MD2 is not one way (!?)

Mads Rasmussen mads at
Wed Sep 8 16:29:27 EDT 2004

Jason Holt wrote:
> Includes one titled "The MD2 Hash Function is Not One-Way".  That's the first
> I've heard about MD2; the other breaks were for md4 and md5.  Anyone know
> details?

Actually there was a paper analysing the MD2 algorithms back in 1997: N. 
Rogier and P Chauvaud, "MD2 is not secure without the Checksum Byte", 
Design, codes and Cryptography, 12(3):245-251 - an early version was 
presented at SAC 1995

The abstract of the new paper by Frédéric Muller describing a pre-image 
attack, more theoretical than practical although very interesting,

"MD2 is an early hash function developed by Ron Rivest for RSA Security, 
that produces message digests of 128 bits. In this paper, we show that 
MD2 does not reach the ideal security level of 2^128 . We
describe preimage attacks against the underlying compression function,
the best of which has complexity of 2^73 . As a result, the full MD2 
hash can be attacked in preimage with complexity of 2^104"

Mads Rasmussen
Open Communications Security
+55 11 3345 2525

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list