MD5 Message Digest Algorithm

MD5 (http://www.faqs.org/rfcs/rfc1321.html ) was developed by Ron Rivest at MIT in 1991. Until

MD5 Logic
The algorithm takes as input a message of arbitrary length and produces as output a 128-bit message
digest. The input is processed in 512-bit blocks.
Figure 12.1 depicts the overall processing of a message to produce a digest. The processing consists
of the following steps:
1. Append padding bits: The message is padded so that its length in bits is congruent to 448
modulo 512 ( length  448 mod 512 ). That is, the length of the padded message is 64 bits less
than an integer multiple of 512 bits. Padding is always added, even if the message is already
of the desired length. For example, if the message is 448 bits long, it is padded with 512 bits
to a length of 960 bits. Thus, the number of padding bits is in the range of 1 to 512. The
padding consists of a single 1-bit followed by the necessary number of 0-bits.
2. Append length: A 64-bit representation of the length in bits of the original message (before
the padding) is appended to the result of Step 1 (least significant byte first). If the original
length is greater than 2 64 , then only the lower-order 64 bits of the length are used. Thus, the
field contains the length of the original message, modulo 2 64 .
The outcome of the first two steps yields a message that is an integer multiple of 512 bits in
length. In Figure 12.1,

1
 MD5 Logic (Cont 1)

the expanded message is represented as the sequence of 512-bit blocks Y0 , Y1 ,.., YL 1 , so that the
total length of the expanded message is L  512 bits. Equivalently, the result is a multiple of 16
32-bit words. Let M[0..N-1] denote the words of the resulting message with N an integer
multiple of 16. Thus, N  L 16 .
3. Initialize MD buffer: A 128-bit buffer is used to hold intermediate and final results of the
hash function. The buffer can be represented as four 32-bit registers (A,B,C,D). These
registers are initialized to the following 32-bit integers (hexadecimal values):
A=67452301
B=EFCDAB89
C=98BADCFE
D=10325476
These values are stored in little-endian format, which is the least-significant byte of a word in the
low-address byte position. As 32-bit strings, the initialization values (in hexadecimal format) appear
as follows:
Word A: 01 23 45 67
Word B: 89 AB CD EF
Word C: FE DC BA 98
Word D: 76 54 32 10

2
 MD5 Logic (Cont 2)
4. Process message in 512-bit (16-word) blocks: The heart of the algorithm is a compression
function that consists of four “rounds” of processing; this module is labeled H MD 5 in Figure
12.1, and its logic is illustrated in Figure 12.2. The four rounds have a similar structure, but
each uses a different primitive logical function, referred to as F, G, H, and I in the
specification.

Each round takes as input the current 512-bit block being processed ( Yq ) and the 128-bit buffer
value ABCD and updates the contents of the buffer. Each round also makes use of one-fourth of
a 64-element table T[1..64], constructed from the sine function. The i-th element of T, denoted
T[i], has the value equal to the integer part of 2 32  abs(sin(i)) , where i is in radians. Because
abs(sin(i ))  [0,1] , each element of T is an integer that can be represented in 32 bits. The table
provides a “randomized “ set of 32-bit patterns, which should eliminate any regularities in the
input data. Table 12.1b lists values of T.

3
 MD5 Logic (Cont 3)

The output of the fourth round is added to the input to the first round ( CV q ) to produce CV q 1 .
The addition is done independently for each of the four words in the buffer with each of the
corresponding words in CV q , using addition modulo 2 32 .
5. Output: After all L 512-bit blocks have been processed, the output from the L-th stage is the
128-bit message digest.
We can summarize the behavior of MD5 as follows:
CV0  IV
CVq 1  SUM 32 (CV q , RFI (Yq , RFH (Yq , RFG (Yq , RFF (Yq , CV q )))))
MD  CV L 1
Where
IV - initial value of the ABCD buffer, defined in Step 3
Yq - the q-th 512-bit block of the message
L – the number of blocks in the message (including padding and length fields)
CV q - chaining variable processed with the q-th block of the message
RFx - round function using primitive logic function x
MD - final message digest value
SUM 32 - addition modulo 2 32 performed separately on each word of the pair of inputs

4
MD5 Logic (Cont 4)

5
 MD5 Compression Function
Let’s look in more detail at the logic of the four rounds of the processing of one 512-bit block.
Each round consists of a sequence of 16 steps operating on the buffer ABCD. Each step is of the
form
a  b  ((a  g (b, c, d )  X [k ]  T [i ])  s )
Where
a,b,c,d – the four words of the buffer, in a specified order that varies across steps
g – one of the primitive functions F,G,H,I
<<<s – circular left shift (rotation) of the 32-bit argument by s bits
X[k] – M[q  16+k] – k-th 32-bit word in the q-th 512-bit of the message
T[i] – the i-th 32-bit word in matrix T
+ - addition modulo 2 32
Figure 12.3 illustrates the step operation

The order in which the four words (a,b,c,d) are used produces a word-level circular right shift
for each step.
One of the four primitive logical functions is used for each of the four rounds of the algorithm.
Each primitive function takes three 32-bit words as input and produces a 32-bit output. Each
6
 MD5 Compression Function (Cont 1)
function performs a set of logical operations; that is, the n-th bit of the output is a function of the
three inputs. The functions can be summarized as follows:
Round Primitive function g g(b,c,d)
1 F(b,c,d) (b  c)  (b  d )
2 G(b,c,d) (b  d )  (c  d )
3 H(b,c,d) bc d
4 I(b,c,d) c  (b  d )
Figure 12.4 adapted from RFC 1321, defines the processing algorithm of step 4. The array of 32-bit
words X[0..15] holds the value of the current 512-bit input block being processed. Within a round,
each of the 16 words of X[i] is used exactly once, during one step; the order in which these words
are used varies from round to round. In the first round, they are used in the original order. The
following permutations are defined for rounds 2 through 4:
 2 (i )  (1  5i ) mod16
 3 (i )  (5  3i ) mod16
 4 (i )  7i mod16
Consider permutation  2 :
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
1 6 11 0 5 10 15 4 9 14 3 8 13 2 7 12

Each of the 64 32-bit word elements of T is used exactly once, during one step of one round. Also,
note that for each step, only one of the 4 bytes of the ABCD buffer is updated. Hence, each byte of
the buffer is updated four times during the round and then a final time at the end to produce the final
output of this block. Finally, note that four different circular left shift amounts are used each round
and are different from round to round. The point of all this complexity is to make it very difficult to
generate collisions (two 512-bit blocks that produce the same output).

7
 MD5 Compression Function (Cont 2)

We see that in Figure 12.4, order of k values in Round 2 follows specified above permutation  2 .