1214:
0xe9b6c7aa } K := { 0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8 } K := { 0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed } K := { 0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a } K := { 0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c } K := { 0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70 } K := { 0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05 } K := { 0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665 } K := { 0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039 } K := { 0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1 } K := { 0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1 } K := { 0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391 }
655:
4590:
517:, David Molnar, Dag Arne Osvik, and Benne de Weger). Bruce Schneier wrote of the attack that "we already knew that MD5 is a broken hash function" and that "no one should be using MD5 anymore". The SSL researchers wrote, "Our desired impact is that Certification Authorities will stop using MD5 in issuing new certificates. We also hope that use of MD5 in other applications will be reconsidered as well."
694:
1081:
539:: an attacker can create two colliding files that both begin with the same content. All the attacker needs to generate two colliding files is a template file with a 128-byte block of data, aligned on a 64-byte boundary, that can be changed freely by the collision-finding algorithm. An example MD5 collision, with the two messages differing in 6 bits, is:
501:, the issuers of RapidSSL certificates, said they stopped issuing new certificates using MD5 as their checksum algorithm for RapidSSL once the vulnerability was announced. Although Verisign declined to revoke existing certificates signed using MD5, their response was considered adequate by the authors of the exploit (
1180:
s := { 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22 } s := { 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20 } s := { 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23 } s := { 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21
662:
As it is easy to generate MD5 collisions, it is possible for the person who created the file to create a second file with the same checksum, so this technique cannot protect against some forms of malicious tampering. In some cases, the checksum cannot be trusted (for example, if it was obtained over
768:
so that its length is divisible by 512. The padding works as follows: first, a single bit, 1, is appended to the end of the message. This is followed by as many zeros as are required to bring the length of the message up to 64 bits fewer than a multiple of 512. The remaining bits are filled up with
1541:
Instead of the formulation from the original RFC 1321 shown, the following may be used for improved efficiency (useful if assembly language is being used – otherwise, the compiler will generally optimize the above code. Since each computation is dependent on another in these formulations, this is
802:
1213:
K := { 0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee } K := { 0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501 } K := { 0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be } K := { 0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821 } K := { 0xf61e2562, 0xc040b340, 0x265e5a51,
312:
On 24 December 2010, Tao Xie and
Dengguo Feng announced the first published single-block (512-bit) MD5 collision. (Previous collision discoveries had relied on multi-block attacks.) For "security reasons", Xie and Feng did not disclose the new attack method. They issued a challenge to the
297:
described an improved algorithm, able to construct MD5 collisions in a few hours on a single notebook computer. On 18 March 2006, Klima published an algorithm that could find a collision within one minute on a single notebook computer, using a method he calls tunneling.
535:, so if two prefixes with the same hash can be constructed, a common suffix can be added to both to make the collision more likely to be accepted as valid data by the application using it. Furthermore, current collision-finding techniques allow specifying an arbitrary
604:
has been flipped. For example, the 20th byte (offset 0x13) in the top sample, 0x87, is 10000111 in binary. The leading bit in the byte (also the leading bit in the first nibble) is flipped to make 00000111, which is 0x07, as shown in the lower sample.
608:
Later it was also found to be possible to construct collisions between two files with separately chosen prefixes. This technique was used in the creation of the rogue CA certificate in 2008. A new variant of parallelized collision searching using
235:
In 1996, Dobbertin announced a collision of the compression function of MD5 (Dobbertin, 1996). While this was not an attack on the full MD5 hash function, it was close enough for cryptographers to recommend switching to a replacement, such as
458:
technical newsletter, "The presented attack does not yet threaten practical applications of MD5, but it comes rather close ... in the future MD5 should no longer be implemented ... where a collision-resistant hash function is required."
1290:// Notice: the two padding steps above are implemented in a simpler way // in implementations that only work with complete bytes: append 0x80 // and pad with 0x00 bytes so that the message length in bytes ≡ 56 (mod 64).
1076:{\displaystyle {\begin{aligned}F(B,C,D)&=(B\wedge {C})\vee (\neg {B}\wedge {D})\\G(B,C,D)&=(B\wedge {D})\vee (C\wedge \neg {D})\\H(B,C,D)&=B\oplus C\oplus D\\I(B,C,D)&=C\oplus (B\vee \neg {D})\end{aligned}}}
355:
that can produce a collision for two inputs with specified prefixes within seconds, using off-the-shelf computing hardware (complexity 2). The ability to find collisions has been greatly aided by the use of off-the-shelf
663:
the same channel as the downloaded file), in which case MD5 can only provide error-checking functionality: it will recognize a corrupt or incomplete download, which becomes more likely when downloading larger files.
645:
for the files, so that a user can compare the checksum of the downloaded file to it. Most unix-based operating systems include MD5 sum utilities in their distribution packages; Windows users may use the included
2784:
788:. These are initialized to certain fixed constants. The main algorithm then uses each 512-bit message block in turn to modify the state. The processing of a message block consists of four similar stages, termed
650:
function "Get-FileHash", the included command line function "certutil -hashfile <filename> md5", install a
Microsoft utility, or use third-party applications. Android ROMs also use this type of checksum.
3171:
181:; however it has been found to suffer from extensive vulnerabilities. It remains suitable for other non-cryptographic purposes, for example for determining the partition for a particular key in a
807:
2346:
1121:
3461:
3350:
293:
certificates with different public keys and the same MD5 hash value, a demonstrably practical collision. The construction included private keys for both public keys. A few days later,
360:. On an NVIDIA GeForce 8400GS graphics processor, 16–18 million hashes per second can be computed. An NVIDIA GeForce 8800 Ultra can calculate more than 200 million hashes per second.
4570:
4400:
764:
MD5 processes a variable-length message into a fixed-length output of 128 bits. The input message is broken up into chunks of 512-bit blocks (sixteen 32-bit words); the message is
477:
how they had used MD5 collisions to create an intermediate certificate authority certificate that appeared to be legitimate when checked by its MD5 hash. The researchers used a
336:
concluded that MD5 was essentially "cryptographically broken and unsuitable for further use". The weaknesses of MD5 have been exploited in the field, most infamously by the
386:
In 1996, a flaw was found in the design of MD5. While it was not deemed a fatal weakness at the time, cryptographers began recommending the use of other algorithms, such as
3127:
685:
numbering system that has been used for decades during the exchange of paper documents. As above, this usage should be discouraged due to the ease of collision attacks.
2788:
758:
482:
3201:
2106:
2378:
796:, modular addition, and left rotation. Figure 1 illustrates one operation within a round. There are four possible functions; a different one is used in each round:
3167:
470:
certificates with the same hash. Later that year, MD5's designer Ron Rivest wrote that "md5 and sha1 are both clearly broken (in terms of collision-resistance)".
4253:
654:
1966:
4173:
3561:
2968:
1607:
1593:
3329:
2580:
3590:
1699:
2915:
3305:
2999:
2863:
2338:
637:
world to provide some assurance that a transferred file has arrived intact. For example, file servers often provide a pre-computed MD5 (known as
2404:
681:, to provide a unique identifier for each document that is exchanged during the legal discovery process. This method can be used to replace the
2471:
3482:
3346:
2555:
2497:
4618:
3412:
3143:
3106:
1864:
1274:
message< // Notice: the input bytes are considered as bit strings, // where the first bit is the most significant bit of the byte.
206:
413:. Further advances were made in breaking MD5 in 2005, 2006, and 2007. In December 2008, a group of researchers used this technique to fake
3022:
405:
that rely on this property for digital security. Researchers additionally discovered more serious flaws in MD5, and described a feasible
1911:
4117:
3427:
532:
107:
3950:
1889:
421:
333:
2811:
4246:
3476:
3393:
2889:
363:
These hash and collision attacks have been demonstrated in the public in various situations, including colliding document files and
2534:
Sotirov, Alexander; Marc
Stevens; Jacob Appelbaum; Arjen Lenstra; David Molnar; Dag Arne Osvik; Benne de Weger (30 December 2008).
2162:
2945:
497:
for that issuer, which could then be used to create other certificates that would appear to be legitimate and issued by RapidSSL.
340:
in 2012. As of 2019, MD5 continues to be widely used, despite its well-documented weaknesses and deprecation by security experts.
313:
cryptographic community, offering a US$ 10,000 reward to the first finder of a different 64-byte collision before 1 January 2013.
332:
to find two distinct messages that hash to the same value. MD5 fails this requirement catastrophically. On 31 December 2008, the
3554:
2699:
2629:
1772:
424:
considers MD5 "cryptographically broken and unsuitable for further use", and most U.S. government applications now require the
329:
3510:
2681:
4623:
4449:
4158:
3643:
3595:
2755:
1704:
1677:
367:. As of 2015, MD5 was demonstrated to be still quite widely used, most notably by security research and antivirus companies.
352:
3193:
2092:
1624:
The MD5 algorithm is specified for messages consisting of any number of bits; it is not limited to multiples of eight bits (
317:
responded to the challenge and published colliding single-block messages as well as the construction algorithm and sources.
3945:
3279:
3253:
3227:
2369:
4628:
4239:
4163:
2563:
1657:
474:
225:
2539:
4565:
4520:
4333:
3932:
3574:
3570:
2097:
1652:
1599:
Even a small change in the message will (with overwhelming probability) result in a mostly different hash, due to the
306:
259:
started in March 2004 to demonstrate that MD5 is practically insecure by finding a collision using a birthday attack.
178:
84:
4444:
3547:
3090:
2835:
The presented attack does not yet threaten practical applications of MD5, but it comes rather close. .... [
2733:
2444:
2312:
2201:
1974:
3060:
1822:
4560:
4189:
3828:
3444:
3122:
Ming Mao and
Shaohui Chen and Jin Xu (2009). "Construction of the Initial Structure for Preimage Attack of MD5".
2972:
2603:
2281:
2242:
2045:
2009:
1938:
1088:
610:
506:
371:
351:
within seconds on a computer with a 2.6 GHz
Pentium 4 processor (complexity of 2). Further, there is also a
314:
94:
3522:
4550:
4540:
4395:
4168:
4004:
3703:
3698:
3326:
2576:
613:
was proposed by Anton
Kuznetsov in 2014, which allowed finding a collision in 11 hours on a computing cluster.
395:
357:
1933:
697:
Figure 1. One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of 16 operations.
2136:
2075:
2050:
2014:
4545:
4535:
4338:
4298:
4291:
4281:
4276:
4091:
3911:
2668:, Cryptology ePrint Archive Report 2004/199, 16 August 2004, revised 17 August 2004. Retrieved 27 July 2008.
137:
4286:
4199:
3585:
2082:, Cryptology ePrint Archive Report 2006/105, 18 March 2006, revised 17 April 2006. Retrieved 27 July 2008.
765:
398:
320:
In 2011 an informational RFC 6151 was approved to update the security considerations in MD5 and HMAC-MD5.
186:
3085:
Yu Sasaki; Kazumaro Aoki (16 April 2009). "Finding
Preimages in Full MD5 Faster Than Exhaustive Search".
4593:
4439:
4385:
4214:
3864:
3818:
3708:
3666:
3651:
3633:
2911:
1882:
Designing Data-Intensive
Applications: The Big Ideas Behind Reliable, Scalable, and Maintainable Systems
256:
229:
3301:
4555:
4479:
3884:
3788:
3738:
3713:
2995:
2859:
2679:
Vulnerability of software integrity and code signing applications to chosen-prefix collisions for MD5
2415:
1786:
678:
348:
302:
182:
133:
114:
2482:
4318:
4209:
4086:
4035:
3974:
3793:
3753:
3733:
2552:
2508:
2186:"RFC 6151 – Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithms"
1132:
1128:
622:
391:
364:
4424:
4408:
4355:
4143:
4127:
4076:
3661:
3149:
64:
2036:
1856:
3030:
743:
4484:
4474:
4345:
4020:
3472:
3408:
3389:
3139:
3102:
1885:
1860:
1625:
502:
490:
433:
402:
3054:"An algorithm for MD5 single-block collision attack using high performance computing cluster"
4419:
4107:
4061:
3823:
3423:
3131:
3094:
2273:
2232:
2193:
1776:
1762:
1600:
772:
The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted
455:
445:
406:
390:, which has since been found to be vulnerable as well. In 2004 it was shown that MD5 is not
375:
344:
3403:
Bert den Boer; Antoon
Bosselaers (1993). "Collisions for the Compression Function of MD5".
1908:
625:. This attack is only theoretical, with a computational complexity of 2 for full preimage.
4122:
4071:
4066:
3854:
3526:
3514:
3333:
2685:
2559:
2079:
1929:
1915:
682:
525:
510:
429:
414:
294:
248:
2885:
136:
in 2 time. This attack runs in less than a second on a regular computer. MD5 is prone to
2158:
4494:
4414:
4375:
4323:
4308:
4112:
3840:
3384:
Berson, Thomas A. (1992). "Differential
Cryptanalysis Mod 2 with Applications to MD5".
2937:
1849:
671:
494:
451:
263:
221:
220:
In 1993, Den Boer and Bosselaers gave an early, although limited, result of finding a "
214:
198:
174:
674:. NIST does not include MD5 in their list of recommended hashes for password storage.
309:
used an MD5 hash value of their mission statement as a part of their official emblem.
4612:
4575:
4530:
4489:
4469:
4365:
4328:
4303:
4204:
4081:
3783:
2756:"NIST.gov — Computer Security Division — Computer Security Resource Center"
1996:
514:
337:
282:
202:
159:
151:
125:
46:
3153:
2707:
2640:
1510:
a0 := a0 + A b0 := b0 + B c0 := c0 + C d0 := d0 + D
4525:
4370:
4360:
4350:
4313:
4262:
3507:
3421:
Hans Dobbertin, Cryptanalysis of MD5 compress. Announcement on Internet, May 1996.
2678:
2467:
2000:
286:
267:
2759:
2498:"A Note on the Practical Value of Single Hash Collisions for Special File Formats"
274:, and Hongbo Yu. Their analytical attack was reported to take only one hour on an
2339:"A quarter of major CMSs use outdated MD5 as the default password hashing scheme"
792:; each round is composed of 16 similar operations based on a non-linear function
213:
was likely to be insecure, Rivest designed MD5 in 1991 as a secure replacement. (
4504:
4194:
4040:
3969:
3965:
3874:
3249:
3223:
3098:
1789:
1766:
1582:
478:
185:, and may be preferred due to lower computational requirements than more recent
3275:
1667:
4464:
4434:
4429:
4390:
3224:"Availability and description of the File Checksum Integrity Verifier utility"
2102:
1758:
1148:
647:
463:
328:
One basic requirement of any cryptographic hash function is that it should be
271:
241:
2912:"[Python-Dev] hashlib — faster md5/sha, adds sha256/512 support"
4454:
3869:
2535:
2476:
1714:
1709:
1672:
1542:
often slower than the above method where the nand/and can be parallelised):
521:
3656:
693:
528:
malware used an MD5 collision to forge a Windows code-signing certificate.
1496:
A := D D := C C := B B := B +
1147:
The MD5 hash is calculated according to this algorithm. All values are in
4499:
4459:
4148:
4045:
4030:
4025:
4015:
3979:
3899:
3813:
3693:
3135:
2703:
2304:
1662:
1157:: All variables are unsigned 32 bit and wrap modulo 2^32 when calculating
1136:
667:
642:
634:
600:. The difference between the two samples is that the leading bit in each
498:
486:
410:
275:
170:
3124:
2009 International Conference on Computational Intelligence and Security
2729:
2440:
1855:. Australia; United States: Course Technology/Cengage Learning. p.
1185:
Use binary integer part of the sines of integers (Radians) as constants:
17:
3984:
3940:
3718:
1811:
1719:
1687:
1682:
450:
In 1996, collisions were found in the compression function of MD5, and
247:
The size of the hash value (128 bits) is small enough to contemplate a
177:
against unintentional corruption. Historically it was widely used as a
3250:"How to compute the MD5 or SHA-1 cryptographic hash values for a file"
3053:
2265:
2224:
2185:
409:—a method to create a pair of inputs for which MD5 produces identical
4380:
4153:
3894:
3889:
3859:
3849:
3808:
3803:
3798:
3778:
3773:
3748:
3743:
3728:
3688:
3519:
2665:
2277:
2237:
2197:
1781:
1724:
1633:
638:
621:
In April 2009, an attack against MD5 was published that breaks MD5's
601:
252:
209:(Rivest, 1992). When analytic work indicated that MD5's predecessor
2841:] in the future MD5 should no longer be implemented... [
2441:"New GPU MD5 cracker cracks more than 200 million hashes per second"
1943:
769:
64 bits representing the length of the original message, modulo 2.
3879:
3768:
3723:
3671:
3628:
3623:
3617:
2311:. CERT Carnegie Mellon University Software Engineering Institute.
2305:"Vulnerability Note VU#836068 MD5 vulnerable to collision attacks"
2129:
2072:
2040:
2004:
1739:
1734:
1586:
692:
473:
On 30 December 2008, a group of researchers announced at the 25th
467:
425:
387:
290:
237:
132:
A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5
2938:"Researchers Use PlayStation Cluster to Forge a Web Skeleton Key"
2577:"Poisonous MD5 – Wolves Among the Sheep | Silent Signal Techblog"
3994:
3989:
3960:
3955:
3919:
2496:
Max Gebhardt; Georg Illies; Werner Schindler (31 October 2005).
2159:"Marc Stevens – Research – Single-block collision attack on MD5"
1629:
4235:
3543:
2130:"Construct MD5 Collisions Using Just A Single Block Of Message"
3763:
3758:
2843:
2837:
2264:
Krawczyk, Hugo; Bellare, Mihir; Canetti, Ran (February 1997).
1729:
1124:
210:
163:
155:
72:
68:
701:
is a nonlinear function; one function is used in each round.
666:
Historically, MD5 has been used to store a one-way hash of a
3276:"FreeBSD Handbook, Security – DES, Blowfish, MD5, and Crypt"
2847:] where a collision-resistant hash function is required.
2403:
Marc Stevens; Arjen Lenstra; Benne de Weger (16 June 2009).
1648:
Below is a list of cryptography libraries that support MD5:
653:
432:
malware exploited the weaknesses in MD5 to fake a Microsoft
2266:"RFC 2104 – HMAC: Keyed-Hashing for Message Authentication"
1603:. For example, adding a period to the end of the sentence:
489:, Switzerland to change a normal SSL certificate issued by
2637:
Advances in Cryptology – Lecture Notes in Computer Science
3407:. EUROCRYPT. Berlin; London: Springer. pp. 293–304.
2073:
Tunnels in Hash Functions: MD5 Collisions Within a Minute
723:
denotes a 32-bit constant, different for each operation.
3371:
RFC 1321, section 2, "Terminology and Notation", Page 2.
2700:"Web browser flaw could put e-commerce security at risk"
658:
Diagram showing use of MD5 hashing in file transmission
4401:
Cryptographically secure pseudorandom number generator
1636:
might be limited to octets, or they might not support
585:
487da03fd 02396306d248cda0 e99f33420f577ee8 ce54b67080
573:
712467eab 4004583eb8fb7f89 55ad340609f4b302 83e4888325
558:
487da03fd 02396306d248cda0 e99f33420f577ee8 ce54b67080
546:
712467eab 4004583eb8fb7f89 55ad340609f4b302 83e4888325
289:, and Benne de Weger demonstrated construction of two
3089:. Lecture Notes in Computer Science. Vol. 5479.
1909:
A Study of the MD5 Attacks: Insights and Improvements
1091:
805:
746:
394:. As such, MD5 is not suitable for applications like
3531:
2041:"Finding MD5 Collisions – a Toy For a Notebook"
1324:
break chunk into sixteen 32-bit words M, 0 ≤ j ≤ 15
4513:
4269:
4182:
4136:
4100:
4054:
4003:
3931:
3908:
3837:
3681:
3642:
3604:
2405:"Chosen-prefix Collisions for MD5 and Applications"
123:
113:
103:
93:
83:
78:
60:
52:
42:
37:
1848:
1640:for messages of an initially undetermined length.
1115:
1075:
752:
581:280373c5b d8823e3156348f5b ae6dacd436c919c6 dd53e2
554:280373c5b d8823e3156348f5b ae6dacd436c919c6 dd53e2
462:In 2005, researchers were able to create pairs of
2093:"Code Cracked! Cyber Command Logo Mystery Solved"
1307:Process the message in successive 512-bit chunks:
712:denotes a 32-bit block of the message input, and
1903:
1901:
1581:) are typically represented as a sequence of 32
262:MD5CRK ended shortly after 17 August 2004, when
2472:"Hash Collisions (The Poisoned Message Attack)"
3302:"Synopsis – man pages section 4: File Formats"
2664:Xiaoyun Wang, Dengguo ,k.,m.,m, HAVAL-128 and
2505:National Institute of Standards and Technology
2332:
2330:
1577:The 128-bit (16-byte) MD5 hashes (also termed
1210:(Or just use the following precomputed table):
4247:
3555:
2677:Marc Stevens, Arjen Lenstra, Benne de Weger:
2529:
2527:
2525:
2523:
2521:
2225:"RFC 1321 – The MD5 Message-Digest Algorithm"
1585:digits. The following demonstrates a 43-byte
8:
1621:MD5("") = d41d8cd98f00b204e9800998ecf8427e
162:in 1991 to replace an earlier hash function
32:
3462:"How to Break MD5 and Other Hash Functions"
2969:"This morning's MD5 attack — resolved"
2860:"Schneier on Security: More MD5 Collisions"
2688:, 30 November 2007. Retrieved 27 July 2008.
2630:"How to Break MD5 and Other Hash Functions"
1884:(1 ed.). O'Reilly Media. p. 203.
1763:"Step 4. Process Message in 16-Word Blocks"
1608:The quick brown fox jumps over the lazy dog
1594:The quick brown fox jumps over the lazy dog
1486:Be wary of the below definitions of a,b,c,d
1116:{\displaystyle \oplus ,\wedge ,\vee ,\neg }
4254:
4240:
4232:
3562:
3548:
3540:
3536:
3532:
2785:"Flame malware collision attack explained"
1934:"Musings on the Wang et al. MD5 Collision"
1810:Xie Tao; Fanbao Liu; Dengguo Feng (2013).
1700:Comparison of cryptographic hash functions
217:did indeed later find weaknesses in MD4.)
3445:"The Status of MD5 After a Recent Attack"
2812:"The Status of MD5 After a Recent Attack"
2604:"The Status of MD5 After a Recent Attack"
2236:
1780:
1090:
1061:
950:
927:
875:
867:
850:
806:
804:
745:
633:MD5 digests have been widely used in the
166:, and was specified in 1992 as RFC 1321.
2412:École Polytechnique Fédérale de Lausanne
569:d131dd02c5e6eec4 693d9a0698aff95c 2fcab5
542:d131dd02c5e6eec4 693d9a0698aff95c 2fcab5
428:family of hash functions. In 2012, the
3168:"Finding Checksum Values in Windows 10"
3087:Advances in Cryptology - EUROCRYPT 2009
1967:"Fast MD5 and MD4 Collision Generators"
1918:, 3 March 2006. Retrieved 27 July 2008.
1750:
1618:The hash of the zero-length string is:
1615:") = e4d909c290d0fb1ca068ffaddf22cbd0
1507:Add this chunk's hash to result so far:
1288:message length in bits ≡ 448 (mod 512)
1177:s specifies the per-round shift amounts
370:As of 2019, one quarter of widely used
3405:Advances in Cryptology – EUROCRYPT '93
3252:. Microsoft Support. 23 January 2007.
2779:
2777:
2303:Chad R, Dougherty (31 December 2008).
1596:") = 9e107d9d372bb6826bd81d3542a419d6
1589:input and the corresponding MD5 hash:
31:
3282:from the original on 18 February 2017
3230:from the original on 15 February 2015
3204:from the original on 23 November 2023
2914:. Mail.python.org. 16 December 2005.
2109:from the original on 17 February 2014
1328:Initialize hash value for this chunk:
1264:Pre-processing: adding a single 1 bit
1203:K := floor(2 × abs(sin(i + 1)))
7:
3174:from the original on 11 January 2024
3130:Computer Society. pp. 442–445.
3002:from the original on 9 November 2020
2698:Stray, Jonathan (30 December 2008).
2349:from the original on 24 January 2021
1828:from the original on 2 February 2021
1632:). Some MD5 implementations such as
3304:. Docs.oracle.com. 1 January 2013.
3226:. Microsoft Support. 17 June 2013.
2994:Bruce Schneier (31 December 2008).
2730:"CERT Vulnerability Note VU#836068"
1907:J. Black, M. Cochran, T. Highland:
1434:C) g := (5×i + 1)
1410:D) g := i
374:were reported to still use MD5 for
305:have been published. In 2009, the
266:for the full MD5 were announced by
2948:from the original on 21 April 2009
2866:from the original on 11 April 2021
2736:from the original on 21 March 2017
2542:from the original on 25 March 2017
2284:from the original on 15 April 2021
2003:; Weger, Benne de (1 March 2005).
1880:Kleppmann, Martin (2 April 2017).
1454:D g := (3×i + 5)
1278:Pre-processing: padding with zeros
1110:
1058:
947:
864:
422:CMU Software Engineering Institute
334:CMU Software Engineering Institute
232:that produce an identical digest.
25:
3430:from the original on 24 June 2008
3353:from the original on 21 June 2021
3308:from the original on 4 March 2016
3256:from the original on 9 March 2015
2583:from the original on 10 June 2015
2315:from the original on 26 July 2011
2245:from the original on 9 April 2021
2204:from the original on 15 June 2017
1928:Hawkes, Philip; Paddon, Michael;
1775:. p. 5. sec. 3.4.
677:MD5 is also used in the field of
201:algorithms designed by Professor
4589:
4588:
3460:Xiaoyun Wang; Hongbo Yu (2005).
3066:from the original on 4 June 2016
3021:Eric Rescorla (17 August 2004).
2967:Callan, Tim (31 December 2008).
2892:from the original on 15 May 2017
2639:. pp. 19–35. Archived from
2628:Xiaoyun Wang; Hongbo Yu (2005).
2447:from the original on 11 May 2011
2384:from the original on 17 May 2017
2223:Rivest, Ronald L. (April 1992).
2165:from the original on 15 May 2017
2139:from the original on 14 May 2017
2053:from the original on 17 May 2017
2017:from the original on 23 May 2017
1965:Bishop Fox (26 September 2013).
1768:The MD5 Message-Digest Algorithm
1478:D)) g := (7×i)
598:79054025255fb1a26e4bc422aef54eb4
158:hash value. MD5 was designed by
27:Message-digest hashing algorithm
2918:from the original on 6 May 2021
2810:Dobbertin, Hans (Summer 1996).
2758:. Csrc.nist.gov. Archived from
2270:Internet Engineering Task Force
2229:Internet Engineering Task Force
2190:Internet Engineering Task Force
1851:CompTIA Security+ 2008 in depth
1557:D)) (16 ≤ i ≤ 31): F := C
732:denotes a left bit rotation by
4450:Information-theoretic security
4159:NIST hash function competition
2886:"Colliding X.509 Certificates"
2602:Hans Dobbertin (Summer 1996).
2536:"MD5 considered harmful today"
2128:Tao Xie; Dengguo Feng (2010).
2005:"Colliding X.509 Certificates"
1812:"Fast Collision Attack on MD5"
1705:Hash function security summary
1066:
1049:
1033:
1015:
983:
965:
955:
938:
932:
918:
908:
890:
880:
861:
855:
841:
831:
813:
353:chosen-prefix collision attack
1:
589:80d1e c69821bcb6a88393 96f965
577:1415a 085125e8f7cdc99f d91dbd
562:80d1e c69821bcb6a88393 96f965
550:1415a 085125e8f7cdc99f d91dbd
4619:Cryptographic hash functions
4164:Password Hashing Competition
3575:message authentication codes
3571:Cryptographic hash functions
2819:RSA Laboratories CryptoBytes
2564:Chaos Communication Congress
2368:M.M.J. Stevens (June 2007).
2309:Vulnerability notes database
1536:(Output is in little-endian)
475:Chaos Communication Congress
240:(also compromised since) or
148:MD5 message-digest algorithm
4566:Message authentication code
4521:Cryptographic hash function
4334:Cryptographic hash function
4118:Merkle–Damgård construction
3099:10.1007/978-3-642-01001-9_8
2184:Turner, Sean (March 2011).
1545:( 0 ≤ i ≤ 15): F := D
740:varies for each operation.
533:Merkle–Damgård construction
382:Overview of security issues
307:United States Cyber Command
179:cryptographic hash function
108:Merkle–Damgård construction
4645:
4445:Harvest now, decrypt later
3091:Springer Berlin Heidelberg
2996:"Forging SSL Certificates"
2971:. Verisign. Archived from
760:denotes addition modulo 2.
596:Both produce the MD5 hash
443:
372:content management systems
330:computationally infeasible
197:MD5 is one in a series of
4584:
4561:Post-quantum cryptography
4231:
3581:
3539:
3535:
3508:W3C recommendation on MD5
3027:Educated Guesswork (blog)
2161:. Marc-stevens.nl. 2012.
2046:Cryptology ePrint Archive
2010:Cryptology ePrint Archive
1939:Cryptology ePrint Archive
1819:Cryptology ePrint Archive
1139:operations respectively.
753:{\displaystyle \boxplus }
440:Collision vulnerabilities
228:; that is, two different
193:History and cryptanalysis
131:
4551:Quantum key distribution
4541:Authenticated encryption
4396:Random number generation
3912:key derivation functions
3525:16 November 2022 at the
3513:28 December 2014 at the
3443:Dobbertin, Hans (1996).
3426:. Citeseer.ist.psu.edu.
2998:. Schneier on Security.
2684:13 December 2007 at the
2558:16 November 2018 at the
1493:M must be a 32-bit block
1489:F := F + A + K + M
1295:original length in bits
1257:d0 := 0x10325476
1247:c0 := 0x98badcfe
1237:b0 := 0xefcdab89
1227:a0 := 0x67452301
138:length extension attacks
4546:Public-key cryptography
4536:Symmetric-key algorithm
4339:Key derivation function
4299:Cryptographic primitive
4292:Authentication protocol
4282:Outline of cryptography
4277:History of cryptography
4190:Hash-based cryptography
4092:Length extension attack
3332:1 December 2016 at the
3170:. Microsoft Community.
4287:Cryptographic protocol
4200:Message authentication
3023:"A real MD5 collision"
1914:1 January 2015 at the
1117:
1077:
761:
754:
659:
617:Preimage vulnerability
520:In 2012, according to
230:initialization vectors
187:Secure Hash Algorithms
4624:Broken hash functions
4440:End-to-end encryption
4386:Cryptojacking malware
2514:on 17 September 2008.
2371:On Collisions for MD5
2078:6 August 2011 at the
1847:Ciampa, Mark (2009).
1218:Initialize variables:
1118:
1078:
755:
696:
657:
524:, the authors of the
444:Further information:
347:exists that can find
169:MD5 can be used as a
4556:Quantum cryptography
4480:Trusted timestamping
3136:10.1109/CIS.2009.214
3093:. pp. 134–152.
3052:Anton A. Kuznetsov.
2944:. 31 December 2008.
1089:
803:
744:
679:electronic discovery
365:digital certificates
301:Various MD5-related
226:compression function
183:partitioned database
134:collision resistance
4629:Checksum algorithms
4319:Cryptographic nonce
4087:Side-channel attack
3200:. Microsoft Learn.
2377:(Master's thesis).
1932:(13 October 2004).
623:preimage resistance
392:collision-resistant
257:distributed project
34:
4425:Subliminal channel
4409:Pseudorandom noise
4356:Key (cryptography)
4144:CAESAR Competition
4128:HAIFA construction
4077:Brute-force attack
3388:. pp. 71–80.
3347:"Reference Source"
2975:on 16 January 2009
2421:on 9 November 2011
2337:Cimpanu, Catalin.
1946:on 5 November 2018
1520:digest := a0
1113:
1073:
1071:
762:
750:
660:
403:digital signatures
4606:
4605:
4602:
4601:
4485:Key-based routing
4475:Trapdoor function
4346:Digital signature
4227:
4226:
4223:
4222:
4021:ChaCha20-Poly1305
3838:Password hashing/
3414:978-3-540-57600-6
3145:978-0-7695-3931-7
3108:978-3-642-01000-2
3033:on 15 August 2014
2710:on 28 August 2013
2485:on 27 March 2010.
2479:2005 rump session
2071:Vlastimil Klima:
1866:978-1-59863-913-1
1351:C := c0
1344:B := b0
1337:A := a0
503:Alexander Sotirov
434:digital signature
281:On 1 March 2005,
150:is a widely used
144:
143:
16:(Redirected from
4636:
4592:
4591:
4420:Insecure channel
4256:
4249:
4242:
4233:
4108:Avalanche effect
4062:Collision attack
3605:Common functions
3564:
3557:
3550:
3541:
3537:
3533:
3497:
3495:
3493:
3487:
3481:. Archived from
3466:
3456:
3439:
3437:
3435:
3418:
3399:
3372:
3369:
3363:
3362:
3360:
3358:
3343:
3337:
3324:
3318:
3317:
3315:
3313:
3298:
3292:
3291:
3289:
3287:
3272:
3266:
3265:
3263:
3261:
3246:
3240:
3239:
3237:
3235:
3220:
3214:
3213:
3211:
3209:
3190:
3184:
3183:
3181:
3179:
3164:
3158:
3157:
3119:
3113:
3112:
3082:
3076:
3075:
3073:
3071:
3065:
3058:
3049:
3043:
3042:
3040:
3038:
3029:. Archived from
3018:
3012:
3011:
3009:
3007:
2991:
2985:
2984:
2982:
2980:
2964:
2958:
2957:
2955:
2953:
2934:
2928:
2927:
2925:
2923:
2908:
2902:
2901:
2899:
2897:
2882:
2876:
2875:
2873:
2871:
2862:. Schneier.com.
2856:
2850:
2849:
2832:
2830:
2816:
2807:
2801:
2800:
2798:
2796:
2787:. Archived from
2781:
2772:
2771:
2769:
2767:
2752:
2746:
2745:
2743:
2741:
2726:
2720:
2719:
2717:
2715:
2706:. Archived from
2695:
2689:
2675:
2669:
2662:
2656:
2655:
2653:
2651:
2645:
2634:
2625:
2619:
2618:
2616:
2614:
2599:
2593:
2592:
2590:
2588:
2579:. 10 June 2015.
2573:
2567:
2551:
2549:
2547:
2531:
2516:
2515:
2513:
2507:. Archived from
2502:
2493:
2487:
2486:
2481:. Archived from
2463:
2457:
2456:
2454:
2452:
2437:
2431:
2430:
2428:
2426:
2420:
2414:. Archived from
2409:
2400:
2394:
2393:
2391:
2389:
2383:
2376:
2365:
2359:
2358:
2356:
2354:
2334:
2325:
2324:
2322:
2320:
2300:
2294:
2293:
2291:
2289:
2278:10.17487/RFC2104
2261:
2255:
2254:
2252:
2250:
2240:
2238:10.17487/RFC1321
2220:
2214:
2213:
2211:
2209:
2198:10.17487/RFC6151
2181:
2175:
2174:
2172:
2170:
2155:
2149:
2148:
2146:
2144:
2134:
2125:
2119:
2118:
2116:
2114:
2089:
2083:
2069:
2063:
2062:
2060:
2058:
2039:(5 March 2005).
2037:Klíma, Vlastimil
2033:
2027:
2026:
2024:
2022:
1993:
1987:
1986:
1984:
1982:
1977:on 26 April 2017
1973:. Archived from
1962:
1956:
1955:
1953:
1951:
1942:. Archived from
1930:Rose, Gregory G.
1925:
1919:
1905:
1896:
1895:
1877:
1871:
1870:
1854:
1844:
1838:
1837:
1835:
1833:
1827:
1816:
1807:
1801:
1800:
1798:
1796:
1784:
1782:10.17487/RFC1321
1755:
1614:
1601:avalanche effect
1538:
1509:
1495:
1488:
1364:
1330:
1309:
1291:
1280:
1266:
1260:
1250:
1240:
1230:
1220:
1212:
1187:
1179:
1159:
1122:
1120:
1119:
1114:
1082:
1080:
1079:
1074:
1072:
1065:
954:
931:
879:
871:
854:
795:
787:
783:
779:
775:
759:
757:
756:
751:
739:
735:
731:
722:
711:
700:
599:
592:
588:
584:
580:
576:
572:
565:
561:
557:
553:
549:
545:
456:RSA Laboratories
446:Collision attack
420:As of 2010, the
407:collision attack
376:password hashing
345:collision attack
270:, Dengguo Feng,
222:pseudo-collision
154:producing a 128-
35:
21:
4644:
4643:
4639:
4638:
4637:
4635:
4634:
4633:
4609:
4608:
4607:
4598:
4580:
4509:
4265:
4260:
4219:
4178:
4137:Standardization
4132:
4123:Sponge function
4096:
4072:Birthday attack
4067:Preimage attack
4050:
4006:
3999:
3927:
3910:
3909:General purpose
3904:
3839:
3833:
3682:Other functions
3677:
3644:SHA-3 finalists
3638:
3600:
3577:
3568:
3527:Wayback Machine
3515:Wayback Machine
3504:
3491:
3489:
3485:
3479:
3464:
3459:
3442:
3433:
3431:
3422:
3415:
3402:
3396:
3383:
3380:
3378:Further reading
3375:
3370:
3366:
3356:
3354:
3345:
3344:
3340:
3334:Wayback Machine
3327:NIST SP 800-132
3325:
3321:
3311:
3309:
3300:
3299:
3295:
3285:
3283:
3274:
3273:
3269:
3259:
3257:
3248:
3247:
3243:
3233:
3231:
3222:
3221:
3217:
3207:
3205:
3192:
3191:
3187:
3177:
3175:
3166:
3165:
3161:
3146:
3126:. Vol. 1.
3121:
3120:
3116:
3109:
3084:
3083:
3079:
3069:
3067:
3063:
3056:
3051:
3050:
3046:
3036:
3034:
3020:
3019:
3015:
3005:
3003:
2993:
2992:
2988:
2978:
2976:
2966:
2965:
2961:
2951:
2949:
2936:
2935:
2931:
2921:
2919:
2910:
2909:
2905:
2895:
2893:
2884:
2883:
2879:
2869:
2867:
2858:
2857:
2853:
2828:
2826:
2814:
2809:
2808:
2804:
2794:
2792:
2783:
2782:
2775:
2765:
2763:
2754:
2753:
2749:
2739:
2737:
2732:. Kb.cert.org.
2728:
2727:
2723:
2713:
2711:
2697:
2696:
2692:
2686:Wayback Machine
2676:
2672:
2663:
2659:
2649:
2647:
2643:
2632:
2627:
2626:
2622:
2612:
2610:
2601:
2600:
2596:
2586:
2584:
2575:
2574:
2570:
2560:Wayback Machine
2545:
2543:
2533:
2532:
2519:
2511:
2500:
2495:
2494:
2490:
2465:
2464:
2460:
2450:
2448:
2439:
2438:
2434:
2424:
2422:
2418:
2407:
2402:
2401:
2397:
2387:
2385:
2381:
2374:
2367:
2366:
2362:
2352:
2350:
2336:
2335:
2328:
2318:
2316:
2302:
2301:
2297:
2287:
2285:
2263:
2262:
2258:
2248:
2246:
2222:
2221:
2217:
2207:
2205:
2183:
2182:
2178:
2168:
2166:
2157:
2156:
2152:
2142:
2140:
2132:
2127:
2126:
2122:
2112:
2110:
2105:. 8 July 2010.
2091:
2090:
2086:
2080:Wayback Machine
2070:
2066:
2056:
2054:
2035:
2034:
2030:
2020:
2018:
1995:
1994:
1990:
1980:
1978:
1964:
1963:
1959:
1949:
1947:
1927:
1926:
1922:
1916:Wayback Machine
1906:
1899:
1892:
1879:
1878:
1874:
1867:
1846:
1845:
1841:
1831:
1829:
1825:
1814:
1809:
1808:
1804:
1794:
1792:
1757:
1756:
1752:
1748:
1696:
1646:
1644:Implementations
1622:
1616:
1610:
1597:
1579:message digests
1575:
1570:
1539:
1533:
1504:
1490:
1483:
1359:
1325:
1320:padded message
1304:
1289:
1275:
1261:
1258:
1248:
1238:
1228:
1215:
1207:
1182:
1174:
1154:
1145:
1087:
1086:
1070:
1069:
1036:
1009:
1008:
986:
959:
958:
911:
884:
883:
834:
801:
800:
793:
785:
781:
777:
773:
742:
741:
737:
733:
730:
724:
721:
713:
710:
702:
698:
691:
631:
619:
597:
594:
590:
586:
582:
578:
574:
570:
567:
563:
559:
555:
551:
547:
543:
511:Jacob Appelbaum
493:into a working
448:
442:
415:SSL certificate
384:
326:
295:Vlastimil Klima
249:birthday attack
195:
53:First published
28:
23:
22:
15:
12:
11:
5:
4642:
4640:
4632:
4631:
4626:
4621:
4611:
4610:
4604:
4603:
4600:
4599:
4597:
4596:
4585:
4582:
4581:
4579:
4578:
4573:
4571:Random numbers
4568:
4563:
4558:
4553:
4548:
4543:
4538:
4533:
4528:
4523:
4517:
4515:
4511:
4510:
4508:
4507:
4502:
4497:
4495:Garlic routing
4492:
4487:
4482:
4477:
4472:
4467:
4462:
4457:
4452:
4447:
4442:
4437:
4432:
4427:
4422:
4417:
4415:Secure channel
4412:
4406:
4405:
4404:
4393:
4388:
4383:
4378:
4376:Key stretching
4373:
4368:
4363:
4358:
4353:
4348:
4343:
4342:
4341:
4336:
4326:
4324:Cryptovirology
4321:
4316:
4311:
4309:Cryptocurrency
4306:
4301:
4296:
4295:
4294:
4284:
4279:
4273:
4271:
4267:
4266:
4261:
4259:
4258:
4251:
4244:
4236:
4229:
4228:
4225:
4224:
4221:
4220:
4218:
4217:
4212:
4207:
4202:
4197:
4192:
4186:
4184:
4180:
4179:
4177:
4176:
4171:
4166:
4161:
4156:
4151:
4146:
4140:
4138:
4134:
4133:
4131:
4130:
4125:
4120:
4115:
4113:Hash collision
4110:
4104:
4102:
4098:
4097:
4095:
4094:
4089:
4084:
4079:
4074:
4069:
4064:
4058:
4056:
4052:
4051:
4049:
4048:
4043:
4038:
4033:
4028:
4023:
4018:
4012:
4010:
4001:
4000:
3998:
3997:
3992:
3987:
3982:
3977:
3972:
3963:
3958:
3953:
3948:
3943:
3937:
3935:
3929:
3928:
3926:
3925:
3922:
3916:
3914:
3906:
3905:
3903:
3902:
3897:
3892:
3887:
3882:
3877:
3872:
3867:
3862:
3857:
3852:
3846:
3844:
3841:key stretching
3835:
3834:
3832:
3831:
3826:
3821:
3816:
3811:
3806:
3801:
3796:
3791:
3786:
3781:
3776:
3771:
3766:
3761:
3756:
3751:
3746:
3741:
3736:
3731:
3726:
3721:
3716:
3711:
3706:
3701:
3696:
3691:
3685:
3683:
3679:
3678:
3676:
3675:
3669:
3664:
3659:
3654:
3648:
3646:
3640:
3639:
3637:
3636:
3631:
3626:
3621:
3615:
3608:
3606:
3602:
3601:
3599:
3598:
3593:
3588:
3582:
3579:
3578:
3569:
3567:
3566:
3559:
3552:
3544:
3530:
3529:
3520:MD5 Calculator
3517:
3503:
3502:External links
3500:
3499:
3498:
3488:on 21 May 2009
3477:
3457:
3440:
3419:
3413:
3400:
3394:
3379:
3376:
3374:
3373:
3364:
3338:
3319:
3293:
3267:
3241:
3215:
3185:
3159:
3144:
3114:
3107:
3077:
3044:
3013:
2986:
2959:
2929:
2903:
2888:. Win.tue.nl.
2877:
2851:
2802:
2791:on 8 June 2012
2773:
2762:on 9 June 2011
2747:
2721:
2690:
2670:
2657:
2646:on 21 May 2009
2620:
2594:
2568:
2517:
2488:
2458:
2432:
2395:
2360:
2326:
2295:
2256:
2215:
2176:
2150:
2120:
2084:
2064:
2028:
1997:Lenstra, Arjen
1988:
1957:
1920:
1897:
1891:978-1449373320
1890:
1872:
1865:
1839:
1802:
1761:(April 1992).
1749:
1747:
1744:
1743:
1742:
1737:
1732:
1727:
1722:
1717:
1712:
1707:
1702:
1695:
1692:
1691:
1690:
1685:
1680:
1675:
1670:
1665:
1660:
1655:
1645:
1642:
1620:
1605:
1591:
1574:
1571:
1544:
1153:
1144:
1141:
1112:
1109:
1106:
1103:
1100:
1097:
1094:
1084:
1083:
1068:
1064:
1060:
1057:
1054:
1051:
1048:
1045:
1042:
1039:
1037:
1035:
1032:
1029:
1026:
1023:
1020:
1017:
1014:
1011:
1010:
1007:
1004:
1001:
998:
995:
992:
989:
987:
985:
982:
979:
976:
973:
970:
967:
964:
961:
960:
957:
953:
949:
946:
943:
940:
937:
934:
930:
926:
923:
920:
917:
914:
912:
910:
907:
904:
901:
898:
895:
892:
889:
886:
885:
882:
878:
874:
870:
866:
863:
860:
857:
853:
849:
846:
843:
840:
837:
835:
833:
830:
827:
824:
821:
818:
815:
812:
809:
808:
749:
726:
717:
706:
690:
687:
672:key stretching
630:
627:
618:
615:
568:
541:
495:CA certificate
466:documents and
452:Hans Dobbertin
441:
438:
383:
380:
325:
322:
215:Hans Dobbertin
199:message digest
194:
191:
175:data integrity
142:
141:
129:
128:
121:
120:
117:
111:
110:
105:
101:
100:
97:
91:
90:
87:
81:
80:
76:
75:
62:
58:
57:
54:
50:
49:
44:
40:
39:
26:
24:
14:
13:
10:
9:
6:
4:
3:
2:
4641:
4630:
4627:
4625:
4622:
4620:
4617:
4616:
4614:
4595:
4587:
4586:
4583:
4577:
4576:Steganography
4574:
4572:
4569:
4567:
4564:
4562:
4559:
4557:
4554:
4552:
4549:
4547:
4544:
4542:
4539:
4537:
4534:
4532:
4531:Stream cipher
4529:
4527:
4524:
4522:
4519:
4518:
4516:
4512:
4506:
4503:
4501:
4498:
4496:
4493:
4491:
4490:Onion routing
4488:
4486:
4483:
4481:
4478:
4476:
4473:
4471:
4470:Shared secret
4468:
4466:
4463:
4461:
4458:
4456:
4453:
4451:
4448:
4446:
4443:
4441:
4438:
4436:
4433:
4431:
4428:
4426:
4423:
4421:
4418:
4416:
4413:
4410:
4407:
4402:
4399:
4398:
4397:
4394:
4392:
4389:
4387:
4384:
4382:
4379:
4377:
4374:
4372:
4369:
4367:
4366:Key generator
4364:
4362:
4359:
4357:
4354:
4352:
4349:
4347:
4344:
4340:
4337:
4335:
4332:
4331:
4330:
4329:Hash function
4327:
4325:
4322:
4320:
4317:
4315:
4312:
4310:
4307:
4305:
4304:Cryptanalysis
4302:
4300:
4297:
4293:
4290:
4289:
4288:
4285:
4283:
4280:
4278:
4275:
4274:
4272:
4268:
4264:
4257:
4252:
4250:
4245:
4243:
4238:
4237:
4234:
4230:
4216:
4213:
4211:
4208:
4206:
4205:Proof of work
4203:
4201:
4198:
4196:
4193:
4191:
4188:
4187:
4185:
4181:
4175:
4172:
4170:
4167:
4165:
4162:
4160:
4157:
4155:
4152:
4150:
4147:
4145:
4142:
4141:
4139:
4135:
4129:
4126:
4124:
4121:
4119:
4116:
4114:
4111:
4109:
4106:
4105:
4103:
4099:
4093:
4090:
4088:
4085:
4083:
4082:Rainbow table
4080:
4078:
4075:
4073:
4070:
4068:
4065:
4063:
4060:
4059:
4057:
4053:
4047:
4044:
4042:
4039:
4037:
4034:
4032:
4029:
4027:
4024:
4022:
4019:
4017:
4014:
4013:
4011:
4008:
4005:Authenticated
4002:
3996:
3993:
3991:
3988:
3986:
3983:
3981:
3978:
3976:
3973:
3971:
3967:
3964:
3962:
3959:
3957:
3954:
3952:
3949:
3947:
3944:
3942:
3939:
3938:
3936:
3934:
3933:MAC functions
3930:
3923:
3921:
3918:
3917:
3915:
3913:
3907:
3901:
3898:
3896:
3893:
3891:
3888:
3886:
3883:
3881:
3878:
3876:
3873:
3871:
3868:
3866:
3863:
3861:
3858:
3856:
3853:
3851:
3848:
3847:
3845:
3842:
3836:
3830:
3827:
3825:
3822:
3820:
3817:
3815:
3812:
3810:
3807:
3805:
3802:
3800:
3797:
3795:
3792:
3790:
3787:
3785:
3782:
3780:
3777:
3775:
3772:
3770:
3767:
3765:
3762:
3760:
3757:
3755:
3752:
3750:
3747:
3745:
3742:
3740:
3737:
3735:
3732:
3730:
3727:
3725:
3722:
3720:
3717:
3715:
3712:
3710:
3707:
3705:
3702:
3700:
3697:
3695:
3692:
3690:
3687:
3686:
3684:
3680:
3673:
3670:
3668:
3665:
3663:
3660:
3658:
3655:
3653:
3650:
3649:
3647:
3645:
3641:
3635:
3632:
3630:
3627:
3625:
3622:
3620:(compromised)
3619:
3616:
3614:(compromised)
3613:
3610:
3609:
3607:
3603:
3597:
3596:Known attacks
3594:
3592:
3589:
3587:
3584:
3583:
3580:
3576:
3572:
3565:
3560:
3558:
3553:
3551:
3546:
3545:
3542:
3538:
3534:
3528:
3524:
3521:
3518:
3516:
3512:
3509:
3506:
3505:
3501:
3484:
3480:
3478:3-540-25910-4
3474:
3470:
3463:
3458:
3454:
3450:
3446:
3441:
3429:
3425:
3420:
3416:
3410:
3406:
3401:
3397:
3395:3-540-56413-6
3391:
3387:
3382:
3381:
3377:
3368:
3365:
3352:
3348:
3342:
3339:
3335:
3331:
3328:
3323:
3320:
3307:
3303:
3297:
3294:
3281:
3277:
3271:
3268:
3255:
3251:
3245:
3242:
3229:
3225:
3219:
3216:
3203:
3199:
3195:
3189:
3186:
3173:
3169:
3163:
3160:
3155:
3151:
3147:
3141:
3137:
3133:
3129:
3125:
3118:
3115:
3110:
3104:
3100:
3096:
3092:
3088:
3081:
3078:
3062:
3055:
3048:
3045:
3032:
3028:
3024:
3017:
3014:
3001:
2997:
2990:
2987:
2974:
2970:
2963:
2960:
2947:
2943:
2939:
2933:
2930:
2917:
2913:
2907:
2904:
2891:
2887:
2881:
2878:
2865:
2861:
2855:
2852:
2848:
2846:
2845:
2840:
2839:
2824:
2820:
2813:
2806:
2803:
2790:
2786:
2780:
2778:
2774:
2761:
2757:
2751:
2748:
2735:
2731:
2725:
2722:
2709:
2705:
2701:
2694:
2691:
2687:
2683:
2680:
2674:
2671:
2667:
2661:
2658:
2642:
2638:
2631:
2624:
2621:
2609:
2605:
2598:
2595:
2582:
2578:
2572:
2569:
2565:
2561:
2557:
2554:
2541:
2537:
2530:
2528:
2526:
2524:
2522:
2518:
2510:
2506:
2499:
2492:
2489:
2484:
2480:
2478:
2473:
2469:
2466:Magnus Daum,
2462:
2459:
2446:
2442:
2436:
2433:
2417:
2413:
2406:
2399:
2396:
2380:
2373:
2372:
2364:
2361:
2348:
2344:
2340:
2333:
2331:
2327:
2314:
2310:
2306:
2299:
2296:
2283:
2279:
2275:
2271:
2267:
2260:
2257:
2244:
2239:
2234:
2230:
2226:
2219:
2216:
2203:
2199:
2195:
2191:
2187:
2180:
2177:
2164:
2160:
2154:
2151:
2138:
2131:
2124:
2121:
2108:
2104:
2100:
2099:
2094:
2088:
2085:
2081:
2077:
2074:
2068:
2065:
2052:
2048:
2047:
2042:
2038:
2032:
2029:
2016:
2012:
2011:
2006:
2002:
2001:Wang, Xiaoyun
1998:
1992:
1989:
1976:
1972:
1968:
1961:
1958:
1945:
1941:
1940:
1935:
1931:
1924:
1921:
1917:
1913:
1910:
1904:
1902:
1898:
1893:
1887:
1883:
1876:
1873:
1868:
1862:
1858:
1853:
1852:
1843:
1840:
1824:
1820:
1813:
1806:
1803:
1791:
1788:
1783:
1778:
1774:
1770:
1769:
1764:
1760:
1754:
1751:
1745:
1741:
1738:
1736:
1733:
1731:
1728:
1726:
1723:
1721:
1718:
1716:
1713:
1711:
1708:
1706:
1703:
1701:
1698:
1697:
1693:
1689:
1686:
1684:
1681:
1679:
1676:
1674:
1671:
1669:
1666:
1664:
1661:
1659:
1658:Bouncy Castle
1656:
1654:
1651:
1650:
1649:
1643:
1641:
1639:
1635:
1631:
1627:
1619:
1613:
1609:
1604:
1602:
1595:
1590:
1588:
1584:
1580:
1572:
1568:
1564:
1560:
1556:
1552:
1548:
1543:
1537:
1531:
1527:
1523:
1519:
1516:
1513:
1508:
1503:
1499:
1494:
1487:
1481:
1477:
1473:
1469:
1465:
1461:
1457:
1453:
1449:
1445:
1441:
1437:
1433:
1429:
1425:
1421:
1418:F := (D
1417:
1413:
1409:
1405:
1401:
1397:
1394:F := (B
1393:
1389:
1386:F, g
1385:
1382:
1379:
1375:
1371:
1367:
1363:
1358:D := d0
1357:
1354:
1350:
1347:
1343:
1340:
1336:
1333:
1329:
1323:
1319:
1315:
1312:
1308:
1302:
1298:
1294:
1287:
1283:
1279:
1273:
1269:
1265:
1256:
1253:
1246:
1243:
1236:
1233:
1226:
1223:
1219:
1211:
1206:
1202:
1198:
1194:
1190:
1186:
1178:
1172:
1169:
1165:
1162:
1158:
1152:
1150:
1149:little-endian
1142:
1140:
1138:
1134:
1130:
1126:
1107:
1104:
1101:
1098:
1095:
1092:
1062:
1055:
1052:
1046:
1043:
1040:
1038:
1030:
1027:
1024:
1021:
1018:
1012:
1005:
1002:
999:
996:
993:
990:
988:
980:
977:
974:
971:
968:
962:
951:
944:
941:
935:
928:
924:
921:
915:
913:
905:
902:
899:
896:
893:
887:
876:
872:
868:
858:
851:
847:
844:
838:
836:
828:
825:
822:
819:
816:
810:
799:
798:
797:
791:
770:
767:
747:
729:
720:
716:
709:
705:
695:
688:
686:
684:
680:
675:
673:
670:, often with
669:
664:
656:
652:
649:
644:
640:
636:
628:
626:
624:
616:
614:
612:
606:
603:
540:
538:
534:
531:MD5 uses the
529:
527:
523:
518:
516:
515:Arjen Lenstra
512:
508:
504:
500:
496:
492:
488:
484:
480:
476:
471:
469:
465:
460:
457:
454:wrote in the
453:
447:
439:
437:
435:
431:
427:
423:
418:
416:
412:
408:
404:
400:
397:
393:
389:
381:
379:
377:
373:
368:
366:
361:
359:
354:
350:
346:
341:
339:
338:Flame malware
335:
331:
323:
321:
318:
316:
310:
308:
304:
299:
296:
292:
288:
284:
283:Arjen Lenstra
279:
277:
273:
269:
265:
260:
258:
254:
250:
245:
243:
239:
233:
231:
227:
224:" of the MD5
223:
218:
216:
212:
208:
204:
203:Ronald Rivest
200:
192:
190:
188:
184:
180:
176:
172:
167:
165:
161:
160:Ronald Rivest
157:
153:
152:hash function
149:
139:
135:
130:
127:
126:cryptanalysis
122:
118:
116:
112:
109:
106:
102:
98:
96:
92:
88:
86:
82:
79:Cipher detail
77:
74:
70:
66:
63:
59:
55:
51:
48:
47:Ronald Rivest
45:
41:
36:
30:
19:
4526:Block cipher
4371:Key schedule
4361:Key exchange
4351:Kleptography
4314:Cryptosystem
4263:Cryptography
3611:
3490:. Retrieved
3483:the original
3468:
3452:
3448:
3432:. Retrieved
3404:
3385:
3367:
3355:. Retrieved
3341:
3322:
3310:. Retrieved
3296:
3284:. Retrieved
3270:
3258:. Retrieved
3244:
3232:. Retrieved
3218:
3206:. Retrieved
3197:
3188:
3176:. Retrieved
3162:
3123:
3117:
3086:
3080:
3068:. Retrieved
3047:
3035:. Retrieved
3031:the original
3026:
3016:
3004:. Retrieved
2989:
2977:. Retrieved
2973:the original
2962:
2950:. Retrieved
2941:
2932:
2920:. Retrieved
2906:
2894:. Retrieved
2880:
2868:. Retrieved
2854:
2842:
2836:
2834:
2827:. Retrieved
2822:
2818:
2805:
2793:. Retrieved
2789:the original
2764:. Retrieved
2760:the original
2750:
2738:. Retrieved
2724:
2712:. Retrieved
2708:the original
2693:
2673:
2660:
2648:. Retrieved
2641:the original
2636:
2623:
2611:. Retrieved
2607:
2597:
2585:. Retrieved
2571:
2562:at the 25th
2544:. Retrieved
2509:the original
2504:
2491:
2483:the original
2475:
2468:Stefan Lucks
2461:
2449:. Retrieved
2435:
2423:. Retrieved
2416:the original
2411:
2398:
2386:. Retrieved
2370:
2363:
2351:. Retrieved
2342:
2317:. Retrieved
2308:
2298:
2286:. Retrieved
2269:
2259:
2247:. Retrieved
2228:
2218:
2206:. Retrieved
2189:
2179:
2167:. Retrieved
2153:
2141:. Retrieved
2123:
2111:. Retrieved
2096:
2087:
2067:
2055:. Retrieved
2044:
2031:
2019:. Retrieved
2008:
1991:
1979:. Retrieved
1975:the original
1970:
1960:
1948:. Retrieved
1944:the original
1937:
1923:
1881:
1875:
1850:
1842:
1830:. Retrieved
1818:
1805:
1793:. Retrieved
1767:
1753:
1647:
1637:
1623:
1617:
1611:
1598:
1578:
1576:
1566:
1562:
1558:
1554:
1550:
1546:
1540:
1535:
1529:
1525:
1521:
1517:
1514:
1511:
1506:
1501:
1497:
1492:
1485:
1479:
1475:
1471:
1467:
1466:F := C
1463:
1462:48 ≤ i ≤ 63
1459:
1455:
1451:
1447:
1446:F := B
1443:
1442:32 ≤ i ≤ 47
1439:
1435:
1431:
1427:
1423:
1419:
1415:
1414:16 ≤ i ≤ 31
1411:
1407:
1403:
1399:
1395:
1391:
1387:
1383:
1380:
1377:
1373:
1369:
1365:
1361:
1355:
1352:
1348:
1345:
1341:
1338:
1334:
1331:
1327:
1321:
1317:
1313:
1310:
1306:
1300:
1296:
1292:
1285:
1281:
1277:
1271:
1267:
1263:
1254:
1251:
1244:
1241:
1234:
1231:
1224:
1221:
1217:
1209:
1204:
1200:
1196:
1192:
1188:
1184:
1176:
1170:
1167:
1163:
1160:
1156:
1146:
1085:
789:
771:
763:
727:
725:<<<
718:
714:
707:
703:
676:
665:
661:
632:
629:Applications
620:
607:
595:
536:
530:
519:
507:Marc Stevens
472:
461:
449:
419:
399:certificates
385:
369:
362:
342:
327:
319:
315:Marc Stevens
311:
300:
287:Xiaoyun Wang
280:
268:Xiaoyun Wang
261:
246:
234:
219:
196:
168:
147:
145:
124:Best public
85:Digest sizes
29:
4514:Mathematics
4505:Mix network
4195:Merkle tree
4183:Utilization
4169:NSA Suite B
3449:CryptoBytes
3424:"CiteSeerX"
3357:23 December
3336:Section 5.1
3208:23 November
3178:23 November
2979:31 December
2952:31 December
2714:24 February
2650:21 December
2608:CryptoBytes
2546:30 December
2208:11 November
1981:10 February
1583:hexadecimal
1500:(F, s)
1458:16
1438:16
1390:0 ≤ i ≤ 15
1123:denote the
683:Bates stamp
479:PS3 cluster
95:Block sizes
4613:Categories
4465:Ciphertext
4435:Decryption
4430:Encryption
4391:Ransomware
4007:encryption
3784:RadioGatún
3591:Comparison
3286:19 October
3194:"certutil"
3070:3 November
2613:22 October
2319:3 February
2103:Wired News
2098:USCYBERCOM
2057:10 October
2021:10 October
1950:10 October
1832:3 December
1795:10 October
1759:Rivest, R.
1746:References
1573:MD5 hashes
1498:leftrotate
1362:Main loop:
1143:Pseudocode
648:PowerShell
593:b6ff72a70
566:b6ff72a70
464:PostScript
417:validity.
349:collisions
303:RFC errata
272:Xuejia Lai
264:collisions
242:RIPEMD-160
173:to verify
56:April 1992
4455:Plaintext
3924:KDF1/KDF2
3843:functions
3829:Whirlpool
3469:EUROCRYPT
3386:EUROCRYPT
2829:10 August
2553:Announced
2477:Eurocrypt
2288:5 October
2249:5 October
1971:BishopFox
1710:HashClash
1673:Libgcrypt
1638:streaming
1111:¬
1105:∨
1099:∧
1093:⊕
1059:¬
1056:∨
1047:⊕
1003:⊕
997:⊕
948:¬
945:∧
936:∨
925:∧
873:∧
865:¬
859:∨
848:∧
748:⊞
689:Algorithm
522:Microsoft
411:checksums
278:cluster.
104:Structure
43:Designers
4594:Category
4500:Kademlia
4460:Codetext
4403:(CSPRNG)
4149:CRYPTREC
3980:Poly1305
3900:yescrypt
3814:Streebog
3694:CubeHash
3674:(winner)
3523:Archived
3511:Archived
3434:9 August
3428:Archived
3351:Archived
3330:Archived
3312:10 April
3306:Archived
3280:Archived
3260:10 April
3254:Archived
3234:10 April
3228:Archived
3202:Archived
3198:certutil
3172:Archived
3154:16512325
3061:Archived
3059:. IACR.
3037:13 April
3006:10 April
3000:Archived
2946:Archived
2922:9 August
2916:Archived
2896:9 August
2890:Archived
2870:9 August
2864:Archived
2766:9 August
2740:9 August
2734:Archived
2704:CNET.com
2682:Archived
2581:Archived
2556:Archived
2540:Archived
2451:25 March
2445:Archived
2425:31 March
2388:31 March
2379:Archived
2347:Archived
2313:Archived
2282:Archived
2243:Archived
2202:Archived
2169:10 April
2163:Archived
2137:Archived
2107:Archived
2076:Archived
2051:Archived
2015:Archived
1912:Archived
1823:Archived
1715:MD5Crypt
1694:See also
1668:Crypto++
1663:cryptlib
1311:for each
1303:message
1284:"0" bit
1270:"1" bit
736:places;
668:password
643:checksum
635:software
499:VeriSign
491:RapidSSL
487:Lausanne
324:Security
276:IBM p690
171:checksum
18:MD5 hash
4270:General
4055:Attacks
3985:SipHash
3941:CBC-MAC
3875:LM hash
3855:Balloon
3719:HAS-160
3492:6 March
2587:10 June
2353:17 June
2143:28 July
2113:29 July
1720:md5deep
1688:wolfSSL
1683:OpenSSL
1512:end for
1502:end for
1460:else if
1440:else if
1412:else if
1314:512-bit
1205:end for
481:at the
99:512 bit
89:128 bit
71:, MD5,
38:General
4381:Keygen
4215:Pepper
4154:NESSIE
4101:Design
3895:scrypt
3890:PBKDF2
3865:Catena
3860:bcrypt
3850:Argon2
3809:Snefru
3804:Shabal
3799:SWIFFT
3779:RIPEMD
3774:N-hash
3749:MASH-2
3744:MASH-1
3729:Kupyna
3689:BLAKE3
3672:Keccak
3657:Grøstl
3634:BLAKE2
3475:
3411:
3392:
3152:
3142:
3105:
2825:(2): 1
2795:7 June
2666:RIPEMD
1888:
1863:
1725:md5sum
1678:Nettle
1634:md5sum
1626:octets
1530:append
1526:append
1522:append
1316:chunk
1293:append
1282:append
1268:append
790:rounds
784:, and
766:padded
639:md5sum
602:nibble
537:prefix
255:was a
253:MD5CRK
115:Rounds
61:Series
4411:(PRN)
4009:modes
3885:Makwa
3880:Lyra2
3870:crypt
3819:Tiger
3769:MDC-2
3724:HAVAL
3709:Fugue
3667:Skein
3652:BLAKE
3629:SHA-3
3624:SHA-2
3618:SHA-1
3486:(PDF)
3465:(PDF)
3150:S2CID
3064:(PDF)
3057:(PDF)
2942:Wired
2815:(PDF)
2644:(PDF)
2633:(PDF)
2512:(PDF)
2501:(PDF)
2419:(PDF)
2408:(PDF)
2382:(PDF)
2375:(PDF)
2343:ZDNet
2133:(PDF)
1826:(PDF)
1815:(PDF)
1740:SHA-2
1735:SHA-1
1653:Botan
1630:bytes
1606:MD5("
1592:MD5("
1587:ASCII
1286:until
1166:s, K
526:Flame
468:X.509
430:Flame
426:SHA-2
388:SHA-1
291:X.509
238:SHA-1
4210:Salt
4174:CNSA
4041:IAPM
3995:VMAC
3990:UMAC
3975:PMAC
3970:CMAC
3966:OMAC
3961:NMAC
3956:HMAC
3951:GMAC
3920:HKDF
3789:SIMD
3739:Lane
3714:GOST
3699:ECOH
3586:List
3573:and
3494:2008
3473:ISBN
3455:(2).
3436:2010
3409:ISBN
3390:ISBN
3359:2020
3314:2014
3288:2014
3262:2014
3236:2014
3210:2023
3180:2023
3140:ISBN
3128:IEEE
3103:ISBN
3072:2014
3039:2015
3008:2014
2981:2008
2954:2008
2924:2010
2898:2010
2872:2010
2831:2010
2797:2012
2768:2010
2742:2010
2716:2009
2652:2009
2615:2013
2589:2015
2548:2008
2453:2011
2427:2010
2390:2010
2355:2019
2321:2017
2290:2013
2251:2013
2210:2013
2171:2014
2145:2011
2115:2011
2059:2018
2023:2018
1983:2014
1952:2018
1886:ISBN
1861:ISBN
1834:2013
1797:2018
1790:1321
1773:IETF
1569:C))
1518:char
1464:then
1444:then
1416:then
1392:then
1370:from
1259:// D
1249:// C
1239:// B
1229:// A
1193:from
1135:and
483:EPFL
358:GPUs
146:The
4046:OCB
4036:GCM
4031:EAX
4026:CWC
4016:CCM
3946:DAA
3824:VSH
3794:SM3
3764:MD6
3759:MD4
3754:MD2
3734:LSH
3704:FSB
3612:MD5
3132:doi
3095:doi
2844:sic
2838:sic
2274:doi
2233:doi
2194:doi
1857:290
1787:RFC
1777:doi
1730:MD6
1567:xor
1565:(B
1563:and
1561:(D
1559:xor
1555:xor
1553:(C
1551:and
1549:(B
1547:xor
1534://
1532:d0
1528:c0
1524:b0
1515:var
1505://
1491://
1484://
1482:16
1480:mod
1476:not
1470:(B
1468:xor
1456:mod
1452:xor
1448:xor
1436:mod
1432:and
1430:D)
1428:not
1422:B)
1420:and
1408:and
1406:B)
1404:not
1398:C)
1396:and
1384:int
1381:var
1376:63
1366:for
1360://
1356:int
1353:var
1349:int
1346:var
1342:int
1339:var
1335:int
1332:var
1326://
1305://
1297:mod
1276://
1262://
1255:int
1252:var
1245:int
1242:var
1235:int
1232:var
1225:int
1222:var
1216://
1208://
1199:63
1189:for
1183://
1175://
1171:int
1168:var
1164:int
1161:var
1155://
1137:NOT
1129:AND
1125:XOR
611:MPI
485:in
401:or
396:SSL
211:MD4
207:MIT
205:of
164:MD4
156:bit
73:MD6
69:MD4
65:MD2
33:MD5
4615::
3662:JH
3471:.
3467:.
3451:.
3447:.
3349:.
3278:.
3196:.
3148:.
3138:.
3101:.
3025:.
2940:.
2833:.
2821:.
2817:.
2776:^
2702:.
2635:.
2606:.
2538:.
2520:^
2503:.
2474:.
2470:.
2443:.
2410:.
2345:.
2341:.
2329:^
2307:.
2280:.
2272:.
2268:.
2241:.
2231:.
2227:.
2200:.
2192:.
2188:.
2135:.
2101:.
2095:.
2049:.
2043:.
2013:.
2007:.
1999:;
1969:.
1936:.
1900:^
1859:.
1821:.
1817:.
1785:.
1771:.
1765:.
1628:,
1472:or
1450:C
1426:((
1424:or
1402:((
1400:or
1388:if
1378:do
1374:to
1372:0
1368:i
1322:do
1318:of
1301:to
1299:2
1272:to
1201:do
1197:to
1195:0
1191:i
1181:}
1173:i
1151:.
1133:OR
1131:,
1127:,
780:,
776:,
641:)
513:,
509:,
505:,
436:.
378:.
343:A
285:,
251:.
244:.
189:.
67:,
4255:e
4248:t
4241:v
3968:/
3563:e
3556:t
3549:v
3496:.
3453:2
3438:.
3417:.
3398:.
3361:.
3316:.
3290:.
3264:.
3238:.
3212:.
3182:.
3156:.
3134::
3111:.
3097::
3074:.
3041:.
3010:.
2983:.
2956:.
2926:.
2900:.
2874:.
2823:2
2799:.
2770:.
2744:.
2718:.
2654:.
2617:.
2591:.
2566:.
2550:.
2455:.
2429:.
2392:.
2357:.
2323:.
2292:.
2276::
2253:.
2235::
2212:.
2196::
2173:.
2147:.
2117:.
2061:.
2025:.
1985:.
1954:.
1894:.
1869:.
1836:.
1799:.
1779::
1612:.
1474:(
1108:,
1102:,
1096:,
1067:)
1063:D
1053:B
1050:(
1044:C
1041:=
1034:)
1031:D
1028:,
1025:C
1022:,
1019:B
1016:(
1013:I
1006:D
1000:C
994:B
991:=
984:)
981:D
978:,
975:C
972:,
969:B
966:(
963:H
956:)
952:D
942:C
939:(
933:)
929:D
922:B
919:(
916:=
909:)
906:D
903:,
900:C
897:,
894:B
891:(
888:G
881:)
877:D
869:B
862:(
856:)
852:C
845:B
842:(
839:=
832:)
829:D
826:,
823:C
820:,
817:B
814:(
811:F
794:F
786:D
782:C
778:B
774:A
738:s
734:s
728:s
719:i
715:K
708:i
704:M
699:F
591:a
587:2
583:3
579:7
575:f
571:0
564:2
560:a
556:b
552:f
548:7
544:8
140:.
119:4
20:)
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.