SHA1 and MD5 are broken

SHA1 (RFC 3174) and MD5 (RFC 1321) legacy, broken hash functions. Don't use them in a new protocol. What "broken" means:

• Collisions can be made with 2^18 effort in MD5, 2^60 in SHA1.
• No practical pre-image attacks (only theoretical, 2^123.4)
• HMAC seems kinda ok: https://datatracker.ietf.org/doc/html/rfc6151

MD5 architecture is similar to SHA1, with some differences:

• reduced output length: 16 bytes (128 bit) instead of 20
• 64 rounds, instead of 80
• little-endian: could be faster, but will require more code
• non-linear index selection: huge speed-up for unroll
• per round constants: more memory accesses, additional speed-up for unroll