ISO/IEC 10118-3:2004
Information technology — Security techniques — Hash-functions — Part 3: Dedicated hash-functions
ISO/IEC 10118-3:2004 specifies the following seven dedicated hash-functions, i.e. specially-designed hash-functions: the first hash-function (RIPEMD-160) in Clause 7 provides hash-codes of lengths up to 160 bits; the second hash-function (RIPEMD-128) in Clause 8 provides hash-codes of lengths up to 128 bits; the third hash-function (SHA-1) in Clause 9 provides hash-codes of lengths up to 160 bits; the fourth hash-function (SHA-256) in Clause 10 provides hash-codes of lengths up to 256 bits; the fifth hash-function (SHA-512) in Clause 11 provides hash-codes of lengths up to 512 bits; the sixth hash-function (SHA-384) in Clause 12 provides hash-codes of a fixed length, 384 bits; and the seventh hash-function (WHIRLPOOL) in Clause 13 provides hash-codes of lengths up to 512 bits. For each of these dedicated hash-functions, ISO/IEC 10118-3:2004 specifies a round-function that consists of a sequence of sub-functions, a padding method, initializing values, parameters, constants, and an object identifier as normative information, and also specifies several computation examples as informative information.
Technologies de l'information — Techniques de sécurité — Fonctions de brouillage — Partie 3: Fonctions de brouillage dédiées
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 10118-3
Third edition 2004-03-01
Information technology — Security techniques — Hash-functions — Part 3: Dedicated hash-functions
Technologies de l'information — Techniques de sécurité — Fonctions de brouillage — Partie 3: Fonctions de brouillage dédiées
Reference number ISO/IEC 10118-3:2004(E)
© ISO/IEC 2004
© ISO/IEC 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols (and abbreviated terms)
4.1 Symbols specified in ISO/IEC 10118-1
4.2 Symbols specific to this part
5 Requirements
6 Model for dedicated hash-functions
7 Dedicated Hash-Function 1 (RIPEMD-160)
7.1 Parameters, functions and constants
7.2 Padding method
7.3 Description of the round-function
8 Dedicated Hash-Function 2 (RIPEMD-128)
8.1 Parameters, functions and constants
8.2 Padding method
8.3 Description of the round-function
9 Dedicated Hash-Function 3 (SHA-1)
9.1 Parameters, functions and constants
9.2 Padding method
9.3 Description of the round-function
10 Dedicated Hash-Function 4 (SHA-256)
10.1 Parameters, functions and constants
10.2 Padding method
10.3 Description of the round-function
11 Dedicated Hash-Function 5 (SHA-512)
11.1 Parameters, functions and constants
11.2 Padding method
11.3 Description of the round-function
12 Dedicated Hash-Function 6 (SHA-384)
12.1 Parameters, functions and constants
12.2 Padding method
12.3 Description of the round-function
13 Dedicated Hash-Function 7 (WHIRLPOOL)
13.1 Parameters, functions and constants
13.2 Padding method
13.3 Description of the round-function
Annex A (informative) Examples
Annex B (informative) Formal specifications
Annex C (normative) ASN.1 Module
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
ISO/IEC 10118-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 10118-3:2003), which has been
technically revised.
ISO/IEC 10118 consists of the following parts, under the general title Information technology — Security
techniques — Hash-functions:
Part 1: General
Part 2: Hash-functions using an n-bit block cipher
Part 3: Dedicated hash-functions
Part 4: Hash-functions using modular arithmetic
Introduction
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
draw attention to the fact that it is claimed that compliance with this International Standard may involve the
use of patents.
ISO and IEC take no position concerning the evidence, validity and scope of this patent right.
The holder of this patent right has assured ISO and IEC that he is willing to negotiate licences under
reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect,
the statement of the holder of this patent right is registered with the ISO and IEC. Information may be obtained
from:
ISO/IEC JTC 1/SC 27 Standing Document 8 (SD8) “Patent Information”
Standing Document 8 (SD8) is publicly available at: http://www.ni.din.de/sc27
Attention is drawn to the possibility that some of the elements of this International Standard may be the
subject of patent rights other than those identified above. ISO and IEC shall not be held responsible for
identifying any or all such patent rights.
1 Scope
This part of ISO/IEC 10118 specifies dedicated hash-functions, i.e. specially designed hash-functions. The
hash-functions in this part of ISO/IEC 10118 are based on the iterative use of a round-function. Seven distinct
round-functions are specified, giving rise to distinct dedicated hash-functions.
The first and third dedicated hash-functions in Clauses 7 and 9 respectively provide hash-codes of lengths up
to 160 bits; the second in Clause 8 provides hash-codes of lengths up to 128 bits; the fourth in Clause 10
provides hash-codes of lengths up to 256 bits; the sixth in Clause 12 provides hash-codes of a fixed length,
384 bits; and the fifth and seventh in Clauses 11 and 13 respectively provide hash-codes of lengths up to
512 bits.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10118-1:2000, Information technology — Security techniques — Hash-functions — Part 1: General
3 Terms and definitions
For the purposes of this part of ISO/IEC 10118, the definitions given in ISO/IEC 10118-1 and the following
apply.
3.1
block
a bit-string of length $L_1$, i.e., the length of the first input to the round-function
3.2
word
a string of 32 bits used in dedicated hash-functions 1, 2, 3 and 4 of Clauses 7, 8, 9 and 10 respectively, or a
string of 64 bits used in dedicated hash-functions 5 and 6 of Clauses 11 and 12 respectively
3.3
matrix
an 8 by 8 matrix in which each entry is a string of 8 bits used in dedicated hash-function 7 of Clause 13
4 Symbols (and abbreviated terms)
4.1 Symbols specified in ISO/IEC 10118-1
This part of ISO/IEC 10118 makes use of the following symbols and notations defined in ISO/IEC 10118-1.
$B_i$ A byte.
D Data.
H Hash-code.
IV Initializing value.
$L_1$ The length (in bits) of the first of the two input strings to the round-function Φ.
$L_2$ The length (in bits) of the second of the two input strings to the round-function Φ, of the output string from the round-function Φ, and of the IV.
$L_X$ Length (in bits) of a bit-string X.
Φ A round-function, i.e., if X, Y are bit-strings of lengths $L_1$ and $L_2$ respectively, then Φ(X, Y) is the string obtained by applying Φ to X and Y.
X ⊕ Y Exclusive-or of strings of bits X and Y (where $L_X = L_Y$).
4.2 Symbols specific to this part
For the purpose of this part of ISO/IEC 10118, the following symbols and notations apply:
$a_i$, $a'_i$ Sequences of indices used in specifying a round-function.
$A^i$ A sequence of constant matrices used in specifying the round-function defined in Clause 13.
$c_0$ Function taking a string of 64 elements of GF($2^8$) as input, and giving an 8 by 8 matrix with entries from GF($2^8$) as output, used in specifying the round-function defined in Clause 13.
$c_1$, $c_2$, $c_3$ Functions taking an 8 by 8 matrix of elements of GF($2^8$) as input, and giving an 8 by 8 matrix with entries from GF($2^8$) as output, used in specifying the round-function defined in Clause 13.
$c_4$ Function taking two 8 by 8 matrices of elements of GF($2^8$) as input, and giving an 8 by 8 matrix with entries from GF($2^8$) as output, used in specifying the round-function defined in Clause 13.
$C_i$, $C'_i$ Constant words used in the round-functions.
C'' An 8 by 8 circulant matrix with entries chosen from GF($2^8$) used in specifying the round-function in Clause 13.
$D_i$ A block derived from the data-string after the padding process.
$d_i$, $e_i$, $f_i$, $g_i$ Functions taking either one or three words as input and producing a single word as output, used in specifying round-functions.
$H_i$ A string of $L_2$ bits which is used in the hashing operation to store an intermediate result.
GF($2^8$) A field defined as GF(2)[x] / $p_8(x)$ where $p_8(x) = x^8 + x^4 + x^3 + x^2 + 1$. The elements of the field are 8-bit strings.
M An 8 by 8 matrix whose entries are chosen from GF($2^8$).
q The number of blocks in the data string after the padding and splitting processes.
$R^n()$ The operation of right shift by n bits, i.e. if A is a word and n is a non-negative integer then $R^n(A)$ denotes the word obtained by right-shifting the contents of A by n places.
s A nonlinear substitution box, which replaces an element x ∈ GF($2^8$) with another element s[x] ∈ GF($2^8$).
$S^n()$ The operation of ‘circular left shift’ by n bit positions, i.e. if A is a word and n is a non-negative integer then $S^n(A)$ denotes the word obtained by left-shifting the contents of A by n places in a cyclic fashion.
$S'^n()$ The operation of ‘circular right shift’ by n bit positions, i.e. if A is a word and n is a non-negative integer then $S'^n(A)$ denotes the word obtained by right-shifting the contents of A by n places in a cyclic fashion.
$t_i$, $t'_i$ Shift-values used in specifying a round-function.
W, $X_i$, $X'_i$, $Y_i$, $Z_i$ Words used to store the results of intermediate computations.
W', X'', $K_i$, Y', Z' Matrices with entries chosen from GF($2^8$) used to store the results of intermediate computations.
∧ The bit-wise logical AND operation on bit-strings, i.e. if A, B are words then A ∧ B is the word equal to the bit-wise logical AND of A and B.
∨ The bit-wise logical OR operation on bit-strings, i.e. if A, B are words then A ∨ B is the word equal to the bit-wise logical OR of A and B.
¬ The bit-wise logical NOT operation on a bit-string, i.e., if A is a word then ¬A is the word equal to the bit-wise logical NOT of A.
⊎ The modulo $2^w$ addition operation, where w is the number of bits in a word. I.e. if A and B are words, then A ⊎ B is the word obtained by treating A and B as the binary representations of integers and computing their sum modulo $2^w$, where the result is constrained to lie between 0 and $2^w - 1$ inclusive. The value of w is 32 for dedicated hash-functions 1-4, defined in Clauses 7-10, and 64 for dedicated hash-functions 5 and 6, defined in Clauses 11 and 12.
• The multiplication operation of 8 by 8 matrices with entries chosen from GF($2^8$). I.e. if A and B are such matrices, then A•B is the matrix obtained by multiplying A and B in the following way: treat each entry of either A or B as the binary polynomial representation of an integer (for example, the binary polynomial representation of integer 89 (hexadecimal) is $x^7 + x^3 + 1$); treat a multiplication of two of the entries as the remainder when a multiplication of the two polynomials is divided by a polynomial $p_8(x)$, where $p_8(x) = x^8 + x^4 + x^3 + x^2 + 1$; and treat a sum operation as the operation ⊕.
:= A symbol denoting the ‘set equal to’ operation used in procedural specifications of round-functions, where it indicates that the word (or the matrix in Clause 13) on the left side of the symbol shall be made equal to the value of the expression on the right side of the symbol.
5 Requirements
Users who wish to employ a hash-function from this part of ISO/IEC 10118 shall select:
one of the dedicated hash-functions specified below; and
the length $L_H$ of the hash-code H.
NOTE The first and second dedicated hash-functions are defined so as to facilitate software implementations for ‘little-endian’ computers, i.e., where the lowest-addressed byte in a word is interpreted as the least significant; conversely, the third, fourth, fifth and sixth dedicated hash-functions are defined so as to facilitate software implementations for ‘big-endian’ computers, i.e., where the lowest-addressed byte in a word is interpreted as the most significant. However, by adjusting the definition appropriately, any of these six round-functions can be implemented on a ‘big-endian’ or a ‘little-endian’ computer. The seventh dedicated hash-function is defined to be ‘endian-neutral’, in the sense that it uses no endian-sensitive arithmetical operation (such as integer addition). If sequences of elements from GF($2^8$) (i.e., bytes) are mapped to computer words to parallelize such operations as exclusive-or, the byte disposition within a word is irrelevant, as long as the inverse mapping is consistent. All the hash-functions defined in this part of ISO/IEC 10118 take a bit-string as input and give a bit-string as output; this is independent of the internal byte-ordering convention used within each hash-function.
NOTE The choice of $L_H$ affects the security of the hash-function. All of the hash-functions specified in this part of ISO/IEC 10118 are believed to be collision-resistant hash-functions in environments where performing $2^{L_H/2}$ hash-code computations is deemed to be computationally infeasible.
6 Model for dedicated hash-functions
The hash-functions specified in this part of ISO/IEC 10118 are based on the general model for hash-functions
given in part 1 of this standard, i.e., ISO/IEC 10118-1:2000.
In the specifications of the hash-functions in this part of ISO/IEC 10118, it is assumed that the padded data-string input to the hash-function is in the form of a sequence of bytes. If the padded data-string is in the form of a sequence of 8n bits, $x_0, x_1, \ldots, x_{8n-1}$, then it shall be interpreted as a sequence of n bytes, $B_0, B_1, \ldots, B_{n-1}$, in the following way. Each group of eight consecutive bits is considered as a byte, the first bit of a group being the most significant bit of that byte. Hence
$B_i = 2^7 x_{8i} + 2^6 x_{8i+1} + \cdots + x_{8i+7}$
for every i (0 ≤ i < n).
The output transformation for the hash-functions specified in this part of ISO/IEC 10118 is that the hash-code H is derived by taking the leftmost $L_H$ bits of the final $L_2$-bit output string $H_q$.
Identifiers are defined for each of the seven dedicated hash-functions specified in this standard. The hash-
function identifiers for the dedicated hash-functions specified in Clauses 7, 8, 9, 10, 11, 12 and 13 are equal to
31, 32, 33, 34, 35, 36 and 37 (hexadecimal) respectively. The range of values from 38 to 3F (hexadecimal)
are reserved for future use as hash-function identifiers by this part of ISO/IEC 10118. The hash-function
identifiers are also used in the OSI object identifiers assigned in Annex C.
7 Dedicated Hash-Function 1 (RIPEMD-160)
In this Clause we specify a padding method, an initializing value, and a round-function for use in the general model for hash-functions described in ISO/IEC 10118-1:2000. The padding method, initializing value and round-function specified here, when used in the above general model, together define Dedicated Hash-Function 1. This dedicated hash-function can be applied to all data strings D containing at most $2^{64} - 1$ bits.
The ISO/IEC hash-function identifier for Dedicated Hash-Function 1 is equal to 31 (hexadecimal).
NOTE Dedicated Hash-Function 1 defined in this clause is commonly called RIPEMD-160, [3].
7.1 Parameters, functions and constants
7.1.1 Parameters
For this hash-function $L_1 = 512$, $L_2 = 160$ and $L_H$ is up to 160.
7.1.2 Byte ordering convention
In the specification of the round-function of this clause it is assumed that the block input to the round-function is in the form of a sequence of 32-bit words, each 512-bit block being made up of 16 such words. A sequence of 64 bytes, $B_0, B_1, \ldots, B_{63}$, shall be interpreted as a sequence of 16 words, $Z_0, Z_1, \ldots, Z_{15}$, in the following way. Each group of four consecutive bytes is considered as a word, the first byte of a word being the least significant byte of that word. Hence
$Z_i = 2^{24} B_{4i+3} + 2^{16} B_{4i+2} + 2^8 B_{4i+1} + B_{4i}$, (0 ≤ i ≤ 15).
To convert the hash-code from a sequence of words to a byte-sequence, the inverse process shall be followed.
NOTE The byte-ordering specified here is different from that of subclause 9.1.2.
7.1.3 Functions
To facilitate software implementation, the round-function Φ is described in terms of operations on 32-bit words. A sequence of functions $g_0, g_1, \ldots, g_{79}$ is used in this round-function, where each function $g_i$, 0 ≤ i ≤ 79, takes three words $X_0$, $X_1$ and $X_2$ as input and produces a single word as output.
The functions $g_i$ are defined as follows:
$g_i(X_0, X_1, X_2) = X_0 \oplus X_1 \oplus X_2$, (0 ≤ i ≤ 15),
$g_i(X_0, X_1, X_2) = (X_0 \wedge X_1) \vee (\neg X_0 \wedge X_2)$, (16 ≤ i ≤ 31),
$g_i(X_0, X_1, X_2) = (X_0 \vee \neg X_1) \oplus X_2$, (32 ≤ i ≤ 47),
$g_i(X_0, X_1, X_2) = (X_0 \wedge X_2) \vee (X_1 \wedge \neg X_2)$, (48 ≤ i ≤ 63),
$g_i(X_0, X_1, X_2) = X_0 \oplus (X_1 \vee \neg X_2)$, (64 ≤ i ≤ 79).
7.1.4 Constants
Two sequences of constant words $C_0, C_1, \ldots, C_{79}$ and $C'_0, C'_1, \ldots, C'_{79}$ are used in this round-function. In a hexadecimal representation (where the most significant bit corresponds to the left-most bit) these are defined as follows:
$C_i$ = 00000000, (0 ≤ i ≤ 15),
$C_i$ = 5A827999, (16 ≤ i ≤ 31),
$C_i$ = 6ED9EBA1, (32 ≤ i ≤ 47),
$C_i$ = 8F1BBCDC, (48 ≤ i ≤ 63),
$C_i$ = A953FD4E, (64 ≤ i ≤ 79),
$C'_i$ = 50A28BE6, (0 ≤ i ≤ 15),
$C'_i$ = 5C4DD124, (16 ≤ i ≤ 31),
$C'_i$ = 6D703EF3, (32 ≤ i ≤ 47),
$C'_i$ = 7A6D76E9, (48 ≤ i ≤ 63),
$C'_i$ = 00000000, (64 ≤ i ≤ 79).
Two sequences of 80 shift-values are used in this round-function, where each shift-value is between 5 and 15. We denote these sequences by $(t_0, t_1, \ldots, t_{79})$ and $(t'_0, t'_1, \ldots, t'_{79})$. A further two sequences of 80 indices are used in this round-function, where each value in the sequence is between 0 and 15. We denote these sequences as $(a_0, a_1, \ldots, a_{79})$, and $(a'_0, a'_1, \ldots, a'_{79})$. All four sequences are defined in Table 1 below.
Table 1

i        0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
$t_i$   11  14  15  12   5   8   7   9  11  13  14  15   6   7   9   8
$t'_i$   8   9   9  11  13  15  15   5   7   7   8  11  14  14  12   6
$a_i$    0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
$a'_i$   5  14   7   0   9   2  11   4  13   6  15   8   1  10   3  12

i       16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31
$t_i$    7   6   8  13  11   9   7  15   7  12  15   9  11   7  13  12
$t'_i$   9  13  15   7  12   8   9  11   7   7  12   7   6  15  13  11
$a_i$    7   4  13   1  10   6  15   3  12   0   9   5   2  14  11   8
$a'_i$   6  11   3   7   0  13   5  10  14  15   8  12   4   9   1   2

i       32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47
$t_i$   11  13   6   7  14   9  13  15  14   8  13   6   5  12   7   5
$t'_i$   9   7  15  11   8   6   6  14  12  13   5  14  13  13   7   5
$a_i$    3  10  14   4   9  15   8   1   2   7   0   6  13  11   5  12
$a'_i$  15   5   1   3   7  14   6   9  11   8  12   2  10   0   4  13

i       48  49  50  51  52  53  54  55  56  57  58  59  60  61  62  63
$t_i$   11  12  14  15  14  15   9   8   9  14   5   6   8   6   5  12
$t'_i$  15   5   8  11  14  14   6  14   6   9  12   9  12   5  15   8
$a_i$    1   9  11  10   0   8  12   4  13   3   7  15  14   5   6   2
$a'_i$   8   6   4   1   3  11  15   0   5  12   2  13   9   7  10  14

i       64  65  66  67  68  69  70  71  72  73  74  75  76  77  78  79
$t_i$    9  15   5  11   6   8  13  12   5  12  13  14  11   8   5   6
$t'_i$   8   5  12   9  12   5  14   6   8  13   6   5  15  13  11  11
$a_i$    4   0   5   9   7  12   2  10  14   1   3   8  11   6  15  13
$a'_i$  12  15  10   4   1   5   8   7   6   2  13  14   0   3   9  11
7.1.5 Initializing value
For this round-function the initializing value, IV, shall always be the following 160-bit string, represented here as a sequence of five words $Y_0, Y_1, Y_2, Y_3, Y_4$ in a hexadecimal representation, where $Y_0$ represents the left-most 32 of the 160 bits:
$Y_0$ = 67452301,
$Y_1$ = EFCDAB89,
$Y_2$ = 98BADCFE,
$Y_3$ = 10325476,
$Y_4$ = C3D2E1F0.
7.2 Padding method
The data string D needs to be padded to make it contain a number of bits which is an integer multiple of 512. The padding procedure operates as follows:
1. D is concatenated with a single ‘1’ bit.
2. The result of the previous step is concatenated with between zero and 511 ‘0’ bits such that the length (in bits) of the resultant string is congruent to 448 modulo 512. More explicitly, if the original length of D is $L_D$, and letting r be the remainder when $L_D$ is divided by 512, then the number of concatenated zeros is equal to either 447-r (if r ≤ 447) or 959-r (if r > 447). The result will be a bit string whose length will be 64 bits short of an integer multiple of 512 bits.
3. Divide the 64-bit binary representation of $L_D$ into two 32-bit strings, one representing the ‘most significant half’ of $L_D$ and the other the ‘least significant half’. Now concatenate the string resulting from the previous step with these two 32-bit strings, with the ‘least significant half’ preceding the ‘most significant half’.
In the description of the round-function which follows, each 512-bit data block $D_i$, 1 ≤ i ≤ q, is treated as a sequence of 16 words, $Z_0, Z_1, \ldots, Z_{15}$, where $Z_0$ corresponds to the left-most 32 bits of $D_i$.
NOTE The concatenation of the two 32-bit strings of $L_D$ in step 3 is such that these two 32-bit strings are used directly as the words $Z_{14}$ and $Z_{15}$ of the last data block; based on the byte ordering convention in Clause 7.1.2, the least significant octet of $L_D$ is the leftmost octet, and the most significant octet of $L_D$ is the rightmost octet.
7.3 Description of the round-function
The round-function Φ operates as follows. Note that, in this description, we use the symbols W, $X_0, X_1, X_2, X_3, X_4, X'_0, X'_1, X'_2, X'_3, X'_4$ to denote eleven distinct words which contain values required in the computations.
1. Suppose the 512-bit (first) input to Φ is contained in $Z_0, Z_1, \ldots, Z_{15}$, where $Z_0$ contains the left-most 32 of the 512 bits. Suppose also that the 160-bit (second) input to Φ is contained in five words, $Y_0, Y_1, Y_2, Y_3, Y_4$.
2. Let $X_0 := Y_0$, $X_1 := Y_1$, $X_2 := Y_2$, $X_3 := Y_3$ and $X_4 := Y_4$.
3. Let $X'_0 := Y_0$, $X'_1 := Y_1$, $X'_2 := Y_2$, $X'_3 := Y_3$ and $X'_4 := Y_4$.
...