Information technology — Security techniques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a dedicated hash-function

Message Authentication Code (MAC) algorithms are data integrity mechanisms that compute a short string (the Message Authentication Code or MAC) as a complex function of every bit of the data and of a secret key. Their main security property is unforgeability: someone who does not know the secret key should not be able to predict the MAC on any new data string. MAC algorithms can be used to provide data integrity. Their purpose is the detection of any unauthorized modification of the data such as deletion, insertion, or transportation of items within data. This includes both malicious and accidental modifications. MAC algorithms can also provide data origin authentication. This means that they can provide assurance that a message has been originated by an entity in possession of a specific secret key. ISO/IEC 9797-2:2011 specifies three MAC algorithms that are based on a dedicated hash-function (selected from ISO/IEC 10118-3). ISO/IEC 9797-2:2011 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. The strength of the data integrity mechanism and message authentication mechanism is dependent on the length (in bits) k and secrecy of the key, on the length (in bits) n of the hash-function and its strength, on the length (in bits) m of the MAC, and on the specific mechanism. The first mechanism specified in ISO/IEC 9797-2:2011 is commonly known as MDx-MAC. It calls the complete hash-function once, but it makes a small modification to the round-function by adding a key to the additive constants in the round-function. The second mechanism specified in ISO/IEC 9797-2:2011 is commonly known as HMAC. It calls the complete hash-function twice. The third mechanism specified in ISO/IEC 9797-2:2011 is a variant of MDx-MAC that takes as input only short strings (at most 256 bits). It offers a higher performance for applications that work with short input strings only.

Technologies de l'information — Techniques de sécurité — Codes d'authentification de message (MAC) — Partie 2: Mécanismes utilisant une fonction de hachage dédiée

General Information

Status
Withdrawn
Publication Date
01-May-2011
Withdrawal Date
01-May-2011
Current Stage
9599 - Withdrawal of International Standard
Completion Date
23-Jun-2021
Ref Project

Relations

Buy Standard

Standard
ISO/IEC 9797-2:2011 - Information technology -- Security techniques -- Message Authentication Codes (MACs)
English language
39 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

INTERNATIONAL ISO/IEC
STANDARD 9797-2
Second edition
2011-05-01
Corrected version
2011-06-15


Information technology — Security
techniques — Message Authentication
Codes (MACs) —
Part 2:
Mechanisms using a dedicated
hash-function
Technologies de l'information — Techniques de sécurité — Codes
d'authentification de message (MAC) —
Partie 2: Mécanismes utilisant une fonction de hachage dédiée




Reference number
ISO/IEC 9797-2:2011(E)
©
ISO/IEC 2011

---------------------- Page: 1 ----------------------
ISO/IEC 9797-2:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC 9797-2:2011(E)
Contents Page
Foreword .iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .2
4 Symbols and notation.4
5 Requirements.5
6 MAC Algorithm 1 .6
6.1 Description of MAC Algorithm 1 .7
6.1.1 Step 1 (key expansion).7
6.1.2 Step 2 (modification of the constants and the IV).7
6.1.3 Step 3 (hashing operation) .7
6.1.4 Step 4 (output transformation).8
6.1.5 Step 5 (truncation).8
6.2 Efficiency.8
6.3 Computation of the constants.8
6.3.1 Dedicated Hash-Function 1 (RIPEMD-160) .9
6.3.2 Dedicated Hash-Function 2 (RIPEMD-128) .9
6.3.3 Dedicated Hash-Function 3 (SHA-1).10
6.3.4 Dedicated Hash-Function 4 (SHA-256).10
6.3.5 Dedicated Hash-Function 5 (SHA-512).10
6.3.6 Dedicated Hash-Function 6 (SHA-384).11
6.3.7 Dedicated Hash-Function 8 (SHA-224).11
7 MAC Algorithm 2 .12
7.1 Description of MAC Algorithm 2 .12
7.1.1 Step 1 (key expansion).12
7.1.2 Step 2 (hashing operation) .12
7.1.3 Step 3 (output transformation).12
7.1.4 Step 4 (truncation).13
7.2 Efficiency.13
8 MAC Algorithm 3 .13
8.1 Description of MAC Algorithm 3 .13
8.1.1 Step 1 (key expansion).13
8.1.2 Step 2 (modification of the constants and the IV).14
8.1.3 Step 3 (padding) .14
8.1.4 Step 4 (application of the round-function).14
8.1.5 Step 5 (truncation).15
8.2 Efficiency.15
Annex A (normative) ASN.1 Module .16
Annex B (informative) Examples .17
Annex C (informative) A security analysis of the MAC algorithms.37
Bibliography.39

© ISO/IEC 2011 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC 9797-2:2011(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
ISO/IEC 9797-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 9797-2:2002), which has been technically
revised by including MAC algorithms based on Dedicated Hash-Functions 4 – 7 of ISO/IEC 10118-3:2004 and
Dedicated Hash-Function 8 of ISO/IEC 10118-3/Amd.1:2006.
ISO/IEC 9797 consists of the following parts, under the general title Information technology — Security
techniques — Message Authentication Codes (MACs):
⎯ Part 1: Mechanisms using a block cipher
⎯ Part 2: Mechanisms using a dedicated hash-function
⎯ Part 3: Mechanisms using a universal hash-function
Further parts may follow.
This corrected version of ISO/IEC 9797-2:2011 incorporates corrections to subclauses 3.14, 6.3, 6.3.5 and
6.3.6.
iv © ISO/IEC 2011 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC 9797-2:2011(E)
Introduction
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
draw attention to the fact that it is claimed that compliance with this document may involve the use of a patent
concerning MAC Algorithm 1 (MDx-MAC) given in Clause 6.

ISO and IEC take no position concerning the evidence, validity and scope of this patent right.

The holder of this patent right has assured ISO and IEC that he is willing to negotiate licenses under
reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect,
the statement of the holder of this patent right is registered with ISO and IEC. Information may be obtained
from:
Entrust Technologies, Technology Licensing Dept., 1000 Innovation Drive, Ottawa, Ontario, Canada K2K 3E7.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.

© ISO/IEC 2011 – All rights reserved v

---------------------- Page: 5 ----------------------
INTERNATIONAL STANDARD ISO/IEC 9797-2:2011(E)

Information technology — Security techniques — Message
Authentication Codes (MACs) —
Part 2:
Mechanisms using a dedicated hash-function
1 Scope
This part of ISO/IEC 9797 specifies three MAC algorithms that use a secret key and a hash-function (or its
round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data
integrity mechanisms to verify that data has not been altered in an unauthorized manner. They can also be
used as message authentication mechanisms to provide assurance that a message has been originated by an
entity in possession of the secret key. The strength of the data integrity and message authentication
mechanisms is dependent on the entropy and secrecy of the key, on the length (in bits) n of a hash-code
produced by the hash-function, on the strength of the hash-function, on the length (in bits) m of the MAC, and
on the specific mechanism.

The three mechanisms specified in this part of ISO/IEC 9797 are based on the dedicated hash-functions
specified in ISO/IEC 10118-3. The first mechanism is commonly known as MDx-MAC. It calls the hash-
function once, but it makes a small modification to the round-function in the hash-function by adding a key to
the additive constants in the round-function. The second mechanism is commonly known as HMAC. It calls
the hash-function twice. The third mechanism is a variant of MDx-MAC that takes as input only short strings
(at most 256 bits). It offers higher performance for applications that work with short input data strings only.

This part of ISO/IEC 9797 can be applied to the security services of any security architecture, process, or
application.
NOTE A general framework for the provision of integrity services is specified in ISO/IEC 10181-6 [5].
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.

ISO/IEC 10118-3:2004, Information technology — Security techniques — Hash-functions — Part 3: Dedicated
hash-functions
ISO/IEC 10118-3:2004/Amd.1:2006, Information technology — Security techniques — Hash-functions —
Part 3: Dedicated hash-functions — Amendment 1: Dedicated Hash-Function 8 (SHA-224)
© ISO/IEC 2011 – All rights reserved 1

---------------------- Page: 6 ----------------------
ISO/IEC 9797-2:2011(E)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
block
bit-string of length L , i.e. the length of the first input to the round-function
1

[ISO/IEC 10118-3]

3.2
collision-resistant hash-function
hash-function satisfying the following property:

- it is computationally infeasible to find any two distinct inputs which map to the same output
[ISO/IEC 10118-1]
3.3
entropy
total amount of information yielded by a set of bits, representative of the work effort required for an adversary
to be able to reproduce the same set of bits

[ISO/IEC 18032]

3.4
input data string
string of bits which is the input to a hash-function
3.5
hash-code
string of bits which is the output of a hash-function
[ISO/IEC 10118-1]
3.6
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties:

- for a given output, it is computationally infeasible to find an input which maps to this output;
- for a given input, it is computationally infeasible to find a second input which maps to the same
output
[ISO/IEC 10118-1]
3.7
initializing value
value used in defining the starting point of a hash-function
[ISO/IEC 10118-1]

3.8
MAC algorithm key
key that controls the operation of a MAC algorithm
[ISO/IEC 9797-1]
2 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 7 ----------------------
ISO/IEC 9797-2:2011(E)
3.9
Message Authentication Code (MAC)
string of bits which is the output of a MAC algorithm

NOTE A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2 [1]).

[ISO/IEC 9797-1]

3.10
Message Authentication Code (MAC) algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits,
satisfying the following two properties:
- for any key and any input string, the function can be computed efficiently;
- for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the
function value on any new input string, even given knowledge of the set of input strings and
corresponding function values, where the value of the ith input string may have been chosen after
observing the value of the first i-1 function values (for integer i > 1)
NOTE 1 A MAC algorithm is sometimes called a cryptographic check function (see for example ISO 7498-2 [1]).
NOTE 2 Computational feasibility depends on the user's specific security requirements and environment.
[ISO/IEC 9797-1]

3.11
output transformation
function that is applied at the end of the MAC algorithm, before the truncation operation
[ISO/IEC 9797-1]

3.12
padding
appending extra bits to a data string

[ISO/IEC 10118-1]

3.13
round-function
function that transforms two binary strings of lengths L and L to a binary string of length L
1 2 2
NOTE 1 It is used iteratively as part of a hash-function, where it combines a data string of length L with the previous
1
output of length L .
2

[ISO/IEC 10118-1]
NOTE 2 This function is also referred to as compression function in a certain hash-function text.
3.14
security strength
a number associated with the amount of work (i.e. the number of operations) that is required to break a
cryptographic algorithm or system
NOTE Security strength is specified in bits, and is a specific value from the set {80, 112, 128, 192, 256}. A security
b
strength of b bits means that of the order of 2 operations are required to break the system.
3.15
word
string of 32 bits used in Dedicated Hash-Functions 1, 2, 3, 4 and 8, or a string of 64 bits used in Dedicated
Hash-Functions 5 and 6 of ISO/IEC 10118-3
[ISO/IEC 10118-3]
© ISO/IEC 2011 – All rights reserved 3

---------------------- Page: 8 ----------------------
ISO/IEC 9797-2:2011(E)
4 Symbols and notation
This part of ISO/IEC 9797 makes use of the following symbols and notation defined in ISO/IEC 9797-1 [3]:
D the input data string, i.e. the data string to be input to the MAC algorithm.
m  the length (in bits) of the MAC.
q the number of blocks in the input data string D after the padding and splitting process.
j ~ X the string obtained from the string X by taking the leftmost j bits of X.
X ⊕ Y bitwise exclusive-or of bit-strings X and Y.
X || Y concatenation of bit-strings X and Y (in that order).
:= a symbol denoting the 'set equal to' operation used in the procedural specifications of MAC
algorithms, where it indicates that the value of the string on the left side of the symbol shall be made
equal to the value of the expression on the right side of the symbol.
For the purposes of this part of ISO/IEC 9797, the following symbols and notation apply:
D padded data string.
h  hash-function.
h' the hash-function h with modified constants and modified IV.
h simplified hash-function h without the padding and length appending, and without truncating the
round-function output (L bits) to its left-most L bits.
2 H
NOTE 1 h shall only be applied to input strings with a length that is a positive integer multiple of L .
1

NOTE 2 The output of h should be L2 bits rather than LH bits; in particular, in Dedicated Hash-Functions 6 and
8 defined in ISO/IEC 10118-3, L is always smaller than L .
H 2

H', H'' strings of L bits which are used in the MAC algorithm computation to store an intermediate result.
2
IV', IV , IV initializing values.
1 2
k length (in bits) of the MAC algorithm key.
K secret MAC algorithm key.
K',K ,K ,K ,K,K ,K secret MAC algorithm derived keys.
0 1 2 1 2
KT the first input string of the function φ' used in the output transformation step of MAC Algorithm 1.
~
L the bit string encoding the message length in MAC Algorithm 3.
OPAD, IPAD constant strings used in MAC Algorithm 2.
R, S , S , S constant strings used in the computation of the constants for MAC Algorithm 1 and MAC
0 1 2
Algorithm 3.
T , T , T constant strings used in the key derivation for MAC Algorithm 1 and MAC Algorithm 3.
0 1 2
4 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 9 ----------------------
ISO/IEC 9797-2:2011(E)
U , U , U constant strings used in the key derivation for MAC Algorithm 1 and MAC Algorithm 3.
0 1 2
φ' round-function with modified constants.
K [i] the ith word of the string K , i.e. K = K [0] || K [1] || K [2] || K [3].
1 1 1 1 1 1 1
This part of ISO/IEC 9797 makes use of the following symbols and notation defined in ISO/IEC 10118-1:
H hash-code.
IV initializing value.
L length (in bits) of a bit-string X.
X
This part of ISO/IEC 9797 makes use of the following symbols and notation defined in ISO/IEC 10118-3:
C, C' constant words used in the round-functions.
i i
L the length (in bits) of the first of the two input strings to the round-function φ.
1
L the length (in bits) of the second of the two input strings to the round-function φ, of the output string
2
from the round-function φ, and of IV.
w the length (in bits) of a word; w is 32 when using Dedicated Hash-Functions 1, 2, 3, 4 and 8 of
ISO/IEC 10118-3, and w is 64 when using Dedicated Hash-Functions 5 and 6 of ISO/IEC 10118-3.
φ a round-function, i.e. if X and Y are bit-strings of lengths L and L respectively, then φ (X,Y) is the
1 2
string obtained by applying φ to X and Y.
w
Ψ the modulo 2 addition operation, where w is the number of bits in a word. So, if A and B are words,
then AΨB is the word obtained by treating A and B as the binary representations of integers and
w w
computing their sum modulo 2 , and the result is constrained to lie between 0 and 2 -1 inclusive. The
value of w is 32 in Dedicated Hash-Functions 1, 2, 3, 4 and 8, and 64 in Dedicated Hash-Functions 5
and 6.

5 Requirements
Users who wish to employ a MAC algorithm from this part of ISO/IEC 9797 shall select:
• a MAC algorithm from amongst those specified in Clauses 6, 7, and 8;
• a dedicated hash-function from the functions specified in ISO/IEC 10118-3; and
• the length (in bits) m of the MAC.
NOTE 1 The use of MAC Algorithms 1 and 3 with Dedicated Hash-Function 7 of ISO/IEC 10118-3 is not specified in this
part of ISO/IEC 9797.

Agreement on these choices amongst the users is essential for use of the data integrity mechanism.

The key K used in a MAC algorithm shall have entropy that meets or exceeds the security strength to be
provided by the MAC algorithm.

NOTE 2 In every case, the MAC algorithm key K shall be chosen such that every possible key is approximately equally
likely to be selected.
© ISO/IEC 2011 – All rights reserved 5

---------------------- Page: 10 ----------------------
ISO/IEC 9797-2:2011(E)
For MAC Algorithms 1 and 2, the length m of the MAC shall be a positive integer less than or equal to the
length of the hash-code L . For MAC Algorithm 3, the length m of the MAC shall be a positive integer less
H
than or equal to half the length of the hash-code, i.e., m ≤ L /2.
H

64
For MAC Algorithms 1 and 2, the length in bits of the input data string D shall be at most 2 - 1 when using
128
Dedicated Hash-Functions 1, 2, 3, 4 and 8, and at most 2 – 1 when using Dedicated Hash-Functions 5 and
256
6. For MAC Algorithm 2, it shall be at most 2 – 1 when using Dedicated Hash-Function 7. For MAC
Algorithm 3, it shall be at most 256.

The selection of a specific MAC algorithm, dedicated hash-function, and value for m is beyond the scope of
this part of ISO/IEC 9797.
NOTE 3 These choices affect the security level of the MAC algorithm. For a detailed discussion, see Annex C.

The key used for calculating and verifying the MAC shall be the same. If the input data string is also being
enciphered, the key used for the calculation of the MAC shall be different from that used for encipherment.
NOTE 4 It is considered to be good cryptographic practice to have independent keys for confidentiality and for data
integrity.
6 MAC Algorithm 1
NOTE 1 This clause contains a description of MDx-MAC [9] with Dedicated Hash-Functions 1 – 6 and 8. Table 1 shows
the commonly known names of MDx-MAC with individual dedicated hash-functions.

Table 1 –The MDx-MAC algorithm with different Dedicated Hash-Functions

Dedicated Hash-Function: The MDx-MAC algorithm is also known as
Dedicated Hash-Function 1 RIPEMD-160-MAC
Dedicated Hash-Function 2 RIPEMD-128-MAC
Dedicated Hash-Function 3 SHA-1-MAC
Dedicated Hash-Function 4 SHA-256-MAC
Dedicated Hash-Function 5 SHA-512-MAC
Dedicated Hash-Function 6 SHA-384-MAC
Dedicated Hash-Function 8 SHA-224-MAC


NOTE 2 The use of MAC Algorithm 1 with Dedicated Hash-Function 7 of ISO/IEC 10118-3 is not specified in this part of
ISO/IEC 9797.

MAC Algorithm 1 requires one application of the hash-function to compute a MAC value, but requires that the
constants in the corresponding round-function are modified.

The hash-function shall be selected from Dedicated Hash-Functions 1 – 6 from ISO/IEC 10118-3:2004, and
Dedicated Hash-Function 8 from ISO/IEC 10118-3:2004/Amd.1:2006.

The bit length of the key k shall be at most 128 bits.

6 © ISO/IEC 2011 – All rights reserved

---------------------- Page: 11 ----------------------
ISO/IEC 9797-2:2011(E)
6.1 Description of MAC Algorithm 1
MAC algorithm 1 involves the following five steps: key expansion, modification of the constants and the IV,
hashing operation, output transformation, and truncation.
6.1.1 Step 1 (key expansion)
If K is shorter than 128 bits, concatenate K to itself ⎡128/K⎤ times and select the leftmost 128 bits of the result
to form the 128-bit key K' (if the length (in bits) of K is equal to 128, K' := K):
K' := 128 ~ (K || K || … || K).

Compute the subkeys K , K , and K as follows:
0 1 2
K := h ( K' || U || K')
0 0
K :=  128 ~ h ( K' || U || K'), when using Dedicated Hash-Functions 1, 2 and 3
1 1
K :=  256 ~ h ( K' || U || K'), when using Dedicated Hash-Functions 4, 5, 6 and 8
1 1
K := 128 ~ h ( K' || U || K').
2 2

Here U , U , and U are 768-bit constants that are defined in Clause 6.3, and h denotes a simplified hash-
0 1 2
function h, i.e., without the padding and length appending, and without truncating the round-function output (L
2
bits) to its left-most L bits.
H

NOTE 1 Padding and length appending are omitted because in this case the length of the input string is either L bits or
1
2L bits.
1

NOTE 2 Truncation is omitted because in this case the length of K is always L bits, which is at least L .
0 2 H

When using Dedicated Hash-Functions 1, 2, 3, 5 and 6, the derived key K is split into four words denoted by
1
K [i] (0 ≤ i ≤ 3), i.e.
1
K = K [0] || K [1] || K [2] || K [3].
1 1 1 1 1
When using Dedicated Hash-Functions 4 and 8, the derived key K is split into eight words denoted by K [i]
1 1
(0 ≤ i ≤ 7), i.e.
K = K [0] || K [1] || K [2] || K [3]|| K [4] || K [5] || K [6] || K [7].
1 1 1 1 1 1 1 1 1
For the conversion of a string into words, a byte ordering convention is required. The byte ordering convention
for this conversion is that which is defined for the selected dedicated hash-function in ISO/IEC 10118-3.
6.1.2 Step 2 (modification of the constants and the IV)
When using Dedicated Hash-Functions 1, 2, 3, 4, 5, 6 and 8, the additive constants used in the round-function
w
are modified by the addition mod 2 of a word of K , e.g.,
1
C := C Ψ K [0].
0 0 1
Clause 6.3 indicates which word of K is added to each constant.
1
The initial value IV of the hash function is replaced by IV' := K . The function resulting from the changes in this
0
step is denoted by h', and its round-function is denoted by φ'.
6.1.3 Step 3 (hashing operation)
The string which is input to the modified hash-function h' is equal to the input data string D, i.e.
H' := h' (D).
© ISO/IEC 2011 – All rights reserved 7

---------------------- Page: 12 ----------------------
ISO/IEC 9797-2:2011(E)
6.1.4 Step 4 (output transformation)
The modified round-function φ' is applied one additional time, with first input the string KT (defined below) and
second input the string H' (the result of Step 3) i.e.
H'' := φ' (KT, H' ).
For Dedicated Hash-Functions 1, 2, 3, 4 and 8,
KT = K || (K ⊕ T ) || (K ⊕ T ) || (K ⊕ T ).
2 2 0 2 1 2 2
For Dedicated Hash-Functions 5 and 6,
KT = K || (K ⊕ T ) || (K ⊕ T ) || (K ⊕ T )|| K || (K ⊕ T ) || (K ⊕ T ) || (K ⊕ T ).
2 2 0 2 1 2 2 2 2 0 2 1 2 2
Here T , T , and T are 128-bit strings defined in Clause 6.3 for each dedicated hash-function.
0 1 2
NOTE The output transformation corresponds to processing an additional data block derived from K after padding and
2
appending of the length field.
6.1.5 Step 5 (truncation)
The MAC of m bits is derived by taking the leftmost m bits of the string H'', i.e.
MAC := m ~ H''.
6.2 Efficiency
If the padded data string (where the padding algorithm depends on the selected hash-function) contains q
blocks, then MAC Algorithm 1 requires q + 7 applications of the round-function.

This can be reduced to q + 1 applications of the round-function by pre-computing the values K , K and K ,
0 1 2
and by replacing the initial value IV by IV' in the application of the hash-function. It is recommended to make
this modification to the code of the hash-function together with the mandatory modification required for Step 2.

For long input strings, MAC Algorithm 1 has a performance which is comparable to that of the hash-function
used.
6.3 Computation of the constants
The constants described in this clause are used in MAC Algorithms 1 and 3. MAC Algorithm 3 is specified in
Clause 8.

The strings T and U (0 u i u 2) are fixed elements in the description of the MAC algorithm. They are
i i
computed (only once) using the hash-function; they are different for each of the seven hash-functions.

The 128-bit constants T and 768-bit constants U are defined as follows. The definition of T involves the 496-
i i i
bit constant R = "ab…yzAB…YZ01…89'' and 16-bit constants S , S , S , where S is the 16-bit string formed
0 1 2 i
by repeating twice the 8-bit representation of i (e.g., the hexadecimal representation of S is 3131). In both
1
cases ASCII coding is used; this is equivalent to coding using ISO/IEC 646:1991.
For i := 0 to 2
T := 128 ~ h ( S || R ) for Dedicated Hash-Functions 1, 2, 3, 4 and 8;
i i
512 512
T := 128 ~ h ( S || R || 0 ) for
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.