ISO/IEC 10118-3:2003

INTERNATIONAL ISO/IEC
STANDARD 10118-3
Second edition
2003-05-01
Information technology — Security
techniques — Hash-functions —
Part 3:
Dedicated hash-functions
Technologies de l'information — Techniques de sécurité — Fonctions
de brouillage —
Partie 3: Fonctions de brouillage dédiées

Reference number
©
ISO/IEC 2003
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2003
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2003 — All rights reserved

Contents Page
Foreword.vi
1 Scope.1
2 Normative references .1
3 Terms and definitions.1
4 Symbols (and abbreviated terms) .2
4.1 Symbols specified in ISO/IEC 10118-1.2
4.2 Symbols specific to this part .2
5 Requirements .3
6 Model for dedicated hash-functions .4
7 Dedicated Hash-Function 1 (RIPEMD-160).4
7.1 Parameters, functions and constants.4
7.1.1 Parameters.4
7.1.2 Byte ordering convention .4
7.1.3 Functions .5
7.1.4 Constants.5
7.1.5 Initializing value .6
7.2 Padding method.7
7.3 Description of the round-function.7
8 Dedicated Hash-Function 2 (RIPEMD-128).8
8.1 Parameters, functions and constants.8
8.1.1 Parameters.8
8.1.2 Byte ordering convention .8
8.1.3 Functions .9
8.1.4 Constants.9
8.1.5 Initializing value .9
8.2 Padding method.9
8.3 Description of the round-function.9
9 Dedicated Hash-Function 3 (SHA-1) .10
9.1 Parameters, functions and constants.11
9.1.1 Parameters.11
9.1.2 Byte ordering convention .11
9.1.3 Functions .11
9.1.4 Constants.11
9.1.5 Initializing value .11
9.2 Padding method.12
9.3 Description of the round-function.12
10 Dedicated Hash-Function 4 (SHA-256) .13
10.1 Parameters, functions and constants.13
10.1.1 Parameters.13
10.1.2 Byte ordering convention .13
10.1.3 Functions .13
10.1.4 Constants.14
10.1.5 Initializing value .14
10.2 Padding method.14
10.3 Description of the round-function.14
11 Dedicated Hash-Function 5 (SHA-512) .15
11.1 Parameters, functions and constants.15
© ISO/IEC 2003 — All rights reserved iii

11.1.1 Parameters. 15
11.1.2 Byte ordering convention. 16
11.1.3 Functions . 16
11.1.4 Constants. 16
11.1.5 Initializing value. 17
11.2 Padding method . 17
11.3 Description of the round-function. 17
12 Dedicated Hash-Function 6 (SHA-384) . 18
12.1 Parameters, functions and constants. 19
12.1.1 Parameters. 19
12.1.2 Byte ordering convention. 19
12.1.3 Functions . 19
12.1.4 Constants. 19
12.1.5 Initializing value. 19
12.2 Padding method . 19
12.3 Description of the round-function. 19
13 Dedicated Hash-Function 7 (WHIRLPOOL) . 19
13.1 Parameters, functions and constants. 20
13.1.1 Parameters. 20
13.1.2 Byte ordering convention. 20
13.1.3 Functions . 20
13.1.4 Constants. 21
13.1.5 Initializing value. 21
13.2 Padding method . 21
13.3 Description of the round-function. 22
Annex A (informative) Examples. 23
A.1 Dedicated Hash-Function 1. 23
A.1.1 Example 1. 23
A.1.2 Example 2. 23
A.1.3 Example 3. 23
A.1.4 Example 4. 25
A.1.5 Example 5. 25
A.1.6 Example 6. 25
A.1.7 Example 7. 25
A.1.8 Example 8. 25
A.1.9 Example 9. 28
A.1.10 Example 10. 28
A.1.11 Example 11. 28
A.2 Dedicated Hash-Function 2. 28
A.2.1 Example 1. 28
A.2.2 Example 2. 29
A.2.3 Example 3. 29
A.2.4 Example 4. 30
A.2.5 Example 5. 30
A.2.6 Example 6. 30
A.2.7 Example 7. 30
A.2.8 Example 8. 31
A.2.9 Example 9. 33
A.2.10 Example 10. 33
A.2.11 Example 11. 33
A.3 Dedicated Hash-Function 3. 34
A.3.1 Example 1. 34
A.3.2 Example 2. 34
A.3.3 Example 3. 34
A.3.4 Example 4. 35
A.3.5 Example 5. 36
A.3.6 Example 6. 36
A.3.7 Example 7. 36
iv © ISO/IEC 2003 — All rights reserved

A.3.8 Example 8 .36
A.3.9 Example 9 .39
A.3.10 Example 10 .39
A.3.11 Example 11 .39
A.4 Dedicated Hash-Function 4.39
A.4.1 Example 1 .39
A.4.2 Example 2 .40
A.4.3 Example 3 .40
A.4.4 Example 4 .41
A.4.5 Example 5 .42
A.4.6 Example 6 .42
A.4.7 Example 7 .42
A.4.8 Example 8 .42
A.4.9 Example 9 .45
A.4.10 Example 10 .45
A.4.11 Example 11 .46
A.5 Dedicated Hash-Function 5.46
A.5.1 Example 1 .46
A.5.2 Example 2 .46
A.5.3 Example 3 .46
A.5.4 Example 4 .50
A.5.5 Example 5 .50
A.5.6 Example 6 .50
A.5.7 Example 7 .50
A.5.8 Example 8 .50
A.5.9 Example 9 .51
A.5.10 Example 10 .51
A.5.11 Example 11 .57
A.6 Dedicated Hash-Function 6.57
A.6.1 Example 1 .57
A.6.2 Example 2 .58
A.6.3 Example 3 .58
A.6.4 Example 4 .61
A.6.5 Example 5 .61
A.6.6 Example 6 .61
A.6.7 Example 7 .62
A.6.8 Example 8 .62
A.6.9 Example 9 .62
A.6.10 Example 10 .62
A.6.11 Example 11 .69
A.7 Dedicated Hash-Function 7.69
A.7.1 Example 1 .69
A.7.2 Example 2 .69
A.7.3 Example 3 .69
A.7.4 Example 4 .72
A.7.5 Example 5 .72
A.7.6 Example 6 .72
A.7.7 Example 7 .72
A.7.8 Example 8 .72
A.7.9 Example 9 .77
Annex B (informative) Formal specifications .78
B.0 Introduction .78
B.1 Specification of Dedicated Hash-Function 1.78
B.1.1 Auxiliary functions.84
B.2 Specification of Dedicated Hash-Function 2.84
B.3 Specification of Dedicated Hash-Function 3.86
Annex C (normative) Object Identifiers.90
Bibliography .91
© ISO/IEC 2003 — All rights reserved v

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members o
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft Internationa
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication a
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of paten
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 10118-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 10118-3:1998), which has been technicall
revised.
ISO/IEC 10118 consists of the following parts, under the general title Information technology — Securi
techniques — Hash-functions:
 Part 1: General
 Part 2: Hash-functions using an n-bit block cipher
 Part 3: Dedicated hash-functions
 Part 4: Hash-functions using modular arithmetic
Further parts may follow.
vi © ISO/IEC 2003 — All rights reserved

INTERNATIONAL STANDARD ISO/IEC 10118-3:2003(E)
Information technology — Security techniques —
Hash-functions —
Part 3:
Dedicated hash-functions
1 Scope
This part of ISO/IEC 10118 specifies dedicated hash-functions, i.e., specially designed hash-functions. The hash-

functions in this part of ISO/IEC 10118 are based on the iterative use of a round-function. Seven distinct round-
functions are specified, giving rise to distinct dedicated hash-functions.
The first and third dedicated hash-functions in clauses 7 and 9 respectively provide hash-codes of lengths up to
160 bits; the second in clause 8 provides hash-codes of lengths up to 128 bits; the fourth in clause 10 provides
hash-codes of lengths up to 256 bits; the sixth in clause 12 provides hash-codes of a fixed length, 384 bits; and the
fifth and seventh in clauses 11 and 13 respectively provide hash-codes of lengths up to 512 bits.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10118-1: 2000, Information technology — Security techniques — Hash-functions — Part 1: General
3 Terms and definitions
For the purposes of this document, the definitions given in ISO/IEC 10118-1 and the following apply.
3.1
block
a bit-string of length L , i.e., the length of the first input to the round-function.
3.2
word
a string of 32 bits used in dedicated hash-functions 1, 2, 3 and 4 of clauses 7, 8, 9 and 10 respectively, or a string
of 64 bits used in dedicated hash-functions 5 and 6 of clauses 11 and 12 respectively.
3.3
matrix
an 8 by 8 matrix in which each entry is a string of 8 bits used in dedicated hash-function 7 of clause 13.
© ISO/IEC 2003 — All rights reserved 1

4 Symbols (and abbreviated terms)
4.1 Symbols specified in ISO/IEC 10118-1
This part of ISO/IEC 10118 makes use of the following symbols and notations defined in ISO/IEC 10118-1.
B A byte.
i
D Data.
H Hash-code.
IV Initializing value.
L The length (in bits) of the first of the two input strings to the round-function Φ.
L The length (in bits) of the second of the two input strings to the round-function Φ, of the output string from the
round-function Φ, and of the IV.
L Length (in bits) of a bit-string X.
X
Φ A round-function, i.e., if X, Y are bit-strings of lengths L and L respectively, then Φ(X, Y) is the string
1 2
obtained by applying Φ to X and Y.
X ⊕Y Exclusive-or of strings of bits X and Y (where L = L ).
X Y
4.2 Symbols specific to this part
For the purpose of this part of ISO/IEC 10118, the following symbols and notations apply:
a , a' Sequences of indices used in specifying a round-function.
i i
i
A A sequence of constant matrices used in specifying the round-function defined in clause 13.
8 8
c Function taking a string of 64 elements of GF(2 ) as input, and giving an 8 by 8 matrix with entries from GF(2 )
as output, used in specifying the round-function defined in clause 13.
c , c , c  Functions taking an 8 by 8 matrix of elements of GF(2 ) as input, and giving an 8 by 8 matrix with entries
1 2 3
from GF(2 ) as output, used in specifying the round-function defined in clause 13.
c Function taking two 8 by 8 matrices of elements of GF(2 ) as input, and giving an 8 by 8 matrix with entries
from GF(2 ) as output, used in specifying the round-function defined in clause 13.
C, C'  Constant words used in the round-functions.
i i
C'' An 8 by 8 circulant matrix with entries chosen from GF(2 ) used in specifying the round-function in clause 13.
D A block derived from the data-string after the padding process.
i
d, e, f, g  Functions taking either one or three words as input and producing a single word as output, used in
i i i i
specifying round-functions.
H A string of L bits which is used in the hashing operation to store an intermediate result.
i 2
8 8 4 3 2
GF(2 )  A field defined as GF(2)[x] / p (x) where p (x) = x + x + x + x + 1. The elements of the field are 8-bit
8 8
strings.
M An 8 by 8 matrix whose entries are chosen from GF(2 ).

2 © ISO/IEC 2003 — All rights reserved

q The number of blocks in the data string after the padding and splitting processes.
n n
R ()  The operation of right shift by n bits, i.e., if A is a word and n is a non-negative integer then R (A) denotes the
word obtained by right-shifting the contents of A by n places.
8 8
s A nonlinear substitution box, which replaces an element x ∈ GF(2 ) with another element s[x] ∈ GF(2 );
n
S ()  The operation of ‘circular left shift’ by n bit positions, i.e., if A is a word and n is a non-negative integer then
n
S (A) denotes the word obtained by left-shifting the contents of A by n places in a cyclic fashion.
n
S' ()  The operation of ‘circular right shift’ by n bit positions, i.e., if A is a word and n is a non-negative integer then
n
S' (A) denotes the word obtained by right-shifting the contents of A by n places in a cyclic fashion.
t, t'  Shift-values used in specifying a round-function.
i i
W, X, X' , Y , Z  Words used to store the results of intermediate computations.
i i i i
W', X'', K, Y', Z'  Matrices with entries chosen from GF(2 ) used to store the results of intermediate computations.
i
Λ The bit-wise logical AND operation on bit-strings, i.e., if A, B are words then AΛB is the word equal to the bit-
wise logical AND of A and B.
V The bit-wise logical OR operation on bit-strings, i.e., if A, B are words then AVB is the word equal to the bit-
wise logical OR of A and B.
¬ The bit-wise logical NOT operation on a bit-string, i.e., if A is a word then ¬A is the word equal to the bit-wise
logical NOT of A.
w
⊎ The modulo 2 addition operation, where w is the number of bits in a word. I.e., if A and B are words, then
A⊎B is the word obtained by treating A and B as the binary representations of integers and computing their
w w
sum modulo 2 , where the result is constrained to lie between 0 and 2 -1 inclusive. The value of w is 32 for

dedicated hash-functions 1-4, defined in clauses 7-10, and 64 for dedicated hash-functions 5 and 6, defined in
clauses 11 and 12.
• The multiplication operation of 8 by 8 matrices with entries chosen from GF(2 ). I.e., if A and B are such
matrices, then A•B is the matrix obtained by multiplying A and B in the following way: treat each entry of either
A or B as the binary polynomial representation of an integer (for example, the binary polynomial representation
7 3
of integer 89 (hexadecimal) is x +x +1); treat a multiplication of two of the entries as the remainder when a
8 4 3 2
multiplication of the two polynomials is divided by a polynomial p (x), where p (x) = x + x + x + x + 1; and
8 8
treat a sum operation as the operation ⊕.
:= A symbol denoting the ‘set equal to’ operation used in procedural specifications of round-functions, where it
indicates that the word (or the matrix in clause 13) on the left side of the symbol shall be made equal to the
value of the expression on the right side of the symbol.
5 Requirements
Users who wish to employ a hash-function from this part of ISO/IEC 10118 shall select:
 one of the dedicated hash-functions specified below; and
 the length L of the hash-code H.
H
NOTE — The first and second dedicated hash-functions are defined so as to facilitate software implementations for ‘little-
endian’ computers, i.e., where the lowest-addressed byte in a word is interpreted as the least significant; conversely, the third,
fourth, fifth and sixth dedicated hash-functions are defined so as to facilitate software implementations for ‘big-endian’
computers, i.e., where the lowest-addressed byte in a word is interpreted as the most significant. However, by adjusting the
definition appropriately, any of these six round-functions can be implemented on a ‘big-endian’ or a ‘little-endian’ computer. The
seventh dedicated hash-function is defined to be ‘endian-neutral’, in the sense that it uses no endian-sensitive arithmetical
operation (such as integer addition). If sequences of GF(2 ) elements (i.e., bytes) are mapped to computer words to parallelize
© ISO/IEC 2003 — All rights reserved 3

such operations as exclusive-or, the byte disposition within a word is irrelevant, as long as the inverse mapping is consistent. All
the hash-functions defined in this part of ISO/IEC 10118 take a bit-string as input and give a bit-string as output; this is
independent of the internal byte-ordering convention used within each hash-function.
NOTE — The choice of L affects the security of the hash-function. All of the hash-functions specified in this part of ISO/IEC
H
L /2
H
10118 are believed to be collision-resistant hash-functions in environments where performing 2 hash-code computations is
deemed to be computationally infeasible.
6 Model for dedicated hash-functions
The hash-functions specified in this part of ISO/IEC 10118 are based on the general model for hash-functions
given in part 1 of this ISO/IEC standard, i.e., ISO/IEC 10118-1:2000.
In the specifications of the hash-functions in this part of ISO/IEC 10118, it is assumed that the padded data-string
input to the hash-function is in the form of a sequence of bytes. If the padded data-string is in the form of a
sequence of 8n bits, x , x , …, x , then it shall be interpreted as a sequence of n bytes, B , B , …, B , in the
0 1 8n-1 0 1 n-1
following way. Each group of eight consecutive bits is considered as a byte, the first bit of a group being the most
significant bit of that byte. Hence
7 6
B = 2 x + 2 x + ···+ x
i 8i 8i+1 8i+7
for every i (0 ≤ i < n).
The output transformation for the hash-functions specified in this part of ISO/IEC 10118 is that the hash-code H is
derived by taking the leftmost L bits of the final L -bit output string H .
H 2 q
Identifiers are defined for each of the seven dedicated hash-functions specified in this standard. The hash-function
identifiers for the dedicated hash-functions specified in clauses 7, 8, 9, 10, 11, 12 and 13 are equal to 31, 32, 33,
34, 35, 36 and 37 (hexadecimal) respectively. The range of values from 38 to 3F (hexadecimal) are reserved for
future use as hash-function identifiers by this part of ISO/IEC 10118. The hash-function identifiers are also used in
the OSI object identifiers assigned in Annex C.
7 Dedicated Hash-Function 1 (RIPEMD-160)
In this clause we specify a padding method, an initializing value, and a round-function for use in the general model
for hash-functions described in ISO/IEC 10118-1:2000. The padding method, initializing value and round-function
specified here, when used in the above general model, together define Dedicated Hash-Function 1. This dedicated
hash-function can be applied to all data strings D containing at most 2 -1 bits.
The ISO/IEC hash-function identifier for Dedicated Hash-Function 1 is equal to 31 (hexadecimal).
NOTE — Dedicated Hash-Function 1 defined in this clause is commonly called RIPEMD-160, [3].
7.1 Parameters, functions and constants
7.1.1 Parameters
For this hash-function L = 512, L = 160 and L is up to 160.
1 2 H
7.1.2 Byte ordering convention
In the specification of the round-function of this clause it is assumed that the block input to the round-function is in
the form of a sequence of 32-bit words, each 512-bit block being made up of 16 such words. A sequence of 64
bytes, B , B , …, B , shall be interpreted as a sequence of 16 words, Z , Z , …, Z , in the following way. Each
0 1 63 0 1 15
group of four consecutive bytes is considered as a word, the first byte of a word being the least significant byte of
that word. Hence
4 © ISO/IEC 2003 — All rights reserved

24 16 8
Z = 2 B + 2 B +2 B + B ,         (0 ≤ i ≤ 15).
i 4i+3 4i+2 4i+1 4i
To convert the hash-code from a sequence of words to a byte-sequence, the inverse process shall be followed.
NOTE — The byte-ordering specified here is different from that of subclause 9.1.2.
7.1.3 Functions
To facilitate software implementation, the round-function Φ is described in terms of operations on 32-bit words. A
sequence of functions g , g , …, g is used in this round-function, where each function g, 0 ≤ i ≤ 79, takes three
0 1 79 i
words X , X and X as input and produces a single word as output.
0 1 2
The functions g are defined as follows:
i
g(X ,X ,X ) = X ⊕ X ⊕ X ,     ( 0 ≤ i ≤ 15),
i 0 1 2 0 1 2
g(X ,X ,X ) = (X Λ X ) V (¬X Λ X), (16 ≤ i ≤ 31),
i 0 1 2 0 1 0 2
g(X ,X ,X ) = (X V ¬X ) ⊕ X ,     (32 ≤ i ≤ 47),
i 0 1 2 0 1 2
g(X ,X ,X ) = (X Λ X ) V (X Λ ¬X), (48 ≤ i ≤ 63),
i 0 1 2 0 2 1 2
g(X ,X ,X ) = X ⊕ (X V ¬X ),      (64 ≤ i ≤ 79).
i 0 1 2 0 1 2
7.1.4 Constants
Two sequences of constant words C , C , …, C and C' , C' , …, C' are used in this round-function. In a
0 1 79 0 1 79
hexadecimal representation (where the most significant bit corresponds to the left-most bit) these are defined as
follows:
C = 00000000, ( 0 ≤ i ≤ 15),
i
C = 5A827999, (16 ≤ i ≤ 31),
i
= 6ED9EBA1, (32 ≤ i ≤ 47),
C
i
C = 8F1BBCDC, (48 ≤ i ≤ 63),
i
C = A953FD4E, (64 ≤ i ≤ 79),
i
C' = 50A28BE6, ( 0 ≤ i ≤ 15),
i
C' = 5C4DD124, (16 ≤ i ≤ 31),
i
C' = 6D703EF3, (32 ≤ i ≤ 47),
i
C' = 7A6D76E9, (48 ≤ i ≤ 63),
i
C' = 00000000, (64 ≤ i ≤ 79).
i
Two sequences of 80 shift-values are used in this round-function, where each shift-value is between 5 and 15. We
denote these sequences by (t , t , …, t ) and (t' , t' , …, t' ). A further two sequences of 80 indices are used in this
0 1 79 0 1 79
round-function, where each value in the sequence is between 0 and 15. We denote these sequences as (a , a ,
0 1
, a ), and (a' , a' , …, a' ). All four se
...