ISO/IEC 10118-4:1998

INTERNATIONAL ISO/IEC
STANDARD 10118-4
First edition
1998-12-15
Information technology — Security
techniques — Hash-functions —
Part 4:
Hash-functions using modular arithmetic
Technologies de l'information — Techniques de sécurité — Fonctions
de brouillage —
Partie 4: Fonctions de hachage utilisant l’arithmétique modulaire
Reference number
B C
ISO/IEC 10118-4:1998(E)

---------------------- Page: 1 ----------------------
ISO/IEC 10118-4:1998(E)
Contents
1 Scope .1
2 Normative reference .1
3 Terms and definitions.1
3.1 From ISO/IEC 10118-1.1
3.2 Unique to this part of ISO/IEC 10118.1
3.3 Conventions .2
4 Symbols and abbreviated terms.2
4.1 From ISO/IEC 10118-1.2
4.2 Unique to this part of ISO/IEC 10118.3
5 Requirements .4
6 Variables and values needed for the hash operation.4
6.1 The length of the hash-code and of the modulus.4
6.2 The modulus of the round-function .4
6.3 Initializing value .5
6.4 Exponent.5
6.5 Reduction-function prime number.5
7 Hashing procedure .5
7.1 Preparation of the data string.5
7.1.1 Padding the data string .5
7.1.2 Appending the length .5
7.1.3 Splitting the data string.5
7.1.4 Expansion .5
7.2 Application of the round-function.5
©  ISO/IEC 1998
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced
or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm, without permission in writing from the publisher.
ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland
Printed in Switzerland
ii

---------------------- Page: 2 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
7.3 The Reduction-function. 6
7.3.1 Splitting the block H . 6
q
7.3.2 Extending the data string. 6
7.3.3 Processing the half-blocks . 6
7.3.4 Reduction . 6
8 Hash-functions. 6
8.1 MASH-1 . 6
8.2 MASH-2 . 7
Annex A (informative) Examples . 9
Annex B (informative) Additional Information. 22
Annex C (informative) Bibliography . 23
iii

---------------------- Page: 3 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in
liaison with ISO and IEC, also take part in the work.
In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.
International Standard ISO/IEC 10118-4 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
technology, Subcommittee SC27, IT Security techniques.
ISO/IEC 10118 consists of the following parts, under the general title Information technology – Security techniques
– Hash-functions:
– Part 1: General
– Part 2: Hash-functions using an n-bit block cipher algorithm
– Part 3: Dedicated hash-functions
– Part 4: Hash-functions using modular arithmetic
Annexes A, B and C of this part of ISO/IEC 10118 are for information only.
iv

---------------------- Page: 4 ----------------------
©
INTERNATIONAL STANDARD  ISO/IEC ISO/IEC 10118-4:1998(E)
Information technology — Security techniques — Hash
functions —
Part 4:
Hash-functions using modular arithmetic
1 Scope
This part of ISO/IEC 10118 specifies two hash-functions which make use of modular arithmetic. These hash-func-
tions, which are believed to be collision-resistant, compress messages of arbitrary but limited length to a hash-code
whose length is determined by the length of the prime number used in the reduction-function defined in 7.3. Thus,
the hash-code is easily scaled to the input length of any mechanism (e.g., signature algorithm, identification
scheme).
The hash-functions specified in this part of ISO/IEC 10118, known as MASH-1 and MASH-2 (Modular Arithmetic
Secure Hash) are particularly suitable for environments in which implementations of modular arithmetic of sufficient
length are already available. The two hash-functions differ only in the exponent used in the round-function.
2 Normative reference
The following standard contains provisions which, through reference in this text, constitute provisions of this part of
ISO/IEC 10118. At the time of publication, the edition indicated was valid. All standards are subject to revision and
parties to agreements based on this part of ISO/IEC 10118 are encouraged to investigate the possibility of applying
the most recent edition of the standard indicated below. Members of IEC and ISO maintain registers of currently
valid International Standards.
ISO/IEC 10118-1: 1994, Information technology – Security techniques – Hash-functions – Part 1: General.
3 Terms and definitions
For the purposes of this part of ISO/IEC 10118, the following definitions apply.
3.1 From ISO/IEC 10118-1
– collision-resistant hash-function
– data string (data)
– hash-code
– hash-function
– initializing value
– padding.
3.2 Unique to this part of ISO/IEC 10118
3.2.1
block
a string of bits of length L , which shall be an integer multiple of 16 (see also clause 6.1)
φ
EXAMPLE The length of the output H of the round-function.
j
1

---------------------- Page: 5 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
3.2.2
half-block
a string of bits of length L /2
φ
EXAMPLE Half the length of the block H .
j
3.2.3
hash-function identifier
a byte identifying a specific hash-function
3.2.4
modulus
a parameter which is a positive integer and a product of two distinct prime numbers
3.2.5
reduction-function
a function RED that is applied to the block H of length L to generate the hash-code H of length L
q φ p
3.2.6
round-function
. .
a function φ( , ) that transforms two binary strings of length L to a binary string of length L
φ φ
NOTE It is used iteratively as part of a hash-function, where it combines an 'expanded' data block of length L with the
φ
previous output of length L .
φ
3.3 Conventions
3.3.1 Bit ordering
Bit ordering in this part of ISO/IEC 10118 is as described in clause 3 of ISO/IEC 10118-1.
3.3.2 Converting a number to a string
During computation of the round-function, integers need to be converted to strings of L bits. Where this is required,
the string of bits shall be made equal to the binary representation of the integer, with the left-most bit of the string
corresponding to the most significant bit of the binary representation. If the resulting string of bits has less than L
bits, then the string shall be left-padded with the appropriate number of zeros to make it of length L.
3.3.3 Converting a string to a number
During computation of the round-function, strings of bits need to be converted into integers. Where this is required,
the integer shall be made equal to the number having binary representation equal to the binary string, where the
left-most bit of the string is considered as the most significant bit of the binary representation.
3.4 Hash-function identifier
Identifiers are defined for each of the two MASH hash-functions specified in this standard. The hash-function
identifiers for the hash-functions specified in clause 8.1 and 8.2 are equal to 41 and 42 (hexadecimal) respectively.
The range of values from 43 to 4f (hexadecimal) are reserved for future use as hash-function identifiers by this part
of ISO/IEC 10118.
4 Symbols and abbreviated terms
Throughout this part of ISO/IEC 10118, the following symbols and abbreviations apply.
4.1 From ISO/IEC 10118-1
D Data
H Hash-code
IV Initializing value
X⊕Y Exclusive-or of strings of bits X and Y
2

---------------------- Page: 6 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
4.2 Unique to this part of ISO/IEC 10118
B The jth block derived from the data string D after the padding, splitting, and expansion process.
j
D The jth half-block derived from the data string D after the padding and the splitting process. D through
j q+1
D are additional data blocks computed in the reduction-function.
q+8
e The exponent used in the round-function.
E A constant block equal to four ones (in the left-most position) followed by L –4 zeros.
φ
H The output of the round-function in the jth round. H has length L .
j j φ
L The length of the input string D in bits.
D
L The length of the output H of the round-function φ. It shall be an integer multiple of 16.
φ j
L The length of the modulus N used in the round-function.
N
L The length of the prime number p used in the reduction-function.
p
mod If Z is an integer and Z is a positive integer, then Z mod Z denotes the unique integer Z which satisfies
1 2 1 2 3
a) 0 ≤ Z < Z , and
3 2
b) Z - Z is an integer multiple of Z .
1 3 2
N A composite integer, used as the modulus in the round-function.
NOTE For the determination of the value of N, see clause 5.
p A prime number used in the reduction-function.
NOTE For the determination of the value of p, see clause 5.
q The number of half-blocks in the data string D after the padding and splitting processes, also the number of
blocks after the padding, splitting, and expansion process.
RED The reduction-function, that is applied as the last operation of the hashing procedure to reduce the block H
q
of length L to the hash-code H of length L .
φ p
Y The jth sub-string of length L /4 bits used in the reduction-function.
j φ
φ A round-function. If X and Y denote strings of L bits, then φ(X,Y) denotes a string of L bits obtained by
φ φ
applying φ to X and Y.
∨ The bit-wise inclusive OR operation on strings of bits, i.e., if X and Y are strings of the same length, then
X∨Y denotes the string obtained as the bit-wise inclusive OR of X and Y.
~ A symbol denoting the truncate operation. If X is a bitstring then X~j denotes the bitstring obtained by taking
the right-most j bits of X.
:= A symbol denoting the 'set equal to' operation. It is used in the procedural specification of the round-function
and of the reduction-function, where it indicates that the block on the left side of the symbol shall be
changed to equal the value of the expression on the right side of the symbol.
X || Y Concatenation of bit-strings X and Y in the indicated order.
3

---------------------- Page: 7 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
5 Requirements
5.1  To employ either of the hash-functions specified in this part of ISO/IEC 10118, two integers shall be selected:
the modulus N used in the round-function and the prime p used in the reduction-function.
Both integers, N and p, are determined by the security requirements of the application for which these hash-func-
tions are used.
5.1.1  The modulus N shall be chosen so that factoring it is computationally infeasible.
5.1.2  The modulus N shall be generated in a way that the factors remain secret. This can be accomplished by a
trusted third party or by a secure multiparty computation.
NOTE 1 Generating a modulus N with the property that its factors remain secret can be accomplished by using a trusted
third party, trusted hardware, and/or a secure multiparty computation. Examples can be found in Boneh [1], Cocks [2], and
Frankel [3].
NOTE 2 If the factors of the modulus are kept secret, and if the size of the prime p is sufficiently large, then the best known
L /2
p
algorithm to find a collision takes approximately 2 evaluations of the round-function, and the best known algorithm to find a
L
p
(2nd) pre-image requires approximately 2 evaluations of the round-function. Thus in these circumstances MASH-1 and
MASH-2 are believed to be collision-free hash-functions.
5.1.3  The reduction-function prime p shall not be a factor of the modulus N of the round-function.
5.1.4  The length L of the prime p shall be at most half of the length of the modulus N, Lp ≤ L /2.
p φ
5.1.5  The three high order bits of prime p shall consist of ones.
5.2  To employ one of the hash-functions, MASH-1 or MASH-2, the user has to select one of the two exponents e
used in the round-function φ.
Lφ/2
5.3  MASH-1 and MASH-2 can be applied to all data strings D containing at most 2 -1 bits.
6 Variables and values needed for the hash operation
6.1 The length of the hash-code and of the modulus
The length of the modulus N and the length of the blocks H are related in the following manner:
j
L +1 ≤ L ≤ L +16
φ N φ
The length L of the block H shall be an integer multiple of 16.
φ q
NOTE 1 If the length L is chosen, then the length L is constrained by the inequalities above. If the length L is chosen,
φ N N
then the length L will be the largest multiple of 16 less than L .
φ N
NOTE 2 Knowledge of N is sufficient to determine L , and consequently L .
N φ
6.2 The modulus of the round-function
The modulus N used in the round-function is a composite integer generated as a product of two prime numbers of
about the same length such that it is computationally infeasible to factorize N.
NOTE 1 In addition to the infeasibility of the factorization of the modulus, the security of the MASH hash-functions is based in
part on the difficulty of extracting modular roots.
NOTE 2 The choice of a specific modulus N of appropriate length is outside the scope of this part of ISO/IEC 10118.
4

---------------------- Page: 8 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
6.3 Initializing value
The initializing value IV is defined to be the string of L binary zeros.
φ
6.4 Exponent
For MASH-1 the value of the exponent e in the round-function equals 2. For MASH-2 the value of the exponent e in
the round-function equals 257.
6.5 Reduction-function prime number
The reduction-function specified in 7.3 requires a prime p. The length L of prime p is determined by the security
p
requirements, and by the input length of any mechanism using the hash-code. The length L shall be at most half of
p
the length of the modulus N, Lp ≤ L /2.
φ
NOTE 1 The choice of a specific prime p of appropriate length is outside the scope of this part of ISO/IEC 10118.
NOTE 2 To avoid unbalanced results by the reduction modulo p, the prime number p shall be selected with the three high
order bits equal to ones.
7 Hashing procedure
The hash-code H of the data string D shall be calculated using the following steps (see Figure 1):
7.1 Preparation of the data string
The data string D is transformed into a sequence of blocks for input to the round-function φ. The preparation
consists of padding, splitting, and expanding as detailed in the following sub-clauses.
7.1.1 Padding the data string
If the length L of the data string D is not an integer multiple of L /2, D is right-padded with binary zeros according
D φ
to padding method 1 described in ISO/IEC 10118-1, Appendix B.
7.1.2 Appending the length
An additional half-block is right-appended to the data string. It contains the binary representation of the length L of
D
the original (unpadded) data string D, left-padded with binary zeros (see 3.3.2).
NOTE – If the data block D is empty, only the length block is input to the hashing procedure.
7.1.3 Splitting the data string
The resulting string is divided into a sequence of q half-blocks D ,D , … ,D , D .
1 2 q-1 q
7.1.4 Expansion
Every half-block D , j = 1,2,…,q, is now doubled in length from L /2 bits to L bits. This is achieved by dividing D
j φ φ j
into half-bytes and preceding each half-byte of D with a half-byte consisting of four ones (1111), for j=1,2,…,q. The
j
result of this process when applied to half-block D is denoted as B , j =1,2,…,q.
j j
7.2 Application of the round-function
The round-function φ on which the MASH hash-functions are based takes as input two blocks, H and B , both of
j-1 j
5

---------------------- Page: 9 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
length L . It returns a block H of length L . It is defined as follows:
φ j φ
e
φ(B ,H ) = ((((H ⊕ B ) ∨ E) mod N)~L ) ⊕ H
j j-1 j-1 j φ j-1
This round-function is applied sequentially to the data blocks B as follows:
j
H := IV
0
H := φ(B ,H )  j = 1,2, … ,q
j j j-1
7.3 The Reduction-function
The reduction-function RED consists of eight applications of the round-function with a data input derived from H .
q
The hash-code H shall be calculated using the following four steps: splitting the block H , extending the data string,
 q
processing the additional data blocks, and reducing the block H .
q+8
7.3.1 Splitting the block H
q
The block H is divided into four strings of length L /4 bits, denoted with H , H , H , H , i.e.,
q φ q1 q2 q3 q4
:= || || ||
H H H H H
q q1 q2 q3 q4
7.3.2 Extending the data string
Define Y := H , Y := H , Y := H , and Y := H . Then for i = 4 to 15 let
0 q3 1 q1 2 q4 3 q2
Y := Y ⊕ Y
i i-1 i-4
Define then eight additional data half-blocks D through D as follows: for i = 1 to 8 let
q+1 q+8
D := Y || Y
q+i 2i-2 2i-1
7.3.3 Processing the half-blocks
The eight half-blocks D through D are processed as in 7.1.4 and 7.2, but with IV equal to H , yielding the
q+1 q+8 q
result H .
q+8
7.3.4 Reduction
The hash-code H of length L is computed as follows:
 p
H := H mod p
q+8
8 Hash-functions
The two hash-functions specified in this part of ISO/IEC 10118 differ in the value of the exponent e used in the
round-function φ.
8.1 MASH-1
For MASH-1, the round-function φ as specified in clause 7 becomes:
2
φ(B ,H ) = ((((H ⊕ B ) ∨ E) mod N) ~L ) ⊕ H
j j-1 j-1 j φ j-1
The ISO/IEC hash-function identifier for the hash-function MASH-1 is equal to 41 (hexadecimal).
6

---------------------- Page: 10 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
8.2 MASH-2
For MASH-2, the round-function φ as specified in clause 7 becomes:
257

φ(B ,H ) = ((((H ⊕B ) ∨ E) mod N) ~L ) ⊕H
j j-1 j-1 j φ j-1
The ISO/IEC hash-function identifier for the hash-function MASH-2 is equal to 42 (hexadecimal).
7

---------------------- Page: 11 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
input string
data D to be hashed
L
D
padded with
binary zeros
D
Padding
L /2
φ
(q-1)*L
/2
φ
half-block containing
length L
D D D D D
Splitting 1 2 i q-1 q
D
q*L
φ
Expansion
B B B B B
q-1 q
1 2 i
φ φ
φ φ φ (B ,H ) (B ,H )
Iteration (B ,H ) (B ,H ) (B ,H )
H =IV
q-1 q-2 q q-1
1 0 2 1 i i-1
0
H H H H H
q-1 q
1 2 i
block
H
q
Splitting
H H H H
q1 q2 q3 q4
Reduction-function
RED
Y :=H Y :=H Y :=H Y :=H
0 q3, 1 q1, 2 q4, 3 q2
Extending
Y := Y ⊕ Y for i = 4 to 15
i i-1  i-4
D := Y || Y for i = 1 to 8

q+i 2i-2 2i-1
D D D
q+1 q+i q+8
Expansion
B B B
q+1 q+i q+8
φ
φ (B ,H ) φ
(B ,H ) (B ,H )
Iteration
q+i q+i-1
q+1 q q+8 q+7

H =IV
q
H H
H
q+i q+8
q+1
mod
H p Reduction
q+8

 output:  hash-code H
Figure 1 — The MASH hash-function
8

---------------------- Page: 12 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
Annex A
(informative)
Examples
A.1  The hashing procedure
In practice, the data string may be supplied as a stream. Its overall length L may be unknown before the end of the
D
stream is reached. As the stream passes through, the hash calculation is performed. For convenience of the
description, a constant k = L /2 is introduced. Only the following four registers are required for the variables: i, A, B,
φ
C.
i bit counter for the length L .
D
A buffer to hold the hash-code.
B accumulator to hold the intermediate results.
C holding one half-block of data.
The hash-code H of the data D is calculated in the following steps:
A.1.1  Step 1 (Initialisation)
The buffer A is set to zero: A := 0 (initializing value IV = H = 0)
0
The accumulator B is set to zero: B := 0
The bit counter is set to zero: i := 0 (counts the number of effective data bits hashed)
A.1.2  Step 2a (Reading a data block)
If at least k bits of the data are remaining, read k bits of the data D into C. If k' (with 0 < k' < k) bits of the data are
remaining, read k' bits of the data D into C and fill up C with k-k' binary zeros on the right. k (respectively k' ) is
added to i. If no more data bits are available (k' = 0), go to Step 3a.
Step 2b (Expansion)
Each byte of C is split into halves and each half is preceded with four binary ones. The result is put into the accumulator
B.
Step 2c (Combination with previous hash-value)
Calculate: B := B ⊕ A (combination)
Step 2d
B := B ∨ E (the four highest valued bits are set to 1)
Step 2e (Exponentiation)
e
Calculate: B := B mod N where e=2 (squaring) with MASH-1, and e=257 with MASH-2.
Step 2f (Truncation)
(the leftmost bits of C which exceed the length L are erased)
φ
Step 2g (Feed-forward with previous hash-value)
Calculate: A := B ⊕A
Step 2h Return to Step 2a.
9

---------------------- Page: 13 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
A.1.3  Step 3a (Reading the length counter)
C := i (the content of the length counter is put into C ).
The integer is converted into a string as specified in 3.3.2.
Step 3b (Hash with length counter)
Perform steps 2b, 2c, 2d, 2e, 2f and 2g, then go to Step 4.
A.1.4  Step 4 (Output the result)
The block H is contained in the buffer A as the rightmost L bits.
q φ
A.1.5  The reduction procedure
The following registers are required for the variables: A, B, C, C , C , C , C , i.
0 1 2 3
A holding the block H to be reduced.
q
B buffer used in the round-function.
C accumulator of length L /2, to hold a half-block.
φ
C , C , C , C four buffers of length L /4.
0 1 2 3 φ
i a counter.
The hash-code H is calculated in the following steps.

A.1.5.1  Step 4a (Initialisation)
The counter is set to 8: i := 8 (the number of half-blocks to be processed)
A.1.5.2  Step 4b (Splitting of the block H )
q
The block H contained in buffer A is divided into four parts H , H , H , H each of length L /4 (see Figure 1)
q q1 q2 q3 q4 φ
and saved:
C := H
0 q3
C := H
1 q1
C := H
2 q4
C := H
3 q2
A.1.5.3  Step 4c (Extension and iteration)
Calculate: C := C || C (concatenate)
0 1
and perform Steps 2b through 2g (apply the round-function φ) (Round number q+1)
Calculate: i := i-1. (reduce counter)
Step 4d (Extension and iteration)
Calculate: C := C || C (concatenate)
2 3
and perform Steps 2b through 2g (apply the round-function φ) (Round number q+2)
Calculate: i := i-1 (reduce counter).
A.1.5.4  Step 4e (Combination, extension and iteration)
: (combination)
Calculate: C = C ⊕ C
0 0 3
C := C ⊕ C
1 1 0
10

---------------------- Page: 14 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
Calculate: C := C || C (concatenate)
0 1
and perform Steps 2b through 2g (apply the round-function φ) (Round number q+3, q+5, q+7)
Calculate: i := i-1 (reduce counter).
Step 4f (Combination of split blocks)
(combination)
Calculate: C = C ⊕ C
2 : 2 1
C = C ⊕ C
3 : 3 2
Calculate: C := C || C (concatenate)
2 3
and perform Steps 2b through 2g (apply the round-function φ) (Round number q+4, q+6, q+8)
Calculate: i := i-1 If i does not equal zero, go to Step 4e.
A.1.6  Step 5 (Final reduction)

Calculate: A := A mod p
A.1.7  Step 6 (Output the result)
The hash-code H is contained in the buffer A as the rightmost L bits.
p
A.2  Example hash calculations
In the following example N is a composite number, 12 bits larger than L . L is a multiple of 16 strictly below L . The length of
φ φ N
the modulus N is selected just to demonstrate the hashing procedure step by step, and does not necessarily meet the security
requirements. To distinguish between decimal and hexadecimal numbers the subscript d or h is added respectively .
The following data are used:
10c
Length of the modulus N, L = h = 268
N d
100
Length of the block H,L = h = 256
j φ d
80
Length of the prime p, L = h = 128
p d
80
Length of the hash-code H, L = h = 128
p d
eec19b75218d08ad5516deceec1cf4af3824a95691ab41806865e09ffd51fbfa54d
Modulus N =
h
f000000000000000000000000000000000000000000000000000000000000000
E =
h
ceced8f8b6b854189f8d6b39b75c1329
Modulus p =
h
Data string D = 'Now is the time for all '
Data string D encoded according to ISO 646 in hexadecimal representation:
4e6f77206973207468652074696d6520666f7220616c6c20
h
Length of the data string D, L = c0 = 192
D h d
NOTE — ISO 646 code is commonly called ASCII code because it is equivalent to ASCII 7-bit code. The 7-bit ASCII code is extended to
eight bits by inserting a leading zero bit.
Every step is recorded to show the changing values of the variables i, A, B, C and C , C , C , C during the course of the
0 1 2 3
calculation. The first column refers to the steps described in Annex A.1.
A.2.1  Example hash calculation using MASH-1
Initialisation step: A := 0
B := 0
i := 0
11

---------------------- Page: 15 ----------------------
©
ISO/IEC
ISO/IEC 10118-4:1998(E)
First round:
(2a) C = 4e6f77206973207468652074696d6520         (the first 16 bytes of the data string D)
h d
80
i=
h
f4fef6fff7f7f2f0f6f9f7f3f2f0f7f4f6f8f6f5f2f0f7f4f6f9f6fdf6f5f2f0
(2b) B =
h
f4fef6fff7f7f2f0f6f9f7f3f2f0f7f4f6f8f6f5f2f0f7f4f6f9f6fdf6f5f2f0
(2c) B =
h
f4fef6fff7f7f2f0f6f9f7f3f2f0f7f4f6f8f6f5f2f0f7f4f6f9f6fdf6f5f2f0
(2d) B =
h
00000d87836ef6fbfe7f050ffa9c69d6c5ebab11b7f42df62f56904a924f169bf41b39f1
(2e) B =
h
836ef6fbfe7f050ffa9c69d6c5ebab11b7f42df62f56904a924f169bf41b39f1
(2f) A = h
836ef6fbfe7f050ffa9c69d6c5ebab11b7f42df62f56904a924f169bf41b39f1
(2g) A = h
Second round:
(2a) C = 666f7220616c6c20                                     (the last 8 bytes of the data string D)
h d
(2a) C = 666f7220616c6c200000000000000000 (… padded with binary zeros)
h
c0
i= h
f6f6f6fff7f2f2f0f6f1f6fcf6fcf2f0f0f0
...