ISO/IEC 10118-3:1998
Information technology — Security techniques — Hash-functions — Part 3: Dedicated hash-functions
Technologies de l'information — Techniques de sécurité — Fonctions de brouillage — Partie 3: Fonctions de hachage dédiées
INTERNATIONAL STANDARD ISO/IEC 10118-3
First edition 1998-06-01
Reference number ISO/IEC 10118-3:1998(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.

In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75% of the national bodies casting a vote.

International Standard ISO/IEC 10118-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Sub-Committee SC27, IT Security techniques.

ISO/IEC 10118 consists of the following parts, under the general title Information technology - Security techniques - Hash-functions:
- Part 1: General
- Part 2: Hash-functions using an n-bit block cipher algorithm
- Part 3: Dedicated hash-functions
- Part 4: Hash-functions using modular arithmetic
Further parts may follow.

Annexes A, B, and C of this part of ISO/IEC 10118 are for information only.

© ISO/IEC 1998
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the publisher.
ISO/IEC Copyright Office • Case postale 56 • CH-1211 Genève 20 • Switzerland
Printed in Switzerland

1 Scope
This part of ISO/IEC 10118 specifies dedicated hash-functions, i.e. specially designed hash-functions. The hash-functions in this part of ISO/IEC 10118 are based on the iterative use of a round-function. Three distinct round-functions are specified, giving rise to distinct dedicated hash-functions. The first and third provide hash-codes of lengths up to 160 bits, and the second provides hash-codes of lengths up to 128 bits.

2 Normative reference
The following standard contains provisions which, through reference in the text, constitute provisions of this part of ISO/IEC 10118. At the time of publication, the edition indicated was valid. All standards are subject to revision and parties to agreements based on this part of ISO/IEC 10118 are encouraged to investigate the possibility of applying the most recent edition of the standard indicated below. Members of IEC and ISO maintain registers of currently valid International Standards.
ISO/IEC 10118-1:1994, Information technology - Security techniques - Hash-functions - Part 1: General.

3 Definitions
For the purposes of this part of ISO/IEC 10118, the definitions given in ISO/IEC 10118-1 and the following definitions apply.
3.1 block: A bit-string of length $L_1$, i.e. the length of the first input to the round-function.
3.2 hash-function identifier: A byte identifying a specific hash-function.
3.3 round-function: A function $\phi(\cdot, \cdot)$ that transforms two binary strings of lengths $L_1$ and $L_2$ to a binary string of length $L_2$. It is used iteratively as part of a hash-function, where it combines a data string of length $L_1$ with the previous output of length $L_2$.
3.4 word: A string of 32 bits.

4 Symbols and notation
This part of ISO/IEC 10118 makes use of the following symbols and notation defined in ISO/IEC 10118-1.
$D$  A data string to be input to the hash-function.
$H$  Hash-code.
$IV$  Initializing value.
$L_X$  Length (in bits) of a bit-string $X$.
$X \oplus Y$  Exclusive-or of bit-strings $X$ and $Y$.
For the purpose of this part of ISO/IEC 10118, the following symbols and notation apply:
$a_i, a'_i$  Sequences of indices used in specifying a round-function.
$B_i$  A byte.
$C_i, C'_i$  Constant words used in the round-functions.
$D_i$  A block derived from the data-string after the padding process.
$f_i, g_i$  Functions taking three words as input and producing a single word as output, used in specifying round-functions.
$H_i$  A string of $L_2$ bits which is used in the hashing operation to store an intermediate result.
$L_1$  The length (in bits) of the first of the two input strings to the round-function $\phi$.
$L_2$  The length (in bits) of the second of the two input strings to the round-function $\phi$, of the output string from the round-function $\phi$, and of $IV$.
$q$  The number of blocks in the data string after the padding and splitting processes.
$S^n(\cdot)$  The operation of ‘circular left shift’ by $n$ bit positions, i.e. if $A$ is a word and $n$ is a non-negative integer then $S^n(A)$ denotes the word obtained by left-shifting the contents of $A$ by $n$ places in a cyclic fashion.
$t_i, t'_i$  Shift-values used in specifying a round-function.
$W, X_i, X'_i, Y_i, Z_i$  Words used to store the results of intermediate computations.
$\phi$  A round-function, i.e. if $X$, $Y$ are bit-strings of lengths $L_1$ and $L_2$ respectively, then $\phi(X, Y)$ is the string obtained by applying $\phi$ to $X$ and $Y$.
$\wedge$  The bit-wise logical AND operation on bit-strings, i.e. if $A$, $B$ are words then $A \wedge B$ is the word equal to the bit-wise logical AND of $A$ and $B$.
$\vee$  The bit-wise logical OR operation on bit-strings, i.e. if $A$, $B$ are words then $A \vee B$ is the word equal to the bit-wise logical OR of $A$ and $B$.
$\neg$  The bit-wise logical NOT operation on a bit-string, i.e. if $A$ is a word then $\neg A$ is the word equal to the bit-wise logical NOT of $A$.
$\uplus$  The modulo $2^{32}$ addition operation, i.e. if $A$, $B$ are words then $A \uplus B$ is the word obtained by treating $A$ and $B$ as the binary representations of integers and computing their sum modulo $2^{32}$, where the result is constrained to lie between 0 and $2^{32} - 1$ inclusive.
$:=$  A symbol denoting the ‘set equal to’ operation used in procedural specifications of round-functions, where it indicates that the word on the left side of the symbol shall be made equal to the value of the expression on the right side of the symbol.

5 Requirements
Users who wish to employ a hash-function from this part of ISO/IEC 10118 shall select:
- one of the dedicated hash-functions specified below; and
- the length $L_H$ of the hash-code $H$.

NOTE 1 - The first and second dedicated hash-functions are defined so as to facilitate software implementations for ‘little-endian’ computers, i.e. where the lowest-addressed byte in a word is interpreted as the least significant; conversely, the third round-function is defined so as to facilitate software implementations for ‘big-endian’ computers, i.e. where the lowest-addressed byte in a word is interpreted as the most significant. However, by adjusting the definition appropriately, any of the round-functions can be implemented on a ‘big-endian’ or a ‘little-endian’ computer. All the hash-functions defined in this part of ISO/IEC 10118 take a bit-string as input and give a bit-string as output; this is independent of the internal byte-ordering convention used within each hash-function.

NOTE 2 - The choice of $L_H$ affects the security of the hash-function. All of the hash-functions specified in this part of ISO/IEC 10118 are believed to be collision-resistant hash-functions in environments where performing $2^{L_H/2}$ hash-code computations is deemed to be computationally infeasible.

6 Model for dedicated hash-functions

6.1 General
The hash-functions specified in this standard require the use of a round-function $\phi$. In subsequent clauses of this part of ISO/IEC 10118, three alternatives for the function $\phi$ are specified.
The hash-functions which are specified in this standard provide hash-codes of length $L_H$, where $L_H$ is less than or equal to the value of $L_2$ for the round-function $\phi$ being used.
In the specifications of the hash-functions in this part of ISO/IEC 10118, it is assumed that the padded data-string input to the hash-function is in the form of a sequence of bytes. If the padded data-string is in the form of a sequence of $8n$ bits, $x_0, x_1, \ldots, x_{8n-1}$, then it shall be interpreted as a sequence of $n$ bytes, $B_0, B_1, \ldots, B_{n-1}$, in the following way. Each group of eight consecutive bits is considered as a byte, the first bit of a group being the most significant bit of that byte. Hence
$$B_i = 2^7 x_{8i} + 2^6 x_{8i+1} + \cdots + x_{8i+7}$$
for every $i$ ($0 \le i < n$).
Identifiers are defined for each of the three dedicated hash-functions specified in this standard. The hash-function identifiers for the dedicated hash-functions specified in clauses 7, 8 and 9 are equal to 31, 32, and 33 (hexadecimal) respectively. The range of values from 34 to 3F (hexadecimal) are reserved for future use as hash-function identifiers by this part of ISO/IEC 10118.

6.2 Hashing operation
Let $\phi$ be a round-function and $IV$ be an initializing value of length $L_2$. For the hash-functions specified in this part of ISO/IEC 10118, the value of the $IV$ shall be fixed for a given round-function $\phi$.
The hash-code $H$ of the data $D$ shall be calculated in four steps.

6.2.1 Step 1 (padding)
The data string $D$ is padded in order to ensure that its length is a multiple of $L_1$. Specific instances of padding methods are specified in subsequent clauses of this part of ISO/IEC 10118.

6.2.2 Step 2 (splitting)
The padded version of the data string $D$ is split into $L_1$-bit blocks $D_1, D_2, \ldots, D_q$, where $D_1$ represents the first $L_1$ bits of the padded version of $D$, $D_2$ represents the next $L_1$ bits, and so on. The Padding and Splitting Processes are illustrated in Figure 1.

Figure 1: Padding & splitting processes

6.2.3 Step 3 (iteration)
Let $D_1, D_2, \ldots, D_q$ be the $L_1$-bit blocks of the data after padding and splitting. Let $H_0$ be a bit-string equal to $IV$. The $L_2$-bit strings $H_1, H_2, \ldots, H_q$ are calculated iteratively in the following way.
for i from 1 to q:
The Iteration Process is illustrated in Figure 2.

Figure 2: The Iteration Process

6.2.4 Step 4 (truncation)
The hash-code $H$ is derived by taking the leftmost $L_H$ bits of the final $L_2$-bit output string $H_q$.

7 Dedicated Hash-Function 1
NOTE - This clause contains a description of the round-function, initializing value and padding method for RIPEMD-160, [3].

7.1 General
In this clause we specify a padding method, an initializing value, and a round-function for use in the general model described in this part of ISO/IEC 10118. The padding method, initializing value and round-function specified here, when used in the above general model, together define Dedicated Hash-Function 1. This dedicated hash-function can be applied to all data strings $D$ containing at most $2^{64} - 1$ bits.
The ISO/IEC hash-function identifier for Dedicated Hash-Function 1 is equal to 31 (hexadecimal).

7.2 Parameters, functions and constants

7.2.1 Parameters
For this hash-function $L_1 = 512$ and $L_2 = 160$.

7.2.2 Byte ordering convention
In the specification of the round-function of clause 7 it is assumed that the block input to the round-function is in the form of a sequence of words, each 512-bit block being made up of 16 such words. A sequence of 64 bytes, $B_0, B_1, \ldots, B_{63}$, shall be interpreted as a sequence of 16 words, $Z_0, Z_1, \ldots, Z_{15}$, in the following way. Each group of four consecutive bytes is considered as a word, the first byte of a word being the least significant byte of that word. Hence
$$Z_i = 2^{24} B_{4i+3} + 2^{16} B_{4i+2} + 2^{8} B_{4i+1} + B_{4i}, \quad (0 \le i \le 15).$$
To convert the hash-code from a sequence of words to a byte-sequence, the inverse process shall be followed.
NOTE - The byte-ordering specified here is different from that of subclause 9.2.2.

7.2.3 Functions
To facilitate software implementation, the round-function $\phi$ is described in terms of operations on words. A sequence of functions $g_0, g_1, \ldots, g_{79}$ is used in this round-function, where each function $g_i$, $0 \le i \le 79$, takes three words $X_0$, $X_1$ and $X_2$ as input and produces a single word as output.
The functions $g_i$ are defined as follows:
$$g_i(X_0, X_1, X_2) = X_0 \oplus X_1 \oplus X_2, \quad (0 \le i \le 15),$$
$$g_i(X_0, X_1, X_2) = (X_0 \wedge X_1) \vee (\neg X_0 \wedge X_2), \quad (16 \le i \le 31),$$
$$g_i(X_0, X_1, X_2) = (X_0 \vee \neg X_1) \oplus X_2, \quad (32 \le i \le 47),$$
$$g_i(X_0, X_1, X_2) = (X_0 \wedge X_2) \vee (X_1 \wedge \neg X_2), \quad (48 \le i \le 63),$$
$$g_i(X_0, X_1, X_2) = X_0 \oplus (X_1 \vee \neg X_2), \quad (64 \le i \le 79).$$

7.2.4 Constants
Two sequences of constant words $C_0, C_1, \ldots, C_{79}$ and $C'_0, C'_1, \ldots, C'_{79}$ are used in this round-function. In a hexadecimal representation (where the most significant bit corresponds to the left-most bit) these are defined as follows:
$C_i$ = 00000000, ($0 \le i \le 15$),
$C_i$ = 5A827999, ($16 \le i \le 31$),
$C_i$ = 6ED9EBA1, ($32 \le i \le 47$),
$C_i$ = 8F1BBCDC, ($48 \le i \le 63$),
$C_i$ = A953FD4E, ($64 \le i \le 79$),
$C'_i$ = 50A28BE6, ($0 \le i \le 15$),
$C'_i$ = 5C4DD124, ($16 \le i \le 31$),
$C'_i$ = 6D703EF3, ($32 \le i \le 47$),
$C'_i$ = 7A6D76E9, ($48 \le i \le 63$),
$C'_i$ = 00000000, ($64 \le i \le 79$).
Two sequences of 80 shift-values are used in this round-function, where each shift-value is between 5 and 15. We denote these sequences by $(t_0, t_1, \ldots, t_{79})$ and $(t'_0, t'_1, \ldots, t'_{79})$. A further two sequences of 80 indices are used in this round-function, where each value in the sequence is between 0 and 15. We denote these sequences as $(a_0, a_1, \ldots, a_{79})$, and $(a'_0, a'_1, \ldots, a'_{79})$. All four sequences are defined in the following table.

i      0  1  2  3  4  5  6  7
t_i   11 14 15 12  5  8  7  9
t'_i   8  9  9 11 13 15 15  5
a_i    0  1  2  3  4  5  6  7
a'_i   5 14  7  0  9  2 11  4

i      8  9 10 11 12 13 14 15
t_i   11 13 14 15  6  7  9  8
t'_i   7  7  8 11 14 14 12  6
a_i    8  9 10 11 12 13 14 15
a'_i  13  6 15  8  1 10  3 12

i     16 17 18 19 20 21 22 23
t_i    7  6  8 13 11  9  7 15
t'_i   9 13 15  7 12  8  9 11
a_i    7  4 13  1 10  6 15  3
a'_i   6 11  3  7  0 13  5 10

i     24 25 26 27 28 29 30 31

i     32 33 34 35 36 37 38 39
t_i   11 13  6  7 14  9 13 15
t'_i   9  7 15 11  8  6  6 14
a_i    3 10 14  4  9 15  8  1
a'_i  15  5  1  3  7 14  6  9

i     40 41 42 43 44 45 46 47
t_i   14  8 13  6  5 12  7  5
t'_i  12 13  5 14 13 13  7  5
a_i    2  7  0  6 13 11  5 12
a'_i  11  8 12  2 10  0  4 13

i     48 49 50 51 52 53 54 55
t_i   11 12 14 15 14 15  9  8
t'_i  15  5  8 11 14 14  6 14
a_i    1  9 11 10  0  8 12  4
a'_i   8  6  4  1  3 11 15  0

i     56 57 58 59 60 61 62 63
t_i    9 14  5  6  8  6  5 12
t'_i   6  9 12  9 12  5 15  8
a_i   13  3  7 15 14  5  6  2
a'_i   5 12  2 13  9  7 10 14

i     64 65 66 67 68 69 70 71
t_i    9 15  5 11  6  8 13 12
t'_i   8  5 12  9 12  5 14  6
a_i    4  0  5  9  7 12  2 10
a'_i  12 15 10  4  1  5  8  7

i     72 73 74 75 76 77 78 79
t_i    5 12 13 14 11  8  5  6
t'_i   8 13  6  5 15 13 11 11
a_i   14  1  3  8 11  6 15 13
a'_i   6  2 13 14  0  3  9 11

7.2.5 Initializing Value
For this round-function the initializing value, $IV$, shall always be the following 160-bit string, represented here as a sequence of five words $Y_0, Y_1, Y_2, Y_3, Y_4$ in a hexadecimal representation, where $Y_0$ represents the left-most 32 of the 160 bits:
$Y_0$ = 67452301,
$Y_1$ = EFCDAB89,
$Y_2$ = 98BADCFE,
$Y_3$ = 10325476,
$Y_4$ = C3D2E1F0.

7.3 Padding method
The data string $D$ needs to be padded to make it contain a number of bits which is an integer multiple of 512. The padding procedure operates as follows:
1. $D$ is concatenated with a single ‘1’ bit.
2. The result of the previous step is concatenated with between zero and 511 ‘0’ bits such that the length (in bits) of the resultant string is congruent to 448 modulo 512. More explicitly, if the original length of $D$ is $L_D$, and letting $r$ be the remainder when $L_D$ is divided by 512, then the number of concatenated zeros is equal to either $447 - r$ (if $r \le 447$) or $959 - r$ (if $r > 447$). The result will be a bit string whose length will be 64 bits short of an integer multiple of 512 bits.
3. Divide the 64-bit binary representation of $L_D$ into two 32-bit strings, one representing the ‘most significant half’ of $L_D$ and the other the ‘least significant half’. Now concatenate the string resulting from the previous step with these two 32-bit strings, with the ‘least significant half’ preceding the ‘most significant half’.
In the description of the round-function which follows, each 512-bit data block $D_i$, $1 \le i \le q$, is treated as a sequence of 16 words, $Z_0, Z_1, \ldots, Z_{15}$, where $Z_0$ corresponds to the left-most 32 bits of $D_i$.

7.4 Description of the round-function
The round-function $\phi$ operates as follows. Note that, in this description, we use the symbols $W, X_0, X_1, X_2, X_3, X_4, X'_0, X'_1, X'_2, X'_3, X'_4$ to denote eleven distinct words which contain values required in the computations.
1. Suppose the 512-bit (first) input to $\phi$ is contained in $Z_0, Z_1, \ldots, Z_{15}$, where $Z_0$ contains the left-most 32 of the 512 bits. Suppose also that the 160-bit (second) input to $\phi$ is contained in five words, $Y_0, Y_1, Y_2, Y_3, Y_4$.
2. Let $X_0 := Y_0$, $X_1 := Y_1$, $X_2 := Y_2$, $X_3 := Y_3$ and $X_4 := Y_4$.
3. Let $X'_0 := Y_0$, $X'_1 := Y_1$, $X'_2 := Y_2$, $X'_3 := Y_3$ and $X'_4 := Y_4$.
4. For $i := 0$ to 79 do the following four steps in the order specified:
(a) $W := S^{t_i}(X_0 \uplus g_i(X_1, X_2, X_3) \uplus Z_{a_i} \uplus C_i) \uplus X_4$;
(b) $X_0 := X_4$; $X_4 := X_3$; $X_3 := S^{10}(X_2)$; $X_2 := X_1$; $X_1 := W$;
(c) $W := S^{t'_i}(X'_0 \uplus g_{79-i}(X'_1, X'_2, X'_3) \uplus Z_{a'_i} \uplus C'_i) \uplus X'_4$;
(d) $X'_0 := X'_4$; $X'_4 := X'_3$; $X'_3 := S^{10}(X'_2)$; $X'_2 := X'_1$; $X'_1 := W$;
5. Let
$W := Y_0$,
$Y_0 := Y_1 \uplus X_2 \uplus X'_3$,
$Y_1 := Y_2 \uplus X_3 \uplus X'_4$,
$Y_2 := Y_3 \uplus X_4 \uplus X'_0$,
$Y_3 := Y_4 \uplus X_0 \uplus X'_1$,
$Y_4 := W \uplus X_1 \uplus X'_2$.
6. The five words $Y_0, Y_1, Y_2, Y_3, Y_4$ represent the output of the round-function $\phi$. After the final iteration of the round-function, the five words $Y_0, Y_1, Y_2, Y_3, Y_4$ shall be converted to a sequence of 20 bytes using the inverse of the procedure specified in 7.2.2, and where $Y_0$ shall yield the first four bytes, $Y_1$ the next four bytes, and so on. Thus the first (left-most) byte will correspond to the least significant byte of $Y_0$, and the 20th (right-most) byte will correspond to the most significant byte of $Y_4$. The 20 bytes shall be converted to a string of 160 bits using the inverse of the procedure specified in 6.1, i.e. the first (left-most) bit will correspond to the most significant bit of the first (left-most) byte, and the 160th (right-most) bit will correspond to the least significant bit of the 20th (right-most) byte.

8 Dedicated Hash-Function 2
NOTE - This clause contains a description of the round-function, initializing value and padding method for RIPEMD-128, [3]. This hash-function should only be used in applications where a hash-code containing 128 bits or less is considered adequately secure.

8.1 General
In this clause we specify a padding method, an initializing value, and a round-function for use in the general model described in this part of ISO/IEC 10118. The padding method, initializing value and round-function specified here, when used in the above general model, together define Dedicated Hash-Function 2. This dedicated hash-function can be applied to all data strings $D$ containing at most $2^{64} - 1$ bits.
The ISO/IEC hash-function identifier for Dedicated Hash-Function 2 is equal to 32 (hexadecimal).

8.2 Parameters, functions and constants

8.2.1 Parameters
For this hash-function $L_1 = 512$ and $L_2 = 128$.

8.2.2 Byte ordering convention
The byte ordering convention for this hash-function is the same as that for the hash-function of clause 7.

8.2.3 Functions
To facilitate software implementation, the round-function $\phi$ is described in terms of operations on words. A sequence of functions $g_0, g_1, \ldots, g_{63}$ is used in this round-function, where each function $g_i$, $0 \le i \le 63$, takes three words $X_0$, $X_1$ and $X_2$ as input and produces a single word as output.
The functions $g_i$ are defined to be the same as the first 64 of the functions defined in subclause 7.2.3.

8.2.4 Constants
Two sequences of constant words $C_0, C_1, \ldots, C_{63}$ and $C'_0, C'_1, \ldots, C'_{63}$ are used in this round-function. In a hexadecimal representation (where the most significant bit corresponds to the left-most bit) these are defined as follows:
$C_i$ = 00000000, ($0 \le i \le 15$),
$C_i$ = 5A827999, ($16 \le i \le 31$),
$C_i$ = 6ED9EBA1, ($32 \le i \le 47$),
$C_i$ = 8F1BBCDC, ($48 \le i \le 63$),
$C'_i$ = 50A28BE6, ($0 \le i \le 15$),
$C'_i$ = 5C4DD124, ($16 \le i \le 31$),
$C'_i$ = 6D703EF3, ($32 \le i \le 47$),
$C'_i$ = 00000000, ($48 \le i \le 63$).
Two sequences of 64 shift-values are also used in this round-function, where each shift-value is between 5 and 15. We denote these sequences by $(t_0, t_1, \ldots, t_{63})$ and $(t'_0, t'_1, \ldots, t'_{63})$, and they are defined to be equal to the first 64 values of the corresponding sequences defined in subclause 7.2.4.
Finally, two further sequences of 64 indices are used in this round-function, where each value in the sequence is between 0 and 15. We denote these sequences by $(a_0, a_1, \ldots, a_{63})$, and $(a'_0, a'_1, \ldots, a'_{63})$, and they are defined to be equal to the first 64 values of the corresponding sequences defined in subclause 7.2.4.

8.2.5 Initializing Value
For this hash-function the initializing value, $IV$, shall always be the following 128-bit string, represented here as a sequence of four words $Y_0, Y_1, Y_2, Y_3$ in a hexadecimal representation, where $Y_0$ represents the left-most 32 of the 128 bits:
$Y_0$ = 67452301,
$Y_1$ = EFCDAB89,
$Y_2$ = 98BADCFE,
$Y_3$ = 10325476.

8.3 Padding method
The padding method to be used with this hash-function shall be the same as the padding method defined in subclause 7.3.

8.4 Description of the round-function
The round-function $\phi$ operates as follows. Note that, in this description, we use the symbols $W, X_0, X_1, X_2, X_3, X'_0, X'_1, X'_2, X'_3$ to denote nine distinct words which contain values required in the computations.
1. Suppose the 512-bit (first) input to $\phi$ is contained in $Z_0, Z_1, \ldots, Z_{15}$, where $Z_0$ contains the left-most 32 of the 512 bits. Suppose also that the 128-bit (second) input to $\phi$ is contained in four words, $Y_0, Y_1, Y_2, Y_3$.
2. Let $X_0 := Y_0$, $X_1 := Y_1$, $X_2 := Y_2$ and $X_3 := Y_3$.
3. Let $X'_0 := Y_0$, $X'_1 := Y_1$, $X'_2 := Y_2$ and $X'_3 := Y_3$.
4. For $i := 0$ to 63 do the following four steps in the order specified:
(a) $W := S^{t_i}(X_0 \uplus g_i(X_1, X_2, X_3) \uplus Z_{a_i} \uplus C_i)$;
(b) $X_0 := X_3$; $X_3 := X_2$; $X_2 := X_1$; $X_1 := W$;
(c) $W := S^{t'_i}(X'_0 \uplus g_{63-i}(X'_1, X'_2, X'_3) \uplus Z_{a'_i} \uplus C'_i)$;
(d) $X'_0 := X'_3$; $X'_3 := X'_2$; $X'_2 := X'_1$; $X'_1 := W$;
5. Let
$W := Y_0$,
$Y_0 := Y_1 \uplus X_2 \uplus X'_3$,
$Y_1 := Y_2 \uplus X_3 \uplus X'_0$,
$Y_2 := Y_3 \uplus X_0 \uplus X'_1$,
$Y_3 := W \uplus X_1 \uplus X'_2$.
6. The four words $Y_0, Y_1, Y_2, Y_3$ represent the output of the round-function $\phi$. After the final iteration of the round-function, the four words $Y_0, Y_1, Y_2, Y_3$ shall be converted to a sequence of 16 bytes using the inverse of the procedure specified in 7.2.2, and where $Y_0$ shall yield the first four bytes, $Y_1$ the next four bytes, and so on. Thus the first (left-most) byte will correspond to the least significant byte of $Y_0$, and the 16th (right-most) byte will correspond to the most significant byte of $Y_3$. The 16 bytes shall be converted to a string of 128 bits using the inverse of the procedure specified in 6.1, i.e. the
first (left-most) bit will correspond to the most significant bit of the first (left-most) byte, and the 128th (right-most) bit will correspond to the least significant bit of the 16th (right-most) byte.

9 Dedicated Hash-Function 3
NOTE - This clause contains a description of the round-function, initializing value and padding method for SHA-1 (the US NIST ‘Secure Hash Algorithm’), [2].

9.1 General
In this clause we specify a padding method, an initializing value, and a round-function for use in the general model described in this part of ISO/IEC 10118. The padding method, initializing value and round-function specified here, when used in the above general model, together define Dedicated Hash-Function 3. This dedicated hash-function can be applied to all data strings $D$ containing at most $2^{64} - 1$ bits.
The ISO/IEC hash-function identifier for Dedicated Hash-Function 3 is equal to 33 (hexadecimal).

9.2 Parameters, functions and constants

9.2.1 Parameters
For this hash-function $L_1 = 512$ and $L_2 = 160$.

9.2.2 Byte ordering convention
In the specification of the round-function of clause 9 it is assumed that the block input to the round-function is in the form of a sequence of words, each 512-bit block being made up of 16 such words. A sequence of 64 bytes, $B_0, B_1, \ldots, B_{63}$, shall be interpreted as a sequence of 16 words, $Z_0, Z_1, \ldots, Z_{15}$, in the following way. Each group of four consecutive bytes is considered as a word, the first byte of a word being the most significant byte of that word. Hence
$$Z_i = 2^{24} B_{4i} + 2^{16} B_{4i+1} + 2^{8} B_{4i+2} + B_{4i+3}, \quad (0 \le i \le 15).$$
To convert the hash-code from a sequence of words to a sequence of bytes, the inverse process shall be followed.
NOTE - The byte-ordering specified here is different from that of subclause 7.2.2.

9.2.3 Functions
To facilitate software implementation, the round-function $\phi$ is described in terms of operations on words. A sequence of functions $f_0, f_1, \ldots, f_{79}$ is used in this round-function, where each function $f_i$, $0 \le i \le 79$, takes three words $X_0$, $X_1$ and $X_2$ as input and produces a single word as output.
The functions $f_i$ are defined as follows:
$$f_i(X_0, X_1, X_2) = (X_0 \wedge X_1) \vee (\neg X_0 \wedge X_2), \quad (0 \le i \le 19),$$
$$f_i(X_0, X_1, X_2) = X_0 \oplus X_1 \oplus X_2, \quad (20 \le i \le 39),$$
$$f_i(X_0, X_1, X_2) = (X_0 \wedge X_1) \vee (X_0 \wedge X_2) \vee (X_1 \wedge X_2), \quad (40 \le i \le 59),$$
$$f_i(X_0, X_1, X_2) = X_0 \oplus X_1 \oplus X_2, \quad (60 \le i \le 79).$$

9.2.4 Constants
A sequence of constant words $C_0, C_1, \ldots, C_{79}$ is used in this round-function. In a hexadecimal representation (where the most significant bit corresponds to the left-most bit) these are defined as follows:
$C_i$ = 5A827999, ($0 \le i \le 19$),
$C_i$ = 6ED9EBA1, ($20 \le i \le 39$),
$C_i$ = 8F1BBCDC, ($40 \le i \le 59$),
$C_i$ = CA62C1D6, ($60 \le i \le 79$).

9.2.5 Initializing Value
For this round-function the initializing value, $IV$, shall always be the following 160-bit string, represented here as a sequence of five words $Y_0, Y_1, Y_2, Y_3, Y_4$ in a hexadecimal representation, where $Y_0$ represents the left-most 32 of the 160 bits:
$Y_0$ = 67452301,
$Y_1$ = EFCDAB89,
$Y_2$ = 98BADCFE,
$Y_3$ = 10325476,
$Y_4$ = C3D2E1F0.

9.3 Padding method
The data string $D$ needs to be padded to make it contain a number of bits which is an integer multiple of 512. The padding procedure operates as follows:
1. $D$ is concatenated with a single ‘1’ bit.
2. The result of the previous step is concatenated with between zero and 511 ‘0’ bits such that the length (in bits) of the resultant string is congruent to 448 modulo 512. More explicitly, if the original length of $D$ is $L_D$, and letting $r$ be the remainder when $L_D$ is divided by 512, then the number of concatenated zeros is equal to either $447 - r$ (if $r \le 447$) or $959 - r$ (if $r > 447$). The result will be a bit string whose length will be 64 bits short of an integer multiple of 512 bits.
3. Concatenate the string resulting from the previous step with the 64-bit binary representation of $L_D$, most significant bit first.
In the description of the round-function which follows, each 512-bit data block $D_i$, $1 \le i \le q$, is treated as a sequence of 16 words, $Z_0, Z_1, \ldots, Z_{15}$, where $Z_0$ corresponds to the left-most 32 bits of $D_i$.

9.4 Description of the round-function
The round-function $\phi$ operates as follows. No
...
$Y_0, Y_1, Y_2, Y_3, Y_4$ shall be converted to a sequence of 20 bytes using the inverse of the procedure specified in 9.2.2, and where $Y_0$ shall yield the first four bytes, $Y_1$ the next four bytes, and so on. Thus the first (left-most) byte will correspond to the most significant byte of $Y_0$, and the 20th (right-most) byte will correspond to the least significant byte of $Y_4$. The 20 bytes shall be converted to a string of 160 bits using the inverse of the procedure specified in 6.1, i.e. the first (left-most) bit will correspond to the most significant bit of the first (left-most) byte, and the 160th (right-most) bit will correspond to the least significant bit of the 20th (right-most) byte.
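
Dedicated Hash-Function 3 run through the four steps of clause 6.2, as an added example that is not part of the standard's text: the padding of 9.3, the byte ordering of 9.2.2, the functions, constants and initializing value of 9.2.3 to 9.2.5, and truncation to LH bits. Because the sample breaks off inside clause 9.4, the message expansion and step order in `phi` follow the published SHA-1 definition; the function names, the restriction to whole-byte input and the zeroing of unused bits when LH is not a multiple of 8 are assumptions of this example.

```python
import struct

L1_BYTES = 64                      # L1 = 512 bits (9.2.1)
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # 9.2.5
C = (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6)               # 9.2.4
MASK = 0xFFFFFFFF


def S(n, a):
    """Circular left shift of the 32-bit word a by n positions (clause 4)."""
    return ((a << n) | (a >> (32 - n))) & MASK


def f(i, x0, x1, x2):
    """The functions f_i of 9.2.3."""
    if i <= 19:
        return (x0 & x1) | (~x0 & x2 & MASK)
    if 40 <= i <= 59:
        return (x0 & x1) | (x0 & x2) | (x1 & x2)
    return x0 ^ x1 ^ x2            # 20..39 and 60..79


def pad(data):
    """9.3: a '1' bit, then '0' bits up to 448 mod 512, then LD as 64 bits,
    most significant bit first. Assumption: input is a whole number of bytes."""
    bit_len = 8 * len(data)
    if bit_len >= 1 << 64:
        raise ValueError("data string longer than 2^64 - 1 bits")
    r = bit_len % 512
    zeros = 447 - r if r <= 447 else 959 - r   # zero count as given in 9.3
    # The '1' bit and the first seven '0' bits share one byte (0x80).
    return data + b"\x80" + b"\x00" * ((zeros - 7) // 8) + struct.pack(">Q", bit_len)


def split(padded):
    """6.2.2: split the padded string into L1-bit blocks D_1..D_q."""
    return [padded[k:k + L1_BYTES] for k in range(0, len(padded), L1_BYTES)]


def phi(block, y):
    """Round-function: SHA-1 compression of one block into the five words y."""
    # 9.2.2: the first byte of each word is its most significant byte.
    z = list(struct.unpack(">16I", block))
    for i in range(16, 80):        # message expansion, from the SHA-1 definition
        z.append(S(1, z[i - 3] ^ z[i - 8] ^ z[i - 14] ^ z[i - 16]))
    x0, x1, x2, x3, x4 = y
    for i in range(80):
        w = (S(5, x0) + f(i, x1, x2, x3) + x4 + z[i] + C[i // 20]) & MASK
        x0, x1, x2, x3, x4 = w, x0, S(30, x1), x2, x3
    return tuple((a + b) & MASK for a, b in zip(y, (x0, x1, x2, x3, x4)))


def hash_function_3(data, lh_bits=160):
    """6.2 model: pad, split, iterate from H_0 = IV, keep the leftmost LH bits."""
    if not 0 < lh_bits <= 160:
        raise ValueError("LH must be between 1 and L2 = 160 bits")
    h = IV
    for d in split(pad(data)):     # 6.2.3: H_i from D_i and H_(i-1)
        h = phi(d, h)
    out = struct.pack(">5I", *h)   # inverse of 9.2.2: words back to 20 bytes
    nbytes, extra = divmod(lh_bits, 8)
    if extra == 0:
        return out[:nbytes]
    # Assumption: unused low bits of the final byte are returned as zero.
    last = out[nbytes] & (0xFF << (8 - extra)) & 0xFF
    return out[:nbytes] + bytes([last])


if __name__ == "__main__":
    print(hash_function_3(b"abc").hex())
    print(hash_function_3(b"abc", lh_bits=128).hex())
```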