Iso Iec 10118-2-2010

Copyrighted material licensed to BR Demo by Thomson Reuters (Scientific), Inc., subscriptions.techstreet.com, downloaded on Nov-28-2014 by James Madison.
No further reproduction or distribution is permitted. Uncontrolled when printe

INTERNATIONAL ISO/IEC
STANDARD 10118-2
Third edition
2010-10-15
Information technology — Security

techniques — Hash-functions —
Part 2:
Hash-functions using an n-bit block
cipher
Technologies de l'information — Techniques de sécurité — Fonctions
de brouillage —
Partie 2: Fonctions de brouillage utilisant un chiffrement par blocs de
n bits
Reference number
ISO/IEC 10118-2:2010(E)
© ISO/IEC 2010
Copyrighted material licensed to BR Demo by Thomson Reuters (Scientific), Inc., subscriptions.techstreet.com, downloaded on Nov-28-2014 by James Madison. No further reproduction or distribution is permitted. Uncontrolled when printe
ISO/IEC 10118-2:2010(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2010 – All rights reserved

ISO/IEC 10118-2:2010(E)
Contents Page
Foreword .............................................................................................................................................................v
Introduction........................................................................................................................................................vi
1 Scope ......................................................................................................................................................1
2 Normative references............................................................................................................................1
3 Terms and definitions ...........................................................................................................................1
4 Symbols and abbreviated terms ..........................................................................................................2
5 Use of the general model......................................................................................................................2
6 Hash-function 1 .....................................................................................................................................2
6.1 General ...................................................................................................................................................2
6.2 Parameter selection ..............................................................................................................................2
6.3 Padding method ....................................................................................................................................3
6.4 Initializing value.....................................................................................................................................3
6.5 Round function ......................................................................................................................................3
6.6 Output transformation ..........................................................................................................................4
7 Hash-function 2 .....................................................................................................................................4
7.1 General ...................................................................................................................................................4
7.3 Padding method ....................................................................................................................................4
7.5 Round function ......................................................................................................................................4
8 Hash-function 3 .....................................................................................................................................6
8.1 General ...................................................................................................................................................6
8.3 Padding method ....................................................................................................................................6
8.5 Round function ......................................................................................................................................6
9 Hash-function 4 .....................................................................................................................................9
9.1 General ...................................................................................................................................................9
9.3 Padding method ....................................................................................................................................9
9.5 Round function ......................................................................................................................................9
9.6 Output transformation ........................................................................................................................11
Annex A (informative) Use of AES...................................................................................................................13
A.1 General .................................................................................................................................................13
A.2 Hash-function 1 ...................................................................................................................................13
A.3 Hash-function 2 ...................................................................................................................................13
A.4 Hash-function 3 ...................................................................................................................................13
A.5 Hash-function 4 ...................................................................................................................................14
Annex B (informative) Examples .....................................................................................................................15
B.1 General .................................................................................................................................................15
B.2 Hash-function 1 ...................................................................................................................................15
B.3 Hash-function 2 ...................................................................................................................................16
B.4 Hash-function 3 ...................................................................................................................................17
© ISO/IEC 2010 – All rights reserved iii

ISO/IEC 10118-2:2010(E)
B.5 Hash-function 4....................................................................................................................................22

Annex C (normative) ASN.1 Module................................................................................................................27
Bibliography ......................................................................................................................................................29
iv © ISO/IEC 2010 – All rights reserved

ISO/IEC 10118-2:2010(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
ISO/IEC 10118-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This third edition cancels and replaces the second edition (ISO/IEC 10118-2:2000), which has been
technically revised. It also incorporates the Technical Corrigendum ISO/IEC 10118-2:2000/Cor.2:2007. The
major change is that in the second edition the underlying block cipher used in the hash-functions was
assumed to be Data Encryption Algorithm (DEA), whereas in the third edition it is assumed to be more secure
block ciphers like Advanced Encryption Standard (AES) and other ciphers included in ISO/IEC 18033-3.
ISO/IEC 10118 consists of the following parts, under the general title Information technology — Security
techniques — Hash-functions:
⎯ Part 1: General
⎯ Part 2: Hash-functions using an n-bit block cipher
⎯ Part 3: Dedicated hash-functions
⎯ Part 4: Hash-functions using modular arithmetic
© ISO/IEC 2010 – All rights reserved v

ISO/IEC 10118-2:2010(E)
Introduction
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
draw attention to the fact that it is claimed that compliance with this document may involve the use of patents.
The ISO and IEC take no position concerning the evidence, validity and scope of these patent rights.
The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences
under reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this
respect, the statements of the holders of these patent rights are registered with the ISO and IEC. Information
may be obtained from the ISO/IEC JTC 1 Patent database:
http://www.iso.org/patents
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.
vi © ISO/IEC 2010 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 10118-2:2010(E)
Information technology — Security techniques —

Hash-functions —
Part 2:
Hash-functions using an n-bit block cipher
1 Scope
This part of ISO/IEC 10118 specifies hash-functions which make use of an n-bit block cipher algorithm. They
are therefore suitable for an environment in which such an algorithm is already implemented.
Four hash-functions are specified. The first provides hash-codes of length less than or equal to n, where n is
the block-length of the underlying block cipher algorithm used. The second provides hash-codes of length less
than or equal to 2n; the third provides hash-codes of length equal to 2n; and the fourth provides hash-codes of
length 3n. All four of the hash-functions specified in this part of ISO/IEC 10118 conform to the general model
specified in ISO/IEC 10118-1.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10118-1:2000, Information technology — Security techniques — Hash-functions — Part 1: General
3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 10118-1 and the following apply.
3.1
block
string of bits of defined length
3.2
n-bit block cipher
block cipher with the property that plaintext blocks and ciphertext blocks are n bits in length
[ISO/IEC 18033-3:2005]
3.3
round function
function φ (.,.) that transforms two binary strings of lengths L1 and L2 to a binary string of length L2
NOTE The round function is used iteratively.
© ISO/IEC 2010 – All rights reserved 1

ISO/IEC 10118-2:2010(E)
4 Symbols and abbreviated terms

For the purposes of this document, the symbols and abbreviated terms given in ISO/IEC 10118-1 and the
following apply.
L
B When n is even, the string composed of the n/2 leftmost bits of the block B.
When n is odd, the string composed of the (n+1)/2 leftmost bits of the block B
R
B When n is even, the string composed of the n/2 rightmost bits of the block B.
When n is odd, the string composed of the (n-1)/2 rightmost bits of the block B
Bx When B is a sequence of blocks and each block has m bits, Bx (x≥0)

represents the x-th block of B.
EK(P) n-bit block cipher algorithm taking the key K and plaintext P as input. It is
recommended that the block cipher algorithms specified in ISO/IEC 18033-3
are used in the hash-functions.
K Key for the algorithm E
u or u’ Function which takes as input an n-bit block and gives as output a key for the
algorithm E.
5 Use of the general model

The hash-functions specified in the next four clauses provide hash-codes H of length LH. The hash-functions
conform to the general model specified in ISO/IEC 10118-1. For each of the four hash-functions that follow, it
is therefore only necessary to specify
⎯ the parameters L1, L2, LH,
⎯ the padding method,
⎯ the initializing value IV,
⎯ the round function φ,
⎯ the output transformation T.
6 Hash-function 1
6.1 General
The hash-function specified in this clause provides hash-codes of length L1 and L2 where L1 and L2 are equal
to n. Some specific definitions that are required to specify hash-function 1 follow.
NOTE This hash-function is described in [5].
6.2 Parameter selection
The parameters L1, L2 and LH for the hash-function specified in this clause shall satisfy L1 = L2 = n, and LH is
less than or equal to n.
2 © ISO/IEC 2010 – All rights reserved

ISO/IEC 10118-2:2010(E)
6.3 Padding method
The selection of the padding method for use with this hash-function is beyond the scope of this part of
ISO/IEC 10118. As minimum requirements, the padding method shall output a set of q blocks D1, D2, ..., Dq
where each block Dj is of length n and shall be such that each possible input produces distinct outputs.
Examples of padding methods are presented in ISO/IEC 10118-1:2000, Annex A.
6.4 Initializing value
The selection of the IV for use with this hash-function is beyond the scope of this part of ISO/IEC 10118. The
IV shall be a bit-string of length n and the value of the IV shall be agreed upon and fixed by users of the
hash-function.
6.5 Round function
Transformation u:
Define a mapping u from the ciphertext space.
The round function φ combines a padded data block Dj (of L1 = n-bits) with Hj-1, the previous output of the
round function (of L2 = n bits), to yield Hj. As part of the round function it is necessary to choose a function u,
which transforms an n-bit block into a key for use with the block cipher algorithm E. The selection of the
function u for use with this hash-function is outside the scope of this part of ISO/IEC 10118.
The round function itself is defined as follows:
Set H0 equal to IV
φ (Dj, Hj-1) = EKj (Dj) ⊕ Dj
where Kj = u (Hj-1). The round function is shown in Figure 1.
Hj-1 Dj
E
u
Kj
Hj
Figure 1 — Round function of hash-function 1

ISO/IEC 10118-2:2010(E)
6.6 Output transformation
The output transformation T is simply truncation, i.e., the hash-code H is derived by taking the leftmost LH bits
of the final output block Hq.
7 Hash-function 2
7.1 General
The hash-function specified in this clause provides hash-codes of length L1 and L2 where L1 is equal to n and
L2 is equal to 2n. Some specific definitions that are required to specify hash-function 2 follow.
NOTE 1 This hash-function is described in [4].
NOTE 2 In [6], theoretical attacks on hash-function 2 have been reported: a collision attack, with n = 128, which has
124.5 n
complexity 2 , and a preimage attack requiring complexity and space about 2 .
The only reason to keep hash-function 2 in this part of ISO/IEC 10118 is for compatibility with the existing
applications.
The parameters L1, L2 and LH for the hash-function specified in this clause shall satisfy L1 = n, L2 = 2n, and LH
is less than or equal to 2n.
7.3 Padding method
The selection of the padding method for use with this hash-function is beyond the scope of this part of
ISO/IEC 10118. As minimum requirements, the padding method shall output a set of q blocks D1, D2, ..., Dq
where each block Dj is of length n and shall be such that each possible input produces distinct outputs.
Examples of padding methods are presented in ISO/IEC 10118-1:2000, Annex A.
The selection of the IV (of length 2n) for use with this hash-function is beyond the scope of this part of
ISO/IEC 10118. The IV shall be a bit-string of length 2n and the value of the IV shall be agreed upon and fixed
L R
by users of the hash-function. However, the IV shall be selected such that u(IV ) and u’ (IV ) are different.
7.5 Round function
The round function φ combines a padded data block Dj (of L1 = n bits) with Hj-1, the previous output of the
round function (of L2 = 2n bits), to yield Hj. As part of the round function it is necessary to choose two
transformations u and u’. These transformations are used to transform an output block into two suitable LK bit
keys for the algorithm E. The specification of u and u’ is beyond the scope of this part of ISO/IEC 10118.
However, it should be taken into consideration that the selection of u and u’ is important for the security of the
hash-function.
L R L R
Set H0 and H0 equal to IV and IV respectively. The round function is defined in the following way, for j = 1
to q:
Hj = φ (Dj, Hj-1)
L R
X = u(Hj-1 ) and Y = u’ (Hj-1 )
Bj = EX(Dj) ⊕ Dj, and B’j= EY(Dj) ⊕ Dj

ISO/IEC 10118-2:2010(E)
L L R R L R
Hj = Bj || B’j and Hj =B’j || Bj
L R
The round function is shown in Figure 2 where X and Y are replaced with K j and K j respectively.

L
If LH is even, the hash-code is the concatenation of the LH/2 leftmost bits of Hq and the LH/2 leftmost bits of
R L
Hq . If LH is odd, the hash-code is the concatenation of the (LH+1)/2 leftmost bits of Hq and the (LH -1)/2
R
leftmost bits of Hq .
Hj-1 Dj
Hj-1L Hj-1R
E E
Hj-1L KjL KjR Hj-1R
u u′
BjL BjR B ′jL B ′jR
BjL B ′jR B ′jL B jR
HjL HjR
Hj

ISO/IEC 10118-2:2010(E)
8 Hash-function 3
8.1 General
The hash-function specified in this clause provides hash-codes of length LH, where LH is equal to 2n for even
values of n. Some specific definitions that are required to specify hash-function 3 follow.
The parameters L1, L2 and LH for the hash-function specified in this clause shall satisfy L1 = 4n, L2 = 8n, and
LH = 2n.
8.3 Padding method
The padding method for use with this hash-function shall be that specified in ISO/IEC 10118-1:2000, A.3, such
that r = n.
IV shall be a bit-string of length 8n and the value of the IV shall be agreed upon and fixed by users of the
hash-function.
8.5 Round function
Transformation u:
Define eight mappings u1, u2,…, u8 from the ciphertext space to the key space, such that:
ui(C) ≠ uj(C), for all i, j from the set {1,2,…, 8}, j ≠ i, and for all values of C
This can be achieved by fixing specific key bits: e.g., One can fix three key bits to the values 000, 001, ..., 111.
Additional conditions might be imposed upon the mappings ui, for example, to avoid the problems related to
weak keys or complementation properties of the block cipher. Let uj,i = uj(Xj,i).
Function fi:
Define the eight functions fi as follows:
fi(X,Y) = Eui(X) (Y) ⊕ Y, 1 ≤ i ≤ 8.
Linear mapping β:
Define the linear mapping β that takes as input a 2n-bit string X = x0||x1||x2||x3 and maps it to a 2n-bit string
Y = y0||y1||y2||y3 as follows:
y0 := x0 ⊕ x3
y1 := x0 ⊕ x1 ⊕ x3
y2 := x1 ⊕ x2
y3 := x2 ⊕ x3
Here xi and yj are n/2-bit strings.

ISO/IEC 10118-2:2010(E)
The round function φ has eight parallel encryptions, and eight n-bit chaining variables Hj,1, Hj,2,…, Hj,8.
In every iteration, four n-bit data blocks, Dj,1, Dj,2, Dj,3, Dj,4 (of length L1 = 4n bits) are combined from the
previous output of the round function, Hj-1,1, Hj-1,2,…, Hj-1,8 (of length L2 = 8n bits) to yield Hj,1, Hj,2,…, Hj,8
(of length L2 = 8n bits).
The round function is based on a linear mapping γ1 , that takes as input 12 n-bit strings I1, I2,…, I12 and maps
them to eight n-bit strings X1, X2,…, X8 and to eight n-bit strings Y1, Y2,…, Y8. The mapping uses eight 2n-bit
auxiliary strings R0, R1, M0, M1,..., M5. The mapping γ1 is defined by the following steps:
i) Set H 0,1,..., H 0,8 in the way that H 0,1||...||H 0,8 is equal to IV.
L R
ii) for i = 0 to 5 do { M i := I2i+1 ; M i := I2i+2 ;}
R0 := 0 ; R1 := 0 ;
iii) for i = 0 to 5 do {
B := R1 ⊕ M i ;
R1 := R0 ⊕ β (B) ;
R0 := B ; }
iv) for i = 1 to 8 do { X i := I i ;}
L
Y1 := R0 ;
R
Y2 := R0 ;
L
Y3 := R1 ;
R
Y4 := R1 ;
for i = 1 to 4 do { Y4+i := I8+i ;}

ISO/IEC 10118-2:2010(E)
Hj-1,1,…, Hj-1,8 Dj,1,…,Dj,4
γ1
Xj,1,…, Xj,8 Yj,1,…, Yj,8
E
uj,1,…,uj,8
Hj,1,…, Hj,8
H 1 H2 H3 H4 H5 H6 H7 H 8 D1 D2 D3 D4
R 0 R1
n n n n n n n n n n n n
0 0 0 0
M 0 2n 2n
H 1 H2 +
2n
+ β
M 1
H3 H4 +
2n
+ β
M
H5 H6
2
+
γ1
2n
+ β
M 3
H7 H 8 +
2n
+ β
M 4
D1 D2 +
2n
+ β
M 5
D3 D4 +
2n
+ β
2n 2n
X1 X 2 X3 X4 X5 X 6 X7 X8 Y5 Y6 Y7 Y8 Y1 Y2 Y3 Y4
Figure 4 — Linear mapping γ1 of hash-function 3

ISO/IEC 10118-2:2010(E)
The round function has the following form (1≤ j ≤ q).
(Xj,1, Xj,2,…, Xj,8, Yj,1, Yj,2,…, Yj,8) := γ1(Hj-1,1, Hj-1,2,…, Hj-1,8, Dj,1, Dj,2, Dj,3, Dj,4);
for i = 1 to 8 do { H j,i := fi (Xj,i, Yj,i) ;}
The round function is illustrated in Figure 3 and the linear mapping γ1 in Figure 4.
After processing of the padded message, the chaining variables have the values, Hq, 1, Hq, 2,…, Hq, 8. Perform
four additional iterations of the round function with the data inputs
Dq+1,i = Hq,i, 1≤ i ≤ 4
Dq+2,i = Hq,i+4, 1≤ i ≤ 4
Dq+3,i = Hq,i, 1≤ i ≤ 4
Dq+4,i = Hq,i+4, 1≤ i ≤ 4.
The output LH of the hash-function then consists of Hq+4,1 || Hq+4,2. The output transformation requires 26
encryptions (in the last iteration only two encryptions need to be performed).
9 Hash-function 4
9.1 General
The hash-function specified in this clause provides hash-codes of length LH, where LH is equal to 3n for even
values of n.
The parameters L1 and L2 and LH for the hash-function specified in this clause shall satisfy L1 = 3n, L2 = 9n,
and LH = 3n.
9.3 Padding method
The padding method for use with this hash-function shall be that specified in ISO/IEC 10118-1:2000, A.3, such
that r = n.
IV shall be a bit-string of length 9n and the value of the IV shall be agreed upon and fixed by users of the
hash-function.
9.5 Round function
Transformation u:
Define nine mappings u1, u2, …, u9 from the ciphertext space to the key space, such that,

ISO/IEC 10118-2:2010(E)
For all i, j from the set {1,2,…,9}, j ≠ i, ui(C) ≠ uj(C) for all values of C
This can be achieved by fixing specific key bits: e.g., One can fix four key bits to the values 0000, 0001, ...,
1000. Additional conditions might be imposed upon the mappings ui, for example, to avoid the problems
related to weak keys or complementation properties of the block cipher.
Function fi:
Define the nine functions fi as follows:
fi(X,Y) = Eui(X) (Y) ⊕ Y, 1 ≤ i ≤ 9.
Linear mapping β:
See 8.1 for specific definitions relevant to this hash-function.
The round function φ has nine parallel encryptions, and nine n-bit chaining variables, Hj, 1, Hj, 2,…, Hj, 9.
In every iteration, three n-bit data blocks, Dj,1, Dj,2, Dj,3 (of length L1 = 3n bits) are combined from the previous
output of the round function, Hj-1, 1, Hj-1, 2,…, Hj-1, 9 (of length L2 = 9n bits) to yield Hj, 1, Hj, 2,…, Hj, 9 (of length
L2 = 9n bits).
The round function is based on a linear mapping γ2 , that takes as input 12 n-bit strings l1, l2,…, l12 and maps
them to nine n-bit strings X1, X2,…, X9 and to nine n-bit strings Y1, Y2,…, Y9. The mapping uses nine 2n-bit
auxiliary strings R0, R1, R2, M0, M1,..., M5. The mapping γ2 is defined by the following steps:
i) Set H 0,1,..., H 0,9 in the way that H 0,1||...||H 0,9 is equal to IV

L R
ii) for i = 0 to 5 do { Mi := I 2i+1 ; Mi := I2i+2 ;}
R0 := 0 ; R1 := 0 ;R2 := 0 ;
iii) for i = 0 to 5 do {
B := R2 ⊕ M i ;
U := β (B) ;
R2 := R1 ⊕ U ;
R1 := R0 ⊕ U ;
R0 := B ; }
iv) for i = 1 to 9 do { X i := I i ;}
L
Y1 := R0 ;
R
Y2 := R0 ;
L
Y3 := R1 ;
R
Y4 := R1 ;
L
Y5 := R2 ;
R
Y6 := R2 ;
for i = 1 to 3 do { Y 6+i := I9+i ;}

ISO/IEC 10118-2:2010(E)
The round function has the following form (1≤ j ≤ q).
(Xj,1, Xj,2,…, Xj,9, Yj,1, Yj,2,…, Yj,9) := γ2(Hj-1,1, Hj-1,2,…, Hj-1,9, Dj,1, Dj,2, Dj,3);
for i = 1 to 9 do { H j,i := fi (Xj,i, Yj,i) ;}
The round function is illustrated in Figure 5 and the linear mapping γ2 in Figure 6.
Hj-1,1,…, Hj-1,9 Dj,1, Dj,2, Dj,3
γ2
Xj,1,…, Xj,9 Yj,1,…, Yj,9
uj,1,.. uj,9 E
Hj,1,…, Hj,9
After processing of the padded message, the chaining variables have the values Hq, 1, Hq, 2,…, Hq, 9. Perform
four additional iterations of the round function with the message inputs
Dq+1,i = Hq,i, 1≤ i ≤ 3
Dq+2,i = Hq,i+3, 1≤ i ≤ 3
Dq+3,i = Hq,i+6, 1≤ i ≤ 3
Dq+4,i = Hq,i, 1≤ i ≤ 3.
The output of the hash-function then consists of Hq+4,1|| Hq+4,2|| Hq+4,3 The output transformation requires 30
encryptions (in the last iteration only three encryptions need to be performed).

ISO/IEC 10118-2:2010(E)
H1 H2 H3 H4 H5 H6 H7 H8 H9 D1 D2 D3
R 0 R 1 R 2
n n n n n n n n n n n n
0 0 0 0 0 0
M 0
2n 2n 2n
H1 H2 +
2n + β
+
M 1
H3 H4 +
2n +
+
β
M 2
H5 H6 +
2n +
+ β
γ2
M 3
H7 H8 +
2n
+ β
L R
+
M 4 M 4
H9 D1 +
2n
+
+ β
M 5
D2 D3 +
2n +
+ β
2n 2n 2n
X1 X2 X3 X4 X5 X6 X7 X8 X9 Y7 Y8 Y9 Y1 Y2 Y3 Y4 Y5 Y6
Figure 6 — Linear mapping γ2 of hash-function 4

ISO/IEC 10118-2:2010(E)
Annex A
(informative)
Use of AES
A.1 General
This annex presents a way of using the AES (ISO/IEC 18033-3) in conjunction with the hashing operations
specified in this part of ISO/IEC 10118. The parameter for AES is n = 128. And the length of K is 128 bits.
A.2 Hash-function 1
IV should be equal to ‘52525252525252525252525252525252’ (in hexadecimal notation).
The transformation u should be chosen as follows. Let X be the binary decomposition of a 128-bit string.
Then Y = u(X) =X.
64
NOTE It is believed that finding collisions for the round function and for the hash-function requires 2 AES
encryptions.
A.3 Hash-function 2
L
R
The transformation u should be chosen as follows. Let X = x1x2…x128 be the binary decomposition of a 128-bit
string X. Then Y = u(X) is the string obtained after forcing the bit x1 to the value ‘0’. The result is:
Y = 0x2x3…x127x128. The transformation u’ should be chosen as follows. Then Y = u’(X) is the string obtained
after forcing the bit x1 to the value ‘1’. The result is: Y = 1x2x3…x127x128.
A.4 Hash-function 3
IV1, IV2,..., IV8 shall be equal to `52525252525252525252525252525252' (in hexadecimal notation).
The transformation u1, u2, …u8 shall be chosen as follows. Let X = x1x2…x128 be the binary decomposition of a
128-bit string X. Then Y = ui(X) is the string obtained after forcing the bits x1, x2, x3 to the values given in
Table 1.

ISO/IEC 10118-2:2010(E)
Table A.1 — Hash-function 3: Values of key bits no. 1, 2, 3 in the eight subfunctions
Subfunction i Subfunction i
1 000
2 001
3 010
4 011
5 100
6 101
7 110
8 111
A.5 Hash-function 4
IV1, IV2, ... IV9 shall be equal to `52525252525252525252525252525252' (in hexadecimal notation).
The transformation u1, u2, …u9 shall be chosen as follows. Let X = x1x2…x128 be the binary decomposition of a
128-bit string X. Then Y = ui(X) is the string obtained after forcing the bits x1, x2, x3, x4 to the values given in
Table 2.
Table A.2 — Hash-function 4: Values of key bits no. 1, 2, 3, and 4 in the nine subfunctions
Subfunction i Subfunction i
1 0000
2 0001
3 0010
4 0011
5 0100
6 0101
7 0110
8 0111
9 1000

ISO/IEC 10118-2:2010(E)
Annex B
(informative)
Examples
B.1 General
This annex gives examples for the computation of a hash-code for all the hash-functions specified in
Clauses 6-9 of this part of ISO/IEC 10118, the block cipher specified in Annex A of this part of ISO/IEC 10118
and selected padding methods specified in Annex A of ISO/IEC 10118-1:2000.
The data string is the 7-bit ASCII code as described in [3] (no parity) for “Now_is_the_time_for_all_”, where ”_”
denotes a blank in hexadecimal notation:
‘4e6f77206973207468652074696d6520666f7220616c6c20’
B.2 Hash-function 1
See A.2.
Padding method 1
J Dj Hj-1 Hj
1 4e6f772069732074 5252525252525252 113fff9a8dfe98c1
68652074696d6520 5252525252525252 6ed8932aff2dfd9e
2 666f7220616c6c20 113fff9a8dfe98c1 08851dc2ef0dd720
0000000000000000 6ed8932aff2dfd9e b76972c33761b988
Padding method 2
J Dj Hj-1 Hj
1 4e6f772069732074 5252525252525252 113fff9a8dfe98c1
68652074696d6520 5252525252525252 6ed8932aff2dfd9e
2 666f7220616c6c20 113fff9a8dfe98c1 2bf0f0e63c36e020
8000000000000000 6ed8932aff2dfd9e 780d4835b98590ea

ISO/IEC 10118-2:2010(E)
B.3 Hash-function 2
Padding method 1
L R
j Dj H j-1 H j-1
1 4e6f772069732074 5252525252525252 2525252525252525
68652074696d6520 5252525252525252 2525252525252525
2 666f7220616c6c20 c84daaccf3ea34a4 5f66afab4d7e2f20
0000000000000000 234c789d2e61f2e3 b4df8be09cdcd69b
L R
J Dj H j H j
1 c84daaccf3ea34a4 5f66afab4d7e2f20
234c789d2e61f2e3 b4df8be09cdcd69b
2 4a56ed816a52ca1f e88d9cdbcc55850c
6d89483b781ec276 e2ced29925a6f64b
Padding method 2
L R
j Dj H j-1 H j-1
1 4e6f772069732074 5252525252525252 2525252525252525
68652074696d6520 5252525252525252 2525252525252525
2 666f7220616c6c20 c84daaccf3ea34a4 5f66afab4d7e2f20
8000000000000000 234c789d2e61f2e3 b4df8be09cdcd69b
L R
j Dj H j H j
1 c84daaccf3ea34a4 5f66afab4d7e2f20
234c789d2e61f2e3 b4df8be09cdcd69b
2 ca3eafd2bf937bfe fff352b5d02670c6
8c11b00d4543a1cd d2c0d86822aaeed5

ISO/IEC 10118-2:2010(E)
B.4 Hash-function 3
Padding method 3.
D1, 1, D1, 2, D1, 3, D1, 4 H0, 1, H0, 2, H0, 3, H0, 4, H1, 1, H1, 2, H1, 3, H1, 4,
H0, 5, H0, 6, H0, 7, H0, 8 H1, 5, H1, 6, H1, 7, H1, 8
4e6f772069732074 5252525252525252 218f923b370be9a8
68652074696d6520 5252525252525252 920562614859df7e
666f7220616c6c20 5252525252525252 8a26575e97be292b
8000000000000000 5252525252525252 4aa47e1e8206a2f7
0000000000000000 5252525252525252 1230f84cffde57fd
0000000000000000 5252525252525252 988b6063b3b2d3cf
0000000000000000 5252525252525252 ed5d056582182065
00000000000000c0 5252525252525252 c4fb4f2966b27058
5252525252525252 6eb4beb7c1b2141f
5252525252525252 268ba3326336413b
5252525252525252 c90a43026a380748
5252525252525252 dcc2521dd2cf3e0d
5252525252525252 c9851c64fef13ad7
5252525252525252 11d1a801e2ac052d
5252525252525252 1e79a495366b8cd9
5252525252525252 ca1eca9844dc09e5

ISO/IEC 10118-2:2010(E)
D2, 1, D2, 2, D2, 3, D2, 4 H1, 1, H1, 2, H1, 3, H1, 4, H2, 1, H2, 2, H2, 3, H2, 4,
H1, 5, H1, 6, H1, 7, H1, 8 H2, 5, H2, 6, H2, 7, H2, 8
218f923b370be9a8 218f923b370be9a8 e05e2407707fa017
920562614859df7e 920562614859df7e 44e1156f9ba14704
8a26575e97be292b 8a26575e97be292b 2d6d30d47c1736d0
4aa47e1e8206a2f7 4aa47e1e8206a2f7 597e1750720f4247
1230f84cffde57fd 1230f84cffde57fd 01af4028b2023819
988b6063b3b2d3cf 988b6063b3b2d3cf 40db2f9056889610
ed5d056582182065 ed5d056582182065 450cebc815285244
c4fb4f2966b27058 c4fb4f2966b27058 343f87f2aba57fe8
6eb4beb7c1b2141f ccc71fdf4a500dbe
268ba3326336413b 6fc9f91932ec9cdd
c90a43026a380748 7332ba30f8c7fab0
dcc2521dd2cf3e0d 55f859f7c74d4589
c9851c64fef13ad7 9c8e431285712ab2
11d1a801e2ac052d 675dc2734f1bac40
1e79a495366b8cd9 96c578ed26e38a77
ca1eca9844dc09e5 d62f10e896523889

ISO/IEC 10118-2:2010(E)
D3, 1, D3, 2, D3, 3, D3, 4 H2, 1, H2, 2, H2, 3, H2, 4, H3, 1, H3, 2, H3, 3, H3, 4,
H2, 5, H2, 6, H2, 7, H2, 8 H3, 5, H3, 6, H3, 7, H3, 8
6eb4beb7c1b2141f e05e2407707fa017 f9c0dfe1c95010b2
268ba3326336413b 44e1156f9ba14704 8f8bcb23eef6daa2
c90a43026a380748 2d6d30d47c1736d0 ea0ad33cc80231dc
dcc2521dd2cf3e0d 597e1750720f4247 9790b34d5ec03c0e
c9851c64fef13ad7 01af4028b2023819 861bafcee007b4cd
11d1a801e2ac052d 40db2f9056889610 6dbf787a2654dcf7
1e79a495366b8cd9 450cebc815285244 977028407cb93345
ca1eca9844dc09e5 343f87f2aba57fe8 b163d9e3a005ff7f
ccc71fdf4a500dbe 5688331e36f098bc
6fc9f91932ec9cdd 75d83967830d4086
7332ba30f8c7fab0 6196b975ab6fee13
55f859f7c74d4589 fff012673153fd87
9c8e431285712ab2 7f021bdfc73f846f
675dc2734f1bac40 8e485a4fe0fa1644
96c578ed26e38a77 6662de8b03a6b64d
d62f10e896523889 5fb159f1adf26d5d

ISO/IEC 10118-2:2010(E)
D4, 1, D4, 2, D4, 3, D4, 4 H3, 1, H3, 2, H3, 3, H3, 4, H4, 1, H4, 2, H4, 3, H4, 4,
H3, 5, H3, 6, H3, 7, H3, 8 H4, 5, H4, 6, H4, 7, H4, 8
218f923b370be9a8 f9c0dfe1c95010b2 5a3824dd343c1c91
920562614859df7e 8f8bcb23eef6daa2 cd5ddb98d4c0da49
8a26575e97be292b ea0ad33cc80231dc f929439b08ccf36b
4aa47e1e8206a2f7 9790b34d5ec03c0e 14ae2fce0d7e2c76
1230f84cffde57fd 861bafcee007b4cd ff001505ccb8b3a6
988b6063b3b2d3cf 6dbf787a2654dcf7 0a3f4674496b91f1
ed5d056582182065 977028407cb93345 baa3b2b7746c548e
c4fb4f2966b27058 b163d9e3a005ff7f 0676aff6595c6e11
5688331e36f098bc 3be7c5a7d47b7bbb
75d83967830d4086 f3f8df583e5633d1
6196b975ab6fee13 4a87df6f5892eece
fff012673153fd87 73bf2cd832bfc181
7f021bdfc73f846f fead044cd64757ed
8e485a4fe0fa1644 74477d02b1ecfff2
6662de8b03a6b64d a836d76f2117e1f1
5fb159f1adf26d5d faa55af85c67f5b2

ISO/IEC 10118-2:2010(E)
D5, 1, D5, 2, D5, 3, D5, 4 H4, 1, H4, 2, H4, 3, H4, 4, H5, 1, H5, 2, H5, 3, H5, 4,
H4, 5, H4, 6, H4, 7, H4, 8 H5, 5, H5, 6, H5, 7, H5, 8
218f923b370be9a8 5a3824dd343c1c91 35af124f4845eb47
920562614859df7e cd5ddb98d4c0da49 256a959eb84554e0
8a26575e97be292b f929439b08ccf36b 3b78dd0c4a1d9bf3
4aa47e1e8206a2f7 14ae2fce0d7e2c76 6c4a4010aa41d8c5
1230f84cffde57fd ff001505ccb8b3a6 2cd3c769464dc946
988b6063b3b2d3cf 0a3f4674496b91f1 6beb79285da9e383
ed5d056582182065 baa3b2b7746c548e 0c0afc2e1fba5338
c4fb4f2966b27058 0676aff6595c6e11 d1ae7bff8f000138
3be7c5a7d47b7bbb 08b7bf8d2761947e
f3f8df583e5633d1 fb950243c0980b87
4a87df6f5892eece 683447121ef47b19
73bf2cd832bfc181 b043076cf44d931b
fead044cd64757ed af4f446c2e2cf09d
74477d02b1ecfff2 c73cd1a4383d1f26
a836d76f2117e1f1 6dfaa1bfc27b6606
faa55af85c67f5b2 7c88bc330ec798f5
Hash-code:
'35af124f4845eb47256a959eb84554e03b78dd0c4a1d9bf36c4a4010aa41d8c5’

ISO/IEC 10118-2:2010(E)
B.5 Hash-function 4
Padding method 3
D1, 1, D1, 2, D1, 3 H0, 1, H0, 2, H0, 3, H0, 4, H1, 1, H1, 2, H1, 3, H1, 4,
H0, 5, H0, 6, H0, 7, H0, 8, H0, 9 H1, 5, H1, 6, H1, 7, H1, 8, H1, 9
4e6f772069732074 5252525252525252 35373c5888be113e
68652074696d6520 5252525252525252 685b8c0a1c87af82
666f7220616c6c20 5252525252525252 10322300513de264
8000000000000000 5252525252525252 f47883512306b378
0000000000000000 5252525252525252 3ccf820b5a6395f1
00000000000000c0 5252525252525252 6af97874f3ced2e5
5252525252525252 64dd22a5fc7673d9
5252525252525252 0deeed557012a0a0
5252525252525252 546cff0e61ff9597
5252525252525252 388dbe3bdc3ad0aa
5252525252525252 276b38ca16da0733
5252525252525252 1efc14b2188b4510
5252525252525252 9943f2aa62125370
5252525252525252 c7ee32c7e95ed829
5252525252525252 cec2c97e170a75ec
5252525252525252 2604a9fda4811e4b
5252525252525252 70f5c66e35c89830
5252525252525252 3143d2449a614041

ISO/IEC 10118-2:2010(E)
D2, 1, D2, 2, D2, 3 H1, 1, H1, 2, H1, 3, H1, 4, H2, 1, H2, 2, H2, 3, H2, 4,
H1, 5, H1, 6, H1, 7, H1, 8, H1, 9 H2, 5, H2, 6, H2, 7, H2, 8, H2, 9
35373c5888be113e 35373c5888be113e 44d108f07ce9d076
685b8c0a1c87af82 685b8c0a1c87af82 69f7e43f7c627c48
10322300513de264 10322300513de264 a1948349260589ed
f47883512306b378 f47883512306b378 8ac7d620da4321dd
3ccf820b5a6395f1 3ccf820b5a6395f1 9f148d9316ff1278
6af97874f3ced2e5 6af97874f3ced2e5 4fd51e6f2e35da96
64dd22a5fc7673d9 8e3d490e4875f1c9
0deeed557012a0a0 8307522ee5e1f967
546cff0e61ff9597 5f77293a3205e448
388dbe3bdc3ad0aa e56ca64c230ad045
276b38ca16da0733 2261fbdbcf5df445
1efc14b2188b4510 3da0a49acdf3288f
9943f2aa62125370 b5e607b243ae52d5
c7ee32c7e95ed829 5a49885511f4e946
cec2c97e170a75ec d0449c6baf4ba7ef
2604a9fda4811e4b c7bae60df90dd97f
70f5c66e35c89830 3b9364cadd1572f0
3143d2449a614041 35f52ead4810674a

ISO/IEC 10118-2:2010(E)
D3, 1, D3, 2, D3, 3 H2, 1, H2, 2, H2, 3, H2, 4, H3, 1, H3, 2, H3, 3, H3, 4,
H2, 5, H2, 6, H2, 7, H2, 8, H2, 9 H3, 5, H3, 6, H3, 7, H3, 8, H3, 9
64dd22a5fc7673d9 44d108f07ce9d076 1c76cca901cba5d6
0deeed557012a0a0 69f7e43f7c627c48 b96cd1f95dedca52
546cff0e61ff9597 a1948349260589ed 7ca446c11c899e28
388dbe3bdc3ad0aa 8ac7d620da4321dd e526ba9d0dcfc49f
276b38ca16da0733 9f148d9316ff1278 a22b3dc0a231acf4
1efc14b2188b4510 4fd51e6f2e35da96 e53f010576888ebc
8e3d490e4875f1c9 f3b5906d11c43a05
8307522ee5e1f967 3c36b712ab49681d
5f77293a3205e448 14b4c16475053acb
e56ca64c230ad045 f001a8ca0d852e6a
2261fbdbcf5df445 134a555ea2cdd353
3da0a49acdf3288f 81e8a2d31d279a6d
b5e607b243ae52d5 ca55673c5bb6f505
5a49885511f4e946 6dd666af5dfb707e
d0449c6baf4ba7ef 1d9d223fcf99f110
c7bae60df90dd97f 46de8b95c927403b
3b9364cadd1572f0 7fff085eff33d9e9
35f52ead4810674a 572fc59a39cb4043

ISO/IEC 10118-2:2010(E)
D4, 1, D4, 2, D4, 3 H3, 1, H3, 2, H3, 3, H3, 4, H4, 1, H4, 2, H4, 3, H4, 4,
H3, 5, H3, 6, H3, 7, H3, 8, H3, 9 H4, 5, H4, 6, H4, 7, H4, 8, H4, 9
9943f2aa62125370 1c76cca901cba5d6 77f6113309990295
c7ee32c7e95ed829 b96cd1f95dedca52 edf3e00dfc8cc0b6
cec2c97e170a75ec 7ca446c11c899e28 8b6516b5c4b6ad38
2604a9fda4811e4b e526ba9d0dcfc49f fc571e26e4c5e7ca
70f5c66e35c89830 a22b3dc0a231acf4 1a1db32389fd15d7
3143d2449a614041 e53f010576888ebc c7a280bd5f4ebd75
f3b5906d11c43a05 808f8a05ab60e731
3c36b712ab49681d 05901262a5bf2c19
14b4c16475053acb 8ac554b724bde667
f001a8ca0d852e6a 7c06331a8adf8d6e
134a555ea2cdd353 00bafa8a6f62f8fa
81e8a2d31d279a6d 3c21d5eabde939c6
ca55673c5bb6f505 f881454248849271
6dd666af5dfb707e 7c423d111187e791
1d9d223fcf99f110 5b4b7ac7fce35e12
46de8b95c927403b a99cd3df62ea97fa
7fff085eff33d9e9 3a3263d188f5ff0b
572fc59a39cb4043 1fa1c82c69e7f961

ISO/IEC 10118-2:2010(E)
D5, 1, D5, 2, D5, 3 H4, 1, H4, 2, H4, 3, H4, 4, H5, 1, H5, 2, H5, 3, H5, 4,
H4, 5, H4, 6, H4, 7, H4, 8, H4, 9 H5, 5, H5, 6, H5, 7, H5, 8, H5, 9
35373c5888be113e 77f6113309990295 cdac9fdaff9e80f1
685b8c0a1c87af82 edf3e00dfc8cc0b6 c464af255041b323
10322300513de264 8b6516b5c4b6ad38 c8d6aa10e8f147a2
f47883512306b378 fc571e26e4c5e7ca dedfd219ae0c2a4c
3ccf820b5a6395f1 1a1db32389fd15d7 96e3c0f64293b529
6af97874f3ced2e5 c7a280bd5f4ebd75 8b264625901920d1
808f8a05ab60e731 d12be37468aaea96
05901262a5bf2c19 ad5ceb214786b5e8
8ac554b724bde667 617bb4b093fc5310
7c06331a8adf8d6e 524f75ead2e90641
00bafa8a6f62f8fa acea1480ca6f8442
3c21d5eabde939c6 850172e1da4bbfb7
f881454248849271 ff99ea1fdd4aba2b
7c423d111187e791 6181aef8cfac2724
5b4b7ac7fce35e12 cd3647e4deb06d7a
a99cd3df62ea97fa 9d542fc808ae980c
3a3263d188f5ff0b e0fc52b0d4c1d8e1
1fa1c82c69e7f961 53dc66bfbc492875
Hash-code:
'cdac9fdaff9e80f1c464af255041b323c8d6aa10e8f147a2dedfd219ae0c2a4c96e3c0f64293b5298b264625
901920d1’

ISO/IEC 10118-2:2010(E)
Annex C
(normative)
ASN.1 Module
This annex lists the ASN.1 module assigned to the hash-functions using an n-bit block cipher specified in this
part of ISO/IEC 10118.
Hash-functionsPart2 {
iso(1) standard(0) hash-functions(10118) part2(2)
asn1-module(1) hash-functions-using-blockcipher(0) }
DEFINITIONS EXPLICIT TAGS ::= BEGIN
-- Cryptographic algorithm identification –-

ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL
}
WITH SYNTAX { OID &id [PARMS &Type] }
-- EXPORTS All; --
OID ::= OBJECT IDENTIFIER -- alias
-- Synonyms --
is10118-2 OID ::= {iso(1) standard(0) part2(2) }
id-dhf OID ::= { is10118-2 algorithm(0) }
is18033-3 OID ::= { iso(1) standard(0) is18033(18033) part3(3) }

id-bc64 OID ::= { is18033-3 cipher-64-bit(1) }
id-bc128 OID ::= { is18033-3 cipher-128-bit(2) }
-- Assignments --
id-hash-1 OID ::= { id-dhf hash-function-1(1) }

EncryptionAlgorithmIdentifier {ALGORITHM:BlockAlgorithms}::= SEQUENCE {

algorithm ALGORITHM.&id({BlockAlgorithms}),
parameters ALGORITHM.&Type({BlockAlgorithms}{@algorithm}) OPTIONAL
}
BlockAlgorithms ALGORITHM ::= {

{ OID id-bc64-tdea PARMS KeyLengthID } |
{ OID id-bc64-misty1 PARMS KeyLength } |
{ OID id-bc64-cast128 PARMS KeyLength } |
{ OID id-bc128-aes PARMS KeyLengthID } |
{ OID id-bc128-camellia PARMS KeyLengthID } |
{ OID id-bc128-seed PARMS KeyLength },
... –- Except additional algorithms –-
}
KeyLength ::= INTEGER
KeyLengthID ::= CHOICE {
int KeyLength,
oid OID

© ISO/IEC 2010 – All rights reserved

END -- Hash-functionsPart2 --
ISO/IEC 10118-2:2010(E)
28
}
ISO/IEC 10118-2:2010(E)
Bibliography
[1] KNUDSEN, L.R. PRENEEL, B. Hash-functions based on block ciphers and quaternary codes, Advances
in Cryptology, Proc. AsiaCrypt’96, LNCS 1163, K. Kim, T. Matsumoto, Eds., Springer-Verlag, 1996,
pp. 77-90
[2] KNUDSEN, L.R. PRENEEL, B. Fast and secure hashing based on codes, Advances in Cryptology, Proc.
Crypto’97, LNCS 1294, B. Kaliski, Ed., Springer-Verlag, 1997, pp. 485-498
[3] ISO 646:1991, Information technology — ISO 7-bit coded character set for information interchange
[4] COPPERSMITH, D. MATYAS, S.M. PEYRAVIAN, M. Rationale for Bit Fixing in the MDC-2 Algorithm, IBM
T.J. Watson Research Center, Yorktown Heights, N.Y., 10598, Research Report RC21471, May 7
1999
[5] MENEZES ALFRED J., Paul C. VAN OORSCHOT, Scott A. VANSTONE, Handbook of Applied Cryptography.
Fifth Printing (August 2001)
[6] KNUDSEN, L.R. MENDEL, F. RECHBERGER, C. THOMSEN, S.S. Cryptanalysis of MDC-2, Advances in
Cryptology, Proc. Eurocrypt 2009, LNCS 5479, A. Joux, Ed., Springer-Verlag, 2009, pp. 106-120
[7] ISO/IEC 18033-3:2005, Information technology — Security techniques — Encryption algorithms —

Part 3: Block ciphers

© ISO/IEC 2010 – All rights reserved

ISO/IEC 10118-2:2010(E)
Price based on 29 pages

ICS 35.040

Iso Iec 10118-2-2010

Uploaded by

Copyright:

Available Formats

You might also like

Iso Iec 10118-2-2010

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Iso Iec 10118-2-2010

Uploaded by

Copyright:

Available Formats

Copyrighted material licensed to BR Demo by Thomson Reuters (Scientific), Inc., subscriptions.techstreet.com, downloaded on Nov-28-2014 by James Madison.

No further reproduction or distribution is permitted. Uncontrolled when printe

Information technology — Security

COPYRIGHT PROTECTED DOCUMENT

ii © ISO/IEC 2010 – All rights reserved

© ISO/IEC 2010 – All rights reserved iii

B.5 Hash-function 4....................................................................................................................................22

iv © ISO/IEC 2010 – All rights reserved

⎯ Part 2: Hash-functions using an n-bit block cipher

⎯ Part 3: Dedicated hash-functions

⎯ Part 4: Hash-functions using modular arithmetic

© ISO/IEC 2010 – All rights reserved v

vi © ISO/IEC 2010 – All rights reserved

Information technology — Security techniques —

ISO/IEC 10118-1:2000, Information technology — Security techniques — Hash-functions — Part 1: General

3 Terms and definitions

NOTE The round function is used iteratively.

© ISO/IEC 2010 – All rights reserved 1

4 Symbols and abbreviated terms

Bx When B is a sequence of blocks and each block has m bits, Bx (x≥0)

K Key for the algorithm E

5 Use of the general model

⎯ the parameters L1, L2, LH,

⎯ the padding method,

⎯ the initializing value IV,

⎯ the round function φ,

⎯ the output transformation T.

NOTE This hash-function is described in [5].

6.2 Parameter selection

2 © ISO/IEC 2010 – All rights reserved

6.3 Padding method

6.4 Initializing value

6.5 Round function

Define a mapping u from the ciphertext space.

The round function itself is defined as follows:

φ (Dj, Hj-1) = EKj (Dj) ⊕ Dj

where Kj = u (Hj-1). The round function is shown in Figure 1.

Figure 1 — Round function of hash-function 1

© ISO/IEC 2010 – All rights reserved 3

6.6 Output transformation

NOTE 1 This hash-function is described in [4].

7.2 Parameter selection

7.3 Padding method

7.4 Initializing value

7.5 Round function

Bj = EX(Dj) ⊕ Dj, and B’j= EY(Dj) ⊕ Dj

4 © ISO/IEC 2010 – All rights reserved

7.6 Output transformation

BjL BjR B ′jL B ′jR

BjL B ′jR B ′jL B jR

Figure 2 — Round function of hash-function 2

© ISO/IEC 2010 – All rights reserved 5

NOTE This hash-function is described in [1].

8.2 Parameter selection

8.3 Padding method

8.4 Initializing value

8.5 Round function