ISO/IEC 9797-2:2011
Information technology - Security techniques - Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function
Message Authentication Code (MAC) algorithms are data integrity mechanisms that compute a short string (the Message Authentication Code or MAC) as a complex function of every bit of the data and of a secret key. Their main security property is unforgeability: someone who does not know the secret key should not be able to predict the MAC on any new data string. MAC algorithms can be used to provide data integrity. Their purpose is the detection of any unauthorized modification of the data such as deletion, insertion, or transportation of items within data. This includes both malicious and accidental modifications. MAC algorithms can also provide data origin authentication. This means that they can provide assurance that a message has been originated by an entity in possession of a specific secret key. ISO/IEC 9797-2:2011 specifies three MAC algorithms that are based on a dedicated hash-function (selected from ISO/IEC 10118-3). ISO/IEC 9797-2:2011 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. The strength of the data integrity mechanism and message authentication mechanism is dependent on the length (in bits) k and secrecy of the key, on the length (in bits) n of the hash-function and its strength, on the length (in bits) m of the MAC, and on the specific mechanism. The first mechanism specified in ISO/IEC 9797-2:2011 is commonly known as MDx-MAC. It calls the complete hash-function once, but it makes a small modification to the round-function by adding a key to the additive constants in the round-function. The second mechanism specified in ISO/IEC 9797-2:2011 is commonly known as HMAC. It calls the complete hash-function twice. The third mechanism specified in ISO/IEC 9797-2:2011 is a variant of MDx-MAC that takes as input only short strings (at most 256 bits). It offers a higher performance for applications that work with short input strings only.
ISO/IEC 9797-2:2011 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Security techniques - Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function".
ISO/IEC 9797-2:2011 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security; 35.040 - Information coding. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 9797-2:2011 has the following relationships with other standards: it has inter-standard links to ISO/IEC 9797-2:2021 and ISO/IEC 9797-2:2002. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 9797-2
Second edition 2011-05-01
Corrected version 2011-06-15
Information technology — Security techniques — Message Authentication Codes (MACs) — Part 2: Mechanisms using a dedicated hash-function
© ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and notation
5 Requirements
6 MAC Algorithm 1
6.1 Description of MAC Algorithm 1
6.1.1 Step 1 (key expansion)
6.1.2 Step 2 (modification of the constants and the IV)
6.1.3 Step 3 (hashing operation)
6.1.4 Step 4 (output transformation)
6.1.5 Step 5 (truncation)
6.2 Efficiency
6.3 Computation of the constants
6.3.1 Dedicated Hash-Function 1 (RIPEMD-160)
6.3.2 Dedicated Hash-Function 2 (RIPEMD-128)
6.3.3 Dedicated Hash-Function 3 (SHA-1)
6.3.4 Dedicated Hash-Function 4 (SHA-256)
6.3.5 Dedicated Hash-Function 5 (SHA-512)
6.3.6 Dedicated Hash-Function 6 (SHA-384)
6.3.7 Dedicated Hash-Function 8 (SHA-224)
7 MAC Algorithm 2
7.1 Description of MAC Algorithm 2
7.1.1 Step 1 (key expansion)
7.1.2 Step 2 (hashing operation)
7.1.3 Step 3 (output transformation)
7.1.4 Step 4 (truncation)
7.2 Efficiency
8 MAC Algorithm 3
8.1 Description of MAC Algorithm 3
8.1.1 Step 1 (key expansion)
8.1.2 Step 2 (modification of the constants and the IV)
8.1.3 Step 3 (padding)
8.1.4 Step 4 (application of the round-function)
8.1.5 Step 5 (truncation)
8.2 Efficiency
Annex A (normative) ASN.1 Module
Annex B (informative) Examples
Annex C (informative) A security analysis of the MAC algorithms
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
ISO/IEC 9797-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC 9797-2:2002), which has been technically
revised by including MAC algorithms based on Dedicated Hash-Functions 4 – 7 of ISO/IEC 10118-3:2004 and
Dedicated Hash-Function 8 of ISO/IEC 10118-3/Amd.1:2006.
ISO/IEC 9797 consists of the following parts, under the general title Information technology — Security
techniques — Message Authentication Codes (MACs):
⎯ Part 1: Mechanisms using a block cipher
⎯ Part 2: Mechanisms using a dedicated hash-function
⎯ Part 3: Mechanisms using a universal hash-function
Further parts may follow.
This corrected version of ISO/IEC 9797-2:2011 incorporates corrections to subclauses 3.14, 6.3, 6.3.5 and
6.3.6.
Introduction
The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC)
draw attention to the fact that it is claimed that compliance with this document may involve the use of a patent
concerning MAC Algorithm 1 (MDx-MAC) given in Clause 6.
ISO and IEC take no position concerning the evidence, validity and scope of this patent right.
The holder of this patent right has assured ISO and IEC that he is willing to negotiate licenses under
reasonable and non-discriminatory terms and conditions with applicants throughout the world. In this respect,
the statement of the holder of this patent right is registered with ISO and IEC. Information may be obtained
from:
Entrust Technologies, Technology Licensing Dept., 1000 Innovation Drive, Ottawa, Ontario, Canada K2K 3E7.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or all
such patent rights.
INTERNATIONAL STANDARD ISO/IEC 9797-2:2011(E)
Information technology — Security techniques — Message
Authentication Codes (MACs) —
Part 2:
Mechanisms using a dedicated hash-function
1 Scope
This part of ISO/IEC 9797 specifies three MAC algorithms that use a secret key and a hash-function (or its
round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data
integrity mechanisms to verify that data has not been altered in an unauthorized manner. They can also be
used as message authentication mechanisms to provide assurance that a message has been originated by an
entity in possession of the secret key. The strength of the data integrity and message authentication
mechanisms is dependent on the entropy and secrecy of the key, on the length (in bits) n of a hash-code
produced by the hash-function, on the strength of the hash-function, on the length (in bits) m of the MAC, and
on the specific mechanism.
The three mechanisms specified in this part of ISO/IEC 9797 are based on the dedicated hash-functions
specified in ISO/IEC 10118-3. The first mechanism is commonly known as MDx-MAC. It calls the hash-
function once, but it makes a small modification to the round-function in the hash-function by adding a key to
the additive constants in the round-function. The second mechanism is commonly known as HMAC. It calls
the hash-function twice. The third mechanism is a variant of MDx-MAC that takes as input only short strings
(at most 256 bits). It offers higher performance for applications that work with short input data strings only.
This part of ISO/IEC 9797 can be applied to the security services of any security architecture, process, or
application.
NOTE A general framework for the provision of integrity services is specified in ISO/IEC 10181-6 [5].
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 10118-3:2004, Information technology — Security techniques — Hash-functions — Part 3: Dedicated
hash-functions
ISO/IEC 10118-3:2004/Amd.1:2006, Information technology — Security techniques — Hash-functions —
Part 3: Dedicated hash-functions — Amendment 1: Dedicated Hash-Function 8 (SHA-224)
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
block
bit-string of length L_1, i.e. the length of the first input to the round-function
[ISO/IEC 10118-3]
3.2
collision-resistant hash-function
hash-function satisfying the following property:
- it is computationally infeasible to find any two distinct inputs which map to the same output
[ISO/IEC 10118-1]
3.3
entropy
total amount of information yielded by a set of bits, representative of the work effort required for an adversary
to be able to reproduce the same set of bits
[ISO/IEC 18032]
3.4
input data string
string of bits which is the input to a hash-function
3.5
hash-code
string of bits which is the output of a hash-function
[ISO/IEC 10118-1]
3.6
hash-function
function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties:
- for a given output, it is computationally infeasible to find an input which maps to this output;
- for a given input, it is computationally infeasible to find a second input which maps to the same
output
[ISO/IEC 10118-1]
3.7
initializing value
value used in defining the starting point of a hash-function
[ISO/IEC 10118-1]
3.8
MAC algorithm key
key that controls the operation of a MAC algorithm
[ISO/IEC 9797-1]
3.9
Message Authentication Code (MAC)
string of bits which is the output of a MAC algorithm
NOTE A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2 [1]).
[ISO/IEC 9797-1]
3.10
Message Authentication Code (MAC) algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings of bits,
satisfying the following two properties:
- for any key and any input string, the function can be computed efficiently;
- for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute the
function value on any new input string, even given knowledge of the set of input strings and
corresponding function values, where the value of the ith input string may have been chosen after
observing the value of the first i-1 function values (for integer i > 1)
NOTE 1 A MAC algorithm is sometimes called a cryptographic check function (see for example ISO 7498-2 [1]).
NOTE 2 Computational feasibility depends on the user's specific security requirements and environment.
[ISO/IEC 9797-1]
3.11
output transformation
function that is applied at the end of the MAC algorithm, before the truncation operation
[ISO/IEC 9797-1]
3.12
padding
appending extra bits to a data string
[ISO/IEC 10118-1]
3.13
round-function
function that transforms two binary strings of lengths L_1 and L_2 to a binary string of length L_2
NOTE 1 It is used iteratively as part of a hash-function, where it combines a data string of length L_1 with the previous output of length L_2.
[ISO/IEC 10118-1]
NOTE 2 This function is also referred to as compression function in a certain hash-function text.
3.14
security strength
a number associated with the amount of work (i.e. the number of operations) that is required to break a
cryptographic algorithm or system
NOTE Security strength is specified in bits, and is a specific value from the set {80, 112, 128, 192, 256}. A security strength of b bits means that of the order of 2^b operations are required to break the system.
3.15
word
string of 32 bits used in Dedicated Hash-Functions 1, 2, 3, 4 and 8, or a string of 64 bits used in Dedicated
Hash-Functions 5 and 6 of ISO/IEC 10118-3
[ISO/IEC 10118-3]
4 Symbols and notation
This part of ISO/IEC 9797 makes use of the following symbols and notation defined in ISO/IEC 9797-1 [3]:
D the input data string, i.e. the data string to be input to the MAC algorithm.
m the length (in bits) of the MAC.
q the number of blocks in the input data string D after the padding and splitting process.
j ~ X the string obtained from the string X by taking the leftmost j bits of X.
X ⊕ Y bitwise exclusive-or of bit-strings X and Y.
X || Y concatenation of bit-strings X and Y (in that order).
:= a symbol denoting the 'set equal to' operation used in the procedural specifications of MAC
algorithms, where it indicates that the value of the string on the left side of the symbol shall be made
equal to the value of the expression on the right side of the symbol.
For the purposes of this part of ISO/IEC 9797, the following symbols and notation apply:
D padded data string.
h hash-function.
h' the hash-function h with modified constants and modified IV.
h simplified hash-function h without the padding and length appending, and without truncating the round-function output (L_2 bits) to its left-most L_H bits.
NOTE 1 h shall only be applied to input strings with a length that is a positive integer multiple of L_1.
NOTE 2 The output of h should be L_2 bits rather than L_H bits; in particular, in Dedicated Hash-Functions 6 and 8 defined in ISO/IEC 10118-3, L_H is always smaller than L_2.
H', H'' strings of L bits which are used in the MAC algorithm computation to store an intermediate result.
IV', IV_1, IV_2 initializing values.
k length (in bits) of the MAC algorithm key.
K secret MAC algorithm key.
K', K_0, K_1, K_2, K, K_1, K_2 secret MAC algorithm derived keys.
KT the first input string of the function φ' used in the output transformation step of MAC Algorithm 1.
L̃ the bit string encoding the message length in MAC Algorithm 3.
OPAD, IPAD constant strings used in MAC Algorithm 2.
R, S_0, S_1, S_2 constant strings used in the computation of the constants for MAC Algorithm 1 and MAC Algorithm 3.
T_0, T_1, T_2 constant strings used in the key derivation for MAC Algorithm 1 and MAC Algorithm 3.
U_0, U_1, U_2 constant strings used in the key derivation for MAC Algorithm 1 and MAC Algorithm 3.
φ' round-function with modified constants.
K_1[i] the ith word of the string K_1, i.e. K_1 = K_1[0] || K_1[1] || K_1[2] || K_1[3].
This part of ISO/IEC 9797 makes use of the following symbols and notation defined in ISO/IEC 10118-1:
H hash-code.
IV initializing value.
L_X length (in bits) of a bit-string X.
This part of ISO/IEC 9797 makes use of the following symbols and notation defined in ISO/IEC 10118-3:
C_i, C'_i constant words used in the round-functions.
L_1 the length (in bits) of the first of the two input strings to the round-function φ.
L_2 the length (in bits) of the second of the two input strings to the round-function φ, of the output string from the round-function φ, and of IV.
w the length (in bits) of a word; w is 32 when using Dedicated Hash-Functions 1, 2, 3, 4 and 8 of ISO/IEC 10118-3, and w is 64 when using Dedicated Hash-Functions 5 and 6 of ISO/IEC 10118-3.
φ a round-function, i.e. if X and Y are bit-strings of lengths L_1 and L_2 respectively, then φ(X,Y) is the string obtained by applying φ to X and Y.
Ψ the modulo 2^w addition operation, where w is the number of bits in a word. So, if A and B are words, then AΨB is the word obtained by treating A and B as the binary representations of integers and computing their sum modulo 2^w, and the result is constrained to lie between 0 and 2^w - 1 inclusive. The value of w is 32 in Dedicated Hash-Functions 1, 2, 3, 4 and 8, and 64 in Dedicated Hash-Functions 5 and 6.
5 Requirements
Users who wish to employ a MAC algorithm from this part of ISO/IEC 9797 shall select:
• a MAC algorithm from amongst those specified in Clauses 6, 7, and 8;
• a dedicated hash-function from the functions specified in ISO/IEC 10118-3; and
• the length (in bits) m of the MAC.
NOTE 1 The use of MAC Algorithms 1 and 3 with Dedicated Hash-Function 7 of ISO/IEC 10118-3 is not specified in this
part of ISO/IEC 9797.
Agreement on these choices amongst the users is essential for use of the data integrity mechanism.
The key K used in a MAC algorithm shall have entropy that meets or exceeds the security strength to be
provided by the MAC algorithm.
NOTE 2 In every case, the MAC algorithm key K shall be chosen such that every possible key is approximately equally
likely to be selected.
For MAC Algorithms 1 and 2, the length m of the MAC shall be a positive integer less than or equal to the length of the hash-code L_H. For MAC Algorithm 3, the length m of the MAC shall be a positive integer less than or equal to half the length of the hash-code, i.e., m ≤ L_H/2.
For MAC Algorithms 1 and 2, the length in bits of the input data string D shall be at most 2 - 1 when using
Dedicated Hash-Functions 1, 2, 3, 4 and 8, and at most 2 – 1 when using Dedicated Hash-Functions 5 and
6. For MAC Algorithm 2, it shall be at most 2 – 1 when using Dedicated Hash-Function 7. For MAC
Algorithm 3, it shall be at most 256.
The selection of a specific MAC algorithm, dedicated hash-function, and value for m is beyond the scope of
this part of ISO/IEC 9797.
NOTE 3 These choices affect the security level of the MAC algorithm. For a detailed discussion, see Annex C.
The key used for calculating and verifying the MAC shall be the same. If the input data string is also being
enciphered, the key used for the calculation of the MAC shall be different from that used for encipherment.
NOTE 4 It is considered to be good cryptographic practice to have independent keys for confidentiality and for data
integrity.
6 MAC Algorithm 1
NOTE 1 This clause contains a description of MDx-MAC [9] with Dedicated Hash-Functions 1 – 6 and 8. Table 1 shows
the commonly known names of MDx-MAC with individual dedicated hash-functions.
Table 1 – The MDx-MAC algorithm with different Dedicated Hash-Functions
Dedicated Hash-Function | The MDx-MAC algorithm is also known as
Dedicated Hash-Function 1 | RIPEMD-160-MAC
Dedicated Hash-Function 2 | RIPEMD-128-MAC
Dedicated Hash-Function 3 | SHA-1-MAC
Dedicated Hash-Function 4 | SHA-256-MAC
Dedicated Hash-Function 5 | SHA-512-MAC
Dedicated Hash-Function 6 | SHA-384-MAC
Dedicated Hash-Function 8 | SHA-224-MAC
NOTE 2 The use of MAC Algorithm 1 with Dedicated Hash-Function 7 of ISO/IEC 10118-3 is not specified in this part of
ISO/IEC 9797.
MAC Algorithm 1 requires one application of the hash-function to compute a MAC value, but requires that the
constants in the corresponding round-function are modified.
The hash-function shall be selected from Dedicated Hash-Functions 1 – 6 from ISO/IEC 10118-3:2004, and
Dedicated Hash-Function 8 from ISO/IEC 10118-3:2004/Amd.1:2006.
The bit length of the key k shall be at most 128 bits.
6.1 Description of MAC Algorithm 1
MAC algorithm 1 involves the following five steps: key expansion, modification of the constants and the IV,
hashing operation, output transformation, and truncation.
6.1.1 Step 1 (key expansion)
If K is shorter than 128 bits, concatenate K to itself ⎡128/K⎤ times and select the leftmost 128 bits of the result
to form the 128-bit key K' (if the length (in bits) of K is equal to 128, K' := K):
K' := 128 ~ (K || K || … || K).
Compute the subkeys K_0, K_1, and K_2 as follows:
K_0 := h(K' || U_0 || K')
K_1 := 128 ~ h(K' || U_1 || K'), when using Dedicated Hash-Functions 1, 2 and 3
K_1 := 256 ~ h(K' || U_1 || K'), when using Dedicated Hash-Functions 4, 5, 6 and 8
K_2 := 128 ~ h(K' || U_2 || K').
Here U_0, U_1, and U_2 are 768-bit constants that are defined in Clause 6.3, and h denotes a simplified hash-function h, i.e., without the padding and length appending, and without truncating the round-function output (L_2 bits) to its left-most L_H bits.
NOTE 1 Padding and length appending are omitted because in this case the length of the input string is either L_1 bits or 2L_1 bits.
NOTE 2 Truncation is omitted because in this case the length of K_0 is always L_2 bits, which is at least L_H.
When using Dedicated Hash-Functions 1, 2, 3, 5 and 6, the derived key K_1 is split into four words denoted by K_1[i] (0 ≤ i ≤ 3), i.e.
K_1 = K_1[0] || K_1[1] || K_1[2] || K_1[3].
When using Dedicated Hash-Functions 4 and 8, the derived key K_1 is split into eight words denoted by K_1[i] (0 ≤ i ≤ 7), i.e.
K_1 = K_1[0] || K_1[1] || K_1[2] || K_1[3] || K_1[4] || K_1[5] || K_1[6] || K_1[7].
For the conversion of a string into words, a byte ordering convention is required. The byte ordering convention
for this conversion is that which is defined for the selected dedicated hash-function in ISO/IEC 10118-3.
6.1.2 Step 2 (modification of the constants and the IV)
When using Dedicated Hash-Functions 1, 2, 3, 4, 5, 6 and 8, the additive constants used in the round-function are modified by the addition mod 2^w of a word of K_1, e.g.,
C_0 := C_0 Ψ K_1[0].
Clause 6.3 indicates which word of K_1 is added to each constant.
The initial value IV of the hash function is replaced by IV' := K_0. The function resulting from the changes in this step is denoted by h', and its round-function is denoted by φ'.
6.1.3 Step 3 (hashing operation)
The string which is input to the modified hash-function h' is equal to the input data string D, i.e.
H' := h' (D).
6.1.4 Step 4 (output transformation)
The modified round-function φ' is applied one additional time, with first input the string KT (defined below) and
second input the string H' (the result of Step 3) i.e.
H'' := φ' (KT, H' ).
For Dedicated Hash-Functions 1, 2, 3, 4 and 8,
KT = K_2 || (K_2 ⊕ T_0) || (K_2 ⊕ T_1) || (K_2 ⊕ T_2).
For Dedicated Hash-Functions 5 and 6,
KT = K_2 || (K_2 ⊕ T_0) || (K_2 ⊕ T_1) || (K_2 ⊕ T_2) || K_2 || (K_2 ⊕ T_0) || (K_2 ⊕ T_1) || (K_2 ⊕ T_2).
Here T_0, T_1, and T_2 are 128-bit strings defined in Clause 6.3 for each dedicated hash-function.
NOTE The output transformation corresponds to processing an additional data block derived from K after padding and
appending of the length field.
6.1.5 Step 5 (truncation)
The MAC of m bits is derived by taking the leftmost m bits of the string H'', i.e.
MAC := m ~ H''.
6.2 Efficiency
If the padded data string (where the padding algorithm depends on the selected hash-function) contains q
blocks, then MAC Algorithm 1 requires q + 7 applications of the round-function.
This can be reduced to q + 1 applications of the round-function by pre-computing the values K_0, K_1 and K_2, and by replacing the initial value IV by IV' in the application of the hash-function. It is recommended to make this modification to the code of the hash-function together with the mandatory modification required for Step 2.
For long input strings, MAC Algorithm 1 has a performance which is comparable to that of the hash-function
used.
6.3 Computation of the constants
The constants described in this clause are used in MAC Algorithms 1 and 3. MAC Algorithm 3 is specified in
Clause 8.
The strings T_i and U_i (0 ≤ i ≤ 2) are fixed elements in the description of the MAC algorithm. They are computed (only once) using the hash-function; they are different for each of the seven hash-functions.
The 128-bit constants T_i and 768-bit constants U_i are defined as follows. The definition of T_i involves the 496-bit constant R = "ab…yzAB…YZ01…89" and 16-bit constants S_0, S_1, S_2, where S_i is the 16-bit string formed by repeating twice the 8-bit representation of i (e.g., the hexadecimal representation of S_1 is 3131). In both cases ASCII coding is used; this is equivalent to coding using ISO/IEC 646:1991.
For i := 0 to 2
T_i := 128 ~ h(S_i || R) for Dedicated Hash-Functions 1, 2, 3, 4 and 8;
T_i := 128 ~ h(S_i || R || 0^512) for Dedicated Hash-Functions 5 and 6, where 0^512 is 512 bits of '0'.
For i := 0 to 2
U_i := T_i || T_{i+1} || T_{i+2} || T_i || T_{i+1} || T_{i+2}
where the subscripts in T_i are taken modulo 3.
In Dedicated Hash-Functions 1, 2, 3, 4, 5, 6 and 8, for all constants C_i, C'_i and all words K_1[i] the most significant bit corresponds to the left-most bit. The constants C_i and C'_i are presented using a hexadecimal representation.
6.3.1 Dedicated Hash-Function 1 (RIPEMD-160)
The 128-bit constant strings T_i for Dedicated Hash-Function 1 are defined as follows (in hexadecimal representation):
T_0 = 1CC7086A046AFA22353AE88F3D3DACEB
T_1 = E3FA02710E491D851151CC34E4718D41
T_2 = 93987557C07B8102BA592949EB638F37
Two sequences of constant words C_0, C_1, …, C_79 and C'_0, C'_1, …, C'_79 are used in the round-function of Dedicated Hash-Function 1. They are defined as follows:
C_i = K_1[0] Ψ 00000000, (0 ≤ i ≤ 15),
C_i = K_1[1] Ψ 5A827999, (16 ≤ i ≤ 31),
C_i = K_1[2] Ψ 6ED9EBA1, (32 ≤ i ≤ 47),
C_i = K_1[3] Ψ 8F1BBCDC, (48 ≤ i ≤ 63),
C_i = K_1[0] Ψ A953FD4E, (64 ≤ i ≤ 79),
C'_i = K_1[1] Ψ 50A28BE6, (0 ≤ i ≤ 15),
C'_i = K_1[2] Ψ 5C4DD124, (16 ≤ i ≤ 31),
C'_i = K_1[3] Ψ 6D703EF3, (32 ≤ i ≤ 47),
C'_i = K_1[0] Ψ 7A6D76E9, (48 ≤ i ≤ 63),
C'_i = K_1[1] Ψ 00000000, (64 ≤ i ≤ 79).
6.3.2 Dedicated Hash-Function 2 (RIPEMD-128)
The 128-bit constant strings T_i for Dedicated Hash-Function 2 are defined as follows (in hexadecimal
representation):
T_0 = FD7EC18964C36D53FC18C31B72112AAC
T_1 = 2538B78EC0E273949EE4C4457A77525C
T_2 = F5C93ED85BD65F609A7EB182A85BA181
Two sequences of constant words C_0, C_1, …, C_63 and C'_0, C'_1, …, C'_63 are used in the round-function of
Dedicated Hash-Function 2. They are defined as follows:
C_i = K_1[0] Ψ 00000000, (0 ≤ i ≤ 15),
C_i = K_1[1] Ψ 5A827999, (16 ≤ i ≤ 31),
C_i = K_1[2] Ψ 6ED9EBA1, (32 ≤ i ≤ 47),
C_i = K_1[3] Ψ 8F1BBCDC, (48 ≤ i ≤ 63),
C'_i = K_1[0] Ψ 50A28BE6, (0 ≤ i ≤ 15),
C'_i = K_1[1] Ψ 5C4DD124, (16 ≤ i ≤ 31),
C'_i = K_1[2] Ψ 6D703EF3, (32 ≤ i ≤ 47),
C'_i = K_1[3] Ψ 00000000, (48 ≤ i ≤ 63).
6.3.3 Dedicated Hash-Function 3 (SHA-1)
The 128-bit constant strings T_i for Dedicated Hash-Function 3 are defined as follows (in hexadecimal
representation):
T_0 = 1D4CA39FA40417E2AE5A77B49067BBCC
T_1 = 9318AFEF5D5A5B46EFCA6BEC0E138940
T_2 = 4544209656E14F97005DAC76868E97A3
A sequence of constant words C_0, C_1, …, C_79 is used in the round-function of Dedicated Hash-Function 3. It is
defined as follows:
C_i = K_1[0] Ψ 5A827999, (0 ≤ i ≤ 19),
C_i = K_1[1] Ψ 6ED9EBA1, (20 ≤ i ≤ 39),
C_i = K_1[2] Ψ 8F1BBCDC, (40 ≤ i ≤ 59),
C_i = K_1[3] Ψ CA62C1D6, (60 ≤ i ≤ 79).
6.3.4 Dedicated Hash-Function 4 (SHA-256)
The 128-bit constant strings T_i for Dedicated Hash-Function 4 are computed as follows (where h is the
simplified version of Dedicated Hash-Function 4 defined in Clause 6.1.1):
T_0 = 128 ~ h(S_0 || R),
T_1 = 128 ~ h(S_1 || R),
T_2 = 128 ~ h(S_2 || R).
A sequence of constant words C_0, C_1, …, C_63 is used in the round-function of Dedicated Hash-Function 4. It is
defined as follows:
C_i = K_1[i mod 8] Ψ C''_i (0 ≤ i ≤ 63),
where the sequence C''_0, C''_1, …, C''_63 in a hexadecimal representation (where the most significant bit
corresponds to the left-most bit) is defined as follows, where the words are listed in the order C''_0, C''_1, …, C''_63.
NOTE These values are the first thirty-two bits of the fractional parts of the cube roots of the first sixty-four primes.
They are the constant sequence used in SHA-256.
6.3.5 Dedicated Hash-Function 5 (SHA-512)
The 128-bit constant strings T_i for Dedicated Hash-Function 5 are computed as follows (where h is the
simplified version of Dedicated Hash-Function 5 defined in Clause 6.1.1):
T_0 = 85f6e8b28ba014ed11d076ead90412a5
T_1 = 33a6da6c7aaaf2149104fe4183152828
T_2 = 7682094a7e45cf6bf27d19c2c7d6cf77
A sequence of constant words C_0, C_1, …, C_79 is used in the round-function of Dedicated Hash-Function 5. It is
defined as follows:
C_i = K_1[i mod 4] Ψ C''_i (0 ≤ i ≤ 79),
where the sequence C''_0, C''_1, …, C''_79 in a hexadecimal representation (where the most significant bit
corresponds to the left-most bit) is defined as follows, where the words are listed in the order C''_0, C''_1, …, C''_79.
NOTE These values are the first sixty-four bits of the fractional parts of the cube roots of the first eighty primes. They
are the constant sequence used in SHA-512.
6.3.6 Dedicated Hash-Function 6 (SHA-384)
The 128-bit constant strings T_i for Dedicated Hash-Function 6 are computed as follows (where h is the
simplified version of Dedicated Hash-Function 6 defined in Clause 6.1.1):
T_0 = 33bfc7a7db2d833c1fa120f248ea0c68
T_1 = 0f53e26170ddedf90aa666a58accf8c4
T_2 = f9371fddd155caefbd989e1270066c7c
A sequence of constant words C_0, C_1, …, C_79 is used in the round-function of Dedicated Hash-Function 6. It is
defined as follows:
C_i = K_1[i mod 4] Ψ C''_i (0 ≤ i ≤ 79),
where the sequence C''_0, C''_1, …, C''_79 is the same as that for Dedicated Hash-Function 5 of Clause 6.3.5.
6.3.7 Dedicated Hash-Function 8 (SHA-224)
The 128-bit constant strings T_i for Dedicated Hash-Function 8 are computed as follows (where h is the
simplified version of Dedicated Hash-Function 8 defined in Clause 6.1.1):
T_0 = 128 ~ h(S_0 || R),
T_1 = 128 ~ h(S_1 || R),
T_2 = 128 ~ h(S_2 || R).
A sequence of constant words C_0, C_1, …, C_63 is used in the round-function of Dedicated Hash-Function 6. It is
defined as follows:
C_i = K_1[i mod 8] Ψ C''_i (0 ≤ i ≤ 63),
where the sequence C''_0, C''_1, …, C''_63 is the same as that for Dedicated Hash-Function 4 of Clause 6.3.4.
7 MAC Algorithm 2
NOTE 1 This clause contains a description of HMAC [7].
MAC Algorithm 2 requires two applications of a hash-function to compute a MAC value.
The hash-function shall be selected from ISO/IEC 10118-3, with the requirement that L_1 is a positive integer
multiple of 8 and that L_2 ≤ L_1.
NOTE 2 Dedicated Hash-Functions 1 – 7 in ISO/IEC 10118-3:2004 and Dedicated Hash-Function 8 in
ISO/IEC 10118-3/Amd1:2006 satisfy these conditions.
The key size k in bits shall be at least L_2, where L_2 is the size of the hash-code in bits, and at most L_1 bits,
where L_1 is the size of the data input of the round-function in bits, i.e., L_2 ≤ k ≤ L_1.
7.1 Description of MAC Algorithm 2
MAC algorithm 2 requires the following four steps: key expansion, hashing operation, output transformation,
and truncation.
7.1.1 Step 1 (key expansion)
Append (L_1 - k) zero bits to the right of the key K; the resulting string of length L_1 is denoted by K.
The key K is expanded to create two subkeys K_1 and K_2:
• Define the string IPAD as the concatenation of L_1/8 copies of the hexadecimal value '36' (or the binary
value '00110110'). Then compute the value K_1 as the exclusive-or of K and the string IPAD, i.e.
K_1 := K ⊕ IPAD.
• Define the string OPAD as the concatenation of L_1/8 copies of the hexadecimal value '5C' (or the binary
value '01011100'). Then compute the value K_2 as the exclusive-or of K and the string OPAD, i.e.
K_2 := K ⊕ OPAD.
7.1.2 Step 2 (hashing operation)
The string input to the hash-function is equal to the concatenation of K_1 and D, i.e.
H' := h(K_1 || D).
7.1.3 Step 3 (output transformation)
The string input to the hash-function is equal to the concatenation of K_2 and H', i.e.
H'' := h(K_2 || H').
7.1.4 Step 4 (truncation)
The MAC of m bits is derived by taking the leftmost m bits of the string H'', i.e.
MAC := m ~ H''.
7.2 Efficiency
If the padded data string (where the padding algorithm is specific to the chosen hash-function) contains q
blocks, then MAC Algorithm 2 requires q + 3 applications of the round-function.
This can be reduced to q + 1 applications of the round-function by modifying the code for the hash-function.
One can pre-compute the values IV_1 := φ(K_1, IV) and IV_2 := φ(K_2, IV) and replace the initial value IV by IV_1 in
the first application of the hash-function, and by IV_2 in the output transformation (the second application of the
hash-function). This also requires a modification of the padding method: indeed, the actual input to the
hash-function is now L_1 bits shorter; this means that the value L_1 has to be added to the value L_D.
For long input strings, MAC Algorithm 2 has a performance comparable to that of the hash-function used.
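Steps 1 to 4 of Clause 7.1 together with the pre-computation of Clause 7.2, as an added Python example that is not part of the standard's text. The class and method names are hypothetical, m is restricted to a multiple of 8 for simplicity, and hashlib's copy() of the state after absorbing a subkey block stands in for the pre-computed IV_1 and IV_2.

```python
import hashlib
import hmac


class IsoHmac:
    """MAC Algorithm 2 (HMAC) following Clause 7, keyed once and reused."""

    def __init__(self, key: bytes, hash_name: str = "sha256", m: int = 128):
        probe = hashlib.new(hash_name)
        l1 = probe.block_size * 8    # L_1: round-function data input, in bits
        l2 = probe.digest_size * 8   # L_2: hash-code size, in bits
        k = len(key) * 8
        # Clause 7 requires L_2 <= k <= L_1; short or over-long keys are rejected.
        if not l2 <= k <= l1:
            raise ValueError(f"key must be {l2}..{l1} bits, got {k}")
        if m % 8 or not 0 < m <= l2:
            raise ValueError("m must be a multiple of 8 with 0 < m <= L_2")
        self._m_bytes = m // 8
        # Step 1: append (L_1 - k) zero bits, then XOR with IPAD and OPAD.
        padded = key.ljust(l1 // 8, b"\x00")
        k1 = bytes(b ^ 0x36 for b in padded)
        k2 = bytes(b ^ 0x5C for b in padded)
        # Clause 7.2: absorb each subkey block once. The saved states play the
        # role of IV_1 and IV_2, and their length counters already include L_1.
        self._inner = hashlib.new(hash_name, k1)
        self._outer = hashlib.new(hash_name, k2)

    def mac(self, data: bytes) -> bytes:
        inner = self._inner.copy()
        inner.update(data)                       # Step 2: H' = h(K_1 || D)
        outer = self._outer.copy()
        outer.update(inner.digest())             # Step 3: H'' = h(K_2 || H')
        return outer.digest()[: self._m_bytes]   # Step 4: MAC = m ~ H''

    def verify(self, data: bytes, tag: bytes) -> bool:
        # Constant-time comparison so a mismatch position is not leaked.
        return hmac.compare_digest(self.mac(data), tag)
```

For keys inside the L_2 ≤ k ≤ L_1 range the result equals the leftmost m bits of the HMAC computed by Python's own hmac module.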
8 MAC Algorithm 3
NOTE This clause contains a variant of MAC Algorithm 1 that is optimized for short inputs (at most 256 bits).
MAC Algorithm 3 requires seven applications of the simplified round-function to compute a MAC value, but
this can be reduced to a single application of this round-function by performing certain pre-computations.
The hash-function shall be selected from Dedicated Hash-Functions 1 – 6 from ISO/IEC 10118-3:2004 and
Dedicated Hash-Function 8 from ISO/IEC 10118-3/Amd1:2006.
The key size k in bits shall be at most 128 bits, and the MAC length m in bits shall be at most L_H/2.
8.1 Description of MAC Algorithm 3
MAC algorithm 3 requires the following five steps: key expansion, modification of the constants of the round-
function, padding, application of the round-function, and truncation.
8.1.1 Step 1 (key expansion)
If K is shorter than 128 bits, concatenate K to itself a sufficient number of times and select the leftmost 128
bits to form the 128-bit key K' (if the length (in bits) of K is equal to 128, K' := K):
K' := 128 ~ (K || K || … || K).
Compute the subkeys K_0, K_1, and K_2 as follows:
K_0 := h(K' || U_0 || K')
K_1 := 128 ~ h(K' || U_1 || K'), when using Dedicated Hash-Functions 1, 2 and 3
K_1 := 256 ~ h(K' || U_1 || K'), when using Dedicated Hash-Functions 4, 5, 6 and 8
K_2 := 128 ~ h(K' || U_2 || K')
Here U_0, U_1 and U_2 are 768-bit constants that are defined in Clause 6.3, and h denotes the hash-function h
without the padding and length appending, and without truncating the round-function output (L_2 bits) to its
left-most L_H.
NOTE 1 Padding and length appending are omitted because in this case the length of the input string is either L_1 bits
or 2L_1 bits.
NOTE 2 Truncation is omitted because in this case the length of K_0 is always L_2 bits, which is ≥ L_H.
When using Dedicated Hash-Functions 1, 2, 3, 5 and 6, the derived key K_1 is split into four words denoted
K_1[i] (0 ≤ i ≤ 3), i.e.
K_1 = K_1[0] || K_1[1] || K_1[2] || K_1[3].
When using Dedicated Hash-Functions 4 and 8, the derived key K_1 is split into eight words denoted K_1[i]
(0 ≤ i ≤ 7), i.e.
K_1 = K_1[0] || K_1[1] || K_1[2] || K_1[3] || K_1[4] || K_1[5] || K_1[6] || K_1[7].
For conversion of a string into words, a byte ordering convention is required. The byte ordering convention for
this conversion is that which is defined for each dedicated hash-function in ISO/IEC 10118-3.
8.1.2 Step 2 (modification of the constants and the IV)
When using Dedicated Hash-Functions 1, 2, 3, 4, 5, 6 and 8, the additive constants used in the round-function
are modified by the addition mod 2^w of a word of K_1, e.g.,
C_0 := C_0 Ψ K_1[0].
Clause 6.3 indicates which word of K_1 is added to each constant.
The initial value IV of the hash function is replaced by IV' := K_0. The resulting round-function is denoted by φ'.
8.1.3 Step 3 (padding)
The padding bits that are added to the original data string are only used for calculating the MAC.
Consequently, these padding bits (if any) need not be stored or transmitted with the data. The verifier shall
know whether or not the padding bits have been stored or transmitted.
The data string D to be input to the MAC algorithm shall be right-padded with as few (possibly none) '0' bits as
necessary to obtain a data string D of length 256 bits.
NOTE If the input data string is empty, the padded data string D consists of 256 '0' bits.
8.1.4 Step 4 (application of the round-function)
~
The bit
...







