ANSI INCITS ISO IEC 10118-2-2000 Information technology - Security techniques - Hash-functions - Part 2 Hash-functions using an n-bit block cipher.pdf

1、Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 8/1/2001Published by American National Standards Institute,25 West 43rd Street, New York, New York 10036Copyright 2003 by Information Technology Industry Council (

2、ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information Technology Industry Council(ITI). Not for resale. No part of thi

3、s publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washington, DC 20005.Printed in the United States of AmericaReference numberISO/I

4、EC 10118-2:2000(E)ISO/IEC 2000INTERNATIONALSTANDARDISO/IEC10118-2Second edition2000-12-15Information technology Securitytechniques Hash-functions Part 2:Hash-functions using an n-bit block cipherTechnologies de linformation Techniques de scurit Fonctions debrouillage Partie 2: Fonctions de brouillag

5、e utilisant un chiffrement par blocs de n bitsISO/IEC 10118-2:2000(E)PDF disclaimerThis PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall notbe edited unless the typefaces which are embedded are licensed to and installed

6、 on the computer performing the editing. In downloading thisfile, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in thisarea.Adobe is a trademark of Adobe Systems Incorporated.Details of the software products used

7、 to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameterswere optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely eventthat a problem relating to it is found, please info

8、rm the Central Secretariat at the address given below. ISO/IEC 2000All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronicor mechanical, including photocopying and microfilm, without permission in writing from

9、 either ISO at the address below or ISOs member bodyin the country of the requester.ISO copyright officeCase postale 56 Gb7 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.chWeb www.iso.chPrinted in Switzerlandii ISO/IEC 2000 All rights reservedISO/IEC 10118-2:2000(E)

10、 ISO/IEC 2000 All rights reserved iiiContents PageForeword.ivIntroduction.v1 Scope 12 Normative references 13 Terms and definitions .14 Symbols and abbreviated terms 15 Use of the general model 26 Hash-function one .26.1 Parameter selection.26.2 Padding method.26.3 Initializing value .26.4 Round-fun

11、ction 26.5 Output transformation.37 Hash-function two .37.1 Parameter selection.37.2 Padding method.37.3 Initializing value .37.4 Round-function 47.5 Output transformation.58 Hash-function three.58.1 General58.2 Parameter selection.58.3 Padding method.58.4 Initializing value .68.5 Round-function 68.

12、6 Output transformation.89 Hash-function four.89.1 General89.2 Parameter selection.89.3 Padding method.89.4 Initializing value .89.5 Round-function 89.6 Output transformation.10Annex A (informative) Use of DEA.11Annex B (informative) Examples .14Bibliography19ISO/IEC 10118-2:2000(E)iv ISO/IEC 2000 A

13、ll rights reservedForewordISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)form the specialized system for worldwide standardization. National bodies that are members of ISO or IECparticipate in the development of International Standards

14、 through technical committees established by therespective organization to deal with particular fields of technical activity. ISO and IEC technical committeescollaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, inliaison with ISO and IEC, al

15、so take part in the work.International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.Draft International Standards adopted by the joint technic

16、al committee are circulated to national bodies for voting.Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.International Standard ISO/IEC 10118-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Informationtechnology, Subcommit

17、tee SC 27, IT Security techniques.This second edition cancels and replaces the first edition (ISO/IEC 10118-2:1994), which has been technicallyrevised to conform to the general model described in ISO/IEC 10118-1, and to add two additional hash-functions.Note, however, that implementations which comp

18、ly with ISO/IEC 10118-2:1994 will be compliant with this edition ofISO/IEC 10118-2.ISO/IEC 10118 consists of the following parts, under the general title Information technology Securitytechniques Hash-functions: Part 1: General Part 2: Hash-functions using an n-bit block cipher Part 3: Dedicated has

19、h-functions Part 4: Hash-functions using modular arithmeticAnnexes A and B of this part of ISO/IEC 10118 are for information only.ISO/IEC 10118-2:2000(E) ISO/IEC 2000 All rights reserved vIntroductionThe International Organization for Standardization (ISO) and the International Electrotechnical Comm

20、ission (IEC)draw attention to the fact that it is claimed that compliance with this part of ISO/IEC 10118 may involve the use of apatent concerning the “Data Authentication Using Modification Detection Codes Based on a Public One WayEncryption Function,” (U.S. Patent 4,908,861 issued 1990-03-13).ISO

21、 and IEC take no position concerning the evidence, validity and scope of this patent right.The holder of this patent right has assured ISO and IEC that he is willing to negotiate licences under reasonableand non-discriminatory terms and conditions with applicants throughout the world. In this respec

22、t, the statement ofthe holder of this patent right is registered with ISO and IEC. Information may be obtained from:Director of LicensingInternational Business Machnies Corporation500 Columbus AvenueThornwood, NY 10594U.S.A.Attention is drawn to the possibility that some of the elements of this part

23、 of ISO/IEC 10118 may be the subject ofpatent rights other than those identified above. ISO and IEC shall not be held responsible for identifying any or allsuch patent rights.INTERNATIONAL STANDARD ISO/IEC 10118-2:2000(E) ISO/IEC 2000 All rights reserved 1Information technology Security techniques H

24、ash-functions Part 2:Hash-functions using an n-bit block cipher1 ScopeThis part of ISO/IEC 10118 specifies hash-functions which make use of an n-bit block cipher algorithm. They aretherefore suitable for an environment in which such an algorithm is already implemented.Four hash-functions are specifi

25、ed. The first provides hash-codes of length smaller than or equal to n,wheren is theblock-length of the algorithm used. The second provides hash-codes of length less than or equal to 2n;thethirdprovides hash-codes of length equal to 2n; and the fourth provides hash-codes of length 3n. All four of th

26、e hash-functions specified in this part of ISO/IEC 10118 conform to the general model specified in ISO/IEC 10118-1.2 Normative referencesThe following normative documents contain provisions which, through reference in this text, constitute provisions ofthis part of ISO/IEC 10118. For dated reference

27、s, subsequent amendments to, or revisions of, any of thesepublications do not apply. However, parties to agreements based on this part of ISO/IEC 10118 are encouraged toinvestigate the possibility of applying the most recent editions of the normative documents indicated below. Forundated references,

28、 the latest edition of the normative document referred to applies. Members of ISO and IECmaintain registers of currently valid International Standards.ISO/IEC 10116:1997, Information technology Security techniques Modes of operation for an n-bit block cipher.ISO/IEC 10118-1:2000, Information technol

29、ogy Security techniques Hash-functions Part 1: General.3 Terms and definitionsFor the purposes of this part of ISO/IEC 10118, the terms and definitions given in ISO/IEC 10118-1 and thefollowing apply.3.1n-bit block ciphera block cipher with the property that plaintext blocks and ciphertext blocks ar

30、e n bits in length (see ISO/IEC 10116)4 Symbols and abbreviated termsFor the purposes of this part of ISO/IEC 10118, the symbols and abbreviations given in ISO/IEC 10118-1 and thefollowing apply:en-bit block cipher algorithm (see ISO/IEC 10116)K Key for the algorithm e (see ISO/IEC 10116)ISO/IEC 101

31、18-2:2000(E)2 ISO/IEC 2000 All rights reservedeK(P) Operation of encipherment using the algorithm e and the key K (see ISO/IEC 10116) on plaintext Pu or uGa2 Transformation of one n-bit block into a key for the algorithm eBLWhen n is even, the string composed of the n/2 leftmost bits of the block B.

32、 When n is odd, the stringcomposed of the (n+1)/2 leftmost bits of the block BBRWhen n is even, the string composed of the n/2 rightmost bits of the block B. When n is odd, the stringcomposed of the (n-1)/2 rightmost bits of the block BBxWhen B is a string of nm-bit blocks, Bxrepresents the x-th m-b

33、it block of BBx-yWhen B is a string of nm-bit blocks, Bx-yrepresents the x-th through the y-th m-bit blocks of B5 Use of the general modelThe hash-functions specified in the next four clauses provide hash-codes H of length LH. The hash-functionconforms to the general model specified in ISO/IEC 10118

34、-1. For each of the four hash-functions that follow, it istherefore only necessary to specify:Gbe the parameters L1, L2;Gbe the padding method;Gbe the initializing value IV;Gbe the round-function G66;Gbe the output transformation T.The use of a hash-function defined using the general model will also

35、 require the selection of the parameter LH.6 Hash-function one6.1 Parameter selectionThe parameters L1and L2and LHfor the hash-function specified in this clause shall satisfy L1= L2= n,andLHisless than or equal to n.6.2 Padding methodThe selection of the padding method for use with this hash-functio

36、n is beyond the scope of this part ofISO/IEC 10118. Examples of padding methods are presented in annex A of ISO/IEC 10118-1:2000.6.3 Initializing valueThe selection of the IV for use with this hash-function is beyond the scope of this part of ISO/IEC 10118. The valueof the IV shall be agreed upon an

37、d fixed by the users of the hash-function.6.4 Round-functionThe round-function G66 combines a padded data block Di(of L1= n-bits) with Hi-1, the previous output of the round-function (of L2= n bits), to yield Hi. As part of the round-function it is necessary to choose a function u,whichtransforms an

38、 n-bit block into a key for use with the block cipher algorithm e. The selection of the function u for usewith this hash-function is outside the scope of this part of ISO/IEC 10118 (see annex A for guidance).ISO/IEC 10118-2:2000(E) ISO/IEC 2000 All rights reserved 3The round-function itself is defin

39、ed as follows:G66 (Dj, Hj-1)=eKj(Dj) Gc5 Djwhere Kj= u (Hj-1). The round-function is shown in Figure 1.Figure 1 Round-function of hash-function one6.5 Output transformationThe output transformation T is simply truncation, i.e., the hash-code H is derived by taking the leftmost LHbits ofthe final out

40、put block Hq.7 Hash-function two7.1 Parameter selectionThe parameters L1and L2and LHfor the hash-function specified in this clause shall satisfy L1= n, L2=2n, and LHisless than or equal to 2n.7.2 Padding methodThe selection of the padding method for use with this hash-function is beyond the scope of

41、 this part ofISO/IEC 10118. Examples of padding methods are presented in annex A of ISO/IEC 10118-1:2000.7.3 Initializing valueThe selection of the IV (of length 2n) for use with this hash-function is beyond the scope of this part ofISO/IEC 10118. The value of the IV shall be agreed upon and fixed b

42、y the users of the hash-function. However, theIV shall be selected such that u(IVL) and u(IVR) are different.euHj-1KjDjHjISO/IEC 10118-2:2000(E)4 ISO/IEC 2000 All rights reserved7.4 Round-functionThe round-function G66 combines a padded data block Di(of L1= n bits) with Hi-1, the previous output of

43、the round-function (of L2=2n bits), to yield Hi. As part of the round-function it is necessary to choose two transformations uand uGa2.These transformations are used to transform an output block into two suitable LKbit keys for the algorithm e.The specification of u and uGa2 is beyond the scope of t

44、his part of ISO/IEC 10118. However, it should be taken intoconsideration that the selection of u and uGa2 is important for the security of the hash-function (see annex A).Set H0Land H0Requal to IVLand IVRrespectively. The output blocks are calculated iteratively in the following way,for j =1toq:G66

45、(Dj, Hj-1)=HjKjL= u(Hj-1L)andKjR= uGa2 (Hj-1R)Bj= eKjL(Dj) Gc5 Dj, and B Ga2j= eKjR(Dj) Gc5 DjHjL= BjL| B Ga2jRand HjR=B Ga2jL| BjRThe round-function is shown in Figure 2.Figure 2 Round-function of hash-function twoHjHj-1RHj-1LHj-1Re eBjLBjRBjLBGa2jRB Ga2jLB Ga2jRBGa2jLBjRuuGa2Hj-1LKjLDjKjRHj-1HjLHj

46、RISO/IEC 10118-2:2000(E) ISO/IEC 2000 All rights reserved 57.5 Output transformationIf LHis even, the hash-code is the concatenation of the LH/2 leftmost bits of HqLand the LH/2 leftmost bits of HqR.IfLHis odd, the hash-code is the concatenation of the (LH+1)/2 leftmost bits of HqLand the (LH-1)/2 l

47、eftmost bits ofHqR.8 Hash-function threeThe hash-function specified in this clause provides hash-codes of length LH, where LHis equal to 2n for evenvalues of n.8.1 GeneralSome specific definitions that are required to specify hash-function three follow.Transformation u:Define r mappings u1, u2, , ur

48、from the ciphertext space to the key space, such that,For all i, j from the set 1,2,r, j Gb9 i, ui(C) Gb9 uj(C) for all values of C.This can be achieved by fixing specific key bits: e.g., if r = 8 one can fix three key bits to the values 000, 001, .,111. Additional conditions might be imposed upon t

49、he mappings ui, for example, to avoid the problems related toweak keys or complementation properties of the block cipher.Function fi:Define the r functions fias follows:fi(X,Y)=eui(X)(Y) Gc5 Y,1Ga3 i Ga3 r.Linear mapping G62:Define the linear mapping G62 that takes as input a 2n-bit string X = x0|x1|x2|x3and maps it to a 2n-bit string Y =y0|y1|y2|y3as follows:y0:= x0Gc5 x3y1:= x0Gc5 x1Gc5 x3y2:= x1Gc5 x2y3:= x2Gc5 x3Here xiand yjare n/2 bit strings.8.2 Parameter selectionThe parameters L1and L2and LHfor t