ISO IEC 10118-2:2010 pdf download – Information technology — Security techniques — Hash-functions — Part 2: Hash-functions using an n-bit block cipher.
6.3 Padding method The selection of the padding method for use with this hash-function is beyond the scope of this part of ISO/IEC 10118. As minimum requirements, the padding method shall output a set of q blocks D 1 , D 2 , …, D q where each block D j is of length n and shall be such that each possible input produces distinct outputs. Examples of padding methods are presented in ISO/IEC 10118-1:2000, Annex A. 6.4 Initializing value The selection of the IV for use with this hash-function is beyond the scope of this part of ISO/IEC 10118. The IV shall be a bit-string of length n and the value of the IV shall be agreed upon and fixed by users of the hash-function. 6.5 Round function Transformation u: Define a mapping u from the ciphertext space. The round function φ combines a padded data block D j (of L 1 = n-bits) with H j-1 , the previous output of the round function (of L 2 = n bits), to yield H j . As part of the round function it is necessary to choose a function u, which transforms an n-bit block into a key for use with the block cipher algorithm E. The selection of the function u for use with this hash-function is outside the scope of this part of ISO/IEC 10118. The round function itself is defined as follows: Set H 0 equal to IV φ (D j , H j-1 ) = E Kj (D j ) ⊕ D j where K j = u (H j-1 ). The round function is shown in Figure 1.
7 Hash-function 2 7.1 General The hash-function specified in this clause provides hash-codes of length L 1 and L 2 where L 1 is equal to n and L 2 is equal to 2n. Some specific definitions that are required to specify hash-function 2 follow. NOTE 1 This hash-function is described in [4]. NOTE 2 In [6], theoretical attacks on hash-function 2 have been reported: a collision attack, with n = 128, which has complexity 2 124.5 , and a preimage attack requiring complexity and space about 2 n . The only reason to keep hash-function 2 in this part of ISO/IEC 10118 is for compatibility with the existing applications. 7.2 Parameter selection The parameters L 1 , L 2 and L H for the hash-function specified in this clause shall satisfy L 1 = n, L 2 = 2n, and L H is less than or equal to 2n. 7.3 Padding method The selection of the padding method for use with this hash-function is beyond the scope of this part of ISO/IEC 10118. As minimum requirements, the padding method shall output a set of q blocks D 1 , D 2 , …, D q where each block D j is of length n and shall be such that each possible input produces distinct outputs. Examples of padding methods are presented in ISO/IEC 10118-1:2000, Annex A. 7.4 Initializing value The selection of the IV (of length 2n) for use with this hash-function is beyond the scope of this part of ISO/IEC 10118. The IV shall be a bit-string of length 2n and the value of the IV shall be agreed upon and fixed by users of the hash-function. However, the IV shall be selected such that u(IV L ) and u’ (IV R ) are different.