ISO/IEC 9797-2:2021

INTERNATIONAL ISO/IEC
STANDARD 9797-2
Third edition
2021-06
Information security — Message
authentication codes (MACs) —
Part 2:
Mechanisms using a dedicated hash-
function
Sécurité de l'information — Codes d'authentication de message
(MAC) —
Partie 2: Mécanismes utilisant une fonction de hachage dédiée
Reference number
©
ISO/IEC 2021
© ISO/IEC 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2021 – All rights reserved

Contents Page
Foreword .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and notation . 3
5 Requirements . 5
6 MAC Algorithm 1 . 6
6.1 General . 6
6.2 Description of MAC Algorithm 1 . 7
6.2.1 General. 7
6.2.2 Step 1 (key expansion) . 7
6.2.3 Step 2 (modification of the constants and the IV) . 7
6.2.4 Step 3 (hashing operation) . 8
6.2.5 Step 4 (output transformation) . 8
6.2.6 Step 5 (truncation) . 8
6.3 Efficiency . 8
6.4 Computation of the constants . 8
6.4.1 General. 8
6.4.2 Dedicated hash-function 1 (RIPEMD-160). 9
6.4.3 Dedicated hash-function 2 (RIPEMD-128). 9
6.4.4 Dedicated hash-function 3 (SHA-1) .10
6.4.5 Dedicated hash-function 4 (SHA-256) .10
6.4.6 Dedicated hash-function 5 (SHA-512) .10
6.4.7 Dedicated hash-function 6 (SHA-384) .11
6.4.8 Dedicated hash-function 8 (SHA-224) .11
6.4.9 Dedicated hash-function 17 (SM3) .12
7 MAC Algorithm 2 .12
7.1 General .12
7.2 Description of MAC Algorithm 2 .12
7.2.1 General.12
7.2.2 Step 1 (key expansion) .13
7.2.3 Step 2 (hashing operation) .13
7.2.4 Step 3 (output transformation) .13
7.2.5 Step 4 (truncation) .13
7.3 Efficiency .13
8 MAC Algorithm 3 .13
8.1 General .13
8.2 Description of MAC Algorithm 3 .14
8.2.1 General.14
8.2.2 Step 1 (key expansion) .14
8.2.3 Step 2 (modification of the constants and the IV) .14
8.2.4 Step 3 (padding) .15
8.2.5 Step 4 (application of the round-function) .15
8.2.6 Step 5 (truncation) .15
8.3 Efficiency .15
9 MAC Algorithm 4 .15
9.1 General .15
9.2 Description of MAC Algorithm 4 .16
9.3 Encoding and padding .16
9.3.1 Integer to byte encoding .16
9.3.2 String encoding .17
© ISO/IEC 2021 – All rights reserved iii

9.3.3 Padding .17
9.4 KMAC128 .18
9.4.1 General.18
9.4.2 Step 1 (Prepare newD) .18
9.4.3 Step 2 (Prepare X) . .18
9.4.4 Step 3 (Generate MAC output) .18
9.5 KMAC256 .18
9.5.1 General.18
9.5.2 Step 1 (Prepare newD) .18
9.5.3 Step 2 (Prepare X) . .19
9.5.4 Step 3 (Generate MAC output) .19
9.6 KMACXOF128 .19
9.6.1 General.19
9.6.2 Step 1 (Prepare newD) .19
9.6.3 Step 2 (Prepare X) . .19
9.6.4 Step 3 (Generate MAC output) .20
9.7 KMACXOF256 .20
9.7.1 General.20
9.7.2 Step 1 (Prepare newD) .20
9.7.3 Step 2 (Prepare X) . .20
9.7.4 Step 3 (Generate MAC output) .20
Annex A (normative) Object identifiers .21
Annex B (informative) Numerical examples .23
Annex C (informative) Security analysis of the MAC algorithms .50
Bibliography .52
iv © ISO/IEC 2021 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives or www .iec .ch/ members
_experts/ refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC
list of patent declarations received (see patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/
iso/ foreword .html. In the IEC, see www .iec .ch/ understanding -standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, SC 27,
Information security, cybersecurity and privacy protection.
This third edition cancels and replaces the second edition (ISO/IEC 9797-2:2011), which has been
technically revised.
The main changes compared to the previous edition are as follows:
— Using dedicated hash-function 17 for MAC Algorithms 1 and 3 has been added;
— Using dedicated hash-functions 11, 12, 13 to 16, and 17 for MAC Algorithm 2 has been added;
— MAC Algorithm 4 based on Keccak, a primitive in the definition of dedicated hash-functions 13 to 16
has been added.
A list of all parts in the ISO/IEC 9797 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/ members .html and www .iec .ch/ national
-committees.
© ISO/IEC 2021 – All rights reserved v

INTERNATIONAL STANDARD ISO/IEC 9797-2:2021(E)
Information security — Message authentication codes
(MACs) —
Part 2:
Mechanisms using a dedicated hash-function
1 Scope
This document specifies MAC algorithms that use a secret key and a hash-function (or its round-
function or sponge function) to calculate an m-bit MAC. These mechanisms can be used as data integrity
mechanisms to verify that data has not been altered in an unauthorized manner.
NOTE A general framework for the provision of integrity services is specified in ISO/IEC 10181-6.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 10118-3, IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
block
bit-string of length L , i.e. the length of the first input to the round-function
[SOURCE: ISO/IEC 10118-3:2018, 3.1]
3.2
entropy
measure of the disorder, randomness or variability in a closed system
Note 1 to entry: The entropy of a random variable X is a mathematical measure of the amount of information
provided by an observation of X.
[SOURCE: ISO/IEC 18031:2011, 3.11]
3.3
input data string
string of bits which is the input to a MAC algorithm
© ISO/IEC 2021 – All rights reserved 1

3.4
hash-code
string of bits which is the output of a hash-function
[SOURCE: ISO/IEC 10118-1:2016, 3.3]
3.5
hash-function
function which maps strings of bits of variable (but usually upper bounded) length to fixed-length
strings of bits, satisfying the following two properties:
— for a given output, it is computationally infeasible to find an input which maps to this output;
— for a given input, it is computationally infeasible to find a second input which maps to the same
output
Note 1 to entry: Computational infeasibility depends on the specific security requirements and environment.
Refer to ISO/IEC 10118-1:2016, Annex C.
[SOURCE: ISO/IEC 10118-1:2016, 3.4, modified — "feasability" in Note 1 to entry changed to
"infeasability".]
3.6
initializing value
value used in defining the starting point of a hash-function
[SOURCE: ISO/IEC 10118-1:2016, 3.5, modified — Note 1 to entry removed]
3.7
MAC algorithm key
key that controls the operation of a MAC algorithm
[SOURCE: ISO/IEC 9797-1:2011, 3.8]
3.8
message authentication code
MAC
string of bits which is the output of a MAC algorithm
[1]
Note 1 to entry: A MAC is sometimes called a cryptographic check value (see for example ISO 7498-2 ).
[SOURCE: ISO/IEC 9797-1:2011, 3.9]
3.9
message authentication code algorithm
MAC algorithm
algorithm for computing a function which maps strings of bits and a secret key to fixed-length strings
of bits, satisfying the following two properties:
— for any key and any input string the function can be computed efficiently;
— for any fixed key, and given no prior knowledge of the key, it is computationally infeasible to compute
the function value on any new input string, even given knowledge of the set of input strings and
corresponding function values, where the value of the ith input string may have been chosen after
observing the value of the first i-1 function values (for integer i > 1)
Note 1 to entry: A MAC algorithm is sometimes called a cryptographic check function (see for example
ISO 7498-2).
Note 2 to entry: Computational infeasibility depends on the user's specific security requirements and
environment.
2 © ISO/IEC 2021 – All rights reserved

[SOURCE: ISO/IEC 9797-1:2011, 3.10 modified — "feasability" in Note 2 to entry changed to
"infeasability".]
3.10
output transformation
function that is applied at the end of the MAC algorithm, before the truncation operation
[SOURCE: ISO/IEC 9797-1:2011, 3.12]
3.11
padding
appending extra bits to a data string
[SOURCE: ISO/IEC 10118-1:2016, 3.7]
3.12
round-function
function ϕ (.,.) that transforms two binary strings of lengths L and L to a binary string of length L
1 2 2
that is used iteratively as part of a hash-function, where it combines a data string of length L with the
previous output of length L or the initializing value
Note 1 to entry: The literature on this subject contains a variety of terms that have the same or similar meaning
as round-function. Compression function and iterative function are some examples.
[SOURCE: ISO/IEC 10118-1:2016, 3.8]
3.13
security strength
number associated with the amount of work required to break a cryptographic algorithm or system
s
and specified in bits such that security strength s bits implies the required number of operations is 2
Note 1 to entry: Computationally infeasible in 3.2, 3.6 and 3.10 implies the security strength is at least 112 bits.
Refer to ISO/IEC 10118-1:2016, Annex C.
3.14
word
string of 32 bits used in dedicated hash-functions 1, 2, 3, 4, 8 and 17 or a string of 64 bits used in
dedicated hash-functions 5, 6, 9 and 10 of ISO/IEC 10118-3:2018
[SOURCE: ISO/IEC 10118-3:2018, 3.2, modified — added specific bit lengths, 32 bits or 64 bits, for
different dedicated hash-functions.]
4 Symbols and notation
C , C' constant words used in the round-functions
i i
D input data string, i.e. the data string to be input to the MAC algorithm
D padded data string
j ~ X string obtained from a string X at least j bits in length by taking the leftmost j bits of X
H hash-code
H', H” strings of L bits which are used in the MAC algorithm computation to store an intermediate
result
h
hash-function
h′
hash-function h with modified constants and modified IV
© ISO/IEC 2021 – All rights reserved 3

h simplified hash-function h without the padding and length appending, and without truncating
the round-function output (L bits) to its leftmost L bits
2 H
NOTE 1 h is applied to input strings with a length that is a positive integer multiple of L .
NOTE 2 The output of h is L bits rather than L bits; in particular, in dedicated hash-functions 6 and 8
2 H
defined in ISO/IEC 10118-3:2018, L is always smaller than L .
H 2
initializing value
IV
initializing values
IV', IV ,
IV
length (in bits) of the MAC algorithm key
k
MAC algorithm key
K
secret keys derived to be used for a MAC algorithm
K', K ,
K , K ,
1 2
K , K ,
K
th
K [i] i word in the derived key K
1 1
KT first input string of the function ϕ' used in the output transformation step of MAC Algorithm 1

bit string encoding the message length in MAC Algorithm 3
L
L length (in bits) of a bit-string X
X
L length (in bits) of the first of the two input strings to the round-function, ϕ
L length (in bits) of the second of the two input strings to the round-function, ϕ, of the output
string from the round-function, ϕ, and of IV
m length (in bits) of the MAC
OPAD, constant strings used in MAC Algorithm 2
IPAD
q number of blocks in the input data string D after the padding and splitting process
R, S , S , constant strings used in the computation of the constants for MAC Algorithm 1 and MAC Algo-
0 1
S rithm 3
T , T , constant strings used in the key derivation for MAC Algorithm 1 and MAC Algorithm 3
0 1
T U ,
2, 0
U , U
1 2
w length (in bits) of a word; w is 32 when using dedicated hash-functions 1, 2, 3, 4, 8 and 17 of
ISO/IEC 10118-3:2018, and w is 64 when using dedicated hash-functions 5, 6, 9 and 10 of ISO/
IEC 10118-3:2018
X ⊕ Y bitwise exclusive-or of bit-strings X and Y
X || Y concatenation of bit-strings X and Y (in that order)
: = symbol denoting the "set equal to" operation used in the procedural specifications of MAC
algorithms, where it indicates that the value of the string on the left side of the symbol shall
be made equal to the value of the expression on the right side of the symbol
4 © ISO/IEC 2021 – All rights reserved

ϕ round-function, i.e. if X and Y are bit-strings of lengths L and L respectively, then ϕ (X, Y) is
1 2
the string obtained by applying ϕ to X and Y
ϕ' modified round-function with constants different from those used in the original round func-
tion
w
Ψ modulo 2 addition operation, where w is the number of bits in a word, i.e. if A and B are
words, then AΨB is the word obtained by treating A and B as the binary representations of
w
integers and computing their sum modulo 2 , and the result is constrained to lie between 0
w
and 2 −1 inclusive
The value of w is 32 in dedicated hash-functions 1, 2, 3, 4, 8 and 17, and 64 in dedicated
hash-functions 5, 6, 9 and 10.
5 Requirements
Users who wish to employ a MAC algorithm from this document shall select:
— a dedicated hash-function from the functions specified in ISO/IEC 10118-3:2018 so that the hash-
function and its round-function or its sponge function is implemented or suitable to use; a MAC
algorithm amongst those specified in Clauses 6, 7, 8 and 9 which can use the selected hash-function
or its round-function or sponge function; and
— the length (in bits) m of the MAC, where m is at least 32.
The use of dedicated hash-functions 7 and 9 to 16 from ISO/IEC 10118-3 with MAC Algorithms 1 and 3
is not specified in this document. The use of dedicated hash-functions 9 and 10 from ISO/IEC 10118-3
with MAC Algorithm 2 is also not specified in this document. MAC Algorithm 4 makes use of the Keccak
function, a primitive (known as a sponge function) used in defining dedicated hash-functions 13 to
16 from ISO/IEC 10118-3. The permitted combinations of MAC algorithms and hash-functions are
summarized in Table 1.
Table 1 — Permitted combinations of MAC algorithms and dedicated hash-functions
Dedicated hash-function in ISO/ MAC Algorithm MAC Algorithm MAC Algorithm MAC Algorithm
IEC 10118-3 1 2 3 4
1 RIPEMD-160 √ √ √
2 RIPEMD-128 √ √ √
3 SHA-1 √ √ √
4 SHA-256 √ √ √
5 SHA-512 √ √ √
6 SHA-384 √ √ √
7 Whirlpool √
8 SHA-224 √ √ √
9 SHA-512/224
10 SHA-512/256
11 STREEBOG 512 √
12 STREEBOG 256 √
13 SHA3–224 √ √
14 SHA3–256 √ √
15 SHA3–384 √ √
16 SHA3–512 √ √
17 SM3 √ √ √
Agreement on these choices amongst the users is essential for use of the data integrity mechanism.
© ISO/IEC 2021 – All rights reserved 5

The key K used in a MAC algorithm shall have entropy that meets or exceeds the security strength to be
provided by the MAC algorithm.
In every case, the MAC algorithm key K shall be chosen such that every possible key is approximately
equally likely to be selected.
For MAC Algorithms 1 and 2, the length m of the MAC is a positive integer less than or equal to the
length of the hash-code L . For MAC Algorithm 2, the length m of MAC value shall be at least 32 bits. For
H
MAC Algorithm 3, the length m of the MAC is a positive integer less than or equal to half the length of
the hash-code, i.e. m ≤ L /2. The length in bits of the input data string may be limited by the dedicated
H
hash-function and/or the MAC algorithm and is discussed for each MAC algorithm. For MAC Algorithm
2 040
4, the length in bits of the input data string D shall be at most 2 −1. The selection of a specific MAC
Algorithm, dedicated hash-function as specified in Table 1, and value for m is beyond the scope of this
document.
These choices affect the security level of the MAC algorithm. For a detailed discussion, see Annex C.
The key used for calculating and verifying the MAC is the same. If the input data string is also
being enciphered, the key used for the calculation of the MAC should be different from that used for
encipherment, because it is considered as good cryptographic practice to have independent keys for
confidentiality and for data integrity.
Annex A lists the object identifiers which shall be used to identify the mechanisms defined in this
document.
Annex B provides numerical examples for the MAC algorithms specified in this document to be used for
checking the correctness of implementations.
Annex C describes major attacks and proofs of security for the MAC algorithms specified in this
document.
6 MAC Algorithm 1
6.1 General
[10]
This clause contains a description of MDx-MAC with dedicated hash-functions 1 to 6, 8 and 17.
Table 2 shows the commonly used names of MDx-MAC with individual dedicated hash-functions.
Table 2 — The MDx-MAC algorithm with different dedicated hash-functions
Dedicated hash-function: The MDx-MAC algorithm is also known as
Dedicated hash-function 1 RIPEMD-160-MAC
Dedicated hash-function 2 RIPEMD-128-MAC
Dedicated hash-function 3 SHA-1-MAC
Dedicated hash-function 4 SHA-256-MAC
Dedicated hash-function 5 SHA-512-MAC
Dedicated hash-function 6 SHA-384-MAC
Dedicated hash-function 8 SHA-224-MAC
Dedicated hash-function 17 SM3-MAC
The use of MAC Algorithm 1 with dedicated hash-functions 7 and 9 to 16 of ISO/IEC 10118-3 is not
specified in this document.
MAC Algorithm 1 requires one application of the hash-function to compute a MAC value but requires
that the constants in the corresponding round-function be modified. The hash-function shall be
selected from dedicated hash-functions 1 to 6, 8 and 17 from ISO/IEC 10118-3. MAC Algorithm 1 can
accommodate the maximum of 128 bit key K and therefore provide at most 128 bits security strength.
For MAC Algorithm 1, the length in bits of the input data string D shall be at most 2 - 1 when using
6 © ISO/IEC 2021 – All rights reserved

dedicated hash-functions 1, 2, 3, 4, 8 and 17, and at most 2 – 1 when using dedicated hash-functions
5 and 6.
6.2 Description of MAC Algorithm 1
6.2.1 General
MAC Algorithm 1 involves the following five steps: key expansion, modification of the constants and the
IV, hashing operation, output transformation, and truncation.
6.2.2 Step 1 (key expansion)
If K is shorter than 128 bits, concatenate K to itself ⌈128/k⌈ times and select the leftmost 128 bits of
the result to form the 128-bit key K':
K': = 128 ~ (K || K || … || K). If the length (in bits) of K is greater than or equal to 128, K’: = 128~K.
Compute the derived keys K , K , and K as follows:
0 1 2
K := h (K' || U || K')
0 0
K := 128 ~ h (K' || U || K'), when using dedicated hash-functions 1, 2 and 3
1 1
K := 256 ~ h (K' || U || K'), when using dedicated hash-functions 4, 5, 6, 8 and 17
1 1
K := 128 ~ h (K' || U || K')
2 2
Here h is a simplified hash-function h selected from dedicated hash-functions listed in Table 2 and U ,
U , and U are 768-bit constants that are defined in 6.4.1.
1 2
Padding and length appending can be omitted because in this case the length of the input string is either
L bits or 2L bits.
1 1
When deriving K , truncation is omitted and the length of K is always L bits.
0 0 2
When using dedicated hash-functions 1, 2, 3, 5 and 6, the derived key K is split into four words denoted
by K [i] (0 ≤ i ≤ 3), i.e.
K = K [0] || K [1] || K [2] || K [3]
1 1 1 1 1
When using dedicated hash-functions 4, 8 and 17, the derived key K is split into eight words denoted by
K [i] (0 ≤ i ≤ 7), i.e:
K = K [0] || K [1] || K [2] || K [3]|| K [4] || K [5] || K [6] || K [8]
1 1 1 1 1 1 1 1 1
To convert a string into words, a byte ordering convention is required. The byte ordering convention for
this conversion is that which is defined for the selected dedicated hash-functions in ISO/IEC 10118-3.
6.2.3 Step 2 (modification of the constants and the IV)
When using dedicated hash-functions 1, 2, 3, 4, 5, 6, 8 and 17, the additive constants used in the round-
w
function are modified by the modulo 2 addition of a word of K , for example:
C : = C Ψ K [0]
0 0 1
Precisely which word of K is added to each constant depends on the hash-function in use, and is
specified in 6.4.
The initializing value, IV, of the hash-function is replaced by IV': = K .
© ISO/IEC 2021 – All rights reserved 7

6.2.4 Step 3 (hashing operation)
The string which is input to the modified hash-function h' is equal to the input data string D, i.e.
H': = h' (D).
6.2.5 Step 4 (output transformation)
The modified round-function ϕ' is applied one additional time, with as first input the string KT (defined
below) and as second input the string H' (the result of Step 3), i.e.:
H”: = ϕ' (KT, H').
For dedicated hash-functions 1, 2, 3, 4, 8 and 17:
KT = K || (K ⊕ T ) || (K ⊕ T ) || (K ⊕ T )
2 2 0 2 1 2 2
For dedicated hash-functions 5 and 6:
KT = K || (K ⊕ T ) || (K ⊕ T ) || (K ⊕ T )|| K || (K ⊕ T ) || (K ⊕ T ) || (K ⊕ T )
2 2 0 2 1 2 2 2 2 0 2 1 2 2
Here T , T , and T are 128-bit strings defined in 6.4 for each dedicated hash-function.
0 1 2
The output transformation corresponds to processing an additional data block derived from K after
padding and appending of the length field.
6.2.6 Step 5 (truncation)
The MAC of m bits is derived by taking the leftmost m bits of the string H”, i.e.
MAC: = m ~ H”
6.3 Efficiency
If the padded data string (where the padding algorithm depends on the selected hash-function) contains
q blocks, then MAC Algorithm 1 requires q + 7 applications of the round-function when dedicated hash-
functions 1, 2, 3, 4, 8 and 17 are selected, and q + 4 applications of the round function when dedicated
hash-functions 5 and 6 are selected. This can be reduced to q + 1 applications of the round-function by
pre-computing the values K , K and K , and by replacing the initializing value IV by IV' in the application
0 1 2
of the hash-function. It is recommended to make this modification to the code of the hash-function
together with the mandatory modification required for Step 2. For long input strings, MAC Algorithm 1
has a performance which is comparable to that of the hash-function used.
6.4 Computation of the constants
6.4.1 General
The constants described in 6.4 are used in MAC Algorithms 1 and 3. MAC Algorithm 3 is specified in
Clause 8. The strings T and U are fixed elements in the description of the MAC algorithm. They are
i i
computed (only once) using the hash-function; they are different for each of the eight hash-functions.
The 128-bit constants T and 768-bit constants U are defined as follows. The definition of T involves
i i i
the 496-bit constant R = “ab…yzAB…YZ01…89” and 16-bit constants S , S , S , where S is the 16-bit
0 1 2 i
string formed by repeating twice the 8-bit representation of i (e.g. the hexadecimal representation of S
is 3131). In both cases, ASCII coding is used; this is equivalent to coding using ISO/IEC 646:
for i: = 0 to 2
T := 128 ~ h (S || R) for dedicated hash-functions 1, 2, 3, 4, 8 and 17
i i
512 512
T := 128 ~ h (S || R || 0 ) for dedicated hash-functions 5 and 6, where 0 is 512 zero bits
i i
8 © ISO/IEC 2021 – All rights reserved

for i: = 0 to 2 U : = T || T || T || T || T || T
i i i + 1 i + 2 i i + 1 i + 2
where the subscripts in T are taken modulo 3. In dedicated hash-functions 1, 2, 3, 4, 5, 6, 8 and 17,
i
for all constants C , C' and all words K [i] the most significant bit corresponds to the leftmost bit. The
i i 1
constants C and C' are presented using a hexadecimal representation.
i i
6.4.2 Dedicated hash-function 1 (RIPEMD-160)
The 128-bit constant strings T for dedicated hash-function 1 are defined as follows (in hexadecimal
i
representation):
T = 1CC7086A046AFA22353AE88F3D3DACEB
T = E3FA02710E491D851151CC34E4718D41
T = 93987557C07B8102BA592949EB638F37
Two sequences of constant words C , C , …, C and C' , C' , …, C' are used in the round-function of
0 1 79 0 1 79
dedicated hash-functions 1. They are defined as follows:
C = K [0],              (0 ≤ i ≤ 15)
i 1
C = K [1] Ψ 5A827999, (16 ≤ i ≤ 31)
i 1
C = K [2] Ψ 6ED9EBA1, (32 ≤ i ≤ 47)
i 1
C = K [3] Ψ 8F1BBCDC, (48 ≤ i ≤ 63)
i 1
C = K [0] Ψ A953FD4E, (64 ≤ i ≤ 79)
i 1
C' = K [1] Ψ 50A28BE6, (0 ≤ i ≤ 15)
i 1
C' = K [2] Ψ 5C4DD124, (16 ≤ i ≤ 31)
i 1
C' = K [3] Ψ 6D703EF3, (32 ≤ i ≤ 47)
i 1
C' = K [0] Ψ 7A6D76E9, (48 ≤ i ≤ 63)
i 1
C' = K ,[1]             (64 ≤ i ≤ 79)
i 1
6.4.3 Dedicated hash-function 2 (RIPEMD-128)
The 128-bit constant strings T for dedicated hash-function 2 are defined as follows (in hexadecimal
i
representation).
T = FD7EC18964C36D53FC18C31B72112AAC
T = 2538B78EC0E273949EE4C4457A77525C
T = F5C93ED85BD65F609A7EB182A85BA181
Two sequences of constant words C , C , …, C and C' , C' , …, C' are used in the round-function of
0 1 63 0 1 63
dedicated hash-function 2. They are defined as follows:
C = K [0],              (0 ≤ i ≤ 15)
i 1
C = K [1] Ψ 5A827999, (16 ≤ i ≤ 31)
i 1
C = K [2] Ψ 6ED9EBA1, (32 ≤ i ≤ 47)
i 1
C = K [3] Ψ 8F1BBCDC, (48 ≤ i ≤ 63)
i 1
C' = K [0] Ψ 50A28BE6, (0 ≤ i ≤ 15)
i 1
© ISO/IEC 2021 – All rights reserved 9

C' = K [1] Ψ 5C4DD124, (16 ≤ i ≤ 31)
i 1
C' = K [2] Ψ 6D703EF3, (32 ≤ i ≤ 47)
i 1
C' = K ,[3]        (48 ≤ i ≤ 63)
i 1
6.4.4 Dedicated hash-function 3 (SHA-1)
The 128-bit constant strings T for dedicated hash-function 3 are defined as follows (in hexadecimal
i
representation):
T = 1D4CA39FA40417E2AE5A77B49067BBCC
T = 9318AFEF5D5A5B46EFCA6BEC0E138940
T = 4544209656E14F97005DAC76868E97A3
A sequence of constant words C , C , …, C is used in the round-function of dedicated hash-function 3.
0 1 79
It is defined as follows.
C = K [0] Ψ 5A827999, (0 ≤ i ≤ 19)
i 1
C = K [1] Ψ 6ED9EBA1, (20 ≤ i ≤ 39)
i 1
C = K [2] Ψ 8F1BBCDC, (40 ≤ i ≤ 59)
i 1
C = K [3] Ψ CA62C1D6, (60 ≤ i ≤ 79)
i 1
6.4.5 Dedicated hash-function 4 (SHA-256)
The 128-bit constant strings T for dedicated hash-function 4 are computed as follows (where h is the
i
simplified version of dedicated hash-function 4).
T = 13C10FB018D2C57E189060502F7DB523
T = 3DD6B5AE05B11977F3BFDC25CB1F35A8
T = E31F81250B926FEAD2A82A6F63DD66D5
A sequence of constant words C , C , …, C is used in the round-function of dedicated hash-function 4.
0 1 63
It is defined as follows.
C = K [i mod 8] Ψ C" (0 ≤ i ≤ 63)
i 1 i
where the sequence C" , C" , …, C" in a hexadecimal representation (where the most significant bit
0 1 63
corresponds to the leftmost bit) is defined as follows, where the words are listed in the order C" , C" ,
0 1
…, C" .
428a2f98 71374491 b5c0fbcf e9b5dba5 3956c25b 59f111f1 923f82a4 ab1c5ed5
d807aa98 12835b01 243185be 550c7dc3 72be5d74 80deb1fe 9bdc06a7 c19bf174
e49b69c1 efbe4786 0fc19dc6 240ca1cc 2de92c6f 4a7484aa 5cb0a9dc 76f988da
983e5152 a831c66d b00327c8 bf597fc7 c6e00bf3 d5a79147 06ca6351 14292967
27b70a85 2e1b2138 4d2c6dfc 53380d13 650a7354 766a0abb 81c2c92e 92722c85
a2bfe8a1 a81a664b c24b8b70 c76c51a3 d192e819 d6990624 f40e3585 106aa070
19a4c116 1e376c08 2748774c 34b0bcb5 391c0cb3 4ed8aa4a 5b9cca4f 682e6ff3
748f82ee 78a5636f 84c87814 8cc70208 90befffa a4506ceb bef9a3f7 c67178f2
NOTE These values are the first 32 bits of the fractional parts of the cube roots of the first 64 primes. They
are the constant sequence used in SHA-256.
6.4.6 Dedicated hash-function 5 (SHA-512)
The 128-bit constant strings T for dedicated hash-function 5 are computed as follows (where h is the
i
simplified version of dedicated hash-function 5):
10 © ISO/IEC 2021 – All rights reserved

T = 85f6e8b28ba014ed11d076ead90412a5
T = 33a6da6c7aaaf2149104fe4183152828
T = 7682094a7e45cf6bf27d19c2c7d6cf77
A sequence of constant words C , C , …, C is used in the round-function of dedicated hash-function 5.
0 1 79
It is defined as follows:
C = K [i mod 4] Ψ C" (0 ≤ i ≤ 79),
i 1 i
where the sequence C" , C" , …, C" in a hexadecimal representation (where the most significant bit
0 1 79
corresponds to the leftmost bit) is defined as follows, where the words are listed in the order C" , C" ,
0 1
…, C" .
428a2f98d728ae22 7137449123ef65cd b5c0fbcfec4d3b2f e9b5dba58189dbbc
3956c25bf348b538 59f111f1b605d019 923f82a4af194f9b ab1c5ed5da6d8118
d807aa98a3030242 12835b0145706fbe 243185be4ee4b28c 550c7dc3d5ffb4e2
72be5d74f27b896f 80deb1fe3b1696b1 9bdc06a725c71235 c19bf174cf692694
e49b69c19ef14ad2 efbe4786384f25e3 0fc19dc68b8cd5b5 240ca1cc77ac9c65
2de92c6f592b0275 4a7484aa6ea6e483 5cb0a9dcbd41fbd4 76f988da831153b5
983e5152ee66dfab a831c66d2db43210 b00327c898fb213f bf597fc7beef0ee4
c6e00bf33da88fc2 d5a79147930aa725 06ca6351e003826f 142929670a0e6e70
27b70a8546d22ffc 2e1b21385c26c926 4d2c6dfc5ac42aed 53380d139d95b3df
650a73548baf63de 766a0abb3c77b2a8 81c2c92e47edaee6 92722c851482353b
a2bfe8a14cf10364 a81a664bbc423001 c24b8b70d0f89791 c76c51a30654be30
d192e819d6ef5218 d69906245565a910 f40e35855771202a 106aa07032bbd1b8
19a4c116b8d2d0c8 1e376c085141ab53 2748774cdf8eeb99 34b0bcb5e19b48a8
391c0cb3c5c95a63 4ed8aa4ae3418acb 5b9cca4f7763e373 682e6ff3d6b2b8a3
748f82ee5defb2fc 78a5636f43172f60 84c87814a1f0ab72 8cc702081a6439ec
90befffa23631e28 a4506cebde82bde9 bef9a3f7b2c67915 c67178f2e372532b
ca273eceea26619c d186b8c721c0c207 eada7dd6cde0eb1e f57d4f7fee6ed178
06f067aa72176fba 0a637dc5a2c898a6 113f9804bef90dae 1b710b35131c471b
28db77f523047d84 32caab7b40c72493 3c9ebe0a15c9bebc 431d67c49c100d4c
4cc5d4becb3e42b6 597f299cfc657e2a 5fcb6fab3ad6faec 6c44198c4a475817
These values are the first 64 bits of the fractional parts of the cube roots of the first 80 primes. They are
the constant sequence used in SHA-512.
6.4.7 Dedicated hash-function 6 (SHA-384)
The 128-bit constant strings T for dedicated hash-function 6 are computed as follows (where h is the
i
simplified version of dedicated hash-function 6).
T = 33bfc7a7db2d833c1fa120f248ea0c68
T = 0f53e26170d
...