1. Scope of IEC 10118-3-04 (2013)
IEC 10118-3-04 (2013), also designated as ISO/IEC 10118-3:2013, is the third part of the international standard governing hash functions used in security services. It specifies a set of dedicated hash functions — cryptographic primitives that produce a fixed-length digest from an arbitrary-length message. This edition supersedes the 2004 version and introduces enhanced algorithms aligned with modern security requirements.
The standard defines algorithms such as SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, and the RIPEMD family (RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320). These functions are widely used for digital signatures, message authentication codes, random number generation, and integrity verification across industries including finance, telecommunications, and government sectors.
Important: While SHA-1 remains in the standard for backward compatibility, it is no longer considered secure against well-funded adversaries. Industry best practices recommend transitioning to SHA-256 or higher for all new applications.
2. Technical Requirements
2.1 Hash Function Families
IEC 10118-3-04 classifies hash functions based on their internal structure and output length. The SHA-2 family (SHA-224 through SHA-512) is derived from the SHA-256 design with variations in word size, number of rounds, and truncation. The RIPEMD family uses a different internal structure with parallel compression pipelines. All algorithms must produce digests that meet collision resistance, preimage resistance, and second-preimage resistance with quantifiable security strengths.
2.2 Parameters and Properties
The standard defines for each algorithm: the initial hash value (IV), the round constants, the compression function, the padding scheme (Merkle-Damgård construction with a length field), and the output transformation. A critical aspect is the security strength, which is approximately half the digest length for collision resistance. The table below summarizes key characteristics:
| Hash Function | Digest Length (bits) | Block Size (bits) | Security Strength (bits) | Word Size (bits) |
|---|---|---|---|---|
| SHA-1 | 160 | 512 | 80 | 32 |
| SHA-224 | 224 | 512 | 112 | 32 |
| SHA-256 | 256 | 512 | 128 | 32 |
| SHA-384 | 384 | 1024 | 192 | 64 |
| SHA-512 | 512 | 1024 | 256 | 64 |
| SHA-512/224 | 224 | 1024 | 112 | 64 |
| SHA-512/256 | 256 | 1024 | 128 | 64 |
| RIPEMD-128 | 128 | 512 | 64 | 32 |
| RIPEMD-160 | 160 | 512 | 80 | 32 |
| RIPEMD-256 | 256 | 512 | 128 | 32 |
| RIPEMD-320 | 320 | 512 | 160 | 32 |
All algorithms use the Merkle-Damgård construction with a strengthened length padding. The SHA-2 family adds a finalization block count to thwart length extension attacks on certain truncation modes. The standard also specifies test vectors for each algorithm, which must produce correct outputs for conformance validation.
3. Implementation Highlights
Implementations of IEC 10118-3-04 must be both correct and secure. The standard provides normative references for each algorithm’s steps, including the message schedule, compression function, and intermediate hash state updates. Common implementation approaches include:
- High-level cryptographic libraries (OpenSSL, Bouncy Castle) with validated core modules.
- Hardware acceleration via processor-specific instructions (e.g., Intel SHA Extensions, ARM Cryptography Extensions).
- Dedicated cryptographic co-processors for high-throughput environments.
Optimization Tip: For SHA-256 on 64-bit platforms, use bit-sliced implementations that process multiple blocks in parallel. For SHA-512, ensure proper handling of 128-bit intermediate carries when using compiler intrinsics. Hardware acceleration can increase throughput by up to 5x compared to purely software implementations.
Security Warning: Side-channel attacks, such as cache-timing and power analysis, can leak secret values (including keyed hash outputs). Always use constant-time implementations for the critical compression function loops and avoid table-based accesses with secret indices.
When deploying dedicated hash functions, engineers must also address cryptographic agility — the ability to switch algorithms if vulnerabilities are discovered. The standard supports this by defining multiple algorithms with overlapping security strengths. For instance, if SHA-256 becomes weak, organizations can move to SHA-512 or SHA-512/256 without changing the digest length.
4. Compliance and Conformance Testing
Conformance to IEC 10118-3-04 is verified through specified test vectors for each dedicated hash function. The standard includes example messages and expected digests for every defined algorithm. Independent certification bodies, such as NIST’s Cryptographic Algorithm Validation Program (CAVP), use these vectors to validate implementations. For applications requiring regulatory approval (e.g., Common Criteria, FIPS 140-3), the implementation must be tested by an accredited laboratory.
Compliance Note: Algorithms listed in IEC 10118-3-04 (SHA-224, SHA-256, SHA-384, SHA-512) are also adopted in FIPS PUB 180-4 (Secure Hash Standard). A FIPS 140-3 validated module that implements SHA-256 automatically satisfies the corresponding requirements of this international standard, facilitating global product acceptance.
To achieve full compliance:
- Implement all padding and message scheduling exactly as specified, without substitution.
- Perform self-tests on initialization to ensure the algorithm’s compression function and output are correct.
- Document the security strength for each algorithm and restrict use to appropriate security levels.
- Maintain a change log for any modifications to the reference implementation.
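One way to combine the initialization self-test and the security-strength restriction from the list above, as an added example rather than anything prescribed by the standard. The class and function names are hypothetical, the strengths are taken from the table in section 2.2, and the expected digests are the widely published `abc` example vectors for these functions.

```python
import hashlib

# Algorithm -> (security strength in bits from the table, expected digest of b"abc")
KAT = {
    "sha1": (80, "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "sha224": (112, "23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7"),
    "sha256": (128, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "sha512": (256, "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                    "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
}

class SelfTestError(RuntimeError):
    """A known-answer test produced the wrong digest."""

class PolicyError(ValueError):
    """Requested algorithm is below the configured security strength."""

def run_self_tests(factory=hashlib.new):
    """Run each known-answer test; return (passed, failed) algorithm names."""
    passed, failed = set(), set()
    for name, (_, expected) in KAT.items():
        try:
            ok = factory(name, b"abc").hexdigest() == expected
        except ValueError:  # not provided by this build: unavailable, not faulty
            continue
        (passed if ok else failed).add(name)
    return passed, failed

class HashProvider:
    def __init__(self, min_strength_bits, factory=hashlib.new):
        self.available, failed = run_self_tests(factory)
        if failed:  # fail closed: refuse to start with a miscomputing primitive
            raise SelfTestError(f"known-answer test failed: {sorted(failed)}")
        self._factory, self._min = factory, min_strength_bits

    def digest(self, name, data):
        strength = KAT.get(name, (0, ""))[0]  # unknown algorithms count as 0 bits
        if strength < self._min:
            raise PolicyError(f"{name}: {strength}-bit strength < {self._min}")
        if name not in self.available:
            raise SelfTestError(f"{name} has no passing self-test")
        return self._factory(name, data).digest()
```

Constructing `HashProvider(112)` at start-up rejects SHA-1 requests by policy and aborts initialization if any available algorithm returns a wrong digest.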
Upgrade Path: For legacy systems using SHA-1, transition to SHA-256 is strongly recommended by international security guidelines (NIST SP 800-131A, ENISA). The 2013 edition of the standard provides the SHA-512/224 and SHA-512/256 variants to facilitate this upgrade on 64-bit platforms without performance or digest-length concerns.
The standardization of dedicated hash functions in IEC 10118-3-04 ensures worldwide interoperability. Systems that claim compliance with this standard can exchange digital signatures, certificates, and checksums reliably, regardless of the underlying implementation platform.
Frequently Asked Questions
Q: What is the difference between IEC 10118-3-04 and the FIPS SHA standard?
A: IEC 10118-3-04 (2013) includes all SHA-2 variants (SHA-224/256/384/512/512-224/512-256) plus the RIPEMD family, while FIPS PUB 180-4 covers only the SHA-1 and SHA-2 families. The two standards align on the SHA algorithms, so a FIPS-validated SHA-256 implementation also meets IEC requirements for that specific function. However, for applications requiring RIPEMD-160 (common in some legacy European systems), IEC 10118-3-04 must be referenced directly.
Q: Which hash function from IEC 10118-3-04 should I choose for a new cryptographic system?
A: For the best balance of security and performance, choose SHA-256 (128-bit security) for most applications. If you need higher resistance (for example, in systems that must remain secure for decades), use SHA-512 (256-bit security). For constrained environments where digest size matters, SHA-224 or SHA-512/224 are suitable with 112-bit security. Avoid SHA-1 and RIPEMD-128 for new designs due to known weaknesses.
Q: Can I implement the hash functions from IEC 10118-3-04 without a license?
A: Yes. The dedicated hash functions defined in this standard are not subject to patent restrictions (the basic algorithms are public domain). International standardization ensures free use without royalty burdens. However, if your product claims conformance, you must ensure the implementation passes the test vectors provided in the standard, and you may need to undergo formal validation for certain government or regulated markets.
Q: Does IEC 10118-3-04 address side-channel attacks?
A: The standard itself focuses on functional correctness and does not mandate specific countermeasures against side-channel attacks. It is the implementer’s responsibility to add protections such as constant-time logic, masking, or hardware isolation. When compliance audits require resistance to such attacks, consult additional guidelines like ISO/IEC 19790 or NIST SP 800-140.
Published 2026 | International Electrotechnical Commission (IEC) standard reference IEC 10118-3-04 (Ed. 2.0 2013). This article is for informational purposes and does not replace the official standard document.