GOST R 34.12-2015: Block Cipher "Kuznyechik"Research Computer Center MSU
Leninskiye Gory, 1, building 4, MGU NIVCMoscow119991Russian Federationdol@srcc.msu.ru
General
Internet Engineering Task ForceKuznyechikBlock Cipher This document is intended to be a source of information about the
Russian Federal standard block cipher with block length of n=128 bits,
which is also referred as "Kuznyechik" .This algorithm
is one of the Russian cryptographic standard algorithms (called GOST
algorithms).
The Russian Federal standard specifies basic block
ciphers used as cryptographic techniques for information processing and
information protection including the provision of confidentiality, authenticity,
and integrity of information during information transmission, processing and
storage in computer-aided systems.
The cryptographic algorithms specified in this Standard are designed both for
hardware and software implementation. They comply with modern cryptographic
requirements, and put no restrictions on the confidentiality level of the protected
information.
The Standard applies to developing, operation, and modernization of the
information systems of various purposes.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document
are to be interpreted as described in .
The block cipher "Kuznyechik" was developed by the Center for
Information Protection and Special Communications of the Federal Security Service
of the Russian Federation with participation of the Open Joint-Stock company
"Information Technologies and Communication Systems" (InfoTeCS JSC).
GOST R 34.12-2015 was approved and introduced by Decree #749 of the Federal Agency
on Technical Regulating and Metrology on 19.06.2015.
Terms and concepts in the standard comply with the following international standards:
ISO/IEC 10116 ,
series of standards ISO/IEC 18033 , .
The following terms and their corresponding definitions are used in the standard.
Definitions
encryption algorithm: process which transforms plaintext into ciphertext
(Clause 2.19 of ),
decryption algorithm: process which transforms ciphertext into plaintext
(Clause 2.14 of ),
basic block cipher: block cipher which for a given key provides a single
invertible mapping of the set of fixed-length plaintext blocks into ciphertext blocks
of the same length,
block: string of bits of a defined length (Clause 2.6 of ),
block cipher: symmetric encipherment system with the property that the
encryption algorithm operates on a block of plaintext, i.e. a string of
bits of a defined length, to yield a block of ciphertext (Clause 2.7 of
),
Note: In GOST R 34.12-2015, it is established that the terms "block
cipher" and "block encryption algorithm" are synonyms.
encryption: reversible transformation of data by a cryptographic algorithm
to produce ciphertext, i.e., to hide the information content of the data
(Clause 2.18 of ),
round key: sequence of symbols which is calculated from the key and controls
a transformation for one round of a block cipher,
key: sequence of symbols that controls the operation of a cryptographic
transformation (e.g., encipherment, decipherment) (Clause 2.21 of ),
Note: In GOST R 34.12-2015, the key must be a binary sequence.
plaintext: unencrypted information (Clause 3.11 of ),
key schedule: calculation of round keys from the key,
decryption: reversal of a corresponding encipherment (Clause 2.13 of ),
symmetric cryptographic technique: cryptographic technique that uses the same secret
key for both the originator`s and the recipient`s transformation (Clause 2.32 of
),
cipher: alternative term for encipherment system (Clause 2.20 of ),
ciphertext: data which has been transformed to hide its information content
(Clause 3.3 of ).
The following notations are used in the standard:
the set of all binary vector-strings of a finite length (hereinafter referred to as the strings) including empty string,
the set of all binary strings of length s, where s is a non-negative integer;
substrings and string components are enumerated from right to left starting from zero,
direct (Cartesian) product of two set Us and W,
the number of components (the length) of a string A belonging to V* (if A is an empty string,
then |A| = 0),
concatenation of strings A, B both belonging to V*, i.e., a string from V_(|A|+|B|),
where the left substring from V_|A| is equal to A
and the right subdtring from V_|B| is equal to B,
ring of residues modulo 2^n,
finite field GF(2)[x]/p(x), where p(x)=x^8+x^7+x^6+x+1 belongs to GF(2)[x];
elements of field Q are represented by integers in such way that element
z_0+z_1*theta+...+z_7*theta^7 belonging to Q corresponds to integer
z_0+2*z_1+...+2^7*z_7, where z_i=0 or z_i=1, i=0,1,...,7 and
theta denotes a residue class modulo p(x) containing x,
exclusive-or of the two binary strings of the same length,
bijective mapping which maps an element from ring Z_(2^s)
into its binary representation, i.e., for an element z of the ring Z_(2^s),
represented by the residue z_0 + (2*z_1) + ... + (2^(s-1)*z_(s-1)),
where z_i in {0, 1}, i = 0, ..., n-1, the equality Vec_s(z) = z_(s-1)||...||z_1||z_0 holds,
the mapping inverse to the mapping Vec_s, i.e., Int_s = Vec_s^(-1),
bijective mapping which maps a binary string from V_8 into an element from field
Q as follows: string z_7||...||z_1||z_0, where z_i in {0, 1}, i = 0, ..., 7, corresponds
to the element z_0+(z_1*theta)+...+(z_7*theta^7) belonging to Z,
the mapping inverse to the mapping nabla, i.e., delta = nabla^(-1),
composition of mappings, where the mapping S applies first,
composition of mappings P^(s-1) and P, where P^1=P,
The bijective nonlinear mapping is a substitution: Pi = (Vec_8)Pi'(Int_8): V_8 -> V_8,
where Pi': Z_(2^8) -> Z_(2^8). The values of the substitution Pi' are specified below
as an array Pi' = (Pi'(0), Pi'(1), ... , Pi'(255)):
The linear transformation is denoted by l: (V_8)^16 -> V_8, and defined as:
for all a_i belonging to V_8, i = 0, 1, ..., 15, where the addition and multiplication
operations are in the field Q, and constants are elements of the field as defined above.
The following transformations are applicable for encryption and decryption algorithms:
X[k](a)=x(xor)a, where k, a belong to V_128,
S(a)=(a_15||...||a_0)=pi(a_15)||...||pi(a_0),
where a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
the inverse transformation of S, which may be calculated, for example,
as follows: S^(-1)(a_15||...||a_0)=pi^(-1) (a_15)||...||pi^(-1)(a_0),
where a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
pi^(-1) is the inverse of pi.,
R(a_15||...||a_0)=l(a_15,...,a_0)||a_15||...||a_1, where a_15||...||a_0
belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
L(a)=R^(16)(a), where a belongs to V_128,
the inverse transformation of R, which may be calculated, for example,
as follows: R^(-1)(a_15||...||a_0)=a_14||a_13||...||a_0||l(a_14,a_13,...,a_0,a_15),
where a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15, pi^(-1)
is the inverse of pi,
L^(-1)(a)=(R^(-1))(16)(a), where a belongs to V_128,
F[k](a_1,a_0)=(LSX[k](a_1)(xor)a_0,a_1), where k, a_0, a_1 belong to V_128.
Key schedule uses round constants C_i belonging to V_128, i=1, 2, ..., 32, defined as
Round keys K_i, i=1, 2, ..., 10 are derived from key K=k_255||...||k_0 belonging to V_256,
k_i belongs to V_1, i=0, 1, ..., 255, as follows:
Depending on the values of round keys K_1,...,K_10, the encryption algorithm is a substitution E_(K_1,...,K_10)
defined as follows:
where a belongs to V_128.
Depending on the values of round keys K_1,...,K_10, the decryption algorithm is a substitution D_(K_1,...,K_10)
defined as follows:
where a belongs to V_128.
This section is for information only and is not a normative part of the standard.
In this test example, the key is equal to:
The round keys K_i, i = 1, 2, ..., 10, take the following values:
In this test example, encryption is performed
on the round keys specified in clause 5.4. Let the plaintext be
then
Then the ciphertext is
In this test example, decryption is performed
on the round keys specified in clause 5.4. Let the ciphertext be
then
Then the plaintext is
This entire document is about security considerations.
Information technology. Cryptographic data security. Block ciphers.GOST R 34.12-2015
Federal Agency on Technical Regulating and Metrology Information technology - Security techniques - Modes of operation for
an n-bit block cipher, ISO-IEC 10116
ISO-IEC Information technology - Security techniques - Encryption algorithms -
Part 1: General, ISO-IEC 18033-1
ISO-IEC Information technology - Security techniques - Encryption algorithms -
Part 3: Block ciphers, ISO-IEC 18033-3
ISO-IECKey words for use in RFCs to Indicate Requirement Levels