Internet-Draft                                          V. Dolmatov, Ed.
Intended status: Informational                            Cryptocom Ltd.
Expires: June 21, 2010                                 December 21, 2009

                             GOST 28147-89
               encryption, decryption and MAC algorithms
                draft-dolmatov-cryptocom-gost2814789-08

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 21, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

   This document may not be modified, and derivative works of it may
   not be created, except to format it for publication as an RFC or to
   translate it into languages other than English.
Abstract

   This document is intended to be a source of information about the
   Russian Federal standard for electronic encryption, decryption and
   message authentication algorithms (GOST 28147-89), which is one of
   the Russian cryptographic standard algorithms (called GOST
   algorithms).  Russian cryptography is increasingly used in Internet
   applications, and this document has been created as information for
   developers and users of GOST 28147-89 for encryption, decryption and
   message authentication.

Table of Contents

   1. Introduction
      1.1. General information
   2. Applicability
   3. Definitions and notations
      3.1. Definitions
      3.2. Notations
   4. General statements
   5. The electronic codebook mode
      5.1. Encryption of plain text in the electronic codebook mode
      5.2. Decryption of ciphertext in the electronic codebook mode
   6. The counter encryption mode
      6.1. Encryption of plain text in the counter encryption mode
      6.2. Decryption of ciphertext in the counter encryption mode
   7. The cipher feedback mode
      7.1. Encryption of plain text in the cipher feedback mode
      7.2. Decryption of ciphertext in the cipher feedback mode
   8. Message authentication code (MAC) generation mode
   9. Security considerations
   10. IANA Considerations
   11. Normative references
   Appendix 1. Values of the constants C1, C2

1. Introduction

1.1. General information

   GOST 28147-89 is the unified cryptographic transformation algorithm
   for information processing systems of different purposes.  It defines
   the encryption/decryption rules and the message authentication code
   (MAC) generation rules.

   The algorithm is intended for hardware or software implementation,
   satisfies the applicable cryptographic requirements and puts no
   limit on the secrecy level of the information being encrypted.

2. Applicability

   GOST 28147-89 defines the encryption/decryption model and MAC
   generation for a given message (document) that is meant for
   transmission via insecure public telecommunication channels between
   data processing systems of different purposes.

   GOST 28147-89 is required for use in the Russian Federation by all
   data processing systems providing public services.

3. Definitions and notations

3.1. Definitions

   The following terms are used in the standard:

   3.1.1 Running key: a pseudo-random bit sequence generated by a given
   algorithm for encrypting plain texts and decrypting encrypted texts.

   3.1.2 Encryption: the process of transforming plain text into
   encrypted data using a cipher.

   3.1.3 MAC: an information string of fixed length that is generated
   from a plain text and a key according to some rule and appended to
   the encrypted data, for protection against data falsification.

   3.1.4 Key: a defined secret state of some parameters of a
   cryptographic transformation algorithm that selects one
   transformation out of all the possible transformations.

   3.1.5 Cryptographic protection: data protection using cryptographic
   transformations of the data.

   3.1.6 Cryptographic transformation: data transformation using
   encryption and (or) MAC.
   3.1.7 Decryption: the process of transforming encrypted data into
   plain text using a cipher.

   3.1.8 Initialisation vector: initial values of the open (non-secret)
   parameters of a cryptographic transformation algorithm.

   3.1.9 Encryption equation: a relation describing how encrypted data
   is produced from plain text by the transformations defined by the
   cryptographic transformation algorithm.

   3.1.10 Decryption equation: a relation describing how plain text is
   produced from encrypted data by the transformations defined by the
   cryptographic transformation algorithm.

   3.1.11 Cipher: a set of reversible transformations of the set of
   possible plain texts onto the set of encrypted data, performed
   according to certain rules and using keys.

3.2. Notation

   In this document the following notations are used:

   ^     is the power operator;

   (+)   is bitwise addition modulo 2 (XOR) of words of the same length;

   [+]   is addition of 32-bit vectors modulo 2^32;

   [+]'  is addition of 32-bit vectors modulo 2^32-1;

   1..N  is all values from 1 to N.

4. General statements

   4.1. The structure model of the cryptographic transformation
   algorithm (the cryptographic model) contains:

   - a 256-bit key data store (KDS) consisting of eight 32-bit
     registers (X0, X1, X2, X3, X4, X5, X6, X7);

   - four 32-bit registers (N1, N2, N3, N4);

   - two 32-bit registers (N5, N6) containing the constants C2 and C1,
     respectively;

   - two 32-bit adders modulo 2^32 (CM1, CM3);

   - a 32-bit adder of bitwise sums modulo 2 (CM2);

   - a 32-bit adder modulo 2^32-1 (CM4);

   - an adder modulo 2 (CM5) with no limitation on its width;

   - a substitution box (K);

   - a register for a cyclic shift of 11 steps towards the top digit (R).

   4.2. The substitution box (S-box) K consists of eight substitution
   points K1, K2, K3, K4, K5, K6, K7, K8, each with 64 bits of memory.
   A 32-bit vector coming into the substitution box is divided into
   eight successive 4-bit vectors, and each of them is transformed into
   a 4-bit vector by the corresponding substitution point.  A
   substitution point is a table of 16 lines, each containing 4 bits.
   The incoming vector selects the line in the table, and the contents
   of that line is the outgoing vector.  The eight 4-bit outgoing
   vectors are then successively combined into a 32-bit vector.

   Remark: the standard doesn't define any S-boxes.  Some of them are
   defined in [RFC4357].

   4.3. When adding and cyclically shifting binary vectors, the bits
   with larger numbers are considered the top (most significant)
   digits.

   4.4. When a key (W1, W2, ..., W256), Wq = 0..1, q = 1..256, is
   written into the KDS, the value W1 is written into the 1st bit of
   the register X0, the value W2 is written into the 2nd bit of the
   register X0, ..., the value W32 is written into the 32nd bit of the
   register X0; the value W33 is written into the 1st bit of the
   register X1, the value W34 is written into the 2nd bit of the
   register X1, ..., the value W64 is written into the 32nd bit of the
   register X1; the value W65 is written into the 1st bit of the
   register X2, etc.; the value W256 is written into the 32nd bit of
   the register X7.

   4.5. When information is copied, the value of the p-th bit of one
   register (adder) is written into the p-th bit of another register
   (adder).

   4.6. The values of the constants C1 and C2 held in the registers N6
   and N5 are given in Appendix 1.

   4.7. The key filling the KDS and the tables of the substitution box
   K are secret elements and are provided in accordance with the
   established procedure.

   The filling of the substitution box K is described in GOST 28147-89
   as a long-term key element common to a whole computer network.
   Usually K is used as a parameter of the algorithm; some possible
   sets of K are described in [RFC4357].

   4.8. The cryptographic model provides four working modes:

   - data encryption (decryption) in the electronic codebook (ECB) mode;

   - data encryption (decryption) in the counter (CNT) mode;

   - data encryption (decryption) in the cipher feedback (CFB) mode;

   - the MAC generation mode.

   [RFC4357] also describes a CBC mode of GOST 28147-89, but this mode
   is not a part of the standard.

5. The electronic codebook mode

5.1. Encryption of plain text in the electronic codebook mode

   5.1.1. The plain text to be encrypted is split into 64-bit blocks.
   A binary data block Tp = (a1(0), a2(0), ..., a31(0), a32(0), b1(0),
   b2(0), ..., b32(0)) is loaded into the registers N1 and N2 so that
   the value of a1(0) is put into the first bit of N1, the value of
   a2(0) is put into the second bit of N1, etc., and the value of a32(0)
   is put into the 32nd bit of N1.  The value of b1(0) is put into the
   first bit of N2, the value of b2(0) is put into the 2nd bit of N2,
   etc., and the value of b32(0) is put into the 32nd bit of N2.

   The result is the state (a32(0), a31(0), ..., a2(0), a1(0)) of the
   register N1 and the state (b32(0), b31(0), ..., b1(0)) of the
   register N2.

   5.1.2. The 256 bits of the key are entered into the KDS.  The
   contents of the eight 32-bit registers X0, X1, ..., X7 are:

      X0 = W32, W31, ..., W2, W1

      X1 = W64, W63, ..., W34, W33

      . . . . . . . . . . . . . . .

      X7 = W256, W255, ..., W226, W225

   5.1.3. The algorithm for enciphering 64-bit blocks of plain text in
   the electronic codebook mode consists of 32 rounds.

   In the first round the initial value of the register N1 is added
   modulo 2^32 in the adder CM1 to the contents of the register X0.
   Note: the value of the register N1 is unchanged.

   The result of the addition is transformed in the substitution box
   K, and the resulting vector is put into the register R, where it is
   cyclically shifted by 11 steps towards the top digit.  The result of
   this shift is added bitwise modulo 2 in the adder CM2 to the 32-bit
   contents of the register N2.  The result produced in CM2 is then
   written into N1, and the old contents of N1 are written into N2.
   Thus the first round ends.

   The subsequent rounds are similar to the first one: in the second
   round the contents of X1 are read from the KDS, in the third round
   the contents of X2 are read from the KDS, etc.; in the 8th round the
   contents of X7 are read from the KDS.  In the rounds 9 through 16
   and 17 through 24 the contents of the KDS are read in the same
   order:

      X0, X1, X2, X3, X4, X5, X6, X7.

   In the last eight rounds, from the 25th to the 32nd, the contents of
   the KDS are read backwards:

      X7, X6, X5, X4, X3, X2, X1, X0.

   Thus, during the 32 rounds of encryption, the registers' contents
   are chosen in the following order:

      X0, X1, X2, X3, X4, X5, X6, X7, X0, X1, X2, X3, X4, X5, X6, X7,
      X0, X1, X2, X3, X4, X5, X6, X7, X7, X6, X5, X4, X3, X2, X1, X0

   In the 32nd round the result in the adder CM2 is written into the
   register N2, and the old contents of the register N1 are unchanged.

   The contents of the registers N1 and N2 after the 32nd round are the
   encrypted data block corresponding to the block of plain text.

   5.1.4. The equations for enciphering in the electronic codebook mode
   are:

      | a(j) = (a(j-1) [+] X((j-1) mod 8))*K*R (+) b(j-1)
      |                                             j = 1..24;
      | b(j) = a(j-1)

      | a(j) = (a(j-1) [+] X(32-j))*K*R (+) b(j-1)
      |                                             j = 25..31;
      | b(j) = a(j-1)

      | a(32) = a(31)
      |                                             j = 32,
      | b(32) = (a(31) [+] X0)*K*R (+) b(31)

   where a(0) = (a32(0), a31(0), ..., a1(0)) is the initial contents of
   N1 before the first round of encryption;

   b(0) = (b32(0), b31(0), ..., b1(0)) is the initial contents of N2
   before the first round of encryption;

   a(j) = (a32(j), a31(j), ..., a1(j)) is the contents of N1 after the
   j-th round of encryption;

   b(j) = (b32(j), b31(j), ..., b1(j)) is the contents of N2 after the
   j-th round of encryption, j = 1..32.

   R is the operation of cyclic shift towards the top digit by 11 steps,
   as follows:

      R(r32, r31, r30, r29, r28, r27, r26, r25, r24, r23, r22, r21, r20,
        ..., r2, r1) =

        (r21, r20, ..., r2, r1, r32, r31, r30, r29, r28, r27, r26, r25,
         r24, r23, r22)

   5.1.5. The 64-bit block of ciphertext Tc is taken out of the
   registers N1, N2 in the following order:

   the first, second, ..., 32nd bit of the register N1, then the first,
   second, ..., 32nd bit of the register N2, i.e.,

      Tc = (a1(32), a2(32), ..., a32(32), b1(32), b2(32), ..., b32(32)).

   The remaining blocks of the plain text in the electronic codebook
   mode are encrypted in the same fashion.

5.2. Decryption of the ciphertext in the electronic codebook mode

   5.2.1. The same 256-bit key that was used for encryption is loaded
   into the KDS, and the encrypted data to be deciphered is divided
   into 64-bit blocks.
   Any binary information block Tc = (a1(32), a2(32), ..., a32(32),
   b1(32), b2(32), ..., b32(32)) is loaded into the registers N1 and N2
   in such a way that the contents of a1(32) are written into the first
   bit of N1, the contents of a2(32) are written into the second bit of
   N1 and so on, the contents of a32(32) are written into the 32nd bit
   of N1; the contents of b1(32) are written into the first bit of N2
   and so on, and the contents of b32(32) are written into the 32nd bit
   of N2.

   5.2.2. The decryption procedure uses the same algorithm as the
   encryption of plain text, with one exception: the contents of the
   registers X0, X1, ..., X7 are read from the KDS in the decryption
   rounds in the following order:

      X0, X1, X2, X3, X4, X5, X6, X7, X7, X6, X5, X4, X3, X2, X1, X0,
      X7, X6, X5, X4, X3, X2, X1, X0, X7, X6, X5, X4, X3, X2, X1, X0.

   5.2.3. The decryption equations are:

      | a(32-j) = (a(32-j+1) [+] X(j-1))*K*R (+) b(32-j+1)
      |                                             j = 1..8;
      | b(32-j) = a(32-j+1)

      | a(32-j) = (a(32-j+1) [+] X((32-j) mod 8))*K*R (+) b(32-j+1)
      |                                             j = 9..31;
      | b(32-j) = a(32-j+1)

      | a(0) = a(1)
      |                                             j = 32.
      | b(0) = (a(1) [+] X0)*K*R (+) b(1)

   (The key index X((32-j) mod 8) for j = 9..31 is what the order in
   5.2.2 prescribes: X7 in round 9, X0 in round 16, X7 again in round
   17, and X1 in round 31, with X0 in the final round.)

   5.2.4. The fillings of the registers N1 and N2 after 32 working
   rounds are a plain text block

      Tp = (a1(0), a2(0), ..., a32(0), b1(0), b2(0), ..., b32(0))

   corresponding to the encrypted data block; the value of a1(0) of the
   block Tp corresponds to the contents of the first bit of N1, the
   value of a2(0) corresponds to the contents of the second bit of N1,
   etc.; the value of b1(0) corresponds to the contents of the first
   bit of N2, the value of b2(0) corresponds to the contents of the
   second bit of N2, etc.; the value of b32(0) corresponds to the
   contents of the 32nd bit of N2.

   The remaining blocks of encrypted data are decrypted similarly.

   5.3. The encryption algorithm in the electronic codebook mode of a
   64-bit block Tp is denoted by A, that is

      A(Tp) = A(a(0), b(0)) = (a(32), b(32)) = Tc.

6. The counter encryption mode

6.1. Encryption of plain text in the counter encryption mode

   6.1.1. The plain text, divided into 64-bit blocks Tp(1), Tp(2), ...,
   Tp(M-1), Tp(M), is encrypted in the counter encryption mode by
   bitwise addition modulo 2 in the adder CM5 with the running key Gc
   produced in 64-bit blocks, that is:

      Gc = (Gc(1), Gc(2), ..., Gc(M-1), Gc(M)),

   where M is defined by the size of the plain text being encrypted and
   Gc(i) is the i-th 64-bit block, i = 1..M.  The number of bits in the
   block Tp(M) can be less than 64; in this case the unused part of the
   running key block Gc(M) is discarded.

   6.1.2. The 256 bits of the key are put into the KDS.  The registers
   N1 and N2 accept a 64-bit binary sequence (the initialisation vector)
   S = (S1, S2, ..., S64) that is the initial filling of these registers
   for the subsequent generation of M blocks of the running key.  The
   initialisation vector is put into the registers N1 and N2 so that the
   value of S1 is written into the first bit of N1, the value of S2 is
   written into the second bit of N1, etc., the value of S32 is written
   into the 32nd bit of N1; the value of S33 is written into the first
   bit of N2, the value of S34 is written into the second bit of N2,
   etc., the value of S64 is written into the 32nd bit of N2.

   6.1.3. The initial filling of the registers N1 and N2 (the
   initialisation vector S) is encrypted in the electronic codebook mode
   in accordance with the requirements of section 5.1.  The result of
   that encryption A(S) = (Y0, Z0) is copied into the 32-bit registers
   N3 and N4 so that the contents of N1 are written into N3, and the
   contents of N2 are written into N4.
   6.1.4. The filling of the register N4 is added modulo 2^32-1 in the
   adder CM4 to the 32-bit constant C1 from the register N6, and the
   result is written into N4.  The filling of the register N3 is added
   modulo 2^32 in the adder CM3 to the 32-bit constant C2 from the
   register N5, and the result is written into N3.

   The filling of N3 is copied into N1, and the filling of N4 is copied
   into N2, while the fillings of N3 and N4 are kept.

   The filling of N1 and N2 is encrypted in the electronic codebook mode
   according to the requirements of section 5.1.  The resulting
   encrypted filling of N1 and N2 is the first 64-bit block of the
   running key, Gc(1); this block is added bitwise modulo 2 in the adder
   CM5 to the first 64-bit block of the plain text:

      Tp(1) = (t1(1), t2(1), ..., t63(1), t64(1)).

   The result of this addition is a 64-bit block of the encrypted data

      Tc(1) = (tau1(1), tau2(1), ..., tau63(1), tau64(1)).

   The value tau1(1) of the block Tc(1) is the result of addition
   modulo 2 in CM5 of the value t1(1) of the block Tp(1) to the value
   of the first bit of N1; the value tau2(1) of the block Tc(1) is the
   result of addition modulo 2 in CM5 of the value t2(1) of the block
   Tp(1) to the value of the second bit of N1, etc.; the value tau64(1)
   of the block Tc(1) is the result of addition modulo 2 in CM5 of the
   value t64(1) of the block Tp(1) to the value of the 32nd bit of N2.

   6.1.5. To get the next 64-bit block of the running key, Gc(2), the
   filling of N4 is added modulo 2^32-1 in the adder CM4 to the
   constant C1 from N6, and the filling of N3 is added modulo 2^32 in
   the adder CM3 to the constant C2 from N5.  The new filling of N3 is
   copied into N1, the new filling of N4 is copied into N2, while the
   fillings of N3 and N4 are kept.

   The filling of N1 and N2 is encrypted in the electronic codebook mode
   according to the requirements of section 5.1.  The resulting
   encrypted filling of N1 and N2 is the second 64-bit block of the
   running key, Gc(2); this block is added bitwise modulo 2 in the adder
   CM5 to the second 64-bit block of the plain text, Tp(2).  The
   remaining running key blocks Gc(3), Gc(4), ..., Gc(M) are generated
   and the plain text blocks Tp(3), Tp(4), ..., Tp(M) are encrypted
   similarly.  If the length of the last, M-th, block of the plain text
   is less than 64 bits, then only the corresponding number of bits of
   the last block of the running key is used and the remaining bits are
   discarded.

   6.1.6. The initialisation vector S and the blocks of encrypted data
   Tc(1), Tc(2), ..., Tc(M) are transmitted to the telecommunication
   channel or to the computer memory.

   6.1.7. The encryption equation is:

      Tc(i) = A(Y[i-1] [+] C2, Z[i-1] [+]' C1) (+) Tp(i)
            = Gc(i) (+) Tp(i),                          i = 1..M,

   where:

   Y[i] is the contents of the register N3 after encrypting the i-th
   block of the plain text Tp(i);

   Z[i] is the contents of the register N4 after encrypting the i-th
   block of the plain text Tp(i);

   (Y[0], Z[0]) = A(S).

6.2. Decryption of ciphertext in the counter encryption mode

   6.2.1. The 256 bits of the key that was used for encrypting the data
   Tp(1), Tp(2), ..., Tp(M) are put into the KDS.  The initialisation
   vector S is put into the registers N1 and N2 and, as in sections
   6.1.2 - 6.1.5, M blocks of the running key Gc(1), Gc(2), ..., Gc(M)
   are generated.  The encrypted data blocks Tc(1), Tc(2), ..., Tc(M)
   are added bitwise modulo 2 in the adder CM5 to the blocks of the
   running key, and this results in the blocks of plain text Tp(1),
   Tp(2), ..., Tp(M), where Tp(M) may contain fewer than 64 bits.
   6.2.2. The decryption equation is:

      Tp(i) = A(Y[i-1] [+] C2, Z[i-1] [+]' C1) (+) Tc(i)
            = Gc(i) (+) Tc(i),                          i = 1..M.

7. The cipher feedback mode

7.1. Encryption of plain text in the cipher feedback mode

   7.1.1. The plain text is divided into 64-bit blocks Tp(1), Tp(2),
   ..., Tp(M) and encrypted in the cipher feedback mode by bitwise
   addition modulo 2 in the adder CM5 with the running key Gc generated
   in 64-bit blocks, i.e. Gc = (Gc(1), Gc(2), ..., Gc(M)), where M is
   defined by the length of the plain text and Gc(i) is the i-th 64-bit
   block, i = 1..M.  The number of bits in the block Tp(M) may be less
   than 64.

   7.1.2. The 256 bits of the key are put into the KDS.  The 64-bit
   initialisation vector S = (S1, S2, ..., S64) is put into N1 and N2 as
   described in section 6.1.2.

   7.1.3. The initial filling of N1 and N2 is encrypted in the
   electronic codebook mode in accordance with the requirements of
   section 5.1.  The resulting encrypted filling of N1 and N2 is the
   first 64-bit block of the running key, Gc(1) = A(S); this block is
   added bitwise modulo 2 to the first 64-bit block of plain text
   Tp(1) = (t1(1), t2(1), ..., t64(1)).

   The result is the 64-bit block of encrypted data

      Tc(1) = (tau1(1), tau2(1), ..., tau64(1)).

   7.1.4. The block of encrypted data Tc(1) is at the same time the
   initial state of N1 and N2 for generating the second block of the
   running key, Gc(2), and is fed back into these registers.  Here the
   value of tau1(1) is written into the first bit of N1, the value of
   tau2(1) is written into the second bit of N1, etc., the value of
   tau32(1) is written into the 32nd bit of N1; the value of tau33(1) is
   written into the first bit of N2, the value of tau34(1) is written
   into the second bit of N2, etc., the value of tau64(1) is written
   into the 32nd bit of N2.

   The filling of N1, N2 is encrypted in the electronic codebook mode in
   accordance with the requirements of section 5.1.  The encrypted
   filling of N1, N2 makes the second 64-bit block of the running key,
   Gc(2); this block is added bitwise modulo 2 in the adder CM5 to the
   second block of the plain text, Tp(2).

   The generation of subsequent blocks of the running key Gc(i) and the
   encryption of the corresponding blocks of the plain text Tp(i)
   (i = 3..M) is performed similarly.  If the length of the last, M-th,
   block of the plain text is less than 64 bits, only the corresponding
   number of bits of the M-th block of the running key Gc(M) is used
   and the remaining bits are discarded.

   7.1.5. The encryption equations in the cipher feedback mode are:

      | Tc(1) = A(S) (+) Tp(1) = Gc(1) (+) Tp(1)
      |
      | Tc(i) = A(Tc(i-1)) (+) Tp(i) = Gc(i) (+) Tp(i),     i = 2..M.

   7.1.6. The initialisation vector S and the blocks of encrypted data
   Tc(1), Tc(2), ..., Tc(M) are transmitted to the telecommunication
   channel or to the computer memory.

7.2. Decryption of ciphertext in the cipher feedback mode

   7.2.1. The 256 bits of the key used for the encryption of Tp(1),
   Tp(2), ..., Tp(M) are put into the KDS.  The initialisation vector S
   is put into N1 and N2 as in section 6.1.2.

   7.2.2. The initial filling of N1, N2 (the initialisation vector S) is
   encrypted in the electronic codebook mode in accordance with section
   5.1.  The encrypted filling of N1, N2 is the first block of the
   running key, Gc(1) = A(S); this block is added bitwise modulo 2 in
   the adder CM5 to the encrypted data block Tc(1).  This results in the
   first block of plain text, Tp(1).

   7.2.3. The block of encrypted data Tc(1) makes the initial filling of
   N1, N2 for generating the second block of the running key, Gc(2).
   The block Tc(1) is written into N1 and N2 as described in section
   7.1.4; the resulting block Gc(2) is added bitwise modulo 2 in the
   adder CM5 to the second block of the encrypted data, Tc(2).  This
   results in the block of plain text Tp(2).

   Similarly, the blocks of encrypted data Tc(2), Tc(3), ..., Tc(M-1)
   are written into N1, N2 successively, and the blocks of the running
   key Gc(3), Gc(4), ..., Gc(M) are generated from them in the
   electronic codebook mode.  The blocks of the running key are added
   bitwise modulo 2 in the adder CM5 to the blocks of the encrypted
   data Tc(3), Tc(4), ..., Tc(M); this results in the blocks of plain
   text Tp(3), Tp(4), ..., Tp(M), where the number of bits in the last
   block of the plain text Tp(M) can be less than 64.

   7.2.4. The decryption equations in the cipher feedback mode are:

      | Tp(1) = A(S) (+) Tc(1) = Gc(1) (+) Tc(1)
      |
      | Tp(i) = A(Tc(i-1)) (+) Tc(i) = Gc(i) (+) Tc(i),     i = 2..M.

8. Message authentication code (MAC) generation mode

   8.1. To provide protection from falsification of a plain text
   consisting of M 64-bit blocks Tp(1), Tp(2), ..., Tp(M), M >= 2, an
   additional l-bit block is generated (the message authentication
   code I(l)).  The process of MAC generation is the same for all the
   encryption/decryption modes.

   8.2. The first block of plain text

      Tp(1) = (t1(1), t2(1), ..., t64(1)) = (a1(1)[0], a2(1)[0], ...,
              a32(1)[0], b1(1)[0], b2(1)[0], ..., b32(1)[0])

   is written into the registers N1 and N2: the value of t1(1) =
   a1(1)[0] is written into the first bit of N1, the value of t2(1) =
   a2(1)[0] is written into the second bit of N1, etc., the value of
   t32(1) = a32(1)[0] is written into the 32nd bit of N1; the value of
   t33(1) = b1(1)[0] is written into the first bit of N2, etc., the
   value of t64(1) = b32(1)[0] is written into the 32nd bit of N2.

   8.3. The filling of N1 and N2 is transformed in accordance with the
   first 16 rounds of the encryption algorithm in the electronic
   codebook mode (see section 5.1).  The KDS holds the same key that
   is used for encrypting the blocks of plain text Tp(1), Tp(2), ...,
   Tp(M) into the corresponding blocks of encrypted data Tc(1), Tc(2),
   ..., Tc(M).

   The filling of N1 and N2 after the 16 working rounds, which looks
   like (a1(1)[16], a2(1)[16], ..., a32(1)[16], b1(1)[16], b2(1)[16],
   ..., b32(1)[16]), is added in CM5 modulo 2 to the second block
   Tp(2) = (t1(2), t2(2), ..., t64(2)).

   The result of this addition,

      (a1(1)[16] (+) t1(2), a2(1)[16] (+) t2(2), ..., a32(1)[16] (+) t32(2),
       b1(1)[16] (+) t33(2), b2(1)[16] (+) t34(2), ..., b32(1)[16] (+) t64(2))

      = (a1(2)[0], a2(2)[0], ..., a32(2)[0], b1(2)[0], b2(2)[0], ...,
         b32(2)[0]),

   is written into N1 and N2 and is transformed in accordance with the
   first 16 rounds of the encryption algorithm in the electronic
   codebook mode.

   The resulting filling of N1 and N2 is added in CM5 modulo 2 to the
   third block Tp(3), etc.  The last block Tp(M) = (t1(M), t2(M), ...,
   t64(M)), padded if necessary with zeros to a complete 64-bit block,
   is added in CM5 modulo 2 to the filling of N1, N2
   (a1(M-1)[16], a2(M-1)[16], ..., a32(M-1)[16], b1(M-1)[16],
   b2(M-1)[16], ..., b32(M-1)[16]).

   The result of the addition,

      (a1(M-1)[16] (+) t1(M), a2(M-1)[16] (+) t2(M), ...,
       a32(M-1)[16] (+) t32(M), b1(M-1)[16] (+) t33(M),
       b2(M-1)[16] (+) t34(M), ..., b32(M-1)[16] (+) t64(M))

      = (a1(M)[0], a2(M)[0], ..., a32(M)[0], b1(M)[0], b2(M)[0], ...,
         b32(M)[0]),

   is written into N1, N2 and transformed by the first 16 rounds of the
   encryption algorithm in the electronic codebook mode.
   Out of the resulting filling of the registers N1 and N2,

      (a1(M)[16], a2(M)[16], ..., a32(M)[16], b1(M)[16], b2(M)[16], ...,
       b32(M)[16]),

   an l-bit string I(l) (the MAC) is chosen:

      I(l) = [a(32-l+1)(M)[16], a(32-l+2)(M)[16], ..., a32(M)[16]].

   The MAC I(l) is transmitted through the telecommunication channel or
   to the computer memory attached to the end of the encrypted data,
   i.e. Tc(1), Tc(2), ..., Tc(M), I(l).

   8.4. The encrypted data Tc(1), Tc(2), ..., Tc(M), when they arrive,
   are decrypted; out of the resulting plain text blocks Tp(1), Tp(2),
   ..., Tp(M) the MAC I'(l) is generated as described in section 8.3
   and compared with the MAC I(l) received together with the encrypted
   data from the telecommunication channel or from the computer memory.
   If the MACs are not equal, the resulting plain text blocks Tp(1),
   Tp(2), ..., Tp(M) are considered false.

   The MAC I(l) (I'(l)) can be generated either before the encryption
   (after the decryption, respectively) of the whole message, or
   simultaneously with the encryption (decryption), block by block.
   The first plain text blocks used in the MAC generation can contain
   service information (the address section, a time mark, the
   initialisation vector, etc.) and they may be left unencrypted.

   The value of the parameter l (the bit length of the MAC) is defined
   by the actual cryptographic requirements, taking into account that
   the probability of imposing false data is 2^-l.

9. Security considerations

   This entire document is about security considerations.

10. IANA Considerations

   This document has no actions for IANA.

11. Normative references

   [GOST28147]  "Cryptographic Protection for Data Processing System",
                GOST 28147-89, Gosudarstvennyi Standard of USSR,
                Government Committee of the USSR for Standards, 1989.
                (In Russian)

   [RFC4357]    Popov, V., Kurepkin, I., and S. Leontiev, "Additional
                Cryptographic Algorithms for Use with GOST 28147-89,
                GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
                Algorithms", RFC 4357.

Appendix 1. Values of the constants C1, C2

   The constant C1 (register N6) is:

      Bit of N6:  32 31 30 29 28 27 26 25 24 23 22 21 20 19 18
      Bit value:   0  0  0  0  0  0  0  1  0  0  0  0  0  0  0

      Bit of N6:  17 16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1
      Bit value:   1  0  0  0  0  0  0  0  1  0  0  0  0  0  1  0  0

   The constant C2 (register N5) is:

      Bit of N5:  32 31 30 29 28 27 26 25 24 23 22 21 20 19 18
      Bit value:   0  0  0  0  0  0  0  1  0  0  0  0  0  0  0

      Bit of N5:  17 16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1
      Bit value:   1  0  0  0  0  0  0  0  1  0  0  0  0  0  0  0  1

   Read with bit 32 as the most significant bit, these tables give
   C1 = 0x01010104 and C2 = 0x01010101.

Authors' Addresses

   Vasily Dolmatov, Ed.
   Cryptocom Ltd.
   Kedrova st., 14, bld.2
   Moscow, 117218, Russian Federation

   EMail: dol@cryptocom.ru

   Dmitry Kabelev
   Cryptocom Ltd.
   Kedrova st., 14, bld.2
   Moscow, 117218, Russian Federation

   EMail: kdb@cryptocom.ru

   Igor Ustinov
   Cryptocom Ltd.
   Kedrova st., 14, bld.2
   Moscow, 117218, Russian Federation

   EMail: igus@cryptocom.ru

   Irene Emelianova
   Cryptocom Ltd.
   Kedrova st., 14, bld.2
   Moscow, 117218, Russian Federation

   EMail: irene@cryptocom.ru
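Editor's worked example.  The code below is not part of the draft, of
Cryptocom's software or of the GOST standard; it is an unoptimised model,
added here, of the ECB transformation A (section 5), the counter mode
(section 6), the cipher feedback mode (section 7) and the MAC (section 8),
using the constants C1 and C2 of Appendix 1.  Two things the draft leaves
open are assumptions in this example: the S-box (the standard defines none,
see 4.2; the table below is written from memory of the test parameter set
of [RFC4357], so check it against the parameter set your peer uses before
relying on it for interoperability, although any eight 4-bit permutations
are enough for the round trips shown), and the byte order (N1, N2 and
X0..X7 are taken as little-endian 32-bit words, so "bit 1" of a block is the
least significant bit of its first byte).  All function names are the
editor's.

```python
# Editor's example, not the draft's code.  Assumptions (not fixed by the
# draft): the S-box (written from memory of the RFC 4357 test parameter set;
# any eight 4-bit permutations give correct round trips) and byte order (N1,
# N2, X0..X7 are little-endian words: "bit 1" of a block is the LSB of byte 0).

MASK32 = 0xFFFFFFFF
C1 = 0x01010104  # Appendix 1, register N6, used by the mod 2^32-1 adder CM4
C2 = 0x01010101  # Appendix 1, register N5, used by the mod 2^32 adder CM3
SBOX = [  # K1..K8; K1 acts on the least significant nibble of the CM1 output
    [4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3],
    [14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9],
    [5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11],
    [7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3],
    [6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2],
    [4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14],
    [13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12],
    [1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 12],
]
ENC_ORDER = list(range(8)) * 3 + list(range(7, -1, -1))  # 5.1.3
DEC_ORDER = list(range(8)) + list(range(7, -1, -1)) * 3  # 5.2.2

def key_schedule(key):
    """4.4 / 5.1.2: the 256-bit key fills X0..X7; W1 is the LSB of X0."""
    if len(key) != 32:
        raise ValueError("GOST 28147-89 key must be 256 bits")
    return [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]

def k_then_r(x, sbox):
    """4.2 and 5.1.3: substitution box K, then R = rotate left by 11 bits."""
    y = 0
    for i in range(8):
        y |= sbox[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32

def rounds(n1, n2, xs, order, sbox=SBOX, last_swap=False):
    """5.1.3 Feistel rounds (CM1 -> K -> R -> CM2).  Round 32 of ECB writes CM2
    to N2 and leaves N1 (no swap); the 16-round MAC step of 8.3 does swap."""
    for r, k in enumerate(order):
        t = n2 ^ k_then_r((n1 + xs[k]) & MASK32, sbox)
        if r == len(order) - 1 and not last_swap:
            n2 = t
        else:
            n1, n2 = t, n1
    return n1, n2

def ecb_block(xs, block, decrypt=False, sbox=SBOX):
    """A(Tp) of 5.3 on one 64-bit block, or its inverse (5.2)."""
    if len(block) != 8:
        raise ValueError("A() takes exactly one 64-bit block")
    n1 = int.from_bytes(block[:4], "little")
    n2 = int.from_bytes(block[4:8], "little")
    n1, n2 = rounds(n1, n2, xs, DEC_ORDER if decrypt else ENC_ORDER, sbox)
    return n1.to_bytes(4, "little") + n2.to_bytes(4, "little")

def add_mod_2_32_minus_1(a, b):
    """[+]' of 3.2 (adder CM4): end-around carry, so 0xFFFFFFFF can occur."""
    s = a + b
    return s if s <= MASK32 else s - MASK32

def counter_crypt(key, iv, data, sbox=SBOX):
    """6.1 / 6.2: Gc(i) = A(Y[i-1] [+] C2, Z[i-1] [+]' C1), (Y[0], Z[0]) = A(S).
    Encryption and decryption are the same XOR; zip() drops the unused tail."""
    xs = key_schedule(key)
    ys = ecb_block(xs, iv, sbox=sbox)
    y, z = int.from_bytes(ys[:4], "little"), int.from_bytes(ys[4:], "little")
    out = bytearray()
    for i in range(0, len(data), 8):
        y, z = (y + C2) & MASK32, add_mod_2_32_minus_1(z, C1)
        gc = ecb_block(xs, y.to_bytes(4, "little") + z.to_bytes(4, "little"), sbox=sbox)
        out += bytes(d ^ g for d, g in zip(data[i:i + 8], gc))
    return bytes(out)

def cfb_crypt(key, iv, data, decrypt=False, sbox=SBOX):
    """7.1 / 7.2: Gc(1) = A(S), Gc(i) = A(Tc(i-1)).  The ciphertext block feeds
    back: the encryptor feeds its output, the decryptor its input."""
    xs = key_schedule(key)
    out, feedback = bytearray(), iv
    for i in range(0, len(data), 8):
        chunk = data[i:i + 8]
        res = bytes(d ^ g for d, g in zip(chunk, ecb_block(xs, feedback, sbox=sbox)))
        out += res
        feedback = chunk if decrypt else res
    return bytes(out)

def mac(key, data, l=32, sbox=SBOX):
    """Section 8: 16-round chaining over zero-padded blocks (8.1 needs M >= 2).
    I(l) = the l high-order bits a(32-l+1)..a32 of N1, as little-endian bytes."""
    if l % 8 or not 8 <= l <= 32:
        raise ValueError("this example supports l = 8, 16, 24 or 32")
    padded = data + b"\x00" * (-len(data) % 8)
    if len(padded) < 16:
        raise ValueError("8.1 requires at least two 64-bit blocks")
    xs, n1, n2 = key_schedule(key), 0, 0
    for i in range(0, len(padded), 8):
        n1 ^= int.from_bytes(padded[i:i + 4], "little")     # CM5: XOR block into
        n2 ^= int.from_bytes(padded[i + 4:i + 8], "little")  # the current filling
        n1, n2 = rounds(n1, n2, xs, ENC_ORDER[:16], sbox, last_swap=True)
    return (n1 >> (32 - l)).to_bytes(l // 8, "little")
```

Three points worth checking against this model.  First, the running key
of the counter mode depends only on the key and on S (6.1.7), and S is
sent in the clear (6.1.6): reusing the same S under the same key produces
the same Gc, so the XOR of two ciphertexts equals the XOR of the two plain
texts; S must therefore never repeat for a given key.  Second, the [+]'
adder keeps 0xFFFFFFFF as a possible value (it is not reduced to zero), so
a plain "add and mask" is not the same operation.  Third, when comparing
I'(l)  with the received I(l) in 8.4, use a constant-time comparison such
as hmac.compare_digest rather than ==, so that the comparison itself does
not leak how many leading bytes matched.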