idnits 2.17.1 draft-dolmatov-cryptocom-gost341194-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.ii or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) -- The document has an IETF Trust Provisions (28 Dec 2009) Section 6.c(i) Publication Limitation clause. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 21, 2009) is 5240 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Looks like a reference, but probably isn't: '256' on line 213 -- Looks like a reference, but probably isn't: '255' on line 213 -- Looks like a reference, but probably isn't: '1' on line 673 -- Looks like a reference, but probably isn't: '4' on line 681 -- Looks like a reference, but probably isn't: '3' on line 679 -- Looks like a reference, but probably isn't: '2' on line 676 -- Looks like a reference, but probably isn't: '16' on line 307 -- Looks like a reference, but probably isn't: '32' on line 218 -- Looks like a reference, but probably isn't: '31' on line 218 -- Looks like a reference, but probably isn't: '15' on line 302 -- Looks like a reference, but probably isn't: '13' on line 306 -- Looks like a reference, but probably isn't: '8' on line 396 == Unused Reference: 'GOST3411' is defined on line 717, but no explicit reference was found in the text Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 14 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 1 Internet-Draft V. Dolmatov, Ed. 2 Intended status: Informational Cryptocom Ltd. 3 Expires: June 21, 2010 December 21, 2009 5 GOST R 34.11-94 6 Hash function algorithm 7 draft-dolmatov-cryptocom-gost341194-07 9 Status of This Memo 11 This Internet-Draft is submitted to IETF in full conformance with the 12 provisions of BCP 78 and BCP 79. 14 Internet-Drafts are working documents of the Internet Engineering 15 Task Force (IETF), its areas, and its working groups. Note that 16 other groups may also distribute working documents as Internet- 17 Drafts. 19 Internet-Drafts are draft documents valid for a maximum of six months 20 and may be updated, replaced, or obsoleted by other documents at any 21 time. It is inappropriate to use Internet-Drafts as reference 22 material or to cite them other than as "work in progress." 24 The list of current Internet-Drafts can be accessed at 25 http://www.ietf.org/ietf/1id-abstracts.txt. 27 The list of Internet-Draft Shadow Directories can be accessed at 28 http://www.ietf.org/shadow.html. 30 This Internet-Draft will expire on June 21, 2010. 32 Copyright Notice 34 Copyright (c) 2009 IETF Trust and the persons identified as the 35 document authors. All rights reserved. 37 This document is subject to BCP 78 and the IETF Trust's Legal 38 Provisions Relating to IETF Documents in effect on the date of 39 publication of this document (http://trustee.ietf.org/license-info). 40 Please review these documents carefully, as they describe your rights 41 and restrictions with respect to this document. 43 This document may not be modified, and derivative works of it may 44 not be created, except to format it for publication as an RFC or to 45 translate it into languages other than English. 47 Abstract 49 This document is intended to be a source of information about the 50 Russian Federal standard hash function (GOST R 34.11-94), which 51 is one of the Russian cryptographic standard algorithms (called GOST 52 algorithms). Recently, Russian cryptography is being used in Internet 53 applications, and this document has been created as information for 54 developers and users of GOST R 34.11-94 for hash computation. 56 Table of Contents 58 1. Introduction.....................................................2 59 1.1. General information.........................................2 60 1.2. The purpose of GOST R 34.11-94..............................2 61 2. Applicability....................................................3 62 3. Conventions Used in This Document................................4 63 4. General statements...............................................4 64 5. Step-by-step hash function.......................................4 65 5.1. Key generation..............................................4 66 5.2. Encryption transformation...................................6 67 5.3. Mixing transformation.......................................6 68 6. The calculation procedure for a hash function....................6 69 7. Examples (Appendix to GOST R 34.11-94)...........................8 70 7.1. Usage of the algorithm GOST 28147...........................8 71 7.2. Representation of vectors...................................9 72 7.3. Examples of the hash value calculation......................9 73 7.3.1. Hash calculation for the sample message M.................9 74 7.3.2. Hash calculation for the sample message M................11 75 8. Security considerations.........................................14 76 9. IANA Considerations.............................................14 77 10. Normative references...........................................14 79 1 Introduction 81 1.1. General information 83 1. GOST R 34.11-94 was developed by the Federal Agency for Government 84 Communication and Information and by the All-Russia Scientific and 85 Research Institute of Standardization. 87 2. GOST R 34.11-94 was accepted and activated by the Act 154 of 88 23.05.1994 issued by the Russian federal committee for standards. 90 1.2 The purpose of GOST R 34.11-94 92 Expanding application of information technologies when creating, 93 processing and storing documents requires in some cases 94 confidentiality of their contents, maintenance of completeness and 95 authenticity. 97 Cryptography (cryptographic security) is one of the effective 98 approaches for data security. It is widely applied in different areas 99 of government and commercial activity. 101 Cryptographic data security methods are under serious scientific 102 research and standardization efforts at national, regional and 103 international levels. 105 GOST R 34.11-94 defines a hash function calculation procedure for an 106 arbitrary sequence of binary symbols. 108 The hash function maps an arbitrary set of data represented as a 109 sequence of binary symbols onto its image of a fixed small length. 111 Thus hash function can be used in procedures related to the 112 electronic digital signature, resulting in considerable reduction of 113 elapsed time for sign and verify stages. The effect of reduction of 114 time is due to the fact that only a short image of initial data is 115 actually signed. 117 2. Applicability 119 GOST R 34.11-94 defines algorithm and procedure for calculation of 120 a hash function for an arbitrary sequence of binary symbols. These 121 algorithm and procedure should be applied in cryptographic methods of 122 data processing and securing, including digital signature procedures 123 employed for data transfer and data storage in computer-aided 124 systems. 126 The hash function, defined in GOST R 34.11-94, is used for digital 127 signature systems based on the asymmetric cryptographic algorithm 128 according to GOST R 34.10-2001 (see section 3). 130 3. Conventions Used in This Document 132 The following notations are used in GOST R 34.11-94: 134 V_all is a set of all finite words in alphabet V = {0,1}. The words 135 reading and alphabet symbols numbering are performed right to left 136 (rightmost symbol of the word has number one, second right symbol 137 has number two etc.). 139 Vk is a set of all words in alphabet V = {0,1} of length k bits 140 (k=16,64,256). 142 |A| is a length of a word A belonging to V_all. 144 A||B is concatenation of words A, B belonging to V_all. It is a word 145 of length |A| + |B|, where the left |A| symbols come from the work A, 146 and the right |B| symbols come from the word B. One can also use a 147 notation A||B = A * B. 149 A^k is a concatenation of k copies of the word A (A belongs to 150 V_all). 152 _k is a word of length k, containing a binary representation of 153 N(mod 2^k) residue, with a non-negative integer N. 155 A^$ is a non-negative integer with A as its binary representation. 157 (xor) is the bitwise modulo 2 addition of the words of the same 158 length. 160 (+)' is the addition according to the rule A (+)' B = _k, 161 where k = |A| = |B|. 163 M is a binary sequence to be hashed, M belongs to V_all. M is 164 a message in digital signature systems. 166 h is a hash-function which maps the sequence M belonging to V_all 167 onto the word h(M) belonging to V_256. 169 E(k,A) is a result of encryption of the word A using key K with the 170 encryption algorithm according to [GOST28147] in the electronic 171 codebook (ECB) mode (K belongs to V256, A belongs to V64). 173 h0 is an initial hash value. 175 e := g is assignment of the value g to the parameter e. 177 ^ is the power operator. 179 i = 1..8 is i being all values in interval from 1 to 8. 181 hUZ is the S-boxes described in [GOST28147]. 183 4. General statements 185 A hash-function h is the mapping h : V_all -> V256, depending 186 on the parameter (which is the initial hash value H, H is a word 187 from V256). To define the hash-function it is necessary to have: 189 - A calculation algorithm for the step-by-step hash function 191 chi : V256 x V256 -> V256. 193 - A description of an iterative procedure for calculating the hash 194 value h. 196 A hash function h depends on two parameters h0 and hUZ. 198 5. Step-by-step hash function 200 A calculation algorithm for the step-by-step hash function contains 201 three parts, which successively do: 203 - keys generation, here keys are 256 bit long words; 205 - an encryption transformation, that is encryption of 64-bit 206 subwords of word H using keys K[i], (i = 1, 2, 3, 4) with the 207 algorithm according to [GOST28147] in ECB mode; 209 - a mixing transformation for the result of the encryption. 211 5.1 Key generation 213 Consider X = (b[256], b[255], ..., b[1]) belonging to V256. 215 Let 216 X = x[4]||x[3]||x[2]||x[1] = eta[16]||[eta15]||...||eta[1] 218 = xi[32]||xi[31]||...||xi[1], where 220 x[i] = (b[i*64],...,b[(i-1)*64+1]) belonging to V64, i = 1..4, 222 eta[j] = (b[j*16],...,b[(j-1)*16+1]) belonging to V16, j = 1..16, 224 xi[k] = (b[k*8],..., b[(k-1)*8+1]) belonging to V8, k = 1..32; 226 Yet another notation: A(X) = (x[1](xor)x[2])||x[4]||x[3]||x[2]. 228 The transformation P : V256 -> V256 maps the word xi32||...||xi1 229 onto the word xi[phi(32)] || ... || xi[phi(1)], 231 where phi(i + 1 + 4 ( k - 1) ) = 8i + k , i = 0..3, k = 1..8. 233 For the key generation one should use the following initial data: 235 - words H, M belonging to V256 , 237 - parameters: words C[i] (i = 2, 3, 4) , with values: 239 C[2] = C[4] = 0^256; 241 C[3] = 1^8||0^8||1^16||0^24||1^16||0^8||(0^8||1^8)^2||1^8||0^8 242 ||(0^8||1^8)^4||(1^8||0^8 )^4. 244 The following algorithm is used for the key calculation: 246 1. Assign values: 248 i := 1, U := H , V := M . 250 2. Calculate: 252 W = U (xor) V , K[i] = P(W). 254 3. Assign 255 i := i + 1. 257 4. Verify condition 258 i = 5. 260 If it is true, go to step 7. If not, go to step 5. 262 5. Calculate: 264 U := A(U)(xor)C[i], V := A(A(V)), 265 W := U(xor)V, K[i] = P(W). 267 6. Go to step 3. 269 7. End. 271 5.2. Encryption transformation 273 At this stage 64-bit subwords of the word H are encrypted using 274 keys K[i] (i = 1, 2, 3, 4). 276 For the encryption transformation one should use the following 277 initial data: 279 H = h[4]||h[3]||h[2]||h[1], 281 where h[i] belong to V64, i = 1,2,3,4 , and a key set is K[1], K[2], 282 K[3], K[4]. 284 The encryption algorithm is applied and the following words are 285 obtained 287 s[i] = E(K[i],h[i]), where: i = 1,2,3,4 289 As a result of the stage the following sequence is formed 291 S = s[4]||s[3]||s[2]||s[1]. 293 5.3. Mixing transformation 295 At this stage the obtained sequence is mixed using a shift register. 297 The initial data include words H, M belonging to V256 and a 298 word S belonging to V256 . 300 Let a mapping PSI(X) : V256(2) -> V256(2) transform the word 302 eta[16]||eta[15]||...||eta[1], eta[i] belongs to V16, i = 1..16 304 into the word 306 eta[1](xor)eta[2](xor)eta[3](xor)eta[4](xor)eta[13](xor)eta[16] 307 ||eta[16]||...||eta[2]. 309 Then the value of the step-by-step hash function value is the word: 311 chi(M, H) = PSI^61(H(xor)PSI(M(xor)PSI^12(S))) , where PSI^i(X) is 312 the transformation PSI applied i times to X. 314 6. The calculation procedure for a hash function 316 The calculation procedure for a hash function h is assumed to be 317 applied to a sequence M belonging to V_all. Its parameter is an 318 initial hash value h0 which is an arbitrarily fixed word from V256. 320 The calculation procedure for the function h uses the following 321 quantities at each step of iteration: 323 _M_ belonging to V_all - a part of the sequence M, which was not 324 hashed at previous iterations; 325 H belonging to V256 - the current hash value; 327 SIGMA belonging to V256 - the current check sum value; 329 L belonging to V256 - the length of the partial sequence M 330 processed at the previous iteration step. 332 The calculation algorithm for function h consists of the following 333 steps: 335 Step 1. Assign initial values to current quantities 337 1.1 _M_ := M. 339 1.2 H := h0. 341 1.3 SIGMA := 0^256. 343 1.4 L := 0^256. 345 1.5 Go to step 2. 347 Step 2. 349 2.1 Verify the condition |_M_|>256. 351 If it is true go to step 3. 353 Else make the following calculations: 355 2.2 L := _256 357 2.3 M' := 0^(256 -|M|)||M 359 2.4 SIGMA := SIGMA (+)' M' 361 2.5 H := chi (M', H) 363 2.6 H := chi (L, H) 365 2.7 H := chi (SIGMA, H) 367 2.8 End. 369 Step 3. 371 3.1 Calculate a subword M_s belonging to V256 of the word _M_ 372 (_M_ = M_p||M_s). Then make the following calculations: 374 3.2 H := chi (M_s, H) 376 3.3 L := _256 377 3.4 SIGMA := SIGMA (+)' M[s] 379 3.5 _M_ = M_p 381 3.6 Go to step 2. 383 The quantity H obtained at step 2.7 is the value of the hash function 384 h(M). 386 7. Test examples (Informative) 388 It is recommended to use the values for substitution units pi[1], 389 pi[2],..., pi[8] and the initial hash value H described in this 390 appendix for the GOST R 34.11-94 test examples only. 392 7.1 Usage of the algorithm GOST 28147-89 394 The algorithm GOST 28147-89 [GOST28147] in ECB mode is used as an 395 encryption transformation in the following examples. The following 396 values of the substitution units pi[1], pi[2],..., pi[8] have been 397 chosen: 399 8 7 6 5 4 3 2 1 401 0 1 D 4 6 7 5 E 4 403 1 F B B C D 8 B A 405 2 D 4 A 7 A 1 4 9 407 3 0 1 0 1 1 D C 2 409 4 5 3 7 5 0 A 6 D 411 5 7 F 2 F 8 3 D 8 413 6 A 5 1 D 9 4 F 0 415 7 4 9 D 8 F 2 A E 417 8 9 0 3 4 E E 2 6 419 9 2 A 6 A 4 F 3 B 421 10 3 E 8 9 6 C 8 1 423 11 E 7 5 E C 7 1 C 425 12 6 6 9 0 B 6 0 7 427 13 B 8 C 3 2 0 7 F 429 14 8 2 F B 5 9 5 5 431 15 C C E 2 3 B 9 3 432 The hexadecimal value of pi[j](i) is given in a column number j, 434 j = 1..8, and in a row number i, i = 0..15 . 436 7.2 Representation of vectors 438 We will put down binary symbol sequences as hexadecimal digits 439 strings, where each digit corresponds to four signs of its binary 440 representation. 442 7.3 Examples of the hash value calculation 444 A zero vector, for example, can be taken as an initial hash value: 446 h0 = 00000000 00000000 00000000 00000000 447 00000000 00000000 00000000 00000000 449 7.3.1 Hash calculation for the sample message M 451 M = 73657479 62203233 3D687467 6E656C20 452 2C656761 7373656D 20736920 73696854 454 Initial values are assigned for text: 456 _M_ = 73657479 62203233 3D687467 6E656C20 457 2C656761 7373656D 20736920 73696854 459 for hash-function: 461 H = 00000000 00000000 00000000 00000000 462 00000000 00000000 00000000 00000000 464 for the sum of text blocks: 466 SIGMA = 00000000 00000000 00000000 00000000 467 00000000 00000000 00000000 00000000 469 for the length of the text: 471 L = 00000000 00000000 00000000 00000000 472 00000000 00000000 00000000 00000000 474 As a length of the message to be hashed equals 256 bits (32 bytes), 475 then 477 L = 00000000 00000000 00000000 00000000 478 00000000 00000000 00000000 00000100 480 M' = _M_ = 73657479 62203233 3D687467 6E656C20 481 2C656761 7373656D 20736920 73696854 483 and there is no need to pad the current block with zeroes, 484 SIGMA=M' = 73657479 62203233 3D687467 6E656C20 485 2C656761 7373656D 20736920 73696854 487 The step-by-step hash function chi(M, N) values are calculated. 489 The keys are generated: 491 K[1] = 733D2C20 65686573 74746769 326C6568 492 626E7373 20657369 79676120 33206D54 494 K[2] = 110C733D 0D166568 130E7474 06417967 495 1D00626E 161A2065 090D326C 4D393320 497 K[3] = 80B111F3 730DF216 850013F1 C7E1F941 498 620C1DFF 3ABAE91A 3FA109F2 F513B239 500 K[4] = A0E2804E FF1B73F2 ECE27A00 E7B8C7E1 501 EE1D620C AC0CC5BA A804C05E A18B0AEC 503 The 64-bit subwords of block H are encrypted by the algorithm 504 according to GOST 28147. 506 Block h[1] = 00000000 00000000 is encrypted using key K[1] and 507 s[1] = 42ABBCCE 32BC0B1B is obtained. 509 Block h[2] = 00000000 00000000 is encrypted using key K[2] and 510 s[2] = 5203EBC8 5D9BCFFD is obtained. 512 Block h[3] = 00000000 00000000 is encrypted using key K[3] and 513 s[3] = 8D345899 00FF0E28 is obtained. 515 Block h[4] = 00000000 00000000 is encrypted using key K[4] and 516 s[4] = E7860419 0D2A562D is obtained. 518 So S = E7860419 0D2A562D 8D345899 00FF0E28 519 5203EBC8 5D9BCFFD 42ABBCCE 32BC0B1B 521 is obtained. 523 The mixing transformation using a shift register is performed and 525 KSI = chi(M, H) = CF9A8C65 505967A4 68A03B8C 42DE7624 526 D99C4124 883DA687 561C7DE3 3315C034 528 is obtained. 530 Assign H = KSI and calculate chi(L, H) : 532 K[1] = CF68D956 9AA09C1C 8C3B417D 658C24E3 533 50428833 59DE3D15 6776A6C1 A4248734 535 K[2] = 8FCF68D9 809AA09C 3C8C3B41 C7658C24 536 BB504288 2859DE3D 666676A6 B3A42487 537 K[3] = 4E70CF97 3C8065A0 853C8CC4 57389A8C 538 CABB50BD E3D7A6DE D1996788 5CB35B24 540 K[4] = 584E70CF C53C8065 48853C8C 1657389A 541 EDCABB50 78E3D7A6 EED19867 7F5CB35B 543 S = 66B70F5E F163F461 468A9528 61D60593 544 E5EC8A37 3FD42279 3CD1602D DD783E86 546 KSI = 2B6EC233 C7BC89E4 2ABC2692 5FEA7285 547 DD3848D1 C6AC997A 24F74E2B 09A3AEF7 549 Now assign H = KSI again and calculate chi( SIGMA, H): 551 K[1] = 5817F104 0BD45D84 B6522F27 4AF5B00B 552 A531B57A 9C8FDFCA BB1EFCC6 D7A517A3 554 K[2] = E82759E0 C278D950 15CC523C FC72EBB6 555 D2C73DA8 19A6CAC9 3E8440F5 C0DDB65A 557 K[3] = 77483AD9 F7C29CAA EB06D1D7 841BCAD3 558 FBC3DAA0 7CB555F0 D4968080 0A9E56BC 560 K[4] = A1157965 2D9FBC9C 088C7CC2 46FB3DD2 561 7684ADCB FA4ACA06 53EFF7D7 C0748708 563 S = 2AEBFA76 A85FB57D 6F164DE9 2951A581 564 C31E7435 4930FD05 1F8A4942 550A582D 566 KSI = FAFF37A6 15A81669 1CFF3EF8 B68CA247 567 E09525F3 9F811983 2EB81975 D366C4B1 569 Then the hash result is 571 H = FAFF37A6 15A81669 1CFF3EF8 B68CA247 572 E09525F3 9F811983 2EB81975 D366C4B1 574 7.3.2 Hash calculation for the sample message M 576 Let M = 7365 74796220 3035203D 20687467 6E656C20 577 73616820 65676173 73656D20 6C616E69 578 6769726F 20656874 2065736F 70707553 580 As the length of the message to be hashed equals 400 bits 581 (50 bytes), the message is divided into two blocks, and the second 582 (high-order) one is padded with zeroes. During the calculations the 583 following numbers are obtained: 585 STEP 1. 587 H = 00000000 00000000 00000000 00000000 588 00000000 00000000 00000000 00000000 590 M_s = 73616820 65676173 73656D20 6C616E69 591 6769726F 20656874 2065736F 70707553 593 K[1] = 73736720 61656965 686D7273 20206F6F 594 656C2070 67616570 616E6875 73697453 596 K[2] = 14477373 0C0C6165 1F01686D 4F002020 597 4C50656C 04156761 061D616E 1D277369 599 K[3] = CBFF14B8 6D04F30C 96051FFE DFFFB000 600 35094CAF 72F9FB15 7CF006E2 AB1AE227 602 K[4] = EBACCB00 F7006DFB E5E16905 B0B0DFFF 603 BA1C3509 FD118DF9 F61B830F F8C554E5 605 S = FF41797C EEAADAC2 43C9B1DF 2E14681C 606 EDDC2210 1EE1ADF9 FA67E757 DAFE3AD9 608 KSI = F0CEEA4E 368B5A60 C63D96C1 E5B51CD2 609 A93BEFBD 2634F0AD CBBB69CE ED2D5D9A 611 STEP 2. 613 H = F0CEEA4E 368B5A60 C63D96C1 E5B51CD2 614 A93BEFBD 2634F0AD CBBB69CE ED2D5D9A 616 M' = 00000000 00000000 00000000 00007365 617 74796220 3035203D 20687467 6E656C20 619 K[1] = F0C6DDEB CE3D42D3 EA968D1D 4EC19DA9 620 36E51683 8BB50148 5A6FD031 60B790BA 622 K[2] = 16A4C6A9 F9DF3D3B E4FC96EF 5309C1BD 623 FB68E526 2CDBB534 FE161C83 6F7DD2C8 625 K[3] = C49D846D 1780482C 9086887F C48C9186 626 9DCB0644 D1E641E5 A02109AF 9D52C7CF 627 K[4] = BDB0C9F0 756E9131 E1F290EA 50E4CBB1 628 1CAD9536 F4E4B674 99F31E29 70C52AFA 630 S = 62A07EA5 EF3C3309 2CE1B076 173D48CC 631 6881EB66 F5C7959F 63FCA1F1 D33C31B8 633 KSI = 95BEA0BE 88D5AA02 FE3C9D45 436CE821 634 B8287CB6 2CBC135B 3E339EFE F6576CA9 636 STEP 3. 638 H = 95BEA0BE 88D5AA02 FE3C9D45 436CE821 639 B8287CB6 2CBC135B 3E339EFE F6576CA9 641 L = 00000000 00000000 00000000 00000000 642 00000000 00000000 00000000 00000190 644 K[1] = 95FEB83E BE3C2833 A09D7C9E BE45B6FE 645 88432CF6 D56CBC57 AAE8136D 02215B39 647 K[2] = 8695FEB8 1BBE3C28 E2A09D7C 48BE45B6 648 DA88432C EBD56CBC 7FABE813 F292215B 650 K[2] = 8695FEB8 1BBE3C28 E2A09D7C 48BE45B6 651 DA88432C EBD56CBC 7FABE813 F292215B 653 K[3] = B9799501 141B413C 1EE2A062 0CB74145 654 6FDA88BC D0142A6C FA80AA16 15F2FDB1 656 K[4] = 94B97995 7D141B41 C21EE2A0 040CB741 657 346FDA88 46D0142A BDFA81AA DC1562FD 659 S = D42336E0 2A0A6998 6C65478A 3D08A1B9 660 9FDDFF20 4808E863 94FD9D6D F776A7AD 662 KSI = 47E26AFD 3E7278A1 7D473785 06140773 663 A3D97E7E A744CB43 08AA4C24 3352C745 665 STEP 4. 667 H = 47E26AFD 3E7278A1 7D473785 06140773 668 A3D97E7E A744CB43 08AA4C24 3352C745 670 SIGMA = 73616820 65676173 73656D20 6C61E1CE 671 DBE2D48F 509A88B1 40CDE7D6 DED5E173 673 K[1] = 340E7848 83223B67 025AAAAB DDA5F1F2 674 5B6AF7ED 1575DE87 19E64326 D2BDF236 676 K[2] = 03DC0ED0 F4CD26BC 8B595F13 F5A4A55E 677 A8B063CB ED3D7325 6511662A 7963008D 679 K[3] = C954EF19 D0779A68 ED37D3FB 7DA5ADDC 680 4A9D0277 78EF765B C4731191 7EBB21B1 681 K[4] = 6D12BC47 D9363D19 1E3C696F 28F2DC02 682 F2137F37 64E4C18B 69CCFBF8 EF72B7E3 684 S = 790DD7A1 066544EA 2829563C 3C39D781 685 25EF9645 EE2C05DD A5ECAD92 2511A4D1 687 KSI = 0852F562 3B89DD57 AEB4781F E54DF14E 688 EAFBC135 0613763A 0D770AA6 57BA1A47 690 Then the hash result is 692 H = 0852F562 3B89DD57 AEB4781F E54DF14E 693 EAFBC135 0613763A 0D770AA6 57BA1A47 695 8. Security considerations 697 This entire document is about security considerations. 699 Current cryptographic resistance of GOST R 34.11-94 hash algorithm is 700 estimated as 2**128 operations of computations of step hash function. 701 (There is known method to reduce this estimate to 2**105 operations, 702 but it demands padding the colliding message with 1024 random bit 703 blocks each of 256 bit length, thus it cannot be used in any 704 practical implementation). 706 9. IANA Considerations 708 This document has no actions for IANA. 710 10. Normative references 712 [GOST28147] "Cryptographic Protection for Data Processing System", 713 GOST 28147-89, Gosudarstvennyi Standard of USSR, 714 Government Committee of the USSR for Standards, 1989. 715 (In Russian) 717 [GOST3411] "Information technology. Cryptographic Data Security. 718 Hashing function.", GOST R 34.10-94, Gosudarstvennyi 719 Standard of Russian Federation, Government Committee of 720 the Russia for Standards, 1994. (In Russian) 722 Authors' Addresses 724 Vasily Dolmatov, Ed. 725 Cryptocom Ltd. 726 Kedrova st., 14, bld.2 727 Moscow, 117218, Russian Federation 729 EMail: dol@cryptocom.ru 731 Dmitry Kabelev 732 Cryptocom Ltd. 733 Kedrova st., 14, bld.2 734 Moscow, 117218, Russian Federation 735 EMail: kdb@cryptocom.ru 737 Igor Ustinov 738 Cryptocom Ltd. 739 Kedrova st., 14, bld.2 740 Moscow, 117218, Russian Federation 742 EMail: igus@cryptocom.ru 744 Sergey Vyshensky 745 Moscow State University 746 Leninskie gory, 1 747 Moscow, 119991, Russian Federation 749 EMail: svysh@pn.sinp.msu.ru