Internet Engineering Task Force                         V. Dolmatov, Ed.
Internet-Draft                              Research Computer Center MSU
Intended status: Informational                          January 17, 2016
Expires: July 20, 2016

              GOST R 34.12-2015: Block Cipher "Kuznyechik"
                      draft-dolmatov-kuznyechik-05

Abstract

   This document is intended to be a source of information about the
   Russian Federal standard GOST R 34.12-2015 describing a block cipher
   with block length of n=128 bits and key length k=256 bits, which is
   also referred to as "Kuznyechik".  This algorithm is one of the set
   of Russian cryptographic standard algorithms (called GOST
   algorithms).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 20, 2016.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Scope
   2.  General Information
   3.  Definitions and Notations
     3.1.  Definitions
     3.2.  Notations
   4.  Parameter Values
     4.1.  Nonlinear Bijection
     4.2.  Linear Transformation
     4.3.  Transformations
     4.4.  Key schedule
     4.5.  Basic encryption algorithm
       4.5.1.  Encryption
       4.5.2.  Decryption
   5.  Examples (Informative)
     5.1.  Transformation S
     5.2.  Transformation R
     5.3.  Transformation L
     5.4.  Key schedule
     5.5.  Test encryption
     5.6.  Test decryption
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Author's Address

1.  Scope

   The Russian Federal standard [GOST3412-2015] specifies basic block
   ciphers used as cryptographic techniques for information processing
   and information protection including the provision of
   confidentiality, authenticity, and integrity of information during
   information transmission, processing and storage in computer-aided
   systems.

   The cryptographic algorithms specified in this Standard are designed
   both for hardware and software implementation.  They comply with
   modern cryptographic requirements, and put no restrictions on the
   confidentiality level of the protected information.

   The Standard applies to the development, operation, and
   modernization of information systems of various purposes.

2.  General Information

   The block cipher "Kuznyechik" [GOST3412-2015] was developed by the
   Center for Information Protection and Special Communications of the
   Federal Security Service of the Russian Federation with participation
   of the Open Joint-Stock company "Information Technologies and
   Communication Systems" (InfoTeCS JSC).  GOST R 34.12-2015 was
   approved and introduced by Decree #749 of the Federal Agency on
   Technical Regulating and Metrology on 19.06.2015.

   Terms and concepts in the standard comply with the following
   international standards:

   o  ISO/IEC 10116 [ISO-IEC10116],

   o  series of standards ISO/IEC 18033 [ISO-IEC18033-1],
      [ISO-IEC18033-3].

3.  Definitions and Notations

   The following terms and their corresponding definitions are used in
   the standard.

3.1.  Definitions

   encryption algorithm:  process which transforms plaintext into
      ciphertext (Clause 2.19 of [ISO-IEC18033-1]),

   decryption algorithm:  process which transforms ciphertext into
      plaintext (Clause 2.14 of [ISO-IEC18033-1]),

   basic block cipher:  block cipher which for a given key provides a
      single invertible mapping of the set of fixed-length plaintext
      blocks into ciphertext blocks of the same length,

   block:  string of bits of a defined length (Clause 2.6 of
      [ISO-IEC18033-1]),

   block cipher:  symmetric encipherment system with the property that
      the encryption algorithm operates on a block of plaintext, i.e. a
      string of bits of a defined length, to yield a block of ciphertext
      (Clause 2.7 of [ISO-IEC18033-1]),

      Note: In GOST R 34.12-2015, it is established that the terms
      "block cipher" and "block encryption algorithm" are synonyms.

   encryption:  reversible transformation of data by a cryptographic
      algorithm to produce ciphertext, i.e., to hide the information
      content of the data (Clause 2.18 of [ISO-IEC18033-1]),

   round key:  sequence of symbols which is calculated from the key
      and controls a transformation for one round of a block cipher,

   key:  sequence of symbols that controls the operation of a
      cryptographic transformation (e.g., encipherment, decipherment)
      (Clause 2.21 of [ISO-IEC18033-1]),

      Note: In GOST R 34.12-2015, the key must be a binary sequence.

   plaintext:  unencrypted information (Clause 3.11 of
      [ISO-IEC10116]),

   key schedule:  calculation of round keys from the key,

   decryption:  reversal of a corresponding encipherment (Clause 2.13
      of [ISO-IEC18033-1]),

   symmetric cryptographic technique:  cryptographic technique that
      uses the same secret key for both the originator's and the
      recipient's transformation (Clause 2.32 of [ISO-IEC18033-1]),

   cipher:  alternative term for encipherment system (Clause 2.20 of
      [ISO-IEC18033-1]),

   ciphertext:  data which has been transformed to hide its
      information content (Clause 3.3 of [ISO-IEC10116]).

3.2.  Notations

   The following notations are used in the standard:

   V*  the set of all binary vector-strings of a finite length
      (hereinafter referred to as the strings) including the empty
      string,

   V_s  the set of all binary strings of length s, where s is a
      non-negative integer; substrings and string components are
      enumerated from right to left starting from zero,

   U[*]W  direct (Cartesian) product of two sets U and W,

   |A|  the number of components (the length) of a string A
      belonging to V* (if A is an empty string, then |A| = 0),

   A||B  concatenation of strings A and B both belonging to V*,
      i.e., a string from V_(|A|+|B|), where the left substring from
      V_|A| is equal to A and the right substring from V_|B| is equal to
      B,

   Z_(2^n)  ring of residues modulo 2^n,

   Q  finite field GF(2)[x]/p(x), where p(x)=x^8+x^7+x^6+x+1
      belongs to GF(2)[x]; elements of field Q are represented by
      integers in such way that element z_0+z_1*theta+...+z_7*theta^7
      belonging to Q corresponds to integer z_0+2*z_1+...+2^7*z_7, where
      z_i=0 or z_i=1, i=0,1,...,7 and theta denotes a residue class
      modulo p(x) containing x,

   (xor)  exclusive-or of the two binary strings of the same length,

   Vec_s: Z_(2^s) -> V_s  bijective mapping which maps an element from
      ring Z_(2^s) into its binary representation, i.e., for an element
      z of the ring Z_(2^s), represented by the residue z_0 + (2*z_1) + ...
      + (2^(s-1)*z_(s-1)), where z_i in {0, 1}, i = 0, ..., s-1, the
      equality Vec_s(z) = z_(s-1)||...||z_1||z_0 holds,

   Int_s: V_s -> Z_(2^s)  the mapping inverse to the mapping Vec_s,
      i.e., Int_s = Vec_s^(-1),

   delta: V_8 -> Q  bijective mapping which maps a binary string from
      V_8 into an element from field Q as follows: string
      z_7||...||z_1||z_0, where z_i in {0, 1}, i = 0, ..., 7,
      corresponds to the element z_0+(z_1*theta)+...+(z_7*theta^7)
      belonging to Q,

   nabla: Q -> V_8  the mapping inverse to the mapping delta, i.e.,
      delta = nabla^(-1),

   PS  composition of mappings, where the mapping S applies first,

   P^s  composition of mappings P^(s-1) and P, where P^1=P,

4.  Parameter Values

4.1.  Nonlinear Bijection

   The bijective nonlinear mapping is a substitution: Pi =
   (Vec_8)Pi'(Int_8): V_8 -> V_8, where Pi': Z_(2^8) -> Z_(2^8).  The
   values of the substitution Pi' are specified below as an array Pi' =
   (Pi'(0), Pi'(1), ... , Pi'(255)):

   Pi' =
     ( 252, 238, 221, 17, 207, 110, 49, 22, 251, 196, 250,
       218, 35, 197, 4, 77, 233, 119, 240, 219, 147, 46,
       153, 186, 23, 54, 241, 187, 20, 205, 95, 193, 249,
       24, 101, 90, 226, 92, 239, 33, 129, 28, 60, 66,
       139, 1, 142, 79, 5, 132, 2, 174, 227, 106, 143,
       160, 6, 11, 237, 152, 127, 212, 211, 31, 235, 52,
       44, 81, 234, 200, 72, 171, 242, 42, 104, 162, 253,
       58, 206, 204, 181, 112, 14, 86, 8, 12, 118, 18,
       191, 114, 19, 71, 156, 183, 93, 135, 21, 161, 150,
       41, 16, 123, 154, 199, 243, 145, 120, 111, 157, 158,
       178, 177, 50, 117, 25, 61, 255, 53, 138, 126, 109,
       84, 198, 128, 195, 189, 13, 87, 223, 245, 36, 169,
       62, 168, 67, 201, 215, 121, 214, 246, 124, 34, 185,
       3, 224, 15, 236, 222, 122, 148, 176, 188, 220, 232,
       40, 80, 78, 51, 10, 74, 167, 151, 96, 115, 30,
       0, 98, 68, 26, 184, 56, 130, 100, 159, 38, 65,
       173, 69, 70, 146, 39, 94, 85, 47, 140, 163, 165,
       125, 105, 213, 149, 59, 7, 88, 179, 64, 134, 172,
       29, 247, 48, 55, 107, 228, 136, 217, 231, 137, 225,
       27, 131, 73, 76, 63, 248, 254, 141, 83, 170, 144,
       202, 216, 133, 97, 32, 113, 103, 164, 45, 43, 9,
       91, 203, 155, 37, 208, 190, 229, 108, 82, 89, 166,
       116, 210, 230, 244, 180, 192, 209, 102, 175, 194, 57,
       75, 99, 182 ).

   Pi^(-1) is the inverse of Pi, the values of the substitution Pi^(-1)'
   are specified below as an array Pi^(-1)' = (Pi^(-1)'(0), Pi^(-1)'(1),
   ... , Pi^(-1)'(255)):

   Pi^(-1)' =
     ( 165, 45, 50, 143, 14, 48, 56, 192, 84, 230, 158,
       57, 85, 126, 82, 145, 100, 3, 87, 90, 28, 96,
       7, 24, 33, 114, 168, 209, 41, 198, 164, 63, 224,
       39, 141, 12, 130, 234, 174, 180, 154, 99, 73, 229,
       66, 228, 21, 183, 200, 6, 112, 157, 65, 117, 25,
       201, 170, 252, 77, 191, 42, 115, 132, 213, 195, 175,
       43, 134, 167, 177, 178, 91, 70, 211, 159, 253, 212,
       15, 156, 47, 155, 67, 239, 217, 121, 182, 83, 127,
       193, 240, 35, 231, 37, 94, 181, 30, 162, 223, 166,
       254, 172, 34, 249, 226, 74, 188, 53, 202, 238, 120,
       5, 107, 81, 225, 89, 163, 242, 113, 86, 17, 106,
       137, 148, 101, 140, 187, 119, 60, 123, 40, 171, 210,
       49, 222, 196, 95, 204, 207, 118, 44, 184, 216, 46,
       54, 219, 105, 179, 20, 149, 190, 98, 161, 59, 22,
       102, 233, 92, 108, 109, 173, 55, 97, 75, 185, 227,
       186, 241, 160, 133, 131, 218, 71, 197, 176, 51, 250,
       150, 111, 110, 194, 246, 80, 255, 93, 169, 142, 23,
       27, 151, 125, 236, 88, 247, 31, 251, 124, 9, 13,
       122, 103, 69, 135, 220, 232, 79, 29, 78, 4, 235,
       248, 243, 62, 61, 189, 138, 136, 221, 205, 11, 19,
       152, 2, 147, 128, 144, 208, 36, 52, 203, 237, 244,
       206, 153, 16, 68, 64, 146, 58, 1, 38, 18, 26,
       72, 104, 245, 129, 139, 199, 214, 32, 10, 8, 0,
       76, 215, 116 ).

4.2.  Linear Transformation

   The linear transformation is denoted by l: (V_8)^16 -> V_8, and
   defined as:

   l(a_15,...,a_0) = nabla(148*delta(a_15) + 32*delta(a_14) +
      133*delta(a_13) + 16*delta(a_12) + 194*delta(a_11) +
      192*delta(a_10) + 1*delta(a_9) + 251*delta(a_8) +
      1*delta(a_7) + 192*delta(a_6) + 194*delta(a_5) +
      16*delta(a_4) + 133*delta(a_3) + 32*delta(a_2) +
      148*delta(a_1) + 1*delta(a_0)),

   for all a_i belonging to V_8, i = 0, 1, ..., 15, where the addition
   and multiplication operations are in the field Q, and constants are
   elements of the field as defined above.

4.3.  Transformations

   The following transformations are applicable for encryption and
   decryption algorithms:

   X[k]:V_128->V_128  X[k](a)=k(xor)a, where k, a belong to V_128,

   S:V_128->V_128  S(a)=S(a_15||...||a_0)=pi(a_15)||...||pi(a_0), where
      a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,

   S^(-1):V_128->V_128  the inverse transformation of S, which may be
      calculated, for example, as follows:
      S^(-1)(a_15||...||a_0)=pi^(-1)(a_15)||...||pi^(-1)(a_0), where
      a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,

   R:V_128->V_128  R(a_15||...||a_0)=l(a_15,...,a_0)||a_15||...||a_1,
      where a_15||...||a_0 belongs to V_128, a_i belongs to V_8,
      i=0,1,...,15,

   L:V_128->V_128  L(a)=R^(16)(a), where a belongs to V_128,

   R^(-1):V_128->V_128  the inverse transformation of R, which may be
      calculated, for example, as follows: R^(-1)(a_15||...||a_0)=a_14||
      a_13||...||a_0||l(a_14,a_13,...,a_0,a_15), where a_15||...||a_0
      belongs to V_128, a_i belongs to V_8, i=0,1,...,15,

   L^(-1):V_128->V_128  L^(-1)(a)=(R^(-1))^(16)(a), where a belongs to
      V_128,

   F[k]:V_128[*]V_128 -> V_128[*]V_128
      F[k](a_1,a_0)=(LSX[k](a_1)(xor)a_0,a_1), where k, a_0, a_1 belong
      to V_128.

4.4.  Key schedule

   Key schedule uses round constants C_i belonging to V_128, i=1, 2,
   ..., 32, defined as

   C_i=L(Vec_128(i)), i=1,2,...,32.

   Round keys K_i, i=1, 2, ..., 10 are derived from key
   K=k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1,
   ..., 255, as follows:

   K_1=k_255||...||k_128;
   K_2=k_127||...||k_0;
   (K_(2i+1),K_(2i+2))=F[C_(8(i-1)+8)]...
      F[C_(8(i-1)+1)](K_(2i-1),K_(2i)), i=1,2,3,4.

4.5.  Basic encryption algorithm

4.5.1.  Encryption

   Depending on the values of round keys K_1,...,K_10, the encryption
   algorithm is a substitution E_(K_1,...,K_10) defined as follows:

   E_(K_1,...,K_10)(a)=X[K_10]LSX[K_9]...LSX[K_2]LSX[K_1](a),

   where a belongs to V_128.

4.5.2.  Decryption

   Depending on the values of round keys K_1,...,K_10, the decryption
   algorithm is a substitution D_(K_1,...,K_10) defined as follows:

   D_(K_1,...,K_10)(a)=X[K_1]S^(-1)L^(-1)X[K_2]...
      S^(-1)L^(-1)X[K_9]S^(-1)L^(-1)X[K_10](a),

   where a belongs to V_128.

5.  Examples (Informative)

   This section is for information only and is not a normative part of
   the standard.

5.1.  Transformation S

   S(ffeeddccbbaa99881122334455667700) = b66cd8887d38e8d77765aeea0c9a7efc,
   S(b66cd8887d38e8d77765aeea0c9a7efc) = 559d8dd7bd06cbfe7e7b262523280d39,
   S(559d8dd7bd06cbfe7e7b262523280d39) = 0c3322fed531e4630d80ef5c5a81c50b,
   S(0c3322fed531e4630d80ef5c5a81c50b) = 23ae65633f842d29c5df529c13f5acda.

5.2.  Transformation R

   R(00000000000000000000000000000100) = 94000000000000000000000000000001,
   R(94000000000000000000000000000001) = a5940000000000000000000000000000,
   R(a5940000000000000000000000000000) = 64a59400000000000000000000000000,
   R(64a59400000000000000000000000000) = 0d64a594000000000000000000000000.

5.3.  Transformation L

   L(64a59400000000000000000000000000) = d456584dd0e3e84cc3166e4b7fa2890d,
   L(d456584dd0e3e84cc3166e4b7fa2890d) = 79d26221b87b584cd42fbc4ffea5de9a,
   L(79d26221b87b584cd42fbc4ffea5de9a) = 0e93691a0cfc60408b7b68f66b513c13,
   L(0e93691a0cfc60408b7b68f66b513c13) = e6a8094fee0aa204fd97bcb0b44b8580.

5.4.  Key schedule

   In this test example, the key is equal to:

   K = 8899aabbccddeeff0011223344556677fedcba98765432100123456789abcdef.

   K_1 = 8899aabbccddeeff0011223344556677,
   K_2 = fedcba98765432100123456789abcdef.

   C_1 = 6ea276726c487ab85d27bd10dd849401,
   X[C_1](K_1) = e63bdcc9a09594475d369f2399d1f276,
   SX[C_1](K_1) = 0998ca37a7947aabb78f4a5ae81b748a,
   LSX[C_1](K_1) = 3d0940999db75d6a9257071d5e6144a6,
   F[C_1](K_1, K_2) =
      (c3d5fa01ebe36f7a9374427ad7ca8949,
       8899aabbccddeeff0011223344556677).

   C_2 = dc87ece4d890f4b3ba4eb92079cbeb02,
   F[C_2]F[C_1](K_1, K_2) =
      (37777748e56453377d5e262d90903f87,
       c3d5fa01ebe36f7a9374427ad7ca8949).

   C_3 = b2259a96b4d88e0be7690430a44f7f03,
   F[C_3]...F[C_1](K_1, K_2) =
      (f9eae5f29b2815e31f11ac5d9c29fb01,
       37777748e56453377d5e262d90903f87).

   C_4 = 7bcd1b0b73e32ba5b79cb140f2551504,
   F[C_4]...F[C_1](K_1, K_2) =
      (e980089683d00d4be37dd3434699b98f,
       f9eae5f29b2815e31f11ac5d9c29fb01).

   C_5 = 156f6d791fab511deabb0c502fd18105,
   F[C_5]...F[C_1](K_1, K_2) =
      (b7bd70acea4460714f4ebe13835cf004,
       e980089683d00d4be37dd3434699b98f).

   C_6 = a74af7efab73df160dd208608b9efe06,
   F[C_6]...F[C_1](K_1, K_2) =
      (1a46ea1cf6ccd236467287df93fdf974,
       b7bd70acea4460714f4ebe13835cf004).

   C_7 = c9e8819dc73ba5ae50f5b570561a6a07,
   F[C_7]...F[C_1](K_1, K_2) =
      (3d4553d8e9cfec6815ebadc40a9ffd04,
       1a46ea1cf6ccd236467287df93fdf974).

   C_8 = f6593616e6055689adfba18027aa2a08,
   (K_3, K_4) = F[C_8]...F[C_1](K_1, K_2) =
      (db31485315694343228d6aef8cc78c44,
       3d4553d8e9cfec6815ebadc40a9ffd04).

   The round keys K_i, i = 1, 2, ..., 10, take the following values:

   K_1 = 8899aabbccddeeff0011223344556677,
   K_2 = fedcba98765432100123456789abcdef,
   K_3 = db31485315694343228d6aef8cc78c44,
   K_4 = 3d4553d8e9cfec6815ebadc40a9ffd04,
   K_5 = 57646468c44a5e28d3e59246f429f1ac,
   K_6 = bd079435165c6432b532e82834da581b,
   K_7 = 51e640757e8745de705727265a0098b1,
   K_8 = 5a7925017b9fdd3ed72a91a22286f984,
   K_9 = bb44e25378c73123a5f32f73cdb6e517,
   K_10 = 72e9dd7416bcf45b755dbaa88e4a4043.

5.5.  Test encryption

   In this test example, encryption is performed on the round keys
   specified in clause 5.4.  Let the plaintext be

   a = 1122334455667700ffeeddccbbaa9988,

   then

   X[K_1](a) = 99bb99ff99bb99ffffffffffffffffff,
   SX[K_1](a) = e87de8b6e87de8b6b6b6b6b6b6b6b6b6,
   LSX[K_1](a) = e297b686e355b0a1cf4a2f9249140830,
   LSX[K_2]LSX[K_1](a) = 285e497a0862d596b36f4258a1c69072,
   LSX[K_3]...LSX[K_1](a) = 0187a3a429b567841ad50d29207cc34e,
   LSX[K_4]...LSX[K_1](a) = ec9bdba057d4f4d77c5d70619dcad206,
   LSX[K_5]...LSX[K_1](a) = 1357fd11de9257290c2a1473eb6bcde1,
   LSX[K_6]...LSX[K_1](a) = 28ae31e7d4c2354261027ef0b32897df,
   LSX[K_7]...LSX[K_1](a) = 07e223d56002c013d3f5e6f714b86d2d,
   LSX[K_8]...LSX[K_1](a) = cd8ef6cd97e0e092a8e4cca61b38bf65,
   LSX[K_9]...LSX[K_1](a) = 0d8e40e4a800d06b2f1b37ea379ead8e.

   Then the ciphertext is

   b = X[K_10]LSX[K_9]...LSX[K_1](a) = 7f679d90bebc24305a468d42b9d4edcd.

5.6.  Test decryption

   In this test example, decryption is performed on the round keys
   specified in clause 5.4.
   Let the ciphertext be

   b = 7f679d90bebc24305a468d42b9d4edcd,

   then

   X[K_10](b) = 0d8e40e4a800d06b2f1b37ea379ead8e,
   L^(-1)X[K_10](b) = 8a6b930a52211b45c5baa43ff8b91319,
   S^(-1)L^(-1)X[K_10](b) = 76ca149eef27d1b10d17e3d5d68e5a72,
   S^(-1)L^(-1)X[K_9]S^(-1)L^(-1)X[K_10](b) =
      5d9b06d41b9d1d2d04df7755363e94a9,
   S^(-1)L^(-1)X[K_8]...S^(-1)L^(-1)X[K_10](b) =
      79487192aa45709c115559d6e9280f6e,
   S^(-1)L^(-1)X[K_7]...S^(-1)L^(-1)X[K_10](b) =
      ae506924c8ce331bb918fc5bdfb195fa,
   S^(-1)L^(-1)X[K_6]...S^(-1)L^(-1)X[K_10](b) =
      bbffbfc8939eaaffafb8e22769e323aa,
   S^(-1)L^(-1)X[K_5]...S^(-1)L^(-1)X[K_10](b) =
      3cc2f07cc07a8bec0f3ea0ed2ae33e4a,
   S^(-1)L^(-1)X[K_4]...S^(-1)L^(-1)X[K_10](b) =
      f36f01291d0b96d591e228b72d011c36,
   S^(-1)L^(-1)X[K_3]...S^(-1)L^(-1)X[K_10](b) =
      1c4b0c1e950182b1ce696af5c0bfc5df,
   S^(-1)L^(-1)X[K_2]...S^(-1)L^(-1)X[K_10](b) =
      99bb99ff99bb99ffffffffffffffffff.

   Then the plaintext is

   a = X[K_1]S^(-1)L^(-1)X[K_2]...S^(-1)L^(-1)X[K_10](b) =
      1122334455667700ffeeddccbbaa9988.

6.  Security Considerations

   This entire document is about security considerations.

7.  IANA Considerations

   This document has no IANA considerations.

8.  References

8.1.  Normative References

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic data security.
              Block ciphers. GOST R 34.12-2015", 2015.

8.2.  Informative References

   [ISO-IEC10116]
              ISO-IEC, "Information technology - Security techniques -
              Modes of operation for an n-bit block cipher, ISO-IEC
              10116", 2006.

   [ISO-IEC18033-1]
              ISO-IEC, "Information technology - Security techniques -
              Encryption algorithms - Part 1: General, ISO-IEC 18033-1",
              2013.

   [ISO-IEC18033-3]
              ISO-IEC, "Information technology - Security techniques -
              Encryption algorithms - Part 3: Block ciphers, ISO-IEC
              18033-3", 2010.
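
   The Python code below is an added example, not part of the draft or
   of GOST R 34.12-2015: it implements the transformations of Sections
   4.1 to 4.5 so that the Section 5 values can be recomputed.  It
   assumes a block is 16 bytes in the order the hex strings are printed
   (a_15 first), takes the second term of l as 32*delta(a_14), and
   derives Pi^(-1)' from Pi'; the table lookups are not constant-time.

```python
# Added example (not from the draft): Kuznyechik per Sections 4.1-4.5.
from functools import reduce

PI = [252, 238, 221, 17, 207, 110, 49, 22, 251, 196, 250, 218, 35, 197, 4, 77,
      233, 119, 240, 219, 147, 46, 153, 186, 23, 54, 241, 187, 20, 205, 95, 193,
      249, 24, 101, 90, 226, 92, 239, 33, 129, 28, 60, 66, 139, 1, 142, 79,
      5, 132, 2, 174, 227, 106, 143, 160, 6, 11, 237, 152, 127, 212, 211, 31,
      235, 52, 44, 81, 234, 200, 72, 171, 242, 42, 104, 162, 253, 58, 206, 204,
      181, 112, 14, 86, 8, 12, 118, 18, 191, 114, 19, 71, 156, 183, 93, 135,
      21, 161, 150, 41, 16, 123, 154, 199, 243, 145, 120, 111, 157, 158, 178, 177,
      50, 117, 25, 61, 255, 53, 138, 126, 109, 84, 198, 128, 195, 189, 13, 87,
      223, 245, 36, 169, 62, 168, 67, 201, 215, 121, 214, 246, 124, 34, 185, 3,
      224, 15, 236, 222, 122, 148, 176, 188, 220, 232, 40, 80, 78, 51, 10, 74,
      167, 151, 96, 115, 30, 0, 98, 68, 26, 184, 56, 130, 100, 159, 38, 65,
      173, 69, 70, 146, 39, 94, 85, 47, 140, 163, 165, 125, 105, 213, 149, 59,
      7, 88, 179, 64, 134, 172, 29, 247, 48, 55, 107, 228, 136, 217, 231, 137,
      225, 27, 131, 73, 76, 63, 248, 254, 141, 83, 170, 144, 202, 216, 133, 97,
      32, 113, 103, 164, 45, 43, 9, 91, 203, 155, 37, 208, 190, 229, 108, 82,
      89, 166, 116, 210, 230, 244, 180, 192, 209, 102, 175, 194, 57, 75, 99, 182]
PI_INV = [PI.index(v) for v in range(256)]   # Pi^(-1)', derived, not retyped
# Coefficients of l for a_15..a_0; assumes the second term is 32*delta(a_14).
LC = [148, 32, 133, 16, 194, 192, 1, 251, 1, 192, 194, 16, 133, 32, 148, 1]

def gf_mul(a, b):
    """Multiply two elements of Q = GF(2)[x]/(x^8+x^7+x^6+x+1)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x1C3 if a & 0x80 else 0)   # reduce modulo p(x)
        b >>= 1
    return r

def l(a):
    return reduce(lambda r, cx: r ^ gf_mul(cx[0], cx[1]), zip(LC, a), 0)

# Section 4.3; assumes a block is 16 bytes in printed order, so a[0] is a_15.
def X(k, a):
    return bytes(p ^ q for p, q in zip(k, a))
def S(a, box=PI):                      # pass box=PI_INV for S^(-1)
    return bytes(box[v] for v in a)
def R(a):
    return bytes([l(a)]) + a[:15]
def R_inv(a):
    return a[1:] + bytes([l(a[1:] + a[:1])])
def L(a, step=R):                      # pass step=R_inv for L^(-1)
    for _ in range(16):
        a = step(a)
    return a

def round_keys(key):
    k1, k2 = key[:16], key[16:]
    keys = [k1, k2]
    for i in range(1, 33):
        c = L(i.to_bytes(16, "big"))             # C_i = L(Vec_128(i))
        k1, k2 = X(L(S(X(c, k1))), k2), k1       # F[C_i](k1, k2)
        if i % 8 == 0:
            keys += [k1, k2]                     # next pair of round keys
    return keys

def encrypt(keys, a):
    for k in keys[:9]:
        a = L(S(X(k, a)))
    return X(keys[9], a)

def decrypt(keys, b):
    for k in keys[:0:-1]:                        # K_10 down to K_2
        b = S(L(X(k, b), R_inv), PI_INV)
    return X(keys[0], b)
```
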

Author's Address

   Vasily Dolmatov (editor)
   Research Computer Center MSU
   Leninskiye Gory, 1, building 4, MGU NIVC
   Moscow  119991
   Russian Federation

   Email: dol@srcc.msu.ru