idnits 2.17.1 draft-dolmatov-magma-00.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC5830, but the abstract doesn't seem to directly say this. It does mention RFC5830 though, so this could be OK. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 25, 2019) is 1765 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Internet Engineering Task Force V. Dolmatov, Ed. 3 Internet-Draft JSC "NPK Kryptonite" 4 Updates: 5830 (if approved) D. Eremin-Solenikov 5 Intended status: Informational Auriga, Inc 6 Expires: December 27, 2019 June 25, 2019 8 GOST R 34.12-2015: Block Cipher "Magma" 9 draft-dolmatov-magma-00 11 Abstract 13 This document is intended to be a source of information about updated 14 version of the block cipher with block length of n=64 bits and key 15 length k=256 bits (RFC5830), which is also referred as "Magma" and is 16 described in the Russian Federal standard GOST R 34.12-2015, 17 containing also the description of block cipher "Kuznechik" 18 (RFC7801)/>. These algorithms are from the set of Russian 19 cryptographic standard algorithms (called GOST algorithms). 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on December 27, 2019. 38 Copyright Notice 40 Copyright (c) 2019 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (https://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. General Information . . . . . . . . . . . . . . . . . . . . . 3 57 3. Definitions and Notations . . . . . . . . . . . . . . . . . . 3 58 3.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 59 3.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 4 60 4. Description of Kuznechik cipher . . . . . . . . . . . . . . . 5 61 5. Parameter Values . . . . . . . . . . . . . . . . . . . . . . 5 62 5.1. Nonlinear Bijection . . . . . . . . . . . . . . . . . . . 5 63 5.2. Transformations . . . . . . . . . . . . . . . . . . . . . 6 64 5.3. Key schedule . . . . . . . . . . . . . . . . . . . . . . 6 65 6. Basic encryption algorithm . . . . . . . . . . . . . . . . . 7 66 6.1. Encryption . . . . . . . . . . . . . . . . . . . . . . . 7 67 6.2. Decryption . . . . . . . . . . . . . . . . . . . . . . . 7 68 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 69 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 70 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 71 9.1. Normative References . . . . . . . . . . . . . . . . . . 7 72 9.2. Informative References . . . . . . . . . . . . . . . . . 8 73 Appendix A. Test Examples . . . . . . . . . . . . . . . . . . . 8 74 A.1. Transformation t . . . . . . . . . . . . . . . . . . . . 8 75 A.2. Transformation g . . . . . . . . . . . . . . . . . . . . 8 76 A.3. Key schedule . . . . . . . . . . . . . . . . . . . . . . 9 77 A.4. Test Encryption . . . . . . . . . . . . . . . . . . . . . 10 78 A.5. Test Decryption . . . . . . . . . . . . . . . . . . . . . 11 79 Appendix B. Background . . . . . . . . . . . . . . . . . . . . . 12 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 82 1. Introduction 84 The Russian Federal standard [GOSTR3412-2015] specifies basic block 85 ciphers used as cryptographic techniques for information processing 86 and information protection including the provision of 87 confidentiality, authenticity, and integrity of information during 88 information transmission, processing and storage in computer-aided 89 systems. 91 The cryptographic algorithms specified in this Standard are designed 92 both for hardware and software implementation. They comply with 93 modern cryptographic requirements, and put no restrictions on the 94 confidentiality level of the protected information. 96 2. General Information 98 The Russian Federal standard [GOSTR3412-2015] was developed by the 99 Center for Information Protection and Special Communications of the 100 Federal Security Service of the Russian Federation with participation 101 of the Open Joint-Stock company "Information Technologies and 102 Communication Systems" (InfoTeCS JSC). GOST R 34.12-2015 was 103 approved and introduced by Decree #749 of the Federal Agency on 104 Technical Regulating and Metrology on 19.06.2015. 106 Terms and concepts in the standard comply with the following 107 international standards: 109 o ISO/IEC 10116 [ISO-IEC10116], 111 o series of standards ISO/IEC 18033 [ISO-IEC18033-1], 112 [ISO-IEC18033-3]. 114 3. Definitions and Notations 116 The following terms and their corresponding definitions are used in 117 the standard. 119 3.1. Definitions 121 Definitions 123 encryption algorithm: process which transforms plaintext into 124 ciphertext (Clause 2.19 of [ISO-IEC18033-1]), 126 decryption algorithm: process which transforms ciphertext into 127 plaintext (Clause 2.14 of [ISO-IEC18033-1]), 129 basic block cipher: block cipher which for a given key provides a 130 single invertible mapping of the set of fixed-length plaintext 131 blocks into ciphertext blocks of the same length, 133 block: string of bits of a defined length (Clause 2.6 of 134 [ISO-IEC18033-1]), 136 block cipher: symmetric encipherment system with the property that 137 the encryption algorithm operates on a block of plaintext, i.e. a 138 string of bits of a defined length, to yield a block of ciphertext 139 (Clause 2.7 of [ISO-IEC18033-1]), 141 Note: In GOST R 34.12-2015, it is established that the terms 142 "block cipher" and "block encryption algorithm" are synonyms. 144 encryption: reversible transformation of data by a cryptographic 145 algorithm to produce ciphertext, i.e., to hide the information 146 content of the data (Clause 2.18 of [ISO-IEC18033-1]), 148 round key: sequence of symbols which is calculated from the key 149 and controls a transformation for one round of a block cipher, 151 key: sequence of symbols that controls the operation of a 152 cryptographic transformation (e.g., encipherment, decipherment) 153 (Clause 2.21 of [ISO-IEC18033-1]), 155 Note: In GOST R 34.12-2015, the key must be a binary sequence. 157 plaintext: unencrypted information (Clause 3.11 of 158 [ISO-IEC10116]), 160 key schedule: calculation of round keys from the key, 162 decryption: reversal of a corresponding encipherment (Clause 2.13 163 of [ISO-IEC18033-1]), 165 symmetric cryptographic technique: cryptographic technique that 166 uses the same secret key for both the originator's and the 167 recipient's transformation (Clause 2.32 of [ISO-IEC18033-1]), 169 cipher: alternative term for encipherment system (Clause 2.20 of 170 [ISO-IEC18033-1]), 172 ciphertext: data which has been transformed to hide its 173 information content (Clause 3.3 of [ISO-IEC10116]). 175 3.2. Notations 177 The following notations are used in the standard: 179 V* the set of all binary vector-strings of a finite length 180 (hereinafter referred to as the strings) including the empty 181 string, 183 V_s the set of all binary strings of length s, where s is a 184 non-negative integer; substrings and string components are 185 enumerated from right to left starting from zero, 187 U[*]W direct (Cartesian) product of two set U and W, 189 |A| the number of components (the length) of a string A 190 belonging to V* (if A is an empty string, then |A| = 0), 191 A||B concatenation of strings A and B both belonging to V*, 192 i.e., a string from V_(|A|+|B|), where the left substring from 193 V_|A| is equal to A and the right substring from V_|B| is equal to 194 B, 196 A<<<_11 cyclic rotation of string A belonging to V_32 by 11 197 components in the direction of components having greater indices 199 Z_(2^n) ring of residues modulo 2^n, 201 (xor) exclusive-or of the two binary strings of the same length, 203 [+] addition in the ring Z_(2^32) 205 Vec_s: Z_(2^s) -> V_s bijective mapping which maps an element from 206 ring Z_(2^s) into its binary representation, i.e., for an element 207 z of the ring Z_(2^s), represented by the residue z_0 + (2*z_1) + 208 ... + (2^(s-1)*z_(s-1)), where z_i in {0, 1}, i = 0, ..., n-1, the 209 equality Vec_s(z) = z_(s-1)||...||z_1||z_0 holds, 211 Int_s: V_s -> Z_(2^s) the mapping inverse to the mapping Vec_s, 212 i.e., Int_s = Vec_s^(-1), 214 PS composition of mappings, where the mapping S applies first, 216 P^s composition of mappings P^(s-1) and P, where P^1=P, 218 4. Description of Kuznechik cipher 220 This section corresponds to "Kuznechik" cipher and is described in 221 [RFC7801] 223 5. Parameter Values 225 5.1. Nonlinear Bijection 227 The bijective nonlinear mapping is a set of substitutions: 229 Pi_i = Vec_4 Pi'_i Int_4: V_4 -> V_4, 231 where 233 Pi'_i: Z_(2^4) -> Z_(2^4), i = 0, 1, ..., 7. 235 The values of the substitution Pi' are specified below as arrays 236 Pi'_i = (Pi'_i(0), Pi'_i(1), ... , Pi'_i(15)), i = 0, 1, ..., 7: 238 Pi'_0 = (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1); 239 Pi'_1 = (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15); 240 Pi'_2 = (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0); 241 Pi'_3 = (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11); 242 Pi'_4 = (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12); 243 Pi'_5 = (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0); 244 Pi'_6 = (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7); 245 Pi'_7 = (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2); 247 5.2. Transformations 249 The following transformations are applicable for encryption and 250 decryption algorithms: 252 t: V_32 -> V_32 t(a) = t(a_7||...||a_0) = Pi_7(a_7)||...||Pi_0(a_0), 253 where a=a_7||...||a_0 belongs to V_32, a_i belongs to V_4, i=0, 1, 254 ..., 7; 256 g[k]: V_32 -> V_32 g[k](a) = (t(Vec_32(Int_32(a) [+] Int_32(k)))) 257 <<<_11, where k, a belong to V_32; 259 G[k]: V_32[*]V_32 -> V_32[*]V_32 G[k](a_1, a_0) = (a_0, g[k](a_0) 260 (xor) a_1), where k, a_0, a_1 belong to V_32; 262 G^*[k]: V_32[*]V_32 -> V_64 G^*[k](a_1, a_0) = (g[k](a_0) (xor) 263 a_1) || a_0, where k, a_0, a_1 belong to V_32. 265 5.3. Key schedule 267 Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from 268 key K=k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1, 269 ..., 255, as follows: 271 K_1=k_255||...||k_224; 272 K_2=k_223||...||k_192; 273 K_3=k_191||...||k_160; 274 K_4=k_159||...||k_128; 275 K_5=k_127||...||k_96; 276 K_6=k_95||...||k_64; 277 K_7=k_63||...||k_32; 278 K_8=k_31||...||k_0; 279 K_(i+8)=K_i, i = 1, 2, ..., 8; 280 K_(i+16)=K_i, i = 1, 2, ..., 8; 281 K_(i+24)=K_(9-i), i = 1, 2, ..., 8. 283 6. Basic encryption algorithm 285 6.1. Encryption 287 Depending on the values of round keys K_1,...,K_32, the encryption 288 algorithm is a substitution E_(K_1,...,K_32) defined as follows: 290 E_(K_1,...,K_32)(a)=G^*[K_32]G[K_31]...G[K_2]G[K_1](a_1, a_0), 292 where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32. 294 6.2. Decryption 296 Depending on the values of round keys K_1,...,K_32, the decryption 297 algorithm is a substitution D_(K_1,...,K_32) defined as follows: 299 D_(K_1,...,K_32)(a)=G^*[K_1]G[K_2]...G[K_31]G[K_32](a_1, a_0), 301 where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32. 303 7. IANA Considerations 305 This memo includes no request to IANA. 307 8. Security Considerations 309 This entire document is about security considerations. 311 9. References 313 9.1. Normative References 315 [GOSTR3412-2015] 316 Federal Agency on Technical Regulating and Metrology, 317 "Information technology. Cryptographic data security. 318 Block ciphers. GOST R 34.12-2015", 2015. 320 [RFC5830] Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption, 321 and Message Authentication Code (MAC) Algorithms", 322 RFC 5830, DOI 10.17487/RFC5830, March 2010, 323 . 325 [RFC7801] Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher 326 "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016, 327 . 329 [RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., 330 Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines 331 on the Cryptographic Algorithms to Accompany the Usage of 332 Standards GOST R 34.10-2012 and GOST R 34.11-2012", 333 RFC 7836, DOI 10.17487/RFC7836, March 2016, 334 . 336 9.2. Informative References 338 [GOST28147-89] 339 Government Committee of the USSR for Standards, 340 ""Cryptographic Protection for Data Processing System", 341 GOST 28147-89, Gosudarstvennyi Standard of USSR", 1989. 343 [ISO-IEC10116] 344 ISO-IEC, "Information technology - Security techniques - 345 Modes of operation for an n-bit block cipher, ISO-IEC 346 10116", 2006. 348 [ISO-IEC18033-1] 349 ISO-IEC, "Information technology - Security techniques - 350 Encryption algorithms - Part 1: General, ISO-IEC 18033-1", 351 2013. 353 [ISO-IEC18033-3] 354 ISO-IEC, "Information technology - Security techniques - 355 Encryption algorithms - Part 3: Block ciphers, ISO-IEC 356 18033-3", 2010. 358 Appendix A. Test Examples 360 This section is for information only and is not a normative part of 361 the standard. 363 A.1. Transformation t 365 t(fdb97531) = 2a196f34, 366 t(2a196f34) = ebd9f03a, 367 t(ebd9f03a) = b039bb3d, 368 t(b039bb3d) = 68695433. 370 A.2. Transformation g 372 g[87654321](fedcba98) = fdcbc20c, 373 g[fdcbc20c](87654321) = 7e791a4b, 374 g[7e791a4b](fdcbc20c) = c76549ec, 375 g[c76549ec](7e791a4b) = 9791c849. 377 A.3. Key schedule 379 With key set to 381 K = ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff, 383 following round keys are generated: 385 K_1 = ffeeddcc, 386 K_2 = bbaa9988, 387 K_3 = 77665544, 388 K_4 = 33221100, 389 K_5 = f0f1f2f3, 390 K_6 = f4f5f6f7, 391 K_7 = f8f9fafb, 392 K_8 = fcfdfeff, 394 K_9 = ffeeddcc, 395 K_10 = bbaa9988, 396 K_11 = 77665544, 397 K_12 = 33221100, 398 K_13 = f0f1f2f3, 399 K_14 = f4f5f6f7, 400 K_15 = f8f9fafb, 401 K_16 = fcfdfeff, 403 K_17 = ffeeddcc, 404 K_18 = bbaa9988, 405 K_19 = 77665544, 406 K_20 = 33221100, 407 K_21 = f0f1f2f3, 408 K_22 = f4f5f6f7, 409 K_23 = f8f9fafb, 410 K_24 = fcfdfeff, 412 K_25 = fcfdfeff, 413 K_26 = f8f9fafb, 414 K_27 = f4f5f6f7, 415 K_28 = f0f1f2f3, 416 K_29 = 33221100, 417 K_30 = 77665544, 418 K_31 = bbaa9988, 419 K_32 = ffeeddcc. 421 A.4. Test Encryption 423 In this test example, encryption is performed on the round keys 424 specified in clause A.3. Let the plaintext be 426 a = fedcba9876543210, 428 then 430 (a_1, a_0) = (fedcba98, 76543210), 431 G[K_1](a_1, a_0) = (76543210, 28da3b14), 432 G[K_2]G[K_1](a_1, a_0) = (28da3b14, b14337a5), 433 G[K_3]...G[K_1](a_1, a_0) = (b14337a5, 633a7c68), 434 G[K_4]...G[K_1](a_1, a_0) = (633a7c68, ea89c02c), 435 G[K_5]...G[K_1](a_1, a_0) = (ea89c02c, 11fe726d), 436 G[K_6]...G[K_1](a_1, a_0) = (11fe726d, ad0310a4), 437 G[K_7]...G[K_1](a_1, a_0) = (ad0310a4, 37d97f25), 438 G[K_8]...G[K_1](a_1, a_0) = (37d97f25, 46324615), 439 G[K_9]...G[K_1](a_1, a_0) = (46324615, ce995f2a), 440 G[K_10]...G[K_1](a_1, a_0) = (ce995f2a, 93c1f449), 441 G[K_11]...G[K_1](a_1, a_0) = (93c1f449, 4811c7ad), 442 G[K_12]...G[K_1](a_1, a_0) = (4811c7ad, c4b3edca), 443 G[K_13]...G[K_1](a_1, a_0) = (c4b3edca, 44ca5ce1), 444 G[K_14]...G[K_1](a_1, a_0) = (44ca5ce1, fef51b68), 445 G[K_15]...G[K_1](a_1, a_0) = (fef51b68, 2098cd86) 446 G[K_16]...G[K_1](a_1, a_0) = (2098cd86, 4f15b0bb), 447 G[K_17]...G[K_1](a_1, a_0) = (4f15b0bb, e32805bc), 448 G[K_18]...G[K_1](a_1, a_0) = (e32805bc, e7116722), 449 G[K_19]...G[K_1](a_1, a_0) = (e7116722, 89cadf21), 450 G[K_20]...G[K_1](a_1, a_0) = (89cadf21, bac8444d), 451 G[K_21]...G[K_1](a_1, a_0) = (bac8444d, 11263a21), 452 G[K_22]...G[K_1](a_1, a_0) = (11263a21, 625434c3), 453 G[K_23]...G[K_1](a_1, a_0) = (625434c3, 8025c0a5), 454 G[K_24]...G[K_1](a_1, a_0) = (8025c0a5, b0d66514), 455 G[K_25]...G[K_1](a_1, a_0) = (b0d66514, 47b1d5f4), 456 G[K_26]...G[K_1](a_1, a_0) = (47b1d5f4, c78e6d50), 457 G[K_27]...G[K_1](a_1, a_0) = (c78e6d50, 80251e99), 458 G[K_28]...G[K_1](a_1, a_0) = (80251e99, 2b96eca6), 459 G[K_29]...G[K_1](a_1, a_0) = (2b96eca6, 05ef4401), 460 G[K_30]...G[K_1](a_1, a_0) = (05ef4401, 239a4577), 461 G[K_31]...G[K_1](a_1, a_0) = (239a4577, c2d8ca3d). 463 Then the ciphertext is 465 b = G^*[K_32]G[K_31]...G[K_1](a_1, a_0) = 4ee901e5c2d8ca3d. 467 A.5. Test Decryption 469 In this test example, decryption is performed on the round keys 470 specified in clause A.3. Let the ciphertext be 472 b = 4ee901e5c2d8ca3d, 474 then 476 (b_1, b_0) = (4ee901e5, c2d8ca3d), 477 G[K_32](b_1, b_0) = (c2d8ca3d, 239a4577), 478 G[K_31]G[K_32](b_1, b_0) = (239a4577, 05ef4401), 479 G[K_30]...G[K_32](b_1, b_0) = (05ef4401, 2b96eca6), 480 G[K_29]...G[K_32](b_1, b_0) = (2b96eca6, 80251e99), 481 G[K_28]...G[K_32](b_1, b_0) = (80251e99, c78e6d50), 482 G[K_27]...G[K_32](b_1, b_0) = (c78e6d50, 47b1d5f4), 483 G[K_26]...G[K_32](b_1, b_0) = (47b1d5f4, b0d66514), 484 G[K_25]...G[K_32](b_1, b_0) = (b0d66514, 8025c0a5), 485 G[K_24]...G[K_32](b_1, b_0) = (8025c0a5, 625434c3), 486 G[K_23]...G[K_32](b_1, b_0) = (625434c3, 11263a21), 487 G[K_22]...G[K_32](b_1, b_0) = (11263a21, bac8444d), 488 G[K_21]...G[K_32](b_1, b_0) = (bac8444d, 89cadf21), 489 G[K_20]...G[K_32](b_1, b_0) = (89cadf21, e7116722), 490 G[K_19]...G[K_32](b_1, b_0) = (e7116722, e32805bc), 491 G[K_18]...G[K_32](b_1, b_0) = (e32805bc, 4f15b0bb), 492 G[K_17]...G[K_32](b_1, b_0) = (4f15b0bb, 2098cd86), 493 G[K_16]...G[K_32](b_1, b_0) = (2098cd86, fef51b68), 494 G[K_15]...G[K_32](b_1, b_0) = (fef51b68, 44ca5ce1), 495 G[K_14]...G[K_32](b_1, b_0) = (44ca5ce1, c4b3edca), 496 G[K_13]...G[K_32](b_1, b_0) = (c4b3edca, 4811c7ad), 497 G[K_12]...G[K_32](b_1, b_0) = (4811c7ad, 93c1f449), 498 G[K_11]...G[K_32](b_1, b_0) = (93c1f449, ce995f2a), 499 G[K_10]...G[K_32](b_1, b_0) = (ce995f2a, 46324615), 500 G[K_9]...G[K_32](b_1, b_0) = (46324615, 37d97f25), 501 G[K_8]...G[K_32](b_1, b_0) = (37d97f25, ad0310a4), 502 G[K_7]...G[K_32](b_1, b_0) = (ad0310a4, 11fe726d), 503 G[K_6]...G[K_32](b_1, b_0) = (11fe726d, ea89c02c), 504 G[K_5]...G[K_32](b_1, b_0) = (ea89c02c, 633a7c68), 505 G[K_4]...G[K_32](b_1, b_0) = (633a7c68, b14337a5), 506 G[K_3]...G[K_32](b_1, b_0) = (b14337a5, 28da3b14), 507 G[K_2]...G[K_32](b_1, b_0) = (28da3b14, 76543210). 509 Then the plaintext is 511 a = G^*[K_1]G[K_2]...G[K_32](b_1, b_0) = fedcba9876543210. 513 Appendix B. Background 515 Algoritmically Magma is a variation of block cipher defined in 516 [RFC5830] ([GOST28147-89]) with the following clarifications and 517 minor modifications: 519 1. S-BOX set is fixed at id-tc26-gost-28147-param-Z (See Appendix C 520 of [RFC7836]); 522 2. key is parsed as a single big-endian integer (compared to little- 523 endian approach used in [GOST28147-89]), which results in 524 different subkey values being used; 526 3. data are also parsed as single big-endian integer (instead of 527 being parsed as little-endian integer). 529 Authors' Addresses 531 Vasily Dolmatov (editor) 532 JSC "NPK Kryptonite" 533 Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite" 534 Moscow 105082 535 Russian Federation 537 Email: vdolmatov@gmail.com 539 Dmitry Eremin-Solenikov 540 Auriga, Inc 541 Torfyanaya Doroga, 7F, office 1410 542 Saint-Petersburg 197374 543 Russia 545 Email: dbaryshkov@gmail.com