Internet Engineering Task Force                         V. Dolmatov, Ed.
Internet-Draft                                      JSC "NPK Kryptonite"
Updates: 5830 (if approved)                          D. Eremin-Solenikov
Intended status: Informational                               Auriga, Inc
Expires: May 20, 2020                                  November 17, 2019


                 GOST R 34.12-2015: Block Cipher "Magma"
                         draft-dolmatov-magma-05

Abstract

   In addition to a new cipher with block length of n=128 bits (referred
   to as "Kuznyechik" and described in RFC 7801) Russian Federal
   standard GOST R 34.12-2015 includes an updated version of the block
   cipher with block length of n=64 bits and key length k=256 bits,
   which is also referred to as "Magma".  The algorithm is an updated
   version of an older block cipher with block length of n=64 bits
   described in GOST 28147-89 (RFC 5830).  This document is intended to
   be a source of information about the updated version of the 64-bit
   cipher.  It may facilitate the use of the block cipher in Internet
   applications by providing information for developers and users of
   GOST 64-bit cipher with the revised version of the cipher for
   encryption and decryption.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 20, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  General Information
   3.  Definitions and Notations
     3.1.  Definitions
     3.2.  Notations
   4.  Parameter Values
     4.1.  Nonlinear Bijection
     4.2.  Transformations
     4.3.  Key Schedule
   5.  Basic Encryption Algorithm
     5.1.  Encryption
     5.2.  Decryption
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Transformation t
     A.2.  Transformation g
     A.3.  Key schedule
     A.4.  Test Encryption
     A.5.  Test Decryption
   Appendix B.  Background
   Authors' Addresses

1.  Introduction

   The Russian Federal standard [GOSTR3412-2015] specifies basic block
   ciphers used as cryptographic techniques for information processing
   and information protection including the provision of
   confidentiality, authenticity, and integrity of information during
   information transmission, processing and storage in computer-aided
   systems.

   The cryptographic algorithms defined in this specification are
   designed both for hardware and software implementation.  They comply
   with modern cryptographic requirements, and put no restrictions on
   the confidentiality level of the protected information.

   This document is intended to be a source of information about the
   updated version of 64-bit cipher.  It may facilitate the use of the
   block cipher in Internet applications by providing information for
   developers and users of GOST 64-bit cipher with the revised version
   of the cipher for encryption and decryption.

2.  General Information

   The Russian Federal standard [GOSTR3412-2015] was developed by the
   Center for Information Protection and Special Communications of the
   Federal Security Service of the Russian Federation with participation
   of the Open Joint-Stock company "Information Technologies and
   Communication Systems" (InfoTeCS JSC).  GOST R 34.12-2015 was
   approved and introduced by Decree #749 of the Federal Agency on
   Technical Regulating and Metrology on 19.06.2015.

   Terms and concepts in the specification comply with the following
   international standards:

   o  ISO/IEC 10116 [ISO-IEC10116],

   o  series of standards ISO/IEC 18033 [ISO-IEC18033-1],
      [ISO-IEC18033-3].

3.  Definitions and Notations

   The following terms and their corresponding definitions are used in
   the specification.

3.1.  Definitions

   encryption algorithm:  process which transforms plaintext into
      ciphertext (Clause 2.19 of [ISO-IEC18033-1]),

   decryption algorithm:  process which transforms ciphertext into
      plaintext (Clause 2.14 of [ISO-IEC18033-1]),

   basic block cipher:  block cipher which for a given key provides a
      single invertible mapping of the set of fixed-length plaintext
      blocks into ciphertext blocks of the same length,

   block:  string of bits of a defined length (Clause 2.6 of
      [ISO-IEC18033-1]),

   block cipher:  symmetric encipherment system with the property that
      the encryption algorithm operates on a block of plaintext, i.e. a
      string of bits of a defined length, to yield a block of ciphertext
      (Clause 2.7 of [ISO-IEC18033-1]),

      Note: In GOST R 34.12-2015, it is established that the terms
      "block cipher" and "block encryption algorithm" are synonyms.

   encryption:  reversible transformation of data by a cryptographic
      algorithm to produce ciphertext, i.e., to hide the information
      content of the data (Clause 2.18 of [ISO-IEC18033-1]),

   round key:  sequence of symbols which is calculated from the key
      and controls a transformation for one round of a block cipher,

   key:  sequence of symbols that controls the operation of a
      cryptographic transformation (e.g., encipherment, decipherment)
      (Clause 2.21 of [ISO-IEC18033-1]),

      Note: In GOST R 34.12-2015, the key must be a binary sequence.

   plaintext:  unencrypted information (Clause 3.11 of
      [ISO-IEC10116]),

   key schedule:  calculation of round keys from the key,

   decryption:  reversal of a corresponding encipherment (Clause 2.13
      of [ISO-IEC18033-1]),

   symmetric cryptographic technique:  cryptographic technique that
      uses the same secret key for both the originator's and the
      recipient's transformation (Clause 2.32 of [ISO-IEC18033-1]),

   cipher:  alternative term for encipherment system (Clause 2.20 of
      [ISO-IEC18033-1]),

   ciphertext:  data which has been transformed to hide its
      information content (Clause 3.3 of [ISO-IEC10116]).

3.2.  Notations

   The following notations are used in the specification:

   V*  the set of all binary vector-strings of a finite length
      (hereinafter referred to as the strings) including the empty
      string,

   V_s  the set of all binary strings of length s, where s is a
      non-negative integer; substrings and string components are
      enumerated from right to left starting from zero,

   U[*]W  direct (Cartesian) product of two sets U and W,

   |A|  the number of components (the length) of a string A
      belonging to V* (if A is an empty string, then |A| = 0),

   A||B  concatenation of strings A and B both belonging to V*,
      i.e., a string from V_(|A|+|B|), where the left substring from
      V_|A| is equal to A and the right substring from V_|B| is equal to
      B,

   A<<<_11  cyclic rotation of string A belonging to V_32 by 11
      components in the direction of components having greater indices,

   Z_(2^n)  ring of residues modulo 2^n,

   (xor)  exclusive-or of the two binary strings of the same length,

   [+]  addition in the ring Z_(2^32)

   Vec_s: Z_(2^s) -> V_s  bijective mapping which maps an element from
      ring Z_(2^s) into its binary representation, i.e., for an element
      z of the ring Z_(2^s), represented by the residue z_0 + (2*z_1) +
      ... + (2^(s-1)*z_(s-1)), where z_i in {0, 1}, i = 0, ..., n-1, the
      equality Vec_s(z) = z_(s-1)||...||z_1||z_0 holds,

   Int_s: V_s -> Z_(2^s)  the mapping inverse to the mapping Vec_s,
      i.e., Int_s = Vec_s^(-1),

   PS  composition of mappings, where the mapping S applies first,

   P^s  composition of mappings P^(s-1) and P, where P^1=P,

4.  Parameter Values

4.1.  Nonlinear Bijection

   The bijective nonlinear mapping is a set of substitutions:

   Pi_i = Vec_4 Pi'_i Int_4: V_4 -> V_4,

   where

   Pi'_i: Z_(2^4) -> Z_(2^4), i = 0, 1, ..., 7.

   The values of the substitution Pi' are specified below as arrays

   Pi'_i = (Pi'_i(0), Pi'_i(1), ... , Pi'_i(15)), i = 0, 1, ..., 7:

   Pi'_0 = (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1);
   Pi'_1 = (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15);
   Pi'_2 = (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0);
   Pi'_3 = (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11);
   Pi'_4 = (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12);
   Pi'_5 = (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0);
   Pi'_6 = (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7);
   Pi'_7 = (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2);

4.2.  Transformations

   The following transformations are applicable for encryption and
   decryption algorithms:

   t: V_32 -> V_32  t(a) = t(a_7||...||a_0) = Pi_7(a_7)||...||Pi_0(a_0),
      where a=a_7||...||a_0 belongs to V_32, a_i belongs to V_4, i=0, 1,
      ..., 7;

   g[k]: V_32 -> V_32  g[k](a) = (t(Vec_32(Int_32(a) [+] Int_32(k))))
      <<<_11, where k, a belong to V_32;

   G[k]: V_32[*]V_32 -> V_32[*]V_32  G[k](a_1, a_0) = (a_0, g[k](a_0)
      (xor) a_1), where k, a_0, a_1 belong to V_32;

   G^*[k]: V_32[*]V_32 -> V_64  G^*[k](a_1, a_0) = (g[k](a_0) (xor)
      a_1) || a_0, where k, a_0, a_1 belong to V_32.

4.3.  Key Schedule

   Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from
   key K=k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1,
   ..., 255, as follows:

   K_1=k_255||...||k_224;
   K_2=k_223||...||k_192;
   K_3=k_191||...||k_160;
   K_4=k_159||...||k_128;
   K_5=k_127||...||k_96;
   K_6=k_95||...||k_64;
   K_7=k_63||...||k_32;
   K_8=k_31||...||k_0;
   K_(i+8)=K_i, i = 1, 2, ..., 8;
   K_(i+16)=K_i, i = 1, 2, ..., 8;
   K_(i+24)=K_(9-i), i = 1, 2, ..., 8.

5.  Basic Encryption Algorithm

5.1.  Encryption

   Depending on the values of round keys K_1,...,K_32, the encryption
   algorithm is a substitution E_(K_1,...,K_32) defined as follows:

   E_(K_1,...,K_32)(a)=G^*[K_32]G[K_31]...G[K_2]G[K_1](a_1, a_0),

   where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.

5.2.  Decryption

   Depending on the values of round keys K_1,...,K_32, the decryption
   algorithm is a substitution D_(K_1,...,K_32) defined as follows:

   D_(K_1,...,K_32)(a)=G^*[K_1]G[K_2]...G[K_31]G[K_32](a_1, a_0),

   where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.

6.  IANA Considerations

   This memo includes no request to IANA.

7.  Security Considerations

   This entire document is about security considerations.

   Unlike [RFC5830] (GOST 28147-89), but like [RFC7801] this
   specification does not define exact block modes which should be used
   together with updated Magma cipher.  One is free to select block
   modes depending on the protocol and necessity.

8.  References

8.1.  Normative References

   [GOSTR3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic data security.
              Block ciphers. GOST R 34.12-2015", 2015.

   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

8.2.  Informative References

   [GOST28147-89]
              Government Committee of the USSR for Standards,
              ""Cryptographic Protection for Data Processing System",
              GOST 28147-89, Gosudarstvennyi Standard of USSR", 1989.

   [ISO-IEC10116]
              ISO-IEC, "Information technology - Security techniques -
              Modes of operation for an n-bit block cipher, ISO-IEC
              10116", 2006.

   [ISO-IEC18033-1]
              ISO-IEC, "Information technology - Security techniques -
              Encryption algorithms - Part 1: General, ISO-IEC 18033-1",
              2013.

   [ISO-IEC18033-3]
              ISO-IEC, "Information technology - Security techniques -
              Encryption algorithms - Part 3: Block ciphers, ISO-IEC
              18033-3", 2010.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016.

Appendix A.  Test Examples

   This section is for information only and is not a normative part of
   the specification.

A.1.  Transformation t

   t(fdb97531) = 2a196f34,
   t(2a196f34) = ebd9f03a,
   t(ebd9f03a) = b039bb3d,
   t(b039bb3d) = 68695433.

A.2.  Transformation g

   g[87654321](fedcba98) = fdcbc20c,
   g[fdcbc20c](87654321) = 7e791a4b,
   g[7e791a4b](fdcbc20c) = c76549ec,
   g[c76549ec](7e791a4b) = 9791c849.

A.3.  Key schedule

   With key set to

   K = ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff,

   following round keys are generated:

   K_1 = ffeeddcc,
   K_2 = bbaa9988,
   K_3 = 77665544,
   K_4 = 33221100,
   K_5 = f0f1f2f3,
   K_6 = f4f5f6f7,
   K_7 = f8f9fafb,
   K_8 = fcfdfeff,

   K_9 = ffeeddcc,
   K_10 = bbaa9988,
   K_11 = 77665544,
   K_12 = 33221100,
   K_13 = f0f1f2f3,
   K_14 = f4f5f6f7,
   K_15 = f8f9fafb,
   K_16 = fcfdfeff,

   K_17 = ffeeddcc,
   K_18 = bbaa9988,
   K_19 = 77665544,
   K_20 = 33221100,
   K_21 = f0f1f2f3,
   K_22 = f4f5f6f7,
   K_23 = f8f9fafb,
   K_24 = fcfdfeff,

   K_25 = fcfdfeff,
   K_26 = f8f9fafb,
   K_27 = f4f5f6f7,
   K_28 = f0f1f2f3,
   K_29 = 33221100,
   K_30 = 77665544,
   K_31 = bbaa9988,
   K_32 = ffeeddcc.

A.4.  Test Encryption

   In this test example, encryption is performed on the round keys
   specified in clause A.3.  Let the plaintext be

   a = fedcba9876543210,

   then

   (a_1, a_0) = (fedcba98, 76543210),
   G[K_1](a_1, a_0) = (76543210, 28da3b14),
   G[K_2]G[K_1](a_1, a_0) = (28da3b14, b14337a5),
   G[K_3]...G[K_1](a_1, a_0) = (b14337a5, 633a7c68),
   G[K_4]...G[K_1](a_1, a_0) = (633a7c68, ea89c02c),
   G[K_5]...G[K_1](a_1, a_0) = (ea89c02c, 11fe726d),
   G[K_6]...G[K_1](a_1, a_0) = (11fe726d, ad0310a4),
   G[K_7]...G[K_1](a_1, a_0) = (ad0310a4, 37d97f25),
   G[K_8]...G[K_1](a_1, a_0) = (37d97f25, 46324615),
   G[K_9]...G[K_1](a_1, a_0) = (46324615, ce995f2a),
   G[K_10]...G[K_1](a_1, a_0) = (ce995f2a, 93c1f449),
   G[K_11]...G[K_1](a_1, a_0) = (93c1f449, 4811c7ad),
   G[K_12]...G[K_1](a_1, a_0) = (4811c7ad, c4b3edca),
   G[K_13]...G[K_1](a_1, a_0) = (c4b3edca, 44ca5ce1),
   G[K_14]...G[K_1](a_1, a_0) = (44ca5ce1, fef51b68),
   G[K_15]...G[K_1](a_1, a_0) = (fef51b68, 2098cd86),
   G[K_16]...G[K_1](a_1, a_0) = (2098cd86, 4f15b0bb),
   G[K_17]...G[K_1](a_1, a_0) = (4f15b0bb, e32805bc),
   G[K_18]...G[K_1](a_1, a_0) = (e32805bc, e7116722),
   G[K_19]...G[K_1](a_1, a_0) = (e7116722, 89cadf21),
   G[K_20]...G[K_1](a_1, a_0) = (89cadf21, bac8444d),
   G[K_21]...G[K_1](a_1, a_0) = (bac8444d, 11263a21),
   G[K_22]...G[K_1](a_1, a_0) = (11263a21, 625434c3),
   G[K_23]...G[K_1](a_1, a_0) = (625434c3, 8025c0a5),
   G[K_24]...G[K_1](a_1, a_0) = (8025c0a5, b0d66514),
   G[K_25]...G[K_1](a_1, a_0) = (b0d66514, 47b1d5f4),
   G[K_26]...G[K_1](a_1, a_0) = (47b1d5f4, c78e6d50),
   G[K_27]...G[K_1](a_1, a_0) = (c78e6d50, 80251e99),
   G[K_28]...G[K_1](a_1, a_0) = (80251e99, 2b96eca6),
   G[K_29]...G[K_1](a_1, a_0) = (2b96eca6, 05ef4401),
   G[K_30]...G[K_1](a_1, a_0) = (05ef4401, 239a4577),
   G[K_31]...G[K_1](a_1, a_0) = (239a4577, c2d8ca3d).

   Then the ciphertext is

   b = G^*[K_32]G[K_31]...G[K_1](a_1, a_0) = 4ee901e5c2d8ca3d.

A.5.  Test Decryption

   In this test example, decryption is performed on the round keys
   specified in clause A.3.  Let the ciphertext be

   b = 4ee901e5c2d8ca3d,

   then

   (b_1, b_0) = (4ee901e5, c2d8ca3d),
   G[K_32](b_1, b_0) = (c2d8ca3d, 239a4577),
   G[K_31]G[K_32](b_1, b_0) = (239a4577, 05ef4401),
   G[K_30]...G[K_32](b_1, b_0) = (05ef4401, 2b96eca6),
   G[K_29]...G[K_32](b_1, b_0) = (2b96eca6, 80251e99),
   G[K_28]...G[K_32](b_1, b_0) = (80251e99, c78e6d50),
   G[K_27]...G[K_32](b_1, b_0) = (c78e6d50, 47b1d5f4),
   G[K_26]...G[K_32](b_1, b_0) = (47b1d5f4, b0d66514),
   G[K_25]...G[K_32](b_1, b_0) = (b0d66514, 8025c0a5),
   G[K_24]...G[K_32](b_1, b_0) = (8025c0a5, 625434c3),
   G[K_23]...G[K_32](b_1, b_0) = (625434c3, 11263a21),
   G[K_22]...G[K_32](b_1, b_0) = (11263a21, bac8444d),
   G[K_21]...G[K_32](b_1, b_0) = (bac8444d, 89cadf21),
   G[K_20]...G[K_32](b_1, b_0) = (89cadf21, e7116722),
   G[K_19]...G[K_32](b_1, b_0) = (e7116722, e32805bc),
   G[K_18]...G[K_32](b_1, b_0) = (e32805bc, 4f15b0bb),
   G[K_17]...G[K_32](b_1, b_0) = (4f15b0bb, 2098cd86),
   G[K_16]...G[K_32](b_1, b_0) = (2098cd86, fef51b68),
   G[K_15]...G[K_32](b_1, b_0) = (fef51b68, 44ca5ce1),
   G[K_14]...G[K_32](b_1, b_0) = (44ca5ce1, c4b3edca),
   G[K_13]...G[K_32](b_1, b_0) = (c4b3edca, 4811c7ad),
   G[K_12]...G[K_32](b_1, b_0) = (4811c7ad, 93c1f449),
   G[K_11]...G[K_32](b_1, b_0) = (93c1f449, ce995f2a),
   G[K_10]...G[K_32](b_1, b_0) = (ce995f2a, 46324615),
   G[K_9]...G[K_32](b_1, b_0) = (46324615, 37d97f25),
   G[K_8]...G[K_32](b_1, b_0) = (37d97f25, ad0310a4),
   G[K_7]...G[K_32](b_1, b_0) = (ad0310a4, 11fe726d),
   G[K_6]...G[K_32](b_1, b_0) = (11fe726d, ea89c02c),
   G[K_5]...G[K_32](b_1, b_0) = (ea89c02c, 633a7c68),
   G[K_4]...G[K_32](b_1, b_0) = (633a7c68, b14337a5),
   G[K_3]...G[K_32](b_1, b_0) = (b14337a5, 28da3b14),
   G[K_2]...G[K_32](b_1, b_0) = (28da3b14, 76543210).

   Then the plaintext is

   a = G^*[K_1]G[K_2]...G[K_32](b_1, b_0) = fedcba9876543210.

Appendix B.  Background

   This specification is a translation of relevant parts of
   [GOSTR3412-2015] standard.  The order of terms in both parts of
   Section 3 comes from original text.  If one combines [RFC7801] with
   this document, one will have a complete translation of
   [GOSTR3412-2015] into English.

   Algorithmically, Magma is a variation of block cipher defined in
   [RFC5830] ([GOST28147-89]) with the following clarifications and
   minor modifications:

   1.  S-BOX set is fixed at id-tc26-gost-28147-param-Z (See Appendix C
       of [RFC7836]);

   2.  key is parsed as a single big-endian integer (compared to little-
       endian approach used in [GOST28147-89]), which results in
       different subkey values being used;

   3.  data bytes are also parsed as single big-endian integer (instead
       of being parsed as little-endian integer).
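
   Added example (not part of the draft or of GOST R 34.12-2015): a
   Python implementation of the transformations in Sections 4 and 5,
   checked against the Appendix A values.  The function and constant
   names are chosen for this example; key and block bytes are read as
   big-endian integers, as items 2 and 3 of Appendix B describe.

```python
"""Magma (GOST R 34.12-2015, n=64, k=256) single-block primitive.
Added illustration: function names are this example's, not the draft's."""

# Pi'_0 .. Pi'_7 copied from Section 4.1.
PI = (
    (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1),
    (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15),
    (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0),
    (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11),
    (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12),
    (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0),
    (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7),
    (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2),
)
MASK32 = 0xFFFFFFFF
# Key and plaintext/ciphertext pair from Appendix A.3 - A.5.
TEST_KEY = bytes.fromhex(
    "ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")
TEST_PT = bytes.fromhex("fedcba9876543210")
TEST_CT = bytes.fromhex("4ee901e5c2d8ca3d")

def t(a):
    """t: substitute each 4-bit component a_i through Pi_i (a_0 is lowest)."""
    out = 0
    for i in range(8):
        out |= PI[i][(a >> (4 * i)) & 0xF] << (4 * i)
    return out

def g(k, a):
    """g[k](a): add k modulo 2^32, apply t, rotate left by 11 bits."""
    x = t((a + k) & MASK32)
    return ((x << 11) | (x >> 21)) & MASK32

def key_schedule(key):
    """K_1..K_32: eight big-endian words, three times, then in reverse."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes (k = 256 bits)")
    k = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(8)]
    return k * 3 + k[::-1]

def _rounds(block, round_keys):
    """31 applications of G, then G^* (same update, halves not swapped)."""
    if len(block) != 8:
        raise ValueError("block must be 8 bytes (n = 64 bits)")
    a1 = int.from_bytes(block[:4], "big")
    a0 = int.from_bytes(block[4:], "big")
    for k in round_keys[:31]:
        a1, a0 = a0, g(k, a0) ^ a1
    a1 ^= g(round_keys[31], a0)
    return a1.to_bytes(4, "big") + a0.to_bytes(4, "big")

def encrypt_block(key, block):
    """E: round keys applied in the order K_1, ..., K_32."""
    return _rounds(block, key_schedule(key))

def decrypt_block(key, block):
    """D: the same rounds with the key order reversed, K_32, ..., K_1."""
    return _rounds(block, key_schedule(key)[::-1])

if __name__ == "__main__":
    assert t(0xfdb97531) == 0x2a196f34                   # A.1
    assert g(0x87654321, 0xfedcba98) == 0xfdcbc20c       # A.2
    assert encrypt_block(TEST_KEY, TEST_PT) == TEST_CT   # A.4
    assert decrypt_block(TEST_KEY, TEST_CT) == TEST_PT   # A.5
    print("Appendix A vectors reproduce")
```

   This is the single-block primitive only; as Section 7 notes, the
   specification defines no block mode, so one has to be chosen
   separately.  The substitution lookups are indexed by key-dependent
   data, so this code is not constant-time.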

Authors' Addresses

   Vasily Dolmatov (editor)
   JSC "NPK Kryptonite"
   Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite"
   Moscow  105082
   Russian Federation

   Email: vdolmatov@gmail.com


   Dmitry Eremin-Solenikov
   Auriga, Inc
   Torfyanaya Doroga, 7F, office 1410
   Saint-Petersburg  197374
   Russian Federation

   Email: dbaryshkov@gmail.com