Network Working Group                                  S. Smyshlyaev, Ed.
Internet-Draft                                               E. Alekseev
Intended status: Informational                                 I. Oshkin
Expires: June 30, 2016                                          V. Popov
                                                             S. Leontiev
                                                              CRYPTO-PRO
                                                             V. Podobaev
                                                               FACTOR-TS
                                                            D. Belyavsky
                                                                     TCI
                                                       December 28, 2015

    Guidelines on the Cryptographic Algorithms, Accompanying the Usage of
             Standards GOST R 34.10-2012 and GOST R 34.11-2012
                      draft-smyshlyaev-gost-usage-19

Abstract

   The purpose of this document is to make the specifications of the cryptographic algorithms defined by the Russian national standards GOST R 34.10-2012 and GOST R 34.11-2012 available to the Internet community for their implementation in the cryptographic protocols based on the accompanying algorithms.

   These specifications define the pseudorandom functions, the key agreement algorithm based on the Diffie-Hellman algorithm and a hash function, the parameters of elliptic curves, the key derivation functions and the key export functions.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 30, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
   Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions used in this document
   3.  Basic terms, definitions and notations
   4.  Algorithm descriptions
     4.1.  HMAC functions
     4.2.  Pseudorandom functions
     4.3.  VKO algorithms for key agreement
     4.4.  The key derivation function KDF_TREE_GOSTR3411_2012_256
     4.5.  The key derivation function KDF_GOSTR3411_2012_256
     4.6.  Key wrap and key unwrap
   5.  The parameters of elliptic curves
     5.1.  Canonical form
     5.2.  Twisted Edwards form
   6.  Acknowledgments
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Values of the parameter sets
     A.1.  Canonical form parameters
     A.2.  Twisted Edwards form parameters
   Appendix B.  Test examples
   Appendix C.  GOST 28147-89 parameter set
   Authors' Addresses

1.  Introduction

   The accompanying algorithms are intended for use in the implementation of cryptographic protocols. This memo contains a description of the accompanying algorithms based on the Russian national standards GOST R 34.10-2012 [GOST3410-2012] and GOST R 34.11-2012 [GOST3411-2012].

   The English versions of these standards can be found in [RFC7091] and [RFC6986]; the English version of the encryption standard GOST 28147-89 [GOST28147-89] (which is used in the key export functions) can be found in [RFC5830].

   The specifications of algorithms and parameters proposed in this memo are provided on the basis of experience in the development of cryptographic protocols, as described in [RFC4357], [RFC4490] and [RFC4491].

   This memo describes the pseudorandom functions, the key agreement algorithm based on the Diffie-Hellman algorithm and a hash function, the parameters of elliptic curves, the key derivation functions, and the key export functions necessary to ensure interoperability of security protocols that make use of the Russian cryptographic standards GOST R 34.10-2012 [GOST3410-2012] (digital signature algorithm) and GOST R 34.11-2012 [GOST3411-2012] (cryptographic hash function).

2.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

3.  Basic terms, definitions and notations

   This document uses the following terms and definitions for the sets and operations on the elements of these sets:

   (xor)     exclusive-or of two binary vectors of the same length;

   V_n       the finite vector space over GF(2) of dimension n, n >= 0, with the (xor) operation; for n = 0 the V_0 space consists of a single empty element of size 0; if U is an element of V_n, then U = (u_(n-1), u_(n-2), ..., u_1, u_0), where u_i in {0, 1};

   V_(8, r)  the set of byte vectors of size r, r >= 0; for r = 0 the V_(8, r) set consists of a single empty element of size 0; if W is an element of V_(8, r), r > 0, then W = (w^0, w^1, ..., w^(r-1)), where w^0, w^1, ..., w^(r-1) are elements of V_8;

   Bit representation
             the bit representation of the element W = (w^0, w^1, ..., w^(r-1)) of V_(8, r) is the element (w_(8r-1), w_(8r-2), ..., w_1, w_0) of V_(8*r), where w^0 = (w_7, w_6, ..., w_0), w^1 = (w_15, w_14, ..., w_8), ..., w^(r-1) = (w_(8r-1), w_(8r-2), ..., w_(8r-8)) are elements of V_8;

   Byte representation
             if n is a multiple of 8, r = n/8, then the byte representation of the element W = (w_(n-1), w_(n-2), ..., w_0) of V_n is the byte vector (w^0, w^1, ..., w^(r-1)) of V_(8, r), where w^0 = (w_7, w_6, ..., w_0), w^1 = (w_15, w_14, ..., w_8), ..., w^(r-1) = (w_(8r-1), w_(8r-2), ..., w_(8r-8)) are elements of V_8;

   A|B       concatenation of byte vectors A and B, i.e., if A in V_(8, r1), B in V_(8, r2), A = (a^0, a^1, ..., a^(r1-1)) and B = (b^0, b^1, ..., b^(r2-1)), then A|B = (a^0, a^1, ..., a^(r1-1), b^0, b^1, ..., b^(r2-1)) is an element of V_(8, r1+r2);

   K (key)   an arbitrary element of V_n; if K in V_n, then its size (in bits) is equal to n, where n can be an arbitrary natural number.
   This memo uses the following abbreviations and symbols:

   +---------+---------------------------------------------------------+
   | Symbols | Meaning                                                 |
   +---------+---------------------------------------------------------+
   | H_256   | GOST R 34.11-2012 hash function with 256-bit output     |
   |         |                                                         |
   | H_512   | GOST R 34.11-2012 hash function with 512-bit output     |
   |         |                                                         |
   | HMAC    | a function for calculating a message authentication    |
   |         | code, based on a hash function in accordance with       |
   |         | [RFC2104]                                               |
   |         |                                                         |
   | PRF     | a pseudorandom function, i.e., a transformation that    |
   |         | generates a pseudorandom sequence of bytes              |
   |         |                                                         |
   | KDF     | a key derivation function, i.e., a transformation that  |
   |         | derives keys and keying material from the root key and  |
   |         | additional input using a pseudorandom function          |
   |         |                                                         |
   | VKO     | a key agreement algorithm based on the Diffie-Hellman   |
   |         | algorithm and a hash function.                          |
   +---------+---------------------------------------------------------+

   To generate a byte sequence of size r with a function that gives a longer output, the output is truncated to its first r bytes. This remark applies to the following functions:

   o  the functions described in Section 4.2;

   o  KDF_TREE_GOSTR3411_2012_256 described in Section 4.4;

   o  KDF_GOSTR3411_2012_256 described in Section 4.5.

   Hereinafter all data are provided in byte representation unless otherwise specified.

   If a function is defined outside this document (e.g., H_256) and its definition requires arguments in bit representation, it is assumed that the bit representations of the arguments are formed immediately before the calculation of the function (in particular, immediately after the application of the operation (|) to the byte representation of the arguments).
   If the output of another function defined outside this document is used as an argument of the functions defined below and that output is in bit representation, it is assumed that the output MUST have a length that is a multiple of 8 and that it will be translated into byte representation beforehand.

   When a point on an elliptic curve is given as an input to a hash function, its affine coordinates in short Weierstrass form are used (see Section 5): the x coordinate value is fed first and the y coordinate value second, both in little-endian format.

4.  Algorithm descriptions

4.1.  HMAC functions

   This section defines the HMAC transformations based on the GOST R 34.11-2012 [GOST3411-2012] algorithm.

4.1.1.  HMAC_GOSTR3411_2012_256

   This HMAC transformation is based on the GOST R 34.11-2012 [GOST3411-2012] hash function with 256-bit output. The object identifier of this transformation is shown below:

      id-tc26-hmac-gost-3411-12-256 ::= {iso(1) member-body(2) ru(643)
         rosstandart(7) tc26(1) algorithms(1) mac(4)
         hmac-gost-3411-12-256(1)}.

   This algorithm uses H_256 as the hash function for HMAC, described in [RFC2104]. The method of forming the values of ipad and opad is also specified in [RFC2104]. The size of the HMAC_GOSTR3411_2012_256 output is equal to 32 bytes, and the block size of the iterative procedure for the H_256 compression function is equal to 64 bytes (in the notation of [RFC2104], L = 32 and B = 64, respectively).

4.1.2.  HMAC_GOSTR3411_2012_512

   This HMAC transformation is based on the GOST R 34.11-2012 [GOST3411-2012] hash function with 512-bit output. The object identifier of this transformation is shown below:

      id-tc26-hmac-gost-3411-12-512 ::= {iso(1) member-body(2) ru(643)
         rosstandart(7) tc26(1) algorithms(1) mac(4)
         hmac-gost-3411-12-512(2)}.

   This algorithm uses H_512 as the hash function for HMAC, described in [RFC2104].
   The method of forming the values of ipad and opad is also specified in [RFC2104]. The size of the HMAC_GOSTR3411_2012_512 output is equal to 64 bytes, and the block size of the iterative procedure for the H_512 compression function is equal to 64 bytes (in the notation of [RFC2104], L = 64 and B = 64, respectively).

4.2.  Pseudorandom functions

   This section defines four HMAC-based PRF transformations recommended for usage. Two of them are designed for the TLS protocol and two are designed for the IPsec protocol.

4.2.1.  PRFs for the TLS protocol

4.2.1.1.  PRF_TLS_GOSTR3411_2012_256

   This is the transformation providing the pseudorandom function for the TLS protocol (version 1.0 and higher) in accordance with GOST R 34.11-2012 [GOST3411-2012]. It uses the P_GOSTR3411_2012_256 function, which is similar to the P_hash function defined in Section 5 of [RFC5246], where the HMAC_GOSTR3411_2012_256 function (defined in Section 4.1.1 of this document) is used as the HMAC_hash function.

      PRF_TLS_GOSTR3411_2012_256 (secret, label, seed) =
         = P_GOSTR3411_2012_256 (secret, label | seed).

   Label and seed values MUST be assigned by a protocol; their lengths SHOULD be fixed by a protocol in order to avoid possible collisions.

4.2.1.2.  PRF_TLS_GOSTR3411_2012_512

   This is the transformation providing the pseudorandom function for the TLS protocol (version 1.0 and higher) in accordance with GOST R 34.11-2012 [GOST3411-2012]. It uses the P_GOSTR3411_2012_512 function, which is similar to the P_hash function defined in Section 5 of [RFC5246], where the HMAC_GOSTR3411_2012_512 function (defined in Section 4.1.2 of this document) is used as the HMAC_hash function.

      PRF_TLS_GOSTR3411_2012_512 (secret, label, seed) =
         = P_GOSTR3411_2012_512 (secret, label | seed).
   Label and seed values MUST be assigned by a protocol; their lengths SHOULD be fixed by a protocol in order to avoid possible collisions.

4.2.2.  PRFs for the IKEv2 protocol based on GOST R 34.11-2012

   The specification for the Internet Key Exchange protocol version 2 (IKEv2) [RFC7296] defines the usage of PRFs in various parts of the protocol for the purposes of keying material generation and authentication.

   IKEv2 has no default PRF. This document specifies that HMAC_GOSTR3411_2012_256 may be used as the "prf" function in the "prf+" function for the IKEv2 protocol (PRF_IPSEC_PRFPLUS_GOSTR3411_2012_256). This document also specifies that HMAC_GOSTR3411_2012_512 may be used as the "prf" function in the "prf+" function for the IKEv2 protocol (PRF_IPSEC_PRFPLUS_GOSTR3411_2012_512).

4.3.  VKO algorithms for key agreement

   This section specifies the key agreement algorithms based on GOST R 34.10-2012 [GOST3410-2012].

4.3.1.  VKO_GOSTR3410_2012_256

   The VKO_GOSTR3410_2012_256 transformation is used for agreement of 256-bit keys and is based on the 256-bit version of GOST R 34.11-2012 [GOST3411-2012]. This algorithm can be applied for key agreement using GOST R 34.10-2012 [GOST3410-2012] with 256-bit or 512-bit private keys.

   The algorithm is designed to produce an encryption key or keying material of size 256 bits to be used in various cryptographic protocols. A key or keying material KEK_VKO (x, y, UKM) is produced from the private key x of one side, the public key y*P of the opposite side and the UKM value, considered as an integer.

   The algorithm can be used for static and ephemeral keys with public key size n >= 512 bits, including the case where one side uses a static key and the other uses an ephemeral one.

   The UKM parameter is optional (the default UKM = 1) and can take any integer value from 1 to 2^(n/2)-1.
   It is allowed to use a nonzero UKM of an arbitrary size not exceeding n/2 bits. If at least one of the parties uses static keys, the RECOMMENDED length of UKM is 64 bits or more.

   KEK_VKO (x, y, UKM) is calculated using the formulas

      KEK_VKO (x, y, UKM) = H_256 (K (x, y, UKM)),

      K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P),

   where m and q are the parameters of an elliptic curve defined in the GOST R 34.10-2012 [GOST3410-2012] standard (m is the order of the elliptic curve points group, q is the order of a cyclic subgroup), and P is a nonzero point of the subgroup; P is defined by a protocol.

   This algorithm is defined similarly to the one specified in Section 5.2 of [RFC4357], but applies the hash function H_256 instead of the hash function GOST R 34.11-94 [GOST3411-94] (referred to as gostR3411). In addition, K(x, y, UKM) is calculated with public key size n >= 512 bits and UKM has a size of up to n/2 bits.

4.3.2.  VKO_GOSTR3410_2012_512

   The VKO_GOSTR3410_2012_512 transformation is used for agreement of 512-bit keys and is based on the 512-bit version of GOST R 34.11-2012 [GOST3411-2012]. This algorithm can be applied for key agreement using GOST R 34.10-2012 [GOST3410-2012] with 512-bit private keys.

   The algorithm is designed to produce an encryption key or keying material of size 512 bits to be used in various cryptographic protocols. A key or keying material KEK_VKO (x, y, UKM) is produced from the private key x of one side, the public key y*P of the opposite side and the UKM value, considered as an integer.

   The algorithm can be used for static and ephemeral keys with public key size n >= 1024 bits, including the case where one side uses a static key and the other uses an ephemeral one.

   The UKM parameter is optional (the default UKM = 1) and can take any integer value from 1 to 2^(n/2)-1.
   It is allowed to use a nonzero UKM of an arbitrary size not exceeding n/2 bits. If at least one of the parties uses static keys, the RECOMMENDED length of UKM is 128 bits or more.

   KEK_VKO (x, y, UKM) is calculated using the formulas

      KEK_VKO (x, y, UKM) = H_512 (K (x, y, UKM)),

      K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P),

   where m and q are the parameters of an elliptic curve defined in the GOST R 34.10-2012 [GOST3410-2012] standard (m is the order of the elliptic curve points group, q is the order of a cyclic subgroup), and P is a nonzero point of the subgroup; P is defined by a protocol.

   This algorithm is defined similarly to the one specified in Section 5.2 of [RFC4357], but applies the hash function H_512 instead of the hash function GOST R 34.11-94 [GOST3411-94] (referred to as gostR3411). In addition, K(x, y, UKM) is calculated with public key size n >= 1024 bits and UKM has a size of up to n/2 bits.

4.4.  The key derivation function KDF_TREE_GOSTR3411_2012_256

   The key derivation function KDF_TREE_GOSTR3411_2012_256 based on the HMAC_GOSTR3411_2012_256 function is given by:

      KDF_TREE_GOSTR3411_2012_256 (K_in, label, seed, R) =
         K(1) | K(2) | K(3) | K(4) | ...,

      K(i) = HMAC_GOSTR3411_2012_256 (K_in, [i]_b | label | 0x00 | seed | [L]_b), i >= 1,

   where

   K_in         derivation key;

   label, seed  the parameters that MUST be assigned by a protocol; their lengths SHOULD be fixed by a protocol;

   R            a fixed external parameter, with possible values of 1, 2, 3 or 4;

   i            iteration counter;

   [i]_b        byte representation of the iteration counter (in network byte order); the number of bytes in the representation [i]_b is equal to R (no more than 4 bytes);

   L            the required size (in bits) of the generated keying material (an integer, not exceeding 256*(2^(8*R)-1));

   [L]_b        byte representation of L, in network byte order (variable length: no leading zero bytes added).
   The key derivation function KDF_TREE_GOSTR3411_2012_256 is intended for generating keying material of size L, not exceeding 256*(2^(8*R)-1) bits, and utilizes the general principles of input and output for key derivation functions outlined in Section 5.1 of NIST SP 800-108 [NISTSP800-108]. The HMAC_GOSTR3411_2012_256 algorithm described in Section 4.1.1 is selected as the pseudorandom function.

   Each key derived from the keying material formed using the derivation key K_in (0-level key) may be a 1-level derivation key and may be used to generate new keying material. The keying material derived from a 1-level derivation key can be split into 2nd-level derivation keys. Applying this procedure leads to the construction of a key tree with the root key and the formation of keying material for the hierarchy of levels, as described in Section 6 of NIST SP 800-108 [NISTSP800-108]. The partitioning procedure for keying material at each level is defined in accordance with a specific protocol.

4.5.  The key derivation function KDF_GOSTR3411_2012_256

   The KDF_GOSTR3411_2012_256 function is equivalent to the function KDF_TREE_GOSTR3411_2012_256 with R = 1, L = 256, and is given by:

      KDF_GOSTR3411_2012_256 (K_in, label, seed) =
         HMAC_GOSTR3411_2012_256 (K_in, 0x01 | label | 0x00 | seed | 0x01 | 0x00),

   where

   K_in         derivation key;

   label, seed  the parameters that MUST be assigned by a protocol; their lengths SHOULD be fixed by a protocol.

4.6.  Key wrap and key unwrap

   The wrapped representation of a secret key K (a 256-bit GOST 28147-89 [GOST28147-89] key, or a 256-bit or 512-bit GOST R 34.10-2012 [GOST3410-2012] private key) is formed as follows, using a given export key K_e (a GOST 28147-89 [GOST28147-89] key) and a random seed vector:

   1.  Generate a random seed vector from 8 up to 16 bytes.

   2.  With the key derivation function, using the export key K_e as the derivation key, produce a key KEK_e (K_e, seed), where

          KEK_e (K_e, seed) = KDF_GOSTR3411_2012_256 (K_e, label, seed),

       where the KDF_GOSTR3411_2012_256 function (see Section 4.5) is used as the key derivation function for the fixed label value

          label = (0x26 | 0xBD | 0xB8 | 0x78).

   3.  The GOST 28147-89 [GOST28147-89] MAC value (4 bytes) for the data K and the key KEK_e (K_e, seed) is calculated; the initialization vector (IV) in this case is equal to the first 8 bytes of seed. The resulting value is denoted as CEK_MAC.

   4.  The key K is encrypted with the GOST 28147-89 [GOST28147-89] algorithm in the Electronic Codebook (ECB) mode with the key KEK_e (K_e, seed). The result is denoted as CEK_ENC.

   5.  The wrapped representation of the key is (seed | CEK_ENC | CEK_MAC).

   The value of the key K is restored from the wrapped representation of the key and the export key K_e as follows:

   1.  Obtain the seed, CEK_ENC and CEK_MAC values from the wrapped representation of the key.

   2.  With the key derivation function, using the export key K_e as the derivation key, produce a key KEK_e (K_e, seed), where

          KEK_e (K_e, seed) = KDF_GOSTR3411_2012_256 (K_e, label, seed),

       where the KDF_GOSTR3411_2012_256 function (see Section 4.5) is used as the key derivation function for the fixed label value

          label = (0x26 | 0xBD | 0xB8 | 0x78).

   3.  The CEK_ENC field is decrypted with the GOST 28147-89 [GOST28147-89] algorithm in the Electronic Codebook (ECB) mode with the key KEK_e (K_e, seed). The unwrapped key K is assumed to be equal to the result of decryption.

   4.  The GOST 28147-89 [GOST28147-89] MAC value (4 bytes) for the data K and the key KEK_e (K_e, seed) is calculated; the initialization vector (IV) in this case is equal to the first 8 bytes of seed. If the result is not equal to CEK_MAC, an error is returned.
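   As an added example (not code from the draft or its authors), the Python below implements the KDF_TREE_GOSTR3411_2012_256 framing of Section 4.4, its R = 1, L = 256 special case KDF_GOSTR3411_2012_256 of Section 4.5, and the KEK_e derivation with the fixed label from the key wrap steps above. Assumption: Python's hashlib has no GOST R 34.11-2012, so HMAC-SHA-256 stands in for HMAC_GOSTR3411_2012_256 (same L = 32 and B = 64), and the inputs K_IN, LABEL and SEED are constructed, not the Appendix B test vectors.

```python
import hashlib
import hmac


def hmac_h256(key: bytes, data: bytes) -> bytes:
    # STAND-IN (assumption of this example): HMAC-SHA-256 replaces
    # HMAC_GOSTR3411_2012_256 because hashlib ships no Streebog.  Both have
    # L = 32 and B = 64 in RFC 2104 notation, so the KDF framing below is
    # byte-for-byte the one in Section 4.4; only the hash differs.
    return hmac.new(key, data, hashlib.sha256).digest()


def kdf_tree_gostr3411_2012_256(k_in: bytes, label: bytes, seed: bytes,
                                r: int, l_bits: int, prf=hmac_h256) -> bytes:
    """KDF_TREE_GOSTR3411_2012_256 (K_in, label, seed, R) truncated to L bits.

    K(i) = HMAC(K_in, [i]_b | label | 0x00 | seed | [L]_b), i >= 1, where
    [i]_b is the counter in exactly R bytes (network order) and [L]_b is
    L in network order with no leading zero bytes.
    """
    if r not in (1, 2, 3, 4):
        raise ValueError("R must be 1, 2, 3 or 4")
    max_bits = 256 * (2 ** (8 * r) - 1)
    if not 0 < l_bits <= max_bits:
        raise ValueError(f"L must be in 1..{max_bits} bits for R={r}")
    # [L]_b: minimal big-endian encoding, e.g. L = 256 becomes 0x01 0x00.
    l_b = l_bits.to_bytes((l_bits.bit_length() + 7) // 8, "big")
    out = b""
    i = 1
    while len(out) * 8 < l_bits:
        i_b = i.to_bytes(r, "big")  # [i]_b, fixed width R
        out += prf(k_in, i_b + label + b"\x00" + seed + l_b)
        i += 1
    # Section 3: a longer output is truncated to its first bytes.
    return out[:(l_bits + 7) // 8]


def kdf_gostr3411_2012_256(k_in: bytes, label: bytes, seed: bytes,
                           prf=hmac_h256) -> bytes:
    """Section 4.5: the R = 1, L = 256 case written out with its constant
    bytes, HMAC(K_in, 0x01 | label | 0x00 | seed | 0x01 | 0x00)."""
    return prf(k_in, b"\x01" + label + b"\x00" + seed + b"\x01\x00")


# Fixed label of Section 4.6, step 2: label = (0x26 | 0xBD | 0xB8 | 0x78).
KEY_WRAP_LABEL = bytes.fromhex("26BDB878")


def kek_e(k_e: bytes, seed: bytes, prf=hmac_h256) -> bytes:
    """KEK_e (K_e, seed) = KDF_GOSTR3411_2012_256 (K_e, label, seed) for the
    key wrap; the seed is the 8..16-byte random vector of step 1."""
    if not 8 <= len(seed) <= 16:
        raise ValueError("seed must be 8 to 16 bytes")
    return kdf_gostr3411_2012_256(k_e, KEY_WRAP_LABEL, seed, prf)


# Constructed sample inputs (illustrative only, not Appendix B vectors).
K_IN = bytes(range(32))
LABEL = b"example label"
SEED = bytes.fromhex("0102030405060708")


def special_case_holds() -> bool:
    """Check that the Section 4.5 function equals the tree KDF at R=1, L=256."""
    return (kdf_gostr3411_2012_256(K_IN, LABEL, SEED)
            == kdf_tree_gostr3411_2012_256(K_IN, LABEL, SEED, 1, 256))


if __name__ == "__main__":
    print("R=1, L=256 special case holds:", special_case_holds())
    print("KEK_e:", kek_e(K_IN, SEED).hex())
```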
   The GOST 28147-89 [GOST28147-89] algorithm is used with the parameter set defined in Appendix C of this document.

5.  The parameters of elliptic curves

   This section defines the elliptic curve parameters and object identifiers that are RECOMMENDED for usage with the signature generation and verification algorithms of the digital signature in accordance with the GOST R 34.10-2012 [GOST3410-2012] standard and with the key agreement algorithms VKO_GOSTR3410_2012_256 and VKO_GOSTR3410_2012_512.

   This document does not preclude the use of other elliptic curve parameters.

5.1.  Canonical form

   This section defines the elliptic curve parameters of the GOST R 34.10-2012 [GOST3410-2012] standard for the case of elliptic curves with prime 512-bit moduli in canonical (short Weierstrass) form, given by the following equation defined in GOST R 34.10-2012 [GOST3410-2012]:

      y^2 = x^3 + ax + b (mod p).

   In the case of elliptic curves with 256-bit prime moduli, the parameters defined in [RFC4357] are proposed for use.

5.1.1.  Parameters and object identifiers

   The parameters for each elliptic curve are represented by the following values, which are defined in GOST R 34.10-2012 [GOST3410-2012]:

   p       the characteristic of the underlying prime field;

   a, b    the coefficients of the equation of the elliptic curve in the canonical form;

   m       the elliptic curve group order;

   q       the elliptic curve subgroup order;

   (x, y)  the coordinates of the point P (generator of the subgroup of order q) of the elliptic curve in the canonical form.

   Both sets of parameters are presented as ASN.1 structures of the form:

      SEQUENCE {
         p INTEGER,
         a INTEGER,
         b INTEGER,
         m INTEGER,
         q INTEGER,
         x INTEGER,
         y INTEGER
      }

   The parameter sets have the following object identifiers:

   1.  id-tc26-gost-3410-12-512-paramSetA ::= {iso(1) member-body(2) ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) gost-3410-12-512-constants(2) paramSetA(1)};

   2.  id-tc26-gost-3410-12-512-paramSetB ::= {iso(1) member-body(2) ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) gost-3410-12-512-constants(2) paramSetB(2)}.

   The corresponding values of the parameter sets can be found in Appendix A.1.

5.2.  Twisted Edwards form

   This section defines the elliptic curve parameters and object identifiers of the GOST R 34.10-2012 [GOST3410-2012] standard for the case of elliptic curves that have a representation in Twisted Edwards form with prime 256-bit and 512-bit moduli.

   A Twisted Edwards curve E over a finite prime field F_p, p > 3, is an elliptic curve defined by the equation:

      e*u^2 + v^2 = 1 + d*u^2*v^2 (mod p),

   where e, d are in F_p and ed(e-d) != 0.

   A Twisted Edwards curve has an equivalent representation in the short Weierstrass form defined by parameters a, b. The parameters a, b, e and d are related as follows:

      a = s^2 - 3*t^2 (mod p),
      b = 2*t^3 - t*s^2 (mod p),

   where

      s = (e - d)/4 (mod p),
      t = (e + d)/6 (mod p).

   Coordinate transformations are defined as follows:

      (u,v) --> (x,y) = (s(1 + v)/(1 - v) + t, s(1 + v)/((1 - v)u)),
      (x,y) --> (u,v) = ((x - t)/y, (x - t - s)/(x - t + s)).
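   The relations between (e, d) and (a, b) and the two coordinate maps above, as an added example that is not part of the draft: it derives a, b from e, d, maps a Twisted Edwards point to canonical form, verifies that the image lies on y^2 = x^3 + ax + b, and maps it back. The prime and coefficients P_TOY, E_TOY, D_TOY are constructed toy values for illustration and are not the Appendix A.2 parameter sets; the maps are undefined at v = 1 (the neutral element) and at y = 0, which the code reports as an error rather than silently mapping.

```python
# Twisted Edwards <-> short Weierstrass conversion as written in Section 5.2,
# checked on a CONSTRUCTED toy curve (not a GOST parameter set).


def inv(n: int, p: int) -> int:
    """Inverse of n modulo the prime p; raises when n == 0 (mod p)."""
    n %= p
    if n == 0:
        raise ZeroDivisionError("division by zero mod p: map undefined here")
    return pow(n, -1, p)


def weierstrass_coeffs(e: int, d: int, p: int):
    """Return (a, b, s, t): s = (e-d)/4, t = (e+d)/6,
    a = s^2 - 3t^2, b = 2t^3 - t*s^2, all reduced mod p."""
    if p <= 3 or (e * d * (e - d)) % p == 0:
        raise ValueError("Section 5.2 needs p > 3 and e*d*(e-d) != 0 mod p")
    s = (e - d) * inv(4, p) % p
    t = (e + d) * inv(6, p) % p
    a = (s * s - 3 * t * t) % p
    b = (2 * t * t * t - t * s * s) % p
    return a, b, s, t


def edwards_to_weierstrass(u: int, v: int, e: int, d: int, p: int):
    """(u,v) -> (x,y) = (s(1+v)/(1-v) + t, s(1+v)/((1-v)u)).
    Undefined for v = 1 (neutral element) and u = 0 (order-2 point)."""
    _, _, s, t = weierstrass_coeffs(e, d, p)
    x = (s * (1 + v) * inv(1 - v, p) + t) % p
    y = s * (1 + v) * inv((1 - v) * u, p) % p
    return x, y


def weierstrass_to_edwards(x: int, y: int, e: int, d: int, p: int):
    """(x,y) -> (u,v) = ((x-t)/y, (x-t-s)/(x-t+s)); undefined for y = 0."""
    _, _, s, t = weierstrass_coeffs(e, d, p)
    u = (x - t) * inv(y, p) % p
    v = (x - t - s) * inv(x - t + s, p) % p
    return u, v


def on_edwards(u: int, v: int, e: int, d: int, p: int) -> bool:
    """e*u^2 + v^2 == 1 + d*u^2*v^2 (mod p)."""
    return (e * u * u + v * v - 1 - d * u * u * v * v) % p == 0


def on_weierstrass(x: int, y: int, a: int, b: int, p: int) -> bool:
    """y^2 == x^3 + a*x + b (mod p)."""
    return (y * y - (x * x * x + a * x + b)) % p == 0


def find_edwards_point(e: int, d: int, p: int):
    """Brute-force a point with u != 0 and v not in {1, -1}, so both maps
    are defined.  Uses the p = 3 (mod 4) square root; toy sizes only."""
    if p % 4 != 3:
        raise ValueError("toy search needs p = 3 (mod 4)")
    for u in range(2, p):
        den = (1 - d * u * u) % p
        if den == 0:
            continue
        v2 = (1 - e * u * u) * inv(den, p) % p  # v^2 = (1 - e u^2)/(1 - d u^2)
        v = pow(v2, (p + 1) // 4, p)
        if v * v % p == v2 and v not in (1, p - 1):
            return u, v
    raise ValueError("no suitable point found")


# Constructed toy parameters: p = 10007 = 3 (mod 4), e = 1, d = 2.
P_TOY, E_TOY, D_TOY = 10007, 1, 2


def round_trip(e: int = E_TOY, d: int = D_TOY, p: int = P_TOY):
    """Map a point to canonical form and back; return
    (image is on y^2 = x^3 + ax + b, round trip restored (u, v))."""
    a, b, _, _ = weierstrass_coeffs(e, d, p)
    u, v = find_edwards_point(e, d, p)
    x, y = edwards_to_weierstrass(u, v, e, d, p)
    return (on_weierstrass(x, y, a, b, p),
            weierstrass_to_edwards(x, y, e, d, p) == (u, v))


if __name__ == "__main__":
    print("on canonical curve, round trip:", round_trip())
```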
5.2.1.  Parameters and object identifiers

   The parameters for each elliptic curve are represented by the following values, which are defined in GOST R 34.10-2012 [GOST3410-2012]:

   p       the characteristic of the underlying prime field;

   a, b    the coefficients of the equation of the elliptic curve in the canonical form;

   e, d    the coefficients of the equation of the elliptic curve in the Twisted Edwards form;

   m       the elliptic curve group order;

   q       the elliptic curve subgroup order;

   (x, y)  the coordinates of the point P (generator of the subgroup of order q) of the elliptic curve in the canonical form;

   (u, v)  the coordinates of the point P (generator of the subgroup of order q) of the elliptic curve in the Twisted Edwards form.

   Both sets of parameters are presented as ASN.1 structures of the form:

      SEQUENCE {
         p INTEGER,
         a INTEGER,
         b INTEGER,
         e INTEGER,
         d INTEGER,
         m INTEGER,
         q INTEGER,
         x INTEGER,
         y INTEGER,
         u INTEGER,
         v INTEGER
      }

   The parameter sets have the following object identifiers:

   1.  id-tc26-gost-3410-2012-256-paramSetA ::= {iso(1) member-body(2) ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) gost-3410-12-256-constants(1) paramSetA(1)};

   2.  id-tc26-gost-3410-2012-512-paramSetC ::= {iso(1) member-body(2) ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) gost-3410-12-512-constants(2) paramSetC(3)}.

   The corresponding values of the parameter sets can be found in Appendix A.2.

6.  Acknowledgments

   We thank Valery Smyslov, Igor Ustinov, Basil Dolmatov, Russ Housley, Dmitry Khovratovich, Oleksandr Kazymyrov, Ekaterina Smyshlyaeva, Vasily Nikolaev and Lolita Sonina for their careful readings and useful comments.

7.  Security Considerations

   This entire document is about security considerations.

8.  References

8.1.  Normative References

   [GOST28147-89]
              Gosudarstvennyi Standard of USSR, Government Committee of the USSR for Standards (In Russian), "Systems of information processing. Cryptographic data security. Algorithms of cryptographic transformation", GOST 28147-89, 1989.

   [GOST3410-2012]
              Federal Agency on Technical Regulating and Metrology (In Russian), "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature", GOST R 34.10-2012, 2012.

   [GOST3411-2012]
              Federal Agency on Technical Regulating and Metrology (In Russian), "Information technology. Cryptographic Data Security. Hashing function", GOST R 34.11-2012, 2012.

   [RFC2104]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

   [RFC4357]  Popov, V., Kurepkin, I., and S. Leontiev, "Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 2014.

8.2.  Informative References

   [GOST3411-94]
              Federal Agency on Technical Regulating and Metrology (In Russian), "Information technology. Cryptographic Data Security. Hashing function", GOST R 34.11-94, 1994.
   [NISTSP800-108]
              National Institute of Standards and Technology,
              "Recommendation for Key Derivation Using Pseudorandom
              Functions", NIST SP 800-108, October 2009.

   [RFC4490]  Leontiev, S., Ed. and G. Chudov, Ed., "Using the GOST
              28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R
              34.10-2001 Algorithms with Cryptographic Message Syntax
              (CMS)", RFC 4490, DOI 10.17487/RFC4490, May 2006.

   [RFC4491]  Leontiev, S., Ed. and D. Shefanovski, Ed., "Using the GOST
              R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
              Algorithms with the Internet X.509 Public Key
              Infrastructure Certificate and CRL Profile", RFC 4491,
              DOI 10.17487/RFC4491, May 2006.

   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010.

   [RFC6986]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
              Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
              2013.

   [RFC7091]  Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
              Digital Signature Algorithm", RFC 7091,
              DOI 10.17487/RFC7091, December 2013.

Appendix A.  Values of the parameter sets

A.1.  Canonical form parameters

   Parameter set: id-tc26-gost-3410-12-512-paramSetA

   SEQUENCE
   {
      OBJECT IDENTIFIER
         id-tc26-gost-3410-12-512-paramSetA
      SEQUENCE
      {
         INTEGER
            00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
            C7
         INTEGER
            00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
            C4
         INTEGER
            00 E8 C2 50 5D ED FC 86 DD C1 BD 0B 2B 66 67 F1
            DA 34 B8 25 74 76 1C B0 E8 79 BD 08 1C FD 0B 62
            65 EE 3C B0 90 F3 0D 27 61 4C B4 57 40 10 DA 90
            DD 86 2E F9 D4 EB EE 47 61 50 31 90 78 5A 71 C7
            60
         INTEGER
            00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60
            60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2
            75
         INTEGER
            00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60
            60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2
            75
         INTEGER
            03
         INTEGER
            75 03 CF E8 7A 83 6A E3 A6 1B 88 16 E2 54 50 E6
            CE 5E 1C 93 AC F1 AB C1 77 80 64 FD CB EF A9 21
            DF 16 26 BE 4F D0 36 E9 3D 75 E6 A5 0E 3A 41 E9
            80 28 FE 5F C2 35 F5 B8 89 A5 89 CB 52 15 F2 A4
      }
   }

   Parameter set: id-tc26-gost-3410-12-512-paramSetB

   SEQUENCE
   {
      OBJECT IDENTIFIER
         id-tc26-gost-3410-12-512-paramSetB
      SEQUENCE
      {
         INTEGER
            00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            6F
         INTEGER
            00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            6C
         INTEGER
            68 7D 1B 45 9D C8 41 45 7E 3E 06 CF 6F 5E 25 17
            B9 7C 7D 61 4A F1 38 BC BF 85 DC 80 6C 4B 28 9F
            3E 96 5D 2D B1 41 6D 21 7F 8B 27 6F AD 1A B6 9C
            50 F7 8B EE 1F A3 10 6E FB 8C CB C7 C5 14 01 16
         INTEGER
            00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            01 49 A1 EC 14 25 65 A5 45 AC FD B7 7B D9 D4 0C
            FA 8B 99 67 12 10 1B EA 0E C6 34 6C 54 37 4F 25
            BD
         INTEGER
            00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            01 49 A1 EC 14 25 65 A5 45 AC FD B7 7B D9 D4 0C
            FA 8B 99 67 12 10 1B EA 0E C6 34 6C 54 37 4F 25
            BD
         INTEGER
            02
         INTEGER
            1A 8F 7E DA 38 9B 09 4C 2C 07 1E 36 47 A8 94 0F
            3C 12 3B 69 75 78 C2 13 BE 6D D9 E6 C8 EC 73 35
            DC B2 28 FD 1E DF 4A 39 15 2C BC AA F8 C0 39 88
            28 04 10 55 F9 4C EE EC 7E 21 34 07 80 FE 41 BD
      }
   }

A.2.  Twisted Edwards form parameters

   Parameter set: id-tc26-gost-3410-2012-256-paramSetA

   SEQUENCE
   {
      OBJECT IDENTIFIER
         id-tc26-gost-3410-2012-256-paramSetA
      SEQUENCE
      {
         INTEGER
            00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
            97
         INTEGER
            00 C2 17 3F 15 13 98 16 73 AF 48 92 C2 30 35 A2
            7C E2 5E 20 13 BF 95 AA 33 B2 2C 65 6F 27 7E 73
            35
         INTEGER
            29 5F 9B AE 74 28 ED 9C CC 20 E7 C3 59 A9 D4 1A
            22 FC CD 91 08 E1 7B F7 BA 93 37 A6 F8 AE 95 13
         INTEGER
            01
         INTEGER
            06 05 F6 B7 C1 83 FA 81 57 8B C3 9C FA D5 18 13
            2B 9D F6 28 97 00 9A F7 E5 22 C3 2D 6D C7 BF FB
         INTEGER
            01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            00 3F 63 37 7F 21 ED 98 D7 04 56 BD 55 B0 D8 31
            9C
         INTEGER
            40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0F D8 CD DF C8 7B 66 35 C1 15 AF 55 6C 36 0C 67
         INTEGER
            00 91 E3 84 43 A5 E8 2C 0D 88 09 23 42 57 12 B2
            BB 65 8B 91 96 93 2E 02 C7 8B 25 82 FE 74 2D AA
            28
         INTEGER
            32 87 94 23 AB 1A 03 75 89 57 86 C4 BB 46 E9 56
            5F DE 0B 53 44 76 67 40 AF 26 8A DB 32 32 2E 5C
         INTEGER
            0D
         INTEGER
            60 CA 1E 32 AA 47 5B 34 84 88 C3 8F AB 07 64 9C
            E7 EF 8D BE 87 F2 2E 81 F9 2B 25 92 DB A3 00 E7
      }
   }

   Parameter set: id-tc26-gost-3410-2012-512-paramSetC

   SEQUENCE
   {
      OBJECT IDENTIFIER
         id-tc26-gost-3410-2012-512-paramSetC
      SEQUENCE
      {
         INTEGER
            00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
            C7
         INTEGER
            00 DC 92 03 E5 14 A7 21 87 54 85 A5 29 D2 C7 22
            FB 18 7B C8 98 0E B8 66 64 4D E4 1C 68 E1 43 06
            45 46 E8 61 C0 E2 C9 ED D9 2A DE 71 F4 6F CF 50
            FF 2A D9 7F 95 1F DA 9F 2A 2E B6 54 6F 39 68 9B
            D3
         INTEGER
            00 B4 C4 EE 28 CE BC 6C 2C 8A C1 29 52 CF 37 F1
            6A C7 EF B6 A9 F6 9F 4B 57 FF DA 2E 4F 0D E5 AD
            E0 38 CB C2 FF F7 19 D2 C1 8D E0 28 4B 8B FE F3
            B5 2B 8C C7 A5 F5 BF 0A 3C 8D 23 19 A5 31 25 57
            E1
         INTEGER
            01
         INTEGER
            00 9E 4F 5D 8C 01 7D 8D 9F 13 A5 CF 3C DF 5B FE
            4D AB 40 2D 54 19 8E 31 EB DE 28 A0 62 10 50 43
            9C A6 B3 9E 0A 51 5C 06 B3 04 E2 CE 43 E7 9E 36
            9E 91 A0 CF C2 BC 2A 22 B4 CA 30 2D BB 33 EE 75
            50
         INTEGER
            00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF 26 33 6E 91 94 1A AC 01 30 CE A7 FD 45 1D 40
            B3 23 B6 A7 9E 9D A6 84 9A 51 88 F3 BD 1F C0 8F
            B4
         INTEGER
            3F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
            C9 8C DB A4 65 06 AB 00 4C 33 A9 FF 51 47 50 2C
            C8 ED A9 E7 A7 69 A1 26 94 62 3C EF 47 F0 23 ED
         INTEGER
            00 E2 E3 1E DF C2 3D E7 BD EB E2 41 CE 59 3E F5
            DE 22 95 B7 A9 CB AE F0 21 D3 85 F7 07 4C EA 04
            3A A2 72 72 A7 AE 60 2B F2 A7 B9 03 3D B9 ED 36
            10 C6 FB 85 48 7E AE 97 AA C5 BC 79 28 C1 95 01
            48
         INTEGER
            00 F5 CE 40 D9 5B 5E B8 99 AB BC CF F5 91 1C B8
            57 79 39 80 4D 65 27 37 8B 8C 10 8C 3D 20 90 FF
            9B E1 8E 2D 33 E3 02 1E D2 EF 32 D8 58 22 42 3B
            63 04 F7 26 AA 85 4B AE 07 D0 39 6E 9A 9A DD C4
            0F
         INTEGER
            12
         INTEGER
            46 9A F7 9D 1F B1 F5 E1 6B 99 59 2B 77 A0 1E 2A
            0F DF B0 D0 17 94 36 8D 9A 56 11 7F 7B 38 66 95
            22 DD 4B 65 0C F7 89 EE BF 06 8C 5D 13 97 32 F0
            90 56 22 C0 4B 2B AA E7 60 03 03 EE 73 00 1A 3D
      }
   }

Appendix B.  Test examples

   1) HMAC_GOSTR3411_2012_256

   Key K:

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
      10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   T:

      01 26 bd b8 78 00 af 21 43 41 45 65 63 78 01 00

   HMAC_GOSTR3411_2012_256 (K, T) value:

      a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34
      01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9

   2) HMAC_GOSTR3411_2012_512

   Key K:

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
      10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   T:

      01 26 bd b8 78 00 af 21 43 41 45 65 63 78 01 00

   HMAC_GOSTR3411_2012_512 (K, T) value:

      a5 9b ab 22 ec ae 19 c6 5f bd e6 e5 f4 e9 f5 d8
      54 9d 31 f0 37 f9 df 9b 90 55 00 e1 71 92 3a 77
      3d 5f 15 30 f2 ed 7e 96 4c b2 ee dc 29 e9 ad 2f
      3a fe 93 b2 81 4f 79 f5 00 0f fc 03 66 c2 51 e6

   3) PRF_TLS_GOSTR3411_2012_256

   Key K:

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
      10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   Seed:

      18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56
      0b 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 9a

   Label:

      11 22 33 44 55

   Output T1:

      ff 09 66 4a 44 74 58 65 94 4f 83 9e bb 48 96 5f
      15 44 ff 1c c8 e8 f1 6f 24 7e e5 f8 a9 eb e9 7f

   Output T2:

      c4 e3 c7 90 0e 46 ca d3 db 6a 01 64 30 63 04 0e
      c6 7f c0 fd 5c d9 f9 04 65 23 52 37 bd ff 2c 02

   4) PRF_TLS_GOSTR3411_2012_512

   Key K:

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
      10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   Seed:

      18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56
      0b 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 9a

   Label:

      11 22 33 44 55

   Output T1:

      f3 51 87 a3 dc 96 55 11 3a 0e 84 d0 6f d7 52 6c
      5f c1 fb de c1 a0 e4 67 3d d6 d7 9d 0b 92 0e 65
      ad 1b c4 7b b0 83 b3 85 1c b7 cd 8e 7e 6a 91 1a
      62 6c f0 2b 29 e9 e4 a5 8e d7 66 a4 49 a7 29 6d

   Output T2:

      e6 1a 7a 26 c4 d1 ca ee cf d8 0c ca 65 c7 1f 0f
      88 c1 f8 22 c0 e8 c0 ad 94 9d 03 fe e1 39 57 9f
      72 ba 0c 3d 32 c5 f9 54 f1 cc cd 54 08 1f c7 44
      02 78 cb a1 fe 7b 7a 17 a9 86 fd ff 5b d1 5d 1f

   5) PRF_IPSEC_PRFPLUS_GOSTR3411_2012_256

   Key K:

      c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19
      2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21

   Data S:

      01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00

   Output T1:

      2d e5 ee 84 e1 3d 7b e5 36 16 67 39 13 37 0a b0
      54 c0 74 b7 9b 69 a8 a8 46 82 a9 f0 4f ec d5 87

   Output T2:

      29 f6 0d da 45 7b f2 19 aa 2e f9 5d 7a 59 be 95
      4d e0 08 f4 a5 0d 50 4d bd b6 90 be 68 06 01 53

   6) PRF_IPSEC_PRFPLUS_GOSTR3411_2012_512

   Key K:

      c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19
      2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21

   Data S:

      01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00

   Output T1:

      5d a6 71 43 a5 f1 2a 6d 6e 47 42 59 6f 39 24 3f
      cc 61 57 45 91 5b 32 59 10 06 ff 78 a2 08 63 d5
      f8 8e 4a fc 17 fb be 70 b9 50 95 73 db 00 5e 96
      26 36 98 46 cb 86 19 99 71 6c 16 5d d0 6a 15 85

   Output T2:

      48 34 49 5a 43 74 6c b5 3f 0a ba 3b c4 6e bc f8
      77 3c a6 4a d3 43 c1 22 ee 2a 57 75 57 03 81 57
      ee 9c 38 8d 96 ef 71 d5 8b e5 c1 ef a1 af a9 5e
      be 83 e3 9d 00 e1 9a 5d 03 dc d6 0a 01 bc a8 e3

   7) VKO_GOSTR3410_2012_256 with 256-bit output on the GOST
      R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA

   UKM value:

      1d 80 60 3c 85 44 c7 27

   Private key x of A:

      c9 90 ec d9 72 fc e8 4e c4 db 02 27 78 f5 0f ca
      c7 26 f4 67 08 38 4b 8d 45 83 04 96 2d 71 47 f8
      c2 db 41 ce f2 2c 90 b1 02 f2 96 84 04 f9 b9 be
      6d 47 c7 96 92 d8 18 26 b3 2b 8d ac a4 3c b6 67

   Public key x*P of A (curve point (X, Y)):

      aa b0 ed a4 ab ff 21 20 8d 18 79 9f b9 a8 55 66
      54 ba 78 30 70 eb a1 0c b9 ab b2 53 ec 56 dc f5
      d3 cc ba 61 92 e4 64 e6 e5 bc b6 de a1 37 79 2f
      24 31 f6 c8 97 eb 1b 3c 0c c1 43 27 b1 ad c0 a7
      91 46 13 a3 07 4e 36 3a ed b2 04 d3 8d 35 63 97
      1b d8 75 8e 87 8c 9d b1 14 03 72 1b 48 00 2d 38
      46 1f 92 47 2d 40 ea 92 f9 95 8c 0f fa 4c 93 75
      64 01 b9 7f 89 fd be 0b 5e 46 e4 a4 63 1c db 5a

   Private key y of B:

      48 c8 59 f7 b6 f1 15 85 88 7c c0 5e c6 ef 13 90
      cf ea 73 9b 1a 18 c0 d4 66 22 93 ef 63 b7 9e 3b
      80 14 07 0b 44 91 85 90 b4 b9 96 ac fe a4 ed fb
      bb cc cc 8c 06 ed d8 bf 5b da 92 a5 13 92 d0 db

   Public key y*P of B (curve point (X, Y)):

      19 2f e1 83 b9 71 3a 07 72 53 c7 2c 87 35 de 2e
      a4 2a 3d bc 66 ea 31 78 38 b6 5f a3 25 23 cd 5e
      fc a9 74 ed a7 c8 63 f4 95 4d 11 47 f1 f2 b2 5c
      39 5f ce 1c 12 91 75 e8 76 d1 32 e9 4e d5 a6 51
      04 88 3b 41 4c 9b 59 2e c4 dc 84 82 6f 07 d0 b6
      d9 00 6d da 17 6c e4 8c 39 1e 3f 97 d1 02 e0 3b
      b5 98 bf 13 2a 22 8a 45 f7 20 1a ba 08 fc 52 4a
      2d 77 e4 3a 36 2a b0 22 ad 40 28 f7 5b de 3b 79

   KEK_VKO value:

      c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19
      2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21

   8) VKO_GOSTR3410_2012_512 with 512-bit output on the GOST
      R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA

   UKM value:

      1d 80 60 3c 85 44 c7 27

   Private key x of A:

      c9 90 ec d9 72 fc e8 4e c4 db 02 27 78 f5 0f ca
      c7 26 f4 67 08 38 4b 8d 45 83 04 96 2d 71 47 f8
      c2 db 41 ce f2 2c 90 b1 02 f2 96 84 04 f9 b9 be
      6d 47 c7 96 92 d8 18 26 b3 2b 8d ac a4 3c b6 67

   Public key x*P of A (curve point (X, Y)):

      aa b0 ed a4 ab ff 21 20 8d 18 79 9f b9 a8 55 66
      54 ba 78 30 70 eb a1 0c b9 ab b2 53 ec 56 dc f5
      d3 cc ba 61 92 e4 64 e6 e5 bc b6 de a1 37 79 2f
      24 31 f6 c8 97 eb 1b 3c 0c c1 43 27 b1 ad c0 a7
      91 46 13 a3 07 4e 36 3a ed b2 04 d3 8d 35 63 97
      1b d8 75 8e 87 8c 9d b1 14 03 72 1b 48 00 2d 38
      46 1f 92 47 2d 40 ea 92 f9 95 8c 0f fa 4c 93 75
      64 01 b9 7f 89 fd be 0b 5e 46 e4 a4 63 1c db 5a

   Private key y of B:

      48 c8 59 f7 b6 f1 15 85 88 7c c0 5e c6 ef 13 90
      cf ea 73 9b 1a 18 c0 d4 66 22 93 ef 63 b7 9e 3b
      80 14 07 0b 44 91 85 90 b4 b9 96 ac fe a4 ed fb
      bb cc cc 8c 06 ed d8 bf 5b da 92 a5 13 92 d0 db

   Public key y*P of B (curve point (X, Y)):

      19 2f e1 83 b9 71 3a 07 72 53 c7 2c 87 35 de 2e
      a4 2a 3d bc 66 ea 31 78 38 b6 5f a3 25 23 cd 5e
      fc a9 74 ed a7 c8 63 f4 95 4d 11 47 f1 f2 b2 5c
      39 5f ce 1c 12 91 75 e8 76 d1 32 e9 4e d5 a6 51
      04 88 3b 41 4c 9b 59 2e c4 dc 84 82 6f 07 d0 b6
      d9 00 6d da 17 6c e4 8c 39 1e 3f 97 d1 02 e0 3b
      b5 98 bf 13 2a 22 8a 45 f7 20 1a ba 08 fc 52 4a
      2d 77 e4 3a 36 2a b0 22 ad 40 28 f7 5b de 3b 79

   KEK_VKO value:

      79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97
      ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa
      7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9
      f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df

   9) Key derivation function KDF_GOSTR3411_2012_256

   K_in key:

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
      10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   Label:

      26 bd b8 78

   Seed:

      af 21 43 41 45 65 63 78

   KDF(K_in, label, seed) value:

      a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34
      01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9

   10) Key derivation function KDF_TREE_GOSTR3411_2012_256

   Output size of L:

      512

   K_in key:

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
      10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   Label:

      26 bd b8 78

   Seed:

      af 21 43 41 45 65 63 78

   K1:

      22 b6 83 78 45 c6 be f6 5e a7 16 72 b2 65 83 10
      86 d3 c7 6a eb e6 da e9 1c ad 51 d8 3f 79 d1 6b

   K2:

      07 4c 93 30 59 9d 7f 8d 71 2f ca 54 39 2f 4d dd
      e9 37 51 20 6b 35 84 c8 f4 3f 9e 6d c5 15 31 f9

   R:

      1

   11) Key wrap and unwrap with the szOID_Gost28147_89_TC26_Z_ParamSet
       parameters

   Key K_e:

      00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
      10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f

   Key K:

      20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
      30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f

   Seed:

      af 21 43 41 45 65 63 78

   Label:

      26 bd b8 78

   KEK_e(seed) = KDF_GOSTR3411_2012_256(K_e, label, seed):

      a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34
      01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9

   CEK_MAC:

      be 33 f0 52

   CEK_ENC:

      d1 55 47 f8 ee 85 12 1b c8 7d 4b 10 27 d2 60 27
      ec c0 71 bb a6 e7 2f 3f ec 6f 62 0f 56 83 4c 5a

Appendix C.  GOST 28147-89 parameter set

   The parameter set has the following object identifier:

   1. id-tc26-gost-28147-param-Z ::= {iso(1) member-body(2) ru(643)
      rosstandart(7) tc26(1) constants(2) cipher-constants(5) gost-
      28147-constants(1) param-Z(1)}

   The parameter set (the eight substitution boxes K1..K8, indexed by
   the 4-bit input value x) is defined below:

      x | K1(x) K2(x) K3(x) K4(x) K5(x) K6(x) K7(x) K8(x)
   -----+------------------------------------------------
      0 |   c     6     b     c     7     5     8     1
      1 |   4     8     3     8     f     d     e     7
      2 |   6     2     5     2     5     f     2     e
      3 |   2     3     8     1     a     6     5     d
      4 |   a     9     2     d     8     9     6     0
      5 |   5     a     f     4     1     2     9     5
      6 |   b     5     a     f     6     c     1     8
      7 |   9     c     d     6     d     a     c     3
      8 |   e     1     e     7     0     b     f     4
      9 |   8     e     1     0     9     7     4     f
      a |   d     4     7     a     3     8     b     a
      b |   7     7     4     5     e     1     0     6
      c |   0     b     c     3     b     4     d     9
      d |   3     d     9     e     4     3     a     c
      e |   f     0     6     9     2     e     3     b
      f |   1     f     0     b     c     0     7     2

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CRYPTO-PRO
   18, Suschevsky val
   Moscow 127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru

   Evgeny Alekseev
   CRYPTO-PRO
   18, Suschevsky val
   Moscow 127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: alekseev@cryptopro.ru

   Igor Oshkin
   CRYPTO-PRO
   18, Suschevsky val
   Moscow 127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: oshkin@cryptopro.ru

   Vladimir Popov
   CRYPTO-PRO
   18, Suschevsky val
   Moscow 127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: vpopov@cryptopro.ru

   Serguei Leontiev
   CRYPTO-PRO
   18, Suschevsky val
   Moscow 127018
   Russian Federation

   Phone: +7 (495) 995-48-20
   Email: lse@cryptopro.ru

   Vladimir Podobaev
   FACTOR-TS
   11A, 1st Magistralny proezd
   Moscow 123290
   Russian Federation

   Phone: +7 (495) 644-31-30
   Email: v_podobaev@factor-ts.ru

   Dmitry Belyavsky
   TCI
   8, Zoologicheskaya st
   Moscow 117218
   Russian Federation

   Phone: +7 (499) 254-24-50
   Email: beldmit@gmail.com