idnits 2.17.1

draft-smyshlyaev-mgm-10.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (April 19, 2019) is 1831 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

     No issues found here.

     Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                 S. Smyshlyaev, Ed.
Internet-Draft                                                 CryptoPro
Intended status: Informational                              V. Nozdrunov
Expires: October 21, 2019                                    V. Shishkin
                                                                   TC 26
                                                          April 19, 2019

                     Multilinear Galois Mode (MGM)
                        draft-smyshlyaev-mgm-10

Abstract

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data block cipher mode based on the EtM principle.  MGM is
   defined for use with 64-bit and 128-bit block ciphers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 21, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Existing Constructions
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Specification
     4.1.  MGM Encryption and Authentication Procedure
     4.2.  MGM Decryption and Authentication Check Procedure
   5.  Rationale
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Test Vectors
   Appendix B.  Contributors
   Authors' Addresses

1.  Introduction

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data block cipher mode based on the EtM principle.  MGM is
   defined for use with 64-bit and 128-bit block ciphers.  The MGM
   design principles can easily be applied to other block sizes.

1.1.  Existing Constructions

   The text will be added in future versions of the draft.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*      the set of all bit strings of a finite length (hereinafter
           referred to as strings), including the empty string;
           substrings and string components are enumerated from right to
           left starting from zero;

   V_s     the set of all bit strings of length s, where s is a
           non-negative integer;

   |X|     the bit length of the bit string X (if X is an empty string,
           then |X| = 0);

   X || Y  concatenation of strings X and Y both belonging to V*, i.e.,
           a string from V_{|X|+|Y|}, where the left substring from
           V_{|X|} is equal to X, and the right substring from V_{|Y|}
           is equal to Y;

   a^s     the string in V_s that consists of s 'a' bits: a^s = (a, a,
           ... , a), 'a' in V_1;

   (xor)   exclusive-or of the two bit strings of the same length;

   Z_{2^s} ring of residues modulo 2^s;

   MSB_i: V_s -> V_i  the transformation that maps the string X =
           (x_{s-1}, ... , x_0) in V_s into the string MSB_i(X) =
           (x_{s-1}, ... , x_{s-i}) in V_i, i <= s, (most significant
           bits);

   Int_s: V_s -> Z_{2^s}  the transformation that maps a string X =
           (x_{s-1}, ... , x_0) in V_s into the integer Int_s(X) =
           2^{s-1} * x_{s-1} + ... + 2 * x_1 + x_0 (the interpretation
           of the bit string as an integer);

   Vec_s: Z_{2^s} -> V_s  the transformation inverse to the mapping
           Int_s (the interpretation of an integer as a bit string);

   E_K: V_n -> V_n  the block cipher permutation under the key K in V_k;

   k       the bit length of the block cipher key;

   n       the block size of the block cipher (in bits);

   len: V_s -> V_{n/2}  the transformation that maps a string X in V_s,
           0 <= s <= 2^{n/2} - 1, into the string len(X) =
           Vec_{n/2}(|X|) in V_{n/2}, where n is the block size of the
           used block cipher;

   [+]     the addition operation in Z_{2^{n/2}}, where n is the block
           size of the used block cipher;

   (x)     multiplication in GF(2^n), where n is the block size of the
           used block cipher; if n = 64, then the field polynomial is
           equal to f = x^64 + x^4 + x^3 + x + 1; if n = 128, then the
           field polynomial is equal to f = x^128 + x^7 + x^2 + x + 1;

   incr_l: V_n -> V_n  the transformation that maps a string L || R,
           where L, R in V_{n/2}, into the string incr_l(L || R) =
           Vec_{n/2}(Int_{n/2}(L) [+] 1) || R;

   incr_r: V_n -> V_n  the transformation that maps a string L || R,
           where L, R in V_{n/2}, into the string incr_r(L || R) = L ||
           Vec_{n/2}(Int_{n/2}(R) [+] 1).

4.  Specification

   An additional parameter that defines the functioning of MGM mode is
   the bit length S of the authentication tag, 32 <= S <= 128.  The
   value of S MUST be fixed for a particular protocol.
   The choice of the value S involves a trade-off between message
   expansion and the forgery probability.

4.1.  MGM Encryption and Authentication Procedure

   The MGM encryption and authentication procedure takes the following
   parameters as inputs:

   1.  Encryption key K in V_k.

   2.  Initial counter nonce ICN in V_{n-1}.

   3.  Plaintext P, 0 <= |P| < 2^{n/2}.  If |P| > 0, then P = P_1 ||
       ... || P*_q, P_i in V_n, i = 1, ... , q - 1, P*_q in V_u, 1 <= u
       <= n.  If |P| = 0, then by definition P*_q is empty, and the q
       and u parameters are set as follows: q = 0, u = n.

   4.  Associated authenticated data A, 0 <= |A| < 2^{n/2}.  If |A| > 0,
       then A = A_1 || ... || A*_h, A_j in V_n, j = 1, ... , h - 1, A*_h
       in V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is
       empty, and the h and t parameters are set as follows: h = 0, t =
       n.  The associated data is authenticated but is not encrypted.

   The MGM encryption and authentication procedure outputs the following
   parameters:

   1.  Initial counter nonce ICN.

   2.  Associated authenticated data A.

   3.  Ciphertext C in V_{|P|}.

   4.  Authentication tag T in V_S.

   The MGM encryption and authentication procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Encrypt(K, ICN, P, A)                                      |
   |----------------------------------------------------------------|
   | 1. Encryption step:                                            |
   |      - Y_1 = E_K(0 || ICN),                                    |
   |      - For i = 2, 3, ... , q do                                |
   |           Y_i = incr_r(Y_{i-1}),                               |
   |      - For i = 1, 2, ... , q - 1 do                            |
   |           C_i = P_i (xor) E_K(Y_i),                            |
   |      - C*_q = P*_q (xor) MSB_u(E_K(Y_q)),                      |
   |      - C = C_1 || ... || C*_q.                                 |
   |                                                                |
   | 2. Padding step:                                               |
   |      - A_h = A*_h || 0^{n-t},                                  |
   |      - C_q = C*_q || 0^{n-u}.                                  |
   |                                                                |
   | 3. Authentication tag T generation step:                       |
   |      - Z_1 = E_K(1 || ICN),                                    |
   |      - sum = 0,                                                |
   |      - For i = 1, 2, ..., h do                                 |
   |           H_i = E_K(Z_i),                                      |
   |           sum = sum (xor) ( H_i (x) A_i ),                     |
   |           Z_{i+1} = incr_l(Z_i),                               |
   |      - For j = 1, 2, ..., q do                                 |
   |           H_{h+j} = E_K(Z_{h+j}),                              |
   |           sum = sum (xor) ( H_{h+j} (x) C_j ),                 |
   |           Z_{h+j+1} = incr_l(Z_{h+j}),                         |
   |      - H_{h+q+1} = E_K(Z_{h+q+1}),                             |
   |      - T = MSB_S(E_K(sum (xor) H_{h+q+1} (x)                   |
   |                        (len(A) || len(C)))).                   |
   |                                                                |
   | 4. Return (ICN, A, C, T).                                      |
   +----------------------------------------------------------------+

   The ICN value for each message that is encrypted under the given key
   K must be chosen in a unique manner.  Using the same ICN values for
   two different messages encrypted with the same key eliminates the
   security properties of this mode.

   Users who do not wish to encrypt plaintext can provide a string P of
   zero length.  Users who do not wish to authenticate associated data
   can provide a string A of zero length.  The length of the associated
   data A and of the plaintext P MUST be such that 0 < |A| + |P| <
   2^{n/2}.

4.2.  MGM Decryption and Authentication Check Procedure

   The MGM decryption and authentication procedure takes the following
   parameters as inputs:

   1.  The encryption key K in V_k.

   2.  The initial counter nonce ICN in V_{n-1}.

   3.  The associated authenticated data A, 0 <= |A| < 2^{n/2}.  A =
       A_1 || ... || A*_h, A_j in V_n, j = 1, ... , h - 1, A*_h in V_t,
       1 <= t <= n.

   4.  The ciphertext C, 0 <= |C| < 2^{n/2}.  C = C_1 || ... || C*_q,
       C_i in V_n, i = 1, ... , q - 1, C*_q in V_u, 1 <= u <= n.

   5.  The authenticated tag T in V_S.

   The MGM decryption and authentication procedure outputs FAIL or the
   following parameters:

   1.  Plaintext P in V_{|C|}.

   2.  Associated authenticated data A.

   The MGM decryption and authentication procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Decrypt(K, ICN, A, C, T)                                   |
   |----------------------------------------------------------------|
   | 1. Padding step:                                               |
   |      - A_h = A*_h || 0^{n-t},                                  |
   |      - C_q = C*_q || 0^{n-u}.                                  |
   |                                                                |
   | 2. Authentication tag T verification step:                     |
   |      - Z_1 = E_K(1 || ICN),                                    |
   |      - sum1 = 0, sum2 = 0,                                     |
   |      - For i = 1, 2, ..., h do                                 |
   |           H_i = E_K(Z_i),                                      |
   |           sum1 = sum1 (xor) ( H_i (x) A_i ),                   |
   |           Z_{i+1} = incr_l(Z_i),                               |
   |      - For j = 1, 2, ..., q do                                 |
   |           H_{h+j} = E_K(Z_{h+j}),                              |
   |           sum2 = sum2 (xor) ( H_{h+j} (x) C_j ),               |
   |           Z_{h+j+1} = incr_l(Z_{h+j}),                         |
   |      - H_{h+q+1} = E_K(Z_{h+q+1}),                             |
   |      - T' = MSB_S(E_K(sum1 (xor) sum2 (xor)                    |
   |             H_{h+q+1} (x) (len(A) || len(C)))),                |
   |      - If T' != T then return FAIL.                            |
   |                                                                |
   | 3. Decryption step:                                            |
   |      - Y_1 = E_K(0 || ICN),                                    |
   |      - For i = 2, 3, ... , q do                                |
   |           Y_i = incr_r(Y_{i-1}),                               |
   |      - For i = 1, 2, ... , q - 1 do                            |
   |           P_i = C_i (xor) E_K(Y_i),                            |
   |      - P*_q = C*_q (xor) MSB_u(E_K(Y_q)),                      |
   |      - P = P_1 || ... || P*_q.                                 |
   |                                                                |
   | 4. Return (P, A).                                              |
   +----------------------------------------------------------------+

5.  Rationale

   The MGM mode was originally proposed in [PDMODE].

   From the operational point of view, the MGM mode is designed to be
   parallelizable, inverse-free and online, and to allow
   precomputations.

   Parallelizability of the MGM mode is achieved due to its counter-type
   structure and the usage of the multilinear function for
   authentication.  Indeed, both encryption blocks E_K(Y_i) and
   authentication blocks H_i are produced in the counter mode manner,
   and the multilinear function determined by H_i is parallelizable in
   itself.
   Additionally, the counter-type structure of the mode provides the
   inverse-free property.

   The online property means the possibility to process a message even
   if it is not completely received (so its length is unknown).  To
   provide this property, the MGM mode uses blocks E_K(Y_i) and H_i,
   which are produced based on two independent source blocks Y_i and
   Z_i.

   Availability of precomputations for the MGM mode means the
   possibility to calculate H_i and E_K(Y_i) even before data is
   retrieved.  This holds, again, due to the use of counters for
   calculating them.

   The MGM mode incorporates some mechanisms for advancing cryptographic
   properties.  The main ones are noted below:

   Different functions generating the counter values:  The functions
      incr_r and incr_l are chosen to minimize the intersection (if it
      happens) between the sets of counter values Y_i and Z_i.

   Ciphering of the multilinear function output:  This procedure makes
      it possible to resist attacks based on padding and linear
      properties (see [Ferg05] for details).

   Multilinear function for authentication:  It makes it possible to
      resist the small subgroup attacks [Saar12].

   Ciphering of the nonces (0 || ICN) and (1 || ICN):  The aim of this
      ciphering is to minimize the number of plaintext/ciphertext pairs
      of blocks known to an adversary.  A small number of these pairs
      makes it possible to resist attacks that need a substantial
      amount of such material (e.g., linear and differential
      cryptanalysis, side-channel attacks).

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

6.2.  Informative References

   [Ferg05]   Ferguson, N., "Authentication weaknesses in GCM", 2005.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [PDMODE]   Nozdrunov, V., "Parallel and double block cipher mode of
              operation (PD-mode) for authenticated encryption", CTCrypt
              2017 proceedings, pp. 36-45, 2017.

   [Saar12]   Saarinen, O., "Cycling Attacks on GCM, GHASH and Other
              Polynomial MACs and Hashes", FSE 2012 proceedings, pp.
              216-225, 2012.

Appendix A.  Test Vectors

   Test vectors for the Kuznyechik block cipher (n = 128, k = 256)
   defined in [GOST3412-2015] (the English version can be found in
   [RFC7801]).

   Encryption key K:
   00000:   88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010:   FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Associated authenticated data A:
   00000:   02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010:   04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020:   EA 05 05 05 05 05 05 05 05

   Plaintext P:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010:   00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020:   11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030:   22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040:   AA BB CC

   1. Encryption step:

   0^1 || ICN:
   00000:   11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Y_1:
   00000:   7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CD
   E_K(Y_1):
   00000:   B8 57 48 C5 12 F3 19 90 AA 56 7E F1 53 35 DB 74

   Y_2:
   00000:   7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CE
   E_K(Y_2):
   00000:   80 64 F0 12 6F AC 9B 2C 5B 6E AC 21 61 2F 94 33

   Y_3:
   00000:   7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CF
   E_K(Y_3):
   00000:   58 58 82 1D 40 C0 CD 0D 0A C1 E6 C2 47 09 8F 1C

   Y_4:
   00000:   7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D0
   E_K(Y_4):
   00000:   E4 3F 50 81 B5 8F 0B 49 01 2F 8E E8 6A CD 6D FA

   Y_5:
   00000:   7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D1
   E_K(Y_5):
   00000:   86 CE 9E 2A 0A 12 25 E3 33 56 91 B2 0D 5A 33 48

   C:
   00000:   A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010:   80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020:   49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030:   C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040:   2C 75 52

   2. Padding step:

   A_1 || ... || A_h:
   00000:   02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010:   04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020:   EA 05 05 05 05 05 05 05 05 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000:   A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010:   80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020:   49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030:   C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040:   2C 75 52 00 00 00 00 00 00 00 00 00 00 00 00 00

   3. Authentication tag T generation step:

   1^1 || ICN:
   00000:   91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   Z_1:
   00000:   7F C2 45 A8 58 6E 66 02 A7 BB DB 27 86 BD C6 6F
   H_1:
   00000:   8D B1 87 D6 53 83 0E A4 BC 44 64 76 95 2C 30 0B
   current sum:
   00000:   4C F4 27 F4 AD B7 5C F4 C0 DA 39 D5 AB 48 CF 38

   Z_2:
   00000:   7F C2 45 A8 58 6E 66 03 A7 BB DB 27 86 BD C6 6F
   H_2:
   00000:   7A 24 F7 26 30 E3 76 37 21 C8 F3 CD B1 DA 0E 31
   current sum:
   00000:   94 95 44 0E F6 24 A1 DD C6 F5 D9 77 28 50 C5 73

   Z_3:
   00000:   7F C2 45 A8 58 6E 66 04 A7 BB DB 27 86 BD C6 6F
   H_3:
   00000:   44 11 96 21 17 D2 06 35 C5 25 E0 A2 4D B4 B9 0A
   current sum:
   00000:   A4 9A 8C D8 A6 F2 74 23 DB 79 E4 4A B3 06 D9 42

   Z_4:
   00000:   7F C2 45 A8 58 6E 66 05 A7 BB DB 27 86 BD C6 6F
   H_4:
   00000:   D8 C9 62 3C 4D BF E8 14 CE 7C 1C 0C EA A9 59 DB
   current sum:
   00000:   09 FE 3F 6A 83 3C 21 B3 90 27 D0 20 6A 84 E1 5A

   Z_5:
   00000:   7F C2 45 A8 58 6E 66 06 A7 BB DB 27 86 BD C6 6F
   H_5:
   00000:   A5 E1 F1 95 33 3E 14 82 96 99 31 BF BE 6D FD 43
   current sum:
   00000:   B5 DA 26 BB 00 EB A8 04 35 D7 97 6B C6 B5 46 4D

   Z_6:
   00000:   7F C2 45 A8 58 6E 66 07 A7 BB DB 27 86 BD C6 6F
   H_6:
   00000:   B4 CA 80 8C AC CF B3 F9 17 24 E4 8A 2C 7E E9 D2
   current sum:
   00000:   DD 1C 0E EE F7 83 C8 EB 2A 33 F3 58 D7 23 0E E5

   Z_7:
   00000:   7F C2 45 A8 58 6E 66 08 A7 BB DB 27 86 BD C6 6F
   H_7:
   00000:   72 90 8F C0 74 E4 69 E8 90 1B D1 88 EA 91 C3 31
   current sum:
   00000:   89 6C E1 08 32 EB EA F9 06 9F 3F 73 76 59 4D 40

   Z_8:
   00000:   7F C2 45 A8 58 6E 66 09 A7 BB DB 27 86 BD C6 6F
   H_8:
   00000:   23 CA 27 15 B0 2C 68 31 3B FD AC B3 9E 4D 0F B8
   current sum:
   00000:   99 1A F5 C9 D0 80 F7 63 87 FE 64 9E 7C 93 C6 42

   Z_9:
   00000:   7F C2 45 A8 58 6E 66 0A A7 BB DB 27 86 BD C6 6F
   H_9:
   00000:   BC BC E6 C4 1A A3 55 A4 14 88 62 BF 64 BD 83 0D
   len(A) || len(C):
   00000:   00 00 00 00 00 00 01 48 00 00 00 00 00 00 02 18
   sum (xor) H_9 (x) (len(A) || len(C)):
   00000:   C0 C7 22 DB 5E 0B D6 DB 25 76 73 83 3D 56 71 28

   Tag T:
   00000:   CF 5D 65 6F 40 C3 4F 5C 46 E8 BB 0E 29 FC DB 4C

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Ekaterina Smyshlyaeva
      CryptoPro
      ess@cryptopro.ru

   o  Lilia Akhmetzyanova
      CryptoPro
      lah@cryptopro.ru

   o  Grigory Marshalko
      TC 26
      marshalko_gb@tc26.ru

   o  Vladimir Rudskoy
      TC 26
      rudskoy_vi@tc26.ru

   o  Alexey Nesterenko
      National Research University Higher School of Economics
      anesterenko@hse.ru

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru

   Vladislav Nozdrunov
   TC 26

   Email: nozdrunov_vi@tc26.ru

   Vasily Shishkin
   TC 26

   Email: shishkin_va@tc26.ru
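
   Added example (not part of the draft and not its authors' code): the
   multilinear authentication sum from step 3 of MGM-Encrypt for n = 128,
   with (x), incr_l, incr_r and the padding step written out and run over
   the Appendix A values.  The block cipher E_K is not implemented; the
   blocks H_1 ... H_9 are copied from Appendix A, and all function names
   are this example's own.

```python
# Added example: MGM's multilinear authentication sum for n = 128.
# E_K (Kuznyechik) is not implemented; H_i = E_K(Z_i) come from Appendix A.
N = 128
POLY = 0x87  # x^7 + x^2 + x + 1: low terms of f = x^128 + x^7 + x^2 + x + 1

def gf_mul(x: bytes, y: bytes) -> bytes:
    """(x) of Section 3; bit x_{n-1} is the coefficient of x^{n-1} (no reflection)."""
    a, b, z = int.from_bytes(x, "big"), int.from_bytes(y, "big"), 0
    while b:
        if b & 1:
            z ^= a
        a <<= 1
        if a >> N:                      # degree reached 128: reduce modulo f
            a ^= (1 << N) | POLY
        b >>= 1
    return z.to_bytes(N // 8, "big")

def _incr(half: bytes) -> bytes:
    """Vec_{n/2}(Int_{n/2}(half) [+] 1): the addition wraps modulo 2^{n/2}."""
    v = (int.from_bytes(half, "big") + 1) % (1 << (8 * len(half)))
    return v.to_bytes(len(half), "big")

def incr_l(block: bytes) -> bytes:      # steps the Z_i (authentication) counters
    h = len(block) // 2
    return _incr(block[:h]) + block[h:]

def incr_r(block: bytes) -> bytes:      # steps the Y_i (encryption) counters
    h = len(block) // 2
    return block[:h] + _incr(block[h:])

def padded_blocks(data: bytes) -> list:
    """Padding step: n-bit blocks, the last one zero-filled on the right."""
    return [data[i:i + 16].ljust(16, b"\x00") for i in range(0, len(data), 16)]

def tag_input(h_blocks, a: bytes, c: bytes) -> bytes:
    """sum (xor) H_{h+q+1} (x) (len(A) || len(C)); T = MSB_S(E_K(this value))."""
    msgs = padded_blocks(a) + padded_blocks(c)
    msgs.append((8 * len(a)).to_bytes(8, "big") + (8 * len(c)).to_bytes(8, "big"))
    if len(h_blocks) != len(msgs):
        raise ValueError("need exactly h + q + 1 blocks H_i")
    acc = 0
    for h, m in zip(h_blocks, msgs):
        acc ^= int.from_bytes(gf_mul(h, m), "big")
    return acc.to_bytes(N // 8, "big")

# Values copied from the Appendix A test vector (h = 3, q = 5).
H = [bytes.fromhex(s) for s in (
    "8DB187D653830EA4BC446476952C300B", "7A24F72630E3763721C8F3CDB1DA0E31",
    "4411962117D20635C525E0A24DB4B90A", "D8C9623C4DBFE814CE7C1C0CEAA959DB",
    "A5E1F195333E1482969931BFBE6DFD43", "B4CA808CACCFB3F91724E48A2C7EE9D2",
    "72908FC074E469E8901BD188EA91C331", "23CA2715B02C68313BFDACB39E4D0FB8",
    "BCBCE6C41AA355A4148862BF64BD830D")]
A = bytes.fromhex("0202020202020202" "0101010101010101" "0404040404040404"
                  "0303030303030303" "EA0505050505050505")
C = bytes.fromhex(
    "A9757B8147956E9055B8A33DE89F42FC" "8075D2212BF9FD5BD3F7069AADC16B39"
    "497AB15915A6BA85936B5D0EA9F6851C" "C60C14D4D3F883D0AB94420695C76DEB"
    "2C7552")

if __name__ == "__main__":
    print(tag_input(H, A, C).hex().upper())
```

   The value returned by tag_input is the block that the final E_K call
   turns into the tag T; a receiver recomputes it the same way before
   comparing T' with T.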