Network Working Group                                  S. Smyshlyaev, Ed.
Internet-Draft                                                  CryptoPro
Intended status: Informational                               V. Nozdrunov
Expires: December 20, 2019                                    V. Shishkin
                                                                    TC 26
                                                           E. Smyshlyaeva
                                                                CryptoPro
                                                            June 18, 2019


                     Multilinear Galois Mode (MGM)
                        draft-smyshlyaev-mgm-11

Abstract

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the Encrypt-then-
   MAC (EtM) principle.  MGM is defined for use with 64-bit and 128-bit
   block ciphers.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 20, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Specification
     4.1.  MGM Encryption and Authentication Procedure
     4.2.  MGM Decryption and Authentication Check Procedure
   5.  Rationale
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Test Vectors
   Appendix B.  Contributors
   Authors' Addresses

1.  Introduction

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the Encrypt-then-
   MAC (EtM) principle.  MGM is defined for use with 64-bit and 128-bit
   block ciphers.  The MGM design principles can easily be applied to
   other block sizes.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*       the set of all bit strings of a finite length (hereinafter
            referred to as strings), including the empty string;
            substrings and string components are enumerated from right
            to left starting from zero;

   V_s      the set of all bit strings of length s, where s is a non-
            negative integer;

   |X|      the bit length of the bit string X (if X is an empty string,
            then |X| = 0);

   X || Y   concatenation of strings X and Y both belonging to V*, i.e.,
            a string from V_{|X|+|Y|}, where the left substring from
            V_{|X|} is equal to X, and the right substring from V_{|Y|}
            is equal to Y;

   a^s      the string in V_s that consists of s 'a' bits: a^s = (a, a,
            ... , a), 'a' in V_1;

   (xor)    exclusive-or of two bit strings of the same length;

   Z_{2^s}  the ring of residues modulo 2^s;

   MSB_i: V_s -> V_i
            the transformation that maps the string X = (x_{s-1}, ... ,
            x_0) in V_s into the string MSB_i(X) = (x_{s-1}, ... ,
            x_{s-i}) in V_i, i <= s (the i most significant bits);

   Int_s: V_s -> Z_{2^s}
            the transformation that maps a string X = (x_{s-1}, ... ,
            x_0) in V_s into the integer Int_s(X) = 2^{s-1} * x_{s-1} +
            ... + 2 * x_1 + x_0 (the interpretation of the bit string as
            an integer);

   Vec_s: Z_{2^s} -> V_s
            the transformation inverse to the mapping Int_s (the
            interpretation of an integer as a bit string);

   E_K: V_n -> V_n
            the block cipher permutation under the key K in V_k;

   k        the bit length of the block cipher key;

   n        the block size of the block cipher (in bits);

   len: V_s -> V_{n/2}
            the transformation that maps a string X in V_s, 0 <= s <=
            2^{n/2} - 1, into the string len(X) = Vec_{n/2}(|X|) in
            V_{n/2}, where n is the block size of the block cipher used;

   [+]      the addition operation in Z_{2^{n/2}}, where n is the block
            size of the block cipher used;

   (x)      multiplication in GF(2^n), where n is the block size of the
            block cipher used; if n = 64, then the field polynomial is
            f = x^64 + x^4 + x^3 + x + 1; if n = 128, then the field
            polynomial is f = x^128 + x^7 + x^2 + x + 1;

   incr_l: V_n -> V_n
            the transformation that maps a string L || R, where L, R in
            V_{n/2}, into the string incr_l(L || R) =
            Vec_{n/2}(Int_{n/2}(L) [+] 1) || R;

   incr_r: V_n -> V_n
            the transformation that maps a string L || R, where L, R in
            V_{n/2}, into the string incr_r(L || R) =
            L || Vec_{n/2}(Int_{n/2}(R) [+] 1).

4.  Specification

   An additional parameter that defines the functioning of MGM mode is
   the bit length S of the authentication tag, 32 <= S <= 128.  The
   value of S MUST be fixed for a particular protocol.  The choice of
   the value S involves a trade-off between message expansion and the
   forgery probability.

4.1.  MGM Encryption and Authentication Procedure

   The MGM encryption and authentication procedure takes the following
   parameters as inputs:

   1.  Encryption key K in V_k.

   2.  Initial counter nonce ICN in V_{n-1}.

   3.  Plaintext P, 0 <= |P| < 2^{n/2}.  If |P| > 0, then P = P_1 ||
       ... || P*_q, P_i in V_n, for i = 1, ... , q - 1, P*_q in V_u,
       1 <= u <= n.  If |P| = 0, then by definition P*_q is empty, and
       the q and u parameters are set as follows: q = 0, u = n.

   4.  Associated authenticated data A, 0 <= |A| < 2^{n/2}.  If |A| > 0,
       then A = A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1,
       A*_h in V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is
       empty, and the h and t parameters are set as follows: h = 0,
       t = n.  The associated data is authenticated but is not
       encrypted.

   The MGM encryption and authentication procedure outputs the following
   parameters:

   1.  Initial counter nonce ICN.

   2.  Associated authenticated data A.

   3.  Ciphertext C in V_{|P|}.

   4.  Authentication tag T in V_S.

   The MGM encryption and authentication procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Encrypt(K, ICN, P, A)                                      |
   |----------------------------------------------------------------|
   | 1. Encryption step:                                            |
   |    - Y_1 = E_K(0 || ICN),                                      |
   |    - For i = 2, 3, ... , q do                                  |
   |        Y_i = incr_r(Y_{i-1}),                                  |
   |    - For i = 1, 2, ... , q - 1 do                              |
   |        C_i = P_i (xor) E_K(Y_i),                               |
   |    - C*_q = P*_q (xor) MSB_u(E_K(Y_q)),                        |
   |    - C = C_1 || ... || C*_q.                                   |
   |                                                                |
   | 2. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 3. Authentication tag T generation step:                       |
   |    - Z_1 = E_K(1 || ICN),                                      |
   |    - sum = 0,                                                  |
   |    - For i = 1, 2, ..., h do                                   |
   |        H_i = E_K(Z_i),                                         |
   |        sum = sum (xor) ( H_i (x) A_i ),                        |
   |        Z_{i+1} = incr_l(Z_i),                                  |
   |    - For j = 1, 2, ..., q do                                   |
   |        H_{h+j} = E_K(Z_{h+j}),                                 |
   |        sum = sum (xor) ( H_{h+j} (x) C_j ),                    |
   |        Z_{h+j+1} = incr_l(Z_{h+j}),                            |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T = MSB_S(E_K(sum (xor) H_{h+q+1} (x)                     |
   |        (len(A) || len(C)))).                                   |
   |                                                                |
   | 4. Return (ICN, A, C, T).                                      |
   +----------------------------------------------------------------+

   The ICN value for each message encrypted under a given key K must be
   unique.  Using the same ICN value for two different messages
   encrypted with the same key voids the security properties of this
   mode.

   Users who do not wish to encrypt plaintext can provide a string P of
   zero length.  Users who do not wish to authenticate associated data
   can provide a string A of zero length.  The lengths of the associated
   data A and of the plaintext P MUST be such that 0 < |A| + |P| <
   2^{n/2}.

4.2.  MGM Decryption and Authentication Check Procedure

   The MGM decryption and authentication procedure takes the following
   parameters as inputs:

   1.  The encryption key K in V_k.

   2.  The initial counter nonce ICN in V_{n-1}.

   3.  The associated authenticated data A, 0 <= |A| < 2^{n/2}.  A =
       A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1, A*_h in
       V_t, 1 <= t <= n.

   4.  The ciphertext C, 0 <= |C| < 2^{n/2}.  C = C_1 || ... || C*_q,
       C_i in V_n, for i = 1, ... , q - 1, C*_q in V_u, 1 <= u <= n.

   5.  The authentication tag T in V_S.

   The MGM decryption and authentication procedure outputs FAIL or the
   following parameters:

   1.  Plaintext P in V_{|C|}.

   2.  Associated authenticated data A.
   The MGM decryption and authentication procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Decrypt(K, ICN, A, C, T)                                   |
   |----------------------------------------------------------------|
   | 1. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 2. Authentication tag T verification step:                     |
   |    - Z_1 = E_K(1 || ICN),                                      |
   |    - sum = 0,                                                  |
   |    - For i = 1, 2, ..., h do                                   |
   |        H_i = E_K(Z_i),                                         |
   |        sum = sum (xor) ( H_i (x) A_i ),                        |
   |        Z_{i+1} = incr_l(Z_i),                                  |
   |    - For j = 1, 2, ..., q do                                   |
   |        H_{h+j} = E_K(Z_{h+j}),                                 |
   |        sum = sum (xor) ( H_{h+j} (x) C_j ),                    |
   |        Z_{h+j+1} = incr_l(Z_{h+j}),                            |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T' = MSB_S(E_K(sum (xor) H_{h+q+1} (x)                    |
   |        (len(A) || len(C)))),                                   |
   |    - If T' != T then return FAIL.                              |
   |                                                                |
   | 3. Decryption step:                                            |
   |    - Y_1 = E_K(0 || ICN),                                      |
   |    - For i = 2, 3, ... , q do                                  |
   |        Y_i = incr_r(Y_{i-1}),                                  |
   |    - For i = 1, 2, ... , q - 1 do                              |
   |        P_i = C_i (xor) E_K(Y_i),                               |
   |    - P*_q = C*_q (xor) MSB_u(E_K(Y_q)),                        |
   |    - P = P_1 || ... || P*_q.                                   |
   |                                                                |
   | 4. Return (P, A).                                              |
   +----------------------------------------------------------------+

5.  Rationale

   The MGM mode was originally proposed in [PDMODE].

   From an operational point of view, the MGM mode is designed to be
   parallelizable, inverse-free and online, and to allow
   precomputation.

   Parallelizability of the MGM mode follows from its counter-type
   structure and from the use of a multilinear function for
   authentication.  Indeed, both the encryption blocks E_K(Y_i) and the
   authentication blocks H_i are produced in a counter-mode manner, and
   the multilinear function determined by the H_i is parallelizable in
   itself.  The counter-type structure of the mode also provides the
   inverse-free property: both encryption and decryption use only the
   forward permutation E_K, never its inverse.
   The online property means that a message can be processed before it
   has been completely received, i.e. while its length is still
   unknown.  To provide this property, the MGM mode uses blocks E_K(Y_i)
   and H_i that are produced from two independent counter sequences Y_i
   and Z_i.

   Availability of precomputation means that H_i and E_K(Y_i) can be
   calculated before the data is available.  This again holds because
   both are derived from counters.

   The MGM mode incorporates several mechanisms for strengthening its
   cryptographic properties.  The main ones are:

   Different functions generating the counter values:  The functions
      incr_r and incr_l are chosen to minimize the intersection (if it
      happens) between the sets of counter values Y_i and Z_i.

   Encryption of the multilinear function output:  This step resists
      attacks based on padding and on the linear properties of the
      authentication function (see [Ferg05] for details).

   Multilinear function for authentication:  This resists the small
      subgroup (cycling) attacks of [Saar12].

   Encryption of the nonces (0 || ICN) and (1 || ICN):  The aim of this
      encryption is to minimize the number of plaintext/ciphertext block
      pairs known to an adversary.  A small number of such pairs resists
      attacks that need a substantial amount of such material (e.g.,
      linear and differential cryptanalysis, side-channel attacks).

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

6.2.  Informative References

   [Ferg05]   Ferguson, N., "Authentication weaknesses in GCM", 2005.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [PDMODE]   Nozdrunov, V., "Parallel and double block cipher mode of
              operation (PD-mode) for authenticated encryption", CTCrypt
              2017 proceedings, pp. 36-45, 2017.

   [Saar12]   Saarinen, O., "Cycling Attacks on GCM, GHASH and Other
              Polynomial MACs and Hashes", FSE 2012 proceedings, pp.
              216-225, 2012.

Appendix A.  Test Vectors

   Test vectors for the Kuznyechik block cipher (n = 128, k = 256)
   defined in [GOST3412-2015] (the English version can be found in
   [RFC7801]).

   Encryption key K:
   00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Associated authenticated data A:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05

   Plaintext P:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040: AA BB CC

   1.  Encryption step:

   0^1 || ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Y_1:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CD
   E_K(Y_1):
   00000: B8 57 48 C5 12 F3 19 90 AA 56 7E F1 53 35 DB 74

   Y_2:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CE
   E_K(Y_2):
   00000: 80 64 F0 12 6F AC 9B 2C 5B 6E AC 21 61 2F 94 33

   Y_3:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CF
   E_K(Y_3):
   00000: 58 58 82 1D 40 C0 CD 0D 0A C1 E6 C2 47 09 8F 1C

   Y_4:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D0
   E_K(Y_4):
   00000: E4 3F 50 81 B5 8F 0B 49 01 2F 8E E8 6A CD 6D FA

   Y_5:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D1
   E_K(Y_5):
   00000: 86 CE 9E 2A 0A 12 25 E3 33 56 91 B2 0D 5A 33 48

   C:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52 00 00 00 00 00 00 00 00 00 00 00 00 00

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   Z_1:
   00000: 7F C2 45 A8 58 6E 66 02 A7 BB DB 27 86 BD C6 6F
   H_1:
   00000: 8D B1 87 D6 53 83 0E A4 BC 44 64 76 95 2C 30 0B
   current sum:
   00000: 4C F4 27 F4 AD B7 5C F4 C0 DA 39 D5 AB 48 CF 38

   Z_2:
   00000: 7F C2 45 A8 58 6E 66 03 A7 BB DB 27 86 BD C6 6F
   H_2:
   00000: 7A 24 F7 26 30 E3 76 37 21 C8 F3 CD B1 DA 0E 31
   current sum:
   00000: 94 95 44 0E F6 24 A1 DD C6 F5 D9 77 28 50 C5 73

   Z_3:
   00000: 7F C2 45 A8 58 6E 66 04 A7 BB DB 27 86 BD C6 6F
   H_3:
   00000: 44 11 96 21 17 D2 06 35 C5 25 E0 A2 4D B4 B9 0A
   current sum:
   00000: A4 9A 8C D8 A6 F2 74 23 DB 79 E4 4A B3 06 D9 42

   Z_4:
   00000: 7F C2 45 A8 58 6E 66 05 A7 BB DB 27 86 BD C6 6F
   H_4:
   00000: D8 C9 62 3C 4D BF E8 14 CE 7C 1C 0C EA A9 59 DB
   current sum:
   00000: 09 FE 3F 6A 83 3C 21 B3 90 27 D0 20 6A 84 E1 5A

   Z_5:
   00000: 7F C2 45 A8 58 6E 66 06 A7 BB DB 27 86 BD C6 6F
   H_5:
   00000: A5 E1 F1 95 33 3E 14 82 96 99 31 BF BE 6D FD 43
   current sum:
   00000: B5 DA 26 BB 00 EB A8 04 35 D7 97 6B C6 B5 46 4D

   Z_6:
   00000: 7F C2 45 A8 58 6E 66 07 A7 BB DB 27 86 BD C6 6F
   H_6:
   00000: B4 CA 80 8C AC CF B3 F9 17 24 E4 8A 2C 7E E9 D2
   current sum:
   00000: DD 1C 0E EE F7 83 C8 EB 2A 33 F3 58 D7 23 0E E5

   Z_7:
   00000: 7F C2 45 A8 58 6E 66 08 A7 BB DB 27 86 BD C6 6F
   H_7:
   00000: 72 90 8F C0 74 E4 69 E8 90 1B D1 88 EA 91 C3 31
   current sum:
   00000: 89 6C E1 08 32 EB EA F9 06 9F 3F 73 76 59 4D 40

   Z_8:
   00000: 7F C2 45 A8 58 6E 66 09 A7 BB DB 27 86 BD C6 6F
   H_8:
   00000: 23 CA 27 15 B0 2C 68 31 3B FD AC B3 9E 4D 0F B8
   current sum:
   00000: 99 1A F5 C9 D0 80 F7 63 87 FE 64 9E 7C 93 C6 42

   Z_9:
   00000: 7F C2 45 A8 58 6E 66 0A A7 BB DB 27 86 BD C6 6F
   H_9:
   00000: BC BC E6 C4 1A A3 55 A4 14 88 62 BF 64 BD 83 0D
   len(A) || len(C):
   00000: 00 00 00 00 00 00 01 48 00 00 00 00 00 00 02 18
   sum (xor) H_9 (x) (len(A) || len(C)):
   00000: C0 C7 22 DB 5E 0B D6 DB 25 76 73 83 3D 56 71 28

   Tag T:
   00000: CF 5D 65 6F 40 C3 4F 5C 46 E8 BB 0E 29 FC DB 4C

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Ekaterina Smyshlyaeva
      CryptoPro
      ess@cryptopro.ru

   o  Lilia Akhmetzyanova
      CryptoPro
      lah@cryptopro.ru

   o  Grigory Marshalko
      TC 26
      marshalko_gb@tc26.ru

   o  Vladimir Rudskoy
      TC 26
      rudskoy_vi@tc26.ru

   o  Alexey Nesterenko
      National Research University Higher School of Economics
      anesterenko@hse.ru

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru


   Vladislav Nozdrunov
   TC 26

   Email: nozdrunov_vi@tc26.ru


   Vasily Shishkin
   TC 26

   Email: shishkin_va@tc26.ru


   Ekaterina Smyshlyaeva
   CryptoPro

   Email: ess@cryptopro.ru
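
   The following Python program is an added worked example of Sections
   3 and 4 and of Appendix A; it is not part of the draft and not code
   from its authors.  It implements the (x) multiplication in GF(2^n)
   with the two field polynomials of Section 3, incr_l and incr_r, and
   the MGM-Encrypt and MGM-Decrypt procedures over a pluggable block
   cipher E_K passed in as a callable on n/8-byte blocks.  Two
   conventions are the example's own: ICN is supplied as the n-bit
   block 0 || ICN (the form in which Appendix A prints it), and the
   T' != T check uses hmac.compare_digest so that the comparison runs in
   constant time.  Instead of implementing Kuznyechik, the example
   replays Appendix A through a constructed stand-in for E_K: a lookup
   table of the 17 E_K input/output pairs the appendix lists, so the
   mode layer (counters, padding, field arithmetic, length block, tag
   truncation) is checked independently of the cipher.

```python
"""MGM (draft-smyshlyaev-mgm-11) over a pluggable E_K.  Added example, not the draft's code."""
import hmac

# Low-order terms of the Section 3 polynomials: x^64+x^4+x^3+x+1 -> 0x1B, x^128+x^7+x^2+x+1 -> 0x87
POLY = {64: 0x1B, 128: 0x87}


def bxor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def gf_mul(x, y, n):
    """(x): GF(2^n) product; blocks are read with Int_n (leftmost bit = coefficient of x^(n-1))."""
    a, b, z, top = int.from_bytes(x, "big"), int.from_bytes(y, "big"), 0, 1 << (n - 1)
    while b:
        if b & 1:
            z ^= a
        a = ((a ^ top) << 1) ^ POLY[n] if a & top else a << 1   # a := a * x mod f
        b >>= 1
    return z.to_bytes(n // 8, "big")

def incr_l(blk):   # incr_l: left half [+] 1 (addition modulo 2^(n/2)), right half unchanged
    h = len(blk) // 2
    return ((int.from_bytes(blk[:h], "big") + 1) % (1 << 8 * h)).to_bytes(h, "big") + blk[h:]

def incr_r(blk):   # incr_r: left half unchanged, right half [+] 1
    h = len(blk) // 2
    return blk[:h] + ((int.from_bytes(blk[h:], "big") + 1) % (1 << 8 * h)).to_bytes(h, "big")

def _blocks(data, nb):
    return [data[i:i + nb] for i in range(0, len(data), nb)]   # the last block may be short

def _check(n, s, icn, a, d):
    """Section 4: n in {64, 128}; 32 <= S <= n, whole bytes; icn = 0 || ICN; 0 < |A|+|P| < 2^(n/2)."""
    if not (n in POLY and 32 <= s <= n and s % 8 == 0 and len(icn) == n // 8
            and not icn[0] & 0x80 and 0 < 8 * (len(a) + len(d)) < 1 << (n // 2)):
        raise ValueError("invalid MGM parameters")

def _ctr(enc, n, icn, data):
    """Encryption/decryption step: Y_1 = E_K(0 || ICN), Y_i = incr_r(Y_{i-1}), block (xor) E_K(Y_i)."""
    y, out = enc(icn), bytearray()
    for blk in _blocks(data, n // 8):
        out += bxor(blk, enc(y)[:len(blk)])   # a short last block takes MSB_u(E_K(Y_q))
        y = incr_r(y)
    return bytes(out)

def _tag(enc, n, s, icn, a, c):
    """Tag step: Z_1 = E_K(1 || ICN), H_i = E_K(Z_i), Z_{i+1} = incr_l(Z_i); sum of H_i (x) block
    over the zero-padded blocks of A then C; T = MSB_S(E_K(sum (xor) H_{h+q+1} (x) (len(A)||len(C))))."""
    nb, half = n // 8, n // 16
    z, acc = enc(bytes([icn[0] | 0x80]) + icn[1:]), bytes(nb)
    for blk in _blocks(a, nb) + _blocks(c, nb):
        acc = bxor(acc, gf_mul(enc(z), blk + bytes(nb - len(blk)), n))
        z = incr_l(z)
    lens = (8 * len(a)).to_bytes(half, "big") + (8 * len(c)).to_bytes(half, "big")
    return enc(bxor(acc, gf_mul(enc(z), lens, n)))[:s // 8]

def mgm_encrypt(enc, n, s, icn, p, a):
    """MGM-Encrypt(K, ICN, P, A) -> (C, T).  ICN must never repeat under one key."""
    _check(n, s, icn, a, p)
    c = _ctr(enc, n, icn, p)
    return c, _tag(enc, n, s, icn, a, c)

def mgm_decrypt(enc, n, s, icn, a, c, t):
    """MGM-Decrypt(K, ICN, A, C, T) -> P, or None for FAIL; tag verified (constant-time) before decrypting."""
    _check(n, s, icn, a, c)
    if len(t) != s // 8 or not hmac.compare_digest(_tag(enc, n, s, icn, a, c), t):
        return None
    return _ctr(enc, n, icn, c)


# Appendix A inputs (Kuznyechik, n = 128); ICN appears there as the block 0 || ICN.
ICN = bytes.fromhex("1122334455667700FFEEDDCCBBAA9988")
A = bytes.fromhex("02020202020202020101010101010101 04040404040404040303030303030303"
                  "EA0505050505050505")
P = bytes.fromhex("1122334455667700FFEEDDCCBBAA9988 00112233445566778899AABBCCEEFF0A"
                  "112233445566778899AABBCCEEFF0A00 2233445566778899AABBCCEEFF0A0011 AABBCC")

def appendix_a_cipher():
    """Constructed stand-in for E_K under the Appendix A key: a lookup table of the 17
    E_K input/output pairs the appendix lists, so the vector replays without Kuznyechik."""
    y = bytes.fromhex("7F679D90BEBC24305A468D42B9D4EDCD")   # Y_1 = E_K(0 || ICN)
    z = bytes.fromhex("7FC245A8586E6602A7BBDB2786BDC66F")   # Z_1 = E_K(1 || ICN)
    table = {ICN: y, bytes([ICN[0] | 0x80]) + ICN[1:]: z,
             bytes.fromhex("C0C722DB5E0BD6DB257673833D567128"):   # sum (xor) H_9 (x) lengths
             bytes.fromhex("CF5D656F40C34F5C46E8BB0E29FCDB4C")}   # -> E_K(...) = T
    for hx in ("B85748C512F31990AA567EF15335DB74 8064F0126FAC9B2C5B6EAC21612F9433 "
               "5858821D40C0CD0D0AC1E6C247098F1C E43F5081B58F0B49012F8EE86ACD6DFA "
               "86CE9E2A0A1225E3335691B20D5A3348").split():   # E_K(Y_1) .. E_K(Y_5)
        table[y], y = bytes.fromhex(hx), incr_r(y)   # key uses the old y, then y advances
    for hx in ("8DB187D653830EA4BC446476952C300B 7A24F72630E3763721C8F3CDB1DA0E31 "
               "4411962117D20635C525E0A24DB4B90A D8C9623C4DBFE814CE7C1C0CEAA959DB "
               "A5E1F195333E1482969931BFBE6DFD43 B4CA808CACCFB3F91724E48A2C7EE9D2 "
               "72908FC074E469E8901BD188EA91C331 23CA2715B02C68313BFDACB39E4D0FB8 "
               "BCBCE6C41AA355A4148862BF64BD830D").split():   # H_1 .. H_9
        table[z], z = bytes.fromhex(hx), incr_l(z)
    return table.__getitem__   # unknown inputs raise KeyError: this is not a cipher

if __name__ == "__main__":   # replay Appendix A and print C and T for comparison with the draft
    c, t = mgm_encrypt(appendix_a_cipher(), 128, 128, ICN, P, A)
    print("C =", c.hex().upper(), "\nT =", t.hex().upper())
```

   Running the file prints the Appendix A ciphertext and tag.  Any real
   128-bit or 64-bit block cipher can be dropped in as `enc` (for
   example a library Kuznyechik bound to a key), which is the intended
   way to use the mode; the lookup table exists only to exercise the
   mode logic against the published intermediate values.  Note that
   mgm_decrypt returns before touching the ciphertext when the tag does
   not verify, matching the step order of MGM-Decrypt.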