idnits 2.17.1

draft-smyshlyaev-mgm-16.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (December 12, 2019) is 1598 days in the past.  Is this
     intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                   S. Smyshlyaev, Ed.
Internet-Draft                                                   CryptoPro
Intended status: Informational                                V. Nozdrunov
Expires: June 14, 2020                                         V. Shishkin
                                                                     TC 26
                                                            E. Smyshlyaeva
                                                                 CryptoPro
                                                         December 12, 2019

                     Multilinear Galois Mode (MGM)
                        draft-smyshlyaev-mgm-16

Abstract

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the Encrypt-then-MAC
   (EtM) principle.  MGM is defined for use with 64-bit and 128-bit block
   ciphers.

   MGM has been standardized in Russia.  It is used as an AEAD mode for
   the GOST block cipher algorithms in many protocols, e.g. TLS 1.3 and
   IPsec.
   This document provides a reference for MGM to enable review of the
   mechanisms in use and to make MGM available for use with any block
   cipher.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 14, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Specification
     4.1.  MGM Encryption and Authentication Procedure
     4.2.  MGM Decryption and Authentication Check Procedure
   5.  Rationale
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Test Vectors
   Appendix B.  Contributors
   Authors' Addresses

1.  Introduction

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the Encrypt-then-MAC
   (EtM) principle.  MGM is defined for use with 64-bit and 128-bit block
   ciphers.  The MGM design principles can easily be applied to other
   block sizes.

   MGM has been standardized in Russia.  It is used as an AEAD mode for
   the GOST block cipher algorithms in many protocols, e.g. TLS 1.3 and
   IPsec.  This document provides a reference for MGM to enable review
   of the mechanisms in use and to make MGM available for use with any
   block cipher.

   This document does not have IETF consensus and does not imply IETF
   support for MGM.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*        the set of all bit strings of a finite length (hereinafter
             referred to as strings), including the empty string;
             substrings and string components are enumerated from right
             to left starting from zero;

   V_s       the set of all bit strings of length s, where s is a non-
             negative integer;

   |X|       the bit length of the bit string X (if X is an empty string,
             then |X| = 0);

   X || Y    concatenation of strings X and Y both belonging to V*, i.e.,
             a string from V_{|X|+|Y|}, where the left substring from
             V_{|X|} is equal to X, and the right substring from V_{|Y|}
             is equal to Y;

   a^s       the string in V_s that consists of s 'a' bits: a^s = (a, a,
             ... , a), 'a' in V_1;

   (xor)     exclusive-or of two bit strings of the same length;

   Z_{2^s}   ring of residues modulo 2^s;

   MSB_i: V_s -> V_i
             the transformation that maps the string X = (x_{s-1}, ... ,
             x_0) in V_s into the string MSB_i(X) = (x_{s-1}, ... ,
             x_{s-i}) in V_i, i <= s (most significant bits);

   Int_s: V_s -> Z_{2^s}
             the transformation that maps a string X = (x_{s-1}, ... ,
             x_0) in V_s into the integer Int_s(X) = 2^{s-1} * x_{s-1} + ...
             + 2 * x_1 + x_0 (the interpretation of the bit string as an
             integer);

   Vec_s: Z_{2^s} -> V_s
             the transformation inverse to the mapping Int_s (the
             interpretation of an integer as a bit string);

   E_K: V_n -> V_n
             the block cipher permutation under the key K in V_k;

   k         the bit length of the block cipher key;

   n         the block size of the block cipher (in bits);

   len: V_s -> V_{n/2}
             the transformation that maps a string X in V_s,
             0 <= s <= 2^{n/2} - 1, into the string len(X) =
             Vec_{n/2}(|X|) in V_{n/2}, where n is the block size of the
             used block cipher;

   [+]       the addition operation in Z_{2^{n/2}}, where n is the block
             size of the used block cipher;

   (x)       multiplication in GF(2^n), where n is the block size of the
             used block cipher; if n = 64, then the field polynomial is
             f = x^64 + x^4 + x^3 + x + 1; if n = 128, then the field
             polynomial is f = x^128 + x^7 + x^2 + x + 1;

   incr_l: V_n -> V_n
             the transformation that maps a string L || R, where L, R in
             V_{n/2}, into the string incr_l(L || R) =
             Vec_{n/2}(Int_{n/2}(L) [+] 1) || R;

   incr_r: V_n -> V_n
             the transformation that maps a string L || R, where L, R in
             V_{n/2}, into the string incr_r(L || R) =
             L || Vec_{n/2}(Int_{n/2}(R) [+] 1).

4.  Specification

   An additional parameter that defines the functioning of Multilinear
   Galois Mode (MGM) is the bit length S of the authentication tag,
   32 <= S <= 128.  The value of S MUST be fixed for a particular
   protocol.  The choice of the value S involves a trade-off between
   message expansion and the forgery probability.

4.1.  MGM Encryption and Authentication Procedure

   The MGM encryption and authentication procedure takes the following
   parameters as inputs:

   1.  Encryption key K in V_k.

   2.  Initial counter nonce ICN in V_{n-1}.

   3.  Plaintext P, 0 <= |P| < 2^{n/2}.  If |P| > 0, then P = P_1 ||
       ... || P*_q, P_i in V_n, for i = 1, ...
       , q - 1, P*_q in V_u, 1 <= u <= n.  If |P| = 0, then by
       definition P*_q is empty, and the q and u parameters are set as
       follows: q = 0, u = n.

   4.  Associated authenticated data A, 0 <= |A| < 2^{n/2}.  If |A| > 0,
       then A = A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1,
       A*_h in V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is
       empty, and the h and t parameters are set as follows: h = 0,
       t = n.  The associated data is authenticated but is not
       encrypted.

   The MGM encryption and authentication procedure outputs the following
   parameters:

   1.  Initial counter nonce ICN.

   2.  Associated authenticated data A.

   3.  Ciphertext C in V_{|P|}.

   4.  Authentication tag T in V_S.

   The MGM encryption and authentication procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   |  MGM-Encrypt(K, ICN, P, A)                                     |
   |----------------------------------------------------------------|
   |  1. Encryption step:                                           |
   |     - Y_1 = E_K(0 || ICN),                                     |
   |     - For i = 2, 3, ... , q do                                 |
   |           Y_i = incr_r(Y_{i-1}),                               |
   |     - For i = 1, 2, ... , q - 1 do                             |
   |           C_i = P_i (xor) E_K(Y_i),                            |
   |     - C*_q = P*_q (xor) MSB_u(E_K(Y_q)),                       |
   |     - C = C_1 || ... || C*_q.                                  |
   |                                                                |
   |  2. Padding step:                                              |
   |     - A_h = A*_h || 0^{n-t},                                   |
   |     - C_q = C*_q || 0^{n-u}.                                   |
   |                                                                |
   |  3. Authentication tag T generation step:                      |
   |     - Z_1 = E_K(1 || ICN),                                     |
   |     - sum = 0,                                                 |
   |     - For i = 1, 2, ..., h do                                  |
   |           H_i = E_K(Z_i),                                      |
   |           sum = sum (xor) ( H_i (x) A_i ),                     |
   |           Z_{i+1} = incr_l(Z_i),                               |
   |     - For j = 1, 2, ..., q do                                  |
   |           H_{h+j} = E_K(Z_{h+j}),                              |
   |           sum = sum (xor) ( H_{h+j} (x) C_j ),                 |
   |           Z_{h+j+1} = incr_l(Z_{h+j}),                         |
   |     - H_{h+q+1} = E_K(Z_{h+q+1}),                              |
   |     - T = MSB_S(E_K(sum (xor) H_{h+q+1} (x)                    |
   |                    (len(A) || len(C)))).                       |
   |                                                                |
   |  4. Return (ICN, A, C, T).                                     |
   +----------------------------------------------------------------+
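   The MGM-Encrypt and MGM-Decrypt procedures of Sections 4.1 and 4.2,
   written out as runnable Python; this is an example added here, not
   code from the draft or its authors.  E_K is any n-bit block cipher
   passed in as a callable, all lengths are assumed to be whole bytes
   (so u, t and S are multiples of 8), and toy_cipher is a SHA-256 Feistel
   stand-in for Kuznyechik used only so the demo runs offline.  The
   appendix_a_gf_step() function re-computes the one Appendix A
   intermediate value that involves no cipher call, which pins down the
   GF(2^128) bit-ordering convention (bit x_0 is the rightmost bit of the
   block, as Int_n reads it).

```python
# Added example, not the draft's code: byte-granular MGM over any n-bit E_K.
import hashlib, hmac
def gf_mul(x: int, y: int, n: int) -> int:
    """(x) in GF(2^n); bit i of the big-endian block is the coefficient of x^i."""
    r, top, z = {64: 0x1B, 128: 0x87}[n], 1 << n, 0   # f minus x^n: 0x1B / 0x87
    while y:
        z ^= x if y & 1 else 0
        x <<= 1
        if x & top:                                    # degree n reached: reduce by f
            x ^= top | r
        y >>= 1
    return z

def incr(block: bytes, n: int, left: bool) -> bytes:  # incr_l (left=True) / incr_r
    h = n // 16
    bump = lambda v: ((int.from_bytes(v, "big") + 1) % (1 << (n // 2))).to_bytes(h, "big")
    return bump(block[:h]) + block[h:] if left else block[:h] + bump(block[h:])

def _tag(E, icn, A, C, n, S):
    nb, acc = n // 8, 0
    z = E(bytes([icn[0] | 0x80]) + icn[1:])            # Z_1 = E_K(1 || ICN)
    data = A + b"\0" * (-len(A) % nb) + C + b"\0" * (-len(C) % nb)   # padding step
    for i in range(0, len(data), nb):                  # sum ^= H_i (x) block; Z_{i+1} = incr_l(Z_i)
        acc ^= gf_mul(int.from_bytes(E(z), "big"), int.from_bytes(data[i:i + nb], "big"), n)
        z = incr(z, n, True)
    lens = (8 * len(A)).to_bytes(nb // 2, "big") + (8 * len(C)).to_bytes(nb // 2, "big")
    acc ^= gf_mul(int.from_bytes(E(z), "big"), int.from_bytes(lens, "big"), n)
    return E(acc.to_bytes(nb, "big"))[:S // 8]         # T = MSB_S(E_K(sum))

def _ctr(E, icn, data, n):
    nb, out, y = n // 8, bytearray(), E(icn)           # Y_1 = E_K(0 || ICN)
    for i in range(0, len(data), nb):
        out += bytes(a ^ b for a, b in zip(data[i:i + nb], E(y)))  # zip() keeps MSB_u
        y = incr(y, n, False)                          # Y_{i+1} = incr_r(Y_i)
    return bytes(out)

def _check(icn, A, X, n, S):
    assert n in (64, 128) and 32 <= S <= n and S % 8 == 0 and len(icn) == n // 8
    assert not icn[0] & 0x80, "ICN is n-1 bits"        # top bit is the 0/1 domain separator
    assert 0 < len(A) + len(X) < (1 << (n // 2)) // 8, "0 < |A|+|P| < 2^(n/2) bits"

def mgm_encrypt(E, n, S, icn, P, A):
    _check(icn, A, P, n, S)
    C = _ctr(E, icn, P, n)
    return C, _tag(E, icn, A, C, n, S)

def mgm_decrypt(E, n, S, icn, A, C, T):
    _check(icn, A, C, n, S)
    if not hmac.compare_digest(_tag(E, icn, A, C, n, S), T):
        return None                                    # FAIL: nothing is decrypted
    return _ctr(E, icn, C, n)

def toy_cipher(key: bytes, n: int):                    # stand-in E_K: SHA-256 Feistel, NOT a cipher
    def E(b, h=n // 16):
        l, r = b[:h], b[h:]
        for i in range(4):
            l, r = r, bytes(p ^ q for p, q in zip(l, hashlib.sha256(key + bytes([i]) + r).digest()))
        return l + r
    return E

def appendix_a_gf_step() -> bool:                     # cipher-free line of Appendix A
    s8 = 0x991AF5C9D080F76387FE649E7C93C642            # 'current sum' after H_8
    h9, lens = 0xBCBCE6C41AA355A4148862BF64BD830D, 0x0000000000000148_0000000000000218
    return s8 ^ gf_mul(h9, lens, 128) == 0xC0C722DB5E0BD6DB257673833D567128
```

   Passing a real Kuznyechik E_K (n = 128) with the key, ICN, A and P of
   Appendix A lets the same two calls be checked against the full set of
   intermediate values and the tag T given there.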
   The ICN value for each message that is encrypted under the given key
   K must be chosen in a unique manner.

   Users who do not wish to encrypt plaintext can provide a string P of
   zero length.  Users who do not wish to authenticate associated data
   can provide a string A of zero length.  The length of the associated
   data A and of the plaintext P MUST be such that 0 < |A| + |P| <
   2^{n/2}.

4.2.  MGM Decryption and Authentication Check Procedure

   The MGM decryption and authentication procedure takes the following
   parameters as inputs:

   1.  The encryption key K in V_k.

   2.  The initial counter nonce ICN in V_{n-1}.

   3.  The associated authenticated data A, 0 <= |A| < 2^{n/2}.  A =
       A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1, A*_h in
       V_t, 1 <= t <= n.

   4.  The ciphertext C, 0 <= |C| < 2^{n/2}.  C = C_1 || ... || C*_q,
       C_i in V_n, for i = 1, ... , q - 1, C*_q in V_u, 1 <= u <= n.

   5.  The authentication tag T in V_S.

   The MGM decryption and authentication procedure outputs FAIL or the
   following parameters:

   1.  Plaintext P in V_{|C|}.

   2.  Associated authenticated data A.

   The MGM decryption and authentication procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   |  MGM-Decrypt(K, ICN, A, C, T)                                  |
   |----------------------------------------------------------------|
   |  1. Padding step:                                              |
   |     - A_h = A*_h || 0^{n-t},                                   |
   |     - C_q = C*_q || 0^{n-u}.                                   |
   |                                                                |
   |  2. Authentication tag T verification step:                    |
   |     - Z_1 = E_K(1 || ICN),                                     |
   |     - sum = 0,                                                 |
   |     - For i = 1, 2, ..., h do                                  |
   |           H_i = E_K(Z_i),                                      |
   |           sum = sum (xor) ( H_i (x) A_i ),                     |
   |           Z_{i+1} = incr_l(Z_i),                               |
   |     - For j = 1, 2, ..., q do                                  |
   |           H_{h+j} = E_K(Z_{h+j}),                              |
   |           sum = sum (xor) ( H_{h+j} (x) C_j ),                 |
   |           Z_{h+j+1} = incr_l(Z_{h+j}),                         |
   |     - H_{h+q+1} = E_K(Z_{h+q+1}),                              |
   |     - T' = MSB_S(E_K(sum (xor) H_{h+q+1} (x)                   |
   |                    (len(A) || len(C)))),                       |
   |     - If T' != T then return FAIL.                             |
   |                                                                |
   |  3. Decryption step:                                           |
   |     - Y_1 = E_K(0 || ICN),                                     |
   |     - For i = 2, 3, ... , q do                                 |
   |           Y_i = incr_r(Y_{i-1}),                               |
   |     - For i = 1, 2, ... , q - 1 do                             |
   |           P_i = C_i (xor) E_K(Y_i),                            |
   |     - P*_q = C*_q (xor) MSB_u(E_K(Y_q)),                       |
   |     - P = P_1 || ... || P*_q.                                  |
   |                                                                |
   |  4. Return (P, A).                                             |
   +----------------------------------------------------------------+

5.  Rationale

   MGM was originally proposed in [PDMODE].

   From the operational point of view, MGM is designed to be
   parallelizable, inverse-free and online, and to allow precomputation.

   Parallelizability of MGM is achieved due to its counter-type
   structure and the use of a multilinear function for authentication.
   Indeed, both the encryption blocks E_K(Y_i) and the authentication
   blocks H_i are produced in counter mode, and the multilinear function
   determined by the H_i is parallelizable in itself.  Additionally, the
   counter-type structure of the mode provides the inverse-free
   property.

   The online property means the possibility to process a message even
   if it has not been completely received (so its length is unknown).
   To provide this property, MGM uses the blocks E_K(Y_i) and H_i, which
   are produced from two independent source blocks Y_i and Z_i.

   Availability of precomputation for MGM means the possibility to
   calculate H_i and E_K(Y_i) even before the data is retrieved.  This
   again holds due to the use of counters for calculating them.

6.  Security Considerations

   The security properties of MGM are based on the following:

   o  Different functions generating the counter values:
      The functions incr_r and incr_l are chosen to minimize the
      intersection (if it happens) of the counter values Y_i and Z_i.

   o  Encryption of the multilinear function output:
      This allows MGM to resist attacks based on padding and linear
      properties (see [Ferg05] for details).

   o  Multilinear function for authentication:
      This allows MGM to resist the small subgroup attacks [Saar12].

   o  Encryption of the nonces (0 || ICN) and (1 || ICN):
      The use of this encryption minimizes the number of plaintext/
      ciphertext pairs of blocks known to an adversary.  This allows MGM
      to resist attacks that need a substantial amount of such material
      (e.g., linear and differential cryptanalysis, side-channel
      attacks).

   It is crucial to the security of MGM to use unique ICN values.  Using
   the same ICN value for two different messages encrypted with the same
   key eliminates the security properties of this mode.

7.  IANA Considerations

   This document does not require any IANA actions.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016,
              <https://www.rfc-editor.org/info/rfc7801>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

8.2.  Informative References

   [Ferg05]   Ferguson, N., "Authentication weaknesses in GCM", 2005.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.
   [PDMODE]   Nozdrunov, V., "Parallel and double block cipher mode of
              operation (PD-mode) for authenticated encryption", CTCrypt
              2017 proceedings, pp. 36-45, 2017.

   [Saar12]   Saarinen, O., "Cycling Attacks on GCM, GHASH and Other
              Polynomial MACs and Hashes", FSE 2012 proceedings,
              pp. 216-225, 2012.

Appendix A.  Test Vectors

   Test vectors for the Kuznyechik block cipher (n = 128, k = 256)
   defined in [GOST3412-2015] (the English version can be found in
   [RFC7801]).

   Encryption key K:
   00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   Associated authenticated data A:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05

   Plaintext P:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040: AA BB CC

   1.  Encryption step:

   0^1 || ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Y_1:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CD
   E_K(Y_1):
   00000: B8 57 48 C5 12 F3 19 90 AA 56 7E F1 53 35 DB 74

   Y_2:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CE
   E_K(Y_2):
   00000: 80 64 F0 12 6F AC 9B 2C 5B 6E AC 21 61 2F 94 33

   Y_3:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CF
   E_K(Y_3):
   00000: 58 58 82 1D 40 C0 CD 0D 0A C1 E6 C2 47 09 8F 1C

   Y_4:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D0
   E_K(Y_4):
   00000: E4 3F 50 81 B5 8F 0B 49 01 2F 8E E8 6A CD 6D FA

   Y_5:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D1
   E_K(Y_5):
   00000: 86 CE 9E 2A 0A 12 25 E3 33 56 91 B2 0D 5A 33 48

   C:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52 00 00 00 00 00 00 00 00 00 00 00 00 00

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Z_1:
   00000: 7F C2 45 A8 58 6E 66 02 A7 BB DB 27 86 BD C6 6F
   H_1:
   00000: 8D B1 87 D6 53 83 0E A4 BC 44 64 76 95 2C 30 0B
   current sum:
   00000: 4C F4 27 F4 AD B7 5C F4 C0 DA 39 D5 AB 48 CF 38

   Z_2:
   00000: 7F C2 45 A8 58 6E 66 03 A7 BB DB 27 86 BD C6 6F
   H_2:
   00000: 7A 24 F7 26 30 E3 76 37 21 C8 F3 CD B1 DA 0E 31
   current sum:
   00000: 94 95 44 0E F6 24 A1 DD C6 F5 D9 77 28 50 C5 73

   Z_3:
   00000: 7F C2 45 A8 58 6E 66 04 A7 BB DB 27 86 BD C6 6F
   H_3:
   00000: 44 11 96 21 17 D2 06 35 C5 25 E0 A2 4D B4 B9 0A
   current sum:
   00000: A4 9A 8C D8 A6 F2 74 23 DB 79 E4 4A B3 06 D9 42

   Z_4:
   00000: 7F C2 45 A8 58 6E 66 05 A7 BB DB 27 86 BD C6 6F
   H_4:
   00000: D8 C9 62 3C 4D BF E8 14 CE 7C 1C 0C EA A9 59 DB
   current sum:
   00000: 09 FE 3F 6A 83 3C 21 B3 90 27 D0 20 6A 84 E1 5A

   Z_5:
   00000: 7F C2 45 A8 58 6E 66 06 A7 BB DB 27 86 BD C6 6F
   H_5:
   00000: A5 E1 F1 95 33 3E 14 82 96 99 31 BF BE 6D FD 43
   current sum:
   00000: B5 DA 26 BB 00 EB A8 04 35 D7 97 6B C6 B5 46 4D

   Z_6:
   00000: 7F C2 45 A8 58 6E 66 07 A7 BB DB 27 86 BD C6 6F
   H_6:
   00000: B4 CA 80 8C AC CF B3 F9 17 24 E4 8A 2C 7E E9 D2
   current sum:
   00000: DD 1C 0E EE F7 83 C8 EB 2A 33 F3 58 D7 23 0E E5

   Z_7:
   00000: 7F C2 45 A8 58 6E 66 08 A7 BB DB 27 86 BD C6 6F
   H_7:
   00000: 72 90 8F C0 74 E4 69 E8 90 1B D1 88 EA 91 C3 31
   current sum:
   00000: 89 6C E1 08 32 EB EA F9 06 9F 3F 73 76 59 4D 40

   Z_8:
   00000: 7F C2 45 A8 58 6E 66 09 A7 BB DB 27 86 BD C6 6F
   H_8:
   00000: 23 CA 27 15 B0 2C 68 31 3B FD AC B3 9E 4D 0F B8
   current sum:
   00000: 99 1A F5 C9 D0 80 F7 63 87 FE 64 9E 7C 93 C6 42

   Z_9:
   00000: 7F C2 45 A8 58 6E 66 0A A7 BB DB 27 86 BD C6 6F
   H_9:
   00000: BC BC E6 C4 1A A3 55 A4 14 88 62 BF 64 BD 83 0D
   len(A) || len(C):
   00000: 00 00 00 00 00 00 01 48 00 00 00 00 00 00 02 18
   sum (xor) H_9 (x) (len(A) || len(C)):
   00000: C0 C7 22 DB 5E 0B D6 DB 25 76 73 83 3D 56 71 28

   Tag T:
   00000: CF 5D 65 6F 40 C3 4F 5C 46 E8 BB 0E 29 FC DB 4C

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Alexandra Babueva
      CryptoPro
      babueva@cryptopro.ru

   o  Lilia Akhmetzyanova
      CryptoPro
      lah@cryptopro.ru

   o  Grigory Marshalko
      TC 26
      marshalko_gb@tc26.ru

   o  Vladimir Rudskoy
      TC 26
      rudskoy_vi@tc26.ru

   o  Alexey Nesterenko
      National Research University Higher School of Economics
      anesterenko@hse.ru

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru

   Vladislav Nozdrunov
   TC 26

   Email: nozdrunov_vi@tc26.ru

   Vasily Shishkin
   TC 26

   Email: shishkin_va@tc26.ru

   Ekaterina Smyshlyaeva
   CryptoPro

   Email: ess@cryptopro.ru