Network Working Group                                  S. Smyshlyaev, Ed.
Internet-Draft                                                 CryptoPro
Intended status: Informational                              V. Nozdrunov
Expires: January 30, 2021                                    V. Shishkin
                                                                   TC 26
                                                           E. Griboedova
                                                               CryptoPro
                                                           July 29, 2020


                     Multilinear Galois Mode (MGM)
                        draft-smyshlyaev-mgm-18

Abstract

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the EtM principle.
   MGM is defined for use with 64-bit and 128-bit block ciphers.

   MGM has been standardized in Russia.  It is used as an AEAD mode for
   the GOST block cipher algorithms in many protocols, e.g. TLS 1.3 and
   IPsec.  This document provides a reference for MGM to enable review
   of the mechanisms in use and to make MGM available for use with any
   block cipher.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 30, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Specification
     4.1.  MGM Encryption and Tag Generation Procedure
     4.2.  MGM Decryption and Tag Verification Procedure
   5.  Rationale
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  Test Vectors for the Kuznyechik block cipher
     A.2.  Test Vectors for the Magma block cipher
   Appendix B.  Contributors
   Authors' Addresses

1.  Introduction

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the EtM principle.
   MGM is defined for use with 64-bit and 128-bit block ciphers.  The
   MGM design principles can easily be applied to other block sizes.

   MGM has been standardized in Russia [R1323565.1.026-2019].  It is
   used as an AEAD mode for the GOST block cipher algorithms in many
   protocols, e.g. TLS 1.3 and IPsec.  This document provides a
   reference for MGM to enable review of the mechanisms in use and to
   make MGM available for use with any block cipher.

   This document does not have IETF consensus and does not imply IETF
   support for MGM.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*        the set of all bit strings of a finite length (hereinafter
             referred to as strings), including the empty string;
             substrings and string components are enumerated from right
             to left starting from zero;

   V_s       the set of all bit strings of length s, where s is a non-
             negative integer.  For s = 0, V_0 consists of a single
             empty string;

   |X|       the bit length of the bit string X (if X is an empty
             string, then |X| = 0);

   X || Y    concatenation of strings X and Y, both belonging to V*,
             i.e., a string from V_{|X|+|Y|}, where the left substring
             from V_{|X|} is equal to X, and the right substring from
             V_{|Y|} is equal to Y;

   a^s       the string in V_s that consists of s 'a' bits;

   (xor)     exclusive-or of two bit strings of the same length;

   Z_{2^s}   ring of residues modulo 2^s;

   MSB_i: V_s -> V_i
             the transformation that maps the string X = (x_{s-1}, ...,
             x_0) in V_s into the string MSB_i(X) = (x_{s-1}, ...,
             x_{s-i}) in V_i, i <= s (most significant bits);

   Int_s: V_s -> Z_{2^s}
             the transformation that maps the string X = (x_{s-1}, ...,
             x_0) in V_s, s > 0, into the integer Int_s(X) = 2^{s-1} *
             x_{s-1} + ... + 2 * x_1 + x_0 (the interpretation of the
             bit string as an integer);

   Vec_s: Z_{2^s} -> V_s
             the transformation inverse to the mapping Int_s (the
             interpretation of an integer as a bit string);

   E_K: V_n -> V_n
             the block cipher permutation under the key K in V_k;

   k         the bit length of the block cipher key;

   n         the block size of the block cipher (in bits);

   len: V_s -> V_{n/2}
             the transformation that maps a string X in V_s, 0 <= s <=
             2^{n/2} - 1, into the string len(X) = Vec_{n/2}(|X|) in
             V_{n/2}, where n is the block size of the block cipher
             used;

   [+]       the addition operation in Z_{2^{n/2}}, where n is the block
             size of the block cipher used;

   (x)       the transformation that maps two strings X = (x_{n-1}, ...,
             x_0) in V_n and Y = (y_{n-1}, ..., y_0) in V_n into the
             string Z = X (x) Y = (z_{n-1}, ..., z_0) in V_n; the string
             Z corresponds to the polynomial Z(w) = z_{n-1} * w^{n-1} +
             ... + z_1 * w + z_0, which is the product of the
             polynomials X(w) = x_{n-1} * w^{n-1} + ... + x_1 * w + x_0
             and Y(w) = y_{n-1} * w^{n-1} + ... + y_1 * w + y_0 in the
             field GF(2^n), where n is the block size of the block
             cipher used; if n = 64, the field polynomial is f(w) = w^64
             + w^4 + w^3 + w + 1; if n = 128, the field polynomial is
             f(w) = w^128 + w^7 + w^2 + w + 1;

   incr_l: V_n -> V_n
             the transformation that maps a string L || R, where L, R in
             V_{n/2}, into the string incr_l(L || R) =
             Vec_{n/2}(Int_{n/2}(L) [+] 1) || R;

   incr_r: V_n -> V_n
             the transformation that maps a string L || R, where L, R in
             V_{n/2}, into the string incr_r(L || R) = L ||
             Vec_{n/2}(Int_{n/2}(R) [+] 1).

4.  Specification

   An additional parameter that defines the functioning of Multilinear
   Galois Mode (MGM) is the bit length S of the authentication tag, 32
   <= S <= n.  The value of S MUST be fixed for a particular protocol.
   The choice of the value S involves a trade-off between message
   expansion and the forgery probability.

4.1.  MGM Encryption and Tag Generation Procedure

   The MGM encryption and tag generation procedure takes the following
   parameters as inputs:

   1.  Encryption key K in V_k.

   2.  Initial counter nonce ICN in V_{n-1}.

   3.  Associated authenticated data A, 0 <= |A| < 2^{n/2}.  If |A| > 0,
       then A = A_1 || ... || A*_h, A_j in V_n, for j = 1, ..., h - 1,
       A*_h in V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is
       empty, and the h and t parameters are set as follows: h = 0, t =
       n.  The associated data is authenticated but is not encrypted.

   4.  Plaintext P, 0 <= |P| < 2^{n/2}.  If |P| > 0, then P = P_1 || ...
       || P*_q, P_i in V_n, for i = 1, ..., q - 1, P*_q in V_u, 1 <= u
       <= n.  If |P| = 0, then by definition P*_q is empty, and the q
       and u parameters are set as follows: q = 0, u = n.

   The MGM encryption and tag generation procedure outputs the following
   parameters:

   1.  Initial counter nonce ICN.

   2.  Associated authenticated data A.

   3.  Ciphertext C in V_{|P|}.

   4.  Authentication tag T in V_S.

   The MGM encryption and tag generation procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   |                   MGM-Encrypt(K, ICN, A, P)                    |
   |----------------------------------------------------------------|
   | 1. Encryption step:                                            |
   |    - if |P| = 0 then                                           |
   |        - C*_q = P*_q                                           |
   |        - C = P                                                 |
   |    - else                                                      |
   |        - Y_1 = E_K(0^1 || ICN),                                |
   |        - For i = 2, 3, ..., q do                               |
   |              Y_i = incr_r(Y_{i-1}),                            |
   |        - For i = 1, 2, ..., q - 1 do                           |
   |              C_i = P_i (xor) E_K(Y_i),                         |
   |        - C*_q = P*_q (xor) MSB_u(E_K(Y_q)),                    |
   |        - C = C_1 || ... || C*_q.                               |
   |                                                                |
   | 2. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 3. Authentication tag T generation step:                       |
   |    - Z_1 = E_K(1^1 || ICN),                                    |
   |    - sum = 0,                                                  |
   |    - For i = 1, 2, ..., h do                                   |
   |          H_i = E_K(Z_i),                                       |
   |          sum = sum (xor) ( H_i (x) A_i ),                      |
   |          Z_{i+1} = incr_l(Z_i),                                |
   |    - For j = 1, 2, ..., q do                                   |
   |          H_{h+j} = E_K(Z_{h+j}),                               |
   |          sum = sum (xor) ( H_{h+j} (x) C_j ),                  |
   |          Z_{h+j+1} = incr_l(Z_{h+j}),                          |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T = MSB_S(E_K(sum (xor) ( H_{h+q+1} (x)                   |
   |                           ( len(A) || len(C) ) ))).            |
   |                                                                |
   | 4. Return (ICN, A, C, T).                                      |
   +----------------------------------------------------------------+

   The ICN value for each message that is encrypted under the given key
   K must be chosen in a unique manner.

   Users who do not wish to encrypt plaintext can provide a string P of
   zero length.  Users who do not wish to authenticate associated data
   can provide a string A of zero length.  The length of the associated
   data A and of the plaintext P MUST be such that 0 < |A| + |P| <
   2^{n/2}.

4.2.  MGM Decryption and Tag Verification Procedure

   The MGM decryption and tag verification procedure takes the following
   parameters as inputs:

   1.  The encryption key K in V_k.

   2.  The initial counter nonce ICN in V_{n-1}.

   3.  The associated authenticated data A, 0 <= |A| < 2^{n/2}.  A =
       A_1 || ... || A*_h, A_j in V_n, for j = 1, ..., h - 1, A*_h in
       V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is empty,
       and the h and t parameters are set as follows: h = 0, t = n.  The
       associated data is authenticated but is not encrypted.

   4.  The ciphertext C, 0 <= |C| < 2^{n/2}.  C = C_1 || ... || C*_q,
       C_i in V_n, for i = 1, ..., q - 1, C*_q in V_u, 1 <= u <= n.  If
       |C| = 0, then by definition C*_q is empty, and the q and u
       parameters are set as follows: q = 0, u = n.

   5.  The authentication tag T in V_S.

   The MGM decryption and tag verification procedure outputs FAIL or the
   following parameters:

   1.  Associated authenticated data A.

   2.  Plaintext P in V_{|C|}.

   The MGM decryption and tag verification procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   |                  MGM-Decrypt(K, ICN, A, C, T)                  |
   |----------------------------------------------------------------|
   | 1. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 2. Authentication tag T verification step:                     |
   |    - Z_1 = E_K(1^1 || ICN),                                    |
   |    - sum = 0,                                                  |
   |    - For i = 1, 2, ..., h do                                   |
   |          H_i = E_K(Z_i),                                       |
   |          sum = sum (xor) ( H_i (x) A_i ),                      |
   |          Z_{i+1} = incr_l(Z_i),                                |
   |    - For j = 1, 2, ..., q do                                   |
   |          H_{h+j} = E_K(Z_{h+j}),                               |
   |          sum = sum (xor) ( H_{h+j} (x) C_j ),                  |
   |          Z_{h+j+1} = incr_l(Z_{h+j}),                          |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T' = MSB_S(E_K(sum (xor) ( H_{h+q+1} (x)                  |
   |                            ( len(A) || len(C) ) ))),           |
   |    - If T' != T then return FAIL.                              |
   |                                                                |
   | 3. Decryption step:                                            |
   |    - if |C| = 0 then                                           |
   |        - P = C                                                 |
   |    - else                                                      |
   |        - Y_1 = E_K(0^1 || ICN),                                |
   |        - For i = 2, 3, ..., q do                               |
   |              Y_i = incr_r(Y_{i-1}),                            |
   |        - For i = 1, 2, ..., q - 1 do                           |
   |              P_i = C_i (xor) E_K(Y_i),                         |
   |        - P*_q = C*_q (xor) MSB_u(E_K(Y_q)),                    |
   |        - P = P_1 || ... || P*_q.                               |
   |                                                                |
   | 4. Return (A, P).                                              |
   +----------------------------------------------------------------+

   The length of the associated data A and of the ciphertext C MUST be
   such that 0 < |A| + |C| < 2^{n/2}.

5.  Rationale

   MGM was originally proposed in [PDMODE].

   From the operational point of view, MGM is designed to be
   parallelizable, inverse-free and online, and to allow precomputation.

   Parallelizability of MGM is achieved due to its counter-type
   structure and the use of a multilinear function for authentication.
   Indeed, both the encryption blocks E_K(Y_i) and the authentication
   blocks H_i are produced in a counter-mode manner, and the multilinear
   function determined by the H_i is parallelizable in itself.
   Additionally, the counter-type structure of the mode provides the
   inverse-free property: only the forward direction of E_K is ever
   needed.

   The online property means that a message can be processed even
   before it has been completely received (i.e. while its length is
   still unknown).  To provide this property, MGM derives the blocks
   E_K(Y_i) and H_i from two independent counter sequences Y_i and Z_i.

   Availability of precomputation for MGM means that H_i and E_K(Y_i)
   can be calculated before the data is available.  Again, this holds
   because both are computed from counters.

6.  Security Considerations

   The security properties of MGM are based on the following:

   o  Different functions generating the counter values:
      The functions incr_r and incr_l are chosen to minimize the
      intersection (if any) of the counter values Y_i and Z_i.

   o  Encryption of the multilinear function output:
      This allows MGM to resist attacks based on padding and linear
      properties (see [Ferg05] for details).

   o  Multilinear function for authentication:
      This allows MGM to resist small subgroup attacks [Saar12].

   o  Encryption of the nonces (0^1 || ICN) and (1^1 || ICN):
      This minimizes the number of plaintext/ciphertext block pairs
      known to an adversary, and so helps resist attacks that need a
      substantial amount of such material (e.g., linear and
      differential cryptanalysis, side-channel attacks).

   It is crucial to the security of MGM to use unique ICN values.  Using
   the same ICN value for two different messages encrypted with the
   same key eliminates the security properties of this mode.

   Security analysis of MGM with E_K being a random permutation was
   performed in [SecMGM].  More precisely, bounds for the
   confidentiality advantage (CA) and the integrity advantage (IA) (for
   details see [I-D.wood-cfrg-aead-limits]) were obtained.  According
   to these results, for an adversary making at most q encryption
   queries with a total length of plaintexts and associated data of at
   most s blocks, and allowed to output a forgery whose ciphertext and
   associated data together have a length of at most l blocks:

      CA <= ( 3( s + 4q )^2 )/ 2^n,

      IA <= ( 3( s + 4q + l + 3 )^2 )/ 2^n + 2/2^S,

   where n is the block size and S is the authentication tag size.

   These bounds can be used as guidelines on how to calculate
   confidentiality and integrity limits (for details also see
   [I-D.wood-cfrg-aead-limits]).

7.  IANA Considerations

   This document does not require any IANA actions.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

8.2.  Informative References

   [Ferg05]   Ferguson, N., "Authentication weaknesses in GCM", 2005.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [I-D.dolmatov-magma]
              Dolmatov, V. and D. Eremin-Solenikov, "GOST R 34.12-2015:
              Block Cipher "Magma"", draft-dolmatov-magma-06 (work in
              progress), March 2020.

   [I-D.wood-cfrg-aead-limits]
              Guenther, F., Thomson, M., and C. Wood, "Usage Limits on
              AEAD Algorithms", draft-wood-cfrg-aead-limits-00 (work in
              progress), May 2020.
   [PDMODE]   Nozdrunov, V., "Parallel and double block cipher mode of
              operation (PD-mode) for authenticated encryption", CTCrypt
              2017 proceedings, pp. 36-45, 2017.

   [R1323565.1.026-2019]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Authenticated encryption block cipher operation modes",
              R 1323565.1.026-2019, 2019.

   [Saar12]   Saarinen, O., "Cycling Attacks on GCM, GHASH and Other
              Polynomial MACs and Hashes", FSE 2012 proceedings,
              pp. 216-225, 2012.

   [SecMGM]   Akhmetzyanova, L., Alekseev, E., Karpunin, G., and V.
              Nozdrunov, "Security of Multilinear Galois Mode (MGM)",
              IACR Cryptology ePrint Archive 2019, p. 123, 2019.

Appendix A.  Test Vectors

A.1.  Test Vectors for the Kuznyechik block cipher

   Test vectors for the Kuznyechik block cipher (n = 128, k = 256)
   defined in [GOST3412-2015] (the English version can be found in
   [RFC7801]).

   -------------------------Example 1--------------------------

   Encryption key K:
   00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Associated authenticated data A:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05

   Plaintext P:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040: AA BB CC

   1.  Encryption step:

   0^1 || ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Y_1:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CD
   E_K(Y_1):
   00000: B8 57 48 C5 12 F3 19 90 AA 56 7E F1 53 35 DB 74

   Y_2:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CE
   E_K(Y_2):
   00000: 80 64 F0 12 6F AC 9B 2C 5B 6E AC 21 61 2F 94 33

   Y_3:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CF
   E_K(Y_3):
   00000: 58 58 82 1D 40 C0 CD 0D 0A C1 E6 C2 47 09 8F 1C

   Y_4:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D0
   E_K(Y_4):
   00000: E4 3F 50 81 B5 8F 0B 49 01 2F 8E E8 6A CD 6D FA

   Y_5:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D1
   E_K(Y_5):
   00000: 86 CE 9E 2A 0A 12 25 E3 33 56 91 B2 0D 5A 33 48

   C:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52 00 00 00 00 00 00 00 00 00 00 00 00 00

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Z_1:
   00000: 7F C2 45 A8 58 6E 66 02 A7 BB DB 27 86 BD C6 6F
   H_1:
   00000: 8D B1 87 D6 53 83 0E A4 BC 44 64 76 95 2C 30 0B
   current sum:
   00000: 4C F4 27 F4 AD B7 5C F4 C0 DA 39 D5 AB 48 CF 38

   Z_2:
   00000: 7F C2 45 A8 58 6E 66 03 A7 BB DB 27 86 BD C6 6F
   H_2:
   00000: 7A 24 F7 26 30 E3 76 37 21 C8 F3 CD B1 DA 0E 31
   current sum:
   00000: 94 95 44 0E F6 24 A1 DD C6 F5 D9 77 28 50 C5 73

   Z_3:
   00000: 7F C2 45 A8 58 6E 66 04 A7 BB DB 27 86 BD C6 6F
   H_3:
   00000: 44 11 96 21 17 D2 06 35 C5 25 E0 A2 4D B4 B9 0A
   current sum:
   00000: A4 9A 8C D8 A6 F2 74 23 DB 79 E4 4A B3 06 D9 42

   Z_4:
   00000: 7F C2 45 A8 58 6E 66 05 A7 BB DB 27 86 BD C6 6F
   H_4:
   00000: D8 C9 62 3C 4D BF E8 14 CE 7C 1C 0C EA A9 59 DB
   current sum:
   00000: 09 FE 3F 6A 83 3C 21 B3 90 27 D0 20 6A 84 E1 5A

   Z_5:
   00000: 7F C2 45 A8 58 6E 66 06 A7 BB DB 27 86 BD C6 6F
   H_5:
   00000: A5 E1 F1 95 33 3E 14 82 96 99 31 BF BE 6D FD 43
   current sum:
   00000: B5 DA 26 BB 00 EB A8 04 35 D7 97 6B C6 B5 46 4D

   Z_6:
   00000: 7F C2 45 A8 58 6E 66 07 A7 BB DB 27 86 BD C6 6F
   H_6:
   00000: B4 CA 80 8C AC CF B3 F9 17 24 E4 8A 2C 7E E9 D2
   current sum:
   00000: DD 1C 0E EE F7 83 C8 EB 2A 33 F3 58 D7 23 0E E5

   Z_7:
   00000: 7F C2 45 A8 58 6E 66 08 A7 BB DB 27 86 BD C6 6F
   H_7:
   00000: 72 90 8F C0 74 E4 69 E8 90 1B D1 88 EA 91 C3 31
   current sum:
   00000: 89 6C E1 08 32 EB EA F9 06 9F 3F 73 76 59 4D 40

   Z_8:
   00000: 7F C2 45 A8 58 6E 66 09 A7 BB DB 27 86 BD C6 6F
   H_8:
   00000: 23 CA 27 15 B0 2C 68 31 3B FD AC B3 9E 4D 0F B8
   current sum:
   00000: 99 1A F5 C9 D0 80 F7 63 87 FE 64 9E 7C 93 C6 42

   Z_9:
   00000: 7F C2 45 A8 58 6E 66 0A A7 BB DB 27 86 BD C6 6F
   H_9:
   00000: BC BC E6 C4 1A A3 55 A4 14 88 62 BF 64 BD 83 0D
   len(A) || len(C):
   00000: 00 00 00 00 00 00 01 48 00 00 00 00 00 00 02 18
   sum (xor) ( H_9 (x) ( len(A) || len(C) ) ):
   00000: C0 C7 22 DB 5E 0B D6 DB 25 76 73 83 3D 56 71 28

   Tag T:
   00000: CF 5D 65 6F 40 C3 4F 5C 46 E8 BB 0E 29 FC DB 4C

   -------------------------Example 2--------------------------

   Encryption key K:
   00000: 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 FE
   00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88

   ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Associated authenticated data A:
   00000: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01

   Plaintext P:
   00000:

   1.  Encryption step:

   C:
   00000:

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01

   C_1 || ... || C_q:
   00000:

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Z_1:
   00000: 79 32 72 68 96 C4 3E 3F BF D6 50 89 EB F1 E5 B6
   H_1:
   00000: 99 3A 80 66 CC C0 A4 0F AC 4A 14 F7 A2 F6 6D 9B
   current sum:
   00000: 0A C1 1E 2C 1C D6 07 D8 2F E3 55 54 B4 01 02 81

   Z_2:
   00000: 79 32 72 68 96 C4 3E 40 BF D6 50 89 EB F1 E5 B6
   H_2:
   00000: 0C 38 A7 1E E7 93 BF 76 89 81 BF CD 7C DA 78 C8
   len(A) || len(C):
   00000: 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00
   sum (xor) ( H_2 (x) ( len(A) || len(C) ) ):
   00000: CA 1E F8 92 71 EA 60 C4 53 9E 40 EB 26 C2 80 5D

   Tag T:
   00000: 79 01 E9 EA 20 85 CD 24 7E D2 49 69 5F 9F 8A 85

A.2.  Test Vectors for the Magma block cipher

   Test vectors for the Magma block cipher (n = 64, k = 256) defined in
   [GOST3412-2015] (the English version can be found in
   [I-D.dolmatov-magma]).
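   The following is an added reference implementation, not code from
   this draft or from its authors, that reproduces the Magma vectors of
   this appendix: it implements the (x) multiplication of Section 3
   (with f(w) = w^64 + w^4 + w^3 + w + 1), the MGM-Encrypt procedure of
   Section 4.1 and the MGM-Decrypt procedure of Section 4.2 over the
   Magma block cipher of GOST R 34.12-2015 (the pi S-boxes are the
   id-tc26-gost-28147-param-Z set published in RFC 8891).  Assumptions
   that are not taken from the draft: ICN is passed as n/8 bytes whose
   top bit is clear (i.e. already in the 0^1 || ICN form shown in the
   vectors), S is restricted to a whole number of bytes, and the tag
   comparison is constant-time, which the draft's "If T' != T" does not
   prescribe.

```python
"""Added reference implementation (not the draft's own code) of MGM over the Magma
block cipher (n = 64).  Magma follows GOST R 34.12-2015 / RFC 8891 (param-Z S-box)."""
import hmac

# Magma pi S-boxes (id-tc26-gost-28147-param-Z); PI[i] is applied to nibble i,
# nibble 0 being the least significant one.
PI = (
    (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1),
    (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15),
    (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0),
    (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11),
    (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12),
    (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0),
    (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7),
    (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2),
)
N, HALF = 64, 32                               # block size n and n/2, in bits
M32, BLOCK_MASK = (1 << 32) - 1, (1 << N) - 1
REDUCTION = 0b11011                            # f(w) - w^64 = w^4 + w^3 + w + 1 for n = 64

def magma_g(k, a):
    """Magma round function g[k]: add k mod 2^32, nibble-wise S-box, rotate left by 11."""
    x = (a + k) & M32
    y = 0
    for i in range(8):
        y |= PI[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & M32

def magma_encrypt_block(key, block):
    """E_K for Magma: 32 Feistel rounds, round keys K1..K8, K1..K8, K1..K8, K8..K1."""
    k = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(8)]
    rk = k * 3 + k[::-1]
    a1, a0 = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    for i in range(31):
        a1, a0 = a0, a1 ^ magma_g(rk[i], a0)
    a1 ^= magma_g(rk[31], a0)                  # the last round does not swap the halves
    return a1.to_bytes(4, "big") + a0.to_bytes(4, "big")

def gf_mul(x, y):
    """The (x) operation of Section 3: multiply in GF(2^64) modulo w^64 + w^4 + w^3 + w + 1,
    the most significant bit of a block being the w^63 coefficient."""
    z = 0
    for i in range(N - 1, -1, -1):             # Horner's scheme over the bits of y, high to low
        z <<= 1
        if z >> N:
            z = (z & BLOCK_MASK) ^ REDUCTION
        if (y >> i) & 1:
            z ^= x
    return z

def incr_l(z):                                 # add 1 to the left half modulo 2^(n/2)
    return ((((z >> HALF) + 1) & M32) << HALF) | (z & M32)
def incr_r(z):                                 # add 1 to the right half mod 2^(n/2)
    return (z & (M32 << HALF)) | (((z & M32) + 1) & M32)
def e_k(key, v):                               # E_K on a block held as an integer
    return int.from_bytes(magma_encrypt_block(key, v.to_bytes(N // 8, "big")), "big")
def blocks(data):                              # n-bit blocks, the last one possibly shorter
    return [data[i:i + N // 8] for i in range(0, len(data), N // 8)]

def keystream_xor(key, icn, data):
    """Encryption/decryption step: Y_1 = E_K(0^1 || ICN), Y_i = incr_r(Y_{i-1}); the last
    block is masked with MSB_u(E_K(Y_q)) because zip() truncates the keystream to u bits."""
    y, out = e_k(key, int.from_bytes(icn, "big")), bytearray()
    for blk in blocks(data):
        out += bytes(p ^ k for p, k in zip(blk, e_k(key, y).to_bytes(N // 8, "big")))
        y = incr_r(y)
    return bytes(out)

def mgm_tag(key, icn, a, c, tag_bytes):
    """Padding step plus tag generation (Section 4.1) / tag verification (Section 4.2)."""
    z, s = e_k(key, int.from_bytes(icn, "big") | (1 << (N - 1))), 0   # Z_1 = E_K(1^1 || ICN)
    for blk in blocks(a) + blocks(c):                                  # A_1..A_h, then C_1..C_q
        s ^= gf_mul(e_k(key, z), int.from_bytes(blk.ljust(N // 8, b"\0"), "big"))  # zero-padded
        z = incr_l(z)
    lengths = ((len(a) * 8) << HALF) | (len(c) * 8)                    # len(A) || len(C)
    s ^= gf_mul(e_k(key, z), lengths)                                  # H_{h+q+1} (x) lengths
    return e_k(key, s).to_bytes(N // 8, "big")[:tag_bytes]             # T = MSB_S(E_K(sum))

def check_params(icn, a, data, tag_bits):
    # Assumption: ICN arrives as n/8 bytes with the top bit clear (the 0^1 || ICN form).
    if len(icn) != N // 8 or icn[0] & 0x80:
        raise ValueError("ICN must be n-1 bits, given as n/8 bytes with the top bit clear")
    if not 0 < (len(a) + len(data)) * 8 < (1 << HALF):
        raise ValueError("0 < |A| + |P| < 2^(n/2) is required")
    if not 32 <= tag_bits <= N or tag_bits % 8:     # whole-byte tags only (assumption)
        raise ValueError("tag length S must satisfy 32 <= S <= n")

def mgm_encrypt(key, icn, a, p, tag_bits=N):
    """MGM-Encrypt(K, ICN, A, P) -> (C, T)."""
    check_params(icn, a, p, tag_bits)
    c = keystream_xor(key, icn, p)
    return c, mgm_tag(key, icn, a, c, tag_bits // 8)

def mgm_decrypt(key, icn, a, c, t, tag_bits=N):
    """MGM-Decrypt(K, ICN, A, C, T) -> P; raises ValueError("FAIL") on a bad tag."""
    check_params(icn, a, c, tag_bits)
    if not hmac.compare_digest(mgm_tag(key, icn, a, c, tag_bits // 8), t):  # verify, then decrypt
        raise ValueError("FAIL")
    return keystream_xor(key, icn, c)
```

   Feeding the Example 1 and Example 2 inputs below to mgm_encrypt
   yields the C and T values listed there; mgm_decrypt recomputes T
   over A and C before it touches the keystream, so a modified
   ciphertext, associated data or tag results in FAIL without any
   unverified plaintext being released.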
   -------------------------Example 1--------------------------

   Encryption key K:
   00000: FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00
   00010: F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF

   ICN:
   00000: 12 DE F0 6B 3C 13 0A 59

   Associated authenticated data A:
   00000: 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02
   00010: 03 03 03 03 03 03 03 03 04 04 04 04 04 04 04 04
   00020: 05 05 05 05 05 05 05 05 EA

   Plaintext P:
   00000: FF EE DD CC BB AA 99 88 11 22 33 44 55 66 77 00
   00010: 88 99 AA BB CC EE FF 0A 00 11 22 33 44 55 66 77
   00020: 99 AA BB CC EE FF 0A 00 11 22 33 44 55 66 77 88
   00030: AA BB CC EE FF 0A 00 11 22 33 44 55 66 77 88 99
   00040: AA BB CC

   1.  Encryption step:

   0^1 || ICN:
   00000: 12 DE F0 6B 3C 13 0A 59

   Y_1:
   00000: 56 23 89 01 62 DE 31 BF
   E_K(Y_1):
   00000: 38 7B DB A0 E4 34 39 B3

   Y_2:
   00000: 56 23 89 01 62 DE 31 C0
   E_K(Y_2):
   00000: 94 33 00 06 10 F7 F2 AE

   Y_3:
   00000: 56 23 89 01 62 DE 31 C1
   E_K(Y_3):
   00000: 97 B7 AA 6D 73 C5 87 57

   Y_4:
   00000: 56 23 89 01 62 DE 31 C2
   E_K(Y_4):
   00000: 94 15 52 8B FF C9 E8 0A

   Y_5:
   00000: 56 23 89 01 62 DE 31 C3
   E_K(Y_5):
   00000: 03 F7 68 BF F1 82 D6 70

   Y_6:
   00000: 56 23 89 01 62 DE 31 C4
   E_K(Y_6):
   00000: FD 05 F8 4E 9B 09 D2 FE

   Y_7:
   00000: 56 23 89 01 62 DE 31 C5
   E_K(Y_7):
   00000: DA 4D 90 8A 95 B1 75 C4

   Y_8:
   00000: 56 23 89 01 62 DE 31 C6
   E_K(Y_8):
   00000: 65 99 73 96 DA C2 4B D7

   Y_9:
   00000: 56 23 89 01 62 DE 31 C7
   E_K(Y_9):
   00000: A9 00 50 4A 14 8D EE 26

   C:
   00000: C7 95 06 6C 5F 9E A0 3B 85 11 33 42 45 91 85 AE
   00010: 1F 2E 00 D6 BF 2B 78 5D 94 04 70 B8 BB 9C 8E 7D
   00020: 9A 5D D3 73 1F 7D DC 70 EC 27 CB 0A CE 6F A5 76
   00030: 70 F6 5C 64 6A BB 75 D5 47 AA 37 C3 BC B5 C3 4E
   00040: 03 BB 9C

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02
   00010: 03 03 03 03 03 03 03 03 04 04 04 04 04 04 04 04
   00020: 05 05 05 05 05 05 05 05 EA 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: C7 95 06 6C 5F 9E A0 3B 85 11 33 42 45 91 85 AE
   00010: 1F 2E 00 D6 BF 2B 78 5D 94 04 70 B8 BB 9C 8E 7D
   00020: 9A 5D D3 73 1F 7D DC 70 EC 27 CB 0A CE 6F A5 76
   00030: 70 F6 5C 64 6A BB 75 D5 47 AA 37 C3 BC B5 C3 4E
   00040: 03 BB 9C 00 00 00 00 00

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 92 DE F0 6B 3C 13 0A 59

   Z_1:
   00000: 2B 07 3F 04 94 F3 72 A0
   H_1:
   00000: 70 8A 78 19 1C DD 22 AA
   current sum:
   00000: D6 BB 5B EA 81 93 12 62

   Z_2:
   00000: 2B 07 3F 05 94 F3 72 A0
   H_2:
   00000: 6F 02 CC 46 4B 2F A0 A3
   current sum:
   00000: DD 1C 82 4E 91 78 49 A5

   Z_3:
   00000: 2B 07 3F 06 94 F3 72 A0
   H_3:
   00000: 9F 81 F2 26 FD 19 6F 05
   current sum:
   00000: 05 89 22 17 F6 5A DA C7

   Z_4:
   00000: 2B 07 3F 07 94 F3 72 A0
   H_4:
   00000: B9 C2 AC 9B E5 B5 DF F9
   current sum:
   00000: D1 DB 9B 7F C4 9E 7C 97

   Z_5:
   00000: 2B 07 3F 08 94 F3 72 A0
   H_5:
   00000: 74 B5 EC 96 55 1B F8 88
   current sum:
   00000: 56 45 F6 B5 18 5C B7 1A

   Z_6:
   00000: 2B 07 3F 09 94 F3 72 A0
   H_6:
   00000: 7E B0 21 A4 03 5B 04 C3
   current sum:
   00000: 3F C2 C2 E6 FB EE D0 4D

   Z_7:
   00000: 2B 07 3F 0A 94 F3 72 A0
   H_7:
   00000: C2 A9 C3 A8 70 4D 9B B0
   current sum:
   00000: 15 47 1F B5 CD 8E 6C 02

   Z_8:
   00000: 2B 07 3F 0B 94 F3 72 A0
   H_8:
   00000: F5 D5 05 A8 7B 83 83 B5
   current sum:
   00000: 12 56 78 96 1D 40 E0 93

   Z_9:
   00000: 2B 07 3F 0C 94 F3 72 A0
   H_9:
   00000: F7 95 E7 5F DE B8 93 3C
   current sum:
   00000: 6E F4 0A B0 C1 5F 20 48

   Z_10:
   00000: 2B 07 3F 0D 94 F3 72 A0
   H_10:
   00000: 65 A1 A3 E6 80 F0 81 45
   current sum:
   00000: A4 64 A7 08 FF 45 14 22

   Z_11:
   00000: 2B 07 3F 0E 94 F3 72 A0
   H_11:
   00000: 1C 74 A5 76 4C B0 D5 95
   current sum:
   00000: 60 94 4E 05 D0 85 75 14

   Z_12:
   00000: 2B 07 3F 0F 94 F3 72 A0
   H_12:
   00000: DC 84 47 A5 14 E7 83 E7
   current sum:
   00000: EE 98 B9 B5 0F F7 83 E8

   Z_13:
   00000: 2B 07 3F 10 94 F3 72 A0
   H_13:
   00000: A7 E3 AF E0 04 EE 16 E3
   current sum:
   00000: C0 39 0F A2 28 AF 6D CB

   Z_14:
   00000: 2B 07 3F 11 94 F3 72 A0
   H_14:
   00000: A5 AA BB 0B 79 80 D0 71
   current sum:
   00000: 73 E0 6E 07 EF 37 CD CC

   Z_15:
   00000: 2B 07 3F 12 94 F3 72 A0
   H_15:
   00000: 6E 10 4C C9 33 52 5C 5D
   current sum:
   00000: 2F 40 69 0A EB 53 F5 39

   Z_16:
   00000: 2B 07 3F 13 94 F3 72 A0
   H_16:
   00000: 83 11 B6 02 4A A9 66 C1
   len(A) || len(C):
   00000: 00 00 01 48 00 00 02 18
   sum (xor) ( H_16 (x) ( len(A) || len(C) ) ):
   00000: 73 CE F4 4B AE 6B DB 61

   Tag T:
   00000: A7 92 80 69 AA 10 FD 10

   -------------------------Example 2--------------------------

   Encryption key K:
   00000: 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 FE
   00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88

   ICN:
   00000: 00 77 66 55 44 33 22 11

   Associated authenticated data A:
   00000:

   Plaintext P:
   00000: 22 33 44 55 66 77 00 FF

   1.  Encryption step:

   0^1 || ICN:
   00000: 00 77 66 55 44 33 22 11

   Y_1:
   00000: 5B 2A 7E 60 4F 9F BB 95
   E_K(Y_1):
   00000: 48 A6 A5 17 0D 52 9D B1

   C:
   00000: 6A 95 E1 42 6B 25 9D 4E

   2.  Padding step:

   A_1 || ... || A_h:
   00000:

   C_1 || ... || C_q:
   00000: 6A 95 E1 42 6B 25 9D 4E

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 80 77 66 55 44 33 22 11

   Z_1:
   00000: 59 73 54 78 7E 52 E6 EB
   H_1:
   00000: EC E3 F9 DA 11 8C 7D 95
   current sum:
   00000: 25 D0 E4 20 7B 6B F6 3D

   Z_2:
   00000: 59 73 54 79 7E 52 E6 EB
   H_2:
   00000: 31 0C 0D AC C9 D0 4D 93
   len(A) || len(C):
   00000: 00 00 00 00 00 00 00 40
   sum (xor) ( H_2 (x) ( len(A) || len(C) ) ):
   00000: 66 D3 8F 12 0F 78 92 49

   Tag T:
   00000: 33 4E E2 70 45 0B EC 9E

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Alexandra Babueva
      CryptoPro
      babueva@cryptopro.ru

   o  Lilia Akhmetzyanova
      CryptoPro
      lah@cryptopro.ru

   o  Grigory Marshalko
      TC 26
      marshalko_gb@tc26.ru

   o  Vladimir Rudskoy
      TC 26
      rudskoy_vi@tc26.ru

   o  Alexey Nesterenko
      National Research University Higher School of Economics
      anesterenko@hse.ru

   o  Lidia Nikiforova
      CryptoPro
      nikiforova@cryptopro.ru

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru


   Vladislav Nozdrunov
   TC 26

   Email: nozdrunov_vi@tc26.ru


   Vasily Shishkin
   TC 26

   Email: shishkin_va@tc26.ru


   Ekaterina Griboedova
   CryptoPro

   Email: griboedova.e.s@gmail.com