Network Working Group                                  S. Smyshlyaev, Ed.
Internet-Draft                                                  CryptoPro
Intended status: Informational                               V. Nozdrunov
Expires: July 30, 2021                                        V. Shishkin
                                                                    TC 26
                                                            E. Griboedova
                                                                CryptoPro
                                                         January 26, 2021

                     Multilinear Galois Mode (MGM)
                         draft-smyshlyaev-mgm-19

Abstract

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the Encrypt-then-MAC
   (EtM) principle.  MGM is defined for use with 64-bit and 128-bit block
   ciphers.

   MGM has been standardized in Russia.  It is used as an AEAD mode for
   the GOST block cipher algorithms in many protocols, e.g. TLS 1.3 and
   IPsec.
   This document provides a reference for MGM to enable review of the
   mechanisms in use and to make MGM available for use with any block
   cipher.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 30, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Specification
     4.1.  MGM Encryption and Tag Generation Procedure
     4.2.  MGM Decryption and Tag Verification Check Procedure
   5.  Rationale
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  Test Vectors for the Kuznyechik block cipher
     A.2.  Test Vectors for the Magma block cipher
   Appendix B.  Contributors
   Authors' Addresses

1.  Introduction

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the Encrypt-then-MAC
   (EtM) principle.  MGM is defined for use with 64-bit and 128-bit block
   ciphers.  The MGM design principles can easily be applied to other
   block sizes.

   MGM has been standardized in Russia [R1323565.1.026-2019].  It is
   used as an AEAD mode for the GOST block cipher algorithms in many
   protocols, e.g. TLS 1.3 and IPsec.  This document provides a
   reference for MGM to enable review of the mechanisms in use and to
   make MGM available for use with any block cipher.

   This document does not have IETF consensus and does not imply IETF
   support for MGM.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.
3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*       the set of all bit strings of a finite length (hereinafter
            referred to as strings), including the empty string;
            substrings and string components are enumerated from right
            to left starting from zero;

   V_s      the set of all bit strings of length s, where s is a non-
            negative integer.  For s = 0, the set V_0 consists of a
            single empty string;

   |X|      the bit length of the bit string X (if X is an empty string,
            then |X| = 0);

   X || Y   concatenation of strings X and Y both belonging to V*, i.e.,
            a string from V_{|X|+|Y|}, where the left substring from
            V_{|X|} is equal to X, and the right substring from V_{|Y|}
            is equal to Y;

   a^s      the string in V_s that consists of s 'a' bits;

   (xor)    exclusive-or of two bit strings of the same length;

   Z_{2^s}  ring of residues modulo 2^s;

   MSB_i: V_s -> V_i
            the transformation that maps the string X =
            (x_{s-1}, ... , x_0) in V_s into the string MSB_i(X) =
            (x_{s-1}, ... , x_{s-i}) in V_i, i <= s (most significant
            bits);

   Int_s: V_s -> Z_{2^s}
            the transformation that maps the string X =
            (x_{s-1}, ... , x_0) in V_s, s > 0, into the integer Int_s(X)
            = 2^{s-1} * x_{s-1} + ...
            + 2 * x_1 + x_0 (the interpretation of the bit string as an
            integer);

   Vec_s: Z_{2^s} -> V_s
            the transformation inverse to the mapping Int_s (the
            interpretation of an integer as a bit string);

   E_K: V_n -> V_n
            the block cipher permutation under the key K in V_k;

   k        the bit length of the block cipher key;

   n        the block size of the block cipher (in bits);

   len: V_s -> V_{n/2}
            the transformation that maps a string X in V_s,
            0 <= s <= 2^{n/2} - 1, into the string len(X) =
            Vec_{n/2}(|X|) in V_{n/2}, where n is the block size of the
            used block cipher;

   [+]      the addition operation in Z_{2^{n/2}}, where n is the block
            size of the used block cipher;

   (x)      the transformation that maps two strings X = (x_{n-1}, ... ,
            x_0) in V_n and Y = (y_{n-1}, ... , y_0) in V_n into the
            string Z = X (x) Y = (z_{n-1}, ... , z_0) in V_n; the string
            Z corresponds to the polynomial Z(w) = z_{n-1} * w^{n-1} +
            ... + z_1 * w + z_0, which is the product of the polynomials
            X(w) = x_{n-1} * w^{n-1} + ... + x_1 * w + x_0 and Y(w) =
            y_{n-1} * w^{n-1} + ... + y_1 * w + y_0 in the field
            GF(2^n), where n is the block size of the used block cipher;
            if n = 64, then the field polynomial is f(w) = w^64 + w^4 +
            w^3 + w + 1; if n = 128, then the field polynomial is
            f(w) = w^128 + w^7 + w^2 + w + 1;

   incr_l: V_n -> V_n
            the transformation that maps a string L || R, where L, R in
            V_{n/2}, into the string incr_l(L || R) =
            Vec_{n/2}(Int_{n/2}(L) [+] 1) || R;

   incr_r: V_n -> V_n
            the transformation that maps a string L || R, where L, R in
            V_{n/2}, into the string incr_r(L || R) = L ||
            Vec_{n/2}(Int_{n/2}(R) [+] 1).

4.  Specification

   An additional parameter that defines the functioning of Multilinear
   Galois Mode (MGM) is the bit length S of the authentication tag,
   32 <= S <= n.  The value of S MUST be fixed for a particular
   protocol.
   The choice of the value S involves a trade-off between message
   expansion and the forgery probability.

4.1.  MGM Encryption and Tag Generation Procedure

   The MGM encryption and tag generation procedure takes the following
   parameters as inputs:

   1.  Encryption key K in V_k.

   2.  Initial counter nonce ICN in V_{n-1}.

   3.  Associated authenticated data A, 0 <= |A| < 2^{n/2}.  If |A| > 0,
       then A = A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1,
       A*_h in V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is
       empty, and the h and t parameters are set as follows: h = 0,
       t = n.  The associated data is authenticated but is not
       encrypted.

   4.  Plaintext P, 0 <= |P| < 2^{n/2}.  If |P| > 0, then P = P_1 ||
       ... || P*_q, P_i in V_n, for i = 1, ... , q - 1, P*_q in V_u,
       1 <= u <= n.  If |P| = 0, then by definition P*_q is empty, and
       the q and u parameters are set as follows: q = 0, u = n.

   The MGM encryption and tag generation procedure outputs the following
   parameters:

   1.  Initial counter nonce ICN.

   2.  Associated authenticated data A.

   3.  Ciphertext C in V_{|P|}.

   4.  Authentication tag T in V_S.

   The MGM encryption and tag generation procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Encrypt(K, ICN, A, P)                                      |
   |----------------------------------------------------------------|
   | 1. Encryption step:                                            |
   |    - if |P| = 0 then                                           |
   |        - C*_q = P*_q                                           |
   |        - C = P                                                 |
   |    - else                                                      |
   |        - Y_1 = E_K(0^1 || ICN),                                |
   |        - For i = 2, 3, ... , q do                              |
   |              Y_i = incr_r(Y_{i-1}),                            |
   |        - For i = 1, 2, ... , q - 1 do                          |
   |              C_i = P_i (xor) E_K(Y_i),                         |
   |        - C*_q = P*_q (xor) MSB_u(E_K(Y_q)),                    |
   |        - C = C_1 || ... || C*_q.                               |
   |                                                                |
   | 2. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 3. Authentication tag T generation step:                       |
   |    - Z_1 = E_K(1^1 || ICN),                                    |
   |    - sum = 0,                                                  |
   |    - For i = 1, 2, ..., h do                                   |
   |          H_i = E_K(Z_i),                                       |
   |          sum = sum (xor) ( H_i (x) A_i ),                      |
   |          Z_{i+1} = incr_l(Z_i),                                |
   |    - For j = 1, 2, ..., q do                                   |
   |          H_{h+j} = E_K(Z_{h+j}),                               |
   |          sum = sum (xor) ( H_{h+j} (x) C_j ),                  |
   |          Z_{h+j+1} = incr_l(Z_{h+j}),                          |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T = MSB_S(E_K(sum (xor) ( H_{h+q+1} (x)                   |
   |                   ( len(A) || len(C) ) ))).                    |
   |                                                                |
   | 4. Return (ICN, A, C, T).                                      |
   +----------------------------------------------------------------+

   The ICN value for each message that is encrypted under the given key
   K must be chosen in a unique manner.

   Users who do not wish to encrypt plaintext can provide a string P of
   zero length.  Users who do not wish to authenticate associated data
   can provide a string A of zero length.  The length of the associated
   data A and of the plaintext P MUST be such that 0 < |A| + |P| <
   2^{n/2}.

4.2.  MGM Decryption and Tag Verification Check Procedure

   The MGM decryption and tag verification procedure takes the following
   parameters as inputs:

   1.  The encryption key K in V_k.

   2.  The initial counter nonce ICN in V_{n-1}.

   3.  The associated authenticated data A, 0 <= |A| < 2^{n/2}.  A =
       A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1, A*_h in
       V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is empty,
       and the h and t parameters are set as follows: h = 0, t = n.  The
       associated data is authenticated but is not encrypted.

   4.  The ciphertext C, 0 <= |C| < 2^{n/2}.  C = C_1 || ... || C*_q, C_i
       in V_n, for i = 1, ... , q - 1, C*_q in V_u, 1 <= u <= n.  If |C|
       = 0, then by definition C*_q is empty, and the q and u parameters
       are set as follows: q = 0, u = n.

   5.  The authentication tag T in V_S.

   The MGM decryption and tag verification procedure outputs FAIL or the
   following parameters:
   1.  Associated authenticated data A.

   2.  Plaintext P in V_{|C|}.

   The MGM decryption and tag verification procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Decrypt(K, ICN, A, C, T)                                   |
   |----------------------------------------------------------------|
   | 1. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 2. Authentication tag T verification step:                     |
   |    - Z_1 = E_K(1^1 || ICN),                                    |
   |    - sum = 0,                                                  |
   |    - For i = 1, 2, ..., h do                                   |
   |          H_i = E_K(Z_i),                                       |
   |          sum = sum (xor) ( H_i (x) A_i ),                      |
   |          Z_{i+1} = incr_l(Z_i),                                |
   |    - For j = 1, 2, ..., q do                                   |
   |          H_{h+j} = E_K(Z_{h+j}),                               |
   |          sum = sum (xor) ( H_{h+j} (x) C_j ),                  |
   |          Z_{h+j+1} = incr_l(Z_{h+j}),                          |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T' = MSB_S(E_K(sum (xor) ( H_{h+q+1} (x)                  |
   |                   ( len(A) || len(C) ) ))),                    |
   |    - If T' != T then return FAIL.                              |
   |                                                                |
   | 3. Decryption step:                                            |
   |    - if |C| = 0 then                                           |
   |        - P = C                                                 |
   |    - else                                                      |
   |        - Y_1 = E_K(0^1 || ICN),                                |
   |        - For i = 2, 3, ... , q do                              |
   |              Y_i = incr_r(Y_{i-1}),                            |
   |        - For i = 1, 2, ... , q - 1 do                          |
   |              P_i = C_i (xor) E_K(Y_i),                         |
   |        - P*_q = C*_q (xor) MSB_u(E_K(Y_q)),                    |
   |        - P = P_1 || ... || P*_q.                               |
   |                                                                |
   | 4. Return (A, P).                                              |
   +----------------------------------------------------------------+

   The length of the associated data A and of the ciphertext C MUST be
   such that 0 < |A| + |C| < 2^{n/2}.

5.  Rationale

   The MGM was originally proposed in [PDMODE].

   From the operational point of view the MGM is designed to be
   parallelizable, inverse free, online and to provide availability of
   precomputations.

   Parallelizability of the MGM is achieved due to its counter-type
   structure and the usage of the multilinear function for
   authentication.
   Indeed, both encryption blocks E_K(Y_i) and authentication blocks
   H_i are produced in the counter mode manner, and the multilinear
   function determined by H_i is parallelizable in itself.
   Additionally, the counter-type structure of the mode provides the
   inverse free property.

   The online property means that a message can be processed even if it
   has not been completely received (so its length is unknown).  To
   provide this property the MGM uses blocks E_K(Y_i) and H_i, which
   are produced from two independent source blocks Y_i and Z_i.

   Availability of precomputations for the MGM means that H_i and
   E_K(Y_i) can be calculated even before data is retrieved.  This
   holds, again, because both are computed from counters.

6.  Security Considerations

   The security properties of the MGM are based on the following:

   o  Different functions generating the counter values:
      The functions incr_r and incr_l are chosen to minimize
      intersection (if it happens) of counter values Y_i and Z_i.

   o  Encryption of the multilinear function output:
      It makes it possible to resist attacks based on padding and linear
      properties (see [Ferg05] for details).

   o  Multilinear function for authentication:
      It makes it possible to resist the small subgroup attacks
      [Saar12].

   o  Encryption of the nonces (0^1 || ICN) and (1^1 || ICN):
      The use of this encryption minimizes the number of plaintext/
      ciphertext pairs of blocks known to an adversary.  It makes it
      possible to resist attacks that need a substantial amount of such
      material (e.g., linear and differential cryptanalysis, side-
      channel attacks).

   It is crucial to the security of MGM to use unique ICN values.  Using
   the same ICN value for two different messages encrypted with the
   same key eliminates the security properties of this mode.

   Security analysis for MGM with E_K being a random permutation was
   performed in [SecMGM].
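   The procedures of Sections 4.1 and 4.2, together with the Section 3
   primitives ((x), incr_l, incr_r and len), as an added example in
   Python; this is not code from the draft or from its authors.  It
   assumes byte-aligned A and P, a tag size S that is a multiple of 8,
   and an ICN passed as an n-bit block whose leading bit is 0 (the
   0^1 || ICN block shown in Appendix A).  Kuznyechik and Magma are not
   implemented, so make_placeholder_cipher, a constructed Feistel
   permutation, stands in for E_K; all function names are mine.  The
   counter, len and (x) values in Appendix A can be checked against the
   primitives directly (in the Magma Example 2 the first "current sum"
   equals H_1 (x) C_1, and the next step adds H_2 (x) (len(A) ||
   len(C))), while reproducing the ciphertexts and tags there needs the
   real GOST ciphers.

```python
# Added example (not code from draft-smyshlyaev-mgm-19 or its authors): MGM as
# in Sections 3, 4.1 and 4.2, for byte-aligned A and P and S a multiple of 8.
# E_K may be any n-bit block function; Kuznyechik and Magma are not implemented,
# so a constructed placeholder permutation (below) stands in for them.
import hashlib
import hmac

# Section 3 field polynomials with the w^n term dropped:
# n = 64: w^64 + w^4 + w^3 + w + 1,   n = 128: w^128 + w^7 + w^2 + w + 1
FIELD_POLY = {64: 0b11011, 128: 0b10000111}

def gf_mul(x, y, n):
    """The (x) operation: product in GF(2^n).  Bit i of an n-bit string is
    the coefficient of w^i, so x_0 is the rightmost bit as in Section 3."""
    poly, mask, z = FIELD_POLY[n], (1 << n) - 1, 0
    for _ in range(n):
        if y & 1:
            z ^= x
        y >>= 1
        carry = x >> (n - 1)                             # coefficient of w^(n-1)
        x = ((x << 1) & mask) ^ (poly if carry else 0)   # x = x * w mod f(w)
    return z

def gf_pow(x, e, n):
    """x^e in GF(2^n); x^(2^n - 1) == 1 for x != 0 when f(w) really gives a field."""
    r = 1
    while e:
        r, x, e = (gf_mul(r, x, n) if e & 1 else r), gf_mul(x, x, n), e >> 1
    return r

def incr_l(b):
    """incr_l(L || R) = Vec(Int(L) [+] 1) || R, with [+] modulo 2^(n/2)."""
    h = len(b) // 2
    return ((int.from_bytes(b[:h], "big") + 1) % (1 << 8 * h)).to_bytes(h, "big") + b[h:]

def incr_r(b):
    """incr_r(L || R) = L || Vec(Int(R) [+] 1), with [+] modulo 2^(n/2)."""
    h = len(b) // 2
    return b[:h] + ((int.from_bytes(b[h:], "big") + 1) % (1 << 8 * h)).to_bytes(h, "big")

def len_enc(data, n):
    """len(X) = Vec_{n/2}(|X|): the bit length of X as an n/2-bit string."""
    return (8 * len(data)).to_bytes(n // 16, "big")

def make_placeholder_cipher(key, n):
    """Constructed stand-in for E_K: a 4-round Feistel permutation on n-bit
    blocks with a SHA-256 round function.  Neither Kuznyechik, Magma nor a
    secure cipher; it only lets the mode run offline."""
    h = n // 16
    def E(block):
        L, R = block[:h], block[h:]
        for r in range(4):
            f = hashlib.sha256(key + bytes([r]) + R).digest()[:h]
            L, R = R, bytes(a ^ b for a, b in zip(L, f))
        return L + R
    return E

def _check(n, S, icn, A, data):
    """Parameter limits from Sections 4 and 4.1; ICN is given as n bits with
    the top bit clear, i.e. exactly the 0^1 || ICN block of Appendix A."""
    if S % 8 or not 32 <= S <= n or len(icn) != n // 8 or icn[0] & 0x80:
        raise ValueError("need 32 <= S <= n, S % 8 == 0 and an (n-1)-bit ICN")
    if not 0 < 8 * (len(A) + len(data)) < (1 << (n // 2)):
        raise ValueError("need 0 < |A| + |P| < 2^(n/2)")

def _blocks(data, nb):
    return [data[i:i + nb] for i in range(0, len(data), nb)]

def _tag(E, n, S, icn, A, C):
    """Padding step and tag generation step (Section 4.1, steps 2 and 3)."""
    nb = n // 8
    Z = E(bytes([icn[0] | 0x80]) + icn[1:])           # Z_1 = E_K(1^1 || ICN)
    acc = 0                                            # sum = 0
    for blk in _blocks(A, nb) + _blocks(C, nb):        # A_1..A_h, then C_1..C_q
        blk = blk.ljust(nb, b"\x00")                   # A*_h || 0^(n-t), C*_q || 0^(n-u)
        acc ^= gf_mul(int.from_bytes(E(Z), "big"),     # H_i = E_K(Z_i)
                      int.from_bytes(blk, "big"), n)   # sum = sum (xor) (H_i (x) block)
        Z = incr_l(Z)                                  # Z_{i+1} = incr_l(Z_i)
    lens = int.from_bytes(len_enc(A, n) + len_enc(C, n), "big")
    acc ^= gf_mul(int.from_bytes(E(Z), "big"), lens, n)   # H_{h+q+1} (x) (len(A) || len(C))
    return E(acc.to_bytes(nb, "big"))[:S // 8]         # T = MSB_S(E_K(sum))

def _ctr(E, n, icn, data):
    """Counter-mode step (Section 4.1 step 1 and Section 4.2 step 3)."""
    out, Y = bytearray(), E(icn)                       # Y_1 = E_K(0^1 || ICN)
    for blk in _blocks(data, n // 8):
        out += bytes(a ^ b for a, b in zip(blk, E(Y)))  # zip truncates: MSB_u on the last block
        Y = incr_r(Y)                                  # Y_{i+1} = incr_r(Y_i)
    return bytes(out)

def mgm_encrypt(E, n, S, icn, A, P):
    """MGM-Encrypt(K, ICN, A, P) -> (C, T)."""
    _check(n, S, icn, A, P)
    C = _ctr(E, n, icn, P)
    return C, _tag(E, n, S, icn, A, C)

def mgm_decrypt(E, n, S, icn, A, C, T):
    """MGM-Decrypt(K, ICN, A, C, T) -> P, or None for FAIL.  The tag is
    compared in constant time before any plaintext is produced."""
    _check(n, S, icn, A, C)
    if not hmac.compare_digest(_tag(E, n, S, icn, A, C), T):
        return None
    return _ctr(E, n, icn, C)
```

   mgm_decrypt keeps the step order of Section 4.2: the tag is
   recomputed and compared before any counter-mode decryption happens,
   and FAIL is reported as None rather than as partial plaintext.  The
   checks in _check enforce 32 <= S <= n and 0 < |A| + |P| < 2^{n/2}
   from Sections 4 and 4.1; the ICN-uniqueness requirement cannot be
   checked inside the mode and has to be enforced by the caller's nonce
   management.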
   More precisely, the bounds for the confidentiality advantage (CA) and
   the integrity advantage (IA) (for details see
   [I-D.irtf-cfrg-aead-limits]) were obtained.  According to these
   results, for an adversary making at most q encryption queries with
   the total length of plaintexts and associated data of at most s
   blocks and allowed to output a forgery with the total length of
   ciphertext and associated data of at most l blocks:

      CA <= ( 3( s + 4q )^2 ) / 2^n,

      IA <= ( 3( s + 4q + l + 3 )^2 ) / 2^n + 2/2^S,

   where n is the block size and S is the authentication tag size.

   These bounds can be used as guidelines on how to calculate
   confidentiality and integrity limits (for details also see
   [I-D.irtf-cfrg-aead-limits]).

7.  IANA Considerations

   This document does not require any IANA actions.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8891]  Dolmatov, V., Ed. and D. Baryshkov, "GOST R 34.12-2015:
              Block Cipher "Magma"", RFC 8891, DOI 10.17487/RFC8891,
              September 2020.

8.2.  Informative References

   [Ferg05]   Ferguson, N., "Authentication weaknesses in GCM", 2005.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [I-D.irtf-cfrg-aead-limits]
              Guenther, F., Thomson, M., and C. Wood, "Usage Limits on
              AEAD Algorithms", draft-irtf-cfrg-aead-limits-01 (work in
              progress), September 2020.
   [PDMODE]   Nozdrunov, V., "Parallel and double block cipher mode of
              operation (PD-mode) for authenticated encryption", CTCrypt
              2017 proceedings, pp. 36-45, 2017.

   [R1323565.1.026-2019]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Authenticated encryption block cipher operation modes",
              R 1323565.1.026-2019, 2019.

   [Saar12]   Saarinen, O., "Cycling Attacks on GCM, GHASH and Other
              Polynomial MACs and Hashes", FSE 2012 proceedings,
              pp. 216-225, 2012.

   [SecMGM]   Akhmetzyanova, L., Alekseev, E., Karpunin, G., and V.
              Nozdrunov, "Security of Multilinear Galois Mode (MGM)",
              IACR Cryptology ePrint Archive 2019, p. 123, 2019.

Appendix A.  Test Vectors

A.1.  Test Vectors for the Kuznyechik block cipher

   Test vectors for the Kuznyechik block cipher (n = 128, k = 256)
   defined in [GOST3412-2015] (the English version can be found in
   [RFC7801]).

   -------------------------Example 1--------------------------

   Encryption key K:
   00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Associated authenticated data A:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05

   Plaintext P:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040: AA BB CC
   1.  Encryption step:

   0^1 || ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Y_1:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CD
   E_K(Y_1):
   00000: B8 57 48 C5 12 F3 19 90 AA 56 7E F1 53 35 DB 74

   Y_2:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CE
   E_K(Y_2):
   00000: 80 64 F0 12 6F AC 9B 2C 5B 6E AC 21 61 2F 94 33

   Y_3:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CF
   E_K(Y_3):
   00000: 58 58 82 1D 40 C0 CD 0D 0A C1 E6 C2 47 09 8F 1C

   Y_4:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D0
   E_K(Y_4):
   00000: E4 3F 50 81 B5 8F 0B 49 01 2F 8E E8 6A CD 6D FA

   Y_5:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D1
   E_K(Y_5):
   00000: 86 CE 9E 2A 0A 12 25 E3 33 56 91 B2 0D 5A 33 48

   C:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52 00 00 00 00 00 00 00 00 00 00 00 00 00
   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Z_1:
   00000: 7F C2 45 A8 58 6E 66 02 A7 BB DB 27 86 BD C6 6F
   H_1:
   00000: 8D B1 87 D6 53 83 0E A4 BC 44 64 76 95 2C 30 0B
   current sum:
   00000: 4C F4 27 F4 AD B7 5C F4 C0 DA 39 D5 AB 48 CF 38

   Z_2:
   00000: 7F C2 45 A8 58 6E 66 03 A7 BB DB 27 86 BD C6 6F
   H_2:
   00000: 7A 24 F7 26 30 E3 76 37 21 C8 F3 CD B1 DA 0E 31
   current sum:
   00000: 94 95 44 0E F6 24 A1 DD C6 F5 D9 77 28 50 C5 73

   Z_3:
   00000: 7F C2 45 A8 58 6E 66 04 A7 BB DB 27 86 BD C6 6F
   H_3:
   00000: 44 11 96 21 17 D2 06 35 C5 25 E0 A2 4D B4 B9 0A
   current sum:
   00000: A4 9A 8C D8 A6 F2 74 23 DB 79 E4 4A B3 06 D9 42

   Z_4:
   00000: 7F C2 45 A8 58 6E 66 05 A7 BB DB 27 86 BD C6 6F
   H_4:
   00000: D8 C9 62 3C 4D BF E8 14 CE 7C 1C 0C EA A9 59 DB
   current sum:
   00000: 09 FE 3F 6A 83 3C 21 B3 90 27 D0 20 6A 84 E1 5A

   Z_5:
   00000: 7F C2 45 A8 58 6E 66 06 A7 BB DB 27 86 BD C6 6F
   H_5:
   00000: A5 E1 F1 95 33 3E 14 82 96 99 31 BF BE 6D FD 43
   current sum:
   00000: B5 DA 26 BB 00 EB A8 04 35 D7 97 6B C6 B5 46 4D

   Z_6:
   00000: 7F C2 45 A8 58 6E 66 07 A7 BB DB 27 86 BD C6 6F
   H_6:
   00000: B4 CA 80 8C AC CF B3 F9 17 24 E4 8A 2C 7E E9 D2
   current sum:
   00000: DD 1C 0E EE F7 83 C8 EB 2A 33 F3 58 D7 23 0E E5

   Z_7:
   00000: 7F C2 45 A8 58 6E 66 08 A7 BB DB 27 86 BD C6 6F
   H_7:
   00000: 72 90 8F C0 74 E4 69 E8 90 1B D1 88 EA 91 C3 31
   current sum:
   00000: 89 6C E1 08 32 EB EA F9 06 9F 3F 73 76 59 4D 40

   Z_8:
   00000: 7F C2 45 A8 58 6E 66 09 A7 BB DB 27 86 BD C6 6F
   H_8:
   00000: 23 CA 27 15 B0 2C 68 31 3B FD AC B3 9E 4D 0F B8
   current sum:
   00000: 99 1A F5 C9 D0 80 F7 63 87 FE 64 9E 7C 93 C6 42

   Z_9:
   00000: 7F C2 45 A8 58 6E 66 0A A7 BB DB 27 86 BD C6 6F
   H_9:
   00000: BC BC E6 C4 1A A3 55 A4 14 88 62 BF 64 BD 83 0D
   len(A) || len(C):
   00000: 00 00 00 00 00 00 01
          48 00 00 00 00 00 00 02 18
   sum (xor) ( H_9 (x) ( len(A) || len(C) ) ):
   00000: C0 C7 22 DB 5E 0B D6 DB 25 76 73 83 3D 56 71 28

   Tag T:
   00000: CF 5D 65 6F 40 C3 4F 5C 46 E8 BB 0E 29 FC DB 4C

   -------------------------Example 2--------------------------

   Encryption key K:
   00000: 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 FE
   00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88

   ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Associated authenticated data A:
   00000: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01

   Plaintext P:
   00000:

   1.  Encryption step:

   C:
   00000:

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01

   C_1 || ... || C_q:
   00000:

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Z_1:
   00000: 79 32 72 68 96 C4 3E 3F BF D6 50 89 EB F1 E5 B6
   H_1:
   00000: 99 3A 80 66 CC C0 A4 0F AC 4A 14 F7 A2 F6 6D 9B
   current sum:
   00000: 0A C1 1E 2C 1C D6 07 D8 2F E3 55 54 B4 01 02 81

   Z_2:
   00000: 79 32 72 68 96 C4 3E 40 BF D6 50 89 EB F1 E5 B6
   H_2:
   00000: 0C 38 A7 1E E7 93 BF 76 89 81 BF CD 7C DA 78 C8
   len(A) || len(C):
   00000: 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00
   sum (xor) ( H_2 (x) ( len(A) || len(C) ) ):
   00000: CA 1E F8 92 71 EA 60 C4 53 9E 40 EB 26 C2 80 5D

   Tag T:
   00000: 79 01 E9 EA 20 85 CD 24 7E D2 49 69 5F 9F 8A 85

A.2.  Test Vectors for the Magma block cipher

   Test vectors for the Magma block cipher (n = 64, k = 256) defined in
   [GOST3412-2015] (the English version can be found in [RFC8891]).
   -------------------------Example 1--------------------------

   Encryption key K:
   00000: FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00
   00010: F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF

   ICN:
   00000: 12 DE F0 6B 3C 13 0A 59

   Associated authenticated data A:
   00000: 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02
   00010: 03 03 03 03 03 03 03 03 04 04 04 04 04 04 04 04
   00020: 05 05 05 05 05 05 05 05 EA

   Plaintext P:
   00000: FF EE DD CC BB AA 99 88 11 22 33 44 55 66 77 00
   00010: 88 99 AA BB CC EE FF 0A 00 11 22 33 44 55 66 77
   00020: 99 AA BB CC EE FF 0A 00 11 22 33 44 55 66 77 88
   00030: AA BB CC EE FF 0A 00 11 22 33 44 55 66 77 88 99
   00040: AA BB CC

   1.  Encryption step:

   0^1 || ICN:
   00000: 12 DE F0 6B 3C 13 0A 59

   Y_1:
   00000: 56 23 89 01 62 DE 31 BF
   E_K(Y_1):
   00000: 38 7B DB A0 E4 34 39 B3

   Y_2:
   00000: 56 23 89 01 62 DE 31 C0
   E_K(Y_2):
   00000: 94 33 00 06 10 F7 F2 AE

   Y_3:
   00000: 56 23 89 01 62 DE 31 C1
   E_K(Y_3):
   00000: 97 B7 AA 6D 73 C5 87 57

   Y_4:
   00000: 56 23 89 01 62 DE 31 C2
   E_K(Y_4):
   00000: 94 15 52 8B FF C9 E8 0A

   Y_5:
   00000: 56 23 89 01 62 DE 31 C3
   E_K(Y_5):
   00000: 03 F7 68 BF F1 82 D6 70

   Y_6:
   00000: 56 23 89 01 62 DE 31 C4
   E_K(Y_6):
   00000: FD 05 F8 4E 9B 09 D2 FE

   Y_7:
   00000: 56 23 89 01 62 DE 31 C5
   E_K(Y_7):
   00000: DA 4D 90 8A 95 B1 75 C4

   Y_8:
   00000: 56 23 89 01 62 DE 31 C6
   E_K(Y_8):
   00000: 65 99 73 96 DA C2 4B D7

   Y_9:
   00000: 56 23 89 01 62 DE 31 C7
   E_K(Y_9):
   00000: A9 00 50 4A 14 8D EE 26

   C:
   00000: C7 95 06 6C 5F 9E A0 3B 85 11 33 42 45 91 85 AE
   00010: 1F 2E 00 D6 BF 2B 78 5D 94 04 70 B8 BB 9C 8E 7D
   00020: 9A 5D D3 73 1F 7D DC 70 EC 27 CB 0A CE 6F A5 76
   00030: 70 F6 5C 64 6A BB 75 D5 47 AA 37 C3 BC B5 C3 4E
   00040: 03 BB 9C

   2.  Padding step:

   A_1 || ... || A_h:
   00000: 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02
   00010: 03 03 03 03 03 03 03 03 04 04 04 04 04 04 04 04
   00020: 05 05 05 05 05 05 05 05 EA 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: C7 95 06 6C 5F 9E A0 3B 85 11 33 42 45 91 85 AE
   00010: 1F 2E 00 D6 BF 2B 78 5D 94 04 70 B8 BB 9C 8E 7D
   00020: 9A 5D D3 73 1F 7D DC 70 EC 27 CB 0A CE 6F A5 76
   00030: 70 F6 5C 64 6A BB 75 D5 47 AA 37 C3 BC B5 C3 4E
   00040: 03 BB 9C 00 00 00 00 00

   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 92 DE F0 6B 3C 13 0A 59

   Z_1:
   00000: 2B 07 3F 04 94 F3 72 A0
   H_1:
   00000: 70 8A 78 19 1C DD 22 AA
   current sum:
   00000: D6 BB 5B EA 81 93 12 62

   Z_2:
   00000: 2B 07 3F 05 94 F3 72 A0
   H_2:
   00000: 6F 02 CC 46 4B 2F A0 A3
   current sum:
   00000: DD 1C 82 4E 91 78 49 A5

   Z_3:
   00000: 2B 07 3F 06 94 F3 72 A0
   H_3:
   00000: 9F 81 F2 26 FD 19 6F 05
   current sum:
   00000: 05 89 22 17 F6 5A DA C7

   Z_4:
   00000: 2B 07 3F 07 94 F3 72 A0
   H_4:
   00000: B9 C2 AC 9B E5 B5 DF F9
   current sum:
   00000: D1 DB 9B 7F C4 9E 7C 97

   Z_5:
   00000: 2B 07 3F 08 94 F3 72 A0
   H_5:
   00000: 74 B5 EC 96 55 1B F8 88
   current sum:
   00000: 56 45 F6 B5 18 5C B7 1A

   Z_6:
   00000: 2B 07 3F 09 94 F3 72 A0
   H_6:
   00000: 7E B0 21 A4 03 5B 04 C3
   current sum:
   00000: 3F C2 C2 E6 FB EE D0 4D

   Z_7:
   00000: 2B 07 3F 0A 94 F3 72 A0
   H_7:
   00000: C2 A9 C3 A8 70 4D 9B B0
   current sum:
   00000: 15 47 1F B5 CD 8E 6C 02

   Z_8:
   00000: 2B 07 3F 0B 94 F3 72 A0
   H_8:
   00000: F5 D5 05 A8 7B 83 83 B5
   current sum:
   00000: 12 56 78 96 1D 40 E0 93

   Z_9:
   00000: 2B 07 3F 0C 94 F3 72 A0
   H_9:
   00000: F7 95 E7 5F DE B8 93 3C
   current sum:
   00000: 6E F4 0A B0 C1 5F 20 48

   Z_10:
   00000: 2B 07 3F 0D 94 F3 72 A0
   H_10:
   00000: 65 A1 A3 E6 80 F0 81 45
   current sum:
   00000: A4 64 A7 08 FF 45 14 22

   Z_11:
   00000: 2B 07 3F 0E 94 F3 72 A0
   H_11:
   00000: 1C 74 A5 76 4C B0 D5 95
   current sum:
   00000: 60 94 4E 05 D0 85 75 14

   Z_12:
   00000: 2B 07 3F 0F 94 F3 72 A0
   H_12:
   00000: DC 84 47 A5 14 E7 83 E7
   current sum:
   00000: EE 98 B9 B5 0F F7 83 E8

   Z_13:
   00000: 2B 07 3F 10 94 F3 72 A0
   H_13:
   00000: A7 E3 AF E0 04 EE 16 E3
   current sum:
   00000: C0 39 0F A2 28 AF 6D CB

   Z_14:
   00000: 2B 07 3F 11 94 F3 72 A0
   H_14:
   00000: A5 AA BB 0B 79 80 D0 71
   current sum:
   00000: 73 E0 6E 07 EF 37 CD CC

   Z_15:
   00000: 2B 07 3F 12 94 F3 72 A0
   H_15:
   00000: 6E 10 4C C9 33 52 5C 5D
   current sum:
   00000: 2F 40 69 0A EB 53 F5 39

   Z_16:
   00000: 2B 07 3F 13 94 F3 72 A0
   H_16:
   00000: 83 11 B6 02 4A A9 66 C1
   len(A) || len(C):
   00000: 00 00 01 48 00 00 02 18
   sum (xor) ( H_16 (x) ( len(A) || len(C) ) ):
   00000: 73 CE F4 4B AE 6B DB 61

   Tag T:
   00000: A7 92 80 69 AA 10 FD 10

   -------------------------Example 2--------------------------

   Encryption key K:
   00000: 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 FE
   00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88

   ICN:
   00000: 00 77 66 55 44 33 22 11

   Associated authenticated data A:
   00000:

   Plaintext P:
   00000: 22 33 44 55 66 77 00 FF

   1.  Encryption step:

   0^1 || ICN:
   00000: 00 77 66 55 44 33 22 11

   Y_1:
   00000: 5B 2A 7E 60 4F 9F BB 95
   E_K(Y_1):
   00000: 48 A6 A5 17 0D 52 9D B1

   C:
   00000: 6A 95 E1 42 6B 25 9D 4E

   2.  Padding step:

   A_1 || ... || A_h:
   00000:

   C_1 || ... || C_q:
   00000: 6A 95 E1 42 6B 25 9D 4E
   3.  Authentication tag T generation step:

   1^1 || ICN:
   00000: 80 77 66 55 44 33 22 11

   Z_1:
   00000: 59 73 54 78 7E 52 E6 EB
   H_1:
   00000: EC E3 F9 DA 11 8C 7D 95
   current sum:
   00000: 25 D0 E4 20 7B 6B F6 3D

   Z_2:
   00000: 59 73 54 79 7E 52 E6 EB
   H_2:
   00000: 31 0C 0D AC C9 D0 4D 93
   len(A) || len(C):
   00000: 00 00 00 00 00 00 00 40
   sum (xor) ( H_2 (x) ( len(A) || len(C) ) ):
   00000: 66 D3 8F 12 0F 78 92 49

   Tag T:
   00000: 33 4E E2 70 45 0B EC 9E

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Alexandra Babueva
      CryptoPro
      babueva@cryptopro.ru

   o  Lilia Akhmetzyanova
      CryptoPro
      lah@cryptopro.ru

   o  Grigory Marshalko
      TC 26
      marshalko_gb@tc26.ru

   o  Vladimir Rudskoy
      TC 26
      rudskoy_vi@tc26.ru

   o  Alexey Nesterenko
      National Research University Higher School of Economics
      anesterenko@hse.ru

   o  Lidia Nikiforova
      CryptoPro
      nikiforova@cryptopro.ru

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru


   Vladislav Nozdrunov
   TC 26

   Email: nozdrunov_vi@tc26.ru


   Vasily Shishkin
   TC 26

   Email: shishkin_va@tc26.ru


   Ekaterina Griboedova
   CryptoPro

   Email: griboedovaekaterina@gmail.com