Network Working Group                                   S. Smyshlyaev, Ed.
Internet-Draft                                                   CryptoPro
Intended status: Informational                                V. Nozdrunov
Expires: October 14, 2021                                      V. Shishkin
                                                                     TC 26
                                                             E. Griboedova
                                                                 CryptoPro
                                                            April 12, 2021

                      Multilinear Galois Mode (MGM)
                         draft-smyshlyaev-mgm-20

Abstract

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the EtM principle.
   MGM is defined for use with 64-bit and 128-bit block ciphers.

   MGM has been standardized in Russia.  It is used as an AEAD mode for
   the GOST block cipher algorithms in many protocols, e.g. TLS 1.3 and
   IPsec.
   This document provides a reference for MGM to enable review of the
   mechanisms in use and to make MGM available for use with any block
   cipher.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 14, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Conventions Used in This Document
   3.  Basic Terms and Definitions
   4.  Specification
     4.1.  MGM Encryption and Tag Generation Procedure
     4.2.  MGM Decryption and Tag Verification Check Procedure
   5.  Rationale
   6.  Security Considerations
   7.  IANA Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  Test Vectors for the Kuznyechik block cipher
     A.2.  Test Vectors for the Magma block cipher
   Appendix B.  Contributors
   Authors' Addresses

1.  Introduction

   Multilinear Galois Mode (MGM) is an authenticated encryption with
   associated data (AEAD) block cipher mode based on the EtM principle.
   MGM is defined for use with 64-bit and 128-bit block ciphers.  The
   MGM design principles can easily be applied to other block sizes.

   MGM has been standardized in Russia [R1323565.1.026-2019].  It is
   used as an AEAD mode for the GOST block cipher algorithms in many
   protocols, e.g. TLS 1.3 and IPsec.  This document provides a
   reference for MGM to enable review of the mechanisms in use and to
   make MGM available for use with any block cipher.

   This document does not have IETF consensus and does not imply IETF
   support for MGM.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  Basic Terms and Definitions

   This document uses the following terms and definitions for the sets
   and operations on the elements of these sets:

   V*        the set of all bit strings of a finite length (hereinafter
             referred to as strings), including the empty string;
             substrings and string components are enumerated from right
             to left starting from zero;

   V_s       the set of all bit strings of length s, where s is a non-
             negative integer.  For s = 0, V_0 consists of a single
             empty string;

   |X|       the bit length of the bit string X (if X is an empty
             string, then |X| = 0);

   X || Y    concatenation of strings X and Y both belonging to V*,
             i.e., a string from V_{|X|+|Y|}, where the left substring
             from V_{|X|} is equal to X, and the right substring from
             V_{|Y|} is equal to Y;

   a^s       the string in V_s that consists of s 'a' bits;

   (xor)     exclusive-or of two bit strings of the same length;

   Z_{2^s}   ring of residues modulo 2^s;

   MSB_i: V_s -> V_i
             the transformation that maps the string X = (x_{s-1}, ... ,
             x_0) in V_s into the string MSB_i(X) = (x_{s-1}, ... ,
             x_{s-i}) in V_i, i <= s (most significant bits);

   Int_s: V_s -> Z_{2^s}
             the transformation that maps the string X = (x_{s-1}, ... ,
             x_0) in V_s, s > 0, into the integer Int_s(X) = 2^{s-1} *
             x_{s-1} + ... + 2 * x_1 + x_0 (the interpretation of the
             bit string as an integer);

   Vec_s: Z_{2^s} -> V_s
             the transformation inverse to the mapping Int_s (the
             interpretation of an integer as a bit string);

   E_K: V_n -> V_n
             the block cipher permutation under the key K in V_k;

   k         the bit length of the block cipher key;

   n         the block size of the block cipher (in bits);

   len: V_s -> V_{n/2}
             the transformation that maps a string X in V_s,
             0 <= s <= 2^{n/2} - 1, into the string len(X) =
             Vec_{n/2}(|X|) in V_{n/2}, where n is the block size of the
             used block cipher;

   [+]       the addition operation in Z_{2^{n/2}}, where n is the block
             size of the used block cipher;

   (x)       the transformation that maps two strings X = (x_{n-1}, ... ,
             x_0) in V_n and Y = (y_{n-1}, ... , y_0) in V_n into the
             string Z = X (x) Y = (z_{n-1}, ... , z_0) in V_n; the string
             Z corresponds to the polynomial Z(w) = z_{n-1} * w^{n-1} +
             ... + z_1 * w + z_0, which is the result of multiplying the
             polynomials X(w) = x_{n-1} * w^{n-1} + ... + x_1 * w + x_0
             and Y(w) = y_{n-1} * w^{n-1} + ... + y_1 * w + y_0 in the
             field GF(2^n), where n is the block size of the used block
             cipher; if n = 64, then the field polynomial is equal to
             f(w) = w^64 + w^4 + w^3 + w + 1; if n = 128, then the field
             polynomial is equal to f(w) = w^128 + w^7 + w^2 + w + 1;

   incr_l: V_n -> V_n
             the transformation that maps a string L || R, where L, R in
             V_{n/2}, into the string incr_l(L || R) =
             Vec_{n/2}(Int_{n/2}(L) [+] 1) || R;

   incr_r: V_n -> V_n
             the transformation that maps a string L || R, where L, R in
             V_{n/2}, into the string incr_r(L || R) = L ||
             Vec_{n/2}(Int_{n/2}(R) [+] 1).

4.  Specification

   An additional parameter that defines the functioning of Multilinear
   Galois Mode (MGM) is the bit length S of the authentication tag,
   32 <= S <= n.  The value of S MUST be fixed for a particular
   protocol.  The choice of the value S involves a trade-off between
   message expansion and the forgery probability.

4.1.  MGM Encryption and Tag Generation Procedure

   The MGM encryption and tag generation procedure takes the following
   parameters as inputs:

   1.  Encryption key K in V_k.

   2.  Initial counter nonce ICN in V_{n-1}.

   3.  Associated authenticated data A, 0 <= |A| < 2^{n/2}.  If |A| > 0,
       then A = A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1,
       A*_h in V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is
       empty, and the h and t parameters are set as follows: h = 0,
       t = n.  The associated data is authenticated but is not
       encrypted.

   4.  Plaintext P, 0 <= |P| < 2^{n/2}.  If |P| > 0, then P = P_1 ||
       ... || P*_q, P_i in V_n, for i = 1, ... , q - 1, P*_q in V_u,
       1 <= u <= n.  If |P| = 0, then by definition P*_q is empty, and
       the q and u parameters are set as follows: q = 0, u = n.

   The MGM encryption and tag generation procedure outputs the following
   parameters:

   1.  Initial counter nonce ICN.

   2.  Associated authenticated data A.

   3.  Ciphertext C in V_{|P|}.

   4.  Authentication tag T in V_S.

   The MGM encryption and tag generation procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Encrypt(K, ICN, A, P)                                      |
   |----------------------------------------------------------------|
   | 1. Encryption step:                                            |
   |    - if |P| = 0 then                                           |
   |        - C*_q = P*_q                                           |
   |        - C = P                                                 |
   |    - else                                                      |
   |        - Y_1 = E_K(0^1 || ICN),                                |
   |        - For i = 2, 3, ... , q do                              |
   |              Y_i = incr_r(Y_{i-1}),                            |
   |        - For i = 1, 2, ... , q - 1 do                          |
   |              C_i = P_i (xor) E_K(Y_i),                         |
   |        - C*_q = P*_q (xor) MSB_u(E_K(Y_q)),                    |
   |        - C = C_1 || ... || C*_q.                               |
   |                                                                |
   | 2. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 3. Authentication tag T generation step:                       |
   |    - Z_1 = E_K(1^1 || ICN),                                    |
   |    - sum = 0^n,                                                |
   |    - For i = 1, 2, ..., h do                                   |
   |          H_i = E_K(Z_i),                                       |
   |          sum = sum (xor) ( H_i (x) A_i ),                      |
   |          Z_{i+1} = incr_l(Z_i),                                |
   |    - For j = 1, 2, ..., q do                                   |
   |          H_{h+j} = E_K(Z_{h+j}),                               |
   |          sum = sum (xor) ( H_{h+j} (x) C_j ),                  |
   |          Z_{h+j+1} = incr_l(Z_{h+j}),                          |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T = MSB_S(E_K(sum (xor) ( H_{h+q+1} (x)                   |
   |                    ( len(A) || len(C) ) ))).                   |
   |                                                                |
   | 4. Return (ICN, A, C, T).                                      |
   +----------------------------------------------------------------+

   The ICN value for each message that is encrypted under the given key
   K must be chosen in a unique manner.

   Users who do not wish to encrypt plaintext can provide a string P of
   zero length.  Users who do not wish to authenticate associated data
   can provide a string A of zero length.  The length of the associated
   data A and of the plaintext P MUST be such that 0 < |A| + |P| <
   2^{n/2}.

4.2.  MGM Decryption and Tag Verification Check Procedure

   The MGM decryption and tag verification procedure takes the following
   parameters as inputs:

   1.  Encryption key K in V_k.

   2.  Initial counter nonce ICN in V_{n-1}.

   3.  Associated authenticated data A, 0 <= |A| < 2^{n/2}.  If |A| > 0,
       then A = A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1,
       A*_h in V_t, 1 <= t <= n.  If |A| = 0, then by definition A*_h is
       empty, and the h and t parameters are set as follows: h = 0,
       t = n.  The associated data is authenticated but is not
       encrypted.

   4.  Ciphertext C, 0 <= |C| < 2^{n/2}.  If |C| > 0, then C = C_1 ||
       ... || C*_q, C_i in V_n, for i = 1, ... , q - 1, C*_q in V_u,
       1 <= u <= n.  If |C| = 0, then by definition C*_q is empty, and
       the q and u parameters are set as follows: q = 0, u = n.

   5.  Authentication tag T in V_S.
   The MGM decryption and tag verification procedure outputs FAIL or the
   following parameters:

   1.  Associated authenticated data A.

   2.  Plaintext P in V_{|C|}.

   The MGM decryption and tag verification procedure consists of the
   following steps:

   +----------------------------------------------------------------+
   | MGM-Decrypt(K, ICN, A, C, T)                                   |
   |----------------------------------------------------------------|
   | 1. Padding step:                                               |
   |    - A_h = A*_h || 0^{n-t},                                    |
   |    - C_q = C*_q || 0^{n-u}.                                    |
   |                                                                |
   | 2. Authentication tag T verification step:                     |
   |    - Z_1 = E_K(1^1 || ICN),                                    |
   |    - sum = 0^n,                                                |
   |    - For i = 1, 2, ..., h do                                   |
   |          H_i = E_K(Z_i),                                       |
   |          sum = sum (xor) ( H_i (x) A_i ),                      |
   |          Z_{i+1} = incr_l(Z_i),                                |
   |    - For j = 1, 2, ..., q do                                   |
   |          H_{h+j} = E_K(Z_{h+j}),                               |
   |          sum = sum (xor) ( H_{h+j} (x) C_j ),                  |
   |          Z_{h+j+1} = incr_l(Z_{h+j}),                          |
   |    - H_{h+q+1} = E_K(Z_{h+q+1}),                               |
   |    - T' = MSB_S(E_K(sum (xor) ( H_{h+q+1} (x)                  |
   |                    ( len(A) || len(C) ) ))),                   |
   |    - If T' != T then return FAIL.                              |
   |                                                                |
   | 3. Decryption step:                                            |
   |    - if |C| = 0 then                                           |
   |        - P = C                                                 |
   |    - else                                                      |
   |        - Y_1 = E_K(0^1 || ICN),                                |
   |        - For i = 2, 3, ... , q do                              |
   |              Y_i = incr_r(Y_{i-1}),                            |
   |        - For i = 1, 2, ... , q - 1 do                          |
   |              P_i = C_i (xor) E_K(Y_i),                         |
   |        - P*_q = C*_q (xor) MSB_u(E_K(Y_q)),                    |
   |        - P = P_1 || ... || P*_q.                               |
   |                                                                |
   | 4. Return (A, P).                                              |
   +----------------------------------------------------------------+

   The length of the associated data A and of the ciphertext C MUST be
   such that 0 < |A| + |C| < 2^{n/2}.

5.  Rationale

   The MGM was originally proposed in [PDMODE].

   From the operational point of view the MGM is designed to be
   parallelizable, inverse-free, online and to provide availability of
   precomputations.
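   The Section 3 primitives ((x), incr_l, incr_r) and the MGM-Encrypt /
   MGM-Decrypt procedures of Section 4, as an added Python example; this
   is not code from the draft or from its authors.  E_K is assumed to be
   any callable on n/8-byte blocks (ToyFeistel below is a constructed
   stand-in, not Kuznyechik or Magma), and ICN is passed as n/8 bytes
   with the top bit clear, the way Appendix A prints it.

```python
import hashlib
import hmac

# Field polynomials of Section 3 without the leading w^n term, i.e. the bits
# folded back in when a shift carries out of bit n-1.  Bit i of an integer is
# the coefficient of w^i; the draft numbers bits x_{n-1} ... x_0 from left to
# right, so a big-endian integer is exactly the polynomial X(w).
_REDUCTION = {64: 0b11011, 128: 0b10000111}  # w^4+w^3+w+1 and w^7+w^2+w+1


def gf_mul(x: bytes, y: bytes, n: int) -> bytes:
    """X (x) Y in GF(2^n): shift-and-add, reducing whenever a shift overflows."""
    a, b, z = int.from_bytes(x, "big"), int.from_bytes(y, "big"), 0
    top, mask, r = 1 << (n - 1), (1 << n) - 1, _REDUCTION[n]
    while b:
        if b & 1:
            z ^= a
        carry = a & top
        a = (a << 1) & mask
        if carry:
            a ^= r
        b >>= 1
    return z.to_bytes(n // 8, "big")


def incr_l(block: bytes) -> bytes:
    """incr_l: add 1 mod 2^{n/2} to the left half, right half unchanged."""
    h = len(block) // 2
    left = (int.from_bytes(block[:h], "big") + 1) % (1 << (8 * h))
    return left.to_bytes(h, "big") + block[h:]


def incr_r(block: bytes) -> bytes:
    """incr_r: add 1 mod 2^{n/2} to the right half, left half unchanged."""
    h = len(block) // 2
    right = (int.from_bytes(block[h:], "big") + 1) % (1 << (8 * h))
    return block[:h] + right.to_bytes(h, "big")


def _xor(u: bytes, v: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(u, v))  # zip() truncates: this is MSB_u


def _check(icn: bytes, a: bytes, data: bytes, n: int, s_bits: int) -> None:
    """Input constraints of Sections 4 and 6 (byte granularity in this example)."""
    if len(icn) != n // 8 or icn[0] & 0x80:
        raise ValueError("ICN is n-1 bits: n/8 bytes with the top bit clear")
    if not 32 <= s_bits <= n or s_bits % 8:
        raise ValueError("tag length S must satisfy 32 <= S <= n")
    # 0 < |A| + |P| < 2^{n/2}.  Empty A and empty P together would make the
    # tag independent of the nonce (Section 6), so that case is refused.
    if len(a) + len(data) == 0 or 8 * (len(a) + len(data)) >= 1 << (n // 2):
        raise ValueError("need 0 < |A| + |P| < 2^(n/2)")


def _ctr(ek, icn: bytes, data: bytes, n: int) -> bytes:
    """Encryption/decryption step: Y_1 = E_K(0^1 || ICN), Y_i = incr_r(Y_{i-1})."""
    bs, y, out = n // 8, ek(icn), bytearray()
    for i in range(0, len(data), bs):
        out += _xor(data[i:i + bs], ek(y))
        y = incr_r(y)
    return bytes(out)


def _tag(ek, icn: bytes, a: bytes, c: bytes, n: int, s_bits: int) -> bytes:
    """Tag step: Z_1 = E_K(1^1 || ICN), Z_{i+1} = incr_l(Z_i), H_i = E_K(Z_i)."""
    bs = n // 8
    pad = lambda d: [d[i:i + bs].ljust(bs, b"\0") for i in range(0, len(d), bs)]
    z, acc = ek(bytes([icn[0] | 0x80]) + icn[1:]), bytes(bs)
    for blk in pad(a) + pad(c):                 # A_1..A_h, then C_1..C_q, zero-padded
        acc = _xor(acc, gf_mul(ek(z), blk, n))  # sum ^= H_i (x) block
        z = incr_l(z)
    lens = (8 * len(a)).to_bytes(bs // 2, "big") + (8 * len(c)).to_bytes(bs // 2, "big")
    acc = _xor(acc, gf_mul(ek(z), lens, n))     # H_{h+q+1} (x) (len(A) || len(C))
    return ek(acc)[: s_bits // 8]               # T = MSB_S(E_K(sum))


def mgm_encrypt(ek, n: int, icn: bytes, a: bytes, p: bytes, s_bits=None):
    """MGM-Encrypt(K, ICN, A, P) -> (C, T).  `ek` is E_K on n/8-byte blocks."""
    s_bits = n if s_bits is None else s_bits
    _check(icn, a, p, n, s_bits)
    c = _ctr(ek, icn, p, n)
    return c, _tag(ek, icn, a, c, n, s_bits)


def mgm_decrypt(ek, n: int, icn: bytes, a: bytes, c: bytes, t: bytes, s_bits=None):
    """MGM-Decrypt(K, ICN, A, C, T) -> P, or None for FAIL (tag checked first)."""
    s_bits = n if s_bits is None else s_bits
    _check(icn, a, c, n, s_bits)
    expected = _tag(ek, icn, a, c, n, s_bits)
    if len(t) != len(expected) or not hmac.compare_digest(expected, t):
        return None                             # FAIL: no plaintext is released
    return _ctr(ek, icn, c, n)


class ToyFeistel:
    """Constructed stand-in for E_K (8-round Feistel over SHA-256) so the example
    runs offline.  NOT Kuznyechik or Magma; substitute a real block cipher."""

    def __init__(self, key: bytes, n: int):
        self.key, self.half = key, n // 16

    def __call__(self, block: bytes) -> bytes:
        l, r = block[: self.half], block[self.half:]
        for rnd in range(8):
            f = hashlib.sha256(self.key + bytes([rnd]) + r).digest()[: self.half]
            l, r = r, _xor(l, f)
        return l + r
```

   Without a GOST implementation the field multiplication can still be
   checked against Appendix A: the last "current sum" xor'ed with the
   "sum (xor) ( H (x) ( len(A) || len(C) ) )" line equals
   H (x) ( len(A) || len(C) ), e.g. 5C8E9D4145382E58 for Example 1 of
   A.2.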
   Parallelizability of the MGM is achieved due to its counter-type
   structure and the usage of the multilinear function for
   authentication.  Indeed, both encryption blocks E_K(Y_i) and
   authentication blocks H_i are produced in the counter mode manner,
   and the multilinear function determined by H_i is parallelizable in
   itself.  Additionally, the counter-type structure of the mode
   provides the inverse-free property.

   The online property means the possibility to process a message even
   if it is not completely received (so its length is unknown).  To
   provide this property the MGM uses blocks E_K(Y_i) and H_i which are
   produced from two independent source blocks Y_i and Z_i.

   Availability of precomputations for the MGM means the possibility to
   calculate H_i and E_K(Y_i) even before data is retrieved.  It holds
   again due to the usage of counters for calculating them.

6.  Security Considerations

   The security properties of the MGM are based on the following:

   o  Different functions generating the counter values:
      The functions incr_r and incr_l are chosen to minimize
      intersection (if it happens) of counter values Y_i and Z_i.

   o  Encryption of the multilinear function output:
      It makes it possible to resist attacks based on padding and
      linear properties (see [Ferg05] for details).

   o  Multilinear function for authentication:
      It makes it possible to resist the small subgroup attacks
      [Saar12].

   o  Encryption of the nonces (0^1 || ICN) and (1^1 || ICN):
      The use of this encryption minimizes the number of plaintext/
      ciphertext pairs of blocks known to an adversary.  It makes it
      possible to resist attacks that need a substantial amount of such
      material (e.g., linear and differential cryptanalysis, side-
      channel attacks).

   It is crucial to the security of MGM to use unique ICN values.  Using
   the same ICN values for two different messages encrypted with the
   same key eliminates the security properties of this mode.

   It is crucial for the security of MGM not to process empty plaintext
   and empty associated data at the same time.  Otherwise, the tag
   becomes independent of the nonce value, leading to vulnerability to a
   forgery attack.

   Security analysis for MGM with E_K being a random permutation was
   performed in [SecMGM].  More precisely, the bounds for
   confidentiality advantage (CA) and integrity advantage (IA) (for
   details see [I-D.irtf-cfrg-aead-limits]) were obtained.  According to
   these results, for an adversary making at most q encryption queries
   with the total length of plaintexts and associated data of at most s
   blocks and allowed to output a forgery with the summary length of
   ciphertext and associated data of at most l blocks:

      CA <= ( 3( s + 4q )^2 ) / 2^n,

      IA <= ( 3( s + 4q + l + 3 )^2 ) / 2^n + 2/2^S,

   where n is the block size and S is the authentication tag size.

   These bounds can be used as guidelines on how to calculate
   confidentiality and integrity limits (for details also see
   [I-D.irtf-cfrg-aead-limits]).

7.  IANA Considerations

   This document does not require any IANA actions.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8891]  Dolmatov, V., Ed. and D. Baryshkov, "GOST R 34.12-2015:
              Block Cipher "Magma"", RFC 8891, DOI 10.17487/RFC8891,
              September 2020.

8.2.  Informative References

   [Ferg05]   Ferguson, N., "Authentication weaknesses in GCM", 2005.

   [GOST3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Block ciphers", GOST R 34.12-2015, 2015.

   [I-D.irtf-cfrg-aead-limits]
              Guenther, F., Thomson, M., and C. Wood, "Usage Limits on
              AEAD Algorithms", draft-irtf-cfrg-aead-limits-01 (work in
              progress), September 2020.

   [PDMODE]   Nozdrunov, V., "Parallel and double block cipher mode of
              operation (PD-mode) for authenticated encryption", CTCrypt
              2017 proceedings, pp. 36-45, 2017.

   [R1323565.1.026-2019]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology.  Cryptographic data security.
              Authenticated encryption block cipher operation modes",
              R 1323565.1.026-2019, 2019.

   [Saar12]   Saarinen, O., "Cycling Attacks on GCM, GHASH and Other
              Polynomial MACs and Hashes", FSE 2012 proceedings, pp.
              216-225, 2012.

   [SecMGM]   Akhmetzyanova, L., Alekseev, E., Karpunin, G. and V.
              Nozdrunov, "Security of Multilinear Galois Mode (MGM).",
              IACR Cryptology ePrint Archive 2019, p. 123, 2019.

Appendix A.  Test Vectors

A.1.  Test Vectors for the Kuznyechik block cipher

   Test vectors for the Kuznyechik block cipher (n = 128, k = 256)
   defined in [GOST3412-2015] (the English version can be found in
   [RFC7801]).
   -------------------------Example 1--------------------------

   Encryption key K:
   00000: 88 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77
   00010: FE DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF

   ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Associated authenticated data A:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05

   Plaintext P:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88
   00010: 00 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A
   00020: 11 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00
   00030: 22 33 44 55 66 77 88 99 AA BB CC EE FF 0A 00 11
   00040: AA BB CC

   1. Encryption step:

   0^1 || ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Y_1:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CD
   E_K(Y_1):
   00000: B8 57 48 C5 12 F3 19 90 AA 56 7E F1 53 35 DB 74

   Y_2:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CE
   E_K(Y_2):
   00000: 80 64 F0 12 6F AC 9B 2C 5B 6E AC 21 61 2F 94 33

   Y_3:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED CF
   E_K(Y_3):
   00000: 58 58 82 1D 40 C0 CD 0D 0A C1 E6 C2 47 09 8F 1C

   Y_4:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D0
   E_K(Y_4):
   00000: E4 3F 50 81 B5 8F 0B 49 01 2F 8E E8 6A CD 6D FA

   Y_5:
   00000: 7F 67 9D 90 BE BC 24 30 5A 46 8D 42 B9 D4 ED D1
   E_K(Y_5):
   00000: 86 CE 9E 2A 0A 12 25 E3 33 56 91 B2 0D 5A 33 48

   C:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52

   2. Padding step:

   A_1 || ... || A_h:
   00000: 02 02 02 02 02 02 02 02 01 01 01 01 01 01 01 01
   00010: 04 04 04 04 04 04 04 04 03 03 03 03 03 03 03 03
   00020: EA 05 05 05 05 05 05 05 05 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: A9 75 7B 81 47 95 6E 90 55 B8 A3 3D E8 9F 42 FC
   00010: 80 75 D2 21 2B F9 FD 5B D3 F7 06 9A AD C1 6B 39
   00020: 49 7A B1 59 15 A6 BA 85 93 6B 5D 0E A9 F6 85 1C
   00030: C6 0C 14 D4 D3 F8 83 D0 AB 94 42 06 95 C7 6D EB
   00040: 2C 75 52 00 00 00 00 00 00 00 00 00 00 00 00 00

   3. Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Z_1:
   00000: 7F C2 45 A8 58 6E 66 02 A7 BB DB 27 86 BD C6 6F
   H_1:
   00000: 8D B1 87 D6 53 83 0E A4 BC 44 64 76 95 2C 30 0B
   current sum:
   00000: 4C F4 27 F4 AD B7 5C F4 C0 DA 39 D5 AB 48 CF 38

   Z_2:
   00000: 7F C2 45 A8 58 6E 66 03 A7 BB DB 27 86 BD C6 6F
   H_2:
   00000: 7A 24 F7 26 30 E3 76 37 21 C8 F3 CD B1 DA 0E 31
   current sum:
   00000: 94 95 44 0E F6 24 A1 DD C6 F5 D9 77 28 50 C5 73

   Z_3:
   00000: 7F C2 45 A8 58 6E 66 04 A7 BB DB 27 86 BD C6 6F
   H_3:
   00000: 44 11 96 21 17 D2 06 35 C5 25 E0 A2 4D B4 B9 0A
   current sum:
   00000: A4 9A 8C D8 A6 F2 74 23 DB 79 E4 4A B3 06 D9 42

   Z_4:
   00000: 7F C2 45 A8 58 6E 66 05 A7 BB DB 27 86 BD C6 6F
   H_4:
   00000: D8 C9 62 3C 4D BF E8 14 CE 7C 1C 0C EA A9 59 DB
   current sum:
   00000: 09 FE 3F 6A 83 3C 21 B3 90 27 D0 20 6A 84 E1 5A

   Z_5:
   00000: 7F C2 45 A8 58 6E 66 06 A7 BB DB 27 86 BD C6 6F
   H_5:
   00000: A5 E1 F1 95 33 3E 14 82 96 99 31 BF BE 6D FD 43
   current sum:
   00000: B5 DA 26 BB 00 EB A8 04 35 D7 97 6B C6 B5 46 4D

   Z_6:
   00000: 7F C2 45 A8 58 6E 66 07 A7 BB DB 27 86 BD C6 6F
   H_6:
   00000: B4 CA 80 8C AC CF B3 F9 17 24 E4 8A 2C 7E E9 D2
   current sum:
   00000: DD 1C 0E EE F7 83 C8 EB 2A 33 F3 58 D7 23 0E E5

   Z_7:
   00000: 7F C2 45 A8 58 6E 66 08 A7 BB DB 27 86 BD C6 6F
   H_7:
   00000: 72 90 8F C0 74 E4 69 E8 90 1B D1 88 EA 91 C3 31
   current sum:
   00000: 89 6C E1 08 32 EB EA F9 06 9F 3F 73 76 59 4D 40

   Z_8:
   00000: 7F C2 45 A8 58 6E 66 09 A7 BB DB 27 86 BD C6 6F
   H_8:
   00000: 23 CA 27 15 B0 2C 68 31 3B FD AC B3 9E 4D 0F B8
   current sum:
   00000: 99 1A F5 C9 D0 80 F7 63 87 FE 64 9E 7C 93 C6 42

   Z_9:
   00000: 7F C2 45 A8 58 6E 66 0A A7 BB DB 27 86 BD C6 6F
   H_9:
   00000: BC BC E6 C4 1A A3 55 A4 14 88 62 BF 64 BD 83 0D
   len(A) || len(C):
   00000: 00 00 00 00 00 00 01 48 00 00 00 00 00 00 02 18
   sum (xor) ( H_9 (x) ( len(A) || len(C) ) ):
   00000: C0 C7 22 DB 5E 0B D6 DB 25 76 73 83 3D 56 71 28

   Tag T:
   00000: CF 5D 65 6F 40 C3 4F 5C 46 E8 BB 0E 29 FC DB 4C

   -------------------------Example 2--------------------------

   Encryption key K:
   00000: 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 FE
   00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88

   ICN:
   00000: 11 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Associated authenticated data A:
   00000: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01

   Plaintext P:
   00000:

   1. Encryption step:

   C:
   00000:

   2. Padding step:

   A_1 || ... || A_h:
   00000: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01

   C_1 || ... || C_q:
   00000:

   3. Authentication tag T generation step:

   1^1 || ICN:
   00000: 91 22 33 44 55 66 77 00 FF EE DD CC BB AA 99 88

   Z_1:
   00000: 79 32 72 68 96 C4 3E 3F BF D6 50 89 EB F1 E5 B6
   H_1:
   00000: 99 3A 80 66 CC C0 A4 0F AC 4A 14 F7 A2 F6 6D 9B
   current sum:
   00000: 0A C1 1E 2C 1C D6 07 D8 2F E3 55 54 B4 01 02 81

   Z_2:
   00000: 79 32 72 68 96 C4 3E 40 BF D6 50 89 EB F1 E5 B6
   H_2:
   00000: 0C 38 A7 1E E7 93 BF 76 89 81 BF CD 7C DA 78 C8
   len(A) || len(C):
   00000: 00 00 00 00 00 00 00 80 00 00 00 00 00 00 00 00
   sum (xor) ( H_2 (x) ( len(A) || len(C) ) ):
   00000: CA 1E F8 92 71 EA 60 C4 53 9E 40 EB 26 C2 80 5D

   Tag T:
   00000: 79 01 E9 EA 20 85 CD 24 7E D2 49 69 5F 9F 8A 85

A.2.  Test Vectors for the Magma block cipher

   Test vectors for the Magma block cipher (n = 64, k = 256) defined in
   [GOST3412-2015] (the English version can be found in [RFC8891]).

   -------------------------Example 1--------------------------

   Encryption key K:
   00000: FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00
   00010: F0 F1 F2 F3 F4 F5 F6 F7 F8 F9 FA FB FC FD FE FF

   ICN:
   00000: 12 DE F0 6B 3C 13 0A 59

   Associated authenticated data A:
   00000: 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02
   00010: 03 03 03 03 03 03 03 03 04 04 04 04 04 04 04 04
   00020: 05 05 05 05 05 05 05 05 EA

   Plaintext P:
   00000: FF EE DD CC BB AA 99 88 11 22 33 44 55 66 77 00
   00010: 88 99 AA BB CC EE FF 0A 00 11 22 33 44 55 66 77
   00020: 99 AA BB CC EE FF 0A 00 11 22 33 44 55 66 77 88
   00030: AA BB CC EE FF 0A 00 11 22 33 44 55 66 77 88 99
   00040: AA BB CC

   1. Encryption step:

   0^1 || ICN:
   00000: 12 DE F0 6B 3C 13 0A 59

   Y_1:
   00000: 56 23 89 01 62 DE 31 BF
   E_K(Y_1):
   00000: 38 7B DB A0 E4 34 39 B3

   Y_2:
   00000: 56 23 89 01 62 DE 31 C0
   E_K(Y_2):
   00000: 94 33 00 06 10 F7 F2 AE

   Y_3:
   00000: 56 23 89 01 62 DE 31 C1
   E_K(Y_3):
   00000: 97 B7 AA 6D 73 C5 87 57

   Y_4:
   00000: 56 23 89 01 62 DE 31 C2
   E_K(Y_4):
   00000: 94 15 52 8B FF C9 E8 0A

   Y_5:
   00000: 56 23 89 01 62 DE 31 C3
   E_K(Y_5):
   00000: 03 F7 68 BF F1 82 D6 70

   Y_6:
   00000: 56 23 89 01 62 DE 31 C4
   E_K(Y_6):
   00000: FD 05 F8 4E 9B 09 D2 FE

   Y_7:
   00000: 56 23 89 01 62 DE 31 C5
   E_K(Y_7):
   00000: DA 4D 90 8A 95 B1 75 C4

   Y_8:
   00000: 56 23 89 01 62 DE 31 C6
   E_K(Y_8):
   00000: 65 99 73 96 DA C2 4B D7

   Y_9:
   00000: 56 23 89 01 62 DE 31 C7
   E_K(Y_9):
   00000: A9 00 50 4A 14 8D EE 26

   C:
   00000: C7 95 06 6C 5F 9E A0 3B 85 11 33 42 45 91 85 AE
   00010: 1F 2E 00 D6 BF 2B 78 5D 94 04 70 B8 BB 9C 8E 7D
   00020: 9A 5D D3 73 1F 7D DC 70 EC 27 CB 0A CE 6F A5 76
   00030: 70 F6 5C 64 6A BB 75 D5 47 AA 37 C3 BC B5 C3 4E
   00040: 03 BB 9C

   2. Padding step:

   A_1 || ... || A_h:
   00000: 01 01 01 01 01 01 01 01 02 02 02 02 02 02 02 02
   00010: 03 03 03 03 03 03 03 03 04 04 04 04 04 04 04 04
   00020: 05 05 05 05 05 05 05 05 EA 00 00 00 00 00 00 00

   C_1 || ... || C_q:
   00000: C7 95 06 6C 5F 9E A0 3B 85 11 33 42 45 91 85 AE
   00010: 1F 2E 00 D6 BF 2B 78 5D 94 04 70 B8 BB 9C 8E 7D
   00020: 9A 5D D3 73 1F 7D DC 70 EC 27 CB 0A CE 6F A5 76
   00030: 70 F6 5C 64 6A BB 75 D5 47 AA 37 C3 BC B5 C3 4E
   00040: 03 BB 9C 00 00 00 00 00

   3. Authentication tag T generation step:

   1^1 || ICN:
   00000: 92 DE F0 6B 3C 13 0A 59

   Z_1:
   00000: 2B 07 3F 04 94 F3 72 A0
   H_1:
   00000: 70 8A 78 19 1C DD 22 AA
   current sum:
   00000: D6 BB 5B EA 81 93 12 62

   Z_2:
   00000: 2B 07 3F 05 94 F3 72 A0
   H_2:
   00000: 6F 02 CC 46 4B 2F A0 A3
   current sum:
   00000: DD 1C 82 4E 91 78 49 A5

   Z_3:
   00000: 2B 07 3F 06 94 F3 72 A0
   H_3:
   00000: 9F 81 F2 26 FD 19 6F 05
   current sum:
   00000: 05 89 22 17 F6 5A DA C7

   Z_4:
   00000: 2B 07 3F 07 94 F3 72 A0
   H_4:
   00000: B9 C2 AC 9B E5 B5 DF F9
   current sum:
   00000: D1 DB 9B 7F C4 9E 7C 97

   Z_5:
   00000: 2B 07 3F 08 94 F3 72 A0
   H_5:
   00000: 74 B5 EC 96 55 1B F8 88
   current sum:
   00000: 56 45 F6 B5 18 5C B7 1A

   Z_6:
   00000: 2B 07 3F 09 94 F3 72 A0
   H_6:
   00000: 7E B0 21 A4 03 5B 04 C3
   current sum:
   00000: 3F C2 C2 E6 FB EE D0 4D

   Z_7:
   00000: 2B 07 3F 0A 94 F3 72 A0
   H_7:
   00000: C2 A9 C3 A8 70 4D 9B B0
   current sum:
   00000: 15 47 1F B5 CD 8E 6C 02

   Z_8:
   00000: 2B 07 3F 0B 94 F3 72 A0
   H_8:
   00000: F5 D5 05 A8 7B 83 83 B5
   current sum:
   00000: 12 56 78 96 1D 40 E0 93

   Z_9:
   00000: 2B 07 3F 0C 94 F3 72 A0
   H_9:
   00000: F7 95 E7 5F DE B8 93 3C
   current sum:
   00000: 6E F4 0A B0 C1 5F 20 48

   Z_10:
   00000: 2B 07 3F 0D 94 F3 72 A0
   H_10:
   00000: 65 A1 A3 E6 80 F0 81 45
   current sum:
   00000: A4 64 A7 08 FF 45 14 22

   Z_11:
   00000: 2B 07 3F 0E 94 F3 72 A0
   H_11:
   00000: 1C 74 A5 76 4C B0 D5 95
   current sum:
   00000: 60 94 4E 05 D0 85 75 14

   Z_12:
   00000: 2B 07 3F 0F 94 F3 72 A0
   H_12:
   00000: DC 84 47 A5 14 E7 83 E7
   current sum:
   00000: EE 98 B9 B5 0F F7 83 E8

   Z_13:
   00000: 2B 07 3F 10 94 F3 72 A0
   H_13:
   00000: A7 E3 AF E0 04 EE 16 E3
   current sum:
   00000: C0 39 0F A2 28 AF 6D CB

   Z_14:
   00000: 2B 07 3F 11 94 F3 72 A0
   H_14:
   00000: A5 AA BB 0B 79 80 D0 71
   current sum:
   00000: 73 E0 6E 07 EF 37 CD CC

   Z_15:
   00000: 2B 07 3F 12 94 F3 72 A0
   H_15:
   00000: 6E 10 4C C9 33 52 5C 5D
   current sum:
   00000: 2F 40 69 0A EB 53 F5 39

   Z_16:
   00000: 2B 07 3F 13 94 F3 72 A0
   H_16:
   00000: 83 11 B6 02 4A A9 66 C1
   len(A) || len(C):
   00000: 00 00 01 48 00 00 02 18
   sum (xor) ( H_16 (x) ( len(A) || len(C) ) ):
   00000: 73 CE F4 4B AE 6B DB 61

   Tag T:
   00000: A7 92 80 69 AA 10 FD 10

   -------------------------Example 2--------------------------

   Encryption key K:
   00000: 99 AA BB CC DD EE FF 00 11 22 33 44 55 66 77 FE
   00010: DC BA 98 76 54 32 10 01 23 45 67 89 AB CD EF 88

   ICN:
   00000: 00 77 66 55 44 33 22 11

   Associated authenticated data A:
   00000:

   Plaintext P:
   00000: 22 33 44 55 66 77 00 FF

   1. Encryption step:

   0^1 || ICN:
   00000: 00 77 66 55 44 33 22 11

   Y_1:
   00000: 5B 2A 7E 60 4F 9F BB 95
   E_K(Y_1):
   00000: 48 A6 A5 17 0D 52 9D B1

   C:
   00000: 6A 95 E1 42 6B 25 9D 4E

   2. Padding step:

   A_1 || ... || A_h:
   00000:

   C_1 || ... || C_q:
   00000: 6A 95 E1 42 6B 25 9D 4E

   3. Authentication tag T generation step:

   1^1 || ICN:
   00000: 80 77 66 55 44 33 22 11

   Z_1:
   00000: 59 73 54 78 7E 52 E6 EB
   H_1:
   00000: EC E3 F9 DA 11 8C 7D 95
   current sum:
   00000: 25 D0 E4 20 7B 6B F6 3D

   Z_2:
   00000: 59 73 54 79 7E 52 E6 EB
   H_2:
   00000: 31 0C 0D AC C9 D0 4D 93
   len(A) || len(C):
   00000: 00 00 00 00 00 00 00 40
   sum (xor) ( H_2 (x) ( len(A) || len(C) ) ):
   00000: 66 D3 8F 12 0F 78 92 49

   Tag T:
   00000: 33 4E E2 70 45 0B EC 9E

Appendix B.  Contributors

   o  Evgeny Alekseev
      CryptoPro
      alekseev@cryptopro.ru

   o  Alexandra Babueva
      CryptoPro
      babueva@cryptopro.ru

   o  Lilia Akhmetzyanova
      CryptoPro
      lah@cryptopro.ru

   o  Grigory Marshalko
      TC 26
      marshalko_gb@tc26.ru

   o  Vladimir Rudskoy
      TC 26
      rudskoy_vi@tc26.ru

   o  Alexey Nesterenko
      National Research University Higher School of Economics
      anesterenko@hse.ru

   o  Lidia Nikiforova
      CryptoPro
      nikiforova@cryptopro.ru

Authors' Addresses

   Stanislav Smyshlyaev (editor)
   CryptoPro

   Phone: +7 (495) 995-48-20
   Email: svs@cryptopro.ru


   Vladislav Nozdrunov
   TC 26

   Email: nozdrunov_vi@tc26.ru


   Vasily Shishkin
   TC 26

   Email: shishkin_va@tc26.ru


   Ekaterina Griboedova
   CryptoPro

   Email: griboedovaekaterina@gmail.com