diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc8133.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc8133.txt')
-rw-r--r-- | doc/rfc/rfc8133.txt | 2859 |
1 files changed, 2859 insertions, 0 deletions
diff --git a/doc/rfc/rfc8133.txt b/doc/rfc/rfc8133.txt new file mode 100644 index 0000000..ac6f5ca --- /dev/null +++ b/doc/rfc/rfc8133.txt @@ -0,0 +1,2859 @@ + + + + + + +Independent Submission S. Smyshlyaev, Ed. +Request for Comments: 8133 E. Alekseev +Category: Informational I. Oshkin +ISSN: 2070-1721 V. Popov + CRYPTO-PRO + March 2017 + + +The Security Evaluated Standardized Password-Authenticated Key Exchange + (SESPAKE) Protocol + +Abstract + + This document describes the Security Evaluated Standardized Password- + Authenticated Key Exchange (SESPAKE) protocol. The SESPAKE protocol + provides password-authenticated key exchange for usage in systems for + protection of sensitive information. The security proofs of the + protocol were made for situations involving an active adversary in + the channel, including man-in-the-middle (MitM) attacks and attacks + based on the impersonation of one of the subjects. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This is a contribution to the RFC Series, independently of any other + RFC stream. The RFC Editor has chosen to publish this document at + its discretion and makes no statement about its value for + implementation or deployment. Documents approved for publication by + the RFC Editor are not a candidate for any level of Internet + Standard; see Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc8133. + +Copyright Notice + + Copyright (c) 2017 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. + + + +Smyshlyaev, et al. Informational [Page 1] + +RFC 8133 SESPAKE March 2017 + + +Table of Contents + + 1. Introduction ....................................................2 + 2. Conventions Used in This Document ...............................2 + 3. Notations .......................................................3 + 4. Protocol Description ............................................4 + 4.1. Protocol Parameters ........................................5 + 4.2. Initial Values of the Protocol Counters ....................7 + 4.3. Protocol Steps .............................................7 + 5. Construction of Points {Q_1,...,Q_N} ...........................11 + 6. Security Considerations ........................................13 + 7. IANA Considerations ............................................13 + 8. References .....................................................14 + 8.1. Normative References ......................................14 + 8.2. Informative References ....................................15 + Appendix A. Test Examples for GOST-Based Protocol Implementation ..16 + A.1. Examples of Points .........................................16 + A.2. Test Examples of SESPAKE ...................................17 + Appendix B. Point Verification Script .............................33 + Acknowledgments ...................................................51 + Authors' Addresses ................................................51 + +1. Introduction + + This document describes the Security Evaluated Standardized Password- + Authenticated Key Exchange (SESPAKE) protocol. The SESPAKE protocol + provides password-authenticated key exchange for usage in systems for + protection of sensitive information. The protocol is intended to be + used to establish keys that are then used to organize a secure + channel for protection of sensitive information. The security proofs + of the protocol were made for situations involving an active + adversary in the channel, including man-in-the-middle (MitM) attacks + and attacks based on the impersonation of one of the subjects. + +2. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 2] + +RFC 8133 SESPAKE March 2017 + + +3. Notations + + This document uses the following parameters of elliptic curves in + accordance with [RFC6090]: + + E an elliptic curve defined over a finite prime field GF(p), + where p > 3; + + p the characteristic of the underlying prime field; + + a, b the coefficients of the equation of the elliptic curve in the + canonical form; + + m the elliptic curve group order; + + q the elliptic curve subgroup order; + + P a generator of the subgroup of order q; + + X, Y the coordinates of the elliptic curve point in the canonical + form; + + O zero point (point at infinity) of the elliptic curve. + + This memo uses the following functions: + + HASH the underlying hash function; + + HMAC the function for calculating a message authentication code + (MAC), based on a HASH function in accordance with [RFC2104]; + + F(PW, salt, n) + the value of the function PBKDF2(PW, salt, n, len), where + PBKDF2(PW, salt, n, len) is calculated according to + [RFC8018]. The parameter len is considered equal to the + minimum integer that is a multiple of 8 and satisfies the + following condition: + + len >= floor(log_2(q)). + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 3] + +RFC 8133 SESPAKE March 2017 + + + This document uses the following terms and definitions for the sets + and operations on the elements of these sets: + + B_n the set of byte strings of size n, n >= 0; for n = 0, the B_n + set consists of a single empty string of size 0; if b is an + element of B_n, then b = (b_1,...,b_n), where b_1,...,b_n are + elements of {0,...,255}; + + || concatenation of byte strings A and C, i.e., if A in B_n1, + C in B_n2, A = (a_1,a_2,...,a_n1) and C = (c_1,c_2,...,c_n2), + then A || C = (a_1,a_2,...,a_n1,c_1,c_2,...,c_n2) is an + element of B_(n1 + n2); + + int(A) for the byte string A = (a_1,...,a_n) in B_n, an integer + int(A) = 256^(n - 1)a_n +...+ 256^(0)a_1; + + bytes_n(X) + the byte string A in B_n, such that int(A) = X, where X is an + integer and 0 <= X < 256^n; + + BYTES(Q) + for Q in E, the byte string bytes_n(X) || bytes_n(Y), where + X, Y are standard Weierstrass coordinates of point Q and + n = ceil(log_{256}(p)). + +4. Protocol Description + + The main point of the SESPAKE protocol is that parties sharing a weak + key (a password) generate a strong common key. An active adversary + who has access to a channel is not able to obtain any information + that can be used to find a key in offline mode, i.e., without + interaction with legitimate participants. + + The protocol is used by subjects A (client) and B (server) that share + some secret parameter that was established in an out-of-band + mechanism: a client is a participant who stores a password as a + secret parameter, and a server is a participant who stores a + password-based computed point of the elliptic curve. + + The SESPAKE protocol consists of two steps: the key-agreement step + and the key-confirmation step. During the first step (the + key-agreement step), the parties exchange keys using Diffie-Hellman + with public components masked by an element that depends on the + password -- one of the predefined elliptic curve points multiplied by + the password-based coefficient. This approach provides an implicit + key authentication, which means that after this step, one party is + assured that no other party, aside from a specifically identified + second party, may gain access to the generated secret key. During + + + +Smyshlyaev, et al. Informational [Page 4] + +RFC 8133 SESPAKE March 2017 + + + the second step (the key-confirmation step), the parties exchange + strings that strongly depend on the generated key. After this step, + the parties are assured that a legitimate party, and no one else, + actually has possession of the secret key. + + To protect against online guessing attacks, counters that indicate + the number of failed connections were introduced in the SESPAKE + protocol. There is also a special technique for small-order point + processing and a mechanism that provides protection against + reflection attacks by using different operations for different sides. + +4.1. Protocol Parameters + + Various elliptic curves can be used in the protocol. For each + elliptic curve supported by clients, the following values MUST be + defined: + + o the protocol parameters identifier, ID_ALG (which can also define + a HASH function, a pseudorandom function (PRF) used in the PBKDF2 + function, etc.), which is a byte string of an arbitrary length; + + o the point P, which is a generator point of the subgroup of order q + of the curve; + + o the set of distinct curve points {Q_1,Q_2,...,Q_N} of order q, + where the total number of points, N, is defined for the protocol + instance. + + The method of generation of the points {Q_1,Q_2,...,Q_N} is described + in Section 5. + + The following protocol parameters are used by subject A: + + 1. The secret password value PW, which is a byte string that is + uniformly randomly chosen from a subset of cardinality 10^10 or + greater of the set B_k, where k >= 6 is the password length. + + 2. The list of curve identifiers supported by A. + + 3. Sets of points {Q_1,Q_2,...,Q_N}, corresponding to curves + supported by A. + + 4. The C_1^A counter, which tracks the total number of unsuccessful + authentication trials in a row, and a value of CLim_1 that stores + the maximum possible number of such events. + + + + + + +Smyshlyaev, et al. Informational [Page 5] + +RFC 8133 SESPAKE March 2017 + + + 5. The C_2^A counter, which tracks the total number of unsuccessful + authentication events during the period of usage of the specific + PW, and a value of CLim_2 that stores the maximum possible number + of such events. + + 6. The C_3^A counter, which tracks the total number of + authentication events (successful and unsuccessful) during the + period of usage of the specific PW, and a value of CLim_3 that + stores the maximum possible number of such events. + + 7. The unique identifier, ID_A, of subject A (OPTIONAL), which is a + byte string of an arbitrary length. + + The following protocol parameters are used by subject B: + + 1. The values ind and salt, where ind is in {1,...,N} and salt is in + {1,...,2^128-1}. + + 2. The point Q_PW, satisfying the following equation: + + Q_PW = int(F(PW, salt, 2000))*Q_ind. + + It is possible that the point Q_PW is not stored and is + calculated using PW in the beginning of the protocol. In that + case, B has to store PW and points {Q_1,Q_2,...,Q_N}. + + 3. The ID_ALG identifier. + + 4. The C_1^B counter, which tracks the total number of unsuccessful + authentication trials in a row, and a value of CLim_1 that stores + the maximum possible number of such events. + + 5. The C_2^B counter, which tracks the total number of unsuccessful + authentication events during the period of usage of the specific + PW, and a value of CLim_2 that stores the maximum possible number + of such events. + + 6. The C_3^B counter, which tracks the total number of + authentication events (successful and unsuccessful) during the + period of usage of the specific PW, and a value of CLim_3 that + stores the maximum possible number of such events. + + 7. The unique identifier, ID_B, of subject B (OPTIONAL), which is a + byte string of an arbitrary length. + + + + + + + +Smyshlyaev, et al. Informational [Page 6] + +RFC 8133 SESPAKE March 2017 + + +4.2. Initial Values of the Protocol Counters + + After the setup of a new password value PW, the values of the + counters MUST be assigned as follows: + + o C_1^A = C_1^B = CLim_1, where CLim_1 is in {3,...,5}; + + o C_2^A = C_2^B = CLim_2, where CLim_2 is in {7,...,20}; + + o C_3^A = C_3^B = CLim_3, where CLim_3 is in {10^3,10^3+1,...,10^5}. + +4.3. Protocol Steps + + The basic SESPAKE steps are shown in the scheme below: + + +--------------------------+------------+---------------------------+ + | A [A_ID, PW] | | B [B_ID, Q_PW, ind, salt] | + +--------------------------+------------+---------------------------+ + | if C_1^A or C_2^A or | | | + | C_3^A = 0 ==> quit | | | + | decrement C_1^A, C_2^A, | A_ID ---> | if C_1^B or C_2^B or | + | C_3^A by 1 | | C_3^B = 0 ==> quit | + | z_A = 0 | <--- | decrement C_1^B, C_2^B, | + | | ID_ALG, | C_3^B by 1 | + | | B_ID | | + | | (OPTIONAL),| | + | | ind, salt | | + | Q_PW^A = int(F(PW, salt, | | | + | 2000))*Q_ind | | | + | choose alpha randomly | | | + | from {1,...,q-1} | | | + | u_1 = alpha*P - Q_PW^A | u_1 ---> | if u_1 not in E ==> quit | + | | | z_B = 0 | + | | | Q_B = u_1 + Q_PW | + | | | choose beta randomly from | + | | | {1,...,q-1} | + | | | if m/q*Q_B = O ==> Q_B = | + | | | beta*P, z_B = 1 | + | | | K_B = | + | | | HASH(BYTES(( m/q*beta* | + | | | (mod q))*Q_B )) | + | if u_2 not in E ==> quit | <--- u_2 | u_2 = beta*P + Q_PW | + | Q_A = u_2 - Q_PW^A | | | + | if m/q*Q_A = O ==> Q_A = | | | + | alpha*P, z_A = 1 | | | + | K_A = HASH(BYTES(( m/q* | | | + | alpha(mod q))*Q_A )) | | | + | | | | + + + +Smyshlyaev, et al. Informational [Page 7] + +RFC 8133 SESPAKE March 2017 + + + | U_1 = BYTES(u_1), U_2 = | | | + | BYTES(u_2) | | | + | MAC_A = HMAC(K_A, 0x01 | DATA_A, | U_1 = BYTES(u_1), U_2 = | + | || ID_A || ind || salt | MAC_A ---> | BYTES(u_2) | + | || U_1 || U_2 || ID_ALG | | | + | (OPTIONAL) || DATA_A) | | | + | | | if MAC_A != HMAC(K_B, | + | | | 0x01 || ID_A || ind || | + | | | salt || U_1 || U_2 || | + | | | ID_ALG (OPTIONAL) || | + | | | DATA_A) ==> quit | + | | | if z_B = 1 ==> quit | + | | | C_1^B = CLim_1, increment | + | | | C_2^B by 1 | + | if MAC_B != HMAC(K_A, | <--- | MAC_B = HMAC(K_B, 0x02 || | + | 0x02 || ID_B || ind || | DATA_B, | ID_B || ind || salt || | + | salt || U_1 || U_2 || | MAC_B | U_1 || U_2 || ID_ALG | + | ID_ALG (OPTIONAL) || | | (OPTIONAL) || DATA_A || | + | DATA_A || DATA_B) ==> | | DATA_B) | + | quit | | | + | if z_A = 1 ==> quit | | | + | C_1^A = CLim_1, | | | + | increment C_2^A by 1 | | | + +--------------------------+------------+---------------------------+ + + Table 1: SESPAKE Protocol Steps + + The full description of the protocol consists of the following steps: + + 1. If any of the counters C_1^A, C_2^A, or C_3^A is equal to 0, A + finishes the protocol with an informational error regarding + exceeding the number of trials that is controlled by the + corresponding counter. + + 2. A decrements each of the counters C_1^A, C_2^A, and C_3^A by 1, + requests open authentication information from B, and sends the + ID_A identifier. + + 3. If any of the counters C_1^B, C_2^B, or C_3^B is equal to 0, B + finishes the protocol with an informational error regarding + exceeding the number of trials that is controlled by the + corresponding counter. + + 4. B decrements each of the counters C_1^B, C_2^B, and C_3^B by 1. + + + + + + + +Smyshlyaev, et al. Informational [Page 8] + +RFC 8133 SESPAKE March 2017 + + + 5. B sends the values of ind, salt, and the ID_ALG identifier to A. + B also can OPTIONALLY send the ID_B identifier to A. All + subsequent calculations are done by B in the elliptic curve + group defined by the ID_ALG identifier. + + 6. A sets the curve defined by the received ID_ALG identifier as + the used elliptic curve. All subsequent calculations are done + by A in this elliptic curve group. + + 7. A calculates the point Q_PW^A = int(F(PW, salt, 2000))*Q_ind. + + 8. A chooses randomly (according to the uniform distribution) the + value alpha; alpha is in {1,...,q-1}; then A assigns z_A = 0. + + 9. A sends the value u_1 = alpha*P - Q_PW^A to B. + + 10. After receiving u_1, B checks to see if u_1 is in E. If it is + not, B finishes with an error and considers the authentication + process unsuccessful. + + 11. B calculates Q_B = u_1 + Q_PW, assigns z_B = 0, and chooses + randomly (according to the uniform distribution) the value beta; + beta is in {1,...,q-1}. + + 12. If m/q*Q_B = O, B assigns Q_B = beta*P and z_B = 1. + + 13. B calculates K_B = HASH(BYTES(( m/q*beta*(mod q))*Q_B )). + + 14. B sends the value u_2 = beta*P + Q_PW to A. + + 15. After receiving u_2, A checks to see if u_2 is in E. If it is + not, A finishes with an error and considers the authentication + process unsuccessful. + + 16. A calculates Q_A = u_2 - Q_PW^A. + + 17. If m/q*Q_A = O, then A assigns Q_A = alpha*P and z_A = 1. + + 18. A calculates K_A = HASH(BYTES(( m/q*alpha(mod q))*Q_A )). + + 19. A calculates U_1 = BYTES(u_1), U_2 = BYTES(u_2). + + 20. A calculates MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || + U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A), where DATA_A is an + OPTIONAL string that is authenticated with MAC_A (if it is not + used, then DATA_A is considered to be of zero length). + + 21. A sends DATA_A, MAC_A to B. + + + +Smyshlyaev, et al. Informational [Page 9] + +RFC 8133 SESPAKE March 2017 + + + 22. B calculates U_1 = BYTES(u_1), U_2 = BYTES(u_2). + + 23. B checks to see if the values MAC_A and HMAC(K_B, 0x01 || ID_A + || ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A) are + equal. If they are not, it finishes with an error and considers + the authentication process unsuccessful. + + 24. If z_B = 1, B finishes with an error and considers the + authentication process unsuccessful. + + 25. B sets the value of C_1^B to CLim_1 and increments C_2^B by 1. + + 26. B calculates MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || + U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A || DATA_B), where + DATA_B is an OPTIONAL string that is authenticated with MAC_B + (if it is not used, then DATA_B is considered to be of zero + length). + + 27. B sends DATA_B, MAC_B to A. + + 28. A checks to see if the values MAC_B and HMAC(K_A, 0x02 || ID_B + || ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A || + DATA_B) are equal. If they are not, it finishes with an error + and considers the authentication process unsuccessful. + + 29. If z_A = 1, A finishes with an error and considers the + authentication process unsuccessful. + + 30. A sets the value of C_1^A to CLim_1 and increments C_2^A by 1. + + After the procedure finishes successfully, subjects A and B are + mutually authenticated, and each subject has an explicitly + authenticated value of K = K_A = K_B. + + Notes: + + 1. In cases where the interaction process can be initiated by any + subject (client or server), the ID_A and ID_B options MUST be + used, and the receiver MUST check to see if the identifier he had + received is not equal to his own; otherwise, it finishes the + protocol. If an OPTIONAL parameter ID_A (or ID_B) is not used in + the protocol, it SHOULD be considered equal to a fixed byte + string (a zero-length string is allowed) defined by a specific + implementation. + + + + + + + +Smyshlyaev, et al. Informational [Page 10] + +RFC 8133 SESPAKE March 2017 + + + 2. The ind, ID_A, ID_B, and salt parameters can be agreed upon in + advance. If some parameter is agreed upon in advance, it is + possible not to send it during a corresponding step. + Nevertheless, all parameters MUST be used as corresponding inputs + to the HMAC function during Steps 20, 23, 26, and 28. + + 3. The ID_ALG parameter can be fixed or agreed upon in advance. + + 4. It is RECOMMENDED that the ID_ALG parameter be used in HMAC + during Steps 20, 23, 26, and 28. + + 5. Continuation of protocol interaction in a case where any of the + counters C_1^A or C_1^B is equal to zero MAY be done without + changing the password. In this case, these counters can be used + for protection against denial-of-service attacks. For example, + continuation of interaction can be allowed after a certain delay + period. + + 6. Continuation of protocol interaction in a case where any of the + counters C_2^A, C_3^A, C_2^B, or C_3^B is equal to zero MUST be + done only after changing the password. + + 7. It is RECOMMENDED that during Steps 9 and 14 the points u_1 and + u_2 be sent in a non-compressed format (BYTES(u_1) and + BYTES(u_2)). However, point compression MAY be used. + + 8. The use of several Q points can reinforce the independence of the + data streams when working with several applications -- for + example, when two high-level protocols can use two different + points. However, the use of more than one point is OPTIONAL. + +5. Construction of Points {Q_1,...,Q_N} + + This section provides an example of a possible algorithm for the + generation of each point Q_i in the set {Q_1,...,Q_N} that + corresponds to the given elliptic curve E. + + The algorithm is based on choosing points with coordinates with known + preimages of a cryptographic hash function H, which is the + GOST R 34.11-2012 hash function (see [RFC6986]) with 256-bit output + if 2^254 < q < 2^256, and the GOST R 34.11-2012 hash function (see + [RFC6986]) with 512-bit output if 2^508 < q < 2^512. + + + + + + + + + +Smyshlyaev, et al. Informational [Page 11] + +RFC 8133 SESPAKE March 2017 + + + The algorithm consists of the following steps: + + 1. Set i = 1, SEED = 0, s = 4. + + 2. Calculate X = int(HASH(BYTES(P) || bytes_s(SEED))) mod p. + + 3. Check to see if the value of X^3 + aX + b is a quadratic residue + in the field F_p. If it is not, set SEED = SEED + 1 and return + to Step 2. + + 4. Choose the value of Y = min{r1, r2}, where r1, r2 from + {0,1,...,p-1} are such that r1 != r2 and r1^2 = r2^2 = R mod p + for R = X^3 + aX + b. + + 5. Check to see if the following relations hold for the point + Q = (X, Y): Q != O and q*Q = O. If they do, go to Step 6; if + not, set SEED = SEED + 1 and return to Step 2. + + 6. Set Q_i = Q. If i < N, then set i = i + 1 and go to Step 2; + otherwise, finish. + + With the defined algorithm for any elliptic curve E, point sets + {Q_1,...,Q_N} are constructed. Constructed points in one set MUST + have distinct X-coordinates. + + Note: The knowledge of a hash function preimage prevents knowledge of + the multiplicity of any point related to generator point P. It is of + primary importance, because such knowledge could be used to implement + an attack against the protocol with an exhaustive search for the + password. + + + + + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 12] + +RFC 8133 SESPAKE March 2017 + + +6. Security Considerations + + Any cryptographic algorithms -- particularly HASH functions and HMAC + functions -- that are used in the SESPAKE protocol MUST be carefully + designed and MUST be able to withstand all known types of + cryptanalytic attacks. + + It is RECOMMENDED that the HASH function satisfy the following + condition: + + o hashlen <= log_2(q) + 4, where hashlen is the length of the HASH + function output. + + It is RECOMMENDED that the output length of hash functions used in + the SESPAKE protocol be greater than or equal to 256 bits. + + The points {Q_1,Q_2,...,Q_N} and P MUST be chosen in such a way that + they are provably pseudorandom. As a practical matter, this means + that the algorithm for generation of each point Q_i in the set + {Q_1,...,Q_N} (see Section 5) ensures that the multiplicity of any + point under any other point is unknown. + + Using N = 1 is RECOMMENDED. + + Note: The specific adversary models for the protocol discussed in + this document can be found in [SESPAKE-SECURITY], which contains the + security proofs. + +7. IANA Considerations + + This document does not require any IANA actions. + + + + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 13] + +RFC 8133 SESPAKE March 2017 + + +8. References + +8.1. Normative References + + [GOST3410-2012] + "Information technology. Cryptographic data security. + Signature and verification processes of [electronic] + digital signature", GOST R 34.10-2012, Federal Agency on + Technical Regulating and Metrology (in Russian), 2012. + + [GOST3411-2012] + "Information technology. Cryptographic Data Security. + Hashing function", GOST R 34.11-2012, Federal Agency on + Technical Regulating and Metrology (in Russian), 2012. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: + Keyed-Hashing for Message Authentication", RFC 2104, + DOI 10.17487/RFC2104, February 1997, + <http://www.rfc-editor.org/info/rfc2104>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <http://www.rfc-editor.org/info/rfc2119>. + + [RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic + Curve Cryptography Algorithms", RFC 6090, + DOI 10.17487/RFC6090, February 2011, + <http://www.rfc-editor.org/info/rfc6090>. + + [RFC6986] Dolmatov, V., Ed., and A. Degtyarev, "GOST R 34.11-2012: + Hash Function", RFC 6986, DOI 10.17487/RFC6986, + August 2013, <http://www.rfc-editor.org/info/rfc6986>. + + [RFC7091] Dolmatov, V., Ed., and A. Degtyarev, "GOST R 34.10-2012: + Digital Signature Algorithm", RFC 7091, + DOI 10.17487/RFC7091, December 2013, + <http://www.rfc-editor.org/info/rfc7091>. + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 14] + +RFC 8133 SESPAKE March 2017 + + + [RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., + Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines + on the Cryptographic Algorithms to Accompany the Usage of + Standards GOST R 34.10-2012 and GOST R 34.11-2012", + RFC 7836, DOI 10.17487/RFC7836, March 2016, + <http://www.rfc-editor.org/info/rfc7836>. + + [RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: + Password-Based Cryptography Specification Version 2.1", + RFC 8018, DOI 10.17487/RFC8018, January 2017, + <http://www.rfc-editor.org/info/rfc8018>. + +8.2. Informative References + + [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional + Cryptographic Algorithms for Use with GOST 28147-89, + GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 + Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006, + <http://www.rfc-editor.org/info/rfc4357>. + + [SESPAKE-SECURITY] + Smyshlyaev, S., Oshkin, I., Alekseev, E., and L. + Ahmetzyanova, "On the Security of One Password + Authenticated Key Exchange Protocol", 2015, + <http://eprint.iacr.org/2015/1237.pdf>. + + + + + + + + + + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 15] + +RFC 8133 SESPAKE March 2017 + + +Appendix A. Test Examples for GOST-Based Protocol Implementation + + The following test examples are made for the protocol implementation + that is based on the Russian national standards GOST R 34.10-2012 + [GOST3410-2012] and GOST R 34.11-2012 [GOST3411-2012]. The English + versions of these standards can be found in [RFC7091] and [RFC6986]. + +A.1. Examples of Points + + There is one point Q_1 for each of the elliptic curves below. These + points were constructed using the method described in Section 5 for + N = 1 and the GOST R 34.11-2012 hash function (see [RFC6986]). If + 2^254 < q < 2^256, the GOST R 34.11-2012 hash function with 256-bit + output is used, and if 2^508 < q < 2^512, the GOST R 34.11-2012 hash + function with 512-bit output is used. + + Each of the points complies with the GOST R 34.10-2012 + [GOST3410-2012] standard and is represented by a pair of (X, Y) + coordinates in the canonical form and also by a pair of (U, V) + coordinates in the twisted Edwards form in accordance with [RFC7836] + for the curves that have equivalent representations in this form. + There is a SEED value for each point, by which it was generated. + + id-GostR3410-2001-CryptoPro-A-ParamSet, + id-GostR3410-2001-CryptoPro-B-ParamSet, etc. are defined in + [RFC4357]. id-tc26-gost-3410-2012-512-paramSetA, + id-tc26-gost-3410-2012-512-paramSetB, etc. are defined in [RFC7836]. + +A.1.1. Curve id-GostR3410-2001-CryptoPro-A-ParamSet + + Point Q_1 + X = 0xa69d51caf1a309fa9e9b66187759b0174c274e080356f23cfcbfe84d396ad7bb + Y = 0x5d26f29ecc2e9ac0404dcf7986fa55fe94986362170f54b9616426a659786dac + SEED = 0x0001 + +A.1.2. Curve id-GostR3410-2001-CryptoPro-B-ParamSet + + Point Q_1 + X = 0x3d715a874a4b17cb3b517893a9794a2b36c89d2ffc693f01ee4cc27e7f49e399 + Y = 0x1c5a641fcf7ce7e87cdf8cea38f3db3096eace2fad158384b53953365f4fe7fe + SEED = 0x0000 + +A.1.3. Curve id-GostR3410-2001-CryptoPro-C-ParamSet + + Point Q_1 + X = 0x1e36383e43bb6cfa2917167d71b7b5dd3d6d462b43d7c64282ae67dfbec2559d + Y = 0x137478a9f721c73932ea06b45cf72e37eb78a63f29a542e563c614650c8b6399 + SEED = 0x0006 + + + +Smyshlyaev, et al. Informational [Page 16] + +RFC 8133 SESPAKE March 2017 + + +A.1.4. Curve id-tc26-gost-3410-2012-512-paramSetA + + Point Q_1 + X = 0x2a17f8833a32795327478871b5c5e88aefb91126c64b4b8327289bea62559425 + d18198f133f400874328b220c74497cd240586cb249e158532cb8090776cd61c + Y = 0x728f0c4a73b48da41ce928358fad26b47a6e094e9362bae82559f83cddc4ec3a + 4676bd3707edeaf4cd85e99695c64c241edc622be87dc0cf87f51f4367f723c5 + SEED = 0x0001 + +A.1.5. Curve id-tc26-gost-3410-2012-512-paramSetB + + Point Q_1 + X = 0x7e1fae8285e035bec244bef2d0e5ebf436633cf50e55231dea9c9cf21d4c8c33 + df85d4305de92971f0a4b4c07e00d87bdbc720eb66e49079285aaf12e0171149 + Y = 0x2cc89998b875d4463805ba0d858a196592db20ab161558ff2f4ef7a85725d209 + 53967ae621afdeae89bb77c83a2528ef6fce02f68bda4679d7f2704947dbc408 + SEED = 0x0000 + +A.1.6. Curve id-tc26-gost-3410-2012-256-paramSetA + + Point Q_1 + X = 0xb51adf93a40ab15792164fad3352f95b66369eb2a4ef5efae32829320363350e + Y = 0x74a358cc08593612f5955d249c96afb7e8b0bb6d8bd2bbe491046650d822be18 + U = 0xebe97afffe0d0f88b8b0114b8de430ac2b34564e4420af24728e7305bc48aeaa + V = 0x828f2dcf8f06612b4fea4da72ca509c0f76dd37df424ea22bfa6f4f65748c1e4 + SEED = 0x0001 + +A.1.7. Curve id-tc26-gost-3410-2012-512-paramSetC + + Point Q_1 + X = 0x489c91784e02e98f19a803abca319917f37689e5a18965251ce2ff4e8d8b298f + 5ba7470f9e0e713487f96f4a8397b3d09a270c9d367eb5e0e6561adeeb51581d + Y = 0x684ea885aca64eaf1b3fee36c0852a3be3bd8011b0ef18e203ff87028d6eb5db + 2c144a0dcc71276542bfd72ca2a43fa4f4939da66d9a60793c704a8c94e16f18 + U = 0x3a3496f97e96b3849a4fa7db60fd93858bde89958e4beebd05a6b3214216b37c + 9d9a560076e7ea59714828b18fbfef996ffc98bf3dc9f2d3cb0ed36a0d6ace88 + V = 0x52d884c8bf0ad6c5f7b3973e32a668daa1f1ed092eff138dae6203b2ccdec561 + 47464d35fec4b727b2480eb143074712c76550c7a54ff3ea26f70059480dcb50 + SEED = 0x0013 + +A.2. Test Examples of SESPAKE + + This protocol implementation uses the GOST R 34.11-2012 hash function + (see [RFC6986]) with 256-bit output as the H function and the + HMAC_GOSTR3411_2012_512 function defined in [RFC7836] as a PRF for + the F function. The parameter len is considered equal to 256 if + 2^254 < q < 2^256, and equal to 512 if 2^508 < q < 2^512. + + + + +Smyshlyaev, et al. Informational [Page 17] + +RFC 8133 SESPAKE March 2017 + + + The test examples for the point of each curve in Appendix A.1 are + given below. + +A.2.1. Curve id-GostR3410-2001-CryptoPro-A-ParamSet + +The input protocol parameters in this example take the following +values: + +N = 1 +ind = 1 +ID_A: + 00 00 00 00 +ID_B: + 00 00 00 00 +PW: + 31 32 33 34 35 36 ('123456') +salt: + 29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB +Q_ind: + X = 0xA69D51CAF1A309FA9E9B66187759B0174C274E080356F23CFCBFE84D396AD7BB + Y = 0x5D26F29ECC2E9AC0404DCF7986FA55FE94986362170F54B9616426A659786DAC + +The function F(PW, salt, 2000) takes the following values: + +F(PW, salt, 2000): + BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 + D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 + +The coordinates of the point Q_PW are: + + X = 0x59495655D1E7C7424C622485F575CCF121F3122D274101E8AB734CC9C9A9B45E + Y = 0x48D1C311D33C9B701F3B03618562A4A07A044E3AF31E3999E67B487778B53C62 + +During the calculation of u_1 on subject A, the parameter alpha, +the point alpha*P, and u_1 take the following values: + +alpha=0x1F2538097D5A031FA68BBB43C84D12B3DE47B7061C0D5E24993E0C873CDBA6B3 +alpha*P: + X = 0xBBC77CF42DC1E62D06227935379B4AA4D14FEA4F565DDF4CB4FA4D31579F9676 + Y = 0x8E16604A4AFDF28246684D4996274781F6CB80ABBBA1414C1513EC988509DABF +u_1: + X = 0x204F564383B2A76081B907F3FCA8795E806BE2C2ED228730B5B9E37074229E8D + Y = 0xE84F9E442C61DDE37B601A7F37E7CA11C56183FA071DFA9320EDE3E7521F9D41 + + + + + + + + +Smyshlyaev, et al. Informational [Page 18] + +RFC 8133 SESPAKE March 2017 + + +When processing u_1, calculating the K_B key, and calculating u_2 on +subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 +take the following values: + +beta=0xDC497D9EF6324912FD367840EE509A2032AEDB1C0A890D133B45F596FCCBD45D +src: + 2E 01 A3 D8 4F DB 7E 94 7B B8 92 9B E9 36 3D F5 + F7 25 D6 40 1A A5 59 D4 1A 67 24 F8 D5 F1 8E 2C + A0 DB A9 31 05 CD DA F4 BF AE A3 90 6F DD 71 9D + BE B2 97 B6 A1 7F 4F BD 96 DC C7 23 EA 34 72 A9 +K_B: + 1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D BE 5A 56 + 62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3 +beta*P: + X = 0x6097341C1BE388E83E7CA2DF47FAB86E2271FD942E5B7B2EB2409E49F742BC29 + Y = 0xC81AA48BDB4CA6FA0EF18B9788AE25FE30857AA681B3942217F9FED151BAB7D0 +u_2: + X = 0xDC137A2F1D4A35AEBC0ECBF6D3486DEF8480BFDC752A86DD4F207D7D1910E22D + Y = 0x7532F0CE99DCC772A4D77861DAE57C138F07AE304A727907FB0AAFDB624ED572 + +When processing u_2 and calculating the key on subject A, the K_A key +takes the following values: + +K_A: + 1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D BE 5A 56 + 62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3 + +The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) +from subject A takes the following values: + +MAC_A: + 23 7A 03 C3 5F 49 17 CE 86 B3 58 94 45 F1 1E 1A + 6F 10 8B 2F DD 0A A9 E8 10 66 4B 25 59 60 B5 79 + +The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) +from subject B takes the following values: + +MAC_B: + 9E E0 E8 73 3B 06 98 50 80 4D 97 98 73 1D CD 1C + FF E8 7A 3B 15 1F 0A E8 3E A9 6A FB 4F FC 31 E4 + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 19] + +RFC 8133 SESPAKE March 2017 + + +A.2.2. Curve id-GostR3410-2001-CryptoPro-B-ParamSet + +The input protocol parameters in this example take the following +values: + +N = 1 +ind = 1 +ID_A: + 00 00 00 00 +ID_B: + 00 00 00 00 +PW: + 31 32 33 34 35 36 ('123456') +salt: + 29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB +Q_ind: + X = 0x3D715A874A4B17CB3B517893A9794A2B36C89D2FFC693F01EE4CC27E7F49E399 + Y = 0x1C5A641FCF7CE7E87CDF8CEA38F3DB3096EACE2FAD158384B53953365F4FE7FE + +The function F(PW, salt, 2000) takes the following values: + +F(PW, salt, 2000): + BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 + D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 + +The coordinates of the point Q_PW are: + + X = 0x6DC2AE26BC691FCA5A73D9C452790D15E34BA5404D92955B914C8D2662ABB985 + Y = 0x3B02AAA9DD65AE30C335CED12F3154BBAC059F66B088306747453EDF6E5DB077 + +During the calculation of u_1 on subject A, the parameter alpha, +the point alpha*P, and u_1 take the following values: + +alpha=0x499D72B90299CAB0DA1F8BE19D9122F622A13B32B730C46BD0664044F2144FAD +alpha*P: + X = 0x61D6F916DB717222D74877F179F7EBEF7CD4D24D8C1F523C048E34A1DF30F8DD + Y = 0x3EC48863049CFCFE662904082E78503F4973A4E105E2F1B18C69A5E7FB209000 +u_1: + X = 0x21F5437AF33D2A1171A070226B4AE82D3765CD0EEBFF1ECEFE158EBC50C63AB1 + Y = 0x5C9553B5D11AAAECE738AD9A9F8CB4C100AD4FA5E089D3CBCCEA8C0172EB7ECC + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 20] + +RFC 8133 SESPAKE March 2017 + + +When processing u_1, calculating the K_B key, and calculating u_2 on +subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 +take the following values: + +beta=0x0F69FF614957EF83668EDC2D7ED614BE76F7B253DB23C5CC9C52BF7DF8F4669D +src: + 50 14 0A 5D ED 33 43 EF C8 25 7B 79 E6 46 D9 F0 + DF 43 82 8C 04 91 9B D4 60 C9 7A D1 4B A3 A8 6B + 00 C4 06 B5 74 4D 8E B1 49 DC 8E 7F C8 40 64 D8 + 53 20 25 3E 57 A9 B6 B1 3D 0D 38 FE A8 EE 5E 0A +K_B: + A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89 + 68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A +beta*P: + X = 0x33BC6F7E9C0BA10CFB2B72546C327171295508EA97F8C8BA9F890F2478AB4D6C + Y = 0x75D57B396C396F492F057E9222CCC686437A2AAD464E452EF426FC8EEED1A4A6 +u_2: + X = 0x089DDEE718EE8A224A7F37E22CFFD731C25FCBF58860364EE322412CDCEF99AC + Y = 0x0ECE03D4E395A6354C571871BEF425A532D5D463B0F8FD427F91A43E20CDA55C + +When processing u_2 and calculating the key on subject A, the K_A key +takes the following values: + +K_A: + A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89 + 68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A + +The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) +from subject A takes the following values: + +MAC_A: + B9 1F 43 90 2A FA 90 D3 E5 C6 91 CB DC 43 8A 1E + BF 54 7F 4C 2C B4 14 43 CC 38 79 7B E2 47 A7 D0 + +The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) +from subject B takes the following values: + +MAC_B: + 79 D5 54 83 FD 99 B1 2B CC A5 ED C6 BB E1 D7 B9 + 15 CE 04 51 B0 89 1E 77 5D 4A 61 CB 16 E3 3F CC + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 21] + +RFC 8133 SESPAKE March 2017 + + +A.2.3. Curve id-GostR3410-2001-CryptoPro-C-ParamSet + +The input protocol parameters in this example take the following +values: + +N = 1 +ind = 1 +ID_A: + 00 00 00 00 +ID_B: + 00 00 00 00 +PW: + 31 32 33 34 35 36 ('123456') +salt: + 29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB +Q_ind: + X = 0x1E36383E43BB6CFA2917167D71B7B5DD3D6D462B43D7C64282AE67DFBEC2559D + Y = 0x137478A9F721C73932EA06B45CF72E37EB78A63F29A542E563C614650C8B6399 + +The function F(PW, salt, 2000) takes the following values: + +F(PW, salt, 2000): + BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 + D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 + +The coordinates of the point Q_PW are: + + X = 0x945821DAF91E158B839939630655A3B21FF3E146D27041E86C05650EB3B46B59 + Y = 0x3A0C2816AC97421FA0E879605F17F0C9C3EB734CFF196937F6284438D70BDC48 + +During the calculation of u_1 on subject A, the parameter alpha, +the point alpha*P, and u_1 take the following values: + +alpha=0x3A54AC3F19AD9D0B1EAC8ACDCEA70E581F1DAC33D13FEAFD81E762378639C1A8 +alpha*P: + X = 0x96B7F09C94D297C257A7DA48364C0076E59E48D221CBA604AE111CA3933B446A + Y = 0x54E4953D86B77ECCEB578500931E822300F7E091F79592CA202A020D762C34A6 +u_1: + X = 0x81BBD6FCA464D2E2404A66D786CE4A777E739A89AEB68C2DAC99D53273B75387 + Y = 0x6B6DBD922EA7E060998F8B230AB6EF07AD2EC86B2BF66391D82A30612EADD411 + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 22] + +RFC 8133 SESPAKE March 2017 + + +When processing u_1, calculating the K_B key, and calculating u_2 on +subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 +take the following values: + +beta=0x448781782BF7C0E52A1DD9E6758FD3482D90D3CFCCF42232CF357E59A4D49FD4 +src: + 16 A1 2D 88 54 7E 1C 90 06 BA A0 08 E8 CB EC C9 + D1 68 91 ED C8 36 CF B7 5F 8E B9 56 FA 76 11 94 + D2 8E 25 DA D3 81 8D 16 3C 49 4B 05 9A 8C 70 A5 + A1 B8 8A 7F 80 A2 EE 35 49 30 18 46 54 2C 47 0B +K_B: + BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72 + CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE +beta*P: + X = 0x4B9C0AB55A938121F282F48A2CC4396EB16E7E0068B495B0C1DD4667786A3EB7 + Y = 0x223460AA8E09383E9DF9844C5A0F2766484738E5B30128A171B69A77D9509B96 +u_2: + X = 0x2ED9B903254003A672E89EBEBC9E31503726AD124BB5FC0A726EE0E6FCCE323E + Y = 0x4CF5E1042190120391EC8DB62FE25E9E26EC60FB0B78B242199839C295FCD022 + +When processing u_2 and calculating the key on subject A, the K_A key +takes the following values: + +K_A: + BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72 + CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE + +The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) +from subject A takes the following values: + +MAC_A: + D3 B4 1A E2 C9 43 11 36 06 3E 6D 08 A6 1B E9 63 + BD 5E D6 A1 FF F9 37 FA 8B 09 0A 98 E1 62 BF ED + +The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) +from subject B takes the following values: + +MAC_B: + D6 B3 9A 44 99 BE D3 E0 4F AC F9 55 50 2D 16 B2 + CB 67 4A 20 5F AC 3C D8 3D 54 EC 2F D5 FC E2 58 + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 23] + +RFC 8133 SESPAKE March 2017 + + +A.2.4. Curve id-tc26-gost-3410-2012-512-paramSetA + +The input protocol parameters in this example take the following +values: + +N = 1 +ind = 1 +ID_A: + 00 00 00 00 +ID_B: + 00 00 00 00 +PW: + 31 32 33 34 35 36 ('123456') +salt: + 29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB +Q_ind: + X = 0x2A17F8833A32795327478871B5C5E88AEFB91126C64B4B8327289BEA62559425 + D18198F133F400874328B220C74497CD240586CB249E158532CB8090776CD61C + Y = 0x728F0C4A73B48DA41CE928358FAD26B47A6E094E9362BAE82559F83CDDC4EC3A + 4676BD3707EDEAF4CD85E99695C64C241EDC622BE87DC0CF87F51F4367F723C5 + +The function F(PW, salt, 2000) takes the following values: + +F(PW, salt, 2000): + BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 + D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 + 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 + EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02 + +The coordinates of the point Q_PW are: + + X = 0x0C0AB53D0E0A9C607CAD758F558915A0A7DC5DC87B45E9A58FDDF30EC3385960 + 283E030CD322D9E46B070637785FD49D2CD711F46807A24C40AF9A42C8E2D740 + Y = 0xDF93A8012B86D3A3D4F8A4D487DA15FC739EB31B20B3B0E8C8C032AAF8072C63 + 37CF7D5B404719E5B4407C41D9A3216A08CA69C271484E9ED72B8AAA52E28B8B + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 24] + +RFC 8133 SESPAKE March 2017 + + +During the calculation of u_1 on subject A, the parameter alpha, +the point alpha*P, and u_1 take the following values: + +alpha=0x3CE54325DB52FE798824AEAD11BB16FA766857D04A4AF7D468672F16D90E7396 + 046A46F815693E85B1CE5464DA9270181F82333B0715057BBE8D61D400505F0E +alpha*P: + X = 0xB93093EB0FCC463239B7DF276E09E592FCFC9B635504EA4531655D76A0A3078E + 2B4E51CFE2FA400CC5DE9FBE369DB204B3E8ED7EDD85EE5CCA654C1AED70E396 + Y = 0x809770B8D910EA30BD2FA89736E91DC31815D2D9B31128077EEDC371E9F69466 + F497DC64DD5B1FADC587F860EE256109138C4A9CD96B628E65A8F590520FC882 +u_1: + X = 0xE7510A9EDD37B869566C81052E2515E1563FDFE79F1D782D6200F33C3CC2764D + 40D0070B73AD5A47BAE9A8F2289C1B07DAC26A1A2FF9D3ECB0A8A94A4F179F13 + Y = 0xBA333B912570777B626A5337BC7F727952460EEBA2775707FE4537372E902DF5 + 636080B25399751BF48FB154F3C2319A91857C23F39F89EF54A8F043853F82DE + +When processing u_1, calculating the K_B key, and calculating u_2 on +subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 +take the following values: + +beta=0xB5C286A79AA8E97EC0E19BC1959A1D15F12F8C97870BA9D68CC12811A56A3BB1 + 1440610825796A49D468CDC9C2D02D76598A27973D5960C5F50BCE28D8D345F4 +src: + 84 59 C2 0C B5 C5 32 41 6D B9 28 EB 50 C0 52 0F + B2 1B 9C D3 9A 4E 76 06 B2 21 BE 15 CA 1D 02 DA + 08 15 DE C4 49 79 C0 8C 7D 23 07 AF 24 7D DA 1F + 89 EC 81 20 69 F5 D9 CD E3 06 AF F0 BC 3F D2 6E + D2 01 B9 53 52 A2 56 06 B6 43 E8 88 30 2E FC 8D + 3E 95 1E 3E B4 68 4A DB 5C 05 7B 8F 8C 89 B6 CC + 0D EE D1 00 06 5B 51 8A 1C 71 7F 76 82 FF 61 2B + BC 79 8E C7 B2 49 0F B7 00 3F 94 33 87 37 1C 1D +K_B: + 53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C + 51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A +beta*P: + X = 0x238B38644E440452A99FA6B93D9FD7DA0CB83C32D3C1E3CFE5DF5C3EB0F9DB91 + E588DAEDC849EA2FB867AE855A21B4077353C0794716A6480995113D8C20C7AF + Y = 0xB2273D5734C1897F8D15A7008B862938C8C74CA7E877423D95243EB7EBD02FD2 + C456CF9FC956F078A59AA86F19DD1075E5167E4ED35208718EA93161C530ED14 +u_2: + X = 0xC33844126216E81B372001E77C1FE9C7547F9223CF7BB865C4472EC18BE0C79A + 678CC5AE4028E3F3620CCE355514F1E589F8A0C433CEAFCBD2EE87884D953411 + Y = 0x8B520D083AAF257E8A54EC90CBADBAF4FEED2C2D868C82FF04FCBB9EF6F38E56 + F6BAF9472D477414DA7E36F538ED223D2E2EE02FAE1A20A98C5A9FCF03B6F30D + + + + + + + +Smyshlyaev, et al. Informational [Page 25] + +RFC 8133 SESPAKE March 2017 + + +When processing u_2 and calculating the key on subject A, the K_A key +takes the following values: + +K_A: + 53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C + 51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A + +The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) +from subject A takes the following values: + +MAC_A: + E8 EF 9E A8 F1 E6 B1 26 68 E5 8C D2 2D D8 EE C6 + 4A 16 71 00 39 FA A6 B6 03 99 22 20 FA FE 56 14 + +The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) +from subject B takes the following values: + +MAC_B: + 61 14 34 60 83 6B 23 5C EC D0 B4 9B 58 7E A4 5D + 51 3C 3A 38 78 3F 1C 9D 3B 05 97 0A 95 6A 55 BA + +A.2.5. Curve id-tc26-gost-3410-2012-512-paramSetB + +The input protocol parameters in this example take the following +values: + +N = 1 +ind = 1 +ID_A: + 00 00 00 00 +ID_B: + 00 00 00 00 +PW: + 31 32 33 34 35 36 ('123456') +salt: + 29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB +Q_ind: + X = 0x7E1FAE8285E035BEC244BEF2D0E5EBF436633CF50E55231DEA9C9CF21D4C8C33 + DF85D4305DE92971F0A4B4C07E00D87BDBC720EB66E49079285AAF12E0171149 + Y = 0x2CC89998B875D4463805BA0D858A196592DB20AB161558FF2F4EF7A85725D209 + 53967AE621AFDEAE89BB77C83A2528EF6FCE02F68BDA4679D7F2704947DBC408 + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 26] + +RFC 8133 SESPAKE March 2017 + + +The function F(PW, salt, 2000) takes the following values: + +F(PW, salt, 2000): + BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 + D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 + 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 + EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02 + +The coordinates of the point Q_PW are: + + X = 0x7D03E65B8050D1E12CBB601A17B9273B0E728F5021CD47C8A4DD822E4627BA5F + 9C696286A2CDDA9A065509866B4DEDEDC4A118409604AD549F87A60AFA621161 + Y = 0x16037DAD45421EC50B00D50BDC6AC3B85348BC1D3A2F85DB27C3373580FEF87C + 2C743B7ED30F22BE22958044E716F93A61CA3213A361A2797A16A3AE62957377 + +During the calculation of u_1 on subject A, the parameter alpha, +the point alpha*P, and u_1 take the following values: + +alpha=0x715E893FA639BF341296E0623E6D29DADF26B163C278767A7982A989462A3863 + FE12AEF8BD403D59C4DC4720570D4163DB0805C7C10C4E818F9CB785B04B9997 +alpha*P: + X = 0x10C479EA1C04D3C2C02B0576A9C42D96226FF033C1191436777F66916030D87D + 02FB93738ED7669D07619FFCE7C1F3C4DB5E5DF49E2186D6FA1E2EB5767602B9 + Y = 0x039F6044191404E707F26D59D979136A831CCE43E1C5F0600D1DDF8F39D0CA3D + 52FBD943BF04DDCED1AA2CE8F5EBD7487ACDEF239C07D015084D796784F35436 +u_1: + X = 0x45C05CCE8290762F2470B719B4306D62B2911CEB144F7F72EF11D10498C7E921 + FF163FE72044B4E7332AD8CBEC3C12117820F53A60762315BCEB5BC6DA5CF1E0 + Y = 0x5BE483E382D0F5F0748C4F6A5045D99E62755B5ACC9554EC4A5B2093E121A2DD + 5C6066BC9EDE39373BA19899208BB419E38B39BBDEDEB0B09A5CAAEAA984D02E + + + + + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 27] + +RFC 8133 SESPAKE March 2017 + + +When processing u_1, calculating the K_B key, and calculating u_2 on +subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 +take the following values: + +beta=0x30FA8C2B4146C2DBBE82BED04D7378877E8C06753BD0A0FF71EBF2BEFE8DA8F3 + DC0836468E2CE7C5C961281B6505140F8407413F03C2CB1D201EA1286CE30E6D +src: + 3F 04 02 E4 0A 9D 59 63 20 5B CD F4 FD 89 77 91 + 9B BA F4 80 F8 E4 FB D1 25 5A EC E6 ED 57 26 4B + D0 A2 87 98 4F 59 D1 02 04 B5 F4 5E 4D 77 F3 CF + 8A 63 B3 1B EB 2D F5 9F 8A F7 3C 20 9C CA 8B 50 + B4 18 D8 01 E4 90 AE 13 3F 04 F4 F3 F4 D8 FE 8E + 19 64 6A 1B AF 44 D2 36 FC C2 1B 7F 4D 8F C6 A1 + E2 9D 6B 69 AC CE ED 4E 62 AB B2 0D AD 78 AC F4 + FE B0 ED 83 8E D9 1E 92 12 AB A3 89 71 4E 56 0C +K_B: + D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29 + A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9 +beta*P: + X = 0x34C0149E7BB91AE377B02573FCC48AF7BFB7B16DEB8F9CE870F384688E3241A3 + A868588CC0EF4364CCA67D17E3260CD82485C202ADC76F895D5DF673B1788E67 + Y = 0x608E944929BD643569ED5189DB871453F13333A1EAF82B2FE1BE8100E775F13D + D9925BD317B63BFAF05024D4A738852332B64501195C1B2EF789E34F23DDAFC5 +u_2: + X = 0x0535F95463444C4594B5A2E14B35760491C670925060B4BEBC97DE3A3076D1A5 + 81F89026E04282B040925D9250201024ACA4B2713569B6C3916A6F3344B840AD + Y = 0x40E6C2E55AEC31E7BCB6EA0242857FC6DFB5409803EDF4CA20141F72CC3C7988 + 706E076765F4F004340E5294A7F8E53BA59CB67502F0044558C854A7D63FE900 + +When processing u_2 and calculating the key on subject A, the K_A key +takes the following values: + +K_A: + D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29 + A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9 + +The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) +from subject A takes the following values: + +MAC_A: + DE 46 BB 4C 8C E0 8A 6E F3 B8 DF AC CC 1A 39 B0 + 8D 8C 27 B6 CB 0F CF 59 23 86 A6 48 F4 E5 BD 8C + + + + + + + + + +Smyshlyaev, et al. Informational [Page 28] + +RFC 8133 SESPAKE March 2017 + + +The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) +from subject B takes the following values: + +MAC_B: + EC B1 1D E2 06 1C 55 F1 D1 14 59 CB 51 CE 31 40 + 99 99 99 2F CA A1 22 2F B1 4F CE AB 96 EE 7A AC + +A.2.6. Curve id-tc26-gost-3410-2012-256-paramSetA + +The input protocol parameters in this example take the following +values: + +N = 1 +ind = 1 +ID_A: + 00 00 00 00 +ID_B: + 00 00 00 00 +PW: + 31 32 33 34 35 36 ('123456') +salt: + 29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB +Q_ind: + X = 0xB51ADF93A40AB15792164FAD3352F95B66369EB2A4EF5EFAE32829320363350E + Y = 0x74A358CC08593612F5955D249C96AFB7E8B0BB6D8BD2BBE491046650D822BE18 + +The function F(PW, salt, 2000) takes the following values: + +F(PW, salt, 2000): + BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 + D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 + +The coordinates of the point Q_PW are: + + X = 0xDBF99827078956812FA48C6E695DF589DEF1D18A2D4D35A96D75BF6854237629 + Y = 0x9FDDD48BFBC57BEE1DA0CFF282884F284D471B388893C48F5ECB02FC18D67589 + +During the calculation of u_1 on subject A, the parameter alpha, +the point alpha*P, and u_1 take the following values: + +alpha=0x147B72F6684FB8FD1B418A899F7DBECAF5FCE60B13685BAA95328654A7F0707F +alpha*P: + X = 0x33FBAC14EAE538275A769417829C431BD9FA622B6F02427EF55BD60EE6BC2888 + Y = 0x22F2EBCF960A82E6CDB4042D3DDDA511B2FBA925383C2273D952EA2D406EAE46 +u_1: + X = 0xE569AB544E3A13C41077DE97D659A1B7A13F61DDD808B633A5621FE2583A2C43 + Y = 0xA21A743A08F4D715661297ECD6F86553A808925BF34802BF7EC34C548A40B2C0 + + + + +Smyshlyaev, et al. Informational [Page 29] + +RFC 8133 SESPAKE March 2017 + + +When processing u_1, calculating the K_B key, and calculating u_2 on +subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 +take the following values: + +beta=0x30D5CFADAA0E31B405E6734C03EC4C5DF0F02F4BA25C9A3B320EE6453567B4CB +src: + A3 39 A0 B8 9C EF 1A 6F FD 4C A1 28 04 9E 06 84 + DF 4A 97 75 B6 89 A3 37 84 1B F7 D7 91 20 7F 35 + 11 86 28 F7 28 8E AA 0F 7E C8 1D A2 0A 24 FF 1E + 69 93 C6 3D 9D D2 6A 90 B7 4D D1 A2 66 28 06 63 +K_B: + 7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B + C1 91 65 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27 +beta*P: + X = 0x2B2D89FAB735433970564F2F28CFA1B57D640CB902BC6334A538F44155022CB2 + Y = 0x10EF6A82EEF1E70F942AA81D6B4CE5DEC0DDB9447512962874870E6F2849A96F +u_2: + X = 0x190D2F283F7E861065DB53227D7FBDF429CEBF93791262CB29569BDF63C86CA4 + Y = 0xB3F1715721E9221897CCDE046C9B843A8386DBF7818A112F15A02BC820AC8F6D + +When processing u_2 and calculating the key on subject A, the K_A key +takes the following values: + +K_A: + 7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B + C1 91 65 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27 + +The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) +from subject A takes the following values: + +MAC_A: + F9 29 B6 1A 3C 83 39 85 B8 29 F2 68 55 7F A8 11 + 00 9F 82 0A B1 A7 30 B5 AA 33 4C 3E 6B A3 17 7F + +The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) +from subject B takes the following values: + +MAC_B: + A2 92 8A 5C F6 20 BB C4 90 0D E4 03 F7 FC 59 A5 + E9 80 B6 8B E0 46 D0 B5 D9 B4 AE 6A BF A8 0B D6 + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 30] + +RFC 8133 SESPAKE March 2017 + + +A.2.7. Curve id-tc26-gost-3410-2012-512-paramSetC + +The input protocol parameters in this example take the following +values: + +N = 1 +ind = 1 +ID_A: + 00 00 00 00 +ID_B: + 00 00 00 00 +PW: + 31 32 33 34 35 36 ('123456') +salt: + 29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB +Q_ind: + X = 0x489C91784E02E98F19A803ABCA319917F37689E5A18965251CE2FF4E8D8B298F + 5BA7470F9E0E713487F96F4A8397B3D09A270C9D367EB5E0E6561ADEEB51581D + Y = 0x684EA885ACA64EAF1B3FEE36C0852A3BE3BD8011B0EF18E203FF87028D6EB5DB + 2C144A0DCC71276542BFD72CA2A43FA4F4939DA66D9A60793C704A8C94E16F18 + +The function F(PW, salt, 2000) takes the following values: + +F(PW, salt, 2000): + BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 + D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 + 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 + EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02 + +The coordinates of the point Q_PW are: + + X = 0x0185AE6271A81BB7F236A955F7CAA26FB63849813C0287D96C83A15AE6B6A864 + 67AB13B6D88CE8CD7DC2E5B97FF5F28FAC2C108F2A3CF3DB5515C9E6D7D210E8 + Y = 0xED0220F92EF771A71C64ECC77986DB7C03D37B3E2AB3E83F32CE5E074A762EC0 + 8253C9E2102B87532661275C4B1D16D2789CDABC58ACFDF7318DE70AB64F09B8 + +During the calculation of u_1 on subject A, the parameter alpha, +the point alpha*P, and u_1 take the following values: + +alpha=0x332F930421D14CFE260042159F18E49FD5A54167E94108AD80B1DE60B13DE799 + 9A34D611E63F3F870E5110247DF8EC7466E648ACF385E52CCB889ABF491EDFF0 +alpha*P: + X = 0x561655966D52952E805574F4281F1ED3A2D498932B00CBA9DECB42837F09835B + FFBFE2D84D6B6B242FE7B57F92E1A6F2413E12DDD6383E4437E13D72693469AD + Y = 0xF6B18328B2715BD7F4178615273A36135BC0BF62F7D8BB9F080164AD36470AD0 + 3660F51806C64C6691BADEF30F793720F8E3FEAED631D6A54A4C372DCBF80E82 + + + + + +Smyshlyaev, et al. Informational [Page 31] + +RFC 8133 SESPAKE March 2017 + + +u_1: + X = 0x40645B4B9A908D74DEF98886A336F98BAE6ADA4C1AC9B7594A33D5E4A16486C5 + 533C7F3C5DD84797AB5B4340BFC70CAF1011B69A01A715E5B9B5432D5151CBD7 + Y = 0x267FBB18D0B79559D1875909F2A15F7B49ECD8ED166CF7F4FCD1F44891550483 + 5E80D52BE8D34ADA5B5E159CF52979B1BCFE8F5048DC443A0983AA19192B8407 + +When processing u_1, calculating the K_B key, and calculating u_2 on +subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 +take the following values: + +beta=0x38481771E7D054F96212686B613881880BD8A6C89DDBC656178F014D2C093432 + A033EE10415F13A160D44C2AD61E6E2E05A7F7EC286BCEA3EA4D4D53F8634FA2 +src: + 4F 4D 64 B5 D0 70 08 E9 E6 85 87 4F 88 2C 3E 1E + 60 A6 67 5E ED 42 1F C2 34 16 3F DE B4 4C 69 18 + B7 BC CE AB 88 A0 F3 FB 78 8D A8 DB 10 18 51 FF + 1A 41 68 22 BA 37 C3 53 CE C4 C5 A5 23 95 B7 72 + AC 93 C0 54 E3 F4 05 5C ED 6F F0 BE E4 A6 A2 4E + D6 8B 86 FE FA 70 DE 4A 2B 16 08 51 42 A4 DF F0 + 5D 32 EC 7D DF E3 04 F5 C7 04 FD FA 06 0F 64 E9 + E8 32 14 00 25 F3 92 E5 03 50 77 0E 3F B6 2C AC +K_B: + A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA + 45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C +beta*P: + X = 0xB7C5818687083433BC1AFF61CB5CA79E38232025E0C1F123B8651E62173CE687 + 3F3E6FFE7281C2E45F4F524F66B0C263616ED08FD210AC4355CA3292B51D71C3 + Y = 0x497F14205DBDC89BDDAF50520ED3B1429AD30777310186BE5E68070F016A44E0 + C766DB08E8AC23FBDFDE6D675AA4DF591EB18BA0D348DF7AA40973A2F1DCFA55 +u_2: + X = 0xB772FD97D6FDEC1DA0771BC059B3E5ADF9858311031EAE5AEC6A6EC8104B4105 + C45A6C65689A8EE636C687DB62CC0AFC9A48CA66E381286CC73F374C1DD8F445 + Y = 0xC64F69425FFEB2995130E85A08EDC3A686EC28EE6E8469F7F09BD3BCBDD843AC + 573578DA6BA1CB3F5F069F205233853F06255C4B28586C9A1643537497B1018C + +When processing u_2 and calculating the key on subject A, the K_A key +takes the following values: + +K_A: + A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA + 45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C + +The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) +from subject A takes the following values: + +MAC_A: + 12 63 F2 89 0E 90 EE 42 6B 9B A0 8A B9 EA 7F 1F + FF 26 E1 60 5C C6 5D E2 96 96 91 15 E5 31 76 87 + + + +Smyshlyaev, et al. Informational [Page 32] + +RFC 8133 SESPAKE March 2017 + + +The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) +from subject B takes the following values: + +MAC_B: + 6D FD 06 04 5D 6D 97 A0 E4 19 B0 0E 00 35 B9 D2 + E3 AB 09 8B 7C A4 AD 52 54 60 FA B6 21 85 AA 57 + +Appendix B. Point Verification Script + + The points from Appendix A.1 were generated with the following point + verification script in Python: + +curvesParams = [ +{ +"OID":"id-GostR3410-2001-CryptoPro-A-ParamSet", +"p":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97, +"a":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94, +"b":166, +"m":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893, +"q":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893, +"x":1, +"y":0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14, +"n":32 +}, +{ +"OID":"id-GostR3410-2001-CryptoPro-B-ParamSet", +"p":0x8000000000000000000000000000000000000000000000000000000000000C99, +"a":0x8000000000000000000000000000000000000000000000000000000000000C96, +"b":0x3E1AF419A269A5F866A7D3C25C3DF80AE979259373FF2B182F49D4CE7E1BBC8B, +"m":0x800000000000000000000000000000015F700CFFF1A624E5E497161BCC8A198F, +"q":0x800000000000000000000000000000015F700CFFF1A624E5E497161BCC8A198F, +"x":1, +"y":0x3FA8124359F96680B83D1C3EB2C070E5C545C9858D03ECFB744BF8D717717EFC, +"n":32 +}, +{ +"OID":"id-GostR3410-2001-CryptoPro-C-ParamSet", +"p":0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D759B, +"a":0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D7598, +"b":32858, +"m":0x9B9F605F5A858107AB1EC85E6B41C8AA582CA3511EDDFB74F02F3A6598980BB9, +"q":0x9B9F605F5A858107AB1EC85E6B41C8AA582CA3511EDDFB74F02F3A6598980BB9, +"x":0, +"y":0x41ECE55743711A8C3CBF3783CD08C0EE4D4DC440D4641A8F366E550DFDB3BB67, +"n":32 +}, + + + + + +Smyshlyaev, et al. Informational [Page 33] + +RFC 8133 SESPAKE March 2017 + + +{ +"OID":"id-tc26-gost-3410-2012-512-paramSetA", +"p":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\ + (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\ + 0xFFFFFFFFFFFFFFFFFDC7L, +"a":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\ + (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\ + 0xFFFFFFFFFFFFFFFFFDC4L, +"b":(0xE8C2505DEDFC86DDC1BD0B2B6667F1DA34B82574761CB0E879BD08L<<296)+\ + (0x1CFD0B6265EE3CB090F30D27614CB4574010DA90DD862EF9D4EBEEL<<80)+\ + 0x4761503190785A71C760L, +"m":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\ + (0xFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2L<<80)+\ + 0xB85DCACDB1411F10B275L, +"q":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\ + (0xFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2L<<80)+\ + 0xB85DCACDB1411F10B275L, +"x":3, +"y":(0x7503CFE87A836AE3A61B8816E25450E6CE5E1C93ACF1ABC1778064L<<296)+\ + (0xFDCBEFA921DF1626BE4FD036E93D75E6A50E3A41E98028FE5FC235L<<80)+\ + 0xF5B889A589CB5215F2A4L, +"n":64 +}, +{ +"OID":"id-tc26-gost-3410-2012-512-paramSetB", +"p":(0x800000000000000000000000000000000000000000000000000000L<<296)+\ + (0x000000000000000000000000000000000000000000000000000000L<<80)+\ + 0x0000000000000000006FL, +"a":(0x800000000000000000000000000000000000000000000000000000L<<296)+\ + (0x000000000000000000000000000000000000000000000000000000L<<80)+\ + 0x0000000000000000006CL, +"b":(0x687D1B459DC841457E3E06CF6F5E2517B97C7D614AF138BCBF85DCL<<296)+\ + (0x806C4B289F3E965D2DB1416D217F8B276FAD1AB69C50F78BEE1FA3L<<80)+\ + 0x106EFB8CCBC7C5140116L, +"m":(0x800000000000000000000000000000000000000000000000000000L<<296)+\ + (0x000000000149A1EC142565A545ACFDB77BD9D40CFA8B996712101BL<<80)+\ + 0xEA0EC6346C54374F25BDL, +"q":(0x800000000000000000000000000000000000000000000000000000L<<296)+\ + (0x000000000149A1EC142565A545ACFDB77BD9D40CFA8B996712101BL<<80)+\ + 0xEA0EC6346C54374F25BDL, +"x":2, +"y":(0x1A8F7EDA389B094C2C071E3647A8940F3C123B697578C213BE6DD9L<<296)+\ + (0xE6C8EC7335DCB228FD1EDF4A39152CBCAAF8C0398828041055F94CL<<80)+\ + 0xEEEC7E21340780FE41BDL, +"n":64 +}, + + + + + +Smyshlyaev, et al. Informational [Page 34] + +RFC 8133 SESPAKE March 2017 + + +{ +"OID":"id-tc26-gost-3410-2012-256-paramSetA", +"p":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97, +"a":0xC2173F1513981673AF4892C23035A27CE25E2013BF95AA33B22C656F277E7335, +"b":0x295F9BAE7428ED9CCC20E7C359A9D41A22FCCD9108E17BF7BA9337A6F8AE9513, +"m":0x1000000000000000000000000000000003F63377F21ED98D70456BD55B0D8319C, +"q":0x400000000000000000000000000000000FD8CDDFC87B6635C115AF556C360C67, +"x":0x91E38443A5E82C0D880923425712B2BB658B9196932E02C78B2582FE742DAA28, +"y":0x32879423AB1A0375895786C4BB46E9565FDE0B5344766740AF268ADB32322E5C, +"n":32 +}, +{ +"OID":"id-tc26-gost-3410-2012-512-paramSetC", +"p":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\ + (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\ + 0xFFFFFFFFFFFFFFFFFDC7L, +"a":(0xDC9203E514A721875485A529D2C722FB187BC8980EB866644DE41CL<<296)+\ + (0x68E143064546E861C0E2C9EDD92ADE71F46FCF50FF2AD97F951FDAL<<80)+\ + 0x9F2A2EB6546F39689BD3L, +"b":(0xB4C4EE28CEBC6C2C8AC12952CF37F16AC7EFB6A9F69F4B57FFDA2EL<<296)+\ + (0x4F0DE5ADE038CBC2FFF719D2C18DE0284B8BFEF3B52B8CC7A5F5BFL<<80)+\ + 0x0A3C8D2319A5312557E1L, +"m":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\ + (0xFFFFFFFFFF26336E91941AAC0130CEA7FD451D40B323B6A79E9DA6L<<80)+\ + 0x849A5188F3BD1FC08FB4L, +"q":(0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\ + (0xFFFFFFFFFFC98CDBA46506AB004C33A9FF5147502CC8EDA9E7A769L<<80)+\ + 0xA12694623CEF47F023EDL, +"x":(0xE2E31EDFC23DE7BDEBE241CE593EF5DE2295B7A9CBAEF021D385F7L<<296)+\ + (0x074CEA043AA27272A7AE602BF2A7B9033DB9ED3610C6FB85487EAEL<<80)+\ + 0x97AAC5BC7928C1950148L, +"y":(0xF5CE40D95B5EB899ABBCCFF5911CB8577939804D6527378B8C108CL<<296)+\ + (0x3D2090FF9BE18E2D33E3021ED2EF32D85822423B6304F726AA854BL<<80)+\ + 0xAE07D0396E9A9ADDC40FL, +"n":64 +} +] + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 35] + +RFC 8133 SESPAKE March 2017 + + +def str2list( s ): + res = [] + for c in s: + res += [ ord( c ) ] + return res + +def list2str( l ): + r = "" + for k in l: + r += chr( k ) + return r + +def hprint( data ): + r = "" + for i in range( len( data ) ): + r += "%02X " % data[ i ] + if i % 16 == 15: + r += "\n" + print( r ) + +class Stribog: + + __A = [ + 0x8e20faa72ba0b470, 0x47107ddd9b505a38, 0xad08b0e0c3282d1c, + 0xd8045870ef14980e, 0x6c022c38f90a4c07, 0x3601161cf205268d, + 0x1b8e0b0e798c13c8, 0x83478b07b2468764, 0xa011d380818e8f40, + 0x5086e740ce47c920, 0x2843fd2067adea10, 0x14aff010bdd87508, + 0x0ad97808d06cb404, 0x05e23c0468365a02, 0x8c711e02341b2d01, + 0x46b60f011a83988e, 0x90dab52a387ae76f, 0x486dd4151c3dfdb9, + 0x24b86a840e90f0d2, 0x125c354207487869, 0x092e94218d243cba, + 0x8a174a9ec8121e5d, 0x4585254f64090fa0, 0xaccc9ca9328a8950, + 0x9d4df05d5f661451, 0xc0a878a0a1330aa6, 0x60543c50de970553, + 0x302a1e286fc58ca7, 0x18150f14b9ec46dd, 0x0c84890ad27623e0, + 0x0642ca05693b9f70, 0x0321658cba93c138, 0x86275df09ce8aaa8, + 0x439da0784e745554, 0xafc0503c273aa42a, 0xd960281e9d1d5215, + 0xe230140fc0802984, 0x71180a8960409a42, 0xb60c05ca30204d21, + 0x5b068c651810a89e, 0x456c34887a3805b9, 0xac361a443d1c8cd2, + 0x561b0d22900e4669, 0x2b838811480723ba, 0x9bcf4486248d9f5d, + 0xc3e9224312c8c1a0, 0xeffa11af0964ee50, 0xf97d86d98a327728, + 0xe4fa2054a80b329c, 0x727d102a548b194e, 0x39b008152acb8227, + 0x9258048415eb419d, 0x492c024284fbaec0, 0xaa16012142f35760, + 0x550b8e9e21f7a530, 0xa48b474f9ef5dc18, 0x70a6a56e2440598e, + 0x3853dc371220a247, 0x1ca76e95091051ad, 0x0edd37c48a08a6d8, + 0x07e095624504536c, 0x8d70c431ac02a736, 0xc83862965601dd1b, + 0x641c314b2b8ee083 + ] + + + + + +Smyshlyaev, et al. Informational [Page 36] + +RFC 8133 SESPAKE March 2017 + + + __Sbox = [ + 0xFC, 0xEE, 0xDD, 0x11, 0xCF, 0x6E, 0x31, 0x16, 0xFB, 0xC4, 0xFA, + 0xDA, 0x23, 0xC5, 0x04, 0x4D, 0xE9, 0x77, 0xF0, 0xDB, 0x93, 0x2E, + 0x99, 0xBA, 0x17, 0x36, 0xF1, 0xBB, 0x14, 0xCD, 0x5F, 0xC1, 0xF9, + 0x18, 0x65, 0x5A, 0xE2, 0x5C, 0xEF, 0x21, 0x81, 0x1C, 0x3C, 0x42, + 0x8B, 0x01, 0x8E, 0x4F, 0x05, 0x84, 0x02, 0xAE, 0xE3, 0x6A, 0x8F, + 0xA0, 0x06, 0x0B, 0xED, 0x98, 0x7F, 0xD4, 0xD3, 0x1F, 0xEB, 0x34, + 0x2C, 0x51, 0xEA, 0xC8, 0x48, 0xAB, 0xF2, 0x2A, 0x68, 0xA2, 0xFD, + 0x3A, 0xCE, 0xCC, 0xB5, 0x70, 0x0E, 0x56, 0x08, 0x0C, 0x76, 0x12, + 0xBF, 0x72, 0x13, 0x47, 0x9C, 0xB7, 0x5D, 0x87, 0x15, 0xA1, 0x96, + 0x29, 0x10, 0x7B, 0x9A, 0xC7, 0xF3, 0x91, 0x78, 0x6F, 0x9D, 0x9E, + 0xB2, 0xB1, 0x32, 0x75, 0x19, 0x3D, 0xFF, 0x35, 0x8A, 0x7E, 0x6D, + 0x54, 0xC6, 0x80, 0xC3, 0xBD, 0x0D, 0x57, 0xDF, 0xF5, 0x24, 0xA9, + 0x3E, 0xA8, 0x43, 0xC9, 0xD7, 0x79, 0xD6, 0xF6, 0x7C, 0x22, 0xB9, + 0x03, 0xE0, 0x0F, 0xEC, 0xDE, 0x7A, 0x94, 0xB0, 0xBC, 0xDC, 0xE8, + 0x28, 0x50, 0x4E, 0x33, 0x0A, 0x4A, 0xA7, 0x97, 0x60, 0x73, 0x1E, + 0x00, 0x62, 0x44, 0x1A, 0xB8, 0x38, 0x82, 0x64, 0x9F, 0x26, 0x41, + 0xAD, 0x45, 0x46, 0x92, 0x27, 0x5E, 0x55, 0x2F, 0x8C, 0xA3, 0xA5, + 0x7D, 0x69, 0xD5, 0x95, 0x3B, 0x07, 0x58, 0xB3, 0x40, 0x86, 0xAC, + 0x1D, 0xF7, 0x30, 0x37, 0x6B, 0xE4, 0x88, 0xD9, 0xE7, 0x89, 0xE1, + 0x1B, 0x83, 0x49, 0x4C, 0x3F, 0xF8, 0xFE, 0x8D, 0x53, 0xAA, 0x90, + 0xCA, 0xD8, 0x85, 0x61, 0x20, 0x71, 0x67, 0xA4, 0x2D, 0x2B, 0x09, + 0x5B, 0xCB, 0x9B, 0x25, 0xD0, 0xBE, 0xE5, 0x6C, 0x52, 0x59, 0xA6, + 0x74, 0xD2, 0xE6, 0xF4, 0xB4, 0xC0, 0xD1, 0x66, 0xAF, 0xC2, 0x39, + 0x4B, 0x63, 0xB6 + ] + + __Tau = [ + 0, 8, 16, 24, 32, 40, 48, 56, + 1, 9, 17, 25, 33, 41, 49, 57, + 2, 10, 18, 26, 34, 42, 50, 58, + 3, 11, 19, 27, 35, 43, 51, 59, + 4, 12, 20, 28, 36, 44, 52, 60, + 5, 13, 21, 29, 37, 45, 53, 61, + 6, 14, 22, 30, 38, 46, 54, 62, + 7, 15, 23, 31, 39, 47, 55, 63 + ] + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 37] + +RFC 8133 SESPAKE March 2017 + + + __C = [ + [ + 0xb1, 0x08, 0x5b, 0xda, 0x1e, 0xca, 0xda, 0xe9, + 0xeb, 0xcb, 0x2f, 0x81, 0xc0, 0x65, 0x7c, 0x1f, + 0x2f, 0x6a, 0x76, 0x43, 0x2e, 0x45, 0xd0, 0x16, + 0x71, 0x4e, 0xb8, 0x8d, 0x75, 0x85, 0xc4, 0xfc, + 0x4b, 0x7c, 0xe0, 0x91, 0x92, 0x67, 0x69, 0x01, + 0xa2, 0x42, 0x2a, 0x08, 0xa4, 0x60, 0xd3, 0x15, + 0x05, 0x76, 0x74, 0x36, 0xcc, 0x74, 0x4d, 0x23, + 0xdd, 0x80, 0x65, 0x59, 0xf2, 0xa6, 0x45, 0x07 + ], + [ + 0x6f, 0xa3, 0xb5, 0x8a, 0xa9, 0x9d, 0x2f, 0x1a, + 0x4f, 0xe3, 0x9d, 0x46, 0x0f, 0x70, 0xb5, 0xd7, + 0xf3, 0xfe, 0xea, 0x72, 0x0a, 0x23, 0x2b, 0x98, + 0x61, 0xd5, 0x5e, 0x0f, 0x16, 0xb5, 0x01, 0x31, + 0x9a, 0xb5, 0x17, 0x6b, 0x12, 0xd6, 0x99, 0x58, + 0x5c, 0xb5, 0x61, 0xc2, 0xdb, 0x0a, 0xa7, 0xca, + 0x55, 0xdd, 0xa2, 0x1b, 0xd7, 0xcb, 0xcd, 0x56, + 0xe6, 0x79, 0x04, 0x70, 0x21, 0xb1, 0x9b, 0xb7 + ], + [ + 0xf5, 0x74, 0xdc, 0xac, 0x2b, 0xce, 0x2f, 0xc7, + 0x0a, 0x39, 0xfc, 0x28, 0x6a, 0x3d, 0x84, 0x35, + 0x06, 0xf1, 0x5e, 0x5f, 0x52, 0x9c, 0x1f, 0x8b, + 0xf2, 0xea, 0x75, 0x14, 0xb1, 0x29, 0x7b, 0x7b, + 0xd3, 0xe2, 0x0f, 0xe4, 0x90, 0x35, 0x9e, 0xb1, + 0xc1, 0xc9, 0x3a, 0x37, 0x60, 0x62, 0xdb, 0x09, + 0xc2, 0xb6, 0xf4, 0x43, 0x86, 0x7a, 0xdb, 0x31, + 0x99, 0x1e, 0x96, 0xf5, 0x0a, 0xba, 0x0a, 0xb2 + ], + [ + 0xef, 0x1f, 0xdf, 0xb3, 0xe8, 0x15, 0x66, 0xd2, + 0xf9, 0x48, 0xe1, 0xa0, 0x5d, 0x71, 0xe4, 0xdd, + 0x48, 0x8e, 0x85, 0x7e, 0x33, 0x5c, 0x3c, 0x7d, + 0x9d, 0x72, 0x1c, 0xad, 0x68, 0x5e, 0x35, 0x3f, + 0xa9, 0xd7, 0x2c, 0x82, 0xed, 0x03, 0xd6, 0x75, + 0xd8, 0xb7, 0x13, 0x33, 0x93, 0x52, 0x03, 0xbe, + 0x34, 0x53, 0xea, 0xa1, 0x93, 0xe8, 0x37, 0xf1, + 0x22, 0x0c, 0xbe, 0xbc, 0x84, 0xe3, 0xd1, 0x2e + ], + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 38] + +RFC 8133 SESPAKE March 2017 + + + [ + 0x4b, 0xea, 0x6b, 0xac, 0xad, 0x47, 0x47, 0x99, + 0x9a, 0x3f, 0x41, 0x0c, 0x6c, 0xa9, 0x23, 0x63, + 0x7f, 0x15, 0x1c, 0x1f, 0x16, 0x86, 0x10, 0x4a, + 0x35, 0x9e, 0x35, 0xd7, 0x80, 0x0f, 0xff, 0xbd, + 0xbf, 0xcd, 0x17, 0x47, 0x25, 0x3a, 0xf5, 0xa3, + 0xdf, 0xff, 0x00, 0xb7, 0x23, 0x27, 0x1a, 0x16, + 0x7a, 0x56, 0xa2, 0x7e, 0xa9, 0xea, 0x63, 0xf5, + 0x60, 0x17, 0x58, 0xfd, 0x7c, 0x6c, 0xfe, 0x57 + ], + [ + 0xae, 0x4f, 0xae, 0xae, 0x1d, 0x3a, 0xd3, 0xd9, + 0x6f, 0xa4, 0xc3, 0x3b, 0x7a, 0x30, 0x39, 0xc0, + 0x2d, 0x66, 0xc4, 0xf9, 0x51, 0x42, 0xa4, 0x6c, + 0x18, 0x7f, 0x9a, 0xb4, 0x9a, 0xf0, 0x8e, 0xc6, + 0xcf, 0xfa, 0xa6, 0xb7, 0x1c, 0x9a, 0xb7, 0xb4, + 0x0a, 0xf2, 0x1f, 0x66, 0xc2, 0xbe, 0xc6, 0xb6, + 0xbf, 0x71, 0xc5, 0x72, 0x36, 0x90, 0x4f, 0x35, + 0xfa, 0x68, 0x40, 0x7a, 0x46, 0x64, 0x7d, 0x6e + ], + [ + 0xf4, 0xc7, 0x0e, 0x16, 0xee, 0xaa, 0xc5, 0xec, + 0x51, 0xac, 0x86, 0xfe, 0xbf, 0x24, 0x09, 0x54, + 0x39, 0x9e, 0xc6, 0xc7, 0xe6, 0xbf, 0x87, 0xc9, + 0xd3, 0x47, 0x3e, 0x33, 0x19, 0x7a, 0x93, 0xc9, + 0x09, 0x92, 0xab, 0xc5, 0x2d, 0x82, 0x2c, 0x37, + 0x06, 0x47, 0x69, 0x83, 0x28, 0x4a, 0x05, 0x04, + 0x35, 0x17, 0x45, 0x4c, 0xa2, 0x3c, 0x4a, 0xf3, + 0x88, 0x86, 0x56, 0x4d, 0x3a, 0x14, 0xd4, 0x93 + ], + [ + 0x9b, 0x1f, 0x5b, 0x42, 0x4d, 0x93, 0xc9, 0xa7, + 0x03, 0xe7, 0xaa, 0x02, 0x0c, 0x6e, 0x41, 0x41, + 0x4e, 0xb7, 0xf8, 0x71, 0x9c, 0x36, 0xde, 0x1e, + 0x89, 0xb4, 0x44, 0x3b, 0x4d, 0xdb, 0xc4, 0x9a, + 0xf4, 0x89, 0x2b, 0xcb, 0x92, 0x9b, 0x06, 0x90, + 0x69, 0xd1, 0x8d, 0x2b, 0xd1, 0xa5, 0xc4, 0x2f, + 0x36, 0xac, 0xc2, 0x35, 0x59, 0x51, 0xa8, 0xd9, + 0xa4, 0x7f, 0x0d, 0xd4, 0xbf, 0x02, 0xe7, 0x1e + ], + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 39] + +RFC 8133 SESPAKE March 2017 + + + [ + 0x37, 0x8f, 0x5a, 0x54, 0x16, 0x31, 0x22, 0x9b, + 0x94, 0x4c, 0x9a, 0xd8, 0xec, 0x16, 0x5f, 0xde, + 0x3a, 0x7d, 0x3a, 0x1b, 0x25, 0x89, 0x42, 0x24, + 0x3c, 0xd9, 0x55, 0xb7, 0xe0, 0x0d, 0x09, 0x84, + 0x80, 0x0a, 0x44, 0x0b, 0xdb, 0xb2, 0xce, 0xb1, + 0x7b, 0x2b, 0x8a, 0x9a, 0xa6, 0x07, 0x9c, 0x54, + 0x0e, 0x38, 0xdc, 0x92, 0xcb, 0x1f, 0x2a, 0x60, + 0x72, 0x61, 0x44, 0x51, 0x83, 0x23, 0x5a, 0xdb + ], + [ + 0xab, 0xbe, 0xde, 0xa6, 0x80, 0x05, 0x6f, 0x52, + 0x38, 0x2a, 0xe5, 0x48, 0xb2, 0xe4, 0xf3, 0xf3, + 0x89, 0x41, 0xe7, 0x1c, 0xff, 0x8a, 0x78, 0xdb, + 0x1f, 0xff, 0xe1, 0x8a, 0x1b, 0x33, 0x61, 0x03, + 0x9f, 0xe7, 0x67, 0x02, 0xaf, 0x69, 0x33, 0x4b, + 0x7a, 0x1e, 0x6c, 0x30, 0x3b, 0x76, 0x52, 0xf4, + 0x36, 0x98, 0xfa, 0xd1, 0x15, 0x3b, 0xb6, 0xc3, + 0x74, 0xb4, 0xc7, 0xfb, 0x98, 0x45, 0x9c, 0xed + ], + [ + 0x7b, 0xcd, 0x9e, 0xd0, 0xef, 0xc8, 0x89, 0xfb, + 0x30, 0x02, 0xc6, 0xcd, 0x63, 0x5a, 0xfe, 0x94, + 0xd8, 0xfa, 0x6b, 0xbb, 0xeb, 0xab, 0x07, 0x61, + 0x20, 0x01, 0x80, 0x21, 0x14, 0x84, 0x66, 0x79, + 0x8a, 0x1d, 0x71, 0xef, 0xea, 0x48, 0xb9, 0xca, + 0xef, 0xba, 0xcd, 0x1d, 0x7d, 0x47, 0x6e, 0x98, + 0xde, 0xa2, 0x59, 0x4a, 0xc0, 0x6f, 0xd8, 0x5d, + 0x6b, 0xca, 0xa4, 0xcd, 0x81, 0xf3, 0x2d, 0x1b + ], + [ + 0x37, 0x8e, 0xe7, 0x67, 0xf1, 0x16, 0x31, 0xba, + 0xd2, 0x13, 0x80, 0xb0, 0x04, 0x49, 0xb1, 0x7a, + 0xcd, 0xa4, 0x3c, 0x32, 0xbc, 0xdf, 0x1d, 0x77, + 0xf8, 0x20, 0x12, 0xd4, 0x30, 0x21, 0x9f, 0x9b, + 0x5d, 0x80, 0xef, 0x9d, 0x18, 0x91, 0xcc, 0x86, + 0xe7, 0x1d, 0xa4, 0xaa, 0x88, 0xe1, 0x28, 0x52, + 0xfa, 0xf4, 0x17, 0xd5, 0xd9, 0xb2, 0x1b, 0x99, + 0x48, 0xbc, 0x92, 0x4a, 0xf1, 0x1b, 0xd7, 0x20 + ] + ] + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 40] + +RFC 8133 SESPAKE March 2017 + + + def __AddModulo(self, A, B): + result = [0] * 64 + t = 0 + for i in reversed(range(0, 64)): + t = A[i] + B[i] + (t >> 8) + result[i] = t & 0xFF + return result + + def __AddXor(self, A, B): + result = [0] * 64 + for i in range(0, 64): + result[i] = A[i] ^ B[i] + return result + + def __S(self, state): + result = [0] * 64 + for i in range(0, 64): + result[i] = self.__Sbox[state[i]] + return result + + def __P(self, state): + result = [0] * 64 + for i in range(0, 64): + result[i] = state[self.__Tau[i]] + return result + + def __L(self, state): + result = [0] * 64 + for i in range(0, 8): + t = 0 + for k in range(0, 8): + for j in range(0, 8): + if ((state[i * 8 + k] & (1 << (7 - j))) != 0): + t ^= self.__A[k * 8 + j] + for k in range(0, 8): + result[i * 8 + k] = (t & (0xFF << (7 - k) * 8)) >> (7 - k) * 8 + return result + + def __KeySchedule(self, K, i): + K = self.__AddXor(K, self.__C[i]) + K = self.__S(K) + K = self.__P(K) + K = self.__L(K) + return K + + + + + + + +Smyshlyaev, et al. Informational [Page 41] + +RFC 8133 SESPAKE March 2017 + + + # E(K, m) + def __E(self, K, m): + state = self.__AddXor(K, m) + for i in range(0, 12): + state = self.__S(state) + state = self.__P(state) + state = self.__L(state) + K = self.__KeySchedule(K, i) + state = self.__AddXor(state, K) + return state + + def __G_n(self, N, h, m): + K = self.__AddXor(h, N) + K = self.__S(K) + K = self.__P(K) + K = self.__L(K) + t = self.__E(K, m) + t = self.__AddXor(t, h) + return self.__AddXor(t, m) + + def __Padding(self, last, N, h, Sigma): + if (len(last) < 64): + padding = [0] * (64 - len(last)) + padding[-1] = 1 + padded_message = padding + last + h = self.__G_n(N, h, padded_message) + N_len = [0] * 64 + N_len[63] = (len(last) * 8) & 0xff + N_len[62] = (len(last) * 8) >> 8 + N = self.__AddModulo(N, N_len) + Sigma = self.__AddModulo(Sigma, padded_message) + return (h, N, Sigma) + + def digest( self, message, out=512 ): + return list2str( self.GetHash( str2list( message ), out ) ) + + def GetHash(self, message, out=512, no_pad=False): + N = [0] * 64 + Sigma = [0] * 64 + if out == 512: + h = [0] * 64 + elif out == 256: + h = [0x01] * 64 + else: + print("Wrong hash out length!") + + N_512 = [0] * 64 + N_512[62] = 0x02 # 512 = 0x200 + + + +Smyshlyaev, et al. Informational [Page 42] + +RFC 8133 SESPAKE March 2017 + + + length_bits = len(message) * 8 + length = len(message) + + i = 0 + asd = message[::-1] + while (length_bits >= 512): + tmp = (message[i * 64: (i + 1) * 64])[::-1] + h = self.__G_n(N, h, tmp) + N = self.__AddModulo(N, N_512) + Sigma = self.__AddModulo(Sigma, tmp) + length_bits -= 512 + i += 1 + + last = (message[i * 64: length])[::-1] + + if (len(last) == 0 and no_pad): + pass + else: + h, N, Sigma = self.__Padding(last, N, h, Sigma) + + N_0 = [0] * 64 + h = self.__G_n(N_0, h, N) + h = self.__G_n(N_0, h, Sigma) + + if out == 512: + return h[::-1] + elif out == 256: + return (h[0:32])[::-1] + + def hash(self, str_message, out=512, no_pad=False): + return list2str(self.GetHash(str2list(str_message), out, no_pad)) + +def H256(msg): + S = Stribog() + return S.hash(msg, out=256) + +def H512(msg): + S = Stribog() + return S.hash(msg) + +def num2le( s, n ): + res = "" + for i in range(n): + res += chr(s & 0xFF) + s >>= 8 + return res + + + + + +Smyshlyaev, et al. Informational [Page 43] + +RFC 8133 SESPAKE March 2017 + + +def le2num( s ): + res = 0 + for i in range(len(s) - 1, -1, -1): + res = (res << 8) + ord(s[i]) + return res + +def XGCD(a,b): + """XGCD(a,b) returns a list of form [g,x,y], where g is GCD(a,b) and + x,y satisfy the equation g = ax + by.""" + a1=1; b1=0; a2=0; b2=1; aneg=1; bneg=1; swap = False + if(a < 0): + a = -a; aneg=-1 + if(b < 0): + b = -b; bneg=-1 + if(b > a): + swap = True + [a,b] = [b,a] + while (1): + quot = -(a / b) + a = a % b + a1 = a1 + quot*a2; b1 = b1 + quot*b2 + if(a == 0): + if(swap): + return [b, b2*bneg, a2*aneg] + else: + return [b, a2*aneg, b2*bneg] + quot = -(b / a) + b = b % a + a2 = a2 + quot*a1; b2 = b2 + quot*b1 + if(b == 0): + if(swap): + return [a, b1*bneg, a1*aneg] + else: + return [a, a1*aneg, b1*bneg] + +def getMultByMask( elems, mask ): + n = len( elems ) + r = 1 + for i in range( n ): + if mask & 1: + r *= elems[ n - 1 - i ] + mask = mask >> 1 + return r + + + + + + + + +Smyshlyaev, et al. Informational [Page 44] + +RFC 8133 SESPAKE March 2017 + + +def subF(P, other, p): + return (P - other) % p + +def divF(P, other, p): + return mulF(P, invF(other, p), p) + +def addF(P, other, p): + return (P + other) % p + +def mulF(P, other, p): + return (P * other) % p + +def invF(R, p): + assert (R != 0) + return XGCD(R, p)[1] % p + +def negF(R, p): + return (-R) % p + +def powF(R, m, p): + assert R != None + assert type(m) in (int, long) + + if m == 0: + assert R != 0 + return 1 + elif m < 0: + t = invF(R, p) + return powF(t, (-m), p) + else: + i = m.bit_length() - 1 + r = 1 + while i > 0: + if (m >> i) & 1: + r = (r * R) % p + r = (r * r) % p + i -= 1 + if m & 1: + r = (r * R) % p + return r + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 45] + +RFC 8133 SESPAKE March 2017 + + +def add(Px, Py, Qx, Qy, p, a, b): + if Qx == Qy == None: + return [Px, Py] + + if Px == Py == None: + return [Qx, Qy] + + if (Px == Qx) and (Py == negF(Qy, p)): + return [None, None] + + if (Px == Qx) and (Py == Qy): + assert Py != 0 + return duplicate(Px, Py, p, a) + else: + l = divF( subF( Qy, Py, p ), subF( Qx, Px, p ), p ) + resX = subF( subF( powF( l, 2, p ), Px, p ), Qx, p ) + resY = subF( mulF( l, subF( Px, resX, p ), p ), Py, p ) + return [resX, resY] + +def duplicate(Px, Py, p, a): + if (Px == None) and (Py == None): + return [None, None] + + if Py == 0: + return [None, None] + + l = divF(addF(mulF(powF(Px, 2, p), 3, p), a, p), mulF(Py, 2, p), p) + resX = subF(powF(l, 2, p), mulF(Px, 2, p), p) + resY = subF(mulF(l, subF(Px, resX, p), p), Py, p) + return [resX, resY] + + + + + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 46] + +RFC 8133 SESPAKE March 2017 + + +def mul(Px, Py, s, p, a, b): + assert type(s) in (int, long) + assert Px != None and Py != None + + X = Px + Y = Py + + i = s.bit_length() - 1 + resX = None + resY = None + while i > 0: + if (s >> i) & 1: + resX, resY = add(resX, resY, X, Y, p, a, b) + resX, resY = duplicate(resX, resY, p, a) + i -= 1 + if s & 1: + resX, resY = add(resX, resY, X, Y, p, a, b) + return [resX, resY] + +def Ord(Px, Py, m, q, p, a, b): + assert Px != None and Py != None + assert (m != None) and (q != None) + assert mul(Px, Py, m, p, a, b) == [None, None] + + X = Px + Y = Py + r = m + for mask in range(1 << len(q)): + t = getMultByMask(q, mask) + Rx, Ry = mul(X, Y, t, p, a, b) + if (Rx == None) and (Ry == None): + r = min(r, t) + return r + +def isQuadraticResidue( R, p ): + if R == 0: + assert False + temp = powF(R, ((p - 1) / 2), p) + if temp == (p - 1): + return False + else: + assert temp == 1 + return True + + + + + + + + +Smyshlyaev, et al. Informational [Page 47] + +RFC 8133 SESPAKE March 2017 + + +def getRandomQuadraticNonresidue(p): + from random import randint + r = (randint(2, p - 1)) % p + while isQuadraticResidue(r, p): + r = (randint(2, p - 1)) % p + return r + +def ModSqrt( R, p ): + assert R != None + assert isQuadraticResidue(R, p) + + if p % 4 == 3: + res = powF(R, (p + 1) / 4, p) + if powF(res, 2, p) != R: + res = None + return [res, negF(res, p)] + else: + ainvF = invF(R, p) + + s = p - 1 + alpha = 0 + while (s % 2) == 0: + alpha += 1 + s = s / 2 + + b = powF(getRandomQuadraticNonresidue(p), s, p) + r = powF(R, (s + 1) / 2, p) + + bj = 1 + for k in range(0, alpha - 1): # alpha >= 2 because p % 4 = 1 + d = 2 ** (alpha - k - 2) + x = powF(mulF(powF(mulF(bj, r, p), 2, p), ainvF, p), d, p) + if x != 1: + bj = mulF(bj, powF(b, (2 ** k), p), p) + res = mulF(bj, r, p) + return [res, negF(res, p)] + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 48] + +RFC 8133 SESPAKE March 2017 + + +def generateQs( p, pByteSize, a, b, m, q, orderDivisors, Px, Py, N ): + assert pByteSize in ( 256 / 8, 512 / 8 ) + PxBytes = num2le( Px, pByteSize ) + PyBytes = num2le( Py, pByteSize ) + Qs = [] + S = [] + Hash_src = [] + Hash_res = [] + co_factor = m / q + + seed = 0 + while len( Qs ) != N: + hashSrc = PxBytes + PyBytes + num2le( seed, 4 ) + if pByteSize == ( 256 / 8 ): + QxBytes = H256( hashSrc ) + else: + QxBytes = H512( hashSrc ) + + Qx = le2num( QxBytes ) % p + + R = addF( addF( powF(Qx, 3, p ), mulF(Qx, a, p), p), b, p ) + if ( R == 0 ) or ( not isQuadraticResidue( R, p ) ): + seed += 1 + continue + + Qy_sqrt = ModSqrt( R, p ) + Qy = min(Qy_sqrt) + if co_factor * Ord(Qx, Qy, m, orderDivisors, p, a, b) != m: + seed += 1 + continue + + Qs += [(Qx, Qy)] + S += [seed] + Hash_src += [hashSrc] + Hash_res += [QxBytes] + seed += 1 + + return Qs, S, Hash_src, Hash_res + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 49] + +RFC 8133 SESPAKE March 2017 + + +if __name__ == "__main__": + for i, curve in enumerate(curvesParams): + print "A.1." + str(i+1) + ". Curve " + curve["OID"] + if "3410-2012-256-paramSetA" in curve["OID"] or \ + "3410-2012-512-paramSetC" in curve["OID"]: + Q, S, Hash_src, Hash_res = generateQs(curve["p"],\ + curve["n"],\ + curve["a"],\ + curve["b"],\ + curve["m"],\ + curve["q"],\ + [ 2, 2, curve["q"]],\ + curve["x"],\ + curve["y"],\ + 1) + else: + Q, S, Hash_src, Hash_res = generateQs(curve["p"],\ + curve["n"],\ + curve["a"],\ + curve["b"],\ + curve["m"],\ + curve["q"],\ + [curve["q"]],\ + curve["x"],\ + curve["y"],\ + 1) + + j = 1 + for q, s, hash_src, hash_res in zip(Q, S, Hash_src, Hash_res): + print "Point Q_" + str(j) + j += 1 + + print "X=", hex(q[0])[:-1] + print "Y=", hex(q[1])[:-1] + + print "SEED=","{0:#0{1}x}".format(s,6) + print + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 50] + +RFC 8133 SESPAKE March 2017 + + +Acknowledgments + + We thank Lolita Sonina, Georgiy Borodin, Sergey Agafin, and Ekaterina + Smyshlyaeva for their careful readings and useful comments. + +Authors' Addresses + + Stanislav Smyshlyaev (editor) + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: svs@cryptopro.ru + + + Evgeny Alekseev + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: alekseev@cryptopro.ru + + + Igor Oshkin + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: oshkin@cryptopro.ru + + + Vladimir Popov + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: vpopov@cryptopro.ru + + + + + + +Smyshlyaev, et al. Informational [Page 51] + |