Diffstat (limited to 'doc/rfc/rfc5830.txt')
-rw-r--r-- doc/rfc/rfc5830.txt 1067
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc5830.txt b/doc/rfc/rfc5830.txt
new file mode 100644
index 0000000..6a5062d
--- /dev/null
+++ b/doc/rfc/rfc5830.txt
@@ -0,0 +1,1067 @@
+
+
+
+
+
+
+Independent Submission V. Dolmatov, Ed.
+Request for Comments: 5830 Cryptocom, Ltd.
+Category: Informational March 2010
+ISSN: 2070-1721
+
+
+ GOST 28147-89: Encryption, Decryption,
+ and Message Authentication Code (MAC) Algorithms
+
+Abstract
+
+ This document is intended to be a source of information about the
+ Russian Federal standard for electronic encryption, decryption, and
+ message authentication algorithms (GOST 28147-89), which is one of
+ the Russian cryptographic standard algorithms called GOST
+ algorithms). Recently, Russian cryptography is being used in
+ Internet applications, and this document has been created as
+ information for developers and users of GOST 28147-89 for encryption,
+ decryption, and message authentication.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc5830.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dolmatov Informational [Page 1]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+ This document may not be modified, and derivative works of it may not
+ be created, except to format it for publication as an RFC or to
+ translate it into languages other than English.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. General Information ........................................3
+ 2. Applicability ...................................................3
+ 3. Definitions and Notations .......................................3
+ 3.1. Definitions ................................................3
+ 3.2. Notation ...................................................4
+ 4. General Statements ..............................................4
+ 5. The Electronic Codebook Mode ....................................6
+ 5.1. Encryption of Plain Text in the Electronic Codebook Mode ...6
+ 5.2. Decryption of the Ciphertext in the Electronic
+ Codebook Mode ..............................................9
+ 6. The Counter Encryption Mode ....................................10
+ 6.1. Encryption of Plain Text in the Counter Encryption Mode ...10
+ 6.2. Decryption of Ciphertext in the Counter Encryption Mode ...13
+ 7. The Cipher Feedback Mode .......................................13
+ 7.1. Encryption of Plain Text in the Cipher Feedback Mode ......13
+ 7.2. Decryption of Ciphertext in the Cipher Feedback Mode ......14
+ 8. Message Authentication Code (MAC) Generation Mode ..............15
+ 9. Security Considerations ........................................17
+ 10. Normative References ..........................................17
+ Appendix A. Values of the Constants C1 and C2 .....................18
+ Appendix B. Contributors ..........................................19
+
+
+
+
+
+
+
+
+
+
+
+Dolmatov Informational [Page 2]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+1. Introduction
+
+1.1. General Information
+
+ [GOST28147-89] is the unified cryptographic transformation algorithm
+ for information processing systems of different purposes, defining
+ the encryption/decryption rules and the message authentication code
+ (MAC) generation rules.
+
+ This cryptographic transformation algorithm is intended for hardware
+ or software implementation and corresponds to the cryptographic
+ requirements. It puts no limitations on the encrypted information
+ secrecy level.
+
+2. Applicability
+
+ GOST 28147-89 defines the encryption/decryption model and MAC
+ generation for a given message (document) that is meant for
+ transmission via insecure public telecommunication channels between
+ data processing systems of different purposes.
+
+ GOST 28147-89 is obligatory to use in the Russian Federation in all
+ data processing systems providing public services.
+
+3. Definitions and Notations
+
+3.1. Definitions
+
+ The following terms are used in the standard:
+
+ Running key: a pseudo-random bit sequence generated by a given
+ algorithm for encrypting plain texts and decrypting encrypted texts.
+
+ Encryption: the process of transforming plain text to encrypted data
+ using a cipher.
+
+ MAC: an information string of fixed length that is generated from
+ plain text and a key according to some rule and added to the
+ encrypted data for protection against data falsification.
+
+ Key: a defined secret state of some parameters of a cryptographic
+ transformation algorithm, that provides a choice of one
+ transformation out of all the possible transformations.
+
+ Cryptographic protection: data protection using the data
+ cryptographic transformations.
+
+
+
+
+
+Dolmatov Informational [Page 3]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ Cryptographic transformation: data transformation using encryption
+ and (or) MAC.
+
+ Decryption: the process of transforming encrypted data to plain text
+ using a cipher.
+
+ Initialisation vector: initial values of plain parameters of a
+ cryptographic transformation algorithm.
+
+ Encryption equation: a correlation showing the process of generating
+ encrypted data out of plain text as a result of transformations
+ defined by the cryptographic transformation algorithm.
+
+ Decryption equation: a correlation showing the process of generating
+ plain text out of encrypted data as a result of transformations
+ defined by the cryptographic transformation algorithm.
+
+ Cipher: a set of reversible transformations of the set of possible
+ plain texts onto the set of encrypted data, made after certain rules
+ and using keys.
+
+3.2. Notation
+
+ In this document, the following notations are used:
+
+ ^ is a power operator.
+
+ (+) is a bitwise addition of the words of the same length modulo 2.
+
+ [+] is an addition of 32-bit vectors modulo 2^32.
+
+ [+]' is an addition of the 32-bit vectors modulo 2^32-1.
+
+ 1..N is all values from 1 to N.
+
+4. General Statements
+
+ The structure model of the cryptographic transformation algorithm (a
+ cryptographic model) contains:
+
+ - a 256-bit key data store (KDS) consisting of eight 32-bit registers
+ (X0, X1, X2, X3, X4, X5, X6, X7);
+
+ - four 32-bit registers (N1, N2, N3, N4);
+
+ - two 32-bit registers (N5 and N6) containing constants C1 and C2;
+
+ - two 32-bit adders modulo 2^32 (CM1, CM3);
+
+
+
+Dolmatov Informational [Page 4]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ - a 32-bit adder of bitwise sums modulo 2 (CM2);
+
+ - a 32-bit adder modulo (2^32-1) (CM4);
+
+ - an adder modulo 2 (CM5), with no limitation to its width;
+
+ - a substitution box (K);
+
+ - a register for a cyclic shift of 11 steps to the top digit (R).
+
+ A substitution box (S-box) K consists of eight substitution points
+ K1, K2, K3, K4, K5, K6, K7, K8, with 64-bit memory. A 32-bit vector
+ coming to the substitution box is divided into eight successive 4-bit
+ vectors, and each of them is transformed into a 4-bit vector by a
+ corresponding substitution point. A substitution point is a table
+ consisting of 16 lines, each containing four bits. The incoming
+ vector defines the line address in the table, and the contents of
+ that line is the outgoing vector. Then, these 4-bit outgoing vectors
+ are successively combined into a 32-bit vector.
+
+ Remark: the standard doesn't define any S-boxes. Some of them are
+ defined in [RFC4357].
+
+ When adding and cyclically shifting binary vectors, the registers
+ with larger numbers are considered the top digits.
+
+ When writing a key (W1, W2, ..., W256), Wq = 0..1, q = 1..256, in the
+ KDS the value:
+
+ - W1 is written into the 1st bit of the register X0;
+
+ - the value W2 is written into the 2nd bit of the register X0 (etc.);
+
+ - the value W32 is written into the 32nd bit of the register X0;
+
+ - the value W33 is written into the 1st bit of the register X1;
+
+ - the value W34 is written into the 2nd bit of the register X1
+ (etc.);
+
+ - the value W64 is written into the 32nd bit of the register X1;
+
+ - the value W65 is written into the 1st bit of the register X2
+ (etc.);
+
+ - the value W256 is written into the 32nd bit of the register X7.
+
+
+
+
+
+Dolmatov Informational [Page 5]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ When rewriting the information, the value of the p-th bit of one
+ register (adder) is written into the p-th bit of another register
+ (adder).
+
+ The values of the constants C1 and C2 in the registers N5 and N6 are
+ in the Appendix 1.
+
+ The keys defining fillings of KDS and the substitution box K tables
+ are secret elements and are provided in accordance with the
+ established procedure.
+
+ The filling of the substitution box K is described in GOST 28147-89
+ as a long-term key element common for a whole computer network.
+ Usually, K is used as a parameter of algorithm, some possible sets of
+ K are described in [RFC4357].
+
+ The cryptographic model contemplates four working modes:
+
+ - data encryption (decryption) in the electronic codebook (ECB) mode,
+
+ - data encryption (decryption) in the counter (CNT) mode,
+
+ - data encryption (decryption) in the cipher feedback (CFB) mode, and
+
+ - the MAC generation mode.
+
+ [RFC4357] also describes the CBC mode of GOST 28147-89, but this mode
+ is not a part of the standard.
+
+5. The Electronic Codebook Mode
+
+5.1. Encryption of Plain Text in the Electronic Codebook Mode
+
+ The plain text to be encrypted is split into 64-bit blocks. Input of
+ a binary data block Tp = (a1(0), a2(0), ... , a31(0), a32(0), b1(0),
+ b2(0), ..., b32(0)) into the registers N1 and N2 is done so that the
+ value of a1(0) is put into the first bit of N1, the value of a2(0) is
+ put into the second bit of N1, etc., and the value of a32(0) is put
+ into the 32nd bit of N1. The value of b1(0) is put into the first
+ bit of N2, the value of b2(0) is put into the 2nd bit of N2, etc.,
+ and the value of b32(0) is input into the 32nd bit of N2.
+
+ The result is the state (a32(0), a31(0), ..., a2(0), a1(0)) of the
+ register N1 and the state (b32(0), b31(0), ..., b1(0)) of the
+ register N2.
+
+ The 256 bits of the key are entered into the KDS. The contents of
+ eight 32-bit registers X0, X1, ..., X7 are:
+
+
+
+Dolmatov Informational [Page 6]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ X0 = W32, W31, ..., W2, W1
+
+ X1 = W64, W63, ..., W34, W33
+
+ . . . . . . . . . . . . . . .
+
+ X7 = W256, W255, ..., W226, W225
+
+ The algorithm for enciphering 64-bit blocks of plain text in the
+ electronic codebook mode consists of 32 rounds.
+
+ In the first round, the initial value of register N1 is added modulo
+ 2^32 in the adder CM1 to the contents of the register X0. Note: the
+ value of register N1 is unchanged.
+
+ The result of the addition is transformed in the substitution block
+ K, and the resulting vector is put into the register R, where it is
+ cyclically shifted by 11 steps towards the top digit. The result of
+ this shift is added bitwise modulo 2 in the adder CM2 to the 32-bit
+ contents of the register N2. The result produced in CM2 is then
+ written into N1, and the old contents of N1 are written in N2. Thus,
+ the first round ends.
+
+ The subsequent rounds are similar to the first one:
+
+ - in the second round, the contents of X1 are read from the KDS;
+
+ - in the third round, the contents of X2 are read from the KDS, etc.;
+
+ - in the 8th round, the contents of X7 are read from the KDS.
+
+ - in rounds 9 through 16 and 17 through 24, the contents of the KDS
+ are read in the same order:
+
+ X0, X1, X2, X3, X4, X5, X6, X7.
+
+ - in the last eight rounds from the 25th to the 32nd, the contents of
+ the KDS are read backwards:
+
+ X7, X6, X5, X4, X3, X2, X1, X0.
+
+ Thus, during the 32 rounds of encryption, the following order of
+ choosing the registers' contents is implemented:
+
+ X0, X1, X2, X3, X4, X5, X6, X7, X0, X1, X2, X3, X4, X5, X6, X7,
+
+ X0, X1, X2, X3, X4, X5, X6, X7, X7, X6, X5, X4, X3, X2, X1, X0
+
+
+
+
+Dolmatov Informational [Page 7]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ In the 32nd round, the result in the adder CM2 is written into the
+ register N2, and the old contents of register N1 are unchanged.
+
+ After the 32nd round, the contents of the registers N1 and N2 are an
+ encrypted data block corresponding to a block of plain text.
+
+ The equations for enciphering in the electronic codebook mode are:
+
+ |a(j) = (a(j-1) [+] X(j-1)(mod 8))*K*R (+) b (j-1)
+ | j = 1..24;
+ |b(j) = a(j-1)
+
+ |a(j) = (a(j-1) [+] X(32-j))*K*R (+) b(j-1)
+ | j = 25..31; a32 = a31;
+ |b(j) = a(j-1)
+
+ b(32) = (a(31) [+] X0)*K*R (+) b(31) j=32,
+
+ where:
+
+ a(0) = (a32(0), a31(0), ..., a1(0)) constitutes the initial contents
+ of N1 before the first round of encryption;
+
+ b(0) = (b32(0), b31(0), ..., b1(0)) constitutes the initial contents
+ of N2 before the first round of encryption;
+
+ a(j) = (a32(j), a31(j), ..., a1(j)) constitutes the contents of N1
+ after the j-th round of encryption;
+
+ b(j) = (b32(j), b31(j), ..., b1(j)) constitutes the contents of N2
+ after the j-th round of encryption, j = 1..32.
+
+ R is the operation of cyclic shift towards the top digit by 11 steps,
+ as follows:
+
+ R(r32, r31, r30, r29, r28, r27, r26, r25, r24, r23, r22, r21,
+ r20, ..., r2, r1) =
+
+ (r21, r20, ..., r2, r1, r32, r31, r30, r29, r28, r27, r26, r25,
+ r24, r23, r22)
+
+ The 64-bit block of ciphertext Tc is taken out of the registers N1,
+ N2 in the following order:
+
+ the first, second, ..., 32nd bit of the register N1, then the first,
+ second, ..., 32nd bit of the register N2, i.e.,
+
+ Tc = a1(32), a2(32), ..., a32(32), b1(32), b2(32), ..., b32(32)).
+
+
+
+Dolmatov Informational [Page 8]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ The remaining blocks of the plain text in electronic codebook mode
+ are encrypted in the same fashion.
+
+5.2. Decryption of the Ciphertext in the Electronic Codebook Mode
+
+ The same 256-bit key that was used for encryption is loaded into the
+ KDS, the encrypted data to be deciphered is divided into 64-bit
+ blocks. The loading of any binary information block
+
+ Tc = (a1(32), a2(32), ..., a32(32), b1(32), b2(32), ..., b32(32))
+
+ into the registers N1 and N2 is done in such a way that:
+
+ - the contents of a1(32) are written into the first bit of N1;
+
+ - the contents of a2(32) are written into the second bit of N1 (and
+ so on);
+
+ - the contents of a32(32) are written into the 32nd bit of N1;
+
+ - the contents of b1(32) are written into the first bit of N2 (and so
+ on);
+
+ - and the contents of b32(32) are written into the 32nd bit of N2.
+
+ The decryption procedure uses the same algorithm as the encryption of
+ plain text, with one exception: the contents of the registers X0, X1,
+ ..., X7 are read from the KDS in the decryption rounds in the
+ following order:
+
+ X0,X1,X2,X3,X4,X5,X6,X7, X7,X6,X5,X4,X3,X2,X1,X0,
+
+ X7,X6,X5,X4,X3,X2,X1,X0, X7,X6,X5,X4,X3,X2,X1,X0.
+
+ The decryption equations are:
+
+ |a(32-j) = (a(32-j+1) [+] X(j-1))*K*R (+) b(32-j+1)
+ | j = 1..8;
+ |b(32-1) = a(32-j+1)
+
+ |a(32-j) = (a(32-j+1) [+] X(j-1)(mod 8))*K*R (+) b(32-j+1)
+ | j = 9..31;
+ |b(32-1) = a(32-j+1)
+
+ |a(0) = a(1)
+ | j=32.
+ |b(0) = (a(1) [+] X0)*K*R (+) b1
+
+
+
+
+Dolmatov Informational [Page 9]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ The fillings of the adders N1 and N2 after 32 working rounds are a
+ plain text block.
+
+ Tp = (a1(0), a2(0), ... , a32(0), b1(0), b2(0), ..., b32(0))
+
+ corresponding to the encrypted data block:
+
+ - the value of a1(0) of the block Tp corresponds to the contents of
+ the first bit of N1;
+
+ - the value of a2(0) corresponds to the contents of the second bit of
+ N1 (etc.);
+
+ - the value of b1(0) corresponds to the contents of the first bit of
+ N2;
+
+ - the value of b2(0) corresponds to the contents of the second bit of
+ N2 (etc.);
+
+ - the value of b32(0) corresponds to the contents of 32nd bit of N2;
+
+ - the remaining blocks of encrypted data are decrypted similarly.
+
+ The encryption algorithm in the electronic codebook mode of a 64-bit
+ block Tp is denoted by A, that is:
+
+ A(Tp) is A(a(0), b(0)) = (a(32), b(32)) = Tc.
+
+6. The Counter Encryption Mode
+
+6.1. Encryption of Plain Text in the Counter Encryption Mode
+
+ The plain text divided into 64-bit blocks Tp(1), Tp(2), ..., Tp(M-1),
+ Tp(M) is encrypted in the counter encryption mode by bitwise addition
+ modulo 2 in the adder CM5 with the running key Gc produced in 64-bit
+ blocks, that is:
+
+ Gc = (Gc(1), Gc(2), ..., Gc(M-1), Gc(M))
+
+ where M is defined by the size of the plain text being encrypted.
+ Gc(i) is the i-th 64-bit block where i=1..M, the number of bits in a
+ block Tp(M) can be less than 64. In this case, the unused part of
+ the running key block Gc(M) is discarded.
+
+
+
+
+
+
+
+
+Dolmatov Informational [Page 10]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ 256 bits of the key are put into the KDS. The registers N1 and N2
+ accept a 64-bit binary sequence (an initialisation vector) S = (S1,
+ S2, ..., S64), that is, the initial filling of these registers for
+ subsequent generation of M blocks of the running key. The
+ initialisation vector is put into the registers N1 and N2 so:
+
+ - the value of S1 is written into the first bit of N1;
+
+ - the value of S2 is written into the second bit of N1 (etc.);
+
+ - the value of S32 is written into the 32nd bit of N1;
+
+ - the value of S33 is written into the first bit of N2;
+
+ - the value of S34 is written into the 33th bit of N2 (etc.);
+
+ - the value of S64 is written into the 32nd bit of N2.
+
+ The initial filling of the registers N1 and N2 (the initialisation
+ vector S) is encrypted in the electronic codebook mode in accordance
+ with the requirements from section 5.1. The result of that
+ encryption A(S) = (Y0, Z0) is rewritten into the 32-bit registers N3
+ and N4 so as the contents of N1 are written into N3, and the contents
+ of N2 are written into N4.
+
+ The filling of the register N4 is added modulo (2^32-1) in the adder
+ CM4 to the 32-bit constant C1 from the register N6; the result is
+ written into N4. The filling of the register N3 is added modulo 2^32
+ in the adder CM3 with the 32-bit constant C2 from the register N5;
+ the result is written into N3.
+
+ The filling of N3 is copied into N1, and the filling of N4 is copied
+ into N2, while the fillings of N3 and N4 are kept.
+
+ The filling of N1 and N2 is encrypted in the electronic codebook mode
+ according to the requirements of section 5.1. The resulting
+ encrypted filling of N1 and N2 is the first 64-bit block of the
+ running key Gc(1), this block is bitwise added modulo 2 in the adder
+ CM5 with the first 64-bit block of the plain text:
+
+ Tp(1) = (t1(1), t2(1), ..., t63(1), t64(1)).
+
+ The result of this addition is a 64-bit block of the encrypted data:
+
+ Tc(1) = (tau1(1), tau2(1), ..., tau63(1), tau64(1)).
+
+
+
+
+
+
+Dolmatov Informational [Page 11]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ The value of tau1(1) of the block Tc(1) is the result of the addition
+ of modulo 2 in the CM5 the value t1(1) of the block Tp(1) to the
+ value of the first bit of N1; the value of tau2(1) of the block Tc(1)
+ is the result of addition modulo 2 in the CM5 the value of t2(1) from
+ the block Tp(1) to the value of the second bit of N1, etc.; the value
+ of tau64(1) of the block Tc(1) is the result of addition modulo 2 in
+ the CM5 of the value t64(1) of the block Tp(1) to the value of the
+ 32nd bit of N2.
+
+ To get the next 64-bit block of the running key Gc(2), the filling of
+ N4 is added modulo (2^32-1) in the adder CM4 with the constant C1
+ from N6; the filling of N3 is added modulo 2^32 in the adder CM3 with
+ the constant C2 from N5. The new filling of N3 is copied into N1;
+ the new filling of N4 is copied into N2; the fillings of N3 and N4
+ are kept.
+
+ The filling of N1 and N2 is encrypted in the electronic codebook mode
+ according to the requirements of section 5.1. The resulting
+ encrypted filling of N1 and N2 is the second 64-bit block of the
+ running key Gc(2); this block is bitwise added modulo 2 in the adder
+ CM5 with the first 64-bit block of the plain text Tp(2). The
+ remaining running key blocks Gc(3), Gc(4), ..., Gc(M) are generated
+ and the plain text blocks Tp(3), Tp(4), ..., Tp(M) are encrypted
+ similarly. If the length of the last M-th block of the plain text is
+ less than 64 bits, then only the corresponding number of bits from
+ the last M-th block of the running key is used; remaining bits are
+ discarded.
+
+ The initialisation vector S and the blocks of encrypted data Tc(1),
+ Tc(2), ..., Tc(M) are transmitted to the telecommunication channel or
+ to the computer memory.
+
+ The encryption equation is:
+
+ Tc(i) = A(Y[i-1] [+] C2, Z[i-1]) [+]' C1) (+) Tp(i)
+ = Gc(i) (+) Tp(i) i=1..M
+
+ where:
+
+ Y[i] is the contents of the register N3 after encrypting the
+ i-th block of the plain text Tp(i);
+
+ Z(i) is the contents of the register N4 after encrypting the
+ i-th block of the plain text Tp(i);
+
+ (Y[0], Z[0]) = A(S).
+
+
+
+
+
+Dolmatov Informational [Page 12]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+6.2. Decryption of Ciphertext in the Counter Encryption Mode
+
+ 256 bits of the key that was used for encrypting the data Tp(1),
+ Tp(2), ..., Tp(M) are put into the KDS. The initialisation vector S
+ is put into the registers N1 and N2 and, like in the section 6.1 M
+ blocks of the running key, Gc(1), Gc(2), ..., Gc(M) are generated.
+ The encrypted data blocks Tc(1), Tc(2), ..., Tc(M) are added bitwise
+ modulo 2 in the adder CM5 with the blocks of the running key, and
+ this results in the blocks of plain text Tp(1), Tp(2), ..., Tp(M),
+ and Tp(M) may contain less than 64 bit.
+
+ The decryption equation is:
+
+ Tp(i) = A (Y[i-1] [+] C2, Z[i-1] [+]' C1) (+) Tc(i)
+ = Gc(i) (+) Tc(i) i = 1..M
+
+7. The Cipher Feedback Mode
+
+7.1. Encryption of Plain Text in the Cipher Feedback Mode
+
+ The plain text is divided into 64-bit blocks Tp(1), Tp(2), ..., Tp(M)
+ and encrypted in the cipher feedback mode by bitwise addition modulo
+ 2 in the adder CM5 with the running key Gc generated in 64-bit
+ blocks, i.e., Gc(i)=(Gc(1), Gc(2), ..., Gc(M)), where M is defined by
+ ___
+ the length of the plain text, Gc(i) is the i-th 64-bit block, i=1,M.
+ The number of bits in the block Tp(M) may be less than 64.
+
+ 256 bits of the key are put into the KDS. The 64-bit initialisation
+ vector S = (S1, S2, ..., S64) is put into N1 and N2 as described in
+ section 6.1.
+
+ The initial filling of N1 and N2 is encrypted in the electronic
+ codebook mode in accordance with the requirements in section 6.1. If
+ resulting encrypted filling N1 and N2 is the first 64-bit block of
+ the running key Gc(1)=A(S), then this block is added bitwise modulo 2
+ with the first 64-bit block of plain text Tp(1) = (t1(1), t2(1), ...,
+ t64(1)).
+
+ The result is a 64-bit block of encrypted data
+
+ Tc(1) = (tau1(1), tau2(1), ..., tau64(1)).
+
+ The block of encrypted data Tc(1) is simultaneously the initial state
+ of N1 and N2 for generating the second block of the running key Gc(2)
+ and is written on feedback in these registers. Here:
+
+ - the value of tau1(1) is written into the first bit of N1;
+
+
+
+Dolmatov Informational [Page 13]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ - the value of tau2(1) is written into the second bit of N1, etc.;
+
+ - the value of tau32(1) is written into the 32nd bit of N1;
+
+ - the value of tau33(1) is written into the first bit of N2;
+
+ - the value of tau34(1) is written into the second bit of N2, etc.;
+
+ - the value of tau64(1) is written into the 32nd bit of N2.
+
+ The filling of N1 and N2 is encrypted in the electronic codebook mode
+ in accordance with the requirements in the section 6.1. The
+ encrypted filling of N1 and N2 makes the second 64-bit block of the
+ running key Gc(2), this block is added bitwise modulo 2 in the adder
+ CM5 to the second block of the plain text Tp(2).
+
+ The generation of subsequent blocks of the running key Gc(i) and the
+ encryption of the corresponding blocks of the plain text Tp(i) (i =
+ 3..M) are performed similarly. If the length of the last M-th block
+ of the plain text is less than 64 bits, only the corresponding number
+ of bits of the M-th block of the running key Gc(M) is used; remaining
+ bits are discarded.
+
+ The encryption equations in the cipher feedback mode are:
+
+ |Tc(1) = A(S) (+) Tp(1) = Gc(1) (+) Tp(1)
+ |
+ |Tc(i) = A(Tc(i-1)) (+) Tp(i) = Gc(i) + Tp(i), i = 2..M.
+
+ The initialisation vector S and the blocks of encrypted data Tc(1),
+ Tc(2), ..., Tc(M) are transmitted into the telecommunication channel
+ or to the computer memory.
+
+7.2. Decryption of Ciphertext in the Cipher Feedback Mode
+
+ 256 bits of the key used for the encryption of Tp(1), Tp(2), ...,
+ Tp(M) are put into the KDS. The initialisation vector S is put into
+ N1 and N2 similar to 6.1.
+
+ The initial filling of N1 and N2 (the initialisation vector S) is
+ encrypted in the electronic codebook mode in accordance with the
+ subsection 6.1. The encrypted filling of N1, N2 is the first block
+ of the running key Gc(1) = A(S), this block is added bitwise modulo 2
+ in the adder CM5 with the encrypted data block Tc(1). This results
+ in the first block of plain text Tp(1).
+
+
+
+
+
+
+Dolmatov Informational [Page 14]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ The block of encrypted data Tc(1) makes the initial filling of N1, N2
+ for generating the second block of the running key Gc(2). The block
+ Tc(1) is written in N1 and N2 in accordance with the requirements in
+ the subsection 6.1, the resulted block Gc(2) is added bitwise modulo
+ 2 in the adder CM5 to the second block of the encrypted data Tc(2).
+ This results in the block of plain text Tc(2).
+
+ Similarly, the blocks of encrypted data Tc(2), Tc(3), ..., Tc(M-1)
+ are written in N1, N2 successively, and the blocks of the running key
+ Gc(3), Gc(4), ..., Gc(M) are generated out of them in the electronic
+ codebook mode. The blocks of the running key are added bitwise
+ modulo 2 in the adder CM5 to the blocks of the encrypted data Tc(3),
+ Tc(4), ..., Tc(M), this results in the blocks of plain text Tp(3),
+ Tp(4), ..., Tp(M); here, the number of bits in the last block of the
+ plain text Tp(M) can be less than 64 bit.
+
+ The decryption equations in the cipher feedback mode are:
+
+ |Tp(1) = A(S) (+) Tc(1) = Gc(1) (+) Tc(1)
+ |
+ |Tp(1) = A(Tc(i-1)) (+) Tc(i) = Gc(i) (+) Tc(i), i=2..M
+
+8. Message Authentication Code (MAC) Generation Mode
+
+ To provide the protection from falsification of plain text consisting
+ of M 64-bit blocks Tp(1), Tp(2), ..., Tp(M), M >= 2, an additional
+ l-bit block is generated (the message authentication code I(l)). The
+ process of MAC generation is the same for all the
+ encryption/decryption modes.
+
+ - The first block of plain text:
+
+ Tp(1) = (t1(1), t1(2), ..., t64(1)) = (a1(1)[0], a2(1)[0], ...,
+ a32(1)[0], b1(1)[0], b2(1)[0], ..., b32(1)[0])
+
+ is written to the registers N1 and N2;
+
+ - the value of t1(1) = a1(1)[0] is written into the first bit of N1;
+
+ - the value of t2(1) = a2(1)[0] is written into the second bit of N1,
+ etc.;
+
+ - the value of t32(1) = a32(1)[0] is written into the 32nd bit of N1;
+
+ - the value of t33(1) = b1(1)[0] is written into the first bit of N2,
+ etc.;
+
+ - the value of t64(1) = b32(1)[0] is written into the 32nd bit of N2.
+
+
+
+Dolmatov Informational [Page 15]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ The filling of N1 and N2 is transformed in accordance with the first
+ 16 rounds of the encryption algorithm in the electronic codebook mode
+ (see the subsection 6.1). In the KDS, there exists the same key that
+ is used for encrypting the blocks of plain text Tp(1), Tp(2), ...,
+ Tp(M) in the corresponding blocks of encrypted data Tc(1), Tc(2),
+ ..., Tc(M).
+
+ The filling of N1 and N2 after the 16 working rounds, looking like
+ (a1(1)[16], a2(1)[16], ..., a32(1)[16], b1(1)[16], b2(1)[16], ...,
+ b32(1)[16]), is added in CM5 modulo 2 to the second block Tp(2) =
+ (t1(2), t2(2), ..., t64(2)).
+
+ The result of this addition
+
+ (a1(1)[16](+)t1(2), a2(1)[16](+)t2(2), ..., a32(1)[16](+)t32(2),
+ b1(1)[16](+)t33(2), b2(1)[16](+)t34(2), ..., b32(1)[16](+)t64(2))
+
+ =
+
+ (a1(2)[0], a2(2)[0] ..., a32(2)[0], b1(2)[0], b2(2)[0], ...,
+ b32(2)[0])
+
+ is written into N1 and N2 and is transformed in accordance with the
+ first 16 rounds of the encryption algorithm in the electronic
+ codebook mode.
+
+ The resulting filling of N1 and N2 is added in the CM5 modulo 2 with
+ the third block Tp(3), etc., the last block Tp(M) = (t1(M), t2(M),
+ ..., t64(M)), padded if necessary to a complete 64-bit block by
+ zeros, is added in CM5 modulo 2 with the filling N1, N2 (a1(M-1)[16],
+ a2(M-1)[16], ..., a32(M-1)[16], b1(M-1)[16], b2(M-1)[16], ...,
+ b32(M-1)[16]).
+
+ The result of the addition
+
+ (a1(M-1)[16](+)t1(M), a2(M-1)[16](+)t2(M), ..., a32(M-1)[16](+)
+ t32(M), b1(M-1)[16](+)t33(M), b2(M-1)[16](+)t34(M), ...,
+ b32(M-1)[16](+)t64(M))
+
+ =
+
+ (a1(M)[0], a2(M)[0] ..., a32(M)[0], b1(M)[0], b2(M)[0], ...,
+ b32(M)[0])
+
+ is written into N1, N2 and encrypted in the electronic codebook mode
+ after the first 16 rounds of the algorithm's work. Out of the
+ resulting filling of the registers N1 and N2:
+
+
+
+
+Dolmatov Informational [Page 16]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+ (a1(M)[16], a2(M)[16] ..., a32(M)[16], b1(M)[16], b2(M)[16], ...,
+ b32(M)[16])
+
+ an l-bit string I(l) (the MAC) is chosen:
+
+ I(l) = [a(32-l+1)(M)[16], a(32-l+2)(M)[16], ..., a32(M)[16]].
+
+ The MAC I(l) is transmitted through the telecommunication channel or
+ to the computer memory attached to the end of the encrypted data,
+ i.e., Tc(1), Tc(2), ..., Tc(M), I(l).
+
+ The encrypted data Tc(1), Tc(2), ..., Tc(M), when arriving, are
+ decrypted, out of the resulting plain text blocks Tp(1), Tp(2), ...,
+ Tp(M). The MAC I'(l) is generated as described in the subsection 5.3
+ and compared with the MAC I(l) received together with the encrypted
+ data from the telecommunication channel or from the computer memory.
+ If the MACs are not equal, the resulting plain text blocks Tp(1),
+ Tp(2), ..., Tp(M) are considered false.
+
+ The MAC I(l) (I'(l)) can be generated either before encryption (after
+ decryption, respectively) of the whole message or simultaneously with
+ the encryption (decryption) in blocks. The first plain text blocks,
+ used in the MAC generation, can contain service information (the
+ address section, a time mark, the initialisation vector, etc.) and
+ they may be unencrypted.
+
+ The parameter l value (the bit length of the MAC) is defined by the
+ actual cryptographic requirements, while considering that the
+ possibility of imposing false data is 2^-l.
+
+9. Security Considerations
+
+ This entire document is about security considerations.
+
+10. Normative References
+
+ [GOST28147-89] "Cryptographic Protection for Data Processing System",
+ GOST 28147-89, Gosudarstvennyi Standard of USSR,
+ Government Committee of the USSR for Standards, 1989.
+ (In Russian)
+
+ [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional
+ Cryptographic Algorithms for Use with GOST 28147-89,
+ GOST R 34.10-94, GOST R 34.10-2001, and GOST R
+ 34.11-94 Algorithms", RFC 4357, January 2006.
+
+
+
+
+
+
+Dolmatov Informational [Page 17]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+Appendix A. Values of the Constants C1 and C2
+
+ The constant C1 is:
+
+ The bit of N6 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18
+
+ The bit value 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0
+
+
+ The bit of N6 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
+
+ The bit value 1 0 0 0 0 0 0 0 1 0 0 0 0 0 1 0 0
+
+ The constant C2 is:
+
+ The bit of N6 32 31 30 29 28 27 26 25 24 23 22 21 20 19 18
+
+ The bit value 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0
+
+
+ The bit of N6 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1
+
+ The bit value 1 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dolmatov Informational [Page 18]
+
+RFC 5830 GOST 28147-89 March 2010
+
+
+Appendix B. Contributors
+
+ Dmitry Kabelev
+ Cryptocom, Ltd.
+ 14 Kedrova St., Bldg. 2
+ Moscow, 117218
+ Russian Federation
+
+ EMail: kdb@cryptocom.ru
+
+
+ Igor Ustinov
+ Cryptocom, Ltd.
+ 14 Kedrova St., Bldg. 2
+ Moscow, 117218
+ Russian Federation
+
+ EMail: igus@cryptocom.ru
+
+
+ Irene Emelianova
+ Cryptocom Ltd.
+ 14 Kedrova St., Bldg. 2
+ Moscow, 117218
+ Russian Federation
+
+ EMail: irene@cryptocom.ru
+
+Author's Address
+
+ Vasily Dolmatov, Ed.
+ Cryptocom, Ltd.
+ 14 Kedrova St., Bldg. 2
+ Moscow, 117218
+ Russian Federation
+
+ EMail: dol@cryptocom.ru
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dolmatov Informational [Page 19]
+
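Review bot: The Copyright Notice in this file states that the document "may not be modified", so the vendored copy has to stay verbatim, yet the text contains inconsistencies that will mislead anyone implementing from it; they should be recorded in a companion note next to the file rather than corrected in place. Visible in this hunk: Section 4 points to "the Appendix 1" while the appendix is titled "Appendix A"; Section 5.2 writes "b(32-1) = a(32-j+1)" in equations indexed by j; Section 6.1 puts S34 into "the 33th bit of N2" although N2 is a 32-bit register, and adds Gc(2) to "the first 64-bit block of the plain text Tp(2)"; Section 7.2 says the second step "results in the block of plain text Tc(2)" and gives "Tp(1) = A(Tc(i-1)) (+) Tc(i)" for i=2..M; Section 8 refers to "subsection 5.3", which is not in the Table of Contents, and to subsection 6.1 for the electronic codebook rounds that Section 5.1 defines; Appendix A labels the C2 table "The bit of N6" while Section 6.1 reads C2 from N5. It would also help to note in the commit message where the text was fetched from (the file itself names http://www.rfc-editor.org/info/rfc5830) so the copy can be re-verified later.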