summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7836.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7836.txt')
-rw-r--r--doc/rfc/rfc7836.txt1795
1 files changed, 1795 insertions, 0 deletions
diff --git a/doc/rfc/rfc7836.txt b/doc/rfc/rfc7836.txt
new file mode 100644
index 0000000..72bc171
--- /dev/null
+++ b/doc/rfc/rfc7836.txt
@@ -0,0 +1,1795 @@
+
+
+
+
+
+
+Independent Submission S. Smyshlyaev, Ed.
+Request for Comments: 7836 E. Alekseev
+Category: Informational I. Oshkin
+ISSN: 2070-1721 V. Popov
+ S. Leontiev
+ CRYPTO-PRO
+ V. Podobaev
+ FACTOR-TS
+ D. Belyavsky
+ TCI
+ March 2016
+
+
+ Guidelines on the Cryptographic Algorithms to
+Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012
+
+Abstract
+
+ The purpose of this document is to make the specifications of the
+ cryptographic algorithms defined by the Russian national standards
+ GOST R 34.10-2012 and GOST R 34.11-2012 available to the Internet
+ community for their implementation in the cryptographic protocols
+ based on the accompanying algorithms.
+
+ These specifications define the pseudorandom functions, the key
+ agreement algorithm based on the Diffie-Hellman algorithm and a hash
+ function, the parameters of elliptic curves, the key derivation
+ functions, and the key export functions.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This is a contribution to the RFC Series, independently of any other
+ RFC stream. The RFC Editor has chosen to publish this document at
+ its discretion and makes no statement about its value for
+ implementation or deployment. Documents approved for publication by
+ the RFC Editor are not a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7836.
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 1]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+Copyright Notice
+
+ Copyright (c) 2016 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
+ 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
+ 3. Basic Terms, Definitions, and Notations . . . . . . . . . . . 3
+ 4. Algorithm Descriptions . . . . . . . . . . . . . . . . . . . 6
+ 4.1. HMAC Functions . . . . . . . . . . . . . . . . . . . . . 6
+ 4.2. Pseudorandom Functions . . . . . . . . . . . . . . . . . 7
+ 4.3. VKO Algorithms for Key Agreement . . . . . . . . . . . . 8
+ 4.4. The Key Derivation Function KDF_TREE_GOSTR3411_2012_256 . 10
+ 4.5. The Key Derivation Function KDF_GOSTR3411_2012_256 . . . 11
+ 4.6. Key Wrap and Key Unwrap . . . . . . . . . . . . . . . . . 11
+ 5. The Parameters of Elliptic Curves . . . . . . . . . . . . . . 12
+ 5.1. Canonical Form . . . . . . . . . . . . . . . . . . . . . 13
+ 5.2. Twisted Edwards Form . . . . . . . . . . . . . . . . . . 14
+ 6. Security Considerations . . . . . . . . . . . . . . . . . . . 15
+ 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
+ 7.1. Normative References . . . . . . . . . . . . . . . . . . 16
+ 7.2. Informative References . . . . . . . . . . . . . . . . . 17
+ Appendix A. Values of the Parameter Sets . . . . . . . . . . . . 18
+ A.1. Canonical Form Parameters . . . . . . . . . . . . . . . . 18
+ A.2. Twisted Edwards Form Parameters . . . . . . . . . . . . . 20
+ Appendix B. Test Examples . . . . . . . . . . . . . . . . . . . 22
+ Appendix C. GOST 28147-89 Parameter Set . . . . . . . . . . . . 30
+ Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 30
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30
+
+
+
+
+
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 2]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+1. Introduction
+
+ The accompanying algorithms are intended for the implementation of
+ cryptographic protocols. This memo contains a description of the
+ accompanying algorithms based on the Russian national standards GOST
+ R 34.10-2012 [GOST3410-2012] and GOST R 34.11-2012 [GOST3411-2012].
+ The English versions of these standards can be found in [RFC7091] and
+ [RFC6986]; the English version of the encryption standard GOST
+ 28147-89 [GOST28147-89] (which is used in the key export functions)
+ can be found in [RFC5830].
+
+ The specifications of algorithms and parameters proposed in this memo
+ are provided on the basis of experience in the development of the
+ cryptographic protocols, as described in [RFC4357], [RFC4490], and
+ [RFC4491].
+
+ This memo describes the pseudorandom functions, the key agreement
+ algorithm based on the Diffie-Hellman algorithm and a hash function,
+ the parameters of elliptic curves, the key derivation functions, and
+ the key export functions necessary to ensure interoperability of
+ security protocols that make use of the Russian cryptographic
+ standards GOST R 34.10-2012 [GOST3410-2012] digital signature
+ algorithm and GOST R 34.11-2012 [GOST3411-2012] cryptographic hash
+ function.
+
+2. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [RFC2119].
+
+3. Basic Terms, Definitions, and Notations
+
+ This document uses the following terms and definitions for the sets
+ and operations on the elements of these sets:
+
+ (xor) Exclusive-or of two binary vectors of the same length.
+
+ V_n The finite vector space over GF(2) of dimension n, n >= 0,
+ with the (xor) operation. For n = 0, the V_0 space consists
+ of a single empty element of size 0.
+ If U is an element of V_n, then U = (u_(n-1), u_(n-2), ...,
+ u_1, u_0), where u_i in {0, 1}.
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 3]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ V_(8, r)
+ The set of byte vectors of size r, r >= 0, for r = 0 the
+ V_(8, r) set consists of a single empty element of size 0.
+ If W is an element of V_(8, r), r > 0, then W = (w^0, w^1,
+ ..., w^(r-1)), where w^0, w^1, ..., w^(r-1) are elements of
+ V_8.
+
+ Bit representation
+ The bit representation of the element W = (w^0, w^1, ...,
+ w^(r-1)) of V_(8, r) is an element (w_(8r-1), w_(8r-2), ...,
+ w_1, w_0) of V_(8*r), where w^0 = (w_7, w_6, ..., w_0),
+ w^1 = (w_15, w_14, ..., w_8), ..., w^(r-1) = (w_(8r-1),
+ w_(8r-2), ..., w_(8r-8)) are elements of V_8.
+
+ Byte representation
+ If n is a multiple of 8, r = n/8, then the byte
+ representation of the element W = (w_(n-1), w_(n-2), ...,
+ w_0) of V_n is a byte vector (w^0, w^1, ..., w^(r-1)) of
+ V_(8, r), where w^0 = (w_7, w_6, ..., w_0), w^1 = (w_15,
+ w_14, ..., w_8), ..., w^(r-1) = (w_(8r-1), w_(8r-2), ...,
+ w_(8r-8)) are elements of V_8.
+
+ A|B Concatenation of byte vectors A and B, i.e., if A in
+ V_(8, r1), B in V_(8, r2), A = (a^0, a^1, ..., a^(r1-1)) and
+ B = (b^0, b^1, ..., b^(r2-1)), then A|B = (a^0, a^1, ...,
+ a^(r1-1), b^0, b^1, ..., b^(r2-1)) is an element of V_(8,
+ r1+r2).
+
+ K (key) An arbitrary element of V_n. If K in V_n, then its size (in
+ bits) is equal to n, where n can be an arbitrary natural
+ number.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 4]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ This memo uses the following abbreviations and symbols:
+
+ +---------+---------------------------------------------------------+
+ | Symbols | Meaning |
+ +---------+---------------------------------------------------------+
+ | H_256 | GOST R 34.11-2012 hash function with 256-bit output |
+ | | |
+ | H_512 | GOST R 34.11-2012 hash function with 512-bit output |
+ | | |
+ | HMAC | Hashed-based Message Authentication Code. A function |
+ | | for calculating a message authentication code, based on |
+ | | a hash function in accordance with [RFC2104] |
+ | | |
+ | PRF | A pseudorandom function, i.e., a transformation that |
+ | | allows generation of a pseudorandom sequence of bytes |
+ | | |
+ | KDF | A key derivation function, i.e., a transformation that |
+ | | allows keys and keying material to be derived from the |
+ | | root key and additional input using a pseudorandom |
+ | | function |
+ | | |
+ | VKO | A key agreement algorithm based on the Diffie-Hellman |
+ | | algorithm and a hash function |
+ +---------+---------------------------------------------------------+
+
+ To generate a byte sequence of the size r with functions that give a
+ longer output, the output is truncated to the first r bytes. This
+ remark applies to the following functions:
+
+ o the functions described in Section 4.2;
+
+ o KDF_TREE_GOSTR3411_2012_256 described in Section 4.4;
+
+ o KDF_GOSTR3411_2012_256 described in Section 4.5.
+
+ Hereinafter, all data are provided in byte representation unless
+ otherwise specified.
+
+ If a function is defined outside this document (e.g., H_256) and its
+ definition requires arguments in bit representation, it is assumed
+ that the bit representations of the arguments are formed immediately
+ before the calculation of the function (in particular, immediately
+ after the application of the operation (|) to the byte representation
+ of the arguments).
+
+ If the output of another function defined outside of this document is
+ used as an argument of the functions defined below and it has the bit
+ representation, then it is assumed that an output MUST have a length
+
+
+
+Smyshlyaev, et al. Informational [Page 5]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ that is a multiple of 8 and that it will be translated into the byte
+ representation in advance.
+
+ When a point on an elliptic curve is given to an input of a hash
+ function, affine coordinates for short Weierstrass form are used (see
+ Section 5): an x coordinate value is fed first, a y coordinate value
+ is fed second, both in little-endian format.
+
+4. Algorithm Descriptions
+
+4.1. HMAC Functions
+
+ This section defines the HMAC transformations based on the GOST R
+ 34.11-2012 [GOST3411-2012] algorithm.
+
+4.1.1. HMAC_GOSTR3411_2012_256
+
+ This HMAC transformation is based on the GOST R 34.11-2012
+ [GOST3411-2012] hash function with 256-bit output. The object
+ identifier of this transformation is shown below:
+
+ id-tc26-hmac-gost-3411-12-256::= {iso(1) member-body(2) ru(643)
+ rosstandart(7) tc26(1) algorithms(1) mac(4) hmac-gost-
+ 3411-12-256(1)}.
+
+ This algorithm uses H_256 as a hash function for HMAC, described in
+ [RFC2104]. The method of forming the values of ipad and opad is also
+ specified in [RFC2104]. The size of HMAC_GOSTR3411_2012_256 output
+ is equal to 32 bytes, the block size of the iterative procedure for
+ the H_256 compression function is equal to 64 bytes (in the notation
+ of [RFC2104], L = 32 and B = 64, respectively).
+
+4.1.2. HMAC_GOSTR3411_2012_512
+
+ This HMAC transformation is based on the GOST R 34.11-2012
+ [GOST3411-2012] hash function with 512-bit output. The object
+ identifier of this transformation is shown below:
+
+ id-tc26-hmac-gost-3411-12-512::= {iso(1) member-body(2) ru(643)
+ rosstandart(7) tc26(1) algorithms(1) mac(4) hmac-gost-
+ 3411-12-512(2)}.
+
+ This algorithm uses H_512 as a hash function for HMAC, described in
+ [RFC2104]. The method of forming the values of ipad and opad is also
+ specified in [RFC2104]. The size of HMAC_GOSTR3411_2012_512 output
+ is equal to 64 bytes, the block size of the iterative procedure for
+ the H_512 compression function is equal to 64 bytes (in the notation
+ of [RFC2104], L = 64 and B = 64, respectively).
+
+
+
+Smyshlyaev, et al. Informational [Page 6]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+4.2. Pseudorandom Functions
+
+ This section defines four HMAC-based PRF transformations recommended
+ for usage. Two of them are designed for the Transport Layer Security
+ (TLS) protocol and two are designed for the IPsec protocol.
+
+4.2.1. PRFs for the TLS Protocol
+
+4.2.1.1. PRF_TLS_GOSTR3411_2012_256
+
+ This is the transformation providing the pseudorandom function for
+ the TLS protocol (1.0 and higher versions) in accordance with GOST R
+ 34.11-2012 [GOST3411-2012]. It uses the P_GOSTR3411_2012_256
+ function that is similar to the P_hash function defined in Section 5
+ of [RFC5246], where the HMAC_GOSTR3411_2012_256 function (defined in
+ Section 4.1.1 of this document) is used as the HMAC_hash function.
+
+ PRF_TLS_GOSTR3411_2012_256 (secret, label, seed) =
+ = P_GOSTR3411_2012_256 (secret, label | seed).
+
+ Label and seed values MUST be assigned by a protocol, their lengths
+ SHOULD be fixed by a protocol in order to avoid possible collisions.
+
+4.2.1.2. PRF_TLS_GOSTR3411_2012_512
+
+ This is the transformation providing the pseudorandom function for
+ the TLS protocol (1.0 and higher versions) in accordance with GOST R
+ 34.11-2012 [GOST3411-2012]. It uses the P_GOSTR3411_2012_512
+ function that is similar to the P_hash function defined in Section 5
+ of [RFC5246], where the HMAC_GOSTR3411_2012_512 function (defined in
+ Section 4.1.2 of this document) is used as the HMAC_hash function.
+
+ PRF_TLS_GOSTR3411_2012_512 (secret, label, seed) =
+ = P_GOSTR3411_2012_512 (secret, label | seed).
+
+ Label and seed values MUST be assigned by a protocol, their lengths
+ SHOULD be fixed by a protocol in order to avoid possible collisions.
+
+4.2.2. PRFs for the IKEv2 Protocol Based on GOST R 34.11-2012
+
+ The specification for the Internet Key Exchange protocol version 2
+ (IKEv2) [RFC7296] defines the usage of PRFs in various parts of the
+ protocol for the purposes of generating and authenticating keying
+ material.
+
+ IKEv2 has no default PRF. This document specifies that
+ HMAC_GOSTR3411_2012_256 may be used as the "prf" function in the
+ "prf+" function for the IKEv2 protocol
+
+
+
+Smyshlyaev, et al. Informational [Page 7]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ (PRF_IPSEC_PRFPLUS_GOSTR3411_2012_256). Also, this document
+ specifies that HMAC_GOSTR3411_2012_512 may be used as the "prf"
+ function in the "prf+" function for the IKEv2 protocol
+ (PRF_IPSEC_PRFPLUS_GOSTR3411_2012_512).
+
+4.3. VKO Algorithms for Key Agreement
+
+ This section specifies the key agreement algorithms based on GOST R
+ 34.10-2012 [GOST3410-2012].
+
+4.3.1. VKO_GOSTR3410_2012_256
+
+ The VKO_GOSTR3410_2012_256 transformation is used for agreement of
+ 256-bit keys and is based on the 256-bit version of GOST R 34.11-2012
+ [GOST3411-2012]. This algorithm can be applied for a key agreement
+ using GOST R 34.10-2012 [GOST3410-2012] with 256-bit or 512-bit
+ private keys.
+
+ The algorithm is designed to produce an encryption key or a keying
+ material of size 256 bits to be used in various cryptographic
+ protocols. A key or a keying material KEK_VKO (x, y, UKM) is
+ produced from the private key x of one side, the public key y*P of
+ the opposite side and the User Keying Material (UKM) value.
+
+ The algorithm can be used for static and ephemeral keys with the
+ public key size n >= 512 bits including the case where one side uses
+ a static key and the other uses an ephemeral one.
+
+ The UKM parameter is optional (the default UKM = 1) and can take any
+ integer value from 1 to 2^(n/2)-1. It is allowed to use a non-zero
+ UKM of an arbitrary size that does not exceed n/2 bits. If at least
+ one of the parties uses static keys, the RECOMMENDED length of UKM is
+ 64 bits or more.
+
+ KEK_VKO (x, y, UKM) is calculated using the formulas:
+
+ KEK_VKO (x, y, UKM) = H_256 (K (x, y, UKM)),
+
+ K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P),
+
+ where m and q are the parameters of an elliptic curve defined in the
+ GOST R 34.10-2012 [GOST3411-2012] standard (m is an elliptic curve
+ points group order, q is an order of a cyclic subgroup), P is a non-
+ zero point of the subgroup; P is defined by a protocol.
+
+ This algorithm is defined similar to the one specified in Section 5.2
+ of [RFC4357], but applies the hash function H_256 instead of the hash
+ function GOST R 34.11-94 [GOST3411-94] (referred to as "gostR3411").
+
+
+
+Smyshlyaev, et al. Informational [Page 8]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ In addition, K(x, y, UKM) is calculated with public key size n >= 512
+ bits and UKM has a size up to n/2 bits.
+
+4.3.2. VKO_GOSTR3410_2012_512
+
+ The VKO_GOSTR3410_2012_512 transformation is used for agreement of
+ 512-bit keys and is based on the 512-bit version of GOST R 34.11-2012
+ [GOST3411-2012]. This algorithm can be applied for a key agreement
+ using GOST R 34.10-2012 [GOST3410-2012] with 512-bit private keys.
+
+ The algorithm is designed to produce an encryption key or a keying
+ material of size 512 bits to be used in various cryptographic
+ protocols. A key or a keying material KEK_VKO (x, y, UKM) is
+ produced from the private key x of one side, the public key y*P of
+ the opposite side and the UKM value, considered as an integer.
+
+ The algorithm can be used for static and ephemeral keys with the
+ public key size n >= 1024 bits including the case where one side uses
+ a static key and the other uses an ephemeral one.
+
+ The UKM parameter is optional (the default UKM = 1) and can take any
+ integer value from 1 to 2^(n/2)-1. It is allowed to use a non-zero
+ UKM of an arbitrary size that does not exceed n/2 bits. If at least
+ one of the parties uses static keys, the RECOMMENDED length of UKM is
+ 128 bits or more.
+
+ KEK_VKO (x, y, UKM) is calculated using the formulas:
+
+ KEK_VKO (x, y, UKM) = H_512 (K (x, y, UKM)),
+
+ K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P),
+
+ where m and q are the parameters of an elliptic curve defined in the
+ GOST R 34.10-2012 [GOST3411-2012] standard (m is an elliptic curve
+ points group order, q is an order of a cyclic subgroup), P is a non-
+ zero point of the subgroup; P is defined by a protocol.
+
+ This algorithm is defined similar to the one specified in Section 5.2
+ of [RFC4357], but applies the hash function H_512 instead of the hash
+ function GOST R 34.11-94 [GOST3411-94] (referred to as "gostR3411").
+ In addition, K(x, y, UKM) is calculated with public key size n >=
+ 1024 bits and UKM has a size up to n/2 bits.
+
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 9]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+4.4. The Key Derivation Function KDF_TREE_GOSTR3411_2012_256
+
+ The key derivation function KDF_TREE_GOSTR3411_2012_256 based on the
+ HMAC_GOSTR3411_2012_256 function is given by:
+
+ KDF_TREE_GOSTR3411_2012_256 (K_in, label, seed, R) = K(1) | K(2) |
+ K(3) | K(4) |...,
+
+ K(i) = HMAC_GOSTR3411_2012_256 (K_in, [i]_b | label | 0x00 | seed
+ | [L]_b), i >= 1,
+
+ where:
+
+ K_in Derivation key.
+
+ label, seed
+ The parameters that MUST be assigned by a protocol; their
+ lengths SHOULD be fixed by a protocol.
+
+ R A fixed external parameter, with possible values of 1, 2, 3,
+ or 4.
+
+ i Iteration counter.
+
+ [i]_b Byte representation of the iteration counter (in the network
+ byte order); the number of bytes in the representation [i]_b
+ is equal to R (no more than 4 bytes).
+
+ L The required size (in bits) of the generated keying material
+ (an integer, not exceeding 256*(2^(8*R)-1)).
+
+ [L]_b Byte representation of L, in network byte order (variable
+ length: no leading zero bytes added).
+
+ The key derivation function KDF_TREE_GOSTR3411_2012_256 is intended
+ for generating a keying material of size L, not exceeding
+ 256*(2^(8*R)-1) bits, and utilizing general principles of the input
+ and output for the key derivation function outlined in Section 5.1 of
+ NIST SP 800-108 [NISTSP800-108]. The HMAC_GOSTR3411_2012_256
+ algorithm described in Section 4.1.1 is selected as a pseudorandom
+ function.
+
+ Each key derived from the keying material formed using the derivation
+ key K_in (0-level key) may be a 1-level derivation key and may be
+ used to generate a new keying material. The keying material derived
+ from the first level derivation key can be split down into the second
+ level derivation keys. The application of this procedure leads to
+ the construction of the key tree with the root key and the formation
+
+
+
+Smyshlyaev, et al. Informational [Page 10]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ of the keying material to the hierarchy of the levels, as described
+ in Section 6 of NIST SP 800-108 [NISTSP800-108]. The partitioning
+ procedure for keying material at each level is defined in accordance
+ with a specific protocol.
+
+4.5. The Key Derivation Function KDF_GOSTR3411_2012_256
+
+ The KDF_GOSTR3411_2012_256 function is equivalent to the function
+ KDF_TREE_GOSTR3411_2012_256, when R = 1, L = 256, and is given by:
+
+ KDF_GOSTR3411_2012_256 (K_in, label, seed) =
+ HMAC_GOSTR3411_2012_256 (K_in, 0x01 | label | 0x00 | seed | 0x01 |
+ 0x00),
+
+ where:
+
+ K_in Derivation key.
+
+ label, seed
+ The parameters that MUST be assigned by a protocol; their
+ lengths SHOULD be fixed by a protocol.
+
+4.6. Key Wrap and Key Unwrap
+
+ Wrapped representation of a secret key K (256-bit GOST 28147-89
+ [GOST28147-89] key, 256-bit or 512-bit GOST R 34.10-2012
+ [GOST3410-2012] private key) is formed as follows by using a given
+ export key K_e (GOST 28147-89 [GOST28147-89] key) and a random seed
+ vector:
+
+ 1. Generate a random seed vector from 8 up to 16 bytes.
+
+ 2. With the key derivation function, using an export key K_e as a
+ derivation key, produce a key KEK_e (K_e, seed), where:
+
+ KEK_e (K_e, seed) = KDF_GOSTR3411_2012_256 (K_e, label, seed),
+
+ where the KDF_GOSTR3411_2012_256 function (see Section 4.5) is
+ used as a key derivation function for the fixed label value
+
+ label = (0x26 | 0xBD | 0xB8 | 0x78).
+
+ 3. GOST 28147-89 [GOST28147-89] Message Authentication Code (MAC)
+ value (4-byte) for the data K and the key KEK_e (K_e, seed) is
+ calculated; the initialization vector (IV) in this case is equal
+ to the first 8 bytes of seed. The resulting value is denoted as
+ CEK_MAC.
+
+
+
+
+Smyshlyaev, et al. Informational [Page 11]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ 4. The key K is encrypted with the GOST 28147-89 [GOST28147-89]
+ algorithm in the Electronic Codebook (ECB) mode with the key
+ KEK_e (K_e, seed). The result is denoted as CEK_ENC.
+
+ 5. The wrapped representation of the key is (seed | CEK_ENC |
+ CEK_MAC).
+
+ The value of key K is restored from the wrapped representation of the
+ key and the export key K_e as follows:
+
+ 1. Obtain the seed, CEK_ENC and CEK_MAC values from the wrapped
+ representation of the key.
+
+ 2. With the key derivation function, using the export key K_e as a
+ derivation key, produce a key KEK_e(K_e, seed), where:
+
+ KEK_e (K_e, seed) = KDF_GOSTR3411_2012_256 (K_e, label, seed),
+
+ where the KDF_GOSTR3411_2012_256 function (see Section 4.5) is
+ used as a key derivation function for the fixed label value
+
+ label = (0x26 | 0xBD | 0xB8 | 0x78).
+
+ 3. The CEK_ENC field is decrypted with the GOST 28147-89
+ [GOST28147-89] algorithm in the Electronic Codebook (ECB) mode
+ with the key KEK_e(K_e, seed). The unwrapped key K is assumed to
+ be equal to the result of decryption.
+
+ 4. GOST 28147-89 [GOST28147-89] MAC value (4-byte) for the data K
+ and the key KEK_e(K_e, seed) is calculated; the initialization
+ vector (IV) in this case is equal to the first 8 bytes of seed.
+ If the result is not equal to CEK_MAC, an error is returned.
+
+ The GOST 28147-89 [GOST28147-89] algorithm is used with the parameter
+ set defined in Appendix C of this document.
+
+5. The Parameters of Elliptic Curves
+
+ This section defines the elliptic curves parameters and object
+ identifiers that are RECOMMENDED for usage with the signature and
+ verification algorithms of the digital signature in accordance with
+ the GOST R 34.10-2012 [GOST3410-2012] standard and with the key
+ agreement algorithms VKO_GOSTR3410_2012_256 and
+ VKO_GOSTR3410_2012_512.
+
+ This document does not negate the use of other parameters of elliptic
+ curves.
+
+
+
+
+Smyshlyaev, et al. Informational [Page 12]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+5.1. Canonical Form
+
+ This section defines the elliptic curves parameters of the GOST R
+ 34.10-2012 [GOST3410-2012] standard for the case of elliptic curves
+ with prime 512-bit moduli in canonical (short Weierstrass) form, that
+ is given by the following equation defined in GOST R 34.10-2012
+ [GOST3410-2012]:
+
+ y^2 = x^3 + ax + b (mod p).
+
+ In case of elliptic curves with 256-bit prime moduli, the parameters
+ defined in [RFC4357] are proposed for use.
+
+5.1.1. Parameters and Object Identifiers
+
+ The parameters for each elliptic curve are represented by the
+ following values, which are defined in GOST R 34.10-2012
+ [GOST3410-2012]:
+
+ p the characteristic of the underlying prime field;
+
+ a, b the coefficients of the equation of the elliptic curve in the
+ canonical form;
+
+ m the elliptic curve group order;
+
+ q the elliptic curve subgroup order;
+
+ (x, y) the coordinates of the point P (generator of the subgroup of
+ order q) of the elliptic curve in the canonical form.
+
+ Both sets of the parameters are presented as structures of the form:
+
+ SEQUENCE {
+ p INTEGER,
+ a INTEGER,
+ b INTEGER,
+ m INTEGER,
+ q INTEGER,
+ x INTEGER,
+ y INTEGER
+ }
+
+ The parameter sets have the following object identifiers:
+
+ 1. id-tc26-gost-3410-12-512-paramSetA::= {iso(1) member-body(2)
+ ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1)
+ gost-3410-12-512-constants(2) paramSetA(1)};
+
+
+
+Smyshlyaev, et al. Informational [Page 13]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ 2. id-tc26-gost-3410-12-512-paramSetB::= {iso(1) member-body(2)
+ ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1)
+ gost-3410-12-512-constants(2) paramSetB(2)}.
+
+ The corresponding values of the parameter sets can be found in
+ Appendix A.1.
+
+5.2. Twisted Edwards Form
+
+ This section defines the elliptic curves parameters and object
+ identifiers of the GOST R 34.10-2012 [GOST3410-2012] standard for the
+ case of elliptic curves that have a representation in the twisted
+ Edwards form with prime 256-bit and 512-bit moduli.
+
+ A twisted Edwards curve E over a finite prime field F_p, p > 3, is an
+ elliptic curve defined by the equation:
+
+ e*u^2 + v^2 = 1 + d*u^2*v^2 (mod p),
+
+ where e, d are in F_p, ed(e-d) != 0.
+
+ A twisted Edwards curve has an equivalent representation in the short
+ Weierstrass form defined by parameters a, b. The parameters a, b, e,
+ and d are related as follows:
+
+ a = s^2 - 3*t^2 (mod p),
+ b = 2*t^3 - t*s^2 (mod p),
+
+ where:
+
+ s = (e - d)/4 (mod p),
+ t = (e + d)/6 (mod p).
+
+ Coordinate transformations are defined as follows:
+
+ (u,v) --> (x,y) = (s(1 + v)/(1 - v) + t, s(1 + v)/((1 - v)u)),
+ (x,y) --> (u,v) = ((x - t)/y, (x - t - s)/(x - t + s)).
+
+5.2.1. Parameters and Object Identifiers
+
+ The parameters for each elliptic curve are represented by the
+ following values, which are defined in GOST R 34.10-2012
+ [GOST3410-2012]:
+
+ p The characteristic of the underlying prime field.
+
+ a, b The coefficients of the equation of the elliptic curve in the
+ canonical form.
+
+
+
+Smyshlyaev, et al. Informational [Page 14]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ e, d The coefficients of the equation of the elliptic curve in the
+ twisted Edwards form.
+
+ m The elliptic curve group order.
+
+ q The elliptic curve subgroup order.
+
+ (x, y) The coordinates of the point P (generator of the subgroup of
+ order q) of the elliptic curve in the canonical form.
+
+ (u, v) The coordinates of the point P (generator of the subgroup of
+ order q) of the elliptic curve in the twisted Edwards form.
+
+ Both sets of the parameters are presented as ASN structures of the
+ form:
+
+ SEQUENCE {
+ p INTEGER,
+ a INTEGER,
+ b INTEGER,
+ e INTEGER,
+ d INTEGER,
+ m INTEGER,
+ q INTEGER,
+ x INTEGER,
+ y INTEGER,
+ u INTEGER,
+ v INTEGER
+ }
+
+ The parameter sets have the following object identifiers:
+
+ 1. id-tc26-gost-3410-2012-256-paramSetA ::= {iso(1) member-body(2)
+ ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1)
+ gost-3410-12-256-constants(1) paramSetA(1)};
+
+ 2. id-tc26-gost-3410-2012-512-paramSetC ::= {iso(1) member-body(2)
+ ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1)
+ gost-3410-12-512-constants(2) paramSetC(3)}.
+
+ The corresponding values of the parameter sets can be found in
+ Appendix A.2.
+
+6. Security Considerations
+
+ This entire document is about security considerations.
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 15]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+7. References
+
+7.1. Normative References
+
+ [GOST28147-89]
+ "Systems of information processing. Cryptographic data
+ security. Algorithms of cryptographic transformation",
+ GOST 28147-89 Gosudarstvennyi Standard of USSR, Government
+ Committee of the USSR for Standards, 1989.
+
+ [GOST3410-2012]
+ "Information technology. Cryptographic data security.
+ Signature and verification processes of [electronic]
+ digital signature", GOST R 34.10-2012 Federal Agency on
+ Technical Regulating and Metrology (In Russian), 2012.
+
+ [GOST3411-2012]
+ "Information technology. Cryptographic Data Security.
+ Hashing function", GOST R 34.11-2012 Federal Agency on
+ Technical Regulating and Metrology (In Russian), 2012.
+
+ [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
+ Hashing for Message Authentication", RFC 2104,
+ DOI 10.17487/RFC2104, February 1997,
+ <http://www.rfc-editor.org/info/rfc2104>.
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119,
+ DOI 10.17487/RFC2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional
+ Cryptographic Algorithms for Use with GOST 28147-89, GOST
+ R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+ Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006,
+ <http://www.rfc-editor.org/info/rfc4357>.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246,
+ DOI 10.17487/RFC5246, August 2008,
+ <http://www.rfc-editor.org/info/rfc5246>.
+
+ [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
+ Kivinen, "Internet Key Exchange Protocol Version 2
+ (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
+ 2014, <http://www.rfc-editor.org/info/rfc7296>.
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 16]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+7.2. Informative References
+
+ [GOST3411-94]
+ "Information technology. Cryptographic Data Security.
+ Hashing function", GOST R 34.11-94 Federal Agency on
+ Technical Regulating and Metrology (In Russian), 1994.
+
+ [NISTSP800-108]
+ National Institute of Standards and Technology,
+ "Recommendation for Key Derivation Using Pseudorandom
+ Functions", NIST SP 800-108, October 2009,
+ <http://csrc.nist.gov/publications/nistpubs/800-108/
+ sp800-108.pdf>.
+
+ [RFC4490] Leontiev, S., Ed. and G. Chudov, Ed., "Using the GOST
+ 28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R
+ 34.10-2001 Algorithms with Cryptographic Message Syntax
+ (CMS)", RFC 4490, DOI 10.17487/RFC4490, May 2006,
+ <http://www.rfc-editor.org/info/rfc4490>.
+
+ [RFC4491] Leontiev, S., Ed. and D. Shefanovski, Ed., "Using the GOST
+ R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94
+ Algorithms with the Internet X.509 Public Key
+ Infrastructure Certificate and CRL Profile", RFC 4491,
+ DOI 10.17487/RFC4491, May 2006,
+ <http://www.rfc-editor.org/info/rfc4491>.
+
+ [RFC5830] Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
+ and Message Authentication Code (MAC) Algorithms",
+ RFC 5830, DOI 10.17487/RFC5830, March 2010,
+ <http://www.rfc-editor.org/info/rfc5830>.
+
+ [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012:
+ Hash Function", RFC 6986, DOI 10.17487/RFC6986, August
+ 2013, <http://www.rfc-editor.org/info/rfc6986>.
+
+ [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012:
+ Digital Signature Algorithm", RFC 7091,
+ DOI 10.17487/RFC7091, December 2013,
+ <http://www.rfc-editor.org/info/rfc7091>.
+
+
+
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 17]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+Appendix A. Values of the Parameter Sets
+
+A.1. Canonical Form Parameters
+
+ Parameter set: id-tc26-gost-3410-12-512-paramSetA
+
+ SEQUENCE
+ {
+ OBJECT IDENTIFIER
+ id-tc26-gost-3410-12-512-paramSetA
+ SEQUENCE
+ {
+ INTEGER
+ 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
+ C7
+ INTEGER
+ 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
+ C4
+ INTEGER
+ 00 E8 C2 50 5D ED FC 86 DD C1 BD 0B 2B 66 67 F1
+ DA 34 B8 25 74 76 1C B0 E8 79 BD 08 1C FD 0B 62
+ 65 EE 3C B0 90 F3 0D 27 61 4C B4 57 40 10 DA 90
+ DD 86 2E F9 D4 EB EE 47 61 50 31 90 78 5A 71 C7
+ 60
+ INTEGER
+ 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60
+ 60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2
+ 75
+ INTEGER
+ 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60
+ 60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2
+ 75
+ INTEGER
+ 03
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 18]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ INTEGER
+ 75 03 CF E8 7A 83 6A E3 A6 1B 88 16 E2 54 50 E6
+ CE 5E 1C 93 AC F1 AB C1 77 80 64 FD CB EF A9 21
+ DF 16 26 BE 4F D0 36 E9 3D 75 E6 A5 0E 3A 41 E9
+ 80 28 FE 5F C2 35 F5 B8 89 A5 89 CB 52 15 F2 A4
+ }
+ }
+
+ Parameter set: id-tc26-gost-3410-12-512-paramSetB
+
+ SEQUENCE
+ {
+ OBJECT IDENTIFIER
+ id-tc26-gost-3410-12-512-paramSetB
+ SEQUENCE
+ {
+ INTEGER
+ 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 6F
+ INTEGER
+ 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 6C
+ INTEGER
+ 68 7D 1B 45 9D C8 41 45 7E 3E 06 CF 6F 5E 25 17
+ B9 7C 7D 61 4A F1 38 BC BF 85 DC 80 6C 4B 28 9F
+ 3E 96 5D 2D B1 41 6D 21 7F 8B 27 6F AD 1A B6 9C
+ 50 F7 8B EE 1F A3 10 6E FB 8C CB C7 C5 14 01 16
+ INTEGER
+ 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 01 49 A1 EC 14 25 65 A5 45 AC FD B7 7B D9 D4 0C
+ FA 8B 99 67 12 10 1B EA 0E C6 34 6C 54 37 4F 25
+ BD
+ INTEGER
+ 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 01 49 A1 EC 14 25 65 A5 45 AC FD B7 7B D9 D4 0C
+ FA 8B 99 67 12 10 1B EA 0E C6 34 6C 54 37 4F 25
+ BD
+ INTEGER
+ 02
+
+
+
+
+Smyshlyaev, et al. Informational [Page 19]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ INTEGER
+ 1A 8F 7E DA 38 9B 09 4C 2C 07 1E 36 47 A8 94 0F
+ 3C 12 3B 69 75 78 C2 13 BE 6D D9 E6 C8 EC 73 35
+ DC B2 28 FD 1E DF 4A 39 15 2C BC AA F8 C0 39 88
+ 28 04 10 55 F9 4C EE EC 7E 21 34 07 80 FE 41 BD
+ }
+ }
+
+A.2. Twisted Edwards Form Parameters
+
+ Parameter set: id-tc26-gost-3410-2012-256-paramSetA
+
+ SEQUENCE
+ {
+ OBJECT IDENTIFIER
+ id-tc26-gost-3410-2012-256-paramSetA
+ SEQUENCE
+ {
+ INTEGER
+ 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
+ 97
+ INTEGER
+ 00 C2 17 3F 15 13 98 16 73 AF 48 92 C2 30 35 A2
+ 7C E2 5E 20 13 BF 95 AA 33 B2 2C 65 6F 27 7E 73
+ 35
+ INTEGER
+ 29 5F 9B AE 74 28 ED 9C CC 20 E7 C3 59 A9 D4 1A
+ 22 FC CD 91 08 E1 7B F7 BA 93 37 A6 F8 AE 95 13
+ INTEGER
+ 01
+ INTEGER
+ 06 05 F6 B7 C1 83 FA 81 57 8B C3 9C FA D5 18 13
+ 2B 9D F6 28 97 00 9A F7 E5 22 C3 2D 6D C7 BF FB
+ INTEGER
+ 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 00 3F 63 37 7F 21 ED 98 D7 04 56 BD 55 B0 D8 31
+ 9C
+ INTEGER
+ 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0F D8 CD DF C8 7B 66 35 C1 15 AF 55 6C 36 0C 67
+ INTEGER
+ 00 91 E3 84 43 A5 E8 2C 0D 88 09 23 42 57 12 B2
+ BB 65 8B 91 96 93 2E 02 C7 8B 25 82 FE 74 2D AA
+ 28
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 20]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ INTEGER
+ 32 87 94 23 AB 1A 03 75 89 57 86 C4 BB 46 E9 56
+ 5F DE 0B 53 44 76 67 40 AF 26 8A DB 32 32 2E 5C
+ INTEGER
+ 0D
+ INTEGER
+ 60 CA 1E 32 AA 47 5B 34 84 88 C3 8F AB 07 64 9C
+ E7 EF 8D BE 87 F2 2E 81 F9 2B 25 92 DB A3 00 E7
+ }
+ }
+
+ Parameter set: id-tc26-gost-3410-2012-512-paramSetC
+
+ SEQUENCE
+ {
+ OBJECT IDENTIFIER
+ id-tc26-gost-3410-2012-512-paramSetC
+ SEQUENCE
+ {
+ INTEGER
+ 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD
+ C7
+ INTEGER
+ 00 DC 92 03 E5 14 A7 21 87 54 85 A5 29 D2 C7 22
+ FB 18 7B C8 98 0E B8 66 64 4D E4 1C 68 E1 43 06
+ 45 46 E8 61 C0 E2 C9 ED D9 2A DE 71 F4 6F CF 50
+ FF 2A D9 7F 95 1F DA 9F 2A 2E B6 54 6F 39 68 9B
+ D3
+ INTEGER
+ 00 B4 C4 EE 28 CE BC 6C 2C 8A C1 29 52 CF 37 F1
+ 6A C7 EF B6 A9 F6 9F 4B 57 FF DA 2E 4F 0D E5 AD
+ E0 38 CB C2 FF F7 19 D2 C1 8D E0 28 4B 8B FE F3
+ B5 2B 8C C7 A5 F5 BF 0A 3C 8D 23 19 A5 31 25 57
+ E1
+ INTEGER
+ 01
+ INTEGER
+ 00 9E 4F 5D 8C 01 7D 8D 9F 13 A5 CF 3C DF 5B FE
+ 4D AB 40 2D 54 19 8E 31 EB DE 28 A0 62 10 50 43
+ 9C A6 B3 9E 0A 51 5C 06 B3 04 E2 CE 43 E7 9E 36
+ 9E 91 A0 CF C2 BC 2A 22 B4 CA 30 2D BB 33 EE 75
+ 50
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 21]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ INTEGER
+ 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF 26 33 6E 91 94 1A AC 01 30 CE A7 FD 45 1D 40
+ B3 23 B6 A7 9E 9D A6 84 9A 51 88 F3 BD 1F C0 8F
+ B4
+ INTEGER
+ 3F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
+ C9 8C DB A4 65 06 AB 00 4C 33 A9 FF 51 47 50 2C
+ C8 ED A9 E7 A7 69 A1 26 94 62 3C EF 47 F0 23 ED
+ INTEGER
+ 00 E2 E3 1E DF C2 3D E7 BD EB E2 41 CE 59 3E F5
+ DE 22 95 B7 A9 CB AE F0 21 D3 85 F7 07 4C EA 04
+ 3A A2 72 72 A7 AE 60 2B F2 A7 B9 03 3D B9 ED 36
+ 10 C6 FB 85 48 7E AE 97 AA C5 BC 79 28 C1 95 01
+ 48
+ INTEGER
+ 00 F5 CE 40 D9 5B 5E B8 99 AB BC CF F5 91 1C B8
+ 57 79 39 80 4D 65 27 37 8B 8C 10 8C 3D 20 90 FF
+ 9B E1 8E 2D 33 E3 02 1E D2 EF 32 D8 58 22 42 3B
+ 63 04 F7 26 AA 85 4B AE 07 D0 39 6E 9A 9A DD C4
+ 0F
+ INTEGER
+ 12
+ INTEGER
+ 46 9A F7 9D 1F B1 F5 E1 6B 99 59 2B 77 A0 1E 2A
+ 0F DF B0 D0 17 94 36 8D 9A 56 11 7F 7B 38 66 95
+ 22 DD 4B 65 0C F7 89 EE BF 06 8C 5D 13 97 32 F0
+ 90 56 22 C0 4B 2B AA E7 60 03 03 EE 73 00 1A 3D
+ }
+ }
+
+Appendix B. Test Examples
+
+ 1) HMAC_GOSTR3411_2012_256
+
+ Key K:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+ 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+
+ T:
+
+ 01 26 bd b8 78 00 af 21 43 41 45 65 63 78 01 00
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 22]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ HMAC_GOSTR3411_2012_256 (K, T) value:
+
+ a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34
+ 01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9
+
+ 2) HMAC_GOSTR3411_2012_512
+
+ Key K:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+ 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+
+ T:
+
+ 01 26 bd b8 78 00 af 21 43 41 45 65 63 78 01 00
+
+ HMAC_GOSTR3411_2012_512 (K, T) value:
+
+ a5 9b ab 22 ec ae 19 c6 5f bd e6 e5 f4 e9 f5 d8
+ 54 9d 31 f0 37 f9 df 9b 90 55 00 e1 71 92 3a 77
+ 3d 5f 15 30 f2 ed 7e 96 4c b2 ee dc 29 e9 ad 2f
+ 3a fe 93 b2 81 4f 79 f5 00 0f fc 03 66 c2 51 e6
+
+ 3) PRF_TLS_GOSTR3411_2012_256
+
+ Key K:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+ 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+
+ Seed:
+
+ 18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56
+ 0b 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 9a
+
+ Label:
+
+ 11 22 33 44 55
+
+ Output T1:
+
+ ff 09 66 4a 44 74 58 65 94 4f 83 9e bb 48 96 5f
+ 15 44 ff 1c c8 e8 f1 6f 24 7e e5 f8 a9 eb e9 7f
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 23]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ Output T2:
+
+ c4 e3 c7 90 0e 46 ca d3 db 6a 01 64 30 63 04 0e
+ c6 7f c0 fd 5c d9 f9 04 65 23 52 37 bd ff 2c 02
+
+ 4) PRF_TLS_GOSTR3411_2012_512
+
+ Key K:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+ 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+
+ Seed:
+
+ 18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56
+ 0b 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 9a
+
+ Label:
+
+ 11 22 33 44 55
+
+ Output T1:
+
+ f3 51 87 a3 dc 96 55 11 3a 0e 84 d0 6f d7 52 6c
+ 5f c1 fb de c1 a0 e4 67 3d d6 d7 9d 0b 92 0e 65
+ ad 1b c4 7b b0 83 b3 85 1c b7 cd 8e 7e 6a 91 1a
+ 62 6c f0 2b 29 e9 e4 a5 8e d7 66 a4 49 a7 29 6d
+
+ Output T2:
+
+ e6 1a 7a 26 c4 d1 ca ee cf d8 0c ca 65 c7 1f 0f
+ 88 c1 f8 22 c0 e8 c0 ad 94 9d 03 fe e1 39 57 9f
+ 72 ba 0c 3d 32 c5 f9 54 f1 cc cd 54 08 1f c7 44
+ 02 78 cb a1 fe 7b 7a 17 a9 86 fd ff 5b d1 5d 1f
+
+ 5) PRF_IPSEC_PRFPLUS_GOSTR3411_2012_256
+
+ Key K:
+
+ c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19
+ 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21
+
+ Data S:
+
+ 01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 24]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ Output T1:
+
+ 2d e5 ee 84 e1 3d 7b e5 36 16 67 39 13 37 0a b0
+ 54 c0 74 b7 9b 69 a8 a8 46 82 a9 f0 4f ec d5 87
+
+ Output T2:
+
+ 29 f6 0d da 45 7b f2 19 aa 2e f9 5d 7a 59 be 95
+ 4d e0 08 f4 a5 0d 50 4d bd b6 90 be 68 06 01 53
+
+ 6) PRF_IPSEC_PRFPLUS_GOSTR3411_2012_512
+
+ Key K:
+
+ c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19
+ 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21
+
+ Data S:
+
+ 01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00
+
+ Output T1:
+
+ 5d a6 71 43 a5 f1 2a 6d 6e 47 42 59 6f 39 24 3f
+ cc 61 57 45 91 5b 32 59 10 06 ff 78 a2 08 63 d5
+ f8 8e 4a fc 17 fb be 70 b9 50 95 73 db 00 5e 96
+ 26 36 98 46 cb 86 19 99 71 6c 16 5d d0 6a 15 85
+
+ Output T2:
+
+ 48 34 49 5a 43 74 6c b5 3f 0a ba 3b c4 6e bc f8
+ 77 3c a6 4a d3 43 c1 22 ee 2a 57 75 57 03 81 57
+ ee 9c 38 8d 96 ef 71 d5 8b e5 c1 ef a1 af a9 5e
+ be 83 e3 9d 00 e1 9a 5d 03 dc d6 0a 01 bc a8 e3
+
+ 7) VKO_GOSTR3410_2012_256 with 256-bit output on the GOST
+ R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA
+
+ UKM value:
+
+ 1d 80 60 3c 85 44 c7 27
+
+ Private key x of A:
+
+ c9 90 ec d9 72 fc e8 4e c4 db 02 27 78 f5 0f ca
+ c7 26 f4 67 08 38 4b 8d 45 83 04 96 2d 71 47 f8
+ c2 db 41 ce f2 2c 90 b1 02 f2 96 84 04 f9 b9 be
+ 6d 47 c7 96 92 d8 18 26 b3 2b 8d ac a4 3c b6 67
+
+
+
+Smyshlyaev, et al. Informational [Page 25]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ Public key x*P of A (curve point (X, Y)):
+
+ aa b0 ed a4 ab ff 21 20 8d 18 79 9f b9 a8 55 66
+ 54 ba 78 30 70 eb a1 0c b9 ab b2 53 ec 56 dc f5
+ d3 cc ba 61 92 e4 64 e6 e5 bc b6 de a1 37 79 2f
+ 24 31 f6 c8 97 eb 1b 3c 0c c1 43 27 b1 ad c0 a7
+ 91 46 13 a3 07 4e 36 3a ed b2 04 d3 8d 35 63 97
+ 1b d8 75 8e 87 8c 9d b1 14 03 72 1b 48 00 2d 38
+ 46 1f 92 47 2d 40 ea 92 f9 95 8c 0f fa 4c 93 75
+ 64 01 b9 7f 89 fd be 0b 5e 46 e4 a4 63 1c db 5a
+
+ Private key y of part B:
+
+ 48 c8 59 f7 b6 f1 15 85 88 7c c0 5e c6 ef 13 90
+ cf ea 73 9b 1a 18 c0 d4 66 22 93 ef 63 b7 9e 3b
+ 80 14 07 0b 44 91 85 90 b4 b9 96 ac fe a4 ed fb
+ bb cc cc 8c 06 ed d8 bf 5b da 92 a5 13 92 d0 db
+
+ Public key y*P of B (curve point (X, Y)):
+
+ 19 2f e1 83 b9 71 3a 07 72 53 c7 2c 87 35 de 2e
+ a4 2a 3d bc 66 ea 31 78 38 b6 5f a3 25 23 cd 5e
+ fc a9 74 ed a7 c8 63 f4 95 4d 11 47 f1 f2 b2 5c
+ 39 5f ce 1c 12 91 75 e8 76 d1 32 e9 4e d5 a6 51
+ 04 88 3b 41 4c 9b 59 2e c4 dc 84 82 6f 07 d0 b6
+ d9 00 6d da 17 6c e4 8c 39 1e 3f 97 d1 02 e0 3b
+ b5 98 bf 13 2a 22 8a 45 f7 20 1a ba 08 fc 52 4a
+ 2d 77 e4 3a 36 2a b0 22 ad 40 28 f7 5b de 3b 79
+
+ KEK_VKO value:
+
+ c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19
+ 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21
+
+ 8) VKO_GOSTR3410_2012_512 with 512-bit output on the GOST
+ R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA
+
+ UKM value:
+
+ 1d 80 60 3c 85 44 c7 27
+
+ Private key x of A:
+
+ c9 90 ec d9 72 fc e8 4e c4 db 02 27 78 f5 0f ca
+ c7 26 f4 67 08 38 4b 8d 45 83 04 96 2d 71 47 f8
+ c2 db 41 ce f2 2c 90 b1 02 f2 96 84 04 f9 b9 be
+ 6d 47 c7 96 92 d8 18 26 b3 2b 8d ac a4 3c b6 67
+
+
+
+
+Smyshlyaev, et al. Informational [Page 26]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ Public key x*P of A (curve point (X, Y)):
+
+ aa b0 ed a4 ab ff 21 20 8d 18 79 9f b9 a8 55 66
+ 54 ba 78 30 70 eb a1 0c b9 ab b2 53 ec 56 dc f5
+ d3 cc ba 61 92 e4 64 e6 e5 bc b6 de a1 37 79 2f
+ 24 31 f6 c8 97 eb 1b 3c 0c c1 43 27 b1 ad c0 a7
+ 91 46 13 a3 07 4e 36 3a ed b2 04 d3 8d 35 63 97
+ 1b d8 75 8e 87 8c 9d b1 14 03 72 1b 48 00 2d 38
+ 46 1f 92 47 2d 40 ea 92 f9 95 8c 0f fa 4c 93 75
+ 64 01 b9 7f 89 fd be 0b 5e 46 e4 a4 63 1c db 5a
+
+ Private key y of B:
+
+ 48 c8 59 f7 b6 f1 15 85 88 7c c0 5e c6 ef 13 90
+ cf ea 73 9b 1a 18 c0 d4 66 22 93 ef 63 b7 9e 3b
+ 80 14 07 0b 44 91 85 90 b4 b9 96 ac fe a4 ed fb
+ bb cc cc 8c 06 ed d8 bf 5b da 92 a5 13 92 d0 db
+
+ Public key y*P of B (curve point (X, Y)):
+
+ 19 2f e1 83 b9 71 3a 07 72 53 c7 2c 87 35 de 2e
+ a4 2a 3d bc 66 ea 31 78 38 b6 5f a3 25 23 cd 5e
+ fc a9 74 ed a7 c8 63 f4 95 4d 11 47 f1 f2 b2 5c
+ 39 5f ce 1c 12 91 75 e8 76 d1 32 e9 4e d5 a6 51
+ 04 88 3b 41 4c 9b 59 2e c4 dc 84 82 6f 07 d0 b6
+ d9 00 6d da 17 6c e4 8c 39 1e 3f 97 d1 02 e0 3b
+ b5 98 bf 13 2a 22 8a 45 f7 20 1a ba 08 fc 52 4a
+ 2d 77 e4 3a 36 2a b0 22 ad 40 28 f7 5b de 3b 79
+
+ KEK_VKO value:
+
+ 79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97
+ ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa
+ 7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9
+ f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df
+
+ 9) Key derivation function KDF_GOSTR3411_2012_256
+
+ K_in key:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+ 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+
+ Label:
+
+ 26 bd b8 78
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 27]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ Seed:
+
+ af 21 43 41 45 65 63 78
+
+ KDF(K_in, label, seed) value:
+
+ a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34
+ 01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9
+
+ 10) Key derivation function KDF_TREE_GOSTR3411_2012_256
+
+ Output size of L:
+
+ 512
+
+ K_in key:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+ 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+
+ Label:
+
+ 26 bd b8 78
+
+ Seed:
+
+ af 21 43 41 45 65 63 78
+
+ K1:
+
+ 22 b6 83 78 45 c6 be f6 5e a7 16 72 b2 65 83 10
+ 86 d3 c7 6a eb e6 da e9 1c ad 51 d8 3f 79 d1 6b
+
+ K2:
+
+ 07 4c 93 30 59 9d 7f 8d 71 2f ca 54 39 2f 4d dd
+ e9 37 51 20 6b 35 84 c8 f4 3f 9e 6d c5 15 31 f9
+
+ R:
+
+ 1
+
+
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 28]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ 11) Key wrap and unwrap with the szOID_Gost28147_89_TC26_Z_ParamSet
+ parameters
+
+ Key K_e:
+
+ 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+ 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f
+
+ Key K:
+
+ 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f
+ 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f
+
+ Seed:
+
+ af 21 43 41 45 65 63 78
+
+ Label:
+
+ 26 bd b8 78
+
+ KEK_e(seed) = KDF_GOSTR3411_2012_256(K_e, label, seed):
+
+ a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34
+ 01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9
+
+ CEK_MAC:
+
+ be 33 f0 52
+
+ CEK_ENC:
+
+ d1 55 47 f8 ee 85 12 1b c8 7d 4b 10 27 d2 60 27
+ ec c0 71 bb a6 e7 2f 3f ec 6f 62 0f 56 83 4c 5a
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 29]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+Appendix C. GOST 28147-89 Parameter Set
+
+ The parameter set has the following object identifier:
+
+ id-tc26-gost-28147-param-Z::= {iso(1) member-body(2) ru(643)
+ rosstandart(7) tc26(1) constants(2) cipher-constants(5)
+ gost-28147-constants(1) param-Z(1)}
+
+ The parameter set is defined below:
+
+ x K1(x) K2(x) K3(x) K4(x) K5(x) K6(x) K7(x) K8(x)
+ ------------------------------------------------------------
+ 0 | c 6 b c 7 5 8 1
+ 1 | 4 8 3 8 f d e 7
+ 2 | 6 2 5 2 5 f 2 e
+ 3 | 2 3 8 1 a 6 5 d
+ 4 | a 9 2 d 8 9 6 0
+ 5 | 5 a f 4 1 2 9 5
+ 6 | b 5 a f 6 c 1 8
+ 7 | 9 c d 6 d a c 3
+ 8 | e 1 e 7 0 b f 4
+ 9 | 8 e 1 0 9 7 4 f
+ a | d 4 7 a 3 8 b a
+ b | 7 7 4 5 e 1 0 6
+ c | 0 b c 3 b 4 d 9
+ d | 3 d 9 e 4 3 a c
+ e | f 0 6 9 2 e 3 b
+ f | 1 f 0 b c 0 7 2
+
+
+Acknowledgments
+
+ We thank Valery Smyslov, Igor Ustinov, Basil Dolmatov, Russ Housley,
+ Dmitry Khovratovich, Oleksandr Kazymyrov, Ekaterina Smyshlyaeva,
+ Vasily Nikolaev, and Lolita Sonina for their careful readings and
+ useful comments.
+
+Authors' Addresses
+
+ Stanislav Smyshlyaev (editor)
+ CRYPTO-PRO
+ 18, Suschevsky val
+ Moscow 127018
+ Russian Federation
+
+ Phone: +7 (495) 995-48-20
+ Email: svs@cryptopro.ru
+
+
+
+
+Smyshlyaev, et al. Informational [Page 30]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ Evgeny Alekseev
+ CRYPTO-PRO
+ 18, Suschevsky val
+ Moscow 127018
+ Russian Federation
+
+ Phone: +7 (495) 995-48-20
+ Email: alekseev@cryptopro.ru
+
+
+ Igor Oshkin
+ CRYPTO-PRO
+ 18, Suschevsky val
+ Moscow 127018
+ Russian Federation
+
+ Phone: +7 (495) 995-48-20
+ Email: oshkin@cryptopro.ru
+
+
+ Vladimir Popov
+ CRYPTO-PRO
+ 18, Suschevsky val
+ Moscow 127018
+ Russian Federation
+
+ Phone: +7 (495) 995-48-20
+ Email: vpopov@cryptopro.ru
+
+
+ Serguei Leontiev
+ CRYPTO-PRO
+ 18, Suschevsky val
+ Moscow 127018
+ Russian Federation
+
+ Phone: +7 (495) 995-48-20
+ Email: lse@cryptopro.ru
+
+
+ Vladimir Podobaev
+ FACTOR-TS
+ 11A, 1st Magistralny proezd
+ Moscow 123290
+ Russian Federation
+
+ Phone: +7 (495) 644-31-30
+ Email: v_podobaev@factor-ts.ru
+
+
+
+Smyshlyaev, et al. Informational [Page 31]
+
+RFC 7836 Cryptographic Algorithms for GOST March 2016
+
+
+ Dmitry Belyavsky
+ TCI
+ 8, Zoologicheskaya st
+ Moscow 117218
+ Russian Federation
+
+ Phone: +7 (499) 254-24-50
+ Email: beldmit@gmail.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Smyshlyaev, et al. Informational [Page 32]
+