diff options
Diffstat (limited to 'doc/rfc/rfc7836.txt')
-rw-r--r-- | doc/rfc/rfc7836.txt | 1795 |
1 files changed, 1795 insertions, 0 deletions
diff --git a/doc/rfc/rfc7836.txt b/doc/rfc/rfc7836.txt new file mode 100644 index 0000000..72bc171 --- /dev/null +++ b/doc/rfc/rfc7836.txt @@ -0,0 +1,1795 @@ + + + + + + +Independent Submission S. Smyshlyaev, Ed. +Request for Comments: 7836 E. Alekseev +Category: Informational I. Oshkin +ISSN: 2070-1721 V. Popov + S. Leontiev + CRYPTO-PRO + V. Podobaev + FACTOR-TS + D. Belyavsky + TCI + March 2016 + + + Guidelines on the Cryptographic Algorithms to +Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012 + +Abstract + + The purpose of this document is to make the specifications of the + cryptographic algorithms defined by the Russian national standards + GOST R 34.10-2012 and GOST R 34.11-2012 available to the Internet + community for their implementation in the cryptographic protocols + based on the accompanying algorithms. + + These specifications define the pseudorandom functions, the key + agreement algorithm based on the Diffie-Hellman algorithm and a hash + function, the parameters of elliptic curves, the key derivation + functions, and the key export functions. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This is a contribution to the RFC Series, independently of any other + RFC stream. The RFC Editor has chosen to publish this document at + its discretion and makes no statement about its value for + implementation or deployment. Documents approved for publication by + the RFC Editor are not a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7836. + + + + + + + +Smyshlyaev, et al. Informational [Page 1] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +Copyright Notice + + Copyright (c) 2016 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 + 3. Basic Terms, Definitions, and Notations . . . . . . . . . . . 3 + 4. Algorithm Descriptions . . . . . . . . . . . . . . . . . . . 6 + 4.1. HMAC Functions . . . . . . . . . . . . . . . . . . . . . 6 + 4.2. Pseudorandom Functions . . . . . . . . . . . . . . . . . 7 + 4.3. VKO Algorithms for Key Agreement . . . . . . . . . . . . 8 + 4.4. The Key Derivation Function KDF_TREE_GOSTR3411_2012_256 . 10 + 4.5. The Key Derivation Function KDF_GOSTR3411_2012_256 . . . 11 + 4.6. Key Wrap and Key Unwrap . . . . . . . . . . . . . . . . . 11 + 5. The Parameters of Elliptic Curves . . . . . . . . . . . . . . 12 + 5.1. Canonical Form . . . . . . . . . . . . . . . . . . . . . 13 + 5.2. Twisted Edwards Form . . . . . . . . . . . . . . . . . . 14 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 15 + 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 + 7.1. Normative References . . . . . . . . . . . . . . . . . . 16 + 7.2. Informative References . . . . . . . . . . . . . . . . . 17 + Appendix A. Values of the Parameter Sets . . . . . . . . . . . . 18 + A.1. Canonical Form Parameters . . . . . . . . . . . . . . . . 18 + A.2. Twisted Edwards Form Parameters . . . . . . . . . . . . . 20 + Appendix B. Test Examples . . . . . . . . . . . . . . . . . . . 22 + Appendix C. GOST 28147-89 Parameter Set . . . . . . . . . . . . 30 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 30 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 30 + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 2] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +1. Introduction + + The accompanying algorithms are intended for the implementation of + cryptographic protocols. This memo contains a description of the + accompanying algorithms based on the Russian national standards GOST + R 34.10-2012 [GOST3410-2012] and GOST R 34.11-2012 [GOST3411-2012]. + The English versions of these standards can be found in [RFC7091] and + [RFC6986]; the English version of the encryption standard GOST + 28147-89 [GOST28147-89] (which is used in the key export functions) + can be found in [RFC5830]. + + The specifications of algorithms and parameters proposed in this memo + are provided on the basis of experience in the development of the + cryptographic protocols, as described in [RFC4357], [RFC4490], and + [RFC4491]. + + This memo describes the pseudorandom functions, the key agreement + algorithm based on the Diffie-Hellman algorithm and a hash function, + the parameters of elliptic curves, the key derivation functions, and + the key export functions necessary to ensure interoperability of + security protocols that make use of the Russian cryptographic + standards GOST R 34.10-2012 [GOST3410-2012] digital signature + algorithm and GOST R 34.11-2012 [GOST3411-2012] cryptographic hash + function. + +2. Conventions Used in This Document + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +3. Basic Terms, Definitions, and Notations + + This document uses the following terms and definitions for the sets + and operations on the elements of these sets: + + (xor) Exclusive-or of two binary vectors of the same length. + + V_n The finite vector space over GF(2) of dimension n, n >= 0, + with the (xor) operation. For n = 0, the V_0 space consists + of a single empty element of size 0. + If U is an element of V_n, then U = (u_(n-1), u_(n-2), ..., + u_1, u_0), where u_i in {0, 1}. + + + + + + + + +Smyshlyaev, et al. Informational [Page 3] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + V_(8, r) + The set of byte vectors of size r, r >= 0, for r = 0 the + V_(8, r) set consists of a single empty element of size 0. + If W is an element of V_(8, r), r > 0, then W = (w^0, w^1, + ..., w^(r-1)), where w^0, w^1, ..., w^(r-1) are elements of + V_8. + + Bit representation + The bit representation of the element W = (w^0, w^1, ..., + w^(r-1)) of V_(8, r) is an element (w_(8r-1), w_(8r-2), ..., + w_1, w_0) of V_(8*r), where w^0 = (w_7, w_6, ..., w_0), + w^1 = (w_15, w_14, ..., w_8), ..., w^(r-1) = (w_(8r-1), + w_(8r-2), ..., w_(8r-8)) are elements of V_8. + + Byte representation + If n is a multiple of 8, r = n/8, then the byte + representation of the element W = (w_(n-1), w_(n-2), ..., + w_0) of V_n is a byte vector (w^0, w^1, ..., w^(r-1)) of + V_(8, r), where w^0 = (w_7, w_6, ..., w_0), w^1 = (w_15, + w_14, ..., w_8), ..., w^(r-1) = (w_(8r-1), w_(8r-2), ..., + w_(8r-8)) are elements of V_8. + + A|B Concatenation of byte vectors A and B, i.e., if A in + V_(8, r1), B in V_(8, r2), A = (a^0, a^1, ..., a^(r1-1)) and + B = (b^0, b^1, ..., b^(r2-1)), then A|B = (a^0, a^1, ..., + a^(r1-1), b^0, b^1, ..., b^(r2-1)) is an element of V_(8, + r1+r2). + + K (key) An arbitrary element of V_n. If K in V_n, then its size (in + bits) is equal to n, where n can be an arbitrary natural + number. + + + + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 4] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + This memo uses the following abbreviations and symbols: + + +---------+---------------------------------------------------------+ + | Symbols | Meaning | + +---------+---------------------------------------------------------+ + | H_256 | GOST R 34.11-2012 hash function with 256-bit output | + | | | + | H_512 | GOST R 34.11-2012 hash function with 512-bit output | + | | | + | HMAC | Hashed-based Message Authentication Code. A function | + | | for calculating a message authentication code, based on | + | | a hash function in accordance with [RFC2104] | + | | | + | PRF | A pseudorandom function, i.e., a transformation that | + | | allows generation of a pseudorandom sequence of bytes | + | | | + | KDF | A key derivation function, i.e., a transformation that | + | | allows keys and keying material to be derived from the | + | | root key and additional input using a pseudorandom | + | | function | + | | | + | VKO | A key agreement algorithm based on the Diffie-Hellman | + | | algorithm and a hash function | + +---------+---------------------------------------------------------+ + + To generate a byte sequence of the size r with functions that give a + longer output, the output is truncated to the first r bytes. This + remark applies to the following functions: + + o the functions described in Section 4.2; + + o KDF_TREE_GOSTR3411_2012_256 described in Section 4.4; + + o KDF_GOSTR3411_2012_256 described in Section 4.5. + + Hereinafter, all data are provided in byte representation unless + otherwise specified. + + If a function is defined outside this document (e.g., H_256) and its + definition requires arguments in bit representation, it is assumed + that the bit representations of the arguments are formed immediately + before the calculation of the function (in particular, immediately + after the application of the operation (|) to the byte representation + of the arguments). + + If the output of another function defined outside of this document is + used as an argument of the functions defined below and it has the bit + representation, then it is assumed that an output MUST have a length + + + +Smyshlyaev, et al. Informational [Page 5] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + that is a multiple of 8 and that it will be translated into the byte + representation in advance. + + When a point on an elliptic curve is given to an input of a hash + function, affine coordinates for short Weierstrass form are used (see + Section 5): an x coordinate value is fed first, a y coordinate value + is fed second, both in little-endian format. + +4. Algorithm Descriptions + +4.1. HMAC Functions + + This section defines the HMAC transformations based on the GOST R + 34.11-2012 [GOST3411-2012] algorithm. + +4.1.1. HMAC_GOSTR3411_2012_256 + + This HMAC transformation is based on the GOST R 34.11-2012 + [GOST3411-2012] hash function with 256-bit output. The object + identifier of this transformation is shown below: + + id-tc26-hmac-gost-3411-12-256::= {iso(1) member-body(2) ru(643) + rosstandart(7) tc26(1) algorithms(1) mac(4) hmac-gost- + 3411-12-256(1)}. + + This algorithm uses H_256 as a hash function for HMAC, described in + [RFC2104]. The method of forming the values of ipad and opad is also + specified in [RFC2104]. The size of HMAC_GOSTR3411_2012_256 output + is equal to 32 bytes, the block size of the iterative procedure for + the H_256 compression function is equal to 64 bytes (in the notation + of [RFC2104], L = 32 and B = 64, respectively). + +4.1.2. HMAC_GOSTR3411_2012_512 + + This HMAC transformation is based on the GOST R 34.11-2012 + [GOST3411-2012] hash function with 512-bit output. The object + identifier of this transformation is shown below: + + id-tc26-hmac-gost-3411-12-512::= {iso(1) member-body(2) ru(643) + rosstandart(7) tc26(1) algorithms(1) mac(4) hmac-gost- + 3411-12-512(2)}. + + This algorithm uses H_512 as a hash function for HMAC, described in + [RFC2104]. The method of forming the values of ipad and opad is also + specified in [RFC2104]. The size of HMAC_GOSTR3411_2012_512 output + is equal to 64 bytes, the block size of the iterative procedure for + the H_512 compression function is equal to 64 bytes (in the notation + of [RFC2104], L = 64 and B = 64, respectively). + + + +Smyshlyaev, et al. Informational [Page 6] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +4.2. Pseudorandom Functions + + This section defines four HMAC-based PRF transformations recommended + for usage. Two of them are designed for the Transport Layer Security + (TLS) protocol and two are designed for the IPsec protocol. + +4.2.1. PRFs for the TLS Protocol + +4.2.1.1. PRF_TLS_GOSTR3411_2012_256 + + This is the transformation providing the pseudorandom function for + the TLS protocol (1.0 and higher versions) in accordance with GOST R + 34.11-2012 [GOST3411-2012]. It uses the P_GOSTR3411_2012_256 + function that is similar to the P_hash function defined in Section 5 + of [RFC5246], where the HMAC_GOSTR3411_2012_256 function (defined in + Section 4.1.1 of this document) is used as the HMAC_hash function. + + PRF_TLS_GOSTR3411_2012_256 (secret, label, seed) = + = P_GOSTR3411_2012_256 (secret, label | seed). + + Label and seed values MUST be assigned by a protocol, their lengths + SHOULD be fixed by a protocol in order to avoid possible collisions. + +4.2.1.2. PRF_TLS_GOSTR3411_2012_512 + + This is the transformation providing the pseudorandom function for + the TLS protocol (1.0 and higher versions) in accordance with GOST R + 34.11-2012 [GOST3411-2012]. It uses the P_GOSTR3411_2012_512 + function that is similar to the P_hash function defined in Section 5 + of [RFC5246], where the HMAC_GOSTR3411_2012_512 function (defined in + Section 4.1.2 of this document) is used as the HMAC_hash function. + + PRF_TLS_GOSTR3411_2012_512 (secret, label, seed) = + = P_GOSTR3411_2012_512 (secret, label | seed). + + Label and seed values MUST be assigned by a protocol, their lengths + SHOULD be fixed by a protocol in order to avoid possible collisions. + +4.2.2. PRFs for the IKEv2 Protocol Based on GOST R 34.11-2012 + + The specification for the Internet Key Exchange protocol version 2 + (IKEv2) [RFC7296] defines the usage of PRFs in various parts of the + protocol for the purposes of generating and authenticating keying + material. + + IKEv2 has no default PRF. This document specifies that + HMAC_GOSTR3411_2012_256 may be used as the "prf" function in the + "prf+" function for the IKEv2 protocol + + + +Smyshlyaev, et al. Informational [Page 7] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + (PRF_IPSEC_PRFPLUS_GOSTR3411_2012_256). Also, this document + specifies that HMAC_GOSTR3411_2012_512 may be used as the "prf" + function in the "prf+" function for the IKEv2 protocol + (PRF_IPSEC_PRFPLUS_GOSTR3411_2012_512). + +4.3. VKO Algorithms for Key Agreement + + This section specifies the key agreement algorithms based on GOST R + 34.10-2012 [GOST3410-2012]. + +4.3.1. VKO_GOSTR3410_2012_256 + + The VKO_GOSTR3410_2012_256 transformation is used for agreement of + 256-bit keys and is based on the 256-bit version of GOST R 34.11-2012 + [GOST3411-2012]. This algorithm can be applied for a key agreement + using GOST R 34.10-2012 [GOST3410-2012] with 256-bit or 512-bit + private keys. + + The algorithm is designed to produce an encryption key or a keying + material of size 256 bits to be used in various cryptographic + protocols. A key or a keying material KEK_VKO (x, y, UKM) is + produced from the private key x of one side, the public key y*P of + the opposite side and the User Keying Material (UKM) value. + + The algorithm can be used for static and ephemeral keys with the + public key size n >= 512 bits including the case where one side uses + a static key and the other uses an ephemeral one. + + The UKM parameter is optional (the default UKM = 1) and can take any + integer value from 1 to 2^(n/2)-1. It is allowed to use a non-zero + UKM of an arbitrary size that does not exceed n/2 bits. If at least + one of the parties uses static keys, the RECOMMENDED length of UKM is + 64 bits or more. + + KEK_VKO (x, y, UKM) is calculated using the formulas: + + KEK_VKO (x, y, UKM) = H_256 (K (x, y, UKM)), + + K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P), + + where m and q are the parameters of an elliptic curve defined in the + GOST R 34.10-2012 [GOST3411-2012] standard (m is an elliptic curve + points group order, q is an order of a cyclic subgroup), P is a non- + zero point of the subgroup; P is defined by a protocol. + + This algorithm is defined similar to the one specified in Section 5.2 + of [RFC4357], but applies the hash function H_256 instead of the hash + function GOST R 34.11-94 [GOST3411-94] (referred to as "gostR3411"). + + + +Smyshlyaev, et al. Informational [Page 8] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + In addition, K(x, y, UKM) is calculated with public key size n >= 512 + bits and UKM has a size up to n/2 bits. + +4.3.2. VKO_GOSTR3410_2012_512 + + The VKO_GOSTR3410_2012_512 transformation is used for agreement of + 512-bit keys and is based on the 512-bit version of GOST R 34.11-2012 + [GOST3411-2012]. This algorithm can be applied for a key agreement + using GOST R 34.10-2012 [GOST3410-2012] with 512-bit private keys. + + The algorithm is designed to produce an encryption key or a keying + material of size 512 bits to be used in various cryptographic + protocols. A key or a keying material KEK_VKO (x, y, UKM) is + produced from the private key x of one side, the public key y*P of + the opposite side and the UKM value, considered as an integer. + + The algorithm can be used for static and ephemeral keys with the + public key size n >= 1024 bits including the case where one side uses + a static key and the other uses an ephemeral one. + + The UKM parameter is optional (the default UKM = 1) and can take any + integer value from 1 to 2^(n/2)-1. It is allowed to use a non-zero + UKM of an arbitrary size that does not exceed n/2 bits. If at least + one of the parties uses static keys, the RECOMMENDED length of UKM is + 128 bits or more. + + KEK_VKO (x, y, UKM) is calculated using the formulas: + + KEK_VKO (x, y, UKM) = H_512 (K (x, y, UKM)), + + K (x, y, UKM) = (m/q*UKM*x mod q)*(y*P), + + where m and q are the parameters of an elliptic curve defined in the + GOST R 34.10-2012 [GOST3411-2012] standard (m is an elliptic curve + points group order, q is an order of a cyclic subgroup), P is a non- + zero point of the subgroup; P is defined by a protocol. + + This algorithm is defined similar to the one specified in Section 5.2 + of [RFC4357], but applies the hash function H_512 instead of the hash + function GOST R 34.11-94 [GOST3411-94] (referred to as "gostR3411"). + In addition, K(x, y, UKM) is calculated with public key size n >= + 1024 bits and UKM has a size up to n/2 bits. + + + + + + + + + +Smyshlyaev, et al. Informational [Page 9] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +4.4. The Key Derivation Function KDF_TREE_GOSTR3411_2012_256 + + The key derivation function KDF_TREE_GOSTR3411_2012_256 based on the + HMAC_GOSTR3411_2012_256 function is given by: + + KDF_TREE_GOSTR3411_2012_256 (K_in, label, seed, R) = K(1) | K(2) | + K(3) | K(4) |..., + + K(i) = HMAC_GOSTR3411_2012_256 (K_in, [i]_b | label | 0x00 | seed + | [L]_b), i >= 1, + + where: + + K_in Derivation key. + + label, seed + The parameters that MUST be assigned by a protocol; their + lengths SHOULD be fixed by a protocol. + + R A fixed external parameter, with possible values of 1, 2, 3, + or 4. + + i Iteration counter. + + [i]_b Byte representation of the iteration counter (in the network + byte order); the number of bytes in the representation [i]_b + is equal to R (no more than 4 bytes). + + L The required size (in bits) of the generated keying material + (an integer, not exceeding 256*(2^(8*R)-1)). + + [L]_b Byte representation of L, in network byte order (variable + length: no leading zero bytes added). + + The key derivation function KDF_TREE_GOSTR3411_2012_256 is intended + for generating a keying material of size L, not exceeding + 256*(2^(8*R)-1) bits, and utilizing general principles of the input + and output for the key derivation function outlined in Section 5.1 of + NIST SP 800-108 [NISTSP800-108]. The HMAC_GOSTR3411_2012_256 + algorithm described in Section 4.1.1 is selected as a pseudorandom + function. + + Each key derived from the keying material formed using the derivation + key K_in (0-level key) may be a 1-level derivation key and may be + used to generate a new keying material. The keying material derived + from the first level derivation key can be split down into the second + level derivation keys. The application of this procedure leads to + the construction of the key tree with the root key and the formation + + + +Smyshlyaev, et al. Informational [Page 10] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + of the keying material to the hierarchy of the levels, as described + in Section 6 of NIST SP 800-108 [NISTSP800-108]. The partitioning + procedure for keying material at each level is defined in accordance + with a specific protocol. + +4.5. The Key Derivation Function KDF_GOSTR3411_2012_256 + + The KDF_GOSTR3411_2012_256 function is equivalent to the function + KDF_TREE_GOSTR3411_2012_256, when R = 1, L = 256, and is given by: + + KDF_GOSTR3411_2012_256 (K_in, label, seed) = + HMAC_GOSTR3411_2012_256 (K_in, 0x01 | label | 0x00 | seed | 0x01 | + 0x00), + + where: + + K_in Derivation key. + + label, seed + The parameters that MUST be assigned by a protocol; their + lengths SHOULD be fixed by a protocol. + +4.6. Key Wrap and Key Unwrap + + Wrapped representation of a secret key K (256-bit GOST 28147-89 + [GOST28147-89] key, 256-bit or 512-bit GOST R 34.10-2012 + [GOST3410-2012] private key) is formed as follows by using a given + export key K_e (GOST 28147-89 [GOST28147-89] key) and a random seed + vector: + + 1. Generate a random seed vector from 8 up to 16 bytes. + + 2. With the key derivation function, using an export key K_e as a + derivation key, produce a key KEK_e (K_e, seed), where: + + KEK_e (K_e, seed) = KDF_GOSTR3411_2012_256 (K_e, label, seed), + + where the KDF_GOSTR3411_2012_256 function (see Section 4.5) is + used as a key derivation function for the fixed label value + + label = (0x26 | 0xBD | 0xB8 | 0x78). + + 3. GOST 28147-89 [GOST28147-89] Message Authentication Code (MAC) + value (4-byte) for the data K and the key KEK_e (K_e, seed) is + calculated; the initialization vector (IV) in this case is equal + to the first 8 bytes of seed. The resulting value is denoted as + CEK_MAC. + + + + +Smyshlyaev, et al. Informational [Page 11] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + 4. The key K is encrypted with the GOST 28147-89 [GOST28147-89] + algorithm in the Electronic Codebook (ECB) mode with the key + KEK_e (K_e, seed). The result is denoted as CEK_ENC. + + 5. The wrapped representation of the key is (seed | CEK_ENC | + CEK_MAC). + + The value of key K is restored from the wrapped representation of the + key and the export key K_e as follows: + + 1. Obtain the seed, CEK_ENC and CEK_MAC values from the wrapped + representation of the key. + + 2. With the key derivation function, using the export key K_e as a + derivation key, produce a key KEK_e(K_e, seed), where: + + KEK_e (K_e, seed) = KDF_GOSTR3411_2012_256 (K_e, label, seed), + + where the KDF_GOSTR3411_2012_256 function (see Section 4.5) is + used as a key derivation function for the fixed label value + + label = (0x26 | 0xBD | 0xB8 | 0x78). + + 3. The CEK_ENC field is decrypted with the GOST 28147-89 + [GOST28147-89] algorithm in the Electronic Codebook (ECB) mode + with the key KEK_e(K_e, seed). The unwrapped key K is assumed to + be equal to the result of decryption. + + 4. GOST 28147-89 [GOST28147-89] MAC value (4-byte) for the data K + and the key KEK_e(K_e, seed) is calculated; the initialization + vector (IV) in this case is equal to the first 8 bytes of seed. + If the result is not equal to CEK_MAC, an error is returned. + + The GOST 28147-89 [GOST28147-89] algorithm is used with the parameter + set defined in Appendix C of this document. + +5. The Parameters of Elliptic Curves + + This section defines the elliptic curves parameters and object + identifiers that are RECOMMENDED for usage with the signature and + verification algorithms of the digital signature in accordance with + the GOST R 34.10-2012 [GOST3410-2012] standard and with the key + agreement algorithms VKO_GOSTR3410_2012_256 and + VKO_GOSTR3410_2012_512. + + This document does not negate the use of other parameters of elliptic + curves. + + + + +Smyshlyaev, et al. Informational [Page 12] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +5.1. Canonical Form + + This section defines the elliptic curves parameters of the GOST R + 34.10-2012 [GOST3410-2012] standard for the case of elliptic curves + with prime 512-bit moduli in canonical (short Weierstrass) form, that + is given by the following equation defined in GOST R 34.10-2012 + [GOST3410-2012]: + + y^2 = x^3 + ax + b (mod p). + + In case of elliptic curves with 256-bit prime moduli, the parameters + defined in [RFC4357] are proposed for use. + +5.1.1. Parameters and Object Identifiers + + The parameters for each elliptic curve are represented by the + following values, which are defined in GOST R 34.10-2012 + [GOST3410-2012]: + + p the characteristic of the underlying prime field; + + a, b the coefficients of the equation of the elliptic curve in the + canonical form; + + m the elliptic curve group order; + + q the elliptic curve subgroup order; + + (x, y) the coordinates of the point P (generator of the subgroup of + order q) of the elliptic curve in the canonical form. + + Both sets of the parameters are presented as structures of the form: + + SEQUENCE { + p INTEGER, + a INTEGER, + b INTEGER, + m INTEGER, + q INTEGER, + x INTEGER, + y INTEGER + } + + The parameter sets have the following object identifiers: + + 1. id-tc26-gost-3410-12-512-paramSetA::= {iso(1) member-body(2) + ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) + gost-3410-12-512-constants(2) paramSetA(1)}; + + + +Smyshlyaev, et al. Informational [Page 13] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + 2. id-tc26-gost-3410-12-512-paramSetB::= {iso(1) member-body(2) + ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) + gost-3410-12-512-constants(2) paramSetB(2)}. + + The corresponding values of the parameter sets can be found in + Appendix A.1. + +5.2. Twisted Edwards Form + + This section defines the elliptic curves parameters and object + identifiers of the GOST R 34.10-2012 [GOST3410-2012] standard for the + case of elliptic curves that have a representation in the twisted + Edwards form with prime 256-bit and 512-bit moduli. + + A twisted Edwards curve E over a finite prime field F_p, p > 3, is an + elliptic curve defined by the equation: + + e*u^2 + v^2 = 1 + d*u^2*v^2 (mod p), + + where e, d are in F_p, ed(e-d) != 0. + + A twisted Edwards curve has an equivalent representation in the short + Weierstrass form defined by parameters a, b. The parameters a, b, e, + and d are related as follows: + + a = s^2 - 3*t^2 (mod p), + b = 2*t^3 - t*s^2 (mod p), + + where: + + s = (e - d)/4 (mod p), + t = (e + d)/6 (mod p). + + Coordinate transformations are defined as follows: + + (u,v) --> (x,y) = (s(1 + v)/(1 - v) + t, s(1 + v)/((1 - v)u)), + (x,y) --> (u,v) = ((x - t)/y, (x - t - s)/(x - t + s)). + +5.2.1. Parameters and Object Identifiers + + The parameters for each elliptic curve are represented by the + following values, which are defined in GOST R 34.10-2012 + [GOST3410-2012]: + + p The characteristic of the underlying prime field. + + a, b The coefficients of the equation of the elliptic curve in the + canonical form. + + + +Smyshlyaev, et al. Informational [Page 14] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + e, d The coefficients of the equation of the elliptic curve in the + twisted Edwards form. + + m The elliptic curve group order. + + q The elliptic curve subgroup order. + + (x, y) The coordinates of the point P (generator of the subgroup of + order q) of the elliptic curve in the canonical form. + + (u, v) The coordinates of the point P (generator of the subgroup of + order q) of the elliptic curve in the twisted Edwards form. + + Both sets of the parameters are presented as ASN structures of the + form: + + SEQUENCE { + p INTEGER, + a INTEGER, + b INTEGER, + e INTEGER, + d INTEGER, + m INTEGER, + q INTEGER, + x INTEGER, + y INTEGER, + u INTEGER, + v INTEGER + } + + The parameter sets have the following object identifiers: + + 1. id-tc26-gost-3410-2012-256-paramSetA ::= {iso(1) member-body(2) + ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) + gost-3410-12-256-constants(1) paramSetA(1)}; + + 2. id-tc26-gost-3410-2012-512-paramSetC ::= {iso(1) member-body(2) + ru(643) rosstandart(7) tc26(1) constants(2) sign-constants(1) + gost-3410-12-512-constants(2) paramSetC(3)}. + + The corresponding values of the parameter sets can be found in + Appendix A.2. + +6. Security Considerations + + This entire document is about security considerations. + + + + + +Smyshlyaev, et al. Informational [Page 15] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +7. References + +7.1. Normative References + + [GOST28147-89] + "Systems of information processing. Cryptographic data + security. Algorithms of cryptographic transformation", + GOST 28147-89 Gosudarstvennyi Standard of USSR, Government + Committee of the USSR for Standards, 1989. + + [GOST3410-2012] + "Information technology. Cryptographic data security. + Signature and verification processes of [electronic] + digital signature", GOST R 34.10-2012 Federal Agency on + Technical Regulating and Metrology (In Russian), 2012. + + [GOST3411-2012] + "Information technology. Cryptographic Data Security. + Hashing function", GOST R 34.11-2012 Federal Agency on + Technical Regulating and Metrology (In Russian), 2012. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, + DOI 10.17487/RFC2104, February 1997, + <http://www.rfc-editor.org/info/rfc2104>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <http://www.rfc-editor.org/info/rfc2119>. + + [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional + Cryptographic Algorithms for Use with GOST 28147-89, GOST + R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 + Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006, + <http://www.rfc-editor.org/info/rfc4357>. + + [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security + (TLS) Protocol Version 1.2", RFC 5246, + DOI 10.17487/RFC5246, August 2008, + <http://www.rfc-editor.org/info/rfc5246>. + + [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. + Kivinen, "Internet Key Exchange Protocol Version 2 + (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October + 2014, <http://www.rfc-editor.org/info/rfc7296>. + + + + + +Smyshlyaev, et al. Informational [Page 16] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +7.2. Informative References + + [GOST3411-94] + "Information technology. Cryptographic Data Security. + Hashing function", GOST R 34.11-94 Federal Agency on + Technical Regulating and Metrology (In Russian), 1994. + + [NISTSP800-108] + National Institute of Standards and Technology, + "Recommendation for Key Derivation Using Pseudorandom + Functions", NIST SP 800-108, October 2009, + <http://csrc.nist.gov/publications/nistpubs/800-108/ + sp800-108.pdf>. + + [RFC4490] Leontiev, S., Ed. and G. Chudov, Ed., "Using the GOST + 28147-89, GOST R 34.11-94, GOST R 34.10-94, and GOST R + 34.10-2001 Algorithms with Cryptographic Message Syntax + (CMS)", RFC 4490, DOI 10.17487/RFC4490, May 2006, + <http://www.rfc-editor.org/info/rfc4490>. + + [RFC4491] Leontiev, S., Ed. and D. Shefanovski, Ed., "Using the GOST + R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 + Algorithms with the Internet X.509 Public Key + Infrastructure Certificate and CRL Profile", RFC 4491, + DOI 10.17487/RFC4491, May 2006, + <http://www.rfc-editor.org/info/rfc4491>. + + [RFC5830] Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption, + and Message Authentication Code (MAC) Algorithms", + RFC 5830, DOI 10.17487/RFC5830, March 2010, + <http://www.rfc-editor.org/info/rfc5830>. + + [RFC6986] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.11-2012: + Hash Function", RFC 6986, DOI 10.17487/RFC6986, August + 2013, <http://www.rfc-editor.org/info/rfc6986>. + + [RFC7091] Dolmatov, V., Ed. and A. Degtyarev, "GOST R 34.10-2012: + Digital Signature Algorithm", RFC 7091, + DOI 10.17487/RFC7091, December 2013, + <http://www.rfc-editor.org/info/rfc7091>. + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 17] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +Appendix A. Values of the Parameter Sets + +A.1. Canonical Form Parameters + + Parameter set: id-tc26-gost-3410-12-512-paramSetA + + SEQUENCE + { + OBJECT IDENTIFIER + id-tc26-gost-3410-12-512-paramSetA + SEQUENCE + { + INTEGER + 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD + C7 + INTEGER + 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD + C4 + INTEGER + 00 E8 C2 50 5D ED FC 86 DD C1 BD 0B 2B 66 67 F1 + DA 34 B8 25 74 76 1C B0 E8 79 BD 08 1C FD 0B 62 + 65 EE 3C B0 90 F3 0D 27 61 4C B4 57 40 10 DA 90 + DD 86 2E F9 D4 EB EE 47 61 50 31 90 78 5A 71 C7 + 60 + INTEGER + 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60 + 60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2 + 75 + INTEGER + 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF 27 E6 95 32 F4 8D 89 11 6F F2 2B 8D 4E 05 60 + 60 9B 4B 38 AB FA D2 B8 5D CA CD B1 41 1F 10 B2 + 75 + INTEGER + 03 + + + + + + + +Smyshlyaev, et al. Informational [Page 18] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + INTEGER + 75 03 CF E8 7A 83 6A E3 A6 1B 88 16 E2 54 50 E6 + CE 5E 1C 93 AC F1 AB C1 77 80 64 FD CB EF A9 21 + DF 16 26 BE 4F D0 36 E9 3D 75 E6 A5 0E 3A 41 E9 + 80 28 FE 5F C2 35 F5 B8 89 A5 89 CB 52 15 F2 A4 + } + } + + Parameter set: id-tc26-gost-3410-12-512-paramSetB + + SEQUENCE + { + OBJECT IDENTIFIER + id-tc26-gost-3410-12-512-paramSetB + SEQUENCE + { + INTEGER + 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 6F + INTEGER + 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 6C + INTEGER + 68 7D 1B 45 9D C8 41 45 7E 3E 06 CF 6F 5E 25 17 + B9 7C 7D 61 4A F1 38 BC BF 85 DC 80 6C 4B 28 9F + 3E 96 5D 2D B1 41 6D 21 7F 8B 27 6F AD 1A B6 9C + 50 F7 8B EE 1F A3 10 6E FB 8C CB C7 C5 14 01 16 + INTEGER + 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 01 49 A1 EC 14 25 65 A5 45 AC FD B7 7B D9 D4 0C + FA 8B 99 67 12 10 1B EA 0E C6 34 6C 54 37 4F 25 + BD + INTEGER + 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 01 49 A1 EC 14 25 65 A5 45 AC FD B7 7B D9 D4 0C + FA 8B 99 67 12 10 1B EA 0E C6 34 6C 54 37 4F 25 + BD + INTEGER + 02 + + + + +Smyshlyaev, et al. Informational [Page 19] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + INTEGER + 1A 8F 7E DA 38 9B 09 4C 2C 07 1E 36 47 A8 94 0F + 3C 12 3B 69 75 78 C2 13 BE 6D D9 E6 C8 EC 73 35 + DC B2 28 FD 1E DF 4A 39 15 2C BC AA F8 C0 39 88 + 28 04 10 55 F9 4C EE EC 7E 21 34 07 80 FE 41 BD + } + } + +A.2. Twisted Edwards Form Parameters + + Parameter set: id-tc26-gost-3410-2012-256-paramSetA + + SEQUENCE + { + OBJECT IDENTIFIER + id-tc26-gost-3410-2012-256-paramSetA + SEQUENCE + { + INTEGER + 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD + 97 + INTEGER + 00 C2 17 3F 15 13 98 16 73 AF 48 92 C2 30 35 A2 + 7C E2 5E 20 13 BF 95 AA 33 B2 2C 65 6F 27 7E 73 + 35 + INTEGER + 29 5F 9B AE 74 28 ED 9C CC 20 E7 C3 59 A9 D4 1A + 22 FC CD 91 08 E1 7B F7 BA 93 37 A6 F8 AE 95 13 + INTEGER + 01 + INTEGER + 06 05 F6 B7 C1 83 FA 81 57 8B C3 9C FA D5 18 13 + 2B 9D F6 28 97 00 9A F7 E5 22 C3 2D 6D C7 BF FB + INTEGER + 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 3F 63 37 7F 21 ED 98 D7 04 56 BD 55 B0 D8 31 + 9C + INTEGER + 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0F D8 CD DF C8 7B 66 35 C1 15 AF 55 6C 36 0C 67 + INTEGER + 00 91 E3 84 43 A5 E8 2C 0D 88 09 23 42 57 12 B2 + BB 65 8B 91 96 93 2E 02 C7 8B 25 82 FE 74 2D AA + 28 + + + + + + +Smyshlyaev, et al. Informational [Page 20] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + INTEGER + 32 87 94 23 AB 1A 03 75 89 57 86 C4 BB 46 E9 56 + 5F DE 0B 53 44 76 67 40 AF 26 8A DB 32 32 2E 5C + INTEGER + 0D + INTEGER + 60 CA 1E 32 AA 47 5B 34 84 88 C3 8F AB 07 64 9C + E7 EF 8D BE 87 F2 2E 81 F9 2B 25 92 DB A3 00 E7 + } + } + + Parameter set: id-tc26-gost-3410-2012-512-paramSetC + + SEQUENCE + { + OBJECT IDENTIFIER + id-tc26-gost-3410-2012-512-paramSetC + SEQUENCE + { + INTEGER + 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FD + C7 + INTEGER + 00 DC 92 03 E5 14 A7 21 87 54 85 A5 29 D2 C7 22 + FB 18 7B C8 98 0E B8 66 64 4D E4 1C 68 E1 43 06 + 45 46 E8 61 C0 E2 C9 ED D9 2A DE 71 F4 6F CF 50 + FF 2A D9 7F 95 1F DA 9F 2A 2E B6 54 6F 39 68 9B + D3 + INTEGER + 00 B4 C4 EE 28 CE BC 6C 2C 8A C1 29 52 CF 37 F1 + 6A C7 EF B6 A9 F6 9F 4B 57 FF DA 2E 4F 0D E5 AD + E0 38 CB C2 FF F7 19 D2 C1 8D E0 28 4B 8B FE F3 + B5 2B 8C C7 A5 F5 BF 0A 3C 8D 23 19 A5 31 25 57 + E1 + INTEGER + 01 + INTEGER + 00 9E 4F 5D 8C 01 7D 8D 9F 13 A5 CF 3C DF 5B FE + 4D AB 40 2D 54 19 8E 31 EB DE 28 A0 62 10 50 43 + 9C A6 B3 9E 0A 51 5C 06 B3 04 E2 CE 43 E7 9E 36 + 9E 91 A0 CF C2 BC 2A 22 B4 CA 30 2D BB 33 EE 75 + 50 + + + + + + +Smyshlyaev, et al. Informational [Page 21] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + INTEGER + 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF 26 33 6E 91 94 1A AC 01 30 CE A7 FD 45 1D 40 + B3 23 B6 A7 9E 9D A6 84 9A 51 88 F3 BD 1F C0 8F + B4 + INTEGER + 3F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF + C9 8C DB A4 65 06 AB 00 4C 33 A9 FF 51 47 50 2C + C8 ED A9 E7 A7 69 A1 26 94 62 3C EF 47 F0 23 ED + INTEGER + 00 E2 E3 1E DF C2 3D E7 BD EB E2 41 CE 59 3E F5 + DE 22 95 B7 A9 CB AE F0 21 D3 85 F7 07 4C EA 04 + 3A A2 72 72 A7 AE 60 2B F2 A7 B9 03 3D B9 ED 36 + 10 C6 FB 85 48 7E AE 97 AA C5 BC 79 28 C1 95 01 + 48 + INTEGER + 00 F5 CE 40 D9 5B 5E B8 99 AB BC CF F5 91 1C B8 + 57 79 39 80 4D 65 27 37 8B 8C 10 8C 3D 20 90 FF + 9B E1 8E 2D 33 E3 02 1E D2 EF 32 D8 58 22 42 3B + 63 04 F7 26 AA 85 4B AE 07 D0 39 6E 9A 9A DD C4 + 0F + INTEGER + 12 + INTEGER + 46 9A F7 9D 1F B1 F5 E1 6B 99 59 2B 77 A0 1E 2A + 0F DF B0 D0 17 94 36 8D 9A 56 11 7F 7B 38 66 95 + 22 DD 4B 65 0C F7 89 EE BF 06 8C 5D 13 97 32 F0 + 90 56 22 C0 4B 2B AA E7 60 03 03 EE 73 00 1A 3D + } + } + +Appendix B. Test Examples + + 1) HMAC_GOSTR3411_2012_256 + + Key K: + + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + + T: + + 01 26 bd b8 78 00 af 21 43 41 45 65 63 78 01 00 + + + + + + +Smyshlyaev, et al. Informational [Page 22] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + HMAC_GOSTR3411_2012_256 (K, T) value: + + a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34 + 01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9 + + 2) HMAC_GOSTR3411_2012_512 + + Key K: + + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + + T: + + 01 26 bd b8 78 00 af 21 43 41 45 65 63 78 01 00 + + HMAC_GOSTR3411_2012_512 (K, T) value: + + a5 9b ab 22 ec ae 19 c6 5f bd e6 e5 f4 e9 f5 d8 + 54 9d 31 f0 37 f9 df 9b 90 55 00 e1 71 92 3a 77 + 3d 5f 15 30 f2 ed 7e 96 4c b2 ee dc 29 e9 ad 2f + 3a fe 93 b2 81 4f 79 f5 00 0f fc 03 66 c2 51 e6 + + 3) PRF_TLS_GOSTR3411_2012_256 + + Key K: + + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + + Seed: + + 18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56 + 0b 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 9a + + Label: + + 11 22 33 44 55 + + Output T1: + + ff 09 66 4a 44 74 58 65 94 4f 83 9e bb 48 96 5f + 15 44 ff 1c c8 e8 f1 6f 24 7e e5 f8 a9 eb e9 7f + + + + + + + + +Smyshlyaev, et al. Informational [Page 23] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + Output T2: + + c4 e3 c7 90 0e 46 ca d3 db 6a 01 64 30 63 04 0e + c6 7f c0 fd 5c d9 f9 04 65 23 52 37 bd ff 2c 02 + + 4) PRF_TLS_GOSTR3411_2012_512 + + Key K: + + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + + Seed: + + 18 47 1d 62 2d c6 55 c4 d2 d2 26 96 91 ca 4a 56 + 0b 50 ab a6 63 55 3a f2 41 f1 ad a8 82 c9 f2 9a + + Label: + + 11 22 33 44 55 + + Output T1: + + f3 51 87 a3 dc 96 55 11 3a 0e 84 d0 6f d7 52 6c + 5f c1 fb de c1 a0 e4 67 3d d6 d7 9d 0b 92 0e 65 + ad 1b c4 7b b0 83 b3 85 1c b7 cd 8e 7e 6a 91 1a + 62 6c f0 2b 29 e9 e4 a5 8e d7 66 a4 49 a7 29 6d + + Output T2: + + e6 1a 7a 26 c4 d1 ca ee cf d8 0c ca 65 c7 1f 0f + 88 c1 f8 22 c0 e8 c0 ad 94 9d 03 fe e1 39 57 9f + 72 ba 0c 3d 32 c5 f9 54 f1 cc cd 54 08 1f c7 44 + 02 78 cb a1 fe 7b 7a 17 a9 86 fd ff 5b d1 5d 1f + + 5) PRF_IPSEC_PRFPLUS_GOSTR3411_2012_256 + + Key K: + + c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 + 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21 + + Data S: + + 01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00 + + + + + + +Smyshlyaev, et al. Informational [Page 24] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + Output T1: + + 2d e5 ee 84 e1 3d 7b e5 36 16 67 39 13 37 0a b0 + 54 c0 74 b7 9b 69 a8 a8 46 82 a9 f0 4f ec d5 87 + + Output T2: + + 29 f6 0d da 45 7b f2 19 aa 2e f9 5d 7a 59 be 95 + 4d e0 08 f4 a5 0d 50 4d bd b6 90 be 68 06 01 53 + + 6) PRF_IPSEC_PRFPLUS_GOSTR3411_2012_512 + + Key K: + + c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 + 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21 + + Data S: + + 01 26 bd b8 78 00 1d 80 60 3c 85 44 c7 27 01 00 + + Output T1: + + 5d a6 71 43 a5 f1 2a 6d 6e 47 42 59 6f 39 24 3f + cc 61 57 45 91 5b 32 59 10 06 ff 78 a2 08 63 d5 + f8 8e 4a fc 17 fb be 70 b9 50 95 73 db 00 5e 96 + 26 36 98 46 cb 86 19 99 71 6c 16 5d d0 6a 15 85 + + Output T2: + + 48 34 49 5a 43 74 6c b5 3f 0a ba 3b c4 6e bc f8 + 77 3c a6 4a d3 43 c1 22 ee 2a 57 75 57 03 81 57 + ee 9c 38 8d 96 ef 71 d5 8b e5 c1 ef a1 af a9 5e + be 83 e3 9d 00 e1 9a 5d 03 dc d6 0a 01 bc a8 e3 + + 7) VKO_GOSTR3410_2012_256 with 256-bit output on the GOST + R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA + + UKM value: + + 1d 80 60 3c 85 44 c7 27 + + Private key x of A: + + c9 90 ec d9 72 fc e8 4e c4 db 02 27 78 f5 0f ca + c7 26 f4 67 08 38 4b 8d 45 83 04 96 2d 71 47 f8 + c2 db 41 ce f2 2c 90 b1 02 f2 96 84 04 f9 b9 be + 6d 47 c7 96 92 d8 18 26 b3 2b 8d ac a4 3c b6 67 + + + +Smyshlyaev, et al. Informational [Page 25] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + Public key x*P of A (curve point (X, Y)): + + aa b0 ed a4 ab ff 21 20 8d 18 79 9f b9 a8 55 66 + 54 ba 78 30 70 eb a1 0c b9 ab b2 53 ec 56 dc f5 + d3 cc ba 61 92 e4 64 e6 e5 bc b6 de a1 37 79 2f + 24 31 f6 c8 97 eb 1b 3c 0c c1 43 27 b1 ad c0 a7 + 91 46 13 a3 07 4e 36 3a ed b2 04 d3 8d 35 63 97 + 1b d8 75 8e 87 8c 9d b1 14 03 72 1b 48 00 2d 38 + 46 1f 92 47 2d 40 ea 92 f9 95 8c 0f fa 4c 93 75 + 64 01 b9 7f 89 fd be 0b 5e 46 e4 a4 63 1c db 5a + + Private key y of part B: + + 48 c8 59 f7 b6 f1 15 85 88 7c c0 5e c6 ef 13 90 + cf ea 73 9b 1a 18 c0 d4 66 22 93 ef 63 b7 9e 3b + 80 14 07 0b 44 91 85 90 b4 b9 96 ac fe a4 ed fb + bb cc cc 8c 06 ed d8 bf 5b da 92 a5 13 92 d0 db + + Public key y*P of B (curve point (X, Y)): + + 19 2f e1 83 b9 71 3a 07 72 53 c7 2c 87 35 de 2e + a4 2a 3d bc 66 ea 31 78 38 b6 5f a3 25 23 cd 5e + fc a9 74 ed a7 c8 63 f4 95 4d 11 47 f1 f2 b2 5c + 39 5f ce 1c 12 91 75 e8 76 d1 32 e9 4e d5 a6 51 + 04 88 3b 41 4c 9b 59 2e c4 dc 84 82 6f 07 d0 b6 + d9 00 6d da 17 6c e4 8c 39 1e 3f 97 d1 02 e0 3b + b5 98 bf 13 2a 22 8a 45 f7 20 1a ba 08 fc 52 4a + 2d 77 e4 3a 36 2a b0 22 ad 40 28 f7 5b de 3b 79 + + KEK_VKO value: + + c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 + 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21 + + 8) VKO_GOSTR3410_2012_512 with 512-bit output on the GOST + R 34.10-2012 512-bit keys with id-tc26-gost-3410-12-512-paramSetA + + UKM value: + + 1d 80 60 3c 85 44 c7 27 + + Private key x of A: + + c9 90 ec d9 72 fc e8 4e c4 db 02 27 78 f5 0f ca + c7 26 f4 67 08 38 4b 8d 45 83 04 96 2d 71 47 f8 + c2 db 41 ce f2 2c 90 b1 02 f2 96 84 04 f9 b9 be + 6d 47 c7 96 92 d8 18 26 b3 2b 8d ac a4 3c b6 67 + + + + +Smyshlyaev, et al. Informational [Page 26] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + Public key x*P of A (curve point (X, Y)): + + aa b0 ed a4 ab ff 21 20 8d 18 79 9f b9 a8 55 66 + 54 ba 78 30 70 eb a1 0c b9 ab b2 53 ec 56 dc f5 + d3 cc ba 61 92 e4 64 e6 e5 bc b6 de a1 37 79 2f + 24 31 f6 c8 97 eb 1b 3c 0c c1 43 27 b1 ad c0 a7 + 91 46 13 a3 07 4e 36 3a ed b2 04 d3 8d 35 63 97 + 1b d8 75 8e 87 8c 9d b1 14 03 72 1b 48 00 2d 38 + 46 1f 92 47 2d 40 ea 92 f9 95 8c 0f fa 4c 93 75 + 64 01 b9 7f 89 fd be 0b 5e 46 e4 a4 63 1c db 5a + + Private key y of B: + + 48 c8 59 f7 b6 f1 15 85 88 7c c0 5e c6 ef 13 90 + cf ea 73 9b 1a 18 c0 d4 66 22 93 ef 63 b7 9e 3b + 80 14 07 0b 44 91 85 90 b4 b9 96 ac fe a4 ed fb + bb cc cc 8c 06 ed d8 bf 5b da 92 a5 13 92 d0 db + + Public key y*P of B (curve point (X, Y)): + + 19 2f e1 83 b9 71 3a 07 72 53 c7 2c 87 35 de 2e + a4 2a 3d bc 66 ea 31 78 38 b6 5f a3 25 23 cd 5e + fc a9 74 ed a7 c8 63 f4 95 4d 11 47 f1 f2 b2 5c + 39 5f ce 1c 12 91 75 e8 76 d1 32 e9 4e d5 a6 51 + 04 88 3b 41 4c 9b 59 2e c4 dc 84 82 6f 07 d0 b6 + d9 00 6d da 17 6c e4 8c 39 1e 3f 97 d1 02 e0 3b + b5 98 bf 13 2a 22 8a 45 f7 20 1a ba 08 fc 52 4a + 2d 77 e4 3a 36 2a b0 22 ad 40 28 f7 5b de 3b 79 + + KEK_VKO value: + + 79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 + ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa + 7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 + f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df + + 9) Key derivation function KDF_GOSTR3411_2012_256 + + K_in key: + + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + + Label: + + 26 bd b8 78 + + + + + +Smyshlyaev, et al. Informational [Page 27] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + Seed: + + af 21 43 41 45 65 63 78 + + KDF(K_in, label, seed) value: + + a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34 + 01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9 + + 10) Key derivation function KDF_TREE_GOSTR3411_2012_256 + + Output size of L: + + 512 + + K_in key: + + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + + Label: + + 26 bd b8 78 + + Seed: + + af 21 43 41 45 65 63 78 + + K1: + + 22 b6 83 78 45 c6 be f6 5e a7 16 72 b2 65 83 10 + 86 d3 c7 6a eb e6 da e9 1c ad 51 d8 3f 79 d1 6b + + K2: + + 07 4c 93 30 59 9d 7f 8d 71 2f ca 54 39 2f 4d dd + e9 37 51 20 6b 35 84 c8 f4 3f 9e 6d c5 15 31 f9 + + R: + + 1 + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 28] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + 11) Key wrap and unwrap with the szOID_Gost28147_89_TC26_Z_ParamSet + parameters + + Key K_e: + + 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f + 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f + + Key K: + + 20 21 22 23 24 25 26 27 28 29 2a 2b 2c 2d 2e 2f + 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f + + Seed: + + af 21 43 41 45 65 63 78 + + Label: + + 26 bd b8 78 + + KEK_e(seed) = KDF_GOSTR3411_2012_256(K_e, label, seed): + + a1 aa 5f 7d e4 02 d7 b3 d3 23 f2 99 1c 8d 45 34 + 01 31 37 01 0a 83 75 4f d0 af 6d 7c d4 92 2e d9 + + CEK_MAC: + + be 33 f0 52 + + CEK_ENC: + + d1 55 47 f8 ee 85 12 1b c8 7d 4b 10 27 d2 60 27 + ec c0 71 bb a6 e7 2f 3f ec 6f 62 0f 56 83 4c 5a + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 29] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + +Appendix C. GOST 28147-89 Parameter Set + + The parameter set has the following object identifier: + + id-tc26-gost-28147-param-Z::= {iso(1) member-body(2) ru(643) + rosstandart(7) tc26(1) constants(2) cipher-constants(5) + gost-28147-constants(1) param-Z(1)} + + The parameter set is defined below: + + x K1(x) K2(x) K3(x) K4(x) K5(x) K6(x) K7(x) K8(x) + ------------------------------------------------------------ + 0 | c 6 b c 7 5 8 1 + 1 | 4 8 3 8 f d e 7 + 2 | 6 2 5 2 5 f 2 e + 3 | 2 3 8 1 a 6 5 d + 4 | a 9 2 d 8 9 6 0 + 5 | 5 a f 4 1 2 9 5 + 6 | b 5 a f 6 c 1 8 + 7 | 9 c d 6 d a c 3 + 8 | e 1 e 7 0 b f 4 + 9 | 8 e 1 0 9 7 4 f + a | d 4 7 a 3 8 b a + b | 7 7 4 5 e 1 0 6 + c | 0 b c 3 b 4 d 9 + d | 3 d 9 e 4 3 a c + e | f 0 6 9 2 e 3 b + f | 1 f 0 b c 0 7 2 + + +Acknowledgments + + We thank Valery Smyslov, Igor Ustinov, Basil Dolmatov, Russ Housley, + Dmitry Khovratovich, Oleksandr Kazymyrov, Ekaterina Smyshlyaeva, + Vasily Nikolaev, and Lolita Sonina for their careful readings and + useful comments. + +Authors' Addresses + + Stanislav Smyshlyaev (editor) + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: svs@cryptopro.ru + + + + +Smyshlyaev, et al. Informational [Page 30] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + Evgeny Alekseev + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: alekseev@cryptopro.ru + + + Igor Oshkin + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: oshkin@cryptopro.ru + + + Vladimir Popov + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: vpopov@cryptopro.ru + + + Serguei Leontiev + CRYPTO-PRO + 18, Suschevsky val + Moscow 127018 + Russian Federation + + Phone: +7 (495) 995-48-20 + Email: lse@cryptopro.ru + + + Vladimir Podobaev + FACTOR-TS + 11A, 1st Magistralny proezd + Moscow 123290 + Russian Federation + + Phone: +7 (495) 644-31-30 + Email: v_podobaev@factor-ts.ru + + + +Smyshlyaev, et al. Informational [Page 31] + +RFC 7836 Cryptographic Algorithms for GOST March 2016 + + + Dmitry Belyavsky + TCI + 8, Zoologicheskaya st + Moscow 117218 + Russian Federation + + Phone: +7 (499) 254-24-50 + Email: beldmit@gmail.com + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Smyshlyaev, et al. Informational [Page 32] + |