summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc5831.txt
blob: 5954d5ece3d180747224c80ca711fe566fc7e449 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
Independent Submission                                  V. Dolmatov, Ed.
Request for Comments: 5831                               Cryptocom, Ltd.
Category: Informational                                       March 2010
ISSN: 2070-1721


                GOST R 34.11-94: Hash Function Algorithm

Abstract

   This document is intended to be a source of information about the
   Russian Federal standard hash function (GOST R 34.11-94), which is
   one of the Russian cryptographic standard algorithms (called GOST
   algorithms).  Recently, Russian cryptography is being used in
   Internet applications, and this document has been created as
   information for developers and users of GOST R 34.11-94 for hash
   computation.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5831.


















Dolmatov                      Informational                     [Page 1]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

   This document may not be modified, and derivative works of it may not
   be created, except to format it for publication as an RFC or to
   translate it into languages other than English.

Table of Contents

   1. Introduction ....................................................3
      1.1. General Information ........................................3
      1.2. The Purpose of GOST R 34.11-94 .............................3
   2. Applicability ...................................................3
   3. Conventions Used in This Document ...............................4
   4. General Statements ..............................................5
   5. Step-by-Step Hash Function ......................................5
      5.1. Key Generation .............................................5
      5.2. Encryption Transformation ..................................7
      5.3. Mixing Transformation ......................................7
   6. The Calculation Procedure for a Hash Function ...................8
   7. Test Examples (Informative) .....................................9
      7.1. Usage of the Algorithm GOST 28147-89 ......................10
      7.2. Representation of Vectors .................................11
      7.3. Examples of the Hash Value Calculation ....................11
           7.3.1. Hash Calculation for the Sample Message M ..........11
           7.3.2. Hash Calculation for the Sample Message M ..........14
   8. Security Considerations ........................................16
   9. Normative References ...........................................16
   10. Contributors ..................................................17













Dolmatov                      Informational                     [Page 2]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


1.  Introduction

1.1.  General Information

   1. GOST R 34.11-94  [GOST3411] was developed by the Federal Agency
      for Government Communication and Information and by the All-Russia
      Scientific and Research Institute of Standardization.

   2. GOST R 34.11-94 was accepted and activated by Act 154 of
      23.05.1994 issued by the Russian Federal committee for standards.

1.2.  The Purpose of GOST R 34.11-94

   Expanding the application of information technologies when creating,
   processing, and storing documents requires, in some cases,
   confidentiality of their contents, maintenance of completeness, and
   authenticity.

   Cryptography (cryptographic security) is one of the effective
   approaches for data security.  It is widely applied in different
   areas of government and commercial activity.

   Cryptographic data security methods are under serious scientific
   research and standardization efforts at national, regional, and
   international levels.

   GOST R 34.11-94 defines a hash function calculation procedure for an
   arbitrary sequence of binary symbols.

   The hash function maps an arbitrary set of data represented as a
   sequence of binary symbols onto its image of a fixed small length.

   Thus, hash functions can be used in procedures related to the
   electronic digital signature, resulting in considerable reduction of
   elapsed time for the sign and verify stages.  The effect of the
   reduction of time is due to the fact that only a short image of
   initial data is actually signed.

2.  Applicability

   GOST R 34.11-94 defines an algorithm and procedure for the
   calculation of a hash function for an arbitrary sequence of binary
   symbols.  These algorithms and procedures should be applied in
   cryptographic methods of data processing and securing, including
   digital signature procedures employed for data transfer and data
   storage in computer-aided systems.





Dolmatov                      Informational                     [Page 3]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


   The hash function, defined in GOST R 34.11-94, is used for digital
   signature systems based on the asymmetric cryptographic algorithm
   according to GOST R 34.10-2001 (see section 3).

3.  Conventions Used in This Document

   The following notations are used in GOST R 34.11-94:

   V_all is a set of all finite words in the alphabet V = {0,1}.  The
   words are read from right to left and the alphabet symbols are
   numbered from right to left (i.e., the rightmost symbol of the word
   has the number one, the second rightmost symbol has number two,
   etc.).

   Vk is a set of all words in alphabet V = {0,1} of length k bits
   (k=16,64,256).

   |A| is the length of a word A belonging to V_all.

   A||B is a concatenation of words A, B belonging to V_all.  Its length
   is |A| + |B|, where the left |A| symbols come from the word A, and
   the right |B| symbols come from the word B.  One can also use the
   notation A||B = A * B.

   A^k is a concatenation of k copies of the word A (A belongs to
   V_all).

   <N>_k is a word of length k, containing a binary representation of
   N(mod 2^k) residue, with a non-negative integer N.

   A^$ is a non-negative integer with A as its binary representation.

   (xor) is the bitwise modulo 2 addition of the words of the same
   length.

   (+)' is the addition according to the rule A (+)' B = <A^$+ B^$>_k,
   where k = |A| = |B|.

   M is a binary sequence to be hashed, M belongs to V_all.  M is a
   message in digital signature systems.

   h is a hash function that maps the sequence M belonging to V_all onto
   the word h(M) belonging to V_256.

   E(k,A) is a result of the encryption of the word A using key K with
   the encryption algorithm according to [GOST28147] in the electronic
   codebook (ECB) mode (K belongs to V256, A belongs to V64).




Dolmatov                      Informational                     [Page 4]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


   h0 is an initial hash value.

   e := g is the assignment of the value g to the parameter e.

   ^ is the power operator.

   i = 1..8 is an interval with i being all the values from 1 to 8.

   hUZ is the S-boxes described in [GOST28147].

4.  General Statements

   A hash function h is the mapping h :  V_all -> V256, depending on the
   parameter (which is the initial hash value H, H is a word from V256).
   To define the hash function, it is necessary to have:

      - a calculation algorithm for the step-by-step hash function

        chi : V256 x V256 ->  V256

      - a description of an iterative procedure for calculating the hash
        value h

   A hash function h depends on two parameters, h0 and hUZ.

5.  Step-by-Step Hash Function

   A calculation algorithm for the step-by-step hash function contains
   three parts, which successively do:

      - key generation, here keys are 256-bit words;

      - an encryption transformation, that is encryption of 64-bit
        subwords of word H using keys K[i], (i = 1, 2, 3, 4) with the
        algorithm according to [GOST28147] in ECB mode; and

      - a mixing transformation for the result of the encryption.

5.1  Key Generation

   Consider X = (b[256], b[255], ..., b[1]) belongs to V256.

   Let:

      X = x[4]||x[3]||x[2]||x[1] = eta[16]||[eta15]||...||eta[1]

        = xi[32]||xi[31]||...||xi[1], where




Dolmatov                      Informational                     [Page 5]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


        x[i] = (b[i*64],...,b[(i-1)*64+1]) belongs to V64, i = 1..4,

      eta[j] = (b[j*16],...,b[(j-1)*16+1]) belongs to V16, j = 1..16,

       xi[k] = (b[k*8],..., b[(k-1)*8+1]) belongs to V8, k = 1..32.

   Yet, another notation: A(X) = (x[1](xor)x[2])||x[4]||x[3]||x[2].

   The transformation P : V256 -> V256 maps the word xi32||...||xi1
   onto the word xi[phi(32)] || ... || xi[phi(1)],

   where phi(i + 1 + 4 ( k - 1) ) = 8i + k , i = 0..3, k = 1..8.

   For the key generation, one should use the following initial data:

      - words H, M belonging to V256,

      - parameters: words C[i] (i = 2, 3, 4), with values:

        C[2] = C[4] = 0^256;

        C[3] = 1^8||0^8||1^16||0^24||1^16||0^8||(0^8||1^8)^2||1^8||0^8
               ||(0^8||1^8)^4||(1^8||0^8 )^4.

   The following algorithm is used for the key calculation:

   1. Assign values:

      i := 1, U := H , V := M.

   2. Calculate:

      W = U (xor) V , K[i] = P(W).

   3. Assign:

      i := i + 1.

   4. Verify condition:

      i = 5.

   If it is true, go to step 7.  If not, go to step 5.

   5. Calculate:

      U := A(U)(xor)C[i], V := A(A(V)),
      W := U(xor)V, K[i] = P(W).



Dolmatov                      Informational                     [Page 6]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


   6. Go to step 3.

   7. End.

5.2.  Encryption Transformation

   At this stage, 64-bit subwords of the word H are encrypted using keys
   K[i] (i = 1, 2, 3, 4).

   For the encryption transformation, one should use the following
   initial data:

      H = h[4]||h[3]||h[2]||h[1],

   where h[i] belongs to V64, i = 1,2,3,4, and a key set is K[1], K[2],
   K[3], K[4].

   The encryption algorithm is applied and the following words are
   obtained:

      s[i] = E(K[i],h[i]), where: i = 1,2,3,4

   As a result of the stage, the following sequence is formed:

      S = s[4]||s[3]||s[2]||s[1].

5.3.  Mixing Transformation

   At this stage, the obtained sequence is mixed using a shift register.

   The initial data includes words H, M belonging to V256 and a word S
   belonging to V256 .

   Let a mapping PSI(X) : V256(2) -> V256(2) transform the word:

      eta[16]||eta[15]||...||eta[1], eta[i] belongs to V16, i = 1..16

   into the word:

      eta[1](xor)eta[2](xor)eta[3](xor)eta[4](xor)eta[13](xor)eta[16]
      ||eta[16]||...||eta[2].

   Then, the value of the step-by-step hash function value is the word:

      chi(M, H) =  PSI^61(H(xor)PSI(M(xor)PSI^12(S))),

   where PSI^i(X) is the transformation PSI applied i times to X.




Dolmatov                      Informational                     [Page 7]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


6.  The Calculation Procedure for a Hash Function

   The calculation procedure for a hash function h is assumed to be
   applied to a sequence M belonging to V_all.  Its parameter is an
   initial hash value h0, which is an arbitrarily fixed word from V256.

   The calculation procedure for the function h uses the following
   quantities at each step of iteration:

   _M_ belonging to V_all - a part of the sequence M, which was not
   hashed at previous iterations;

   H belonging to V256 - the current hash value;

   SIGMA belonging to V256 - the current check sum value;

   L belonging to V256 - the length of the partial sequence M processed
   at the previous iteration step.

   The calculation algorithm for function h consists of the following
   steps:

   Step 1. Assign initial values to current quantities:

      1.1 _M_ := M.

      1.2 H := h0.

      1.3 SIGMA := 0^256.

      1.4 L := 0^256.

      1.5 Go to step 2.

   Step 2.

      2.1 Verify the condition |_M_|>256.

   If it is true, go to step 3.

   Else, make the following calculations:

      2.2 L := <L^$ + |M|>_256

      2.3 M' := 0^(256 -|M|)||M

      2.4 SIGMA := SIGMA (+)' M'




Dolmatov                      Informational                     [Page 8]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


      2.5 H := chi (M', H)

      2.6 H := chi (L, H)

      2.7 H := chi (SIGMA, H)

      2.8 End.

   Step 3.

      3.1 Calculate a subword M_s belonging to V256 of the word _M_
          (_M_ = M_p||M_s).  Then make the following calculations:

      3.2 H := chi (M_s, H)

      3.3 L := <L^$ + 256>_256

      3.4 SIGMA := SIGMA (+)' M[s]

      3.5 _M_ = M_p

      3.6 Go to step 2.

   The quantity H obtained at step 2.7 is the value of the hash function
   h(M).

7.  Test Examples (Informative)

   It is recommended to use the values for substitution units pi[1],
   pi[2],..., pi[8] and the initial hash value H described in this
   appendix for the GOST R 34.11-94 test examples only.




















Dolmatov                      Informational                     [Page 9]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


7.1.  Usage of the Algorithm GOST 28147-89

   The algorithm GOST 28147-89 [GOST28147] in ECB mode is used as an
   encryption transformation in the following examples.  The following
   values of the substitution units pi[1], pi[2],..., pi[8] have been
   chosen:

           8 7 6 5 4 3 2 1

       0   1 D 4 6 7 5 E 4

       1   F B B C D 8 B A

       2   D 4 A 7 A 1 4 9

       3   0 1 0 1 1 D C 2

       4   5 3 7 5 0 A 6 D

       5   7 F 2 F 8 3 D 8

       6   A 5 1 D 9 4 F 0

       7   4 9 D 8 F 2 A E

       8   9 0 3 4 E E 2 6

       9   2 A 6 A 4 F 3 B

      10   3 E 8 9 6 C 8 1

      11   E 7 5 E C 7 1 C

      12   6 6 9 0 B 6 0 7

      13   B 8 C 3 2 0 7 F

      14   8 2 F B 5 9 5 5

      15   C C E 2 3 B 9 3

   The hexadecimal value of pi[j](i) is given in a column number j,

      j = 1..8, and in a row number i, i = 0..15.







Dolmatov                      Informational                    [Page 10]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


7.2.  Representation of Vectors

   We will put down binary symbol sequences as hexadecimal digits
   strings, where each digit corresponds to four signs of its binary
   representation.

7.3 Examples of the Hash Value Calculation

   A zero vector, for example, can be taken as an initial hash value:

   h0 = 00000000 00000000 00000000 00000000
        00000000 00000000 00000000 00000000

7.3.1.  Hash Calculation for the Sample Message M

   M = 73657479 62203233 3D687467 6E656C20
       2C656761 7373656D 20736920 73696854

   Initial values are assigned for the text:

   _M_   = 73657479 62203233 3D687467 6E656C20
           2C656761 7373656D 20736920 73696854

   for the hash function:

   H   = 00000000 00000000 00000000 00000000
         00000000 00000000 00000000 00000000

   for the sum of text blocks:


   SIGMA = 00000000 00000000 00000000 00000000
           00000000 00000000 00000000 00000000

   for the length of the text:

   L = 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000000

   If the length of the message to be hashed equals 256 bits (32 bytes),
   then:

   L = 00000000 00000000 00000000 00000000
       00000000 00000000 00000000 00000100

   M' = _M_ = 73657479 62203233 3D687467 6E656C20
              2C656761 7373656D 20736920 73696854




Dolmatov                      Informational                    [Page 11]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


   and there is no need to pad the current block with zeroes:

   SIGMA=M' = 73657479 62203233 3D687467 6E656C20
               2C656761 7373656D 20736920 73696854

   The step-by-step hash function chi(M, N) values are calculated.

   The keys are generated:

   K[1] = 733D2C20 65686573 74746769 326C6568
          626E7373 20657369 79676120 33206D54

   K[2] = 110C733D 0D166568 130E7474 06417967
          1D00626E 161A2065 090D326C 4D393320

   K[3] = 80B111F3 730DF216 850013F1 C7E1F941
          620C1DFF 3ABAE91A 3FA109F2 F513B239

   K[4] = A0E2804E FF1B73F2 ECE27A00 E7B8C7E1
          EE1D620C AC0CC5BA A804C05E A18B0AEC

   The 64-bit subwords of block H are encrypted by the algorithm
   according to GOST 28147.

   Block h[1] = 00000000 00000000 is encrypted using key K[1] and
   s[1] = 42ABBCCE 32BC0B1B is obtained.

   Block h[2] = 00000000 00000000 is encrypted using key K[2] and
   s[2] = 5203EBC8 5D9BCFFD is obtained.

   Block h[3] = 00000000 00000000 is encrypted using key K[3] and
   s[3] = 8D345899 00FF0E28 is obtained.

   Block h[4] = 00000000 00000000 is encrypted using key K[4] and
   s[4] = E7860419 0D2A562D is obtained.

   So S = E7860419 0D2A562D 8D345899 00FF0E28
          5203EBC8 5D9BCFFD 42ABBCCE 32BC0B1B

   is obtained.

   The mixing transformation using a shift register is performed and

   KSI = chi(M, H) = CF9A8C65 505967A4 68A03B8C 42DE7624
                     D99C4124 883DA687 561C7DE3 3315C034

   is obtained.




Dolmatov                      Informational                    [Page 12]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


   Assign H = KSI and calculate chi(L, H):

   K[1] = CF68D956 9AA09C1C 8C3B417D 658C24E3
          50428833 59DE3D15 6776A6C1 A4248734

   K[2] = 8FCF68D9 809AA09C 3C8C3B41 C7658C24
          BB504288 2859DE3D 666676A6 B3A42487

   K[3] = 4E70CF97 3C8065A0 853C8CC4 57389A8C
          CABB50BD E3D7A6DE D1996788 5CB35B24

   K[4] = 584E70CF C53C8065 48853C8C 1657389A
          EDCABB50 78E3D7A6 EED19867 7F5CB35B

   S    = 66B70F5E F163F461 468A9528 61D60593
          E5EC8A37 3FD42279 3CD1602D DD783E86

   KSI  = 2B6EC233 C7BC89E4 2ABC2692 5FEA7285
          DD3848D1 C6AC997A 24F74E2B 09A3AEF7

   Now assign H = KSI again and calculate chi( SIGMA, H):

   K[1] = 5817F104 0BD45D84 B6522F27 4AF5B00B
          A531B57A 9C8FDFCA BB1EFCC6 D7A517A3

   K[2] = E82759E0 C278D950 15CC523C FC72EBB6
          D2C73DA8 19A6CAC9 3E8440F5 C0DDB65A

   K[3] = 77483AD9 F7C29CAA EB06D1D7 841BCAD3
          FBC3DAA0 7CB555F0 D4968080 0A9E56BC

   K[4] = A1157965 2D9FBC9C 088C7CC2 46FB3DD2
          7684ADCB FA4ACA06 53EFF7D7 C0748708

   S    = 2AEBFA76 A85FB57D 6F164DE9 2951A581
          C31E7435 4930FD05 1F8A4942 550A582D

   KSI  = FAFF37A6 15A81669 1CFF3EF8 B68CA247
          E09525F3 9F811983 2EB81975 D366C4B1

   Then, the hash result is:

   H    = FAFF37A6 15A81669 1CFF3EF8 B68CA247
          E09525F3 9F811983 2EB81975 D366C4B1







Dolmatov                      Informational                    [Page 13]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


7.3.2.  Hash Calculation for the Sample Message M

   Let M = 7365 74796220 3035203D 20687467 6E656C20
                73616820 65676173 73656D20 6C616E69
                6769726F 20656874 2065736F 70707553

   As the length of the message to be hashed equals 400 bits (50 bytes),
   the message is divided into two blocks, and the second (high-order)
   one is padded with zeroes.  During the calculations the following
   numbers are obtained:

   STEP 1.

   H    = 00000000 00000000 00000000 00000000
          00000000 00000000 00000000 00000000

   M_s = 73616820 65676173 73656D20 6C616E69
         6769726F 20656874 2065736F 70707553

   K[1] = 73736720 61656965 686D7273 20206F6F
          656C2070 67616570 616E6875 73697453

   K[2] = 14477373 0C0C6165 1F01686D 4F002020
          4C50656C 04156761 061D616E 1D277369

   K[3] = CBFF14B8 6D04F30C 96051FFE DFFFB000
          35094CAF 72F9FB15 7CF006E2 AB1AE227

   K[4] = EBACCB00 F7006DFB E5E16905 B0B0DFFF
          BA1C3509 FD118DF9 F61B830F F8C554E5

   S    = FF41797C EEAADAC2 43C9B1DF 2E14681C
          EDDC2210 1EE1ADF9 FA67E757 DAFE3AD9

   KSI  = F0CEEA4E 368B5A60 C63D96C1 E5B51CD2
          A93BEFBD 2634F0AD CBBB69CE ED2D5D9A

   STEP 2.

   H    = F0CEEA4E 368B5A60 C63D96C1 E5B51CD2
          A93BEFBD 2634F0AD CBBB69CE ED2D5D9A

   M'   = 00000000 00000000 00000000 00007365
          74796220 3035203D 20687467 6E656C20

   K[1] = F0C6DDEB CE3D42D3 EA968D1D 4EC19DA9
          36E51683 8BB50148 5A6FD031 60B790BA




Dolmatov                      Informational                    [Page 14]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


   K[2] = 16A4C6A9 F9DF3D3B E4FC96EF 5309C1BD
          FB68E526 2CDBB534 FE161C83 6F7DD2C8

   K[3] = C49D846D 1780482C 9086887F C48C9186
          9DCB0644 D1E641E5 A02109AF 9D52C7CF

   K[4] = BDB0C9F0 756E9131 E1F290EA 50E4CBB1
          1CAD9536 F4E4B674 99F31E29 70C52AFA

   S    = 62A07EA5 EF3C3309 2CE1B076 173D48CC
          6881EB66 F5C7959F 63FCA1F1 D33C31B8

   KSI  = 95BEA0BE 88D5AA02 FE3C9D45 436CE821
          B8287CB6 2CBC135B 3E339EFE F6576CA9

   STEP 3.

   H    = 95BEA0BE 88D5AA02 FE3C9D45 436CE821
          B8287CB6 2CBC135B 3E339EFE F6576CA9

   L    = 00000000 00000000 00000000 00000000
          00000000 00000000 00000000 00000190

   K[1] = 95FEB83E BE3C2833 A09D7C9E BE45B6FE
          88432CF6 D56CBC57 AAE8136D 02215B39

   K[2] = 8695FEB8 1BBE3C28 E2A09D7C 48BE45B6
          DA88432C EBD56CBC 7FABE813 F292215B

   K[2] = 8695FEB8 1BBE3C28 E2A09D7C 48BE45B6
          DA88432C EBD56CBC 7FABE813 F292215B

   K[3] = B9799501 141B413C 1EE2A062 0CB74145
          6FDA88BC D0142A6C FA80AA16 15F2FDB1

   K[4] = 94B97995 7D141B41 C21EE2A0 040CB741
          346FDA88 46D0142A BDFA81AA DC1562FD

   S    = D42336E0 2A0A6998 6C65478A 3D08A1B9
          9FDDFF20 4808E863 94FD9D6D F776A7AD

   KSI  = 47E26AFD 3E7278A1 7D473785 06140773
          A3D97E7E A744CB43 08AA4C24 3352C745

   STEP 4.

   H    = 47E26AFD 3E7278A1 7D473785 06140773
          A3D97E7E A744CB43 08AA4C24 3352C745



Dolmatov                      Informational                    [Page 15]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


   SIGMA = 73616820 65676173 73656D20 6C61E1CE
           DBE2D48F 509A88B1 40CDE7D6 DED5E173

   K[1] = 340E7848 83223B67 025AAAAB DDA5F1F2
          5B6AF7ED 1575DE87 19E64326 D2BDF236

   K[2] = 03DC0ED0 F4CD26BC 8B595F13 F5A4A55E
          A8B063CB ED3D7325 6511662A 7963008D

   K[3] = C954EF19 D0779A68 ED37D3FB 7DA5ADDC
          4A9D0277 78EF765B C4731191 7EBB21B1

   K[4] = 6D12BC47 D9363D19 1E3C696F 28F2DC02
          F2137F37 64E4C18B 69CCFBF8 EF72B7E3

   S    = 790DD7A1 066544EA 2829563C 3C39D781
          25EF9645 EE2C05DD A5ECAD92 2511A4D1

   KSI  = 0852F562 3B89DD57 AEB4781F E54DF14E
          EAFBC135 0613763A 0D770AA6 57BA1A47

   Then, the hash result is:

   H    = 0852F562 3B89DD57 AEB4781F E54DF14E
          EAFBC135 0613763A 0D770AA6 57BA1A47

8.  Security Considerations

   This entire document is about security considerations.

   Current cryptographic resistance of GOST R 34.11-94 hash algorithm is
   estimated as 2^128 operations of computations of step hash functions.
   (There is a known method to reduce this estimate to 2^105 operations,
   but it demands padding the colliding message with 1024 random bit
   blocks each of 256-bit length; thus, it cannot be used in any
   practical implementation).

9.  Normative References

   [GOST28147] "Cryptographic Protection for Data Processing System",
               GOST 28147-89, Gosudarstvennyi Standard of USSR,
               Government Committee of the USSR for Standards, 1989.
               (In Russian)

   [GOST3411]  "Information technology.  Cryptographic Data Security.
               Hashing function.", GOST R 34.10-94, Gosudarstvennyi
               Standard of Russian Federation, Government Committee of
               the Russia for Standards, 1994. (In Russian)



Dolmatov                      Informational                    [Page 16]
^L
RFC 5831                     GOST R 34.11-94                  March 2010


10.  Contributors

   Dmitry Kabelev
   Cryptocom, Ltd.
   14 Kedrova St., Bldg. 2
   Moscow, 117218
   Russian Federation


   EMail: kdb@cryptocom.ru

   Igor Ustinov
   Cryptocom, Ltd.
   14 Kedrova St., Bldg. 2
   Moscow, 117218
   Russian Federation

   EMail: igus@cryptocom.ru


   Sergey Vyshensky
   Moscow State University
   Leninskie gory, 1
   Moscow, 119991
   Russian Federation

   EMail: svysh@pn.sinp.msu.ru

Author's Address

   Vasily Dolmatov, Ed.
   Cryptocom, Ltd.
   14 Kedrova St., Bldg. 2
   Moscow, 117218
   Russian Federation

   EMail: dol@cryptocom.ru














Dolmatov                      Informational                    [Page 17]
^L