summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc8891.txt
blob: 90e719f9cfcccfb5145313c425ec7a4476e5d11e (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
Independent Submission                                  V. Dolmatov, Ed.
Request for Comments: 8891                          JSC "NPK Kryptonite"
Updates: 5830                                               D. Baryshkov
Category: Informational                                     Auriga, Inc.
ISSN: 2070-1721                                           September 2020


                GOST R 34.12-2015: Block Cipher "Magma"

Abstract

   In addition to a new cipher with a block length of n=128 bits
   (referred to as "Kuznyechik" and described in RFC 7801), Russian
   Federal standard GOST R 34.12-2015 includes an updated version of the
   block cipher with a block length of n=64 bits and key length of k=256
   bits, which is also referred to as "Magma".  The algorithm is an
   updated version of an older block cipher with a block length of n=64
   bits described in GOST 28147-89 (RFC 5830).  This document is
   intended to be a source of information about the updated version of
   the 64-bit cipher.  It may facilitate the use of the block cipher in
   Internet applications by providing information for developers and
   users of the GOST 64-bit cipher with the revised version of the
   cipher for encryption and decryption.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8891.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  General Information
   3.  Definitions and Notation
     3.1.  Definitions
     3.2.  Notation
   4.  Parameter Values
     4.1.  Nonlinear Bijection
     4.2.  Transformations
     4.3.  Key Schedule
   5.  Basic Encryption Algorithm
     5.1.  Encryption
     5.2.  Decryption
   6.  IANA Considerations
   7.  Security Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Test Examples
     A.1.  Transformation t
     A.2.  Transformation g
     A.3.  Key Schedule
     A.4.  Test Encryption
     A.5.  Test Decryption
   Appendix B.  Background
   Authors' Addresses

1.  Introduction

   The Russian Federal standard [GOSTR3412-2015] specifies basic block
   ciphers used as cryptographic techniques for information processing
   and information protection, including the provision of
   confidentiality, authenticity, and integrity of information during
   information transmission, processing, and storage in computer-aided
   systems.

   The cryptographic algorithms defined in this specification are
   designed both for hardware and software implementation.  They comply
   with modern cryptographic requirements and put no restrictions on the
   confidentiality level of the protected information.

   This document is intended to be a source of information about the
   updated version of the 64-bit cipher.  It may facilitate the use of
   the block cipher in Internet applications by providing information
   for developers and users of a GOST 64-bit cipher with the revised
   version of the cipher for encryption and decryption.

2.  General Information

   The Russian Federal standard [GOSTR3412-2015] was developed by the
   Center for Information Protection and Special Communications of the
   Federal Security Service of the Russian Federation, with
   participation of the open joint-stock company "Information
   Technologies and Communication Systems" (InfoTeCS JSC).  GOST R
   34.12-2015 was approved and introduced by Decree #749 of the Federal
   Agency on Technical Regulating and Metrology on June 19, 2015.

   Terms and concepts in the specification comply with the following
   international standards:

   *  ISO/IEC 10116 [ISO-IEC10116]

   *  series of standards ISO/IEC 18033 [ISO-IEC18033-1][ISO-IEC18033-3]

3.  Definitions and Notation

   The following terms and their corresponding definitions are used in
   the specification.

3.1.  Definitions

   encryption algorithm:  process that transforms plaintext into
      ciphertext (Clause 2.19 of [ISO-IEC18033-1])

   decryption algorithm:  process that transforms ciphertext into
      plaintext (Clause 2.14 of [ISO-IEC18033-1])

   basic block cipher:  block cipher that, for a given key, provides a
      single invertible mapping of the set of fixed-length plaintext
      blocks into ciphertext blocks of the same length

   block:  string of bits of a defined length (Clause 2.6 of
      [ISO-IEC18033-1])

   block cipher:  symmetric encipherment system with the property that
      the encryption algorithm operates on a block of plaintext -- i.e.,
      a string of bits of a defined length -- to yield a block of
      ciphertext (Clause 2.7 of [ISO-IEC18033-1])

      Note: In GOST R 34.12-2015, it is established that the terms
      "block cipher" and "block encryption algorithm" are synonyms.

   encryption:  reversible transformation of data by a cryptographic
      algorithm to produce ciphertext -- i.e., to hide the information
      content of the data (Clause 2.18 of [ISO-IEC18033-1])

   round key:  sequence of symbols that is calculated from the key and
      controls a transformation for one round of a block cipher

   key:  sequence of symbols that controls the operation of a
      cryptographic transformation (e.g., encipherment, decipherment)
      (Clause 2.21 of [ISO-IEC18033-1])

      Note: In GOST R 34.12-2015, the key must be a binary sequence.

   plaintext:  unencrypted information (Clause 3.11 of [ISO-IEC10116])

   key schedule:  calculation of round keys from the key,

   decryption:  reversal of a corresponding encipherment (Clause 2.13 of
      [ISO-IEC18033-1])

   symmetric cryptographic technique:  cryptographic technique that uses
      the same secret key for both the originator's and the recipient's
      transformation (Clause 2.32 of [ISO-IEC18033-1])

   cipher:  alternative term for encipherment system (Clause 2.20 of
      [ISO-IEC18033-1])

   ciphertext:  data that has been transformed to hide its information
      content (Clause 3.3 of [ISO-IEC10116])

3.2.  Notation

   The following notation is used in the specification:

   V*  the set of all binary vector strings of a finite length
      (hereinafter referred to as the strings), including the empty
      string

   V_s  the set of all binary strings of length s, where s is a
      nonnegative integer; substrings and string components are
      enumerated from right to left, starting from zero

   U[*]W  direct (Cartesian) product of two sets U and W

   |A|  the number of components (the length) of a string A belonging to
      V* (if A is an empty string, then |A| = 0)

   A||B  concatenation of strings A and B both belonging to V* -- i.e.,
      a string from V_(|A|+|B|), where the left substring from V_|A| is
      equal to A and the right substring from V_|B| is equal to B

   A<<<_11  cyclic rotation of string A belonging to V_32 by 11
      components in the direction of components having greater indices

   Z_(2^n)  ring of residues modulo 2^n

   (xor)  exclusive-or of two binary strings of the same length

   [+]  addition in the ring Z_(2^32)

   Vec_s: Z_(2^s) -> V_s  bijective mapping that maps an element from
      ring Z_(2^s) into its binary representation; i.e., for an element
      z of the ring Z_(2^s), represented by the residue z_0 + (2*z_1) +
      ... + (2^(s-1)*z_(s-1)), where z_i in {0, 1}, i = 0, ..., n-1, the
      equality Vec_s(z) = z_(s-1)||...||z_1||z_0 holds

   Int_s: V_s -> Z_(2^s)  the mapping inverse to the mapping Vec_s,
      i.e., Int_s = Vec_s^(-1)

   PS  composition of mappings, where the mapping S applies first

   P^s  composition of mappings P^(s-1) and P, where P^1=P

4.  Parameter Values

4.1.  Nonlinear Bijection

   The bijective nonlinear mapping is a set of substitutions:

   Pi_i = Vec_4 Pi'_i Int_4: V_4 -> V_4,

   where

   Pi'_i: Z_(2^4) -> Z_(2^4), i = 0, 1, ..., 7.

   The values of the substitution Pi' are specified below as arrays.

   Pi'_i = (Pi'_i(0), Pi'_i(1), ... , Pi'_i(15)), i = 0, 1, ..., 7:

   Pi'_0 = (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1);
   Pi'_1 = (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15);
   Pi'_2 = (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0);
   Pi'_3 = (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11);
   Pi'_4 = (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12);
   Pi'_5 = (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0);
   Pi'_6 = (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7);
   Pi'_7 = (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2);

4.2.  Transformations

   The following transformations are applicable for encryption and
   decryption algorithms:

   t: V_32 -> V_32
      t(a) = t(a_7||...||a_0) = Pi_7(a_7)||...||Pi_0(a_0), where
      a=a_7||...||a_0 belongs to V_32, a_i belongs to V_4, i=0, 1, ...,
      7.

   g[k]: V_32 -> V_32
      g[k](a) = (t(Vec_32(Int_32(a) [+] Int_32(k)))) <<<_11, where k, a
      belong to V_32

   G[k]: V_32[*]V_32 -> V_32[*]V_32
      G[k](a_1, a_0) = (a_0, g[k](a_0) (xor) a_1), where k, a_0, a_1
      belong to V_32

   G^*[k]: V_32[*]V_32 -> V_64
      G^*[k](a_1, a_0) = (g[k](a_0) (xor) a_1) || a_0, where k, a_0, a_1
      belong to V_32.

4.3.  Key Schedule

   Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from
   key K = k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0,
   1, ..., 255, as follows:

   K_1 = k_255||...||k_224;
   K_2 = k_223||...||k_192;
   K_3 = k_191||...||k_160;
   K_4 = k_159||...||k_128;
   K_5 = k_127||...||k_96;
   K_6 = k_95||...||k_64;
   K_7 = k_63||...||k_32;
   K_8 = k_31||...||k_0;
   K_(i+8) = K_i, i = 1, 2, ..., 8;
   K_(i+16) = K_i, i = 1, 2, ..., 8;
   K_(i+24) = K_(9-i), i = 1, 2, ..., 8.

5.  Basic Encryption Algorithm

5.1.  Encryption

   Depending on the values of round keys K_1,...,K_32, the encryption
   algorithm is a substitution E_(K_1,...,K_32) defined as follows:

   E_(K_1,...,K_32)(a)=G^*[K_32]G[K_31]...G[K_2]G[K_1](a_1, a_0),

   where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.

5.2.  Decryption

   Depending on the values of round keys K_1,...,K_32, the decryption
   algorithm is a substitution D_(K_1,...,K_32) defined as follows:

   D_(K_1,...,K_32)(a)=G^*[K_1]G[K_2]...G[K_31]G[K_32](a_1, a_0),

   where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.

6.  IANA Considerations

   This document has no IANA actions.

7.  Security Considerations

   This entire document is about security considerations.

   Unlike [RFC5830] (GOST 28147-89), but like [RFC7801], this
   specification does not define exact block modes that should be used
   together with the updated Magma cipher.  One is free to select block
   modes depending on the protocol and necessity.

8.  References

8.1.  Normative References

   [GOSTR3412-2015]
              Federal Agency on Technical Regulating and Metrology,
              "Information technology. Cryptographic data security.
              Block ciphers.", GOST R 34.12-2015, 2015.

   [RFC5830]  Dolmatov, V., Ed., "GOST 28147-89: Encryption, Decryption,
              and Message Authentication Code (MAC) Algorithms",
              RFC 5830, DOI 10.17487/RFC5830, March 2010,
              <https://www.rfc-editor.org/info/rfc5830>.

   [RFC7801]  Dolmatov, V., Ed., "GOST R 34.12-2015: Block Cipher
              "Kuznyechik"", RFC 7801, DOI 10.17487/RFC7801, March 2016,
              <https://www.rfc-editor.org/info/rfc7801>.

8.2.  Informative References

   [GOST28147-89]
              Government Committee of the USSR for Standards,
              "Cryptographic Protection for Data Processing System, GOST
              28147-89, Gosudarstvennyi Standard of USSR", 1989.

   [ISO-IEC10116]
              ISO/IEC, "Information technology -- Security techniques --
              Modes of operation for an n-bit block cipher", ISO/
              IEC 10116, 2017.

   [ISO-IEC18033-1]
              ISO/IEC, "Information technology -- Security techniques --
              Encryption algorithms -- Part 1: General", ISO/
              IEC 18033-1:2015, 2015.

   [ISO-IEC18033-3]
              ISO/IEC, "Information technology -- Security techniques --
              Encryption algorithms -- Part 3: Block ciphers", ISO/
              IEC 18033-3:2010, 2010.

   [RFC7836]  Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V.,
              Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines
              on the Cryptographic Algorithms to Accompany the Usage of
              Standards GOST R 34.10-2012 and GOST R 34.11-2012",
              RFC 7836, DOI 10.17487/RFC7836, March 2016,
              <https://www.rfc-editor.org/info/rfc7836>.

Appendix A.  Test Examples

   This section is for information only and is not a normative part of
   the specification.

A.1.  Transformation t

   t(fdb97531) = 2a196f34,
   t(2a196f34) = ebd9f03a,
   t(ebd9f03a) = b039bb3d,
   t(b039bb3d) = 68695433.

A.2.  Transformation g

   g[87654321](fedcba98) = fdcbc20c,
   g[fdcbc20c](87654321) = 7e791a4b,
   g[7e791a4b](fdcbc20c) = c76549ec,
   g[c76549ec](7e791a4b) = 9791c849.

A.3.  Key Schedule

   With key set to

   K = ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff,

   the following round keys are generated:

   K_1 = ffeeddcc,
   K_2 = bbaa9988,
   K_3 = 77665544,
   K_4 = 33221100,
   K_5 = f0f1f2f3,
   K_6 = f4f5f6f7,
   K_7 = f8f9fafb,
   K_8 = fcfdfeff,

   K_9 = ffeeddcc,
   K_10 = bbaa9988,
   K_11 = 77665544,
   K_12 = 33221100,
   K_13 = f0f1f2f3,
   K_14 = f4f5f6f7,
   K_15 = f8f9fafb,
   K_16 = fcfdfeff,

   K_17 = ffeeddcc,
   K_18 = bbaa9988,
   K_19 = 77665544,
   K_20 = 33221100,
   K_21 = f0f1f2f3,
   K_22 = f4f5f6f7,
   K_23 = f8f9fafb,
   K_24 = fcfdfeff,

   K_25 = fcfdfeff,
   K_26 = f8f9fafb,
   K_27 = f4f5f6f7,
   K_28 = f0f1f2f3,
   K_29 = 33221100,
   K_30 = 77665544,
   K_31 = bbaa9988,
   K_32 = ffeeddcc.

A.4.  Test Encryption

   In this test example, encryption is performed on the round keys
   specified in Appendix A.3.  Let the plaintext be

   a = fedcba9876543210,

   then

   (a_1, a_0) = (fedcba98, 76543210),
   G[K_1](a_1, a_0) = (76543210, 28da3b14),
   G[K_2]G[K_1](a_1, a_0) = (28da3b14, b14337a5),
   G[K_3]...G[K_1](a_1, a_0) = (b14337a5, 633a7c68),
   G[K_4]...G[K_1](a_1, a_0) = (633a7c68, ea89c02c),
   G[K_5]...G[K_1](a_1, a_0) = (ea89c02c, 11fe726d),
   G[K_6]...G[K_1](a_1, a_0) = (11fe726d, ad0310a4),
   G[K_7]...G[K_1](a_1, a_0) = (ad0310a4, 37d97f25),
   G[K_8]...G[K_1](a_1, a_0) = (37d97f25, 46324615),
   G[K_9]...G[K_1](a_1, a_0) = (46324615, ce995f2a),
   G[K_10]...G[K_1](a_1, a_0) = (ce995f2a, 93c1f449),
   G[K_11]...G[K_1](a_1, a_0) = (93c1f449, 4811c7ad),
   G[K_12]...G[K_1](a_1, a_0) = (4811c7ad, c4b3edca),
   G[K_13]...G[K_1](a_1, a_0) = (c4b3edca, 44ca5ce1),
   G[K_14]...G[K_1](a_1, a_0) = (44ca5ce1, fef51b68),
   G[K_15]...G[K_1](a_1, a_0) = (fef51b68, 2098cd86)
   G[K_16]...G[K_1](a_1, a_0) = (2098cd86, 4f15b0bb),
   G[K_17]...G[K_1](a_1, a_0) = (4f15b0bb, e32805bc),
   G[K_18]...G[K_1](a_1, a_0) = (e32805bc, e7116722),
   G[K_19]...G[K_1](a_1, a_0) = (e7116722, 89cadf21),
   G[K_20]...G[K_1](a_1, a_0) = (89cadf21, bac8444d),
   G[K_21]...G[K_1](a_1, a_0) = (bac8444d, 11263a21),
   G[K_22]...G[K_1](a_1, a_0) = (11263a21, 625434c3),
   G[K_23]...G[K_1](a_1, a_0) = (625434c3, 8025c0a5),
   G[K_24]...G[K_1](a_1, a_0) = (8025c0a5, b0d66514),
   G[K_25]...G[K_1](a_1, a_0) = (b0d66514, 47b1d5f4),
   G[K_26]...G[K_1](a_1, a_0) = (47b1d5f4, c78e6d50),
   G[K_27]...G[K_1](a_1, a_0) = (c78e6d50, 80251e99),
   G[K_28]...G[K_1](a_1, a_0) = (80251e99, 2b96eca6),
   G[K_29]...G[K_1](a_1, a_0) = (2b96eca6, 05ef4401),
   G[K_30]...G[K_1](a_1, a_0) = (05ef4401, 239a4577),
   G[K_31]...G[K_1](a_1, a_0) = (239a4577, c2d8ca3d).

   Then the ciphertext is

   b = G^*[K_32]G[K_31]...G[K_1](a_1, a_0) = 4ee901e5c2d8ca3d.

A.5.  Test Decryption

   In this test example, decryption is performed on the round keys
   specified in Appendix A.3.  Let the ciphertext be

   b = 4ee901e5c2d8ca3d,

   then

   (b_1, b_0) = (4ee901e5, c2d8ca3d),
   G[K_32](b_1, b_0) = (c2d8ca3d, 239a4577),
   G[K_31]G[K_32](b_1, b_0) = (239a4577, 05ef4401),
   G[K_30]...G[K_32](b_1, b_0) = (05ef4401, 2b96eca6),
   G[K_29]...G[K_32](b_1, b_0) = (2b96eca6, 80251e99),
   G[K_28]...G[K_32](b_1, b_0) = (80251e99, c78e6d50),
   G[K_27]...G[K_32](b_1, b_0) = (c78e6d50, 47b1d5f4),
   G[K_26]...G[K_32](b_1, b_0) = (47b1d5f4, b0d66514),
   G[K_25]...G[K_32](b_1, b_0) = (b0d66514, 8025c0a5),
   G[K_24]...G[K_32](b_1, b_0) = (8025c0a5, 625434c3),
   G[K_23]...G[K_32](b_1, b_0) = (625434c3, 11263a21),
   G[K_22]...G[K_32](b_1, b_0) = (11263a21, bac8444d),
   G[K_21]...G[K_32](b_1, b_0) = (bac8444d, 89cadf21),
   G[K_20]...G[K_32](b_1, b_0) = (89cadf21, e7116722),
   G[K_19]...G[K_32](b_1, b_0) = (e7116722, e32805bc),
   G[K_18]...G[K_32](b_1, b_0) = (e32805bc, 4f15b0bb),
   G[K_17]...G[K_32](b_1, b_0) = (4f15b0bb, 2098cd86),
   G[K_16]...G[K_32](b_1, b_0) = (2098cd86, fef51b68),
   G[K_15]...G[K_32](b_1, b_0) = (fef51b68, 44ca5ce1),
   G[K_14]...G[K_32](b_1, b_0) = (44ca5ce1, c4b3edca),
   G[K_13]...G[K_32](b_1, b_0) = (c4b3edca, 4811c7ad),
   G[K_12]...G[K_32](b_1, b_0) = (4811c7ad, 93c1f449),
   G[K_11]...G[K_32](b_1, b_0) = (93c1f449, ce995f2a),
   G[K_10]...G[K_32](b_1, b_0) = (ce995f2a, 46324615),
   G[K_9]...G[K_32](b_1, b_0) = (46324615, 37d97f25),
   G[K_8]...G[K_32](b_1, b_0) = (37d97f25, ad0310a4),
   G[K_7]...G[K_32](b_1, b_0) = (ad0310a4, 11fe726d),
   G[K_6]...G[K_32](b_1, b_0) = (11fe726d, ea89c02c),
   G[K_5]...G[K_32](b_1, b_0) = (ea89c02c, 633a7c68),
   G[K_4]...G[K_32](b_1, b_0) = (633a7c68, b14337a5),
   G[K_3]...G[K_32](b_1, b_0) = (b14337a5, 28da3b14),
   G[K_2]...G[K_32](b_1, b_0) = (28da3b14, 76543210).

   Then the plaintext is

   a = G^*[K_1]G[K_2]...G[K_32](b_1, b_0) = fedcba9876543210.

Appendix B.  Background

   This specification is a translation of relevant parts of the
   [GOSTR3412-2015] standard.  The order of terms in both parts of
   Section 3 comes from the original text.  Combining [RFC7801] with
   this document will create a complete translation of [GOSTR3412-2015]
   into English.

   Algorithmically, Magma is a variation of the block cipher defined in
   [RFC5830] ([GOST28147-89]) with the following clarifications and
   minor modifications:

   1.  S-BOX set is fixed at id-tc26-gost-28147-param-Z (see Appendix C
       of [RFC7836]);

   2.  key is parsed as a single big-endian integer (compared to the
       little-endian approach used in [GOST28147-89]), which results in
       different subkey values being used;

   3.  data bytes are also parsed as a single big-endian integer
       (instead of being parsed as little-endian integer).

Authors' Addresses

   Vasily Dolmatov (editor)
   JSC "NPK Kryptonite"
   Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite"
   Moscow
   105082
   Russian Federation

   Email: vdolmatov@gmail.com


   Dmitry Baryshkov
   Auriga, Inc.
   office 1410
   Torfyanaya Doroga, 7F
   Saint-Petersburg
   197374
   Russian Federation

   Email: dbaryshkov@gmail.com