RFC 8891 | GOST R 34.12-2015: Block Cipher "Magma" | September 2020 |
Dolmatov & Baryshkov | Informational | [Page] |
In addition to a new cipher with a block length of n=128 bits (referred to as "Kuznyechik" and described in RFC 7801), Russian Federal standard GOST R 34.12-2015 includes an updated version of the block cipher with a block length of n=64 bits and key length of k=256 bits, which is also referred to as "Magma". The algorithm is an updated version of an older block cipher with a block length of n=64 bits described in GOST 28147-89 (RFC 5830). This document is intended to be a source of information about the updated version of the 64-bit cipher. It may facilitate the use of the block cipher in Internet applications by providing information for developers and users of the GOST 64-bit cipher with the revised version of the cipher for encryption and decryption.¶
This document is not an Internet Standards Track specification; it is published for informational purposes.¶
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not candidates for any level of Internet Standard; see Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8891.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The Russian Federal standard [GOSTR3412-2015] specifies basic block ciphers used as cryptographic techniques for information processing and information protection, including the provision of confidentiality, authenticity, and integrity of information during information transmission, processing, and storage in computer-aided systems.¶
The cryptographic algorithms defined in this specification are designed both for hardware and software implementation. They comply with modern cryptographic requirements and put no restrictions on the confidentiality level of the protected information.¶
This document is intended to be a source of information about the updated version of the 64-bit cipher. It may facilitate the use of the block cipher in Internet applications by providing information for developers and users of a GOST 64-bit cipher with the revised version of the cipher for encryption and decryption.¶
The Russian Federal standard [GOSTR3412-2015] was developed by the Center for Information Protection and Special Communications of the Federal Security Service of the Russian Federation, with participation of the open joint-stock company "Information Technologies and Communication Systems" (InfoTeCS JSC). GOST R 34.12-2015 was approved and introduced by Decree #749 of the Federal Agency on Technical Regulating and Metrology on June 19, 2015.¶
Terms and concepts in the specification comply with the following international standards:¶
The following terms and their corresponding definitions are used in the specification.¶
symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext -- i.e., a string of bits of a defined length -- to yield a block of ciphertext (Clause 2.7 of [ISO-IEC18033-1])¶
Note: In GOST R 34.12-2015, it is established that the terms "block cipher" and "block encryption algorithm" are synonyms.¶
sequence of symbols that controls the operation of a cryptographic transformation (e.g., encipherment, decipherment) (Clause 2.21 of [ISO-IEC18033-1])¶
Note: In GOST R 34.12-2015, the key must be a binary sequence.¶
The following notation is used in the specification:¶
The bijective nonlinear mapping is a set of substitutions:¶
Pi_i = Vec_4 Pi'_i Int_4: V_4 -> V_4,¶
where¶
Pi'_i: Z_(2^4) -> Z_(2^4), i = 0, 1, ..., 7.¶
The values of the substitution Pi' are specified below as arrays.¶
Pi'_i = (Pi'_i(0), Pi'_i(1), ... , Pi'_i(15)), i = 0, 1, ..., 7: Pi'_0 = (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1); Pi'_1 = (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15); Pi'_2 = (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0); Pi'_3 = (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11); Pi'_4 = (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12); Pi'_5 = (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0); Pi'_6 = (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7); Pi'_7 = (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2);¶
The following transformations are applicable for encryption and decryption algorithms:¶
Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from key K = k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1, ..., 255, as follows:¶
K_1 = k_255||...||k_224; K_2 = k_223||...||k_192; K_3 = k_191||...||k_160; K_4 = k_159||...||k_128; K_5 = k_127||...||k_96; K_6 = k_95||...||k_64; K_7 = k_63||...||k_32; K_8 = k_31||...||k_0; K_(i+8) = K_i, i = 1, 2, ..., 8; K_(i+16) = K_i, i = 1, 2, ..., 8; K_(i+24) = K_(9-i), i = 1, 2, ..., 8.¶
Depending on the values of round keys K_1,...,K_32, the encryption algorithm is a substitution E_(K_1,...,K_32) defined as follows:¶
E_(K_1,...,K_32)(a)=G^*[K_32]G[K_31]...G[K_2]G[K_1](a_1, a_0),¶
where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.¶
Depending on the values of round keys K_1,...,K_32, the decryption algorithm is a substitution D_(K_1,...,K_32) defined as follows:¶
D_(K_1,...,K_32)(a)=G^*[K_1]G[K_2]...G[K_31]G[K_32](a_1, a_0),¶
where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.¶
This document has no IANA actions.¶
This entire document is about security considerations.¶
Unlike [RFC5830] (GOST 28147-89), but like [RFC7801], this specification does not define exact block modes that should be used together with the updated Magma cipher. One is free to select block modes depending on the protocol and necessity.¶
This section is for information only and is not a normative part of the specification.¶
t(fdb97531) = 2a196f34, t(2a196f34) = ebd9f03a, t(ebd9f03a) = b039bb3d, t(b039bb3d) = 68695433.¶
g[87654321](fedcba98) = fdcbc20c, g[fdcbc20c](87654321) = 7e791a4b, g[7e791a4b](fdcbc20c) = c76549ec, g[c76549ec](7e791a4b) = 9791c849.¶
With key set to¶
K = ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff,¶
the following round keys are generated:¶
K_1 = ffeeddcc, K_2 = bbaa9988, K_3 = 77665544, K_4 = 33221100, K_5 = f0f1f2f3, K_6 = f4f5f6f7, K_7 = f8f9fafb, K_8 = fcfdfeff, K_9 = ffeeddcc, K_10 = bbaa9988, K_11 = 77665544, K_12 = 33221100, K_13 = f0f1f2f3, K_14 = f4f5f6f7, K_15 = f8f9fafb, K_16 = fcfdfeff, K_17 = ffeeddcc, K_18 = bbaa9988, K_19 = 77665544, K_20 = 33221100, K_21 = f0f1f2f3, K_22 = f4f5f6f7, K_23 = f8f9fafb, K_24 = fcfdfeff, K_25 = fcfdfeff, K_26 = f8f9fafb, K_27 = f4f5f6f7, K_28 = f0f1f2f3, K_29 = 33221100, K_30 = 77665544, K_31 = bbaa9988, K_32 = ffeeddcc.¶
In this test example, encryption is performed on the round keys specified in Appendix A.3. Let the plaintext be¶
a = fedcba9876543210,¶
then¶
(a_1, a_0) = (fedcba98, 76543210), G[K_1](a_1, a_0) = (76543210, 28da3b14), G[K_2]G[K_1](a_1, a_0) = (28da3b14, b14337a5), G[K_3]...G[K_1](a_1, a_0) = (b14337a5, 633a7c68), G[K_4]...G[K_1](a_1, a_0) = (633a7c68, ea89c02c), G[K_5]...G[K_1](a_1, a_0) = (ea89c02c, 11fe726d), G[K_6]...G[K_1](a_1, a_0) = (11fe726d, ad0310a4), G[K_7]...G[K_1](a_1, a_0) = (ad0310a4, 37d97f25), G[K_8]...G[K_1](a_1, a_0) = (37d97f25, 46324615), G[K_9]...G[K_1](a_1, a_0) = (46324615, ce995f2a), G[K_10]...G[K_1](a_1, a_0) = (ce995f2a, 93c1f449), G[K_11]...G[K_1](a_1, a_0) = (93c1f449, 4811c7ad), G[K_12]...G[K_1](a_1, a_0) = (4811c7ad, c4b3edca), G[K_13]...G[K_1](a_1, a_0) = (c4b3edca, 44ca5ce1), G[K_14]...G[K_1](a_1, a_0) = (44ca5ce1, fef51b68), G[K_15]...G[K_1](a_1, a_0) = (fef51b68, 2098cd86) G[K_16]...G[K_1](a_1, a_0) = (2098cd86, 4f15b0bb), G[K_17]...G[K_1](a_1, a_0) = (4f15b0bb, e32805bc), G[K_18]...G[K_1](a_1, a_0) = (e32805bc, e7116722), G[K_19]...G[K_1](a_1, a_0) = (e7116722, 89cadf21), G[K_20]...G[K_1](a_1, a_0) = (89cadf21, bac8444d), G[K_21]...G[K_1](a_1, a_0) = (bac8444d, 11263a21), G[K_22]...G[K_1](a_1, a_0) = (11263a21, 625434c3), G[K_23]...G[K_1](a_1, a_0) = (625434c3, 8025c0a5), G[K_24]...G[K_1](a_1, a_0) = (8025c0a5, b0d66514), G[K_25]...G[K_1](a_1, a_0) = (b0d66514, 47b1d5f4), G[K_26]...G[K_1](a_1, a_0) = (47b1d5f4, c78e6d50), G[K_27]...G[K_1](a_1, a_0) = (c78e6d50, 80251e99), G[K_28]...G[K_1](a_1, a_0) = (80251e99, 2b96eca6), G[K_29]...G[K_1](a_1, a_0) = (2b96eca6, 05ef4401), G[K_30]...G[K_1](a_1, a_0) = (05ef4401, 239a4577), G[K_31]...G[K_1](a_1, a_0) = (239a4577, c2d8ca3d).¶
Then the ciphertext is¶
b = G^*[K_32]G[K_31]...G[K_1](a_1, a_0) = 4ee901e5c2d8ca3d.¶
In this test example, decryption is performed on the round keys specified in Appendix A.3. Let the ciphertext be¶
b = 4ee901e5c2d8ca3d,¶
then¶
(b_1, b_0) = (4ee901e5, c2d8ca3d), G[K_32](b_1, b_0) = (c2d8ca3d, 239a4577), G[K_31]G[K_32](b_1, b_0) = (239a4577, 05ef4401), G[K_30]...G[K_32](b_1, b_0) = (05ef4401, 2b96eca6), G[K_29]...G[K_32](b_1, b_0) = (2b96eca6, 80251e99), G[K_28]...G[K_32](b_1, b_0) = (80251e99, c78e6d50), G[K_27]...G[K_32](b_1, b_0) = (c78e6d50, 47b1d5f4), G[K_26]...G[K_32](b_1, b_0) = (47b1d5f4, b0d66514), G[K_25]...G[K_32](b_1, b_0) = (b0d66514, 8025c0a5), G[K_24]...G[K_32](b_1, b_0) = (8025c0a5, 625434c3), G[K_23]...G[K_32](b_1, b_0) = (625434c3, 11263a21), G[K_22]...G[K_32](b_1, b_0) = (11263a21, bac8444d), G[K_21]...G[K_32](b_1, b_0) = (bac8444d, 89cadf21), G[K_20]...G[K_32](b_1, b_0) = (89cadf21, e7116722), G[K_19]...G[K_32](b_1, b_0) = (e7116722, e32805bc), G[K_18]...G[K_32](b_1, b_0) = (e32805bc, 4f15b0bb), G[K_17]...G[K_32](b_1, b_0) = (4f15b0bb, 2098cd86), G[K_16]...G[K_32](b_1, b_0) = (2098cd86, fef51b68), G[K_15]...G[K_32](b_1, b_0) = (fef51b68, 44ca5ce1), G[K_14]...G[K_32](b_1, b_0) = (44ca5ce1, c4b3edca), G[K_13]...G[K_32](b_1, b_0) = (c4b3edca, 4811c7ad), G[K_12]...G[K_32](b_1, b_0) = (4811c7ad, 93c1f449), G[K_11]...G[K_32](b_1, b_0) = (93c1f449, ce995f2a), G[K_10]...G[K_32](b_1, b_0) = (ce995f2a, 46324615), G[K_9]...G[K_32](b_1, b_0) = (46324615, 37d97f25), G[K_8]...G[K_32](b_1, b_0) = (37d97f25, ad0310a4), G[K_7]...G[K_32](b_1, b_0) = (ad0310a4, 11fe726d), G[K_6]...G[K_32](b_1, b_0) = (11fe726d, ea89c02c), G[K_5]...G[K_32](b_1, b_0) = (ea89c02c, 633a7c68), G[K_4]...G[K_32](b_1, b_0) = (633a7c68, b14337a5), G[K_3]...G[K_32](b_1, b_0) = (b14337a5, 28da3b14), G[K_2]...G[K_32](b_1, b_0) = (28da3b14, 76543210).¶
Then the plaintext is¶
a = G^*[K_1]G[K_2]...G[K_32](b_1, b_0) = fedcba9876543210.¶
This specification is a translation of relevant parts of the [GOSTR3412-2015] standard. The order of terms in both parts of Section 3 comes from the original text. Combining [RFC7801] with this document will create a complete translation of [GOSTR3412-2015] into English.¶
Algorithmically, Magma is a variation of the block cipher defined in [RFC5830] ([GOST28147-89]) with the following clarifications and minor modifications:¶