Independent Submission                                  V. Dolmatov, Ed.
Request for Comments: 5832                               Cryptocom, Ltd.
Category: Informational                                       March 2010
ISSN: 2070-1721
        
Independent Submission                                  V. Dolmatov, Ed.
Request for Comments: 5832                               Cryptocom, Ltd.
Category: Informational                                       March 2010
ISSN: 2070-1721
        

GOST R 34.10-2001: Digital Signature Algorithm

GOST R 34.10-2001:数字签名算法

Abstract

摘要

This document is intended to be a source of information about the Russian Federal standard for digital signatures (GOST R 34.10-2001), which is one of the Russian cryptographic standard algorithms (called GOST algorithms). Recently, Russian cryptography is being used in Internet applications, and this document has been created as information for developers and users of GOST R 34.10-2001 for digital signature generation and verification.

本文件旨在作为俄罗斯联邦数字签名标准(GOST R 34.10-2001)的信息来源,该标准是俄罗斯密码标准算法之一(称为GOST算法)。最近,俄罗斯密码学正在互联网应用中使用,本文件作为GOST R 34.10-2001的开发者和用户的信息,用于生成和验证数字签名。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5832.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5832.

Copyright Notice

版权公告

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English.

不得修改本文件,也不得创建其衍生作品,除非将其格式化为RFC出版或将其翻译为英语以外的其他语言。

Table of Contents

目录

   1. Introduction ....................................................3
      1.1. General Information ........................................3
      1.2. The Purpose of GOST R 34.10-2001 ...........................3
   2. Applicability ...................................................4
   3. Definitions and Notations .......................................4
      3.1. Definitions ................................................4
      3.2. Notations ..................................................6
   4. General Statements ..............................................7
   5. Mathematical Conventions ........................................8
      5.1. Mathematical Definitions ...................................9
      5.2. Digital Signature Parameters ..............................10
      5.3. Binary Vectors ............................................11
   6. Main Processes .................................................12
      6.1. Digital Signature Generation Process ......................12
      6.2. Digital Signature Verification ............................13
   7. Test Examples (Appendix to GOST R 34.10-2001) ..................14
      7.1. The Digital Signature Scheme Parameters ...................14
      7.2. Digital Signature Process (Algorithm I) ...................16
      7.3. Verification Process of Digital Signature (Algorithm II) ..17
   8. Security Considerations ........................................19
   9. References .....................................................19
      9.1. Normative References ......................................19
      9.2. Informative References ....................................19
   Appendix A. Extra Terms in the Digital Signature Area .............21
   Appendix B. Contributors ..........................................22
        
   1. Introduction ....................................................3
      1.1. General Information ........................................3
      1.2. The Purpose of GOST R 34.10-2001 ...........................3
   2. Applicability ...................................................4
   3. Definitions and Notations .......................................4
      3.1. Definitions ................................................4
      3.2. Notations ..................................................6
   4. General Statements ..............................................7
   5. Mathematical Conventions ........................................8
      5.1. Mathematical Definitions ...................................9
      5.2. Digital Signature Parameters ..............................10
      5.3. Binary Vectors ............................................11
   6. Main Processes .................................................12
      6.1. Digital Signature Generation Process ......................12
      6.2. Digital Signature Verification ............................13
   7. Test Examples (Appendix to GOST R 34.10-2001) ..................14
      7.1. The Digital Signature Scheme Parameters ...................14
      7.2. Digital Signature Process (Algorithm I) ...................16
      7.3. Verification Process of Digital Signature (Algorithm II) ..17
   8. Security Considerations ........................................19
   9. References .....................................................19
      9.1. Normative References ......................................19
      9.2. Informative References ....................................19
   Appendix A. Extra Terms in the Digital Signature Area .............21
   Appendix B. Contributors ..........................................22
        
1. Introduction
1. 介绍
1.1. General Information
1.1. 一般资料

1. GOST R 34.10-2001 [GOST3410] was developed by the Federal Agency for Government Communication and Information under the President of the Russian Federation with the participation of the All-Russia Scientific and Research Institute of Standardization.

1. GOST R 34.10-2001[GOST3410]由俄罗斯联邦总统领导的联邦政府通信和信息局在全俄罗斯标准化科学研究院的参与下制定。

GOST R 34.10-2001 was submitted by Federal Agency for Government Communication and Information at President of the Russian Federation.

GOST R 34.10-2001由联邦政府通信和信息局提交给俄罗斯联邦总统。

2. GOST R 34.10-2001 was accepted and activated by the Act 380-st of 12.09.2001 issued by the Government Committee of Russia for Standards.

2. GOST R 34.10-2001已被俄罗斯政府标准委员会发布的2001年9月12日第380号法案接受并激活。

3. GOST R 34.10-2001 was developed in accordance with the terminology and concepts of international standards ISO 2382-2:1976 "Data processing - Vocabulary - Part 2: Arithmetic and logic operations"; ISO/IEC 9796:1991 "Information technology -- Security techniques -- Digital signature schemes giving message recovery"; ISO/IEC 14888 "Information technology - Security techniques - Digital signatures with appendix"; and ISO/IEC 10118 "Information technology - Security techniques - Hash-functions".

3. GOST R 34.10-2001是根据国际标准ISO 2382-2:1976“数据处理-词汇-第2部分:算术和逻辑运算”的术语和概念制定的;ISO/IEC 9796:1991“信息技术——安全技术——提供消息恢复的数字签名方案”;ISO/IEC 14888“信息技术-安全技术-带附录的数字签名”;和ISO/IEC 10118“信息技术-安全技术-哈希函数”。

4. GOST R 34.10-2001 replaces GOST R 34.10-94.

4. GOST R 34.10-2001取代GOST R 34.10-94。

1.2. The Purpose of GOST R 34.10-2001
1.2. GOST R 34.10-2001的目的

GOST R 34.10-2001 describes the generation and verification processes for digital signatures, based on operations with an elliptic curve points group, defined over a prime finite field.

GOST R 34.10-2001描述了基于在素有限域上定义的椭圆曲线点群的操作的数字签名的生成和验证过程。

GOST R 34.10-2001 has been developed to replace GOST R 34.10-94. Necessity for this development is caused by the need to increase digital signature security against unauthorized modification. Digital signature security is based on the complexity of discrete logarithm calculation in an elliptic curve points group and also on the security of the hash function used (according to [GOST3411]).

已开发GOST R 34.10-2001以取代GOST R 34.10-94。这种发展的必要性是因为需要提高数字签名的安全性,以防止未经授权的修改。数字签名的安全性基于椭圆曲线点组中离散对数计算的复杂性以及所用哈希函数的安全性(根据[GOST3411])。

Terminologically and conceptually, GOST R 34.10-2001 is in accordance with international standards ISO 2382-2 [ISO2382-2], ISO/IEC 9796 [ISO9796-1991], ISO/IEC 14888 Parts 1-3 [ISO14888-1]-[ISO14888-3], and ISO/IEC 10118 Parts 1-4 [ISO10118-1]-[ISO10118-4].

在术语和概念上,GOST R 34.10-2001符合国际标准ISO 2382-2[ISO2382-2]、ISO/IEC 9796[ISO9796-1991]、ISO/IEC 14888第1-3部分[ISO14888-1]-[ISO14888-3]和ISO/IEC 10118第1-4部分[ISO10118-1]-[ISO10118-4]。

Note: the main part of GOST R 34.10-2001 is supplemented with three appendixes:

注:GOST R 34.10-2001的主要部分由三个附录补充:

"Extra Terms in the Digital Signature Area" (Appendix A of this memo);

“数字签名领域的额外条款”(本备忘录附录A);

"Test Examples" (Section 7 of this memo);

“测试示例”(本备忘录第7节);

"A Bibliography in the Digital Signature Area" (Section 9.2 of this memo).

“数字签名领域的参考书目”(本备忘录第9.2节)。

2. Applicability
2. 适用性

GOST R 34.10-2001 defines an electronic digital signature (or simply digital signature) scheme, digital signature generation and verification processes for a given message (document), meant for transmission via insecure public telecommunication channels in data processing systems of different purposes.

GOST R 34.10-2001定义了一个电子数字签名(或简称数字签名)方案、给定消息(文档)的数字签名生成和验证过程,用于在不同用途的数据处理系统中通过不安全的公共电信信道传输。

Use of a digital signature based on GOST R 34.10-2001 makes transmitted messages more resistant to forgery and loss of integrity, in comparison with the digital signature scheme prescribed by the previous standard.

与先前标准规定的数字签名方案相比,使用基于GOST R 34.10-2001的数字签名使传输的消息更能抵抗伪造和完整性丢失。

GOST R 34.10-2001 is obligatory to use in the Russian Federation in all data processing systems providing public services.

GOST R 34.10-2001在俄罗斯联邦必须用于提供公共服务的所有数据处理系统。

3. Definitions and Notations
3. 定义和符号
3.1. Definitions
3.1. 定义

The following terms are used in the standard:

本标准中使用了以下术语:

Appendix: Bit string, formed by a digital signature and by the arbitrary text field [ISO14888-1].

附录:由数字签名和任意文本字段构成的位字符串[ISO14888-1]。

Signature key: Element of secret data, specific to the subject and used only by this subject during the signature generation process [ISO14888-1].

签名密钥:秘密数据的元素,特定于主体,仅由该主体在签名生成过程中使用[ISO14888-1]。

Verification key: Element of data mathematically linked to the signature key data element, used by the verifier during the digital signature verification process [ISO14888-1].

验证密钥:与签名密钥数据元素在数学上相连的数据元素,在数字签名验证过程中由验证者使用[ISO14888-1]。

Domain parameter: Element of data that is common for all the subjects of the digital signature scheme, known or accessible to all the subjects [ISO14888-1].

域参数:数字签名方案所有主体共有的数据元素,所有主体都知道或可访问[ISO14888-1]。

Signed message: A set of data elements, which consists of the message and the appendix, which is a part of the message.

签名报文:一组数据元素,由报文和作为报文一部分的附录组成。

Pseudo-random number sequence: A sequence of numbers, which is obtained during some arithmetic (calculation) process, used in a specific case instead of a true random number sequence [ISO2382-2].

伪随机数序列:在某些算术(计算)过程中获得的数字序列,用于特定情况,而不是真随机数序列[ISO2382-2]。

Random number sequence: A sequence of numbers none of which can be predicted (calculated) using only the preceding numbers of the same sequence [ISO2382-2].

随机数序列:仅使用同一序列的前面的数字就无法预测(计算)的数字序列[ISO2382-2]。

Verification process: A process that uses the signed message, the verification key, and the digital signature scheme parameters as initial data and that gives the conclusion about digital signature validity or invalidity as a result [ISO14888-1].

验证过程:使用已签名消息、验证密钥和数字签名方案参数作为初始数据,并由此得出数字签名有效性或无效性结论的过程[ISO14888-1]。

Signature generation process: A process that uses the message, the signature key, and the digital signature scheme parameters as initial data and that generates the digital signature as the result [ISO14888-1].

签名生成过程:使用消息、签名密钥和数字签名方案参数作为初始数据并生成数字签名作为结果的过程[ISO14888-1]。

Witness: Element of data (resulting from the verification process) that states to the verifier whether the digital signature is valid or invalid [ISO148881-1]).

见证:向验证者说明数字签名是否有效的数据元素(由验证过程产生)[ISO148881-1])。

Random number: A number chosen from the definite number set in such a way that every number from the set can be chosen with equal probability [ISO2382-2].

随机数:从定数集中选择的一个数,该定数集中的每一个数都可以以相同的概率选择[ISO2382-2]。

Message: String of bits of a limited length [ISO9796-1991].

信息:有限长度的位串[ISO9796-1991]。

Hash code: String of bits that is a result of the hash function [ISO148881-1].

散列码:由散列函数[ISO148881-1]产生的比特串。

Hash function: The function, mapping bit strings onto bit strings of fixed length observing the following properties:

哈希函数:将位字符串映射到固定长度的位字符串上的函数,遵循以下属性:

1) it is difficult to calculate the input data, that is the pre-image of the given function value;

1) 难以计算输入数据,即给定函数值的前图像;

2) it is difficult to find another input data that is the pre-image of the same function value as is the given input data;

2) 很难找到与给定输入数据具有相同功能值的前图像的另一输入数据;

3) it is difficult to find a pair of different input data, producing the same hash function value.

3) 很难找到一对不同的输入数据,产生相同的哈希函数值。

Note: Property 1 in the context of the digital signature area means that it is impossible to recover the initial message using the digital signature; property 2 means that it is difficult to find another (falsified) message that produces the same digital signature

注:数字签名区域上下文中的属性1表示无法使用数字签名恢复初始消息;属性2意味着很难找到产生相同数字签名的另一条(伪造的)消息

as a given message; property 3 means that it is difficult to find some pair of different messages, which both produce the same signature.

作为一个给定的信息;属性3意味着很难找到一对不同的消息,它们都产生相同的签名。

(Electronic) Digital signature: String of bits obtained as a result of the signature generation process. This string has an internal structure, depending on the specific signature generation mechanism.

(电子)数字签名:通过签名生成过程获得的一串位。此字符串具有内部结构,具体取决于特定的签名生成机制。

Note: In GOST R 34.10-2001 terms, "Digital signature" and "Electronic digital signature" are synonymous to save terminological succession to native legal documents currently in force and scientific publications.

注:在GOST R 34.10-2001术语中,“数字签名”和“电子数字签名”是保留当前有效的本地法律文件和科学出版物的术语继承的同义词。

3.2. Notations
3.2. 符号

In GOST R 34.10-2001, the following notations are used:

在GOST R 34.10-2001中,使用了以下符号:

V256 - set of all binary vectors of a 256-bit length

V256-256位长度的所有二进制向量集

V_all - set of all binary vectors of an arbitrary finite length

任意有限长的所有二进制向量的V_all-集

Z - set of all integers

所有整数的Z-集

p - prime number, p > 3

p-素数,p>3

   GF(p) - finite prime field represented by a set of integers
           {0, 1, ..., p - 1}
        
   GF(p) - finite prime field represented by a set of integers
           {0, 1, ..., p - 1}
        

b (mod p) - minimal non-negative number, congruent to b modulo p

b(mod p)-最小非负数,与b模p全等

M - user's message, M belongs to V_all

M-用户的消息,M属于V_all

(H1 || H2 ) - concatenation of two binary vectors

(H1 | | H2)-两个二进制向量的串联

a,b - elliptic curve coefficients

a、 b-椭圆曲线系数

m - points of the elliptic curve group order

椭圆曲线群阶的m点

q - subgroup order of group of points of the elliptic curve

椭圆曲线点群的q-子群阶

O - zero point of the elliptic curve

椭圆曲线的O-零点

P - elliptic curve point of order q

P-椭圆曲线q阶点

d - integer - a signature key

d-整数-签名密钥

Q - elliptic curve point - a verification key

Q-椭圆曲线点-一个验证密钥

^ - the power operator

^-电力操作员

   /= - non-equality
        
   /= - non-equality
        

sqrt - square root

平方根

zeta - digital signature for the message M

zeta-消息M的数字签名

4. General Statements
4. 一般性发言

A commonly accepted digital signature scheme (model) (see Section 6 of [ISO/IEC14888-1]) consists of three processes:

公认的数字签名方案(模型)(见[ISO/IEC14888-1]第6节)由三个过程组成:

- generation of a pair of keys (for signature generation and for signature verification);

- 生成一对密钥(用于签名生成和签名验证);

- signature generation;

- 签名生成;

- signature verification.

- 签名验证。

In GOST R 34.10-2001, a process for generating a pair of keys (for signature and verification) is not defined. Characteristics and ways of the process realization are defined by involved subjects, who determine corresponding parameters by their agreement.

在GOST R 34.10-2001中,未定义生成一对密钥(用于签名和验证)的过程。过程实现的特征和方式由相关主体定义,这些主体通过协议确定相应的参数。

The digital signature mechanism is defined by the realization of two main processes (see Section 7):

数字签名机制通过实现两个主要过程来定义(见第7节):

- signature generation (see Section 6.1) and

- 签名生成(见第6.1节)和

- signature verification (see Section 6.2).

- 签名验证(见第6.2节)。

The digital signature is meant for the authentication of the signatory of the electronic message. Besides, digital signature usage gives an opportunity to provide the following properties during signed message transmission:

数字签名用于认证电子信息的签字人。此外,数字签名的使用提供了在签名消息传输期间提供以下属性的机会:

- realization of control of the transmitted signed message integrity,

- 实现对传输的签名消息完整性的控制,

- proof of the authorship of the signatory of the message,

- 信息签字人的身份证明,

- protection of the message against possible forgery.

- 保护邮件不被伪造。

A schematic representation of the signed message is shown in Figure 1.

签名消息的示意图如图1所示。

                                   appendix
                                      |
                      +-------------------------------+
                      |                               |
      +-----------+   +------------------------+- - - +
      | message M |---| digital signature zeta | text |
      +-----------+   +------------------------+- - - +
        
                                   appendix
                                      |
                      +-------------------------------+
                      |                               |
      +-----------+   +------------------------+- - - +
      | message M |---| digital signature zeta | text |
      +-----------+   +------------------------+- - - +
        

Figure 1: Signed message scheme

图1:签名消息方案

The field "digital signature" is supplemented by the field "text" (see Figure 1), that can contain, for example, identifiers of the signatory of the message and/or time label.

“数字签名”字段由“文本”字段补充(见图1),该字段可以包含例如电文和/或时间标签的签字人的标识符。

The digital signature scheme determined in GOST R 34.10-2001 must be implemented using operations of the elliptic curve points group, defined over a finite prime field, and also with the use of hash function.

GOST R 34.10-2001中确定的数字签名方案必须使用在有限素数域上定义的椭圆曲线点群的运算以及哈希函数来实现。

The cryptographic security of the digital signature scheme is based on the complexity of solving the problem of the calculation of the discrete logarithm in the elliptic curve points group and also on the security of the hash function used. The hash function calculation algorithm is determined in [GOST3411].

数字签名方案的密码安全性基于解决椭圆曲线点群中离散对数计算问题的复杂性以及所用哈希函数的安全性。哈希函数计算算法在[GOST3411]中确定。

The digital signature scheme parameters needed for signature generation and verification are determined in Section 5.2.

签名生成和验证所需的数字签名方案参数在第5.2节中确定。

GOST R 34.10-2001 does not determine the process of generating parameters needed for the digital signature scheme. Possible sets of these parameters are defined, for example, in [RFC4357].

GOST R 34.10-2001未确定生成数字签名方案所需参数的过程。例如,在[RFC4357]中定义了这些参数的可能集合。

The digital signature represented as a binary vector of a 512-bit length must be calculated using a definite set of rules, as stated in Section 6.1.

如第6.1节所述,表示为512位长度的二进制向量的数字签名必须使用一组确定的规则进行计算。

The digital signature of the received message is accepted or denied in accordance with the set of rules, as stated in Section 6.2.

如第6.2节所述,根据一套规则接受或拒绝接收到的消息的数字签名。

5. Mathematical Conventions
5. 数学惯例

To define a digital signature scheme, it is necessary to describe basic mathematical objects used in the signature generation and verification processes. This section lays out basic mathematical definitions and requirements for the parameters of the digital signature scheme.

为了定义数字签名方案,需要描述签名生成和验证过程中使用的基本数学对象。本节列出了数字签名方案参数的基本数学定义和要求。

5.1. Mathematical Definitions
5.1. 数学定义

Suppose a prime number p > 3 is given. Then, an elliptic curve E, defined over a finite prime field GF(p), is the set of number pairs (x,y), x, y belong to Fp, satisfying the identity:

假设一个素数p>3。然后,在有限素数域GF(p)上定义的椭圆曲线E是属于Fp的数对(x,y),x,y的集合,满足恒等式:

   y^2 = x^3 + a*x + b (mod p),                                      (1)
        
   y^2 = x^3 + a*x + b (mod p),                                      (1)
        

where a, b belong to GF(p) and 4*a^3 + 27*b^2 is not congruent to zero modulo p.

其中a,b属于GF(p),且4*a^3+27*b^2与模p为零的模p不全等。

An invariant of the elliptic curve is the value J(E), satisfying the equality:

椭圆曲线的不变量是值J(E),满足以下等式:

                   4*a^3
   J(E) = 1728 * ------------ (mod p)                                (2)
                 4*a^3+27*b^2
        
                   4*a^3
   J(E) = 1728 * ------------ (mod p)                                (2)
                 4*a^3+27*b^2
        

Elliptic curve E coefficients a,b are defined in the following way using the invariant J(E):

椭圆曲线E系数a、b使用不变量J(E)按以下方式定义:

   | a=3*k (mod p)
   |                              J(E)
   | b=2*k (mod p), where k = ----------- (mod p), J(E) /= 0 or 1728 (3)
                              1728 - J(E)
        
   | a=3*k (mod p)
   |                              J(E)
   | b=2*k (mod p), where k = ----------- (mod p), J(E) /= 0 or 1728 (3)
                              1728 - J(E)
        

The pairs (x,y) satisfying the identity (1) are called the elliptic curve E points; x and y are called x- and y-coordinates of the point, correspondingly.

满足恒等式(1)的对(x,y)称为椭圆曲线E点;x和y分别称为点的x坐标和y坐标。

We will denote elliptic curve points as Q(x,y) or just Q. Two elliptic curve points are equal if their x- and y-coordinates are equal.

我们将椭圆曲线点表示为Q(x,y)或只是Q。如果两个椭圆曲线点的x坐标和y坐标相等,则两个椭圆曲线点相等。

On the set of all elliptic curve E points, we will define the addition operation, denoted by "+". For two arbitrary elliptic curve E points Q1 (x1, y1) and Q2 (x2, y2), we will consider several variants.

在所有椭圆曲线E点的集合上,我们将定义加法运算,用“+”表示。对于两个任意椭圆曲线E点q1(x1,y1)和q2(x2,y2),我们将考虑几个变量。

Suppose coordinates of points Q1 and Q2 satisfy the condition x1 /= x2. In this case, their sum is defined as a point Q3 (x3,y3), with coordinates defined by congruencies:

假设点Q1和Q2的坐标满足条件x1/=x2。在这种情况下,它们的和被定义为点Q3(x3,y3),坐标由同余定义:

   | x3=lambda^2-x1-x2 (mod p),                  y1-y2
   |                              where lambda= ------- (mod p).     (4)
   | y3=lambda*(x1-x3)-y1 (mod p),               x1-x2
        
   | x3=lambda^2-x1-x2 (mod p),                  y1-y2
   |                              where lambda= ------- (mod p).     (4)
   | y3=lambda*(x1-x3)-y1 (mod p),               x1-x2
        

If x1 = x2 and y1 = y2 /= 0, then we will define point Q3 coordinates in the following way:

如果x1=x2和y1=y2/=0,则我们将按以下方式定义点Q3坐标:

   | x3=lambda^2-x1*2 (mod p),                    3*x1^2+a
   |                               where lambda= --------- (mod p)   (5)
   | y3=lambda*(x1-x3)-y1 (mod p),                 y1*2
        
   | x3=lambda^2-x1*2 (mod p),                    3*x1^2+a
   |                               where lambda= --------- (mod p)   (5)
   | y3=lambda*(x1-x3)-y1 (mod p),                 y1*2
        

If x1 = x2 and y1 = - y2 (mod p), then the sum of points Q1 and Q2 is called a zero point O, without determination of its x- and y-coordinates. In this case, point Q2 is called a negative of point Q1. For the zero point, the equalities hold:

如果x1=x2和y1=-y2(mod p),则点Q1和Q2的和称为零点O,而不确定其x坐标和y坐标。在这种情况下,点Q2称为点Q1的负值。对于零点,等式成立:

   O+Q=Q+O=Q,                                                        (6)
        
   O+Q=Q+O=Q,                                                        (6)
        

where Q is an arbitrary point of elliptic curve E.

其中Q是椭圆曲线E的任意点。

A set of all points of elliptic curve E, including zero point, forms a finite abelian (commutative) group of order m regarding the introduced addition operation. For m, the following inequalities hold:

椭圆曲线E的一组所有点,包括零点,就引入的加法运算形成一个m阶有限阿贝尔(交换)群。对于m,以下不等式成立:

   p + 1 - 2*sqrt(p) =< m =< p + 1 + 2*sqrt(p).                      (7)
        
   p + 1 - 2*sqrt(p) =< m =< p + 1 + 2*sqrt(p).                      (7)
        

The point Q is called a point of multiplicity k, or just a multiple point of the elliptic curve E, if for some point P the following equality holds:

点Q称为多重点k,或仅称为椭圆曲线E的多重点,如果对于某点P,以下等式成立:

   Q = P + ... + P = k*P.                                            (8)
       -----+-----
            k
        
   Q = P + ... + P = k*P.                                            (8)
       -----+-----
            k
        
5.2. Digital Signature Parameters
5.2. 数字签名参数

The digital signature parameters are:

数字签名参数包括:

- prime number p is an elliptic curve modulus, satisfying the inequality p > 2^255. The upper bound for this number must be determined for the specific realization of the digital signature scheme;

- 素数p是一个椭圆曲线模,满足不等式p>2^255。该数字的上限必须为数字签名方案的具体实现而确定;

- elliptic curve E, defined by its invariant J(E) or by coefficients a, b belonging to GF(p).

- 椭圆曲线E,由其不变量J(E)或属于GF(p)的系数a、b定义。

- integer m is an elliptic curve E points group order;

- 整数m为椭圆曲线E点群阶;

- prime number q is an order of a cyclic subgroup of the elliptic curve E points group, which satisfies the following conditions:

- 素数q是椭圆曲线E点群的循环子群的阶,满足下列条件:

   | m = nq, n belongs to Z , n>=1
   |                                                                 (9)
   | 2^254 < q < 2^256
        
   | m = nq, n belongs to Z , n>=1
   |                                                                 (9)
   | 2^254 < q < 2^256
        

- point P /= O of an elliptic curve E, with coordinates (x_p, y_p), satisfying the equality q*P=O.

- 椭圆曲线E的点P/=O,坐标为(x_P,y_P),满足等式q*P=O。

- hash function h(.):V_all -> V256, which maps the messages represented as binary vectors of arbitrary finite length onto binary vectors of a 256-bit length. The hash function is determined in [GOST3411].

- 哈希函数h(.):V_all->V256,它将表示为任意有限长度的二进制向量的消息映射到256位长度的二进制向量。哈希函数在[GOST3411]中确定。

Every user of the digital signature scheme must have its personal keys:

数字签名方案的每个用户都必须拥有其个人密钥:

- signature key, which is an integer d, satisfying the inequality 0 < d < q;

- 签名密钥,为整数d,满足不等式0<d<q;

- verification key, which is an elliptic curve point Q with coordinates (x_q, y_q), satisfying the equality d*P=Q.

- 验证密钥,它是一个坐标为(x_Q,y_Q)的椭圆曲线点Q,满足等式d*P=Q。

The previously introduced digital signature parameters must satisfy the following requirements:

先前引入的数字签名参数必须满足以下要求:

- it is necessary that the condition p^t/= 1 (mod q ) holds for all integers t = 1, 2, ... B where B satisfies the inequality B >= 31;

- 对于所有的整数t=1,2,…,条件p^t/=1(mod q)必须成立。。。其中B满足不等式B>=31;

- it is necessary that the inequality m /= p holds;

- 不等式m/=p成立是必要的;

- the curve invariant must satisfy the condition J(E) /= 0, 1728.

- 曲线不变量必须满足条件J(E)/=01728。

5.3. Binary Vectors
5.3. 二元向量

To determine the digital signature generation and verification processes, it is necessary to map the set of integers onto the set of binary vectors of a 256-bit length.

为了确定数字签名生成和验证过程,需要将整数集映射到256位长度的二进制向量集。

Consider the following binary vector of a 256-bit length where low-order bits are placed on the right, and high-order ones are placed on the left:

考虑以下256位长度的二进制向量,其中低阶位放置在右边,高阶位放置在左边:

   H = (alpha[255], ... , alpha[0]), H belongs to V256              (10)
        
   H = (alpha[255], ... , alpha[0]), H belongs to V256              (10)
        

where alpha[i], i = 0, ... , 255 are equal to 1 or to 0. We will say that the number alpha belonging to Z is mapped onto the binary vector h, if the equality holds:

式中,α[i],i=0,255等于1或0。如果等式成立,我们会说属于Z的数字alpha被映射到二元向量h上:

   alpha = alpha[0]*2^0 + alpha[1]*2^1 + ... + alpha[255]*2^255     (11)
        
   alpha = alpha[0]*2^0 + alpha[1]*2^1 + ... + alpha[255]*2^255     (11)
        

For two binary vectors H1 and H2, which correspond to integers alpha and beta, we define a concatenation (union) operation in the following way. If:

对于两个二进制向量H1和H2,它们对应于整数alpha和beta,我们用以下方式定义一个串联(并集)操作。如果:

      H1 = (alpha[255], ... , alpha[0]),
                                                                  (12)
      H2 = (beta[255], ..., beta[0]),
        
      H1 = (alpha[255], ... , alpha[0]),
                                                                  (12)
      H2 = (beta[255], ..., beta[0]),
        

then their union is

那么他们的结合就是

      H1||H2 = (alpha[255], ... , alpha[0], beta[255], ..., beta[0])
                                                                  (13)
   that is a binary vector of 512-bit length, consisting of coefficients
   of the vectors H1 and H2.
        
      H1||H2 = (alpha[255], ... , alpha[0], beta[255], ..., beta[0])
                                                                  (13)
   that is a binary vector of 512-bit length, consisting of coefficients
   of the vectors H1 and H2.
        

On the other hand, the introduced formulae define a way to divide a binary vector H of 512-bit length into two binary vectors of 256-bit length, where H is the concatenation of the two.

另一方面,引入的公式定义了将512位长度的二进制向量H划分为两个256位长度的二进制向量的方法,其中H是两个向量的串联。

6. Main Processes
6. 主要工艺

In this section, the digital signature generation and verification processes of user's message are defined.

在本节中,定义了用户消息的数字签名生成和验证过程。

For the realization of the processes, it is necessary that all users know the digital signature scheme parameters, which satisfy the requirements of Section 5.2.

为了实现这些过程,所有用户都必须知道满足第5.2节要求的数字签名方案参数。

Besides, every user must have the signature key d and the verification key Q(x[q], y[q]), which also must satisfy the requirements of Section 5.2.

此外,每个用户必须具有签名密钥d和验证密钥Q(x[Q],y[Q]),这也必须满足第5.2节的要求。

6.1. Digital Signature Generation Process
6.1. 数字签名生成过程

It is necessary to perform the following actions (steps) according to Algorithm I to obtain the digital signature for the message M belonging to V_all:

必须根据算法I执行以下操作(步骤),以获得属于V_all的消息M的数字签名:

   Step 1 - calculate the message hash code M: H = h(M).            (14)
        
   Step 1 - calculate the message hash code M: H = h(M).            (14)
        

Step 2 - calculate an integer alpha, binary representation of which is the vector H, and determine e = alpha (mod q ). (15)

第2步-计算一个整数alpha,其二进制表示为向量H,并确定e=alpha(mod q)。(15)

If e = 0, then assign e = 1.

如果e=0,则分配e=1。

Step 3 - generate a random (pseudorandom) integer k, satisfying the inequality:

步骤3-生成一个随机(伪随机)整数k,满足不等式:

0 < k < q. (16)

0<k<q。(16)

Step 4 - calculate the elliptic curve point C = k*P and determine if:

步骤4-计算椭圆曲线点C=k*P,并确定:

r = x_C (mod q), (17)

r=x_C(模数q),(17)

where x_C is x-coordinate of the point C. If r = 0, return to step 3.

其中x_C是点C的x坐标。如果r=0,则返回步骤3。

Step 5 - calculate the value:

步骤5-计算值:

   s = (r*d + k*e) (mod q).                                         (18)
        
   s = (r*d + k*e) (mod q).                                         (18)
        

If s = 0, return to step 3.

如果s=0,则返回步骤3。

   Step 6 - calculate the binary vectors R and S, corresponding to r
   and s, and determine the digital signature zeta = (R || S) as a
   concatenation of these two binary vectors.
        
   Step 6 - calculate the binary vectors R and S, corresponding to r
   and s, and determine the digital signature zeta = (R || S) as a
   concatenation of these two binary vectors.
        

The initial data of this process are the signature key d and the message M to be signed. The output result is the digital signature zeta.

该过程的初始数据是签名密钥d和要签名的消息M。输出结果是数字签名zeta。

6.2. Digital Signature Verification
6.2. 数字签名验证

To verify digital signatures for the received message M belonging to V_all, it is necessary to perform the following actions (steps) according to Algorithm II:

要验证属于V_all的接收消息M的数字签名,必须根据算法II执行以下操作(步骤):

Step 1 - calculate the integers r and s using the received signature zeta. If the inequalities 0 < r < q, 0 < s < q hold, go to the next step. Otherwise, the signature is invalid.

步骤1-使用收到的签名zeta计算整数r和s。如果不等式0<r<q,0<s<q保持不变,则转至下一步。否则,签名无效。

Step 2 - calculate the hash code of the received message M:

步骤2-计算接收到的消息M的散列码:

H = h(M). (19)

H=H(M)。(19)

Step 3 - calculate the integer alpha, the binary representation of which is the vector H, and determine if:

步骤3-计算整数alpha,其二进制表示为向量H,并确定:

e = alpha (mod q). (20)

e=α(mod q)。(20)

If e = 0, then assign e = 1.

如果e=0,则分配e=1。

   Step 4 - calculate the value v = e^(-1) (mod q).                 (21)
        
   Step 4 - calculate the value v = e^(-1) (mod q).                 (21)
        

Step 5 - calculate the values:

步骤5-计算值:

   z1 =  s*v (mod q), z2 = -r*v (mod q).                            (22)
        
   z1 =  s*v (mod q), z2 = -r*v (mod q).                            (22)
        

Step 6 - calculate the elliptic curve point C = z1*P + z2*Q and determine if:

步骤6-计算椭圆曲线点C=z1*P+z2*Q,并确定:

R = x_C (mod q), (23)

R=x_C(模数q),(23)

where x_C is x-coordinate of the point.

其中x_C是点的x坐标。

Step 7 - if the equality R = r holds, then the signature is accepted. Otherwise, the signature is invalid.

步骤7-如果等式R=R成立,则签名被接受。否则,签名无效。

The input data of the process are the signed message M, the digital signature zeta, and the verification key Q. The output result is the witness of the signature validity or invalidity.

该过程的输入数据是签名消息M、数字签名zeta和验证密钥Q。输出结果是签名有效性或无效性的见证。

7. Test Examples (Appendix to GOST R 34.10-2001)
7. 测试示例(GOST R 34.10-2001附录)

This section is included in GOST R 34.10-2001 as a reference appendix but is not officially mentioned as a part of the standard.

本节作为参考附录包含在GOST R 34.10-2001中,但未作为标准的一部分正式提及。

The values given here for the parameters p, a, b, m, q, P, the signature key d, and the verification key Q are recommended only for testing the correctness of actual realizations of the algorithms described in GOST R 34.10-2001.

此处给出的参数p、a、b、m、q、p、签名密钥d和验证密钥q的值仅用于测试GOST R 34.10-2001中所述算法的实际实现的正确性。

All numerical values are introduced in decimal and hexadecimal notations. The numbers beginning with 0x are in hexadecimal notation. The symbol "\\" denotes a hyphenation of a number to the next line. For example, the notation:

所有数值均采用十进制和十六进制表示法。以0x开头的数字采用十六进制表示法。符号“\\”表示数字与下一行的连字号。例如,符号:

12345\\ 67890

12345\\ 67890

0x499602D2

0x499602D2

represents 1234567890 in decimal and hexadecimal number systems, respectively.

分别以十进制和十六进制表示1234567890。

7.1. The Digital Signature Scheme Parameters
7.1. 数字签名方案参数

The following parameters must be used for the digital signature generation and verification (see Section 5.2).

数字签名生成和验证必须使用以下参数(见第5.2节)。

7.1.1. Elliptic Curve Modulus
7.1.1. 椭圆曲线模

The following value is assigned to parameter p in this example:

在本例中,将以下值指定给参数p:

   p= 57896044618658097711785492504343953926\\
   634992332820282019728792003956564821041
        
   p= 57896044618658097711785492504343953926\\
   634992332820282019728792003956564821041
        
   p = 0x8000000000000000000000000000\\
   000000000000000000000000000000000431
        
   p = 0x8000000000000000000000000000\\
   000000000000000000000000000000000431
        
7.1.2. Elliptic Curve Coefficients
7.1.2. 椭圆曲线系数

Parameters a and b take the following values in this example:

在本例中,参数a和b采用以下值:

a = 7 a = 0x7

a=7 a=0x7

   b = 43308876546767276905765904595650931995\\
   942111794451039583252968842033849580414
        
   b = 43308876546767276905765904595650931995\\
   942111794451039583252968842033849580414
        

b = 0x5FBFF498AA938CE739B8E022FBAFEF40563\\ F6E6A3472FC2A514C0CE9DAE23B7E

b=0x5FBFF498AA938CE739B8E022FBAFEF40563\\F6E6A3472FC2FA514C0CE9DAE23B7E

7.1.3. Elliptic Curve Points Group Order
7.1.3. 椭圆曲线点群序

Parameter m takes the following value in this example:

在本例中,参数m取以下值:

   m = 5789604461865809771178549250434395392\\
   7082934583725450622380973592137631069619
        
   m = 5789604461865809771178549250434395392\\
   7082934583725450622380973592137631069619
        
   m = 0x80000000000000000000000000000\\
   00150FE8A1892976154C59CFC193ACCF5B3
        
   m = 0x80000000000000000000000000000\\
   00150FE8A1892976154C59CFC193ACCF5B3
        
7.1.4. Order of Cyclic Subgroup of Elliptic Curve Points Group
7.1.4. 椭圆曲线点群的循环子群的阶

Parameter q takes the following value in this example:

在本例中,参数q取以下值:

   q = 5789604461865809771178549250434395392\\
   7082934583725450622380973592137631069619
        
   q = 5789604461865809771178549250434395392\\
   7082934583725450622380973592137631069619
        
   q = 0x80000000000000000000000000000001\\
   50FE8A1892976154C59CFC193ACCF5B3
        
   q = 0x80000000000000000000000000000001\\
   50FE8A1892976154C59CFC193ACCF5B3
        
7.1.5. Elliptic Curve Point Coordinates
7.1.5. 椭圆曲线点坐标

Point P coordinates take the following values in this example:

点P坐标在此示例中采用以下值:

x_p = 2 x_p = 0x2

x_p=2 x_p=0x2

   y_p = 40189740565390375033354494229370597\\
   75635739389905545080690979365213431566280
        
   y_p = 40189740565390375033354494229370597\\
   75635739389905545080690979365213431566280
        
   y_p = 0x8E2A8A0E65147D4BD6316030E16D19\\
   C85C97F0A9CA267122B96ABBCEA7E8FC8
        
   y_p = 0x8E2A8A0E65147D4BD6316030E16D19\\
   C85C97F0A9CA267122B96ABBCEA7E8FC8
        
7.1.6. Signature Key
7.1.6. 签名密钥

It is supposed, in this example, that the user has the following signature key d:

在此示例中,假设用户具有以下签名密钥d:

   d = 554411960653632461263556241303241831\\
   96576709222340016572108097750006097525544
        
   d = 554411960653632461263556241303241831\\
   96576709222340016572108097750006097525544
        
   d = 0x7A929ADE789BB9BE10ED359DD39A72C\\
   11B60961F49397EEE1D19CE9891EC3B28
        
   d = 0x7A929ADE789BB9BE10ED359DD39A72C\\
   11B60961F49397EEE1D19CE9891EC3B28
        
7.1.7. Verification Key
7.1.7. 验证密钥

It is supposed, in this example, that the user has the verification key Q with the following coordinate values:

在本例中,假设用户具有具有以下坐标值的验证密钥Q:

   x_q = 57520216126176808443631405023338071\\
   176630104906313632182896741342206604859403
        
   x_q = 57520216126176808443631405023338071\\
   176630104906313632182896741342206604859403
        
   x_q = 0x7F2B49E270DB6D90D8595BEC458B5\\
   0C58585BA1D4E9B788F6689DBD8E56FD80B
        
   x_q = 0x7F2B49E270DB6D90D8595BEC458B5\\
   0C58585BA1D4E9B788F6689DBD8E56FD80B
        
   y_q = 17614944419213781543809391949654080\\
   031942662045363639260709847859438286763994
        
   y_q = 17614944419213781543809391949654080\\
   031942662045363639260709847859438286763994
        
   y_q = 0x26F1B489D6701DD185C8413A977B3\\
   CBBAF64D1C593D26627DFFB101A87FF77DA
        
   y_q = 0x26F1B489D6701DD185C8413A977B3\\
   CBBAF64D1C593D26627DFFB101A87FF77DA
        
7.2. Digital Signature Process (Algorithm I)
7.2. 数字签名过程(算法一)

Suppose that after steps 1-3, according to Algorithm I (Section 6.1), are performed, the following numerical values are obtained:

假设根据算法I(第6.1节)执行步骤1-3后,获得以下数值:

   e = 2079889367447645201713406156150827013\\
   0637142515379653289952617252661468872421
        
   e = 2079889367447645201713406156150827013\\
   0637142515379653289952617252661468872421
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
   C61FCE52032AB1022E8E67ECE6672B043EE5
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
   C61FCE52032AB1022E8E67ECE6672B043EE5
        
   k = 538541376773484637314038411479966192\\
   41504003434302020712960838528893196233395
        
   k = 538541376773484637314038411479966192\\
   41504003434302020712960838528893196233395
        
   k = 0x77105C9B20BCD3122823C8CF6FCC\\
   7B956DE33814E95B7FE64FED924594DCEAB3
        
   k = 0x77105C9B20BCD3122823C8CF6FCC\\
   7B956DE33814E95B7FE64FED924594DCEAB3
        

And the multiple point C = k * P has the coordinates:

多点C=k*P的坐标为:

   x_C = 297009809158179528743712049839382569\\
   90422752107994319651632687982059210933395
        
   x_C = 297009809158179528743712049839382569\\
   90422752107994319651632687982059210933395
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        
   y[C] = 328425352786846634770946653225170845\\
   06804721032454543268132854556539274060910
        
   y[C] = 328425352786846634770946653225170845\\
   06804721032454543268132854556539274060910
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
   204172AD98C3E5916DE27695D22A61FAE46E
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
   204172AD98C3E5916DE27695D22A61FAE46E
        

Parameter r = x_C(mod q) takes the value:

参数r=x_C(mod q)取以下值:

   r = 297009809158179528743712049839382569\\
   90422752107994319651632687982059210933395
        
   r = 297009809158179528743712049839382569\\
   90422752107994319651632687982059210933395
        
   r = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        
   r = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        
   Parameter s = (r*d + k*e)(mod q) takes the value:
        
   Parameter s = (r*d + k*e)(mod q) takes the value:
        
   s = 57497340027008465417892531001914703\\
   8455227042649098563933718999175515839552
        
   s = 57497340027008465417892531001914703\\
   8455227042649098563933718999175515839552
        
   s = 0x1456C64BA4642A1653C235A98A602\\
   49BCD6D3F746B631DF928014F6C5BF9C40
        
   s = 0x1456C64BA4642A1653C235A98A602\\
   49BCD6D3F746B631DF928014F6C5BF9C40
        
7.3. Verification Process of Digital Signature (Algorithm II)
7.3. 数字签名验证流程(算法二)

Suppose that after steps 1-3, according to Algorithm II (Section 6.2), are performed, the following numerical value is obtained:

假设根据算法II(第6.2节)执行步骤1-3后,得到以下数值:

   e = 2079889367447645201713406156150827013\\
   0637142515379653289952617252661468872421
        
   e = 2079889367447645201713406156150827013\\
   0637142515379653289952617252661468872421
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
   C61FCE52032AB1022E8E67ECE6672B043EE5
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
   C61FCE52032AB1022E8E67ECE6672B043EE5
        

And the parameter v = e^(-1) (mod q) takes the value:

参数v=e^(-1)(mod q)取以下值:

   v = 176866836059344686773017138249002685\\
   62746883080675496715288036572431145718978
        
   v = 176866836059344686773017138249002685\\
   62746883080675496715288036572431145718978
        
   v = 0x271A4EE429F84EBC423E388964555BB\\
   29D3BA53C7BF945E5FAC8F381706354C2
        
   v = 0x271A4EE429F84EBC423E388964555BB\\
   29D3BA53C7BF945E5FAC8F381706354C2
        

The parameters z1 = s*v(mod q) and z2 = -r*v(mod q) take the values:

参数z1=s*v(mod q)和z2=-r*v(mod q)取以下值:

   z1 = 376991675009019385568410572935126561\\
   08841345190491942619304532412743720999759
        
   z1 = 376991675009019385568410572935126561\\
   08841345190491942619304532412743720999759
        
   z1 = 0x5358F8FFB38F7C09ABC782A2DF2A\\
   3927DA4077D07205F763682F3A76C9019B4F
        
   z1 = 0x5358F8FFB38F7C09ABC782A2DF2A\\
   3927DA4077D07205F763682F3A76C9019B4F
        
   z2 = 141719984273434721125159179695007657\\
   6924665583897286211449993265333367109221
        
   z2 = 141719984273434721125159179695007657\\
   6924665583897286211449993265333367109221
        
   z2 = 0x3221B4FBBF6D101074EC14AFAC2D4F7\\
   EFAC4CF9FEC1ED11BAE336D27D527665
        
   z2 = 0x3221B4FBBF6D101074EC14AFAC2D4F7\\
   EFAC4CF9FEC1ED11BAE336D27D527665
        

The point C = z1*P + z2*Q has the coordinates:

点C=z1*P+z2*Q的坐标为:

   x_C = 2970098091581795287437120498393825699\\
   0422752107994319651632687982059210933395
        
   x_C = 2970098091581795287437120498393825699\\
   0422752107994319651632687982059210933395
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        
   y[C] = 3284253527868466347709466532251708450\\
   6804721032454543268132854556539274060910
        
   y[C] = 3284253527868466347709466532251708450\\
   6804721032454543268132854556539274060910
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
   204172AD98C3E5916DE27695D22A61FAE46E
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
   204172AD98C3E5916DE27695D22A61FAE46E
        

Then the parameter R = x_C (mod q) takes the value:

然后参数R=x_C(mod q)取以下值:

   R = 2970098091581795287437120498393825699\\
   0422752107994319651632687982059210933395
        
   R = 2970098091581795287437120498393825699\\
   0422752107994319651632687982059210933395
        
   R = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        
   R = 0x41AA28D2F1AB148280CD9ED56FED\\
   A41974053554A42767B83AD043FD39DC0493
        

Since the equality R = r holds, the digital signature is accepted.

因为等式R=R成立,所以数字签名被接受。

8. Security Considerations
8. 安全考虑

This entire document is about security considerations.

整个文档都是关于安全方面的考虑。

Current cryptographic resistance of GOST R 34.10-2001 digital signature algorithm is estimated as 2^128 operations of multiple elliptic curve point computations on prime modulus of order 2^256.

GOST R 34.10-2001数字签名算法目前的抗密码攻击能力估计为2^256阶素数模上的多次椭圆曲线点计算的2^128次运算。

9. References
9. 工具书类
9.1. Normative References
9.1. 规范性引用文件

[GOST3410] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature.", GOST R 34.10-2001, Gosudarstvennyi Standard of Russian Federation, Government Committee of Russia for Standards, 2001. (In Russian)

[GOST3410]“信息技术.加密数据安全.[电子]数字签名的签名和验证过程”,GOST R 34.10-2001,俄罗斯联邦GOSUDARTVENNYI标准,俄罗斯政府标准委员会,2001年。(俄语)

[GOST3411] "Information technology. Cryptographic Data Security. Hashing function.", GOST R 34.10-94, Gosudarstvennyi Standard of Russian Federation, Government Committee of Russia for Standards, 1994. (In Russian)

[GOST3411]“信息技术.加密数据安全.散列函数”,GOST R 34.10-94,俄罗斯联邦Gosudarstvenyi标准,俄罗斯政府标准委员会,1994年。(俄语)

[RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms", RFC 4357, January 2006.

[RFC4357]Popov,V.,Kurepkin,I.,和S.Leontiev,“用于GOST 28147-89,GOST R 34.10-94,GOST R 34.10-2001和GOST R 34.11-94算法的其他加密算法”,RFC 4357,2006年1月。

9.2. Informative References
9.2. 资料性引用

[ISO2382-2] ISO 2382-2 (1976), "Data processing - Vocabulary - Part 2: Arithmetic and logic operations".

[ISO2382-2]ISO 2382-2(1976),“数据处理-词汇-第2部分:算术和逻辑运算”。

[ISO9796-1991] ISO/IEC 9796:1991, "Information technology -- Security techniques -- Digital signature schemes giving message recovery."

[ISO9796-1991]ISO/IEC 9796:1991,“信息技术——安全技术——提供消息恢复的数字签名方案。”

[ISO14888-1] ISO/IEC 14888-1 (1998), "Information technology - Security techniques - Digital signatures with appendix - Part 1: General".

[ISO14888-1]ISO/IEC 14888-1(1998),“信息技术-安全技术-带附录的数字签名-第1部分:总则”。

[ISO14888-2] ISO/IEC 14888-2 (1999), "Information technology - Security techniques - Digital signatures with appendix - Part 2: Identity-based mechanisms".

[ISO14888-2]ISO/IEC 14888-2(1999),“信息技术-安全技术-带附录的数字签名-第2部分:基于身份的机制”。

[ISO14888-3] ISO/IEC 14888-3 (1998), "Information technology - Security techniques - Digital signatures with appendix - Part 3: Certificate-based mechanisms".

[ISO14888-3]ISO/IEC 14888-3(1998),“信息技术-安全技术-带附录的数字签名-第3部分:基于证书的机制”。

[ISO10118-1] ISO/IEC 10118-1 (2000), "Information technology - Security techniques - Hash-functions - Part 1: General".

[ISO10118-1]ISO/IEC 10118-1(2000),“信息技术-安全技术-哈希函数-第1部分:总则”。

[ISO10118-2] ISO/IEC 10118-2 (2000), "Information technology - Security techniques - Hash-functions - Part 2: Hash-functions using an n-bit block cipher algorithm".

[ISO10118-2]ISO/IEC 10118-2(2000),“信息技术-安全技术-哈希函数-第2部分:使用n位分组密码算法的哈希函数”。

[ISO10118-3] ISO/IEC 10118-3 (2004), "Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions".

[ISO10118-3]ISO/IEC 10118-3(2004),“信息技术-安全技术-哈希函数-第3部分:专用哈希函数”。

[ISO10118-4] ISO/IEC 10118-4 (1998), "Information technology - Security techniques - Hash-functions - Part 4: Hash-functions using modular arithmetic".

[ISO10118-4]ISO/IEC 10118-4(1998),“信息技术-安全技术-哈希函数-第4部分:使用模运算的哈希函数”。

Appendix A. Extra Terms in the Digital Signature Area
附录A.数字签名领域的额外条款

The appendix gives extra international terms applied in the considered and allied areas.

附录中给出了适用于相关领域的额外国际术语。

1. Padding: Extending a data string with extra bits [ISO10118-1].

1. 填充:用额外位扩展数据字符串[ISO10118-1]。

2. Identification data: A list of data elements, including specific object identifier, that belongs to the object and is used for its denotation [ISO14888-1].

2. 标识数据:属于对象并用于其表示的数据元素列表,包括特定对象标识符[ISO14888-1]。

3. Signature equation: An equation, defined by the digital signature function [ISO14888-1].

3. 签名方程:由数字签名函数[ISO14888-1]定义的方程。

4. Verification function: A verification process function, defined by the verification key, which outputs a witness of the signature authenticity [ISO14888-1].

4. 验证功能:由验证密钥定义的验证过程功能,输出签名真实性的见证[ISO14888-1]。

5. Signature function: A function within a signature generation process, defined by the signature key and by the digital signature scheme parameters. This function inputs a part of initial data and, probably, a pseudo-random number sequence generator (randomizer), and outputs the second part of the digital signature.

5. 签名函数:签名生成过程中的函数,由签名密钥和数字签名方案参数定义。此函数输入一部分初始数据,可能还有一个伪随机数序列生成器(随机化器),并输出数字签名的第二部分。

Appendix B. Contributors
附录B.贡献者

Dmitry Kabelev Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation

Dmitry Kabelev Cryptocom有限公司,俄罗斯联邦莫斯科凯德罗瓦街14号,2号楼,117218

   EMail: kdb@cryptocom.ru
        
   EMail: kdb@cryptocom.ru
        

Igor Ustinov Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation

俄罗斯联邦莫斯科凯德罗瓦街14号第2栋Igor Ustinov Cryptocom有限公司,邮编:117218

   EMail: igus@cryptocom.ru
        
   EMail: igus@cryptocom.ru
        

Sergey Vyshensky Moscow State University Leninskie gory, 1 Moscow, 119991 Russian Federation

谢尔盖·维森斯基莫斯科国立大学列宁斯基·戈里,莫斯科1号,俄罗斯联邦119991

   EMail: svysh@pn.sinp.msu.ru
        
   EMail: svysh@pn.sinp.msu.ru
        

Author's Address

作者地址

Vasily Dolmatov, Ed. Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation

俄罗斯联邦莫斯科凯德罗瓦街14号第2栋,邮编:117218

   EMail: dol@cryptocom.ru
        
   EMail: dol@cryptocom.ru