Independent Submission V. Dolmatov, Ed.
Request for Comments: 7801 Research Computer Center MSU
Category: Informational March 2016
ISSN: 2070-1721
Independent Submission V. Dolmatov, Ed.
Request for Comments: 7801 Research Computer Center MSU
Category: Informational March 2016
ISSN: 2070-1721
GOST R 34.12-2015: Block Cipher "Kuznyechik"
GOST R 34.12-2015:分组密码“Kuznyechik”
Abstract
摘要
This document is intended to be a source of information about the Russian Federal standard GOST R 34.12-2015 describing the block cipher with a block length of n=128 bits and a key length of k=256 bits, which is also referred to as "Kuznyechik". This algorithm is one of the set of Russian cryptographic standard algorithms (called GOST algorithms).
本文件旨在作为俄罗斯联邦标准GOST R 34.12-2015的信息来源,该标准描述了块长度为n=128位、密钥长度为k=256位的分组密码,也称为“Kuznyechik”。该算法是俄罗斯密码标准算法(称为GOST算法)之一。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7801.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7801.
Copyright Notice
版权公告
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2016 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. General Information . . . . . . . . . . . . . . . . . . . . . 3
3. Definitions and Notations . . . . . . . . . . . . . . . . . . 3
3.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Parameter Values . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Nonlinear Bijection . . . . . . . . . . . . . . . . . . . 6
4.2. Linear Transformation . . . . . . . . . . . . . . . . . . 7
4.3. Transformations . . . . . . . . . . . . . . . . . . . . . 8
4.4. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 9
4.5. Basic Encryption Algorithm . . . . . . . . . . . . . . . 9
4.5.1. Encryption . . . . . . . . . . . . . . . . . . . . . 9
4.5.2. Decryption . . . . . . . . . . . . . . . . . . . . . 9
5. Examples (Informative) . . . . . . . . . . . . . . . . . . . 10
5.1. Transformation S . . . . . . . . . . . . . . . . . . . . 10
5.2. Transformation R . . . . . . . . . . . . . . . . . . . . 10
5.3. Transformation L . . . . . . . . . . . . . . . . . . . . 10
5.4. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 11
5.5. Test Encryption . . . . . . . . . . . . . . . . . . . . . 12
5.6. Test Decryption . . . . . . . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
7.1. Normative References . . . . . . . . . . . . . . . . . . 14
7.2. Informative References . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. General Information . . . . . . . . . . . . . . . . . . . . . 3
3. Definitions and Notations . . . . . . . . . . . . . . . . . . 3
3.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Parameter Values . . . . . . . . . . . . . . . . . . . . . . 6
4.1. Nonlinear Bijection . . . . . . . . . . . . . . . . . . . 6
4.2. Linear Transformation . . . . . . . . . . . . . . . . . . 7
4.3. Transformations . . . . . . . . . . . . . . . . . . . . . 8
4.4. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 9
4.5. Basic Encryption Algorithm . . . . . . . . . . . . . . . 9
4.5.1. Encryption . . . . . . . . . . . . . . . . . . . . . 9
4.5.2. Decryption . . . . . . . . . . . . . . . . . . . . . 9
5. Examples (Informative) . . . . . . . . . . . . . . . . . . . 10
5.1. Transformation S . . . . . . . . . . . . . . . . . . . . 10
5.2. Transformation R . . . . . . . . . . . . . . . . . . . . 10
5.3. Transformation L . . . . . . . . . . . . . . . . . . . . 10
5.4. Key Schedule . . . . . . . . . . . . . . . . . . . . . . 11
5.5. Test Encryption . . . . . . . . . . . . . . . . . . . . . 12
5.6. Test Decryption . . . . . . . . . . . . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
7.1. Normative References . . . . . . . . . . . . . . . . . . 14
7.2. Informative References . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14
The Russian Federal standard [GOST3412-2015] specifies basic block ciphers used as cryptographic techniques for information processing and information protection including the provision of confidentiality, authenticity, and integrity of information during information transmission, processing, and storage in computer-aided systems.
俄罗斯联邦标准[GOST3412-2015]规定了用作信息处理和信息保护加密技术的基本分组密码,包括在计算机辅助系统的信息传输、处理和存储过程中提供信息的机密性、真实性和完整性。
The cryptographic algorithms specified in this standard are designed both for hardware and software implementation. They comply with modern cryptographic requirements and put no restrictions on the confidentiality level of the protected information.
本标准中规定的加密算法设计用于硬件和软件实现。它们符合现代密码要求,对受保护信息的保密级别没有任何限制。
The standard applies to development, operation, and modernization of the information systems of various purposes.
本标准适用于各种用途信息系统的开发、运行和现代化。
The block cipher "Kuznyechik" [GOST3412-2015] was developed by the Center for Information Protection and Special Communications of the Federal Security Service of the Russian Federation with participation of the Open Joint-Stock company "Information Technologies and Communication Systems" (InfoTeCS JSC). GOST R 34.12-2015 was approved and introduced by Decree #749 of the Federal Agency on Technical Regulating and Metrology on June 19, 2015.
分组密码“Kuznyechik”[GOST3412-2015]由俄罗斯联邦安全局信息保护和特殊通信中心开发,开放式股份公司“信息技术和通信系统”(InfoTeCS JSC)参与开发。GOST R 34.12-2015于2015年6月19日由联邦技术监管和计量局第749号法令批准和引入。
Terms and concepts in the standard comply with the following international standards:
本标准中的术语和概念符合以下国际标准:
o ISO/IEC 10116 [ISO-IEC10116] and
o ISO/IEC 10116[ISO-IEC10116]和
o series of standards ISO/IEC 18033 [ISO-IEC18033-1] [ISO-IEC18033-3].
o 标准系列ISO/IEC 18033[ISO-IEC18033-1][ISO-IEC18033-3]。
The following terms and their corresponding definitions are used in the standard.
本标准中使用了以下术语及其相应的定义。
Definitions
定义
encryption algorithm: process that transforms plaintext into ciphertext (Section 2.19 of [ISO-IEC18033-1]),
加密算法:将明文转换为密文的过程(ISO-IEC18033-1第2.19节),
decryption algorithm: process that transforms ciphertext into plaintext (Section 2.14 of [ISO-IEC18033-1]),
解密算法:将密文转换为明文的过程(ISO-IEC18033-1第2.14节),
basic block cipher: block cipher that for a given key provides a single invertible mapping of the set of fixed-length plaintext blocks into ciphertext blocks of the same length,
基本分组密码:一种分组密码,对于给定的密钥,它提供一组固定长度的明文块到相同长度的密文块的单一可逆映射,
block: string of bits of a defined length (Section 2.6 of [ISO-IEC18033-1]),
块:定义长度的位串(ISO-IEC18033-1第2.6节),
block cipher: symmetric encipherment system with the property that the encryption algorithm operates on a block of plaintext, i.e., a string of bits of a defined length, to yield a block of ciphertext (Section 2.7 of [ISO-IEC18033-1]),
分组密码:对称加密系统,其特点是加密算法对明文块(即定义长度的比特串)进行操作,以产生密文块(ISO-IEC18033-1第2.7节),
Note: In GOST R 34.12-2015, it is established that the terms "block cipher" and "block encryption algorithm" are synonyms.
注:GOST R 34.12-2015中规定术语“分组密码”和“分组加密算法”为同义词。
encryption: reversible transformation of data by a cryptographic algorithm to produce ciphertext, i.e., to hide the information content of the data (Section 2.18 of [ISO-IEC18033-1]),
加密:通过加密算法对数据进行可逆转换,以产生密文,即隐藏数据的信息内容(ISO-IEC18033-1第2.18节),
round key: sequence of symbols that is calculated from the key and controls a transformation for one round of a block cipher,
循环密钥:从密钥计算并控制一轮分组密码转换的符号序列,
key: sequence of symbols that controls the operation of a cryptographic transformation (e.g., encipherment and decipherment) (Section 2.21 of [ISO-IEC18033-1]),
密钥:控制密码转换操作(如加密和解密)的符号序列(ISO-IEC18033-1第2.21节),
Note: In GOST R 34.12-2015, the key must be a binary sequence.
注:在GOST R 34.12-2015中,密钥必须是二进制序列。
plaintext: unencrypted information (Section 3.11 of [ISO-IEC10116]),
明文:未加密信息(ISO-IEC10116第3.11节),
key schedule: calculation of round keys from the key,
键明细表:根据键计算圆键,
decryption: reversal of a corresponding encipherment (Section 2.13 of [ISO-IEC18033-1]),
解密:撤销相应的加密(ISO-IEC18033-1第2.13节),
symmetric cryptographic technique: cryptographic technique that uses the same secret key for both the originator's and the recipient's transformation (Section 2.32 of [ISO-IEC18033-1]),
对称加密技术:在发起人和接收人的转换中使用相同密钥的加密技术(ISO-IEC18033-1第2.32节),
cipher: alternative term for encipherment system (Section 2.20 of [ISO-IEC18033-1]), and
密码:加密系统的替代术语(ISO-IEC18033-1第2.20节),以及
ciphertext: data that has been transformed to hide its information content (Section 3.3 of [ISO-IEC10116]).
密文:经过转换以隐藏其信息内容的数据(ISO-IEC10116第3.3节)。
The following notations are used in the standard:
本标准中使用了以下符号:
V* the set of all binary vector strings of a finite length (hereinafter referred to as the strings) including the empty string,
V*有限长度的所有二进制向量字符串(以下称为字符串)的集合,包括空字符串,
V_s the set of all binary strings of length s, where s is a non-negative integer; substrings and string components are enumerated from right to left starting from zero,
V_s长度为s的所有二进制字符串的集合,其中s是非负整数;子字符串和字符串组件从零开始从右向左枚举,
U[*]W direct (Cartesian) product of two sets, U and W,
U[*]W两组的直接(笛卡尔)积,U和W,
|A| the number of components (the length) of a string A belonging to V* (if A is an empty string, then |A| = 0),
|A |属于V*的字符串A的分量数(长度)(如果A是空字符串,则| A |=0),
A||B concatenation of strings A and B both belonging to V*, i.e., a string from V_(|A|+|B|), where the left substring from V_|A| is equal to A, and the right substring from V_|B| is equal to B,
A | | B串接同时属于V*的字符串A和B,即来自V |的字符串(| A |+| B |),其中来自V | A |的左子字符串等于A,来自V | B |的右子字符串等于B,
Z_(2^n) ring of residues modulo 2^n,
模为2^n的剩余的Z_2;(2^n)环,
Q finite field GF(2)[x]/p(x), where p(x)=x^8+x^7+x^6+x+1 belongs to GF(2)[x]; elements of field Q are represented by integers in such way that element z_0+z_1*theta+...+z_7*theta^7 belonging to Q corresponds to integer z_0+2*z_1+...+2^7*z_7, where z_i=0 or z_i=1, i=0,1,...,7 and theta denotes a residue class modulo p(x) containing x,
Q有限域GF(2)[x]/p(x),其中p(x)=x^8+x^7+x^6+x+1属于GF(2)[x];字段Q的元素由整数表示,其中属于Q的元素z_0+z_1*θ+…+z_7*θ^7对应于整数z_0+2*z_1+…+2^7*z_7,其中z_i=0或z_i=1,i=0,1,…,7,θ表示包含x的剩余类模p(x),
(xor) exclusive-or of the two binary strings of the same length,
(xor)相同长度的两个二进制字符串的异或,
Vec_s: Z_(2^s) -> V_s bijective mapping that maps an element from ring Z_(2^s) into its binary representation, i.e., for an element z of the ring Z_(2^s), represented by the residue z_0 + (2*z_1) + ... + (2^(s-1)*z_(s-1)), where z_i in {0, 1}, i = 0, ..., n-1, the equality Vec_s(z) = z_(s-1)||...||z_1||z_0 holds,
Vec_s:Z_(2^s)->V_s双射映射,将环Z_(2^s)中的元素映射到其二进制表示形式,即,对于环Z_(2^s)的元素Z,由剩余的Z_0+(2*Z_1)+表示(2^(s-1)*z|(s-1)),其中z|i in{0,1},i=0,…,n-1,等式Vec|us(z)=z|(s-1)| | | | z| 0成立,
Int_s: V_s -> Z_(2^s) the mapping inverse to the mapping Vec_s, i.e., Int_s = Vec_s^(-1),
Int_s:V_s->Z_(2^s)映射向量的逆映射,即Int_s=Vec_s^(-1),
delta: V_8 -> Q bijective mapping that maps a binary string from V_8 into an element from field Q as follows: string z_7||...||z_1||z_0, where z_i in {0, 1}, i = 0, ..., 7, corresponds to the element z_0+(z_1*theta)+...+(z_7*theta^7) belonging to Z,
delta:V_8->Q双射映射,将V_8中的二进制字符串映射到字段Q中的元素,如下所示:字符串z_7 | | |······························································,
nabla: Q -> V8 the mapping inverse to the mapping delta, i.e., delta = nabla^(-1),
nabla:Q->V8映射与映射delta相反,即delta=nabla^(-1),
PS composition of mappings, where the mapping S applies first, and
PS映射的组合,其中映射S首先应用,以及
P^s composition of mappings P^(s-1) and P, where P^1=P.
P^s映射P^(s-1)和P的组合,其中P^1=P。
The bijective nonlinear mapping is a substitution: Pi = (Vec_8)Pi'(Int_8): V_8 -> V_8, where Pi': Z_(2^8) -> Z_(2^8). The values of the substitution Pi' are specified below as an array Pi' = (Pi'(0), Pi'(1), ... , Pi'(255)):
双射非线性映射是一种替换:Pi=(Vec_8)Pi'(Int_8):V_8->V_8,其中Pi':Z_(2^8)->Z_(2^8)。替换Pi'的值在下面指定为数组Pi'=(Pi'(0),Pi'(1),…,Pi'(255)):
Pi' = ( 252, 238, 221, 17, 207, 110, 49, 22, 251, 196, 250, 218, 35, 197, 4, 77, 233, 119, 240, 219, 147, 46, 153, 186, 23, 54, 241, 187, 20, 205, 95, 193, 249, 24, 101, 90, 226, 92, 239, 33, 129, 28, 60, 66, 139, 1, 142, 79, 5, 132, 2, 174, 227, 106, 143, 160, 6, 11, 237, 152, 127, 212, 211, 31, 235, 52, 44, 81, 234, 200, 72, 171, 242, 42, 104, 162, 253, 58, 206, 204, 181, 112, 14, 86, 8, 12, 118, 18, 191, 114, 19, 71, 156, 183, 93, 135, 21, 161, 150, 41, 16, 123, 154, 199, 243, 145, 120, 111, 157, 158, 178, 177, 50, 117, 25, 61, 255, 53, 138, 126, 109, 84, 198, 128, 195, 189, 13, 87, 223, 245, 36, 169, 62, 168, 67, 201, 215, 121, 214, 246, 124, 34, 185, 3, 224, 15, 236, 222, 122, 148, 176, 188, 220, 232, 40, 80, 78, 51, 10, 74, 167, 151, 96, 115, 30, 0, 98, 68, 26, 184, 56, 130, 100, 159, 38, 65, 173, 69, 70, 146, 39, 94, 85, 47, 140, 163, 165, 125, 105, 213, 149, 59, 7, 88, 179, 64, 134, 172, 29, 247, 48, 55, 107, 228, 136, 217, 231, 137, 225, 27, 131, 73, 76, 63, 248, 254, 141, 83, 170, 144, 202, 216, 133, 97, 32, 113, 103, 164, 45, 43, 9, 91, 203, 155, 37, 208, 190, 229, 108, 82, 89, 166, 116, 210, 230, 244, 180, 192, 209, 102, 175, 194, 57, 75, 99, 182).
π'=( 252, 238, 221, 17, 207, 110, 49, 22, 251, 196, 250, 218, 35, 197, 4, 77, 233, 119, 240, 219, 147, 46, 153, 186, 23, 54, 241, 187, 20, 205, 95, 193, 249, 24, 101, 90, 226, 92, 239, 33, 129, 28, 60, 66, 139, 1, 142, 79, 5, 132, 2, 174, 227, 106, 143, 160, 6, 11, 237, 152, 127, 212, 211, 31, 235, 52, 44, 81, 234, 200, 72, 171, 242, 42, 104, 162, 253, 58, 206, 204, 181, 112, 14, 86, 8, 12, 118, 18, 191, 114, 19, 71, 156, 183, 93, 135, 21, 161, 150, 41, 16, 123, 154, 199, 243, 145, 120, 111, 157, 158, 178, 177, 50, 117, 25, 61, 255, 53, 138, 126, 109, 84, 198, 128, 195, 189, 13, 87, 223, 245, 36, 169, 62, 168, 67, 201, 215, 121, 214, 246, 124, 34, 185, 3, 224, 15, 236, 222, 122, 148, 176, 188, 220, 232, 40, 80, 78, 51, 10, 74, 167, 151, 96, 115, 30, 0, 98, 68, 26, 184, 56, 130, 100, 159, 38, 65, 173, 69, 70, 146, 39, 94, 85, 47, 140, 163, 165, 125, 105, 213, 149, 59, 7, 88, 179, 64, 134, 172, 29, 247, 48, 55, 107, 228, 136, 217, 231, 137, 225, 27, 131, 73, 76, 63, 248, 254, 141, 83, 170, 144, 202, 216, 133, 97, 32, 113, 103, 164, 45, 43, 9, 91, 203, 155, 37, 208, 190, 229, 108, 82, 89, 166, 116, 210, 230, 244, 180, 192, 209, 102, 175, 194, 57, 75, 99, 182).
Pi^(-1) is the inverse of Pi; the values of the substitution Pi^(-1)'
are specified below as an array Pi^(-1)' = (Pi^(-1)'(0), Pi^(-1)'(1),
... , Pi^(-1)'(255)):
Pi^(-1) is the inverse of Pi; the values of the substitution Pi^(-1)'
are specified below as an array Pi^(-1)' = (Pi^(-1)'(0), Pi^(-1)'(1),
... , Pi^(-1)'(255)):
Pi^(-1)' = ( 165, 45, 50, 143, 14, 48, 56, 192, 84, 230, 158, 57, 85, 126, 82, 145, 100, 3, 87, 90, 28, 96, 7, 24, 33, 114, 168, 209, 41, 198, 164, 63, 224, 39, 141, 12, 130, 234, 174, 180, 154, 99, 73, 229, 66, 228, 21, 183, 200, 6, 112, 157, 65, 117, 25, 201, 170, 252, 77, 191, 42, 115, 132, 213, 195, 175, 43, 134, 167, 177, 178, 91, 70, 211, 159, 253, 212, 15, 156, 47, 155, 67, 239, 217, 121, 182, 83, 127, 193, 240, 35, 231, 37, 94, 181, 30, 162, 223, 166, 254, 172, 34, 249, 226, 74, 188, 53, 202, 238, 120, 5, 107, 81, 225, 89, 163, 242, 113, 86, 17, 106, 137, 148, 101, 140, 187, 119, 60, 123, 40, 171, 210, 49, 222, 196, 95, 204, 207, 118, 44, 184, 216, 46, 54, 219, 105, 179, 20, 149, 190, 98, 161, 59, 22, 102, 233, 92, 108, 109, 173, 55, 97, 75, 185, 227, 186, 241, 160, 133, 131, 218, 71, 197, 176, 51, 250, 150, 111, 110, 194, 246, 80, 255, 93, 169, 142, 23, 27, 151, 125, 236, 88, 247, 31, 251, 124, 9, 13, 122, 103, 69, 135, 220, 232, 79, 29, 78, 4, 235, 248, 243, 62, 61, 189, 138, 136, 221, 205, 11, 19, 152, 2, 147, 128, 144, 208, 36, 52, 203, 237, 244, 206, 153, 16, 68, 64, 146, 58, 1, 38, 18, 26, 72, 104, 245, 129, 139, 199, 214, 32, 10, 8, 0, 76, 215, 116 ).
Pi^(-1)=( 165, 45, 50, 143, 14, 48, 56, 192, 84, 230, 158, 57, 85, 126, 82, 145, 100, 3, 87, 90, 28, 96, 7, 24, 33, 114, 168, 209, 41, 198, 164, 63, 224, 39, 141, 12, 130, 234, 174, 180, 154, 99, 73, 229, 66, 228, 21, 183, 200, 6, 112, 157, 65, 117, 25, 201, 170, 252, 77, 191, 42, 115, 132, 213, 195, 175, 43, 134, 167, 177, 178, 91, 70, 211, 159, 253, 212, 15, 156, 47, 155, 67, 239, 217, 121, 182, 83, 127, 193, 240, 35, 231, 37, 94, 181, 30, 162, 223, 166, 254, 172, 34, 249, 226, 74, 188, 53, 202, 238, 120, 5, 107, 81, 225, 89, 163, 242, 113, 86, 17, 106, 137, 148, 101, 140, 187, 119, 60, 123, 40, 171, 210, 49, 222, 196, 95, 204, 207, 118, 44, 184, 216, 46, 54, 219, 105, 179, 20, 149, 190, 98, 161, 59, 22, 102, 233, 92, 108, 109, 173, 55, 97, 75, 185, 227, 186, 241, 160, 133, 131, 218, 71, 197, 176, 51, 250, 150, 111, 110, 194, 246, 80, 255, 93, 169, 142, 23, 27, 151, 125, 236, 88, 247, 31, 251, 124, 9, 13, 122, 103, 69, 135, 220, 232, 79, 29, 78, 4, 235, 248, 243, 62, 61, 189, 138, 136, 221, 205, 11, 19, 152, 2, 147, 128, 144, 208, 36, 52, 203, 237, 244, 206, 153, 16, 68, 64, 146, 58, 1, 38, 18, 26, 72, 104, 245, 129, 139, 199, 214, 32, 10, 8, 0, 76, 215, 116 ).
The linear transformation is denoted by l: (V_8)^16 -> V_8, and defined as:
线性变换用l:(V_8)^16->V_8表示,并定义为:
l(a_15,...,a_0) = nabla(148*delta(a_15) + 32*delta(a_15) + 133*delta(a_13) + 16*delta(a_12) + 194*delta(a_11) + 192*delta(a_10) + 1*delta(a_9) + 251*delta(a_8) + 1*delta(a_7) + 192*delta(a_6) + 194*delta(a_5) + 16*delta(a_4) + 133*delta(a_3) + 32*delta(a_2) + 148*delta(a_1) +1*delta(a_0)),
l(a_15,…,a_0)=纳布拉(148*delta(a_15)+32*delta(a_15)+133*delta(a_13)+16*delta(a_12)+194*delta(a_11)+192*delta(a_10)+1*delta(a_9)+251*delta(a_8)+1*delta(a_7)+192*delta(a_6)+194 delta(a_5)+16*delta(a_4*133*delta(a_3)+32*delta(a_2)+1+a,0,
for all a_i belonging to V_8, i = 0, 1, ..., 15, where the addition and multiplication operations are in the field Q, and constants are elements of the field as defined above.
对于属于V_8的所有a_i,i=0,1,…,15,其中加法和乘法运算在字段Q中,常数是如上定义的字段元素。
The following transformations are applicable for encryption and decryption algorithms:
以下转换适用于加密和解密算法:
X[x]:V_128->V_128 X[k](a)=k(xor)a, where k, a belong to V_128,
X[X]:V_128->V_128 X[k](a)=k(xor)a,其中k,a属于V_128,
S:V_128-> V_128 S(a)=(a_15||...||a_0)=pi(a_15)||...||pi(a_0), where a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
S:V|128->V|128 S(a)=(a|15 | | | | | | | | | | | a| 0属于V|128,a|i属于V|8,i=0,1,…,15,
S^(-1):V_128-> V_128 the inverse transformation of S, which may be calculated, for example, as follows: S^(-1)(a_15||...||a_0)=pi^(-1) (a_15)||...||pi^(-1)(a_0), where a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
S^(-1):V_128->V_128 S的逆变换,例如,可以计算如下:S^(-1)(a|15| | | | | | | | | | | | | | | | | a| 0)=pi^(-1)(a|u 15| | | | | | | | | | | | | | | | | |,
R:V_128-> V_128 R(a_15||...||a_0)=l(a_15,...,a_0)||a_15||...||a_1, where a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
R:V_128->V_128 R(a_15 | | | | | | | | | | | | | | | | | | | a | u 0属于V|u 128,a | i属于V|u 8,i=0,1,…,15,
L:V_128-> V_128 L(a)=R^(16)(a), where a belongs to V_128,
L:V_128->V_128 L(a)=R^(16)(a),其中a属于V_128,
R^(-1):V_128-> V_128 the inverse transformation of R, which may be calculated, for example, as follows: R^(-1)(a_15||...||a_0)=a_14|| a_13||...||a_0||l(a_14,a_13,...,a_0,a_15), where a_15||...||a_0 belongs to V_128, a_i belongs to V_8, i=0,1,...,15,
R^(-1):V|u 128->V|u 128 R的逆变换,例如,可以如下计算:R^(-1)(a|15| | | | | | | | | | | | a | 0 | l(a | u 14,a | 13,…,a | u 0,a | u 15),其中a | a | u 1240属于a |,a 1248,a | u,…,i,
L^(-1):V_128-> V_128 L^(-1)(a)=(R^(-1))(16)(a), where a belongs to
V_128, and
L^(-1):V_128-> V_128 L^(-1)(a)=(R^(-1))(16)(a), where a belongs to
V_128, and
F[k]:V_128[*]V_128 -> V_128[*]V_128 F[k](a_1,a_0)=(LSX[k](a_1)(xor)a_0,a_1), where k, a_0, a_1 belong to V_128.
F[k]:V_128[*]V_128->V_128[*]V_128 F[k](a_1,a_0)=(LSX[k](a_1)(xor)a_0,a_1),其中k,a_0,a_1属于V_128。
Key schedule uses round constants C_i belonging to V_128, i=1, 2, ..., 32, defined as
密钥调度使用属于V_128的圆形常量C_i,i=1,2,…,32,定义为
C_i=L(Vec_128(i)), i=1,2,...,32.
C_i=L(Vec_128(i)),i=1,2,…,32。
Round keys K_i, i=1, 2, ..., 10 are derived from key K=k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1, ..., 255, as follows:
圆键K_i,i=1,2,…,10是从属于V_256的键K=K_255 | | | | | K_0派生而来的,K_i属于V_1,i=0,1,…,255,如下所示:
K_1=k_255||...||k_128;
K_2=k_127||...||k_0;
(K_(2i+1),K_(2i+2))=F[C_(8(i-1)+8)]...
F[C_(8(i-1)+1)](K_(2i-1),K_(2i)), i=1,2,3,4.
K_1=k_255||...||k_128;
K_2=k_127||...||k_0;
(K_(2i+1),K_(2i+2))=F[C_(8(i-1)+8)]...
F[C_(8(i-1)+1)](K_(2i-1),K_(2i)), i=1,2,3,4.
Depending on the values of round keys K_1,...,K_10, the encryption algorithm is a substitution E_(K_1,...,K_10) defined as follows:
根据轮密钥K_1,…,K_10的值,加密算法是替换E_(K_1,…,K_10),定义如下:
E_(K_1,...,K_10)(a)=X[K_10]LSX[K_9]...LSX[K_2]LSX[K_1](a),
(K_1,…,K_10)(a)=X[K_10]LSX[K_9]…LSX[K_2]LSX[K_1](a),
where a belongs to V_128.
其中a属于V_128。
Depending on the values of round keys K_1,...,K_10, the decryption algorithm is a substitution D_(K_1,...,K_10) defined as follows:
根据轮密钥K_1,…,K_10的值,解密算法是替换D_(K_1,…,K_10),定义如下:
D_(K_1,...,K_10)(a)=X[K_1]L^(-1)S^(-1)X[K_2]... L^(-1)S^(-1)X[K_9] L^(-1)S^(-1)X[K_10](a),
(K_1,…,K_10)(a)=X[K_1]L^(-1)S^(-1)X[K_2]。。。L^(-1)S^(-1)X[K_9]L^(-1)S^(-1)X[K_10](a),
where a belongs to V_128.
其中a属于V_128。
This section is for information only and is not a normative part of the standard.
本节仅供参考,不是本标准的规范性部分。
S(ffeeddccbbaa99881122334455667700) = b66cd8887d38e8d77765aeea0c9a7efc, S(b66cd8887d38e8d77765aeea0c9a7efc) = 559d8dd7bd06cbfe7e7b262523280d39, S(559d8dd7bd06cbfe7e7b262523280d39) = 0c3322fed531e4630d80ef5c5a81c50b, S(0c3322fed531e4630d80ef5c5a81c50b) = 23ae65633f842d29c5df529c13f5acda.
S(ffeeddccbbaa99881122334455667700)=b66cd8887d38e8d77765aeea0c9a7efc,S(b66cd8887d38e8d77765aeea0c9a7efc)=559d8dd7bd06cbfe7e7b262523280d39,S(559d8dd7bd06cbfe7e7b262523280d39)=0C3322FED531E4630D80EF5A81C50B,S(0C322FED531EF84630D8EF5C55C55C)=429C55C59C59C55C55D8D5C55C55D8D7D7D7D7D7D7D7D7D7D7D7D5C55C59C59C57D7D7D7D5。
R(00000000000000000000000000000100) = 94000000000000000000000000000001, R(94000000000000000000000000000001) = a5940000000000000000000000000000, R(a5940000000000000000000000000000) = 64a59400000000000000000000000000, R(64a59400000000000000000000000000) = 0d64a594000000000000000000000000.
R(000000000000000000000000000000100)=9400000000000000000000000000000001,R(9400000000000000000000000000000001)=a5940000000000000000000000000000000,R(a5940000000000000000000000000000000)=64a59400000000000000000000000000000,R(64a59400000000000000000000000000000)=0d64a59400000000000000000000000000000。
L(64a59400000000000000000000000000) = d456584dd0e3e84cc3166e4b7fa2890d, L(d456584dd0e3e84cc3166e4b7fa2890d) = 79d26221b87b584cd42fbc4ffea5de9a, L(79d26221b87b584cd42fbc4ffea5de9a) = 0e93691a0cfc60408b7b68f66b513c13, L(0e93691a0cfc60408b7b68f66b513c13) = e6a8094fee0aa204fd97bcb0b44b8580.
L(64A594000000000000000)=d456584dd0e3e84cc3166e4b7fa2890d,L(d456584dd0e3e84cc3166e4b7fa2890d)=79d26221b87b584cd42fbc4ffea5de9a,L(79d26221b87b584cd42fbc4ffea5de9a)=0E93691A0CFC6040B7B68F66B513C13,L(0E93691A0FC604087B687B68F66B513C13)=E680AA204FDB44B8580。
In this test example, the key is equal to:
在本测试示例中,键等于:
K = 8899aabbccddeeff0011223344556677fedcba9876543210012345678 9abcdef.
K=8899aabbccddeeff0011223344556677fedcba9876543210012345678 9abcdef。
K_1 = 8899aabbccddeeff0011223344556677, K_2 = fedcba98765432100123456789abcdef.
K_1=8899aabbccddeeff0011223344556677,K_2=fedcba98765432100123456789abcdef。
C_1 = 6ea276726c487ab85d27bd10dd849401,
X[C_1](K_1) = e63bdcc9a09594475d369f2399d1f276,
SX[C_1](K_1) = 0998ca37a7947aabb78f4a5ae81b748a,
LSX[C_1](K_1) = 3d0940999db75d6a9257071d5e6144a6,
F[C_1](K_1, K_2) = = (c3d5fa01ebe36f7a9374427ad7ca8949,
8899aabbccddeeff0011223344556677).
C_1 = 6ea276726c487ab85d27bd10dd849401,
X[C_1](K_1) = e63bdcc9a09594475d369f2399d1f276,
SX[C_1](K_1) = 0998ca37a7947aabb78f4a5ae81b748a,
LSX[C_1](K_1) = 3d0940999db75d6a9257071d5e6144a6,
F[C_1](K_1, K_2) = = (c3d5fa01ebe36f7a9374427ad7ca8949,
8899aabbccddeeff0011223344556677).
C_2 = dc87ece4d890f4b3ba4eb92079cbeb02,
F [C_2]F [C_1](K_1, K_2) = (37777748e56453377d5e262d90903f87,
c3d5fa01ebe36f7a9374427ad7ca8949).
C_2 = dc87ece4d890f4b3ba4eb92079cbeb02,
F [C_2]F [C_1](K_1, K_2) = (37777748e56453377d5e262d90903f87,
c3d5fa01ebe36f7a9374427ad7ca8949).
C_3 = b2259a96b4d88e0be7690430a44f7f03,
F[C_3]...F[C_1](K_1, K_2) = (f9eae5f29b2815e31f11ac5d9c29fb01,
37777748e56453377d5e262d90903f87).
C_3 = b2259a96b4d88e0be7690430a44f7f03,
F[C_3]...F[C_1](K_1, K_2) = (f9eae5f29b2815e31f11ac5d9c29fb01,
37777748e56453377d5e262d90903f87).
C_4 = 7bcd1b0b73e32ba5b79cb140f2551504,
F[C_4]...F[C_1](K_1, K_2) = (e980089683d00d4be37dd3434699b98f,
f9eae5f29b2815e31f11ac5d9c29fb01).
C_4 = 7bcd1b0b73e32ba5b79cb140f2551504,
F[C_4]...F[C_1](K_1, K_2) = (e980089683d00d4be37dd3434699b98f,
f9eae5f29b2815e31f11ac5d9c29fb01).
C_5 = 156f6d791fab511deabb0c502fd18105,
F[C_5]...F[C_1](K_1, K_2) = (b7bd70acea4460714f4ebe13835cf004,
e980089683d00d4be37dd3434699b98f).
C_5 = 156f6d791fab511deabb0c502fd18105,
F[C_5]...F[C_1](K_1, K_2) = (b7bd70acea4460714f4ebe13835cf004,
e980089683d00d4be37dd3434699b98f).
C_6 = a74af7efab73df160dd208608b9efe06,
F[C_6]...F[C_1](K_1, K_2) = (1a46ea1cf6ccd236467287df93fdf974,
b7bd70acea4460714f4ebe13835cf004).
C_6 = a74af7efab73df160dd208608b9efe06,
F[C_6]...F[C_1](K_1, K_2) = (1a46ea1cf6ccd236467287df93fdf974,
b7bd70acea4460714f4ebe13835cf004).
C_7 = c9e8819dc73ba5ae50f5b570561a6a07,
F[C_7]...F [C_1](K_1, K_2) = (3d4553d8e9cfec6815ebadc40a9ffd04,
1a46ea1cf6ccd236467287df93fdf974).
C_7 = c9e8819dc73ba5ae50f5b570561a6a07,
F[C_7]...F [C_1](K_1, K_2) = (3d4553d8e9cfec6815ebadc40a9ffd04,
1a46ea1cf6ccd236467287df93fdf974).
C_8 = f6593616e6055689adfba18027aa2a08, (K_3, K_4) = F [C_8]...F [C_1](K_1, K_2) = (db31485315694343228d6aef8cc78c44, 3d4553d8e9cfec6815ebadc40a9ffd04).
C_8=f6593616e6055689adfba18027aa2a08,(K_3,K_4)=F[C_8]…F[C_1](K_1,K_2)=(DB31485315643228D6AEF8CC78C44,3d4553d8e9cfec6815ebadc40a9ffd04)。
The round keys K_i, i = 1, 2, ..., 10, take the following values:
圆键K_i,i=1,2,…,10采用以下值:
K_1 = 8899aabbccddeeff0011223344556677, K_2 = fedcba98765432100123456789abcdef, K_3 = db31485315694343228d6aef8cc78c44, K_4 = 3d4553d8e9cfec6815ebadc40a9ffd04, K_5 = 57646468c44a5e28d3e59246f429f1ac, K_6 = bd079435165c6432b532e82834da581b, K_7 = 51e640757e8745de705727265a0098b1, K_8 = 5a7925017b9fdd3ed72a91a22286f984, K_9 = bb44e25378c73123a5f32f73cdb6e517, K_10 = 72e9dd7416bcf45b755dbaa88e4a4043.
K_1=8899aabbccddeeff0011223344556677,K_2=fedcba98765432100123456789abcdef,K_3=DB3148531569443228D6AEF8CC78C44,K_4=3d4553d8e9cfec6815ebadc40a9ffd04,K_5=57646468C44A58D3E592446F429F1AC,K_6=BD07943535165;6432B5332B532E82834DA581;,K_7=51E647E87757; 572; 7DE725; 7; 7DE728B7B9AD927B7B7BU,KĠ=518;=D9;,K_9=bb44e25378c73123a5f32f73cdb6e517,K_10=72e9dd7416bcf45b755dbaa88e4a4043。
In this test example, encryption is performed on the round keys specified in Section 5.4. Let the plaintext be
在本测试示例中,对第5.4节中规定的圆密钥进行加密。让明文成为现实吧
a = 1122334455667700ffeeddccbbaa9988,
a=112233445667700FFEEDDCCBBAA9988,
then
然后
X[K_1](a) = 99bb99ff99bb99ffffffffffffffffff, SX[K_1](a) = e87de8b6e87de8b6b6b6b6b6b6b6b6b6, LSX[K_1](a) = e297b686e355b0a1cf4a2f9249140830, LSX[K_2]LSX[K_1](a) = 285e497a0862d596b36f4258a1c69072, LSX[K_3]...LSX[K_1](a) = 0187a3a429b567841ad50d29207cc34e, LSX[K_4]...LSX[K_1](a) = ec9bdba057d4f4d77c5d70619dcad206, LSX[K_5]...LSX[K_1](a) = 1357fd11de9257290c2a1473eb6bcde1, LSX[K_6]...LSX[K_1](a) = 28ae31e7d4c2354261027ef0b32897df, LSX[K_7]...LSX[K_1](a) = 07e223d56002c013d3f5e6f714b86d2d, LSX[K_8]...LSX[K_1](a) = cd8ef6cd97e0e092a8e4cca61b38bf65, LSX[K_9]...LSX[K_1](a) = 0d8e40e4a800d06b2f1b37ea379ead8e.
(一)(a)=E8 8 8 8 8 8 8 8 B 6 6 B B B B B B 6 6 6 B B B B B B B 6 B B B 6 B B B 6 B B B B 6 B B B 6 B B 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6(K_1)(a)=LSX[K(K(1)(a)=E297B6 6 6 6 6 6 8 8 8 8 8 8[K(K(K(K 1)(1)(1)(1)(a)1)(a)=6 6 6 6 6 6 6 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8[K(K(K(K(K(K(1)(1)(1)(1)(1)(1)(1)(a)=1)(a)=1)(a)=LSX[K(1)(a)=LSX[K K(K(1)(1)(a)=LSX[K)1)DCAD206,LSX[K_5]…LSX[K_1](a)=1357fd11de9257290c2a1473eb6bcde1,LSX[K_6]…LSX[K_1](a)=28ae31e7d4c2354261027ef0b32897df,LSX[K_7]…LSX[K_1](a)=07e223d56002c013d3f5e6f714b86d2d,LSX[K_8]…LSX[K_1](a)=CD8EF6CD6CD97E092A8E4CCA61B6B65,LSX[K_9]…LSX[K_1]=Ls8000E4; 8E408E4E4E4E4E4A378D8EAD9E。
Then the ciphertext is
那么密文就是
b = X[K_10]LSX[K_9]...LSX[K_1](a) = 7f679d90bebc24305a468d42b9d4edcd.
b=X[K_10]LSX[K_9]…LSX[K_1](a)=7f679d90bebc24305a468d42b9d4edcd。
In this test example, decryption is performed on the round keys specified in Section 5.4. Let the ciphertext be
在本测试示例中,对第5.4节中规定的圆密钥进行解密。让密文
b = 7f679d90bebc24305a468d42b9d4edcd,
b=7f679d90bebc24305a468d42b9d4edcd,
then
然后
X[K_10](b) = 0d8e40e4a800d06b2f1b37ea379ead8e, L^(-1)X[K_10](b) = 8a6b930a52211b45c5baa43ff8b91319, S^(-1)L^(-1)X[K_10](b) = 76ca149eef27d1b10d17e3d5d68e5a72, S^(-1)L^(-1)X[K_9]S^(-1)L^(-1)X[K_10](b) = 5d9b06d41b9d1d2d04df7755363e94a9, S^(-1)L^(-1)X[K_8]...S^(-1)L^(-1)X[K_10](b) = 79487192aa45709c115559d6e9280f6e, S^(-1)L^(-1)X[K_7]...S^(-1)L^(-1)X[K_10](b) = ae506924c8ce331bb918fc5bdfb195fa, S^(-1)L^(-1)X[K_6]...S^(-1)L^(-1)X[K_10](b) = bbffbfc8939eaaffafb8e22769e323aa, S^(-1)L^(-1)X[K_5]...S^(-1)L^(-1)X[K_10](b) = 3cc2f07cc07a8bec0f3ea0ed2ae33e4a, S^(-1)L^(-1)X[K_4]...S^(-1)L^(-1)X[K_10](b) = f36f01291d0b96d591e228b72d011c36, S^(-1)L^(-1)X[K_3]...S^(-1)L^(-1)X[K_10](b) = 1c4b0c1e950182b1ce696af5c0bfc5df, S^(-1)L^(-1)X[K_2]...S^(-1)L^(-1)X[K_10](b) = 99bb99ff99bb99ffffffffffffffffff.
(b)X(K(K)10(b)X(b)X(K(K)10(b)X(b)X(K(K(K)10(b)X(b)X(K(K(K(K)10)b)=8A6B6 B8 8 8 B8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8(K(K(K(K(b)K(K(b)K(b)K(K(b)K(b)b)X(K(b)8)X(K(K(b)8)8)X(K(b)8)8)8)8)8 8 8)8 8)8 8 8 8 8)8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8(-1)L^(-1)X[K_10](b)=79487192aa45709c115559d6e9280f6e,S^(-1)L^(-1)X[K_7]…S^(-1)L^(-1)(b)X(K K 10)K 10(b)K 10(b)K 10(b)K 10(b)K 10(b)K K 10(b)K 10(b)K 10(b)K 10(b)K 10(b)K 10(b)K 10(b)K 10(b)K 10(b)K 10)K 10(b)K 10(K 10)K 10(b)K 10(b)K 10(b)K 10(b)K 10(b)X(b)K 10(b)K(b)K(b)b)b)b)b(b)b)b)b)b(b)b)b)b(b(b)b)b)b)b)b)b(b)b)b)b)b)b)b(b)b)b)b)b)b)b(b)b)b)b)b)b)b)b)b)b)b)b)b)b)b)b)b)b 1291D0B96D591E228B72D011C36,S^(-1)L^(-1)X[K_3]…S^(-1)L^(-1)X[K_10](b)=1c4b0c1e950182b1ce696af5c0bfc5df,S^(-1)L^(-1)X[K_2]…S^(-1)L^(-1)X[K_10](b)=99bb99ff99bb99ffffffffffffff。
Then the plaintext is
那么明文就是
a = X[K_1]S^(-1)L^(-1)X[K_2]...S^(-1)L^(-1)X[K_10](b) = 1122334455667700ffeeddccbbaa9988.
a=X[K_1]S^(-1)L^(-1)X[K_2]…S^(-1)L^(-1)X[K_10](b)=112233445667700ffeeddccbbaa9988。
This entire document is about security considerations.
整个文档都是关于安全方面的考虑。
[GOST3412-2015] "Information technology. Cryptographic data security. Block ciphers", GOST R 34.12-2015, Federal Agency on Technical Regulating and Metrology, 2015.
[GOST3412-2015]“信息技术。加密数据安全。分组密码”,GOST R 34.12-2015,联邦技术监管和计量局,2015年。
[ISO-IEC10116] ISO/IEC, "Information technology -- Security techniques -- Modes of operation for an n-bit block cipher", ISO/ IEC 10116, 2006.
[ISO-IEC10116]ISO/IEC,“信息技术——安全技术——n位分组密码的操作模式”,ISO/IEC 101162006。
[ISO-IEC18033-1] ISO/IEC, "Information technology -- Security techniques -- Encryption algorithms -- Part 1: General", ISO/ IEC 18033-1, 2015.
[ISO-IEC18033-1]ISO/IEC,“信息技术——安全技术——加密算法——第1部分:总则”,ISO/IEC 18033-12015。
[ISO-IEC18033-3] ISO/IEC, "Information technology -- Security techniques -- Encryption algorithms -- Part 3: Block ciphers", ISO/ IEC 18033-3, 2010.
[ISO-IEC18033-3]ISO/IEC,“信息技术——安全技术——加密算法——第3部分:分组密码”,ISO/IEC 18033-32010。
Author's Address
作者地址
Vasily Dolmatov (editor) Research Computer Center MSU Leninskiye Gory, 1, Building 4, MGU NIVC Moscow 119991 Russian Federation
瓦西里·多尔马托夫(编辑)研究计算机中心MSU Leninskiye Gory,莫斯科MGU NIVC 4号楼1号,俄罗斯联邦莫斯科119991
Email: dol@srcc.msu.ru
Email: dol@srcc.msu.ru