Independent Submission V. Dolmatov, Ed. Request for Comments: 5831 Cryptocom, Ltd. Category: Informational March 2010 ISSN: 2070-1721
Independent Submission V. Dolmatov, Ed. Request for Comments: 5831 Cryptocom, Ltd. Category: Informational March 2010 ISSN: 2070-1721
GOST R 34.11-94: Hash Function Algorithm
GOST R 34.11-94:哈希函数算法
Abstract
摘要
This document is intended to be a source of information about the Russian Federal standard hash function (GOST R 34.11-94), which is one of the Russian cryptographic standard algorithms (called GOST algorithms). Recently, Russian cryptography is being used in Internet applications, and this document has been created as information for developers and users of GOST R 34.11-94 for hash computation.
本文件旨在作为俄罗斯联邦标准哈希函数(GOST R 34.11-94)的信息来源,该函数是俄罗斯加密标准算法(称为GOST算法)之一。最近,俄罗斯密码学正在互联网应用中使用,本文档已创建为GOST R 34.11-94的开发者和用户提供信息,用于哈希计算。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5831.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc5831.
Copyright Notice
版权公告
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2010 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English.
不得修改本文件,也不得创建其衍生作品,除非将其格式化为RFC出版或将其翻译为英语以外的其他语言。
Table of Contents
目录
1. Introduction ....................................................3 1.1. General Information ........................................3 1.2. The Purpose of GOST R 34.11-94 .............................3 2. Applicability ...................................................3 3. Conventions Used in This Document ...............................4 4. General Statements ..............................................5 5. Step-by-Step Hash Function ......................................5 5.1. Key Generation .............................................5 5.2. Encryption Transformation ..................................7 5.3. Mixing Transformation ......................................7 6. The Calculation Procedure for a Hash Function ...................8 7. Test Examples (Informative) .....................................9 7.1. Usage of the Algorithm GOST 28147-89 ......................10 7.2. Representation of Vectors .................................11 7.3. Examples of the Hash Value Calculation ....................11 7.3.1. Hash Calculation for the Sample Message M ..........11 7.3.2. Hash Calculation for the Sample Message M ..........14 8. Security Considerations ........................................16 9. Normative References ...........................................16 10. Contributors ..................................................17
1. Introduction ....................................................3 1.1. General Information ........................................3 1.2. The Purpose of GOST R 34.11-94 .............................3 2. Applicability ...................................................3 3. Conventions Used in This Document ...............................4 4. General Statements ..............................................5 5. Step-by-Step Hash Function ......................................5 5.1. Key Generation .............................................5 5.2. Encryption Transformation ..................................7 5.3. Mixing Transformation ......................................7 6. The Calculation Procedure for a Hash Function ...................8 7. Test Examples (Informative) .....................................9 7.1. Usage of the Algorithm GOST 28147-89 ......................10 7.2. Representation of Vectors .................................11 7.3. Examples of the Hash Value Calculation ....................11 7.3.1. Hash Calculation for the Sample Message M ..........11 7.3.2. Hash Calculation for the Sample Message M ..........14 8. Security Considerations ........................................16 9. Normative References ...........................................16 10. Contributors ..................................................17
1. GOST R 34.11-94 [GOST3411] was developed by the Federal Agency for Government Communication and Information and by the All-Russia Scientific and Research Institute of Standardization.
1. GOST R 34.11-94[GOST3411]由联邦政府通信和信息局以及全俄罗斯标准化科学研究院开发。
2. GOST R 34.11-94 was accepted and activated by Act 154 of 23.05.1994 issued by the Russian Federal committee for standards.
2. GOST R 34.11-94被俄罗斯联邦标准委员会发布的1994年5月23日第154号法案接受并激活。
Expanding the application of information technologies when creating, processing, and storing documents requires, in some cases, confidentiality of their contents, maintenance of completeness, and authenticity.
在创建、处理和存储文档时扩展信息技术的应用在某些情况下需要对其内容保密、保持完整性和真实性。
Cryptography (cryptographic security) is one of the effective approaches for data security. It is widely applied in different areas of government and commercial activity.
密码学(cryptographic security)是数据安全的有效方法之一。它广泛应用于政府和商业活动的不同领域。
Cryptographic data security methods are under serious scientific research and standardization efforts at national, regional, and international levels.
加密数据安全方法正在国家、地区和国际各级进行认真的科学研究和标准化工作。
GOST R 34.11-94 defines a hash function calculation procedure for an arbitrary sequence of binary symbols.
GOST R 34.11-94定义了任意二进制符号序列的哈希函数计算过程。
The hash function maps an arbitrary set of data represented as a sequence of binary symbols onto its image of a fixed small length.
哈希函数将表示为二进制符号序列的任意数据集映射到其固定小长度的图像上。
Thus, hash functions can be used in procedures related to the electronic digital signature, resulting in considerable reduction of elapsed time for the sign and verify stages. The effect of the reduction of time is due to the fact that only a short image of initial data is actually signed.
因此,可以在与电子数字签名相关的过程中使用散列函数,从而大大减少签名和验证阶段的运行时间。缩短时间的效果是由于只有初始数据的短图像被实际签名。
GOST R 34.11-94 defines an algorithm and procedure for the calculation of a hash function for an arbitrary sequence of binary symbols. These algorithms and procedures should be applied in cryptographic methods of data processing and securing, including digital signature procedures employed for data transfer and data storage in computer-aided systems.
GOST R 34.11-94定义了用于计算任意二进制符号序列的哈希函数的算法和程序。这些算法和程序应用于数据处理和安全的加密方法,包括计算机辅助系统中用于数据传输和数据存储的数字签名程序。
The hash function, defined in GOST R 34.11-94, is used for digital signature systems based on the asymmetric cryptographic algorithm according to GOST R 34.10-2001 (see section 3).
GOST R 34.11-94中定义的哈希函数用于基于GOST R 34.10-2001中非对称加密算法的数字签名系统(见第3节)。
The following notations are used in GOST R 34.11-94:
GOST R 34.11-94中使用了以下符号:
V_all is a set of all finite words in the alphabet V = {0,1}. The words are read from right to left and the alphabet symbols are numbered from right to left (i.e., the rightmost symbol of the word has the number one, the second rightmost symbol has number two, etc.).
V_all is a set of all finite words in the alphabet V = {0,1}. The words are read from right to left and the alphabet symbols are numbered from right to left (i.e., the rightmost symbol of the word has the number one, the second rightmost symbol has number two, etc.).
Vk is a set of all words in alphabet V = {0,1} of length k bits (k=16,64,256).
Vk is a set of all words in alphabet V = {0,1} of length k bits (k=16,64,256).
|A| is the length of a word A belonging to V_all.
|A |是属于V|all的单词A的长度。
A||B is a concatenation of words A, B belonging to V_all. Its length is |A| + |B|, where the left |A| symbols come from the word A, and the right |B| symbols come from the word B. One can also use the notation A||B = A * B.
A | | B是属于V|all的单词A、B的串联。它的长度是| A |+| B |,其中左| A |符号来自单词A,右| B |符号来自单词B。也可以使用符号A | B=A*B。
A^k is a concatenation of k copies of the word A (A belongs to V_all).
A^k是单词A(A属于V_all)的k个副本的串联。
<N>_k is a word of length k, containing a binary representation of N(mod 2^k) residue, with a non-negative integer N.
<N> _k是一个长度为k的字,包含N(mod 2^k)余数的二进制表示,带有一个非负整数N。
A^$ is a non-negative integer with A as its binary representation.
A^$是一个非负整数,二进制表示形式为A。
(xor) is the bitwise modulo 2 addition of the words of the same length.
(xor)是相同长度字的按位模2加法。
(+)' is the addition according to the rule A (+)' B = <A^$+ B^$>_k, where k = |A| = |B|.
(+)' is the addition according to the rule A (+)' B = <A^$+ B^$>_k, where k = |A| = |B|.
M is a binary sequence to be hashed, M belongs to V_all. M is a message in digital signature systems.
M是要散列的二进制序列,M属于V_all。M是数字签名系统中的消息。
h is a hash function that maps the sequence M belonging to V_all onto the word h(M) belonging to V_256.
h是一个哈希函数,它将属于V_all的序列M映射到属于V_256的单词h(M)。
E(k,A) is a result of the encryption of the word A using key K with the encryption algorithm according to [GOST28147] in the electronic codebook (ECB) mode (K belongs to V256, A belongs to V64).
E(k,A)是在电子码本(ECB)模式(k属于V256,A属于V64)下,使用密钥k和根据[GOST28147]的加密算法对单词A进行加密的结果。
h0 is an initial hash value.
h0是初始散列值。
e := g is the assignment of the value g to the parameter e.
e:=g是将值g赋值给参数e。
^ is the power operator.
^是电力操作员。
i = 1..8 is an interval with i being all the values from 1 to 8.
i=1..8是一个区间,i是从1到8的所有值。
hUZ is the S-boxes described in [GOST28147].
hUZ是[GOST28147]中所述的S盒。
A hash function h is the mapping h : V_all -> V256, depending on the parameter (which is the initial hash value H, H is a word from V256). To define the hash function, it is necessary to have:
散列函数h是映射h:V_all->V256,具体取决于参数(它是初始散列值h,h是V256中的一个字)。要定义哈希函数,必须具有:
- a calculation algorithm for the step-by-step hash function
- 一种分步hash函数的计算算法
chi : V256 x V256 -> V256
chi : V256 x V256 -> V256
- a description of an iterative procedure for calculating the hash value h
- 用于计算散列值h的迭代过程的描述
A hash function h depends on two parameters, h0 and hUZ.
散列函数h取决于两个参数h0和hUZ。
A calculation algorithm for the step-by-step hash function contains three parts, which successively do:
分步散列函数的计算算法包含三个部分,分别是:
- key generation, here keys are 256-bit words;
- 密钥生成,这里的密钥是256位字;
- an encryption transformation, that is encryption of 64-bit subwords of word H using keys K[i], (i = 1, 2, 3, 4) with the algorithm according to [GOST28147] in ECB mode; and
- 加密转换,即在ECB模式下使用密钥K[i],(i=1,2,3,4)和根据[GOST28147]的算法对字H的64位子字进行加密;和
- a mixing transformation for the result of the encryption.
- 加密结果的混合转换。
Consider X = (b[256], b[255], ..., b[1]) belongs to V256.
Consider X = (b[256], b[255], ..., b[1]) belongs to V256.
Let:
让我们:
X = x[4]||x[3]||x[2]||x[1] = eta[16]||[eta15]||...||eta[1]
X=X[4]| | X[3]| | X[2]| | X[1]=eta[16]| | |[eta15]| | | eta[1]
= xi[32]||xi[31]||...||xi[1], where
=xi[32]| | xi[31]| | | | | xi[1],其中
x[i] = (b[i*64],...,b[(i-1)*64+1]) belongs to V64, i = 1..4,
x[i] = (b[i*64],...,b[(i-1)*64+1]) belongs to V64, i = 1..4,
eta[j] = (b[j*16],...,b[(j-1)*16+1]) belongs to V16, j = 1..16,
eta[j] = (b[j*16],...,b[(j-1)*16+1]) belongs to V16, j = 1..16,
xi[k] = (b[k*8],..., b[(k-1)*8+1]) belongs to V8, k = 1..32.
xi[k] = (b[k*8],..., b[(k-1)*8+1]) belongs to V8, k = 1..32.
Yet, another notation: A(X) = (x[1](xor)x[2])||x[4]||x[3]||x[2].
Yet, another notation: A(X) = (x[1](xor)x[2])||x[4]||x[3]||x[2].
The transformation P : V256 -> V256 maps the word xi32||...||xi1 onto the word xi[phi(32)] || ... || xi[phi(1)],
转换P:V256->V256将单词xi32 | | | | | | xi1映射到单词xi[phi(32)]| | | | |xi[phi(1)],
where phi(i + 1 + 4 ( k - 1) ) = 8i + k , i = 0..3, k = 1..8.
其中φ(i+1+4(k-1))=8i+k,i=0..3,k=1..8。
For the key generation, one should use the following initial data:
对于密钥生成,应使用以下初始数据:
- words H, M belonging to V256,
- 属于V256的单词H,M,
- parameters: words C[i] (i = 2, 3, 4), with values:
- 参数:字C[i](i=2,3,4),值为:
C[2] = C[4] = 0^256;
C[2] = C[4] = 0^256;
C[3] = 1^8||0^8||1^16||0^24||1^16||0^8||(0^8||1^8)^2||1^8||0^8 ||(0^8||1^8)^4||(1^8||0^8 )^4.
C[3]=1^8 | 0^8 | 1^16 | 0^24 | 1^16 | 0^8 | |(0^8 | 1^8)^2 | 1^8 | 0^8 |(0^8 | 1^8)^4。
The following algorithm is used for the key calculation:
以下算法用于密钥计算:
1. Assign values:
1. 赋值:
i := 1, U := H , V := M.
i:=1,U:=H,V:=M。
2. Calculate:
2. 计算:
W = U (xor) V , K[i] = P(W).
W=U(xor)V,K[i]=P(W)。
3. Assign:
3. 分配:
i := i + 1.
i:=i+1。
4. Verify condition:
4. 验证条件:
i = 5.
i=5。
If it is true, go to step 7. If not, go to step 5.
如果为真,请转至步骤7。如果没有,请转至步骤5。
5. Calculate:
5. 计算:
U := A(U)(xor)C[i], V := A(A(V)), W := U(xor)V, K[i] = P(W).
U:=A(U)(xor)C[i],V:=A(A(V)),W:=U(xor)V,K[i]=P(W)。
6. Go to step 3.
6. 转至步骤3。
7. End.
7. 终止
At this stage, 64-bit subwords of the word H are encrypted using keys K[i] (i = 1, 2, 3, 4).
在此阶段,使用密钥K[i](i=1、2、3、4)对字H的64位子字进行加密。
For the encryption transformation, one should use the following initial data:
对于加密转换,应使用以下初始数据:
H = h[4]||h[3]||h[2]||h[1],
H=H[4]| | H[3]| | H[2]| | H[1],
where h[i] belongs to V64, i = 1,2,3,4, and a key set is K[1], K[2], K[3], K[4].
其中h[i]属于V64,i=1,2,3,4,密钥集为K[1],K[2],K[3],K[4]。
The encryption algorithm is applied and the following words are obtained:
应用加密算法并获得以下文字:
s[i] = E(K[i],h[i]), where: i = 1,2,3,4
s[i] = E(K[i],h[i]), where: i = 1,2,3,4
As a result of the stage, the following sequence is formed:
作为该阶段的结果,形成以下顺序:
S = s[4]||s[3]||s[2]||s[1].
S=S[4]| | S[3]| | S[2]| | S[1]。
At this stage, the obtained sequence is mixed using a shift register.
在此阶段,使用移位寄存器混合获得的序列。
The initial data includes words H, M belonging to V256 and a word S belonging to V256 .
初始数据包括属于V256的字H、M和属于V256的字S。
Let a mapping PSI(X) : V256(2) -> V256(2) transform the word:
让一个映射PSI(X):V256(2)->V256(2)变换单词:
eta[16]||eta[15]||...||eta[1], eta[i] belongs to V16, i = 1..16
埃塔[16]| |埃塔[15]| | | | | | | |埃塔[1],埃塔[i]属于V16,i=1..16
into the word:
换言之:
eta[1](xor)eta[2](xor)eta[3](xor)eta[4](xor)eta[13](xor)eta[16] ||eta[16]||...||eta[2].
埃塔[1](异或)埃塔[2](异或)埃塔[3](异或)埃塔[4](异或)埃塔[13](异或)埃塔[16]| | | |埃塔[2]。
Then, the value of the step-by-step hash function value is the word:
然后,逐步散列函数值的值为单词:
chi(M, H) = PSI^61(H(xor)PSI(M(xor)PSI^12(S))),
chi(M,H)=PSI^61(H(xor)PSI(M(xor)PSI^12(S)),
where PSI^i(X) is the transformation PSI applied i times to X.
其中,PSI^i(X)是应用于X的i次转换PSI。
The calculation procedure for a hash function h is assumed to be applied to a sequence M belonging to V_all. Its parameter is an initial hash value h0, which is an arbitrarily fixed word from V256.
假设散列函数h的计算过程应用于属于V_all的序列M。它的参数是初始散列值h0,它是V256中的任意固定字。
The calculation procedure for the function h uses the following quantities at each step of iteration:
函数h的计算程序在迭代的每个步骤中使用以下量:
_M_ belonging to V_all - a part of the sequence M, which was not hashed at previous iterations;
_M_u属于V_all-序列M的一部分,在以前的迭代中没有散列;
H belonging to V256 - the current hash value;
H属于V256——当前哈希值;
SIGMA belonging to V256 - the current check sum value;
属于V256的西格玛-当前校验和值;
L belonging to V256 - the length of the partial sequence M processed at the previous iteration step.
L属于V256-在上一迭代步骤中处理的部分序列M的长度。
The calculation algorithm for function h consists of the following steps:
函数h的计算算法包括以下步骤:
Step 1. Assign initial values to current quantities:
第一步。将初始值指定给当前数量:
1.1 _M_ := M.
1.1 _M:=M。
1.2 H := h0.
1.2 H:=h0。
1.3 SIGMA := 0^256.
1.3 西格玛:=0^256。
1.4 L := 0^256.
1.4 L:=0^256。
1.5 Go to step 2.
1.5 转至步骤2。
Step 2.
第二步。
2.1 Verify the condition |_M_|>256.
2.1 验证条件| | M |>256。
If it is true, go to step 3.
如果为真,请转至步骤3。
Else, make the following calculations:
否则,进行以下计算:
2.2 L := <L^$ + |M|>_256
2.2 L := <L^$ + |M|>_256
2.3 M' := 0^(256 -|M|)||M
2.3 M' := 0^(256 -|M|)||M
2.4 SIGMA := SIGMA (+)' M'
2.4 SIGMA := SIGMA (+)' M'
2.5 H := chi (M', H)
2.5 H:=chi(M',H)
2.6 H := chi (L, H)
2.6 H:=chi(L,H)
2.7 H := chi (SIGMA, H)
2.7 H:=chi(西格玛,H)
2.8 End.
2.8 终止
Step 3.
第三步。
3.1 Calculate a subword M_s belonging to V256 of the word _M_ (_M_ = M_p||M_s). Then make the following calculations:
3.1 计算属于单词_M_(_M_=M_p | | M_s)的V256的子单词M_s。然后进行以下计算:
3.2 H := chi (M_s, H)
3.2 H:=chi(mus,H)
3.3 L := <L^$ + 256>_256
3.3 L := <L^$ + 256>_256
3.4 SIGMA := SIGMA (+)' M[s]
3.4 SIGMA := SIGMA (+)' M[s]
3.5 _M_ = M_p
3.5 _M_u=M_p
3.6 Go to step 2.
3.6 转至步骤2。
The quantity H obtained at step 2.7 is the value of the hash function h(M).
在步骤2.7中获得的数量H是散列函数H(M)的值。
It is recommended to use the values for substitution units pi[1], pi[2],..., pi[8] and the initial hash value H described in this appendix for the GOST R 34.11-94 test examples only.
建议仅在GOST R 34.11-94测试示例中使用本附录中描述的替换单元pi[1]、pi[2]、…、pi[8]的值和初始散列值H。
The algorithm GOST 28147-89 [GOST28147] in ECB mode is used as an encryption transformation in the following examples. The following values of the substitution units pi[1], pi[2],..., pi[8] have been chosen:
在以下示例中,ECB模式下的算法GOST 28147-89[GOST28147]用作加密转换。已选择替换单元pi[1]、pi[2]、…、pi[8]的以下值:
8 7 6 5 4 3 2 1
8 7 6 5 4 3 2 1
0 1 D 4 6 7 5 E 4
01D4675E4
1 F B B C D 8 B A
1楼B C D 8 B A
2 D 4 A 7 A 1 4 9
2d4a7a149
3 0 1 0 1 1 D C 2
301011DC2
4 5 3 7 5 0 A 6 D
453750A6D
5 7 F 2 F 8 3 D 8
5 7 F 2 F 8 3 D 8
6 A 5 1 D 9 4 F 0
6 A 5 1 D 9 4 F 0
7 4 9 D 8 F 2 A E
7 4 9 D 8 F 2 A E
8 9 0 3 4 E E 2 6
89034E26
9 2 A 6 A 4 F 3 B
9 2 A 6 A 4 F 3 B
10 3 E 8 9 6 C 8 1
103 E 8 9 6 C 8 1
11 E 7 5 E C 7 1 C
11 E 7 5 E C 7 1 C
12 6 6 9 0 B 6 0 7
12 6 6 9 0 B 6 0 7
13 B 8 C 3 2 0 7 F
13B8C3207F
14 8 2 F B 5 9 5 5
14 8 2 F B 5 9 5 5
15 C C E 2 3 B 9 3
15 C C E 2 3 B 9 3
The hexadecimal value of pi[j](i) is given in a column number j,
pi[j](i)的十六进制值在列号j中给出,
j = 1..8, and in a row number i, i = 0..15.
j=1..8,在行号i中,i=0..15。
We will put down binary symbol sequences as hexadecimal digits strings, where each digit corresponds to four signs of its binary representation.
我们将把二进制符号序列记为十六进制数字字符串,其中每个数字对应于其二进制表示的四个符号。
A zero vector, for example, can be taken as an initial hash value:
例如,可以将零向量作为初始散列值:
h0 = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
h0=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000
M = 73657479 62203233 3D687467 6E656C20 2C656761 7373656D 20736920 73696854
M=73657479 62203233 3D687467 6E656C20 2C656761 7373656D 207369273696854
Initial values are assigned for the text:
将为文本指定初始值:
_M_ = 73657479 62203233 3D687467 6E656C20 2C656761 7373656D 20736920 73696854
_M=73657479 62203233 3D687467 6E656C20 2C656761 7373656D 207369273696854
for the hash function:
对于哈希函数:
H = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
H=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000
for the sum of text blocks:
对于文本块的总和:
SIGMA = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
西格玛=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000
for the length of the text:
关于文本的长度:
L = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
L=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000
If the length of the message to be hashed equals 256 bits (32 bytes), then:
如果要散列的消息长度等于256位(32字节),则:
L = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000100
L=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100
M' = _M_ = 73657479 62203233 3D687467 6E656C20 2C656761 7373656D 20736920 73696854
M'=_M_=73657479 62203233 3D687467 6E656C20 2C656761 7373656D 20736920 73696854
and there is no need to pad the current block with zeroes:
无需在当前块上填充零:
SIGMA=M' = 73657479 62203233 3D687467 6E656C20 2C656761 7373656D 20736920 73696854
西格玛=M'=73657479 62203233 3D687467 6E656C20 2C656761 7373656D 207369273696854
The step-by-step hash function chi(M, N) values are calculated.
计算逐步散列函数chi(M,N)值。
The keys are generated:
生成的密钥为:
K[1] = 733D2C20 65686573 74746769 326C6568 626E7373 20657369 79676120 33206D54
K[1]=733D2C20 65686573 74746769 326C6568 626E7373 20657369 79676120 33206D54
K[2] = 110C733D 0D166568 130E7474 06417967 1D00626E 161A2065 090D326C 4D393320
K[2]=110C733D 0D166568 130E7474 06417967 1D00626E 161A2065 090D326C 4D39320
K[3] = 80B111F3 730DF216 850013F1 C7E1F941 620C1DFF 3ABAE91A 3FA109F2 F513B239
K[3]=80B111F3 730DF216 850013F1 C7E1F941 620C1DF 3ABAE91A 3FA109F2 F513B239
K[4] = A0E2804E FF1B73F2 ECE27A00 E7B8C7E1 EE1D620C AC0CC5BA A804C05E A18B0AEC
K[4]=A0E2804E FF1B73F2 ECE27A00 E7B8C7E1 EE1D620C AC0CC5BA A804C05E A18B0AEC
The 64-bit subwords of block H are encrypted by the algorithm according to GOST 28147.
根据GOST 28147的算法对块H的64位子字进行加密。
Block h[1] = 00000000 00000000 is encrypted using key K[1] and s[1] = 42ABBCCE 32BC0B1B is obtained.
使用密钥K[1]对块h[1]=00000000 00000000进行加密,并获得s[1]=42abbce 32BC0B1B。
Block h[2] = 00000000 00000000 is encrypted using key K[2] and s[2] = 5203EBC8 5D9BCFFD is obtained.
使用密钥K[2]对块h[2]=00000000 00000000进行加密,并获得s[2]=5203EBC8 5D9BCFFD。
Block h[3] = 00000000 00000000 is encrypted using key K[3] and s[3] = 8D345899 00FF0E28 is obtained.
使用密钥K[3]对块h[3]=00000000 00000000进行加密,并获得s[3]=8D345899 00FF0E28。
Block h[4] = 00000000 00000000 is encrypted using key K[4] and s[4] = E7860419 0D2A562D is obtained.
使用密钥K[4]对块h[4]=00000000 00000000进行加密,并获得s[4]=E7860419 0D2A562D。
So S = E7860419 0D2A562D 8D345899 00FF0E28 5203EBC8 5D9BCFFD 42ABBCCE 32BC0B1B
因此S=E7860419 0D2A562D 8D345899 00FF0E28 5203 EBC8 5D9BCFFD 42ABBCCE 32BC0B1B
is obtained.
是获得的。
The mixing transformation using a shift register is performed and
使用移位寄存器执行混合变换,并
KSI = chi(M, H) = CF9A8C65 505967A4 68A03B8C 42DE7624 D99C4124 883DA687 561C7DE3 3315C034
KSI=chi(M,H)=CF9A8C65 505967A4 68A03B8C 42DE7624 D99C4124 883DA687 561C7DE3 3315C034
is obtained.
是获得的。
Assign H = KSI and calculate chi(L, H):
分配H=KSI并计算chi(L,H):
K[1] = CF68D956 9AA09C1C 8C3B417D 658C24E3 50428833 59DE3D15 6776A6C1 A4248734
K[1]=CF68D956 9AA09C1C 8C3B417D 658C24E3 5042833 59DE3D15 6776A6C1 A4248734
K[2] = 8FCF68D9 809AA09C 3C8C3B41 C7658C24 BB504288 2859DE3D 666676A6 B3A42487
K[2]=8FCF68D9 809AA09C 3C8C3B41 C7658C24 BB504288 2859DE3D 666676A6 B3A42487
K[3] = 4E70CF97 3C8065A0 853C8CC4 57389A8C CABB50BD E3D7A6DE D1996788 5CB35B24
K[3]=4E70CF97 3C8065A0 853C8CC4 57389A8C CABB50BD E3D7A6DE D1996788 5CB35B24
K[4] = 584E70CF C53C8065 48853C8C 1657389A EDCABB50 78E3D7A6 EED19867 7F5CB35B
K[4]=584E70CF C53C8065 48853C8C 1657389A EDCABB50 78E3D7A6 EED19867 7F5CB35B
S = 66B70F5E F163F461 468A9528 61D60593 E5EC8A37 3FD42279 3CD1602D DD783E86
S=66B70F5E F163F461468A9528 61D60593 E5EC8A37 3FD42279 3CD1602D DD783E86
KSI = 2B6EC233 C7BC89E4 2ABC2692 5FEA7285 DD3848D1 C6AC997A 24F74E2B 09A3AEF7
KSI=2B6EC233 C7BC89E4 2ABC2692 5FEA7285 DD3848D1 C6AC997A 24F74E2B 09A3AEF7
Now assign H = KSI again and calculate chi( SIGMA, H):
现在再次分配H=KSI并计算chi(σ,H):
K[1] = 5817F104 0BD45D84 B6522F27 4AF5B00B A531B57A 9C8FDFCA BB1EFCC6 D7A517A3
K[1]=5817F104 0BD45D84 B6522F27 4AF5B00B A531B57A 9C8FDFCA BB1EFCC6 D7A517A3
K[2] = E82759E0 C278D950 15CC523C FC72EBB6 D2C73DA8 19A6CAC9 3E8440F5 C0DDB65A
K[2]=E82759E0 C278D950 15CC523C FC72EBB6 D2C73DA8 19A6CAC9 3E8440F5 C0DDB65A
K[3] = 77483AD9 F7C29CAA EB06D1D7 841BCAD3 FBC3DAA0 7CB555F0 D4968080 0A9E56BC
K[3]=77483AD9 F7C29CAA EB06D1D7 841BCAD3 FBC3DAA0 7CB555F0 D49680 0A9E56BC
K[4] = A1157965 2D9FBC9C 088C7CC2 46FB3DD2 7684ADCB FA4ACA06 53EFF7D7 C0748708
K[4]=A1157965 2D9FBC9C 088C7CC2 46FB3DD2 7684ADCB FA4ACA06 53EFF7D7 C0748708
S = 2AEBFA76 A85FB57D 6F164DE9 2951A581 C31E7435 4930FD05 1F8A4942 550A582D
S=2AEBFA76 A85FB57D 6F164DE9 2951A581 C31E7435 4930FD05 1F8A4942 550A582D
KSI = FAFF37A6 15A81669 1CFF3EF8 B68CA247 E09525F3 9F811983 2EB81975 D366C4B1
KSI=FAFF37A6 15A81669 1CFF3EF8 B68CA247 E09525F3 9F811983 2EB81975 D366C4B1
Then, the hash result is:
然后,散列结果是:
H = FAFF37A6 15A81669 1CFF3EF8 B68CA247 E09525F3 9F811983 2EB81975 D366C4B1
H=FAFF37A6 15A81669 1CFF3EF8 B68CA247 E09525F3 9F811983 2EB81975 D366C4B1
Let M = 7365 74796220 3035203D 20687467 6E656C20 73616820 65676173 73656D20 6C616E69 6769726F 20656874 2065736F 70707553
设M=7365 74796220 3035203D 20687467 6E656C20 73616820 65676173 73656D20 6C616E69 6769726F 20656874 2065736F 707553
As the length of the message to be hashed equals 400 bits (50 bytes), the message is divided into two blocks, and the second (high-order) one is padded with zeroes. During the calculations the following numbers are obtained:
由于要散列的消息长度等于400位(50字节),消息被分为两个块,第二个(高阶)块用零填充。在计算过程中,获得了以下数字:
STEP 1.
第一步。
H = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
H=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000
M_s = 73616820 65676173 73656D20 6C616E69 6769726F 20656874 2065736F 70707553
M_s=73616820 65676173 73656D20 6C616E69 6769726F 20656874 2065736F 70707553
K[1] = 73736720 61656965 686D7273 20206F6F 656C2070 67616570 616E6875 73697453
K[1]=73736720 61656965 686D7273 20206F6F 656C2070 67616570 616E6875 73697453
K[2] = 14477373 0C0C6165 1F01686D 4F002020 4C50656C 04156761 061D616E 1D277369
K[2]=14477373 0C0C6165 1F01686D 4F0020 4C50656C 04156761 061D616E 1D277369
K[3] = CBFF14B8 6D04F30C 96051FFE DFFFB000 35094CAF 72F9FB15 7CF006E2 AB1AE227
K[3]=CBFF14B8 6D04F30C 96051FFE DFFFB000 35094CAF 72F9FB15 7CF006E2 AB1AE227
K[4] = EBACCB00 F7006DFB E5E16905 B0B0DFFF BA1C3509 FD118DF9 F61B830F F8C554E5
K[4]=EBACB00 F7006DFB E5E16905 B0B0DFFF BA1C3509 FD118DF9 F61B830F F8C554E5
S = FF41797C EEAADAC2 43C9B1DF 2E14681C EDDC2210 1EE1ADF9 FA67E757 DAFE3AD9
S=FF41797C EEAADAC2 43C9B1DF 2E14681C EDDC221 1EE1ADF9 FA67E757 DAFE3 AD9
KSI = F0CEEA4E 368B5A60 C63D96C1 E5B51CD2 A93BEFBD 2634F0AD CBBB69CE ED2D5D9A
KSI=F0CEEA4E 368B5A60 C63D96C1 E5B51CD2 A93BEFBD 2634F0AD CBBB69CE ED2D5D9A
STEP 2.
第二步。
H = F0CEEA4E 368B5A60 C63D96C1 E5B51CD2 A93BEFBD 2634F0AD CBBB69CE ED2D5D9A
H=F0CEEA4E 368B5A60 C63D96C1 E5B51CD2 A93BEFBD 2634F0AD CBBB69CE ED2D5D9A
M' = 00000000 00000000 00000000 00007365 74796220 3035203D 20687467 6E656C20
M'=00000000000000000000007365 74796220 3035203D 20687467 6E656C20
K[1] = F0C6DDEB CE3D42D3 EA968D1D 4EC19DA9 36E51683 8BB50148 5A6FD031 60B790BA
K[1]=F0C6DDEB CE3D42D3 EA968D1D 4EC19DA9 36E51683 8BB50148 5A6FD031 60B790BA
K[2] = 16A4C6A9 F9DF3D3B E4FC96EF 5309C1BD FB68E526 2CDBB534 FE161C83 6F7DD2C8
K[2]=16A4C6A9 F9DF3D3B E4FC96EF 5309C1BD FB68E526 2CDBB534 FE161C83 6F7DD2C8
K[3] = C49D846D 1780482C 9086887F C48C9186 9DCB0644 D1E641E5 A02109AF 9D52C7CF
K[3]=C49D846D 1780482C 9086887F C48C9186 9DCB0644 D1E641E5 A02109F 9D52C7CF
K[4] = BDB0C9F0 756E9131 E1F290EA 50E4CBB1 1CAD9536 F4E4B674 99F31E29 70C52AFA
K[4]=BDB0C9F0 756E9131 E1F290EA 50E4CBB1 1CAD9536 F4E4B674 99F31E29 70C52AFA
S = 62A07EA5 EF3C3309 2CE1B076 173D48CC 6881EB66 F5C7959F 63FCA1F1 D33C31B8
S=62A07EA5 EF3C3309 2CE1B076 173D48CC 6881EB66 F5C7959F 63FCA1F1 D33C31B8
KSI = 95BEA0BE 88D5AA02 FE3C9D45 436CE821 B8287CB6 2CBC135B 3E339EFE F6576CA9
KSI=95BEA0BE 88D5AA02 FE3C9D45 436CE821 B8287CB6 2CBC135B 3E339EFE F6576CA9
STEP 3.
第三步。
H = 95BEA0BE 88D5AA02 FE3C9D45 436CE821 B8287CB6 2CBC135B 3E339EFE F6576CA9
H=95BEA0BE 88D5AA02 FE3C9D45 436CE821 B8287CB6 2CBC135B 3E339EFE F6576CA9
L = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000190
L=00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000190
K[1] = 95FEB83E BE3C2833 A09D7C9E BE45B6FE 88432CF6 D56CBC57 AAE8136D 02215B39
K[1]=95FEB83E BE3C2833 A09D7C9E BE45B6FE 88432CF6 D56CBC57 AAE8136D 02215B39
K[2] = 8695FEB8 1BBE3C28 E2A09D7C 48BE45B6 DA88432C EBD56CBC 7FABE813 F292215B
K[2]=8695FEB8 1BBE3C28 E2A09D7C 48BE45B6 DA88432C EBD56CBC 7FABE813 F292215B
K[2] = 8695FEB8 1BBE3C28 E2A09D7C 48BE45B6 DA88432C EBD56CBC 7FABE813 F292215B
K[2]=8695FEB8 1BBE3C28 E2A09D7C 48BE45B6 DA88432C EBD56CBC 7FABE813 F292215B
K[3] = B9799501 141B413C 1EE2A062 0CB74145 6FDA88BC D0142A6C FA80AA16 15F2FDB1
K[3]=B9799501 141B413C 1EE2A062 0CB74145 6FDA88BC D0142A6C FA80AA16 15F2FDB1
K[4] = 94B97995 7D141B41 C21EE2A0 040CB741 346FDA88 46D0142A BDFA81AA DC1562FD
K[4]=94B97995 7D141B41 C21EE2A0 040CB741 346FDA88 46D0142A BDFA81AA DC1562FD
S = D42336E0 2A0A6998 6C65478A 3D08A1B9 9FDDFF20 4808E863 94FD9D6D F776A7AD
S=D42336E0 2A0A6998 6C65478A 3D08A1B9 FDDFF20 4808E863 94FD9D6D F776AD
KSI = 47E26AFD 3E7278A1 7D473785 06140773 A3D97E7E A744CB43 08AA4C24 3352C745
KSI=47E26AFD 3E7278A1 7D473785 06140773 A3D97E7E A744B43 08AA4C24 3352C745
STEP 4.
第四步。
H = 47E26AFD 3E7278A1 7D473785 06140773 A3D97E7E A744CB43 08AA4C24 3352C745
H=47E26AFD 3E7278A1 7D473785 06140773 A3D97E7E A744B43 08AA4C24 3352C745
SIGMA = 73616820 65676173 73656D20 6C61E1CE DBE2D48F 509A88B1 40CDE7D6 DED5E173
西格玛=73616820 65676173 73656D20 6C61E1CE DBE2D48F 509A88B1 40CDE7D6 DED5E173
K[1] = 340E7848 83223B67 025AAAAB DDA5F1F2 5B6AF7ED 1575DE87 19E64326 D2BDF236
K[1]=340E7848 83223B67 025AAAAB DDA5F1F2 5B6AF7ED 1575DE87 19E64326 D2BDF236
K[2] = 03DC0ED0 F4CD26BC 8B595F13 F5A4A55E A8B063CB ED3D7325 6511662A 7963008D
K[2]=03DC0ED0 F4CD26BC 8B595F13 F5A4A55E A8B063CB ED3D7325 6511662A 796308D
K[3] = C954EF19 D0779A68 ED37D3FB 7DA5ADDC 4A9D0277 78EF765B C4731191 7EBB21B1
K[3]=C954EF19 D0779A68 ED37D3FB 7DA5ADDC 4A9D0277 78EF765B C4731191 7EBB21B1
K[4] = 6D12BC47 D9363D19 1E3C696F 28F2DC02 F2137F37 64E4C18B 69CCFBF8 EF72B7E3
K[4]=6D12BC47 D9363D19 1E3C696F 28F2DC02 F2137F37 64E4C18B 69CCFBF8 EF72B7E3
S = 790DD7A1 066544EA 2829563C 3C39D781 25EF9645 EE2C05DD A5ECAD92 2511A4D1
S=790DD7A1 066544EA 2829563C 3C39D781 25EF9645 EE2C05DD A5ECAD92 251A4D1
KSI = 0852F562 3B89DD57 AEB4781F E54DF14E EAFBC135 0613763A 0D770AA6 57BA1A47
KSI=0852F562 3B89DD57 AEB4781F E54DF14E EAFBC135 0613763A 0D770AA6 57BA1A47
Then, the hash result is:
然后,散列结果是:
H = 0852F562 3B89DD57 AEB4781F E54DF14E EAFBC135 0613763A 0D770AA6 57BA1A47
H=0852F562 3B89DD57 AEB4781F E54DF14E EAFBC135 0613763A 0D770AA6 57BA1A47
This entire document is about security considerations.
整个文档都是关于安全方面的考虑。
Current cryptographic resistance of GOST R 34.11-94 hash algorithm is estimated as 2^128 operations of computations of step hash functions. (There is a known method to reduce this estimate to 2^105 operations, but it demands padding the colliding message with 1024 random bit blocks each of 256-bit length; thus, it cannot be used in any practical implementation).
GOST R 34.11-94散列算法的当前密码抵抗估计为步骤散列函数计算的2^128次操作。(有一种已知的方法可以将此估计值减少到2^105个操作,但它需要使用1024个随机位块(每个块的长度为256位)填充冲突消息;因此,它不能用于任何实际实现)。
[GOST28147] "Cryptographic Protection for Data Processing System", GOST 28147-89, Gosudarstvennyi Standard of USSR, Government Committee of the USSR for Standards, 1989. (In Russian)
[GOST28147]“数据处理系统的密码保护”,GOST 28147-89,苏联Gosudarstvenyi标准,苏联政府标准委员会,1989年。(俄语)
[GOST3411] "Information technology. Cryptographic Data Security. Hashing function.", GOST R 34.10-94, Gosudarstvennyi Standard of Russian Federation, Government Committee of the Russia for Standards, 1994. (In Russian)
[GOST3411]“信息技术.加密数据安全.散列函数”,GOST R 34.10-94,俄罗斯联邦Gosudarstvenyi标准,俄罗斯政府标准委员会,1994年。(俄语)
Dmitry Kabelev Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation
Dmitry Kabelev Cryptocom有限公司,俄罗斯联邦莫斯科凯德罗瓦街14号,2号楼,117218
EMail: kdb@cryptocom.ru
EMail: kdb@cryptocom.ru
Igor Ustinov Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation
俄罗斯联邦莫斯科凯德罗瓦街14号第2栋Igor Ustinov Cryptocom有限公司,邮编:117218
EMail: igus@cryptocom.ru
EMail: igus@cryptocom.ru
Sergey Vyshensky Moscow State University Leninskie gory, 1 Moscow, 119991 Russian Federation
谢尔盖·维森斯基莫斯科国立大学列宁斯基·戈里,莫斯科1号,俄罗斯联邦119991
EMail: svysh@pn.sinp.msu.ru
EMail: svysh@pn.sinp.msu.ru
Author's Address
作者地址
Vasily Dolmatov, Ed. Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation
俄罗斯联邦莫斯科凯德罗瓦街14号第2栋,邮编:117218
EMail: dol@cryptocom.ru
EMail: dol@cryptocom.ru