Independent Submission                                  V. Dolmatov, Ed.
Request for Comments: 7091                                  A. Degtyarev
Updates: 5832                                            Cryptocom, Ltd.
Category: Informational                                    December 2013
ISSN: 2070-1721
        
Independent Submission                                  V. Dolmatov, Ed.
Request for Comments: 7091                                  A. Degtyarev
Updates: 5832                                            Cryptocom, Ltd.
Category: Informational                                    December 2013
ISSN: 2070-1721
        

GOST R 34.10-2012: Digital Signature Algorithm

GOST R 34.10-2012:数字签名算法

Abstract

摘要

This document provides information about the Russian Federal standard for digital signatures (GOST R 34.10-2012), which is one of the Russian cryptographic standard algorithms (called GOST algorithms). Recently, Russian cryptography is being used in Internet applications, and this document provides information for developers and users of GOST R 34.10-2012 regarding digital signature generation and verification. This document updates RFC 5832.

本文件提供了有关俄罗斯联邦数字签名标准(GOST R 34.10-2012)的信息,该标准是俄罗斯密码标准算法之一(称为GOST算法)。最近,俄罗斯密码学正在互联网应用中使用,本文件为GOST R 34.10-2012的开发者和用户提供了有关数字签名生成和验证的信息。本文档更新了RFC 5832。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7091.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7091.

Copyright Notice

版权公告

Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2013 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。

Table of Contents

目录

   1. Introduction ....................................................2
      1.1. General Information ........................................2
      1.2. The Purpose of GOST R 34.10-2012 ...........................3
      1.3. Requirements Language ......................................3
   2. Scope ...........................................................3
   3. Definitions and Notations .......................................4
      3.1. Definitions ................................................4
      3.2. Notations ..................................................6
   4. General Statements ..............................................7
   5. Mathematical Conventions ........................................8
      5.1. Mathematical Definitions ...................................9
      5.2. Digital Signature Parameters ..............................10
      5.3. Binary Vectors ............................................12
   6. Main Processes .................................................12
      6.1. Digital Signature Generation Process ......................13
      6.2. Digital Signature Verification ............................13
   7. Test Examples (Appendix to GOST R 34.10-2012) ..................14
      7.1. The Digital Signature Scheme Parameters ...................15
      7.2. Digital Signature Process (Algorithm I) ...................17
      7.3. Verification Process of Digital Signature (Algorithm II) ..18
   8. Security Considerations ........................................19
   9. References .....................................................19
      9.1. Normative References ......................................19
      9.2. Informative References ....................................20
        
   1. Introduction ....................................................2
      1.1. General Information ........................................2
      1.2. The Purpose of GOST R 34.10-2012 ...........................3
      1.3. Requirements Language ......................................3
   2. Scope ...........................................................3
   3. Definitions and Notations .......................................4
      3.1. Definitions ................................................4
      3.2. Notations ..................................................6
   4. General Statements ..............................................7
   5. Mathematical Conventions ........................................8
      5.1. Mathematical Definitions ...................................9
      5.2. Digital Signature Parameters ..............................10
      5.3. Binary Vectors ............................................12
   6. Main Processes .................................................12
      6.1. Digital Signature Generation Process ......................13
      6.2. Digital Signature Verification ............................13
   7. Test Examples (Appendix to GOST R 34.10-2012) ..................14
      7.1. The Digital Signature Scheme Parameters ...................15
      7.2. Digital Signature Process (Algorithm I) ...................17
      7.3. Verification Process of Digital Signature (Algorithm II) ..18
   8. Security Considerations ........................................19
   9. References .....................................................19
      9.1. Normative References ......................................19
      9.2. Informative References ....................................20
        
1. Introduction
1. 介绍
1.1. General Information
1.1. 一般资料

1. GOST R 34.10-2012 [GOST3410-2012] was developed by the Center for Information Protection and Special Communications of the Federal Security Service of the Russian Federation with participation of the open joint-stock company "Information Technologies and Communication Systems" (InfoTeCS JSC).

1. GOST R 34.10-2012【GOST3410-2012】由俄罗斯联邦安全局信息保护和特殊通信中心开发,开放式股份公司“信息技术和通信系统”(InfoTeCS JSC)参与。

2. GOST R 34.10-2012 was approved and introduced by Decree #215 of the Federal Agency on Technical Regulating and Metrology on 07.08.2012.

2. GOST R 34.10-2012于2012年8月7日由联邦技术监管和计量局第215号法令批准和引入。

3. GOST R 34.10-2012 replaces GOST R 34.10-2001 [GOST3410-2001], a national standard of the Russian Federation.

3. GOST R 34.10-2012取代了俄罗斯联邦国家标准GOST R 34.10-2001[GOST3410-2001]。

GOST R 34.10-2001 is superseded by GOST R 34.10-2012 from 1 January 2013. That means that all new systems that are presented for certification MUST use GOST R 34.10-2012 and MAY use

自2013年1月1日起,GOST R 34.10-2001被GOST R 34.10-2012取代。这意味着所有提交认证的新系统必须使用GOST R 34.10-2012,并且可以使用

GOST R 34.10-2001 also for maintaining compatibility with existing systems. Usage of GOST R 34.10-2001 in current systems is allowed at least for a 5-year period.

GOST R 34.10-2001也用于保持与现有系统的兼容性。允许在当前系统中使用GOST R 34.10-2001至少5年。

This document updates RFC 5832 [RFC5832].

本文件更新了RFC 5832[RFC5832]。

This document is an English translation of GOST R 34.10-2012; [RFC6986] is an English translation of GOST R 34.11-2012; and [RFC5832] is an English translation of GOST R 34.10-2001.

本文件为GOST R 34.10-2012的英文译本;[RFC6986]是GOST R 34.11-2012的英文译本;[RFC5832]是GOST R 34.10-2001的英文译本。

Terms and conceptions of this standard comply with the following international standards:

本标准的术语和概念符合以下国际标准:

o ISO 2382-2 [ISO2382-2], o ISO/IEC 9796 [ISO9796-2][ISO9796-3], o series of standards ISO/IEC 14888 [ISO14888-1] [ISO14888-2] [ISO14888-3] [ISO14888-4], and o series of standards ISO/IEC 10118 [ISO10118-1] [ISO10118-2] [ISO10118-3] [ISO10118-4].

o ISO 2382-2[ISO2382-2]、o ISO/IEC 9796[ISO9796-2][ISO9796-3]、o系列标准ISO/IEC 14888[ISO14888-1][ISO14888-2][ISO14888-3][ISO14888-4]、o系列标准ISO/IEC 10118[ISO10118-1][ISO10118-2][ISO10118-3][ISO10118-4]。

1.2. The Purpose of GOST R 34.10-2012
1.2. GOST R 34.10-2012的目的

GOST R 34.10-2012 describes the generation and verification processes for digital signatures, based on operations with an elliptic curve points group, defined over a prime finite field.

GOST R 34.10-2012描述了基于素数有限域上定义的椭圆曲线点群操作的数字签名生成和验证过程。

The necessity for developing this standard is caused by the need to implement digital signatures of varying resistance due to growth of computer technology. Digital signature security is based on the complexity of discrete logarithm calculation in an elliptic curve points group and also on the security of the hash function used (according to GOST R 34.11-2012 [GOST3411-2012]).

由于计算机技术的发展,需要实现不同阻力的数字签名,因此有必要制定本标准。数字签名安全性基于椭圆曲线点组中离散对数计算的复杂性以及所用哈希函数的安全性(根据GOST R 34.11-2012[GOST3411-2012])。

1.3. Requirements Language
1.3. 需求语言

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[RFC2119]中所述进行解释。

2. Scope
2. 范围

GOST R 34.10-2012 defines an electronic digital signature (or simply digital signature) scheme, digital signature generation and verification processes for a given message (document), meant for transmission via insecure public telecommunication channels in data processing systems of different purposes.

GOST R 34.10-2012定义了电子数字签名(或简称数字签名)方案、给定消息(文档)的数字签名生成和验证过程,旨在通过不同用途的数据处理系统中的不安全公共电信信道进行传输。

Use of a digital signature based on GOST R 34.10-2012 makes transmitted messages more resistant to forgery and loss of integrity, in comparison with the digital signature scheme prescribed by the previous standard.

与先前标准规定的数字签名方案相比,使用基于GOST R 34.10-2012的数字签名可以使传输的消息更抗伪造和完整性丢失。

GOST R 34.10-2012 is recommended for the creation, operation, and modernization of data processing systems of various purposes.

GOST R 34.10-2012建议用于各种用途数据处理系统的创建、操作和现代化。

3. Definitions and Notations
3. 定义和符号
3.1. Definitions
3.1. 定义

The following terms are used in the standard:

本标准中使用了以下术语:

appendix: bit string that is formed by a digital signature and by the arbitrary text field [ISO14888-1].

附录:由数字签名和任意文本字段构成的位字符串[ISO14888-1]。

signature key: element of secret data that is specific to the subject and used only by this subject during the signature generation process [ISO14888-1].

签名密钥:特定于主体的秘密数据元素,仅由该主体在签名生成过程中使用[ISO14888-1]。

verification key: element of data mathematically linked to the signature key data element that is used by the verifier during the digital signature verification process [ISO14888-1].

验证密钥:与数字签名验证过程中验证者使用的签名密钥数据元素数学链接的数据元素[ISO14888-1]。

domain parameter: element of data that is common for all the subjects of the digital signature scheme, known or accessible to all the subjects [ISO14888-1].

域参数:数字签名方案所有主体共有的数据元素,所有主体都知道或可访问[ISO14888-1]。

signed message: a set of data elements that consists of the message and the appendix, which is a part of the message [ISO14888-1].

签名报文:由报文和附录组成的一组数据元素,附录是报文的一部分[ISO14888-1]。

pseudorandom number sequence: a sequence of numbers that is obtained during some arithmetic (calculation) process, used in a specific case instead of a true random number sequence.

伪随机数序列:在某些算术(计算)过程中获得的数字序列,用于特定情况,而不是真随机数序列。

random number sequence: a sequence of numbers of which none can be predicted (calculated) using only the preceding numbers of the same sequence.

随机数序列:仅使用同一序列的前面数就无法预测(计算)的一系列数。

verification process: a process that uses the signed message, the verification key, and the digital signature scheme parameters as initial data and that gives the conclusion about digital signature validity or invalidity as a result [ISO14888-1].

验证过程:使用已签名消息、验证密钥和数字签名方案参数作为初始数据,并由此得出数字签名有效性或无效性结论的过程[ISO14888-1]。

signature generation process: a process that uses the message, the signature key, and the digital signature scheme parameters as initial data and that generates the digital signature as the result [ISO14888-1].

签名生成过程:使用消息、签名密钥和数字签名方案参数作为初始数据并生成数字签名作为结果的过程[ISO14888-1]。

witness: element of data that states to the verifier whether the digital signature is valid or invalid.

见证:向验证者说明数字签名是否有效的数据元素。

random number: a number chosen from the definite number set in such a way that every number from the set can be chosen with equal probability.

随机数:从定数集合中选择的一个数,该集合中的每一个数都可以以相同的概率选择。

message: string of bits of a limited length [ISO14888-1].

信息:有限长度的位串[ISO14888-1]。

hash code: string of bits that is a result of the hash function [ISO14888-1].

散列码:由散列函数[ISO14888-1]产生的比特串。

hash function: the function that maps bit strings onto bit strings of fixed length observing the following properties:

哈希函数:将位字符串映射到固定长度的位字符串上的函数,该函数遵循以下属性:

1. it is difficult to calculate the input data that is the pre-image of the given function value;

1. 难以计算作为给定函数值的前图像的输入数据;

2. it is difficult to find another input data that is the pre-image of the same function value as is the given input data; and

2. 很难找到与给定输入数据具有相同功能值的前图像的另一输入数据;和

3. it is difficult to find a pair of different input data that produces the same hash function value.

3. 很难找到一对产生相同哈希函数值的不同输入数据。

[ISO14888-1]

[ISO14888-1]

Notes:

笔记:

1. Property 1 in the context of the digital signature area means that it is impossible to recover the initial message using the digital signature; property 2 means that it is difficult to find another (falsified) message that produces the same digital signature as a given message; property 3 means that it is difficult to find a pair of different messages that both produce the same signature.

1. 在数字签名区域的上下文中,属性1意味着不可能使用数字签名恢复初始消息;属性2意味着很难找到另一条(伪造的)消息,该消息生成与给定消息相同的数字签名;属性3意味着很难找到一对产生相同签名的不同消息。

2. In this standard, the terms "hash function", "cryptographic hash function", "hashing function", and "cryptographic hashing function" are synonymous to provide terminological succession to native legal documents currently in force and scientific publications.

2. 在本标准中,术语“散列函数”、“加密散列函数”、“散列函数”和“加密散列函数”是同义词,用于为当前有效的本地法律文件和科学出版物提供术语继承。

(electronic) digital signature: string of bits that are obtained as a result of the signature generation process [ISO14888-1].

(电子)数字签名:通过签名生成过程获得的一串位[ISO14888-1]。

Notes:

笔记:

1. A string of bits that is a signature may have an internal structure depending on the specific signature generation mechanism.

1. 根据特定签名生成机制,作为签名的一串比特可以具有内部结构。

2. In this standard, the terms "electronic signature", "digital signature", and "electronic digital signature" are synonymous to provide terminological succession to native legal documents currently in force and scientific publications.

2. 在本标准中,术语“电子签名”、“数字签名”和“电子数字签名”是同义词,用于对当前有效的本地法律文件和科学出版物提供术语继承。

3.2. Notations
3.2. 符号

The following notations are used in this standard:

本标准中使用了以下符号:

V_l set of all binary vectors of an l-bit length

l位长度的所有二进制向量的V_l集

V_all set of all binary vectors of an arbitrary finite length

任意有限长的所有二进制向量的集合

Z set of all integers

所有整数的Z集

p prime number, p > 3

p素数,p>3

   GF(p)        finite prime field represented by a set of integers {0,
                1, ..., p - 1}
        
   GF(p)        finite prime field represented by a set of integers {0,
                1, ..., p - 1}
        

b (mod p) minimal non-negative number, congruent to b modulo p

b(mod p)极小非负数,与b模p全等

M user's message, M belongs to V_all

M用户的消息,M属于V_all

(H1 || H2 ) concatenation of two binary vectors

两个二进制向量的(H1 | | H2)级联

a, b elliptic curve coefficients

a、 椭圆曲线系数

m points of the elliptic curve group order

椭圆曲线群阶的m点

q subgroup order of group of points of the elliptic curve

椭圆曲线点群的q子群阶

O zero point of the elliptic curve

椭圆曲线的零点

P elliptic curve point of order q

P椭圆曲线q阶点

d integer - a signature key

d整数-签名密钥

Q elliptic curve point - a verification key

Q椭圆曲线点-一个验证密钥

zeta digital signature for the message M

消息M的zeta数字签名

^ the power operator

^电力操作员

/= non-equality

/=不平等

sqrt square root

平方根

4. General Statements
4. 一般性发言

A commonly accepted digital signature scheme (model) consists of three processes:

一个普遍接受的数字签名方案(模型)由三个过程组成:

- generation of a pair of keys (for signature generation and for signature verification),

- 生成一对密钥(用于签名生成和签名验证),

- signature generation, and

- 签名生成,以及

- signature verification.

- 签名验证。

In GOST R 34.10-2012, a process for generating a pair of keys (for signature and verification) is not defined. Characteristics and ways to realize the process are defined by involved subjects, who determine corresponding parameters by their agreement.

在GOST R 34.10-2012中,未定义生成一对密钥(用于签名和验证)的过程。过程的特征和实现方式由相关主体定义,他们通过协议确定相应的参数。

The digital signature mechanism is defined by the realization of two main processes (Section 6):

数字签名机制通过实现两个主要过程来定义(第6节):

- signature generation (Section 6.1), and

- 签名生成(第6.1节),以及

- signature verification (Section 6.2).

- 签名验证(第6.2节)。

The digital signature is meant for the authentication of the signatory of the electronic message. Besides, digital signature usage gives an opportunity to provide the following properties during signed message transmission:

数字签名用于认证电子信息的签字人。此外,数字签名的使用提供了在签名消息传输期间提供以下属性的机会:

- realization of control of the transmitted signed message integrity,

- 实现对传输的签名消息完整性的控制,

- proof of the authorship of the signatory of the message, and

- 信息签字人的身份证明,以及

- protection of the message against possible forgery.

- 保护邮件不被伪造。

A schematic representation of the signed message is shown in Figure 1.

签名消息的示意图如图1所示。

                                   appendix
                                      |
                      +-------------------------------+
                      |                               |
      +-----------+   +------------------------+- - - +
      | message M |---| digital signature zeta | text |
      +-----------+   +------------------------+- - - +
        
                                   appendix
                                      |
                      +-------------------------------+
                      |                               |
      +-----------+   +------------------------+- - - +
      | message M |---| digital signature zeta | text |
      +-----------+   +------------------------+- - - +
        

Figure 1: Signed Message Scheme

图1:签名消息方案

The field "digital signature" is supplemented by the field "text" that can contain, for example, identifiers of the signatory of the message and/or time label.

“数字签名”字段由“文本”字段补充,该字段可以包含例如电文和/或时间标签签字人的标识符。

The digital signature scheme defined in GOST R 34.10-2012 must be implemented using operations of the elliptic curve points group, defined over a finite prime field, and also with the use of the hash function.

GOST R 34.10-2012中定义的数字签名方案必须使用在有限素数域上定义的椭圆曲线点群的运算以及使用哈希函数来实现。

The cryptographic security of the digital signature scheme is based on the complexity of solving the problem of the calculation of the discrete logarithm in the elliptic curve points group and also on the security of the hash function used. The hash function calculation algorithm is defined in GOST R 34.11-2012 [GOST3411-2012].

数字签名方案的密码安全性基于解决椭圆曲线点群中离散对数计算问题的复杂性以及所用哈希函数的安全性。哈希函数计算算法在GOST R 34.11-2012[GOST3411-2012]中定义。

The digital signature scheme parameters needed for signature generation and verification are defined in Section 5.2. This standard provides the opportunity to select one of two options for parameter requirements.

第5.2节定义了签名生成和验证所需的数字签名方案参数。本标准为参数要求提供了从两个选项中选择一个选项的机会。

GOST R 34.10-2012 does not determine the process for generating the parameters needed for the digital signature scheme. Possible sets of these parameters are defined, for example, in [RFC4357].

GOST R 34.10-2012未确定生成数字签名方案所需参数的过程。例如,在[RFC4357]中定义了这些参数的可能集合。

The digital signature represented as a binary vector of a 512- or 1024-bit length must be calculated using a definite set of rules, as stated in Section 6.1.

如第6.1节所述,表示为512或1024位长度的二进制向量的数字签名必须使用一组确定的规则进行计算。

The digital signature of the received message is accepted or denied in accordance with the set of rules, as stated in Section 6.2.

如第6.2节所述,根据一套规则接受或拒绝接收到的消息的数字签名。

5. Mathematical Conventions
5. 数学惯例

To define a digital signature scheme, it is necessary to describe basic mathematical objects used in the signature generation and verification processes. This section lays out basic mathematical definitions and requirements for the parameters of the digital signature scheme.

为了定义数字签名方案,需要描述签名生成和验证过程中使用的基本数学对象。本节列出了数字签名方案参数的基本数学定义和要求。

5.1. Mathematical Definitions
5.1. 数学定义

Suppose a prime number p > 3 is given. Then, an elliptic curve E, defined over a finite prime field GF(p), is the set of number pairs (x,y), where x and y belong to Fp, satisfying the identity:

假设一个素数p>3。然后,在有限素数域GF(p)上定义的椭圆曲线E是数对(x,y)的集合,其中x和y属于Fp,满足恒等式:

   y^2 = x^3 + a * x + b (mod p),                                    (1)
        
   y^2 = x^3 + a * x + b (mod p),                                    (1)
        

where a, b belong to GF(p) and 4 * a^3 + 27 * b^2 is not congruent to zero modulo p.

其中a,b属于GF(p),且4*a^3+27*b^2与模p为零的模p不全等。

An invariant of the elliptic curve is the value J(E), satisfying the equality:

椭圆曲线的不变量是值J(E),满足以下等式:

                      4 * a^3
   J(E) = 1728 * ------------------ (mod p)                          (2)
                 4 * a^3 + 27 * b^2
        
                      4 * a^3
   J(E) = 1728 * ------------------ (mod p)                          (2)
                 4 * a^3 + 27 * b^2
        

Elliptic curve E coefficients a, b are defined in the following way using the invariant J(E):

椭圆曲线E系数a、b使用不变量J(E)按以下方式定义:

   | a = 3 * k (mod p),
   |                                                                 (3)
   | b = 2 * k (mod p),
        
   | a = 3 * k (mod p),
   |                                                                 (3)
   | b = 2 * k (mod p),
        
                 J(E)
   where k = ----------- (mod p), J(E) /= 0 or 1728
             1728 - J(E)
        
                 J(E)
   where k = ----------- (mod p), J(E) /= 0 or 1728
             1728 - J(E)
        

The pairs (x, y) satisfying the identity (1) are called "the elliptic curve E points"; x and y are called x- and y-coordinates of the point, correspondingly.

满足恒等式(1)的对(x,y)称为“椭圆曲线E点”;x和y分别称为点的x坐标和y坐标。

We will denote elliptic curve points as Q(x, y) or just Q. Two elliptic curve points are equal if their x- and y-coordinates are equal.

我们将椭圆曲线点表示为Q(x,y)或只是Q。如果两个椭圆曲线点的x坐标和y坐标相等,则两个椭圆曲线点相等。

On the set of all elliptic curve E points, we will define the addition operation, denoted by "+". For two arbitrary elliptic curve E points Q1 (x1, y1) and Q2 (x2, y2), we will consider several variants.

在所有椭圆曲线E点的集合上,我们将定义加法运算,用“+”表示。对于两个任意椭圆曲线E点q1(x1,y1)和q2(x2,y2),我们将考虑几个变量。

Suppose coordinates of points Q1 and Q2 satisfy the condition x1 /= x2. In this case, their sum is defined as a point Q3 (x3, y3), with coordinates defined by congruencies:

假设点Q1和Q2的坐标满足条件x1/=x2。在这种情况下,它们的和被定义为点Q3(x3,y3),坐标由同余定义:

   | x3 = lambda^2 - x1 - x2 (mod p),
   |                                                                 (4)
   | y3 = lambda * (x1 - x3) - y1 (mod p),
        
   | x3 = lambda^2 - x1 - x2 (mod p),
   |                                                                 (4)
   | y3 = lambda * (x1 - x3) - y1 (mod p),
        
                   y1 - y2
   where lambda = -------- (mod p).
                   x1 - x2
        
                   y1 - y2
   where lambda = -------- (mod p).
                   x1 - x2
        

If x1 = x2 and y1 = y2 /= 0, then we will define point Q3 coordinates in the following way:

如果x1=x2和y1=y2/=0,则我们将按以下方式定义点Q3坐标:

   | x3 = lambda^2 - x1 * 2 (mod p),
   |                                                                 (5)
   | y3 = lambda * (x1 - x3) - y1 (mod p),
        
   | x3 = lambda^2 - x1 * 2 (mod p),
   |                                                                 (5)
   | y3 = lambda * (x1 - x3) - y1 (mod p),
        
                  3 * x1^2 + a
   where lambda = ------------ (mod p)
                     y1 * 2
        
                  3 * x1^2 + a
   where lambda = ------------ (mod p)
                     y1 * 2
        

If x1 = x2 and y1 = -y2 (mod p), then the sum of points Q1 and Q2 is called a zero point O, without determination of its x- and y-coordinates. In this case, point Q2 is called a negative of point Q1. For the zero point, the equalities hold:

如果x1=x2和y1=-y2(mod p),则点Q1和Q2的和称为零点O,而不确定其x坐标和y坐标。在这种情况下,点Q2称为点Q1的负值。对于零点,等式成立:

   O + Q = Q + O = Q,                                                (6)
        
   O + Q = Q + O = Q,                                                (6)
        

where Q is an arbitrary point of elliptic curve E.

其中Q是椭圆曲线E的任意点。

A set of all points of elliptic curve E, including the zero point, forms a finite abelian (commutative) group of order m regarding the introduced addition operation. For m, the following inequalities hold:

椭圆曲线E的一组所有点,包括零点,就引入的加法运算形成一个m阶有限阿贝尔(交换)群。对于m,以下不等式成立:

   p + 1 - 2 * sqrt(p) =< m =< p + 1 + 2 * sqrt(p)                   (7)
        
   p + 1 - 2 * sqrt(p) =< m =< p + 1 + 2 * sqrt(p)                   (7)
        

The point Q is called "a point of multiplicity k", or just "a multiple point of the elliptic curve E", if for some point P, the following equality holds:

点Q称为“多重点k”,或仅称为“椭圆曲线E的多重点”,如果对于某点P,以下等式成立:

   Q = P + ... + P = k * P                                           (8)
       -----+-----
            k
        
   Q = P + ... + P = k * P                                           (8)
       -----+-----
            k
        
5.2. Digital Signature Parameters
5.2. 数字签名参数

The digital signature parameters are:

数字签名参数包括:

- prime number p is an elliptic curve modulus.

- 素数p是一个椭圆曲线模。

- elliptic curve E, defined by its invariant J(E) or by coefficients a, b belonging to GF(p).

- 椭圆曲线E,由其不变量J(E)或属于GF(p)的系数a、b定义。

- integer m is an elliptic curve E points group order.

- 整数m是椭圆曲线E点群阶。

- prime number q is an order of a cyclic subgroup of the elliptic curve E points group, which satisfies the following conditions:

- 素数q是椭圆曲线E点群的循环子群的阶,满足下列条件:

   | m = nq, n belongs to Z, n >= 1
   |                                                                 (9)
   | 2^254 < q < 2^256 or 2^508 < q < 2^512
        
   | m = nq, n belongs to Z, n >= 1
   |                                                                 (9)
   | 2^254 < q < 2^256 or 2^508 < q < 2^512
        

- point P /= O of an elliptic curve E, with coordinates (x_p, y_p), satisfying the equality q * P = O.

- 椭圆曲线E的点P/=O,坐标为(x_P,y_P),满足等式q*P=O。

- hash function h(.):V_all -> V_l, which maps the messages represented as binary vectors of arbitrary finite length onto binary vectors of an l-bit length. The hash function is defined in GOST R 34.11-2012 [GOST3411-2012].

- 散列函数h(.):V_all->V_l,它将表示为任意有限长度的二进制向量的消息映射到l位长度的二进制向量。哈希函数在GOST R 34.11-2012[GOST3411-2012]中定义。

If 2^254 < q < 2^256, then l = 256. If 2^508 < q < 2^512, then l = 512.

如果2^254<q<2^256,则l=256。如果2^508<q<2^512,则l=512。

Every user of the digital signature scheme must have its personal keys:

数字签名方案的每个用户都必须拥有其个人密钥:

- signature key, which is an integer d, satisfying the inequality 0 < d < q;

- 签名密钥,为整数d,满足不等式0<d<q;

- verification key, which is an elliptic curve point Q with coordinates (x_q, y_q), satisfying the equality d * P = Q.

- 验证密钥,它是一个坐标为(x_Q,y_Q)的椭圆曲线点Q,满足等式d*P=Q。

The previously introduced digital signature parameters must satisfy the following requirements:

先前引入的数字签名参数必须满足以下要求:

- it is necessary that the condition p^t /= 1 (mod q) holds for all integers t = 1, 2, ..., B, where

- 条件p^t/=1(mod q)必须适用于所有整数t=1,2,…,B,其中

      B = 31  if 2^254 < q < 2^256, or
      B = 131 if 2^508 < q < 2^512;
        
      B = 31  if 2^254 < q < 2^256, or
      B = 131 if 2^508 < q < 2^512;
        

- it is necessary that the inequality m /= p holds;

- 不等式m/=p成立是必要的;

- the curve invariant must satisfy the condition J(E) /= 0, 1728.

- 曲线不变量必须满足条件J(E)/=01728。

5.3. Binary Vectors
5.3. 二元向量

To determine the digital signature generation and verification processes, it is necessary to map the set of integers onto the set of binary vectors of an l-bit length.

为了确定数字签名生成和验证过程,有必要将整数集映射到l位长度的二进制向量集。

Consider the following binary vector of an l-bit length where low-order bits are placed on the right, and high-order ones are placed on the left:

考虑下面的二进制位向量L位长度,其中低阶位被放置在右边,高阶位放置在左边:

   H = (alpha[l-1], ..., alpha[0]), H belongs to V_l                (10)
        
   H = (alpha[l-1], ..., alpha[0]), H belongs to V_l                (10)
        

where alpha[i], i = 0, ..., l-1 are equal to 1 or to 0. The number alpha belonging to Z is mapped onto the binary vector h, if the equality holds:

式中,α[i],i=0,…,l-1等于1或0。如果等式成立,则属于Z的数字alpha映射到二进制向量h上:

   alpha = alpha[0]*2^0 + alpha[1]*2^1 + ... + alpha[l-1]*2^(l-1)   (11)
        
   alpha = alpha[0]*2^0 + alpha[1]*2^1 + ... + alpha[l-1]*2^(l-1)   (11)
        

For two binary vectors H1 and H2:

对于两个二进制向量H1和H2:

   H1 = (alpha[l-1], ..., alpha[0]),
                                                                    (12)
   H2 = (beta[l-1], ..., beta[0]),
        
   H1 = (alpha[l-1], ..., alpha[0]),
                                                                    (12)
   H2 = (beta[l-1], ..., beta[0]),
        

which correspond to integers alpha and beta, we define a concatenation (union) operation in the following way:

对应于整数alpha和beta,我们用以下方式定义串联(并集)操作:

   H1||H2 = (alpha[l-1], ..., alpha[0], beta[l-1], ..., beta[0])    (13)
        
   H1||H2 = (alpha[l-1], ..., alpha[0], beta[l-1], ..., beta[0])    (13)
        

that is a binary vector of 2*l-bit length, consisting of coefficients of the vectors H1 and H2.

这是2×l位长度的二进制向量,由向量H1和H2的系数组成。

On the other hand, the introduced formulae define a way to divide a binary vector H of 2*l-bit length into two binary vectors of l-bit length, where H is the concatenation of the two.

另一方面,引入的公式定义了将2×l位长度的二进制向量H划分为两个l位长度的二进制向量的方法,其中H是两个向量的串联。

6. Main Processes
6. 主要工艺

In this section, the digital signature generation and verification processes of a user's message are defined.

在本节中,定义了用户消息的数字签名生成和验证过程。

To realize the processes, it is necessary that all users know the digital signature scheme parameters, which satisfy the requirements of Section 5.2.

为了实现这些过程,所有用户都必须知道满足第5.2节要求的数字签名方案参数。

Besides, every user must have the signature key d and the verification key Q(x_q, y_q), which also must satisfy the requirements of Section 5.2.

此外,每个用户必须拥有签名密钥d和验证密钥Q(x_Q,y_Q),这也必须满足第5.2节的要求。

6.1. Digital Signature Generation Process
6.1. 数字签名生成过程

It is necessary to perform the following actions (steps) to obtain the digital signature for the message M belonging to V_all. This is Algorithm I.

必须执行以下操作(步骤)以获取属于V_all的消息M的数字签名。这是算法一。

Step 1. Calculate the message hash code M:

第一步。计算消息哈希代码M:

H = h(M) (14)

H=H(M)(14)

Step 2. Calculate an integer alpha, the binary representation of which is the vector H, and determine:

第二步。计算一个整数alpha,其二进制表示为向量H,并确定:

e = alpha (mod q) (15)

e=α(模数q)(15)

If e = 0, then assign e = 1.

如果e=0,则分配e=1。

Step 3. Generate a random (pseudorandom) integer k, satisfying the inequality:

第三步。生成一个随机(伪随机)整数k,满足以下不等式:

0 < k < q (16)

0<k<q(16)

Step 4. Calculate the elliptic curve point C = k * P and determine:

第四步。计算椭圆曲线点C=k*P并确定:

r = x_C (mod q), (17)

r=x_C(模数q),(17)

where x_C is the x-coordinate of the point C. If r = 0, return to step 3.

其中x_C是点C的x坐标。如果r=0,则返回步骤3。

Step 5. Calculate the value:

第五步。计算值:

            s = (r * d + k * e) (mod q)                             (18)
        
            s = (r * d + k * e) (mod q)                             (18)
        

If s = 0, return to Step 3.

如果s=0,则返回步骤3。

   Step 6.  Calculate the binary vectors R and S, corresponding to r and
            s, and determine the digital signature zeta = (R || S) as a
            concatenation of these two binary vectors.
        
   Step 6.  Calculate the binary vectors R and S, corresponding to r and
            s, and determine the digital signature zeta = (R || S) as a
            concatenation of these two binary vectors.
        

The initial data of this process are the signature key d and the message M to be signed. The output result is the digital signature zeta.

该过程的初始数据是签名密钥d和要签名的消息M。输出结果是数字签名zeta。

6.2. Digital Signature Verification
6.2. 数字签名验证

To verify the digital signature for the received message M, it is necessary to perform the following actions (steps). This is Algorithm II.

要验证接收到的消息M的数字签名,必须执行以下操作(步骤)。这是算法二。

Step 1. Calculate the integers r and s using the received signature zeta. If the inequalities 0 < r < q, 0 < s < q hold, go to the next step. Otherwise, the signature is invalid.

第一步。使用接收到的签名zeta计算整数r和s。如果不等式0<r<q,0<s<q保持不变,则转至下一步。否则,签名无效。

Step 2. Calculate the hash code of the received message M:

第二步。计算接收到的消息M的散列码:

H = h(M) (19)

H=H(M)(19)

Step 3. Calculate the integer alpha, the binary representation of which is the vector H, and determine if:

第三步。计算整数alpha,其二进制表示为向量H,并确定:

e = alpha (mod q) (20)

e=α(模数q)(20)

If e = 0, then assign e = 1.

如果e=0,则分配e=1。

Step 4. Calculate the value:

第四步。计算值:

v = e^(-1) (mod q) (21)

v=e^(-1)(q型)(21)

Step 5. Calculate the values:

第五步。计算值:

            z1 = s * v (mod q), z2 = -r * v (mod q)                 (22)
        
            z1 = s * v (mod q), z2 = -r * v (mod q)                 (22)
        

Step 6. Calculate the elliptic curve point C = z1 * P + z2 * Q and determine:

第六步。计算椭圆曲线点C=z1*P+z2*Q并确定:

R = x_C (mod q), (23)

R=x_C(模数q),(23)

where x_C is x-coordinate of the point.

其中x_C是点的x坐标。

Step 7. If the equality R = r holds, then the signature is accepted. Otherwise, the signature is invalid.

第七步。如果等式R=R成立,则签名被接受。否则,签名无效。

The input data of the process are the signed message M, the digital signature zeta, and the verification key Q. The output result is the witness of the signature validity or invalidity.

该过程的输入数据是签名消息M、数字签名zeta和验证密钥Q。输出结果是签名有效性或无效性的见证。

7. Test Examples (Appendix to GOST R 34.10-2012)
7. 测试示例(GOST R 34.10-2012附录)

This section is included in GOST R 34.10-2012 as a reference appendix but is not officially mentioned as a part of the standard.

本节作为参考附录包含在GOST R 34.10-2012中,但未作为标准的一部分正式提及。

The values given here for the parameters p, a, b, m, q, P, the signature key d, and the verification key Q are recommended only for testing the correctness of actual realizations of the algorithms described in GOST R 34.10-2012.

此处给出的参数p、a、b、m、q、p、签名密钥d和验证密钥q值仅用于测试GOST R 34.10-2012中所述算法的实际实现的正确性。

All numerical values are introduced in decimal and hexadecimal notations. The numbers beginning with 0x are in hexadecimal notation. The symbol "\\" denotes that the number continues on the next line. For example, the notation:

所有数值均采用十进制和十六进制表示法。以0x开头的数字采用十六进制表示法。符号“\\”表示数字在下一行继续。例如,符号:

12345\\ 67890

12345\\ 67890

0x499602D2

0x499602D2

represents 1234567890 in decimal and hexadecimal number systems, respectively.

分别以十进制和十六进制表示1234567890。

7.1. The Digital Signature Scheme Parameters
7.1. 数字签名方案参数

The following parameters must be used for digital signature generation and verification (see Section 5.2).

数字签名生成和验证必须使用以下参数(见第5.2节)。

7.1.1. Elliptic Curve Modulus
7.1.1. 椭圆曲线模

The following value is assigned to parameter p in this example:

在本例中,将以下值指定给参数p:

   p = 57896044618658097711785492504343953926\\
       634992332820282019728792003956564821041
        
   p = 57896044618658097711785492504343953926\\
       634992332820282019728792003956564821041
        
   p = 0x8000000000000000000000000000\\
       000000000000000000000000000000000431
        
   p = 0x8000000000000000000000000000\\
       000000000000000000000000000000000431
        
7.1.2. Elliptic Curve Coefficients
7.1.2. 椭圆曲线系数

Parameters a and b take the following values in this example:

在本例中,参数a和b采用以下值:

a = 7 a = 0x7

a=7 a=0x7

   b = 43308876546767276905765904595650931995\\
       942111794451039583252968842033849580414
        
   b = 43308876546767276905765904595650931995\\
       942111794451039583252968842033849580414
        

b = 0x5FBFF498AA938CE739B8E022FBAFEF40563\\ F6E6A3472FC2A514C0CE9DAE23B7E

b=0x5FBFF498AA938CE739B8E022FBAFEF40563\\F6E6A3472FC2FA514C0CE9DAE23B7E

7.1.3. Elliptic Curve Points Group Order
7.1.3. 椭圆曲线点群序

Parameter m takes the following value in this example:

在本例中,参数m取以下值:

   m = 5789604461865809771178549250434395392\\
       7082934583725450622380973592137631069619
        
   m = 5789604461865809771178549250434395392\\
       7082934583725450622380973592137631069619
        
   m = 0x80000000000000000000000000000\\
       00150FE8A1892976154C59CFC193ACCF5B3
        
   m = 0x80000000000000000000000000000\\
       00150FE8A1892976154C59CFC193ACCF5B3
        
7.1.4. Order of Cyclic Subgroup of Elliptic Curve Points Group
7.1.4. 椭圆曲线点群的循环子群的阶

Parameter q takes the following value in this example:

在本例中,参数q取以下值:

   q = 5789604461865809771178549250434395392\\
       7082934583725450622380973592137631069619
        
   q = 5789604461865809771178549250434395392\\
       7082934583725450622380973592137631069619
        
   q = 0x80000000000000000000000000000001\\
       50FE8A1892976154C59CFC193ACCF5B3
        
   q = 0x80000000000000000000000000000001\\
       50FE8A1892976154C59CFC193ACCF5B3
        
7.1.5. Elliptic Curve Point Coordinates
7.1.5. 椭圆曲线点坐标

Point P coordinates take the following values in this example:

点P坐标在此示例中采用以下值:

x_p = 2 x_p = 0x2

x_p=2 x_p=0x2

   y_p = 40189740565390375033354494229370597\\
         75635739389905545080690979365213431566280
        
   y_p = 40189740565390375033354494229370597\\
         75635739389905545080690979365213431566280
        
   y_p = 0x8E2A8A0E65147D4BD6316030E16D19\\
         C85C97F0A9CA267122B96ABBCEA7E8FC8
        
   y_p = 0x8E2A8A0E65147D4BD6316030E16D19\\
         C85C97F0A9CA267122B96ABBCEA7E8FC8
        
7.1.6. Signature Key
7.1.6. 签名密钥

It is supposed, in this example, that the user has the following signature key d:

在此示例中,假设用户具有以下签名密钥d:

   d = 554411960653632461263556241303241831\\
       96576709222340016572108097750006097525544
        
   d = 554411960653632461263556241303241831\\
       96576709222340016572108097750006097525544
        
   d = 0x7A929ADE789BB9BE10ED359DD39A72C\\
       11B60961F49397EEE1D19CE9891EC3B28
        
   d = 0x7A929ADE789BB9BE10ED359DD39A72C\\
       11B60961F49397EEE1D19CE9891EC3B28
        
7.1.7. Verification Key
7.1.7. 验证密钥

It is supposed, in this example, that the user has the verification key Q with the following coordinate values:

在本例中,假设用户具有具有以下坐标值的验证密钥Q:

   x_q = 57520216126176808443631405023338071\\
         176630104906313632182896741342206604859403
        
   x_q = 57520216126176808443631405023338071\\
         176630104906313632182896741342206604859403
        
   x_q = 0x7F2B49E270DB6D90D8595BEC458B5\\
         0C58585BA1D4E9B788F6689DBD8E56FD80B
        
   x_q = 0x7F2B49E270DB6D90D8595BEC458B5\\
         0C58585BA1D4E9B788F6689DBD8E56FD80B
        
   y_q = 17614944419213781543809391949654080\\
         031942662045363639260709847859438286763994
        
   y_q = 17614944419213781543809391949654080\\
         031942662045363639260709847859438286763994
        
   y_q = 0x26F1B489D6701DD185C8413A977B3\\
         CBBAF64D1C593D26627DFFB101A87FF77DA
        
   y_q = 0x26F1B489D6701DD185C8413A977B3\\
         CBBAF64D1C593D26627DFFB101A87FF77DA
        
7.2. Digital Signature Process (Algorithm I)
7.2. 数字签名过程(算法一)

Suppose that after Steps 1-3 in Algorithm I (Section 6.1) are performed, the following numerical values are obtained:

假设在执行算法I(第6.1节)中的步骤1-3后,获得以下数值:

   e = 2079889367447645201713406156150827013\\
       0637142515379653289952617252661468872421
        
   e = 2079889367447645201713406156150827013\\
       0637142515379653289952617252661468872421
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
       C61FCE52032AB1022E8E67ECE6672B043EE5
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
       C61FCE52032AB1022E8E67ECE6672B043EE5
        
   k = 538541376773484637314038411479966192\\
       41504003434302020712960838528893196233395
        
   k = 538541376773484637314038411479966192\\
       41504003434302020712960838528893196233395
        
   k = 0x77105C9B20BCD3122823C8CF6FCC\\
       7B956DE33814E95B7FE64FED924594DCEAB3
        
   k = 0x77105C9B20BCD3122823C8CF6FCC\\
       7B956DE33814E95B7FE64FED924594DCEAB3
        

And the multiple point C = k * P has the coordinates:

多点C=k*P的坐标为:

   x_C = 297009809158179528743712049839382569\\
         90422752107994319651632687982059210933395
        
   x_C = 297009809158179528743712049839382569\\
         90422752107994319651632687982059210933395
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
         A41974053554A42767B83AD043FD39DC0493
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
         A41974053554A42767B83AD043FD39DC0493
        
   y[C] = 328425352786846634770946653225170845\\
          06804721032454543268132854556539274060910
        
   y[C] = 328425352786846634770946653225170845\\
          06804721032454543268132854556539274060910
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
          204172AD98C3E5916DE27695D22A61FAE46E
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
          204172AD98C3E5916DE27695D22A61FAE46E
        

Parameter r = x_C (mod q) takes the value:

参数r=x_C(mod q)取以下值:

   r = 297009809158179528743712049839382569\\
       90422752107994319651632687982059210933395
        
   r = 297009809158179528743712049839382569\\
       90422752107994319651632687982059210933395
        
   r = 0x41AA28D2F1AB148280CD9ED56FED\\
       A41974053554A42767B83AD043FD39DC0493
        
   r = 0x41AA28D2F1AB148280CD9ED56FED\\
       A41974053554A42767B83AD043FD39DC0493
        
   Parameter s = (r * d + k * e)(mod q) takes the value:
        
   Parameter s = (r * d + k * e)(mod q) takes the value:
        
   s = 57497340027008465417892531001914703\\
       8455227042649098563933718999175515839552
        
   s = 57497340027008465417892531001914703\\
       8455227042649098563933718999175515839552
        
   s = 0x1456C64BA4642A1653C235A98A602\\
       49BCD6D3F746B631DF928014F6C5BF9C40
        
   s = 0x1456C64BA4642A1653C235A98A602\\
       49BCD6D3F746B631DF928014F6C5BF9C40
        
7.3. Verification Process of Digital Signature (Algorithm II)
7.3. 数字签名验证流程(算法二)

Suppose that after Steps 1-3 in Algorithm II (Section 6.2) are performed, the following numerical value is obtained:

假设在执行算法II(第6.2节)中的步骤1-3后,得到以下数值:

   e = 2079889367447645201713406156150827013\\
       0637142515379653289952617252661468872421
        
   e = 2079889367447645201713406156150827013\\
       0637142515379653289952617252661468872421
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
       C61FCE52032AB1022E8E67ECE6672B043EE5
        
   e = 0x2DFBC1B372D89A1188C09C52E0EE\\
       C61FCE52032AB1022E8E67ECE6672B043EE5
        

And the parameter v = e^(-1) (mod q) takes the value:

参数v=e^(-1)(mod q)取以下值:

   v = 176866836059344686773017138249002685\\
       62746883080675496715288036572431145718978
        
   v = 176866836059344686773017138249002685\\
       62746883080675496715288036572431145718978
        
   v = 0x271A4EE429F84EBC423E388964555BB\\
       29D3BA53C7BF945E5FAC8F381706354C2
        
   v = 0x271A4EE429F84EBC423E388964555BB\\
       29D3BA53C7BF945E5FAC8F381706354C2
        

The parameters z1 = s * v (mod q) and z2 = -r * v (mod q) take the values:

参数z1=s*v(mod q)和z2=-r*v(mod q)取以下值:

   z1 = 376991675009019385568410572935126561\\
        08841345190491942619304532412743720999759
        
   z1 = 376991675009019385568410572935126561\\
        08841345190491942619304532412743720999759
        
   z1 = 0x5358F8FFB38F7C09ABC782A2DF2A\\
        3927DA4077D07205F763682F3A76C9019B4F
        
   z1 = 0x5358F8FFB38F7C09ABC782A2DF2A\\
        3927DA4077D07205F763682F3A76C9019B4F
        
   z2 = 141719984273434721125159179695007657\\
        6924665583897286211449993265333367109221
        
   z2 = 141719984273434721125159179695007657\\
        6924665583897286211449993265333367109221
        
   z2 = 0x3221B4FBBF6D101074EC14AFAC2D4F7\\
        EFAC4CF9FEC1ED11BAE336D27D527665
        
   z2 = 0x3221B4FBBF6D101074EC14AFAC2D4F7\\
        EFAC4CF9FEC1ED11BAE336D27D527665
        

The point C = z1 * P + z2 * Q has the coordinates:

点C=z1*P+z2*Q的坐标为:

   x_C = 2970098091581795287437120498393825699\\
         0422752107994319651632687982059210933395
        
   x_C = 2970098091581795287437120498393825699\\
         0422752107994319651632687982059210933395
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
         A41974053554A42767B83AD043FD39DC0493
        
   x_C = 0x41AA28D2F1AB148280CD9ED56FED\\
         A41974053554A42767B83AD043FD39DC0493
        
   y[C] = 3284253527868466347709466532251708450\\
          6804721032454543268132854556539274060910
        
   y[C] = 3284253527868466347709466532251708450\\
          6804721032454543268132854556539274060910
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
          204172AD98C3E5916DE27695D22A61FAE46E
        
   y[C] = 0x489C375A9941A3049E33B34361DD\\
          204172AD98C3E5916DE27695D22A61FAE46E
        

Then the parameter R = x_C (mod q) takes the value:

然后参数R=x_C(mod q)取以下值:

   R = 2970098091581795287437120498393825699\\
       0422752107994319651632687982059210933395
        
   R = 2970098091581795287437120498393825699\\
       0422752107994319651632687982059210933395
        
   R = 0x41AA28D2F1AB148280CD9ED56FED\\
       A41974053554A42767B83AD043FD39DC0493
        
   R = 0x41AA28D2F1AB148280CD9ED56FED\\
       A41974053554A42767B83AD043FD39DC0493
        

Since the equality R = r holds, the digital signature is accepted.

因为等式R=R成立,所以数字签名被接受。

8. Security Considerations
8. 安全考虑

This entire document is about security considerations.

整个文档都是关于安全方面的考虑。

9. References
9. 工具书类
9.1. Normative References
9.1. 规范性引用文件

[GOST3410-2001] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature", GOST R 34.10-2001, Gosudarstvennyi Standard of Russian Federation, Government Committee of Russia for Standards, 2001. (In Russian)

[GOST3410-2001]“信息技术、加密数据安全、[电子]数字签名的签名和验证过程”,GOST R 34.10-2001,俄罗斯联邦GOSUDARTVENNYI标准,俄罗斯政府标准委员会,2001年。(俄语)

[GOST3410-2012] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature", GOST R 34.10-2012, Federal Agency on Technical Regulating and Metrology, 2012.

[GOST3410-2012]“信息技术、加密数据安全、[电子]数字签名的签名和验证过程”,GOST R 34.10-2012,联邦技术监管和计量局,2012年。

[GOST3411-2012] "Information technology. Cryptographic Data Security. Hashing function", GOST R 34.11-2012, Federal Agency on Technical Regulating and Metrology, 2012.

[GOST3411-2012]“信息技术、加密数据安全、哈希函数”,GOST R 34.11-2012,联邦技术监管和计量局,2012年。

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。

[RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms", RFC 4357, January 2006.

[RFC4357]Popov,V.,Kurepkin,I.,和S.Leontiev,“用于GOST 28147-89,GOST R 34.10-94,GOST R 34.10-2001和GOST R 34.11-94算法的其他加密算法”,RFC 4357,2006年1月。

9.2. Informative References
9.2. 资料性引用

[ISO2382-2] ISO, "Data processing - Vocabulary - Part 2: Arithmetic and logic operations", ISO 2382-2, 1976.

[ISO2382-2]ISO,“数据处理-词汇-第2部分:算术和逻辑运算”,ISO 2382-21976。

[ISO9796-2] ISO/IEC, "Information technology - Security techniques - Digital signatures giving message recovery - Part 2: Integer factorization based mechanisms", ISO/IEC 9796-2, 2010.

[ISO9796-2]ISO/IEC,“信息技术-安全技术-提供消息恢复的数字签名-第2部分:基于整数分解的机制”,ISO/IEC 9796-22010。

[ISO9796-3] ISO/IEC, "Information technology - Security techniques - Digital signature schemes giving message recovery - Part 3: Discrete logarithm based mechanisms", ISO/IEC 9796-3, 2006.

[ISO9796-3]ISO/IEC,“信息技术-安全技术-提供消息恢复的数字签名方案-第3部分:基于离散对数的机制”,ISO/IEC 9796-3,2006年。

[ISO14888-1] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 1: General", ISO/IEC 14888-1, 2008.

[ISO14888-1]ISO/IEC,“信息技术-安全技术-带附录的数字签名-第1部分:总则”,ISO/IEC 14888-12008。

[ISO14888-2] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 2: Integer factorization based mechanisms", ISO/IEC 14888-2, 2008.

[ISO14888-2]ISO/IEC,“信息技术-安全技术-带附录的数字签名-第2部分:基于整数分解的机制”,ISO/IEC 14888-22008。

[ISO14888-3] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms", ISO/IEC 14888-3,2006.

[ISO14888-3]ISO/IEC,“信息技术-安全技术-带附录的数字签名-第3部分:基于离散对数的机制”,ISO/IEC 14888-32006。

[ISO14888-4] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms. Amendment 1. Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital Signature Algorithm", ISO/IEC 14888-3:2006/Amd 1, 2010.

[ISO14888-4]ISO/IEC,信息技术.安全技术.带附录的数字签名.第3部分:基于离散对数的机制。修正案1。椭圆曲线俄罗斯数字签名算法、Schnorr数字签名算法、椭圆曲线Schnorr数字签名算法和椭圆曲线全Schnorr数字签名算法”,ISO/IEC 14888-3:2006/Amd 12010。

[ISO10118-1] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 1: General", ISO/IEC 10118-1, 2000.

[ISO10118-1]ISO/IEC,“信息技术-安全技术-散列函数-第1部分:总则”,ISO/IEC 10118-119000。

[ISO10118-2] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 2: Hash-functions using an n-bit block cipher algorithm", ISO/IEC 10118-2, 2010.

[ISO10118-2]ISO/IEC,“信息技术-安全技术-散列函数-第2部分:使用n位分组密码算法的散列函数”,ISO/IEC 10118-220010。

[ISO10118-3] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 3: Dedicated hash-functions", ISO/IEC 10118-3, 2004.

[ISO10118-3]ISO/IEC,“信息技术-安全技术-散列函数-第3部分:专用散列函数”,ISO/IEC 10118-3,2004年。

[ISO10118-4] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 4: Hash-functions using modular arithmetic", ISO/IEC 10118-4, 1998.

[ISO10118-4]ISO/IEC,“信息技术-安全技术-散列函数-第4部分:使用模运算的散列函数”,ISO/IEC 10118-41998。

[RFC5832] Dolmatov, V., Ed., "GOST R 34.10-2001: Digital Signature Algorithm", RFC 5832, March 2010.

[RFC5832]多尔马托夫,V.,编辑,“GOST R 34.10-2001:数字签名算法”,RFC 5832,2010年3月。

[RFC6986] Dolmatov, V., Ed., and A. Degtyarev, "GOST R 34.11-2012: Hash Function", RFC 6986, August 2013.

[RFC6986]Dolmatov,V.,Ed.,和A.Degtyarev,“GOST R 34.11-2012:哈希函数”,RFC 69862013年8月。

Authors' Addresses

作者地址

Vasily Dolmatov (editor) Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation

瓦西里·多尔马托夫(编辑)Cryptocom有限公司,俄罗斯联邦莫斯科凯德罗瓦街14号,2号楼,117218

   EMail: dol@cryptocom.ru
        
   EMail: dol@cryptocom.ru
        

Alexey Degtyarev Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation

俄罗斯联邦莫斯科凯德罗瓦街14号2号楼Alexey Degtyarev Cryptocom有限公司,邮编:117218

   EMail: alexey@renatasystems.org
        
   EMail: alexey@renatasystems.org