Independent Submission S. Smyshlyaev, Ed.
Request for Comments: 8133 E. Alekseev
Category: Informational I. Oshkin
ISSN: 2070-1721 V. Popov
CRYPTO-PRO
March 2017
Independent Submission S. Smyshlyaev, Ed.
Request for Comments: 8133 E. Alekseev
Category: Informational I. Oshkin
ISSN: 2070-1721 V. Popov
CRYPTO-PRO
March 2017
The Security Evaluated Standardized Password-Authenticated Key Exchange (SESPAKE) Protocol
安全评估标准化密码认证密钥交换(SESPAKE)协议
Abstract
摘要
This document describes the Security Evaluated Standardized Password-Authenticated Key Exchange (SESPAKE) protocol. The SESPAKE protocol provides password-authenticated key exchange for usage in systems for protection of sensitive information. The security proofs of the protocol were made for situations involving an active adversary in the channel, including man-in-the-middle (MitM) attacks and attacks based on the impersonation of one of the subjects.
本文档描述了安全评估标准化密码认证密钥交换(SESPAKE)协议。SESPAKE协议提供密码验证密钥交换,用于保护敏感信息的系统中。协议的安全性证明是针对涉及通道中的主动对手的情况进行的,包括中间人(MitM)攻击和基于其中一个主体的模拟攻击。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 7841.
这是对RFC系列的贡献,独立于任何其他RFC流。RFC编辑器已选择自行发布此文档,并且未声明其对实现或部署的价值。RFC编辑批准发布的文件不适用于任何级别的互联网标准;见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc8133.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc8133.
Copyright Notice
版权公告
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
版权所有(c)2017 IETF信托基金和确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。
Table of Contents
目录
1. Introduction ....................................................2
2. Conventions Used in This Document ...............................2
3. Notations .......................................................3
4. Protocol Description ............................................4
4.1. Protocol Parameters ........................................5
4.2. Initial Values of the Protocol Counters ....................7
4.3. Protocol Steps .............................................7
5. Construction of Points {Q_1,...,Q_N} ...........................11
6. Security Considerations ........................................13
7. IANA Considerations ............................................13
8. References .....................................................14
8.1. Normative References ......................................14
8.2. Informative References ....................................15
Appendix A. Test Examples for GOST-Based Protocol Implementation ..16
A.1. Examples of Points .........................................16
A.2. Test Examples of SESPAKE ...................................17
Appendix B. Point Verification Script .............................33
Acknowledgments ...................................................51
Authors' Addresses ................................................51
1. Introduction ....................................................2
2. Conventions Used in This Document ...............................2
3. Notations .......................................................3
4. Protocol Description ............................................4
4.1. Protocol Parameters ........................................5
4.2. Initial Values of the Protocol Counters ....................7
4.3. Protocol Steps .............................................7
5. Construction of Points {Q_1,...,Q_N} ...........................11
6. Security Considerations ........................................13
7. IANA Considerations ............................................13
8. References .....................................................14
8.1. Normative References ......................................14
8.2. Informative References ....................................15
Appendix A. Test Examples for GOST-Based Protocol Implementation ..16
A.1. Examples of Points .........................................16
A.2. Test Examples of SESPAKE ...................................17
Appendix B. Point Verification Script .............................33
Acknowledgments ...................................................51
Authors' Addresses ................................................51
This document describes the Security Evaluated Standardized Password-Authenticated Key Exchange (SESPAKE) protocol. The SESPAKE protocol provides password-authenticated key exchange for usage in systems for protection of sensitive information. The protocol is intended to be used to establish keys that are then used to organize a secure channel for protection of sensitive information. The security proofs of the protocol were made for situations involving an active adversary in the channel, including man-in-the-middle (MitM) attacks and attacks based on the impersonation of one of the subjects.
本文档描述了安全评估标准化密码认证密钥交换(SESPAKE)协议。SESPAKE协议提供密码验证密钥交换,用于保护敏感信息的系统中。该协议旨在用于建立密钥,然后用于组织用于保护敏感信息的安全通道。协议的安全性证明是针对涉及通道中的主动对手的情况进行的,包括中间人(MitM)攻击和基于其中一个主体的模拟攻击。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
本文件中的关键词“必须”、“不得”、“必需”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照[RFC2119]中所述进行解释。
This document uses the following parameters of elliptic curves in accordance with [RFC6090]:
本文件根据[RFC6090]使用椭圆曲线的以下参数:
E an elliptic curve defined over a finite prime field GF(p), where p > 3;
E有限素数域GF(p)上定义的椭圆曲线,其中p>3;
p the characteristic of the underlying prime field;
p底层素域的特征;
a, b the coefficients of the equation of the elliptic curve in the canonical form;
a、 b标准型椭圆曲线方程的系数;
m the elliptic curve group order;
m椭圆曲线群阶;
q the elliptic curve subgroup order;
q椭圆曲线子群阶;
P a generator of the subgroup of order q;
q阶子群的生成元;
X, Y the coordinates of the elliptic curve point in the canonical form;
十、 Y标准形椭圆曲线点的坐标;
O zero point (point at infinity) of the elliptic curve.
椭圆曲线的零点(无穷远处的点)。
This memo uses the following functions:
此备忘录使用以下功能:
HASH the underlying hash function;
散列底层散列函数;
HMAC the function for calculating a message authentication code (MAC), based on a HASH function in accordance with [RFC2104];
HMAC——根据[RFC2104]的哈希函数计算消息认证码(MAC)的函数;
F(PW, salt, n) the value of the function PBKDF2(PW, salt, n, len), where PBKDF2(PW, salt, n, len) is calculated according to [RFC8018]. The parameter len is considered equal to the minimum integer that is a multiple of 8 and satisfies the following condition:
F(PW,salt,n)函数PBKDF2(PW,salt,n,len)的值,其中PBKDF2(PW,salt,n,len)根据[RFC8018]计算。参数len被视为等于最小整数,该整数是8的倍数,并满足以下条件:
len >= floor(log_2(q)).
len>=地板(对数2(q))。
This document uses the following terms and definitions for the sets and operations on the elements of these sets:
本文档使用以下术语和定义来描述集合和集合元素的操作:
B_n the set of byte strings of size n, n >= 0; for n = 0, the B_n
set consists of a single empty string of size 0; if b is an
element of B_n, then b = (b_1,...,b_n), where b_1,...,b_n are
elements of {0,...,255};
B_n the set of byte strings of size n, n >= 0; for n = 0, the B_n
set consists of a single empty string of size 0; if b is an
element of B_n, then b = (b_1,...,b_n), where b_1,...,b_n are
elements of {0,...,255};
|| concatenation of byte strings A and C, i.e., if A in B_n1,
C in B_n2, A = (a_1,a_2,...,a_n1) and C = (c_1,c_2,...,c_n2),
then A || C = (a_1,a_2,...,a_n1,c_1,c_2,...,c_n2) is an
element of B_(n1 + n2);
|| concatenation of byte strings A and C, i.e., if A in B_n1,
C in B_n2, A = (a_1,a_2,...,a_n1) and C = (c_1,c_2,...,c_n2),
then A || C = (a_1,a_2,...,a_n1,c_1,c_2,...,c_n2) is an
element of B_(n1 + n2);
int(A) for the byte string A = (a_1,...,a_n) in B_n, an integer
int(A) = 256^(n - 1)a_n +...+ 256^(0)a_1;
int(A) for the byte string A = (a_1,...,a_n) in B_n, an integer
int(A) = 256^(n - 1)a_n +...+ 256^(0)a_1;
bytes_n(X)
the byte string A in B_n, such that int(A) = X, where X is an
integer and 0 <= X < 256^n;
bytes_n(X)
the byte string A in B_n, such that int(A) = X, where X is an
integer and 0 <= X < 256^n;
BYTES(Q) for Q in E, the byte string bytes_n(X) || bytes_n(Y), where X, Y are standard Weierstrass coordinates of point Q and n = ceil(log_{256}(p)).
字节(Q)对于E中的Q,字节字符串BYTES_n(X)| BYTES_n(Y),其中X,Y是点Q的标准Weierstrass坐标,n=ceil(log_{256}(p))。
The main point of the SESPAKE protocol is that parties sharing a weak key (a password) generate a strong common key. An active adversary who has access to a channel is not able to obtain any information that can be used to find a key in offline mode, i.e., without interaction with legitimate participants.
SESPAKE协议的要点是共享弱密钥(密码)的各方生成强公共密钥。能够访问通道的主动对手无法获得任何可用于在脱机模式下查找密钥的信息,即,在没有与合法参与者交互的情况下。
The protocol is used by subjects A (client) and B (server) that share some secret parameter that was established in an out-of-band mechanism: a client is a participant who stores a password as a secret parameter, and a server is a participant who stores a password-based computed point of the elliptic curve.
该协议用于共享在带外机制中建立的某些秘密参数的主体A(客户端)和主体B(服务器):客户端是存储密码作为秘密参数的参与者,服务器是存储基于密码的椭圆曲线计算点的参与者。
The SESPAKE protocol consists of two steps: the key-agreement step and the key-confirmation step. During the first step (the key-agreement step), the parties exchange keys using Diffie-Hellman with public components masked by an element that depends on the password -- one of the predefined elliptic curve points multiplied by the password-based coefficient. This approach provides an implicit key authentication, which means that after this step, one party is assured that no other party, aside from a specifically identified second party, may gain access to the generated secret key. During
SESPAKE协议包括两个步骤:密钥协商步骤和密钥确认步骤。在第一步(密钥协商步骤)中,双方使用Diffie Hellman与公共组件交换密钥,公共组件由依赖于密码的元素屏蔽——预定义的椭圆曲线点之一乘以基于密码的系数。该方法提供隐式密钥认证,这意味着在该步骤之后,一方被保证,除了特定识别的第二方之外,没有其他方可以访问生成的密钥。在期间
the second step (the key-confirmation step), the parties exchange strings that strongly depend on the generated key. After this step, the parties are assured that a legitimate party, and no one else, actually has possession of the secret key.
第二步(密钥确认步骤),双方交换强烈依赖于生成的密钥的字符串。在这一步之后,各方都被保证,合法的一方,而不是其他任何一方,实际上拥有秘密密钥。
To protect against online guessing attacks, counters that indicate the number of failed connections were introduced in the SESPAKE protocol. There is also a special technique for small-order point processing and a mechanism that provides protection against reflection attacks by using different operations for different sides.
为了防止在线猜测攻击,SESPAKE协议中引入了指示失败连接数的计数器。还有一种用于小阶点处理的特殊技术,以及一种通过对不同方面使用不同操作来防止反射攻击的机制。
Various elliptic curves can be used in the protocol. For each elliptic curve supported by clients, the following values MUST be defined:
协议中可以使用各种椭圆曲线。对于客户端支持的每条椭圆曲线,必须定义以下值:
o the protocol parameters identifier, ID_ALG (which can also define a HASH function, a pseudorandom function (PRF) used in the PBKDF2 function, etc.), which is a byte string of an arbitrary length;
o 协议参数标识符ID_ALG(也可以定义哈希函数、PBKDF2函数中使用的伪随机函数(PRF)等),是任意长度的字节字符串;
o the point P, which is a generator point of the subgroup of order q of the curve;
o 点P是曲线q阶子群的生成点;
o the set of distinct curve points {Q_1,Q_2,...,Q_N} of order q, where the total number of points, N, is defined for the protocol instance.
o Q阶的不同曲线点集{Q_1,Q_2,…,Q_N},其中为协议实例定义了点的总数N。
The method of generation of the points {Q_1,Q_2,...,Q_N} is described in Section 5.
第5节描述了点{Q_1,Q_2,…,Q_N}的生成方法。
The following protocol parameters are used by subject A:
受试者A使用以下协议参数:
1. The secret password value PW, which is a byte string that is uniformly randomly chosen from a subset of cardinality 10^10 or greater of the set B_k, where k >= 6 is the password length.
1. 秘密密码值PW,是从集合B_k的基数10^10或更大的子集中均匀随机选择的字节字符串,其中k>=6是密码长度。
2. The list of curve identifiers supported by A.
2. A支持的曲线标识符列表。
3. Sets of points {Q_1,Q_2,...,Q_N}, corresponding to curves supported by A.
3. 点集{Q_1,Q_2,…,Q_N},对应于A所支持的曲线。
4. The C_1^A counter, which tracks the total number of unsuccessful authentication trials in a row, and a value of CLim_1 that stores the maximum possible number of such events.
4. C_1^计数器,用于跟踪一行中未成功的身份验证试验的总数,以及CLim_1的值,该值存储此类事件的最大可能数量。
5. The C_2^A counter, which tracks the total number of unsuccessful authentication events during the period of usage of the specific PW, and a value of CLim_2 that stores the maximum possible number of such events.
5. C_2^计数器,用于跟踪特定PW使用期间未成功验证事件的总数,以及CLim_2的值,该值存储此类事件的最大可能数量。
6. The C_3^A counter, which tracks the total number of authentication events (successful and unsuccessful) during the period of usage of the specific PW, and a value of CLim_3 that stores the maximum possible number of such events.
6. C_3^计数器,用于跟踪特定PW使用期间认证事件(成功和失败)的总数,以及CLim_3的值,该值存储此类事件的最大可能数量。
7. The unique identifier, ID_A, of subject A (OPTIONAL), which is a byte string of an arbitrary length.
7. 主体A的唯一标识符ID_A(可选),是任意长度的字节字符串。
The following protocol parameters are used by subject B:
受试者B使用以下协议参数:
1. The values ind and salt, where ind is in {1,...,N} and salt is in {1,...,2^128-1}.
1. 值ind和salt,其中ind在{1,…,N}中,salt在{1,…,2^128-1}中。
2. The point Q_PW, satisfying the following equation:
2. 点Q_PW,满足以下等式:
Q_PW = int(F(PW, salt, 2000))*Q_ind.
Q_PW=int(F(PW,salt,2000))*Q_ind。
It is possible that the point Q_PW is not stored and is calculated using PW in the beginning of the protocol. In that case, B has to store PW and points {Q_1,Q_2,...,Q_N}.
可能没有存储点Q_PW,而是在协议开始时使用PW计算。在这种情况下,B必须存储PW和点{Q_1,Q_2,…,Q_N}。
3. The ID_ALG identifier.
3. ID\u ALG标识符。
4. The C_1^B counter, which tracks the total number of unsuccessful authentication trials in a row, and a value of CLim_1 that stores the maximum possible number of such events.
4. C_1^B计数器,用于跟踪一行中未成功的身份验证试验的总数,以及CLim_1的值,该值存储此类事件的最大可能数量。
5. The C_2^B counter, which tracks the total number of unsuccessful authentication events during the period of usage of the specific PW, and a value of CLim_2 that stores the maximum possible number of such events.
5. C_2^B计数器,用于跟踪特定PW使用期间未成功身份验证事件的总数,以及CLim_2的值,该值存储此类事件的最大可能数量。
6. The C_3^B counter, which tracks the total number of authentication events (successful and unsuccessful) during the period of usage of the specific PW, and a value of CLim_3 that stores the maximum possible number of such events.
6. C_3^B计数器,用于跟踪特定PW使用期间的身份验证事件总数(成功和失败),以及存储此类事件最大可能数量的CLim_3值。
7. The unique identifier, ID_B, of subject B (OPTIONAL), which is a byte string of an arbitrary length.
7. 主体B的唯一标识符ID_B(可选),是任意长度的字节字符串。
After the setup of a new password value PW, the values of the counters MUST be assigned as follows:
设置新密码值PW后,必须按如下方式分配计数器值:
o C_1^A = C_1^B = CLim_1, where CLim_1 is in {3,...,5};
o C_1^A=C_1^B=CLim_1,其中CLim_1在{3,…,5}中;
o C_2^A = C_2^B = CLim_2, where CLim_2 is in {7,...,20};
o C_2^A=C_2^B=CLim_2,其中CLim_2位于{7,…,20};
o C_3^A = C_3^B = CLim_3, where CLim_3 is in {10^3,10^3+1,...,10^5}.
o C_3^A=C_3^B=CLim_3,其中CLim_3在{10^3,10^3+1,…,10^5}中。
The basic SESPAKE steps are shown in the scheme below:
SESPAKE的基本步骤如下图所示:
+--------------------------+------------+---------------------------+
| A [A_ID, PW] | | B [B_ID, Q_PW, ind, salt] |
+--------------------------+------------+---------------------------+
| if C_1^A or C_2^A or | | |
| C_3^A = 0 ==> quit | | |
| decrement C_1^A, C_2^A, | A_ID ---> | if C_1^B or C_2^B or |
| C_3^A by 1 | | C_3^B = 0 ==> quit |
| z_A = 0 | <--- | decrement C_1^B, C_2^B, |
| | ID_ALG, | C_3^B by 1 |
| | B_ID | |
| | (OPTIONAL),| |
| | ind, salt | |
| Q_PW^A = int(F(PW, salt, | | |
| 2000))*Q_ind | | |
| choose alpha randomly | | |
| from {1,...,q-1} | | |
| u_1 = alpha*P - Q_PW^A | u_1 ---> | if u_1 not in E ==> quit |
| | | z_B = 0 |
| | | Q_B = u_1 + Q_PW |
| | | choose beta randomly from |
| | | {1,...,q-1} |
| | | if m/q*Q_B = O ==> Q_B = |
| | | beta*P, z_B = 1 |
| | | K_B = |
| | | HASH(BYTES(( m/q*beta* |
| | | (mod q))*Q_B )) |
| if u_2 not in E ==> quit | <--- u_2 | u_2 = beta*P + Q_PW |
| Q_A = u_2 - Q_PW^A | | |
| if m/q*Q_A = O ==> Q_A = | | |
| alpha*P, z_A = 1 | | |
| K_A = HASH(BYTES(( m/q* | | |
| alpha(mod q))*Q_A )) | | |
| | | |
+--------------------------+------------+---------------------------+
| A [A_ID, PW] | | B [B_ID, Q_PW, ind, salt] |
+--------------------------+------------+---------------------------+
| if C_1^A or C_2^A or | | |
| C_3^A = 0 ==> quit | | |
| decrement C_1^A, C_2^A, | A_ID ---> | if C_1^B or C_2^B or |
| C_3^A by 1 | | C_3^B = 0 ==> quit |
| z_A = 0 | <--- | decrement C_1^B, C_2^B, |
| | ID_ALG, | C_3^B by 1 |
| | B_ID | |
| | (OPTIONAL),| |
| | ind, salt | |
| Q_PW^A = int(F(PW, salt, | | |
| 2000))*Q_ind | | |
| choose alpha randomly | | |
| from {1,...,q-1} | | |
| u_1 = alpha*P - Q_PW^A | u_1 ---> | if u_1 not in E ==> quit |
| | | z_B = 0 |
| | | Q_B = u_1 + Q_PW |
| | | choose beta randomly from |
| | | {1,...,q-1} |
| | | if m/q*Q_B = O ==> Q_B = |
| | | beta*P, z_B = 1 |
| | | K_B = |
| | | HASH(BYTES(( m/q*beta* |
| | | (mod q))*Q_B )) |
| if u_2 not in E ==> quit | <--- u_2 | u_2 = beta*P + Q_PW |
| Q_A = u_2 - Q_PW^A | | |
| if m/q*Q_A = O ==> Q_A = | | |
| alpha*P, z_A = 1 | | |
| K_A = HASH(BYTES(( m/q* | | |
| alpha(mod q))*Q_A )) | | |
| | | |
| U_1 = BYTES(u_1), U_2 = | | |
| BYTES(u_2) | | |
| MAC_A = HMAC(K_A, 0x01 | DATA_A, | U_1 = BYTES(u_1), U_2 = |
| || ID_A || ind || salt | MAC_A ---> | BYTES(u_2) |
| || U_1 || U_2 || ID_ALG | | |
| (OPTIONAL) || DATA_A) | | |
| | | if MAC_A != HMAC(K_B, |
| | | 0x01 || ID_A || ind || |
| | | salt || U_1 || U_2 || |
| | | ID_ALG (OPTIONAL) || |
| | | DATA_A) ==> quit |
| | | if z_B = 1 ==> quit |
| | | C_1^B = CLim_1, increment |
| | | C_2^B by 1 |
| if MAC_B != HMAC(K_A, | <--- | MAC_B = HMAC(K_B, 0x02 || |
| 0x02 || ID_B || ind || | DATA_B, | ID_B || ind || salt || |
| salt || U_1 || U_2 || | MAC_B | U_1 || U_2 || ID_ALG |
| ID_ALG (OPTIONAL) || | | (OPTIONAL) || DATA_A || |
| DATA_A || DATA_B) ==> | | DATA_B) |
| quit | | |
| if z_A = 1 ==> quit | | |
| C_1^A = CLim_1, | | |
| increment C_2^A by 1 | | |
+--------------------------+------------+---------------------------+
| U_1 = BYTES(u_1), U_2 = | | |
| BYTES(u_2) | | |
| MAC_A = HMAC(K_A, 0x01 | DATA_A, | U_1 = BYTES(u_1), U_2 = |
| || ID_A || ind || salt | MAC_A ---> | BYTES(u_2) |
| || U_1 || U_2 || ID_ALG | | |
| (OPTIONAL) || DATA_A) | | |
| | | if MAC_A != HMAC(K_B, |
| | | 0x01 || ID_A || ind || |
| | | salt || U_1 || U_2 || |
| | | ID_ALG (OPTIONAL) || |
| | | DATA_A) ==> quit |
| | | if z_B = 1 ==> quit |
| | | C_1^B = CLim_1, increment |
| | | C_2^B by 1 |
| if MAC_B != HMAC(K_A, | <--- | MAC_B = HMAC(K_B, 0x02 || |
| 0x02 || ID_B || ind || | DATA_B, | ID_B || ind || salt || |
| salt || U_1 || U_2 || | MAC_B | U_1 || U_2 || ID_ALG |
| ID_ALG (OPTIONAL) || | | (OPTIONAL) || DATA_A || |
| DATA_A || DATA_B) ==> | | DATA_B) |
| quit | | |
| if z_A = 1 ==> quit | | |
| C_1^A = CLim_1, | | |
| increment C_2^A by 1 | | |
+--------------------------+------------+---------------------------+
Table 1: SESPAKE Protocol Steps
表1:SESPAKE协议步骤
The full description of the protocol consists of the following steps:
协议的完整描述包括以下步骤:
1. If any of the counters C_1^A, C_2^A, or C_3^A is equal to 0, A finishes the protocol with an informational error regarding exceeding the number of trials that is controlled by the corresponding counter.
1. 如果任何计数器C_1^A、C_2^A或C_3^A等于0,则A完成协议时会出现一个信息错误,该错误与超出相应计数器控制的试验次数有关。
2. A decrements each of the counters C_1^A, C_2^A, and C_3^A by 1, requests open authentication information from B, and sends the ID_A identifier.
2. A将每个计数器C_1^A、C_2^A和C_3^A递减1,从B请求开放身份验证信息,并发送ID_A标识符。
3. If any of the counters C_1^B, C_2^B, or C_3^B is equal to 0, B finishes the protocol with an informational error regarding exceeding the number of trials that is controlled by the corresponding counter.
3. 如果计数器C_1^B、C_2^B或C_3^B中的任何一个等于0,则B完成协议时会出现一个信息错误,该错误与超出相应计数器控制的试验次数有关。
4. B decrements each of the counters C_1^B, C_2^B, and C_3^B by 1.
4. B将每个计数器C_1^B、C_2^B和C_3^B递减1。
5. B sends the values of ind, salt, and the ID_ALG identifier to A. B also can OPTIONALLY send the ID_B identifier to A. All subsequent calculations are done by B in the elliptic curve group defined by the ID_ALG identifier.
5. B将ind、salt和ID_ALG标识符的值发送给A。B还可以选择将ID_B标识符发送给A。所有后续计算由B在ID_ALG标识符定义的椭圆曲线组中完成。
6. A sets the curve defined by the received ID_ALG identifier as the used elliptic curve. All subsequent calculations are done by A in this elliptic curve group.
6. A将接收到的ID_ALG标识符定义的曲线设置为使用的椭圆曲线。所有后续计算均由该椭圆曲线组中的A完成。
7. A calculates the point Q_PW^A = int(F(PW, salt, 2000))*Q_ind.
7. A计算点Q_PW^A=int(F(PW,salt,2000))*Q_ind。
8. A chooses randomly (according to the uniform distribution) the value alpha; alpha is in {1,...,q-1}; then A assigns z_A = 0.
8. A随机(根据均匀分布)选择α值;α在{1,…,q-1}中;然后A指定z_A=0。
9. A sends the value u_1 = alpha*P - Q_PW^A to B.
9. A将值u_1=alpha*P-Q_PW^A发送给B。
10. After receiving u_1, B checks to see if u_1 is in E. If it is not, B finishes with an error and considers the authentication process unsuccessful.
10. 收到u_1后,B检查u_1是否在E中。如果不在E中,B将以错误结束,并认为身份验证过程不成功。
11. B calculates Q_B = u_1 + Q_PW, assigns z_B = 0, and chooses randomly (according to the uniform distribution) the value beta; beta is in {1,...,q-1}.
11. B计算Q_B=u_1+Q_PW,分配z_B=0,并随机(根据均匀分布)选择β值;β在{1,…,q-1}中。
12. If m/q*Q_B = O, B assigns Q_B = beta*P and z_B = 1.
12. 如果m/q*q_B=O,B指定q_B=beta*P和z_B=1。
13. B calculates K_B = HASH(BYTES(( m/q*beta*(mod q))*Q_B )).
13. B计算K_B=散列(字节((m/q*beta*(mod q))*q_B))。
14. B sends the value u_2 = beta*P + Q_PW to A.
14. B将值u_2=beta*P+Q_PW发送给A。
15. After receiving u_2, A checks to see if u_2 is in E. If it is not, A finishes with an error and considers the authentication process unsuccessful.
15. 在收到u_2后,A检查u_2是否在E中。如果不在E中,A将以错误结束,并认为身份验证过程不成功。
16. A calculates Q_A = u_2 - Q_PW^A.
16. A计算Q_A=u_2-Q_PW^A。
17. If m/q*Q_A = O, then A assigns Q_A = alpha*P and z_A = 1.
17. 如果m/q*q_A=O,那么A分配q_A=alpha*P和z_A=1。
18. A calculates K_A = HASH(BYTES(( m/q*alpha(mod q))*Q_A )).
18. A计算K_A=散列(字节((m/q*alpha(mod q))*q_A))。
19. A calculates U_1 = BYTES(u_1), U_2 = BYTES(u_2).
19. A计算U_1=字节(U_1),U_2=字节(U_2)。
20. A calculates MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A), where DATA_A is an OPTIONAL string that is authenticated with MAC_A (if it is not used, then DATA_A is considered to be of zero length).
20. A计算MAC|A=HMAC(K|A,0x01 | ID|A | ind | salt | U | U | U 1 | U | U 2 | ID | U ALG(可选)| DATA | A),其中DATA | A是通过MAC U A验证的可选字符串(如果未使用,则数据124a被视为零长度)。
21. A sends DATA_A, MAC_A to B.
21. A将数据A、MAC A发送到B。
22. B calculates U_1 = BYTES(u_1), U_2 = BYTES(u_2).
22. B计算U_1=字节(U_1),U_2=字节(U_2)。
23. B checks to see if the values MAC_A and HMAC(K_B, 0x01 || ID_A || ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A) are equal. If they are not, it finishes with an error and considers the authentication process unsuccessful.
23. B检查MAC|U A和HMAC(K|U B,0x01 | ID|U A | ind | salt | U|U 1 | U|U 2 | ID|U ALG(可选)| DATA|U A)的值是否相等。如果没有,则会以错误结束,并认为身份验证过程不成功。
24. If z_B = 1, B finishes with an error and considers the authentication process unsuccessful.
24. 如果z_B=1,B将以错误结束,并认为身份验证过程不成功。
25. B sets the value of C_1^B to CLim_1 and increments C_2^B by 1.
25. B将C_1^B的值设置为CLim_1,并将C_2^B增加1。
26. B calculates MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A || DATA_B), where DATA_B is an OPTIONAL string that is authenticated with MAC_B (if it is not used, then DATA_B is considered to be of zero length).
26. B计算MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | U | U | 1 | U | U 2 | ID | ALG(可选)| DATA | A | DATA | B),其中DATA | B是通过MAC B验证的可选字符串(如果未使用,则数据124b被视为零长度)。
27. B sends DATA_B, MAC_B to A.
27. B向A发送数据,MAC。
28. A checks to see if the values MAC_B and HMAC(K_A, 0x02 || ID_B || ind || salt || U_1 || U_2 || ID_ALG (OPTIONAL) || DATA_A || DATA_B) are equal. If they are not, it finishes with an error and considers the authentication process unsuccessful.
28. A检查MAC|B和HMAC(K|A,0x02 | ID|B | ind | salt | U|U 1 | U|U 2 | ID|U ALG(可选)| DATA | U A | DATA | B)的值是否相等。如果没有,则会以错误结束,并认为身份验证过程不成功。
29. If z_A = 1, A finishes with an error and considers the authentication process unsuccessful.
29. 如果z_A=1,则A将以错误结束,并认为身份验证过程不成功。
30. A sets the value of C_1^A to CLim_1 and increments C_2^A by 1.
30. A将C_1^A的值设置为CLim_1,并将C_2^A增加1。
After the procedure finishes successfully, subjects A and B are mutually authenticated, and each subject has an explicitly authenticated value of K = K_A = K_B.
过程成功完成后,受试者A和B将相互验证,并且每个受试者都有一个明确验证的值K=K_A=K_B。
Notes:
笔记:
1. In cases where the interaction process can be initiated by any subject (client or server), the ID_A and ID_B options MUST be used, and the receiver MUST check to see if the identifier he had received is not equal to his own; otherwise, it finishes the protocol. If an OPTIONAL parameter ID_A (or ID_B) is not used in the protocol, it SHOULD be considered equal to a fixed byte string (a zero-length string is allowed) defined by a specific implementation.
1. 如果任何主体(客户端或服务器)都可以启动交互过程,则必须使用ID_A和ID_B选项,并且接收者必须检查他收到的标识符是否与他自己的标识符不相等;否则,它将完成协议。如果协议中未使用可选参数ID_A(或ID_B),则应将其视为等于特定实现定义的固定字节字符串(允许零长度字符串)。
2. The ind, ID_A, ID_B, and salt parameters can be agreed upon in advance. If some parameter is agreed upon in advance, it is possible not to send it during a corresponding step. Nevertheless, all parameters MUST be used as corresponding inputs to the HMAC function during Steps 20, 23, 26, and 28.
2. ind、ID_A、ID_B和salt参数可以事先商定。如果事先商定了某个参数,则可能在相应步骤中不发送该参数。然而,在步骤20、23、26和28期间,所有参数必须用作HMAC功能的相应输入。
3. The ID_ALG parameter can be fixed or agreed upon in advance.
3. ID_ALG参数可以事先确定或商定。
4. It is RECOMMENDED that the ID_ALG parameter be used in HMAC during Steps 20, 23, 26, and 28.
4. 建议在步骤20、23、26和28期间在HMAC中使用ID_ALG参数。
5. Continuation of protocol interaction in a case where any of the counters C_1^A or C_1^B is equal to zero MAY be done without changing the password. In this case, these counters can be used for protection against denial-of-service attacks. For example, continuation of interaction can be allowed after a certain delay period.
5. 在任何计数器C_1^a或C_1^B等于零的情况下,可以在不更改密码的情况下继续协议交互。在这种情况下,这些计数器可用于防止拒绝服务攻击。例如,在一定的延迟期之后,可以允许继续交互。
6. Continuation of protocol interaction in a case where any of the counters C_2^A, C_3^A, C_2^B, or C_3^B is equal to zero MUST be done only after changing the password.
6. 如果任何计数器C_2^a、C_3^a、C_2^B或C_3^B等于零,则必须在更改密码后才能继续协议交互。
7. It is RECOMMENDED that during Steps 9 and 14 the points u_1 and u_2 be sent in a non-compressed format (BYTES(u_1) and BYTES(u_2)). However, point compression MAY be used.
7. 建议在步骤9和14期间,以非压缩格式(字节(u_1)和字节(u_2))发送点u_1和u_2。然而,可以使用点压缩。
8. The use of several Q points can reinforce the independence of the data streams when working with several applications -- for example, when two high-level protocols can use two different points. However, the use of more than one point is OPTIONAL.
8. 在处理多个应用程序时,使用几个Q点可以增强数据流的独立性——例如,当两个高级协议可以使用两个不同的点时。但是,使用多个点是可选的。
This section provides an example of a possible algorithm for the generation of each point Q_i in the set {Q_1,...,Q_N} that corresponds to the given elliptic curve E.
本节提供了生成集合{Q_1,…,Q_N}中对应于给定椭圆曲线E的每个点Q_i的可能算法示例。
The algorithm is based on choosing points with coordinates with known preimages of a cryptographic hash function H, which is the GOST R 34.11-2012 hash function (see [RFC6986]) with 256-bit output if 2^254 < q < 2^256, and the GOST R 34.11-2012 hash function (see [RFC6986]) with 512-bit output if 2^508 < q < 2^512.
该算法基于选择具有已知加密散列函数H前像坐标的点,即GOST R 34.11-2012散列函数(参见[RFC6986]),如果2^254<q<2^256,则输出256位;如果2^508<q<2^512,则选择GOST R 34.11-2012散列函数(参见[RFC6986]),则输出512位。
The algorithm consists of the following steps:
该算法包括以下步骤:
1. Set i = 1, SEED = 0, s = 4.
1. 设置i=1,种子=0,s=4。
2. Calculate X = int(HASH(BYTES(P) || bytes_s(SEED))) mod p.
2. 计算X=int(散列(字节(P)| |字节(种子)))mod P。
3. Check to see if the value of X^3 + aX + b is a quadratic residue in the field F_p. If it is not, set SEED = SEED + 1 and return to Step 2.
3. 检查X^3+aX+b的值是否是字段F_p中的二次剩余。如果不是,则设置SEED=SEED+1并返回步骤2。
4. Choose the value of Y = min{r1, r2}, where r1, r2 from {0,1,...,p-1} are such that r1 != r2 and r1^2 = r2^2 = R mod p for R = X^3 + aX + b.
4. 选择Y=min{r1,r2}的值,其中{0,1,…,p-1}中的r1,r2为r1!=r2和r1^2=r2^2=R=X^3+aX+b的R模p。
5. Check to see if the following relations hold for the point Q = (X, Y): Q != O and q*Q = O. If they do, go to Step 6; if not, set SEED = SEED + 1 and return to Step 2.
5. 检查以下关系是否适用于点Q=(X,Y):Q!=O和q*q=O。如果是,则转至步骤6;如果不是,则设置SEED=SEED+1并返回步骤2。
6. Set Q_i = Q. If i < N, then set i = i + 1 and go to Step 2; otherwise, finish.
6. 设置Q_i=Q。如果i<N,则设置i=i+1并转至步骤2;否则,请完成。
With the defined algorithm for any elliptic curve E, point sets {Q_1,...,Q_N} are constructed. Constructed points in one set MUST have distinct X-coordinates.
利用任意椭圆曲线E的定义算法,构造了点集{Q_1,…,Q_N}。一个集合中的构造点必须具有不同的X坐标。
Note: The knowledge of a hash function preimage prevents knowledge of the multiplicity of any point related to generator point P. It is of primary importance, because such knowledge could be used to implement an attack against the protocol with an exhaustive search for the password.
注意:哈希函数前映像的知识可防止了解与生成器点P相关的任何点的多重性。这一点至关重要,因为此类知识可用于通过彻底搜索密码来实施对协议的攻击。
Any cryptographic algorithms -- particularly HASH functions and HMAC functions -- that are used in the SESPAKE protocol MUST be carefully designed and MUST be able to withstand all known types of cryptanalytic attacks.
SESPAKE协议中使用的任何加密算法——特别是哈希函数和HMAC函数——都必须经过仔细设计,并且必须能够抵御所有已知类型的密码分析攻击。
It is RECOMMENDED that the HASH function satisfy the following condition:
建议哈希函数满足以下条件:
o hashlen <= log_2(q) + 4, where hashlen is the length of the HASH function output.
o hashlen<=log_2(q)+4,其中hashlen是哈希函数输出的长度。
It is RECOMMENDED that the output length of hash functions used in the SESPAKE protocol be greater than or equal to 256 bits.
建议SESPAKE协议中使用的哈希函数的输出长度大于或等于256位。
The points {Q_1,Q_2,...,Q_N} and P MUST be chosen in such a way that they are provably pseudorandom. As a practical matter, this means that the algorithm for generation of each point Q_i in the set {Q_1,...,Q_N} (see Section 5) ensures that the multiplicity of any point under any other point is unknown.
点{Q_1,Q_2,…,Q_N}和P的选择必须确保它们是可证明的伪随机的。实际上,这意味着生成集合{Q_1,…,Q_N}中每个点Q_i的算法(见第5节)确保任何点在任何其他点下的多重性未知。
Using N = 1 is RECOMMENDED.
建议使用N=1。
Note: The specific adversary models for the protocol discussed in this document can be found in [SESPAKE-SECURITY], which contains the security proofs.
注:本文件中讨论的协议的特定对手模型可在[SESPAKE-SECURITY]中找到,其中包含安全证明。
This document does not require any IANA actions.
本文件不要求IANA采取任何行动。
[GOST3410-2012] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digital signature", GOST R 34.10-2012, Federal Agency on Technical Regulating and Metrology (in Russian), 2012.
[GOST3410-2012]“信息技术、加密数据安全、[电子]数字签名的签名和验证过程”,GOST R 34.10-2012,联邦技术监管和计量局(俄语),2012年。
[GOST3411-2012] "Information technology. Cryptographic Data Security. Hashing function", GOST R 34.11-2012, Federal Agency on Technical Regulating and Metrology (in Russian), 2012.
[GOST3411-2012]“信息技术、加密数据安全、哈希函数”,GOST R 34.11-2012,联邦技术监管和计量局(俄语),2012年。
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, DOI 10.17487/RFC2104, February 1997, <http://www.rfc-editor.org/info/rfc2104>.
[RFC2104]Krawczyk,H.,Bellare,M.,和R.Canetti,“HMAC:用于消息认证的键控哈希”,RFC 2104,DOI 10.17487/RFC2104,1997年2月<http://www.rfc-editor.org/info/rfc2104>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.
[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,DOI 10.17487/RFC2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.
[RFC6090] McGrew, D., Igoe, K., and M. Salter, "Fundamental Elliptic Curve Cryptography Algorithms", RFC 6090, DOI 10.17487/RFC6090, February 2011, <http://www.rfc-editor.org/info/rfc6090>.
[RFC6090]McGrew,D.,Igoe,K.,和M.Salter,“基本椭圆曲线密码算法”,RFC 6090,DOI 10.17487/RFC6090,2011年2月<http://www.rfc-editor.org/info/rfc6090>.
[RFC6986] Dolmatov, V., Ed., and A. Degtyarev, "GOST R 34.11-2012: Hash Function", RFC 6986, DOI 10.17487/RFC6986, August 2013, <http://www.rfc-editor.org/info/rfc6986>.
[RFC6986]Dolmatov,V.,Ed.,和A.Degtyarev,“GOST R 34.11-2012:哈希函数”,RFC 6986,DOI 10.17487/RFC6986,2013年8月<http://www.rfc-editor.org/info/rfc6986>.
[RFC7091] Dolmatov, V., Ed., and A. Degtyarev, "GOST R 34.10-2012: Digital Signature Algorithm", RFC 7091, DOI 10.17487/RFC7091, December 2013, <http://www.rfc-editor.org/info/rfc7091>.
[RFC7091]Dolmatov,V.,Ed.,和A.Degtyarev,“GOST R 34.10-2012:数字签名算法”,RFC 7091,DOI 10.17487/RFC7091,2013年12月<http://www.rfc-editor.org/info/rfc7091>.
[RFC7836] Smyshlyaev, S., Ed., Alekseev, E., Oshkin, I., Popov, V., Leontiev, S., Podobaev, V., and D. Belyavsky, "Guidelines on the Cryptographic Algorithms to Accompany the Usage of Standards GOST R 34.10-2012 and GOST R 34.11-2012", RFC 7836, DOI 10.17487/RFC7836, March 2016, <http://www.rfc-editor.org/info/rfc7836>.
[RFC7836]Smyshlyaev,S.,Ed.,Alekseev,E.,Oshkin,I.,Popov,V.,Leontiev,S.,Podobaev,V.,和D.Belyavsky,“伴随GOST R 34.10-2012和GOST R 34.11-2012标准使用的加密算法指南”,RFC 7836,DOI 10.17487/RFC7836,2016年3月<http://www.rfc-editor.org/info/rfc7836>.
[RFC8018] Moriarty, K., Ed., Kaliski, B., and A. Rusch, "PKCS #5: Password-Based Cryptography Specification Version 2.1", RFC 8018, DOI 10.17487/RFC8018, January 2017, <http://www.rfc-editor.org/info/rfc8018>.
[RFC8018]Moriarty,K.,Ed.,Kaliski,B.,和A.Rusch,“PKCS#5:基于密码的加密规范版本2.1”,RFC 8018,DOI 10.17487/RFC8018,2017年1月<http://www.rfc-editor.org/info/rfc8018>.
[RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms", RFC 4357, DOI 10.17487/RFC4357, January 2006, <http://www.rfc-editor.org/info/rfc4357>.
[RFC4357]Popov,V.,Kurepkin,I.,和S.Leontiev,“用于GOST 28147-89,GOST R 34.10-94,GOST R 34.10-2001和GOST R 34.11-94算法的其他加密算法”,RFC 4357,DOI 10.17487/RFC4357,2006年1月<http://www.rfc-editor.org/info/rfc4357>.
[SESPAKE-SECURITY] Smyshlyaev, S., Oshkin, I., Alekseev, E., and L. Ahmetzyanova, "On the Security of One Password Authenticated Key Exchange Protocol", 2015, <http://eprint.iacr.org/2015/1237.pdf>.
[SESPAKE-SECURITY]Smyshlyaev,S.,Oshkin,I.,Alekseev,E.,和L.Ahmetzyanova,“关于单密码认证密钥交换协议的安全性”,2015年<http://eprint.iacr.org/2015/1237.pdf>.
The following test examples are made for the protocol implementation that is based on the Russian national standards GOST R 34.10-2012 [GOST3410-2012] and GOST R 34.11-2012 [GOST3411-2012]. The English versions of these standards can be found in [RFC7091] and [RFC6986].
根据俄罗斯国家标准GOST R 34.10-2012[GOST3410-2012]和GOST R 34.11-2012[GOST3411-2012],为协议实施制定了以下测试示例。这些标准的英文版本可在[RFC7091]和[RFC6986]中找到。
There is one point Q_1 for each of the elliptic curves below. These points were constructed using the method described in Section 5 for N = 1 and the GOST R 34.11-2012 hash function (see [RFC6986]). If 2^254 < q < 2^256, the GOST R 34.11-2012 hash function with 256-bit output is used, and if 2^508 < q < 2^512, the GOST R 34.11-2012 hash function with 512-bit output is used.
下面的每条椭圆曲线都有一个点Q_1。这些点是使用第5节中描述的N=1的方法和GOST R 34.11-2012散列函数构造的(参见[RFC6986])。如果2^254<q<2^256,则使用具有256位输出的GOST R 34.11-2012哈希函数;如果2^508<q<2^512,则使用具有512位输出的GOST R 34.11-2012哈希函数。
Each of the points complies with the GOST R 34.10-2012 [GOST3410-2012] standard and is represented by a pair of (X, Y) coordinates in the canonical form and also by a pair of (U, V) coordinates in the twisted Edwards form in accordance with [RFC7836] for the curves that have equivalent representations in this form. There is a SEED value for each point, by which it was generated.
每个点都符合GOST R 34.10-2012[GOST3410-2012]标准,并由一对标准形式的(X,Y)坐标表示,并且根据[RFC7836]的规定,对于具有该形式等效表示的曲线,也由一对(U,V)坐标表示。每个点都有一个种子值,通过该种子值生成该点。
id-GostR3410-2001-CryptoPro-A-ParamSet, id-GostR3410-2001-CryptoPro-B-ParamSet, etc. are defined in [RFC4357]. id-tc26-gost-3410-2012-512-paramSetA, id-tc26-gost-3410-2012-512-paramSetB, etc. are defined in [RFC7836].
[RFC4357]中定义了id-GostR3410-2001-CryptoPro-A-ParamSet、id-GostR3410-2001-CryptoPro-B-ParamSet等。id-tc26-gost-3410-2012-512-paramSetA、id-tc26-gost-3410-2012-512-paramSetB等在[RFC7836]中定义。
Point Q_1 X = 0xa69d51caf1a309fa9e9b66187759b0174c274e080356f23cfcbfe84d396ad7bb Y = 0x5d26f29ecc2e9ac0404dcf7986fa55fe94986362170f54b9616426a659786dac SEED = 0x0001
点Q_1 X=0xa69d51caf1a309fa9e9b66187759b0174c274e080356f23cfcbfe84d396ad7bb Y=0x5D26F29ECC2E9AC040DCF7986FA55FE94986362170F54B9616426A659786DAC种子=0x0001
Point Q_1 X = 0x3d715a874a4b17cb3b517893a9794a2b36c89d2ffc693f01ee4cc27e7f49e399 Y = 0x1c5a641fcf7ce7e87cdf8cea38f3db3096eace2fad158384b53953365f4fe7fe SEED = 0x0000
点Q_1 X=0x3d715a874a4b17cb3b517893a9794a2b36c89d2ffc693f01ee4cc27e7f49e399 Y=0x1C5A641FCF7CE7E87CDF8CEA38F3DB3096EACEFAD15884B5353365F4FE7FE种子=0x0000
Point Q_1 X = 0x1e36383e43bb6cfa2917167d71b7b5dd3d6d462b43d7c64282ae67dfbec2559d Y = 0x137478a9f721c73932ea06b45cf72e37eb78a63f29a542e563c614650c8b6399 SEED = 0x0006
点Q_1 X=0x1e36383e43bb6cfa2917167d71b7b5dd3d6d462b43d7c64282ae67dfbec2559d Y=0x137478A9F721C73932EA045CF72E37EB78A63F29A542E563C614650C8B6399种子=0x0006
Point Q_1 X = 0x2a17f8833a32795327478871b5c5e88aefb91126c64b4b8327289bea62559425 d18198f133f400874328b220c74497cd240586cb249e158532cb8090776cd61c Y = 0x728f0c4a73b48da41ce928358fad26b47a6e094e9362bae82559f83cddc4ec3a 4676bd3707edeaf4cd85e99695c64c241edc622be87dc0cf87f51f4367f723c5 SEED = 0x0001
点Q_1 X=0x2A17F8833A32795332747871B5C5E88AEFB91126C64B4B8327289BEA6259425 D18198F133F40087328B220C74497CD240586CB249E158532CB8090776CD61C Y=0x728F0C4A73B48DA41CE9258FAD26B47A6E094E9362BAE82559F83CDDC4EC3A 4676BD3707EDAF4CDE99695C664C2C28090776CD61C Y=0x728F0C47F54367F567F723CSEED=0x725
Point Q_1 X = 0x7e1fae8285e035bec244bef2d0e5ebf436633cf50e55231dea9c9cf21d4c8c33 df85d4305de92971f0a4b4c07e00d87bdbc720eb66e49079285aaf12e0171149 Y = 0x2cc89998b875d4463805ba0d858a196592db20ab161558ff2f4ef7a85725d209 53967ae621afdeae89bb77c83a2528ef6fce02f68bda4679d7f2704947dbc408 SEED = 0x0000
点Q_1 X=0x7E1FAE8285E035BEC2442D0E5EBF43633CF50E55231DEA9C9CF21D4C8C33 DF85D4305DE929710A4B4C07E00D87BDBC720EB66E4907928AAF12E00171149 Y=0x2CC89998B875D4463805BA0D858A196592DB201558FF2F7A85725D253967AE621AFDEA89BB7783A2528EF2F68BDA797F24708=0x2CC798B4708
Point Q_1 X = 0xb51adf93a40ab15792164fad3352f95b66369eb2a4ef5efae32829320363350e Y = 0x74a358cc08593612f5955d249c96afb7e8b0bb6d8bd2bbe491046650d822be18 U = 0xebe97afffe0d0f88b8b0114b8de430ac2b34564e4420af24728e7305bc48aeaa V = 0x828f2dcf8f06612b4fea4da72ca509c0f76dd37df424ea22bfa6f4f65748c1e4 SEED = 0x0001
点Q_1 X=0x74A358CC08593612F5955D249C96AFB7E8B0BB6D8BD2BB491046650D822BE18 U=0xEBE97AFFE0D0F88B014B8B014B8DE430AC2B34564E442AF24728E7305BC48AEA V=0x828F2DCF8F06612B4DA72CA509F76D37464B4EA22B4B4B4A509C076B4B4B4B4B4B4B4B4B4B4B4E7B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B4B
Point Q_1 X = 0x489c91784e02e98f19a803abca319917f37689e5a18965251ce2ff4e8d8b298f 5ba7470f9e0e713487f96f4a8397b3d09a270c9d367eb5e0e6561adeeb51581d Y = 0x684ea885aca64eaf1b3fee36c0852a3be3bd8011b0ef18e203ff87028d6eb5db 2c144a0dcc71276542bfd72ca2a43fa4f4939da66d9a60793c704a8c94e16f18 U = 0x3a3496f97e96b3849a4fa7db60fd93858bde89958e4beebd05a6b3214216b37c 9d9a560076e7ea59714828b18fbfef996ffc98bf3dc9f2d3cb0ed36a0d6ace88 V = 0x52d884c8bf0ad6c5f7b3973e32a668daa1f1ed092eff138dae6203b2ccdec561 47464d35fec4b727b2480eb143074712c76550c7a54ff3ea26f70059480dcb50 SEED = 0x0013
点Q_1 X=0x489C91784E02E98F19A03ABCA319917F37689E5A18965251CE2FF4E8D8B298F 5BA7470F9E0E713487F96F4A8397B3D09A270C9D367EB5E0E6561A581D Y=0x684EA885ACA64EAF136C0852A3BD8011EF18E203FF87028D6EB5DB 2CA7DCC71276542BFD72CA2A43FA4F469DA6660794A8U=0x3A3496F97E96B3849A4 FA7DB60FD93858BDE89958E4BD05A6B3214216B37C 9d9a560076e7ea59714828b18fbfef996ffc98bf3dc9f2d3cb0ed36a0d6ace88 V=0x52D884C8BF0AD6C5F773E32A668DAA1F1ED092FF138DAE6203CDEC56147464D35FEC4B727B280EB144712C76C5507A54FF3EA26F70059B50=0x0013种子
This protocol implementation uses the GOST R 34.11-2012 hash function (see [RFC6986]) with 256-bit output as the H function and the HMAC_GOSTR3411_2012_512 function defined in [RFC7836] as a PRF for the F function. The parameter len is considered equal to 256 if 2^254 < q < 2^256, and equal to 512 if 2^508 < q < 2^512.
该协议实现使用GOST R 34.11-2012散列函数(参见[RFC6986]),256位输出作为H函数,并使用[RFC7836]中定义的HMAC_GOSTR3411_2012_512函数作为F函数的PRF。如果2^254<q<2^256,则认为参数len等于256;如果2^508<q<2^512,则认为参数len等于512。
The test examples for the point of each curve in Appendix A.1 are given below.
附录A.1中各曲线点的试验示例如下所示。
The input protocol parameters in this example take the following values:
本例中的输入协议参数采用以下值:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0xA69D51CAF1A309FA9E9B66187759B0174C274E080356F23CFCBFE84D396AD7BB
Y = 0x5D26F29ECC2E9AC0404DCF7986FA55FE94986362170F54B9616426A659786DAC
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0xA69D51CAF1A309FA9E9B66187759B0174C274E080356F23CFCBFE84D396AD7BB
Y = 0x5D26F29ECC2E9AC0404DCF7986FA55FE94986362170F54B9616426A659786DAC
The function F(PW, salt, 2000) takes the following values:
函数F(PW,salt,2000)采用以下值:
F(PW, salt, 2000): BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
F(PW,salt,2000):BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
点Q_PW的坐标为:
X = 0x59495655D1E7C7424C622485F575CCF121F3122D274101E8AB734CC9C9A9B45E
Y = 0x48D1C311D33C9B701F3B03618562A4A07A044E3AF31E3999E67B487778B53C62
X = 0x59495655D1E7C7424C622485F575CCF121F3122D274101E8AB734CC9C9A9B45E
Y = 0x48D1C311D33C9B701F3B03618562A4A07A044E3AF31E3999E67B487778B53C62
During the calculation of u_1 on subject A, the parameter alpha, the point alpha*P, and u_1 take the following values:
在计算受试者A上的u_1时,参数alpha、点alpha*P和u_1取以下值:
alpha=0x1F2538097D5A031FA68BBB43C84D12B3DE47B7061C0D5E24993E0C873CDBA6B3
alpha*P:
X = 0xBBC77CF42DC1E62D06227935379B4AA4D14FEA4F565DDF4CB4FA4D31579F9676
Y = 0x8E16604A4AFDF28246684D4996274781F6CB80ABBBA1414C1513EC988509DABF
u_1:
X = 0x204F564383B2A76081B907F3FCA8795E806BE2C2ED228730B5B9E37074229E8D
Y = 0xE84F9E442C61DDE37B601A7F37E7CA11C56183FA071DFA9320EDE3E7521F9D41
alpha=0x1F2538097D5A031FA68BBB43C84D12B3DE47B7061C0D5E24993E0C873CDBA6B3
alpha*P:
X = 0xBBC77CF42DC1E62D06227935379B4AA4D14FEA4F565DDF4CB4FA4D31579F9676
Y = 0x8E16604A4AFDF28246684D4996274781F6CB80ABBBA1414C1513EC988509DABF
u_1:
X = 0x204F564383B2A76081B907F3FCA8795E806BE2C2ED228730B5B9E37074229E8D
Y = 0xE84F9E442C61DDE37B601A7F37E7CA11C56183FA071DFA9320EDE3E7521F9D41
When processing u_1, calculating the K_B key, and calculating u_2 on subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 take the following values:
在处理u_1、计算K_B密钥和计算主题B上的u_2时,参数beta、src、K_B=HASH(src)、beta*P和u_2采用以下值:
beta=0xDC497D9EF6324912FD367840EE509A2032AEDB1C0A890D133B45F596FCCBD45D
src:
2E 01 A3 D8 4F DB 7E 94 7B B8 92 9B E9 36 3D F5
F7 25 D6 40 1A A5 59 D4 1A 67 24 F8 D5 F1 8E 2C
A0 DB A9 31 05 CD DA F4 BF AE A3 90 6F DD 71 9D
BE B2 97 B6 A1 7F 4F BD 96 DC C7 23 EA 34 72 A9
K_B:
1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D BE 5A 56
62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3
beta*P:
X = 0x6097341C1BE388E83E7CA2DF47FAB86E2271FD942E5B7B2EB2409E49F742BC29
Y = 0xC81AA48BDB4CA6FA0EF18B9788AE25FE30857AA681B3942217F9FED151BAB7D0
u_2:
X = 0xDC137A2F1D4A35AEBC0ECBF6D3486DEF8480BFDC752A86DD4F207D7D1910E22D
Y = 0x7532F0CE99DCC772A4D77861DAE57C138F07AE304A727907FB0AAFDB624ED572
beta=0xDC497D9EF6324912FD367840EE509A2032AEDB1C0A890D133B45F596FCCBD45D
src:
2E 01 A3 D8 4F DB 7E 94 7B B8 92 9B E9 36 3D F5
F7 25 D6 40 1A A5 59 D4 1A 67 24 F8 D5 F1 8E 2C
A0 DB A9 31 05 CD DA F4 BF AE A3 90 6F DD 71 9D
BE B2 97 B6 A1 7F 4F BD 96 DC C7 23 EA 34 72 A9
K_B:
1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D BE 5A 56
62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3
beta*P:
X = 0x6097341C1BE388E83E7CA2DF47FAB86E2271FD942E5B7B2EB2409E49F742BC29
Y = 0xC81AA48BDB4CA6FA0EF18B9788AE25FE30857AA681B3942217F9FED151BAB7D0
u_2:
X = 0xDC137A2F1D4A35AEBC0ECBF6D3486DEF8480BFDC752A86DD4F207D7D1910E22D
Y = 0x7532F0CE99DCC772A4D77861DAE57C138F07AE304A727907FB0AAFDB624ED572
When processing u_2 and calculating the key on subject A, the K_A key takes the following values:
处理u_2并计算对象A上的密钥时,K_A密钥采用以下值:
K_A: 1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D BE 5A 56 62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3
K_A:1A 62 65 54 92 1D C2 E9 2B 4D D8 D6 7D 5A 56 62 E5 62 99 37 3F 06 79 95 35 AD 26 09 4E CA A3
The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) from subject A takes the following values:
来自受试者A的消息MAC|A=HMAC(K|A,0x01 | ID|u A | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_A: 23 7A 03 C3 5F 49 17 CE 86 B3 58 94 45 F1 1E 1A 6F 10 8B 2F DD 0A A9 E8 10 66 4B 25 59 60 B5 79
MAC_A:23 7A 03 C3 5F 49 17 CE 86 B3 58 94 45 F1 1E 1A 6F 10 8B 2F DD 0A A9 E8 10 66 4B 25 59 60 B5 79
The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) from subject B takes the following values:
来自主体B的消息MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_B: 9E E0 E8 73 3B 06 98 50 80 4D 97 98 73 1D CD 1C FF E8 7A 3B 15 1F 0A E8 3E A9 6A FB 4F FC 31 E4
MAC_B:9E E0 E8 73 3B 06 98 50 80 4D 97 98 73 1D CD 1C FF E8 7A 3B 15 1F 0A E8 3E A9 6A FB 4F FC 31 E4
The input protocol parameters in this example take the following values:
本例中的输入协议参数采用以下值:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x3D715A874A4B17CB3B517893A9794A2B36C89D2FFC693F01EE4CC27E7F49E399
Y = 0x1C5A641FCF7CE7E87CDF8CEA38F3DB3096EACE2FAD158384B53953365F4FE7FE
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x3D715A874A4B17CB3B517893A9794A2B36C89D2FFC693F01EE4CC27E7F49E399
Y = 0x1C5A641FCF7CE7E87CDF8CEA38F3DB3096EACE2FAD158384B53953365F4FE7FE
The function F(PW, salt, 2000) takes the following values:
函数F(PW,salt,2000)采用以下值:
F(PW, salt, 2000): BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
F(PW,salt,2000):BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
点Q_PW的坐标为:
X = 0x6DC2AE26BC691FCA5A73D9C452790D15E34BA5404D92955B914C8D2662ABB985
Y = 0x3B02AAA9DD65AE30C335CED12F3154BBAC059F66B088306747453EDF6E5DB077
X = 0x6DC2AE26BC691FCA5A73D9C452790D15E34BA5404D92955B914C8D2662ABB985
Y = 0x3B02AAA9DD65AE30C335CED12F3154BBAC059F66B088306747453EDF6E5DB077
During the calculation of u_1 on subject A, the parameter alpha, the point alpha*P, and u_1 take the following values:
在计算受试者A上的u_1时,参数alpha、点alpha*P和u_1取以下值:
alpha=0x499D72B90299CAB0DA1F8BE19D9122F622A13B32B730C46BD0664044F2144FAD
alpha*P:
X = 0x61D6F916DB717222D74877F179F7EBEF7CD4D24D8C1F523C048E34A1DF30F8DD
Y = 0x3EC48863049CFCFE662904082E78503F4973A4E105E2F1B18C69A5E7FB209000
u_1:
X = 0x21F5437AF33D2A1171A070226B4AE82D3765CD0EEBFF1ECEFE158EBC50C63AB1
Y = 0x5C9553B5D11AAAECE738AD9A9F8CB4C100AD4FA5E089D3CBCCEA8C0172EB7ECC
alpha=0x499D72B90299CAB0DA1F8BE19D9122F622A13B32B730C46BD0664044F2144FAD
alpha*P:
X = 0x61D6F916DB717222D74877F179F7EBEF7CD4D24D8C1F523C048E34A1DF30F8DD
Y = 0x3EC48863049CFCFE662904082E78503F4973A4E105E2F1B18C69A5E7FB209000
u_1:
X = 0x21F5437AF33D2A1171A070226B4AE82D3765CD0EEBFF1ECEFE158EBC50C63AB1
Y = 0x5C9553B5D11AAAECE738AD9A9F8CB4C100AD4FA5E089D3CBCCEA8C0172EB7ECC
When processing u_1, calculating the K_B key, and calculating u_2 on subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 take the following values:
在处理u_1、计算K_B密钥和计算主题B上的u_2时,参数beta、src、K_B=HASH(src)、beta*P和u_2采用以下值:
beta=0x0F69FF614957EF83668EDC2D7ED614BE76F7B253DB23C5CC9C52BF7DF8F4669D
src:
50 14 0A 5D ED 33 43 EF C8 25 7B 79 E6 46 D9 F0
DF 43 82 8C 04 91 9B D4 60 C9 7A D1 4B A3 A8 6B
00 C4 06 B5 74 4D 8E B1 49 DC 8E 7F C8 40 64 D8
53 20 25 3E 57 A9 B6 B1 3D 0D 38 FE A8 EE 5E 0A
K_B:
A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89
68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A
beta*P:
X = 0x33BC6F7E9C0BA10CFB2B72546C327171295508EA97F8C8BA9F890F2478AB4D6C
Y = 0x75D57B396C396F492F057E9222CCC686437A2AAD464E452EF426FC8EEED1A4A6
u_2:
X = 0x089DDEE718EE8A224A7F37E22CFFD731C25FCBF58860364EE322412CDCEF99AC
Y = 0x0ECE03D4E395A6354C571871BEF425A532D5D463B0F8FD427F91A43E20CDA55C
beta=0x0F69FF614957EF83668EDC2D7ED614BE76F7B253DB23C5CC9C52BF7DF8F4669D
src:
50 14 0A 5D ED 33 43 EF C8 25 7B 79 E6 46 D9 F0
DF 43 82 8C 04 91 9B D4 60 C9 7A D1 4B A3 A8 6B
00 C4 06 B5 74 4D 8E B1 49 DC 8E 7F C8 40 64 D8
53 20 25 3E 57 A9 B6 B1 3D 0D 38 FE A8 EE 5E 0A
K_B:
A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89
68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A
beta*P:
X = 0x33BC6F7E9C0BA10CFB2B72546C327171295508EA97F8C8BA9F890F2478AB4D6C
Y = 0x75D57B396C396F492F057E9222CCC686437A2AAD464E452EF426FC8EEED1A4A6
u_2:
X = 0x089DDEE718EE8A224A7F37E22CFFD731C25FCBF58860364EE322412CDCEF99AC
Y = 0x0ECE03D4E395A6354C571871BEF425A532D5D463B0F8FD427F91A43E20CDA55C
When processing u_2 and calculating the key on subject A, the K_A key takes the following values:
处理u_2并计算对象A上的密钥时,K_A密钥采用以下值:
K_A: A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89 68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A
K_A:A6 26 DE 01 B1 68 0F F7 51 30 09 12 2B CE E1 89 68 83 39 4F 96 03 01 72 45 5C 9A E0 60 CC E4 4A
The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) from subject A takes the following values:
来自受试者A的消息MAC|A=HMAC(K|A,0x01 | ID|u A | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_A: B9 1F 43 90 2A FA 90 D3 E5 C6 91 CB DC 43 8A 1E BF 54 7F 4C 2C B4 14 43 CC 38 79 7B E2 47 A7 D0
MAC_A:B9 1F 43 90 2A FA 90 D3 E5 C6 91 CB DC 43 8A 1E BF 54 7F 4C 2C B4 14 43 CC 38 79 7B E2 47 A7 D0
The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) from subject B takes the following values:
来自主体B的消息MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_B: 79 D5 54 83 FD 99 B1 2B CC A5 ED C6 BB E1 D7 B9 15 CE 04 51 B0 89 1E 77 5D 4A 61 CB 16 E3 3F CC
MAC_B:79 D5 54 83 FD 99 B1 2B CC A5 ED C6 BB E1 D7 B9 15 CE 04 51 B0 89 1E 77 5D 4A 61 CB 16 E3 3F CC
The input protocol parameters in this example take the following values:
本例中的输入协议参数采用以下值:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x1E36383E43BB6CFA2917167D71B7B5DD3D6D462B43D7C64282AE67DFBEC2559D
Y = 0x137478A9F721C73932EA06B45CF72E37EB78A63F29A542E563C614650C8B6399
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x1E36383E43BB6CFA2917167D71B7B5DD3D6D462B43D7C64282AE67DFBEC2559D
Y = 0x137478A9F721C73932EA06B45CF72E37EB78A63F29A542E563C614650C8B6399
The function F(PW, salt, 2000) takes the following values:
函数F(PW,salt,2000)采用以下值:
F(PW, salt, 2000): BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
F(PW,salt,2000):BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
点Q_PW的坐标为:
X = 0x945821DAF91E158B839939630655A3B21FF3E146D27041E86C05650EB3B46B59
Y = 0x3A0C2816AC97421FA0E879605F17F0C9C3EB734CFF196937F6284438D70BDC48
X = 0x945821DAF91E158B839939630655A3B21FF3E146D27041E86C05650EB3B46B59
Y = 0x3A0C2816AC97421FA0E879605F17F0C9C3EB734CFF196937F6284438D70BDC48
During the calculation of u_1 on subject A, the parameter alpha, the point alpha*P, and u_1 take the following values:
在计算受试者A上的u_1时,参数alpha、点alpha*P和u_1取以下值:
alpha=0x3A54AC3F19AD9D0B1EAC8ACDCEA70E581F1DAC33D13FEAFD81E762378639C1A8
alpha*P:
X = 0x96B7F09C94D297C257A7DA48364C0076E59E48D221CBA604AE111CA3933B446A
Y = 0x54E4953D86B77ECCEB578500931E822300F7E091F79592CA202A020D762C34A6
u_1:
X = 0x81BBD6FCA464D2E2404A66D786CE4A777E739A89AEB68C2DAC99D53273B75387
Y = 0x6B6DBD922EA7E060998F8B230AB6EF07AD2EC86B2BF66391D82A30612EADD411
alpha=0x3A54AC3F19AD9D0B1EAC8ACDCEA70E581F1DAC33D13FEAFD81E762378639C1A8
alpha*P:
X = 0x96B7F09C94D297C257A7DA48364C0076E59E48D221CBA604AE111CA3933B446A
Y = 0x54E4953D86B77ECCEB578500931E822300F7E091F79592CA202A020D762C34A6
u_1:
X = 0x81BBD6FCA464D2E2404A66D786CE4A777E739A89AEB68C2DAC99D53273B75387
Y = 0x6B6DBD922EA7E060998F8B230AB6EF07AD2EC86B2BF66391D82A30612EADD411
When processing u_1, calculating the K_B key, and calculating u_2 on subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 take the following values:
在处理u_1、计算K_B密钥和计算主题B上的u_2时,参数beta、src、K_B=HASH(src)、beta*P和u_2采用以下值:
beta=0x448781782BF7C0E52A1DD9E6758FD3482D90D3CFCCF42232CF357E59A4D49FD4
src:
16 A1 2D 88 54 7E 1C 90 06 BA A0 08 E8 CB EC C9
D1 68 91 ED C8 36 CF B7 5F 8E B9 56 FA 76 11 94
D2 8E 25 DA D3 81 8D 16 3C 49 4B 05 9A 8C 70 A5
A1 B8 8A 7F 80 A2 EE 35 49 30 18 46 54 2C 47 0B
K_B:
BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72
CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE
beta*P:
X = 0x4B9C0AB55A938121F282F48A2CC4396EB16E7E0068B495B0C1DD4667786A3EB7
Y = 0x223460AA8E09383E9DF9844C5A0F2766484738E5B30128A171B69A77D9509B96
u_2:
X = 0x2ED9B903254003A672E89EBEBC9E31503726AD124BB5FC0A726EE0E6FCCE323E
Y = 0x4CF5E1042190120391EC8DB62FE25E9E26EC60FB0B78B242199839C295FCD022
beta=0x448781782BF7C0E52A1DD9E6758FD3482D90D3CFCCF42232CF357E59A4D49FD4
src:
16 A1 2D 88 54 7E 1C 90 06 BA A0 08 E8 CB EC C9
D1 68 91 ED C8 36 CF B7 5F 8E B9 56 FA 76 11 94
D2 8E 25 DA D3 81 8D 16 3C 49 4B 05 9A 8C 70 A5
A1 B8 8A 7F 80 A2 EE 35 49 30 18 46 54 2C 47 0B
K_B:
BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72
CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE
beta*P:
X = 0x4B9C0AB55A938121F282F48A2CC4396EB16E7E0068B495B0C1DD4667786A3EB7
Y = 0x223460AA8E09383E9DF9844C5A0F2766484738E5B30128A171B69A77D9509B96
u_2:
X = 0x2ED9B903254003A672E89EBEBC9E31503726AD124BB5FC0A726EE0E6FCCE323E
Y = 0x4CF5E1042190120391EC8DB62FE25E9E26EC60FB0B78B242199839C295FCD022
When processing u_2 and calculating the key on subject A, the K_A key takes the following values:
处理u_2并计算对象A上的密钥时,K_A密钥采用以下值:
K_A: BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72 CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE
K_A:BE 7E 7E 47 B4 11 16 F2 C7 7E 3B 8F CE 40 30 72 CA 82 45 0D 65 DE FC 71 A9 56 49 E4 DE EA EC EE
The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) from subject A takes the following values:
来自受试者A的消息MAC|A=HMAC(K|A,0x01 | ID|u A | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_A: D3 B4 1A E2 C9 43 11 36 06 3E 6D 08 A6 1B E9 63 BD 5E D6 A1 FF F9 37 FA 8B 09 0A 98 E1 62 BF ED
MAC_A:D3 B4 1A E2 C9 43 11 36 06 3E 6D 08 A6 1B E9 63 BD 5E D6 A1 FF F9 37 FA 8B 09 0A 98 E1 62 BF ED
The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) from subject B takes the following values:
来自主体B的消息MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_B: D6 B3 9A 44 99 BE D3 E0 4F AC F9 55 50 2D 16 B2 CB 67 4A 20 5F AC 3C D8 3D 54 EC 2F D5 FC E2 58
MAC_B:D6 B3 9A 44 99 BE D3 E0 4F AC F9 55 50 2D 16 B2 CB 67 4A 20 5F AC 3C D8 3D 54 EC 2F D5 FC E2 58
The input protocol parameters in this example take the following values:
本例中的输入协议参数采用以下值:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x2A17F8833A32795327478871B5C5E88AEFB91126C64B4B8327289BEA62559425
D18198F133F400874328B220C74497CD240586CB249E158532CB8090776CD61C
Y = 0x728F0C4A73B48DA41CE928358FAD26B47A6E094E9362BAE82559F83CDDC4EC3A
4676BD3707EDEAF4CD85E99695C64C241EDC622BE87DC0CF87F51F4367F723C5
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x2A17F8833A32795327478871B5C5E88AEFB91126C64B4B8327289BEA62559425
D18198F133F400874328B220C74497CD240586CB249E158532CB8090776CD61C
Y = 0x728F0C4A73B48DA41CE928358FAD26B47A6E094E9362BAE82559F83CDDC4EC3A
4676BD3707EDEAF4CD85E99695C64C241EDC622BE87DC0CF87F51F4367F723C5
The function F(PW, salt, 2000) takes the following values:
函数F(PW,salt,2000)采用以下值:
F(PW, salt, 2000): BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02
F(PW,salt,2000):BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 EE 60 D2 00 52 0D 69 5D FD 9F 0F D5 AB A7 02
The coordinates of the point Q_PW are:
点Q_PW的坐标为:
X = 0x0C0AB53D0E0A9C607CAD758F558915A0A7DC5DC87B45E9A58FDDF30EC3385960
283E030CD322D9E46B070637785FD49D2CD711F46807A24C40AF9A42C8E2D740
Y = 0xDF93A8012B86D3A3D4F8A4D487DA15FC739EB31B20B3B0E8C8C032AAF8072C63
37CF7D5B404719E5B4407C41D9A3216A08CA69C271484E9ED72B8AAA52E28B8B
X = 0x0C0AB53D0E0A9C607CAD758F558915A0A7DC5DC87B45E9A58FDDF30EC3385960
283E030CD322D9E46B070637785FD49D2CD711F46807A24C40AF9A42C8E2D740
Y = 0xDF93A8012B86D3A3D4F8A4D487DA15FC739EB31B20B3B0E8C8C032AAF8072C63
37CF7D5B404719E5B4407C41D9A3216A08CA69C271484E9ED72B8AAA52E28B8B
During the calculation of u_1 on subject A, the parameter alpha, the point alpha*P, and u_1 take the following values:
在计算受试者A上的u_1时,参数alpha、点alpha*P和u_1取以下值:
alpha=0x3CE54325DB52FE798824AEAD11BB16FA766857D04A4AF7D468672F16D90E7396
046A46F815693E85B1CE5464DA9270181F82333B0715057BBE8D61D400505F0E
alpha*P:
X = 0xB93093EB0FCC463239B7DF276E09E592FCFC9B635504EA4531655D76A0A3078E
2B4E51CFE2FA400CC5DE9FBE369DB204B3E8ED7EDD85EE5CCA654C1AED70E396
Y = 0x809770B8D910EA30BD2FA89736E91DC31815D2D9B31128077EEDC371E9F69466
F497DC64DD5B1FADC587F860EE256109138C4A9CD96B628E65A8F590520FC882
u_1:
X = 0xE7510A9EDD37B869566C81052E2515E1563FDFE79F1D782D6200F33C3CC2764D
40D0070B73AD5A47BAE9A8F2289C1B07DAC26A1A2FF9D3ECB0A8A94A4F179F13
Y = 0xBA333B912570777B626A5337BC7F727952460EEBA2775707FE4537372E902DF5
636080B25399751BF48FB154F3C2319A91857C23F39F89EF54A8F043853F82DE
alpha=0x3CE54325DB52FE798824AEAD11BB16FA766857D04A4AF7D468672F16D90E7396
046A46F815693E85B1CE5464DA9270181F82333B0715057BBE8D61D400505F0E
alpha*P:
X = 0xB93093EB0FCC463239B7DF276E09E592FCFC9B635504EA4531655D76A0A3078E
2B4E51CFE2FA400CC5DE9FBE369DB204B3E8ED7EDD85EE5CCA654C1AED70E396
Y = 0x809770B8D910EA30BD2FA89736E91DC31815D2D9B31128077EEDC371E9F69466
F497DC64DD5B1FADC587F860EE256109138C4A9CD96B628E65A8F590520FC882
u_1:
X = 0xE7510A9EDD37B869566C81052E2515E1563FDFE79F1D782D6200F33C3CC2764D
40D0070B73AD5A47BAE9A8F2289C1B07DAC26A1A2FF9D3ECB0A8A94A4F179F13
Y = 0xBA333B912570777B626A5337BC7F727952460EEBA2775707FE4537372E902DF5
636080B25399751BF48FB154F3C2319A91857C23F39F89EF54A8F043853F82DE
When processing u_1, calculating the K_B key, and calculating u_2 on subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 take the following values:
在处理u_1、计算K_B密钥和计算主题B上的u_2时,参数beta、src、K_B=HASH(src)、beta*P和u_2采用以下值:
beta=0xB5C286A79AA8E97EC0E19BC1959A1D15F12F8C97870BA9D68CC12811A56A3BB1
1440610825796A49D468CDC9C2D02D76598A27973D5960C5F50BCE28D8D345F4
src:
84 59 C2 0C B5 C5 32 41 6D B9 28 EB 50 C0 52 0F
B2 1B 9C D3 9A 4E 76 06 B2 21 BE 15 CA 1D 02 DA
08 15 DE C4 49 79 C0 8C 7D 23 07 AF 24 7D DA 1F
89 EC 81 20 69 F5 D9 CD E3 06 AF F0 BC 3F D2 6E
D2 01 B9 53 52 A2 56 06 B6 43 E8 88 30 2E FC 8D
3E 95 1E 3E B4 68 4A DB 5C 05 7B 8F 8C 89 B6 CC
0D EE D1 00 06 5B 51 8A 1C 71 7F 76 82 FF 61 2B
BC 79 8E C7 B2 49 0F B7 00 3F 94 33 87 37 1C 1D
K_B:
53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C
51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A
beta*P:
X = 0x238B38644E440452A99FA6B93D9FD7DA0CB83C32D3C1E3CFE5DF5C3EB0F9DB91
E588DAEDC849EA2FB867AE855A21B4077353C0794716A6480995113D8C20C7AF
Y = 0xB2273D5734C1897F8D15A7008B862938C8C74CA7E877423D95243EB7EBD02FD2
C456CF9FC956F078A59AA86F19DD1075E5167E4ED35208718EA93161C530ED14
u_2:
X = 0xC33844126216E81B372001E77C1FE9C7547F9223CF7BB865C4472EC18BE0C79A
678CC5AE4028E3F3620CCE355514F1E589F8A0C433CEAFCBD2EE87884D953411
Y = 0x8B520D083AAF257E8A54EC90CBADBAF4FEED2C2D868C82FF04FCBB9EF6F38E56
F6BAF9472D477414DA7E36F538ED223D2E2EE02FAE1A20A98C5A9FCF03B6F30D
beta=0xB5C286A79AA8E97EC0E19BC1959A1D15F12F8C97870BA9D68CC12811A56A3BB1
1440610825796A49D468CDC9C2D02D76598A27973D5960C5F50BCE28D8D345F4
src:
84 59 C2 0C B5 C5 32 41 6D B9 28 EB 50 C0 52 0F
B2 1B 9C D3 9A 4E 76 06 B2 21 BE 15 CA 1D 02 DA
08 15 DE C4 49 79 C0 8C 7D 23 07 AF 24 7D DA 1F
89 EC 81 20 69 F5 D9 CD E3 06 AF F0 BC 3F D2 6E
D2 01 B9 53 52 A2 56 06 B6 43 E8 88 30 2E FC 8D
3E 95 1E 3E B4 68 4A DB 5C 05 7B 8F 8C 89 B6 CC
0D EE D1 00 06 5B 51 8A 1C 71 7F 76 82 FF 61 2B
BC 79 8E C7 B2 49 0F B7 00 3F 94 33 87 37 1C 1D
K_B:
53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C
51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A
beta*P:
X = 0x238B38644E440452A99FA6B93D9FD7DA0CB83C32D3C1E3CFE5DF5C3EB0F9DB91
E588DAEDC849EA2FB867AE855A21B4077353C0794716A6480995113D8C20C7AF
Y = 0xB2273D5734C1897F8D15A7008B862938C8C74CA7E877423D95243EB7EBD02FD2
C456CF9FC956F078A59AA86F19DD1075E5167E4ED35208718EA93161C530ED14
u_2:
X = 0xC33844126216E81B372001E77C1FE9C7547F9223CF7BB865C4472EC18BE0C79A
678CC5AE4028E3F3620CCE355514F1E589F8A0C433CEAFCBD2EE87884D953411
Y = 0x8B520D083AAF257E8A54EC90CBADBAF4FEED2C2D868C82FF04FCBB9EF6F38E56
F6BAF9472D477414DA7E36F538ED223D2E2EE02FAE1A20A98C5A9FCF03B6F30D
When processing u_2 and calculating the key on subject A, the K_A key takes the following values:
处理u_2并计算对象A上的密钥时,K_A密钥采用以下值:
K_A: 53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C 51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A
K_A:53 24 DE F8 48 B6 63 CC 26 42 2F 5E 45 EE C3 4C 51 D2 43 61 B1 65 60 CA 58 A3 D3 28 45 86 CB 7A
The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) from subject A takes the following values:
来自受试者A的消息MAC|A=HMAC(K|A,0x01 | ID|u A | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_A: E8 EF 9E A8 F1 E6 B1 26 68 E5 8C D2 2D D8 EE C6 4A 16 71 00 39 FA A6 B6 03 99 22 20 FA FE 56 14
MAC_A:E8 EF 9E A8 F1 E6 B1 26 68 E5 8C D2 2D D8 EE C6 4A 16 71 00 39 FA A6 B6 03 99 22 20 FA FE 56 14
The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) from subject B takes the following values:
来自主体B的消息MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_B: 61 14 34 60 83 6B 23 5C EC D0 B4 9B 58 7E A4 5D 51 3C 3A 38 78 3F 1C 9D 3B 05 97 0A 95 6A 55 BA
MAC_B:61 14 34 60 83 6B 23 5C EC D0 B4 9B 58 7E A4 5D 51 3C 3A 38 78 3F 1C 9D 3B 05 97 0A 95 6A 55 BA
The input protocol parameters in this example take the following values:
本例中的输入协议参数采用以下值:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x7E1FAE8285E035BEC244BEF2D0E5EBF436633CF50E55231DEA9C9CF21D4C8C33
DF85D4305DE92971F0A4B4C07E00D87BDBC720EB66E49079285AAF12E0171149
Y = 0x2CC89998B875D4463805BA0D858A196592DB20AB161558FF2F4EF7A85725D209
53967AE621AFDEAE89BB77C83A2528EF6FCE02F68BDA4679D7F2704947DBC408
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x7E1FAE8285E035BEC244BEF2D0E5EBF436633CF50E55231DEA9C9CF21D4C8C33
DF85D4305DE92971F0A4B4C07E00D87BDBC720EB66E49079285AAF12E0171149
Y = 0x2CC89998B875D4463805BA0D858A196592DB20AB161558FF2F4EF7A85725D209
53967AE621AFDEAE89BB77C83A2528EF6FCE02F68BDA4679D7F2704947DBC408
The function F(PW, salt, 2000) takes the following values:
函数F(PW,salt,2000)采用以下值:
F(PW, salt, 2000): BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02
F(PW,salt,2000):BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 EE 60 D2 00 52 0D 69 5D FD 9F 0F D5 AB A7 02
The coordinates of the point Q_PW are:
点Q_PW的坐标为:
X = 0x7D03E65B8050D1E12CBB601A17B9273B0E728F5021CD47C8A4DD822E4627BA5F
9C696286A2CDDA9A065509866B4DEDEDC4A118409604AD549F87A60AFA621161
Y = 0x16037DAD45421EC50B00D50BDC6AC3B85348BC1D3A2F85DB27C3373580FEF87C
2C743B7ED30F22BE22958044E716F93A61CA3213A361A2797A16A3AE62957377
X = 0x7D03E65B8050D1E12CBB601A17B9273B0E728F5021CD47C8A4DD822E4627BA5F
9C696286A2CDDA9A065509866B4DEDEDC4A118409604AD549F87A60AFA621161
Y = 0x16037DAD45421EC50B00D50BDC6AC3B85348BC1D3A2F85DB27C3373580FEF87C
2C743B7ED30F22BE22958044E716F93A61CA3213A361A2797A16A3AE62957377
During the calculation of u_1 on subject A, the parameter alpha, the point alpha*P, and u_1 take the following values:
在计算受试者A上的u_1时,参数alpha、点alpha*P和u_1取以下值:
alpha=0x715E893FA639BF341296E0623E6D29DADF26B163C278767A7982A989462A3863
FE12AEF8BD403D59C4DC4720570D4163DB0805C7C10C4E818F9CB785B04B9997
alpha*P:
X = 0x10C479EA1C04D3C2C02B0576A9C42D96226FF033C1191436777F66916030D87D
02FB93738ED7669D07619FFCE7C1F3C4DB5E5DF49E2186D6FA1E2EB5767602B9
Y = 0x039F6044191404E707F26D59D979136A831CCE43E1C5F0600D1DDF8F39D0CA3D
52FBD943BF04DDCED1AA2CE8F5EBD7487ACDEF239C07D015084D796784F35436
u_1:
X = 0x45C05CCE8290762F2470B719B4306D62B2911CEB144F7F72EF11D10498C7E921
FF163FE72044B4E7332AD8CBEC3C12117820F53A60762315BCEB5BC6DA5CF1E0
Y = 0x5BE483E382D0F5F0748C4F6A5045D99E62755B5ACC9554EC4A5B2093E121A2DD
5C6066BC9EDE39373BA19899208BB419E38B39BBDEDEB0B09A5CAAEAA984D02E
alpha=0x715E893FA639BF341296E0623E6D29DADF26B163C278767A7982A989462A3863
FE12AEF8BD403D59C4DC4720570D4163DB0805C7C10C4E818F9CB785B04B9997
alpha*P:
X = 0x10C479EA1C04D3C2C02B0576A9C42D96226FF033C1191436777F66916030D87D
02FB93738ED7669D07619FFCE7C1F3C4DB5E5DF49E2186D6FA1E2EB5767602B9
Y = 0x039F6044191404E707F26D59D979136A831CCE43E1C5F0600D1DDF8F39D0CA3D
52FBD943BF04DDCED1AA2CE8F5EBD7487ACDEF239C07D015084D796784F35436
u_1:
X = 0x45C05CCE8290762F2470B719B4306D62B2911CEB144F7F72EF11D10498C7E921
FF163FE72044B4E7332AD8CBEC3C12117820F53A60762315BCEB5BC6DA5CF1E0
Y = 0x5BE483E382D0F5F0748C4F6A5045D99E62755B5ACC9554EC4A5B2093E121A2DD
5C6066BC9EDE39373BA19899208BB419E38B39BBDEDEB0B09A5CAAEAA984D02E
When processing u_1, calculating the K_B key, and calculating u_2 on subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 take the following values:
在处理u_1、计算K_B密钥和计算主题B上的u_2时,参数beta、src、K_B=HASH(src)、beta*P和u_2采用以下值:
beta=0x30FA8C2B4146C2DBBE82BED04D7378877E8C06753BD0A0FF71EBF2BEFE8DA8F3
DC0836468E2CE7C5C961281B6505140F8407413F03C2CB1D201EA1286CE30E6D
src:
3F 04 02 E4 0A 9D 59 63 20 5B CD F4 FD 89 77 91
9B BA F4 80 F8 E4 FB D1 25 5A EC E6 ED 57 26 4B
D0 A2 87 98 4F 59 D1 02 04 B5 F4 5E 4D 77 F3 CF
8A 63 B3 1B EB 2D F5 9F 8A F7 3C 20 9C CA 8B 50
B4 18 D8 01 E4 90 AE 13 3F 04 F4 F3 F4 D8 FE 8E
19 64 6A 1B AF 44 D2 36 FC C2 1B 7F 4D 8F C6 A1
E2 9D 6B 69 AC CE ED 4E 62 AB B2 0D AD 78 AC F4
FE B0 ED 83 8E D9 1E 92 12 AB A3 89 71 4E 56 0C
K_B:
D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29
A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9
beta*P:
X = 0x34C0149E7BB91AE377B02573FCC48AF7BFB7B16DEB8F9CE870F384688E3241A3
A868588CC0EF4364CCA67D17E3260CD82485C202ADC76F895D5DF673B1788E67
Y = 0x608E944929BD643569ED5189DB871453F13333A1EAF82B2FE1BE8100E775F13D
D9925BD317B63BFAF05024D4A738852332B64501195C1B2EF789E34F23DDAFC5
u_2:
X = 0x0535F95463444C4594B5A2E14B35760491C670925060B4BEBC97DE3A3076D1A5
81F89026E04282B040925D9250201024ACA4B2713569B6C3916A6F3344B840AD
Y = 0x40E6C2E55AEC31E7BCB6EA0242857FC6DFB5409803EDF4CA20141F72CC3C7988
706E076765F4F004340E5294A7F8E53BA59CB67502F0044558C854A7D63FE900
beta=0x30FA8C2B4146C2DBBE82BED04D7378877E8C06753BD0A0FF71EBF2BEFE8DA8F3
DC0836468E2CE7C5C961281B6505140F8407413F03C2CB1D201EA1286CE30E6D
src:
3F 04 02 E4 0A 9D 59 63 20 5B CD F4 FD 89 77 91
9B BA F4 80 F8 E4 FB D1 25 5A EC E6 ED 57 26 4B
D0 A2 87 98 4F 59 D1 02 04 B5 F4 5E 4D 77 F3 CF
8A 63 B3 1B EB 2D F5 9F 8A F7 3C 20 9C CA 8B 50
B4 18 D8 01 E4 90 AE 13 3F 04 F4 F3 F4 D8 FE 8E
19 64 6A 1B AF 44 D2 36 FC C2 1B 7F 4D 8F C6 A1
E2 9D 6B 69 AC CE ED 4E 62 AB B2 0D AD 78 AC F4
FE B0 ED 83 8E D9 1E 92 12 AB A3 89 71 4E 56 0C
K_B:
D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29
A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9
beta*P:
X = 0x34C0149E7BB91AE377B02573FCC48AF7BFB7B16DEB8F9CE870F384688E3241A3
A868588CC0EF4364CCA67D17E3260CD82485C202ADC76F895D5DF673B1788E67
Y = 0x608E944929BD643569ED5189DB871453F13333A1EAF82B2FE1BE8100E775F13D
D9925BD317B63BFAF05024D4A738852332B64501195C1B2EF789E34F23DDAFC5
u_2:
X = 0x0535F95463444C4594B5A2E14B35760491C670925060B4BEBC97DE3A3076D1A5
81F89026E04282B040925D9250201024ACA4B2713569B6C3916A6F3344B840AD
Y = 0x40E6C2E55AEC31E7BCB6EA0242857FC6DFB5409803EDF4CA20141F72CC3C7988
706E076765F4F004340E5294A7F8E53BA59CB67502F0044558C854A7D63FE900
When processing u_2 and calculating the key on subject A, the K_A key takes the following values:
处理u_2并计算对象A上的密钥时,K_A密钥采用以下值:
K_A: D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29 A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9
K_A:D5 90 E0 5E F5 AE CE 8B 7C FB FC 71 BE 45 5F 29 A5 CC 66 6F 85 CD B1 7E 7C C7 16 C5 9F F1 70 E9
The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) from subject A takes the following values:
来自受试者A的消息MAC|A=HMAC(K|A,0x01 | ID|u A | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_A: DE 46 BB 4C 8C E0 8A 6E F3 B8 DF AC CC 1A 39 B0 8D 8C 27 B6 CB 0F CF 59 23 86 A6 48 F4 E5 BD 8C
MAC_A:DE 46 BB 4C 8C E0 8A 6E F3 B8 DF AC CC 1A 39 B0 8D 8C 27 B6 CB 0F CF 59 23 86 A6 48 F4 E5 BD 8C
The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) from subject B takes the following values:
来自主体B的消息MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_B: EC B1 1D E2 06 1C 55 F1 D1 14 59 CB 51 CE 31 40 99 99 99 2F CA A1 22 2F B1 4F CE AB 96 EE 7A AC
MAC_B:EC B1 1D E2 06 1C 55 F1 D1 14 59 CB 51 CE 31 40 99 99 2 F CA A1 22 2 F B1 4F CE AB 96 EE 7A AC
The input protocol parameters in this example take the following values:
本例中的输入协议参数采用以下值:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0xB51ADF93A40AB15792164FAD3352F95B66369EB2A4EF5EFAE32829320363350E
Y = 0x74A358CC08593612F5955D249C96AFB7E8B0BB6D8BD2BBE491046650D822BE18
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0xB51ADF93A40AB15792164FAD3352F95B66369EB2A4EF5EFAE32829320363350E
Y = 0x74A358CC08593612F5955D249C96AFB7E8B0BB6D8BD2BBE491046650D822BE18
The function F(PW, salt, 2000) takes the following values:
函数F(PW,salt,2000)采用以下值:
F(PW, salt, 2000): BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
F(PW,salt,2000):BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67
The coordinates of the point Q_PW are:
点Q_PW的坐标为:
X = 0xDBF99827078956812FA48C6E695DF589DEF1D18A2D4D35A96D75BF6854237629
Y = 0x9FDDD48BFBC57BEE1DA0CFF282884F284D471B388893C48F5ECB02FC18D67589
X = 0xDBF99827078956812FA48C6E695DF589DEF1D18A2D4D35A96D75BF6854237629
Y = 0x9FDDD48BFBC57BEE1DA0CFF282884F284D471B388893C48F5ECB02FC18D67589
During the calculation of u_1 on subject A, the parameter alpha, the point alpha*P, and u_1 take the following values:
在计算受试者A上的u_1时,参数alpha、点alpha*P和u_1取以下值:
alpha=0x147B72F6684FB8FD1B418A899F7DBECAF5FCE60B13685BAA95328654A7F0707F
alpha*P:
X = 0x33FBAC14EAE538275A769417829C431BD9FA622B6F02427EF55BD60EE6BC2888
Y = 0x22F2EBCF960A82E6CDB4042D3DDDA511B2FBA925383C2273D952EA2D406EAE46
u_1:
X = 0xE569AB544E3A13C41077DE97D659A1B7A13F61DDD808B633A5621FE2583A2C43
Y = 0xA21A743A08F4D715661297ECD6F86553A808925BF34802BF7EC34C548A40B2C0
alpha=0x147B72F6684FB8FD1B418A899F7DBECAF5FCE60B13685BAA95328654A7F0707F
alpha*P:
X = 0x33FBAC14EAE538275A769417829C431BD9FA622B6F02427EF55BD60EE6BC2888
Y = 0x22F2EBCF960A82E6CDB4042D3DDDA511B2FBA925383C2273D952EA2D406EAE46
u_1:
X = 0xE569AB544E3A13C41077DE97D659A1B7A13F61DDD808B633A5621FE2583A2C43
Y = 0xA21A743A08F4D715661297ECD6F86553A808925BF34802BF7EC34C548A40B2C0
When processing u_1, calculating the K_B key, and calculating u_2 on subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 take the following values:
在处理u_1、计算K_B密钥和计算主题B上的u_2时,参数beta、src、K_B=HASH(src)、beta*P和u_2采用以下值:
beta=0x30D5CFADAA0E31B405E6734C03EC4C5DF0F02F4BA25C9A3B320EE6453567B4CB
src:
A3 39 A0 B8 9C EF 1A 6F FD 4C A1 28 04 9E 06 84
DF 4A 97 75 B6 89 A3 37 84 1B F7 D7 91 20 7F 35
11 86 28 F7 28 8E AA 0F 7E C8 1D A2 0A 24 FF 1E
69 93 C6 3D 9D D2 6A 90 B7 4D D1 A2 66 28 06 63
K_B:
7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B
C1 91 65 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27
beta*P:
X = 0x2B2D89FAB735433970564F2F28CFA1B57D640CB902BC6334A538F44155022CB2
Y = 0x10EF6A82EEF1E70F942AA81D6B4CE5DEC0DDB9447512962874870E6F2849A96F
u_2:
X = 0x190D2F283F7E861065DB53227D7FBDF429CEBF93791262CB29569BDF63C86CA4
Y = 0xB3F1715721E9221897CCDE046C9B843A8386DBF7818A112F15A02BC820AC8F6D
beta=0x30D5CFADAA0E31B405E6734C03EC4C5DF0F02F4BA25C9A3B320EE6453567B4CB
src:
A3 39 A0 B8 9C EF 1A 6F FD 4C A1 28 04 9E 06 84
DF 4A 97 75 B6 89 A3 37 84 1B F7 D7 91 20 7F 35
11 86 28 F7 28 8E AA 0F 7E C8 1D A2 0A 24 FF 1E
69 93 C6 3D 9D D2 6A 90 B7 4D D1 A2 66 28 06 63
K_B:
7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B
C1 91 65 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27
beta*P:
X = 0x2B2D89FAB735433970564F2F28CFA1B57D640CB902BC6334A538F44155022CB2
Y = 0x10EF6A82EEF1E70F942AA81D6B4CE5DEC0DDB9447512962874870E6F2849A96F
u_2:
X = 0x190D2F283F7E861065DB53227D7FBDF429CEBF93791262CB29569BDF63C86CA4
Y = 0xB3F1715721E9221897CCDE046C9B843A8386DBF7818A112F15A02BC820AC8F6D
When processing u_2 and calculating the key on subject A, the K_A key takes the following values:
处理u_2并计算对象A上的密钥时,K_A密钥采用以下值:
K_A: 7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B C1 91 65 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27
K_A:7D F7 1A C3 27 ED 51 7D 0D E4 03 E8 17 C6 20 4B C1 91 B9 D1 00 2B 9F 10 88 A6 CD A6 EA CF 27
The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) from subject A takes the following values:
来自受试者A的消息MAC|A=HMAC(K|A,0x01 | ID|u A | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_A: F9 29 B6 1A 3C 83 39 85 B8 29 F2 68 55 7F A8 11 00 9F 82 0A B1 A7 30 B5 AA 33 4C 3E 6B A3 17 7F
MAC_A:F9 29 B6 1A 3C 83 39 85 B8 29 F2 68 55 7F A8 11 00 9F 82 0A B1 A7 30 B5 AA 33 4C 3E 6B A3 17 7F
The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) from subject B takes the following values:
来自主体B的消息MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_B: A2 92 8A 5C F6 20 BB C4 90 0D E4 03 F7 FC 59 A5 E9 80 B6 8B E0 46 D0 B5 D9 B4 AE 6A BF A8 0B D6
MAC_B:A2 92 8A 5C F6 20 BB C4 90 0D E4 03 F7 FC 59 A5 E9 80 B6 8B E0 46 D0 B5 D9 B4 AE 6A BF A8 0B D6
The input protocol parameters in this example take the following values:
本例中的输入协议参数采用以下值:
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x489C91784E02E98F19A803ABCA319917F37689E5A18965251CE2FF4E8D8B298F
5BA7470F9E0E713487F96F4A8397B3D09A270C9D367EB5E0E6561ADEEB51581D
Y = 0x684EA885ACA64EAF1B3FEE36C0852A3BE3BD8011B0EF18E203FF87028D6EB5DB
2C144A0DCC71276542BFD72CA2A43FA4F4939DA66D9A60793C704A8C94E16F18
N = 1
ind = 1
ID_A:
00 00 00 00
ID_B:
00 00 00 00
PW:
31 32 33 34 35 36 ('123456')
salt:
29 23 BE 84 E1 6C D6 AE 52 90 49 F1 F1 BB E9 EB
Q_ind:
X = 0x489C91784E02E98F19A803ABCA319917F37689E5A18965251CE2FF4E8D8B298F
5BA7470F9E0E713487F96F4A8397B3D09A270C9D367EB5E0E6561ADEEB51581D
Y = 0x684EA885ACA64EAF1B3FEE36C0852A3BE3BD8011B0EF18E203FF87028D6EB5DB
2C144A0DCC71276542BFD72CA2A43FA4F4939DA66D9A60793C704A8C94E16F18
The function F(PW, salt, 2000) takes the following values:
函数F(PW,salt,2000)采用以下值:
F(PW, salt, 2000): BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 EE 60 D2 00 52 0D 69 5D FD 9F 5F 0F D5 AB A7 02
F(PW,salt,2000):BD 04 67 3F 71 49 B1 8E 98 15 5B D1 E2 72 4E 71 D0 09 9A A2 51 74 F7 92 D3 32 6C 6F 18 12 70 67 1C 62 13 E3 93 0E FD DA 26 45 17 92 C6 20 81 22 EE 60 D2 00 52 0D 69 5D FD 9F 0F D5 AB A7 02
The coordinates of the point Q_PW are:
点Q_PW的坐标为:
X = 0x0185AE6271A81BB7F236A955F7CAA26FB63849813C0287D96C83A15AE6B6A864
67AB13B6D88CE8CD7DC2E5B97FF5F28FAC2C108F2A3CF3DB5515C9E6D7D210E8
Y = 0xED0220F92EF771A71C64ECC77986DB7C03D37B3E2AB3E83F32CE5E074A762EC0
8253C9E2102B87532661275C4B1D16D2789CDABC58ACFDF7318DE70AB64F09B8
X = 0x0185AE6271A81BB7F236A955F7CAA26FB63849813C0287D96C83A15AE6B6A864
67AB13B6D88CE8CD7DC2E5B97FF5F28FAC2C108F2A3CF3DB5515C9E6D7D210E8
Y = 0xED0220F92EF771A71C64ECC77986DB7C03D37B3E2AB3E83F32CE5E074A762EC0
8253C9E2102B87532661275C4B1D16D2789CDABC58ACFDF7318DE70AB64F09B8
During the calculation of u_1 on subject A, the parameter alpha, the point alpha*P, and u_1 take the following values:
在计算受试者A上的u_1时,参数alpha、点alpha*P和u_1取以下值:
alpha=0x332F930421D14CFE260042159F18E49FD5A54167E94108AD80B1DE60B13DE799
9A34D611E63F3F870E5110247DF8EC7466E648ACF385E52CCB889ABF491EDFF0
alpha*P:
X = 0x561655966D52952E805574F4281F1ED3A2D498932B00CBA9DECB42837F09835B
FFBFE2D84D6B6B242FE7B57F92E1A6F2413E12DDD6383E4437E13D72693469AD
Y = 0xF6B18328B2715BD7F4178615273A36135BC0BF62F7D8BB9F080164AD36470AD0
3660F51806C64C6691BADEF30F793720F8E3FEAED631D6A54A4C372DCBF80E82
alpha=0x332F930421D14CFE260042159F18E49FD5A54167E94108AD80B1DE60B13DE799
9A34D611E63F3F870E5110247DF8EC7466E648ACF385E52CCB889ABF491EDFF0
alpha*P:
X = 0x561655966D52952E805574F4281F1ED3A2D498932B00CBA9DECB42837F09835B
FFBFE2D84D6B6B242FE7B57F92E1A6F2413E12DDD6383E4437E13D72693469AD
Y = 0xF6B18328B2715BD7F4178615273A36135BC0BF62F7D8BB9F080164AD36470AD0
3660F51806C64C6691BADEF30F793720F8E3FEAED631D6A54A4C372DCBF80E82
u_1:
X = 0x40645B4B9A908D74DEF98886A336F98BAE6ADA4C1AC9B7594A33D5E4A16486C5
533C7F3C5DD84797AB5B4340BFC70CAF1011B69A01A715E5B9B5432D5151CBD7
Y = 0x267FBB18D0B79559D1875909F2A15F7B49ECD8ED166CF7F4FCD1F44891550483
5E80D52BE8D34ADA5B5E159CF52979B1BCFE8F5048DC443A0983AA19192B8407
u_1:
X = 0x40645B4B9A908D74DEF98886A336F98BAE6ADA4C1AC9B7594A33D5E4A16486C5
533C7F3C5DD84797AB5B4340BFC70CAF1011B69A01A715E5B9B5432D5151CBD7
Y = 0x267FBB18D0B79559D1875909F2A15F7B49ECD8ED166CF7F4FCD1F44891550483
5E80D52BE8D34ADA5B5E159CF52979B1BCFE8F5048DC443A0983AA19192B8407
When processing u_1, calculating the K_B key, and calculating u_2 on subject B, the parameters beta, src, K_B = HASH(src), beta*P, and u_2 take the following values:
在处理u_1、计算K_B密钥和计算主题B上的u_2时,参数beta、src、K_B=HASH(src)、beta*P和u_2采用以下值:
beta=0x38481771E7D054F96212686B613881880BD8A6C89DDBC656178F014D2C093432
A033EE10415F13A160D44C2AD61E6E2E05A7F7EC286BCEA3EA4D4D53F8634FA2
src:
4F 4D 64 B5 D0 70 08 E9 E6 85 87 4F 88 2C 3E 1E
60 A6 67 5E ED 42 1F C2 34 16 3F DE B4 4C 69 18
B7 BC CE AB 88 A0 F3 FB 78 8D A8 DB 10 18 51 FF
1A 41 68 22 BA 37 C3 53 CE C4 C5 A5 23 95 B7 72
AC 93 C0 54 E3 F4 05 5C ED 6F F0 BE E4 A6 A2 4E
D6 8B 86 FE FA 70 DE 4A 2B 16 08 51 42 A4 DF F0
5D 32 EC 7D DF E3 04 F5 C7 04 FD FA 06 0F 64 E9
E8 32 14 00 25 F3 92 E5 03 50 77 0E 3F B6 2C AC
K_B:
A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA
45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C
beta*P:
X = 0xB7C5818687083433BC1AFF61CB5CA79E38232025E0C1F123B8651E62173CE687
3F3E6FFE7281C2E45F4F524F66B0C263616ED08FD210AC4355CA3292B51D71C3
Y = 0x497F14205DBDC89BDDAF50520ED3B1429AD30777310186BE5E68070F016A44E0
C766DB08E8AC23FBDFDE6D675AA4DF591EB18BA0D348DF7AA40973A2F1DCFA55
u_2:
X = 0xB772FD97D6FDEC1DA0771BC059B3E5ADF9858311031EAE5AEC6A6EC8104B4105
C45A6C65689A8EE636C687DB62CC0AFC9A48CA66E381286CC73F374C1DD8F445
Y = 0xC64F69425FFEB2995130E85A08EDC3A686EC28EE6E8469F7F09BD3BCBDD843AC
573578DA6BA1CB3F5F069F205233853F06255C4B28586C9A1643537497B1018C
beta=0x38481771E7D054F96212686B613881880BD8A6C89DDBC656178F014D2C093432
A033EE10415F13A160D44C2AD61E6E2E05A7F7EC286BCEA3EA4D4D53F8634FA2
src:
4F 4D 64 B5 D0 70 08 E9 E6 85 87 4F 88 2C 3E 1E
60 A6 67 5E ED 42 1F C2 34 16 3F DE B4 4C 69 18
B7 BC CE AB 88 A0 F3 FB 78 8D A8 DB 10 18 51 FF
1A 41 68 22 BA 37 C3 53 CE C4 C5 A5 23 95 B7 72
AC 93 C0 54 E3 F4 05 5C ED 6F F0 BE E4 A6 A2 4E
D6 8B 86 FE FA 70 DE 4A 2B 16 08 51 42 A4 DF F0
5D 32 EC 7D DF E3 04 F5 C7 04 FD FA 06 0F 64 E9
E8 32 14 00 25 F3 92 E5 03 50 77 0E 3F B6 2C AC
K_B:
A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA
45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C
beta*P:
X = 0xB7C5818687083433BC1AFF61CB5CA79E38232025E0C1F123B8651E62173CE687
3F3E6FFE7281C2E45F4F524F66B0C263616ED08FD210AC4355CA3292B51D71C3
Y = 0x497F14205DBDC89BDDAF50520ED3B1429AD30777310186BE5E68070F016A44E0
C766DB08E8AC23FBDFDE6D675AA4DF591EB18BA0D348DF7AA40973A2F1DCFA55
u_2:
X = 0xB772FD97D6FDEC1DA0771BC059B3E5ADF9858311031EAE5AEC6A6EC8104B4105
C45A6C65689A8EE636C687DB62CC0AFC9A48CA66E381286CC73F374C1DD8F445
Y = 0xC64F69425FFEB2995130E85A08EDC3A686EC28EE6E8469F7F09BD3BCBDD843AC
573578DA6BA1CB3F5F069F205233853F06255C4B28586C9A1643537497B1018C
When processing u_2 and calculating the key on subject A, the K_A key takes the following values:
处理u_2并计算对象A上的密钥时,K_A密钥采用以下值:
K_A: A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA 45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C
K_A:A0 83 84 A6 2F 4B E1 AE 48 98 FC A3 6D AA 3F AA 45 1B 3E C5 B5 9C E3 75 F8 9E 92 9F 4B 13 25 8C
The message MAC_A = HMAC(K_A, 0x01 || ID_A || ind || salt || u_1 || u_2) from subject A takes the following values:
来自受试者A的消息MAC|A=HMAC(K|A,0x01 | ID|u A | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_A: 12 63 F2 89 0E 90 EE 42 6B 9B A0 8A B9 EA 7F 1F FF 26 E1 60 5C C6 5D E2 96 96 91 15 E5 31 76 87
MAC_A:12 63 F2 89 0E 90 EE 42 6B 9B A0 8A B9 EA 7F 1F FF 26 E1 60 5C C6 5D E2 96 91 15 E5 31 76 87
The message MAC_B = HMAC(K_B, 0x02 || ID_B || ind || salt || u_1 || u_2) from subject B takes the following values:
来自主体B的消息MAC|B=HMAC(K|B,0x02 | ID|B | ind | salt | u|u 1 | u|u 2)采用以下值:
MAC_B: 6D FD 06 04 5D 6D 97 A0 E4 19 B0 0E 00 35 B9 D2 E3 AB 09 8B 7C A4 AD 52 54 60 FA B6 21 85 AA 57
MAC_B:6D FD 06 04 5D 6D 97 A0 E4 19 B0 0E 00 35 B9 D2 E3 AB 09 8B 7C A4 AD 52 54 60 FA B6 21 85 AA 57
The points from Appendix A.1 were generated with the following point verification script in Python:
附录A.1中的点是使用Python中的以下点验证脚本生成的:
curvesParams = [
{
"OID":"id-GostR3410-2001-CryptoPro-A-ParamSet",
"p":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97,
"a":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94,
"b":166,
"m":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893,
"q":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893,
"x":1,
"y":0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14,
"n":32
},
{
"OID":"id-GostR3410-2001-CryptoPro-B-ParamSet",
"p":0x8000000000000000000000000000000000000000000000000000000000000C99,
"a":0x8000000000000000000000000000000000000000000000000000000000000C96,
"b":0x3E1AF419A269A5F866A7D3C25C3DF80AE979259373FF2B182F49D4CE7E1BBC8B,
"m":0x800000000000000000000000000000015F700CFFF1A624E5E497161BCC8A198F,
"q":0x800000000000000000000000000000015F700CFFF1A624E5E497161BCC8A198F,
"x":1,
"y":0x3FA8124359F96680B83D1C3EB2C070E5C545C9858D03ECFB744BF8D717717EFC,
"n":32
},
{
"OID":"id-GostR3410-2001-CryptoPro-C-ParamSet",
"p":0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D759B,
"a":0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D7598,
"b":32858,
"m":0x9B9F605F5A858107AB1EC85E6B41C8AA582CA3511EDDFB74F02F3A6598980BB9,
"q":0x9B9F605F5A858107AB1EC85E6B41C8AA582CA3511EDDFB74F02F3A6598980BB9,
"x":0,
"y":0x41ECE55743711A8C3CBF3783CD08C0EE4D4DC440D4641A8F366E550DFDB3BB67,
"n":32
},
curvesParams = [
{
"OID":"id-GostR3410-2001-CryptoPro-A-ParamSet",
"p":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97,
"a":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD94,
"b":166,
"m":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893,
"q":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6C611070995AD10045841B09B761B893,
"x":1,
"y":0x8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14,
"n":32
},
{
"OID":"id-GostR3410-2001-CryptoPro-B-ParamSet",
"p":0x8000000000000000000000000000000000000000000000000000000000000C99,
"a":0x8000000000000000000000000000000000000000000000000000000000000C96,
"b":0x3E1AF419A269A5F866A7D3C25C3DF80AE979259373FF2B182F49D4CE7E1BBC8B,
"m":0x800000000000000000000000000000015F700CFFF1A624E5E497161BCC8A198F,
"q":0x800000000000000000000000000000015F700CFFF1A624E5E497161BCC8A198F,
"x":1,
"y":0x3FA8124359F96680B83D1C3EB2C070E5C545C9858D03ECFB744BF8D717717EFC,
"n":32
},
{
"OID":"id-GostR3410-2001-CryptoPro-C-ParamSet",
"p":0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D759B,
"a":0x9B9F605F5A858107AB1EC85E6B41C8AACF846E86789051D37998F7B9022D7598,
"b":32858,
"m":0x9B9F605F5A858107AB1EC85E6B41C8AA582CA3511EDDFB74F02F3A6598980BB9,
"q":0x9B9F605F5A858107AB1EC85E6B41C8AA582CA3511EDDFB74F02F3A6598980BB9,
"x":0,
"y":0x41ECE55743711A8C3CBF3783CD08C0EE4D4DC440D4641A8F366E550DFDB3BB67,
"n":32
},
{
"OID":"id-tc26-gost-3410-2012-512-paramSetA",
"p":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\
0xFFFFFFFFFFFFFFFFFDC7L,
"a":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\
0xFFFFFFFFFFFFFFFFFDC4L,
"b":(0xE8C2505DEDFC86DDC1BD0B2B6667F1DA34B82574761CB0E879BD08L<<296)+\
(0x1CFD0B6265EE3CB090F30D27614CB4574010DA90DD862EF9D4EBEEL<<80)+\
0x4761503190785A71C760L,
"m":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2L<<80)+\
0xB85DCACDB1411F10B275L,
"q":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2L<<80)+\
0xB85DCACDB1411F10B275L,
"x":3,
"y":(0x7503CFE87A836AE3A61B8816E25450E6CE5E1C93ACF1ABC1778064L<<296)+\
(0xFDCBEFA921DF1626BE4FD036E93D75E6A50E3A41E98028FE5FC235L<<80)+\
0xF5B889A589CB5215F2A4L,
"n":64
},
{
"OID":"id-tc26-gost-3410-2012-512-paramSetB",
"p":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000000000000000000000000000000000000000000000000L<<80)+\
0x0000000000000000006FL,
"a":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000000000000000000000000000000000000000000000000L<<80)+\
0x0000000000000000006CL,
"b":(0x687D1B459DC841457E3E06CF6F5E2517B97C7D614AF138BCBF85DCL<<296)+\
(0x806C4B289F3E965D2DB1416D217F8B276FAD1AB69C50F78BEE1FA3L<<80)+\
0x106EFB8CCBC7C5140116L,
"m":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000149A1EC142565A545ACFDB77BD9D40CFA8B996712101BL<<80)+\
0xEA0EC6346C54374F25BDL,
"q":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000149A1EC142565A545ACFDB77BD9D40CFA8B996712101BL<<80)+\
0xEA0EC6346C54374F25BDL,
"x":2,
"y":(0x1A8F7EDA389B094C2C071E3647A8940F3C123B697578C213BE6DD9L<<296)+\
(0xE6C8EC7335DCB228FD1EDF4A39152CBCAAF8C0398828041055F94CL<<80)+\
0xEEEC7E21340780FE41BDL,
"n":64
},
{
"OID":"id-tc26-gost-3410-2012-512-paramSetA",
"p":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\
0xFFFFFFFFFFFFFFFFFDC7L,
"a":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\
0xFFFFFFFFFFFFFFFFFDC4L,
"b":(0xE8C2505DEDFC86DDC1BD0B2B6667F1DA34B82574761CB0E879BD08L<<296)+\
(0x1CFD0B6265EE3CB090F30D27614CB4574010DA90DD862EF9D4EBEEL<<80)+\
0x4761503190785A71C760L,
"m":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2L<<80)+\
0xB85DCACDB1411F10B275L,
"q":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFF27E69532F48D89116FF22B8D4E0560609B4B38ABFAD2L<<80)+\
0xB85DCACDB1411F10B275L,
"x":3,
"y":(0x7503CFE87A836AE3A61B8816E25450E6CE5E1C93ACF1ABC1778064L<<296)+\
(0xFDCBEFA921DF1626BE4FD036E93D75E6A50E3A41E98028FE5FC235L<<80)+\
0xF5B889A589CB5215F2A4L,
"n":64
},
{
"OID":"id-tc26-gost-3410-2012-512-paramSetB",
"p":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000000000000000000000000000000000000000000000000L<<80)+\
0x0000000000000000006FL,
"a":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000000000000000000000000000000000000000000000000L<<80)+\
0x0000000000000000006CL,
"b":(0x687D1B459DC841457E3E06CF6F5E2517B97C7D614AF138BCBF85DCL<<296)+\
(0x806C4B289F3E965D2DB1416D217F8B276FAD1AB69C50F78BEE1FA3L<<80)+\
0x106EFB8CCBC7C5140116L,
"m":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000149A1EC142565A545ACFDB77BD9D40CFA8B996712101BL<<80)+\
0xEA0EC6346C54374F25BDL,
"q":(0x800000000000000000000000000000000000000000000000000000L<<296)+\
(0x000000000149A1EC142565A545ACFDB77BD9D40CFA8B996712101BL<<80)+\
0xEA0EC6346C54374F25BDL,
"x":2,
"y":(0x1A8F7EDA389B094C2C071E3647A8940F3C123B697578C213BE6DD9L<<296)+\
(0xE6C8EC7335DCB228FD1EDF4A39152CBCAAF8C0398828041055F94CL<<80)+\
0xEEEC7E21340780FE41BDL,
"n":64
},
{
"OID":"id-tc26-gost-3410-2012-256-paramSetA",
"p":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97,
"a":0xC2173F1513981673AF4892C23035A27CE25E2013BF95AA33B22C656F277E7335,
"b":0x295F9BAE7428ED9CCC20E7C359A9D41A22FCCD9108E17BF7BA9337A6F8AE9513,
"m":0x1000000000000000000000000000000003F63377F21ED98D70456BD55B0D8319C,
"q":0x400000000000000000000000000000000FD8CDDFC87B6635C115AF556C360C67,
"x":0x91E38443A5E82C0D880923425712B2BB658B9196932E02C78B2582FE742DAA28,
"y":0x32879423AB1A0375895786C4BB46E9565FDE0B5344766740AF268ADB32322E5C,
"n":32
},
{
"OID":"id-tc26-gost-3410-2012-512-paramSetC",
"p":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\
0xFFFFFFFFFFFFFFFFFDC7L,
"a":(0xDC9203E514A721875485A529D2C722FB187BC8980EB866644DE41CL<<296)+\
(0x68E143064546E861C0E2C9EDD92ADE71F46FCF50FF2AD97F951FDAL<<80)+\
0x9F2A2EB6546F39689BD3L,
"b":(0xB4C4EE28CEBC6C2C8AC12952CF37F16AC7EFB6A9F69F4B57FFDA2EL<<296)+\
(0x4F0DE5ADE038CBC2FFF719D2C18DE0284B8BFEF3B52B8CC7A5F5BFL<<80)+\
0x0A3C8D2319A5312557E1L,
"m":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFF26336E91941AAC0130CEA7FD451D40B323B6A79E9DA6L<<80)+\
0x849A5188F3BD1FC08FB4L,
"q":(0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFC98CDBA46506AB004C33A9FF5147502CC8EDA9E7A769L<<80)+\
0xA12694623CEF47F023EDL,
"x":(0xE2E31EDFC23DE7BDEBE241CE593EF5DE2295B7A9CBAEF021D385F7L<<296)+\
(0x074CEA043AA27272A7AE602BF2A7B9033DB9ED3610C6FB85487EAEL<<80)+\
0x97AAC5BC7928C1950148L,
"y":(0xF5CE40D95B5EB899ABBCCFF5911CB8577939804D6527378B8C108CL<<296)+\
(0x3D2090FF9BE18E2D33E3021ED2EF32D85822423B6304F726AA854BL<<80)+\
0xAE07D0396E9A9ADDC40FL,
"n":64
}
]
{
"OID":"id-tc26-gost-3410-2012-256-paramSetA",
"p":0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD97,
"a":0xC2173F1513981673AF4892C23035A27CE25E2013BF95AA33B22C656F277E7335,
"b":0x295F9BAE7428ED9CCC20E7C359A9D41A22FCCD9108E17BF7BA9337A6F8AE9513,
"m":0x1000000000000000000000000000000003F63377F21ED98D70456BD55B0D8319C,
"q":0x400000000000000000000000000000000FD8CDDFC87B6635C115AF556C360C67,
"x":0x91E38443A5E82C0D880923425712B2BB658B9196932E02C78B2582FE742DAA28,
"y":0x32879423AB1A0375895786C4BB46E9565FDE0B5344766740AF268ADB32322E5C,
"n":32
},
{
"OID":"id-tc26-gost-3410-2012-512-paramSetC",
"p":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<80)+\
0xFFFFFFFFFFFFFFFFFDC7L,
"a":(0xDC9203E514A721875485A529D2C722FB187BC8980EB866644DE41CL<<296)+\
(0x68E143064546E861C0E2C9EDD92ADE71F46FCF50FF2AD97F951FDAL<<80)+\
0x9F2A2EB6546F39689BD3L,
"b":(0xB4C4EE28CEBC6C2C8AC12952CF37F16AC7EFB6A9F69F4B57FFDA2EL<<296)+\
(0x4F0DE5ADE038CBC2FFF719D2C18DE0284B8BFEF3B52B8CC7A5F5BFL<<80)+\
0x0A3C8D2319A5312557E1L,
"m":(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFF26336E91941AAC0130CEA7FD451D40B323B6A79E9DA6L<<80)+\
0x849A5188F3BD1FC08FB4L,
"q":(0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFL<<296)+\
(0xFFFFFFFFFFC98CDBA46506AB004C33A9FF5147502CC8EDA9E7A769L<<80)+\
0xA12694623CEF47F023EDL,
"x":(0xE2E31EDFC23DE7BDEBE241CE593EF5DE2295B7A9CBAEF021D385F7L<<296)+\
(0x074CEA043AA27272A7AE602BF2A7B9033DB9ED3610C6FB85487EAEL<<80)+\
0x97AAC5BC7928C1950148L,
"y":(0xF5CE40D95B5EB899ABBCCFF5911CB8577939804D6527378B8C108CL<<296)+\
(0x3D2090FF9BE18E2D33E3021ED2EF32D85822423B6304F726AA854BL<<80)+\
0xAE07D0396E9A9ADDC40FL,
"n":64
}
]
def str2list( s ):
res = []
for c in s:
res += [ ord( c ) ]
return res
def str2list( s ):
res = []
for c in s:
res += [ ord( c ) ]
return res
def list2str( l ):
r = ""
for k in l:
r += chr( k )
return r
def list2str( l ):
r = ""
for k in l:
r += chr( k )
return r
def hprint( data ):
r = ""
for i in range( len( data ) ):
r += "%02X " % data[ i ]
if i % 16 == 15:
r += "\n"
print( r )
def hprint( data ):
r = ""
for i in range( len( data ) ):
r += "%02X " % data[ i ]
if i % 16 == 15:
r += "\n"
print( r )
class Stribog:
斯特里博格级:
__A = [
0x8e20faa72ba0b470, 0x47107ddd9b505a38, 0xad08b0e0c3282d1c,
0xd8045870ef14980e, 0x6c022c38f90a4c07, 0x3601161cf205268d,
0x1b8e0b0e798c13c8, 0x83478b07b2468764, 0xa011d380818e8f40,
0x5086e740ce47c920, 0x2843fd2067adea10, 0x14aff010bdd87508,
0x0ad97808d06cb404, 0x05e23c0468365a02, 0x8c711e02341b2d01,
0x46b60f011a83988e, 0x90dab52a387ae76f, 0x486dd4151c3dfdb9,
0x24b86a840e90f0d2, 0x125c354207487869, 0x092e94218d243cba,
0x8a174a9ec8121e5d, 0x4585254f64090fa0, 0xaccc9ca9328a8950,
0x9d4df05d5f661451, 0xc0a878a0a1330aa6, 0x60543c50de970553,
0x302a1e286fc58ca7, 0x18150f14b9ec46dd, 0x0c84890ad27623e0,
0x0642ca05693b9f70, 0x0321658cba93c138, 0x86275df09ce8aaa8,
0x439da0784e745554, 0xafc0503c273aa42a, 0xd960281e9d1d5215,
0xe230140fc0802984, 0x71180a8960409a42, 0xb60c05ca30204d21,
0x5b068c651810a89e, 0x456c34887a3805b9, 0xac361a443d1c8cd2,
0x561b0d22900e4669, 0x2b838811480723ba, 0x9bcf4486248d9f5d,
0xc3e9224312c8c1a0, 0xeffa11af0964ee50, 0xf97d86d98a327728,
0xe4fa2054a80b329c, 0x727d102a548b194e, 0x39b008152acb8227,
0x9258048415eb419d, 0x492c024284fbaec0, 0xaa16012142f35760,
0x550b8e9e21f7a530, 0xa48b474f9ef5dc18, 0x70a6a56e2440598e,
0x3853dc371220a247, 0x1ca76e95091051ad, 0x0edd37c48a08a6d8,
0x07e095624504536c, 0x8d70c431ac02a736, 0xc83862965601dd1b,
0x641c314b2b8ee083
]
__A = [
0x8e20faa72ba0b470, 0x47107ddd9b505a38, 0xad08b0e0c3282d1c,
0xd8045870ef14980e, 0x6c022c38f90a4c07, 0x3601161cf205268d,
0x1b8e0b0e798c13c8, 0x83478b07b2468764, 0xa011d380818e8f40,
0x5086e740ce47c920, 0x2843fd2067adea10, 0x14aff010bdd87508,
0x0ad97808d06cb404, 0x05e23c0468365a02, 0x8c711e02341b2d01,
0x46b60f011a83988e, 0x90dab52a387ae76f, 0x486dd4151c3dfdb9,
0x24b86a840e90f0d2, 0x125c354207487869, 0x092e94218d243cba,
0x8a174a9ec8121e5d, 0x4585254f64090fa0, 0xaccc9ca9328a8950,
0x9d4df05d5f661451, 0xc0a878a0a1330aa6, 0x60543c50de970553,
0x302a1e286fc58ca7, 0x18150f14b9ec46dd, 0x0c84890ad27623e0,
0x0642ca05693b9f70, 0x0321658cba93c138, 0x86275df09ce8aaa8,
0x439da0784e745554, 0xafc0503c273aa42a, 0xd960281e9d1d5215,
0xe230140fc0802984, 0x71180a8960409a42, 0xb60c05ca30204d21,
0x5b068c651810a89e, 0x456c34887a3805b9, 0xac361a443d1c8cd2,
0x561b0d22900e4669, 0x2b838811480723ba, 0x9bcf4486248d9f5d,
0xc3e9224312c8c1a0, 0xeffa11af0964ee50, 0xf97d86d98a327728,
0xe4fa2054a80b329c, 0x727d102a548b194e, 0x39b008152acb8227,
0x9258048415eb419d, 0x492c024284fbaec0, 0xaa16012142f35760,
0x550b8e9e21f7a530, 0xa48b474f9ef5dc18, 0x70a6a56e2440598e,
0x3853dc371220a247, 0x1ca76e95091051ad, 0x0edd37c48a08a6d8,
0x07e095624504536c, 0x8d70c431ac02a736, 0xc83862965601dd1b,
0x641c314b2b8ee083
]
__Sbox = [
0xFC, 0xEE, 0xDD, 0x11, 0xCF, 0x6E, 0x31, 0x16, 0xFB, 0xC4, 0xFA,
0xDA, 0x23, 0xC5, 0x04, 0x4D, 0xE9, 0x77, 0xF0, 0xDB, 0x93, 0x2E,
0x99, 0xBA, 0x17, 0x36, 0xF1, 0xBB, 0x14, 0xCD, 0x5F, 0xC1, 0xF9,
0x18, 0x65, 0x5A, 0xE2, 0x5C, 0xEF, 0x21, 0x81, 0x1C, 0x3C, 0x42,
0x8B, 0x01, 0x8E, 0x4F, 0x05, 0x84, 0x02, 0xAE, 0xE3, 0x6A, 0x8F,
0xA0, 0x06, 0x0B, 0xED, 0x98, 0x7F, 0xD4, 0xD3, 0x1F, 0xEB, 0x34,
0x2C, 0x51, 0xEA, 0xC8, 0x48, 0xAB, 0xF2, 0x2A, 0x68, 0xA2, 0xFD,
0x3A, 0xCE, 0xCC, 0xB5, 0x70, 0x0E, 0x56, 0x08, 0x0C, 0x76, 0x12,
0xBF, 0x72, 0x13, 0x47, 0x9C, 0xB7, 0x5D, 0x87, 0x15, 0xA1, 0x96,
0x29, 0x10, 0x7B, 0x9A, 0xC7, 0xF3, 0x91, 0x78, 0x6F, 0x9D, 0x9E,
0xB2, 0xB1, 0x32, 0x75, 0x19, 0x3D, 0xFF, 0x35, 0x8A, 0x7E, 0x6D,
0x54, 0xC6, 0x80, 0xC3, 0xBD, 0x0D, 0x57, 0xDF, 0xF5, 0x24, 0xA9,
0x3E, 0xA8, 0x43, 0xC9, 0xD7, 0x79, 0xD6, 0xF6, 0x7C, 0x22, 0xB9,
0x03, 0xE0, 0x0F, 0xEC, 0xDE, 0x7A, 0x94, 0xB0, 0xBC, 0xDC, 0xE8,
0x28, 0x50, 0x4E, 0x33, 0x0A, 0x4A, 0xA7, 0x97, 0x60, 0x73, 0x1E,
0x00, 0x62, 0x44, 0x1A, 0xB8, 0x38, 0x82, 0x64, 0x9F, 0x26, 0x41,
0xAD, 0x45, 0x46, 0x92, 0x27, 0x5E, 0x55, 0x2F, 0x8C, 0xA3, 0xA5,
0x7D, 0x69, 0xD5, 0x95, 0x3B, 0x07, 0x58, 0xB3, 0x40, 0x86, 0xAC,
0x1D, 0xF7, 0x30, 0x37, 0x6B, 0xE4, 0x88, 0xD9, 0xE7, 0x89, 0xE1,
0x1B, 0x83, 0x49, 0x4C, 0x3F, 0xF8, 0xFE, 0x8D, 0x53, 0xAA, 0x90,
0xCA, 0xD8, 0x85, 0x61, 0x20, 0x71, 0x67, 0xA4, 0x2D, 0x2B, 0x09,
0x5B, 0xCB, 0x9B, 0x25, 0xD0, 0xBE, 0xE5, 0x6C, 0x52, 0x59, 0xA6,
0x74, 0xD2, 0xE6, 0xF4, 0xB4, 0xC0, 0xD1, 0x66, 0xAF, 0xC2, 0x39,
0x4B, 0x63, 0xB6
]
__Sbox = [
0xFC, 0xEE, 0xDD, 0x11, 0xCF, 0x6E, 0x31, 0x16, 0xFB, 0xC4, 0xFA,
0xDA, 0x23, 0xC5, 0x04, 0x4D, 0xE9, 0x77, 0xF0, 0xDB, 0x93, 0x2E,
0x99, 0xBA, 0x17, 0x36, 0xF1, 0xBB, 0x14, 0xCD, 0x5F, 0xC1, 0xF9,
0x18, 0x65, 0x5A, 0xE2, 0x5C, 0xEF, 0x21, 0x81, 0x1C, 0x3C, 0x42,
0x8B, 0x01, 0x8E, 0x4F, 0x05, 0x84, 0x02, 0xAE, 0xE3, 0x6A, 0x8F,
0xA0, 0x06, 0x0B, 0xED, 0x98, 0x7F, 0xD4, 0xD3, 0x1F, 0xEB, 0x34,
0x2C, 0x51, 0xEA, 0xC8, 0x48, 0xAB, 0xF2, 0x2A, 0x68, 0xA2, 0xFD,
0x3A, 0xCE, 0xCC, 0xB5, 0x70, 0x0E, 0x56, 0x08, 0x0C, 0x76, 0x12,
0xBF, 0x72, 0x13, 0x47, 0x9C, 0xB7, 0x5D, 0x87, 0x15, 0xA1, 0x96,
0x29, 0x10, 0x7B, 0x9A, 0xC7, 0xF3, 0x91, 0x78, 0x6F, 0x9D, 0x9E,
0xB2, 0xB1, 0x32, 0x75, 0x19, 0x3D, 0xFF, 0x35, 0x8A, 0x7E, 0x6D,
0x54, 0xC6, 0x80, 0xC3, 0xBD, 0x0D, 0x57, 0xDF, 0xF5, 0x24, 0xA9,
0x3E, 0xA8, 0x43, 0xC9, 0xD7, 0x79, 0xD6, 0xF6, 0x7C, 0x22, 0xB9,
0x03, 0xE0, 0x0F, 0xEC, 0xDE, 0x7A, 0x94, 0xB0, 0xBC, 0xDC, 0xE8,
0x28, 0x50, 0x4E, 0x33, 0x0A, 0x4A, 0xA7, 0x97, 0x60, 0x73, 0x1E,
0x00, 0x62, 0x44, 0x1A, 0xB8, 0x38, 0x82, 0x64, 0x9F, 0x26, 0x41,
0xAD, 0x45, 0x46, 0x92, 0x27, 0x5E, 0x55, 0x2F, 0x8C, 0xA3, 0xA5,
0x7D, 0x69, 0xD5, 0x95, 0x3B, 0x07, 0x58, 0xB3, 0x40, 0x86, 0xAC,
0x1D, 0xF7, 0x30, 0x37, 0x6B, 0xE4, 0x88, 0xD9, 0xE7, 0x89, 0xE1,
0x1B, 0x83, 0x49, 0x4C, 0x3F, 0xF8, 0xFE, 0x8D, 0x53, 0xAA, 0x90,
0xCA, 0xD8, 0x85, 0x61, 0x20, 0x71, 0x67, 0xA4, 0x2D, 0x2B, 0x09,
0x5B, 0xCB, 0x9B, 0x25, 0xD0, 0xBE, 0xE5, 0x6C, 0x52, 0x59, 0xA6,
0x74, 0xD2, 0xE6, 0xF4, 0xB4, 0xC0, 0xD1, 0x66, 0xAF, 0xC2, 0x39,
0x4B, 0x63, 0xB6
]
__Tau = [
0, 8, 16, 24, 32, 40, 48, 56,
1, 9, 17, 25, 33, 41, 49, 57,
2, 10, 18, 26, 34, 42, 50, 58,
3, 11, 19, 27, 35, 43, 51, 59,
4, 12, 20, 28, 36, 44, 52, 60,
5, 13, 21, 29, 37, 45, 53, 61,
6, 14, 22, 30, 38, 46, 54, 62,
7, 15, 23, 31, 39, 47, 55, 63
]
__Tau = [
0, 8, 16, 24, 32, 40, 48, 56,
1, 9, 17, 25, 33, 41, 49, 57,
2, 10, 18, 26, 34, 42, 50, 58,
3, 11, 19, 27, 35, 43, 51, 59,
4, 12, 20, 28, 36, 44, 52, 60,
5, 13, 21, 29, 37, 45, 53, 61,
6, 14, 22, 30, 38, 46, 54, 62,
7, 15, 23, 31, 39, 47, 55, 63
]
__C = [
[
0xb1, 0x08, 0x5b, 0xda, 0x1e, 0xca, 0xda, 0xe9,
0xeb, 0xcb, 0x2f, 0x81, 0xc0, 0x65, 0x7c, 0x1f,
0x2f, 0x6a, 0x76, 0x43, 0x2e, 0x45, 0xd0, 0x16,
0x71, 0x4e, 0xb8, 0x8d, 0x75, 0x85, 0xc4, 0xfc,
0x4b, 0x7c, 0xe0, 0x91, 0x92, 0x67, 0x69, 0x01,
0xa2, 0x42, 0x2a, 0x08, 0xa4, 0x60, 0xd3, 0x15,
0x05, 0x76, 0x74, 0x36, 0xcc, 0x74, 0x4d, 0x23,
0xdd, 0x80, 0x65, 0x59, 0xf2, 0xa6, 0x45, 0x07
],
[
0x6f, 0xa3, 0xb5, 0x8a, 0xa9, 0x9d, 0x2f, 0x1a,
0x4f, 0xe3, 0x9d, 0x46, 0x0f, 0x70, 0xb5, 0xd7,
0xf3, 0xfe, 0xea, 0x72, 0x0a, 0x23, 0x2b, 0x98,
0x61, 0xd5, 0x5e, 0x0f, 0x16, 0xb5, 0x01, 0x31,
0x9a, 0xb5, 0x17, 0x6b, 0x12, 0xd6, 0x99, 0x58,
0x5c, 0xb5, 0x61, 0xc2, 0xdb, 0x0a, 0xa7, 0xca,
0x55, 0xdd, 0xa2, 0x1b, 0xd7, 0xcb, 0xcd, 0x56,
0xe6, 0x79, 0x04, 0x70, 0x21, 0xb1, 0x9b, 0xb7
],
[
0xf5, 0x74, 0xdc, 0xac, 0x2b, 0xce, 0x2f, 0xc7,
0x0a, 0x39, 0xfc, 0x28, 0x6a, 0x3d, 0x84, 0x35,
0x06, 0xf1, 0x5e, 0x5f, 0x52, 0x9c, 0x1f, 0x8b,
0xf2, 0xea, 0x75, 0x14, 0xb1, 0x29, 0x7b, 0x7b,
0xd3, 0xe2, 0x0f, 0xe4, 0x90, 0x35, 0x9e, 0xb1,
0xc1, 0xc9, 0x3a, 0x37, 0x60, 0x62, 0xdb, 0x09,
0xc2, 0xb6, 0xf4, 0x43, 0x86, 0x7a, 0xdb, 0x31,
0x99, 0x1e, 0x96, 0xf5, 0x0a, 0xba, 0x0a, 0xb2
],
[
0xef, 0x1f, 0xdf, 0xb3, 0xe8, 0x15, 0x66, 0xd2,
0xf9, 0x48, 0xe1, 0xa0, 0x5d, 0x71, 0xe4, 0xdd,
0x48, 0x8e, 0x85, 0x7e, 0x33, 0x5c, 0x3c, 0x7d,
0x9d, 0x72, 0x1c, 0xad, 0x68, 0x5e, 0x35, 0x3f,
0xa9, 0xd7, 0x2c, 0x82, 0xed, 0x03, 0xd6, 0x75,
0xd8, 0xb7, 0x13, 0x33, 0x93, 0x52, 0x03, 0xbe,
0x34, 0x53, 0xea, 0xa1, 0x93, 0xe8, 0x37, 0xf1,
0x22, 0x0c, 0xbe, 0xbc, 0x84, 0xe3, 0xd1, 0x2e
],
__C = [
[
0xb1, 0x08, 0x5b, 0xda, 0x1e, 0xca, 0xda, 0xe9,
0xeb, 0xcb, 0x2f, 0x81, 0xc0, 0x65, 0x7c, 0x1f,
0x2f, 0x6a, 0x76, 0x43, 0x2e, 0x45, 0xd0, 0x16,
0x71, 0x4e, 0xb8, 0x8d, 0x75, 0x85, 0xc4, 0xfc,
0x4b, 0x7c, 0xe0, 0x91, 0x92, 0x67, 0x69, 0x01,
0xa2, 0x42, 0x2a, 0x08, 0xa4, 0x60, 0xd3, 0x15,
0x05, 0x76, 0x74, 0x36, 0xcc, 0x74, 0x4d, 0x23,
0xdd, 0x80, 0x65, 0x59, 0xf2, 0xa6, 0x45, 0x07
],
[
0x6f, 0xa3, 0xb5, 0x8a, 0xa9, 0x9d, 0x2f, 0x1a,
0x4f, 0xe3, 0x9d, 0x46, 0x0f, 0x70, 0xb5, 0xd7,
0xf3, 0xfe, 0xea, 0x72, 0x0a, 0x23, 0x2b, 0x98,
0x61, 0xd5, 0x5e, 0x0f, 0x16, 0xb5, 0x01, 0x31,
0x9a, 0xb5, 0x17, 0x6b, 0x12, 0xd6, 0x99, 0x58,
0x5c, 0xb5, 0x61, 0xc2, 0xdb, 0x0a, 0xa7, 0xca,
0x55, 0xdd, 0xa2, 0x1b, 0xd7, 0xcb, 0xcd, 0x56,
0xe6, 0x79, 0x04, 0x70, 0x21, 0xb1, 0x9b, 0xb7
],
[
0xf5, 0x74, 0xdc, 0xac, 0x2b, 0xce, 0x2f, 0xc7,
0x0a, 0x39, 0xfc, 0x28, 0x6a, 0x3d, 0x84, 0x35,
0x06, 0xf1, 0x5e, 0x5f, 0x52, 0x9c, 0x1f, 0x8b,
0xf2, 0xea, 0x75, 0x14, 0xb1, 0x29, 0x7b, 0x7b,
0xd3, 0xe2, 0x0f, 0xe4, 0x90, 0x35, 0x9e, 0xb1,
0xc1, 0xc9, 0x3a, 0x37, 0x60, 0x62, 0xdb, 0x09,
0xc2, 0xb6, 0xf4, 0x43, 0x86, 0x7a, 0xdb, 0x31,
0x99, 0x1e, 0x96, 0xf5, 0x0a, 0xba, 0x0a, 0xb2
],
[
0xef, 0x1f, 0xdf, 0xb3, 0xe8, 0x15, 0x66, 0xd2,
0xf9, 0x48, 0xe1, 0xa0, 0x5d, 0x71, 0xe4, 0xdd,
0x48, 0x8e, 0x85, 0x7e, 0x33, 0x5c, 0x3c, 0x7d,
0x9d, 0x72, 0x1c, 0xad, 0x68, 0x5e, 0x35, 0x3f,
0xa9, 0xd7, 0x2c, 0x82, 0xed, 0x03, 0xd6, 0x75,
0xd8, 0xb7, 0x13, 0x33, 0x93, 0x52, 0x03, 0xbe,
0x34, 0x53, 0xea, 0xa1, 0x93, 0xe8, 0x37, 0xf1,
0x22, 0x0c, 0xbe, 0xbc, 0x84, 0xe3, 0xd1, 0x2e
],
[
0x4b, 0xea, 0x6b, 0xac, 0xad, 0x47, 0x47, 0x99,
0x9a, 0x3f, 0x41, 0x0c, 0x6c, 0xa9, 0x23, 0x63,
0x7f, 0x15, 0x1c, 0x1f, 0x16, 0x86, 0x10, 0x4a,
0x35, 0x9e, 0x35, 0xd7, 0x80, 0x0f, 0xff, 0xbd,
0xbf, 0xcd, 0x17, 0x47, 0x25, 0x3a, 0xf5, 0xa3,
0xdf, 0xff, 0x00, 0xb7, 0x23, 0x27, 0x1a, 0x16,
0x7a, 0x56, 0xa2, 0x7e, 0xa9, 0xea, 0x63, 0xf5,
0x60, 0x17, 0x58, 0xfd, 0x7c, 0x6c, 0xfe, 0x57
],
[
0xae, 0x4f, 0xae, 0xae, 0x1d, 0x3a, 0xd3, 0xd9,
0x6f, 0xa4, 0xc3, 0x3b, 0x7a, 0x30, 0x39, 0xc0,
0x2d, 0x66, 0xc4, 0xf9, 0x51, 0x42, 0xa4, 0x6c,
0x18, 0x7f, 0x9a, 0xb4, 0x9a, 0xf0, 0x8e, 0xc6,
0xcf, 0xfa, 0xa6, 0xb7, 0x1c, 0x9a, 0xb7, 0xb4,
0x0a, 0xf2, 0x1f, 0x66, 0xc2, 0xbe, 0xc6, 0xb6,
0xbf, 0x71, 0xc5, 0x72, 0x36, 0x90, 0x4f, 0x35,
0xfa, 0x68, 0x40, 0x7a, 0x46, 0x64, 0x7d, 0x6e
],
[
0xf4, 0xc7, 0x0e, 0x16, 0xee, 0xaa, 0xc5, 0xec,
0x51, 0xac, 0x86, 0xfe, 0xbf, 0x24, 0x09, 0x54,
0x39, 0x9e, 0xc6, 0xc7, 0xe6, 0xbf, 0x87, 0xc9,
0xd3, 0x47, 0x3e, 0x33, 0x19, 0x7a, 0x93, 0xc9,
0x09, 0x92, 0xab, 0xc5, 0x2d, 0x82, 0x2c, 0x37,
0x06, 0x47, 0x69, 0x83, 0x28, 0x4a, 0x05, 0x04,
0x35, 0x17, 0x45, 0x4c, 0xa2, 0x3c, 0x4a, 0xf3,
0x88, 0x86, 0x56, 0x4d, 0x3a, 0x14, 0xd4, 0x93
],
[
0x9b, 0x1f, 0x5b, 0x42, 0x4d, 0x93, 0xc9, 0xa7,
0x03, 0xe7, 0xaa, 0x02, 0x0c, 0x6e, 0x41, 0x41,
0x4e, 0xb7, 0xf8, 0x71, 0x9c, 0x36, 0xde, 0x1e,
0x89, 0xb4, 0x44, 0x3b, 0x4d, 0xdb, 0xc4, 0x9a,
0xf4, 0x89, 0x2b, 0xcb, 0x92, 0x9b, 0x06, 0x90,
0x69, 0xd1, 0x8d, 0x2b, 0xd1, 0xa5, 0xc4, 0x2f,
0x36, 0xac, 0xc2, 0x35, 0x59, 0x51, 0xa8, 0xd9,
0xa4, 0x7f, 0x0d, 0xd4, 0xbf, 0x02, 0xe7, 0x1e
],
[
0x4b, 0xea, 0x6b, 0xac, 0xad, 0x47, 0x47, 0x99,
0x9a, 0x3f, 0x41, 0x0c, 0x6c, 0xa9, 0x23, 0x63,
0x7f, 0x15, 0x1c, 0x1f, 0x16, 0x86, 0x10, 0x4a,
0x35, 0x9e, 0x35, 0xd7, 0x80, 0x0f, 0xff, 0xbd,
0xbf, 0xcd, 0x17, 0x47, 0x25, 0x3a, 0xf5, 0xa3,
0xdf, 0xff, 0x00, 0xb7, 0x23, 0x27, 0x1a, 0x16,
0x7a, 0x56, 0xa2, 0x7e, 0xa9, 0xea, 0x63, 0xf5,
0x60, 0x17, 0x58, 0xfd, 0x7c, 0x6c, 0xfe, 0x57
],
[
0xae, 0x4f, 0xae, 0xae, 0x1d, 0x3a, 0xd3, 0xd9,
0x6f, 0xa4, 0xc3, 0x3b, 0x7a, 0x30, 0x39, 0xc0,
0x2d, 0x66, 0xc4, 0xf9, 0x51, 0x42, 0xa4, 0x6c,
0x18, 0x7f, 0x9a, 0xb4, 0x9a, 0xf0, 0x8e, 0xc6,
0xcf, 0xfa, 0xa6, 0xb7, 0x1c, 0x9a, 0xb7, 0xb4,
0x0a, 0xf2, 0x1f, 0x66, 0xc2, 0xbe, 0xc6, 0xb6,
0xbf, 0x71, 0xc5, 0x72, 0x36, 0x90, 0x4f, 0x35,
0xfa, 0x68, 0x40, 0x7a, 0x46, 0x64, 0x7d, 0x6e
],
[
0xf4, 0xc7, 0x0e, 0x16, 0xee, 0xaa, 0xc5, 0xec,
0x51, 0xac, 0x86, 0xfe, 0xbf, 0x24, 0x09, 0x54,
0x39, 0x9e, 0xc6, 0xc7, 0xe6, 0xbf, 0x87, 0xc9,
0xd3, 0x47, 0x3e, 0x33, 0x19, 0x7a, 0x93, 0xc9,
0x09, 0x92, 0xab, 0xc5, 0x2d, 0x82, 0x2c, 0x37,
0x06, 0x47, 0x69, 0x83, 0x28, 0x4a, 0x05, 0x04,
0x35, 0x17, 0x45, 0x4c, 0xa2, 0x3c, 0x4a, 0xf3,
0x88, 0x86, 0x56, 0x4d, 0x3a, 0x14, 0xd4, 0x93
],
[
0x9b, 0x1f, 0x5b, 0x42, 0x4d, 0x93, 0xc9, 0xa7,
0x03, 0xe7, 0xaa, 0x02, 0x0c, 0x6e, 0x41, 0x41,
0x4e, 0xb7, 0xf8, 0x71, 0x9c, 0x36, 0xde, 0x1e,
0x89, 0xb4, 0x44, 0x3b, 0x4d, 0xdb, 0xc4, 0x9a,
0xf4, 0x89, 0x2b, 0xcb, 0x92, 0x9b, 0x06, 0x90,
0x69, 0xd1, 0x8d, 0x2b, 0xd1, 0xa5, 0xc4, 0x2f,
0x36, 0xac, 0xc2, 0x35, 0x59, 0x51, 0xa8, 0xd9,
0xa4, 0x7f, 0x0d, 0xd4, 0xbf, 0x02, 0xe7, 0x1e
],
[
0x37, 0x8f, 0x5a, 0x54, 0x16, 0x31, 0x22, 0x9b,
0x94, 0x4c, 0x9a, 0xd8, 0xec, 0x16, 0x5f, 0xde,
0x3a, 0x7d, 0x3a, 0x1b, 0x25, 0x89, 0x42, 0x24,
0x3c, 0xd9, 0x55, 0xb7, 0xe0, 0x0d, 0x09, 0x84,
0x80, 0x0a, 0x44, 0x0b, 0xdb, 0xb2, 0xce, 0xb1,
0x7b, 0x2b, 0x8a, 0x9a, 0xa6, 0x07, 0x9c, 0x54,
0x0e, 0x38, 0xdc, 0x92, 0xcb, 0x1f, 0x2a, 0x60,
0x72, 0x61, 0x44, 0x51, 0x83, 0x23, 0x5a, 0xdb
],
[
0xab, 0xbe, 0xde, 0xa6, 0x80, 0x05, 0x6f, 0x52,
0x38, 0x2a, 0xe5, 0x48, 0xb2, 0xe4, 0xf3, 0xf3,
0x89, 0x41, 0xe7, 0x1c, 0xff, 0x8a, 0x78, 0xdb,
0x1f, 0xff, 0xe1, 0x8a, 0x1b, 0x33, 0x61, 0x03,
0x9f, 0xe7, 0x67, 0x02, 0xaf, 0x69, 0x33, 0x4b,
0x7a, 0x1e, 0x6c, 0x30, 0x3b, 0x76, 0x52, 0xf4,
0x36, 0x98, 0xfa, 0xd1, 0x15, 0x3b, 0xb6, 0xc3,
0x74, 0xb4, 0xc7, 0xfb, 0x98, 0x45, 0x9c, 0xed
],
[
0x7b, 0xcd, 0x9e, 0xd0, 0xef, 0xc8, 0x89, 0xfb,
0x30, 0x02, 0xc6, 0xcd, 0x63, 0x5a, 0xfe, 0x94,
0xd8, 0xfa, 0x6b, 0xbb, 0xeb, 0xab, 0x07, 0x61,
0x20, 0x01, 0x80, 0x21, 0x14, 0x84, 0x66, 0x79,
0x8a, 0x1d, 0x71, 0xef, 0xea, 0x48, 0xb9, 0xca,
0xef, 0xba, 0xcd, 0x1d, 0x7d, 0x47, 0x6e, 0x98,
0xde, 0xa2, 0x59, 0x4a, 0xc0, 0x6f, 0xd8, 0x5d,
0x6b, 0xca, 0xa4, 0xcd, 0x81, 0xf3, 0x2d, 0x1b
],
[
0x37, 0x8e, 0xe7, 0x67, 0xf1, 0x16, 0x31, 0xba,
0xd2, 0x13, 0x80, 0xb0, 0x04, 0x49, 0xb1, 0x7a,
0xcd, 0xa4, 0x3c, 0x32, 0xbc, 0xdf, 0x1d, 0x77,
0xf8, 0x20, 0x12, 0xd4, 0x30, 0x21, 0x9f, 0x9b,
0x5d, 0x80, 0xef, 0x9d, 0x18, 0x91, 0xcc, 0x86,
0xe7, 0x1d, 0xa4, 0xaa, 0x88, 0xe1, 0x28, 0x52,
0xfa, 0xf4, 0x17, 0xd5, 0xd9, 0xb2, 0x1b, 0x99,
0x48, 0xbc, 0x92, 0x4a, 0xf1, 0x1b, 0xd7, 0x20
]
]
[
0x37, 0x8f, 0x5a, 0x54, 0x16, 0x31, 0x22, 0x9b,
0x94, 0x4c, 0x9a, 0xd8, 0xec, 0x16, 0x5f, 0xde,
0x3a, 0x7d, 0x3a, 0x1b, 0x25, 0x89, 0x42, 0x24,
0x3c, 0xd9, 0x55, 0xb7, 0xe0, 0x0d, 0x09, 0x84,
0x80, 0x0a, 0x44, 0x0b, 0xdb, 0xb2, 0xce, 0xb1,
0x7b, 0x2b, 0x8a, 0x9a, 0xa6, 0x07, 0x9c, 0x54,
0x0e, 0x38, 0xdc, 0x92, 0xcb, 0x1f, 0x2a, 0x60,
0x72, 0x61, 0x44, 0x51, 0x83, 0x23, 0x5a, 0xdb
],
[
0xab, 0xbe, 0xde, 0xa6, 0x80, 0x05, 0x6f, 0x52,
0x38, 0x2a, 0xe5, 0x48, 0xb2, 0xe4, 0xf3, 0xf3,
0x89, 0x41, 0xe7, 0x1c, 0xff, 0x8a, 0x78, 0xdb,
0x1f, 0xff, 0xe1, 0x8a, 0x1b, 0x33, 0x61, 0x03,
0x9f, 0xe7, 0x67, 0x02, 0xaf, 0x69, 0x33, 0x4b,
0x7a, 0x1e, 0x6c, 0x30, 0x3b, 0x76, 0x52, 0xf4,
0x36, 0x98, 0xfa, 0xd1, 0x15, 0x3b, 0xb6, 0xc3,
0x74, 0xb4, 0xc7, 0xfb, 0x98, 0x45, 0x9c, 0xed
],
[
0x7b, 0xcd, 0x9e, 0xd0, 0xef, 0xc8, 0x89, 0xfb,
0x30, 0x02, 0xc6, 0xcd, 0x63, 0x5a, 0xfe, 0x94,
0xd8, 0xfa, 0x6b, 0xbb, 0xeb, 0xab, 0x07, 0x61,
0x20, 0x01, 0x80, 0x21, 0x14, 0x84, 0x66, 0x79,
0x8a, 0x1d, 0x71, 0xef, 0xea, 0x48, 0xb9, 0xca,
0xef, 0xba, 0xcd, 0x1d, 0x7d, 0x47, 0x6e, 0x98,
0xde, 0xa2, 0x59, 0x4a, 0xc0, 0x6f, 0xd8, 0x5d,
0x6b, 0xca, 0xa4, 0xcd, 0x81, 0xf3, 0x2d, 0x1b
],
[
0x37, 0x8e, 0xe7, 0x67, 0xf1, 0x16, 0x31, 0xba,
0xd2, 0x13, 0x80, 0xb0, 0x04, 0x49, 0xb1, 0x7a,
0xcd, 0xa4, 0x3c, 0x32, 0xbc, 0xdf, 0x1d, 0x77,
0xf8, 0x20, 0x12, 0xd4, 0x30, 0x21, 0x9f, 0x9b,
0x5d, 0x80, 0xef, 0x9d, 0x18, 0x91, 0xcc, 0x86,
0xe7, 0x1d, 0xa4, 0xaa, 0x88, 0xe1, 0x28, 0x52,
0xfa, 0xf4, 0x17, 0xd5, 0xd9, 0xb2, 0x1b, 0x99,
0x48, 0xbc, 0x92, 0x4a, 0xf1, 0x1b, 0xd7, 0x20
]
]
def __AddModulo(self, A, B):
result = [0] * 64
t = 0
for i in reversed(range(0, 64)):
t = A[i] + B[i] + (t >> 8)
result[i] = t & 0xFF
return result
def __AddModulo(self, A, B):
result = [0] * 64
t = 0
for i in reversed(range(0, 64)):
t = A[i] + B[i] + (t >> 8)
result[i] = t & 0xFF
return result
def __AddXor(self, A, B):
result = [0] * 64
for i in range(0, 64):
result[i] = A[i] ^ B[i]
return result
def __AddXor(self, A, B):
result = [0] * 64
for i in range(0, 64):
result[i] = A[i] ^ B[i]
return result
def __S(self, state):
result = [0] * 64
for i in range(0, 64):
result[i] = self.__Sbox[state[i]]
return result
def __S(self, state):
result = [0] * 64
for i in range(0, 64):
result[i] = self.__Sbox[state[i]]
return result
def __P(self, state):
result = [0] * 64
for i in range(0, 64):
result[i] = state[self.__Tau[i]]
return result
def __P(self, state):
result = [0] * 64
for i in range(0, 64):
result[i] = state[self.__Tau[i]]
return result
def __L(self, state):
result = [0] * 64
for i in range(0, 8):
t = 0
for k in range(0, 8):
for j in range(0, 8):
if ((state[i * 8 + k] & (1 << (7 - j))) != 0):
t ^= self.__A[k * 8 + j]
for k in range(0, 8):
result[i * 8 + k] = (t & (0xFF << (7 - k) * 8)) >> (7 - k) * 8
return result
def __L(self, state):
result = [0] * 64
for i in range(0, 8):
t = 0
for k in range(0, 8):
for j in range(0, 8):
if ((state[i * 8 + k] & (1 << (7 - j))) != 0):
t ^= self.__A[k * 8 + j]
for k in range(0, 8):
result[i * 8 + k] = (t & (0xFF << (7 - k) * 8)) >> (7 - k) * 8
return result
def __KeySchedule(self, K, i):
K = self.__AddXor(K, self.__C[i])
K = self.__S(K)
K = self.__P(K)
K = self.__L(K)
return K
def __KeySchedule(self, K, i):
K = self.__AddXor(K, self.__C[i])
K = self.__S(K)
K = self.__P(K)
K = self.__L(K)
return K
# E(K, m)
def __E(self, K, m):
state = self.__AddXor(K, m)
for i in range(0, 12):
state = self.__S(state)
state = self.__P(state)
state = self.__L(state)
K = self.__KeySchedule(K, i)
state = self.__AddXor(state, K)
return state
# E(K, m)
def __E(self, K, m):
state = self.__AddXor(K, m)
for i in range(0, 12):
state = self.__S(state)
state = self.__P(state)
state = self.__L(state)
K = self.__KeySchedule(K, i)
state = self.__AddXor(state, K)
return state
def __G_n(self, N, h, m):
K = self.__AddXor(h, N)
K = self.__S(K)
K = self.__P(K)
K = self.__L(K)
t = self.__E(K, m)
t = self.__AddXor(t, h)
return self.__AddXor(t, m)
def __G_n(self, N, h, m):
K = self.__AddXor(h, N)
K = self.__S(K)
K = self.__P(K)
K = self.__L(K)
t = self.__E(K, m)
t = self.__AddXor(t, h)
return self.__AddXor(t, m)
def __Padding(self, last, N, h, Sigma):
if (len(last) < 64):
padding = [0] * (64 - len(last))
padding[-1] = 1
padded_message = padding + last
h = self.__G_n(N, h, padded_message)
N_len = [0] * 64
N_len[63] = (len(last) * 8) & 0xff
N_len[62] = (len(last) * 8) >> 8
N = self.__AddModulo(N, N_len)
Sigma = self.__AddModulo(Sigma, padded_message)
return (h, N, Sigma)
def __Padding(self, last, N, h, Sigma):
if (len(last) < 64):
padding = [0] * (64 - len(last))
padding[-1] = 1
padded_message = padding + last
h = self.__G_n(N, h, padded_message)
N_len = [0] * 64
N_len[63] = (len(last) * 8) & 0xff
N_len[62] = (len(last) * 8) >> 8
N = self.__AddModulo(N, N_len)
Sigma = self.__AddModulo(Sigma, padded_message)
return (h, N, Sigma)
def digest( self, message, out=512 ):
return list2str( self.GetHash( str2list( message ), out ) )
def digest( self, message, out=512 ):
return list2str( self.GetHash( str2list( message ), out ) )
def GetHash(self, message, out=512, no_pad=False):
N = [0] * 64
Sigma = [0] * 64
if out == 512:
h = [0] * 64
elif out == 256:
h = [0x01] * 64
else:
print("Wrong hash out length!")
def GetHash(self, message, out=512, no_pad=False):
N = [0] * 64
Sigma = [0] * 64
if out == 512:
h = [0] * 64
elif out == 256:
h = [0x01] * 64
else:
print("Wrong hash out length!")
N_512 = [0] * 64
N_512[62] = 0x02 # 512 = 0x200
N_512 = [0] * 64
N_512[62] = 0x02 # 512 = 0x200
length_bits = len(message) * 8
length = len(message)
length_bits = len(message) * 8
length = len(message)
i = 0
asd = message[::-1]
while (length_bits >= 512):
tmp = (message[i * 64: (i + 1) * 64])[::-1]
h = self.__G_n(N, h, tmp)
N = self.__AddModulo(N, N_512)
Sigma = self.__AddModulo(Sigma, tmp)
length_bits -= 512
i += 1
i = 0
asd = message[::-1]
while (length_bits >= 512):
tmp = (message[i * 64: (i + 1) * 64])[::-1]
h = self.__G_n(N, h, tmp)
N = self.__AddModulo(N, N_512)
Sigma = self.__AddModulo(Sigma, tmp)
length_bits -= 512
i += 1
last = (message[i * 64: length])[::-1]
last = (message[i * 64: length])[::-1]
if (len(last) == 0 and no_pad):
pass
else:
h, N, Sigma = self.__Padding(last, N, h, Sigma)
if (len(last) == 0 and no_pad):
pass
else:
h, N, Sigma = self.__Padding(last, N, h, Sigma)
N_0 = [0] * 64
h = self.__G_n(N_0, h, N)
h = self.__G_n(N_0, h, Sigma)
N_0 = [0] * 64
h = self.__G_n(N_0, h, N)
h = self.__G_n(N_0, h, Sigma)
if out == 512:
return h[::-1]
elif out == 256:
return (h[0:32])[::-1]
if out == 512:
return h[::-1]
elif out == 256:
return (h[0:32])[::-1]
def hash(self, str_message, out=512, no_pad=False):
return list2str(self.GetHash(str2list(str_message), out, no_pad))
def hash(self, str_message, out=512, no_pad=False):
return list2str(self.GetHash(str2list(str_message), out, no_pad))
def H256(msg):
S = Stribog()
return S.hash(msg, out=256)
def H256(msg):
S = Stribog()
return S.hash(msg, out=256)
def H512(msg):
S = Stribog()
return S.hash(msg)
def H512(msg):
S = Stribog()
return S.hash(msg)
def num2le( s, n ):
res = ""
for i in range(n):
res += chr(s & 0xFF)
s >>= 8
return res
def num2le( s, n ):
res = ""
for i in range(n):
res += chr(s & 0xFF)
s >>= 8
return res
def le2num( s ):
res = 0
for i in range(len(s) - 1, -1, -1):
res = (res << 8) + ord(s[i])
return res
def le2num( s ):
res = 0
for i in range(len(s) - 1, -1, -1):
res = (res << 8) + ord(s[i])
return res
def XGCD(a,b):
"""XGCD(a,b) returns a list of form [g,x,y], where g is GCD(a,b) and
x,y satisfy the equation g = ax + by."""
a1=1; b1=0; a2=0; b2=1; aneg=1; bneg=1; swap = False
if(a < 0):
a = -a; aneg=-1
if(b < 0):
b = -b; bneg=-1
if(b > a):
swap = True
[a,b] = [b,a]
while (1):
quot = -(a / b)
a = a % b
a1 = a1 + quot*a2; b1 = b1 + quot*b2
if(a == 0):
if(swap):
return [b, b2*bneg, a2*aneg]
else:
return [b, a2*aneg, b2*bneg]
quot = -(b / a)
b = b % a
a2 = a2 + quot*a1; b2 = b2 + quot*b1
if(b == 0):
if(swap):
return [a, b1*bneg, a1*aneg]
else:
return [a, a1*aneg, b1*bneg]
def XGCD(a,b):
"""XGCD(a,b) returns a list of form [g,x,y], where g is GCD(a,b) and
x,y satisfy the equation g = ax + by."""
a1=1; b1=0; a2=0; b2=1; aneg=1; bneg=1; swap = False
if(a < 0):
a = -a; aneg=-1
if(b < 0):
b = -b; bneg=-1
if(b > a):
swap = True
[a,b] = [b,a]
while (1):
quot = -(a / b)
a = a % b
a1 = a1 + quot*a2; b1 = b1 + quot*b2
if(a == 0):
if(swap):
return [b, b2*bneg, a2*aneg]
else:
return [b, a2*aneg, b2*bneg]
quot = -(b / a)
b = b % a
a2 = a2 + quot*a1; b2 = b2 + quot*b1
if(b == 0):
if(swap):
return [a, b1*bneg, a1*aneg]
else:
return [a, a1*aneg, b1*bneg]
def getMultByMask( elems, mask ):
n = len( elems )
r = 1
for i in range( n ):
if mask & 1:
r *= elems[ n - 1 - i ]
mask = mask >> 1
return r
def getMultByMask( elems, mask ):
n = len( elems )
r = 1
for i in range( n ):
if mask & 1:
r *= elems[ n - 1 - i ]
mask = mask >> 1
return r
def subF(P, other, p): return (P - other) % p
def SUFF(P,其他,P):返回(P-其他)%P
def divF(P, other, p):
return mulF(P, invF(other, p), p)
def divF(P, other, p):
return mulF(P, invF(other, p), p)
def addF(P, other, p): return (P + other) % p
def addF(P,其他,P):返回(P+其他)%P
def mulF(P, other, p): return (P * other) % p
def mulF(P,其他,P):返回(P*其他)%P
def invF(R, p):
assert (R != 0)
return XGCD(R, p)[1] % p
def invF(R, p):
assert (R != 0)
return XGCD(R, p)[1] % p
def negF(R, p): return (-R) % p
def negF(右,右):返回(-R)%p
def powF(R, m, p):
assert R != None
assert type(m) in (int, long)
def powF(R, m, p):
assert R != None
assert type(m) in (int, long)
if m == 0:
assert R != 0
return 1
elif m < 0:
t = invF(R, p)
return powF(t, (-m), p)
else:
i = m.bit_length() - 1
r = 1
while i > 0:
if (m >> i) & 1:
r = (r * R) % p
r = (r * r) % p
i -= 1
if m & 1:
r = (r * R) % p
return r
if m == 0:
assert R != 0
return 1
elif m < 0:
t = invF(R, p)
return powF(t, (-m), p)
else:
i = m.bit_length() - 1
r = 1
while i > 0:
if (m >> i) & 1:
r = (r * R) % p
r = (r * r) % p
i -= 1
if m & 1:
r = (r * R) % p
return r
def add(Px, Py, Qx, Qy, p, a, b):
if Qx == Qy == None:
return [Px, Py]
def add(Px, Py, Qx, Qy, p, a, b):
if Qx == Qy == None:
return [Px, Py]
if Px == Py == None:
return [Qx, Qy]
if Px == Py == None:
return [Qx, Qy]
if (Px == Qx) and (Py == negF(Qy, p)):
return [None, None]
if (Px == Qx) and (Py == negF(Qy, p)):
return [None, None]
if (Px == Qx) and (Py == Qy):
assert Py != 0
return duplicate(Px, Py, p, a)
else:
l = divF( subF( Qy, Py, p ), subF( Qx, Px, p ), p )
resX = subF( subF( powF( l, 2, p ), Px, p ), Qx, p )
resY = subF( mulF( l, subF( Px, resX, p ), p ), Py, p )
return [resX, resY]
if (Px == Qx) and (Py == Qy):
assert Py != 0
return duplicate(Px, Py, p, a)
else:
l = divF( subF( Qy, Py, p ), subF( Qx, Px, p ), p )
resX = subF( subF( powF( l, 2, p ), Px, p ), Qx, p )
resY = subF( mulF( l, subF( Px, resX, p ), p ), Py, p )
return [resX, resY]
def duplicate(Px, Py, p, a):
if (Px == None) and (Py == None):
return [None, None]
def duplicate(Px, Py, p, a):
if (Px == None) and (Py == None):
return [None, None]
if Py == 0: return [None, None]
如果Py==0:返回[无,无]
l = divF(addF(mulF(powF(Px, 2, p), 3, p), a, p), mulF(Py, 2, p), p)
resX = subF(powF(l, 2, p), mulF(Px, 2, p), p)
resY = subF(mulF(l, subF(Px, resX, p), p), Py, p)
return [resX, resY]
l = divF(addF(mulF(powF(Px, 2, p), 3, p), a, p), mulF(Py, 2, p), p)
resX = subF(powF(l, 2, p), mulF(Px, 2, p), p)
resY = subF(mulF(l, subF(Px, resX, p), p), Py, p)
return [resX, resY]
def mul(Px, Py, s, p, a, b):
assert type(s) in (int, long)
assert Px != None and Py != None
def mul(Px, Py, s, p, a, b):
assert type(s) in (int, long)
assert Px != None and Py != None
X = Px Y = Py
X=Px Y=Py
i = s.bit_length() - 1
resX = None
resY = None
while i > 0:
if (s >> i) & 1:
resX, resY = add(resX, resY, X, Y, p, a, b)
resX, resY = duplicate(resX, resY, p, a)
i -= 1
if s & 1:
resX, resY = add(resX, resY, X, Y, p, a, b)
return [resX, resY]
i = s.bit_length() - 1
resX = None
resY = None
while i > 0:
if (s >> i) & 1:
resX, resY = add(resX, resY, X, Y, p, a, b)
resX, resY = duplicate(resX, resY, p, a)
i -= 1
if s & 1:
resX, resY = add(resX, resY, X, Y, p, a, b)
return [resX, resY]
def Ord(Px, Py, m, q, p, a, b):
assert Px != None and Py != None
assert (m != None) and (q != None)
assert mul(Px, Py, m, p, a, b) == [None, None]
def Ord(Px, Py, m, q, p, a, b):
assert Px != None and Py != None
assert (m != None) and (q != None)
assert mul(Px, Py, m, p, a, b) == [None, None]
X = Px
Y = Py
r = m
for mask in range(1 << len(q)):
t = getMultByMask(q, mask)
Rx, Ry = mul(X, Y, t, p, a, b)
if (Rx == None) and (Ry == None):
r = min(r, t)
return r
X = Px
Y = Py
r = m
for mask in range(1 << len(q)):
t = getMultByMask(q, mask)
Rx, Ry = mul(X, Y, t, p, a, b)
if (Rx == None) and (Ry == None):
r = min(r, t)
return r
def isQuadraticResidue( R, p ):
if R == 0:
assert False
temp = powF(R, ((p - 1) / 2), p)
if temp == (p - 1):
return False
else:
assert temp == 1
return True
def isQuadraticResidue( R, p ):
if R == 0:
assert False
temp = powF(R, ((p - 1) / 2), p)
if temp == (p - 1):
return False
else:
assert temp == 1
return True
def getRandomQuadraticNonresidue(p):
from random import randint
r = (randint(2, p - 1)) % p
while isQuadraticResidue(r, p):
r = (randint(2, p - 1)) % p
return r
def getRandomQuadraticNonresidue(p):
from random import randint
r = (randint(2, p - 1)) % p
while isQuadraticResidue(r, p):
r = (randint(2, p - 1)) % p
return r
def ModSqrt( R, p ):
assert R != None
assert isQuadraticResidue(R, p)
def ModSqrt( R, p ):
assert R != None
assert isQuadraticResidue(R, p)
if p % 4 == 3:
res = powF(R, (p + 1) / 4, p)
if powF(res, 2, p) != R:
res = None
return [res, negF(res, p)]
else:
ainvF = invF(R, p)
if p % 4 == 3:
res = powF(R, (p + 1) / 4, p)
if powF(res, 2, p) != R:
res = None
return [res, negF(res, p)]
else:
ainvF = invF(R, p)
s = p - 1
alpha = 0
while (s % 2) == 0:
alpha += 1
s = s / 2
s = p - 1
alpha = 0
while (s % 2) == 0:
alpha += 1
s = s / 2
b = powF(getRandomQuadraticNonresidue(p), s, p)
r = powF(R, (s + 1) / 2, p)
b = powF(getRandomQuadraticNonresidue(p), s, p)
r = powF(R, (s + 1) / 2, p)
bj = 1
for k in range(0, alpha - 1): # alpha >= 2 because p % 4 = 1
d = 2 ** (alpha - k - 2)
x = powF(mulF(powF(mulF(bj, r, p), 2, p), ainvF, p), d, p)
if x != 1:
bj = mulF(bj, powF(b, (2 ** k), p), p)
res = mulF(bj, r, p)
return [res, negF(res, p)]
bj = 1
for k in range(0, alpha - 1): # alpha >= 2 because p % 4 = 1
d = 2 ** (alpha - k - 2)
x = powF(mulF(powF(mulF(bj, r, p), 2, p), ainvF, p), d, p)
if x != 1:
bj = mulF(bj, powF(b, (2 ** k), p), p)
res = mulF(bj, r, p)
return [res, negF(res, p)]
def generateQs( p, pByteSize, a, b, m, q, orderDivisors, Px, Py, N ):
assert pByteSize in ( 256 / 8, 512 / 8 )
PxBytes = num2le( Px, pByteSize )
PyBytes = num2le( Py, pByteSize )
Qs = []
S = []
Hash_src = []
Hash_res = []
co_factor = m / q
def generateQs( p, pByteSize, a, b, m, q, orderDivisors, Px, Py, N ):
assert pByteSize in ( 256 / 8, 512 / 8 )
PxBytes = num2le( Px, pByteSize )
PyBytes = num2le( Py, pByteSize )
Qs = []
S = []
Hash_src = []
Hash_res = []
co_factor = m / q
seed = 0
while len( Qs ) != N:
hashSrc = PxBytes + PyBytes + num2le( seed, 4 )
if pByteSize == ( 256 / 8 ):
QxBytes = H256( hashSrc )
else:
QxBytes = H512( hashSrc )
seed = 0
while len( Qs ) != N:
hashSrc = PxBytes + PyBytes + num2le( seed, 4 )
if pByteSize == ( 256 / 8 ):
QxBytes = H256( hashSrc )
else:
QxBytes = H512( hashSrc )
Qx = le2num( QxBytes ) % p
Qx=le2num(QxBytes)%p
R = addF( addF( powF(Qx, 3, p ), mulF(Qx, a, p), p), b, p )
if ( R == 0 ) or ( not isQuadraticResidue( R, p ) ):
seed += 1
continue
R = addF( addF( powF(Qx, 3, p ), mulF(Qx, a, p), p), b, p )
if ( R == 0 ) or ( not isQuadraticResidue( R, p ) ):
seed += 1
continue
Qy_sqrt = ModSqrt( R, p )
Qy = min(Qy_sqrt)
if co_factor * Ord(Qx, Qy, m, orderDivisors, p, a, b) != m:
seed += 1
continue
Qy_sqrt = ModSqrt( R, p )
Qy = min(Qy_sqrt)
if co_factor * Ord(Qx, Qy, m, orderDivisors, p, a, b) != m:
seed += 1
continue
Qs += [(Qx, Qy)]
S += [seed]
Hash_src += [hashSrc]
Hash_res += [QxBytes]
seed += 1
Qs += [(Qx, Qy)]
S += [seed]
Hash_src += [hashSrc]
Hash_res += [QxBytes]
seed += 1
return Qs, S, Hash_src, Hash_res
返回Qs、S、Hash\u src、Hash\u res
if __name__ == "__main__":
for i, curve in enumerate(curvesParams):
print "A.1." + str(i+1) + ". Curve " + curve["OID"]
if "3410-2012-256-paramSetA" in curve["OID"] or \
"3410-2012-512-paramSetC" in curve["OID"]:
Q, S, Hash_src, Hash_res = generateQs(curve["p"],\
curve["n"],\
curve["a"],\
curve["b"],\
curve["m"],\
curve["q"],\
[ 2, 2, curve["q"]],\
curve["x"],\
curve["y"],\
1)
else:
Q, S, Hash_src, Hash_res = generateQs(curve["p"],\
curve["n"],\
curve["a"],\
curve["b"],\
curve["m"],\
curve["q"],\
[curve["q"]],\
curve["x"],\
curve["y"],\
1)
if __name__ == "__main__":
for i, curve in enumerate(curvesParams):
print "A.1." + str(i+1) + ". Curve " + curve["OID"]
if "3410-2012-256-paramSetA" in curve["OID"] or \
"3410-2012-512-paramSetC" in curve["OID"]:
Q, S, Hash_src, Hash_res = generateQs(curve["p"],\
curve["n"],\
curve["a"],\
curve["b"],\
curve["m"],\
curve["q"],\
[ 2, 2, curve["q"]],\
curve["x"],\
curve["y"],\
1)
else:
Q, S, Hash_src, Hash_res = generateQs(curve["p"],\
curve["n"],\
curve["a"],\
curve["b"],\
curve["m"],\
curve["q"],\
[curve["q"]],\
curve["x"],\
curve["y"],\
1)
j = 1
for q, s, hash_src, hash_res in zip(Q, S, Hash_src, Hash_res):
print "Point Q_" + str(j)
j += 1
j = 1
for q, s, hash_src, hash_res in zip(Q, S, Hash_src, Hash_res):
print "Point Q_" + str(j)
j += 1
print "X=", hex(q[0])[:-1]
print "Y=", hex(q[1])[:-1]
print "X=", hex(q[0])[:-1]
print "Y=", hex(q[1])[:-1]
print "SEED=","{0:#0{1}x}".format(s,6)
print
print "SEED=","{0:#0{1}x}".format(s,6)
print
Acknowledgments
致谢
We thank Lolita Sonina, Georgiy Borodin, Sergey Agafin, and Ekaterina Smyshlyaeva for their careful readings and useful comments.
我们感谢洛丽塔·索尼娜、乔治·博罗丁、谢尔盖·阿加芬和叶卡捷琳娜·斯米什列耶娃的仔细阅读和有用的评论。
Authors' Addresses
作者地址
Stanislav Smyshlyaev (editor) CRYPTO-PRO 18, Suschevsky val Moscow 127018 Russian Federation
Stanislav Smyshlyaev(编辑)CRYPTO-PRO 18,莫斯科苏切夫斯基127018俄罗斯联邦
Phone: +7 (495) 995-48-20
Email: svs@cryptopro.ru
Phone: +7 (495) 995-48-20
Email: svs@cryptopro.ru
Evgeny Alekseev CRYPTO-PRO 18, Suschevsky val Moscow 127018 Russian Federation
叶夫根尼·阿列克谢耶夫加密-PRO 18,莫斯科苏契夫斯基127018俄罗斯联邦
Phone: +7 (495) 995-48-20
Email: alekseev@cryptopro.ru
Phone: +7 (495) 995-48-20
Email: alekseev@cryptopro.ru
Igor Oshkin CRYPTO-PRO 18, Suschevsky val Moscow 127018 Russian Federation
Igor Oshkin CRYPTO-PRO 18,莫斯科苏契夫斯基127018俄罗斯联邦
Phone: +7 (495) 995-48-20
Email: oshkin@cryptopro.ru
Phone: +7 (495) 995-48-20
Email: oshkin@cryptopro.ru
Vladimir Popov CRYPTO-PRO 18, Suschevsky val Moscow 127018 Russian Federation
弗拉基米尔·波波夫CRYPTO-PRO 18,莫斯科苏契夫斯基127018俄罗斯联邦
Phone: +7 (495) 995-48-20
Email: vpopov@cryptopro.ru
Phone: +7 (495) 995-48-20
Email: vpopov@cryptopro.ru