GOST R 34.12-2015: Block Cipher "Magma"
JSC "NPK Kryptonite"
Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite"
Moscow
105082
Russian Federation
vdolmatov@gmail.com
Auriga, Inc.
Torfyanaya Doroga, 7F
office 1410
Saint-Petersburg
197374
Russian Federation
dbaryshkov@gmail.com
Magma
Block Cipher
In addition to a new cipher with a block length of n=128 bits (referred
to as "Kuznyechik" and described in RFC 7801), Russian Federal standard
GOST R 34.12-2015 includes an updated version of the block
cipher with a block length of n=64 bits and key length of k=256 bits, which
is also referred to as "Magma". The algorithm is an updated version of
an older block cipher with a block length of n=64 bits described in GOST
28147-89 (RFC 5830). This document is intended to be a source
of information about the updated version of the 64-bit cipher. It may
facilitate the use of the block cipher in Internet applications by
providing information for developers and users of the GOST 64-bit
cipher with the revised version of the cipher for encryption and
decryption.
Introduction
The Russian Federal standard
specifies basic block ciphers used as cryptographic techniques for
information processing and information protection, including the
provision of confidentiality, authenticity, and integrity of information
during information transmission, processing, and storage in
computer-aided systems.
The cryptographic algorithms defined in this specification are
designed both for hardware and software implementation. They comply
with modern cryptographic requirements and put no restrictions on the
confidentiality level of the protected information.
This document is intended to be a source of information about the
updated version of the 64-bit cipher. It may facilitate the use of the
block cipher in Internet applications by providing information for
developers and users of a GOST 64-bit cipher with the revised version of
the cipher for encryption and decryption.
General Information
The Russian Federal standard was
developed by the Center for Information Protection and Special
Communications of the Federal Security Service of the Russian Federation,
with participation of the open joint-stock company "Information
Technologies and Communication Systems" (InfoTeCS JSC). GOST R
34.12-2015 was approved and introduced by Decree #749 of the Federal
Agency on Technical Regulating and Metrology on June 19, 2015.
Terms and concepts in the specification comply with the following
international standards:
- ISO/IEC 10116
- series of standards ISO/IEC 18033
Definitions and Notation
The following terms and their corresponding definitions are used in
the specification.
Definitions
- encryption algorithm:
- process that transforms plaintext into
ciphertext (Clause 2.19 of )
- decryption algorithm:
- process that transforms ciphertext into
plaintext (Clause 2.14 of )
- basic block cipher:
- block cipher that, for a given key, provides
a single invertible mapping of the set of fixed-length plaintext
blocks into ciphertext blocks of the same length
- block:
- string of bits of a defined length (Clause 2.6 of )
- block cipher:
- symmetric encipherment system with the property
that the encryption algorithm operates on a block of plaintext --
i.e., a string of bits of a defined length -- to yield a block of
ciphertext (Clause 2.7 of )
Note: In GOST R 34.12-2015, it is established that the
terms "block cipher" and "block encryption algorithm" are
synonyms.
- encryption:
- reversible transformation of data by a
cryptographic algorithm to produce ciphertext -- i.e., to hide the
information content of the data (Clause 2.18 of )
- round key:
- sequence of symbols that is calculated from the key
and controls a transformation for one round of a block cipher
- key:
- sequence of symbols that controls the operation of a
cryptographic transformation (e.g., encipherment, decipherment)
(Clause 2.21 of )
Note: In GOST R 34.12-2015, the key must be a binary
sequence.
- plaintext:
- unencrypted information (Clause 3.11 of )
- key schedule:
- calculation of round keys from the key,
- decryption:
- reversal of a corresponding encipherment (Clause
2.13 of )
- symmetric cryptographic technique:
- cryptographic technique that
uses the same secret key for both the originator's and the
recipient's transformation (Clause 2.32 of )
- cipher:
- alternative term for encipherment system (Clause 2.20
of )
- ciphertext:
- data that has been transformed to hide its
information content (Clause 3.3 of )
Notation
The following notation is used in the specification:
- V*
- the set of all binary vector strings of a
finite length (hereinafter referred to as the strings), including
the empty string
- V_s
- the set of all binary strings of length s,
where s is a nonnegative integer; substrings and string
components are enumerated from right to left, starting from
zero
- U[*]W
- direct (Cartesian) product of two sets U and W
- |A|
- the number of components (the length) of a
string A belonging to V* (if A is an empty string, then |A| =
0)
- A||B
- concatenation of strings A and B both
belonging to V* -- i.e., a string from V_(|A|+|B|), where the left
substring from V_|A| is equal to A and the right substring from
V_|B| is equal to B
- A<<<_11
- cyclic rotation of string A
belonging to V_32 by 11 components in the direction of components
having greater indices
- Z_(2^n)
- ring of residues modulo 2^n
- (xor)
- exclusive-or of two binary strings of the same length
- [+]
- addition in the ring Z_(2^32)
- Vec_s: Z_(2^s) -> V_s
- bijective mapping that maps an element from ring Z_(2^s) into
its binary representation; i.e., for an element z of the
ring Z_(2^s), represented by the
residue z_0 + (2*z_1) + ... + (2^(s-1)*z_(s-1)), where z_i in {0,
1}, i = 0, ..., n-1, the equality Vec_s(z) =
z_(s-1)||...||z_1||z_0 holds
- Int_s: V_s -> Z_(2^s)
- the mapping inverse to the mapping Vec_s, i.e., Int_s =
Vec_s^(-1)
- PS
- composition of mappings, where the mapping
S applies first
- P^s
- composition of mappings P^(s-1) and P, where P^1=P
Parameter Values
Nonlinear Bijection
The bijective nonlinear mapping is a set of substitutions:
V_4,
]]>
where
Z_(2^4), i = 0, 1, ..., 7.
]]>
The values of the substitution Pi' are specified below as
arrays.
Transformations
The following transformations are applicable for encryption and
decryption algorithms:
- t: V_32 -> V_32
- t(a) = t(a_7||...||a_0) =
Pi_7(a_7)||...||Pi_0(a_0), where a=a_7||...||a_0 belongs to V_32,
a_i belongs to V_4, i=0, 1, ..., 7.
- g[k]: V_32 -> V_32
- g[k](a) = (t(Vec_32(Int_32(a)
[+] Int_32(k)))) <<<_11, where k, a belong to V_32
- G[k]: V_32[*]V_32 -> V_32[*]V_32
- G[k](a_1, a_0) =
(a_0, g[k](a_0) (xor) a_1), where k, a_0, a_1 belong to V_32
- G^*[k]: V_32[*]V_32 -> V_64
- G^*[k](a_1, a_0) =
(g[k](a_0) (xor) a_1) || a_0, where k, a_0, a_1 belong to
V_32.
Key Schedule
Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from
key K = k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1,
..., 255, as follows:
Basic Encryption Algorithm
Encryption
Depending on the values of round keys K_1,...,K_32, the encryption
algorithm is a substitution E_&wj;(K_1,...,K_32) defined as follows:
where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to
V_32.
Decryption
Depending on the values of round keys K_1,...,K_32, the decryption
algorithm is a substitution D_&wj;(K_1,...,K_32) defined as follows:
where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to
V_32.
IANA Considerations
This document has no IANA actions.
Security Considerations
This entire document is about security considerations.
Unlike (GOST 28147-89), but
like , this specification does
not define exact block
modes that should be used together with the updated Magma cipher. One is
free to select block modes depending on the protocol and necessity.
References
Normative References
Information technology. Cryptographic data security. Block
ciphers.
Federal Agency on Technical Regulating and
Metrology
Informative References
Cryptographic Protection for Data Processing System, GOST
28147-89, Gosudarstvennyi Standard of USSR
Government Committee of the USSR for
Standards
Information technology -- Security techniques -- Modes of
operation for an n-bit block cipher
ISO/IEC
Information technology -- Security techniques -- Encryption
algorithms -- Part 1: General
ISO/IEC
Information technology -- Security techniques -- Encryption
algorithms -- Part 3: Block ciphers
ISO/IEC
Test Examples
This section is for information only and is not a normative part of
the specification.
Key Schedule
With key set to
the following round keys are generated:
Test Encryption
In this test example, encryption is performed on the round keys
specified in . Let the
plaintext be
then
Then the ciphertext is
Test Decryption
In this test example, decryption is performed on the round keys
specified in . Let the
ciphertext be
then
Then the plaintext is
Background
This specification is a translation of relevant parts of the standard. The order of terms
in both
parts of
comes from the original
text. Combining with this
document will create a complete translation of into English.
Algorithmically, Magma is a variation of the block cipher defined in
()
with the following clarifications and minor modifications:
- S-BOX set is fixed at id-tc26-gost-28147-param-Z
(see );
- key is parsed as a single big-endian integer (compared to the
little-endian approach used in ),
which results in different subkey values being used;
- data bytes are also parsed as a single big-endian integer (instead of being parsed as little-endian integer).