GOST R 34.12-2015: Block Cipher "Magma"JSC "NPK Kryptonite"Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite"Moscow105082Russian Federationvdolmatov@gmail.comAuriga, IncTorfyanaya Doroga, 7F, office 1410Saint-Petersburg197374Russian Federationdbaryshkov@gmail.com
General
Internet Engineering Task ForceMagmaBlock CipherIn addition to a new cipher with block length of n=128 bits (referred
as "Kyznyechik" and described in RFC 7801) Russian Federal standard
GOST R 34.12-2015 includes an updated version of the block
cipher with block length of n=64 bits and key length k=256 bits, which
is also referred as "Magma". The algorithm is an updated version of
older block cipher with block length of n=64 bits described in GOST
28147-89 (RFC 5830). This document is intended to be a source
of information about the updated version of 64-bit cipher. It may
facilitate the use of the block cipher in Internet applications by
providing information for developers and users of GOST 64-bit
cipher with the revised version of the cipher for encryption and
decryption.The Russian Federal standard
specifies basic block ciphers used as cryptographic techniques for
information processing and information protection including the
provision of confidentiality, authenticity, and integrity of information
during information transmission, processing and storage in
computer-aided systems.The cryptographic algorithms defined in this specification are
designed both for hardware and software implementation. They comply
with modern cryptographic requirements, and put no restrictions on the
confidentiality level of the protected information.The Russian Federal standard was
developed by the Center for Information Protection and Special
Communications of the Federal Security Service of the Russian Federation
with participation of the Open Joint-Stock company "Information
Technologies and Communication Systems" (InfoTeCS JSC). GOST R
34.12-2015 was approved and introduced by Decree #749 of the Federal
Agency on Technical Regulating and Metrology on 19.06.2015.Terms and concepts in the specification comply with the following
international standards: ISO/IEC 10116 ,series of standards ISO/IEC 18033 , .The following terms and their corresponding definitions are used in
the specification.Definitions encryption algorithm: process which transforms plaintext into
ciphertext (Clause 2.19 of ),decryption algorithm: process which transforms ciphertext into
plaintext (Clause 2.14 of ),basic block cipher: block cipher which for a given key provides
a single invertible mapping of the set of fixed-length plaintext
blocks into ciphertext blocks of the same length,block: string of bits of a defined length (Clause 2.6 of ),block cipher: symmetric encipherment system with the property
that the encryption algorithm operates on a block of plaintext,
i.e. a string of bits of a defined length, to yield a block of
ciphertext (Clause 2.7 of ), Note: In GOST R 34.12-2015, it is established that the
terms "block cipher" and "block encryption algorithm" are
synonyms.encryption: reversible transformation of data by a
cryptographic algorithm to produce ciphertext, i.e., to hide the
information content of the data (Clause 2.18 of ),round key: sequence of symbols which is calculated from the key
and controls a transformation for one round of a block cipher,key: sequence of symbols that controls the operation of a
cryptographic transformation (e.g., encipherment, decipherment)
(Clause 2.21 of ), Note: In GOST R 34.12-2015, the key must be a binary
sequence.plaintext: unencrypted information (Clause 3.11 of ),key schedule: calculation of round keys from the key,decryption: reversal of a corresponding encipherment (Clause
2.13 of ),symmetric cryptographic technique: cryptographic technique that
uses the same secret key for both the originator's and the
recipient's transformation (Clause 2.32 of ),cipher: alternative term for encipherment system (Clause 2.20
of ),ciphertext: data which has been transformed to hide its
information content (Clause 3.3 of ).The following notations are used in the specification: the set of all binary vector-strings of a
finite length (hereinafter referred to as the strings) including
the empty string,the set of all binary strings of length s,
where s is a non-negative integer; substrings and string
components are enumerated from right to left starting from
zero,direct (Cartesian) product of two sets U and
W,the number of components (the length) of a
string A belonging to V* (if A is an empty string, then |A| =
0),concatenation of strings A and B both
belonging to V*, i.e., a string from V_(|A|+|B|), where the left
substring from V_|A| is equal to A and the right substring from
V_|B| is equal to B,cyclic rotation of string A
belonging to V_32 by 11 components in the direction of components
having greater indices,ring of residues modulo 2^n,exclusive-or of the two binary strings of
the same length,addition in the ring Z_(2^32)bijective mapping which
maps an element from ring Z_(2^s) into its binary representation,
i.e., for an element z of the ring Z_(2^s), represented by the
residue z_0 + (2*z_1) + ... + (2^(s-1)*z_(s-1)), where z_i in {0,
1}, i = 0, ..., n-1, the equality Vec_s(z) =
z_(s-1)||...||z_1||z_0 holds,the mapping inverse to the
mapping Vec_s, i.e., Int_s = Vec_s^(-1),composition of mappings, where the mapping
S applies first,composition of mappings P^(s-1) and P,
where P^1=P,The bijective nonlinear mapping is a set of substitutions:whereThe values of the substitution Pi' are specified below as
arraysThe following transformations are applicable for encryption and
decryption algorithms: t(a) = t(a_7||...||a_0) =
Pi_7(a_7)||...||Pi_0(a_0), where a=a_7||...||a_0 belongs to V_32,
a_i belongs to V_4, i=0, 1, ..., 7;g[k](a) = (t(Vec_32(Int_32(a)
[+] Int_32(k)))) <<<_11, where k, a belong to V_32;G[k](a_1, a_0) =
(a_0, g[k](a_0) (xor) a_1), where k, a_0, a_1 belong to V_32;G^*[k](a_1, a_0) =
(g[k](a_0) (xor) a_1) || a_0, where k, a_0, a_1 belong to
V_32.Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from
key K=k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1,
..., 255, as follows:Depending on the values of round keys K_1,...,K_32, the encryption
algorithm is a substitution E_(K_1,...,K_32) defined as follows:where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to
V_32.Depending on the values of round keys K_1,...,K_32, the decryption
algorithm is a substitution D_(K_1,...,K_32) defined as follows:where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to
V_32.This memo includes no request to IANA.This entire document is about security considerations.Unlike (GOST 28147-89) and like this specification does not define exact block
modes which should be used together with updated Magma cipher. One is
free to select block modes depending on the protocol and necessity.Information technology. Cryptographic data security. Block
ciphers. GOST R 34.12-2015Federal Agency on Technical Regulating and
Metrology"Cryptographic Protection for Data Processing System", GOST
28147-89, Gosudarstvennyi Standard of USSRGovernment Committee of the USSR for
StandardsInformation technology - Security techniques - Modes of
operation for an n-bit block cipher, ISO-IEC 10116ISO-IECInformation technology - Security techniques - Encryption
algorithms - Part 1: General, ISO-IEC 18033-1ISO-IECInformation technology - Security techniques - Encryption
algorithms - Part 3: Block ciphers, ISO-IEC 18033-3ISO-IECThis section is for information only and is not a normative part of
the specification.With key set tofollowing round keys are generated:In this test example, encryption is performed on the round keys
specified in clause . Let the
plaintext bethenThen the ciphertext isIn this test example, decryption is performed on the round keys
specified in clause . Let the
ciphertext bethenThen the plaintext isThis specification is a translation of relevant parts of standard. The order of terms in both
parts of comes from original
text. If one combines with this
document, he will have complete translation of into English.Algoritmically Magma is a variation of block cipher defined in
()
with the following clarifications and minor modifications:
S-BOX set is fixed at id-tc26-gost-28147-param-Z
(See Appendix C of );key is parsed as a single big-endian integer (compared to little-endian approach used in ),
which results in different subkey values being used;data bytes are also parsed as single big-endian integer (instead of being parsed as little-endian integer).