INTERNET-DRAFTIndependent Submission V. Dolmatov, Ed.Intended Status: Informational Cryptocom, Ltd. Expires: November 21, 2013Request for Comments: 7091 A. Degtyarev Updates: 5832 Cryptocom, Ltd.May 21,Category: Informational December 2013 ISSN: 2070-1721 GOST R 34.10-2012: Digital Signature Algorithmdraft-dolmatov-gost34102012-00Abstract This documentis intended to be a source ofprovides information about the Russian Federal standard for digital signatures (GOST R 34.10-2012), which is one of the Russian cryptographic standard algorithms (called GOST algorithms). Recently, Russian cryptography is being used in Internet applications, and this documenthas been created asprovides information for developers and users of GOST R 34.10-2012forregarding digital signature generation and verification. This document updates RFC 5832. Status ofthisThis Memo ThisInternet-Draftdocument is not an Internet Standards Track specification; it is published for informational purposes. This issubmitteda contribution toIETF in full conformance withtheprovisions of BCP 78 and BCP 79. Internet-Drafts are working documentsRFC Series, independently ofthe Internet Engineering Task Force (IETF),any other RFC stream. The RFC Editor has chosen to publish this document at itsareas,discretion and makes no statement about itsworking groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents validvalue fora maximum of six months and may be updated, replaced,implementation orobsoleteddeployment. Documents approved for publication byother documents atthe RFC Editor are not a candidate for anytime. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The listlevel of Internet Standard; see Section 2 of RFC 5741. Information about the currentInternet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The liststatus ofInternet-Draft Shadow Directories canthis document, any errata, and how to provide feedback on it may beaccessedobtained athttp://www.ietf.org/shadow.htmlhttp://www.rfc-editor.org/info/rfc7091. Copyrightand LicenseNotice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.Table of Contents 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3....................................................2 1.1. General Information. . . . . . . . . . . . . . . . . . . 3........................................2 1.2. The Purpose of GOST R 34.10-2012. . . . . . . . . . . . . 3...........................3 1.3. Requirements Language ......................................3 2. Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . 3...........................................................3 3.Terms, definitionsDefinitions andsymbols . . . . . . . . . . . . . . . . 4Notations .......................................4 3.1.Terms and definitions . . . . . . . . . . . . . . . . . . 4Definitions ................................................4 3.2.Symbols . . . . . . . . . . . . . . . . . . . . . . . . . 6Notations ..................................................6 4. General Statements. . . . . . . . . . . . . . . . . . . . . . 7..............................................7 5. Mathematical Conventions. . . . . . . . . . . . . . . . . . . 8........................................8 5.1. Mathematical Definitions. . . . . . . . . . . . . . . . . 9...................................9 5.2. Digital Signature Parameters. . . . . . . . . . . . . . . 11..............................10 5.3. Binary Vectors. . . . . . . . . . . . . . . . . . . . . . 12............................................12 6. Main Processes. . . . . . . . . . . . . . . . . . . . . . . . 12.................................................12 6.1. Digital Signature Generation Process. . . . . . . . . . . 13......................13 6.2. Digital Signature Verification. . . . . . . . . . . . . . 14............................13 7. Test Examples (Appendix to GOST R 34.10-2012). . . . . . . . 15..................14 7.1. The Digital Signature Scheme Parameters. . . . . . . . . 15...................15 7.2. Digital Signature Process (Algorithm I). . . . . . . . . 17...................17 7.3. Verification Process of Digital Signature (Algorithm II). 18..18 8. Security Considerations. . . . . . . . . . . . . . . . . . . 20........................................19 9.IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 10.References. . . . . . . . . . . . . . . . . . . . . . . . . 20 10.1......................................................19 9.1. Normative References. . . . . . . . . . . . . . . . . . 20 10.2.......................................19 9.2. Informative References. . . . . . . . . . . . . . . . . 20 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22....................................20 1. Introduction 1.1. General Information 1. GOST R 34.10-2012 [GOST3410-2012] was developed by the Center for Information Protection and Special Communications of the Federal Security Service of the Russian Federation with participation of theOpenopen joint-stock company "Information Technologies and Communication Systems" (InfoTeCS JSC). 2. GOST R 34.10-2012 was approved and introduced by Decree #215 of the Federal Agency on Technical Regulating and Metrology on 07.08.2012. 3. GOST R 34.10-2012intended to replacereplaces GOST R 34.10-2001[GOST3410-2001][GOST3410-2001], a national standard of the Russian Federation. GOST R 34.10-2001 is superseded by GOST R 34.10-2012 from 1 January 2013. That means that all new systems that are presented for certification MUST use GOST R 34.10-2012 and MAY use GOST R 34.10-2001 also for maintaining compatibility with existing systems. Usage of GOST R 34.10-2001 in current systems is allowed at least for a 5-year period. This document updates RFC 5832 [RFC5832]. This document is an English translation of GOST R 34.10-2012; [RFC6986] is an English translation of GOST R 34.11-2012; and [RFC5832] is an English translation of GOST R 34.10-2001. Terms and conceptions of this standard comply withInternational standardsthe following international standards: o ISO 2382-2 [ISO2382-2], o ISO/IEC 9796[ISO9796-2] [ISO9796-3],[ISO9796-2][ISO9796-3], o series of standards ISO/IEC 14888 [ISO14888-1] [ISO14888-2] [ISO14888-3] [ISO14888-4], and o series of standards ISO/IEC 10118 [ISO10118-1] [ISO10118-2] [ISO10118-3] [ISO10118-4]. 1.2. The Purpose of GOST R 34.10-2012 GOST R 34.10-2012 describes the generation and verification processes for digital signatures, based on operations with an elliptic curve points group, defined over a prime finite field.NecessityThe necessity for developing this standarddevelopmentis caused by the need to implement digitalsignaturesignatures of varying resistance due to growth of computer technology. Digital signature security is based on the complexity of discrete logarithm calculation in an elliptic curve points group and also on the security of the hash function used (according to GOST R 34.11-2012 [GOST3411-2012]). 1.3. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 2. Scope GOST R 34.10-2012 defines an electronic digital signature (or simply digital signature) scheme, digital signature generation and verification processes for a given message (document), meant for transmission via insecure public telecommunication channels in data processing systems of different purposes. Use of a digital signature based on GOST R 34.10-2012 makes transmitted messages more resistant to forgery and loss of integrity, in comparison with the digital signature scheme prescribed by the previous standard. GOST R 34.10-2012 is recommendedtofor the creation,operationoperation, and modernization of data processing systems of variouspurpose.purposes. 3.Terms, definitionsDefinitions andsymbolsNotations 3.1.Terms and definitionsDefinitions The following terms are used in the standard:3.1.1.appendix: bitstring,string that is formed by a digital signature and by the arbitrary textfield. [ISO14888-1] 3.1.2.field [ISO14888-1]. signature key: element of secretdata,data that is specific to the subject and used only by this subject during the signature generationprocess. [ISO14888-1] 3.1.3.process [ISO14888-1]. verification key: element of data mathematically linked to the signature key dataelement,element that is used by the verifier during the digital signature verificationprocess. [ISO14888-1] 3.1.4.process [ISO14888-1]. domain parameter: element of data that is common for all the subjects of the digital signature scheme, known or accessible to all thesubjects. [ISO14888-1] 3.1.5.subjects [ISO14888-1]. signed message: a set of dataelements, whichelements that consists of the message and the appendix, which is a part of themessage. [ISO14888-1] 3.1.6. pseudo-randommessage [ISO14888-1]. pseudorandom number sequence: a sequence ofnumbers, whichnumbers that is obtained during some arithmetic (calculation) process, used in a specific case instead of a true random number sequence.3.1.7.random number sequence: a sequence of numbersnoneof which none can be predicted (calculated) using only the preceding numbers of the same sequence.3.1.8.verification process: a process that uses the signed message, the verification key, and the digital signature scheme parameters as initial data and that gives the conclusion about digital signature validity or invalidity as aresult. [ISO14888-1] 3.1.9.result [ISO14888-1]. signature generation process: a process that uses the message, the signature key, and the digital signature scheme parameters as initial data and that generates the digital signature as theresult.result [ISO14888-1].3.1.10.witness: element of data that states to the verifier whether the digital signature is valid or invalid.3.1.11.random number: a number chosen from the definite number set in such a way that every number from the set can be chosen with equal probability.3.1.12.message: string of bits of a limitedlength. [ISO14888-1] 3.1.13.length [ISO14888-1]. hash code: string of bits that is a result of the hashfunction. [ISO14888-1] 3.1.14.function [ISO14888-1]. hash function: thefunction, mappingfunction that maps bit strings onto bit strings of fixed length observing the following properties: 1. it is difficult to calculate the inputdata,data that is thepre-imagepre- image of the given function value; 2. it is difficult to find another input data that is thepre-imagepre- image of the same function value as is the given input data; and 3. it is difficult to find a pair of different inputdata, producingdata that produces the same hash function value. [ISO14888-1] Notes: 1.propertyProperty 1 in the context of the digital signature area means that it is impossible to recover the initial message using the digital signature; property 2 means that it is difficult to find another (falsified) message that produces the same digital signature as a given message; property 3 means that it is difficult to findsomea pair of differentmessages, whichmessages that both produce the same signature. 2.inIn thisstandardstandard, the terms "hash function", "cryptographic hash function", "hashingfunction"function", and "cryptographic hashing function" are synonymous to provide terminological succession to native legal documents currently in force and scientific publications.3.1.15.(electronic) digital signature: string of bits that are obtained as a result of the signature generationprocess. This string has an internal structure, depending on the specific signature generation mechanism. [ISO14888-1]process [ISO14888-1]. Notes: 1.aA string of bits that is a signature may have an internal structure depending on the specificmechanism of signature.signature generation mechanism. 2. In thisstandardstandard, the terms "electronic signature", "digitalsignature"signature", and "electronic digital signature" are synonymous to provide terminological succession to native legal documents currently in force and scientific publications. 3.2.SymbolsNotations The followingsymbolsnotations are used in this standard: V_l set of all binary vectors ofaan l-bit length V_all set of all binary vectors of an arbitrary finite length Z set of all integers p prime number, p > 3 GF(p) finite prime field represented by a set of integers {0, 1, ..., p - 1} b (mod p) minimal non-negative number, congruent to b modulo p M user's message, M belongs to V_all (H1 || H2 ) concatenation of two binary vectors a, b elliptic curve coefficients m points of the elliptic curve group order q subgroup order of group of points of the elliptic curve O zero point of the elliptic curve P elliptic curve point of order q d integer - a signature key Q elliptic curve point - a verification key zeta digital signature for the message M ^ the power operator /= non-equality sqrt square root 4. General Statements A commonly accepted digital signature scheme (model) consists of three processes: - generation of a pair of keys (for signature generation and for signatureverification);verification), - signaturegeneration;generation, and - signature verification. In GOST R 34.10-2012, a process for generating a pair of keys (for signature and verification) is not defined. Characteristics and waysofto realize the processrealizationare defined by involved subjects, who determine corresponding parameters by their agreement. The digital signature mechanism is defined by the realization of two main processes (Section 6): - signature generation (Section6.1);6.1), and - signature verification (Section 6.2). The digital signature is meant for the authentication of the signatory of the electronic message. Besides, digital signature usage gives an opportunity to provide the following properties during signed message transmission: - realization of control of the transmitted signed message integrity, - proof of the authorship of the signatory of the message, and - protection of the message against possible forgery. A schematic representation of the signed message is shown in Figure 1. appendix | +-------------------------------+ | | +-----------+ +------------------------+- - - + | message M |---| digital signature zeta | text | +-----------+ +------------------------+- - - + Figure 1: Signedmessage schemeMessage Scheme The field "digital signature" is supplemented by the field"text","text" that can contain, for example, identifiers of the signatory of the message and/or time label. The digital signature schemedetermineddefined in GOST R 34.10-2012 must be implemented using operations of the elliptic curve points group, defined over a finite prime field, and also with the use of the hash function. The cryptographic security of the digital signature scheme is based on the complexity of solving the problem of the calculation of the discrete logarithm in the elliptic curve points group and also on the security of the hash function used. The hash function calculation algorithm isdetermineddefined in GOST R 34.11-2012 [GOST3411-2012]. The digital signature scheme parameters needed for signature generation and verification aredetermineddefined in Section 5.2. This standard provides the opportunity to select one of two optionsoffor parameter requirements. GOST R 34.10-2012 does not determine the processoffor generating the parameters needed for the digital signature scheme. Possible sets of these parameters are defined, for example, in [RFC4357]. The digital signature represented as a binary vector of a512512- or 1024-bit length must be calculated using a definite set of rules, as stated in Section 6.1. The digital signature of the received message is accepted or denied in accordance with the set of rules, as stated in Section 6.2. 5. Mathematical Conventions To define a digital signature scheme, it is necessary to describe basic mathematical objects used in the signature generation and verification processes. This section lays out basic mathematical definitions and requirements for the parameters of the digital signature scheme. 5.1. Mathematical Definitions Suppose a prime number p > 3 is given. Then, an elliptic curve E, defined over a finite prime field GF(p), is the set of number pairs (x,y), where x and y belong to Fp, satisfying the identity: y^2 = x^3 + a * x + b (mod p), (1) where a, b belong to GF(p) and 4 * a^3 + 27 * b^2 is not congruent to zero modulo p. An invariant of the elliptic curve is the value J(E), satisfying the equality: 4 * a^3 J(E) = 1728 * ------------------ (mod p) (2) 4 * a^3 + 27 * b^2 Elliptic curve E coefficients a, b are defined in the following way using the invariant J(E): | a = 3 * k (mod p), | (3) | b = 2 * k (mod p), J(E) where k = ----------- (mod p), J(E) /= 0 or 1728 1728 - J(E) The pairs (x, y) satisfying the identity (1) are called "the elliptic curve E points"; x and y are called x- and y-coordinates of the point, correspondingly. We will denote elliptic curve points as Q(x, y) or just Q. Two elliptic curve points are equal if their x- and y-coordinates are equal. On the set of all elliptic curve E points, we will define the addition operation, denoted by "+". For two arbitrary elliptic curve E points Q1 (x1, y1) and Q2 (x2, y2), we will consider several variants. Suppose coordinates of points Q1 and Q2 satisfy the condition x1 /= x2. In this case, their sum is defined as a point Q3 (x3, y3), with coordinates defined by congruencies: | x3 = lambda^2 - x1 - x2 (mod p), | (4) | y3 = lambda * (x1 - x3) - y1 (mod p), y1 - y2 where lambda = -------- (mod p). x1 - x2 If x1 = x2 and y1 = y2 /= 0, then we will define point Q3 coordinates in the following way: | x3 = lambda^2 - x1 * 2 (mod p), | (5) | y3 = lambda * (x1 - x3) - y1 (mod p), 3 * x1^2 + a where lambda = ------------ (mod p) y1 * 2 If x1 = x2 and y1 = -y2 (mod p), then the sum of points Q1 and Q2 is called a zero point O, without determination of its x- and y- coordinates. In this case, point Q2 is called a negative of point Q1. For the zero point, the equalities hold: O + Q = Q + O = Q, (6) where Q is an arbitrary point of elliptic curve E. A set of all points of elliptic curve E, including the zero point, forms a finite abelian (commutative) group of order m regarding the introduced addition operation. For m, the following inequalities hold: p + 1 - 2 * sqrt(p) =< m =< p + 1 + 2 * sqrt(p) (7) The point Q is called "a point of multiplicity k", or just "a multiple point of the elliptic curve E", if for some pointPP, the following equality holds: Q = P + ... + P = k * P (8) -----+----- k 5.2. Digital Signature Parameters The digital signature parameters are: - prime number p is an elliptic curvemodulus;modulus. - elliptic curve E, defined by its invariant J(E) or by coefficients a, b belonging to GF(p). - integer m is an elliptic curve E points grouporder;order. - prime number q is an order of a cyclic subgroup of the elliptic curve E points group, which satisfies the following conditions: | m = nq, n belongs to Z, n >= 1 | (9) | 2^254 < q < 2^256 or 2^508 < q < 2^512 - point P /= O of an elliptic curve E, with coordinates (x_p, y_p), satisfying the equality q * P = O. - hash function h(.):V_all -> V_l, which maps the messages represented as binary vectors of arbitrary finite length onto binary vectors ofaan l-bit length. The hash function isdetermineddefined in GOST R 34.11-2012 [GOST3411-2012]. If 2^254 < q <2^2562^256, then l = 256. If 2^508 < q <2^5122^512, then l = 512. Every user of the digital signature scheme must have its personal keys: - signature key, which is an integer d, satisfying the inequality 0 < d < q; - verification key, which is an elliptic curve point Q with coordinates (x_q, y_q), satisfying the equality d * P = Q. The previously introduced digital signature parameters must satisfy the following requirements: - it is necessary that the condition p^t /= 1 (mod q) holds for all integers t = 1, 2, ..., B, where B = 31 if 2^254 < q < 2^256, or B = 131 if 2^508 < q < 2^512; - it is necessary that the inequality m /= p holds; - the curve invariant must satisfy the condition J(E) /= 0, 1728. 5.3. Binary Vectors To determine the digital signature generation and verification processes, it is necessary to map the set of integers onto the set of binary vectors ofaan l-bit length. Consider the following binary vector ofaan l-bit length where low- order bits are placed on the right, and high-order ones are placed on the left: H = (alpha[l-1], ..., alpha[0]), H belongs to V_l (10) where alpha[i], i = 0, ..., l-1 are equal to 1 or to 0. The number alpha belonging to Z is mapped onto the binary vector h, if the equality holds: alpha = alpha[0]*2^0 + alpha[1]*2^1 + ... + alpha[l-1]*2^(l-1) (11) For two binary vectors H1 and H2: H1 = (alpha[l-1], ..., alpha[0]), (12) H2 = (beta[l-1], ..., beta[0]), which correspond to integers alpha and beta, we define a concatenation (union) operation in the following way: H1||H2 = (alpha[l-1], ..., alpha[0], beta[l-1], ..., beta[0]) (13) that is a binary vector of 2*l-bit length, consisting of coefficients of the vectors H1 and H2. On the other hand, the introduced formulae define a way to divide a binary vector H of 2*l-bit length into two binary vectors of l-bit length, where H is the concatenation of the two. 6. Main Processes In this section, the digital signature generation and verification processes of a user's message are defined.For the realization ofTo realize the processes, it is necessary that all users know the digital signature scheme parameters, which satisfy the requirements of Section 5.2. Besides, every user must have the signature key d and the verification key Q(x_q, y_q), which also must satisfy the requirements of Section 5.2. 6.1. Digital Signature Generation Process It is necessary to perform the following actions (steps)according to Algorithm Ito obtain the digital signature for the message M belonging toV_all:V_all. This is Algorithm I. Step 1. Calculate the message hash code M: H =h(M).h(M) (14) Step 2. Calculate an integer alpha, the binary representation of which is the vector H, and determine: e = alpha (modq ).q) (15) If e = 0, then assign e = 1. Step 3. Generate a random (pseudorandom) integer k, satisfying the inequality: 0 < k <q.q (16) Step 4. Calculate the elliptic curve point C = k * P and determine: r = x_C (mod q), (17) where x_C is the x-coordinate of the point C. If r = 0, return to step 3. Step 5. Calculate the value: s = (r * d + k * e) (modq).q) (18) If s = 0, return tostepStep 3. Step 6. Calculate the binary vectors R and S, corresponding to r and s, and determine the digital signature zeta = (R || S) as a concatenation of these two binary vectors. The initial data of this process are the signature key d and the message M to be signed. The output result is the digital signature zeta. 6.2. Digital Signature Verification To verify the digital signature for the received message M, it is necessary to perform the following actions(steps) according to(steps). This is AlgorithmII:II. Step 1. Calculate the integers r and s using the received signature zeta. If the inequalities 0 < r < q, 0 < s < q hold, go to the next step. Otherwise, the signature is invalid. Step 2. Calculate the hash code of the received message M: H = h(M) (19) Step 3. Calculate the integer alpha, the binary representation of which is the vector H, and determine if: e = alpha (mod q) (20) If e = 0, then assign e = 1. Step 4. Calculate the value: v = e^(-1) (modq).q) (21) Step 5. Calculate the values: z1 = s * v (mod q), z2 = -r * v (mod q) (22) Step 6. Calculate the elliptic curve point C = z1 * P + z2 * Q and determine: R = x_C (mod q), (23) where x_C is x-coordinate of the point. Step 7. If the equality R = r holds, then the signature is accepted. Otherwise, the signature is invalid. The input data of the process are the signed message M, the digital signature zeta, and the verification key Q. The output result is the witness of the signature validity or invalidity. 7. Test Examples (Appendix to GOST R 34.10-2012) This section is included in GOST R 34.10-2012 as a reference appendix but is not officially mentioned as a part of the standard. The values given here for the parameters p, a, b, m, q, P, the signature key d, and the verification key Q are recommended only for testing the correctness of actual realizations of the algorithms described in GOST R 34.10-2012. All numerical values are introduced in decimal and hexadecimal notations. The numbers beginning with 0x are in hexadecimal notation. The symbol "\\" denotesa hyphenation of athat the numbertocontinues on the next line. For example, the notation: 12345\\ 67890 0x499602D2 represents 1234567890 in decimal and hexadecimal number systems, respectively. 7.1. The Digital Signature Scheme Parameters The following parameters must be used forthedigital signature generation and verification (see Section 5.2). 7.1.1. Elliptic Curve Modulus The following value is assigned to parameter p in this example: p = 57896044618658097711785492504343953926\\ 634992332820282019728792003956564821041 p = 0x8000000000000000000000000000\\ 000000000000000000000000000000000431 7.1.2. Elliptic Curve Coefficients Parameters a and b take the following values in this example: a = 7 a = 0x7 b = 43308876546767276905765904595650931995\\ 942111794451039583252968842033849580414 b = 0x5FBFF498AA938CE739B8E022FBAFEF40563\\ F6E6A3472FC2A514C0CE9DAE23B7E 7.1.3. Elliptic Curve Points Group Order Parameter m takes the following value in this example: m = 5789604461865809771178549250434395392\\ 7082934583725450622380973592137631069619 m = 0x80000000000000000000000000000\\ 00150FE8A1892976154C59CFC193ACCF5B3 7.1.4. Order of Cyclic Subgroup of Elliptic Curve Points Group Parameter q takes the following value in this example: q = 5789604461865809771178549250434395392\\ 7082934583725450622380973592137631069619 q = 0x80000000000000000000000000000001\\ 50FE8A1892976154C59CFC193ACCF5B3 7.1.5. Elliptic Curve Point Coordinates Point P coordinates take the following values in this example: x_p = 2 x_p = 0x2 y_p = 40189740565390375033354494229370597\\ 75635739389905545080690979365213431566280 y_p = 0x8E2A8A0E65147D4BD6316030E16D19\\ C85C97F0A9CA267122B96ABBCEA7E8FC8 7.1.6. Signature Key It is supposed, in this example, that the user has the following signature key d: d = 554411960653632461263556241303241831\\ 96576709222340016572108097750006097525544 d = 0x7A929ADE789BB9BE10ED359DD39A72C\\ 11B60961F49397EEE1D19CE9891EC3B28 7.1.7. Verification Key It is supposed, in this example, that the user has the verification key Q with the following coordinate values: x_q = 57520216126176808443631405023338071\\ 176630104906313632182896741342206604859403 x_q = 0x7F2B49E270DB6D90D8595BEC458B5\\ 0C58585BA1D4E9B788F6689DBD8E56FD80B y_q = 17614944419213781543809391949654080\\ 031942662045363639260709847859438286763994 y_q = 0x26F1B489D6701DD185C8413A977B3\\ CBBAF64D1C593D26627DFFB101A87FF77DA 7.2. Digital Signature Process (Algorithm I) Suppose that aftersteps 1-3, according toSteps 1-3 in Algorithm I (Section6.1),6.1) are performed, the following numerical values are obtained: e = 2079889367447645201713406156150827013\\ 0637142515379653289952617252661468872421 e = 0x2DFBC1B372D89A1188C09C52E0EE\\ C61FCE52032AB1022E8E67ECE6672B043EE5 k = 538541376773484637314038411479966192\\ 41504003434302020712960838528893196233395 k = 0x77105C9B20BCD3122823C8CF6FCC\\ 7B956DE33814E95B7FE64FED924594DCEAB3 And the multiple point C = k * P has the coordinates: x_C = 297009809158179528743712049839382569\\ 90422752107994319651632687982059210933395 x_C = 0x41AA28D2F1AB148280CD9ED56FED\\ A41974053554A42767B83AD043FD39DC0493 y[C] = 328425352786846634770946653225170845\\ 06804721032454543268132854556539274060910 y[C] = 0x489C375A9941A3049E33B34361DD\\ 204172AD98C3E5916DE27695D22A61FAE46E Parameter r = x_C (mod q) takes the value: r = 297009809158179528743712049839382569\\ 90422752107994319651632687982059210933395 r = 0x41AA28D2F1AB148280CD9ED56FED\\ A41974053554A42767B83AD043FD39DC0493 Parameter s = (r * d + k * e)(mod q) takes the value: s = 57497340027008465417892531001914703\\ 8455227042649098563933718999175515839552 s = 0x1456C64BA4642A1653C235A98A602\\ 49BCD6D3F746B631DF928014F6C5BF9C40 7.3. Verification Process of Digital Signature (Algorithm II) Suppose that aftersteps 1-3, according toSteps 1-3 in Algorithm II (Section6.2),6.2) are performed, the following numerical value is obtained: e = 2079889367447645201713406156150827013\\ 0637142515379653289952617252661468872421 e = 0x2DFBC1B372D89A1188C09C52E0EE\\ C61FCE52032AB1022E8E67ECE6672B043EE5 And the parameter v = e^(-1) (mod q) takes the value: v = 176866836059344686773017138249002685\\ 62746883080675496715288036572431145718978 v = 0x271A4EE429F84EBC423E388964555BB\\ 29D3BA53C7BF945E5FAC8F381706354C2 The parameters z1 = s * v (mod q) and z2 = -r * v (mod q) take the values: z1 = 376991675009019385568410572935126561\\ 08841345190491942619304532412743720999759 z1 = 0x5358F8FFB38F7C09ABC782A2DF2A\\ 3927DA4077D07205F763682F3A76C9019B4F z2 = 141719984273434721125159179695007657\\ 6924665583897286211449993265333367109221 z2 = 0x3221B4FBBF6D101074EC14AFAC2D4F7\\ EFAC4CF9FEC1ED11BAE336D27D527665 The point C = z1 * P + z2 * Q has the coordinates: x_C = 2970098091581795287437120498393825699\\ 0422752107994319651632687982059210933395 x_C = 0x41AA28D2F1AB148280CD9ED56FED\\ A41974053554A42767B83AD043FD39DC0493 y[C] = 3284253527868466347709466532251708450\\ 6804721032454543268132854556539274060910 y[C] = 0x489C375A9941A3049E33B34361DD\\ 204172AD98C3E5916DE27695D22A61FAE46E Then the parameter R = x_C (mod q) takes the value: R = 2970098091581795287437120498393825699\\ 0422752107994319651632687982059210933395 R = 0x41AA28D2F1AB148280CD9ED56FED\\ A41974053554A42767B83AD043FD39DC0493 Since the equality R = r holds, the digital signature is accepted. 8. Security Considerations This entire document is about security considerations. 9.IANA Considerations This document has no actions for IANA. 10.References10.1.9.1. Normative References [GOST3410-2001] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digitalsignature.",signature", GOST R 34.10-2001, Gosudarstvennyi Standard of Russian Federation, Government Committee of Russia for Standards, 2001. (In Russian) [GOST3410-2012] "Information technology. Cryptographic data security. Signature and verification processes of [electronic] digitalsignature.",signature", GOST R 34.10-2012, Federal Agency on Technical Regulating and Metrology, 2012. [GOST3411-2012] "Information technology. Cryptographic Data Security. Hashingfunction.",function", GOST R 34.11-2012, Federal Agency on Technical Regulating and Metrology, 2012. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms", RFC 4357, January 2006.10.2.9.2. Informative References [ISO2382-2]ISO 2382-2:1976,ISO, "Data processing - Vocabulary - Part 2: Arithmetic and logicoperations".operations", ISO 2382-2, 1976. [ISO9796-2]ISO/IEC 9796-2:2010,ISO/IEC, "Information technology - Security techniques - Digital signatureswith appendixgiving message recovery - Part 2: Integer factorization basedmechanisms" [ISO9796-3]mechanisms", ISO/IEC9796-3:2006,9796-2, 2010. [ISO9796-3] ISO/IEC, "Information technology - Security techniques - Digital signature schemes giving message recovery - Part 3: Discrete logarithm basedmechanisms" [ISO14888-1]mechanisms", ISO/IEC14888-1:2008,9796-3, 2006. [ISO14888-1] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 1:General". [ISO14888-2]General", ISO/IEC14888-2:2008,14888-1, 2008. [ISO14888-2] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 2: Integer factorization basedmechanisms". [ISO14888-3]mechanisms", ISO/IEC14888-3:2006,14888-2, 2008. [ISO14888-3] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm basedmechanisms". [ISO14888-4]mechanisms", ISO/IEC14888-3:2006/Amd 1:2010,14888-3,2006. [ISO14888-4] ISO/IEC, "Information technology - Security techniques - Digital signatures with appendix - Part 3: Discrete logarithm based mechanisms.AmmendmentAmendment 1. Elliptic Curve Russian Digital Signature Algorithm, Schnorr Digital Signature Algorithm, Elliptic Curve Schnorr Digital Signature Algorithm, and Elliptic Curve Full Schnorr Digital SignatureAlgorithm" [ISO10118-1]Algorithm", ISO/IEC10118-1:2000,14888-3:2006/Amd 1, 2010. [ISO10118-1] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 1:General". [ISO10118-2]General", ISO/IEC10118-2:2000,10118-1, 2000. [ISO10118-2] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 2: Hash- functions using an n-bit block cipheralgorithm". [ISO10118-3]algorithm", ISO/IEC10118-3:2004,10118-2, 2010. [ISO10118-3] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 3: Dedicatedhash-functions". [ISO10118-4]hash-functions", ISO/IEC10118-4:1998,10118-3, 2004. [ISO10118-4] ISO/IEC, "Information technology - Security techniques - Hash-functions - Part 4: Hash- functions using modulararithmetic". Author's Address Vasilyarithmetic", ISO/IEC 10118-4, 1998. [RFC5832] Dolmatov,Ed.V., Ed., "GOST R 34.10-2001: Digital Signature Algorithm", RFC 5832, March 2010. [RFC6986] Dolmatov, V., Ed., and A. Degtyarev, "GOST R 34.11-2012: Hash Function", RFC 6986, August 2013. Authors' Addresses Vasily Dolmatov (editor) Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation EMail: dol@cryptocom.ru Alexey Degtyarev Cryptocom, Ltd. 14 Kedrova St., Bldg. 2 Moscow, 117218 Russian Federation EMail:degtyarev@cryptocom.rualexey@renatasystems.org