<?xml version="1.0"encoding="US-ASCII"?>encoding="UTF-8"?> <!DOCTYPE rfc SYSTEM"rfc2629.dtd"> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc strict="yes" ?> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes" ?> <?rfc compact="yes" ?> <?rfc subcompact="no" ?>"rfc2629-xhtml.ent"> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" submissionType="independent" category="info" docName="draft-dolmatov-magma-06" number="8891" ipr="trust200902"updates="5830">updates="5830" obsoletes="" xml:lang="en" tocInclude="true" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 2.43.0 --> <front> <title>GOST R 34.12-2015: Block Cipher "Magma"</title><!----> <!----><seriesInfo name="RFC" value="8891"/> <author fullname="Vasily Dolmatov" initials="V." surname="Dolmatov" role="editor"> <organization>JSC "NPK Kryptonite"</organization> <address> <postal> <street>Spartakovskaya sq., 14, bld 2, JSC "NPK Kryptonite"</street> <city>Moscow</city> <region/> <code>105082</code> <country>Russian Federation</country> </postal> <email>vdolmatov@gmail.com</email> </address> </author> <author fullname="Dmitry Baryshkov" initials="D." surname="Baryshkov"> <organization>Auriga,Inc</organization>Inc.</organization> <address> <postal> <street>Torfyanaya Doroga,7F, office 1410</street>7F</street> <extaddr>office 1410</extaddr> <city>Saint-Petersburg</city> <region/> <code>197374</code> <country>Russian Federation</country> </postal> <email>dbaryshkov@gmail.com</email> </address> </author> <datemonth=""month="September" year="2020"/> <area>General</area> <workgroup>Internet Engineering Task Force</workgroup> <keyword>Magma</keyword> <keyword>Block Cipher</keyword> <abstract> <t>In addition to a new cipher with a block length of n=128 bits (referred to as"Kyznyechik""Kuznyechik" and described in RFC7801)7801), Russian Federal standard GOST R 34.12-2015 includes an updated version of the block cipher with a block length of n=64 bits and key length of k=256 bits, which is also referred to as "Magma". The algorithm is an updated version of an older block cipher with a block length of n=64 bits described in GOST 28147-89 (RFC 5830). This document is intended to be a source of information about the updated version of the 64-bit cipher. It may facilitate the use of the block cipher in Internet applications by providing information for developers and users of the GOST 64-bit cipher with the revised version of the cipher for encryption and decryption.</t> </abstract> </front> <middle> <sectiontitle="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>The Russian Federal standard <xreftarget="GOSTR3412-2015"/>target="GOSTR3412-2015" format="default"/> specifies basic block ciphers used as cryptographic techniques for information processing and informationprotectionprotection, including the provision of confidentiality, authenticity, and integrity of information during information transmission,processingprocessing, and storage in computer-aided systems.</t> <t>The cryptographic algorithms defined in this specification are designed both for hardware and software implementation. They comply with modern cryptographicrequirements,requirements and put no restrictions on the confidentiality level of the protected information.</t> <t>This document is intended to be a source of information about the updated version of the 64-bit cipher. It may facilitate the use of the block cipher in Internet applications by providing information for developers and users of a GOST 64-bit cipher with the revised version of the cipher for encryption and decryption.</t> </section> <sectiontitle="General Information">numbered="true" toc="default"> <name>General Information</name> <t>The Russian Federal standard <xreftarget="GOSTR3412-2015"/>target="GOSTR3412-2015" format="default"/> was developed by the Center for Information Protection and Special Communications of the Federal Security Service of the RussianFederationFederation, with participation of theOpen Joint-Stockopen joint-stock company "Information Technologies and Communication Systems" (InfoTeCS JSC). GOST R 34.12-2015 was approved and introduced by Decree #749 of the Federal Agency on Technical Regulating and Metrology on19.06.2015.</t>June 19, 2015.</t> <t>Terms and concepts in the specification comply with the following international standards:<list style="symbols"> <t>ISO/IEC</t> <ul spacing="normal"> <li>ISO/IEC 10116 <xreftarget="ISO-IEC10116"/>,</t> <t>seriestarget="ISO-IEC10116" format="default"/></li> <li>series of standards ISO/IEC 18033 <xreftarget="ISO-IEC18033-1"/>, <xref target="ISO-IEC18033-3"/>.</t> </list></t>target="ISO-IEC18033-1" format="default"/><xref target="ISO-IEC18033-3" format="default"/></li> </ul> </section> <sectiontitle="Definitions and Notations"anchor="section_defs_notation">numbered="true" toc="default"> <name>Definitions and Notation</name> <t>The following terms and their corresponding definitions are used in the specification.</t> <sectiontitle="Definitions"> <t>Definitions <list style="empty"> <t>encryption algorithm: process whichnumbered="true" toc="default"> <name>Definitions</name> <dl> <dt>encryption algorithm:</dt><dd>process that transforms plaintext into ciphertext (Clause 2.19 of <xreftarget="ISO-IEC18033-1"/>),</t> <t>decryption algorithm: process whichtarget="ISO-IEC18033-1" format="default"/>)</dd> <dt>decryption algorithm:</dt><dd>process that transforms ciphertext into plaintext (Clause 2.14 of <xreftarget="ISO-IEC18033-1"/>),</t> <t>basic block cipher:target="ISO-IEC18033-1" format="default"/>)</dd> <dt>basic block cipher:</dt><dd>block cipherwhichthat, for a givenkeykey, provides a single invertible mapping of the set of fixed-length plaintext blocks into ciphertext blocks of the samelength,</t> <t>block: stringlength</dd> <dt>block:</dt><dd>string of bits of a defined length (Clause 2.6 of <xreftarget="ISO-IEC18033-1"/>),</t> <t>block cipher: symmetrictarget="ISO-IEC18033-1" format="default"/>)</dd> <dt>block cipher:</dt><dd><t>symmetric encipherment system with the property that the encryption algorithm operates on a block ofplaintext, i.e.plaintext -- i.e., a string of bits of a definedlength,length -- to yield a block of ciphertext (Clause 2.7 of <xreftarget="ISO-IEC18033-1"/>), <list style="empty">target="ISO-IEC18033-1" format="default"/>)</t> <t>Note: In GOST R 34.12-2015, it is established that the terms "block cipher" and "block encryption algorithm" aresynonyms.</t> </list></t> <t>encryption: reversiblesynonyms.</t></dd> <dt>encryption:</dt><dd>reversible transformation of data by a cryptographic algorithm to produceciphertext,ciphertext -- i.e., to hide the information content of the data (Clause 2.18 of <xreftarget="ISO-IEC18033-1"/>),</t> <t>round key: sequencetarget="ISO-IEC18033-1" format="default"/>)</dd> <dt>round key:</dt><dd>sequence of symbolswhichthat is calculated from the key and controls a transformation for one round of a blockcipher,</t> <t>key: sequencecipher</dd> <dt>key:</dt><dd><t>sequence of symbols that controls the operation of a cryptographic transformation (e.g., encipherment, decipherment) (Clause 2.21 of <xreftarget="ISO-IEC18033-1"/>), <list style="empty">target="ISO-IEC18033-1" format="default"/>)</t> <t>Note: In GOST R 34.12-2015, the key must be a binarysequence.</t> </list></t> <t>plaintext: unencryptedsequence.</t></dd> <dt>plaintext:</dt><dd>unencrypted information (Clause 3.11 of <xreftarget="ISO-IEC10116"/>),</t> <t>key schedule: calculationtarget="ISO-IEC10116" format="default"/>)</dd> <dt>key schedule:</dt><dd>calculation of round keys from thekey,</t> <t>decryption: reversalkey,</dd> <dt>decryption:</dt><dd>reversal of a corresponding encipherment (Clause 2.13 of <xreftarget="ISO-IEC18033-1"/>),</t> <t>symmetric cryptographic technique:target="ISO-IEC18033-1" format="default"/>)</dd> <dt>symmetric cryptographic technique:</dt><dd>cryptographic technique that uses the same secret key for both the originator's and the recipient's transformation (Clause 2.32 of <xreftarget="ISO-IEC18033-1"/>),</t> <t>cipher: alternativetarget="ISO-IEC18033-1" format="default"/>)</dd> <dt>cipher:</dt><dd>alternative term for encipherment system (Clause 2.20 of <xreftarget="ISO-IEC18033-1"/>),</t> <t>ciphertext: data whichtarget="ISO-IEC18033-1" format="default"/>)</dd> <dt>ciphertext:</dt><dd>data that has been transformed to hide its information content (Clause 3.3 of <xreftarget="ISO-IEC10116"/>).</t> </list></t>target="ISO-IEC10116" format="default"/>)</dd> </dl> </section> <sectiontitle="Notations">numbered="true" toc="default"> <name>Notation</name> <t>The followingnotations arenotation is used in the specification:<list style="hanging"> <t hangText=" V*">the</t> <dl newline="false" spacing="normal"> <dt>V*</dt> <dd>the set of all binaryvector-stringsvector strings of a finite length (hereinafter referred to as thestrings)strings), including the emptystring,</t> <t hangText=" V_s">thestring</dd> <dt>V_s</dt> <dd>the set of all binary strings of length s, where s is anon-negativenonnegative integer; substrings and string components are enumerated from right toleftleft, starting fromzero,</t> <t hangText=" U[*]W">directzero</dd> <dt>U[*]W</dt> <dd>direct (Cartesian) product of two sets U andW,</t> <t hangText=" |A|">theW</dd> <dt>|A|</dt> <dd>the number of components (the length) of a string A belonging to V* (if A is an empty string, then |A| =0),</t> <t hangText=" A||B">concatenation0)</dd> <dt>A||B</dt> <dd>concatenation of strings A and B both belonging toV*,V* -- i.e., a string from V_(|A|+|B|), where the left substring from V_|A| is equal to A and the right substring from V_|B| is equal toB,</t> <t hangText=" A<<<_11">cyclicB</dd> <dt>A<<<_11</dt> <dd>cyclic rotation of string A belonging to V_32 by 11 components in the direction of components having greaterindices,</t> <t hangText=" Z_(2^n)">ringindices</dd> <dt>Z_(2^n)</dt> <dd>ring of residues modulo2^n,</t> <t hangText=" (xor)">exclusive-or2^n</dd> <dt>(xor)</dt> <dd>exclusive-or ofthetwo binary strings of the samelength,</t> <t hangText=" [+]">additionlength</dd> <dt>[+]</dt> <dd>addition in the ringZ_(2^32)</t> <t hangText="Vec_s:Z_(2^32)</dd> <dt>Vec_s: Z_(2^s) ->V_s">bijectiveV_s</dt> <dd>bijective mappingwhichthat maps an element from ring Z_(2^s) into its binaryrepresentation,representation; i.e., for an element z of the ring Z_(2^s), represented by the residue z_0 + (2*z_1) + ... + (2^(s-1)*z_(s-1)), where z_i in {0, 1}, i = 0, ..., n-1, the equality Vec_s(z) = z_(s-1)||...||z_1||z_0holds,</t> <t hangText="Int_s:holds</dd> <dt>Int_s: V_s ->Z_(2^s)">theZ_(2^s)</dt> <dd>the mapping inverse to the mapping Vec_s, i.e., Int_s =Vec_s^(-1),</t> <t hangText=" PS">compositionVec_s^(-1)</dd> <dt>PS</dt> <dd>composition of mappings, where the mapping S appliesfirst,</t> <t hangText=" P^s">compositionfirst</dd> <dt>P^s</dt> <dd>composition of mappings P^(s-1) and P, whereP^1=P,</t> </list></t>P^1=P</dd> </dl> </section> </section> <sectiontitle="Parameter Values"> <section title="Nonlinear Bijection">numbered="true" toc="default"> <name>Parameter Values</name> <section numbered="true" toc="default"> <name>Nonlinear Bijection</name> <t>The bijective nonlinear mapping is a set of substitutions:</t><figure> <artwork><![CDATA[Pi_i<artwork name="" type="" align="left" alt=""><![CDATA[ Pi_i = Vec_4 Pi'_i Int_4: V_4 ->V_4,]]></artwork> </figure>V_4, ]]></artwork> <t>where</t><figure> <artwork><![CDATA[Pi'_i:<artwork name="" type="" align="left" alt=""><![CDATA[ Pi'_i: Z_(2^4) -> Z_(2^4), i = 0, 1, ...,7.]]></artwork> </figure>7. ]]></artwork> <t>The values of the substitution Pi' are specified below asarrays</t> <figure align="left"> <artwork><![CDATA[Pi'_iarrays.</t> <artwork name="" type="" align="left" alt=""> <![CDATA[Pi'_i = (Pi'_i(0), Pi'_i(1), ... , Pi'_i(15)), i = 0, 1, ..., 7: Pi'_0 = (12, 4, 6, 2, 10, 5, 11, 9, 14, 8, 13, 7, 0, 3, 15, 1); Pi'_1 = (6, 8, 2, 3, 9, 10, 5, 12, 1, 14, 4, 7, 11, 13, 0, 15); Pi'_2 = (11, 3, 5, 8, 2, 15, 10, 13, 14, 1, 7, 4, 12, 9, 6, 0); Pi'_3 = (12, 8, 2, 1, 13, 4, 15, 6, 7, 0, 10, 5, 3, 14, 9, 11); Pi'_4 = (7, 15, 5, 10, 8, 1, 6, 13, 0, 9, 3, 14, 11, 4, 2, 12); Pi'_5 = (5, 13, 15, 6, 9, 2, 12, 10, 11, 7, 8, 1, 4, 3, 14, 0); Pi'_6 = (8, 14, 2, 5, 6, 9, 1, 12, 15, 4, 11, 0, 13, 10, 3, 7); Pi'_7 = (1, 7, 14, 13, 0, 5, 8, 3, 4, 15, 10, 6, 9, 12, 11, 2);]]></artwork></figure></section> <sectiontitle="Transformations">numbered="true" toc="default"> <name>Transformations</name> <t>The following transformations are applicable for encryption and decryption algorithms:<list style="hanging"> <t hangText="t:</t> <dl newline="true" spacing="normal"> <dt>t: V_32 ->V_32">t(a)V_32</dt> <dd>t(a) = t(a_7||...||a_0) = Pi_7(a_7)||...||Pi_0(a_0), where a=a_7||...||a_0 belongs to V_32, a_i belongs to V_4, i=0, 1, ...,7;</t> <t hangText="g[k]:7.</dd> <dt>g[k]: V_32 ->V_32">g[k](a)V_32</dt> <dd>g[k](a) = (t(Vec_32(Int_32(a) [+] Int_32(k)))) <<<_11, where k, a belong toV_32;</t> <t hangText="G[k]:V_32</dd> <dt>G[k]: V_32[*]V_32 ->V_32[*]V_32">G[k](a_1,V_32[*]V_32</dt> <dd>G[k](a_1, a_0) = (a_0, g[k](a_0) (xor) a_1), where k, a_0, a_1 belong toV_32;</t> <t hangText="G^*[k]:V_32</dd> <dt>G^*[k]: V_32[*]V_32 ->V_64">G^*[k](a_1,V_64</dt> <dd>G^*[k](a_1, a_0) = (g[k](a_0) (xor) a_1) || a_0, where k, a_0, a_1 belong toV_32.</t> </list></t>V_32.</dd> </dl> </section> <sectiontitle="Key Schedule">numbered="true" toc="default"> <name>Key Schedule</name> <t>Round keys K_i belonging to V_32, i=1, 2, ..., 32 are derived from keyK=k_255||...||k_0K = k_255||...||k_0 belonging to V_256, k_i belongs to V_1, i=0, 1, ..., 255, as follows:</t><figure><artworkalign="left"><![CDATA[ K_1=k_255||...||k_224; K_2=k_223||...||k_192; K_3=k_191||...||k_160; K_4=k_159||...||k_128; K_5=k_127||...||k_96; K_6=k_95||...||k_64; K_7=k_63||...||k_32; K_8=k_31||...||k_0; K_(i+8)=K_i,align="left" name="" type="" alt=""><![CDATA[ K_1 = k_255||...||k_224; K_2 = k_223||...||k_192; K_3 = k_191||...||k_160; K_4 = k_159||...||k_128; K_5 = k_127||...||k_96; K_6 = k_95||...||k_64; K_7 = k_63||...||k_32; K_8 = k_31||...||k_0; K_(i+8) = K_i, i = 1, 2, ..., 8;K_(i+16)=K_i,K_(i+16) = K_i, i = 1, 2, ..., 8;K_(i+24)=K_(9-i),K_(i+24) = K_(9-i), i = 1, 2, ..., 8.]]></artwork></figure></section> </section> <sectiontitle="Basicnumbered="true" toc="default"> <name>Basic EncryptionAlgorithm">Algorithm</name> <sectiontitle="Encryption">numbered="true" toc="default"> <name>Encryption</name> <t>Depending on the values of round keys K_1,...,K_32, the encryption algorithm is a substitutionE_(K_1,...,K_32)E_&wj;(K_1,...,K_32) defined as follows:</t><figure><artworkalign="left"><![CDATA[E_(K_1,...,K_32)(a)=G^*[K_32]G[K_31]...G[K_2]G[K_1](a_1,align="left" name="" type="" alt=""><![CDATA[E_(K_1,...,K_32)(a)=G^*[K_32]G[K_31]...G[K_2]G[K_1](a_1, a_0),]]></artwork></figure><t>where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.</t> </section> <sectiontitle="Decryption">numbered="true" toc="default"> <name>Decryption</name> <t>Depending on the values of round keys K_1,...,K_32, the decryption algorithm is a substitutionD_(K_1,...,K_32)D_&wj;(K_1,...,K_32) defined as follows:</t><figure><artworkalign="left"><![CDATA[D_(K_1,...,K_32)(a)=G^*[K_1]G[K_2]...G[K_31]G[K_32](a_1,align="left" name="" type="" alt=""><![CDATA[D_(K_1,...,K_32)(a)=G^*[K_1]G[K_2]...G[K_31]G[K_32](a_1, a_0),]]></artwork></figure><t>where a=(a_1, a_0) belongs to V_64, and a_0, a_1 belong to V_32.</t> </section> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <t>Thismemo includesdocument has norequest to IANA.</t>IANA actions.</t> </section> <section anchor="Security"title="Security Considerations">numbered="true" toc="default"> <name>Security Considerations</name> <t>This entire document is about security considerations.</t> <t>Unlike <xref target="RFC5830"/>format="default"/> (GOST 28147-89), but like <xref target="RFC7801"/>format="default"/>, this specification does not define exact block modeswhichthat should be used together with the updated Magma cipher. One is free to select block modes depending on the protocol and necessity.</t> </section> </middle> <back><!----> <references title="Normative References"> <?rfc include='reference.RFC.5830.xml'?> <?rfc include='reference.RFC.7801.xml'?><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5830.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7801.xml"/> <reference anchor="GOSTR3412-2015"> <front> <title>Information technology. Cryptographic data security. Blockciphers. GOST R 34.12-2015</title>ciphers.</title> <author> <organization>Federal Agency on Technical Regulating and Metrology</organization> </author> <date year="2015"/> </front> <seriesInfo name="GOST R" value="34.12-2015" /> </reference> </references><references title="Informative References"><references> <name>Informative References</name> <reference anchor="GOST28147-89"> <front><title>"Cryptographic<title>Cryptographic Protection for Data ProcessingSystem",System, GOST 28147-89, Gosudarstvennyi Standard of USSR</title> <author> <organization>Government Committee of the USSR for Standards</organization> </author> <date year="1989"/> </front> </reference> <reference anchor="ISO-IEC10116"> <front> <title>Information technology--- Security techniques--- Modes of operation for an n-bit blockcipher, ISO-IEC 10116</title>cipher</title> <author><organization>ISO-IEC</organization><organization>ISO/IEC</organization> </author> <dateyear="2006"/>year="2017"/> </front> <seriesInfo name="ISO/IEC" value="10116" /> </reference> <reference anchor="ISO-IEC18033-1"> <front> <title>Information technology--- Security techniques--- Encryption algorithms--- Part 1:General, ISO-IEC 18033-1</title>General</title> <author><organization>ISO-IEC</organization><organization>ISO/IEC</organization> </author> <dateyear="2013"/>year="2015"/> </front> <seriesInfo name="ISO/IEC" value="18033-1:2015" /> </reference> <reference anchor="ISO-IEC18033-3"> <front> <title>Information technology--- Security techniques--- Encryption algorithms--- Part 3: Blockciphers, ISO-IEC 18033-3</title>ciphers</title> <author><organization>ISO-IEC</organization><organization>ISO/IEC</organization> </author> <date year="2010"/> </front> <seriesInfo name="ISO/IEC" value="18033-3:2010" /> </reference><?rfc include='reference.RFC.7836.xml'?><xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7836.xml"/> </references> </references> <sectiontitle="Test Examples">numbered="true" toc="default"> <name>Test Examples</name> <t>This section is for information only and is not a normative part of the specification.</t> <sectiontitle="Transformation t"> <figure> <artwork><![CDATA[t(fdb97531)numbered="true" toc="default"> <name>Transformation t</name> <sourcecode type="test-vectors"><![CDATA[t(fdb97531) = 2a196f34, t(2a196f34) = ebd9f03a, t(ebd9f03a) = b039bb3d, t(b039bb3d) =68695433.]]></artwork> </figure>68695433.]]></sourcecode> </section> <sectiontitle="Transformation g"> <figure> <artwork><numbered="true" toc="default"> <name>Transformation g</name> <sourcecode type="test-vectors">< = fdcbc20c, g[fdcbc20c](87654321) = 7e791a4b, g[7e791a4b](fdcbc20c) = c76549ec, g[c76549ec](7e791a4b) =9791c849.]]></artwork> </figure>9791c849.]]></sourcecode> </section> <section anchor="test-ks"title="Key schedule">numbered="true" toc="default"> <name>Key Schedule</name> <t>With key set to</t><figure> <artwork><![CDATA[K<sourcecode type="test-vectors"><![CDATA[K =ffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff,]]></artwork> </figure> <t>followingffeeddccbbaa99887766554433221100f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff,]]></sourcecode> <t>the following round keys are generated:</t><figure> <artwork><![CDATA[K_1<sourcecode type="test-vectors"><![CDATA[K_1 = ffeeddcc, K_2 = bbaa9988, K_3 = 77665544, K_4 = 33221100, K_5 = f0f1f2f3, K_6 = f4f5f6f7, K_7 = f8f9fafb, K_8 = fcfdfeff, K_9 = ffeeddcc, K_10 = bbaa9988, K_11 = 77665544, K_12 = 33221100, K_13 = f0f1f2f3, K_14 = f4f5f6f7, K_15 = f8f9fafb, K_16 = fcfdfeff, K_17 = ffeeddcc, K_18 = bbaa9988, K_19 = 77665544, K_20 = 33221100, K_21 = f0f1f2f3, K_22 = f4f5f6f7, K_23 = f8f9fafb, K_24 = fcfdfeff, K_25 = fcfdfeff, K_26 = f8f9fafb, K_27 = f4f5f6f7, K_28 = f0f1f2f3, K_29 = 33221100, K_30 = 77665544, K_31 = bbaa9988, K_32 =ffeeddcc.]]></artwork> </figure>ffeeddcc.]]></sourcecode> </section> <sectiontitle="Test Encryption">numbered="true" toc="default"> <name>Test Encryption</name> <t>In this test example, encryption is performed on the round keys specified inclauseClause <xref format="counter" target="test-ks"/>. Let the plaintext be</t><figure> <artwork><![CDATA[a<sourcecode type="test-vectors"><![CDATA[ a =fedcba9876543210,]]></artwork> </figure>fedcba9876543210, ]]></sourcecode> <t>then</t><figure> <artwork>< = (76543210, 28da3b14), G[K_2]G[K_1](a_1, a_0) = (28da3b14, b14337a5), G[K_3]...G[K_1](a_1, a_0) = (b14337a5, 633a7c68), G[K_4]...G[K_1](a_1, a_0) = (633a7c68, ea89c02c), G[K_5]...G[K_1](a_1, a_0) = (ea89c02c, 11fe726d), G[K_6]...G[K_1](a_1, a_0) = (11fe726d, ad0310a4), G[K_7]...G[K_1](a_1, a_0) = (ad0310a4, 37d97f25), G[K_8]...G[K_1](a_1, a_0) = (37d97f25, 46324615), G[K_9]...G[K_1](a_1, a_0) = (46324615, ce995f2a), G[K_10]...G[K_1](a_1, a_0) = (ce995f2a, 93c1f449), G[K_11]...G[K_1](a_1, a_0) = (93c1f449, 4811c7ad), G[K_12]...G[K_1](a_1, a_0) = (4811c7ad, c4b3edca), G[K_13]...G[K_1](a_1, a_0) = (c4b3edca, 44ca5ce1), G[K_14]...G[K_1](a_1, a_0) = (44ca5ce1, fef51b68), G[K_15]...G[K_1](a_1, a_0) = (fef51b68, 2098cd86) G[K_16]...G[K_1](a_1, a_0) = (2098cd86, 4f15b0bb), G[K_17]...G[K_1](a_1, a_0) = (4f15b0bb, e32805bc), G[K_18]...G[K_1](a_1, a_0) = (e32805bc, e7116722), G[K_19]...G[K_1](a_1, a_0) = (e7116722, 89cadf21), G[K_20]...G[K_1](a_1, a_0) = (89cadf21, bac8444d), G[K_21]...G[K_1](a_1, a_0) = (bac8444d, 11263a21), G[K_22]...G[K_1](a_1, a_0) = (11263a21, 625434c3), G[K_23]...G[K_1](a_1, a_0) = (625434c3, 8025c0a5), G[K_24]...G[K_1](a_1, a_0) = (8025c0a5, b0d66514), G[K_25]...G[K_1](a_1, a_0) = (b0d66514, 47b1d5f4), G[K_26]...G[K_1](a_1, a_0) = (47b1d5f4, c78e6d50), G[K_27]...G[K_1](a_1, a_0) = (c78e6d50, 80251e99), G[K_28]...G[K_1](a_1, a_0) = (80251e99, 2b96eca6), G[K_29]...G[K_1](a_1, a_0) = (2b96eca6, 05ef4401), G[K_30]...G[K_1](a_1, a_0) = (05ef4401, 239a4577), G[K_31]...G[K_1](a_1, a_0) = (239a4577, c2d8ca3d).]]></artwork> </figure>]]></sourcecode> <t>Then the ciphertext is</t><figure> <artwork><![CDATA[b<sourcecode type="test-vectors"><![CDATA[b = G^*[K_32]G[K_31]...G[K_1](a_1, a_0) =4ee901e5c2d8ca3d.]]></artwork> </figure>4ee901e5c2d8ca3d.]]></sourcecode> </section> <sectiontitle="Test Decryption">numbered="true" toc="default"> <name>Test Decryption</name> <t>In this test example, decryption is performed on the round keys specified inclause<xrefformat="counter"target="test-ks"/>. Let the ciphertext be</t><figure> <artwork><![CDATA[b<sourcecode type="test-vectors"><![CDATA[b =4ee901e5c2d8ca3d,]]></artwork> </figure>4ee901e5c2d8ca3d,]]></sourcecode> <t>then</t><figure> <artwork>< = (c2d8ca3d, 239a4577), G[K_31]G[K_32](b_1, b_0) = (239a4577, 05ef4401), G[K_30]...G[K_32](b_1, b_0) = (05ef4401, 2b96eca6), G[K_29]...G[K_32](b_1, b_0) = (2b96eca6, 80251e99), G[K_28]...G[K_32](b_1, b_0) = (80251e99, c78e6d50), G[K_27]...G[K_32](b_1, b_0) = (c78e6d50, 47b1d5f4), G[K_26]...G[K_32](b_1, b_0) = (47b1d5f4, b0d66514), G[K_25]...G[K_32](b_1, b_0) = (b0d66514, 8025c0a5), G[K_24]...G[K_32](b_1, b_0) = (8025c0a5, 625434c3), G[K_23]...G[K_32](b_1, b_0) = (625434c3, 11263a21), G[K_22]...G[K_32](b_1, b_0) = (11263a21, bac8444d), G[K_21]...G[K_32](b_1, b_0) = (bac8444d, 89cadf21), G[K_20]...G[K_32](b_1, b_0) = (89cadf21, e7116722), G[K_19]...G[K_32](b_1, b_0) = (e7116722, e32805bc), G[K_18]...G[K_32](b_1, b_0) = (e32805bc, 4f15b0bb), G[K_17]...G[K_32](b_1, b_0) = (4f15b0bb, 2098cd86), G[K_16]...G[K_32](b_1, b_0) = (2098cd86, fef51b68), G[K_15]...G[K_32](b_1, b_0) = (fef51b68, 44ca5ce1), G[K_14]...G[K_32](b_1, b_0) = (44ca5ce1, c4b3edca), G[K_13]...G[K_32](b_1, b_0) = (c4b3edca, 4811c7ad), G[K_12]...G[K_32](b_1, b_0) = (4811c7ad, 93c1f449), G[K_11]...G[K_32](b_1, b_0) = (93c1f449, ce995f2a), G[K_10]...G[K_32](b_1, b_0) = (ce995f2a, 46324615), G[K_9]...G[K_32](b_1, b_0) = (46324615, 37d97f25), G[K_8]...G[K_32](b_1, b_0) = (37d97f25, ad0310a4), G[K_7]...G[K_32](b_1, b_0) = (ad0310a4, 11fe726d), G[K_6]...G[K_32](b_1, b_0) = (11fe726d, ea89c02c), G[K_5]...G[K_32](b_1, b_0) = (ea89c02c, 633a7c68), G[K_4]...G[K_32](b_1, b_0) = (633a7c68, b14337a5), G[K_3]...G[K_32](b_1, b_0) = (b14337a5, 28da3b14), G[K_2]...G[K_32](b_1, b_0) = (28da3b14,76543210).]]></artwork> </figure>76543210). ]]></sourcecode> <t>Then the plaintext is</t><figure> <artwork><![CDATA[a<sourcecode type="test-vectors"><![CDATA[a = G^*[K_1]G[K_2]...G[K_32](b_1, b_0) =fedcba9876543210.]]></artwork> </figure>fedcba9876543210.]]></sourcecode> </section> </section> <sectiontitle="Background">numbered="true" toc="default"> <name>Background</name> <t>This specification is a translation of relevant parts of the <xref target="GOSTR3412-2015"/>format="default"/> standard. The order of terms in both parts of <xref target="section_defs_notation"/>format="default"/> comes from the original text.If one combinesCombining <xref target="RFC7801"/>format="default"/> with thisdocument, hedocument willhavecreate a complete translation of <xref target="GOSTR3412-2015"/>format="default"/> into English.</t><t>Algoritmically<t>Algorithmically, Magma is a variation of the block cipher defined in <xreftarget="RFC5830"/>target="RFC5830" format="default"/> (<xreftarget="GOST28147-89"/>)target="GOST28147-89" format="default"/>) with the following clarifications and minor modifications:<list style="numbers"> <t>S-BOX</t> <ol spacing="normal" type="1"> <li>S-BOX set is fixed at id-tc26-gost-28147-param-Z (See Appendix C of <xref target="RFC7836"/>);</t> <t>keyformat="default"/>);</li> <li>key is parsed as a single big-endian integer (compared to the little-endian approach used in <xref target="GOST28147-89"/>),format="default"/>), which results in different subkey values beingused;</t> <t>dataused;</li> <li>data bytes are also parsed as a single big-endian integer (instead of being parsed as little-endianinteger).</t> </list> </t>integer).</li> </ol> </section> </back> </rfc>