Independent Submission                                  V. Dolmatov, Ed.
Request for Comments: 5830                               Cryptocom, Ltd.
Category: Informational                                       March 2010
ISSN: 2070-1721
        

GOST 28147-89: Encryption, Decryption, and Message Authentication Code (MAC) Algorithms

Abstract

This document is intended to be a source of information about the Russian Federal standard for electronic encryption, decryption, and message authentication algorithms (GOST 28147-89), which is one of the Russian cryptographic standard algorithms (called GOST algorithms). Recently, Russian cryptography has come into use in Internet applications, and this document has been created as information for developers and users of GOST 28147-89 for encryption, decryption, and message authentication.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5830.

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

This document may not be modified, and derivative works of it may not be created, except to format it for publication as an RFC or to translate it into languages other than English.

Table of Contents

   1. Introduction
      1.1. General Information
   2. Applicability
   3. Definitions and Notations
      3.1. Definitions
      3.2. Notation
   4. General Statements
   5. The Electronic Codebook Mode
      5.1. Encryption of Plain Text in the Electronic Codebook Mode
      5.2. Decryption of the Ciphertext in the Electronic Codebook Mode
   6. The Counter Encryption Mode
      6.1. Encryption of Plain Text in the Counter Encryption Mode
      6.2. Decryption of Ciphertext in the Counter Encryption Mode
   7. The Cipher Feedback Mode
      7.1. Encryption of Plain Text in the Cipher Feedback Mode
      7.2. Decryption of Ciphertext in the Cipher Feedback Mode
   8. Message Authentication Code (MAC) Generation Mode
   9. Security Considerations
   10. Normative References
   Appendix A. Values of the Constants C1 and C2
   Appendix B. Contributors
        
1. Introduction
1.1. General Information

[GOST28147-89] is the unified cryptographic transformation algorithm for information processing systems of different purposes, defining the encryption/decryption rules and the message authentication code (MAC) generation rules.

This cryptographic transformation algorithm is intended for hardware or software implementation and corresponds to the cryptographic requirements. It puts no limitations on the encrypted information secrecy level.

2. Applicability

GOST 28147-89 defines the encryption/decryption model and MAC generation for a given message (document) that is meant for transmission via insecure public telecommunication channels between data processing systems of different purposes.

GOST 28147-89 is obligatory to use in the Russian Federation in all data processing systems providing public services.

3. Definitions and Notations
3.1. Definitions

The following terms are used in the standard:

Running key: a pseudo-random bit sequence generated by a given algorithm for encrypting plain texts and decrypting encrypted texts.

Encryption: the process of transforming plain text to encrypted data using a cipher.

MAC: an information string of fixed length that is generated from plain text and a key according to some rule and added to the encrypted data for protection against data falsification.

Key: a defined secret state of some parameters of a cryptographic transformation algorithm, that provides a choice of one transformation out of all the possible transformations.

Cryptographic protection: data protection using the data cryptographic transformations.

Cryptographic transformation: data transformation using encryption and (or) MAC.

Decryption: the process of transforming encrypted data to plain text using a cipher.

Initialisation vector: initial values of plain parameters of a cryptographic transformation algorithm.

Encryption equation: a correlation showing the process of generating encrypted data out of plain text as a result of transformations defined by the cryptographic transformation algorithm.

Decryption equation: a correlation showing the process of generating plain text out of encrypted data as a result of transformations defined by the cryptographic transformation algorithm.

Cipher: a set of reversible transformations of the set of possible plain texts onto the set of encrypted data, made after certain rules and using keys.

3.2. Notation

In this document, the following notations are used:

^ is a power operator.

(+) is a bitwise addition of the words of the same length modulo 2.

[+] is an addition of 32-bit vectors modulo 2^32.

[+]' is an addition of the 32-bit vectors modulo 2^32-1.

1..N is all values from 1 to N.

4. General Statements

The structure model of the cryptographic transformation algorithm (a cryptographic model) contains:

- a 256-bit key data store (KDS) consisting of eight 32-bit registers (X0, X1, X2, X3, X4, X5, X6, X7);

- four 32-bit registers (N1, N2, N3, N4);

- two 32-bit registers (N5 and N6) containing constants C1 and C2;

- two 32-bit adders modulo 2^32 (CM1, CM3);

- a 32-bit adder of bitwise sums modulo 2 (CM2);

- a 32-bit adder modulo (2^32-1) (CM4);

- an adder modulo 2 (CM5), with no limitation to its width;

- a substitution box (K);

- a register for a cyclic shift of 11 steps to the top digit (R).

A substitution box (S-box) K consists of eight substitution points K1, K2, K3, K4, K5, K6, K7, K8, with 64-bit memory. A 32-bit vector coming to the substitution box is divided into eight successive 4-bit vectors, and each of them is transformed into a 4-bit vector by a corresponding substitution point. A substitution point is a table consisting of 16 lines, each containing four bits. The incoming vector defines the line address in the table, and the contents of that line is the outgoing vector. Then, these 4-bit outgoing vectors are successively combined into a 32-bit vector.

Remark: the standard doesn't define any S-boxes. Some of them are defined in [RFC4357].

When adding and cyclically shifting binary vectors, the registers with larger numbers are considered the top digits.

When writing a key (W1, W2, ..., W256), Wq = 0..1, q = 1..256, in the KDS the value:

- W1 is written into the 1st bit of the register X0;

- the value W2 is written into the 2nd bit of the register X0 (etc.);

- the value W32 is written into the 32nd bit of the register X0;

- the value W33 is written into the 1st bit of the register X1;

- the value W34 is written into the 2nd bit of the register X1 (etc.);

- the value W64 is written into the 32nd bit of the register X1;

- the value W65 is written into the 1st bit of the register X2 (etc.);

- the value W256 is written into the 32nd bit of the register X7.

When rewriting the information, the value of the p-th bit of one register (adder) is written into the p-th bit of another register (adder).

The values of the constants C1 and C2 in the registers N5 and N6 are given in Appendix A.

The keys defining fillings of KDS and the substitution box K tables are secret elements and are provided in accordance with the established procedure.

The filling of the substitution box K is described in GOST 28147-89 as a long-term key element common for a whole computer network. Usually, K is used as a parameter of the algorithm; some possible sets of K are described in [RFC4357].

The cryptographic model contemplates four working modes:

- data encryption (decryption) in the electronic codebook (ECB) mode,

- data encryption (decryption) in the counter (CNT) mode,

- data encryption (decryption) in the cipher feedback (CFB) mode, and

- the MAC generation mode.

[RFC4357] also describes the CBC mode of GOST 28147-89, but this mode is not a part of the standard.

5. The Electronic Codebook Mode
5.1. Encryption of Plain Text in the Electronic Codebook Mode
   The plain text to be encrypted is split into 64-bit blocks.  Input of
   a binary data block Tp = (a1(0), a2(0), ... , a31(0), a32(0), b1(0),
   b2(0), ..., b32(0)) into the registers N1 and N2 is done so that the
   value of a1(0) is put into the first bit of N1, the value of a2(0) is
   put into the second bit of N1, etc., and the value of a32(0) is put
   into the 32nd bit of N1.  The value of b1(0) is put into the first
   bit of N2, the value of b2(0) is put into the 2nd bit of N2, etc.,
   and the value of b32(0) is input into the 32nd bit of N2.
        

The result is the state (a32(0), a31(0), ..., a2(0), a1(0)) of the register N1 and the state (b32(0), b31(0), ..., b1(0)) of the register N2.

The 256 bits of the key are entered into the KDS. The contents of eight 32-bit registers X0, X1, ..., X7 are:

X0 = W32, W31, ..., W2, W1

X1 = W64, W63, ..., W34, W33

      . . . . . . . . . . . . . . .
        

X7 = W256, W255, ..., W226, W225

The algorithm for enciphering 64-bit blocks of plain text in the electronic codebook mode consists of 32 rounds.

In the first round, the initial value of register N1 is added modulo 2^32 in the adder CM1 to the contents of the register X0. Note: the value of register N1 is unchanged.

The result of the addition is transformed in the substitution block K, and the resulting vector is put into the register R, where it is cyclically shifted by 11 steps towards the top digit. The result of this shift is added bitwise modulo 2 in the adder CM2 to the 32-bit contents of the register N2. The result produced in CM2 is then written into N1, and the old contents of N1 are written in N2. Thus, the first round ends.

The subsequent rounds are similar to the first one:

- in the second round, the contents of X1 are read from the KDS;

- in the third round, the contents of X2 are read from the KDS, etc.;

- in the 8th round, the contents of X7 are read from the KDS.

- in rounds 9 through 16 and 17 through 24, the contents of the KDS are read in the same order:

X0, X1, X2, X3, X4, X5, X6, X7.

- in the last eight rounds from the 25th to the 32nd, the contents of the KDS are read backwards:

X7, X6, X5, X4, X3, X2, X1, X0.

Thus, during the 32 rounds of encryption, the following order of choosing the registers' contents is implemented:

X0, X1, X2, X3, X4, X5, X6, X7, X0, X1, X2, X3, X4, X5, X6, X7,

X0, X1, X2, X3, X4, X5, X6, X7, X7, X6, X5, X4, X3, X2, X1, X0

In the 32nd round, the result in the adder CM2 is written into the register N2, and the old contents of register N1 are unchanged.

After the 32nd round, the contents of the registers N1 and N2 are an encrypted data block corresponding to a block of plain text.

The equations for enciphering in the electronic codebook mode are:

      |a(j) = (a(j-1) [+] X(j-1)(mod 8))*K*R (+) b (j-1)
      |                                                      j = 1..24;
      |b(j) = a(j-1)
        
      |a(j) = (a(j-1) [+] X(32-j))*K*R (+) b(j-1)
      |                                          j = 25..31; a32 = a31;
      |b(j) = a(j-1)
        
      b(32) = (a(31) [+] X0)*K*R (+) b(31)                        j=32,
        

where:

   a(0) = (a32(0), a31(0), ..., a1(0)) constitutes the initial contents
   of N1 before the first round of encryption;
        
   b(0) = (b32(0), b31(0), ..., b1(0)) constitutes the initial contents
   of N2 before the first round of encryption;
        
   a(j) = (a32(j), a31(j), ..., a1(j)) constitutes the contents of N1
   after the j-th round of encryption;
        
   b(j) = (b32(j), b31(j), ..., b1(j)) constitutes the contents of N2
   after the j-th round of encryption, j = 1..32.
        

R is the operation of cyclic shift towards the top digit by 11 steps, as follows:

R(r32, r31, r30, r29, r28, r27, r26, r25, r24, r23, r22, r21, r20, ..., r2, r1) =

(r21, r20, ..., r2, r1, r32, r31, r30, r29, r28, r27, r26, r25, r24, r23, r22)

The 64-bit block of ciphertext Tc is taken out of the registers N1, N2 in the following order:

the first, second, ..., 32nd bit of the register N1, then the first, second, ..., 32nd bit of the register N2, i.e.,

Tc = (a1(32), a2(32), ..., a32(32), b1(32), b2(32), ..., b32(32)).

The remaining blocks of the plain text in electronic codebook mode are encrypted in the same fashion.

5.2. Decryption of the Ciphertext in the Electronic Codebook Mode

The same 256-bit key that was used for encryption is loaded into the KDS, and the encrypted data to be deciphered is divided into 64-bit blocks. The loading of any binary information block

      Tc = (a1(32), a2(32), ..., a32(32), b1(32), b2(32), ..., b32(32))
        

into the registers N1 and N2 is done in such a way that:

- the contents of a1(32) are written into the first bit of N1;

- the contents of a2(32) are written into the second bit of N1 (and so on);

- the contents of a32(32) are written into the 32nd bit of N1;

- the contents of b1(32) are written into the first bit of N2 (and so on);

- and the contents of b32(32) are written into the 32nd bit of N2.

The decryption procedure uses the same algorithm as the encryption of plain text, with one exception: the contents of the registers X0, X1, ..., X7 are read from the KDS in the decryption rounds in the following order:

X0,X1,X2,X3,X4,X5,X6,X7, X7,X6,X5,X4,X3,X2,X1,X0,

X7,X6,X5,X4,X3,X2,X1,X0, X7,X6,X5,X4,X3,X2,X1,X0.

The decryption equations are:

      |a(32-j) = (a(32-j+1) [+] X(j-1))*K*R (+) b(32-j+1)
      |                                                        j = 1..8;
      |b(32-j) = a(32-j+1)

      |a(32-j) = (a(32-j+1) [+] X(j-1)(mod 8))*K*R (+) b(32-j+1)
      |                                                       j = 9..31;
      |b(32-j) = a(32-j+1)

      |a(0) = a(1)
      |                                                            j=32.
      |b(0) = (a(1) [+] X0)*K*R (+) b(1)
        

The fillings of the adders N1 and N2 after 32 working rounds are a plain text block.

      Tp = (a1(0), a2(0), ... , a32(0), b1(0), b2(0), ..., b32(0))
        

corresponding to the encrypted data block:

- the value of a1(0) of the block Tp corresponds to the contents of the first bit of N1;

- the value of a2(0) corresponds to the contents of the second bit of N1 (etc.);

- the value of b1(0) corresponds to the contents of the first bit of N2;

- the value of b2(0) corresponds to the contents of the second bit of N2 (etc.);

- the value of b32(0) corresponds to the contents of 32nd bit of N2;

- the remaining blocks of encrypted data are decrypted similarly.

The encryption algorithm in the electronic codebook mode of a 64-bit block Tp is denoted by A, that is:

      A(Tp) is A(a(0), b(0)) = (a(32), b(32)) = Tc.
        
6. The Counter Encryption Mode
6.1. Encryption of Plain Text in the Counter Encryption Mode

The plain text divided into 64-bit blocks Tp(1), Tp(2), ..., Tp(M-1), Tp(M) is encrypted in the counter encryption mode by bitwise addition modulo 2 in the adder CM5 with the running key Gc produced in 64-bit blocks, that is:

      Gc = (Gc(1), Gc(2), ..., Gc(M-1), Gc(M))
        

where M is defined by the size of the plain text being encrypted. Gc(i) is the i-th 64-bit block, where i=1..M; the number of bits in a block Tp(M) can be less than 64. In this case, the unused part of the running key block Gc(M) is discarded.

   256 bits of the key are put into the KDS.  The registers N1 and N2
   accept a 64-bit binary sequence (an initialisation vector) S = (S1,
   S2, ..., S64), that is, the initial filling of these registers for
   subsequent generation of M blocks of the running key.  The
   initialisation vector is put into the registers N1 and N2 so:
        

- the value of S1 is written into the first bit of N1;

- the value of S2 is written into the second bit of N1 (etc.);

- the value of S32 is written into the 32nd bit of N1;

- the value of S33 is written into the first bit of N2;

- the value of S34 is written into the 2nd bit of N2 (etc.);

- the value of S64 is written into the 32nd bit of N2.

   The initial filling of the registers N1 and N2 (the initialisation
   vector S) is encrypted in the electronic codebook mode in accordance
   with the requirements from section 5.1.  The result of that
   encryption A(S) = (Y0, Z0) is rewritten into the 32-bit registers N3
   and N4 so as the contents of N1 are written into N3, and the contents
   of N2 are written into N4.
        

The filling of the register N4 is added modulo (2^32-1) in the adder CM4 to the 32-bit constant C1 from the register N6; the result is written into N4. The filling of the register N3 is added modulo 2^32 in the adder CM3 with the 32-bit constant C2 from the register N5; the result is written into N3.

The filling of N3 is copied into N1, and the filling of N4 is copied into N2, while the fillings of N3 and N4 are kept.

The filling of N1 and N2 is encrypted in the electronic codebook mode according to the requirements of section 5.1. The resulting encrypted filling of N1 and N2 is the first 64-bit block of the running key Gc(1); this block is added bitwise modulo 2 in the adder CM5 to the first 64-bit block of the plain text:

      Tp(1) = (t1(1), t2(1), ..., t63(1), t64(1)).
        

The result of this addition is a 64-bit block of the encrypted data:

      Tc(1) = (tau1(1), tau2(1), ..., tau63(1), tau64(1)).
        

The value of tau1(1) of the block Tc(1) is the result of adding modulo 2 in CM5 the value t1(1) of the block Tp(1) to the value of the first bit of N1; the value of tau2(1) of the block Tc(1) is the result of adding modulo 2 in CM5 the value t2(1) of the block Tp(1) to the value of the second bit of N1, etc.; the value of tau64(1) of the block Tc(1) is the result of adding modulo 2 in CM5 the value t64(1) of the block Tp(1) to the value of the 32nd bit of N2.

To get the next 64-bit block of the running key Gc(2), the filling of N4 is added modulo (2^32-1) in the adder CM4 with the constant C1 from N6; the filling of N3 is added modulo 2^32 in the adder CM3 with the constant C2 from N5. The new filling of N3 is copied into N1; the new filling of N4 is copied into N2; the fillings of N3 and N4 are kept.

The filling of N1 and N2 is encrypted in the electronic codebook mode according to the requirements of section 5.1. The resulting encrypted filling of N1 and N2 is the second 64-bit block of the running key Gc(2); this block is added bitwise modulo 2 in the adder CM5 to the second 64-bit block of the plain text Tp(2). The remaining running key blocks Gc(3), Gc(4), ..., Gc(M) are generated and the plain text blocks Tp(3), Tp(4), ..., Tp(M) are encrypted similarly. If the length of the last M-th block of the plain text is less than 64 bits, then only the corresponding number of bits from the last M-th block of the running key is used; remaining bits are discarded.

The initialisation vector S and the blocks of encrypted data Tc(1), Tc(2), ..., Tc(M) are transmitted to the telecommunication channel or to the computer memory.

The encryption equation is:

      Tc(i) = A(Y[i-1] [+] C2, Z[i-1] [+]' C1) (+) Tp(i)
            = Gc(i) (+) Tp(i)     i=1..M
        

where:

Y[i] is the contents of the register N3 after encrypting the i-th block of the plain text Tp(i);

Z[i] is the contents of the register N4 after encrypting the i-th block of the plain text Tp(i);

(Y[0], Z[0]) = A(S).

6.2. Decryption of Ciphertext in the Counter Encryption Mode

256 bits of the key that was used for encrypting the data Tp(1), Tp(2), ..., Tp(M) are put into the KDS. The initialisation vector S is put into the registers N1 and N2 and, as in section 6.1, M blocks of the running key Gc(1), Gc(2), ..., Gc(M) are generated. The encrypted data blocks Tc(1), Tc(2), ..., Tc(M) are added bitwise modulo 2 in the adder CM5 to the blocks of the running key, and this results in the blocks of plain text Tp(1), Tp(2), ..., Tp(M); Tp(M) may contain fewer than 64 bits.

The decryption equation is:

      Tp(i) = A (Y[i-1] [+] C2, Z[i-1] [+]' C1) (+) Tc(i)
            = Gc(i) (+) Tc(i)     i = 1..M
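
The counter-mode equations of sections 6.1 and 6.2, as an added example (not code from this document or from any GOST implementation). It is written against any 64-bit block function A; the stand-in A is a constructed keyed function, not GOST 28147-89, and the little-endian register layout and the end-around-carry form of [+]' are assumptions.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
C1 = 0x01010104  # Appendix A bit table for C1, read from bit 32 down to bit 1
C2 = 0x01010101  # Appendix A bit table for C2

def add_mod_2_32(a, b):
    """[+]: addition modulo 2^32."""
    return (a + b) & MASK32

def add_mod_2_32_minus_1(a, b):
    """[+]': addition modulo 2^32 - 1, end-around-carry form (assumed)."""
    s = a + b
    return s if s <= MASK32 else s - MASK32  # s - 2^32 + 1

def next_counter(y, z):
    """(Y[i-1], Z[i-1]) -> (Y[i], Z[i]): N3 steps by C2, N4 by C1."""
    return add_mod_2_32(y, C2), add_mod_2_32_minus_1(z, C1)

def running_key(A, iv, count):
    """Yield Gc(1)..Gc(count); A maps an 8-byte block to an 8-byte block."""
    # Assumption: each register is a little-endian 32-bit word, N1 first.
    y, z = struct.unpack("<II", A(iv))           # (Y[0], Z[0]) = A(S)
    for _ in range(count):
        y, z = next_counter(y, z)
        yield A(struct.pack("<II", y, z))        # Gc(i) = A(Y[i], Z[i])

def counter_mode(A, iv, data):
    """Encrypt or decrypt: both are an XOR with the same running key."""
    if len(iv) != 8:
        raise ValueError("the initialisation vector S is 64 bits")
    out = bytearray()
    blocks = (len(data) + 7) // 8
    for i, gc in enumerate(running_key(A, iv, blocks)):
        chunk = data[8 * i:8 * i + 8]
        # zip() stops at the shorter input, so a short last block uses
        # only the running-key bytes it needs and the rest are discarded.
        out += bytes(t ^ g for t, g in zip(chunk, gc))
    return bytes(out)

def standin_cipher(key):
    """Constructed stand-in for A under `key`. It is NOT GOST 28147-89."""
    return lambda block: hashlib.sha256(key + block).digest()[:8]

if __name__ == "__main__":
    A = standin_cipher(b"\x11" * 32)             # constructed 256-bit key
    S = bytes.fromhex("0102030405060708")        # constructed IV
    tc = counter_mode(A, S, b"running key demo")
    print(tc.hex(), counter_mode(A, S, tc))
```

The running key depends only on the key and S, so reusing S under one key repeats the running key for every message.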
        
7. The Cipher Feedback Mode
7.1. Encryption of Plain Text in the Cipher Feedback Mode

The plain text is divided into 64-bit blocks Tp(1), Tp(2), ..., Tp(M) and encrypted in the cipher feedback mode by bitwise addition modulo 2 in the adder CM5 with the running key Gc generated in 64-bit blocks, i.e., Gc(i)=(Gc(1), Gc(2), ..., Gc(M)), where M is defined by the length of the plain text, Gc(i) is the i-th 64-bit block, i = 1..M. The number of bits in the block Tp(M) may be less than 64.

256 bits of the key are put into the KDS. The 64-bit initialisation vector S = (S1, S2, ..., S64) is put into N1 and N2 as described in section 6.1.

The initial filling of N1 and N2 is encrypted in the electronic codebook mode in accordance with the requirements in section 6.1. The resulting encrypted filling of N1 and N2 is the first 64-bit block of the running key Gc(1)=A(S); this block is added bitwise modulo 2 with the first 64-bit block of plain text Tp(1) = (t1(1), t2(1), ..., t64(1)).

The result is a 64-bit block of encrypted data

      Tc(1) = (tau1(1), tau2(1), ..., tau64(1)).
        

The block of encrypted data Tc(1) is simultaneously the initial state of N1 and N2 for generating the second block of the running key Gc(2) and is written back into these registers as feedback. Here:

- the value of tau1(1) is written into the first bit of N1;

- the value of tau2(1) is written into the second bit of N1, etc.;

- the value of tau32(1) is written into the 32nd bit of N1;

- the value of tau33(1) is written into the first bit of N2;

- the value of tau34(1) is written into the second bit of N2, etc.;

- the value of tau64(1) is written into the 32nd bit of N2.

The filling of N1 and N2 is encrypted in the electronic codebook mode in accordance with the requirements in the section 6.1. The encrypted filling of N1 and N2 forms the second 64-bit block of the running key Gc(2); this block is added bitwise modulo 2 in the adder CM5 to the second block of the plain text Tp(2).

The generation of subsequent blocks of the running key Gc(i) and the encryption of the corresponding blocks of the plain text Tp(i) (i = 3..M) are performed similarly. If the length of the last M-th block of the plain text is less than 64 bits, only the corresponding number of bits of the M-th block of the running key Gc(M) is used; remaining bits are discarded.

The encryption equations in the cipher feedback mode are:

      |Tc(1) = A(S) (+) Tp(1) = Gc(1) (+) Tp(1)
      |
      |Tc(i) = A(Tc(i-1)) (+) Tp(i) = Gc(i) (+) Tp(i), i = 2..M.

The initialisation vector S and the blocks of encrypted data Tc(1), Tc(2), ..., Tc(M) are transmitted into the telecommunication channel or to the computer memory.

7.2. Decryption of Ciphertext in the Cipher Feedback Mode

256 bits of the key used for the encryption of Tp(1), Tp(2), ..., Tp(M) are put into the KDS. The initialisation vector S is put into N1 and N2 as in section 6.1.

The initial filling of N1 and N2 (the initialisation vector S) is encrypted in the electronic codebook mode in accordance with the subsection 6.1. The encrypted filling of N1, N2 is the first block of the running key Gc(1) = A(S); this block is added bitwise modulo 2 in the adder CM5 with the encrypted data block Tc(1). This results in the first block of plain text Tp(1).

The block of encrypted data Tc(1) forms the initial filling of N1, N2 for generating the second block of the running key Gc(2). The block Tc(1) is written into N1 and N2 in accordance with the requirements in the subsection 6.1; the resulting block Gc(2) is added bitwise modulo 2 in the adder CM5 to the second block of the encrypted data Tc(2). This results in the block of plain text Tp(2).

Similarly, the blocks of encrypted data Tc(2), Tc(3), ..., Tc(M-1) are written into N1, N2 successively, and the blocks of the running key Gc(3), Gc(4), ..., Gc(M) are generated out of them in the electronic codebook mode. The blocks of the running key are added bitwise modulo 2 in the adder CM5 to the blocks of the encrypted data Tc(3), Tc(4), ..., Tc(M); this results in the blocks of plain text Tp(3), Tp(4), ..., Tp(M). Here, the number of bits in the last block of the plain text Tp(M) can be less than 64.

The decryption equations in the cipher feedback mode are:

      |Tp(1) = A(S) (+) Tc(1) = Gc(1) (+) Tc(1)
      |
      |Tp(i) = A(Tc(i-1)) (+) Tc(i) = Gc(i) (+) Tc(i), i=2..M
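
The cipher feedback equations of sections 7.1 and 7.2, as an added example (not code from this document or from any GOST implementation). It is written against any 64-bit block function A; the stand-in A and the helper `blocks_changed`, which reports which plain text blocks a damaged ciphertext byte affects, are constructed for illustration.

```python
import hashlib

def _xor(block, gc):
    # zip() truncates to a short last block: unused running-key bytes are dropped
    return bytes(b ^ g for b, g in zip(block, gc))

def cfb_encrypt(A, iv, plaintext):
    """Tc(1) = A(S) (+) Tp(1);  Tc(i) = A(Tc(i-1)) (+) Tp(i), i = 2..M."""
    if len(iv) != 8:
        raise ValueError("the initialisation vector S is 64 bits")
    feedback, out = iv, bytearray()
    for i in range(0, len(plaintext), 8):
        tc = _xor(plaintext[i:i + 8], A(feedback))
        out += tc
        feedback = tc            # the ciphertext block refills N1, N2
    return bytes(out)

def cfb_decrypt(A, iv, ciphertext):
    """Tp(1) = A(S) (+) Tc(1);  Tp(i) = A(Tc(i-1)) (+) Tc(i), i = 2..M."""
    if len(iv) != 8:
        raise ValueError("the initialisation vector S is 64 bits")
    feedback, out = iv, bytearray()
    for i in range(0, len(ciphertext), 8):
        tc = ciphertext[i:i + 8]
        out += _xor(tc, A(feedback))   # A runs in the encrypt direction here too
        feedback = tc
    return bytes(out)

def blocks_changed(A, iv, ciphertext, byte_index):
    """Indices of plain text blocks that differ after one ciphertext byte is damaged."""
    good = cfb_decrypt(A, iv, ciphertext)
    damaged = bytearray(ciphertext)
    damaged[byte_index] ^= 0x01
    bad = cfb_decrypt(A, iv, bytes(damaged))
    return [i // 8 for i in range(0, len(good), 8)
            if good[i:i + 8] != bad[i:i + 8]]

def standin_cipher(key):
    """Constructed stand-in for A under `key`. It is NOT GOST 28147-89."""
    return lambda block: hashlib.sha256(key + block).digest()[:8]

if __name__ == "__main__":
    A = standin_cipher(b"\x22" * 32)     # constructed 256-bit key
    S = bytes(8)                         # constructed IV
    tc = cfb_encrypt(A, S, bytes(range(29)))
    print(cfb_decrypt(A, S, tc) == bytes(range(29)), blocks_changed(A, S, tc, 9))
```

A damaged ciphertext block changes its own plain text block and the following one only, so the mode itself does not reveal modification; that is the job of the MAC in section 8.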
        
8. Message Authentication Code (MAC) Generation Mode

To protect plain text consisting of M 64-bit blocks Tp(1), Tp(2), ..., Tp(M), M >= 2, against falsification, an additional l-bit block is generated (the message authentication code I(l)). The process of MAC generation is the same for all the encryption/decryption modes.

- The first block of plain text:

      Tp(1) = (t1(1), t2(1), ..., t64(1)) = (a1(1)[0], a2(1)[0], ...,
              a32(1)[0], b1(1)[0], b2(1)[0], ..., b32(1)[0])

is written to the registers N1 and N2;

- the value of t1(1) = a1(1)[0] is written into the first bit of N1;

- the value of t2(1) = a2(1)[0] is written into the second bit of N1, etc.;

- the value of t32(1) = a32(1)[0] is written into the 32nd bit of N1;

- the value of t33(1) = b1(1)[0] is written into the first bit of N2, etc.;

- the value of t64(1) = b32(1)[0] is written into the 32nd bit of N2.

The filling of N1 and N2 is transformed in accordance with the first 16 rounds of the encryption algorithm in the electronic codebook mode (see the subsection 6.1). The KDS holds the same key that is used for encrypting the blocks of plain text Tp(1), Tp(2), ..., Tp(M) into the corresponding blocks of encrypted data Tc(1), Tc(2), ..., Tc(M).

The filling of N1 and N2 after the 16 working rounds, looking like (a1(1)[16], a2(1)[16], ..., a32(1)[16], b1(1)[16], b2(1)[16], ..., b32(1)[16]), is added in CM5 modulo 2 to the second block Tp(2) = (t1(2), t2(2), ..., t64(2)).

The result of this addition

       (a1(1)[16](+)t1(2), a2(1)[16](+)t2(2), ..., a32(1)[16](+)t32(2),
       b1(1)[16](+)t33(2), b2(1)[16](+)t34(2), ..., b32(1)[16](+)t64(2))
        

=

       (a1(2)[0], a2(2)[0], ..., a32(2)[0], b1(2)[0], b2(2)[0], ...,
       b32(2)[0])

is written into N1 and N2 and is transformed in accordance with the first 16 rounds of the encryption algorithm in the electronic codebook mode.

The resulting filling of N1 and N2 is added in CM5 modulo 2 to the third block Tp(3), and so on. The last block Tp(M) = (t1(M), t2(M), ..., t64(M)), padded with zeros if necessary to a complete 64-bit block, is added in CM5 modulo 2 to the filling of N1, N2 (a1(M-1)[16], a2(M-1)[16], ..., a32(M-1)[16], b1(M-1)[16], b2(M-1)[16], ..., b32(M-1)[16]).

The result of the addition

        (a1(M-1)[16](+)t1(M), a2(M-1)[16](+)t2(M), ..., a32(M-1)[16](+)
        t32(M), b1(M-1)[16](+)t33(M), b2(M-1)[16](+)t34(M), ...,
        b32(M-1)[16](+)t64(M))
        

=

        (a1(M)[0], a2(M)[0], ..., a32(M)[0], b1(M)[0], b2(M)[0], ...,
        b32(M)[0])

is written into N1, N2 and transformed by the first 16 rounds of the encryption algorithm in the electronic codebook mode. Out of the resulting filling of the registers N1 and N2:

      (a1(M)[16], a2(M)[16], ..., a32(M)[16], b1(M)[16], b2(M)[16], ...,
      b32(M)[16])

an l-bit string I(l) (the MAC) is chosen:

      I(l) = [a(32-l+1)(M)[16], a(32-l+2)(M)[16], ..., a32(M)[16]].
        

The MAC I(l) is transmitted through the telecommunication channel or to the computer memory attached to the end of the encrypted data, i.e., Tc(1), Tc(2), ..., Tc(M), I(l).

The encrypted data Tc(1), Tc(2), ..., Tc(M), when arriving, are decrypted. Out of the resulting plain text blocks Tp(1), Tp(2), ..., Tp(M), the MAC I'(l) is generated as described in the subsection 5.3 and compared with the MAC I(l) received together with the encrypted data from the telecommunication channel or from the computer memory. If the MACs are not equal, the resulting plain text blocks Tp(1), Tp(2), ..., Tp(M) are considered false.

The MAC I(l) (I'(l)) can be generated either before encryption (after decryption, respectively) of the whole message or simultaneously with the encryption (decryption) in blocks. The first plain text blocks, used in the MAC generation, can contain service information (the address section, a time mark, the initialisation vector, etc.) and they may be unencrypted.

The value of the parameter l (the bit length of the MAC) is defined by the actual cryptographic requirements, taking into account that the probability of imposing false data is 2^-l.
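
The MAC generation procedure of section 8, as an added example (not code from this document or from any GOST implementation). Assumptions: each of the 16 rounds adds a key word modulo 2^32, substitutes eight 4-bit groups, rotates left by 11 and XORs into the other half, with key words K0..K7 used twice; registers and key words are little-endian; the substitution table is constructed for the example and is not a standardized parameter set.

```python
import hmac

MASK32 = 0xFFFFFFFF
# Constructed substitution table: 8 rows, each a permutation of 0..15.
# It is NOT a standardized parameter set; use the one your peers agree on.
CONSTRUCTED_SBOX = [[(7 * x + r) % 16 for x in range(16)] for r in range(8)]

def round_f(x, sbox):
    """Substitute the eight 4-bit groups of x, then rotate left by 11."""
    y = 0
    for i in range(8):
        y |= sbox[i][(x >> (4 * i)) & 0xF] << (4 * i)
    return ((y << 11) | (y >> 21)) & MASK32

def sixteen_rounds(n1, n2, k, sbox):
    """First 16 rounds of the encryption cycle: K0..K7, then K0..K7 again."""
    for r in range(16):
        n1, n2 = n2 ^ round_f((n1 + k[r % 8]) & MASK32, sbox), n1
    return n1, n2

def gost_mac(key, text, l=32, sbox=CONSTRUCTED_SBOX):
    """Return the l-bit MAC I(l) of `text` as an integer."""
    if len(key) != 32 or not 1 <= l <= 32:
        raise ValueError("need a 256-bit key and 1 <= l <= 32")
    if len(text) <= 8:
        raise ValueError("the text must span M >= 2 blocks")
    k = [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]
    text = bytes(text) + b"\x00" * (-len(text) % 8)   # zero-pad Tp(M)
    n1 = n2 = 0
    for i in range(0, len(text), 8):
        # XOR the block into N1, N2 (for Tp(1) this simply loads it) ...
        n1 ^= int.from_bytes(text[i:i + 4], "little")
        n2 ^= int.from_bytes(text[i + 4:i + 8], "little")
        # ... then run the 16-round transform under the encryption key.
        n1, n2 = sixteen_rounds(n1, n2, k, sbox)
    return n1 >> (32 - l)     # bits 32-l+1 .. 32 of N1, bit 32 being the MSB

def verify(key, text, mac, l=32, sbox=CONSTRUCTED_SBOX):
    """Recompute I'(l) over the decrypted text; compare in constant time."""
    expected = gost_mac(key, text, l, sbox).to_bytes(4, "big")
    return hmac.compare_digest(expected, mac.to_bytes(4, "big"))
```

Because the last block is zero-padded, two texts that differ only in trailing zero bytes inside the last block produce the same MAC, so the text length has to be fixed or authenticated by other means.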

9. Security Considerations

This entire document is about security considerations.

10. Normative References

[GOST28147-89] "Cryptographic Protection for Data Processing System", GOST 28147-89, Gosudarstvennyi Standard of USSR, Government Committee of the USSR for Standards, 1989. (In Russian)

[RFC4357] Popov, V., Kurepkin, I., and S. Leontiev, "Additional Cryptographic Algorithms for Use with GOST 28147-89, GOST R 34.10-94, GOST R 34.10-2001, and GOST R 34.11-94 Algorithms", RFC 4357, January 2006.

Appendix A. Values of the Constants C1 and C2

The constant C1 is:

      The bit of N6   32 31 30 29 28 27 26 25 24 23 22 21 20 19 18
      The bit value    0  0  0  0  0  0  0  1  0  0  0  0  0  0  0

      The bit of N6   17 16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1
      The bit value    1  0  0  0  0  0  0  0  1  0  0  0  0  0  1  0  0

The constant C2 is:

      The bit of N6   32 31 30 29 28 27 26 25 24 23 22 21 20 19 18
      The bit value    0  0  0  0  0  0  0  1  0  0  0  0  0  0  0

      The bit of N6   17 16 15 14 13 12 11 10  9  8  7  6  5  4  3  2  1
      The bit value    1  0  0  0  0  0  0  0  1  0  0  0  0  0  0  0  1

Appendix B. Contributors

   Dmitry Kabelev
   Cryptocom, Ltd.
   14 Kedrova St., Bldg. 2
   Moscow, 117218
   Russian Federation

   EMail: kdb@cryptocom.ru

   Igor Ustinov
   Cryptocom, Ltd.
   14 Kedrova St., Bldg. 2
   Moscow, 117218
   Russian Federation

   EMail: igus@cryptocom.ru

   Irene Emelianova
   Cryptocom Ltd.
   14 Kedrova St., Bldg. 2
   Moscow, 117218
   Russian Federation

   EMail: irene@cryptocom.ru

Author's Address

   Vasily Dolmatov, Ed.
   Cryptocom, Ltd.
   14 Kedrova St., Bldg. 2
   Moscow, 117218
   Russian Federation

   EMail: dol@cryptocom.ru