< draft-smyshlyaev-mgm-10.txt | draft-smyshlyaev-mgm-11.txt > | |||
---|---|---|---|---|

Network Working Group S. Smyshlyaev, Ed. | Network Working Group S. Smyshlyaev, Ed. | |||

Internet-Draft CryptoPro | Internet-Draft CryptoPro | |||

Intended status: Informational V. Nozdrunov | Intended status: Informational V. Nozdrunov | |||

Expires: October 21, 2019 V. Shishkin | Expires: December 20, 2019 V. Shishkin | |||

TC 26 | TC 26 | |||

April 19, 2019 | E. Smyshlyaeva | |||

CryptoPro | ||||

June 18, 2019 | ||||

Multilinear Galois Mode (MGM) | Multilinear Galois Mode (MGM) | |||

draft-smyshlyaev-mgm-10 | draft-smyshlyaev-mgm-11 | |||

Abstract | Abstract | |||

Multilinear Galois Mode (MGM) is an authenticated encryption with | Multilinear Galois Mode (MGM) is an authenticated encryption with | |||

associated data block cipher mode based on EtM principle. MGM is | associated data block cipher mode based on EtM principle. MGM is | |||

defined for use with 64-bit and 128-bit block ciphers. | defined for use with 64-bit and 128-bit block ciphers. | |||

Status of This Memo | Status of This Memo | |||

This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||

skipping to change at page 1, line 34 ¶ | skipping to change at page 1, line 36 ¶ | |||

Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||

Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||

working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||

Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||

Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||

and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||

time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||

material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||

This Internet-Draft will expire on October 21, 2019. | This Internet-Draft will expire on December 20, 2019. | |||

Copyright Notice | Copyright Notice | |||

Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||

document authors. All rights reserved. | document authors. All rights reserved. | |||

This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||

Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||

(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||

publication of this document. Please review these documents | publication of this document. Please review these documents | |||

carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||

to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||

include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||

the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||

described in the Simplified BSD License. | described in the Simplified BSD License. | |||

Table of Contents | Table of Contents | |||

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||

1.1. Existing Constructions . . . . . . . . . . . . . . . . . 2 | ||||

2. Conventions Used in This Document . . . . . . . . . . . . . . 2 | 2. Conventions Used in This Document . . . . . . . . . . . . . . 2 | |||

3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 2 | 3. Basic Terms and Definitions . . . . . . . . . . . . . . . . . 2 | |||

4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 4 | 4. Specification . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||

4.1. MGM Encryption and Authentication Procedure . . . . . . . 4 | 4.1. MGM Encryption and Authentication Procedure . . . . . . . 4 | |||

4.2. MGM Decryption and Authentication Check Procedure . . . . 6 | 4.2. MGM Decryption and Authentication Check Procedure . . . . 6 | |||

5. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 5. Rationale . . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||

6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||

6.1. Normative References . . . . . . . . . . . . . . . . . . 8 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 8 | |||

6.2. Informative References . . . . . . . . . . . . . . . . . 9 | 6.2. Informative References . . . . . . . . . . . . . . . . . 9 | |||

Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 | Appendix A. Test Vectors . . . . . . . . . . . . . . . . . . . . 9 | |||

Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 12 | Appendix B. Contributors . . . . . . . . . . . . . . . . . . . . 12 | |||

Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||

1. Introduction | 1. Introduction | |||

Multilinear Galois Mode (MGM) is an authenticated encryption with | Multilinear Galois Mode (MGM) is an authenticated encryption with | |||

associated data block cipher mode based on EtM principle. MGM is | associated data block cipher mode based on EtM principle. MGM is | |||

defined for use with 64-bit and 128-bit block. The MGM design | defined for use with 64-bit and 128-bit block. The MGM design | |||

principles can easily be applied to other block sizes. | principles can easily be applied to other block sizes. | |||

1.1. Existing Constructions | ||||

The text will be added in the future versions of the draft. | ||||

2. Conventions Used in This Document | 2. Conventions Used in This Document | |||

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||

"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||

document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||

3. Basic Terms and Definitions | 3. Basic Terms and Definitions | |||

This document uses the following terms and definitions for the sets | This document uses the following terms and definitions for the sets | |||

and operations on the elements of these sets: | and operations on the elements of these sets: | |||
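Review bot: the Introduction sentence "MGM is defined for use with 64-bit and 128-bit block." (unchanged on both sides) is missing the word "ciphers"; the Abstract reads "defined for use with 64-bit and 128-bit block ciphers" and the Introduction should match it. Dropping the placeholder Section 1.1 "Existing Constructions" ("The text will be added in the future versions of the draft.") together with its Table of Contents entry is the right call, since a promise of future text adds nothing to the draft.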

skipping to change at page 4, line 31 ¶ | skipping to change at page 4, line 27 ¶ | |||

4.1. MGM Encryption and Authentication Procedure | 4.1. MGM Encryption and Authentication Procedure | |||

The MGM encryption and authentication procedure takes the following | The MGM encryption and authentication procedure takes the following | |||

parameters as inputs: | parameters as inputs: | |||

1. Encryption key K in V_k. | 1. Encryption key K in V_k. | |||

2. Initial counter nonce ICN in V_{n-1}. | 2. Initial counter nonce ICN in V_{n-1}. | |||

3. Plaintext P, 0 <= |P| < 2^{n/2}. If |P| > 0, then P = P_1 || | 3. Plaintext P, 0 <= |P| < 2^{n/2}. If |P| > 0, then P = P_1 || | |||

... || P*_q, P_i in V_n, i = 1, ... , q - 1, P*_q in V_u, 1 <= u | ... || P*_q, P_i in V_n, for i = 1, ... , q - 1, P*_q in V_u, 1 | |||

<= n. If |P| = 0, then by definition P*_q is empty, and the q | <= u <= n. If |P| = 0, then by definition P*_q is empty, and the | |||

and u parameters are set as follows: q = 0, u = n. | q and u parameters are set as follows: q = 0, u = n. | |||

4. Associated authenticated data A, 0 <= |A| < 2^{n/2}. If |A| > 0, | 4. Associated authenticated data A, 0 <= |A| < 2^{n/2}. If |A| > 0, | |||

then A = A_1 || ... || A*_h, A_j in V_n, j = 1, ... , h - 1, A*_h | then A = A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1, | |||

in V_t, 1 <= t <= n. If |A| = 0, then by definition A*_h is | A*_h in V_t, 1 <= t <= n. If |A| = 0, then by definition A*_h is | |||

empty, and the h and t parameters are set as follows: h = 0, t = | empty, and the h and t parameters are set as follows: h = 0, t = | |||

n. The associated data is authenticated but is not encrypted. | n. The associated data is authenticated but is not encrypted. | |||

The MGM encryption and authentication procedure outputs the following | The MGM encryption and authentication procedure outputs the following | |||

parameters: | parameters: | |||

1. Initial counter nonce ICN. | 1. Initial counter nonce ICN. | |||

2. Associated authenticated data A. | 2. Associated authenticated data A. | |||

skipping to change at page 6, line 17 ¶ | skipping to change at page 6, line 15 ¶ | |||

4.2. MGM Decryption and Authentication Check Procedure | 4.2. MGM Decryption and Authentication Check Procedure | |||

The MGM decryption and authentication procedure takes the following | The MGM decryption and authentication procedure takes the following | |||

parameters as inputs: | parameters as inputs: | |||

1. The encryption key K in V_k. | 1. The encryption key K in V_k. | |||

2. The initial counter nonce ICN in V_{n-1}. | 2. The initial counter nonce ICN in V_{n-1}. | |||

3. The associated authenticated data A, 0 <= |A| < 2^{n/2}. A = | 3. The associated authenticated data A, 0 <= |A| < 2^{n/2}. A = | |||

A_1 || ... || A*_h, A_j in V_n, j = 1, ... , h - 1, A*_h in V_t, | A_1 || ... || A*_h, A_j in V_n, for j = 1, ... , h - 1, A*_h in | |||

1 <= t <= n. | V_t, 1 <= t <= n. | |||

4. The ciphertext C, 0 <= |C| < 2^{n/2}. C = C_1 || ... || C*_q, C_i | 4. The ciphertext C, 0 <= |C| < 2^{n/2}. C = C_1 || ... || C*_q, C_i | |||

in V_n, i = 1, ... , q - 1, C*_q in V_u, 1 <= u <= n. | in V_n, for i = 1, ... , q - 1, C*_q in V_u, 1 <= u <= n. | |||

5. The authenticated tag T in V_S. | 5. The authenticated tag T in V_S. | |||

The MGM decryption and authentication procedure outputs FAIL or the | The MGM decryption and authentication procedure outputs FAIL or the | |||

following parameters: | following parameters: | |||

1. Plaintext P in V_{|C|}. | 1. Plaintext P in V_{|C|}. | |||

2. Associated authenticated data A. | 2. Associated authenticated data A. | |||
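Review bot: the decryption inputs in 4.2 (items 3 and 4) omit the empty-input conventions that 4.1 spells out (h = 0, t = n when |A| = 0; q = 0, u = n when |P| = 0), yet the padding step "A_h = A*_h || 0^{n-t}, C_q = C*_q || 0^{n-u}" in MGM-Decrypt relies on t and u being defined in exactly those cases; the "If |A| = 0, then by definition ..." sentences should be repeated or referenced here for A and C. Also, item 5 reads "The authenticated tag T in V_S" while the procedure below calls it the "Authentication tag"; use one term throughout.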

skipping to change at page 7, line 14 ¶ | skipping to change at page 7, line 14 ¶ | |||

+----------------------------------------------------------------+ | +----------------------------------------------------------------+ | |||

| MGM-Decrypt(K, ICN, A, C, T) | | | MGM-Decrypt(K, ICN, A, C, T) | | |||

|----------------------------------------------------------------| | |----------------------------------------------------------------| | |||

| 1. Padding step: | | | 1. Padding step: | | |||

| - A_h = A*_h || 0^{n-t}, | | | - A_h = A*_h || 0^{n-t}, | | |||

| - C_q = C*_q || 0^{n-u}. | | | - C_q = C*_q || 0^{n-u}. | | |||

| | | | | | |||

| 2. Authentication tag T verification step: | | | 2. Authentication tag T verification step: | | |||

| - Z_1 = E_K(1 || ICN), | | | - Z_1 = E_K(1 || ICN), | | |||

| - sum1 = 0, sum2 = 0, | | | - sum = 0, | | |||

| - For i = 1, 2, ..., h do | | | - For i = 1, 2, ..., h do | | |||

| H_i = E_K(Z_i), | | | H_i = E_K(Z_i), | | |||

| sum1 = sum1 (xor) ( H_i (x) A_i ), | | | sum = sum (xor) ( H_i (x) A_i ), | | |||

| Z_{i+1} = incr_l(Z_i), | | | Z_{i+1} = incr_l(Z_i), | | |||

| - For j = 1, 2, ..., q do | | | - For j = 1, 2, ..., q do | | |||

| H_{h+j} = E_K(Z_{h+j}), | | | H_{h+j} = E_K(Z_{h+j}), | | |||

| sum2 = sum2 (xor) ( H_{h+j} (x) C_j ), | | | sum = sum (xor) ( H_{h+j} (x) C_j ), | | |||

| Z_{h+j+1} = incr_l(Z_{h+j}), | | | Z_{h+j+1} = incr_l(Z_{h+j}), | | |||

| - H_{h+q+1} = E_K(Z_{h+q+1}), | | | - H_{h+q+1} = E_K(Z_{h+q+1}), | | |||

| - T' = MSB_S(E_K(sum1 (xor) sum2 (xor) | | | - T' = MSB_S(E_K(sum (xor) H_{h+q+1} (x) | | |||

| H_{h+q+1} (x) (len(A) || len(C)))), | | | (len(A) || len(C)))), | | |||

| - If T' != T then return FAIL | | | - If T' != T then return FAIL. | | |||

| return FAIL. | | ||||

| | | | | | |||

| 3. Decryption step: | | | 3. Decryption step: | | |||

| - Y_1 = E_K(0 || ICN), | | | - Y_1 = E_K(0 || ICN), | | |||

| - For i = 2, 3, ... , q do | | | - For i = 2, 3, ... , q do | | |||

| Y_i = incr_r(Y_{i-1}), | | | Y_i = incr_r(Y_{i-1}), | | |||

| - For i = 1, 2, ... , q - 1 do | | | - For i = 1, 2, ... , q - 1 do | | |||

| P_i = C_i (xor) E_K(Y_i), | | | P_i = C_i (xor) E_K(Y_i), | | |||

| - P*_q = C*_q (xor) MSB_u(E_K(Y_q)), | | | - P*_q = C*_q (xor) MSB_u(E_K(Y_q)), | | |||

| - P = P_1 || ... || P*_q. | | | - P = P_1 || ... || P*_q. | | |||

| | | | | | |||

| 4. Return (P, A). | | | 4. Return (P, A). | | |||

|----------------------------------------------------------------+ | |----------------------------------------------------------------+ | |||

5. Rationale | 5. Rationale | |||

The MGM mode was originally proposed in [PDMODE]. | The MGM mode was originally proposed in [PDMODE]. | |||

From the operational point of view the MGM mode is designed to be | From the operational point of view the MGM mode is designed to be | |||

parallelizeable, inverse free, online and to provide availability of | parallelizable, inverse free, online and to provide availability of | |||

precomputations. | precomputations. | |||

Parallelizability of the MGM mode is achieved due to its counter-type | Parallelizability of the MGM mode is achieved due to its counter-type | |||

structure and the usage of the multilinear function for | structure and the usage of the multilinear function for | |||

authentication. Indeed, both encryption blocks E_K(Y_i) and | authentication. Indeed, both encryption blocks E_K(Y_i) and | |||

authentication blocks H_i are produced in the counter mode manner, | authentication blocks H_i are produced in the counter mode manner, | |||

and the multilinear function determined by H_i is parallelizeable in | and the multilinear function determined by H_i is parallelizable in | |||

itself. Additionally, the counter-type structure of the mode | itself. Additionally, the counter-type structure of the mode | |||

provides the inverse free property. | provides the inverse free property. | |||

The online property means the possibility to process message even if | The online property means the possibility to process message even if | |||

it is not completely received (so its length is unknown). To provide | it is not completely received (so its length is unknown). To provide | |||

this property the MGM mode uses blocks E_K(Y_i) and H_i which are | this property the MGM mode uses blocks E_K(Y_i) and H_i which are | |||

produced basing on two independent source blocks Y_i and Z_i. | produced basing on two independent source blocks Y_i and Z_i. | |||

Availability of precomputations for the MGM mode means the | Availability of precomputations for the MGM mode means the | |||

possibility to calculate H_i and E_K(Y_i) even before data is | possibility to calculate H_i and E_K(Y_i) even before data is | |||
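Review bot: merging sum1 and sum2 into the single accumulator sum in step 2 does not change the computed tag, because XOR is associative and commutative, so E_K(sum1 (xor) sum2 (xor) H_{h+q+1} (x) (len(A) || len(C))) and E_K(sum (xor) H_{h+q+1} (x) (len(A) || len(C))) are identical; a sentence marking the change as editorial would spare implementers a needless re-check of the Appendix A test vectors. The line "If T' != T then return FAIL." would benefit from an implementation note that the comparison be performed in constant time and that no plaintext is released on FAIL, which the step ordering (tag verification in step 2 before decryption in step 3) already implies but does not state. Minor: in the Rationale, "produced basing on two independent source blocks" should read "produced based on".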

skipping to change at line 568 ¶ | skipping to change at page 13, line 22 ¶ | |||

Vladislav Nozdrunov | Vladislav Nozdrunov | |||

TC 26 | TC 26 | |||

Email: nozdrunov_vi@tc26.ru | Email: nozdrunov_vi@tc26.ru | |||

Vasily Shishkin | Vasily Shishkin | |||

TC 26 | TC 26 | |||

Email: shishkin_va@tc26.ru | Email: shishkin_va@tc26.ru | |||

Ekaterina Smyshlyaeva | ||||

CryptoPro | ||||

Email: ess@cryptopro.ru | ||||

End of changes. 17 change blocks. | ||||

26 lines changed or deleted | | 22 lines changed or added | ||

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |