README | 1 +
TODO | 1 -
src/cypherpunks.ru/gogost/gost3410/2001_test.go | 43 +++++++++++++++++++++++++++++++++++++++++++
src/cypherpunks.ru/gogost/gost3410/private.go | 33 +++++++++++++++++++++++++++++++++
www.texi | 2 ++
diff --git a/README b/README
index cd9bbfed020e8a28acececd57b599c08f099268c6b4231de770e37db975641e3..76d6240e085528a599ff6dde457f29fbc3e1d05cc92f08ff03346209f4b1f589 100644
--- a/README
+++ b/README
@@ -10,6 +10,7 @@
 * GOST R 34.11-2012 Стрибог (Streebog) hash function (RFC 6986)
 * GOST R 34.10-2001 (RFC 5832) public key signature function
 * GOST R 34.10-2012 (RFC 7091) public key signature function
 * various 34.10 curve parameters included
+* VKO 34.10-2001 Diffie-Hellman function (RFC 4357)
 * GOST R 34.12-2015 128-bit block cipher Кузнечик (Kuznechik) (RFC 7801)
 * GOST R 34.13-2015 padding methods
diff --git a/TODO b/TODO
index bc7370ad1584ba79c193d5f5a78f3751ff7fe1a7bcbd4f92ea2ec00420eea506..a9b3401636562b8cfa18ba26d08aa7aed20afff2f313d864b99517e56d404c81 100644
--- a/TODO
+++ b/TODO
@@ -1,3 +1,2 @@
-* VKO 34.10-2001 Diffie-Hellman function (RFC 4357)
 * 28147-89 and CryptoPro key wrapping (RFC 4357)
 * 28147-89 CryptoPro key meshing for CFB mode (RFC 4357)
diff --git a/src/cypherpunks.ru/gogost/gost3410/2001_test.go b/src/cypherpunks.ru/gogost/gost3410/2001_test.go
index d90bec603633e8c7fe122b82d667598445a6a5fc85563ea365c544024d39eeb9..8e9993c059f87725693a3317bfc92625191aa436e0d8e74015f48cfa5fcc6b54 100644
--- a/src/cypherpunks.ru/gogost/gost3410/2001_test.go
+++ b/src/cypherpunks.ru/gogost/gost3410/2001_test.go
@@ -19,6 +19,7 @@ import (
 	"bytes"
 	"crypto/rand"
+	"encoding/hex"
 	"testing"
 	"testing/quick"
 )
 
@@ -161,3 +162,45 @@ for i := 0; i < b.N; i++ {
 		pub.VerifyDigest(digest, sign)
 	}
 }
+
+func TestVKO(t *testing.T) {
+	c, _ := NewCurveFromParams(CurveParamsGostR34102001Test)
+	ukm, _ := hex.DecodeString("33a252f825be7251")
+	prvRaw1, _ := hex.DecodeString("1df129e43dab345b68f6a852f4162dc69f36b2f84717d08755cc5c44150bf928")
+	prvRaw2, _ := hex.DecodeString("5b9356c6474f913f1e83885ea0edd5df1a43fd9d799d219093241157ac9ed473")
+	kek, _ := hex.DecodeString("ee4618a0dbb10cb31777b4b86a53d9e7ef6cb3e400101410f0c0f2af46c494a6")
+	prv1, _ := NewPrivateKey(c, DigestSize2001, prvRaw1)
+	prv2, _ := NewPrivateKey(c, DigestSize2001, prvRaw2)
+	pub1, _ := prv1.PublicKey()
+	pub2, _ := prv2.PublicKey()
+	kek1, _ := prv1.KEK(pub2, ukm)
+	kek2, _ := prv2.KEK(pub1, ukm)
+	if bytes.Compare(kek1, kek2) != 0 {
+		t.FailNow()
+	}
+	if bytes.Compare(kek1, kek) != 0 {
+		t.FailNow()
+	}
+}
+
+func TestRandomVKO(t *testing.T) {
+	c, _ := NewCurveFromParams(CurveParamsGostR34102001Test)
+	f := func(prvRaw1 [32]byte, prvRaw2 [32]byte, ukm [8]byte) bool {
+		prv1, err := NewPrivateKey(c, DigestSize2001, prvRaw1[:])
+		if err != nil {
+			return false
+		}
+		prv2, err := NewPrivateKey(c, DigestSize2001, prvRaw2[:])
+		if err != nil {
+			return false
+		}
+		pub1, _ := prv1.PublicKey()
+		pub2, _ := prv2.PublicKey()
+		kek1, _ := prv1.KEK(pub2, ukm[:])
+		kek2, _ := prv2.KEK(pub1, ukm[:])
+		return bytes.Compare(kek1, kek2) == 0
+	}
+	if err := quick.Check(f, nil); err != nil {
+		t.Error(err)
+	}
+}
diff --git a/src/cypherpunks.ru/gogost/gost3410/private.go b/src/cypherpunks.ru/gogost/gost3410/private.go
index 5fb3cb55606014fc16bc198711f8020b611f455c3cdc9a78f396aa5e5cfd210d..62aeb4009da81f9e99a1e284045e3a1a891ff6db33843110bdaf0e20a3b81cd0 100644
--- a/src/cypherpunks.ru/gogost/gost3410/private.go
+++ b/src/cypherpunks.ru/gogost/gost3410/private.go
@@ -20,6 +20,9 @@ import (
 	"errors"
 	"io"
 	"math/big"
+
+	"cypherpunks.ru/gogost/gost28147"
+	"cypherpunks.ru/gogost/gost341194"
 )
 
 type PrivateKey struct {
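Review bot: TestVKO discards every error from NewCurveFromParams, hex.DecodeString, NewPrivateKey, PublicKey and KEK with `_`, so a failure in any of them surfaces as a nil-pointer panic or a bare t.FailNow() with no message instead of a diagnosable failure. Checking each one (`if err != nil { t.Fatal(err) }`) and replacing `bytes.Compare(kek1, kek2) != 0` with `!bytes.Equal(kek1, kek2)` plus a message naming which comparison failed would make this known-answer test readable in CI output. The property function in TestRandomVKO has the more serious version of the same issue: it returns false when NewPrivateKey fails, but ignores the PublicKey and KEK errors, so if both KEK calls error out kek1 and kek2 are nil and `bytes.Compare(nil, nil) == 0` makes the property pass vacuously; those four calls should also `return false` on error.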
@@ -102,3 +105,33 @@ goto Retry
 	}
 	return append(pad(s.Bytes(), pk.ds), pad(r.Bytes(), pk.ds)...), nil
 }
+
+// Make Diffie-Hellman computation. Key Encryption Key calculation.
+// UKM is user keying material, also called VKO-factor, 8-bytes long.
+// It is based on RFC 4357 VKO GOST 34.10-2001 with little-endian hash
+// output.
+func (pk *PrivateKey) KEK(pub *PublicKey, ukm []byte) ([]byte, error) {
+	if len(ukm) != 8 {
+		return nil, errors.New("UKM must be 8 bytes long")
+	}
+	keyX, keyY, err := pk.c.Exp(pk.key, pub.x, pub.y)
+	if err != nil {
+		return nil, err
+	}
+	t := make([]byte, DigestSize2001)
+	copy(t[int(DigestSize2001)-len(ukm):], ukm)
+	keyX, keyY, err = pk.c.Exp(bytes2big(t), keyX, keyY)
+	if err != nil {
+		return nil, err
+	}
+	h := gost341194.New(&gost28147.GostR3411_94_CryptoProParamSet)
+	copy(t, pad(keyX.Bytes(), int(DigestSize2001)))
+	reverse(t)
+	h.Write(t)
+	copy(t, pad(keyY.Bytes(), int(DigestSize2001)))
+	reverse(t)
+	h.Write(t)
+	t = h.Sum(t[:0])
+	reverse(t)
+	return t, nil
+}
diff --git a/www.texi b/www.texi
index c77956f2a9ca405d96cc43f0068d4003027ee4c301a228c5dc0517947d8f1d2c..4eb71512537f0774c1f5fc8a7b82b17a4c54f31a9e3a11fce21d2967aab4b55a 100644
--- a/www.texi
+++ b/www.texi
@@ -25,6 +25,8 @@ block cipher with ECB, CNT (CTR), CFB, MAC, CBC (@url{https://tools.ietf.org/html/rfc4357.html, RFC 4357}) modes of operation
 @item various 28147-89-related S-boxes included
+@item VKO 34.10-2001 Diffie-Hellman function
+ (@url{https://tools.ietf.org/html/rfc4357.html, RFC 4357})
 @item GOST R 34.11-94 hash function
 (@url{https://tools.ietf.org/html/rfc5831.html, RFC 5831})
 @item GOST R 34.11-2012 Стрибог (Streebog) hash function
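Review bot: KEK passes `pub.x, pub.y` straight into `pk.c.Exp` with no visible check that `pub` is non-nil or that the point actually lies on `pk.c`; unless PublicKey construction or Exp validates the point — neither is shown in this hunk — a malformed peer public key reaches the scalar multiplication with the private key, which is the classic invalid-curve exposure for a Diffie-Hellman key agreement and the reason RFC-style VKO implementations validate the peer point first. A guard before the first Exp that rejects a nil `pub` and any point not satisfying the curve equation, returning something like `errors.New("public key is not on the curve")`, would close that gap using whatever on-curve predicate the Curve type already offers; if validation is intentionally the caller's job, the doc comment should say so explicitly. Separately, the doc comment should begin with the method name so godoc attaches it, e.g. `// KEK computes the RFC 4357 VKO GOST R 34.10-2001 Key Encryption Key from this private key, the peer public key and an 8-byte UKM (user keying material, the VKO-factor); the GOST R 34.11-94 digest is returned little-endian.`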