rfc9548v3.txt   rfc9548.txt 
skipping to change at line 129 skipping to change at line 129
capitals, as shown here. capitals, as shown here.
3. Basic Terms and Definitions 3. Basic Terms and Definitions
Throughout this document, the following notations are used: Throughout this document, the following notations are used:
P a password encoded as a Unicode UTF-8 string P a password encoded as a Unicode UTF-8 string
S a random initializing value S a random initializing value
V^(*) the set of all binary row vectors of finite length V_s the set of byte strings of length s, where s >= 0; the string 𝑏
(hereinafter referred to as vectors), including an empty string = (b_1,...,b_s) belongs to the set V_s if b_1,...,b_s∈{0,...,255}
V_s the set of all binary row vectors of length s, where s >= 0; if
s = 0, then the set V_s consists of an empty string of length 0
|A| the number of components (a length) of the vector A belonging to |A| the number of components (a length) of the vector A belonging to
V^(*) (if A is an empty string, then |A| = 0) V^(*) (if A is an empty string, then |A| = 0)
A||C a concatenation of two strings A, C from V^(*), i.e., a vector A||C a concatenation of two byte strings A, C from V_s, i.e., a
from V_(|A|+|C|), where the left subvector from V_(|A|) is equal string from V_(|A|+|C|), where the left substring from V_(|A|) is
to the vector A and the right subvector from V_(|C|) is equal to equal to the string A and the right substring from V_(|C|) is
the vector C: A = (a_(n_1),...,a_1) in V_(n_1) and C = equal to the string C: A = (a_(n_1),...,a_1) in V_(n_1) and C =
(c_(n_2),...,c_1) in V_(n_2), res = (c_(n_2),...,c_1) in V_(n_2), res =
(a_(n_1),...,a_1,c_(n_2),...,c_1) in V_(n_1+n_2)) (a_(n_1),...,a_1,c_(n_2),...,c_1) in V_(n_1+n_2))
F_q a finite prime field represented as a set of q integers F_q a finite prime field represented as a set of q integers
{0,1,...,q - 1}, where q > 3 - prime number {0,1,...,q - 1}, where q > 3 - prime number
b mod q the minimum non-negative number comparable to b modulo p b mod q the minimum non-negative number comparable to b modulo p
INT(b) integer INT(b) = b_1+b_2∙256+...+b_s∙ 256^(s-1), where b∈ V_s
This document uses the following terms and abbreviations: This document uses the following terms and abbreviations:
Signature one or more data elements resulting from the signature Signature one or more data elements resulting from the signature
process (Clause 3.12 of [ISO14888-1]). Note: The terms "digital process (Clause 3.12 of [ISO14888-1]). Note: The terms "digital
signature", "electronic signature", and "electronic digital signature", "electronic signature", and "electronic digital
signature" are considered equivalent in this document. signature" are considered equivalent in this document.
Signature key set of private data elements specific to an entity and Signature key set of private data elements specific to an entity and
usable only by this entity in the signature process (Clause 3.13 usable only by this entity in the signature process (Clause 3.13
of [ISO14888-1]). Note: Sometimes called a private key. of [ISO14888-1]). Note: Sometimes called a private key.
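Review bot: The new column drops the V^(*) definition, but the unchanged |A| entry still reads "belonging to V^(*)", which leaves that symbol undefined; reword the entry in terms of V_s. In the A||C entry, "two byte strings A, C from V_s" places both operands in one fixed-length set, while the same sentence goes on to take A in V_(n_1) and C in V_(n_2); name the two sets separately. The concatenation example indexes components from high to low (a_(n_1),...,a_1), whereas the new V_s and INT(b) entries index b_1,...,b_s, and the V_s entry uses the glyph 𝑏 where every other entry uses plain b; one convention should be used throughout. The unchanged "b mod q" entry also says "modulo p" where the defined symbol is q.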
skipping to change at line 347 skipping to change at line 346
K = M_1^-1(...(M_(k-1)^-1(M_k^-1(K_M))...). K = M_1^-1(...(M_(k-1)^-1(M_k^-1(K_M))...).
The masked key is represented as the sequence The masked key is represented as the sequence
I = K_M||M_1||M_2||...||M_k. I = K_M||M_1||M_2||...||M_k.
Let the key K be n bits in length; then, the sequence I is Let the key K be n bits in length; then, the sequence I is
represented in memory as a sequence of (k + 1)*n bits. I is represented in memory as a sequence of (k + 1)*n bits. I is
represented in little-endian format. It is possible to use an represented in little-endian format. It is possible to use an
unmasked private key (i.e., k = 0, K_M = K). The masking operation unmasked private key (i.e., k = 0, K_M = K). For GOST R 34.10-2012
is the multiplication of the key by the inverse of the mask: K_M = K keys, the masking operation is the multiplication of the key by the
* M^-1 mod Q, where the Q value is taken from the key parameters. inverse of the mask: INT(K_M) = INT(K) * INT(M)^-1 mod Q, where the Q
The operation of removing the mask is the multiplication of the value is taken from the key parameters. The operation of removing
masked key by the mask: K = K_M * M mod Q. The public key is the mask is the multiplication of the masked key by the mask: INT(K)
specified by a pair of coordinates (x, y) as defined in GOST R = INT(K_M) * INT(M) mod Q. The public key is specified by a pair of
34.10-2012, presented in the following format: coordinates (x, y) as defined in GOST R 34.10-2012, presented in the
following format:
* a public key corresponding to the GOST R 34.10-2012 algorithm with * a public key corresponding to the GOST R 34.10-2012 algorithm with
a key length of 256 bits has the GostR3410-2012-256-PublicKey a key length of 256 bits has the GostR3410-2012-256-PublicKey
representation. It is specified by a 64-byte string, where the representation. It is specified by a 64-byte string, where the
first 32 bytes contain the little-endian representation of the x first 32 bytes contain the little-endian representation of the x
coordinate and the last 32 bytes contain the little-endian coordinate and the last 32 bytes contain the little-endian
representation of the y coordinate. representation of the y coordinate.
* a public key corresponding to the GOST R 34.10-2012 algorithm with * a public key corresponding to the GOST R 34.10-2012 algorithm with
a key length of 512 bits has the GostR3410-2012-512-PublicKey a key length of 512 bits has the GostR3410-2012-512-PublicKey
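Review bot: In the rewritten masking sentence, INT(M)^-1 mod Q is defined only when INT(M) is invertible modulo Q, and nothing in the visible text constrains the mask values M_1,...,M_k accordingly; add that requirement where the masks are introduced. The formulas now produce integers (INT(K_M) = ..., INT(K) = ...), but the paragraph does not say how the result is encoded back into the n-bit string stored in I; state the conversion explicitly rather than leaving it implied by "I is represented in little-endian format". The new qualifier "For GOST R 34.10-2012 keys" also leaves the masking operation for any other key type unspecified in this paragraph, so either say that no other key types are covered or point to where their operation is defined.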
skipping to change at line 511 skipping to change at line 511
macData.iterations fields, respectively. The HMAC_GOSTR3411_2012_512 macData.iterations fields, respectively. The HMAC_GOSTR3411_2012_512
function is calculated from the content field of the authSafe function is calculated from the content field of the authSafe
structure field. The authSafe structure field is a PFX structure structure field. The authSafe structure field is a PFX structure
field. The value of the calculated checksum is saved in the field. The value of the calculated checksum is saved in the
macData.mac.digest field. The macData.mac.digestAlgorithm.algorithm macData.mac.digest field. The macData.mac.digestAlgorithm.algorithm
field contains the following algorithm identifier: field contains the following algorithm identifier:
id-tc26-gost3411-12-512 :: = id-tc26-gost3411-12-512 :: =
{ {
iso(1) member-body(2) ru(643) rosstandart(7) tc26(1) iso(1) member-body(2) ru(643) rosstandart(7) tc26(1)
algorithms (1) digest(2) gost3411-2012-512(3) algorithms(1) digest(2) gost3411-12-512(3)
} }
The macData.mac.digestAlgorithm.parameters field isn't used and The macData.mac.digestAlgorithm.parameters field isn't used and
should be omitted. should be omitted.
8. Security Considerations 8. Security Considerations
The masked keys SHOULD be used to ensure that private keys are The masked keys SHOULD be used to ensure that private keys are
protected from leaking through side channels when reading and protected from leaking through side channels when reading and
performing operations with keys. Applications MUST use unique values performing operations with keys. Applications MUST use unique values
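Review bot: The assignment in the id-tc26-gost3411-12-512 definition is still written ":: =" in both columns; the ASN.1 assignment token is "::=" with no space, and since this hunk already touches the definition to fix "algorithms (1)" and the last arc name, it should be corrected in the same pass. The renamed arc gost3411-12-512(3) now matches the identifier on the left-hand side, which is the consistent choice; check that any other place in the document that spells the arc as gost3411-2012-512 is updated too.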
 End of changes. 5 change blocks. 
17 lines changed or deleted 17 lines changed or added

This html diff was produced by rfcdiff 1.48.