GB/T 32918 consists of the following parts, under the general title Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves:
— Part 1: General;
— Part 2: Digital Signature Algorithm;
— Part 3: Key Exchange Protocol;
— Part 4: Public Key Encryption Algorithm;
— Part 5: Parameter Definition.
This part is Part 3 of GB/T 32918.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by the State Cryptography Administration of the People’s Republic of China.
This part was prepared by SAC/TC 260 (National Technical Committee 260 on Information Technology Security of Standardization Administration of China).
Drafting organizations of this part: Beijing Huada Infosec Technology Co., Ltd., The PLA Information Engineering University and DCS Center of Chinese Academy of Sciences.
Chief drafting staff of this part: Chen Jianhua, Zhu Yuefei, Ye Dingfeng, Hu Lei, Pei Dingyi, Peng Guohua, Zhang Yajuan and Zhang Zhenfeng.
Introduction
N.Koblitz and V.Miller proposed the application of elliptic curves to public key cryptography respectively in 1985. The nature of the curve on which the public key cryptography of elliptic curve is based is as follows:
— The elliptic curve on the finite field constitutes a finite exchange group under the point addition operation, and its order is similar to the base field size;
— Similar to the power operation in the finite field multiplicative group, the elliptic curve multi-point operation constitutes a one-way function.
In the multi-point operation, the multiple points and the base point are known, and the problem of solving the multiple is called the discrete logarithm of elliptic curve. For the discrete logarithm problem of general elliptic curves, there is only a solution method for exponential computational complexity. Compared with the large number decomposition problems and the discrete logarithm problems on the finite field, the discrete logarithm problem of elliptic curve is much more difficult to solve. Therefore, elliptic curve ciphers are much smaller than other public key ciphers at the same level of security.
SM2 is the standard of elliptic curve cryptographic algorithm developed and proposed by the State Cryptography Administration. The main objectives of GB/T 32918 are as follows:
— GB/T 32918.1 defines and describes the concepts and basic mathematical knowledge of cryptography algorithm SM2 based on elliptic curves, and summarizes the relationship between Part 1 and other parts.
— GB/T 32918.2 describes a signature algorithm based on elliptic curves, namely SM2 signature algorithm.
— GB/T 32918.3 describes a key exchange protocol based on elliptic curves, namely SM2 key exchange protocol.
— GB/T 32918.4 describes a public key encryption algorithm based on elliptic curves, namely SM2 encryption algorithm, which requires the SM3 cryptographic hash algorithm defined in GB/T 32905-2016.
— GB/T 32918.5 gives the elliptic curve parameters used by SM2 algorithm and the example results of SM2 operation using elliptic curve parameters.
This part is Part 3 of GB/T 32918, it specifies the key exchange protocol for cryptographic algorithm SM2 based on elliptic curves.
Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves — Part 3: Key Exchange Protocol
1 Scope
This part of GB/T 32918 specifies the key exchange protocol for the public key cryptographic algorithm SM2 based on elliptic curves, and gives examples of key exchange and verification and their corresponding processes.
This part is applicable to the key exchange in the commercial cypher application, which can satisfy the two-way or optional three-way information transmission process of the communication parties, and by which a shared secret key (session key) jointly determined by both parties can be computed and obtained.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated reference, only the edition cited applies. For undated reference, the latest edition of the referenced document (including any amendments) applies.
GB/T 32918.1-2016 Information Security Technology — Public Key Cryptographic Algorithm SM2 based on Elliptic Curves — Part 1: General
GB/T 32905-2016 Information Security Techniques — SM3 Cryptographic Hash Algorithm
3 Terms and Definitions
For the purposes of this document, the following terms and definitions apply.
3.1
key confirmation from A to B
a guarantee that makes User B confirm that User A has a particular secret key
3.2
key derivation function
a function of one or more shared secret keys is generated by acting on the shared secret and other parameters known to both parties
3.3
initiator
a user who sends the first round of exchange information during the operation of a protocol
3.4
responder
a user who doesn’t send the first round of exchange information during the operation of a protocol
3.5
distinguishing identifier
information that identifies an entity's identity without ambiguity
4 Symbols and Abbreviations
For the purpose of this part, the following symbols apply.
A, B: two users using the public key cryptosystem.
dA: User A’s private key.
dB: User B’s private key.
E(Fq): a set of all rational points (including infinity point O) of the elliptic curve E over Fq.
Fq: a finite field containing q elements.
G: a base point of an elliptic curve with prime order.
Hash (): cryptographic hash function.
Hν ( ): a cryptographic hash function with a message digest length of ν bits.
h: cofactor, h=#E(Fq)/n , where n is the order of the base point G.
IDA, IDB: distinguishing identifiers of User A and User B.
K, KA, KB: shared secret key agreed in the key exchange protocol.
KDF( ) : key derivation function.
modn: modulo-n operation. For example, 23 mod 7=2.
n: the order of the base point G [n is the prime factor of #E(Fq)].
O: a special point on the elliptic curve, called the infinity point or zero point, which is the unit element in additive group of the elliptic curve.
PA: User A’s public key.
PB: User B’s public key.
q: the number of elements in the finite field Fq.
a, b: elements in Fq, which define an elliptic curve E over Fq.
rA: temporary key value generated by User A in the key exchange.
rB: temporary key value generated by User B in the key exchange .
x‖y: splicing of x and y, where x and y can be bit strings or byte strings.
ZA: hash value of User A’s distinguishable identifier, partial elliptic curve system parameters, and User A’s public key.
ZB: hash value of User B's distinguishing identifier, partial elliptic curve system parameters, and User B’s public key.
#E(Fq): the number of points on E(Fq), which is called the order of the elliptic curve E(Fq).
[k]P: k-point on the elliptic curve point P, i.e., , where k is a positive integer.
[x, y]: a set of integers greater than or equal to x and less than or equal to y.
⌈x⌉: top function, the smallest integer greater than or equal to x. For example, , .
⌊x⌋: bottom function, the largest integer less than or equal to y. For example, , .
&: bitwise and operation of two integers.
5 Algorithm Parameters and Auxiliary Functions
5.1 General
The key exchange protocol is the information transfer between Users A and B through interaction, and their respective private keys and public key of the other party are used to agree on a secret key which is only known to them. This shared secret key is usually used in a symmetric cryptographic algorithm. This key exchange protocol can be used for key management and agreement.
5.2 Elliptic Curve System Parameters
The elliptic curve system parameters include the scale q of the finite field Fq(when q=2m, they also includes the identification of the element representation and the reduction polynomial); the two elements a, b of the equation defining the elliptic curve E(Fq); E∈Fq base point G= (xG, yG)(G≠O) over E(Fq) , where xG and yG are two elements in Fq; order n of G and other alternatives (for example, the cofactor h of n, etc.).
Elliptic curve system parameters and their verification shall comply with Clause 5 of GB/T 32918.1-2016.
5.3 User Key Pair
User A's key pair includes its private key dA and public key PA =[dA]G=(xA, yA), and User B's key pair includes its private key dB and public key PB = [dB]G=(xB, yB).
Generation algorithm of the user key pair and verification algorithm of the public key shall comply with Clause 6 of GB/T 32918.1-2016.
5.4 Auxiliary Functions
5.4.1 General
In the key exchange protocol of the elliptic curve as specified in this part, three types of auxiliary functions are involved, i.e., cryptographic hash function, key derivation function and random number generator. The strength of these three types of auxiliary functions directly affects the security of the key exchange protocol.
5.4.2 Cryptographic Hash Function
For the purpose of this part, cryptographic hash algorithm approved by the State Cryptography Administration of the People’s Republic of China, e.g., SM3 cryptographic hash algorithm is adopted.
5.4.3 Key Derivation Function
The key derivation function is used to derive key data from a shared secret bit string. In the process of key agreement, the key derivation function acts on the shared secret bit string obtained in the key exchange, from which the required session key or the key data required for further encryption is generated.
The key derivation function needs to call the cryptographic hash function.
Let the cryptographic hash function be Hν ( ), its output will be a hash value with exact length of ν bits.
Key derivation function KDF (Z, klen):
Input: bit string Z, integer klen (representing the bit length of the key data to be obtained, which is required to be less than (232-1)ν).
Output: key data bit string K with length of klen.
a) Initialize a 32-bit counter ct=0x00000001;
b) For i, execute from 1 to :
b.1) calculate Hai=Hv(Z||ct);
b.2) ct++;
c) If klen/ν is an integer, let ;
Otherwise let be bit on the leftmost of .
d) Let K=Ha1||Ha2||…|| || .
5.4.4 Random number generator
For the purpose of this part, random number generator approved by the State Cryptography Administration of the People’s Republic of China is adopted.
Foreword II
Introduction III
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols
5 Algorithm Parameters and Auxiliary Functions
5.1 General
5.2 Elliptic Curve System Parameters
5.3 User Key Pair
5.4 Auxiliary Functions
5.5 Other Information on the User
6 Key Exchange Protocol and Its Process
6.1 Key Exchange Protocol
6.2 Key Exchange Protocol Process
Annex A (Informative) Examples of Key Exchange and Verification
A.1 General Requirements
A.2 Key Exchange Protocol of Elliptic Curve over Fp
A.3 Key Exchange Protocol of Elliptic Curve over F2m
Bibliography
GB/T 32918 consists of the following parts, under the general title Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves:
— Part 1: General;
— Part 2: Digital Signature Algorithm;
— Part 3: Key Exchange Protocol;
— Part 4: Public Key Encryption Algorithm;
— Part 5: Parameter Definition.
This part is Part 3 of GB/T 32918.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by the State Cryptography Administration of the People’s Republic of China.
This part was prepared by SAC/TC 260 (National Technical Committee 260 on Information Technology Security of Standardization Administration of China).
Drafting organizations of this part: Beijing Huada Infosec Technology Co., Ltd., The PLA Information Engineering University and DCS Center of Chinese Academy of Sciences.
Chief drafting staff of this part: Chen Jianhua, Zhu Yuefei, Ye Dingfeng, Hu Lei, Pei Dingyi, Peng Guohua, Zhang Yajuan and Zhang Zhenfeng.
Introduction
N.Koblitz and V.Miller proposed the application of elliptic curves to public key cryptography respectively in 1985. The nature of the curve on which the public key cryptography of elliptic curve is based is as follows:
— The elliptic curve on the finite field constitutes a finite exchange group under the point addition operation, and its order is similar to the base field size;
— Similar to the power operation in the finite field multiplicative group, the elliptic curve multi-point operation constitutes a one-way function.
In the multi-point operation, the multiple points and the base point are known, and the problem of solving the multiple is called the discrete logarithm of elliptic curve. For the discrete logarithm problem of general elliptic curves, there is only a solution method for exponential computational complexity. Compared with the large number decomposition problems and the discrete logarithm problems on the finite field, the discrete logarithm problem of elliptic curve is much more difficult to solve. Therefore, elliptic curve ciphers are much smaller than other public key ciphers at the same level of security.
SM2 is the standard of elliptic curve cryptographic algorithm developed and proposed by the State Cryptography Administration. The main objectives of GB/T 32918 are as follows:
— GB/T 32918.1 defines and describes the concepts and basic mathematical knowledge of cryptography algorithm SM2 based on elliptic curves, and summarizes the relationship between Part 1 and other parts.
— GB/T 32918.2 describes a signature algorithm based on elliptic curves, namely SM2 signature algorithm.
— GB/T 32918.3 describes a key exchange protocol based on elliptic curves, namely SM2 key exchange protocol.
— GB/T 32918.4 describes a public key encryption algorithm based on elliptic curves, namely SM2 encryption algorithm, which requires the SM3 cryptographic hash algorithm defined in GB/T 32905-2016.
— GB/T 32918.5 gives the elliptic curve parameters used by SM2 algorithm and the example results of SM2 operation using elliptic curve parameters.
This part is Part 3 of GB/T 32918, it specifies the key exchange protocol for cryptographic algorithm SM2 based on elliptic curves.
Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves — Part 3: Key Exchange Protocol
1 Scope
This part of GB/T 32918 specifies the key exchange protocol for the public key cryptographic algorithm SM2 based on elliptic curves, and gives examples of key exchange and verification and their corresponding processes.
This part is applicable to the key exchange in the commercial cypher application, which can satisfy the two-way or optional three-way information transmission process of the communication parties, and by which a shared secret key (session key) jointly determined by both parties can be computed and obtained.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated reference, only the edition cited applies. For undated reference, the latest edition of the referenced document (including any amendments) applies.
GB/T 32918.1-2016 Information Security Technology — Public Key Cryptographic Algorithm SM2 based on Elliptic Curves — Part 1: General
GB/T 32905-2016 Information Security Techniques — SM3 Cryptographic Hash Algorithm
3 Terms and Definitions
For the purposes of this document, the following terms and definitions apply.
3.1
key confirmation from A to B
a guarantee that makes User B confirm that User A has a particular secret key
3.2
key derivation function
a function of one or more shared secret keys is generated by acting on the shared secret and other parameters known to both parties
3.3
initiator
a user who sends the first round of exchange information during the operation of a protocol
3.4
responder
a user who doesn’t send the first round of exchange information during the operation of a protocol
3.5
distinguishing identifier
information that identifies an entity's identity without ambiguity
4 Symbols and Abbreviations
For the purpose of this part, the following symbols apply.
A, B: two users using the public key cryptosystem.
dA: User A’s private key.
dB: User B’s private key.
E(Fq): a set of all rational points (including infinity point O) of the elliptic curve E over Fq.
Fq: a finite field containing q elements.
G: a base point of an elliptic curve with prime order.
Hash (): cryptographic hash function.
Hν ( ): a cryptographic hash function with a message digest length of ν bits.
h: cofactor, h=#E(Fq)/n , where n is the order of the base point G.
IDA, IDB: distinguishing identifiers of User A and User B.
K, KA, KB: shared secret key agreed in the key exchange protocol.
KDF( ) : key derivation function.
modn: modulo-n operation. For example, 23 mod 7=2.
n: the order of the base point G [n is the prime factor of #E(Fq)].
O: a special point on the elliptic curve, called the infinity point or zero point, which is the unit element in additive group of the elliptic curve.
PA: User A’s public key.
PB: User B’s public key.
q: the number of elements in the finite field Fq.
a, b: elements in Fq, which define an elliptic curve E over Fq.
rA: temporary key value generated by User A in the key exchange.
rB: temporary key value generated by User B in the key exchange .
x‖y: splicing of x and y, where x and y can be bit strings or byte strings.
ZA: hash value of User A’s distinguishable identifier, partial elliptic curve system parameters, and User A’s public key.
ZB: hash value of User B's distinguishing identifier, partial elliptic curve system parameters, and User B’s public key.
#E(Fq): the number of points on E(Fq), which is called the order of the elliptic curve E(Fq).
[k]P: k-point on the elliptic curve point P, i.e., , where k is a positive integer.
[x, y]: a set of integers greater than or equal to x and less than or equal to y.
⌈x⌉: top function, the smallest integer greater than or equal to x. For example, , .
⌊x⌋: bottom function, the largest integer less than or equal to y. For example, , .
&: bitwise and operation of two integers.
5 Algorithm Parameters and Auxiliary Functions
5.1 General
The key exchange protocol is the information transfer between Users A and B through interaction, and their respective private keys and public key of the other party are used to agree on a secret key which is only known to them. This shared secret key is usually used in a symmetric cryptographic algorithm. This key exchange protocol can be used for key management and agreement.
5.2 Elliptic Curve System Parameters
The elliptic curve system parameters include the scale q of the finite field Fq(when q=2m, they also includes the identification of the element representation and the reduction polynomial); the two elements a, b of the equation defining the elliptic curve E(Fq); E∈Fq base point G= (xG, yG)(G≠O) over E(Fq) , where xG and yG are two elements in Fq; order n of G and other alternatives (for example, the cofactor h of n, etc.).
Elliptic curve system parameters and their verification shall comply with Clause 5 of GB/T 32918.1-2016.
5.3 User Key Pair
User A's key pair includes its private key dA and public key PA =[dA]G=(xA, yA), and User B's key pair includes its private key dB and public key PB = [dB]G=(xB, yB).
Generation algorithm of the user key pair and verification algorithm of the public key shall comply with Clause 6 of GB/T 32918.1-2016.
5.4 Auxiliary Functions
5.4.1 General
In the key exchange protocol of the elliptic curve as specified in this part, three types of auxiliary functions are involved, i.e., cryptographic hash function, key derivation function and random number generator. The strength of these three types of auxiliary functions directly affects the security of the key exchange protocol.
5.4.2 Cryptographic Hash Function
For the purpose of this part, cryptographic hash algorithm approved by the State Cryptography Administration of the People’s Republic of China, e.g., SM3 cryptographic hash algorithm is adopted.
5.4.3 Key Derivation Function
The key derivation function is used to derive key data from a shared secret bit string. In the process of key agreement, the key derivation function acts on the shared secret bit string obtained in the key exchange, from which the required session key or the key data required for further encryption is generated.
The key derivation function needs to call the cryptographic hash function.
Let the cryptographic hash function be Hν ( ), its output will be a hash value with exact length of ν bits.
Key derivation function KDF (Z, klen):
Input: bit string Z, integer klen (representing the bit length of the key data to be obtained, which is required to be less than (232-1)ν).
Output: key data bit string K with length of klen.
a) Initialize a 32-bit counter ct=0x00000001;
b) For i, execute from 1 to :
b.1) calculate Hai=Hv(Z||ct);
b.2) ct++;
c) If klen/ν is an integer, let ;
Otherwise let be bit on the leftmost of .
d) Let K=Ha1||Ha2||…|| || .
5.4.4 Random number generator
For the purpose of this part, random number generator approved by the State Cryptography Administration of the People’s Republic of China is adopted.
Contents of GB/T 32918.3-2016
Foreword II
Introduction III
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols
5 Algorithm Parameters and Auxiliary Functions
5.1 General
5.2 Elliptic Curve System Parameters
5.3 User Key Pair
5.4 Auxiliary Functions
5.5 Other Information on the User
6 Key Exchange Protocol and Its Process
6.1 Key Exchange Protocol
6.2 Key Exchange Protocol Process
Annex A (Informative) Examples of Key Exchange and Verification
A.1 General Requirements
A.2 Key Exchange Protocol of Elliptic Curve over Fp
A.3 Key Exchange Protocol of Elliptic Curve over F2m
Bibliography