GB/T 32918 consists of the following parts, under the general title Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves:
— Part 1: General;
— Part 2: Digital Signature Algorithm;
— Part 3: Key Exchange Protocol;
— Part 4: Public Key Encryption Algorithm;
— Part 5: Parameter Definition.
This part is Part 5 of GB/T 32918.
This part is developed in accordance with the rules given in GB/T 1.1-2009.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This part was proposed by the State Cryptography Administration of the People’s Republic of China.
This part is under the jurisdiction of SAC/TC 260 (National Technical Committee 260 on Information Technology Security of Standardization Administration of China).
Drafting organizations of this part: Beijing Huada Infosec Technology Co., Ltd., The PLA Information Engineering University and DCS Center of Chinese Academy of Sciences.
Chief drafting staff of this part: Chen Jianhua, Zhu Yuefei, Ye Dingfeng, Hu Lei, Pei Dingyi, Peng Guohua, Zhang Yajuan and Zhang Zhenfeng.
Introduction
N.Koblitz and V.Miller proposed the application of elliptic curves to public key cryptography respectively in 1985. The nature of the curve on which the public key cryptography of elliptic curve is based is as follows:
— The elliptic curve on the finite field constitutes a finite exchange group under the point addition operation, and its order is similar to the base field size;
— Similar to the power operation in the finite field multiplication group, the elliptic curve multi-point operation constitutes a one-way function.
In the multi-point operation, the multiple points and the base point are known, and the problem of solving the multiple is called the discrete logarithm of elliptic curve. For the discrete logarithm problem of general elliptic curves, there is only a solution method for exponential computational complexity. Compared with the large number decomposition problems and the discrete logarithm problems on the finite field, the discrete logarithm problem of elliptic curve is much more difficult to solve. Therefore, elliptic curve ciphers are much smaller than other public key ciphers at the same level of security.
SM2 is an elliptic curve cryptographic algorithm standard developed and proposed by the State Cryptography Administration. The main objectives of GB/T 32918 are as follows:
— GB/T 32918.1-2016defines and describes the relevant concepts and mathematical basics of the SM2 elliptic curve cryptographic algorithm, and summarizes the relationship between this part and other parts.
— GB/T 32918.2-2016describes a signature algorithm based on elliptic curve, i.e. SM2 signature algorithm.
— GB/T 32918.3-2016describes a key exchange protocol based on elliptic curve, that is M2 key exchange protocol.
— GB/T 32918.4-2016 describes a public key encryption algorithm based on elliptic curve, that is SM2 encryption algorithm, with the SM3 cryptographic hash algorithm defined in GB/T 32905-2016 adopted.
— GB/T 32918.5-2017 defines the elliptic curve parameters used by the SM2 algorithm, and the sample results of the SM2 operation with the elliptic curve parameters.
Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves— Part 5: Parameter Definition
1 Scope
This part of GB/T 32918 specifies the curve parameters of the public key cryptographic algorithm SM2 based on elliptic curves.
This part is applied to the examples of digital signature and verification (See Annex A), key exchange and verification (See Annex B), and message encryption and decryption(See Annex C).
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 32905-2016 Information security technique - SM3 cryptographic hash algorithm
GB/T 32918.1-2016 Information security technology- Public key cryptographic algorithm SM2 based on elliptic curves- Part 1:General
GB/T 32918.2-2016 Information security technology-Public key cryptographic algorithm SM2 based on elliptic curves-Part 2:Digital signature algorithm
GB/T 32918.3-2016 Information security technology-Public key cryptographic algorithm SM2 based on elliptic curves-Part 3:Key exchange protocol
GB/T 32918.4-2016 Information security technology-Public key cryptographic algorithm SM2 based on elliptic curves- Part 4:Public key encryption algorithm
3 Symbols
For the purpose of this document, the following symbols apply.
p Prime number greater than 3
a, b Elements in Fq, which define an elliptic curve E over Fq
n The order of the base point G [n is the prime factor of #E(Fq)]
xG X coordinate of the generator
yG Y coordinate of the generator
4 Parameter Definition
SM2 uses the elliptic curve with a 256-bit prime field.
Elliptic curve equation: y2=x3+ax+b
Curve parameters:
p=FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF
a=FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC
b=28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93
n=FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123
xG=32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7
yG=BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0
Annex A
(Informative)
Examples of Digital Signature and Verification
A.1 General
This annex uses the cryptographic hash algorithm given in GB/T 32905-2016, whose input is a message bit string with a length less than 264, and output is a 256-bit hash value, denoted as H256( ).
This annex uses the digital signature algorithm specified in GB/T 32918.2-2016 to calculate the corresponding values in each step.
In this annex, all the hexadecimal figures are expressed with high-order digit at the left and low-order digit at the right.
In this annex, messages are encoded with GB/T 1988.
Suppose that GB/T 1988 code of IDA is: 31323334 35363738 31323334 35363738. ENTLA=0080.
A.2 SM2 Elliptic Curve Digital Signature
Elliptic curve equation: y2=x3+ax+b
Example: Fp-256
Prime number p: FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF
Coefficient a: FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC
Coefficient b: 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93
Base point G=(xG, yG), and its order is denoted as n.
Coordinate xG: 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7
Coordinate yG: BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C52A4740 02DF32E5 2139F0A0
Order n: FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123
Message M to be signed: message digest
GB/T 1988 code of M is expressed as: 6D65737361676520646967657374 in hexadecimal.
Private key dA: 3945208F 7B214481 3F36E38A C6D39F95 88939369 2860B51A 42FB81EF 4DF7C588
Public key PA=(xA, yA):
Coordinate xA: 09F9DF31 1E5421A1 50DD7D16 1E4BC5C6 72179FAD 1833FC07 6BB08FF3 56F35020
Coordinate yA: CCEA490C E26775A5 2DC6EA71 8CC1AA60 0AED05FB F35E084A 6632F607 2DA9AD13
Hash value ZA=H256(ENTLA‖IDA‖a‖b‖xG‖yG‖xA‖yA).
ZA: B2E14C5C 79C6DF5B 85F4FE7E D8DB7A26 2B9DA7E0 7CCB0EA9 F4747B8C CDA8A4F3
Foreword i
Introduction ii
1 Scope
2 Normative References
3 Symbols
4 Parameter Definition
Annex A (Informative) Examples of Digital Signature and Verification
Annex B (Informative) Examples of Key Exchange and Verification
Annex C (Informative) Examples of Message Encryption and Decryption
Bibliography