GB/T 32918 consists of the following parts, under the general title Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves:
— Part 1: General;
— Part 2: Digital Signature Algorithm;
— Part 3: Key Exchange Protocol;
— Part 4: Public Key Encryption Algorithm;
— Part 5: Parameter Definition.
This part is Part 2 of GB/T 32918.
This part is developed in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by the State Cryptography Administration of the People’s Republic of China.
This part is under the jurisdiction of SAC/TC 260 (National Technical Committee 260 on Information Technology Security of Standardization Administration of China).
Drafting organizations of this part: Beijing Huada Infosec Technology Co., Ltd., The PLA Information Engineering University and DCS Center of Chinese Academy of Sciences.
Chief drafting staff of this part: Chen Jianhua, Zhu Yuefei, Ye Dingfeng, Hu Lei, Pei Dingyi, Peng Guohua, Zhang Yajuan and Zhang Zhenfeng.
Introduction
N.Koblitz and V.Miller proposed the application of elliptic curves to public key cryptography respectively in 1985. The nature of the curve on which the public key cryptography of elliptic curve is based is as follows:
— The elliptic curve on the finite field constitutes a finite exchange group under the point addition operation, and its order is similar to the base field size;
— Similar to the power operation in the finite field multiplication group, the elliptic curve multi-point operation constitutes a one-way function.
In the multi-point operation, the multiple points and the base point are known, and the problem of solving the multiple is called the discrete logarithm of elliptic curve. For the discrete logarithm problem of general elliptic curves, there is only a solution method for exponential computational complexity. Compared with the large number decomposition problems and the discrete logarithm problems on the finite field, the discrete logarithm problem of elliptic curve is much more difficult to solve. Therefore, elliptic curve ciphers are much smaller than other public key ciphers at the same level of security.
SM2 is the standard of elliptic curve cryptographic algorithm developed and proposed by the State Cryptography Administration. The main objectives of GB/T 32918 are as follows:
— GB/T 32918.1 defines and describes the concepts and basic mathematical knowledge of cryptography algorithm SM2 based on elliptic curves, and summarizes the relationship between Part 1 and other parts.
— GB/T 32918.2 describes a signature algorithm based on elliptic curves, namely SM2 signature algorithm.
— GB/T 32918.3 describes a key exchange protocol based on elliptic curves, namely SM2 key exchange protocol.
— GB/T 32918.4 describes a public key cryptographic algorithm based on elliptic curves, namely SM2 cryptographic algorithm, which requires the SM3 cryptographic hash algorithm defined in GB/T 32905-2016.
— GB/T 32918.5 gives the elliptic curve parameters used by SM2 algorithm and the example results of SM2 operation using elliptic curve parameters.
This part is Part 2 of GB/T 32918, it describes the signature algorithm based on elliptic curves.
Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves — Part 2: Digital signature algorithm
1 Scope
This part of GB/T 32918 specifies the digital signature algorithm of public key cryptographic algorithm SM2 based on elliptic curves, including generation and verification algorithm of digital signature, and gives examples of digital signature and verification and their corresponding processes.
This part is applicable to digital signature and verification in commercial cryptographic application and can satisfy security requirements of identity authentication and data integrity & authenticity in multiple cryptographic applications.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated reference, only the edition cited applies. For undated reference, the latest edition of the referenced document (including any amendments) applies.
GB/T 32918.1-2016 Information Security Technology — Public Key Cryptographic Algorithm SM2 based on Elliptic Curves — Part 1: General
GB/T 32905-2016 Information Security Techniques — SM3 Cryptographic Hash Algorithm
3 Terms and Definitions
For the purposes of this document, the following terms and definitions apply.
3.1
message
a bit string with any finite length
3.2
signed message
a set of data items consisting of message and its signature part
3.3
signature key
a private secret data item of the signer in the digital signature process, i.e. the private key of the signer
3.4
signature process
the process of inputting the message, signature key and elliptic curve system parameters as well as outputting digital signature
3.5
distinguishing identifier
information that identifies an entity's identity without ambiguity
4 Symbols
For the purpose of this part, the following symbols apply.
A, B: two users using the public key cryptosystem.
dA: User A’s private key.
E(Fq): a set of all rational points (including infinity point O) of the elliptic curve E over Fq.
e: output value when cryptographic hash function is acted on the message M.
e’: output value when cryptographic hash function is acted on the message M’.
Fq: a finite field containing q elements.
G: a base point of an elliptic curve with prime order.
Hν( ): a cryptographic hash function with a message digest length of ν bits.
IDA: User A's distinguishing identifier.
M: message to be signed.
M’: message to be verified.
modn: modulo-n operation. For example, 23 mod 7=2.
n: the order of the base point G (n is the prime factor of #E(Fq)).
O: a special point on the elliptic curve, called the infinity point or zero point, which is the unit element in additive group of the elliptic curve.
PA: User A’s public key.
q: the number of elements in the finite field Fq.
a, b: elements in Fq, which define an elliptic curve E over Fq.
x ‖ y: splicing of x and y, where x and y can be bit strings or byte strings.
ZA: hash value of User A’s distinguishable identifier, partial elliptic curve system parameters, and User A’s public key.
(r, s): signature sent.
(r′, s′): signature received.
[k]P: k-point on the elliptic curve point P, i.e., , where k is a positive integer.
[x, y]: a set of integers greater than or equal to x and less than or equal to y.
5 Digital Signature Algorithm
5.1 General
For the digital signature algorithm, a signer generates a digital signature for the data, while a verifier verifies the reliability of the signature. Each signer has a public key and a private key, and the private key is used for generating a signature and the verifier verifies the signature with the signer’s public key. In the signature process, (including ZA and the message M to be signed) shall be compressed with the cryptographic hash function; prior to the verification process, (including ZA and the message M′ to be signed) shall be compressed with the cryptographic hash function.
5.2 Elliptic Curve System Parameters
The elliptic curve system parameters include the scale q of the finite field Fq (when q=2m, they also includes the identification of the element representation and the reduction polynomial); the two elements a, b of the equation defining the elliptic curve E(Fq)∈Fq; base point G= (xG, yG)(G≠O) over E(Fq), where xG and yG are two elements in Fq; order n of G and other alternatives (for example, the cofactor h of n, etc.).
Elliptic curve system parameters and their verification shall comply with Clause 5 of GB/T 32918.1-2016.
5.3 User Key Pair
User A's key pair includes its private key dA and public key PA=[dA]G=(xA, yA).
Generation algorithm of the user key pair and verification algorithm of the public key shall comply with Clause 6 of GB/T 32918.1-2016.
5.4 Auxiliary Functions
5.4.1 General
In the digital signature algorithm of the elliptic curve as specified in this part, two types of auxiliary functions are involved, i.e., cryptographic hash function and random number generator.
5.4.2 Cryptographic Hash Function
For the purpose of this standard, cryptographic hash algorithm approved by the State Cryptography Administration of the People’s Republic of China, e.g., SM3 cryptographic hash algorithm is adopted.
5.4.3 Random Number Generator
For the purpose of this part, random number generator approved by the State Cryptography Administration of the People’s Republic of China is adopted.
Foreword II
Introduction III
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols
5 Digital Signature Algorithm
5.1 General
5.2 Elliptic Curve System Parameters
5.3 User Key Pair
5.4 Auxiliary Functions
5.5 Other Information on the User
6 Generation Algorithm and Process of Digital Signature
6.1 Generation Algorithm of Digital Signature
6.2 Generation Algorithm and Process of Digital Signature
7 Verification Algorithm and Process of Digital Signature
7.1 Verification Algorithm of Digital Signature
7.2 Verification Algorithm and Process of Digital Signature
Annex A (Informative) Digital Signature and Verification Example
A.1 General
A.2 Digital Signature of Elliptic Curve over Fq
A.3 Digital Signature of Elliptic Curve over
Bibliography