GB/T 32918 consists of the following parts, under the general title Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves:
— Part 1: General;
— Part 2: Digital Signature Algorithm;
— Part 3: Key Exchange Protocol;
— Part 4: Public Key Encryption Algorithm;
— Part 5: Parameter Definition.
This part is Part 4 of GB/T 32918.
This part is developed in accordance with the rules given in GB/T 1.1-2009.
This part was proposed by the State Cryptography Administration of the People’s Republic of China.
This part is under the jurisdiction of SAC/TC 260 (National Technical Committee 260 on Information Technology Security of Standardization Administration of China).
Drafting organizations of this part: Beijing Huada Infosec Technology Co., Ltd., The PLA Information Engineering University and DCS Center of Chinese Academy of Sciences.
Chief drafting staff of this part: Chen Jianhua, Zhu Yuefei, Ye Dingfeng, Hu Lei, Pei Dingyi, Peng Guohua, Zhang Yajuan and Zhang Zhenfeng.
Introduction
N.Koblitz and V.Miller proposed the application of elliptic curves to public key cryptography respectively in 1985. The nature of the curve on which the public key cryptography of elliptic curve is based is as follows:
— The elliptic curve on the finite field constitutes a finite exchange group under the point addition operation, and its order is similar to the base field size;
— Similar to the power operation in the finite field multiplication group, the elliptic curve multi-point operation constitutes a one-way function.
In the multi-point operation, the multiple points and the base point are known, and the problem of solving the multiple is called the discrete logarithm of elliptic curve. For the discrete logarithm problem of general elliptic curves, there is only a solution method for exponential computational complexity. Compared with the large number decomposition problems and the discrete logarithm problems on the finite field, the discrete logarithm problem of elliptic curve is much more difficult to solve. Therefore, elliptic curve ciphers are much smaller than other public key ciphers at the same level of security.
SM2 is the standard of elliptic curve cryptographic algorithm developed and proposed by the State Cryptography Administration. The main objectives of GB/T 32918 are as follows:
— GB/T 32918.1 defines and describes the concepts and basic mathematical knowledge of cryptography algorithm SM2 based on elliptic curves, and summarizes the relationship between Part 1 and other parts.
— GB/T 32918.2 describes a signature algorithm based on elliptic curves, namely SM2 signature algorithm.
— GB/T 32918.3 describes a key exchange protocol based on elliptic curves, namely SM2 key exchange protocol.
— GB/T 32918.4 describes a public key cryptographic algorithm based on elliptic curves, namely SM2 cryptographic algorithm, which requires the SM3 cryptographic hash algorithm defined in GB/T 32905-2016.
— GB/T 32918.5 gives the elliptic curve parameters used by SM2 algorithm and the example results of SM2 operation using elliptic curve parameters.
This part is Part 4 of GB/T 32918, it specifies the encryption and decryption process of cryptographic algorithm SM2 based on elliptic curves.
Information Security Technology — Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves — Part 4: Public Key Encryption Algorithm
1 Scope
This part of GB/T 32918 specifies the public key encryption algorithm for the public key cryptographic algorithm SM2 based on elliptic curves, and gives examples of message encryption and decryption and their corresponding processes.
This part is applicable to the message encryption and decryption in the commercial cypher application, the message sender can encrypt the message with the receiver’s public key and the receiver decrypts with corresponding private key to obtain the message.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated reference, only the edition cited applies. For undated reference, the latest edition of the referenced document (including any amendments) applies.
GB/T 32918.1-2016 Information Security Technology — Public Key Cryptographic Algorithm SM2 based on Elliptic Curves — Part 1: General
GB/T 32905-2016 Information Security Techniques — SM3 Cryptographic Hash Algorithm
3 Terms and Definitions
For the purposes of this document, the following terms and definitions apply.
3.1
secret key
a kind of key that is shared by the sender and the receiver and is not known to the third party in the cryptosystem
3.2
message
a bit string with any finite length
3.3
key derivation function
a function that generates one or more shared secret keys by acting on the shared secret and other parameters known to both parties
4 Symbols
For the purpose of this part, the following symbols apply.
A, B: two users using the public key cryptosystem.
dB: User B’s private key.
E(Fq): a set of all rational points (including infinity point O) of the elliptic curve E over Fq.
Fq: a finite field containing q elements.
G: a base point of an elliptic curve with prime order.
Hash(): cryptographic hash function.
Hν( ): a cryptographic hash function with a message digest length of ν bits.
KDF( ) : key derivation function.
M: message to be encrypted.
M′: message obtained through decryption.
n: the order of the base point G [n is the prime factor of #E(Fq)].
O: a special point on the elliptic curve, called the infinity point or zero point, which is the unit element in additive group of the elliptic curve.
PB: User B’s public key.
q: the number of elements in the finite field Fq.
a, b: elements in Fq, which define an elliptic curve E over Fq.
x||y: splicing of x and y, where x and y can be bit strings or byte strings.
[k]P: k-point on the elliptic curve point P, i.e., , where k is a positive integer.
[x, y]: a set of integers greater than or equal to x and less than or equal to y.
: top function, the smallest integer greater than or equal to x. For example, , .
: bottom function, the largest integer less than or equal to x.For example, , .
#E(Fq): the number of points on E(Fq), which is called the order of the elliptic curve E(Fq).
5 Algorithm Parameters and Auxiliary Functions
5.1 General
The public key encryption algorithm specifies that the sender encrypts the message into cipher text withthe receiver’s public key, and the receiver decrypts the cipher text received into the original message with its own private key.
5.2 Elliptic Curve System Parameters
The elliptic curve system parameters include the scale q of the finite field Fq (when q=2m, they also include the identification of the element representation and the reduction polynomial); the two elements a, b of the equation defining the elliptic curve E(Fq)∈Fq; base point G=(xG, yG)(G≠O) over E(Fq) , where xG and yG are two elements in Fq; order n of G and other alternatives (for example, the cofactor h of n, etc.).
Elliptic curve system parameters and their verification shall comply with Clause 5 of GB/T 32918.1-2016.
5.3 User Key Pair
User B's key pair includes its private key dB and public key PB=[dB]G.
Generation algorithm of the user key pair and verification algorithm of the public key shall comply with Clause 6 of GB/T 32918.1-2016.
5.4 Auxiliary Functions
5.4.1 General
In the public key encryption algorithmof the elliptic curve specified in this part involves three types of auxiliary functions: cryptographic hash function, key derivation function and random number generator.The strength of these three types of auxiliary functions directly affects the security of the encryption algorithm.
5.4.2 Cryptographic Hash Function
For the purpose of this part, cryptographic hash algorithm approved by the State Cryptography Administration of the People’s Republic of China, e.g., SM3 cryptographic hash algorithm is adopted.
5.4.3 Key Derivation Function
The key derivation function is used to derive key data from a shared secret bit string.In the process of key agreement, the key derivation function acts on the shared secret bit string obtained in the key exchange, from which the required session key or the key data required for further encryption is generated.
The key derivation function needs to call the cryptographic hash function.
Let the cryptographic hash function be Hν( ), its output will be a hash value with exact length of ν bits.
Key derivation function KDF (Z, klen):
Input: bit string Z, integer klen (representing the bit length of the key data to be obtained, which is required to be less than (232-1)ν).
Output: key data bit string K with length of klen.
a) Initialize a 32-bit counterct=0x00000001;
b) For i, execute from 1 to ;
b.1) Calculate Hai=Hv(Z||ct);
b.2) ct++;
c) If klen/v is an integer, let ,
Otherwise, let be bit on the leftmost of ;
d) Let K=Ha1||Ha2||…|| || .
5.4.4 Random Number Generator
For the purpose of this part, random number generator approved by the State Cryptography Administration of the People’s Republic of China is adopted.
Foreword II
Introduction III
1 Scope
2 Normative References
3 Terms and Definitions
4 Symbols
5 Algorithm Parameters and Auxiliary Functions
5.1 General
5.2 Elliptic Curve System Parameters
5.3 User Key Pair
5.4 Auxiliary Functions
6 EncryptionAlgorithm andits Process
6.1 EncryptionAlgorithm
6.2 EncryptionAlgorithm Process
7 Decryption Algorithm and its Process
7.1 Decryption Algorithm
7.2 Decryption Algorithm Process
Annex A (Informative) Examples of Message Encryption and Decryption
A.1 General Requirements
A.2 Elliptic Curve Message Encryption and Decryption on Fp
A.3 Elliptic Curve Message Encryption and Decryption on
Bibliography