HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189759 (15 Sep 2024)

GB/T 32918.1-2016 PDF in English


GB/T 32918.1-2016 (GB/T32918.1-2016, GBT 32918.1-2016, GBT32918.1-2016)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GB/T 32918.1-2016English365 Add to Cart 0-9 seconds. Auto-delivery. Information security technology -- Public key cryptographic algorithm SM2 based on elliptic curves -- Part 1: General Valid
Standards related to: GB/T 32918.1-2016
PDF Preview

GB/T 32918.1-2016: PDF in English (GBT 32918.1-2016)

GB/T 32918.1-2016 GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.040 L 80 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 1. General ISSUED ON. AUGUST 29, 2016 IMPLEMENTED ON. MARCH 01, 2017 Issued by. General Administration of Quality Supervision Inspection and Quarantine of PRC; Standardization Administration of PRC. Table of Contents Foreword ... 4  Introduction ... 5  1 Scope ... 7  2 Symbols and abbreviations ... 7  3 Field and elliptic curve ... 9  3.1 Finite field ... 9  3.2 Elliptic curve over a finite field ... 10  4 Data types and their conversion ... 14  4.1 Data types ... 14  4.2 Data type conversion... 15  5 Elliptic curve system parameters and their verification ... 19  5.1 General requirements... 20  5.2 Elliptic curve system parameters on Fp and its verification ... 20  5.3 Elliptic curve system parameters on and its verification ... 21  6 Key pair generation and public key verification ... 23  6.1 Key pair generation ... 23  6.2 Verification of the public key ... 23  Appendix A (Informative) Background knowledge about elliptic curves ... 25  A.1 Prime field Fp ... 25  A.2 Binary extension-field ... 29  A.3 Elliptic curve’s multiple-point-multiplication operation ... 46  A.4 Method for solving discrete logarithm problem of elliptic curve ... 50  A.5 Compression of points on elliptic curves ... 53  Appendix B (Informative) Number theory algorithm ... 55  B.1 Finite field and modulo operations ... 55  B.2 Polynomials over a finite field ... 62  B.3 Elliptic curve algorithm ... 66  Appendix C (Informative) Curve example ... 68  C.1 General requirements ... 68  C.2 Elliptic curve on Fp ... 68  C.3 Elliptic curve on ... 69  Appendix D (Informative) Quasi-random generation and verification of parameters of elliptic curve equation ... 71  D.1 Quasi-random generation of parameters of elliptic curve equation ... 71  D.2 Verification of parameters of elliptic curve equation ... 72  References ... 74  Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 1. General 1 Scope This part of GB/T 32918 specifies the necessary mathematical basics and related cryptography techniques which are involved in the SM2 elliptic curve’s public key cryptography algorithm, to help implement the cryptographic mechanisms as specified in other parts. This part is applicable to the design, development and use of elliptic curve’s public key cryptography algorithms of which the base field is prime field and binary field. [Translator note. In Chinese, there is only single word corresponding to mathematic “domain” and “field” (identical in Chinese). Therefore, in this translation, “field” and “domain” can be replaced each other where applicable (exchangeable); likewise, limited domain  finite field] 2 Symbols and abbreviations The following symbols and abbreviations apply to this document. B. MOV threshold. A positive number B, such that the discrete logarithm from is obtained at least same difficult as obtaining the elliptic curve from Fq. deg(f). The number of times the polynomial f (x). E. An elliptic curve which is defined by a and b over a finite field. E(Fq). A set of all rational points of the elliptic curve E (including the infinity point O) on Fq. ECDLP. Elliptic curve’s discrete logarithm problem. Fp. A prime field which contains p elements. Fq. A finite field which contains q elements. Fq*. A multiplicative group which is constituted by all non-zero elements in Fq. a) The addition unit element is an integer 0; b) The multiplication unit element is an integer 1; c) The addition of the field element is a modulo p addition of integers, that is, if a, b ∈ Fp, then a + b = (a + b) mod p; d) The multiplication of the field element is a modulo p multiplication of integer, that is, if a, b ∈ Fp, then a·b = (a·b) mod p. 3.1.3 Binary extension-field When q is a power 2m of 2, the binary extension can be regarded as an m-dimensional vector space on F2, its elements can be represented by a bit string of length m. The elements in have multiple representations, the two most common of which are polynomial-based (PB) representations (see A.2.1.1) and normal basis (NB) representations (see A.2.1.3). The selection principle of the base is to make the operation efficiency in as high as possible. This part does not specify the choice of the base. The binary extension-field will be described below by taking a polynomial-based representation as an example. Let m irreducible polynomial f (x) = xm + fm -1 x m - 1 + ... + f2x2 + f1x + f0 (where fi∈F2, i = 0, 1, ..., m - 1) is the reduced polynomial of the binary extension-field . consists of all polynomials on F2 that are less than m. The polynomial set {xm - 1, xm - 2, ..., x, 1} is a set of bases of on F2, which is called the polynomial-base. The coefficient of any element a (x) = am-1xm-1 + am-2xm-2 + ... + a1x + a0 in constitutes a bit string of length m on F2, which is indicated by a = (am - 1, am - 2, ..., a1, a0). The polynomial field characteristics are as follows. a) Zero 0 is represented by an all-zero bit string; b) Multiplication unit element 1 is represented by bit string 00...001; c) The addition of two field elements is a bitwise XOR operation of the bit string; d) The multiplication of the field elements a and b is defined as follows. Let the polynomials of F2 corresponding to a and b be a (x) and b (x), then a • b is defined as the bit string corresponding to polynomial (a (x) b (x)) mod f (x). 3.2 Elliptic curve over a finite field An elliptic curve on a finite field Fq is a collection of points. In the affine The elliptic curve E (Fq), the point G∈E (Fq) and Q∈< G> of the order n are known. The elliptic curve’s discrete logarithm problem is to determine the integer l∈[0, n - 1], such that Q = [l] G is established. The elliptic curve’s discrete logarithm problem is related to the security of the elliptic curve cryptosystem, so it shall select a secure elliptic curve. See A.4 in Appendix A for how to select a secure elliptic curve. 3.2.6 Weak elliptic curve If an elliptic curve has an attack method that is better than the calculation complexity of n1/2 level (n is the order of the base point), the curve is called a weak elliptic curve. Weak elliptic curves are prohibited in this part. The hypersingular curve on Fq [feature divisibility q +1- # E (Fq) of finite field Fq] and the anomalous curve [# E (Fp) = p] on Fp are weak elliptic curves. 4 Data types and their conversion 4.1 Data types In this part, data types include bit strings, byte strings, field elements, points on elliptic curves, and integers. Bit string. An ordered sequence of 0's and 1's. Byte string. An ordered sequence of bytes, in which 8 bits form 1 byte. Field element. An element in the finite field Fq. Point on elliptic curve. point P∈E (Fq) on an elliptic curve, or a pair of field elements (xP, yP), where the field elements xP and yP satisfy the elliptic curve equation, or the infinity point O. The byte string representation of a point has multiple forms, it is identified by a one-byte PC. The byte string representation of the infinity point O is a single zero byte PC = 00. The non-infinity point P = (xP, yP) has the following three byte string representations. a) Compressed representation, PC = 02 or 03; b) Uncompressed representation, PC = 04; c) Mixed representation, PC = 06 or 07. Note. Mixed representations contain both compressed and uncompressed verification 5.1 General requirements Elliptic curve’s system parameters are publicly available, the security of the system does not depend on the confidentiality of these parameters. This part does not specify the method for generating elliptic curve’s system parameters, but specifies the verification method for system parameters. The calculation of the elliptic curve order and the selection method of the base point can be found in B.3 of Appendix B, the method of generating the curve parameters can be found in Appendix D. The elliptic curve’s system parameters can be divided into two cases in accordance with the different base fields. - When the base field is Fp (p is a prime number greater than 3), the elliptic curve’s system parameters on Fp; - When the base field is , the elliptic curve’s system parameters on . 5.2 Elliptic curve’s system parameters on Fp and its verification 5.2.1 Elliptic curve’s system parameters on Fp The elliptic curve’s system parameters on Fp include. a) The size of the field q = p, p is a prime number greater than 3; b) (Optional) a bit string SEED of length at least 192 (if an elliptic curve is generated as described in Appendix D); c) Two elements a and b in Fp, which define the equation of elliptic curve E. y2 = x3 + ax + b; d) Base point G = (xG, yG)∈E (Fp), G≠O; e) The order n of the base point G (requirement. n > 2191 and n > 4p1/2); f) (Optional) cofactor h = # E (Fp)/n. 5.2.2 Verification of elliptic curve’s system parameters on Fp The generator of the elliptic curve’s system parameters shall verify the following conditions. The user of the elliptic curve’s system parameters can choose to verify these conditions. j) If any of the above verifications fail, the output is “invalid”; otherwise, the output is “valid”. 6 Key pair generation and public key verification 6.1 Key pair generation Input. A set of valid elliptic curve’s system parameters over a valid Fq (q = p and p is a prime number greater than 3, or q = 2m). Output. A key pair (d, P) associated with the elliptic curve’s system parameters. a) Use a random number generator to generate an integer d∈[1, n - 2]; b) G is the base point, calculate the point P = (xP, yP) = [d] G (see A.3.2 in Appendix A); c) The key pair is (d, P), where d is the private key and P is the public key. 6.2 Verification of the public key 6.2.1 Verification of elliptic curve’s public key on Fp Input. A valid set of elliptic curve’s system parameters over Fp (p > 3 and p is prime number) and an associated public key P. Output. For a given elliptic curve’s system parameter, if the public key P is valid, the output is “valid”; otherwise, the output is “invalid”. a) Verify that P is not infinity point O; b) Verify that the coordinates xP and yP of the public key P are elements in the field Fp (i.e. verify that xP and yP are integers in the interval [0, p - 1]); c) Verify yP2 ≡ xP3 + axP + b (mod p); d) Verify [n] P = O; e) If all verifications have passed, the output is “valid”; otherwise, the output is “invalid”. 6.2.2 Verification of elliptic curve’s public key on Input. A valid set of elliptic curve’s system parameters on and an associated public key P. Table A.7 -- Elliptic curve’s addition complexity on binary extension-field Operation Coordinate system Affine coordinates standard projective coordinates Jacobian weighted projective coordinates General addition (α≠0) 1I + 2M + 1S 15M + 1S 15M + 5S Point-multiplication 1I + 2M + 2S 8M + 3S 5M + 5S Note. I, M, and S in the table represent the inversion, multiplication, and square operations in the finite field, respectively. Calculate the multiple-point-multiplication Q = [k] P, let the number of bits of k be l, the Hamming weight of k be W, then the algorithm 1 requires addition operation of the (l - 1) times elliptic curve’s point-doubling and (W - 1)-times point; algorithm 2 requires addition operation of l times elliptic curve’s point- doubling and l/3-times point; algorithm 3 is divided into two parts. pre- computation requires addition operation of a point-doubling operation and (2r - 1 - 1)-times point addition operation, the main loop part needs addition operation of (l - 1) times of point-doubling operation and [l/(r + 1) - 1]-times point, totally, it requires l times point-doubling operation and [2r - 1 + l/(r + 1) - 2]-times point addition operation. Generally, there is W≈l/2, then the complexity of the multiple-point-multiplication operation is as follows (when the base field is a binary extension-field, it assumes α≠0; when α = 0, minus 1 multiplication operation). Algorithm 1. The base field is the prime field. Complexity under affine coordinates. 1.5lI + 3lM + 2.5lS Complexity under standard projective coordinates. 14.5lM + 6lS Complexity under Jacobian weighted projective coordinates. 10lM + 8lS The base field is a binary extension-field. Complexity under affine coordinates. 1.5lI + 3lM + 2.5lS Complexity under standard projective coordinates. 15.5lM + 3.5lS Complexity under Jacobian weighted projective coordinates. 12.5lM + 7.5lS Algorithm 2. The base field is the prime field. Complexity under affine coordinates. 1.33lI + 2.67lM + 2.33lS • BSGS method. time complexity and space complexity are both (πn/2)1/2; • Pollard method. the algorithm complexity is (πn/2)1/2; • Parallel Pollard method. Let r be the number of parallel processors, the algorithm complexity is reduced to (πn /2)1/2/r; • MOV-method. the ESPLP of super-singular elliptic curves and curves with similar properties is reduced to the discrete logarithm problem on the small extension-field of Fq (sub-exponential computational complexity algorithm); • Abnormal curve’s discrete logarithm solving method. effective attack method (polynomial level computational complexity algorithm) for the abnormal curve [# E (Fp) = p curve]; • GHS-method. Use the Weil descent technique to solve the discrete logarithm problem of the elliptic curve on the binary extension-field with the extension number as the composite number, convert the ECDLP into a discrete logarithm problem of the hyperelliptic curve, whilst solving the hyperelliptic curve’s discrete logarithm has a sub-exponential level computational complexity algorithm. For the discrete logarithm problem of general curves, the current solution methods are exponential level computational complexity, no general attack methods for effective sub-exponential level computational complexity are found. For the discrete algorithm problems of some special curves, it exists the polynomial level computational complexity or sub-exponential level computational complexity algorithm. When choosing a curve, it shall avoid using a weakly elliptical curve in the cryptographic sense that is vulnerable to the above methods. A.4.2 Conditions to meet for secure elliptic curve A.4.2.1 Anti-MOV attack conditions A.Menezes, T.Okamoto, S.Vanstone, G.Frey, and H.Rück's reduction attacks reduce the elliptic curve’s discrete logarithm problem on the finite field Fq to the discrete logarithm problem on . This attack method is practical only when B is small, most elliptic curves do not meet this condition. Anti-MOV attack conditions ensure that an elliptic curve is not vulnerable to this reduction method. The elliptic curve on most Fq does meet the anti-MOV attack conditions. Before verifying the anti-MOV attack conditions, it shall select a MOV threshold, which is a positive integer B that makes the discrete logarithm problem on at least as difficult as calculating the elliptic curve’s discrete logarithm problem on Fq. For the standard q > 2191, B ≥ 27 is required. The selection of B ≥ 27 also Appendix B (Informative) Number theory algorithm B.1 Finite field and modulo operations B.1.1 Exponential operations in finite fields Let α be a positive integer, g be the element on the field Fq, the exponential operation is the operation of calculating gα. The exponential operation can be performed efficiently by the binary method outlined below. Input. positive integer α, field Fq, field element g. Output. gα. a) Set e = a mod (q - 1), if e = 0, then it outputs 1; b) Let the binary representation of e be e = erer-1...e1e0, of which the highest bit er is 1; c) Set x = g; d) For i, execute it by falling from r - 1 to 0. 1) Set x = x2; 2) If ei = 1, set x = g • x; e) Output x. Other acceleration algorithms are found in Brickell et al. 1993, Knuth 1981. B.1.2 Inverse operations in finite fields Let g be a non-zero element on the field Fq, then the inverse element g-1 is the field element c that makes g • c = 1. Since c = gq - 2, the inversion can be achieved by an exponential operation. Note that if q is a prime number and g is an integer satisfying 1 ≤ g ≤ q - 1, then g-1 is an integer c, 1 ≤ c ≤ q - 1, and g·c ≡1 (mod q). Input. Field Fq, non-zero element g in Fq. Output. Inverse element g-1. a) Calculate c = gq - 2 (see B.1.1); Output. If there is a square root of g, it outputs a square root mod p, otherwise, it outputs “no square root exists”. Algorithm 1. For p≡3 (mod 4), i.e., there is a positive integer u, such that p = 4u + 3. a) Calculate y = gu + 1 mod p (see B.1.1); b) Calculate z = y2 mod p; c) If z = g, it outputs y; otherwise, it outputs “no square root exists”. Algorithm 2. For p≡5 (mod 8), i.e., there is a positive integer u, such that p = 8u + 5. a) Calculate z = g2u + 1 mod p (see B.1.1); b) If z≡1 (mod p), calculate y = gu + 1 mod p, it outputs y and terminates the algorithm; c) If z≡-1 (mod p), calculate y = (2g • (4g)u) mod p, it outputs y and terminates the algorithm; d) It outputs “no square root exists”. Algorithm 3. For p≡1 (mod 8), i.e., there is a positive integer u, such that p = 8u + 1. a) Set Y = g; b) Generate a random number X, 0 < X < p; c) Calculate the Lucas sequence element (see B.1.3). U = U4u + 1 mod p, V = V4u + 1 mod p; d) If V2≡4Y (mod p), it outputs y = (V/2) mod p and terminates; e) If U mod p≠1 and U mod p≠p - 1, it outputs “no square root exists” and terminates; f) Return to step b). B.1.5 Trace function and half trace function Let α be an element in , and the trace of α is. The trace of half of the elements in is 0, the trace of half of the elements Input. A large odd number u and a large positive integer T. Output. “Probability prime number” or “composite number”. a) Calculate v and odd number w, such that u - 1 = 2v • w; b) Execute j from 1 to T. 1) Select random number α in the interval [2, u - 1]; 2) Set b = aw mod u; 3) If b = 1 or u - 1, go to step 6); 4) Execute i from 1 to v - 1. - Set b = b2 mod u; - If b = u - 1, go to step 6); - If b = 1, it outputs “composite number” and terminates; - Next i; 5) It outputs “composite number” and terminates; 6) Next j; c) It outputs “probabilistic prime number”. If the algorithm outputs “composite number”, then u is a composite number. If the algorithm outputs “probabilistic prime number”, the probability that u is a composite number is less than 2-2T. Thus, by choosing a sufficiently large T, the error can be ignored. B.1.11 Approximate primality testing Given a trial division bound lmax, if each prime factor of the positive integer h does not exceed lmax, then h is said to be lmax-smooth. Given a positive integer rmin, if there is a prime number v ≥ rmin such that a positive integer u = h • v, and the integer h is lmax-smooth, then u is called an approximate prime number. The following algorithm checks the approximate primality of u. Input. Positive integers u, lmax and rmin. Output. It outputs h and v if u is an approximate prime, otherwise, it outputs “not approximate prime”. a) Set v = u, h = 1; Appendix C (Informative) Curve example C.1 General requirements All values in this Appendix are expressed in hexadecimal, the left side is the high order and the right side is the low order. C.2 Elliptic curve on Fp The elliptic curve equation is. y2 = x3 + ax + b Example 1. Fp-192 curve Prime number p. BDB6F4FE 3E8B1D9E 0DA8C0D4 6F4C318C EFE4AFE3 B6B8551F Coefficient α. BB8E5E8F BC115E13 9FE6A814 FE48AAA6 F0ADA1AA 5DF91985 Coefficient b. 1854BEBD C31B21B7 AEFC80AB 0ECD10D5 B1B3308E 6DBF11C1 The base point G = (x, y), of which the order is n. Coordinate x. 4AD5F704 8DE709AD 51236DE6 5E4D4B48 2C836DC6 E4106640 Coordinate y. 02BB3A02 D4AAADAC AE24817A 4CA3A1B0 14B52704 32DB27D2 Order n. BDB6F4FE 3E8B1D9E 0DA8C0D4 0FC96219 5DFAE76F 56564677 Example 2. Fp-256 curve Prime number p. 8542D69E 4C044F18 E8B92435 BF6FF7DE 45728391 5C45517D 722EDB8B 08F1DFC3 Coefficient α. 787968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B 3937E498 Coefficient b. 63E4C6D3 B23B0C84 9CF84241 484BFE48 F61D59A5 B16BA06E 6E12D1DA 27C5249A Appendix D (Informative) Quasi-random generation and verification of parameters of elliptic curve equation D.1 Quasi-random generation of parameters of elliptic curve equation D.1.1 Quasi-random generation of parameters of elliptic curve equations on Fp Method 1. Input. The size of the prime field p. Output. Elements a, b in the bit string SEED and Fp. a) Randomly select a bit string SEED which has a length of at least 192; b) Calculate H = H256 (SEED) and record H = (h255, h254, ..., h0); c) Set ; d) Set r = R mod p; e) Randomly select the elements a and b in Fp, so that r • b2≡a3 (mod p); f) If (4a3 + 27b2) mod p = 0, then go to step a); g) The elliptic curve on the selected Fp is E. y2 = x3 + ax + b; h) Output (SEED, a, b). Method 2. Input. The size of the prime field p. Output. Elements a, b in the bit string SEED and Fp. a) Randomly select a bit string SEED which has a length of at least 192; b) Calculate H = H256 (SEED) and record H = (h255, h254, ..., h0); References [1] GB/T 15843.1-1999 Information technology - Security technology - Entity identification - Part 1. Overview [2] GB/T 25069-2010 Information security technology - Terminology [3] Agnew G, Beth T, Mullin R, et al. 1993. Arithmetic operations in GF(2m). Journal of Cryptology, (6). 3~13 [4] Agnew G, Mullin R, Onyszchuk I, et al. 1991. An implementation for a fast public-key cryptosystem. Journal of Cryptology, (3). 63~79 [5] ANSI X9.62-1999 Public Key Cryptography For The Financial Services Industry. The Elliptic Curve Digital Signature Algorithm (ECDSA). American National Standards Institute [6] ANSIX 9.63-2001 Public Key Cryptography for the Financial Services Industry. Key Agreement and key Transport Using Elliptic Curve Cryptography. American Nation Standard Institute [7] Brickell E, Gordon D, McCurley K, et al. 1993. Fast Exponentiation with precomputation. Advances in Cryptology-EUROCRYPT’92. LNCS 658. Berlin. Springer-Verlag. 200~207 [8] Blake I, Serussi G, Smart N. 1999. Elliptic Curves in Cryptography. Cambridge. Cambridge University Press [9] ISO/IEC 15946-1.2002 Information technology - Security techniques - Cryptographic techniques based on elliptic curves - Part 1. General [10] ISO/IEC 15946-2.2002 Information technology - Security techniques - Cryptographic techniques based on elliptic curves - Part 2. Digital signatures [11] ISO/IEC 15946-3.2002 Information technology - Security techniques - Cryptographic techniques based on elliptic curves - Part 3. Key establishment [12] ISO/IEC 15946-4.2003 Information technology - Security techniques - Cryptographic techniques based on elliptic curves - Part 4. Digital signatures giving message recovery [13] ITU-T Recommendation X.680 Information Technology -Abstract Syntax Notation One (ASN.1). Specification of Basic Notation (eqv ISO/IEC 8824-1) [14] ITU-T Recommendation X.681 Information Technology -Abstract Syntax Notation One (ASN.1). Information Object Specification (eqv ISO/IEC 8824-2) ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.