Standards related to:

GB/T 32918.2-2016**GB/T 32918.2-2016: PDF in English (GBT 32918.2-2016) **

GB/T 32918.2-2016

GB

NATIONAL STANDARD OF THE

PEOPLE’S REPUBLIC OF CHINA

ICS 35.040

L 80

Information security technology - Public key

cryptographic algorithm SM2 based on elliptic curves

- Part 2. Digital signature algorithm

ISSUED ON. AUGUST 29, 2016

IMPLEMENTED ON. MARCH 01, 2017

Issued by. General Administration of Quality Supervision, Inspection and

Quarantine of the People's Republic of China;

Standardization Administration of the People's Republic of

China.

Table of Contents

Foreword ... 3

Introduction ... 4

1 Scope ... 6

2 Normative references ... 6

3 Terms and definitions ... 6

4 Symbols and abbreviations ... 7

5 Digital signature algorithm ... 8

6 Digital signature generation algorithm and flow ... 10

7 Digital signature verification algorithm and flow ... 12

Annex A (informative) Examples of digital signature and verification ... 14

Bibliography ... 20

Foreword

GB/T 32918 “Information security technology - Public key cryptographic

algorithm SM2 based on elliptic curves” consists of 5 parts.

- Part 1. General;

- Part 2. Digital signature algorithm;

- Part 3. Key exchange protocol;

- Part 4. Public key encryption algorithm;

- Part 5. Parameter definition.

This Part is Part 2 of GB/T 32918.

This Part was drafted in accordance with the rules given in GB/T 1.1-2009.

This Part was proposed by State Cryptography Administration.

This Part shall be under the jurisdiction of National Information Security

Standardization Technical Committee (SAC/TC 260).

Drafting organizations of this Part. Beijing Huada Information Security

Technology Co., Ltd., People's Liberation Army Information Engineering

University, Chinese Academy of Sciences Data Assurance & Communications

Security Center.

Main drafters of this Part. Chen Jianhua, Zhu Yuefei, Ye Dingfeng, Hu Lei, Pei

Dingyi, Peng Guohua, Zhang Yajuan, Zhang Zhenfeng.

Information security technology - Public key

cryptographic algorithm SM2 based on elliptic curves

- Part 2. Digital signature algorithm

1 Scope

This Part of GB/T 32918 specifies the digital signature algorithm of public key

cryptographic algorithm SM2 based on elliptic curves, including digital signature

generation algorithm and verification algorithm, and gives examples of digital

signature and verification and the corresponding flow.

This Part applies to digital signature and verification in commercial

cryptographic applications, and meets the security requirements for identity

authentication and data integrity and authenticity in a variety of cryptographic

applications. [Translator note. In Chinese, there is only single word

corresponding to mathematic “domain” and “field” (identical in Chinese).

Therefore, in this translation, “field” and “domain” can be replaced each other

where applicable (exchangeable); likewise, limited domain finite field]

2 Normative references

The following referenced documents are indispensable for the application of

this document. For dated references, only the dated edition cited applies. For

undated references, the latest edition of the referenced document (including all

amendments) applies.

GB/T 32918.1-2016 Information security technology - Public key

cryptographic algorithm SM2 based on elliptic curves - Part 1. General

GB/T 32905-2016 Information security techniques - SM3 cryptographic hash

algorithm

3 Terms and definitions

For the purpose of this document, the following terms and definitions apply.

3.1

message

A bit string of any finite length.

3.2

signed message

A set of data elements consisting of a message and a signed portion of the

message.

3.3

signature key

A secret data element that is unique to the signer during the digital signature

generation process, i.e., signer’s private key.

3.4

signature generation process

A process of entering a message, a signature key and elliptic curve’s system

parameters, and outputting a digital signature.

3.5

distinguishing identifier

Information that makes it possible to identify an entity's identity without

ambiguity.

4 Symbols and abbreviations

For the purpose of this document, the following symbols and abbreviations

apply.

A, B. Two users that use public key cryptosystem.

dA. User A's private key.

E(Fq). A set of all rational points (including the infinity point O) of the elliptic

curve E on Fq.

e. The cryptographic hash algorithm acts on the output value of message M.

e'. The cryptographic hash algorithm acts on the output value of message M'.

Fq. A finite field containing q elements.

signature generation process, the cryptographic hash algorithm is used to

compress 𝑀ഥ (including ZA and the message to be signed M); before the

verification process, the cryptographic hash algorithm is used to compress 𝑀ഥ '

(including ZA and message to be verified M’).

5.2 Elliptic curve’s system parameters

Elliptic curve’s system parameters include the size q of the finite field Fq (when

q = 2m, it also includes the identification of the element representation and the

reduction polynomial); the two elements a, b ∈ Fq of the equation defining the

elliptic curve E(Fq); the base point G = (xG, yG) (G ≠ O) on E(Fq), where xG and

yG are two elements in Fq; the order n of G and other alternatives (such as the

cofactor h of n).

Elliptic curve’s system parameters and their verification shall comply with the

specifications of Clause 5 of GB/T 32918.1-2016.

5.3 User key pairing

User A's key pairing includes its private key dA and public key PA = [dA ] G = (xA,

yA).

The generation algorithm of the user key pairing and the public key verification

algorithm shall comply with the specifications of Clause 6 of GB/T 32918.1-

2016.

5.4 Auxiliary function

5.4.1 General

In the elliptic curve’s digital signature algorithm specified in this Part, two types

of auxiliary functions are involved. the cryptographic hash algorithm and the

random number generator.

5.4.2 Cryptographic hash algorithm

This Part specifies the use of cryptographic hash algorithms approved by State

Cryptography Administration, such as SM3 cryptographic hash algorithm.

5.4.3 Random number generator

This Part specifies the use of random number generators approved by State

Cryptography Administration.

5.5 Other user information

User A as the signer has a distinguishing identifier IDA with a length of entlenA

bits. ENTLA is denoted as a two-byte converted by the integer entlenA. In the

7 Digital signature verification algorithm and flow

7.1 Digital signature verification algorithm

In order to verify the received message M' and its digital signature (r', s'), User

B as the verifier shall implement the following operation steps.

B1. Verify if r' ∈ [1, n - 1] is true, if not, the verification fails;

B2. Verify if s' ∈ [1, n - 1] is true, if not, the verification fails;

B3. Set 𝑀ഥ ' = ZA ǁ M';

B4. Calculate e' = Hv (𝑀ഥ '); convert the data type of e' to an integer according to

the methods given in 4.2.4 and 4.2.3 of GB/T 32918.1-2016;

B5. Convert the data types of r' and s' to integers according to the method given

in 4.2.3 of GB/T 32918.1-2016; calculate t = (r' + s') mod n, if t = 0, the

verification fails;

B6. Calculate the elliptic curve point (x'1, y'1) = [s'] G + [t] PA;

B7. Convert the data type of x'1 to an integer according to the method given in

4.2.8 of GB/T 32918.1-2016; calculate R = (e' + x1') mod n; verify if R = r' is true,

if yes, the verification is passed, otherwise the verification fails.

NOTE. If ZA is not the hash value corresponding to User A, the verification will fail. See Annex

A for an example of digital signature verification process.

7.2 Digital signature verification algorithm flow

The digital signature verification algorithm flow is shown in Figure 2.

Annex A

(informative)

Examples of digital signature and verification

A.1 General

This annex uses the cryptographic hash algorithm given in GB/T 32905-2016.

The input is a message bit string with a length less than 264, and the output is

a hash value of 256 bits in length, denoted as H256 ( ).

In this annex, all numbers in hexadecimal are high on the left and low on the

right.

In this annex, the message uses the code given in GB/T 1988.

Let User A's identity be. ALICE123@YAHOO.COM. Use the code given in GB/T

1988 IDA. 414C 49434531 32334059 41484F4F 2E434F4D. ENTLA = 0090.

A.2 Elliptic curve’s digital signature on Fp

The elliptic curve equation is. y2 = x3 + ax + b

Example 1. Fp-256

Prime number p.

Coefficient a.

Coefficient b.

Base point G = (xG, yG), of which the order is n.

Coordinate xG.

Coordinate yG.

Order n.

Message to be signed M. message digest

......

Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.