GM/T 0003.3-2012 PDF in English
Standard ID | Contents [version] | USD | Name of Chinese Standard | Status
GM/T 0003.3-2012 | English | 145 | Public key cryptographic algorithm SM2 based on elliptic curves - Part 3: Key exchange protocol | Valid
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
File No.: 36828-2012
Public key cryptographic algorithm SM2 based on
elliptic curves – Part 3: Key exchange protocol
ISSUED ON: MARCH 21, 2012
IMPLEMENTED ON: MARCH 21, 2012
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols
5 Algorithm parameters and auxiliary functions
5.1 General rules
5.2 System parameters of elliptic curve
5.3 User key pair
5.4 Auxiliary functions
5.4.1 General
5.4.2 Cryptographic hash functions
5.4.3 Key derivation functions
5.4.4 Random number generator
5.5 Users’ other information
6 Key exchange protocol and process
6.1 Key exchange protocol
6.2 Process of key exchange protocol
Annex A (Informative) Example of key exchange and verification
A.1 General requirements
A.2 Key exchange protocol of elliptic curve on Fp
A.3 Key exchange protocol of elliptic curve on F2^m
Public key cryptographic algorithm SM2 based on
elliptic curves - Part 3: Key exchange protocol
1 Scope
This Part of GM/T 0003 specifies the key exchange protocol of the public key
cryptographic algorithm SM2 based on elliptic curves, and gives examples of
key exchange together with their processes.
This Part applies to key exchange in commercial cryptography applications. It
allows the two communicating parties to compute and obtain one shared secret
key (session key), decided by both sides, through two or, optionally, three
message-passing processes. This Part can also serve security product
manufacturers as a reference for the positioning and standardization of
products and technologies, so as to improve the credibility and
interoperability of security products.
2 Normative references
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition dated applies to this document. For
undated references, the latest edition of the referenced documents (including all
amendments) applies to this document.
GM/T 0003.1-2012, Public key cryptographic algorithm SM2 based on elliptic
curves – Part 1: General
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
key confirmation from A to B
guarantee which convinces user B that user A has a certain secret key
3.2
key derivation function
K, KA, KB: a shared secret key agreed upon in the key exchange protocol.
KDF(): the key derivation function.
mod n: the modulo n operation, e.g. 23 mod 7 = 2.
n: the order of base point G (n is the prime factor of #E(Fq)).
O: one special point on the elliptic curve, called the point at infinity or null point, which
is the identity element of the additive group of the elliptic curve.
PA: the public key of user A.
PB: the public key of user B.
q: the number of elements in the finite field Fq.
rA: the value of a temporary key generated by user A in a key exchange.
rB: the value of a temporary key generated by user B in a key exchange.
. the concatenation of x and y, where x and y can be a bit string or byte string.
ZA: the hash value over the distinguishing identifier of user A, some system
parameters of the elliptic curve and the public key of user A.
ZB: the hash value over the distinguishing identifier of user B, some system
parameters of the elliptic curve and the public key of user B.
#E(Fq): the number of points on E(Fq), called the order of elliptic curve E(Fq).
[k]P: the k-fold point multiplication of point P on the elliptic curve, i.e. ,
where k is a positive integer.
[x, y]: the set of integers greater than or equal to x and less than or equal to
y.
. the ceiling function, which is the minimum integer greater than or equal to x. E.g..
. the bottom function, which is the maximum integer less than or equal to x. E.g..
Number k
5.4.3 Key derivation functions
The role of key derivation functions is to derive key data from a shared secret bit string.
During the process of key agreement, the key derivation function acts on the shared
secret bit string obtained from the key exchange to generate the session key required
or the key data required for further encryption.
The key derivation function needs to call the cryptographic hash function.
Let the cryptographic hash function be Hv(), whose output is a hash value of
exactly v bits.
The key derivation function KDF(Z, klen):
Input: the bit string Z and the integer klen (the bit length of the key data to be
obtained, whose value is required to be less than (2^32 - 1)v).
Output: the key data bit string K with the length of klen.
a) initialize a counter of 32 bits ;
b) perform for i from 1 to .
b.1) compute ;
b.2) ;
c) if klen/v is an integer, let ,
Or else, let be the left-most bit of ;
d) let .
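The formulas in steps a) to d) are missing from this excerpt. The added example below (not part of the standard's text) follows the counter-mode construction of the published SM2 KDF: a 32-bit counter starting at 1, blocks Hv(Z ∥ ct) concatenated, and the result cut to the left-most klen bits. The function name, the byte-oriented return value and the SHA-256 default (a stand-in for SM3, which Python's hashlib offers only on some OpenSSL builds) are assumptions of this example.

```python
import hashlib

def kdf(z: bytes, klen: int, hash_name: str = "sha256") -> bytes:
    """Derive klen bits of key data from the shared secret z.

    Assumption of this example: hash_name defaults to SHA-256 as a stand-in
    for SM3 (both have v = 256), because hashlib only exposes "sm3" on some
    OpenSSL builds. Pass hash_name="sm3" where it is available.
    Returns ceil(klen / 8) bytes; unused low bits of the last byte are zero.
    """
    v = hashlib.new(hash_name).digest_size * 8          # hash output bits
    if not 0 < klen < (2**32 - 1) * v:
        raise ValueError("klen must be in (0, (2^32 - 1) * v)")
    n_blocks = -(-klen // v)                            # ceil(klen / v)
    stream = b"".join(
        hashlib.new(hash_name, z + ct.to_bytes(4, "big")).digest()
        for ct in range(1, n_blocks + 1)                # 32-bit counter from 1
    )
    key = bytearray(stream[: (klen + 7) // 8])          # left-most klen bits
    if klen % 8:                                        # klen not a byte multiple
        key[-1] &= (0xFF << (8 - klen % 8)) & 0xFF
    return bytes(key)

if __name__ == "__main__":
    z = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    print(kdf(z, 128).hex())   # one hash block, truncated
    print(kdf(z, 300).hex())   # two hash blocks, last byte masked to 4 bits
```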
5.4.4 Random number generator
This Part specifies the use of the random number generator approved by the State
Cryptography Administration.
5.5 Users’ other information
User A has a distinguishing identifier IDA with a length of entlenA bits; ENTLA
denotes the two bytes converted from the integer entlenA. User B has a
distinguishing identifier IDB with a length of entlenB bits; ENTLB denotes the two
bytes converted from the integer entlenB. In the elliptic curve key exchange protocol
specified in this Part, both sides A and B in the key agreement need to use the
cryptographic hash function to obtain the hash value ZA of user A and the hash value ZB of user B.
B6. compute the elliptic curve point . If V is the point at
infinity, then the agreement fails for B. Otherwise, convert the data type of xV and yV
into a bit string according to the methods given in 4.2.6 and 4.2.5 of GM/T 0003.1-2012;
B7. compute ;
B8. (optional) convert the data types of the coordinates of RA, x1 and y1, and the
coordinates of RB, x2 and y2, into a bit string according to the methods given in 4.2.6
and 4.2.5 of GM/T 0003.1-2012, and compute
B9. send RB (and SB, optional) to user A;
User A:
A4. take field element x1 from RA, convert the data type of x1 into an integer according
to the method given in 4.2.8 of GM/T 0003.1-2012, and compute
A5. compute ;
A6. verify whether RB satisfies the elliptic curve equation. If it does not, then the
agreement fails. Otherwise, take field element x2 from RB, convert the data type of x2 into
an integer according to the method given in 4.2.8 of GM/T 0003.1-2012, and compute
A7. compute the elliptic curve point . If U is the point at
infinity, then the agreement fails for A. Otherwise, convert the data type of xU and yU
into a bit string according to the methods given in 4.2.6 and 4.2.5 of GM/T 0003.1-2012;
A8. compute ;
A9. (optional) convert the data types of the coordinates of RA, x1 and y1, and the
coordinates of RB, x2 and y2, into a bit string according to the methods given in 4.2.6
and 4.2.5 of GM/T 0003.1-2012, compute
, and check whether S1 = SB holds. If it does not, then the key confirmation
from B to A fails;
A10. (optional) compute ,
and send SA to user B.
User B:
B10. (optional) compute ,
and check whether S2 = SA holds. If it does not, then the key confirmation from A to B
fails.
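The shared-point computation of steps A4 to A7 (B's side is symmetric), with the on-curve check of A6 and the point-at-infinity check of A7 and B6, as an added example that is not part of the standard's text. The formulas for the truncated x-coordinate, t and the points U and V are dropped from this excerpt and are taken here from the published SM2 key exchange; the curve is a constructed toy curve over F_17, and all function names are this example's own. Key derivation and the optional confirmation hashes are left out.

```python
# Toy curve y^2 = x^3 + 2x + 2 over F_17 with base point G of prime order
# n = 19 and cofactor h = 1. Constructed for illustration; not the SM2 curve.
P, A, B, N, H, G = 17, 2, 2, 19, 1, (5, 1)
INF = None                                    # the point at infinity O

def on_curve(pt):
    if pt is INF:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x**3 - A * x - B) % P == 0

def add(p1, p2):
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:       # P + (-P) = O
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):                               # double-and-add, not constant time
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

W = ((N - 1).bit_length() + 1) // 2 - 1       # w = ceil(ceil(log2 n) / 2) - 1

def x_bar(x):                                 # 2^w + (x AND (2^w - 1))
    return (1 << W) + (x & ((1 << W) - 1))

def shared_point(d_own, r_own, R_own, P_peer, R_peer):
    """Own side of A4-A7 (B's side is symmetric); raises when a check fails."""
    if not on_curve(R_peer):                  # the A6 check on the received point
        raise ValueError("peer ephemeral point is not on the curve")
    t = (d_own + x_bar(R_own[0]) * r_own) % N
    S = mul(H * t, add(P_peer, mul(x_bar(R_peer[0]), R_peer)))
    if S is INF:                              # the A7 / B6 check
        raise ValueError("shared point is the point at infinity")
    return S
```

With constructed keys dA = 7, rA = 3, dB = 11, rB = 5, user A calls `shared_point(dA, rA, RA, PB, RB)` and user B calls `shared_point(dB, rB, RB, PA, RA)`; both obtain the same point, and a received point that fails the curve equation is rejected before any private value is used on it.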
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.