GB/T 32918.32016_English: PDF (GBT32918.32016)
Standard ID  Contents [version]  USD  STEP2  [PDF] delivered in  Standard Title (Description)  Related Standard  Status  PDF 
GB/T 32918.32016  English  145 
Add to Cart

03 minutes. Autodelivered.

Information security technology  Public key cryptographic algorithm SM2 based on elliptic curves  Part 3: Key exchange protocol

GB/T 32918.32016
 Valid 
GB/T 32918.32016

Standard ID  GB/T 32918.32016 (GB/T32918.32016)  Description (Translated English)  Information security technology  Public key cryptographic algorithm SM2 based on elliptic curves  Part 3: Key exchange protocol  Sector / Industry  National Standard (Recommended)  Classification of Chinese Standard  L80  Word Count Estimation  17,10  Date of Issue  20160829  Date of Implementation  20170301  Regulation (derived from)  National Standard Announcement 2016 No.14  Proposing organization  National Password Authority  Issuing agency(ies)  General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China, China National Standardization Administration Committee 
GB/T 32918.32016
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology  Public key
cryptographic algorithm SM2 based on elliptic curves
 Part 3. Key exchange protocol
ISSUED ON. AUGUST 29, 2016
IMPLEMENTED ON. MARCH 1, 2017
Issued by. General Administration of Quality Supervision, Inspection and
Quarantine of the PRC;
Standardization Administration of the PRC.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Symbols and abbreviations ... 7
5 Algorithm parameters and auxiliary function ... 8
5.1 Overview ... 8
5.2 Elliptic curve’s system parameters ... 9
5.3 User key pair ... 9
5.4 Auxiliary function ... 9
5.5 Other information of user ... 10
6 Key exchange protocol and process ... 11
6.1 Key exchange protocol ... 11
6.2 Key exchange protocol process ... 13
Appendix A (Informative) Example of key exchange and verification ... 15
A.1 Overview ... 15
A.2 Elliptic curve’s key exchange protocol on Fp ... 15
A.3 Elliptic curve’s key exchange protocol on F2m ... 19
References ... 23
Introduction
In 1985, N.Koblitz and V.Miller independently proposed the application of elliptic
curves to public key cryptosystems. The nature of the curve on which the elliptic
curve’s public key cryptography is based is as follows.
 The elliptic curve on the finite field forms a finite exchange group under the
point addition operation, its order is similar to the base field size;
 Similar to the power operation in the finite field multiplication group, the
elliptic curve’s multiplepointmultiplication operation constitutes a oneway
function.
In the multiplepointmultiplication operation, the multiplepointmultiplication
and the base point are known, the problem of solving the multiplication is called
the elliptic curve’s discrete logarithm problem. For the discrete logarithm
problem of general elliptic curves, there is only a solution method for
exponential computational complexity. Compared with the large number
decomposition problem and the discrete logarithm problem on the finite field,
the elliptic curve’s discrete logarithm problem is much more difficult to solve.
Therefore, under the same level of security, the elliptic curve cryptography is
much smaller than the key size required for other public key cryptographies.
SM2 is an elliptic curve’s cryptographic algorithm standard which is developed
and proposed by the National Cryptography Authority. The main objectives of
GB/T 32918 are as follows.
 GB/T 32918.1 defines and describes the related concepts and
mathematical basics of the SM2 elliptic curve cryptographic algorithm, and
outlines the relationship between this part and other parts.
 GB/T 32918.2 describes a signature algorithm based on elliptic curve, that
is, the SM2 signature algorithm.
 GB/T 32918.3 describes a key exchange protocol based on elliptic curve,
that is, the SM2 key exchange protocol.
 GB/T 32918.4 describes a public key encryption algorithm based on elliptic
curve, that is, the SM2 encryption algorithm, which uses the SM3
cryptographic hash algorithm as defined in GB/T 329052016.
 GB/T 32918.5 gives the elliptic curve parameters used by the SM2
Information security technology  Public key
cryptographic algorithm SM2 based on elliptic curves
 Part 3. Key exchange protocol
1 Scope
This Part of GB/T 32918 specifies the key exchange protocol of public key
cryptographic algorithm SM2 based on elliptic curves, and gives examples of
key exchange and verification and their corresponding processes.
This Part is applicable to the key exchange in commercial cryptographic
application. It can satisfy twice or optional threetimes information transfer
process of the communication parties; and calculate and obtain a shared secret
key (session key) jointly determined by both parties.
2 Normative references
The following documents are indispensable for the application of this document.
For the dated references, only the versions with the dates indicated are
applicable to this document. For the undated references, the latest version
(including all the amendments) are applicable to this document.
GB/T 32918.12016 Information security technology  Public key
cryptographic algorithm SM2 based on elliptic curves  Part 1. General
GB/T 329052016 Information security techniques  SM3 cryptographic hash
algorithm
3 Terms and definitions
The following terms and definitions are applicable to this document.
3.1 Key confirmation from A to B
A guarantee which makes user B be convinced that user A has a specific secret
key.
3.2 Key derivation function
The function of one or more shared secret keys generated by acting on the
shared key and other parameters known to both parties.
3.3 Initiator
The user who sends the first round of exchange information during the
operation of a protocol.
3.4 Responder
The user who does not send the first round of information exchange during the
operation of a protocol.
3.5 Distinguishing identifier
Information which can distinguish an entity’s identity without ambiguity.
4 Symbols and abbreviations
The following symbols apply to this document.
A, B  Two users using the public key cryptosystem.
dA  User A’s private key.
dB  User B’s private key.
E(Fq)  A set of all rational points (including the point at infinity O) of the elliptic
curve E on Fq.
Fq  A finite field which contains q elements.
G  A base point of elliptic curve, of which the order is prime number.
Hash( )  Cryptographic hash algorithm.
Hv( )  A cryptographic hash algorithm with a message digest length of v bits.
h  The cofactor, h=#E(Fq)/n, where n is the order of the base point G.
IDA, IDB  Distinguishing identifiers of user A and user B.
K, KA, KB  The shared secret keys agreed upon by the key exchange protocol.
KDF( )  Key derivation function.
modn  Modulo n operation. For example, 23 mod 7=2.
n  The order of the base point G [n is the prime factor of #E(Fq)].
protocol can be used for key management and negotiation.
5.2 Elliptic curve’s system parameters
Elliptic curve’s system parameters include the size q of the finite field Fq (When
q=2m, it also includes the identification of element representation notation and
the reduced polynomial). Two elements a, b which define the equation of the
elliptic curve E(Fq) shall ∈Fq. The base point G on E(Fq) shall = (xG, yG) (G≠O),
where xG and yG are two elements in Fq; the order n of G and other alternatives
(such as the cofactor h of n, etc.).
Elliptic curve’s system parameters and their verification shall comply with the
provisions of Clause 5 of GB/T 32918.12016.
5.3 User’s key pair
User A’s key pair includes its private key dA and public key PA=[dA]G= (xA, yA).
User B’s key pair includes its private key dB and public key PB=[dB]G= (xB, yB).
The generation algorithm of user’s key pair and the public key verification
algorithm shall be in accordance with the provisions of Clause 6 of GB/T
32918.12016.
5.4 Auxiliary function
5.4.1 Overview
In the elliptic curve’s key exchange protocol specified in this Part, three types
of auxiliary functions are involved. cryptographic hash algorithm, key derivation
function, and random number generator. The strength of these three types of
auxiliary functions directly affects the security of key exchange protocol.
5.4.2 Cryptographic hash algorithm
This Part specifies the use of cryptographic hash algorithms approved by the
State Cryptography Administration, such as the SM3 cryptographic hash
algorithm.
5.4.3 Key derivation function
The key derivation function is used to derive key data from a shared secret bit
string. In the key negotiation process, the key derivation function acts on the
shared secret bit string obtained by key exchange, from which the required
session key or the key data required for further encryption is generated.
The key derivation function needs to call the cryptographic hash algorithm.
B7. CALCULATE KB=KDF(xV ǁ yV ǁ ZA ǁ ZB, klen);
B8. (option) According to the methods given by 4.2.6 and 4.2.5 in GB/T
32918.12016, CONVERT the data type of the coordinates x1, y1 of RA
and of the coordinates x2, y2 of RB into bit string; CALCULATE
SB=Hash(0x02 ǁ yV ǁ Hash(xV ǁ ZA ǁ ZB ǁ x1 ǁ y1 ǁ x2 ǁ y2));
B9. SEND RB, (option SB) to user A;
User A.
A4. TAKE the field element x1 out from RA; according to the method given
by 4.2.8 in GB/T 32918.12016, CONVERT the data type of x1 into
integer; CALCULATE x1ഥ =2w+(x1&(2w1));
A5. CALCULATE tA= (dA+x1ഥ · rA) modn;
A6. VERIFY whether RB meets the elliptic curve equation, and if not, the
negotiation fails. Otherwise, TAKE the field element x2 out from RB;
according to the method given by 4.2.8 in GB/T 32918.12016,
CONVERT the data type of x2 into integer; CALCULATE
x2ഥ =2w+(x2&(2w1));
A7. CALCULATE the elliptic curve point U= [h · tA] (PB+[x2ഥ ]RB) = (xU, yU).
If U is point at infinity, then A negotiation fails. Otherwise, according to
the methods given by 4.2.6 and 4.2.5 in GB/T 32918.12016,
CONVERT the data type of xU, yU into bit string;
A8. CALCULATE KA=KDF(xU ǁ yU ǁ ZA ǁ ZB, klen);
A9. (option) According to the methods given by 4.2.6 and 4.2.5 in GB/T
32918.12016, CONVERT the data type of the coordinates x1, y1 of RA
and of the coordinates x2, y2 of RB into bit string; CALCULATE
S1=Hash(0x02 ǁ yU ǁ Hash(xU ǁ ZA ǁ ZB ǁ x1 ǁ y1 ǁ x2 ǁ y2)); and CHECK
whether S1=SB is established. If the equation is not established, the
key confirmation from B to A fails;
A10. (option) CALCULATE SA=Hash(0x03 ǁ yU ǁ Hash(xU ǁ ZA ǁ ZB ǁ x1 ǁ
y1 ǁ x2 ǁ y2)); and SEND SA to user B.
User B.
B10. (option) CALCULATE S2=Hash(0x03 ǁ yV ǁ Hash(xV ǁ ZA ǁ ZB ǁ x1 ǁ y1 ǁ
x2 ǁ y2)); and CHECK whether S2=SA is established. If the equation is
not established, the key confirmation from A to B fails.
Note. If ZA and ZB are not the hash values corresponding to users A and B, then the same
Appendix A
(Informative)
Example of key exchange and verification
A.1 Overview
This appendix selects the cryptographic hash algorithm given in GB/T 32905
2016. The input is a message bit string of length less than 264. The output is a
hash value of 256 bits in length, which is recorded as H256().
In this appendix, all numbers expressed in hexadecimal form are high on the
left and low on the right.
Assume that user A’s identity is. ALICE123@YAHOO.COM. USE the code in
GB/T 1988 to record IDA. 414C 49434531 32334059 41484F4F 2E434F4D.
ENTLA=0090.
Assume that user B’s identity is. BILL456@YAHOO.COM. USE the code in
GB/T 1988 to record IDB. 42 494C4C34 35364059 41484F4F 2E434F4D.
ENTLB=0088.
A.2 Elliptic curve’s key exchange protocol on Fp
The elliptic curve equation is. y2=x3+ax+b
Example 1. Fp256
Cofactor h. 1
Base point G= (xG, yG). Its order is recorded as n.
User A’s public key PA= (xA, yA).
Prime number p
Factor a
Factor b
Coordinate xG
Coordinate yG
Order n
User A’s private key dA
