GB/T 38635.2-2020: Information security technology - Identity-based cryptographic algorithms SM9 - Part 2: Algorithms. Status: Valid
Basic data
| Field | Value |
| --- | --- |
| Standard ID | GB/T 38635.2-2020 (GB/T38635.2-2020) |
| Description (Translated English) | Information security technology - Identity-based cryptographic algorithms SM9 - Part 2: Algorithms |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.040 |
| Word Count Estimation | 42,437 |
| Date of Issue | 2020-04-28 |
| Date of Implementation | 2020-11-01 |
| Quoted Standard | GB/T 17964; GB/T 32905; GB/T 32907; GB/T 32915; GB/T 38635.1-2020 |
| Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration |
| Summary | This standard specifies the digital signature algorithm, key exchange protocol, key encapsulation mechanism and encryption algorithm in the SM9 identification cryptographic algorithm. This standard applies to the realization of SM9 identification cryptographic algorithm engineering, and guides the development and testing of SM9 identification cryptographic algorithms related products. |
This is a DRAFT version for illustration, not a final translation.
Information security technology - Identity-based cryptographic algorithms SM9 - Part 2: Algorithms
ICS 35.040
L80
National Standard of the People's Republic of China
Issued 2020-04-28
Implemented 2020-11-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbol
5 Algorithm parameters and auxiliary functions
5.1 Overview
5.2 System parameter group
5.3 Auxiliary function
6 Digital signature generation and verification algorithms and processes
6.1 Generation of system signature master key and user signature key
6.2 Digital signature generation algorithm
6.3 Digital signature generation algorithm process
6.4 Digital signature verification algorithm
6.5 Digital signature verification algorithm process
7 Key Exchange Protocol and Process
7.1 Generation of system encryption master key and user encryption key
7.2 Key Exchange Protocol
7.3 Key Exchange Protocol Process
8 Key encapsulation mechanism and process
8.1 Generation of system encryption master key and user encryption key
8.2 Key encapsulation algorithm
8.3 Key Encapsulation Algorithm Process
8.4 Decapsulation algorithm
8.5 Decapsulation algorithm flow
9 Encryption algorithm and process
9.1 Generation of system encryption master key and user encryption key
9.2 Encryption algorithm
9.3 Encryption algorithm process
9.4 Decryption algorithm
9.5 Decryption algorithm process
Appendix A (Informative Appendix) Algorithm Example
Foreword
GB/T 38635 "Information security technology - Identity-based cryptographic algorithms SM9" is divided into two parts:
---Part 1: General Provisions;
---Part 2: Algorithms.
This part is Part 2 of GB/T 38635.
This part was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some content of this document may involve patents. The issuer of this document does not assume responsibility for identifying these patents.
This part is proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
This part was drafted by: National Information Security Engineering Technology Research Center, Beijing Guomai Xinan Technology Co., Ltd., Shenzhen Aolian Information Security All-Tech Co., Ltd., Institute of Software, Chinese Academy of Sciences, Wuhan University, Institute of Information Engineering, Chinese Academy of Sciences.
The main drafters of this part: Chen Xiao, Cheng Zhaohui, Zhang Zhenfeng, Ye Dingfeng, Hu Lei, Chen Jianhua, Ji Qingguang, Yuan Wengong, Liu Ping, Ma Ning, Yuan Feng, Li Zengxin, Wang Xuejin, Yang Hengliang, Zhang Qingpo, Ma Yanli, Pu Yusan, Tang Ying, Sun Yisheng, An Xuan, Feng Weiduan, Zhang Liyuan.
Introduction
A. Shamir proposed the concept of identity-based cryptography in 1984. The user's private key is calculated by the key generation center (KGC) from the master key and the user's identity, and the user's public key is uniquely determined by the user's identity. The identity manager shall ensure the authenticity of the identity. Compared with a certificate-based public key cryptosystem, key management in an identity-based cryptosystem can be simplified appropriately.
In 1999, K. Ohgishi, R. Sakai and M. Kasahara proposed using elliptic curve pairings to construct an identity-based key sharing scheme; in 2001, D. Boneh and M. Franklin, as well as R. Sakai, K. Ohgishi and M. Kasahara, independently proposed identity-based public key encryption algorithms constructed with elliptic curve pairings. These works triggered new developments in identity-based cryptography, and a number of identity-based cryptographic algorithms implemented with bilinear pairings appeared, including digital signature algorithms, key exchange protocols, key encapsulation mechanisms and public key encryption algorithms.
Elliptic curve pairings are bilinear. They establish a connection between a cyclic subgroup of the elliptic curve and a multiplicative cyclic subgroup of the extension field, giving rise to hard problems such as bilinear DH, bilinear inverse DH, decisional bilinear inverse DH, τ-bilinear inverse DH and τ-Gap-bilinear inverse DH. When the elliptic curve discrete logarithm problem and the extension field discrete logarithm problem are difficult to solve, identity-based cryptography that takes into account both security and implementation efficiency can be constructed.
Information security technology - Identity-based cryptographic algorithms SM9
Part 2: Algorithms
1 Scope
This part of GB/T 38635 specifies the digital signature algorithm, key exchange protocol, key encapsulation mechanism and encryption algorithm of the SM9 identity-based cryptographic algorithms.
This part applies to the engineering implementation of the SM9 identity-based cryptographic algorithms and guides the development and testing of related products.
2 Normative references
The following documents are essential for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 17964 Information security technology - Block cipher algorithm modes of operation
GB/T 32905 Information security technology - SM3 cryptographic hash algorithm
GB/T 32907 Information security technology - SM4 block cipher algorithm
GB/T 32915 Information security technology - Binary sequence randomness detection specification
GB/T 38635.1-2020 Information security technology - Identity-based cryptographic algorithms SM9 - Part 1: General
3 Terms and definitions
The terms and definitions defined in GB/T 38635.1-2020 and the following apply to this document. For ease of use, some terms and definitions from GB/T 38635.1-2020 are repeated below.
3.1
Encryption master key
The key at the top of the identity-based cryptography key hierarchy, consisting of the encryption master private key and the encryption master public key. The encryption master public key is public, and the encryption master private key is kept secret by the Key Generation Center (KGC). KGC uses the encryption master private key and the user's identity to generate the user's encryption private key. In identity-based cryptography, the encryption master private key is generally generated by KGC with a random number generator, and the encryption master public key is generated from the encryption master private key combined with the system parameters.
3.2
Identity
Information that the entity cannot deny, such as the entity's identifiable name, email address, ID number, phone number or street address, which uniquely determines the identity of an entity.
[GB/T 38635.1-2020, definition 3.1]
3.3
Initiator
The user who sends the first round of exchange information during the operation of a protocol.
3.4
Initialization vector; initialization value; IV
In a cryptographic transformation, the initial data introduced into the data transformation to increase security or to synchronize cryptographic devices.
3.5
Key confirmation from A to B
The assurance given to user B that user A possesses a specific secret key.
3.6
Signed message
A set of data elements consisting of a message and the digital signature part of the message.
3.7
Signature key
The secret data element specific to the signer that is used in the process of digital signature generation, that is, the signer's private key.
3.8
Signature master key
The signature root key of the system, consisting of the signature master private key and the signature master public key. The signature master public key is public, and the signature master private key is kept secret by KGC. KGC uses the signature master private key and the user's identity to generate the user's signature private key. In identity-based cryptography, the signature master private key is generally generated by KGC with a random number generator, and the signature master public key is generated from the signature master private key combined with the system parameters.
3.9
Key exchange
A scheme for securely exchanging keys between communicating entities, which enables the two parties to exchange keys securely while transmitting information over an insecure communication line.
3.10
Key agreement
The process of establishing a shared secret key among multiple users, in which none of them can determine the value of the key in advance.
3.11
Key derivation function
A function that generates one or more shared secret keys by acting on a shared secret and other parameters known to both parties.
3.12
Responder
The user who does not send the first round of exchange information during the operation of a protocol.
3.13
Secret key
In a cryptosystem, a key that is shared by the two communicating parties and not known to any third party.
3.14
Message authentication code; MAC
A codeword derived by an authentication algorithm acting on a specific key and message bit string, used to identify the source of the data and verify data integrity. The function for obtaining the message authentication code is called the message authentication code function.
4 Symbol
The following symbols apply to this document.
A, B: two users of the identity-based cryptosystem.
cf: cofactor of the elliptic curve order relative to N.
cid: the curve identifier expressed in one byte, where 0x10 denotes an ordinary curve (that is, a non-supersingular curve) over Fp (prime p > 2^191), 0x11 denotes a supersingular curve over Fp, and 0x12 denotes an ordinary curve over Fp and its twist.
dsA: user A's signature private key.
e: bilinear pairing from G1×G2 to GT.
eid: the identifier of the bilinear pairing e expressed in one byte, where 0x01 denotes the Tate pairing, 0x02 the Weil pairing, 0x03 the Ate pairing and 0x04 the R-Ate pairing.
GT: multiplicative cyclic group of order N.
G1: additive cyclic group of order N.
G2: additive cyclic group of order N.
g^u: the u-th power of the element g in the multiplicative group GT, that is, g^u = g·g·…·g (u factors), where u is a positive integer.
Hv(): cryptographic hash function.
H1(), H2(): cryptographic functions derived from the cryptographic hash function.
hid: the signature private key generation function identifier expressed in one byte, selected and published by KGC.
(h,S): the signature sent.
(h',S'): the signature received.
IDA: user A's identity, which uniquely determines user A's public key.
ks: the signature master private key.
M: the message to be signed.
M': the message to be verified.
mod n: the modulo n operation.
Example 1: 23 mod 7 = 2.
N: the order of the cyclic groups G1, G2 and GT, a prime number greater than 2^191.
Ppub-s: the signature master public key.
P1: generator of group G1.
P2: generator of group G2.
<P>: the cyclic group generated by the element P.
[u]P: u times the element P in the additive groups G1 and G2.
⌈x⌉: ceiling function, the smallest integer not less than x.
Example 2: ⌈7⌉ = 7, ⌈8.3⌉ = 9.
⌊x⌋: floor function, the largest integer not greater than x.
Example 3: ⌊7⌋ = 7, ⌊8.3⌋ = 8.
x‖y: the concatenation of x and y, where x and y are bit strings or byte strings.
[x,y]: the set of integers not smaller than x and not larger than y.
β: twist curve parameter.
5 Algorithm parameters and auxiliary functions
5.1 Overview
Chapter 6 specifies an identity-based digital signature algorithm implemented with elliptic curve pairings. The signer holds an identity and a corresponding signature private key; the signature private key is generated by the key generation center from the signature master private key combined with the signer's identity. The signer uses the signature private key to generate a digital signature on the data, and the verifier uses the signer's identity to verify the reliability of the signature. Before the signature generation and verification processes, a cryptographic hash function is applied to the message M to be signed and the message M' to be verified.
Chapter 7 specifies an identity-based key exchange protocol implemented with elliptic curve pairings. The initiator, user A, and the responder, user B, each hold an identity and a corresponding encryption private key; the encryption private key is generated by the key generation center from the encryption master private key combined with the user's identity. Through an exchange of messages, users A and B use their identities and their respective encryption private keys to agree on a secret key known only to them, and the two users can optionally perform key confirmation. This shared secret key is usually used in a symmetric cryptographic algorithm. The key exchange protocol can be used for key management and negotiation.
In modern cryptosystems, the key is an important parameter that controls the cryptographic transformation, and the security of the cryptosystem depends heavily on the protection of the key. The key encapsulation mechanism allows the encapsulator to generate a secret key and encrypt it to the target user; only the target user can decapsulate the secret key and use it as a further session key.
Chapter 8 specifies an identity-based key encapsulation mechanism implemented with elliptic curve pairings. The decapsulating user holds an identity and a corresponding encryption private key, which is generated by the key generation center from the encryption master private key combined with the decapsulating user's identity. The encapsulating user uses the decapsulating user's identity to generate a secret key and encrypt it to the other party, who decapsulates the secret key.
Chapter 9 specifies an identity-based public key encryption algorithm implemented with elliptic curve pairings. The public key encryption algorithm combines the key encapsulation mechanism above with a message encapsulation mechanism. The message encapsulation mechanism comes in two types, a stream cipher based on the key derivation function and a block cipher algorithm combined with the key derivation function, and provides message confidentiality. In the identity-based encryption algorithm, the decrypting user holds an identity and a corresponding encryption private key, which is generated by the key generation center from the encryption master private key combined with the decrypting user's identity. The encrypting user uses the decrypting user's identity to encrypt the data, and the decrypting user uses the encryption private key to decrypt the data.
Appendix A gives examples of digital signature algorithms, key exchange protocols, key encapsulation mechanisms, and public key encryption algorithms.
5.2 System parameter group
The system parameter group includes the curve identifier cid; the parameters of the base field Fq of the elliptic curve; the parameters a and b of the elliptic curve equation; the twist curve parameter β (if the lower 4 bits of cid are 2); the prime factor N of the curve order and the cofactor cf relative to N; the embedding degree k of the curve E(Fq) relative to N; the generator P1 of the cyclic subgroup G1 of order N of E(F_{q^d1}) (d1 divides k); the generator P2 of the cyclic subgroup G2 of order N of E(F_{q^d2}) (d2 divides k); the identifier eid of the bilinear pairing e; and (optionally) the homomorphism ψ from G2 to G1.
The range of the bilinear pairing e is the multiplicative cyclic group GT of order N.
For a detailed description of system parameters, see Appendix A in GB/T 38635.1-2020.
5.3 Helper functions
5.3.1 Overview
This section specifies the auxiliary functions involved in the identity-based cryptographic algorithms.
5.3.2 Cryptographic hash function
5.3.2.1 Cryptographic hash function Hv()
The output of the cryptographic hash function Hv() is a hash value exactly v bits long. This part specifies the use of a cryptographic hash function approved by the national cryptography administration; see GB/T 32905.
5.3.2.2 Cryptographic function H1()
The input of the cryptographic function H1(Z,n) is a bit string Z and an integer n, and the output is an integer h1 ∈ [1,n-1]. H1(Z,n) needs to call the cryptographic hash function Hv(), which shall comply with the provisions of 5.3.2.1.
Cryptographic function H1(Z,n):
Input: bit string Z, integer n.
Output: integer h1 ∈ [1,n-1].
The calculation steps are:
a) Initialize a 32-bit counter ct = 0x00000001.
b) Calculate hlen = 8×⌈(5×(log2 n))/32⌉.
c) For i from 1 to ⌈hlen/v⌉:
1) Calculate Ha_i = Hv(0x01‖Z‖ct);
2) ct++.
d) If hlen/v is an integer, let Ha!_⌈hlen/v⌉ = Ha_⌈hlen/v⌉;
otherwise, let Ha!_⌈hlen/v⌉ be the leftmost (hlen − (v×⌊hlen/v⌋)) bits of Ha_⌈hlen/v⌉.
e) Let Ha = Ha_1‖Ha_2‖…‖Ha_(⌈hlen/v⌉−1)‖Ha!_⌈hlen/v⌉, and convert the data type of Ha to an integer according to the details given in 7.2.3 of GB/T 38635.1-2020.
f) Calculate h1 = (Ha mod (n−1)) + 1.
5.3.2.3 Cryptographic function H2()
The input of the cryptographic function H2(Z,n) is a bit string Z and an integer n, and the output is an integer h2 ∈ [1,n-1]. H2(Z,n) needs to call the cryptographic hash function Hv(), which shall comply with the provisions of 5.3.2.1.
Cryptographic function H2(Z,n):
Input: bit string Z, integer n.
Output: integer h2 ∈ [1,n-1].
The calculation steps are:
a) Initialize a 32-bit counter ct = 0x00000001.
b) Calculate hlen = 8×⌈(5×(log2 n))/32⌉.
c) For i from 1 to ⌈hlen/v⌉:
1) Calculate Ha_i = Hv(0x02‖Z‖ct);
2) ct++.
d) If hlen/v is an integer, let Ha!_⌈hlen/v⌉ = Ha_⌈hlen/v⌉;
otherwise, let Ha!_⌈hlen/v⌉ be the leftmost (hlen − (v×⌊hlen/v⌋)) bits of Ha_⌈hlen/v⌉.
e) Let Ha = Ha_1‖Ha_2‖…‖Ha_(⌈hlen/v⌉−1)‖Ha!_⌈hlen/v⌉, and convert the data type of Ha to an integer according to the details given in 7.2.3 of GB/T 38635.1-2020.
f) Calculate h2 = (Ha mod (n−1)) + 1.
5.3.3 Random number generator
A random number generator in accordance with GB/T 32915 should be used.
5.3.4 Block cipher algorithm
The block cipher algorithm comprises the encryption algorithm Enc(K1,m) and the decryption algorithm Dec(K1,c). Enc(K1,m) encrypts the plaintext m with the key K1 and outputs the ciphertext bit string c; Dec(K1,c) decrypts the ciphertext c with the key K1 and outputs the plaintext bit string m or "error". The bit length of the key K1 is denoted K1_len.
A block cipher algorithm approved by the national cryptography administration should be used.
5.3.5 Message authentication code function
The purpose of the message authentication code function MAC(K2,Z) is to prevent the message data Z from being illegally tampered with. Under the control of the key K2, it produces the authentication code of the message data bit string Z; the bit length of the key K2 is denoted K2_len. In the identity-based encryption algorithm of this part, the message authentication code function uses a key generated by the key derivation function to compute the message authentication code of the ciphertext bit string, so that the decryptor can authenticate the source of the message and verify the integrity of the data.
The message authentication code function needs to call the cryptographic hash function.
Let the cryptographic hash function be Hv(), whose output is a hash value exactly v bits long.
Message authentication code function MAC(K2,Z):
Input: bit string K2 (a key with a bit length of K2_len), bit string Z (the message whose message authentication code is to be obtained).
Output: message authentication code data bit string K of length v, K = Hv(Z‖K2).
5.3.6 Key derivation function
The purpose of the key derivation function is to derive key data from a shared secret bit string. During key agreement, the key derivation function acts on the shared secret bit string obtained by the key exchange to generate the required session key or the key data required for further encryption.
The key derivation function needs to call the cryptographic hash function.
Let the cryptographic hash function be Hv(), whose output is a hash value exactly v bits long.
Key derivation function KDF(Z,klen):
Input: bit string Z (data shared by both parties), integer klen [the bit length of the key data to be obtained; the value is required to be less than (2^32 − 1)v].
Output: the key data bit string K of length klen.
The calculation steps are:
a) Initialize a 32-bit counter ct = 0x00000001.
b) For i from 1 to ⌈klen/v⌉:
1) Calculate Ha_i = Hv(Z‖ct);
2) ct++.
c) If klen/v is an integer, let Ha!_⌈klen/v⌉ = Ha_⌈klen/v⌉;
otherwise, let Ha!_⌈klen/v⌉ be the leftmost (klen − (v×⌊klen/v⌋)) bits of Ha_⌈klen/v⌉.
6 Digital signature generation and verification algorithms and processes
6.1 Generation of system signature master key and user signature key
KGC generates a random number ks ∈ [1, N-1] as the signature master private key and calculates the element Ppub-s = [ks]P2 in G2 as the signature master public key; the signature master key pair is (ks, Ppub-s). KGC keeps ks secret and publishes Ppub-s.
KGC selects and publishes the signature private key generation function identifier hid, expressed in one byte.
User A's identity is IDA. To generate user A's signature private key dsA, KGC first calculates t1 = H1(IDA‖hid, N) + ks over the finite field FN. If t1 = 0, the signature master private key must be regenerated, the signature master public key calculated and published, and the signature private key updated; otherwise, KGC calculates t2 = ks·t1^(−1), then dsA = [t2]P1.
6.2 Digital signature generation algorithm
Let the message to be signed be the bit string M. To obtain the digital signature (h, S) of the message M, user A as the signer should perform the following calculation steps.
A1: Calculate the element g = e(P1, Ppub-s) in the group GT;
A2: Generate a random number r ∈ [1, N-1];
A3: Calculate the element w = g^r in the group GT, and convert the data type of w to a bit string according to the details given in 7.2.6 and 7.2.5 of GB/T 38635.1-2020;
A4: Calculate the integer h = H2(M‖w, N);
A5: Calculate the integer l = (r − h) mod N; if l = 0, return to A2;
A6: Calculate the element S = [l]dsA in the group G1;
A7: Convert the data type of h to a byte string according to the details given in 7.2.2 of GB/T 38635.1-2020, and convert the data type of S to a byte string according to the details given in 7.2.8 of GB/T 38635.1-2020; the signature of message M is (h, S).
6.3 Digital signature generation algorithm process
The digital signature generation algorithm flow is shown in Figure 1.
Figure 1 Digital signature generation algorithm process
6.4 Digital signature verification algorithm
To verify the received message M' and its digital signature (h', S'), user B as the verifier should perform the following calculation steps.
B1: Convert the data type of h' to an integer according to the details given in 7.2.3 of GB/T 38635.1-2020, and check whether h' ∈ [1, N-1] holds; if it does not, the verification fails;
B2: Convert the data type of S' to a point on the elliptic curve according to the details given in 7.2.9 of GB/T 38635.1-2020, and check whether S' ∈ G1 holds according to the details given in 5.5 of GB/T 38635.1-2020; if it does not, the verification fails;
B3: Calculate the element g = e(P1, Ppub-s) in the group GT;
B4: Calculate the element t = g^h' in the group GT;
B5: Calculate the integer h1 = H1(IDA‖hid, N);
B6: Calculate the element P = [h1]P2 + Ppub-s in the group G2;
B7: Calculate the element u = e(S', P) in the group GT;
B8: Calculate the element w' = u·t in the group GT, and convert the data type of w' to a bit string according to the details given in 7.2.6 and 7.2.5 of GB/T 38635.1-2020;
B9: Calculate the integer h2 = H2(M'‖w', N) and check whether h2 = h' holds; if it does, the verification passes; otherwise, the verification fails.
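Why step B9 can compare h2 with h', worked through with the symbols of 6.1, 6.2 and 6.4 (an added derivation, not part of the standard's text). It takes t1 = H1(IDA‖hid,N) + ks, t2 = ks·t1^(−1) mod N, l = (r − h) mod N and P = [h1]P2 + Ppub-s, and uses only the bilinearity of e:

$$
\begin{aligned}
g &= e(P_1, P_{pub\text{-}s}) = e(P_1, [ks]P_2) = e(P_1, P_2)^{ks},\\
P &= [h_1]P_2 + P_{pub\text{-}s} = [h_1 + ks]P_2 = [t_1]P_2,\\
u &= e(S', P) = e([l\,t_2]P_1, [t_1]P_2) = e(P_1, P_2)^{l\,t_2\,t_1} = e(P_1, P_2)^{l\cdot ks} = g^{l},\\
w' &= u \cdot t = g^{l}\cdot g^{h'} = g^{(r-h)+h'} = g^{r} = w \quad \text{when } h' = h .
\end{aligned}
$$

For an unmodified signature on M' = M this gives w' = w and therefore h2 = H2(M'‖w',N) = h'. The verifier needs only IDA, hid and the public Ppub-s; the step t2·t1 ≡ ks (mod N) is where the KGC-issued key dsA = [t2]P1 binds the signature to the identity.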
6.5 Digital signature verification algorithm process
The digital signature verification algorithm flow is shown in Figure 2.
Figure 2 Digital signature verification algorithm process
7 Key exchange protocol and process
7.1 Generation of system encryption master key and user encryption key
KGC generates a random number ke ∈ [1, N-1] as the encryption master private key and calculates the element Ppub-e = [ke]P1 in G1 as the encryption master public key; the encryption master key pair is (ke, Ppub-e). KGC keeps ke secret and publishes Ppub-e.
KGC selects and publishes the encryption private key generation function identifier hid expressed in one byte.
The identities of user A and user B are IDA and IDB, respectively. To generate user A's encryption private key deA, KGC first calculates t1 = H1(IDA‖hid, N) + ke over the finite field FN; if t1 = 0, you need to regenerate the encryption master private key, calculate and publicize the encry...