GM/T 0003.4-2012

GM

CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 35.040

L 80

File No.: 36829-2012

Public key cryptographic algorithm SM2 based on elliptic curves - Part 4: Public key encryption algorithm

ISSUED ON: MARCH 21, 2012

IMPLEMENTED ON: MARCH 21, 2012

Issued by: State Cryptography Administration

Table of Contents

Foreword

Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Symbols

5 Algorithm parameters and auxiliary functions

5.1 General

5.2 Elliptic curve system parameters

5.3 User key-pair

5.4 Auxiliary functions

5.4.1 General

5.4.2 Cryptographic hash function

5.4.3 Key derivation function

5.4.4 Random number generator

6 Encryption algorithm and flow

6.1 Encryption algorithm

6.2 Encryption algorithm flow

7 Decryption algorithm and flow

7.1 Decryption algorithm

7.2 Decryption algorithm flow

Annex A (Informative) Examples of message encryption and decryption

A.1 General requirements

A.2 Message encryption and decryption of an elliptic curve on

A.3 Message encryption and decryption of an elliptic curve on

Foreword

GM/T 0003-2012 Public key cryptographic algorithm SM2 based on elliptic curves is divided into 5 parts:

— Part 1: General;

— Part 2: Digital signature algorithm;

— Part 3: Key exchange protocol;

— Part 4: Public key encryption algorithm;

— Part 5: Parameter definition.

This is Part 4 of GM/T 0003-2012.

This Part was drafted in accordance with the rules given in GB/T 1.1-2009.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.

Annex A of this Part is an informative annex.

This Part was proposed by and shall be under the jurisdiction of State Cryptography Administration.

Drafting organizations of this Part: Beijing Huada Information Safety Technology Co., Ltd, PLA Information Engineering University, Data Assurance and Communication Security Research Center of Chinese Academy of Sciences.

Main drafters of this Part: Chen Jianhua, Zhu Yuefei, Ye Dingfeng, Hu Lei, Pei Dingyi, Peng Guohua, Zhang Yajuan, Zhang Zhenfeng.

Public key cryptographic algorithm SM2 based on elliptic curves - Part 4: Public key encryption algorithm

1 Scope

This Part of GM/T 0003 specifies the public key encryption algorithm for the public key cryptographic algorithm SM2 based on elliptic curves, and gives an example of message encryption and decryption as well as the corresponding flow.

This Part is applicable to message encryption and decryption in commercial cryptographic applications. The message sender may use the receiver’s public key to encrypt the message; the receiver decrypts the message using the corresponding private key. This Part also provides manufacturers of security products with a standard positioning and a standardized reference for products and technologies, to enhance the reliability and interoperability of security products.

2 Normative references

The following documents are essential to the application of this document. For dated references, only the editions with the dates indicated are applicable to this document. For undated references, only the latest editions (including all the amendments) are applicable to this document.

GM/T 0003.1-2012 Public key cryptographic algorithm SM2 based on elliptic curves - Part 1: General

3 Terms and definitions

The following terms and definitions are applicable to this document.

3.1 Secret key

A key that is shared by both sender and receiver but not known by any third party in the cryptographic system.

3.2 Message

$\underbrace{P + P + \cdots + P}_{k}$, where $k$ is a positive integer.

$[x, y]$: The set of integers greater than or equal to $x$ and less than or equal to $y$.

$\lceil x \rceil$: Ceiling function, the minimal integer greater than or equal to $x$. For instance, $\lceil 7 \rceil = 7$, $\lceil 8.3 \rceil = 9$.

$\lfloor x \rfloor$: Floor function, the maximal integer less than or equal to $x$. For instance, $\lfloor 7 \rfloor = 7$, $\lfloor 8.3 \rfloor = 8$.

$\#E(F_q)$: Number of points on $E(F_q)$, called the order of the elliptic curve $E(F_q)$.

5 Algorithm parameters and auxiliary functions

5.1 General

The public key encryption algorithm requires the sender to use the receiver’s public key to encrypt the message into ciphertext. The receiver uses his own private key to decrypt the received ciphertext, thus recovering the original message.

5.2 Elliptic curve system parameters

The elliptic curve system parameters include the size $q$ of the finite field $F_q$ (when $q = 2^m$, also the identifier of the element representation and the reduction polynomial); two elements $a, b \in F_q$ of the equation that defines the elliptic curve $E(F_q)$; the base point $G = (x_G, y_G)$ ($G \neq O$) on $E(F_q)$, where $x_G$ and $y_G$ are two elements in $F_q$; the order $n$ of $G$ and other options (such as the cofactor $h$ of $n$, etc.).

The elliptic curve system parameters and the verification thereof shall meet the requirements of Chapter 5 in GM/T 0003.1-2012.

5.3 User key-pair

User B’s key-pair includes the private key $d_B$ and the public key $P_B = [d_B]G$.

The generation algorithm of the user key-pair and the verification algorithm of the public key shall meet the requirements of Chapter 6 in GM/T 0003.1-2012.

5.4 Auxiliary functions

5.4.1 General

The public key encryption algorithm based on elliptic curves specified in this

B1. TAKE out the bit string $C_1$ from $C$; CONVERT the data type of $C_1$ to a point on the elliptic curve, in accordance with the methods given in 4.2.4 and 4.2.10 of GM/T 0003.1-2012; VERIFY whether $C_1$ satisfies the elliptic curve equation; if not, REPORT an error and EXIT;

B2. CALCULATE the point $S = [h]C_1$ on the elliptic curve; if $S$ is the point at infinity, REPORT an error and EXIT;

B3. CALCULATE $[d_B]C_1 = (x_2, y_2)$; CONVERT the data type of the coordinates $x_2$ and $y_2$ to a bit string, in accordance with the methods given in 4.2.6 and 4.2.5 of GM/T 0003.1-2012;

B4. CALCULATE $t = KDF(x_2 \parallel y_2, klen)$; if $t$ is an all-zero bit string, REPORT an error and EXIT;

B5. TAKE out the bit string $C_2$ from $C$; CALCULATE $M' = C_2 \oplus t$;

B6. CALCULATE $u = Hash(x_2 \parallel M' \parallel y_2)$; TAKE out the bit string $C_3$ from $C$; if $u \neq C_3$, REPORT an error and EXIT;

B7. OUTPUT the plaintext $M'$.

NOTE: See Annex A for an example of the decryption process.
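Steps B1 to B7 with their rejection points, as an added Python example that is not part of the standard. Assumptions: a constructed toy curve over F_17, SHA-256 standing in for the hash function, a counter-mode KDF (5.4.3 is not reproduced on this page), points passed as integer tuples instead of the 4.2.x encodings, and lengths counted in bytes; `encrypt` exists only to build input for `decrypt`.

```python
import hashlib, hmac
# Constructed toy curve y^2 = x^3 + 2x + 2 over F_17 (no security): G has prime order 19,
# cofactor h = 1. None is the point at infinity O. SHA-256 is a stand-in for Hash.
P, A, B, G, H = 17, 2, 2, (5, 1), 1

def on_curve(Q):
    return all(0 <= v < P for v in Q) and (Q[1] ** 2 - Q[0] ** 3 - A * Q[0] - B) % P == 0

def add(Q, R):
    if Q is None or R is None:
        return R if Q is None else Q
    if Q[0] == R[0] and (Q[1] + R[1]) % P == 0:
        return None
    num, den = (3 * Q[0] ** 2 + A, 2 * Q[1]) if Q == R else (R[1] - Q[1], R[0] - Q[0])
    lam = num * pow(den, -1, P) % P
    x = (lam * lam - Q[0] - R[0]) % P
    return x, (lam * (Q[0] - x) - Q[1]) % P

def mul(k, Q):
    R = None
    while k:
        R, Q, k = (add(R, Q) if k & 1 else R), add(Q, Q), k >> 1
    return R

def kdf(z, klen):  # assumed counter-mode form: Hash(z || 32-bit counter from 1); klen in bytes
    blocks = (hashlib.sha256(z + i.to_bytes(4, "big")).digest() for i in range(1, klen // 32 + 2))
    return b"".join(blocks)[:klen]

def secret(k, Q):  # coordinates of [k]Q as fixed-length byte strings (1 byte each over F_17)
    return tuple(v.to_bytes(1, "big") for v in mul(k, Q))

def encrypt(pub, k, m):  # sender side with caller-chosen k, only to build input for decrypt()
    x2, y2 = secret(k, pub)
    c2 = bytes(a ^ b for a, b in zip(m, kdf(x2 + y2, len(m))))
    return mul(k, G), c2, hashlib.sha256(x2 + m + y2).digest()

def decrypt(d, c):
    c1, c2, c3 = c
    if c1 is None or not on_curve(c1):
        raise ValueError("B1: C1 is not a point on the curve")
    if mul(H, c1) is None:
        raise ValueError("B2: [h]C1 is the point at infinity")
    x2, y2 = secret(d, c1)                      # B3
    t = kdf(x2 + y2, len(c2))                   # B4
    if not any(t):
        raise ValueError("B4: t is all zero")
    m = bytes(a ^ b for a, b in zip(c2, t))     # B5
    if not hmac.compare_digest(hashlib.sha256(x2 + m + y2).digest(), c3):
        raise ValueError("B6: u != C3")
    return m                                    # B7
```

The B1 check runs before the private key touches $C_1$, and the plaintext is released only after the B6 comparison succeeds.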

7.2 Decryption algorithm flow

The decryption algorithm flow is illustrated in Figure 2.

...