Standards related to:

GM/T 0080-2020GM/T 0080-2020

GM

CRYPTOGRAPHY INDUSTRY STANDARD

OF THE PEOPLE’S REPUBLIC OF CHINA

ICS 38.040

CCS L 80

SM9 Cryptographic Algorithm Application Specification

ISSUED ON: DECEMBER 28, 2020

IMPLEMENTED ON: JULY 01, 2021

Issued by: State Cryptography Administration

Table of Contents

Foreword ... 4

Introduction ... 5

1 Scope ... 6

2 Normative References ... 6

3 Terms and Definitions ... 6

4 Abbreviations ... 7

5 SM9 Key Pair ... 8

5.1 Generator ... 8

5.2 SM9 master private key... 8

5.3 SM9 master public key ... 8

5.4 SM9 user private key ... 9

5.5 SM9 user public key ... 9

6 Data Format ... 9

6.1 Key data structure ... 9

6.2 Signature data structure ... 11

6.3 Encryption data structure ... 11

6.4 Key encapsulation data format ... 12

7 Pre-processing ... 12

7.1 Pre-processing hash function H1 ... 12

7.2 Pro-processing hash function H2 ... 12

7.3 Pre-processing pair calculation e ... 13

7.4 Pre-processing user’s signature verification QD ... 13

7.5 Pre-processing user’s encryption QE ... 14

8 Calculation Process ... 14

8.1 Key generation ... 14

8.2 Digital signature ... 16

8.3 Signature verification ... 16

8.4 Key encapsulation ... 17

8.5 Key unsealing ... 17

8.6 Encryption ... 18

8.7 Decryption ... 18

8.8 Key agreement ... 19

SM9 Cryptographic Algorithm Application Specification

1 Scope

This Document defines the application method of SM9 cryptographic algorithm, as well

as data formats such as keys, encryption, and signatures, etc.

This Document is applicable to the application of SM9 cryptographic algorithm, and

the development and testing of equipment and systems that support SM9

cryptographic algorithm.

2 Normative References

The following documents are essential to the application of this Document. For the

dated documents, only the versions with the dates indicated are applicable to this

Document; for the undated documents, only the latest version (including all the

amendments) is applicable to this Document.

GB/T 32905 Information Security Technology - SM3 Cryptographic Hash

Algorithm

GB/T 32907 Information Security Techno1ogy - SM4 Block Cipher Algorithm

GB/T 32918 (all parts) Information Security Technology - Public Key

Cryptographic Algorithm SM2 Based on Elliptic Curves

GB/T 38635.1-2020 Information Security Technology - Identity-Based

Cryptographic Algorithms SM9 - Part 1: General

GB/T 38635.2-2020 Information Security Technology - Identity-Based

Cryptographic Algorithms SM9 - Part 2: Algorithm

3 Terms and Definitions

For the purpose of this Document, the following terms and definitions apply.

3.1 Algorithm identifier

Digitized information that is used to indicate algorithmic mechanisms.

3.2 SM9 algorithm

PPS: Public Parameter Service.

5 SM9 Key Pair

5.1 Generator

The Generator P1 point on G1 is marked as (xp1, yP1); and the ASN.1 of the data format

is defined as SM9P1::=BIT STRING; the type is BIT STRING; and its content is:

04‖X1‖Y1, where X1 and Y1 respectively identify the x component and y component

of the point; and each component has a length of 256 bits.

The Generator P2 point on G2 is marked as (xp2, yP2); and the ASN.1 of the data format

is defined as SM9P2::=BIT STRING; the type is BIT STRING; and its content is:

04‖X1‖X2‖Y1‖Y2, where X1, X2 and Y1, Y2 respectively identify the x component

and y component of the public key; and each component has a length of 256 bits, or

03‖X1‖X2, where X1 and X2 respectively identify each x component of the public key;

and each component has a length of 256 bits. Select the value whose rightmost bit is

1 in the decompressed Y root value (Y1‖Y2). After the restoration, the rightmost bit of

the Y root value shall be 1; otherwise, Y1=base field q - root Y1, Y2=base field q - root

Y2. or

02‖X1‖X2, where X1 and X2 respectively identify the 2 x components of the public

key; and each component has a length of 256 bits. Select the option value whose

rightmost bit is 0 in the decompressed Y root value (Y1‖Y2). After the restoration, the

Y root value takes the option value whose rightmost bit is 0, otherwise Y1=base field q

- root Y1, Y2=base field q - root Y2.

5.2 SM9 master private key

It includes the SM9 signature master private key and the encryption master private key;

both are an integer greater than or equal to 1 and less than N-1 (N is the order of the

cyclic group G1, G2, and GT, and its value is shown in Appendix A.1 of GB/T 38635.2-

2020), abbreviated as s, with the length of 256 bits.

5.3 SM9 master public key

It includes SM9 signature master public key Ppub2 and encryption master public key

Ppub1. They are points on G2 and G1; and the coordinates are expressed as (xSPub,

ySPub) and (xEPub, yEPub). Thereof, the x and y coordinates of the signature master public

key also contain two components, namely x1 component and x2 component, y1

component and y2 component, and the length of each component is 256 bits. The

length of the x and y coordinates of the encryption master public key are both 256 bits.

5.4 SM9 user private key

It includes SM9 user signature private key and user encryption private key, which are

points on G1 and G2 respectively; and the coordinates are expressed as (xSPri, ySPri)

and (xEPri, yEPri). The length of the x and y coordinates of the user signature key are

both 256 bits. The x and y coordinates of the user's encryption private key also contain

two components, namely x1 component and x2 component, y1 component and y2

component, and the length of each component is 256 bits.

5.5 SM9 user public key

In IBC technology, the user identification ID can uniquely determine the user's public

key, which represents the public key in applications. The representation of ID

coordinates based on bilinear pairing can be divided into user signature public key

coordinates and user encryption public key coordinates. The user signature public key

and the signature master public key are of the same coordinate structure; and there

are two respective components on the x and y coordinates, which are marked as QS;

and user encryption public key and the encryption master public key are of the same

coordinate structure, which is marked as QE.

NOTE: Here is how to generate the user's public key coordinates.

Input: Algorithm function H, userID, hid, master public key Ppubi, generator Pi i=1,2.

Output: User public key QA.

Calculation method:

, signature public key coordinates are

used for signature/verification of signature.

, encryption public key coordinates are

used for key encapsulation, encryption/decryption.

6 Data Format

6.1 Key data structure

The key is divided into signature/encryption master key, and signature/encryption user

key:

a) The ASN.1 of data format of SM9 algorithm signature master private key is

defined as:

...