OSCCA Extensions For OpenPGP

Authors:

   Ribose, Suite 1111, 1 Pedder Street, Central, Hong Kong
   ronald.tse@ribose.com, https://www.ribose.com

   Hang Seng Management College, Hang Shin Link, Siu Lek Yuen, Shatin,
   New Territories, Hong Kong
   wongwk@hsmc.edu.hk, https://www.hsmc.edu.hk
This document enables OpenPGP (RFC4880) usage in a manner compliant
with OSCCA regulations for use within China. Specifically, it extends
OpenPGP to support the SM2, SM3 and SM4 algorithms.

SM2, SM3 and SM4 are cryptographic standards issued by the
Organization of State Commercial Administration of China (OSCCA) as
authorized cryptographic algorithms for use within China. These
algorithms are published openly.

Adoption of this document enables exchange of OpenPGP-secured email in
an OSCCA-compliant manner through usage of the authorized combination
of SM2, SM3 and SM4.
SM2 is a set of public key cryptographic algorithms based on elliptic
curves that include:

   o  Digital Signature Algorithm
   o  Key Exchange Protocol
   o  Public Key Encryption Algorithm

SM3 is a hash algorithm designed for electronic authentication
purposes.

SM4 is a symmetric encryption algorithm designed for data encryption.
This document extends OpenPGP [RFC4880] and its ECC extension
[RFC6637] to support SM2, SM3 and SM4. Specifically, it:

   o  supports the SM3 hash algorithm for data validation purposes;
   o  supports signatures utilizing the combination of SM3 with other
      digital signing algorithms, such as RSA and SM2;
   o  supports the SM2 asymmetric encryption algorithm for public key
      operations;
   o  supports usage of SM2 in combination with supported hash
      algorithms, such as SHA-256 and SM3;
   o  supports the SM4 symmetric encryption algorithm for data
      protection purposes; and
   o  defines the OpenPGP "OSCCA-compliant profile" to enable usage of
      OpenPGP in an OSCCA-compliant manner.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Compliant applications are a subset of the broader set of OpenPGP
applications described in [RFC4880]. Any keyword within this document
applies to compliant applications only.
All algorithms used for encryption and signatures are compliant with
OSCCA regulations.
SM2 consists of:

   o  the elliptic curve digital signature algorithm defined in SM2
      Part 2;
   o  the elliptic curve key exchange protocol defined in SM2 Part 3;
      and
   o  the public key encryption algorithm defined in SM2 Part 4.

SM2 is an elliptic curve based cryptosystem (ECC) designed by Xiaoyun
Wang et al. and published by OSCCA. The SM2 cryptosystem is composed
of three distinct algorithms:

   o  an elliptic curve digital signature algorithm ("SM2DSA");
   o  a key exchange protocol ("SM2KEP"); and
   o  a public key encryption algorithm ("SM2PKE").

This document refers to all three algorithms in the context of
OpenPGP usage.
The SM2 Digital Signature Algorithm is intended for digital signing
and verification in commercial cryptographic applications, including,
but not limited to:

   o  identity authentication;
   o  protection of data integrity; and
   o  verification of data authenticity.

The signing and verification processes, along with examples, are found
in SM2 Part 2.

In OpenPGP, SM2DSA is an alternative to the ECDSA algorithm specified
in [RFC6637].

SM2DSA has been cryptanalyzed to a certain extent; the strongest
attacks known at the time of writing are nonce and lattice attacks.
These target implementations that leak, share or fault the
per-signature nonce rather than the algorithm itself, so an
implementation needs a fresh, cryptographically strong nonce for every
signature and protection against fault injection.
The SM2 Key Exchange Protocol is used for cryptographic key exchange,
allowing the negotiation and exchange of a session key within two to
three message transfers. The process of key exchange and verification,
along with examples, is found in SM2 Part 3.

SM2KEP is not used with OpenPGP: it is an interactive two- to
three-pass key exchange, whereas in OpenPGP the recipients' public
keys are available in advance and encryption is a non-interactive,
one-pass operation.

SM2KEP is now considered insecure due to the findings in "Comments on
the SM2 Key Exchange Protocol", similar in status to the Unified Model
and MQV schemes described in NIST SP 800-56A Rev. 2.
The SM2 Public Key Encryption algorithm is an elliptic curve (ECC)
based asymmetric encryption algorithm. It is used for cryptographic
encryption and decryption: the message sender uses the public key of
the message receiver to encrypt the message, and the recipient
decrypts the message using their private key.

The full description of SM2PKE is provided in SM2 Part 4. It uses a
256-bit private key and a public key that is a point on the curve,
i.e. two 256-bit coordinates (512 bits in total). The processes of
encryption and decryption, along with examples, are found in SM2
Part 4.

In OpenPGP, SM2PKE is an alternative to the RSA encryption algorithm
specified in [RFC4880].
The recommended curve is specified in SM2 Part 5 and provided here for
reference. SM2 uses a 256-bit elliptic curve E over the prime field
F_q, defined by

   y^2 = x^3 + ax + b

with the following parameters:

   Parameter   Description
   q           prime modulus of the field F_q (a number larger than 3)
   a, b        elements of F_q that define the elliptic curve E on F_q
   n           order of the base point G (n is a prime factor of
               #E(F_q))
   xG          x-coordinate of the generator G
   yG          y-coordinate of the generator G
The SM3 Cryptographic Hash Algorithm is an iterated hash function
designed by Xiaoyun Wang et al. and published by OSCCA as an
alternative to SHA-2 [FIPS 180-4].

The algorithm is designed to be used for various commercial
cryptographic applications including, but not limited to:

   o  digital signatures and their verification;
   o  message authentication code generation and verification; and
   o  generation of random numbers.

According to the authors, SM3 is designed with a Merkle-Damgård
construction and is very similar to SHA-2 of the MD4 family, with the
addition of several strengthening features such as a more complex step
function and stronger message dependency than SHA-256.

SM3 produces a 256-bit hash value from 512-bit input message blocks,
for input messages of fewer than 2^64 bits. The specification of SM3
is given in the OSCCA SM3 standard.
SM4 is a symmetric encryption algorithm designed by Shuwang Lu et al.
in 2006 as SMS4, and officially published by the OSCCA in 2012 as SM4.
The algorithm is publicly described in "GM/T 0002-2012 SM4 Block Cipher
Algorithm Standard", and is used in WAPI (WLAN Authentication and
Privacy Infrastructure), the Chinese national standard for wireless
LAN security.

SM4 is a block cipher with a 128-bit block size and a 128-bit key, and
internally uses a single 8-bit S-box. It performs 32 rounds per block;
decryption applies the same round function with the round keys in
reverse order.
The SM2 algorithm is supported with the following extension. The
following public key algorithm ID is added to expand Section 9.1 of
[RFC4880], "Public-Key Algorithms":

   ID      Description of Algorithm
   TBD     SM2

Compliant applications MUST support both usages of SM2:

   o  SM2 Digital Signature Algorithm (SM2DSA)
   o  SM2 Public Key Encryption (SM2PKE)

The SM4 algorithm is supported with the following extension. The
following symmetric encryption algorithm ID is added to expand Section
9.2 of [RFC4880], "Symmetric-Key Algorithms":

   ID      Description of Algorithm
   TBD     SM4

Compliant applications MUST support SM4.

The SM3 algorithm is supported with the following extension. The
following hash algorithm ID is added to expand Section 9.3 of
[RFC4880], "Hash Algorithms":

   ID      Description of Algorithm
   TBD     SM3

Compliant applications MUST support SM3.
The encoding method of Section 6 of [RFC6637] MUST be used; it is
compatible with the uncompressed point encoding of SEC 1. For clarity,
under the EC point MPI encoding of [RFC6637] a public point is encoded
as 0x04 || x || y, which is 65 octets for the "SM2 Recommended"
256-bit curve. The MPI bit count starts at the highest set bit of the
0x04 prefix, so the exact MPI bit length for an SM2 Recommended point
is always 3 + 256 + 256 = 515 bits, regardless of leading zero bits
in x.
A key derivation function (KDF) is necessary to implement EC
encryption. The SM2PKE KDF is defined in Section 5.4.3 of SM2 Part 4
(originally Section 3.4.3 of the earlier SM2 publication) and SHOULD
be used in conjunction with an OSCCA-approved hash algorithm, such as
SM3. Its notation, inputs and output are summarized here for
convenience.
   Notation:  H_v() is a hash function that outputs a v-bit long hash
              value.
   Input:     a bit stream Z, and the length klen of the output key
              (an integer less than (2^32 - 1) x v).
   Output:    a key K of length klen.

The following algorithm-specific fields are added to Section 5.5.2 of
[RFC4880], "Public-Key Packet Formats", to support SM2DSA and SM2PKE.
This document extends the algorithm-specific portion with the following
fields.
Algorithm-Specific Fields for SM2DSA keys:

   o  a variable-length field containing a curve OID, formatted as
      follows:
      -  a one-octet size of the following field; values 0 and 0xFF
         are reserved for future extensions
      -  octets representing a curve OID, described in Section 11
   o  MPI of an EC point representing a public key

Algorithm-Specific Fields for SM2PKE keys:

   o  a variable-length field containing a curve OID, formatted as
      follows:
      -  a one-octet size of the following field; values 0 and 0xFF
         are reserved for future extensions
      -  octets representing a curve OID, described in Section 11
   o  MPI of an EC point representing a public key
   o  a variable-length field containing KDF parameters, formatted as
      follows:
      -  a one-octet size of the following fields; values 0 and 0xFF
         are reserved for future extensions
      -  a one-octet value 01, reserved for future extensions
      -  a one-octet hash function ID used with the KDF

An SM2PKE public key is composed of the same sequence of fields that
define an SM2DSA key, plus the KDF parameters field.
The following algorithm-specific fields are added to Section 5.5.3 of
[RFC4880], "Secret-Key Packet Formats", to support SM2DSA and SM2PKE.
This document extends the algorithm-specific portion with the following
fields.

Algorithm-Specific Fields for SM2DSA or SM2PKE secret keys:

   o  an MPI of an integer representing the secret key, which is a
      scalar of the public EC point

Section 5.1 of [RFC4880], "Public-Key Encrypted Session Key Packets
(Tag 1)", is extended to support SM2PKE using the following
algorithm-specific fields, with the KDF described above applied.

Algorithm-Specific Fields for SM2 encryption:

   o  MPI of the SM2 encrypted value C = (C1 || C2 || C3), described in
      step A2 of Section 7.2.1 of the SM2 public key encryption
      specification
   o  a one-octet number giving the hash algorithm used for the
      calculation of C3, described in step A7 of Section 7.2.1 of the
      SM2 public key encryption specification

Section 5.2.2 of [RFC4880] defines the "Version 3 Signature Packet
Format". As with ECDSA [RFC6637], no change to this format is necessary
for SM2DSA.

Section 5.2.3 of [RFC4880] defines the "Version 4 Signature Packet
Format". As with ECDSA [RFC6637], no change to this format is necessary
for SM2DSA.
This section provides the "SM2 Recommended Curve" described in SM2
Part 5, encoded according to the method of [RFC6637].

The named curves are referenced in this document as a sequence of
bytes, called the curve OID throughout. Section 11 describes in detail
how this sequence of bytes is formed.

The parameter curve OID is an array of octets that defines a named
curve. The table below specifies the exact sequence of bytes for each
named curve referenced in this document:

   ASN.1 Object Identifier  OID len  Curve OID bytes (hex)     Curve name
   1.2.156.10197.1.301      8        2A 81 1C CF 55 01 82 2D   SM2 Recommended

The sequence of octets in the third column is the result of applying
the Distinguished Encoding Rules (DER) to the ASN.1 Object Identifier
and then truncating the result. The truncation removes the first two
fields of the encoded Object Identifier: the one-octet Object
Identifier tag, followed by the one-octet length of the Object
Identifier body.

The complete ASN.1 DER encoding for the SM2 Recommended curve OID is
"06 08 2A 81 1C CF 55 01 82 2D", from which the entry in the table
above is constructed by omitting the first two octets. Only the
truncated sequence of octets is the valid representation of a curve
OID.
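The following added example (not code from the draft) ties together the curve OID field of this section, the MPI point encoding (the 515-bit figure given earlier) and the algorithm-specific public-key fields defined above for SM2DSA and SM2PKE keys. It derives the curve OID bytes from the dotted form 1.2.156.10197.1.301 and checks them against the hex in the table, then builds and parses the field sequence for both key types. Because the hash ID for SM3 is still TBD, the KDF parameters use SHA-256 (ID 8 from RFC 4880) as a placeholder; that value is an assumption of this example only.

```python
# Added example, not part of the draft: the curve-OID field, the RFC 4880 MPI
# encoding of an EC point, and the algorithm-specific public-key fields for
# SM2DSA / SM2PKE keys.  The KDF hash ID defaults to SHA-256 (8, RFC 4880)
# purely as a placeholder because the SM3 hash ID is TBD.
SM2_OID_DOTTED = "1.2.156.10197.1.301"
SM2_OID_DRAFT_HEX = "2A811CCF5501822D"        # truncated DER, from the table
# Generator of the SM2 Recommended curve, used here as a sample public point
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0

def oid_body(dotted: str) -> bytes:
    """Base-128 OID content octets, i.e. DER without the 0x06 tag and length."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for val in values:
        chunk = [val & 0x7F]
        val >>= 7
        while val:
            chunk.append(0x80 | (val & 0x7F))
            val >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def oid_der(dotted: str) -> bytes:
    """Full DER encoding: tag 0x06, short-form length, content octets."""
    body = oid_body(dotted)
    assert len(body) < 128
    return b"\x06" + bytes([len(body)]) + body

def mpi_encode(value: bytes) -> bytes:
    """RFC 4880 Section 3.2 MPI: two-octet bit count, then the value's octets."""
    n = int.from_bytes(value, "big")
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def mpi_decode(buf: bytes, off: int = 0):
    bits = int.from_bytes(buf[off:off + 2], "big")
    end = off + 2 + (bits + 7) // 8
    return buf[off + 2:end], end

def ec_point_bytes(x: int, y: int) -> bytes:
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def sm2_public_key_fields(x: int, y: int, pke: bool = False, kdf_hash_id: int = 8) -> bytes:
    """curve OID field || MPI(point) [|| KDF params] as defined for SM2DSA / SM2PKE."""
    oid = oid_body(SM2_OID_DOTTED)
    assert 0 < len(oid) < 0xFF                      # 0 and 0xFF are reserved
    fields = bytes([len(oid)]) + oid + mpi_encode(ec_point_bytes(x, y))
    if pke:
        fields += bytes([3, 1, kdf_hash_id])        # size=3, reserved 01, hash ID
    return fields

def parse_sm2_public_key_fields(buf: bytes, pke: bool = False):
    """Inverse of sm2_public_key_fields; rejects reserved sizes and bad points."""
    oid_len = buf[0]
    if oid_len in (0, 0xFF):
        raise ValueError("reserved curve OID length")
    oid = buf[1:1 + oid_len]
    point, off = mpi_decode(buf, 1 + oid_len)
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected uncompressed 256-bit EC point")
    x, y = int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
    kdf = None
    if pke:
        if buf[off] != 3 or buf[off + 1] != 1:
            raise ValueError("unexpected KDF parameter field")
        kdf = buf[off + 2]
        off += 3
    if off != len(buf):
        raise ValueError("trailing data in algorithm-specific fields")
    return oid, (x, y), kdf
```

Note that the parser has to be told whether it is looking at an SM2DSA or an SM2PKE key: both share the single SM2 algorithm ID, so the only things that distinguish them are the packet length (whether the three KDF octets follow the point) and the key's usage flags.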
A compliant application MUST implement:

   o  SM2 Recommended Curve
   o  SM2 (SM2DSA and SM2PKE)
   o  SM3
   o  SM4

Products and services that utilize cryptography are regulated by
OSCCA; they must be explicitly approved or certified by OSCCA before
being allowed to be sold or used in China.

SM2 is an elliptic curve cryptosystem (ECC) published by OSCCA.
Its security relies on the assumption that the elliptic curve discrete
logarithm problem (ECDLP) is computationally infeasible. With advances
in cryptanalysis, new attack algorithms may reduce the complexity of
ECDLP, making it easier to attack the SM2 cryptosystem that is
considered secure at the time this document is published. You SHOULD
check current literature to determine if the algorithms in SM2 have
been found vulnerable.

SM3 is a cryptographic hash algorithm published by OSCCA.
No formal proof of security is provided. As claimed in the SM3
specification, the security properties of SM3 are under public study.
There are no known feasible attacks against the SM3 algorithm at the
time this document is published; the boomerang results cited in this
document apply to round-reduced variants only.

SM4 is a block cipher certified by OSCCA.
No formal proof of security is provided. There are no known feasible
attacks against the SM4 algorithm at the time this document is
published. On the other hand, there are security concerns regarding
side-channel attacks when the SM4 algorithm is implemented in a
device. For instance, a chosen-plaintext power analysis attack on the
round output has been demonstrated: assuming a fixed correlation
between the sub-keys and the data mask, it is able to recover the
round key. When the SM4 algorithm is implemented in hardware, the
parameters and keys SHOULD be randomly generated without fixed
correlation.

SM2 has a 256-bit private key and a public key that is a point on a
256-bit curve (two 256-bit coordinates, 512 bits in total).
It is considered an alternative to ECDSA on P-256. Its security
strength is comparable to a 128-bit symmetric key strength, e.g.,
AES-128.

SM3 is a hash function that generates a 256-bit hash value. It is
considered an alternative to SHA-256.

SM4 is a block cipher with a key length of 128 bits. It is considered
an alternative to AES-128.

The security considerations in [RFC4880] and [RFC6637] also apply.

The IANA "Pretty Good Privacy (PGP)" registry has made the following
assignments for algorithms described in this document, namely:

   o  ID XXX of the "Public Key Algorithms" namespace for SM2
   o  ID XXX of the "Hash Algorithms" namespace for SM3
   o  ID XXX of the "Symmetric Key Algorithms" namespace for SM4

(TODO: assignments pending.)
References

   o  Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves.
      Organization of State Commercial Administration of China,
      http://www.oscca.gov.cn
   o  Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves
      -- Part 2: Digital Signature Algorithm. Organization of State
      Commercial Administration of China, http://www.oscca.gov.cn
   o  Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves
      -- Part 3: Key Exchange Protocol. Organization of State
      Commercial Administration of China, http://www.oscca.gov.cn
   o  Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves
      -- Part 4: Public Key Encryption Algorithm. Organization of State
      Commercial Administration of China, http://www.oscca.gov.cn
   o  Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves
      -- Part 5: Parameter definitions. Organization of State
      Commercial Administration of China, http://www.oscca.gov.cn
   o  GM/T 0003.1-2012: Public Key Cryptographic Algorithm SM2 Based on
      Elliptic Curves Part 1: General. Organization of State Commercial
      Administration of China, http://www.oscca.gov.cn
   o  SM3 Cryptographic Hash Algorithm. Organization of State
      Commercial Administration of China, http://www.oscca.gov.cn
   o  SM4 block cipher algorithm. Organization of State Commercial
      Administration of China, http://www.oscca.gov.cn
   o  Organization of State Commercial Administration of China,
      http://www.oscca.gov.cn
   o  Information technology -- Telecommunications and information
      exchange between systems -- Local and metropolitan area networks
      -- Specific requirements -- Part 11: Wireless LAN Medium Access
      Control (MAC) and Physical Layer (PHY) Specifications.
      Standardization Administration of the People's Republic of
      China, http://www.sac.gov.cn
   o  FIPS 180-4 Secure Hash Standard (SHS). National Institute of
      Standards and Technology, http://www.nist.gov/
   o  FIPS 197 Advanced Encryption Standard (AES). National Institute
      of Standards and Technology, http://www.nist.gov/
   o  SP 800-56Ar2 Recommendation for Pair-Wise Key Establishment
      Schemes Using Discrete Logarithm Cryptography. National Institute
      of Standards and Technology, http://www.nist.gov/, with Orion
      Security Solutions, Inc., http://www.orionsecuritysolutions.com
   o  SEC 1: Elliptic Curve Cryptography. Standards for Efficient
      Cryptography Group.
   o  Practical Lattice-Based Fault Attack and Countermeasure on SM2
      Signature Algorithm. Trusted Computing and Information Assurance
      Laboratory, Institute of Software, Chinese Academy of Sciences,
      http://english.is.cas.cn; Beijing Key Laboratory of RFID Chip
      Test Technology, CEC Huada Electronic Design Co., Ltd,
      http://www.hed.com.cn
   o  Partially Known Nonces and Fault Injection Attacks on SM2
      Signature Algorithm. Beijing International Center for
      Mathematical Research, Peking University, http://www.bicmr.org;
      China Information Technology Security Evaluation Center,
      http://www.itsec.gov.cn
   o  Mind Your Nonces Moving: Template-Based Partially-Sharing Nonces
      Attack on SM2 Digital Signature Algorithm. China Information
      Technology Security Evaluation Center, http://www.itsec.gov.cn;
      Beijing Research Institute of Telemetry, China Aerospace Science
      and Technology Corporation, http://www.spacechina.com
   o  Comments on the SM2 Key Exchange Protocol. State Key Laboratory
      of Information Security, Institute of Software, Chinese Academy
      of Sciences, http://english.is.cas.cn
   o  Improved Boomerang Attacks on Round-Reduced SM3 and Keyed
      Permutation of BLAKE-256. Department of Computer Science and
      Technology and Institute for Advanced Study, Tsinghua University,
      http://www.tsinghua.edu.cn; School of Computer Science and
      Technology, Donghua University, https://www.dhu.edu.cn
   o  Improved chosen-plaintext power analysis attack against SM4 at
      the round-output. College of Information Security Engineering,
      Chengdu University of Information Technology,
      http://www.cuit.edu.cn/

Acknowledgements

The authors would like to thank the following persons for their
valuable advice and input: Jack Lloyd and Daniel Wyatt of the Ribose
rnp team, for their input and implementation.