The SM3 Cryptographic Hash Function

Authors and affiliations:

- Chinese Academy of Science, 4 South 4th Zhongguancun Street, Beijing 100190, People's Republic of China, +86 10-58813038, shenshuo@cnnic.cn, http://www.cas.cn
- CNNIC, 4 South 4th Zhongguancun Street, Beijing 100190, People's Republic of China, +86 10-58813038, xl@cnnic.cn, https://cnnic.com.cn
- Ribose, Suite 1111, 1 Pedder Street, Central, Hong Kong, People's Republic of China, ronald.tse@ribose.com, https://www.ribose.com
- Hang Seng Management College, Hang Shin Link, Siu Lek Yuen, Shatin, Hong Kong, People's Republic of China, wongwk@hsmc.edu.hk, https://www.hsmc.edu.hk
- Baishan Cloud, Shenyang, Liaoning, People's Republic of China, paulyang.inf@gmail.com, https://www.baishancloud.com

Working group: cfrg (Crypto Forum Research Group)

Abstract

This document describes the SM3 cryptographic hash algorithm published as GB/T 32905-2016 by the Organization of State Commercial Administration of China (OSCCA).

This document is a product of the Crypto Forum Research Group (CFRG).

Introduction

SM3 is a cryptographic hash algorithm published by the Organization of State Commercial Administration of China as an authorized cryptographic hash algorithm for use within China.
The algorithm is published in public.

Purpose

The SM3 algorithm is intended to address multiple use cases for commercial cryptography, including, but not limited to:

- the use of digital signatures and their verification;
- the generation and verification of message authentication codes; as well as
- the generation of random numbers.

SM3 has a Merkle-Damgard construction and is similar to SHA-2 of the MD4 family, with the addition of several strengthening features including a more complex step function and stronger message dependency than SHA-256.

SM3 produces an output hash value of 256 bits long, based on 512-bit input message blocks, on input lengths up to 2^(m).

This document details the SM3 algorithm and its internal steps together with demonstrative examples.

This document does not aim to introduce a new algorithm, but to provide a clear and open description of the SM3 algorithm in English, and also to serve as a stable reference for IETF documents that utilize this algorithm.

This document follows the updated description and structure of GB/T 32905-2016, published in 2016. Sections 1 to 5 of this document directly map to the corresponding sections (and numbering) of the standard for the convenience of the reader.

Sections 6 to 8 of this document provide a translation of the design considerations, hardware adaptability, and cryptanalysis results of SM3 in the words of its designer, Xiaoyun Wang.
The cryptanalysis section has also been updated to include the latest published research on SM3.

History

The SM3 algorithm was designed by Xiaoyun Wang et al.

It was first published by the OSCCA in public in 2010, then published as a China industry standard in 2012 (GM/T 0004-2012), and finally published as a Chinese National Standard (GB Standard) in 2016 (GB/T 32905-2016). SM3 has been standardized in ISO/IEC 10118-3 by the International Organization for Standardization in 2017.

The latest SM3 standard was proposed by the OSCCA, standardized through TC 260 of the Standardization Administration of the People's Republic of China (SAC), and was drafted by the following individuals at Tsinghua University, the China Commercial Cryptography Testing Center, the People's Liberation Army Information Engineering University, and the Data Assurance and Communication Security Research Center (DAS Center) of the Chinese Academy of Sciences:

- Xiao-Yun Wang
- Zheng Li
- Yong-Chuan Wang
- Hong-Bo Yu
- Yong-Quan Xie
- Chao Zhang
- Peng Luo
- Shu-Wang Lu

SM3 has prevalent hardware implementations, due to its being the only OSCCA-approved cryptographic hash algorithm allowed for use in China.

Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted
as described in RFC 2119.

Terms and definitions

The following terms and definitions apply to this document.

- bit string: a binary string composed of 0s and 1s.
- big-endian: describes the order in which data is stored in memory, where the more significant digits are stored at the lower storage addresses and the less significant digits are stored at the higher storage addresses.
- message: a bit string of arbitrary length. In this document, the message is the input to the hash algorithm.
- hash value: the output bit string of the hash algorithm given a message as input.
- word: a 32-bit quantity.

Symbols and abbreviations

- bitlen(S): the length of string S in bits (e.g., bitlen(101) == 3).
- Addition of two 32-bit vectors S and T with a mod 2^32 wrap around.
- Bitwise "and" of two 32-bit vectors S and T. S and T will always have the same length.
- Bitwise "or" of two 32-bit vectors S and T. S and T will always have the same length.
- Bitwise exclusive-or of two 32-bit vectors S and T. S and T will always have the same length.
- Bitwise "not" of a 32-bit vector S.
- 32-bit bitwise cyclic shift on a with i bits shifted left.
- S || T: string S concatenated with string T (e.g., 000 || 111 == 000111).
- Assignment of value S to variable a.
- num2str(i, n): the n-bit string whose base-2 interpretation is i
(e.g., num2str(14,4) == 1110 and num2str(1,2) == 01).

- A, B, C, D, E, F, G, H: eight word-width (32-bit) registers.
- B_i: the i-th message block.
- CF: the compression function.
- Boolean functions, which change according to j.
- IV: the initialization vector, used to determine the initial state of the compression function registers.
- P_0: the permutation function within the compression function.
- The permutation function for message expansion.
- The algorithm constant, which changes according to j.
- m: the message.
- m': the message m after padding.
- n: the number of message blocks within a message.

When 0 <= j <= 15:

When 16 <= j <= 63:

When 0 <= j <= 15:

When 16 <= j <= 63:

Where X, Y, Z are 32-bit words.

Where X is a 32-bit word.

Algorithm

Overview

The SM3 cryptographic hash algorithm takes as input a message m of length l (where l < 2^64) and, after padding and iterative compression, produces a hash value of 256 bits. Worked examples are provided later in this document.

Padding

The following steps pad a message m to m', where bitlen(m') is a multiple of 512.

1. Input message m has a length of l bits.
2. Append a bit "1" to the end of the message m.
3. Append a k-bit string K, consisting entirely of "0"s, to the end of message m, where k is the smallest non-negative number that satisfies l + 1 + k = 448 (mod 512).
4. Append a 64-bit string L, where L = num2str(l, 64).

Inputs:
- m, the original message of length l bits.

Output:
- m', the padded message of m, where bitlen(m') is a multiple of 512.

m' is defined as follows:

For example, given a message 01100001 01100010 01100011, its length l is 24, and after padding m' will be:

Iterative compression

Inputs:
- m', the padded message of m, composed of n 512-bit blocks, where n = (l + k + 65) / 512
- IV, a 256-bit initialization vector

Output:
- V_n, the resulting hash value of m.

V_n is defined as follows.

where:
- CF is the compression function;
- ME is the message expansion function;
- B_i is the i-th block of the padded message m'.

Message expansion

This step expands each message block B_i into a bit string E_i for the compression function CF, where E_i is made up of 132 words: E_i = W_0 || ... || W_67 || W'_0 || ... || W'_63.

Inputs:
- B_i, the i-th message block of the padded message m'

Output:
- E_i, the result of the message expansion function

ME(B_i) is defined as the following:

E_i is defined as follows.

Compression function

CF(V_i, E_i) is defined as the following function.

Inputs:
- V_i, the output value of the i-th iteration
- E_i, the expanded form of the i-th message block B_i

Variables:
- A, B, C, D, E, F, G, H, 32-bit registers
- SS1, SS2, TT1, TT2, 32-bit intermediate variables

Output:
- V_{i + 1}, the result of the compression function, where 0 <= i <= n - 1.

V_{i + 1} is defined as follows.

All 32-bit words used here are stored in big-endian format.

Hash value

The final hash value y, of 256 bits long, is given by:

Design considerations

The SM3 iterative compression function, while similar in structure to that of SHA-256, incorporates a number of novel design techniques including its 16 steps of exclusive-or operations, double-word message entry and accelerated avalanche using the permutation function P. These techniques reduce its locality sensitivity and increase both weak and strong collision resistance against differential cryptanalysis, linear cryptanalysis and bit-tracing cryptanalysis techniques.

The SM3 algorithm uses word addition, carry operations and a 4-stage pipeline.
The P permutation is used to accelerate the avalanche effect and efficiency of the algorithm without increasing the cost of hardware.

SM3 is designed to be highly efficient and widely applicable across platforms, and its operations can be easily realized in hardware on 32-bit microprocessors and 8-bit smartcards.

Design principles

The SM3 cryptographic hash algorithm follows the following principles:

1. Effectively resist bit-tracing and other cryptanalysis techniques.
2. Reasonable requirements for implementation in hardware and software.
3. While satisfying security requirements, generally match the performance of SHA-256 under the same conditions.

Compression function

The SM3 compression function is designed to have a clear structure and provide a strong avalanche effect, utilizing the following design techniques.

- Double-word message intervention. The double-word message input is selected from the output of the message expansion algorithm. To produce the avalanche effect as early as possible, mod 2^32 arithmetic addition and the P permutation are used.
- Each step uses message bits from the previous step for non-linear rapid diffusion; each message bit is rapidly incorporated into the current step's diffusion and mixing.
- Uses a mixture of different groups of operations, including mod 2^32 addition, exclusive-or, ternary boolean functions and the P permutation.
- While satisfying the security requirements, the algorithm should be easily realized in hardware and smartcards, and therefore its non-linear operations mainly utilize boolean and additive operations.
- Compression function parameters should facilitate the characteristics of distribution completeness and the rapid avalanche effect.

Permutation P_0

The selection of permutation P_0 should exclude short displacement distances, bit-shifts at word-length multiples and bit-shifts of composite numbers. The numbers 9 and 17 have been selected as shift constants, having considered the security and implementability of the algorithm.

Boolean functions

Boolean functions are used to guard against bit-tracing cryptanalysis techniques, improve the non-linearity and reduce differential image characteristics.

The selection of boolean functions should fulfill the following requirements.

- The first 0-15 steps only utilize exclusive-or operations to prevent bit-tracing.
- Steps 16-63 use non-linear operations to improve the algorithm's non-linearity. At the same time, differentials should be well distributed to combine with the shift performed in the compression function, in order to reduce the differential between input and output.
- A non-degenerate boolean function that is 0, 1 balanced.
- The boolean function must be clear, simple and easy to implement.

Rotational constants R and R'

Selection of rotational constants R and R' is based on the following requirements:

- When value x is rotated on 0-15, R . x mod 32, R' . x mod 32 and x mod 32 are well distributed among 0-31, making message distribution more balanced.
- Should work with rotational constants S, S' and the permutation P_0 to accelerate the distribution of message bits.

Rotational constants S and S'

The purpose of rotational constants S and S' is to accelerate the distribution of message bits, to increase the mixture of the three inputs of the boolean functions.

Selection of rotational constants S and S' is based on the following requirements:

- The absolute difference of S and S' should be around 8. S' should be a prime number, S should be a further odd number, to make message distribution more balanced.
- Should work with rotational constants R and R' to accelerate the distribution of message bits.
- The choice of S and S' should be easily usable on 8-bit smartcards.
- S and S' should not counteract the functionality of the permutation P_0, especially the avalanche effect.

Addition constants

Addition constants are used to provide randomness. For mod 2^32 calculations, addition constants can reduce the linearity and probability of differential inheritance.

The requirements for the addition constants are:

- The addition constants should be 0, 1 balanced in binary form.
- The addition constants in binary form should have a maximum run length of 1s and 0s of less than 5 and 4 respectively.
- Addition constants should be easy to represent and memorize.

Message expansion

Message expansion is used to expand a message packet of 512 bits to 2176 bits.
A better distribution effect with minimal computation is achieved through the usage of linear feedback shift registers.

The message expansion algorithm is mainly used to enhance the correlation between message bits, and reduce the possibility of attacking the SM3 algorithm through message expansion vulnerabilities.

Requirements of the message expansion algorithm are:

- The algorithm must be entropy-preserving.
- Linear expansion of the message to preserve correlation within the expanded message.
- Has a strong avalanche effect.
- Suitable for hardware and smartcard implementation.

Object identifiers

The Object Identifier for SM3 is identified through these OIDs.

- "1.2.156.10197.1.401" for "Hash Algorithm: SM3 Algorithm".
- "1.2.156.10197.1.401.1" for "Hash Algorithm: SM3 Algorithm used without secret key".
- "1.2.156.10197.1.401.2" for "Hash Algorithm: SM3 Algorithm used with secret key".
- "1.0.10118.3.0.65" for "id-dhf-SM3", described below.
  - "is10118-3" {iso(1) standard(0) hash-functions(10118) part3(3)}
  - "id-dhf" { is10118-3 algorithm(0) }
  - "id-dhf-SM3" { id-dhf sm3 (65) }
- "1.2.156.10197.1.501" for "Digital Signature: Based on SM2 and SM3".
- "1.2.156.10197.1.504" for "Digital Signature: Based on RSA and SM3".

Security considerations

Products and services that utilize cryptography are regulated by the OSCCA; they must be explicitly approved or certified by the OSCCA before being allowed to be sold or used in China.

SM3 is a cryptographic hash algorithm published by the OSCCA. No formal proof of security is provided. The security properties of SM3 are under public study. There are no known feasible attacks against the SM3 algorithm at the time this document is published.

SM3 is a hash function that generates a 256-bit hash value. It is considered
as an alternative to SHA-256.

IANA considerations

This document does not require any action by IANA.

References

- GB/T 32905-2016: Information security techniques -- SM3 cryptographic hash algorithm. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
- ISO/IEC FDIS 10118-3 -- Information technology -- Security techniques -- Hash-functions -- Part 3: Dedicated hash-functions. International Organization for Standardization. https://www.iso.org/
- Key words for use in RFCs to Indicate Requirement Levels (RFC 2119). Defines how the capitalized requirement words are to be interpreted in IETF documents; an Internet Best Current Practice.
- Addend Dependency of Differential/Linear Probability of Addition. Yokohama Research Center, Telecommunications Advancement Organization of Japan. https://www.nict.go.jp
- Botan: Crypto and TLS for C++11. Botan Project. https://botan.randombit.net
- GB/T 32918.2-2016 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 2: Digital Signature Algorithm. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
- GB/T 32918.3-2016 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 3: Key Exchange. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
- GB/T 32918.4-2016 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 4: Public Key Encryption Algorithm. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
- The GmSSL Project. Peking University. https://www.gmssl.org
- GM/T 0004-2012: SM3 Cryptographic Hash Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
- NIST Federal Information Processing Standard 180-1: Secure Hash Standard (SHS). National Institute of Standards and Technology. http://www.nist.gov/
- NIST Federal Information Processing Standard 180-2: Secure Hash Standard (SHS). National Institute of Standards and Technology. http://www.nist.gov/
- FIPS 180-4: Secure Hash Standard (SHS). National Institute of Standards and Technology. http://www.nist.gov/
- NIST Federal Information Processing Standard 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. National Institute of Standards and Technology. http://www.nist.gov/
- OpenSSL: Cryptography and SSL/TLS Toolkit. OpenSSL Software Foundation. https://www.openssl.org
- SM3 Cryptographic Hash Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
- Organization of State Commercial Administration of China. http://www.oscca.gov.cn
- Improved Boomerang Attacks on Round-Reduced SM3 and Keyed Permutation of BLAKE-256. Department of Computer Science and Technology and Institute for Advanced Study, Tsinghua University; School of Computer Science and Technology, Donghua University. http://www.tsinghua.edu.cn, https://www.dhu.edu.cn
- SM3 Cryptographic Hash Algorithm. Institute for Advanced Study and Department of Computer Science and Technology, Tsinghua University.
- Xiaoyun Wang -- Institute of Advanced Study -- Tsinghua University. Institute for Advanced Study, Tsinghua University.
- MD4 to Historic Status. Retires RFC 1320, which documents the MD4 algorithm, moving it to Historic status; published for informational purposes.
- US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF).
- Federal Information Processing Standard, FIPS.

Examples

Example 1: a message that requires padding

This is example 1 provided by the SM3 standard (GB/T 32905-2016) to demonstrate hashing of a
plaintext that requires padding.

The input abc is represented in hexadecimal form as 616263.

The message after padding is shown below.

The message after expansion is shown below.

W_0 W_1 ... W_67:

W'_0 W'_1 ... W'_63:

Example 2: a 512-bit message

This is example 2 provided by the SM3 standard (GB/T 32905-2016) to demonstrate hashing of a 512-bit plaintext.

The message after padding is shown below.

First block, W_0 W_1 ... W_67:

W'_0 W'_1 ... W'_63:

Second block, W_0 W_1 ... W_67:

W'_0 W'_1 ... W'_63:

Further examples

These examples only provide results of hashing, and can be found in the Botan, OpenSSL and GmSSL cryptographic libraries.

SM2 digital signature examples (GB/T 32918.2-2016, Annex A)

From A.2, "Z_A = H_256(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)".
Input:
Output:

From A.2, "e = H_256(M)".
Input:
Output:

From A.3, "Z_A = H_256(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)".
Input:
Output:

From A.3, "e = H_256(M)".
Input:
Output:

SM2 key exchange examples (GB/T 32918.3-2016, Annex A)

From A.2, "Z_A = H_256(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)".
Input:
Output:

From A.2, "Z_B = H_256(ENTL_B || ID_B || a || b || x_G || y_G || x_B || y_B)".
Input:
Output:

From A.2, "Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.2, "S_B = 0x02 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.2, "S_A = 0x03 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.3, "Z_B = H_256(ENTL_B || ID_B || a || b || x_G || y_G || x_B || y_B)".
Input:
Output:

From A.3, "Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.3, "S_B = 0x02 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.3, "S_A = 0x03 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

SM2 public key encryption examples (GB/T 32918.4-2016)

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

Sample implementation

This sample implementation is used to generate the examples given in this document.

- "sm3.h" is the header file for the SM3 function.
- "sm3.c" contains the main implementation of SM3.
- "sm3_main.c" is used to run the examples provided in this document and print out internal state for implementation reference.
- "print.c" and "print.h" are used to provide the pretty formatting used to print out the examples for this document.

"print.h"

"print.c"

Acknowledgements

The authors would like to thank the following persons for their valuable advice and input.

- Erick Borsboom for assisting the lengthy review of this document;
- Jack Lloyd and Daniel Wyatt of the Ribose RNP team for their input and implementation;