OSCCA Extensions For OpenPGP

Ribose, Suite 1111, 1 Pedder Street, Central, Hong Kong; ronald.tse@ribose.com; https://www.ribose.com
Hang Seng Management College, Hang Shin Link, Siu Lek Yuen, Shatin, Hong Kong; wongwk@hsmc.edu.hk; https://www.hsmc.edu.hk
Ribose, United States of America; jack.lloyd@ribose.com; https://www.ribose.com
Ribose, 608 W Cork St, Apt 2, Winchester, VA, United States of America; daniel.wyatt@ribose.com; https://www.ribose.com
Ribose, Suite 1111, 1 Pedder Street, Central, Hong Kong; erick.borsboom@ribose.com; https://www.ribose.com
Network Working Group

This document enables OpenPGP (RFC4880) usage in a manner compliant with OSCCA (Office of State Commercial Cipher Administration) regulations for use within China. Specifically, it extends OpenPGP to support the SM2, SM3 and SM4 algorithms, and provides the OSCCA-compliant OpenPGP profile "OSCCA-SM234".

SM2 , SM3 and SM4 are cryptographic standards issued by the Organization of State Commercial Cipher Administration of China as authorized cryptographic algorithms for use within China. These algorithms are published openly.

Adoption of this document enables exchange of OpenPGP-secured email in an OSCCA-compliant manner through usage of the authorized combination of SM2, SM3 and SM4.

SM2 is an elliptic curve cryptosystem (ECC) that is composed of a set of public key cryptographic algorithms based on elliptic curves and also a recommended elliptic curve:

* Digital Signature Algorithm
* Key Exchange Protocol
* Public Key Encryption Algorithm
* SM2 Recommended Elliptic Curve

SM3 is a hash algorithm designed for electronic authentication purposes. SM4 is a symmetric encryption algorithm designed for data encryption.

SM2, SM3 and SM4 are standardized at ISO as , , and respectively.

This document extends OpenPGP and its ECC extension to support SM2, SM3 and SM4. It:

* supports the SM3 hash algorithm for data validation purposes;
* supports signatures utilizing the combination of SM3 with other digital signing algorithms, such as RSA, ECDSA and SM2;
* supports the SM2 asymmetric encryption algorithm for public key operations;
* supports usage of SM2 in combination with supported hash algorithms, such as SHA-256 and SM3;
* supports the SM4 symmetric encryption algorithm for data protection purposes; and
* defines the OpenPGP profile "OSCCA-SM234" to enable usage of OpenPGP in an OSCCA-compliant manner.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

Compliant applications are a subset of the broader set of OpenPGP applications described in . Any keyword within this document applies to compliant applications only.

The following terms and definitions apply to this document.

OSCCA-compliant: All cryptographic algorithms used are compliant with OSCCA regulations.

SM2DSA: The elliptic curve digital signature algorithm defined in .

SM2KEP: The elliptic curve key exchange protocol defined in .

SM2PKE: The public key encryption algorithm defined in .

This document uses the following definitions of operations from and , which are included here for reference.

c^i: The integer c raised to the i-th power.

S || T: String S concatenated with string T (e.g., 000 || 111 == 000111).

SM2 is an elliptic curve based cryptosystem (ECC) designed by Xiaoyun Wang et al. and published by
. It was first published by the OSCCA in public in 2010 , then standardized as in 2012, included in in 2015, published as a Chinese National Standard as , and published in in 2017.

The SM2 cryptosystem is composed of three distinct algorithms:

* an elliptic curve digital signature algorithm ("SM2DSA") , also described in ;
* a key exchange protocol ("SM2KEP") ; and
* a public key encryption algorithm ("SM2PKE") .

This document refers to the SM2DSA and SM2PKE algorithms for use in OpenPGP . provides specifications on interoperable usage of SM2 data formats, and they are adhered to within this document.

The SM2 Digital Signature Algorithm is intended for digital signing and verification in commercial cryptographic applications, including, but not limited to:

* identity authentication
* protection of data integrity
* verification of data authenticity

The process of digital signature signing and verification, along with examples, is found in , , , and also described in .

The SM2DSA process requires the use of a hash function. For OSCCA-compliant usage, an OSCCA-compliant hash function such as SM3 MUST also be used.

Formal security proofs for SM2 are provided in , indicating that it satisfies both EUF-CMA security and security against generalized strong key substitution attacks.

The SM2DSA algorithm has been cryptanalyzed by multiple parties, with the strongest attacks currently known being nonce attacks and lattice attacks . These target implementations that leak, share or reuse nonces, or that can be fault-injected, rather than the scheme itself; an implementation therefore has to protect the per-signature nonce as carefully as the private key.

In terms of OpenPGP usage, SM2DSA is an alternative to the ECDSA algorithm specified in .

For OpenPGP compatibility, these additional requirements MUST be adhered to:

* SM2DSA allows use of an optional "user identity" string which is hashed into Z_A (Section 3.5 of and Section 5.1.4.4 of ). In OpenPGP, the user identifier ID_A MUST be the empty string.
* While SM2DSA usually signs H(Z_A || msg) (Section 4.1 of ), this document follows the OpenPGP convention of not directly signing the raw message msg, but its hash H(msg). Therefore when a message is signed by SM2DSA in OpenPGP, the algorithm MUST sign the content of H(Z_A || H(msg)) instead of H(Z_A || msg).
Both hash algorithms used here MUST be identical.

The SM2 Key Exchange Protocol is used for cryptographic key exchange, allowing the negotiation and exchange of a session key within two to three message transfers.

The process of key exchange and verification, along with examples, is found in , and also described in .

SM2KEP is not used with O penPGP as it is a two- to three-pass key exchange mechanism, while in OpenPGP the public keys of recipients are available initially.

The SM2KEP is now considered insecure due to , similar in status to the Unified Model and MQV schemes described in .

The SM2 Public Key Encryption algorithm is an elliptic curve
based asymmetric encryption algorithm. It is used for cryptographic encryption and decryption, allowing the message sender to use the public key of the message receiver to encrypt the message, with the recipient decrypting the message using their private key.

The full description of SM2PKE is provided in . It utilizes a public key size of 512 bits and a private key size of 256 bits .

The process of encryption and decryption, along with examples, is found in and .

The SM2PKE process requires the use of a hash function. For OSCCA-compliant usage, an OSCCA-compliant hash function such as SM3 MUST also be used.

In OpenPGP, SM2PKE is an alternative to RSA specified in .

The recommended curve is specified in and provided here for reference. SM2 uses a 256-bit elliptic curve.

* q: an integer larger than 3, the size of the prime field F_q
* a, b: elements of F_q which define an elliptic curve E on F_q
* n: order of the base point G (n is a prime factor of the order of E(F_q))
* x_G: x-coordinate of the generator G
* y_G: y-coordinate of the generator G

defines a number of data formats for the SM2 algorithm to allow interoperable implementations. This document adheres to these conventions.

SM2 secret key data format is described in ASN.1 as :

SM2 public key data format is described in ASN.1 as :

Where:

* SM2PublicKey is of type BIT STRING with content 04 || X || Y.
* X and Y specify the x- and y-coordinates of the public key, each 256 bits long.

The SM2 encrypted data format is provided by as the following in ASN.1 format:

Where:

* XCoordinate and YCoordinate are x- and y-coordinates on the elliptic curve, both 256 bits long.
* HASH is the hash value calculated from the hash function used in the KDF, of a fixed length of 256 bits.
* CipherText is of the same length as its plaintext.

SM2 signature data format is described in ASN.1 as :

R and S represent the first and second portions of the signature, and both are 256 bits long.

The SM3 Cryptographic Hash Algorithm is an iterative hash function designed by Xiaoyun Wang et al., published by as an alternative to SHA-2 .

It was first published by the OSCCA in public in 2010 , then published in the OSCCA standard in 2012, published as a Chinese National Standard as in 2016, and included in the standard in 2017.

The algorithm is designed to be used for commercial cryptographic applications including, but not limited to:

* digital signatures and their verification
* message authentication code generation and verification
* generation of random numbers

SM3 has a Merkle-Damgård construction and is similar to SHA-2 of the MD4 family, with the addition of several strengthening features including a more complex step function and stronger message dependency than SHA-256 .

SM3 produces an output hash value 256 bits long, based on 512-bit input message blocks , for input lengths of less than 2^64 bits.

The specification of SM3 is described in , and .

SM4 is a symmetric encryption algorithm designed by
Shuwang Lu et al., originally intended for use in wireless local area network (Wireless LAN) products.

SM4 is a 128-bit block cipher with a key size of 128 bits and an internal 8-bit S-box. It performs 32 rounds per block. Decryption uses the same round function with the round keys applied in reverse order.

SMS4 was first published in public as part of WAPI (WLAN Authentication and Privacy Infrastructure), the Chinese National Standard for Wireless LAN . It was then published independently by the OSCCA in 2006 , formally renamed to SM4 in 2012 , published as a Chinese National Standard in 2016 , and included in in 2017.

It is a required encryption algorithm specified in WAPI .

The SM2 algorithm is supported with the following extension. The following public key algorithm ID is added to expand Section 9.1 of , "Public-Key Algorithms":

   ID      Description of Algorithm
   TBD     SM2

Compliant applications MUST support both usages of SM2 :

* SM2 Digital Signature Algorithm (SM2DSA)
* SM2 Public Key Encryption (SM2PKE)

The SM4 algorithm is supported with the following extension. The following symmetric encryption algorithm ID is added to expand Section 9.2 of , "Symmetric-Key Algorithms":

   ID      Description of Algorithm
   TBD     SM4

Compliant applications MUST support SM4 .

The SM3 algorithm is supported with the following extension. The following hash algorithm ID is added to expand Section 9.3 of , "Hash Algorithms":

   ID      Description of Algorithm
   TBD     SM3

Compliant applications MUST support SM3 .

The encoding method of Section 6 MUST be used, and is compatible with the definition given in .

For clarity, according to the EC curve MPI encoding method of , the exact size of the MPI payload for the "SM2 Recommended" 256-bit curve is 515 bits: the leading 0x04 octet of the uncompressed point contributes three significant bits (0b100), followed by the two 256-bit coordinates.

A key derivation function (KDF) is necessary to implement EC encryption.

The SM2PKE KDF is defined in Section 3.4.3 of (and Section 5.4.3 of , Section 3.4.3 of ).

For OSCCA-compliance, it SHOULD be used in conjunction with an OSCCA-approved hash algorithm, such as SM3 .

The SM2PKE KDF is equivalent to the KDF2 function defined in Section 13.2 of given the following assignments:

* the parameter v as hBits, the output length of the selected hash function Hash;
* the input KEYLEN as oBits;
* Z as the input bit string (for SM2PKE this is the shared secret x2 || y2 of step A5, not the plaintext); and
* PB set to the empty bit string.

Pseudocode of the SM2KDF function is provided here for convenience. This function contains edited variable names for clarity.

* Hash(S) is a hash function that outputs a v-bit long hash value based on input S.
* MSB(b, S) is a function that outputs the b most significant bits of the bitstream S.
* Floor(r) and Ceil(r) are the floor and ceiling functions respectively for the input real number r. Both functions output an integer.

Inputs:

* KEYLEN: desired key length. A positive integer less than (2^32 - 1) x v.
* Z: input bit string of any length.

Output:

* K: generated key. String of length KEYLEN.

K is defined as follows.

The following algorithm-specific packets are added to Section 5.5.2 of , "Public-Key Packet Formats", to support SM2DSA and SM2PKE.

This document extends the algorithm-specific portion with the following fields.

Algorithm-Specific Fields for SM2DSA keys:

* a variable-length field containing a curve OID, formatted as follows:
  * a one-octet size of the following field; values 0 and 0xFF are reserved for future extensions
  * octets representing a curve OID, described in
* MPI of an EC point representing a public key

Algorithm-Specific Fields for SM2PKE keys:

* a variable-length field containing a curve OID, formatted as follows:
  * a one-octet size of the following field; values 0 and 0xFF are reserved for future extensions
  * octets representing a curve OID, described in
* MPI of an EC point representing a public key

Note that both SM2DSA and SM2PKE public keys are composed of the same sequence of fields, and use the same codepoint to identify them.
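The public-key fields just listed, produced and parsed in code as an added example (not the draft's code, nor any OpenPGP implementation's). It follows the RFC 6637 conventions this document reuses: the curve OID field is the DER OID minus its tag and length octets, the point is 0x04 || X || Y wrapped as an MPI, and the curve OID is 1.2.156.10197.1.301, the value this document registers for the SM2 Recommended curve in its curve OID section. The coordinates passed in are constructed placeholders, not points on the curve.

```python
# Added example, not the draft's code: the SM2 public-key algorithm-specific
# fields (curve OID field + EC point MPI), built from RFC 6637 conventions.

SM2_CURVE_OID = "1.2.156.10197.1.301"   # OID registered for the SM2 Recommended curve

def der_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID: tag 0x06, length, first two arcs as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                              # higher groups carry the continuation bit
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(enc)
    return bytes([0x06, len(body)]) + body

def curve_oid_field(dotted: str) -> bytes:
    """OpenPGP curve OID field: one-octet length, then the DER OID with its 0x06 <len> header removed."""
    body = der_oid(dotted)[2:]
    if not 0 < len(body) < 0xFF:               # 0 and 0xFF are reserved
        raise ValueError("curve OID length out of range")
    return bytes([len(body)]) + body

def mpi(value: bytes) -> bytes:
    """OpenPGP MPI: two-octet big-endian bit count of the integer, then its minimal big-endian octets."""
    n = int.from_bytes(value, "big")
    bits = n.bit_length()
    return bits.to_bytes(2, "big") + n.to_bytes((bits + 7) // 8, "big")

def mpi_bit_length(m: bytes) -> int:
    return int.from_bytes(m[:2], "big")

def ec_point_mpi(x: int, y: int) -> bytes:
    """Uncompressed point 0x04 || X || Y as an MPI; 0x04 = 0b100 adds 3 bits, so a 256-bit curve gives 515."""
    return mpi(b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big"))

def sm2_public_key_fields(x: int, y: int) -> bytes:
    """Fields shared by SM2DSA and SM2PKE public keys: curve OID field, then the point MPI."""
    return curve_oid_field(SM2_CURVE_OID) + ec_point_mpi(x, y)

def parse_sm2_public_key_fields(data: bytes):
    """Inverse of sm2_public_key_fields: returns (x, y); rejects reserved OID lengths, foreign curves
    and anything that is not a 515-bit uncompressed point."""
    oid_len = data[0]
    if oid_len in (0, 0xFF):
        raise ValueError("reserved curve OID length")
    if data[1:1 + oid_len] != der_oid(SM2_CURVE_OID)[2:]:
        raise ValueError("not the SM2 Recommended curve")
    rest = data[1 + oid_len:]
    bits = mpi_bit_length(rest)
    point = rest[2:2 + (bits + 7) // 8]
    if bits != 515 or len(point) != 65 or point[0] != 0x04:
        raise ValueError("malformed SM2 point MPI")
    return int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
```

The parser checks the MPI bit count against the 515 this document fixes for the curve rather than trusting whatever length a sender declares; an implementation that accepts arbitrary lengths here is the usual entry point for malformed-point bugs.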
SM2DSA and SM2PKE keys are distinguished by the key usage flags.

The following algorithm-specific packets are added to Section 5.5.3 of , "Secret-Key Packet Formats", to support SM2DSA and SM2PKE.

This document extends the algorithm-specific portion with the following fields.

Algorithm-Specific Fields for SM2DSA or SM2PKE secret keys:

* an MPI of an integer representing the secret key, which is the scalar of the public EC point

Section 5.1 of , "Public-Key Encrypted Session Key Packets (Tag 1)", is extended to support SM2PKE using the following algorithm-specific fields, through applying the KDF described in .

Algorithm-Specific Fields for SM2 encryption:

The SM2 ciphertext is formatted in the OpenPGP bitstream as a single MPI.
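The KDF from the earlier section, the SM2PKE steps A5 to A7 it feeds (mask t, C2 and C3), and the PKESK field layout given here, as one added example that is not the draft's code. The SM2Cipher structure is assumed from GM/T 0009-2012 (SEQUENCE of two INTEGER coordinates, the HASH OCTET STRING and the CipherText OCTET STRING). hashlib.sha256 is used so the block runs on any Python; an OSCCA-compliant deployment would substitute SM3 (whose OpenPGP hash ID is still TBD), for instance hashlib.new("sm3") where the underlying OpenSSL provides it. The coordinates and session key are constructed placeholders.

```python
# Added example, not the draft's code: SM2 KDF, SM2PKE steps A5-A7, and the
# PKESK algorithm-specific field (DER SM2Cipher || hash id, as one MPI).
import hashlib
import math

def sm2_kdf(z: bytes, klen_bits: int, hash_name: str = "sha256") -> bytes:
    """K = MSB(KEYLEN, Hash(Z||ct_1) || Hash(Z||ct_2) || ...), ct a 32-bit big-endian counter
    starting at 1 (KDF2 of IEEE 1363a with PB empty, v = hash output bits)."""
    v = hashlib.new(hash_name).digest_size * 8
    if not 0 < klen_bits < (2**32 - 1) * v:
        raise ValueError("KEYLEN out of range")
    blocks = b"".join(hashlib.new(hash_name, z + ct.to_bytes(4, "big")).digest()
                      for ct in range(1, math.ceil(klen_bits / v) + 1))
    out = bytearray(blocks[:math.ceil(klen_bits / 8)])
    spare = len(out) * 8 - klen_bits                 # clear bits beyond KEYLEN in the last octet
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)

def sm2pke_mask(x2: int, y2: int, msg: bytes, hash_name: str = "sha256"):
    """Steps A5-A7: t = KDF(x2||y2, klen); C2 = M xor t; C3 = Hash(x2 || M || y2)."""
    x2b, y2b = x2.to_bytes(32, "big"), y2.to_bytes(32, "big")
    t = sm2_kdf(x2b + y2b, len(msg) * 8, hash_name)
    if not any(t):
        raise ValueError("all-zero KDF output: restart with a fresh ephemeral k (step A5)")
    c2 = bytes(m ^ k for m, k in zip(msg, t))
    c3 = hashlib.new(hash_name, x2b + msg + y2b).digest()
    return c2, c3

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    l = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(l)]) + l

def _der_int(n: int) -> bytes:
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b                              # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b

def sm2_cipher_der(x1: int, y1: int, c3: bytes, c2: bytes) -> bytes:
    """Assumed GM/T 0009 SM2Cipher ::= SEQUENCE { XCoordinate INTEGER, YCoordinate INTEGER,
    HASH OCTET STRING, CipherText OCTET STRING }, i.e. C1 || C3 || C2 in DER."""
    inner = (_der_int(x1) + _der_int(y1)
             + b"\x04" + _der_len(len(c3)) + c3
             + b"\x04" + _der_len(len(c2)) + c2)
    return b"\x30" + _der_len(len(inner)) + inner

def mpi(value: bytes) -> bytes:
    n = int.from_bytes(value, "big")
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")

def sm2_pkesk_field(x1: int, y1: int, c3: bytes, c2: bytes, hash_id: int) -> bytes:
    """The single MPI this section specifies: DER SM2Cipher followed by the hash algorithm octet."""
    return mpi(sm2_cipher_der(x1, y1, c3, c2) + bytes([hash_id]))

def parse_sm2_pkesk_field(field: bytes):
    """Return (DER SM2Cipher, hash id) after checking that the MPI length prefix matches the payload."""
    bits = int.from_bytes(field[:2], "big")
    body = field[2:]
    if len(body) != (bits + 7) // 8 or not body or body[0] != 0x30:
        raise ValueError("malformed SM2 PKESK MPI")
    return body[:-1], body[-1]
```

A receiver should compare the trailing hash id against the key's preferred hash list before using it, and an OSCCA-compliant receiver has to reject anything other than an OSCCA-approved hash there, because that octet selects the hash for both the KDF mask and the C3 check and is otherwise attacker-controlled.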
The MPI consists of:

* the data format described in , containing the data produced by Section 6.1 step A8 (C = (C1 || C3 || C2)), followed by
* a single octet giving the code for the hash algorithm used within the calculation of the KDF mask t (step A5 of Section 6.1) and the calculation of C3 (step A7 of Section 6.1). For OSCCA compliance, this MUST be an OSCCA-approved hash function, and in any case it SHOULD be a hash which is listed in the receiving key's "Preferred Hash Algorithms" list (Section 5.2.3.8 of ).

Section 5.2.2 of defines the signature format for "Version 3 Signature Packet Format". Similar to ECDSA , no change in the format is necessary for SM2DSA.

Section 5.2.3 of defines the signature format for "Version 4 Signature Packet Format". Similar to ECDSA , no change in the format is necessary for SM2DSA.

This section provides the curve ASN.1 Object Identifier (OID) of the "SM2 Recommended Curve" described in , according to the method of .

We specify the curve OID of the "SM2 Recommended Curve" to be the registered OID entry of "SM2 Elliptic Curve Cryptography" according to , which is "1.2.156.10197.1.301".

The table below specifies the exact sequence of bytes of the mentioned curve:

   ASN.1 OID             OID len   Curve OID bytes in hex      Curve name
   1.2.156.10197.1.301   8         2A 81 1C CF 55 01 82 2D     SM2 Recommended

The complete ASN.1 DER encoding for the SM2 Recommended curve OID is "06 08 2A 81 1C CF 55 01 82 2D", from which the "Curve OID bytes" column of the table above is constructed by omitting the first two octets (the DER tag and length). Only the truncated sequence of octets is the valid representation of a curve OID.

The "OSCCA SM234" profile is designed to be compliant with OSCCA regulations.
A compliant OpenPGP implementation of the "OSCCA SM234" profile MUST implement the following items as described by this document:

* SM2 Recommended Curve ()
* SM2 (SM2DSA and SM2PKE) (); the hash function selected in SM2DSA and SM2PKE MUST also be OSCCA-compliant, such as SM3
* SM3 ()
* SM4 ()

Products and services that utilize cryptography are regulated by the OSCCA ; they must be explicitly approved or certified by the OSCCA before being allowed to be sold or used in China.

SM2 is an elliptic curve cryptosystem (ECC) approved by the OSCCA . Its security relies on the assumption that the elliptic curve discrete logarithm problem (ECDLP) is computationally infeasible. With advances in cryptanalysis, new attack algorithms may reduce the complexity of ECDLP, making it easier to attack the SM2 cryptosystem that is considered secure at the time this document is published. You SHOULD check current literature to determine if the algorithms in SM2 have been found vulnerable.

There are security concerns with regard to side-channel attacks against ECC, including template attacks (such as ) that rely on physical access to the computation device. An implementer of ECC systems SHOULD be aware of potential vulnerabilities in this regard.

SM3 is a cryptographic hash algorithm approved by the OSCCA . No formal proof of security is provided. As claimed in , the security properties of SM3 are under public study. There are no known feasible attacks against the SM3 algorithm at the time this document is published.

SM4 is a block cipher approved by the OSCCA . Security considerations of SM4 offered in apply. No formal proof of security is provided, but there are no known feasible attacks against the SM4 algorithm at the time of publishing this document.

There are, however, security concerns with regard to side-channel attacks when the SM4 algorithm is implemented in a device . For instance, illustrated an attack by measuring the power consumption of the device. A chosen-plaintext power analysis attack, assuming a fixed correlation between the sub-keys and the data mask, is able to recover the round key. When the SM4 algorithm is implemented in hardware, the parameters/keys SHOULD be randomly generated without fixed correlation.

SM2 has a key length of 512 bits for the public key and 256 bits for the private key. It is considered an alternative to ECDSA P-256 . Its security strength is comparable to a 128-bit symmetric key strength , e.g., AES-128 .

SM3 is a hash function that generates a 256-bit hash value. It is considered an alternative to SHA-256 .

SM4 is a symmetric block cipher with a key length of 128 bits. It is considered an alternative to AES-128 .

Security considerations offered in and also apply.

The IANA "Pretty Good Privacy (PGP)" registry has made the
following assignments for algorithms described in this document, namely:

* ID XXX of the "Public Key Algorithms" namespace for SM2
* ID XXX of the "Hash Algorithms" namespace for SM3
* ID XXX of the "Symmetric Key Algorithms" namespace for SM4

References

* GB/T 32905-2016 Information Security Techniques -- SM3 Cryptographic Hash Algorithm. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* GB/T 32907-2016 Information Security Technology -- SM4 Block Cipher Algorithm. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* GB/T 32918.2-2016 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 2: Digital Signature Algorithm. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* GB/T 32918.4-2016 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 4: Public Key Encryption Algorithm. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* GB/T 32918.5-2017 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 5: Parameter Definition. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* RFC 2119, Key words for use in RFCs to Indicate Requirement Levels. IETF.
* RFC 4880, OpenPGP Message Format. IETF.
* RFC 6637, Elliptic Curve Cryptography (ECC) in OpenPGP. IETF.
* Botan: Crypto and TLS for C++11. Botan Project. jack@randombit.net. https://botan.randombit.net
* Information technology -- Telecommunications and information exchange between systems -- Local and metropolitan area networks -- Specific requirements -- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* GB/T 32918.1-2016 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 1: General. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* GB/T 32918.3-2016 Information Security Technology -- Public Key Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 3: Key Exchange. Standardization Administration of the People's Republic of China. http://www.sac.gov.cn
* GM/T 0002-2012: SM4 Block Cipher Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* GM/T 0003-2012: Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* GM/T 0004-2012: SM3 Hash Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* GM/T 0006-2012: Cryptographic Application Identifier Criterion Specification. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* GM/T 0009-2012: SM2 Cryptography Algorithm Application Specification. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* IEEE Std 1363a-2004: IEEE Standard Specifications for Public-Key Cryptography -- Amendment 1: Additional Techniques. Institute of Electrical and Electronics Engineers. https://www.ieee.org/
* ISO/IEC FDIS 10118-3 -- Information technology -- Security techniques -- Hash-functions -- Part 3: Dedicated hash-functions. International Organization for Standardization. https://www.iso.org/
* ISO/IEC 11889-1:2015 -- Information technology -- Trusted platform module library. International Organization for Standardization. https://www.iso.org/
* ISO/IEC 14888-3:2016-03 -- Information technology -- Security techniques -- Digital signatures with appendix -- Part 3: Discrete logarithm based mechanisms. International Organization for Standardization. https://www.iso.org/
* ISO/IEC WD1 18033-3/AMD2 -- Information technology -- Security techniques -- Encryption algorithms -- Part 3: Block ciphers -- Amendment 2. International Organization for Standardization. https://www.iso.org/
* FIPS 180-4 Secure Hash Standard (SHS). National Institute of Standards and Technology. http://www.nist.gov/
* FIPS 197 Advanced Encryption Standard (AES). National Institute of Standards and Technology. http://www.nist.gov/
* SP 800-56Ar2 Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography. National Institute of Standards and Technology; Orion Security Solutions, Inc. http://www.nist.gov/
* Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* Organization of State Commercial Cipher Administration of China. http://www.oscca.gov.cn
* Botan: Crypto and TLS for C++11. Ribose Inc. open.source@ribose.com. https://www.ribose.com
* SEC 1: Elliptic Curve Cryptography. Standards for Efficient Cryptography Group.
* Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves -- Part 1: General. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves -- Part 2: Digital Signature Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves -- Part 3: Key Exchange Protocol. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves -- Part 4: Public Key Encryption Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves -- Part 5: Parameter Definitions. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* Practical Lattice-Based Fault Attack and Countermeasure on SM2 Signature Algorithm. Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences; Beijing Key Laboratory of RFID Chip Test Technology, CEC Huada Electronic Design Co., Ltd. http://english.is.cas.cn
* Partially Known Nonces and Fault Injection Attacks on SM2 Signature Algorithm. Beijing International Center for Mathematical Research, Peking University; China Information Technology Security Evaluation Center. http://www.bicmr.org
* Mind Your Nonces Moving: Template-Based Partially-Sharing Nonces Attack on SM2 Digital Signature Algorithm. China Information Technology Security Evaluation Center; Beijing Research Institute of Telemetry, China Aerospace Science and Technology Corporation. http://www.itsec.gov.cn
* Comments on the SM2 Key Exchange Protocol. State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences. http://english.is.cas.cn
* Security of the SM2 Signature Scheme Against Generalized Key Substitution Attacks. Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences; State Key Laboratory of Cryptology. http://tca.iscas.ac.cn
* A Novel Template Attack on wNAF Algorithm of ECC. Institute of Microelectronics, Tsinghua University; Datang Microelectronics Technology Co., Ltd. http://www.tsinghua.edu.cn
* Improved Boomerang Attacks on Round-Reduced SM3 and Keyed Permutation of BLAKE-256. Tsinghua University; Donghua University. http://www.tsinghua.edu.cn
* SM3 Cryptographic Hash Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* Improved Chosen-Plaintext Power Analysis Attack against SM4 at the Round-Output. College of Information Security Engineering, Chengdu University of Information Technology. http://www.cuit.edu.cn/
* SM4 Block Cipher Algorithm. Organization of State Commercial Administration of China. http://www.oscca.gov.cn
* ECC Algorithms for MIKEY. IETF.
* The SM4 Block Cipher Algorithm And Its Modes Of Operations. Crypto Forum Research Group (CFRG), IETF.
* SM2 Digital Signature Algorithm. IETF.
* SM3 Hash Function. IETF.
* RFC 6150, MD4 to Historic Status. IETF.
* RFC 6234, US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF). IETF.
* RFC 7253, The OCB Authenticated-Encryption Algorithm. Crypto Forum Research Group (CFRG), IETF.
* Guidelines for Writing an IANA Considerations Section in RFCs. IETF.
This example is generated using the OpenPGP implementation RNP, with the SM2 and SM3 implementations from Botan.

This example is also created using RNP and Botan.

Detached signature of the string "SM2 example" using the above key:

The authors would like to thank the following persons for their valuable advice and input.

The Ribose RNP team for their input and implementation