The SM3 Cryptographic Hash Function

Author affiliations:

- Computer Network Information Center, Chinese Academy of Sciences, 4 Zhongguancun South Fourth Street, Zhongguancun, Haidian District, Beijing 100190, People's Republic of China. sean.s.shen@gmail.com, http://www.cnic.cn
- Institute of Computing Technology, Chinese Academy of Sciences, 6 Kexueyuan South Street, Haidian District, Beijing 100190, People's Republic of China. xl@ict.ac.cn, http://www.ict.ac.cn
- Ribose, Suite 1111, 1 Pedder Street, Central, Hong Kong, People's Republic of China. ronald.tse@ribose.com, https://www.ribose.com
- Hang Seng Management College, Hang Shin Link, Siu Lek Yuen, Shatin, Hong Kong, People's Republic of China. wongwk@hsmc.edu.hk, https://www.hsmc.edu.hk
- BaishanCloud, Building 16-3, Baitasan Street, Shenyang, Liaoning 110000, People's Republic of China. yang.yang@baishancloud.com, https://www.baishancloud.com

Area: sec
Abstract

This document describes the SM3 cryptographic hash algorithm published
as GB/T 32905-2016 by the State Cryptography Administration of China
(SCA).

This document is a product of the Crypto Forum Research Group (CFRG).

Introduction

SM3 is a cryptographic hash algorithm published by the State Cryptography
Administration (SCA) of China (formerly the Office of State Commercial
Cryptography Administration, OSCCA) as an authorized cryptographic hash
algorithm for use within China. The algorithm is publicly published.

The SM3 algorithm is intended to address multiple use cases for
commercial cryptography, including, but not limited to:

- the use of digital signatures and their verification;
- the generation and verification of message authentication codes; as
  well as
- the generation of random numbers.

SM3 has a Merkle-Damgard construction and is similar to SHA-2 of the MD4
family, with the addition of several strengthening features, including a
more complex step function and stronger message dependency than SHA-256.

SM3 produces an output hash value 256 bits long, based on 512-bit input
message blocks, on input lengths up to 2^(m).

This document details the SM3 algorithm and its internal steps together
with demonstrative examples.

This document does not aim to introduce a new algorithm, but to provide
a clear and open description of the SM3 algorithm in English, and also
to serve as a stable reference for IETF documents that utilize this
algorithm.

This document follows the updated description and structure of the
standard published in 2016. The sections of this document that describe
the algorithm directly map to the corresponding sections (and numbering)
of the standard, for the convenience of the reader. The sections on
design considerations, hardware adaptability and cryptanalysis provide a
translation of the design considerations, hardware adaptability and
cryptanalysis results of SM3 in the words of its designer, Xiaoyun Wang.
The cryptanalysis section has also been updated to include the latest
published research on SM3.

The SM3 algorithm was designed by Xiaoyun Wang et al. It was first
published publicly by the SCA (OSCCA at that time) in 2010, then
published as a China industry standard in 2012, and finally published as
a Chinese National Standard (GB Standard) in 2016. SM3 was standardized
by the International Organization for Standardization in 2017.

The latest SM3 standard was proposed by the SCA, standardized through
TC 260 of the Standardization Administration of the People's Republic of
China (SAC), and was drafted by the following individuals at Tsinghua
University, the China Commercial Cryptography Testing Center, the
People's Liberation Army Information Engineering University, and the
Data Assurance and Communication Security Research Center (DAS Center)
of the Chinese Academy of Sciences:

- Xiao-Yun Wang
- Zheng Li
- Yong-Chuan Wang
- Hong-Bo Yu
- Yong-Quan Xie
- Chao Zhang
- Peng Luo
- Shu-Wang Lu

SM3 has prevalent hardware implementations, since it is the only
SCA-approved cryptographic hash algorithm allowed for use in China.

Conventions used in this document

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.

Terms and definitions

The following terms and definitions apply to this document.

bit string: a binary string composed of 0s and 1s.

big-endian: describes the order in which data is stored in memory, where
the more significant digits are stored at the lower storage addresses
and the less significant digits are stored at the higher storage
addresses.

message: a bit string of arbitrary length. In this document, the message
is the input to the hash algorithm.

hash value: the output bit string of the hash algorithm, given a message
as input.

word: a 32-bit quantity.

Symbols

bitlen(S): the length of string S in bits (e.g., bitlen(101) == 3).

Addition of two 32-bit vectors S and T, with mod 2^32 wrap-around.

Bitwise "and" of two 32-bit vectors S and T. S and T always have the
same length.

Bitwise "or" of two 32-bit vectors S and T. S and T always have the same
length.

Bitwise exclusive-or of two 32-bit vectors S and T. S and T always have
the same length.

Bitwise "not" of a 32-bit vector S.

32-bit bitwise cyclic shift of a, with i bits shifted left.

S || T: string S concatenated with string T (e.g., 000 || 111 ==
000111).

Assignment of value S to variable a.

num2str(i, n): the n-bit string whose base-2 interpretation is i (e.g.,
num2str(14,4) == 1110 and num2str(1,2) == 01).

ABCDEFGH: an 8-word-width register.

B_i: the i-th message section.

CF: the compression function.

FF_j, GG_j: boolean functions, changing according to j.

IV: the initialization vector, used to determine the initial state of
the compression function registers.

P_0: the permutation function within the compression function.

P_1: the permutation function for message expansion.

T_j: the algorithm constant, changing according to j.

m: the message.

m': the message m after padding.

n: the number of message blocks within a message.

Constants

T_j is defined by the following two cases (the values are given in the
standard):

When 0 <= j <= 15:

When 16 <= j <= 63:

The selection of T_j is based on the considerations provided in the
design considerations section on addition constants.

Functions

The boolean functions FF_j and GG_j are defined by the following two
cases, where X, Y, Z are 32-bit words:

When 0 <= j <= 15:

When 16 <= j <= 63:

Note that FF_j and GG_j are identical for 0 <= j <= 15. Design
considerations of these boolean functions are detailed in the design
considerations section.

The permutation functions P_0 and P_1 are defined over a 32-bit word X.
Design considerations of these permutation functions are detailed in the
design considerations section.

Algorithm description

The SM3 cryptographic hash algorithm takes as input a message m of length
l (where l < 2^64), and after padding and iterative compression, produces
a hash value 256 bits long. Examples are provided in a later section.

Padding

The following steps pad a message m to m', where bitlen(m') is a
multiple of 512. The input message m has a length of l bits.

1. Append a bit "1" to the end of the message m.
2. Append a k-bit string K, which is a series of "0"s, to the end of
   message m, where k is the smallest non-negative number that satisfies
   l + 1 + k = 448 (mod 512).
3. Append a 64-bit bit string L, where L = num2str(l, 64).

Inputs: m, the original message of length l bits.
Output: m', the padded message of m, where bitlen(m') is a multiple of
512.

m' is the result of the three steps above applied to m.

For example, given the message 01100001 01100010 01100011, its length l
is 24, so k = 423 (since 24 + 1 + 423 = 448) and the padded m' is a
single 512-bit block: the 24 message bits, a "1" bit, 423 "0" bits and
the 64-bit string num2str(24, 64).

Iterative process

Inputs: m', the padded message of m, composed of n 512-bit blocks, where
n = (l + k + 65) / 512; IV, a 256-bit initialization vector.
Output: V_n, the resulting hash value of m.

V_n is obtained by applying CF iteratively, starting from IV, to the
expanded message blocks, where CF is the compression function, ME is the
message expansion function, and B_i is the i-th block of the padded
message m'.

Message expansion

This step expands each message block B_i into the bit string E_i for the
compression function CF, where E_i is made up of 132 words:
E_i = W_0 || ... || W_67 || W'_0 || ... || W'_63.

Inputs: B_i, the i-th message block of the padded message m'.
Output: E_i, the result of the message expansion function ME(B_i).

The design considerations of ME are detailed in the design
considerations section, and the selection criteria for the rotational
constants 7 and 15 are provided there as well.

Compression function

CF(V_i, E_i) is defined as follows.

Inputs: V_i, the output value of the i-th iteration; E_i, the expanded
form of the i-th message block B_i.
Variables: A, B, C, D, E, F, G, H, 32-bit registers; SS1, SS2, TT1, TT2,
32-bit intermediate variables.
Output: V_{i + 1}, the result of the compression function, where
0 <= i <= n - 1.

All 32-bit words used here are stored in big-endian format. The design
considerations of CF are detailed in the design considerations section.

Hash value

The final hash value y, 256 bits long, is V_n, the output of the last
iteration.

Design considerations

SM3's iterative compression function, while similar in structure to that
of SHA-256, incorporates a number of novel design techniques, including
its 16 steps of pure exclusive-or operations, double-word message entry
and the permutation function P that accelerates the avalanche effect.
These techniques reduce its sensitivity to locality and increase both
weak and strong collision resistance against differential cryptanalysis,
linear cryptanalysis and bit-tracing cryptanalysis techniques.

Hardware adaptability

The SM3 algorithm uses word addition, carry operations and a 4-stage pipeline.
The P permutation is used to accelerate the avalanche effect and efficiency of
the algorithm without increasing cost of hardware.SM3 is designed to be highly efficient and widely applicable across platforms,
and its operations can be easily realized in hardware on 32-bit microprocessors
and 8-bit smartcards.The design of SM3 took into account of the following principles:Effectively resist bit-tracing and other cryptanalysis techniques;Reasonable requirements for implementation in hardware and software; andGenerally match or exceed performance of SHA-256 under the same
conditions, while satisfying security requirements.The SM3 compression function is designed to have a clear structure and provide
a strong avalanche effect, utilizing the following design techniques.Double-word message intervention. The double-word message input is selected
from the output of the message expansion algorithm. To produce the avalanche
effect as early as possible, mod 2^32 arithmetic addition and the P
permutations are used.Each step uses message bits from the previous step for nonlinear rapid
diffusion, each message bit is rapidly incorporated into the current step’s
diffusion and mixing.Uses a mixture of different groups of operations, including modulus 2^32
addition, exclusive-or, ternary boolean functions and P permutations.While satisfying the security requirements, the algorithm should be easily
realized in hardware and smartcards and therefore its nonlinear operations
mainly utilize boolean and additive operations.Compression function parameters should facilitate the characteristics of
diffusion completeness and the rapid avalanche effect.The selection of permutation P_0 constants should exclude short displacement
distances, bit-shifts at word-length multiples and bit-shifts of composite
numbers.Numbers 9 and 17 have been selected as shift constants having considered
the security and implementability of the algorithm.Boolean functions are used to guard against bit-tracing cryptanalysis
techniques, improve the nonlinearity and reduce differential image
characteristics.The selection of boolean functions should fulfill the following requirements.Steps 0-15 uses pure exclusive-or operations to prevent bit-tracing.Steps 16-63 use nonlinear operations to improve the algorithm’s
nonlinearity. At the same time, bits should be well-diffused to
combine with the shift performed inside the compression function to
reduce differentials between input and output.The function should be a non-degenerate boolean function that is 0- and
1-balanced.The boolean function must be obvious and simple to understand, as well as
easy to implement.The selection of rotational constants R and R' are based on the
following requirements:When value x is rotated on 0-15, R . x mod 32, R' . x mod 32,
R + R') . x mod 32$$ is well distributed among 0-31, making message
diffusion more balanced. See .R and R' should complement the rotational constants S,
S' as well as the permutation P_0 to accelerate diffusion of message
bits.Rotational constants S and S' are used to accelerate message-bit
diffusion and to increase mixture of the three inputs of the boolean functions.
These constants are used in the message expansion stage.The selection of rotational constants S and S' are based on the
following requirements:The absolute difference of S and S' should be around 8. S'
should be a prime number, S should be a "further" odd number, to make message
diffusion more balanced.Needs to complement the rotational constants R and R' in accelerating
diffusion of message bits.The choice of S and S' should be easily implementable on 8-bit smartcards.S and S' should not counteract the functionality of the permutation P_0,
especially the avalanche effect.Addition constants are used to provide randomness.For mod 2^32 calculations, addition constants can reduce the linearity and
probability of differential inheritance .The requirements for the addition constants are:The addition constants should be 0-, 1-balanced in binary form.The addition constants in binary form, should have a maximum run length of 1
and 0 of less than 5 and 4 respectively.Addition constants should be easy to represent and memorize.Message expansion is used to expand a message block of 512 bits to 2176 bits.
A better diffusion effect with minimal computation is achieved through the
usage of linear feedback shift registers.The message expansion algorithm is mainly used to enhance the correlation
between message bits, and reduce the possibility of attacking the SM3 algorithm
through message expansion vulnerabilities.Requirements of the message extension algorithm are:The algorithm must be entropy-preserving.Linear expansion of the message to preserve correlation within the expanded
message.Provides a strong avalanche effect.Suitable for hardware and smartcard implementations.This section provides the latest cryptanalysis results of the SM3
algorithm, and compares them with the cryptanalysis of other
standardized hash algorithms.

Current published cryptanalysis research mainly focuses on collision
attacks, preimage attacks and distinguishing attacks.

Collision attacks

Modular differential cryptanalysis is the most common method for finding
collisions of hash algorithms. It is generally described as the
following steps:

1. Select a proper input difference, which decides the probability of a
   successful attack.
2. Search for a feasible differential path for the selected input
   difference.
3. Derive the sufficient conditions that guarantee the feasibility of
   the differential path. During the search for the differential path,
   if the conditions on the chaining variables are fixed, a feasible
   differential path means that all conditions on the chaining
   variables derived from the path have no conflicts with each other.
4. Apply message modification techniques to fulfill as many sufficient
   conditions as possible.

Several automated searching methods for differential paths have been
published in recent years.

Based on differential characteristics of the SM3 algorithm, Mendel et
al. presented a 20-step collision attack and a 24-step freestart
collision attack against SM3 at CT-RSA 2013.

Preimage attacks

Preimage attacks against hash algorithms with a Merkle-Damgard
construction have mainly been the meet-in-the-middle attack and its
improved variants, such as the differential meet-in-the-middle
technique.

While searching for preimages, a pseudo preimage of a single message
block has to be found first, and then the pseudo preimage is converted
to a preimage of multiple blocks. The steps of finding a pseudo preimage
can be generally described as:

1. Select proper independent message words (or bits), denoted
   independent message word 1 and independent message word 2, and split
   the compression function into three parts based on them: independent
   part 1, independent part 2 and the match part. Independent message
   word 1 and independent part 2 are independent of each other, as are
   independent message word 2 and independent part 1.
2. Randomly set all message words other than independent message words
   1 and 2, and also the chaining variables of independent parts 1 and
   2.
3. Calculate list L_1 from independent message word 1 and independent
   part 1. Calculate list L_2 from independent message word 2 and
   independent part 2.
4. Search for a collision between L_1 and L_2; the corresponding initial
   value and message of this collision will be a pseudo preimage.

The biclique attack is an initial structure for creating
meet-in-the-middle attacks. Using bicliques, Zou et al. at ICISC 2011
presented a preimage attack on SM3 from step 1 to step 28, and a 30-step
preimage attack that starts from the middle.

In 2012, Wang and Shen mounted a differential biclique attack to give
29- and 30-step preimage attacks against SM3, as well as 31- and 32-step
pseudo-preimage attacks against SM3. These results start from step 1.

Distinguishing attacks

The boomerang attack is the main distinguishing attack used against SM3.
The boomerang attack uses chaining variables from one or multiple steps
to form a long differential path by connecting two short differential
paths, and then constructs a quartet that fulfills the input and output
differentials. The process is generally described as the following
steps:

1. Select a proper message differential and construct the short
   differential paths. The message differential should be selected such
   that the sufficient conditions appear around the conjunction
   position.
2. Test the sufficient conditions around the conjunction position to
   see whether they conflict.
3. Randomly select chaining variables at the conjunction position, then
   apply message modification techniques so that the modified message
   fulfills as many sufficient conditions as possible.
4. Starting from the conjunction position, construct the corresponding
   differential paths toward each side, to derive the corresponding
   input and output differentials.

At SAC 2012, Kircanski et al. presented 32-step to 35-step boomerang
distinguishing attacks against the SM3 algorithm, along with instances
of the 32-step and 33-step attacks. They also utilized the shifting
characteristic of the SM3 algorithm to replace all non-linear operations
with XOR operations to obtain the SM3-XOR characteristic.

In 2014, Bai et al. improved the boomerang attack against SM3 with 34-
to 37-step attacks, and presented instances of that attack at 34 and 35
steps.

Summary of results

The best cryptanalysis results of the SM3 algorithm, as of publication
of this document, are shown in the following table (HF: the hash
function; CF: the compression function).

   Attack Type          Target  Steps  Complexity
   -------------------  ------  -----  ----------
   Collision            HF      20     Practical
   Freestart Collision  CF      24     Practical
   Preimage             HF      28     2^241.5
   Preimage             HF      30     2^249
   Preimage             HF      29     2^245
   Preimage             HF      30     2^251.1
   Pseudo-Preimage      CF      31     2^245
   Pseudo-Preimage      CF      32     2^251.1
   Boomerang            CF      33     Practical
   Boomerang            CF      35     2^117.1
   Boomerang            CF      35     Practical
   Boomerang            CF      37     2^192

The results for SM3 compared with those for SHA-1, SHA-2, RIPEMD-128,
RIPEMD-160, Whirlpool, Stribog and SHA-3 are shown in the following
table (Steps / Rounds: the number of steps or rounds attacked; %: that
number as a percentage of the full algorithm).

   Algorithm    Attack Type    Steps / Rounds  %
   -----------  -------------  --------------  -----
   SM3          Collision      20              31
   SM3          Preimage       30              47
   SM3          Distinguisher  37              58
   SHA-1        Collision      80              100
   SHA-1        Preimage       62              77.5
   RIPEMD-128   Collision      40              62.5
   RIPEMD-128   Preimage       36              62.5
   RIPEMD-128   Distinguisher  64              100
   RIPEMD-160   Preimage       34              53.12
   RIPEMD-160   Distinguisher  51              79.68
   SHA-256      Collision      31              48.4
   SHA-256      Preimage       45              70.3
   SHA-256      Distinguisher  47              73.4
   Whirlpool    Collision      8               80
   Whirlpool    Preimage       6               60
   Whirlpool    Distinguisher  10              100
   Stribog-256  Collision      6.5             54.2
   Stribog-512  Collision      7.5             62.5
   Stribog-512  Preimage       6               50
   Stribog-512  Distinguisher  6               50
   SHA3-224     Collision      5               20.8
   SHA3-256     Collision      5               20.8
   SHA3-256     Preimage       4               16.7
   SHA3-512     Collision      3               12.5
   SHAKE-128    Collision      5               20.8
   Keccak-f     Distinguisher  24              100

The comparison table indicates:

- Collision attacks: the attack percentage of SM3 is slightly higher
  than SHA-3, lower than the other compared algorithms, and the lowest
  among MD-SHA-like algorithms at 31% of steps.
- Preimage attacks: the attack percentage of SM3 is slightly higher
  than SHA-3, lower than the other compared algorithms, and the lowest
  among MD-SHA-like algorithms at 47% of steps.
- Distinguisher attacks: the attack percentage of SM3 is lower than
  all compared algorithms, with only 58% of steps distinguished.

These results demonstrate that the SM3 algorithm is highly resistant.

Object identifiers

The object identifiers for SM3 are listed below. All SM3 GM/T OIDs
belong under the "1.2.156.10197" OID prefix, registered by the Chinese
Cryptography Standardization Technology Committee ("CCSTC"), a committee
under the SCA. Its components are described below in ASN.1 notation.

   "id-ccstc" {iso(1) member-body(2) cn(156) ccstc(10197)}

These SM3 OIDs are assigned and described in the referenced
cryptographic application identifier specifications.

- "1.2.156.10197.1.400" for "Hash Algorithms":
     "id-hash" {id-ccstc sm-scheme(1) hash(400)}
- "1.2.156.10197.1.401" for "Hash Algorithm: SM3 Algorithm":
     "id-hash-sm3" {id-ccstc sm-scheme(1) sm3(401)}
- "1.2.156.10197.1.401.1" for "Hash Algorithm: SM3 Algorithm used
  without secret key":
     "id-hash-sm3-nsk" {id-hash-sm3 no-secret-key(1)}
- "1.2.156.10197.1.401.2" for "Hash Algorithm: SM3 Algorithm used with
  secret key":
     "id-hash-sm3-sk" {id-hash-sm3 secret-key(2)}

The following OIDs that involve SM3 are described there as well.

- "1.2.156.10197.1.500" for "Integrated Algorithms":
     "id-int" {id-ccstc sm-scheme(1) integrated(500)}
- "1.2.156.10197.1.501" for "Digital Signature: SM2 and SM3":
     "id-dsa-sm2sm3" {id-int dsa-sm2sm3(501)}
- "1.2.156.10197.1.502" for "Digital Signature: SM9 and SM3":
     "id-dsa-sm9sm3" {id-int dsa-sm9sm3(502)}
- "1.2.156.10197.1.504" for "Digital Signature: RSA and SM3":
     "id-dsa-rsasm3" {id-int dsa-rsasm3(504)}

The "SM3 Hash Algorithm" standard is assigned the "1.2.156.10197.6.1.1.4"
OID, and this assignment is also described in the referenced
specifications.

   "id-standard-sm3" {id-ccstc standard(1) fundamental(1) algorithm(1) sm3(4)}

Note that this OID is purely used for identifying the SM3 standard
itself.

SM3 is assigned the OID "1.0.10118.3.0.65" ("id-dhf-SM3") in ISO/IEC
10118-3. Its components are described below in ASN.1 notation.

   "is10118-3" {iso(1) standard(0) hash-functions(10118) part3(3)}
   "id-dhf" {is10118-3 algorithm(0)}
   "id-dhf-SM3" {id-dhf sm3(65)}

Security considerations

Products and services that utilize cryptography in China are regulated
by the SCA: they must be explicitly approved or certified by the SCA
before being allowed to be sold or used in China.

SM3 is a cryptographic hash algorithm published by the SCA. No formal
proof of security is provided. The security properties of SM3 are under
public study. There are no known feasible attacks against the SM3
algorithm at the time this document is published.

SM3 is a hash function that generates a 256-bit hash value. It is
considered an alternative to SHA-256.

IANA considerations

This document does not require any action by IANA.

Normative references:

- GB/T 32905-2016: Information security techniques -- SM3 cryptographic
  hash algorithm. Standardization Administration of the People's
  Republic of China, Beijing. http://www.sac.gov.cn
- ISO/IEC FDIS 10118-3 -- Information technology -- Security techniques
  -- Hash-functions -- Part 3: Dedicated hash-functions. International
  Organization for Standardization, Geneva. https://www.iso.org/
- RFC 2119: Key words for use in RFCs to Indicate Requirement Levels.
Informative references:

- Addend Dependency of Differential/Linear Probability of Addition.
  Yokohama Research Center, Telecommunications Advancement Organization
  of Japan. https://www.nict.go.jp
- Botan: Crypto and TLS for C++11. Botan Project.
  https://botan.randombit.net
- GB/T 32918.2-2016: Information Security Technology -- Public Key
  Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 2:
  Digital Signature Algorithm. Standardization Administration of the
  People's Republic of China. http://www.sac.gov.cn
- GB/T 32918.3-2016: Information Security Technology -- Public Key
  Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 3: Key
  Exchange. Standardization Administration of the People's Republic of
  China. http://www.sac.gov.cn
- GB/T 32918.4-2016: Information Security Technology -- Public Key
  Cryptographic Algorithm SM2 Based On Elliptic Curves -- Part 4: Public
  Key Encryption Algorithm. Standardization Administration of the
  People's Republic of China. http://www.sac.gov.cn
- GB/T 33560-2017: Information security technology -- Cryptographic
  application identifier criterion specification. Standardization
  Administration of the People's Republic of China. http://www.sac.gov.cn
- The GmSSL Project. Peking University. https://www.gmssl.org
- GM/T 0004-2012: SM3 Cryptographic Hash Algorithm. Organization of
  State Commercial Administration of China. http://www.oscca.gov.cn
- GOST R 34.11-2012: Information technology -- Cryptographic Data
  Security -- Hash-function. Federal Agency on Technical Regulation and
  Metrology, Moscow, Russia.
- Handbook of Applied Cryptography.
- Improved zero-sum distinguisher for full round Keccak-f permutation.
  Department of Computer Science and Engineering, Shanghai Jiao Tong
  University.
- Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD. Shandong
  University; Institute of Software, Chinese Academy of Sciences;
  Shanghai Jiao Tong University.
- Preimage attacks on one-block MD4, 63-step MD5 and more. NTT
  Corporation.
- How to Break MD5 and Other Hash Functions. Shandong University.
- Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption
  Standard. Stanford University.
- NIST Federal Information Processing Standard 180-1: Secure Hash
  Standard (SHS). National Institute of Standards and Technology.
  http://www.nist.gov/
- NIST Federal Information Processing Standard 180-2: Secure Hash
  Standard (SHS). National Institute of Standards and Technology.
  http://www.nist.gov/
- FIPS 180-4: Secure Hash Standard (SHS). National Institute of
  Standards and Technology. http://www.nist.gov/
- NIST Federal Information Processing Standard 202: SHA-3 Standard:
  Permutation-Based Hash and Extendable-Output Functions. National
  Institute of Standards and Technology. http://www.nist.gov/
- OpenSSL: Cryptography and SSL/TLS Toolkit. OpenSSL Software
  Foundation. https://www.openssl.org
- Public Key Cryptographic Algorithm SM2 Based on Elliptic Curves.
  Organization of State Commercial Administration of China.
  http://www.oscca.gov.cn
- SM3 Cryptographic Hash Algorithm. Office of State Commercial
  Administration of China. http://www.oscca.gov.cn
- Distinguishers beyond Three Rounds of the RIPEMD-128/-160 Compression
  Functions. NTT Secure Platform Laboratories, NTT Corporation; The
  University of Electro-Communications.
- Practical collision attack on 40-step RIPEMD-128. School of Computer
  Science and Technology, Donghua University.
- Cryptanalysis Of Full RIPEMD-128. DGA MI, France; Division of
  Mathematical Sciences, School of Physical and Mathematical Sciences,
  Nanyang Technological University.
- (Second) Preimage Attacks on Step-Reduced RIPEMD/RIPEMD-128 with a New
  Local-Collision Approach. The University of Electro-Communications;
  NTT Corporation.
- (Pseudo-) Preimage Attacks on Step-Reduced HAS-160 and RIPEMD-160.
  School of Computer Science and Technology, Donghua University; Key
  Laboratory of Cryptologic Technology and Information Security,
  Ministry of Education, Shandong University.
- RIPEMD-160: A Strengthened Version of RIPEMD. Dept.
  Elektrotechniek-ESAT, Katholieke Universiteit Leuven.
  http://www.esat.kuleuven.be
- State Cryptography Administration of China. http://www.sca.gov.cn
- Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family.
  Institute for Applied Information Processing and Communications, Graz
  University of Technology.
- Finding collisions in the full SHA-1. Shandong University; Independent
  Security Consultant, Greenwich, CT.
- Cryptanalysis on SHA-1. Shandong University; Tsinghua University; City
  University of Hong Kong.
- New Collision Attacks on SHA-1 Based on Optimal Joint Local-Collision
  Analysis. CWI, Amsterdam.
- Higher-Order Differential Meet-in-the-middle Preimage Attacks on SHA-1
  and BLAKE. École normale supérieure de Cachan; Université de Rennes 1;
  Inria.
- New Preimage Attacks against Reduced SHA-1. Microsoft Research; ETH
  Zurich and FHNW.
- Finding SHA-2 Characteristics: Searching through a Minefield of
  Contradictions. Institute for Applied Information Processing and
  Communications (IAIK), Graz University of Technology.
- Bicliques for Preimages: Attacks on Skein-512 and the SHA-2 Family.
  Microsoft Research; DTU MAT; National Research University Higher
  School of Economics.
- Improving Local Collisions: New Attacks on Reduced SHA-256. Institute
  for Applied Information Processing and Communications (IAIK), Graz
  University of Technology.
- Second-Order Differential Collisions for Reduced SHA-256. University
  of Luxembourg; Institute for Applied Information Processing and
  Communications (IAIK), Graz University of Technology.
- Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized
  Internal Differentials. Computer Science Department, The Weizmann
  Institute.
- New Collision Attacks on Round-Reduced Keccak. State Key Laboratory of
  Information Security, Institute of Information Engineering, Chinese
  Academy of Sciences; Nanyang Technological University.
- Rotational Cryptanalysis of Round-Reduced Keccak. Section of
  Informatics, University of Commerce, Kielce; Department of Computing,
  Macquarie University.
- Non-Full Sbox Linearization: Applications to Collision Attacks on
  Round-Reduced Keccak. Nanyang Technological University; South China
  Normal University.
- Boomerang and slide-rotational analysis of the SM3 hash function.
  Concordia Institute for Information Systems Engineering, Concordia
  University, Montreal, Canada; School of Computer Science and
  Technology, Donghua University.
- Improved Boomerang Attacks on Round-Reduced SM3 and Keyed Permutation
  of BLAKE-256. Tsinghua University; School of Computer Science and
  Technology, Donghua University.
- Finding collisions for round-reduced SM3. Institute for Applied
  Information Processing and Communications (IAIK), Graz University of
  Technology.
- SM3 Cryptographic Hash Algorithm. Institute for Advanced Study,
  Tsinghua University; Department of Computer Science and Technology,
  Tsinghua University.
- Preimage attacks on step-reduced SM3 hash function. State Key
  Laboratory of Information Security, Institute of Software, Chinese
  Academy of Sciences.
- Preimage and Pseudo-Collision Attacks on Step-Reduced SM3 Hash
  Function. School of Computer Science and Technology, Donghua
  University.
- Preimage Attacks on Reduced-Round Stribog. Concordia Institute for
  Information Systems Engineering, Concordia University, Montreal,
  Canada.
- Improved Cryptanalysis on Reduced-Round GOST and Whirlpool Hash
  Function. State Key Laboratory of Information Security, Institute of
  Software, Chinese Academy of Sciences.
SecurityInstitute of Software, Chinese Academy of SciencesBeijingPeople's Republic of Chinalb@is.ac.cnState Key Laboratory of Information SecurityInstitute of Software, Chinese Academy of SciencesBeijingPeople's Republic of Chinahaorl@mail.ustc.edu.cnState Key Laboratory of Information SecurityInstitute of Software, Chinese Academy of SciencesBeijingPeople's Republic of Chinaxqli@is.ac.cnThe WHIRLPOOL Hash FunctionInstitute for Applied Information Processing and Communications (IAIK), Graz University of TechnologyGrazAustriaUniversity of Sao PauloSao PauloBrazilhttp://www.larc.usp.brInvestigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision AttacksNTT Secure Platform LaboratoriesNTT CorporationMusashino-shiJapanThe University of Electro-CommunicationsChoufu-shiJapanInstitute of Software, Chinese Academy of SciencesBeijingPeople's Republic of ChinaInstitute of Software, Chinese Academy of SciencesBeijingPeople's Republic of ChinaThe Rebound Attack and Subspace Distinguishers: Application to Whirlpool NXP Semiconductors Austria, Gratkorn, Austria 8101GratkornA-8101AustriaInstitute for Applied Information Processing and Communications (IAIK), Graz University of TechnologyInffeldgasse 16aGrazA-8010AustriaInstitute for Applied Information Processing and Communications (IAIK), Graz University of TechnologyInffeldgasse 16aGrazA-8010AustriaDTU ComputeLyngby3001DenmarkKU Leuven and iMindsDepartment of Electrical Engineering ESAT/COSICKU Leuven and iMindsKasteelpark Arenberg 10HeverleeB-3001BelgiumXiaoyun Wang -- Institute of Advanced Study -- Tsinghua UniversityInstitute for Advanced Study, Tsinghua UniversityBeijing100084People's Republic of Chinaxiaoyunwang@mail.tsinghua.edu.cn
&RFC6150;
&RFC6234;
Example 1, provided by the SM3 specification, demonstrates hashing of a
plaintext that requires padding.

The input "abc" is represented in hexadecimal form as 616263.

The message after padding is shown below.

The message after expansion is shown below.

W_0 W_1 ... W_67:

W'_0 W'_1 ... W'_63:

Example 2, provided by the SM3 specification, demonstrates hashing of a
512-bit plaintext. Because a 512-bit message leaves no room in its own
block for the padding bit and the 64-bit length field, the padded
message occupies two 512-bit blocks, and the expansion is shown for
each block in turn.

The message after padding is shown below.

Expansion of the first block:

W_0 W_1 ... W_67:

W'_0 W'_1 ... W'_63:

Expansion of the second block:

W_0 W_1 ... W_67:

W'_0 W'_1 ... W'_63:

The following examples give only the resulting hash values; the same
test vectors can be found in the Botan, OpenSSL and GmSSL cryptographic
libraries.

SM2 digital signature examples (Part 2):

From A.2, "Z_A = H_256(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)".
Input:
Output:

From A.2, "e = H_256(M)".
Input:
Output:

From A.3, "Z_A = H_256(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)".
Input:
Output:

From A.3, "e = H_256(M)".
Input:
Output:

SM2 key exchange examples (Part 3):

From A.2, "Z_A = H_256(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)".
Input:
Output:

From A.2, "Z_B = H_256(ENTL_B || ID_B || a || b || x_G || y_G || x_B || y_B)".
Input:
Output:

From A.2, "Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.2, "S_B = 0x02 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.2, "S_A = 0x03 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.3, "Z_A = H_256(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A)".

Note: this example appears in Section A.3 of Part 3 of the SM2
standard; however, the value given there for x_A was found to be
erroneous during the authoring of this document:

A brute-force search by the authors yielded the actual value for x_A,
shown below:

Input:
Output:

From A.3, "Z_B = H_256(ENTL_B || ID_B || a || b || x_G || y_G || x_B || y_B)".
Input:
Output:

From A.3, "Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.3, "S_B = 0x02 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

From A.3, "S_A = 0x03 || y_V || Hash(x_V || Z_A || Z_B || x_1 || y_1 || x_2 || y_2)".
Input:
Output:

SM2 public key encryption examples (Part 4):

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

"C_3 = Hash(x_2 || M || y_2)".
Input:
Output:

The sample implementation accompanying this document was used to
generate the examples given in it. It consists of the following files:

"sm3.h" is the header file for the SM3 function.

"sm3.c" contains the main implementation of SM3.

"sm3_main.c" runs the examples provided in this document and prints the
internal state for implementation reference.

"print.c" and "print.h" provide the pretty formatting used to print the
examples for this document.

The authors would like to thank the following persons for their
valuable advice and input:

Erick Borsboom, for the lengthy review of this document and example
verification;

Jack Lloyd and Daniel Wyatt of the Ribose RNP team, for their input and
implementation.
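The following is an added worked example written for this edited copy; it is not the sample implementation (sm3.c) described above nor code from the SM3 specification. It is a compact SM3 in C that exposes the two steps examples 1 and 2 walk through: sm3_pad_tail() produces the padded block or blocks (for "abc" this is 616263 || 80 || 00...00 || 0000000000000018, so W_0 = 61626380 and W_15 = 00000018) and sm3_expand() derives W_0..W_67 and W'_0..W'_63. It goes beyond the two examples in handling any message length, including the 512-bit input of example 2 that pads into a second block. sm2_za() builds the Z_A pre-image used by the A.2/A.3 examples; the check a practitioner wants there is that ENTL_A is the bit length of ID_A encoded in 16 bits. All function names are this example's own; the identity "ALICE123@YAHOO.COM" and the filler curve and key bytes in sm2_za_demo() are constructed placeholders, not the test-curve values of those examples, so the Z_A it computes is not one listed above.

```c
/* Added example, not the document's sm3.c: compact SM3 in C exposing the
 * padding and message-expansion steps of examples 1 and 2, plus the SM2 Z_A
 * pre-image of the A.2/A.3 examples (inputs of sm2_za_demo are constructed). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint32_t rotl(uint32_t x, unsigned n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}
#define P0(x) ((x) ^ rotl((x), 9) ^ rotl((x), 17))
#define P1(x) ((x) ^ rotl((x), 15) ^ rotl((x), 23))
static const uint32_t SM3_IV[8] = { 0x7380166f, 0x4914b2b9, 0x172442d7, 0xda8a0600,
                                    0xa96f30bc, 0x163138aa, 0xe38dee4d, 0xb0fb0e4e };

/* Message expansion of one 512-bit block into W[0..67] and W'[0..63]. */
void sm3_expand(const uint8_t blk[64], uint32_t W[68], uint32_t W1[64]) {
    for (int j = 0; j < 16; j++)   /* big-endian words */
        W[j] = ((uint32_t)blk[4*j] << 24) | ((uint32_t)blk[4*j+1] << 16)
             | ((uint32_t)blk[4*j+2] << 8) | blk[4*j+3];
    for (int j = 16; j < 68; j++)
        W[j] = P1(W[j-16] ^ W[j-9] ^ rotl(W[j-3], 15)) ^ rotl(W[j-13], 7) ^ W[j-6];
    for (int j = 0; j < 64; j++) W1[j] = W[j] ^ W[j+4];
}

/* Compression function: V <- CF(V, block), 64 steps. */
static void sm3_compress(uint32_t V[8], const uint8_t blk[64]) {
    uint32_t W[68], W1[64], A=V[0], B=V[1], C=V[2], D=V[3], E=V[4], F=V[5], G=V[6], H=V[7];
    sm3_expand(blk, W, W1);
    for (int j = 0; j < 64; j++) {
        uint32_t T   = j < 16 ? 0x79cc4519u : 0x7a879d8au;
        uint32_t SS1 = rotl(rotl(A, 12) + E + rotl(T, (unsigned)j), 7);
        uint32_t SS2 = SS1 ^ rotl(A, 12);
        uint32_t FF  = j < 16 ? (A ^ B ^ C) : ((A & B) | (A & C) | (B & C));
        uint32_t GG  = j < 16 ? (E ^ F ^ G) : ((E & F) | (~E & G));
        uint32_t TT1 = FF + D + SS2 + W1[j], TT2 = GG + H + SS1 + W[j];
        D = C; C = rotl(B, 9);  B = A; A = TT1;
        H = G; G = rotl(F, 19); F = E; E = P0(TT2);
    }
    V[0]^=A; V[1]^=B; V[2]^=C; V[3]^=D; V[4]^=E; V[5]^=F; V[6]^=G; V[7]^=H;
}

/* Padding of the last partial block: 0x80, zeros, then the 64-bit big-endian
 * bit length.  Fills 64 or 128 bytes of tail and returns that length. */
size_t sm3_pad_tail(const uint8_t *msg, size_t len, uint8_t tail[128]) {
    size_t rem = len % 64, padlen = rem < 56 ? 64 : 128;
    uint64_t bits = (uint64_t)len * 8;
    memcpy(tail, msg + (len - rem), rem);
    tail[rem] = 0x80;
    memset(tail + rem + 1, 0, padlen - rem - 9);
    for (int i = 0; i < 8; i++) tail[padlen - 1 - i] = (uint8_t)(bits >> (8 * i));
    return padlen;
}

void sm3(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t V[8]; uint8_t tail[128]; size_t i, padlen;
    memcpy(V, SM3_IV, sizeof V);
    for (i = 0; i + 64 <= len; i += 64) sm3_compress(V, msg + i);
    padlen = sm3_pad_tail(msg, len, tail);
    for (i = 0; i < padlen; i += 64) sm3_compress(V, tail + i);
    for (i = 0; i < 32; i++) out[i] = (uint8_t)(V[i / 4] >> (24 - 8 * (i % 4)));
}

/* Hex digest in a static buffer, for comparison with the examples. */
const char *sm3_hex(const uint8_t *msg, size_t len) {
    static char hex[65]; uint8_t d[32];
    sm3(msg, len, d);
    for (int i = 0; i < 32; i++) snprintf(hex + 2 * i, 3, "%02x", (unsigned)d[i]);
    return hex;
}

/* Z_A = SM3(ENTL_A || ID_A || a || b || x_G || y_G || x_A || y_A); params holds
 * a, b, x_G, y_G, x_A, y_A already concatenated (6 x 32 bytes).  ENTL_A is the
 * *bit* length of ID_A as a 16-bit big-endian integer (using the byte length
 * is a common interoperability bug).  Returns the pre-image length, 0 on error. */
size_t sm2_za(const char *id, const uint8_t params[192], uint8_t out[32]) {
    uint8_t buf[2 + 8191 + 192]; size_t idlen = strlen(id);
    if (idlen > 8191) return 0;                  /* ENTL_A must fit in 16 bits */
    buf[0] = (uint8_t)(idlen * 8 >> 8); buf[1] = (uint8_t)(idlen * 8);
    memcpy(buf + 2, id, idlen);
    memcpy(buf + 2 + idlen, params, 192);
    sm3(buf, 2 + idlen + 192, out);
    return 2 + idlen + 192;
}

/* Constructed inputs: 18-byte ID (ENTL_A = 0x0090), filler params; returns 212. */
size_t sm2_za_demo(uint8_t out[32]) {
    uint8_t params[192];
    for (int i = 0; i < 192; i++) params[i] = (uint8_t)(0x10 + i / 32);
    return sm2_za("ALICE123@YAHOO.COM", params, out);
}

int main(void) {
    uint8_t z[32];
    printf("SM3(\"abc\") = %s\n", sm3_hex((const uint8_t *)"abc", 3));
    printf("Z_A pre-image length = %zu\n", sm2_za_demo(z));
    return 0;
}
```

Save as sm3_example.c and build with cc -std=c99 sm3_example.c. The digest of "abc" is 66c7f0f462eeedd9d1f2d46bdc10e4e24167c4875cf2f7a2297da02b8f4ba8e0 and that of "abcd" repeated sixteen times is debe9ff92275b8a138604889c18e5a4d6fdb70e5387e5765293dcba39c0c5732, the results of examples 1 and 2. The 192-byte params layout forces the caller to assemble the six field elements explicitly, which is where most Z_A mismatches between implementations occur (wrong field-element width, or ENTL_A given in bytes).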