idnits 2.17.1 draft-ribose-openpgp-sca-00.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.

Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document updates RFC6637, but the abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document updates RFC4880, but the abstract doesn't seem to directly say this. It does mention RFC4880 though, so this could be OK.

Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC4880, updated by this document, for RFC5378 checks: 1999-12-21)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.)
-- The document date (December 15, 2017) is 2323 days in the past. Is this intentional?

Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs)
== Unused Reference: 'SM2-1' is defined on line 1038, but no explicit reference was found in the text
== Outdated reference: A later version (-10) exists of draft-ribose-cfrg-sm4-08
== Outdated reference: A later version (-02) exists of draft-sca-cfrg-sm3-00

Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 4 comments (--).

Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Internet Research Task Force                                     R. Tse
Internet-Draft                                                   Ribose
Updates: 4880, 6637 (if approved)                               W. Wong
Intended status: Standards Track            Hang Seng Management College
Expires: June 18, 2018                                         J. Lloyd
                                                               D. Wyatt
                                                            E. Borsboom
                                                                 Ribose
                                                      December 15, 2017

                       SCA Extensions For OpenPGP
                      draft-ribose-openpgp-sca-00

Abstract

This document enables OpenPGP (RFC4880) to be used in a compliant manner according to regulations set by the SCA (the State Cryptography Administration of China) within China.

Specifically, it extends OpenPGP to support the usage of the SM2, SM3 and SM4 algorithms, and provides the SCA-compliant OpenPGP profile "SCA-SM234".

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on June 18, 2018.

Copyright Notice

Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Table of Contents

   1.  Introduction
   2.  Terms and Definitions
   3.  Symbols And Abbreviations
   4.  SM2 Algorithms
     4.1.  SM2 Digital Signature Algorithm
     4.2.  SM2 Key Exchange Protocol
     4.3.  SM2 Public Key Encryption
     4.4.  Recommended SM2 Curve
       4.4.1.  Definitions
       4.4.2.  Elliptic Curve Formula
       4.4.3.  Curve Parameters
     4.5.  Data Formats
       4.5.1.  Secret Key Data Format
       4.5.2.  Encrypted Data Format
       4.5.3.  Signature Data Format
   5.  SM3 Hash Algorithm
   6.  SM4 Symmetric Encryption Algorithm
   7.  Supported Algorithms
     7.1.  Public Key Algorithms
     7.2.  Symmetric Key Algorithms
     7.3.  Hash Algorithms
   8.  Conversion Primitives
   9.  SM2 Key Derivation Function
     9.1.  Prerequisites
     9.2.  Inputs
     9.3.  Outputs
   10.  Encoding of Public and Private Keys
     10.1.  Public-Key Packet Formats
     10.2.  Secret-Key Packet Formats
   11.  Message Encoding with Public Keys
     11.1.  Public-Key Encrypted Session Key Packets (Tag 1)
     11.2.  Signature Packet (Tag 2)
       11.2.1.  Version 3 Signature Packet Format
       11.2.2.  Version 4 Signature Packet Format
   12.  SM2 ECC Curve OID
   13.  Compatibility Profiles
     13.1.  SCA SM234 Profile
   14.  Security Considerations
   15.  IANA Considerations
   16.  References
     16.1.  Normative References
     16.2.  Informative References
   Appendix A.  Examples
     A.1.  Public Key Example
     A.2.  Signature Example
   Appendix B.  Acknowledgements
   Authors' Addresses

1.  Introduction

SM2 [GBT.32918.1-2016] [I-D.shen-sm2-ecdsa], SM3 [GBT.32905-2016] [I-D.sca-cfrg-sm3] and SM4 [GBT.32907-2016] [I-D.ribose-cfrg-sm4] are cryptographic standards issued by the State Cryptography Administration [SCA] (formerly OSCCA, the Office of State Commercial Cryptography Administration of China) as authorized cryptographic algorithms for use within China. These algorithms are publicly published.

Adoption of this document enables exchange of OpenPGP-secured email [RFC4880] in an SCA-compliant manner through usage of the authorized combination of SM2, SM3 and SM4.

SM2 is an elliptic curve cryptosystem (ECC) that is composed of a set of public key cryptographic algorithms based on elliptic curves and also a recommended elliptic curve:

   o  Digital Signature Algorithm [GBT.32918.2-2016]

   o  Key Exchange Protocol [GBT.32918.3-2016]

   o  Public Key Encryption Algorithm [GBT.32918.4-2016]

   o  SM2 Recommended Elliptic Curve [GBT.32918.5-2017]

SM3 [GBT.32905-2016] is a hash algorithm designed for electronic authentication purposes.

SM4 [GBT.32907-2016] is a symmetric encryption algorithm designed for data encryption.

SM2, SM3 and SM4 are standardized at ISO as [ISO.IEC.14888-3], [ISO.IEC.10118-3], and [ISO.IEC.18033-3.AMD2] respectively.
This document extends OpenPGP [RFC4880] and its ECC extension [RFC6637] to support SM2, SM3 and SM4:

   o  support the SM3 hash algorithm for data validation purposes

   o  support signatures utilizing the combination of SM3 with other digital signing algorithms, such as RSA, ECDSA and SM2

   o  support the SM2 asymmetric encryption algorithm for public key operations

   o  support usage of SM2 in combination with supported hash algorithms, such as SHA-256 and SM3

   o  support the SM4 symmetric encryption algorithm for data protection purposes

   o  define the OpenPGP profile "SCA-SM234" to enable usage of OpenPGP in an SCA-compliant manner.

2.  Terms and Definitions

The key words "*MUST*", "*MUST NOT*", "*REQUIRED*", "*SHALL*", "*SHALL NOT*", "*SHOULD*", "*SHOULD NOT*", "*RECOMMENDED*", "*MAY*", and "*OPTIONAL*" in this document are to be interpreted as described in [RFC2119].

Compliant applications are a subset of the broader set of OpenPGP applications described in [RFC4880]. Any [RFC2119] keyword within this document applies to compliant applications only.

The following terms and definitions apply to this document.

   SCA-compliant
      All cryptographic algorithms used are compliant with SCA [SCA] regulations.

   SM2DSA
      The elliptic curve digital signature algorithm defined in [GBT.32918.2-2016]

   SM2KEP
      The elliptic curve key exchange protocol defined in [GBT.32918.3-2016]

   SM2PKE
      The public key encryption algorithm defined in [GBT.32918.4-2016]

3.  Symbols And Abbreviations

This document uses the following definitions of operations from [RFC7253]; they are included here for reference.

   c^i
      The integer c raised to the i-th power.

   S || T
      String S concatenated with string T (e.g., 000 || 111 == 000111).

4.  SM2 Algorithms

SM2 is an elliptic curve based cryptosystem (ECC) [GBT.32918.1-2016] [I-D.shen-sm2-ecdsa] published by [SCA].

It was first published by the SCA ("OSCCA" at that time) in public in 2010 [OSCCA-SM2], then standardized as [GMT-0003-2012] in 2012, included in [ISO.IEC.11889] in 2015, published as a Chinese National Standard as [GBT.32918.1-2016], and published in [ISO.IEC.14888-3] in 2017.

The SM2 cryptosystem [I-D.shen-sm2-ecdsa] is published in 5 parts, covering:

   o  Part 1: General [GBT.32918.1-2016]

   o  Part 2: Digital Signature Algorithm [GBT.32918.2-2016]

   o  Part 3: Key Exchange [GBT.32918.3-2016]

   o  Part 4: Public Key Encryption Algorithm [GBT.32918.4-2016]

   o  Part 5: Parameter Definition [GBT.32918.5-2017]

Specifically, it is composed of three distinct algorithms:

   o  an elliptic curve digital signature algorithm ("SM2DSA") [GBT.32918.2-2016] [ISO.IEC.14888-3] [SM2-2]

   o  a key exchange protocol ("SM2KEP") [GBT.32918.3-2016]; and

   o  a public key encryption algorithm ("SM2PKE") [GBT.32918.4-2016].

This document refers to the SM2DSA and SM2PKE algorithms for the usage of OpenPGP [RFC4880].

[GMT-0009-2012] provides specifications on interoperable usage of SM2 data formats, and they are adhered to within this document.

4.1.  SM2 Digital Signature Algorithm

The SM2 Digital Signature Algorithm is intended for digital signature generation and verification in commercial cryptographic applications, including, but not limited to:

   o  identity authentication

   o  protection of data integrity

   o  verification of data authenticity

The signing and verification processes, together with examples, are found in [GBT.32918.2-2016], [ISO.IEC.14888-3], [SM2-2], and are also described in [I-D.shen-sm2-ecdsa].

The SM2DSA process requires the use of a hash function internally. For SCA-compliant usage, an SCA-compliant hash function such as SM3 [GBT.32905-2016] *MUST* also be used.
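The following is an added example, not code from the draft or from any SM2 standard text: an SM2DSA signer and verifier over the "SM2 Recommended" curve of Section 4.4.3, applying the two OpenPGP-specific requirements of Section 4.1 (the user identifier IDA is the empty string, and the value signed is H(ZA || H(msg)) rather than H(ZA || msg), using one hash throughout). The hash is pluggable; SM3 is what SCA compliance requires, but hashlib.sha256 is substituted here as an assumption so the example runs with the Python standard library alone. Point arithmetic is plain affine double-and-add, adequate for illustration but not constant-time.

```python
import hashlib
import secrets

# "SM2 Recommended" curve y^2 = x^3 + a*x + b over F_p (Section 4.4.3).
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0
G = (GX, GY)
INF = None  # point at infinity


def hash_fn(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for SM3. Both are 256-bit, which the
    # 32-octet field layout in za_input() relies on.
    return hashlib.sha256(data).digest()


def on_curve(pt) -> bool:
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def ec_add(p1, p2):
    """Affine point addition (handles doubling and the inverse case)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def za_input(pub, ida: bytes = b"") -> bytes:
    """Preimage of ZA: ENTL || IDA || a || b || xG || yG || xA || yA.
    In OpenPGP IDA MUST be empty, so ENTL is the two octets 00 00."""
    entl = (len(ida) * 8).to_bytes(2, "big")
    f = lambda v: v.to_bytes(32, "big")
    return entl + ida + f(A) + f(B) + f(GX) + f(GY) + f(pub[0]) + f(pub[1])


def openpgp_digest(pub, msg: bytes) -> bytes:
    # Section 4.1: sign H(ZA || H(msg)), not H(ZA || msg); same hash for both.
    return hash_fn(hash_fn(za_input(pub)) + hash_fn(msg))


def keygen():
    d = secrets.randbelow(N - 2) + 1  # 1 <= d <= n - 2
    return d, ec_mul(d, G)


def sign(d: int, pub, msg: bytes):
    e = int.from_bytes(openpgp_digest(pub, msg), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh per-signature nonce
        x1, _ = ec_mul(k, G)
        r = (e + x1) % N
        if r == 0 or r + k == N:
            continue
        s = pow(1 + d, -1, N) * (k - r * d) % N
        if s != 0:
            return r, s


def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = int.from_bytes(openpgp_digest(pub, msg), "big")
    t = (r + s) % N
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, G), ec_mul(t, pub))
    return pt is not INF and (e + pt[0]) % N == r


def roundtrip(msg: bytes):
    """Returns (genuine signature verifies, altered message rejected)."""
    d, pub = keygen()
    sig = sign(d, pub, msg)
    return verify(pub, msg, sig), verify(pub, msg + b"x", sig)
```

The `N * G == INF` check in the test is the quickest sanity test that the transcribed curve parameters and the field arithmetic agree with each other; a transcription error in any parameter makes it fail.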
Formal security proofs for SM2 are provided in [SM2-SigSecurity], indicating that it satisfies both EUF-CMA security and security against generalized strong key substitution attacks.

The SM2DSA algorithm has been cryptanalyzed by multiple parties, with the current strongest attacks being nonce attacks [SM2-DSA-Nonces] [SM2-DSA-Nonces2] and lattice attacks [SM2-DSA-Lattice].

In terms of OpenPGP usage, SM2DSA is an alternative to the ECDSA algorithm specified in [RFC6637].

For OpenPGP compatibility, these additional requirements *MUST* be adhered to:

   o  SM2DSA allows use of an optional "user identity" string which is hashed into "ZA" (Section 3.5 of [SM2-2] and Section 5.1.4.4 of [I-D.shen-sm2-ecdsa]). In OpenPGP, the user identifier "IDA" *MUST* be the empty string.

   o  While SM2DSA usually signs "H(ZA || msg)" (Section 4.1 of [SM2-2]), this document follows the OpenPGP convention of [RFC6637] of not directly signing the raw message "msg", but its hash "H(msg)". Therefore, when a message is signed by SM2DSA in OpenPGP, the algorithm *MUST* sign the content of "H(ZA || H(msg))" instead of "H(ZA || msg)". The hash algorithm used in both places *MUST* be identical.

4.2.  SM2 Key Exchange Protocol

The SM2 Key Exchange Protocol is used for cryptographic key exchange, allowing the negotiation and exchange of a session key within two to three message transfers.

The key exchange and verification processes, together with examples, are found in [GBT.32918.3-2016] [SM2-3], and are also described in [I-D.shen-sm2-ecdsa].

SM2KEP is not used with OpenPGP as it is a two- to three-pass key exchange mechanism, while in OpenPGP the public keys of recipients are available from the start.

The SM2KEP is now considered insecure due to [SM2-KEP-Comments], similar in status to the Unified Model and MQV schemes described in [NIST.SP.800-56Ar2].

4.3.  SM2 Public Key Encryption

The SM2 Public Key Encryption algorithm is an elliptic curve based asymmetric encryption algorithm. It is used for cryptographic encryption and decryption, allowing the message sender to use the public key of the message receiver to encrypt the message, with the recipient decrypting the message using the corresponding private key.

The full description of SM2PKE is provided in [GBT.32918.4-2016].

It utilizes a public key size of 512 bits and a private key size of 256 bits [GBT.32918.4-2016] [GMT-0003-2012].

The encryption and decryption processes, together with examples, are found in [GBT.32918.4-2016] and [SM2-4].

The SM2PKE process requires the use of a hash function internally. For SCA-compliant usage, an SCA-compliant hash function such as SM3 [GBT.32905-2016] *MUST* also be used.

In OpenPGP, SM2PKE is an alternative to RSA as specified in [RFC4880].

4.4.  Recommended SM2 Curve

The recommended curve is specified in [GBT.32918.5-2017] [SM2-5] and provided here for reference. SM2 uses a 256-bit elliptic curve.

4.4.1.  Definitions

   p
      an integer larger than 3

   a, b
      elements of F_q, defining an elliptic curve E on F_q

   n
      Order of base point G (n is a prime factor of E(F_q))

   x_G
      x-coordinate of generator G

   y_G
      y-coordinate of generator G

4.4.2.  Elliptic Curve Formula

   y^2 = x^3 + ax + b

4.4.3.  Curve Parameters

   p   = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF 00000000 FFFFFFFF FFFFFFFF
   a   = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
         FFFFFFFF 00000000 FFFFFFFF FFFFFFFC
   b   = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7
         F39789F5 15AB8F92 DDBCBD41 4D940E93
   n   = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
         7203DF6B 21C6052B 53BBF409 39D54123
   x_G = 32C4AE2C 1F198119 5F990446 6A39C994
         8FE30BBF F2660BE1 715A4589 334C74C7
   y_G = BC3736A2 F4F6779C 59BDCEE3 6B692153
         D0A9877C C62A4740 02DF32E5 2139F0A0

4.5.  Data Formats

[GMT-0009-2012] defines a number of data formats for the SM2 algorithm to allow interoperable implementations. This document adheres to these conventions.

4.5.1.  Secret Key Data Format

The SM2 secret key data format is described in ASN.1 as [GMT-0009-2012]:

   SM2PrivateKey ::= INTEGER

The SM2 public key data format is described in ASN.1 as [GMT-0009-2012]:

   SM2PublicKey ::= BIT STRING

Where:

   o  "SM2PublicKey" is of type "BIT STRING" with content "04 || X || Y".

      *  "X" and "Y" specify the x- and y-coordinates of the public key, each 256 bits long.

4.5.2.  Encrypted Data Format

The SM2 encrypted data format is provided by [GMT-0009-2012] as the following in ASN.1 format:

   SM2Cipher ::= SEQUENCE {
       XCoordinate INTEGER,              -- x-coordinate
       YCoordinate INTEGER,              -- y-coordinate
       HASH        OCTET STRING SIZE(32), -- hash value
       CipherText  OCTET STRING          -- ciphertext
   }

Where:

   o  "XCoordinate" and "YCoordinate" are x- and y-coordinates on the elliptic curve, both 256 bits long.

   o  "HASH" is the hash value calculated from the hash function used in "KDF", of a fixed bit length of 256 bits.

   o  "CipherText" is of the same length as its plaintext.

4.5.3.  Signature Data Format

The SM2 signature data format is described in ASN.1 as [GMT-0009-2012]:

   SM2Signature ::= SEQUENCE {
       R INTEGER, -- first portion of signature
       S INTEGER  -- second portion of signature
   }

"R" and "S" represent the first and second portion of the signature, and both are 256 bits long.

5.  SM3 Hash Algorithm

The SM3 Cryptographic Hash Algorithm [GBT.32905-2016] is an iterative hash function designed by Xiaoyun Wang et al., published by [SCA] as an alternative to SHA-2 [NIST.FIPS.180-4].

The specification, security considerations and cryptanalysis results of SM3 are thoroughly presented in [I-D.sca-cfrg-sm3].
It was first published by the SCA ("OSCCA" at that time) in public in 2010 [SM3], then published as an industry cryptographic standard in 2012 [GMT-0004-2012], published as a Chinese National Standard in 2016 as [GBT.32905-2016], and included in the [ISO.IEC.10118-3] standard in 2017.

The algorithm is designed to be used for commercial cryptographic applications including, but not limited to:

   o  digital signatures and their verification

   o  message authentication code generation and verification

   o  generation of random numbers

SM3 has a Merkle-Damgard construction and is similar to SHA-2 [NIST.FIPS.180-4] of the MD4 [RFC6150] family, with the addition of several strengthening features including a more complex step function and stronger message dependency than SHA-256 [SM3-Boomerang].

SM3 produces an output hash value 256 bits long, based on 512-bit input message blocks [GBT.32905-2016], on input lengths up to 2^(m).

6.  SM4 Symmetric Encryption Algorithm

SM4 [GBT.32907-2016] is a symmetric encryption algorithm designed by Shuwang Lu et al., originally intended for use in wireless local area network (Wireless LAN) products.

The specification, security considerations and cryptanalysis results of SM4 are thoroughly presented in [I-D.ribose-cfrg-sm4].

SM4 is a 128-bit blockcipher, uses a key size of 128 bits and internally uses an 8-bit S-box. It performs 32 rounds per block. Decryption is achieved by reversing the order of the encryption round keys.

SMS4 was first published in public as part of WAPI (Wired Authentication and Privacy Infrastructure), the Chinese National Standard for Wireless LAN [GB.15629.11-2003]. It was then published independently by SCA ("OSCCA" at that time) in 2006 [SM4], formally renamed to SM4 in 2012 [GMT-0002-2012], published as a Chinese National Standard in 2016 [GBT.32907-2016], and included in [ISO.IEC.18033-3.AMD2] in 2017.

It is a required encryption algorithm specified in WAPI [GB.15629.11-2003].

7.  Supported Algorithms

7.1.  Public Key Algorithms

The SM2 algorithm is supported with the following extension.

The following public key algorithm ID is added to expand Section 9.1 of [RFC4880], "Public-Key Algorithms":

   +-----+--------------------------+
   | ID  | Description of Algorithm |
   +-----+--------------------------+
   | TBD | SM2                      |
   +-----+--------------------------+

Compliant applications *MUST* support both usages of SM2 (Section 4):

   o  SM2 Digital Signature Algorithm (SM2DSA) [GBT.32918.2-2016]

   o  SM2 Public Key Encryption (SM2PKE) [GBT.32918.4-2016]

7.2.  Symmetric Key Algorithms

The SM4 algorithm is supported with the following extension.

The following symmetric encryption algorithm ID is added to expand Section 9.2 of [RFC4880], "Symmetric-Key Algorithms":

   +-----+--------------------------+
   | ID  | Description of Algorithm |
   +-----+--------------------------+
   | TBD | SM4                      |
   +-----+--------------------------+

Compliant applications *MUST* support SM4 (Section 6).

7.3.  Hash Algorithms

The SM3 algorithm is supported with the following extension.

The following hash algorithm ID is added to expand Section 9.3 of [RFC4880], "Hash Algorithms":

   +-----+--------------------------+
   | ID  | Description of Algorithm |
   +-----+--------------------------+
   | TBD | SM3                      |
   +-----+--------------------------+

Compliant applications *MUST* support SM3 (Section 5).

8.  Conversion Primitives

The encoding method of [RFC6637] Section 6 *MUST* be used, and is compatible with the definition given in [SEC1].

For clarity, according to the EC curve MPI encoding method of [RFC6637], the exact size of the MPI payload for the "SM2 Recommended" 256-bit curve [GBT.32918.5-2017] is 515 bits.

9.  SM2 Key Derivation Function

A key derivation function (KDF) is necessary to implement EC encryption.

The SM2PKE KDF is defined in Section 3.4.3 of [GBT.32918.4-2016] (and Section 5.4.3 of [I-D.shen-sm2-ecdsa], Section 3.4.3 of [SM2-4]).

For SCA compliance, it *SHOULD* be used in conjunction with an SCA-approved hash algorithm, such as SM3 [GBT.32905-2016].

The SM2PKE KDF is equivalent to the KDF2 function defined in Section 13.2 of [IEEE.1363a.2004] given the following assignments:

   o  Parameter

      *  v as hBits, the output length of the selected hash function Hash

   o  Input

      *  KEYLEN as oBits

      *  Z as the plaintext string; and

      *  PB is set to the empty bit string.

Pseudocode of the SM2KDF function is provided here for convenience. This function contains edited variable names for clarity.

9.1.  Prerequisites

   o  Hash(S) is a hash function that outputs a v-bit long hash value based on input S.

   o  MSB(b, S) is a function that outputs the b most significant bits of the bitstream S.

   o  Floor(r) and Ceil(r) are the floor and ceiling functions respectively for the input of real number r. Both functions output an integer.

9.2.  Inputs

   KEYLEN
      Desired key length. A positive integer less than (2^32 - 1) x v.

   Z
      Plaintext. String of any length.

9.3.  Outputs

   K
      Generated key. String of length KEYLEN.

K is defined as follows.
   _____________________________________________________________________

   Counter = 1                      // a 32-bit counter
   n = KEYLEN / v

   for each 1 <= i <= Ceil(n)
       Ha_i = Hash( Z || Counter )
       Counter = Counter + 1
   end for

   if n is a whole number then
       Ha! = Ha_{Ceil(n)}
   else
       Ha! = MSB(KEYLEN - (v x Floor(n)), Ha_{Ceil(n)})
   end if

   K = Ha_1 || Ha_2 || ... || Ha_{Ceil(n)-1} || Ha!
   _____________________________________________________________________

10.  Encoding of Public and Private Keys

10.1.  Public-Key Packet Formats

The following algorithm-specific packets are added to Section 5.5.2 of [RFC4880], "Public-Key Packet Formats", to support SM2DSA and SM2PKE.

This document extends the algorithm-specific portion with the following fields.

Algorithm-Specific Fields for SM2DSA keys:

   o  a variable-length field containing a curve OID, formatted as follows:

      *  a one-octet size of the following field; values 0 and 0xFF are reserved for future extensions

      *  octets representing a curve OID, described in Section 12

   o  MPI of an EC point representing a public key

Algorithm-Specific Fields for SM2PKE keys:

   o  a variable-length field containing a curve OID, formatted as follows:

      *  a one-octet size of the following field; values 0 and 0xFF are reserved for future extensions

      *  octets representing a curve OID, described in Section 12

   o  MPI of an EC point representing a public key

Note that both SM2DSA and SM2PKE public keys are composed of the same sequence of fields, and use the same codepoint to identify them. They are distinguished by the key usage flags.

10.2.  Secret-Key Packet Formats

The following algorithm-specific packets are added to Section 5.5.3 of [RFC4880], "Secret-Key Packet Formats", to support SM2DSA and SM2PKE.

This document extends the algorithm-specific portion with the following fields.

Algorithm-Specific Fields for SM2DSA or SM2PKE secret keys:

   o  an MPI of an integer representing the secret key, which is a scalar of the public EC point

11.  Message Encoding with Public Keys

11.1.  Public-Key Encrypted Session Key Packets (Tag 1)

Section 5.1 of [RFC4880], "Public-Key Encrypted Session Key Packets (Tag 1)", is extended to support SM2PKE using the following algorithm-specific fields for SM2PKE, through applying the KDF described in Section 9.

Algorithm-Specific Fields for SM2 encryption:

   o  The SM2 ciphertext is formatted in the OpenPGP bitstream as a single MPI. This consists of:

      *  The data format described in Section 4.5.2 containing data provided by [GBT.32918.4-2016] Section 6.1 step A8 ("C = (C1 || C3 || C2)"), followed by

      *  a single octet giving the code for the hash algorithm used within the calculation of the KDF mask "t" (step A5 of [GBT.32918.4-2016] Section 6.1) and the calculation of "C3" (step A7 of [GBT.32918.4-2016] Section 6.1). For SCA compliance, this *MUST* be an SCA-approved hash function, and in any case, it *SHOULD* be a hash which is listed in the receiving key's "Preferred Hash Algorithms" list (Section 5.2.3.8 of [RFC4880]).

11.2.  Signature Packet (Tag 2)

11.2.1.  Version 3 Signature Packet Format

Section 5.2.2 of [RFC4880] defines the signature format for "Version 3 Signature Packet Format". Similar to ECDSA [RFC6637], no change in the format is necessary for SM2DSA.

11.2.2.  Version 4 Signature Packet Format

Section 5.2.3 of [RFC4880] defines the signature format for "Version 4 Signature Packet Format". Similar to ECDSA [RFC6637], no change in the format is necessary for SM2DSA.

12.  SM2 ECC Curve OID

This section provides the curve ASN.1 Object Identifier (OID) of the "SM2 Recommended Curve" [GBT.32918.5-2017] described in Section 4, according to the method of [RFC6637].
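The wire-format pieces specified in Sections 8, 9, 11.1 and 12 fit together as shown in this added example, which is not code from the draft: DER encoding of the curve OID 1.2.156.10197.1.301 into the one-octet-length curve field of Section 10.1, the RFC 6637 MPI of an EC point (515 bits for this curve), the Section 9 KDF, and the algorithm-specific MPI of a Tag 1 packet holding the DER SM2Cipher of Section 4.5.2 followed by the hash-algorithm octet. Assumptions: hashlib.sha256 stands in for SM3 (so the hash-algorithm octet uses the RFC 4880 ID 8 for SHA-256; SM3's ID is TBD in this draft), the point C1 is the curve generator standing in for kG, and the shared point (x2, y2), which SM2PKE obtains from a scalar multiplication not performed here, is a constructed value rather than a real curve point.

```python
import hashlib
import hmac

V_BITS = 256                      # v: output length of the hash (Section 9)
HASH_ALGO_ID = 8                  # RFC 4880 ID of the stand-in hash (SHA-256)
SM2_CURVE_OID = "1.2.156.10197.1.301"
GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0


def hash_fn(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # assumption: SHA-256 in place of SM3


def sm2_kdf(z: bytes, keylen_bits: int) -> bytes:
    """Section 9 KDF: Hash(Z || Counter) for a 32-bit big-endian counter from 1,
    truncated with MSB() to KEYLEN bits."""
    if not 0 < keylen_bits < (2 ** 32 - 1) * V_BITS:
        raise ValueError("KEYLEN out of range")
    blocks = -(-keylen_bits // V_BITS)                      # Ceil(KEYLEN / v)
    out = b"".join(hash_fn(z + c.to_bytes(4, "big")) for c in range(1, blocks + 1))
    out = out[: -(-keylen_bits // 8)]                       # Ceil(KEYLEN / 8) octets
    if keylen_bits % 8:                                     # clear spare low bits
        out = out[:-1] + bytes([out[-1] & (0xFF << (8 - keylen_bits % 8)) & 0xFF])
    return out


# --- minimal DER encoders for SM2Cipher (Section 4.5.2) and the curve OID ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")    # leading 00 if high bit set
    return b"\x02" + der_len(len(body)) + body


def der_octets(b: bytes) -> bytes:
    return b"\x04" + der_len(len(b)) + b


def der_sequence(*parts: bytes) -> bytes:
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body


def oid_bytes(dotted: str) -> bytes:
    """OID content octets (no 06 tag/length): first two arcs packed, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return bytes(out)


def curve_oid_field(dotted: str = SM2_CURVE_OID) -> bytes:
    """Section 10.1: one-octet length (0 and 0xFF reserved) then the OID octets."""
    body = oid_bytes(dotted)
    if not 0 < len(body) < 0xFF:
        raise ValueError("curve OID length not encodable")
    return bytes([len(body)]) + body


def mpi(value: bytes) -> bytes:
    """RFC 4880 MPI: two-octet count of significant bits, then the value octets."""
    value = value.lstrip(b"\x00")
    return int.from_bytes(value, "big").bit_length().to_bytes(2, "big") + value


def point_mpi(x: int, y: int) -> bytes:
    """Section 8 / RFC 6637 Section 6: MPI of 04 || X || Y (515 bits here)."""
    return mpi(b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big"))


def sm2pke_symmetric_part(x2: int, y2: int, m: bytes):
    """Steps A5-A7 of GB/T 32918.4 Section 6.1 once (x2, y2) is known:
    t = KDF(x2 || y2), C2 = M xor t, C3 = Hash(x2 || M || y2)."""
    xb, yb = x2.to_bytes(32, "big"), y2.to_bytes(32, "big")
    t = sm2_kdf(xb + yb, len(m) * 8)
    return bytes(a ^ b for a, b in zip(m, t)), hash_fn(xb + m + yb)


def sm2pke_recover(x2: int, y2: int, c2: bytes, c3: bytes):
    """Decryptor side: recompute t, unmask, and reject unless C3 matches."""
    xb, yb = x2.to_bytes(32, "big"), y2.to_bytes(32, "big")
    m = bytes(a ^ b for a, b in zip(c2, sm2_kdf(xb + yb, len(c2) * 8)))
    return m if hmac.compare_digest(hash_fn(xb + m + yb), c3) else None


def pkesk_sm2_field(c1, c3: bytes, c2: bytes, hash_id: int = HASH_ALGO_ID) -> bytes:
    """Section 11.1: single MPI of DER SM2Cipher(C1x, C1y, C3, C2) || hash ID octet."""
    cipher = der_sequence(der_integer(c1[0]), der_integer(c1[1]), der_octets(c3), der_octets(c2))
    return mpi(cipher + bytes([hash_id]))


# Constructed sample inputs (not real protocol values).
SESSION_KEY = bytes(range(16))
X2 = int.from_bytes(hash_fn(b"constructed x2"), "big")
Y2 = int.from_bytes(hash_fn(b"constructed y2"), "big")
```

Usage: `c2, c3 = sm2pke_symmetric_part(X2, Y2, SESSION_KEY)` then `pkesk_sm2_field((GX, GY), c3, c2)` yields the bytes that follow the key ID and algorithm octet in the Tag 1 packet. The C3 comparison in `sm2pke_recover` is the only integrity check SM2PKE gives the session key, so a decryptor must refuse to use the recovered value when it fails.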
We specify the curve OID of the "SM2 Recommended Curve" to be the registered OID entry of "SM2 Elliptic Curve Cryptography" according to [GMT-0006-2012], which is "1.2.156.10197.1.301".

The table below specifies the exact sequence of bytes of the mentioned curve:

   +---------------------+--------+--------------------+---------------+
   | ASN.1 OID           | OID    | Curve OID bytes in | Curve name    |
   |                     | len    | hex                |               |
   +---------------------+--------+--------------------+---------------+
   | 1.2.156.10197.1.301 | 8      | 2A 81 1C CF 55 01  | SM2           |
   |                     |        | 82 2D              | Recommended   |
   +---------------------+--------+--------------------+---------------+

The complete ASN.1 DER encoding for the SM2 Recommended curve OID is "06 08 2A 81 1C CF 55 01 82 2D", from which the entry in the table above is constructed by omitting the first two octets (the tag and length). Only the truncated sequence of octets is the valid representation of a curve OID.

13.  Compatibility Profiles

13.1.  SCA SM234 Profile

The "SCA SM234" profile is designed to be compliant with SCA regulations. A compliant OpenPGP implementation *MUST* implement the following items as described by this document:

   o  SM2 Recommended Curve (Section 12)

   o  SM2 (SM2DSA and SM2PKE) (Section 4)

      *  The hash function selected in SM2DSA and SM2PKE *MUST* also be SCA-compliant, such as SM3 [SM3]

   o  SM3 (Section 5)

   o  SM4 (Section 6)

14.  Security Considerations

   o  Products and services that utilize cryptography are regulated by the SCA [SCA]; they must be explicitly approved or certified by the SCA before being allowed to be sold or used in China.

   o  SM2 [GBT.32918.1-2016] is an elliptic curve cryptosystem (ECC) approved by the SCA [SCA]. Its security relies on the assumption that the elliptic curve discrete logarithm problem (ECLP) is computationally infeasible. With advances in cryptanalysis, new attack algorithms may reduce the complexity of ECLP, making it easier to attack the SM2 cryptosystem that is considered secure at the time this document is published. You *SHOULD* check current literature to determine if the algorithms in SM2 have been found vulnerable.

   o  There are security concerns with regard to side-channel attacks against ECCs, including template attacks (such as [SM2-Template]) that rely on physical access to the computation device. An implementer of ECC systems *SHOULD* be aware of potential vulnerabilities in this regard.

   o  SM3 [GBT.32905-2016] is a cryptographic hash algorithm approved by the SCA [SCA]. Security considerations provided in [I-D.sca-cfrg-sm3] apply. There are no known practical attacks against the SM3 algorithm at the time this document is published.

   o  SM4 [GBT.32907-2016] is a blockcipher approved by the SCA [SCA]. Security considerations of SM4 offered in [I-D.ribose-cfrg-sm4] apply. No formal proof of security is provided, but there are no known practical attacks against the SM4 algorithm by the time of publishing this document.

      There are security concerns with regard to side-channel attacks when the SM4 algorithm is implemented in a device [SM4-Power]. Side-channel security concerns are described in [I-D.ribose-cfrg-sm4]. When the SM4 algorithm is implemented in hardware, the parameters/keys *SHOULD* be randomly generated without fixed correlation.

   o  SM2 has a key length of 512 bits for the public key and 256 bits for the private key. It is considered an alternative to ECDSA P-256 [RFC6637]. Its security strength is comparable to a 128-bit symmetric key strength [I-D.ietf-msec-mikey-ecc], e.g., AES-128 [NIST.FIPS.197].

   o  SM3 is a hash function that generates a 256-bit hash value. It is considered an alternative to SHA-256 [RFC6234].
800 o SM4 is a blockcipher symmetric algorithm with a key length of 128 801 bits. It is considered as an alternative to AES-128 802 [NIST.FIPS.197]. 804 o Security considerations offered in [RFC6637] and [RFC4880] also 805 apply. 807 15. IANA Considerations 809 The IANA "Pretty Good Privacy (PGP)" registry [RFC8126] has made the 810 following assignments for algorithms described in this document, 811 namely: 813 o ID XXX of the "Public Key Algorithms" namespace for SM2 Section 4 815 o ID XXX of the "Hash Algorithms" namespace for SM3 Section 5 817 o ID XXX of the "Symmetric Key Algorithms" namespace for SM4 818 Section 6 820 16. References 822 16.1. Normative References 824 [GBT.32905-2016] 825 Standardization Administration of the People's Republic of 826 China, "GB/T 32905-2016 Information Security Techniques -- 827 SM3 Cryptographic Hash Algorithm", August 2016, 828 . 831 [GBT.32907-2016] 832 Standardization Administration of the People's Republic of 833 China, "GB/T 32907-2016 Information Security Technology -- 834 SM4 Block Cipher Algorithm", August 2016, 835 . 838 [GBT.32918.2-2016] 839 Standardization Administration of the People's Republic of 840 China, "GB/T 32918.2-2016 Information Security Technology 841 -- Public Key Cryptographic Algorithm SM2 Based On 842 Elliptic Curves -- Part 2: Digital Signature Algorithm", 843 August 2016, . 846 [GBT.32918.4-2016] 847 Standardization Administration of the People's Republic of 848 China, "GB/T 32918.4-2016 Information Security Technology 849 -- Public Key Cryptographic Algorithm SM2 Based On 850 Elliptic Curves -- Part 4: Public Key Encryption 851 Algorithm", August 2016, . 854 [GBT.32918.5-2017] 855 Standardization Administration of the People's Republic of 856 China, "GB/T 32918.5-2017 Information Security Technology 857 -- Public Key Cryptographic Algorithm SM2 Based On 858 Elliptic Curves -- Part 5: Parameter Definition", May 859 2017, . 
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

   [RFC6637]  Jivsov, A., "Elliptic Curve Cryptography (ECC) in
              OpenPGP", RFC 6637, DOI 10.17487/RFC6637, June 2012.

16.2.  Informative References

   [BOTAN]    Lloyd, J., "Botan: Crypto and TLS for C++11", October
              2017.

   [GB.15629.11-2003]
              Standardization Administration of the People's Republic of
              China, "Information technology -- Telecommunications and
              information exchange between systems -- Local and
              metropolitan area networks -- Specific requirements --
              Part 11: Wireless LAN Medium Access Control (MAC) and
              Physical Layer (PHY) Specifications", May 2003.

   [GBT.32918.1-2016]
              Standardization Administration of the People's Republic of
              China, "GB/T 32918.1-2016 Information Security Technology
              -- Public Key Cryptographic Algorithm SM2 Based On
              Elliptic Curves -- Part 1: General", August 2016.

   [GBT.32918.3-2016]
              Standardization Administration of the People's Republic of
              China, "GB/T 32918.3-2016 Information Security Technology
              -- Public Key Cryptographic Algorithm SM2 Based On
              Elliptic Curves -- Part 3: Key Exchange", August 2016.

   [GMT-0002-2012]
              Office of State Commercial Cryptography Administration of
              China, "GM/T 0002-2012: SM4 Block Cipher Algorithm", March
              2012.

   [GMT-0003-2012]
              Office of State Commercial Cryptography Administration of
              China, "GM/T 0003-2012: Public Key Cryptographic Algorithm
              SM2 Based on Elliptic Curves", March 2012.

   [GMT-0004-2012]
              Office of State Commercial Cryptography Administration of
              China, "GM/T 0004-2012: SM3 Hash Algorithm", March 2012.
   [GMT-0006-2012]
              Office of State Commercial Cryptography Administration of
              China, "GM/T 0006-2012: Cryptographic Application
              Identifier Criterion Specification", March 2012.

   [GMT-0009-2012]
              Office of State Commercial Cryptography Administration of
              China, "GM/T 0009-2012: SM2 cryptography algorithm
              application specification", March 2012.

   [I-D.ietf-msec-mikey-ecc]
              Milne, A., "ECC Algorithms for MIKEY", draft-ietf-msec-
              mikey-ecc-03 (work in progress), June 2007.

   [I-D.ribose-cfrg-sm4]
              Tse, R. and W. Wong, "The SM4 Blockcipher Algorithm And
              Its Modes Of Operations", draft-ribose-cfrg-sm4-08 (work
              in progress), December 2017.

   [I-D.sca-cfrg-sm3]
              Shen, S., Lee, X., Tse, R., Wong, W., and P. Yang, "The
              SM3 Cryptographic Hash Function", draft-sca-cfrg-sm3-00
              (work in progress), December 2017.

   [I-D.shen-sm2-ecdsa]
              Shen, S., Shen, S., and X. Lee, "SM2 Digital Signature
              Algorithm", draft-shen-sm2-ecdsa-02 (work in progress),
              February 2014.

   [IEEE.1363a.2004]
              Institute of Electrical and Electronics Engineers, "IEEE
              Std 1363a-2004: IEEE Standard Specifications for Public-
              Key Cryptography -- Amendment 1: Additional Techniques",
              September 2004.

   [ISO.IEC.10118-3]
              International Organization for Standardization, "ISO/IEC
              FDIS 10118-3 -- Information technology -- Security
              techniques -- Hash-functions -- Part 3: Dedicated hash-
              functions", September 2017.

   [ISO.IEC.11889]
              International Organization for Standardization, "ISO/IEC
              11889-1:2015 -- Information technology -- Trusted platform
              module library", August 2015.

   [ISO.IEC.14888-3]
              International Organization for Standardization, "ISO/IEC
              14888-3:2016-03 -- Information technology -- Security
              techniques -- Digital signatures with appendix -- Part 3:
              Discrete logarithm based mechanisms", September 2017.
   [ISO.IEC.18033-3.AMD2]
              International Organization for Standardization, "ISO/IEC
              WD1 18033-3/AMD2 -- Information technology -- Security
              techniques -- Encryption algorithms -- Part 3: Block
              ciphers -- Amendment 2", June 2017.

   [NIST.FIPS.180-4]
              National Institute of Standards and Technology, "FIPS
              180-4 Secure Hash Standard (SHS)", August 2015.

   [NIST.FIPS.197]
              National Institute of Standards and Technology, "FIPS 197
              Advanced Encryption Standard (AES)", November 2001.

   [NIST.SP.800-56Ar2]
              Barker, B., Chen, L., Roginsky, A., and M. Smid, "SP
              800-56Ar2 Recommendation for Pair-Wise Key Establishment
              Schemes Using Discrete Logarithm Cryptography", May 2013.

   [OSCCA-SM2]
              Office of State Commercial Cryptography Administration of
              China, "Public Key Cryptographic Algorithm SM2 Based on
              Elliptic Curves", December 2010.

   [RFC6150]  Turner, S. and L. Chen, "MD4 to Historic Status",
              RFC 6150, DOI 10.17487/RFC6150, March 2011.

   [RFC6234]  Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
              (SHA and SHA-based HMAC and HKDF)", RFC 6234,
              DOI 10.17487/RFC6234, May 2011.

   [RFC7253]  Krovetz, T. and P. Rogaway, "The OCB Authenticated-
              Encryption Algorithm", RFC 7253, DOI 10.17487/RFC7253, May
              2014.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017.

   [RNP]      Ribose Inc., "Botan: Crypto and TLS for C++11", October
              2017.

   [SCA]      State Cryptography Administration of China, "State
              Cryptography Administration of China", December 2017.

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", September 2010.
   [SM2-1]    Office of State Commercial Cryptography Administration of
              China, "Public Key Cryptographic Algorithm SM2 Based on
              Elliptic Curves -- Part 1: General", December 2010.

   [SM2-2]    Office of State Commercial Cryptography Administration of
              China, "Public Key Cryptographic Algorithm SM2 Based on
              Elliptic Curves -- Part 2: Digital Signature Algorithm",
              December 2010.

   [SM2-3]    Office of State Commercial Cryptography Administration of
              China, "Public Key Cryptographic Algorithm SM2 Based on
              Elliptic Curves -- Part 3: Key Exchange Protocol",
              December 2010.

   [SM2-4]    Office of State Commercial Cryptography Administration of
              China, "Public Key Cryptographic Algorithm SM2 Based on
              Elliptic Curves -- Part 4: Public Key Encryption
              Algorithm", December 2010.

   [SM2-5]    Office of State Commercial Cryptography Administration of
              China, "Public Key Cryptographic Algorithm SM2 Based on
              Elliptic Curves -- Part 5: Parameter definitions",
              December 2010.

   [SM2-DSA-Lattice]
              Cao, W., Feng, J., Zhu, S., Chen, H., Wu, W., Han, X., and
              X. Zheng, "Practical Lattice-Based Fault Attack and
              Countermeasure on SM2 Signature Algorithm", November 2016.

   [SM2-DSA-Nonces]
              Liu, M., Chen, J., and H. Li, "Partially Known Nonces and
              Fault Injection Attacks on SM2 Signature Algorithm",
              November 2013.

   [SM2-DSA-Nonces2]
              Chen, J., Liu, M., Shi, H., and H. Li, "Mind Your Nonces
              Moving: Template-Based Partially-Sharing Nonces Attack on
              SM2 Digital Signature Algorithm", November 2015.

   [SM2-KEP-Comments]
              Xu, X. and D. Feng, "Comments on the SM2 Key Exchange
              Protocol", December 2011.

   [SM2-SigSecurity]
              Zhang, Z., Yang, K., Zhang, J., and C. Chen, "Security of
              the SM2 Signature Scheme Against Generalized Key
              Substitution Attacks", December 2015.
   [SM2-Template]
              Zhang, Z., Wu, L., Mu, Z., and X. Zhang, "A Novel Template
              Attack on wNAF Algorithm of ECC", November 2014.

   [SM3]      Office of State Commercial Cryptography Administration of
              China, "SM3 Cryptographic Hash Algorithm", December 2010.

   [SM3-Boomerang]
              Bai, D., Yu, H., Wang, G., and X. Wang, "Improved
              Boomerang Attacks on Round-Reduced SM3 and Keyed
              Permutation of BLAKE-256", April 2015.

   [SM4]      Office of State Commercial Cryptography Administration of
              China, "SM4 block cipher algorithm", December 2010.

   [SM4-Power]
              Du, Z., Wu, Z., Wang, M., and J. Rao, "Improved chosen-
              plaintext power analysis attack against SM4 at the round-
              output", October 2015.

Appendix A.  Examples

A.1.  Public Key Example

   This example is generated using the OpenPGP implementation RNP [RNP],
   with the SM2 and SM3 implementations from Botan [BOTAN].

   -----BEGIN PGP PUBLIC KEY BLOCK-----
   xlIEWbGKWmMIKoEcz1UBgi0CAwQx5lUJNwGp01AB7YfAye0oMmyIPYe/cQPVwh8/7RCu
   ywZLMDDAM7qn6TNqTtdKW+7tLFhtOC4yzDVK8UjN/ccazSBTTTIgMjU2LWJpdCBrZXkg
   PGphY2tAbG9jYWxob3N0PsJ0BBNjaQAmBQJZsYpfAhsDBQsJCAcCBhUICQoLAgUWAgMB
   AAkQC/UcNw0bAZcAAJt5AP4oXvi3xl2RUwAvVjlzXtLL87g6x9cIBS7EB/cvAsw78AEA
   /Wt6qWlBVZ6TYiqNPt9An/4cjKyNpAv7S9u3neGXWUU=
   =RJ3C
   -----END PGP PUBLIC KEY BLOCK-----

A.2.  Signature Example

   This example is also created using RNP [RNP] and Botan [BOTAN].

   Detached signature of the string "SM2 example" using the above key:

   -----BEGIN PGP SIGNATURE-----
   wmQEAGMIABYFAlmxj+cFAwAAAAAJEAv1HDcNGwGXAAB+SQEAy5AHKgiRxgOogB/2sfge
   JaVoLgpxvDp9yIcaLfP++xkBAPGuZ1f9FjxVd5jlCGd1jFzAPpt8N2Lc3FQDqVjgJvV9
   =Xbbj
   -----END PGP SIGNATURE-----

Appendix B.  Acknowledgements

   The authors would like to thank the following persons for their
   valuable advice and input.
   o  The Ribose RNP team for their input and implementation

Authors' Addresses

   Ronald Henry Tse
   Ribose
   Suite 1111, 1 Pedder Street
   Central, Hong Kong
   Hong Kong

   Email: ronald.tse@ribose.com
   URI:   https://www.ribose.com

   Dr. Wai Kit Wong
   Hang Seng Management College
   Hang Shin Link, Siu Lek Yuen
   Shatin, Hong Kong
   Hong Kong

   Email: wongwk@hsmc.edu.hk
   URI:   https://www.hsmc.edu.hk

   Jack E. Lloyd
   Ribose
   United States of America

   Email: jack.lloyd@ribose.com
   URI:   https://www.ribose.com

   D. E. Wyatt
   Ribose
   608 W Cork St, Apt 2
   Winchester, VA
   United States of America

   Email: daniel.wyatt@ribose.com
   URI:   https://www.ribose.com

   Erick Borsboom
   Ribose
   Suite 1111, 1 Pedder Street
   Central, Hong Kong
   Hong Kong

   Email: erick.borsboom@ribose.com
   URI:   https://www.ribose.com
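   The two armored blocks in Appendix A can be checked mechanically
   rather than taken on trust.  The Python script below is an added
   example and is not part of this draft, of RNP or of Botan.  It
   de-armors each block, verifies the CRC-24 trailer from RFC 4880
   section 6, walks the new-format packet headers and decodes the
   fields a verifier looks at first: the public key algorithm ID, the
   curve OID, the encoded point, the User ID, and the algorithm IDs
   declared in the signature packets.  Run on the draft's own examples
   it shows that the key packet carries public key algorithm ID 99 and
   curve OID 1.2.156.10197.1.301 (the SM2 curve), that the
   self-signature on the User ID declares hash algorithm ID 105 from
   the private/experimental range of RFC 4880 (presumably standing in
   for SM3, since Section 15 still lists the IDs as XXX), and that the
   detached signature in A.2 declares hash algorithm ID 8, which
   RFC 4880 assigns to SHA-256.  Every value is read from the bytes on
   the page; the script assumes nothing beyond the RFC 4880 and
   RFC 6637 packet formats.

```python
import base64
import struct

# Both armored blocks are copied verbatim from Appendix A of the draft.
PUBLIC_KEY_ARMOR = """-----BEGIN PGP PUBLIC KEY BLOCK-----
xlIEWbGKWmMIKoEcz1UBgi0CAwQx5lUJNwGp01AB7YfAye0oMmyIPYe/cQPVwh8/7RCu
ywZLMDDAM7qn6TNqTtdKW+7tLFhtOC4yzDVK8UjN/ccazSBTTTIgMjU2LWJpdCBrZXkg
PGphY2tAbG9jYWxob3N0PsJ0BBNjaQAmBQJZsYpfAhsDBQsJCAcCBhUICQoLAgUWAgMB
AAkQC/UcNw0bAZcAAJt5AP4oXvi3xl2RUwAvVjlzXtLL87g6x9cIBS7EB/cvAsw78AEA
/Wt6qWlBVZ6TYiqNPt9An/4cjKyNpAv7S9u3neGXWUU=
=RJ3C
-----END PGP PUBLIC KEY BLOCK-----"""

SIGNATURE_ARMOR = """-----BEGIN PGP SIGNATURE-----
wmQEAGMIABYFAlmxj+cFAwAAAAAJEAv1HDcNGwGXAAB+SQEAy5AHKgiRxgOogB/2sfge
JaVoLgpxvDp9yIcaLfP++xkBAPGuZ1f9FjxVd5jlCGd1jFzAPpt8N2Lc3FQDqVjgJvV9
=Xbbj
-----END PGP SIGNATURE-----"""

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB


def crc24(data):
    """CRC-24 exactly as given in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(text):
    """Return (payload, crc_ok) for one ASCII-armored block (RFC 4880 6.2)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("missing armor header or tail line")
    body = lines[1:-1]
    while body and (":" in body[0] or body[0] == ""):  # skip armor headers
        body.pop(0)
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    payload = base64.b64decode("".join(body))
    crc_ok = crc_line is not None and \
        crc24(payload) == int.from_bytes(base64.b64decode(crc_line[1:]), "big")
    return payload, crc_ok


def read_packets(data):
    """Yield (tag, body) for new-format packet headers (RFC 4880 4.2.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if ctb & 0xC0 != 0xC0:
            raise ValueError("only new-format packet headers are handled")
        tag, first, pos = ctb & 0x3F, data[pos + 1], pos + 2
        if first < 192:
            length = first
        elif first < 224:
            length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
        else:  # five-octet and partial body lengths are not needed here
            raise ValueError("unsupported packet length encoding")
        yield tag, data[pos:pos + length]
        pos += length


def decode_oid(raw):
    """Turn the DER content octets of an OID into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for octet in raw[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_ecc_public_key(body):
    """Version 4 ECC key body (RFC 6637 section 9): version, time, algo, OID, point MPI."""
    version, created, algo, oid_len = struct.unpack(">BIBB", body[:7])
    oid_end = 7 + oid_len
    bits = struct.unpack(">H", body[oid_end:oid_end + 2])[0]
    point = body[oid_end + 2:oid_end + 2 + (bits + 7) // 8]
    return {"version": version, "created": created, "algorithm": algo,
            "oid": decode_oid(body[7:oid_end]), "point_bits": bits, "point": point}


def parse_signature_head(body):
    """Leading octets of a version 4 signature packet (RFC 4880 5.2.3)."""
    version, sig_type, pk_algo, hash_algo = struct.unpack(">BBBB", body[:4])
    return {"version": version, "type": sig_type,
            "pk_algorithm": pk_algo, "hash_algorithm": hash_algo}


def inspect_block(armored):
    """De-armor, check the CRC-24 and summarise every packet in the block."""
    payload, crc_ok = dearmor(armored)
    info = {"crc_ok": crc_ok, "size": len(payload), "packets": [], "signatures": []}
    for tag, body in read_packets(payload):
        info["packets"].append(tag)
        if tag == 6:
            info["key"] = parse_ecc_public_key(body)
        elif tag == 13:
            info["user_id"] = body.decode("utf-8")
        elif tag == 2:
            info["signatures"].append(parse_signature_head(body))
    return info
```

   Calling inspect_block(PUBLIC_KEY_ARMOR) returns the three packets
   (public key, User ID, self-signature) with the CRC verified, and
   inspect_block(SIGNATURE_ARMOR) returns the single signature packet;
   an implementation that registers real IDs for SM2 and SM3 would
   compare the algorithm fields against the registry rather than the
   provisional values these examples carry.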