idnits 2.17.1

draft-shen-sm2-ecdsa-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack a Security Considerations section.

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** There are 186 instances of too long lines in the document, the longest
     one being 26 characters in excess of 72.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 180 has weird spacing: '...enation of x ...'

  == Line 209 has weird spacing: '...enation of x ...'

  == The document doesn't use any RFC 2119 keywords, yet has text resembling
     RFC 2119 boilerplate text.

  == The document seems to contain a disclaimer for pre-RFC5378 work, but was
     first submitted on or after 10 November 2008.  The disclaimer is usually
     necessary only for documents that revise or obsolete older RFCs, and
     that take significant amounts of text from those RFCs.  If you can
     contact all authors of the source material and they are willing to grant
     the BCP78 rights to the IETF Trust, you can and should remove the
     disclaimer.  Otherwise, the disclaimer is needed and you can ignore this
     comment.  (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (July 14, 2013) is 3938 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '' and '' lines.

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC2119' is mentioned on line 138, but not defined

  == Unused Reference: 'RFC1341' is defined on line 965, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC2049' is defined on line 972, but no explicit
     reference was found in the text

  ** Obsolete normative reference: RFC 1341 (Obsoleted by RFC 1521)

     Summary: 4 errors (**), 0 flaws (~~), 8 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Internet Engineering Task Force                             S. Shen, Ed.
Internet-Draft                                                X. Lee, Ed.
Intended status: Standards Track              Chinese Academy of Science
Expires: January 15, 2014                                  July 14, 2013

                     SM2 Digital Signature Algorithm
                         draft-shen-sm2-ecdsa-01

Abstract

   This document describes a digital signature algorithm based on
   elliptic curves, invented by Xiaoyun Wang et al.  This digital
   signature algorithm is published by the Chinese Commercial
   Cryptography Administration Office for use in electronic
   authentication service systems.

   The document *** published by the Chinese Commercial Cryptography
   Administration Office includes four parts: general introduction,
   Digital Signature Algorithm, Key Exchange Protocol and Public Key
   Encryption Algorithm.  This document only gives the general
   introduction and the digital signature algorithm.
Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 15, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

Table of Contents

   1.  Introduction
   2.  Conventions Used in this Document
   3.  Symbols and Terms
     3.1.  Symbols
     3.2.  Terms
   4.  General Introduction to ECC
   5.  Digital Signature Algorithm
     5.1.  Digital Signature System
       5.1.1.  General Rules
       5.1.2.  Parameters of Elliptic Curve System
       5.1.3.  Key pairs
       5.1.4.  Auxiliary Functions
     5.2.  Generation of Signature
       5.2.1.  Digital Signature Generation Algorithm
       5.2.2.  Flow Chart of Digital Signature Generation
     5.3.  Verification of Signature
       5.3.1.  Digital Signature Verification Algorithm
       5.3.2.  Flow Chart of Digital Signature Verification
   6.  SM2 Key Exchange Protocol
     6.1.  Parameters of the Algorithm and Auxiliary Functions
       6.1.1.  General Rules
       6.1.2.  Parameters of Elliptic Curve System
       6.1.3.  Key pairs
       6.1.4.  Auxiliary Functions
       6.1.5.  Other User Information
     6.2.  Key Exchange Protocol and the Flow Chart
       6.2.1.  Key Exchange Protocol
       6.2.2.  Flow Chart of Key Exchange Protocol
   7.  SM2 Public Key Encryption Algorithm
     7.1.  Parameters of the Algorithm and Auxiliary Functions
       7.1.1.  General Rules
       7.1.2.  Parameters of Elliptic Curve System
       7.1.3.  Key pairs
       7.1.4.  Auxiliary Functions
     7.2.  Algorithm for Encryption and the Flow Chart
       7.2.1.  Algorithm for Encryption
       7.2.2.  Flow Chart of Algorithm for Encryption
     7.3.  Algorithm for Decryption and the Flow Chart
       7.3.1.  Algorithm for Decryption
       7.3.2.  Flow Chart of Algorithm for Decryption
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Examples of Digital Signatures
     A.1.  General Introduction
     A.2.  Digital Signature over E(Fp)
     A.3.  Digital Signature over E(F2^m)
   Appendix B.  Examples of Key Exchanges
     B.1.  General Introduction
     B.2.  Key Exchange Protocol over E(Fp)
     B.3.  Key Exchange Protocol over E(F2^m)
   Appendix C.  Example of Public Key Encryption
     C.1.  General Introduction
     C.2.  Encryption and Decryption over E(Fp)
     C.3.  Encryption and Decryption over E(F2^m)

1.  Introduction

   This document is mainly a translation of the algorithm published by
   the Chinese Commercial Cryptography Administration Office, for the
   convenience of the IETF and IRTF community.  The credit for inventing
   this algorithm goes to the authors of the algorithm.

2.  Conventions Used in this Document

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   in this document are to be interpreted as defined in "Key words for
   use in RFCs to Indicate Requirement Levels" [RFC2119].

3.  Symbols and Terms

3.1.  Symbols

   a, b          Elements in the finite field Fq which define an
                 elliptic curve E over Fq
   B             The MOV threshold.  This is a positive integer B such
                 that taking discrete logarithms over GF(q^B) is judged
                 to be at least as difficult as taking elliptic curve
                 discrete logarithms over GF(q).
   deg(f)        The degree of a polynomial f(x)
   E             The elliptic curve defined by a and b over a finite
                 field Fq
   E(Fq)         The set of all the rational points of E
   #E(Fq)        The number of elements in E(Fq), i.e. the order of the
                 elliptic curve E(Fq)
   ECDLP         Elliptic Curve Discrete Logarithm Problem
   Fp            A prime field with p elements
   Fq            A finite field with q elements
   F*q           The multiplicative group composed of all non-zero
                 elements of Fq
   F2^m          The binary extension field with 2^m elements
   G             A base point on the elliptic curve E, with prime order
   gcd(x, y)     The greatest common divisor of x and y
   h             The cofactor h=#E(Fq)/n, where n is the order of the
                 base point G
   LeftRotate( ) The operation of rotation to the left
   lmax          The upper limit of the largest prime factor of the
                 cofactor h
   m             The extension degree of the field F2^m over the binary
                 field F2
   modf(x)       The operation of reduction modulo the polynomial f(x).
                 All the coefficients are reduced mod 2 when f(x) is a
                 polynomial over F2.
   modn          The operation of reduction modulo n, for example
                 23 mod 7 = 2
   n             The order of the base point G (n is a prime factor of
                 #E(Fq))
   O             The point at infinity (or zero) on the elliptic curve E
   P             A point P on the elliptic curve E which is not O.  Its
                 coordinates xP and yP satisfy the elliptic curve
                 equation.
   P1+P2         The sum of the two points P1 and P2 on the elliptic
                 curve E
   p             A prime number greater than 3
   q             The number of elements in the finite field Fq
   rmin          The lower limit of the order n of the base point G
   Tr( )         The trace function
   xP            The x-coordinate of the point P
   yP            The y-coordinate of the point P
   x^(-1)        The unique y such that x*y=1 (modn), 1 <= y <= n,
                 gcd(x, n)=1
   x||y          The concatenation of x and y, where x and y are bit
                 strings or byte strings
   x == y (modn) x modn = y modn
   y~P           The point compression representation of yP
   Zp            The ring of integers modulo p
   <G>           The cyclic group generated by the base point G
   [k]P          The k-multiple of a point P on the elliptic curve,
                 where k is a positive integer
   [x;y]         The set of integers greater than or equal to x and less
                 than or equal to y
   /x\           The smallest integer greater than or equal to x, for
                 example /7\=7, /8.3\=9
   \x/           The largest integer less than or equal to x, for
                 example \7/=7, \8.3/=8
   XOR           The exclusive-or operation of two bit strings or byte
                 strings of the same length

   ***********

   A, B          The two users using the public key system
   a, b          Elements in the finite field Fq which define an
                 elliptic curve E over Fq
   dA            The private key of user A
   E(Fq)         The set of all the rational points of E
   e             The hash of message M
   e'            The hash of message M'
   Fq            A finite field with q elements
   G             A base point on the elliptic curve E, with prime order
   Hv( )         The hash function with output of length v bits
   IDA           The identifier of user A
   M             The message for signature
   M'            The message for verification
   modn          The operation of reduction modulo n, for example
                 23 mod 7 = 2
   n             The order of the base point G (n is a prime factor of
                 #E(Fq))
   O             The point at infinity (or zero) on the elliptic curve E
   PA            The public key of user A
   q             The number of elements in the finite field Fq
   x||y          The concatenation of x and y, where x and y are bit
                 strings or byte strings
   ZA            The hash value of the identifier of user A, part of the
                 parameters of the elliptic curve and PA
   (r, s)        The sent signature
   (r', s')      The received signature
   [k]P          The k-multiple of a point P on the elliptic curve,
                 where k is a positive integer
   [x;y]         The set of integers greater than or equal to x and less
                 than or equal to y
   /x\           The smallest integer greater than or equal to x, for
                 example /7\=7, /8.3\=9
   \x/           The largest integer less than or equal to x, for
                 example \7/=7, \8.3/=8
   #E(Fq)        The number of elements in E(Fq), i.e. the order of the
                 elliptic curve E(Fq)

   **********

3.2.  Terms

   The following terms are used in this document.

   digital signature
      Data computed over some data.  It should provide authentication,
      integrity protection and non-repudiation.
      [ANSI X9.63-2001]

   message
      A bit string of arbitrary length.
      [ISO/IEC 15946-4 3.7]

   signed message
      The data composed of a message and its digital signature.
      [ISO/IEC 15946-4 3.14]

   key
      A parameter for cryptographic calculation.  It is used for
      encryption or decryption, for a shared secret, and for the
      generation and verification of digital signatures.
      [ANSI X9.63-2001]

4.  General Introduction to ECC

   TBD

5.  Digital Signature Algorithm

5.1.  Digital Signature System

5.1.1.  General Rules

   In the digital signature algorithm, one signer generates a digital
   signature over given data and one verifier verifies the validity of
   the signature.  Each signer owns one public key and one private key.
   The private key is used for signing and the verifier verifies the
   signature using the public key.  Before generation of the digital
   signature, the message M and ZA need to be compressed via a hash
   function; before verification of the digital signature, the message
   M' and ZA need to be compressed via a hash function.

5.1.2.  Parameters of Elliptic Curve System

   The parameters of an elliptic curve system include the size q of the
   finite field Fq (when q=2^m, also the basis representation and the
   irreducible polynomial); the two elements a and b in Fq which define
   the elliptic curve equation; the base point G=(xG, yG) (G not equal
   to O), where xG and yG are elements in Fq; the order n of G; and
   other optional parameters such as the cofactor h.

5.1.3.  Key pairs

   The key pair of user A consists of the private key dA and the public
   key PA=[dA]G=(xA, yA).

5.1.4.  Auxiliary Functions

5.1.4.1.  Introduction

   The auxiliary functions in the elliptic curve digital signature
   algorithm in this document include a hash algorithm and a random
   number generator.

5.1.4.2.  Hash Functions

   The SM2 digital signature algorithm requires the hash functions
   approved by the Chinese Commercial Cryptography Administration
   Office, such as SM3.

5.1.4.3.  Random Number Generator

   The SM2 digital signature algorithm requires random number
   generators approved by the Chinese Commercial Cryptography
   Administration Office.

5.1.4.4.  Other User Information

   As the signer, user A has the identifier IDA of length entlenA bits;
   denote by ENTLA the two bytes obtained from the integer entlenA.  In
   the digital signature algorithms in this document, both signer and
   verifier need to obtain ZA by calculating the following hash value:

   ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)

5.2.  Generation of Signature

5.2.1.  Digital Signature Generation Algorithm

   Let M be the message to be signed.  In order to obtain the signature
   (r, s), the signer A needs to perform the following:

   A1: set M~=ZA || M
   A2: calculate e=Hv(M~)
   A3: pick a random number k in [1, n-1] via a random number generator
   A4: calculate the elliptic curve point (x1, y1)=[k]G
   A5: calculate r=(e+x1) modn, return to A3 if r=0 or r+k=n
   A6: calculate s=((1+dA)^(-1)*(k-r*dA)) modn, return to A3 if s=0
   A7: the digital signature of M is (r, s)

5.2.2.  Flow Chart of Digital Signature Generation

   +-------------------------------------------+
   |        the original data of user A        |
   |       (parameters of elliptic curve       |
   |          system, ZA, M, PA, dA)           |
   +-------------------------------------------+
                         |
                         v
   +-------------------------------------------+
   |   +-------------------------+             |
   |   | A1: set M~=ZA || M      |             |
   |   +-------------------------+             |
   |               |                           |
   |               v                           |
   |   +-------------------------+             |
   |   | A2: calculate e=Hv(M~)  |             |
   |   +-------------------------+             |
   |               |                           |
   |               v                           |
   |   +-------------------------+             |
   |   | A3: pick a random       |<------+     |
   |   |     number k in [1,n-1] |       |     |
   |   +-------------------------+       |     |
   |               |                     |     |
   |               v                     |     |
   |   +-------------------------+       |     |
   |   | A4: calculate the point |       |     |
   |   |     (x1, y1)=[k]G       |       |     |
   |   +-------------------------+       |     |
   |               |                     |     |
   |               v                     |     |
   |   +-------------------------+       |     |
   |   | A5: calculate           |       |     |
   |   |     r=(e+x1) modn       |       |     |
   |   +-------------------------+       |     |
   |               |                     |     |
   |               v                     |     |
   |   /-------------------------\  YES  |     |
   |   |  r=0 or r+k=n ?         |------>|     |
   |   \-------------------------/       |     |
   |               | NO                  |     |
   |               v                     |     |
   |   +-------------------------------+ |     |
   |   | A6: calculate s=              | |     |
   |   |  ((1+dA)^(-1)*(k-r*dA)) modn  | |     |
   |   +-------------------------------+ |     |
   |               |                     |     |
   |               v                     |     |
   |   /-------------------------\  YES  |     |
   |   |  s=0 ?                  |------>+     |
   |   \-------------------------/             |
   |               | NO                        |
   |               v                           |
   |   +-------------------------+             |
   |   | A7: the digital         |             |
   |   |  signature of M is (r,s)|             |
   |   +-------------------------+             |
   +-------------------------------------------+
                         |
                         v
   +-------------------------------------------+
   |           Output the message M            |
   |     and its digital signature (r, s)      |
   +-------------------------------------------+

          Figure 1: Flow Chart of Digital Signature Generation

5.3.  Verification of Signature

5.3.1.  Digital Signature Verification Algorithm

   To verify the received message M' and its digital signature (r', s'),
   the verifier needs to perform the following:

   B1: verify whether r' is in [1,n-1]; verification fails if not
   B2: verify whether s' is in [1,n-1]; verification fails if not
   B3: set M'~=ZA || M'
   B4: calculate e'=Hv(M'~)
   B5: calculate t=(r'+s') modn; verification fails if t=0
   B6: calculate the elliptic curve point (x1', y1')=[s']G+[t]PA
   B7: calculate R=(e'+x1') modn; verification passes if R=r',
       otherwise it fails

   Note: The verification will certainly fail if ZA does not correspond
   to the hash value of user A.

5.3.2.  Flow Chart of Digital Signature Verification

   +-------------------------------------------+
   |        the original data of user B        |
   |       (parameters of elliptic curve       |
   |       system, ZA, M', PA, (r', s'))       |
   +-------------------------------------------+
                         |
                         v
   +-------------------------------------------+
   |   +-------------------------+             |
   |   | B1: verify r' in [1,n-1]|             |
   |   +-------------------------+             |
   |               |                           |
   |               v                           |
   |   /-------------------------\  NO         |
   |   |  r' in [1,n-1] ?        |------+      |
   |   \-------------------------/      |      |
   |               | YES                |      |
   |               v                    |      |
   |   +-------------------------+      |      |
   |   | B2: verify s' in [1,n-1]|      |      |
   |   +-------------------------+      |      |
   |               |                    |      |
   |               v                    |      |
   |   /-------------------------\  NO  |      |
   |   |  s' in [1,n-1] ?        |----->|      |
   |   \-------------------------/      |      |
   |               | YES                |      |
   |               v                    |      |
   |   +-------------------------+      |      |
   |   | B3: set M'~=ZA || M'    |      |      |
   |   +-------------------------+      |      |
   |               |                    |      |
   |               v                    |      |
   |   +-------------------------+      |      |
   |   | B4: calculate e'=Hv(M'~)|      |      |
   |   +-------------------------+      |      |
   |               |                    |      |
   |               v                    |      |
   |   +-------------------------+      |      |
   |   | B5: calculate           |      |      |
   |   |     t=(r'+s') modn      |      |      |
   |   +-------------------------+      |      |
   |               |                    |      |
   |               v                    |      |
   |   /-------------------------\  YES |      |
   |   |  t=0 ?                  |----->|      |
   |   \-------------------------/      |      |
   |               | NO                 |      |
   |               v                    |      |
   |   +-------------------------+      |      |
   |   | B6: calculate the point |      |      |
   |   |  (x1',y1')=[s']G+[t]PA  |      |      |
   |   +-------------------------+      |      |
   |               |                    |      |
   |               v                    |      |
   |   +-------------------------+      |      |
   |   | B7: calculate           |      |      |
   |   |     R=(e'+x1') modn     |      |      |
   |   +-------------------------+      |      |
   |               |                    |      |
   |               v                    |      |
   |   /-------------------------\  NO  |      |
   |   |  R=r' ?                 |----->|      |
   |   \-------------------------/      |      |
   |               | YES                |      |
   |               |                    |      |
   +---------------|--------------------|------+
                   |                    |
                   v                    v
         +-------------------+ +-------------------+
         | Verification Pass | | Verification Fail |
         +-------------------+ +-------------------+

         Figure 2: Flow Chart of Digital Signature Verification
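   The signature generation (A1-A7) and verification (B1-B7) steps of
   Sections 5.2.1 and 5.3.1, together with the ZA computation of
   Section 5.1.4.4, as an added worked example that is not part of the
   draft.  It assumes SHA-256 as a stand-in for the SM3 hash Hv (v=256)
   and a small constructed prime-order curve found by search in place of
   the SM2 recommended curve; the identifier IDA and the message are
   constructed values, and the arithmetic of each step follows the draft.

```python
import hashlib
import secrets

def ec_add(p1, p2, a, p):
    """Point addition on y^2 = x^3 + a*x + b over Fp; None is the point O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                              # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, pt, a, p):
    """[k]P by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt, a, p)
        pt = ec_add(pt, pt, a, p)
        k >>= 1
    return acc

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def find_curve(p):
    """Constructed toy curve: search (a, b) until #E(Fp) is prime, so the
    cofactor h is 1 and any point other than O is a base point G of prime
    order n.  Returns (p, a, b, n, G)."""
    sq, root = {}, {}
    for y in range(p):                           # squares in Fp, one root each
        sq[y * y % p] = sq.get(y * y % p, 0) + 1
        root.setdefault(y * y % p, y)
    for a in range(p):
        for b in range(1, p):
            if (4 * a ** 3 + 27 * b * b) % p == 0:
                continue                         # singular curve
            n = 1 + sum(sq.get((x ** 3 + a * x + b) % p, 0) for x in range(p))
            if is_prime(n):
                x = next(x for x in range(p) if (x ** 3 + a * x + b) % p in root)
                return (p, a, b, n, (x, root[(x ** 3 + a * x + b) % p]))
    raise ValueError("no prime-order curve over this field")

def hv(data):
    """Hv( ) as an integer; SHA-256 stands in for SM3 (assumption)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def z_a(id_a, curve, pub):
    """ZA = H256(ENTLA || IDA || a || b || xG || yG || xA || yA); ENTLA is the
    bit length of IDA as two bytes, field elements are 2-byte big-endian."""
    p, a, b, _n, (xg, yg) = curve
    fe = lambda v: v.to_bytes(2, "big")
    msg = (8 * len(id_a)).to_bytes(2, "big") + id_a
    msg += fe(a) + fe(b) + fe(xg) + fe(yg) + fe(pub[0]) + fe(pub[1])
    return hashlib.sha256(msg).digest()

def keygen(curve):
    """dA in [1, n-2] so that 1+dA is invertible mod n; PA = [dA]G."""
    p, a, _b, n, g = curve
    d = secrets.randbelow(n - 2) + 1
    return d, ec_mul(d, g, a, p)

def sign(msg, za, d, curve):
    p, a, _b, n, g = curve
    e = hv(za + msg)                              # A1, A2: e = Hv(ZA || M)
    while True:
        k = secrets.randbelow(n - 1) + 1          # A3: k in [1, n-1]
        x1, _y1 = ec_mul(k, g, a, p)              # A4: (x1, y1) = [k]G
        r = (e + x1) % n                          # A5: r = (e + x1) modn
        if r == 0 or r + k == n:
            continue                              # back to A3
        s = pow(1 + d, -1, n) * (k - r * d) % n   # A6
        if s != 0:
            return (r, s)                         # A7

def verify(msg, za, sig, pub, curve):
    p, a, _b, n, g = curve
    r, s = sig
    if not (1 <= r <= n - 1 and 1 <= s <= n - 1):   # B1, B2
        return False
    e = hv(za + msg)                                 # B3, B4
    t = (r + s) % n                                  # B5
    if t == 0:
        return False
    pt = ec_add(ec_mul(s, g, a, p), ec_mul(t, pub, a, p), a, p)   # B6
    if pt is None:                                   # guard not in the draft
        return False
    return (e + pt[0]) % n == r                      # B7: R = r' ?

if __name__ == "__main__":
    curve = find_curve(1009)                  # constructed small prime p
    d, pub = keygen(curve)
    za = z_a(b"ALICE", curve, pub)            # constructed identifier IDA
    sig = sign(b"message digest", za, d, curve)
    print(curve, sig, verify(b"message digest", za, sig, pub, curve))
```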
General Rules 506 In the key exchange protocol, user A and user B use respective 507 private key and opposite public key to get agreement on a secret key 508 only known by themselves through alternate communications. The 509 shared secret key is generally used in a symmetric cryptographic 510 algorithm. The key exchange protocol can be used in key management 511 and key agreement. 513 6.1.2. Parameters of Elliptic Curve System 515 The parameters of an elliptic curve systme include the size q of a 516 finite field Fq (when q=2^m, also include basis representation and 517 irreducible polynomial); the two elements a and b (in Fq) which 518 defines the elliptic curve equation; the base point G=(xG, yG) (G not 519 euqals O), where xG and yG are ellements in Fq; the degree n of G and 520 other optional parameter such as cofactor h. 522 6.1.3. Key pairs 524 The user A's key pair include his private key dA and public key 525 PA=[dA]G=(xA, yA). The user B's key pair include his private key dB 526 and public key PB=[dB]G=(xB, yB). 528 6.1.4. Auxiliary Functions 530 6.1.4.1. Introduction 532 The auxiliary functions in the elliptic curve key exchange protocol 533 in this document include hash functions, key derivation function and 534 random number generator. 536 6.1.4.2. Hash Function 538 The sm2 key exchange protocol requires the hash functions approved by 539 Chinese Commercial Cryptography Administration Office, such as sm3. 541 6.1.4.3. key derivation function 543 The key derivation function is used for deriving a secret key from a shared 544 secret bit string. In the process of key agreement, the key derivation function 545 acts on a secret bit string shared through key exchange to generate a secret 546 key used for communication or further encryption. 547 The key derivation function needs to call the hash function. 548 Let Hv( ) be the hash function whose outputs are hash values of v bits in length. 
550 The key derivation function KDF(Z, klen): 551 Input: a bit string Z, an integer klen(denoted as the length in bits of secret 552 keys to be obtained, which is supposed to be less than (2^32-1)*v). 553 Output: a bit string of klen bits in length as the secret key. 554 a) Initialize a counter of 32 bits, i.e. ct=0x00000001; 555 b) From i=1 to / klen/v \, do: 556 b.1) calculate Ha(i)=Hv(Z || ct); 557 b.2) ct++; 558 c) Let Ha!(/ klen/v \) equal Ha(/ klen/v \) if klen/v is an integer, and let Ha!(/ klen/v \) 559 be the left (klen-(v*\ klen/v /)) bits of Ha(/ klen/v \) if not. 560 d) let K=Ha(1) || Ha(2) || ... || Ha(/ klen/v \-1) || Ha!(/ klen/v \). 562 6.1.4.4. Random Number Generator 564 The sm2 key exchange protocol requires random number generators 565 approved by Chinese Commercial Cryptography Administration Office. 567 6.1.5. Other User Information 569 User A has the identifier IDA of length entlenA bits, denote ENTLA as 570 the two bytes transformed from the integer entlenA; User B has the 571 identifier IDB of length entlenB bits, denote ENTLB as the two bytes 572 transformed from the integer entlenB. In the key exchange protocol 573 in this document, both A and B as the participants of key agreement 574 need to obtain ZA and ZB by calculating the hash value of ZA and ZB. 576 ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA) 577 ZB=H256(ENTLB || IDB || a || b || xG || yG || xB || yB) 579 6.2. Key Exchange Protocol and the Flow Chart 581 6.2.1. Key Exchange Protocol 583 Let user A be the initiator, user B be the responder and klen be the length in bits of 584 the secret key agreed by user A and user B. 
585 In order to obtain the identical secret key by both user A and user B, they need to 586 perform the following: 587 Set w=/(/log2(n)\/2)\-1 588 USER A: 589 A1: pick a random number rA in [1, n-1] via a random number generator; 590 A2: calculate the elliptic curve point RA=[rA]G=(x1, y1); 591 A3: send RA to user B; 592 USER B: 593 B1: pick a random number rB in [1, n-1] via a random number generator; 594 B2: calculate the elliptic curve point RB=[rB]G=(x2, y2); 595 B3: calculate x2~=2^w+(x2 AND (2^w-1)); 596 B4: calculate tB=(dB+x2~*rB) modn; 597 B5: verify whether RA satisfies the elliptic curve equation, agreement failed if not; 598 otherwise calculate x1~=2^w+(x1 AND (2^w-1)); 599 B6: calculate the elliptic curve point V=[h*tB](PA+[x1~]RA)=(xV, yV), agreement of B 600 failed if V is the point of infinity; 601 B7: calculate KB=KDF(xV || yV || ZA || ZB, klen); 602 B8: (option) calculate SB=Hash(0x02 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2)); 603 B9: (option) send RB, (option SB) to user A; 604 USER A: 605 A4: calculate x1~=2^w+(x1 AND (2^w-1)); 606 A5: calculate tA=(dA+x1~*rA) modn; 607 A6: verify whether RB satisfies the elliptic curve equation, agreement failed if not; 608 otherwise calculate x2~=2^w+(x2 AND (2^w-1)); 609 A7: calculate the elliptic curve point U=[h*tA](PB+[x2~]RB)=(xU, yU), agreement of A 610 failed if U is the point of infinity; 611 A8: calculate KA=KDF(xU || yU || ZA || ZB, klen); 612 A9: (option) calculate S1=Hash(0x02 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2)), 613 verify whether S1 equals SB, key confirmation from B to A failed if not; 614 A10: (option) calculate SA=Hash(0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2)), 615 send SA to user B; 616 USER B: 617 B10: (option) calculate S2=Hash(0x03 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2)), 618 verify whether S2 equals SA, key confirmation from A to B failed if not; 620 Note: The agreement of the shared secret key will certainly fail if ZA or 
ZB does not correspond to the hash value of A or B.

6.2.2.  Flow Chart of Key Exchange Protocol

   Figure 1 is the flow chart of the protocol; the boxes and decisions
   it shows are, in order:

   Original data of the initiator user A: parameters of the elliptic
   curve system, ZA, ZB, dA, PA, PB.  Original data of the responder
   user B: parameters of the elliptic curve system, ZA, ZB, dB, PB, PA.

   User A:
   A1:  pick a random number rA in [1, n-1];
   A2:  calculate RA=[rA]G=(x1, y1);
   A3:  send RA to user B;
   A4:  calculate x1~=2^w+(x1 AND (2^w-1));
   A5:  calculate tA=(dA+x1~*rA) modn;
        check whether RB satisfies the elliptic curve equation; if not,
        the agreement of A failed;
   A6:  calculate x2~=2^w+(x2 AND (2^w-1));
   A7:  calculate the point U=[h*tA](PB+[x2~]RB)=(xU, yU); if U=O, the
        agreement of A failed;
   A8:  calculate KA=KDF(xU||yU||ZA||ZB, klen);
   A9:  (option) calculate S1=Hash(0x02||yU||Hash(xU||ZA||ZB||x1||y1||x2||y2));
        if S1 does not equal SB, the agreement of A failed;
   A10: (option) calculate SA=Hash(0x03||yU||Hash(xU||ZA||ZB||x1||y1||x2||y2))
        and send SA to user B.

   User B:
   B1:  pick a random number rB in [1, n-1];
   B2:  calculate RB=[rB]G=(x2, y2);
   B3:  calculate x2~=2^w+(x2 AND (2^w-1));
   B4:  calculate tB=(dB+x2~*rB) modn;
        check whether RA satisfies the elliptic curve equation; if not,
        the agreement of B failed;
   B5:  calculate x1~=2^w+(x1 AND (2^w-1));
   B6:  calculate the point V=[h*tB](PA+[x1~]RA)=(xV, yV); if V=O, the
        agreement of B failed;
   B7:  calculate KB=KDF(xV||yV||ZA||ZB, klen);
   B8:  (option) calculate SB=Hash(0x02||yV||Hash(xV||ZA||ZB||x1||y1||x2||y2));
   B9:  send RB, (option SB) to user A;
   B10: (option) calculate S2=Hash(0x03||yV||Hash(xV||ZA||ZB||x1||y1||x2||y2));
        if S2 does not equal SA, the agreement of B failed; otherwise
        the key confirmation from A to B succeeds.

   If the agreement of A failed or the agreement of B failed, the
   agreement failed.

                Figure 1: Flow Chart of Key Exchange Protocol

7.  SM2 Public Key Encryption Algorithm

7.1.  Parameters of the Algorithm and Auxiliary Functions

7.1.1.  General Rules

   In the public key encryption algorithm, the sender generates the
   ciphertext by encrypting the message with the receiver's public key,
   and the receiver recovers the original message by decrypting the
   received ciphertext with his own private key.

7.1.2.  Parameters of Elliptic Curve System

   The parameters of an elliptic curve system include the size q of a
   finite field Fq (when q=2^m, also the basis representation and the
   irreducible polynomial); the two elements a and b (in Fq) which
   define the elliptic curve equation; the base point G=(xG, yG) (G not
   equal to O), where xG and yG are elements in Fq; the degree n of G;
   and other optional parameters such as the cofactor h.

7.1.3.  Key Pairs

   The user B's key pair includes his private key dB and his public key
   PB=[dB]G=(xB, yB).

7.1.4.  Auxiliary Functions

7.1.4.1.  Introduction

   The auxiliary functions in the elliptic curve public key encryption
   algorithm in this document include hash functions, the key derivation
   function and the random number generator.

7.1.4.2.  Hash Function

   The SM2 public key encryption algorithm requires the hash functions
   approved by the Chinese Commercial Cryptography Administration
   Office, such as SM3.

7.1.4.3.  Key Derivation Function

   The key derivation function is used for deriving a secret key from a
   shared secret bit string.  In the process of key agreement, the key
   derivation function acts on a secret bit string shared through key
   exchange to generate a secret key used for communication or further
   encryption.  The key derivation function needs to call the hash
   function.  Let Hv( ) be the hash function whose outputs are hash
   values of v bits in length.  Below, / x \ denotes the ceiling of x
   and \ x / denotes the floor of x.

   The key derivation function KDF(Z, klen):

   Input: a bit string Z and an integer klen (the length in bits of the
   secret key to be obtained, which is supposed to be less than
   (2^32-1)*v).

   Output: a bit string of klen bits in length as the secret key.

   a) Initialize a 32-bit counter ct=0x00000001;
   b) For i=1 to / klen/v \, do:
      b.1) calculate Ha(i)=Hv(Z || ct);
      b.2) ct++;
   c) Let Ha!(/ klen/v \) equal Ha(/ klen/v \) if klen/v is an integer,
      and let Ha!(/ klen/v \) be the leftmost (klen-(v*\ klen/v /))
      bits of Ha(/ klen/v \) if not;
   d) Let K=Ha(1) || Ha(2) || ... || Ha(/ klen/v \-1) || Ha!(/ klen/v \).

7.1.4.4.  Random Number Generator

   The SM2 public key encryption algorithm requires the random number
   generators approved by the Chinese Commercial Cryptography
   Administration Office.

7.2.  Algorithm for Encryption and the Flow Chart

7.2.1.  Algorithm for Encryption

   Let the bit string M be the message to be sent and klen be the length
   in bits of M.  In order to encrypt M, user A needs to perform the
   following:

   A1: pick a random number k in [1, n-1] via the random number
       generator;
   A2: calculate the elliptic curve point C1=[k]G=(x1, y1);
   A3: calculate the elliptic curve point S=[h]PB; report an error and
       quit if S is the point at infinity;
   A4: calculate the elliptic curve point [k]PB=(x2, y2);
   A5: calculate t=KDF(x2 || y2, klen); return to A1 if t is an all-zero
       bit string;
   A6: calculate C2=M XOR t;
   A7: calculate C3=Hash(x2 || M || y2);
   A8: output the ciphertext C=C1 || C2 || C3.

7.2.2.  Flow Chart of Algorithm for Encryption

   Figure 1 is the flow chart of the encryption algorithm.  Starting
   from the original data of user A (parameters of the elliptic curve
   system, the message M of klen bits in length, the public key PB),
   steps A1 to A7 are performed in order.  If S=O after A3, the
   algorithm reports an error and quits; if t is all zero after A5, the
   algorithm returns to A1; otherwise A8 outputs the ciphertext
   C=C1 || C2 || C3.

            Figure 1: Flow Chart of Algorithm for Encryption

7.3.  Algorithm for Decryption and the Flow Chart

7.3.1.  Algorithm for Decryption

   Let klen be the length in bits of C2 in the ciphertext.  In order to
   decrypt the ciphertext C=C1 || C2 || C3, user B needs to perform the
   following:

   B1: pick out the bit string C1 from C and transform it into a point
       on the elliptic curve; verify whether C1 satisfies the elliptic
       curve equation, and report an error and quit if not;
   B2: calculate the elliptic curve point S=[h]C1; report an error and
       quit if S is the point at infinity;
   B3: calculate [dB]C1=(x2, y2);
   B4: calculate t=KDF(x2 || y2, klen); report an error and quit if t is
       an all-zero bit string;
   B5: pick out the bit string C2 from C and calculate M'=C2 XOR t;
   B6: calculate u=Hash(x2 || M' || y2), pick out the bit string C3 from
       C, and report an error and quit if u does not equal C3;
   B7: output the plaintext M'.

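The encryption steps A1-A8 and decryption steps B1-B7 above, carried through over the draft's Fp-256 curve with user B's key pair from Appendix B.2, as an added example that is not the draft's code (assumptions: SHA-256 stands in for an approved hash such as SM3, so the hash and KDF values differ from an SM3 implementation; C1 is encoded as 0x04 || x1 || y1; the double-and-add multiplication is illustrative, not constant-time):

```python
"""SM2 encryption (7.2.1, A1-A8) and decryption (7.3.1, B1-B7) over the
draft's Fp-256 curve.  Added example, not the draft's own code.  Assumptions:
SHA-256 stands in for an approved hash such as SM3 (so hash/KDF outputs are not
the draft's), and C1 is carried as 0x04 || x1 || y1."""
import hashlib
import secrets

# Curve parameters and user B's key pair copied from the draft's Appendix B.2.
P = 0x8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3
A = 0x787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498
B = 0x63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A
G = (0x421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D,
     0x0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2)
N = 0x8542D69E4C044F18E8B92435BF6FF7DD297720630485628D5AE74EE7C32E79B7
H = 1                                   # cofactor h
D_B = 0x5E35D7D3F3C54DBAC72E61819E730B019A84208CA3A35E4C2E353DFCCB2A3B53
P_B = (0x245493D446C38D8CC0F118374690E7DF633A8A4BFB3329B5ECE604B2B4F37F43,
       0x53C0869F4B9E17773DE68FEC45E14904E0DEA45BF6CECF9918C85EA047C60A4C)
FLEN, HLEN = 32, 32                     # bytes per field element / hash output

def on_curve(pt):
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0

def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity O."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                  # P + (-P) = O
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """[k]pt by double-and-add (illustrative, not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def hash_fn(data):
    return hashlib.sha256(data).digest()  # ASSUMPTION: stand-in for SM3

def kdf(z, klen):
    """KDF(Z, klen) of 7.1.4.3 for klen a multiple of 8: Hv(Z || ct), ct = 1, 2, ..."""
    out, ct = b"", 1
    while 8 * len(out) < klen:
        out, ct = out + hash_fn(z + ct.to_bytes(4, "big")), ct + 1
    return out[:klen // 8]

def fe(x):
    return x.to_bytes(FLEN, "big")

def encrypt(pub, msg):
    if not msg:
        raise ValueError("empty message: t would always be all zero")
    if ec_mul(H, pub) is None:                        # A3: S = [h]PB must not be O
        raise ValueError("S is the point at infinity")
    while True:
        k = secrets.randbelow(N - 1) + 1              # A1: k in [1, n-1]
        x1, y1 = ec_mul(k, G)                         # A2: C1 = [k]G = (x1, y1)
        x2, y2 = ec_mul(k, pub)                       # A4: [k]PB = (x2, y2)
        t = kdf(fe(x2) + fe(y2), 8 * len(msg))        # A5: t = KDF(x2 || y2, klen)
        if any(t):
            break                                     # all-zero t: return to A1
    c2 = bytes(m ^ s for m, s in zip(msg, t))         # A6: C2 = M XOR t
    c3 = hash_fn(fe(x2) + msg + fe(y2))               # A7: C3 = Hash(x2 || M || y2)
    return b"\x04" + fe(x1) + fe(y1) + c2 + c3        # A8: C = C1 || C2 || C3

def decrypt(priv, c):
    c1, c2, c3 = c[:1 + 2 * FLEN], c[1 + 2 * FLEN:-HLEN], c[-HLEN:]
    if len(c) < 1 + 2 * FLEN + HLEN or c1[0] != 4:
        raise ValueError("malformed ciphertext")
    pt = (int.from_bytes(c1[1:1 + FLEN], "big"), int.from_bytes(c1[1 + FLEN:], "big"))
    if not on_curve(pt):                              # B1: C1 must satisfy the curve equation
        raise ValueError("C1 is not a point on the curve")
    if ec_mul(H, pt) is None:                         # B2: S = [h]C1 must not be O
        raise ValueError("S is the point at infinity")
    x2, y2 = ec_mul(priv, pt)                         # B3: [dB]C1 = (x2, y2)
    t = kdf(fe(x2) + fe(y2), 8 * len(c2))             # B4: t = KDF(x2 || y2, klen)
    if not any(t):
        raise ValueError("t is an all-zero bit string")
    m = bytes(a ^ s for a, s in zip(c2, t))           # B5: M' = C2 XOR t
    if hash_fn(fe(x2) + m + fe(y2)) != c3:            # B6: u = Hash(x2 || M' || y2) must equal C3
        raise ValueError("C3 mismatch: ciphertext was modified")
    return m                                          # B7: output M'
```

The C3 check in B6 is what makes a modified C2 (or a substituted C1) fail to decrypt rather than yield silently corrupted plaintext.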
7.3.2.  Flow Chart of Algorithm for Decryption

   Figure 2 is the flow chart of the decryption algorithm.  Starting
   from the original data of user B (parameters of the elliptic curve
   system, the ciphertext C=C1 || C2 || C3, the private key dB), steps
   B1 to B6 are performed in order.  If C1 does not satisfy the elliptic
   curve equation (B1), if S=O (B2), if t is all zero (B4), or if u does
   not equal C3 (B6), the algorithm reports an error and quits;
   otherwise B7 outputs the plaintext M'.

            Figure 2: Flow Chart of Algorithm for Decryption

8.  References

8.1.  Normative References

   [RFC1341]  Borenstein, N. and N. Freed, "MIME (Multipurpose Internet
              Mail Extensions): Mechanisms for Specifying and Describing
              the Format of Internet Message Bodies", RFC 1341,
              June 1992.

8.2.  Informative References

   [RFC2049]  Freed, N. and N. Borenstein, "Multipurpose Internet Mail
              Extensions (MIME) Part Five: Conformance Criteria and
              Examples", RFC 2049, November 1996.

Appendix A.  Examples of Digital Signatures

A.1.  General Introduction

   This appendix uses the hash algorithm described in
   draft-shen-sm3-hash-00, which applies to a bit string of length less
   than 2^54 and outputs a hash value of 256 bits, denoted as H256( ).

   In this appendix, all the hexadecimal numbers have the high digits on
   the left and the low digits on the right.

   In this appendix, all the messages are in ASCII code.

   Let the user A's identity be: ALICE123@YAHOO.COM.  Denoted in ASCII
   code IDA:

   414C 49434531 32334059 41484F4F 2E434F4D

   ENTLA=0090.

A.2.  Digital Signature over E(Fp)

   The elliptic curve equation is:

   y^2 = x^3 + ax + b

   Example 1: Fp-256
   A prime p:
   8542D69E 4C044F18 E8B92435 BF6FF7DE 45728391 5C45517D 722EDB8B 08F1DFC3

   The coefficient a:
   787968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B 3937E498

   The coefficient b:
   63E4C6D3 B23B0C84 9CF84241 484BFE48 F61D59A5 B16BA06E 6E12D1DA 27C5249A

   The base point G=(xG, yG), whose degree is n:
   x-coordinate xG:
   421DEBD6 1B62EAB6 746434EB C3CC315E 32220B3B ADD50BDC 4C4E6C14 7FEDD43D
   y-coordinate yG:
   0680512B CBB42C07 D47349D2 153B70C4 E5D7FDFC BFA36EA1 A85841B9 E46E09A2
   degree n:
   8542D69E 4C044F18 E8B92435 BF6FF7DD 29772063 0485628D 5AE74EE7 C32E79B7

   The message M to be signed: message digest

   The private key dA:
   128B2FA8 BD433C6C 068C8D80 3DFF7979 2A519A55 171B1B65 0C23661D 15897263

   The public key PA=(xA, yA):
   x-coordinate xA:
   0AE4C779 8AA0F119 471BEE11 825BE462 02BB79E2 A5844495 E97C04FF 4DF2548A
   y-coordinate yA:
   7C0240F8 8F1CD4E1 6352A73C 17B7F16F 07353E53 A176D684 A9FE0C6B B798E857

   Hash value ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)

   ZA:
   F4A38489 E32B45B6 F876E3AC 2168CA39 2362DC8F 23459C1D 1146FC3D BFB7BC9A

   The intermediate values during signing:
   M~=ZA || M:
   F4A38489 E32B45B6 F876E3AC 2168CA39 2362DC8F 23459C1D 1146FC3D BFB7BC9A
   6D657373 61676520 64696765 7374
   hash value e=H256(M~):
   B524F552 CD82B8B0 28476E00 5C377FB1 9A87E6FC 682D48BB 5D42E3D9 B9EFFE76
   random number k:
   6CB28D99 385C175C 94F94E93 4817663F C176D925 DD72B727 260DBAAE 1FB2F96F
   point (x1, y1)=[k]G:
   x-coordinate x1:
   110FCDA5 7615705D 5E7B9324 AC4B856D 23E6D918 8B2AE477 59514657 CE25D112
   y-coordinate y1:
   1C65D68A 4A08601D F24B431E 0CAB4EBE 084772B3 817E8581 1A8510B2 DF7ECA1A
   r=(e+x1) modn:
   40F1EC59 F793D9F4 9E09DCEF 49130D41 94F79FB1 EED2CAA5 5BACDB49 C4E755D1
   (1 + dA)^(-1):
   79BFCF30 52C80DA7 B939E0C6 914A18CB B2D96D85 55256E83 122743A7 D4F5F956
   s = ((1 + dA)^(-1) * (k - r * dA)) modn:
   6FC6DAC3 2C5D5CF1 0C77DFB2 0F7C2EB6 67A45787 2FB09EC5 6327A67E C7DEEBE7

   Digital signature of the message M: (r, s)
   r:
   40F1EC59 F793D9F4 9E09DCEF 49130D41 94F79FB1 EED2CAA5 5BACDB49 C4E755D1
   s:
   6FC6DAC3 2C5D5CF1 0C77DFB2 0F7C2EB6 67A45787 2FB09EC5 6327A67E C7DEEBE7

   The intermediate values during verification:
   hash value e'=H256(M'~):
   B524F552 CD82B8B0 28476E00 5C377FB1 9A87E6FC 682D48BB 5D42E3D9 B9EFFE76
   t=(r'+s') modn:
   2B75F07E D7ECE7CC C1C8986B 991F441A D324D6D6 19FE06DD 63ED32E0 C997C801
   point (x0', y0')=[s']G:
   x-coordinate x0':
   7DEACE5F D121BC38 5A3C6317 249F413D 28C17291 A60DFD83 B835A453 92D22B0A
   y-coordinate y0':
   2E49D5E5 279E5FA9 1E71FD8F 693A64A3 C4A94611 15A4FC9D 79F34EDC 8BDDEBD0
   point (x00', y00')=[t]PA:
   x-coordinate x00':
   1657FA75 BF2ADCDC 3C1F6CF0 5AB7B45E 04D3ACBE 8E4085CF A669CB25 64F17A9F
   y-coordinate y00':
   19F0115F 21E16D2F 5C3A485F 8575A128 BBCDDF80 296A62F6 AC2EB842 DD058E50
   point (x1', y1')=[s']G + [t]PA:
   x-coordinate x1':
   110FCDA5 7615705D 5E7B9324 AC4B856D 23E6D918 8B2AE477 59514657 CE25D112
   y-coordinate y1':
   1C65D68A 4A08601D F24B431E 0CAB4EBE 084772B3 817E8581 1A8510B2 DF7ECA1A
   R=(e' + x1') modn:
   40F1EC59 F793D9F4 9E09DCEF 49130D41 94F79FB1 EED2CAA5 5BACDB49 C4E755D1

A.3.  Digital Signature over E(F2^m)

   The elliptic curve equation is:

   y^2 + xy = x^3 + ax + b

   Example 1: F2^m-257
   The polynomial to generate the base field is: x^257 + x^12 + 1

   The coefficient a:
   0
   The coefficient b:
   00 E78BCD09 746C2023 78A7E72B 12BCE002 66B9627E CB0B5A25 367AD1AD 4CC6242B

   The base point G=(xG, yG), whose degree is n:
   x-coordinate xG:
   00 CDB9CA7F 1E6B0441 F658343F 4B10297C 0EF9B649 1082400A 62E7A748 5735FADD
   y-coordinate yG:
   01 3DE74DA6 5951C4D7 6DC89220 D5F7777A 611B1C38 BAE260B1 75951DC8 060C2B3E
   degree n:
   7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF BC972CF7 E6B6F900 945B3C6A 0CF6161D

   The message M to be signed: message digest

   The private key dA:
   771EF3DB FF5F1CDC 32B9C572 93047619 1998B2BF 7CB981D7 F5B39202 645F0931

   The public key PA=(xA, yA):
   x-coordinate xA:
   01 65961645 281A8626 607B917F 657D7E93 82F1EA5C D931F40F 6627F357 542653B2
   y-coordinate yA:
   01 68652213 0D590FB8 DE635D8F CA715CC6 BF3D05BE F3F75DA5 D5434544 48166612

   Hash value ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)
   ZA:
   26352AF8 2EC19F20 7BBC6F94 74E11E90 CE0F7DDA CE03B27F 801817E8 97A81FD5

   The intermediate values during signing:
   M~=ZA || M:
   26352AF8 2EC19F20 7BBC6F94 74E11E90 CE0F7DDA CE03B27F 801817E8 97A81FD5
   6D657373 61676520 64696765 7374
   hash value e=H256(M~):
   AD673CBD A3114171 29A9EAA5 F9AB1AA1 633AD477 18A84DFD 46C17C6F A0AA3B12
   random number k:
   36CD79FC 8E24B735 7A8A7B4A 46D454C3 97703D64 98158C60 5399B341 ADA186D6
   point (x1, y1)=[k]G:
   x-coordinate x1:
   00 3FD87D69 47A15F94 25B32EDD 39381ADF D5E71CD4 BB357E3C 6A6E0397 EEA7CD66
   y-coordinate y1:
   00 80771114 6D73951E 9EB373A6 58214054 B7B56D1D 50B4CD6E B32ED387 A65AA6A2
   r=(e+x1) modn:
   6D3FBA26 EAB2A105 4F5D1983 32E33581 7C8AC453 ED26D339 1CD4439D 825BF25B
   (1 + dA)^(-1):
   73AF2954 F951A9DF F5B4C8F7 119DAA1C 230C9BAD E60568D0 5BC3F432 1E1F4260
   s = ((1 + dA)^(-1) * (k - r * dA)) modn:
   3124C568 8D95F0A1 0252A9BE D033BEC8 4439DA38 4621B6D6 FAD77F94 B74A9556

   Digital signature of the message M: (r, s)
   r:
   6D3FBA26 EAB2A105 4F5D1983 32E33581 7C8AC453 ED26D339 1CD4439D 825BF25B
   s:
   3124C568 8D95F0A1 0252A9BE D033BEC8 4439DA38 4621B6D6 FAD77F94 B74A9556

   The intermediate values during verification:
   hash value e'=H256(M'~):
   AD673CBD A3114171 29A9EAA5 F9AB1AA1 633AD477 18A84DFD 46C17C6F A0AA3B12
   t=(r'+s') modn:
   1E647F8F 784891A6 51AFC342 0316F44A 042D7194 4C91910F 835086C8 2CB07194
   point (x0', y0')=[s']G:
   x-coordinate x0':
   00 252CF6B6 3A044FCE 553EAA77 3E1E9264 44E0DAA1 0E4B8873 89D11552 EA6418F7
   y-coordinate y0':
   00 776F3C5D B3A0D312 9EAE44E0 21C28667 92E4264B E1BEEBCA 3B8159DC A382653A
   point (x00', y00')=[t]PA:
   x-coordinate x00':
   00 07DA3F04 0EFB9C28 1BE107EC C389F56F E76A680B B5FDEE1D D554DC11 EB477C88
   y-coordinate y00':
   01 7BA2845D C65945C3 D48926C7 0C953A1A F29CE2E1 9A7EEE6B E0269FB4 803CA68B
   point (x1', y1')=[s']G + [t]PA:
   x-coordinate x1':
   00 3FD87D69 47A15F94 25B32EDD 39381ADF D5E71CD4 BB357E3C 6A6E0397 EEA7CD66
   y-coordinate y1':
   00 80771114 6D73951E 9EB373A6 58214054 B7B56D1D 50B4CD6E B32ED387 A65AA6A2
   R=(e' + x1') modn:
   6D3FBA26 EAB2A105 4F5D1983 32E33581 7C8AC453 ED26D339 1CD4439D 825BF25B

Appendix B.  Examples of Key Exchanges

B.1.  General Introduction

   This appendix uses the hash algorithm described in
   draft-shen-sm3-hash-00, which applies to a bit string of length less
   than 2^64 and outputs a hash value of 256 bits, denoted as H256( ).

   In this appendix, all the hexadecimal numbers have the high digits on
   the left and the low digits on the right.

   Let the user A's identity be: ALICE123@YAHOO.COM.
   Denoted in ASCII code IDA:

   414C 49434531 32334059 41484F4F 2E434F4D

   ENTLA=0090.

   Let the user B's identity be: BILL456@YAHOO.COM.  Denoted in ASCII
   code IDB:

   42 494C4C34 35364059 41484F4F 2E434F4D

   ENTLB=0088.

B.2.  Key Exchange Protocol over E(Fp)

   The elliptic curve equation is:

   y^2 = x^3 + ax + b

   Example 1: Fp-256
   A prime p:
   8542D69E 4C044F18 E8B92435 BF6FF7DE 45728391 5C45517D 722EDB8B 08F1DFC3

   The coefficient a:
   787968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B 3937E498

   The coefficient b:
   63E4C6D3 B23B0C84 9CF84241 484BFE48 F61D59A5 B16BA06E 6E12D1DA 27C5249A

   The cofactor h: 1

   The base point G=(xG, yG), whose degree is n:
   x-coordinate xG:
   421DEBD6 1B62EAB6 746434EB C3CC315E 32220B3B ADD50BDC 4C4E6C14 7FEDD43D
   y-coordinate yG:
   0680512B CBB42C07 D47349D2 153B70C4 E5D7FDFC BFA36EA1 A85841B9 E46E09A2
   degree n:
   8542D69E 4C044F18 E8B92435 BF6FF7DD 29772063 0485628D 5AE74EE7 C32E79B7

   The private key dA:
   6FCBA2EF 9AE0AB90 2BC3BDE3 FF915D44 BA4CC78F 88E2F8E7 F8996D3B 8CCEEDEE

   The public key PA=(xA, yA):
   x-coordinate xA:
   3099093B F3C137D8 FCBBCDF4 A2AE50F3 B0F216C3 122D7942 5FE03A45 DBFE1655
   y-coordinate yA:
   3DF79E8D AC1CF0EC BAA2F2B4 9D51A4B3 87F2EFAF 48233908 6A27A8E0 5BAED98B

   The private key dB:
   5E35D7D3 F3C54DBA C72E6181 9E730B01 9A84208C A3A35E4C 2E353DFC CB2A3B53

   The public key PB=(xB, yB):
   x-coordinate xB:
   245493D4 46C38D8C C0F11837 4690E7DF 633A8A4B FB3329B5 ECE604B2 B4F37F43
   y-coordinate yB:
   53C0869F 4B9E1777 3DE68FEC 45E14904 E0DEA45B F6CECF99 18C85EA0 47C60A4C

   Hash value ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)

   ZA:
   E4D1D0C3 CA4C7F11 BC8FF8CB 3F4C02A7 8F108FA0 98E51A66 8487240F 75E20F31

   Hash value ZB=H256(ENTLB || IDB || a || b || xG || yG || xB || yB)

   ZB:
   6B4B6D0E 276691BD 4A11BF72 F4FB501A E309FDAC B72FA6CC
336E6656 119ABD67 1254 The intermediate value during key exchange processing A1-A3: 1255 random number rA: 1256 83A2C9C8 B96E5AF7 0BD480B4 72409A9A 327257F1 EBB73F5B 073354B2 48668563 1257 point RA=[rA]G=(x1, y1): 1258 x-coordinate x1: 1259 6CB56338 16F4DD56 0B1DEC45 8310CBCC 6856C095 05324A6D 23150C40 8F162BF0 1260 y-coordinate y1: 1261 0D6FCF62 F1036C0A 1B6DACCF 57399223 A65F7D7B F2D9637E 5BBBEB85 7961BF1A 1263 The intermediate value during key exchange processing B1-B9: 1264 random number rB: 1265 33FE2194 0342161C 55619C4A 0C060293 D543C80A F19748CE 176D8347 7DE71C80 1266 point RB=[rB]G=(x2, y2): 1267 x-coordinate x2: 1268 1799B2A2 C7782953 00D9A232 5C686129 B8F2B533 7B3DCF45 14E8BBC1 9D900EE5 1269 y-coordinate y2: 1270 54C9288C 82733EFD F7808AE7 F27D0E73 2F7C73A7 D9AC98B7 D8740A91 D0DB3CF4 1271 x2~=2^127+(x2 AND (2^127-1)): 1272 B8F2B533 7B3DCF45 14E8BBC1 9D900EE5 1273 tB=(dB+x2~*rB) modn: 1274 2B2E11CB F03641FC 3D939262 FC0B652A 70ACAA25 B5369AD3 8B375C02 65490C9F 1275 x1~=2^127+(x1 AND (2^127-1)): 1276 E856C095 05324A6D 23150C40 8F162BF0 1277 point [x1~]RA=(xA0, yA0): 1278 x-coordinate xA0: 1279 2079015F 1A2A3C13 2B67CA90 75BB2803 1D6F2239 8DD8331E 72529555 204B495B 1280 y-coordinate yA0: 1281 6B3FE6FB 0F5D5664 DCA16128 B5E7FCFD AFA5456C 1E5A914D 1300DB61 F37888ED 1282 point PA+[x1~]RA=(xA1, yA1): 1283 x-coordinate xA1: 1284 1C006A3B FF97C651 B7F70D0D E0FC09D2 3AA2BE7A 8E9FF7DA F32673B4 16349B92 1285 y-coordinate yA1: 1286 5DC74F8A CC114FC6 F1A75CB2 86864F34 7F9B2CF2 9326A270 79B7D37A FC1C145B 1287 point V=[h*tB](PA+[x1~]RA)=(xV, yV): 1289 x-coordinate xV: 1290 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1291 y-coordinate yV: 1292 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295 1293 KB=KDF(xV || yV || ZA || ZB, klen): 1294 xV || yV || ZA || ZB: 1295 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1296 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295 1297 
E4D1D0C3 CA4C7F11 BC8FF8CB 3F4C02A7 8F108FA0 98E51A66 8487240F 75E20F31 1298 6B4B6D0E 276691BD 4A11BF72 F4FB501A E309FDAC B72FA6CC 336E6656 119ABD67 1299 klen=128 1300 shared secret key KB: 1301 55B0AC62 A6B927BA 23703832 C853DED4 1302 option SB=Hash(0x02 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2)): 1303 xV || ZA || ZB || x1 || y1 || x2 || y2: 1304 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1305 E4D1D0C3 CA4C7F11 BC8FF8CB 3F4C02A7 8F108FA0 98E51A66 8487240F 75E20F31 1306 6B4B6D0E 276691BD 4A11BF72 F4FB501A E309FDAC B72FA6CC 336E6656 119ABD67 1307 6CB56338 16F4DD56 0B1DEC45 8310CBCC 6856C095 05324A6D 23150C40 8F162BF0 1308 0D6FCF62 F1036C0A 1B6DACCF 57399223 A65F7D7B F2D9637E 5BBBEB85 7961BF1A 1309 1799B2A2 C7782953 00D9A232 5C686129 B8F2B533 7B3DCF45 14E8BBC1 9D900EE5 1310 54C9288C 82733EFD F7808AE7 F27D0E73 2F7C73A7 D9AC98B7 D8740A91 D0DB3CF4 1311 Hash(xV || ZA || ZB || x1 || y1 || x2 || y2): 1312 FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647 1313 0x02 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2): 1314 02 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295 1315 FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647 1316 option SB: 1317 284C8F19 8F141B50 2E81250F 1581C7E9 EEB4CA69 90F9E02D F388B454 71F5BC5C 1319 The intermediate value during key exchange processing A4-A10: 1320 x1~=2^127+(x1 AND (2^127-1)): 1321 E856C095 05324A6D 23150C40 8F162BF0 1322 tA=(dA+x1~*rA) modn: 1323 236CF0C7 A177C65C 7D55E12D 361F7A6C 174A7869 8AC099C0 874AD065 8A4743DC 1324 x2~=2^127+(x2 AND (2^127-1)): 1325 B8F2B533 7B3DCF45 14E8BBC1 9D900EE5 1326 point [x2~]RB=(xB0, yB0): 1327 x-coordinate xB0: 1328 66864274 6BFC066A 1E731ECF FF51131B DC81CF60 9701CB8C 657B25BF 55B7015D 1329 y-coordinate yB0: 1330 1988A7C6 81CE1B50 9AC69F49 D72AE60E 8B71DB6C E087AF84 99FEEF4C CD523064 1331 point PB+[x2~]RB=(xB1, yB1): 1332 x-coordinate xB1: 1333 7D2B4435 10886AD7 CA3911CF 2019EC07 078AFF11 
6E0FC409 A9F75A39 01F306CD 1334 y-coordinate yB1: 1335 331F0C6C 0FE08D40 5FFEDB30 7BC255D6 8198653B DCA68B9C BA100E73 197E5D24 1336 point U=[h*tA](PB+[x2~]RB)=(xU, yU): 1338 x-coordinate xU: 1339 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1340 y-coordinate yU: 1341 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295 1342 KA=KDF(xU || yU || ZA || ZB, klen): 1343 xU || yU || ZA || ZB: 1344 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1345 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295 1346 E4D1D0C3 CA4C7F11 BC8FF8CB 3F4C02A7 8F108FA0 98E51A66 8487240F 75E20F31 1347 6B4B6D0E 276691BD 4A11BF72 F4FB501A E309FDAC B72FA6CC 336E6656 119ABD67 1348 klen=128 1349 shared secret key KA: 1350 55B0AC62 A6B927BA 23703832 C853DED4 1351 option S1=Hash(0x02 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2)): 1352 xU || ZA || ZB || x1 || y1 || x2 || y2: 1353 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1354 E4D1D0C3 CA4C7F11 BC8FF8CB 3F4C02A7 8F108FA0 98E51A66 8487240F 75E20F31 1355 6B4B6D0E 276691BD 4A11BF72 F4FB501A E309FDAC B72FA6CC 336E6656 119ABD67 1356 6CB56338 16F4DD56 0B1DEC45 8310CBCC 6856C095 05324A6D 23150C40 8F162BF0 1357 0D6FCF62 F1036C0A 1B6DACCF 57399223 A65F7D7B F2D9637E 5BBBEB85 7961BF1A 1358 1799B2A2 C7782953 00D9A232 5C686129 B8F2B533 7B3DCF45 14E8BBC1 9D900EE5 1359 54C9288C 82733EFD F7808AE7 F27D0E73 2F7C73A7 D9AC98B7 D8740A91 D0DB3CF4 1360 Hash(xU || ZA || ZB || x1 || y1 || x2 || y2): 1361 FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647 1362 0x02 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2): 1363 02 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295 1364 FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647 1365 option S1: 1366 284C8F19 8F141B50 2E81250F 1581C7E9 EEB4CA69 90F9E02D F388B454 71F5BC5C 1367 option SA=Hash(0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 
|| x2 || y2)): 1368 xU || ZA || ZB || x1 || y1 || x2 || y2: 1369 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1370 E4D1D0C3 CA4C7F11 BC8FF8CB 3F4C02A7 8F108FA0 98E51A66 8487240F 75E20F31 1371 6B4B6D0E 276691BD 4A11BF72 F4FB501A E309FDAC B72FA6CC 336E6656 119ABD67 1372 6CB56338 16F4DD56 0B1DEC45 8310CBCC 6856C095 05324A6D 23150C40 8F162BF0 1373 0D6FCF62 F1036C0A 1B6DACCF 57399223 A65F7D7B F2D9637E 5BBBEB85 7961BF1A 1374 1799B2A2 C7782953 00D9A232 5C686129 B8F2B533 7B3DCF45 14E8BBC1 9D900EE5 1375 54C9288C 82733EFD F7808AE7 F27D0E73 2F7C73A7 D9AC98B7 D8740A91 D0DB3CF4 1376 Hash(xU || ZA || ZB || x1 || y1 || x2 || y2): 1377 FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647 1378 0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2): 1379 03 2AF86EFE 732CF12A D0E09A1F 2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295 1380 FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647 1381 option SA: 1382 23444DAF 8ED75343 66CB901C 84B3BDBB 63504F40 65C1116C 91A4C006 97E6CF7A 1384 The intermediate value during key exchange processing B10: 1385 option S2=Hash(0x03 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2)): 1387 xV || ZA || ZB || x1 || y1 || x2 || y2: 1388 47C82653 4DC2F6F1 FBF28728 DD658F21 E174F481 79ACEF29 00F8B7F5 66E40905 1389 E4D1D0C3 CA4C7F11 BC8FF8CB 3F4C02A7 8F108FA0 98E51A66 8487240F 75E20F31 1390 6B4B6D0E 276691BD 4A11BF72 F4FB501A E309FDAC B72FA6CC 336E6656 119ABD67 1391 6CB56338 16F4DD56 0B1DEC45 8310CBCC 6856C095 05324A6D 23150C40 8F162BF0 1392 0D6FCF62 F1036C0A 1B6DACCF 57399223 A65F7D7B F2D9637E 5BBBEB85 7961BF1A 1393 1799B2A2 C7782953 00D9A232 5C686129 B8F2B533 7B3DCF45 14E8BBC1 9D900EE5 1394 54C9288C 82733EFD F7808AE7 F27D0E73 2F7C73A7 D9AC98B7 D8740A91 D0DB3CF4 1395 Hash(xV || ZA || ZB || x1 || y1 || x2 || y2): 1396 FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647 1397 0x03 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2): 1398 03 2AF86EFE 732CF12A D0E09A1F 
   2556CC65 0D9CCCE3 E249866B BB5C6846 A4C4A295
   FF49D95B D45FCE99 ED54A8AD 7A709110 9F513944 42916BD1 54D1DE43 79D97647
   option S2:
   23444DAF 8ED75343 66CB901C 84B3BDBB 63504F40 65C1116C 91A4C006 97E6CF7A

B.3.  Key Exchange Protocol over E(F2^m)

   The elliptic curve equation is:

   y^2 + xy = x^3 + ax + b

   Example 2: F2^m-257
   The polynomial to generate the base field is: x^257 + x^12 + 1

   The coefficient a:
   0

   The coefficient b:
   00 E78BCD09 746C2023 78A7E72B 12BCE002 66B9627E CB0B5A25 367AD1AD 4CC6242B

   The cofactor h: 4

   The base point G=(xG, yG), whose degree is n:
   x-coordinate xG:
   00 CDB9CA7F 1E6B0441 F658343F 4B10297C 0EF9B649 1082400A 62E7A748 5735FADD
   y-coordinate yG:
   01 3DE74DA6 5951C4D7 6DC89220 D5F7777A 611B1C38 BAE260B1 75951DC8 060C2B3E
   degree n:
   7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF BC972CF7 E6B6F900 945B3C6A 0CF6161D

   The private key dA:
   4813903D 254F2C20 A94BC570 42384969 54BB5279 F861952E F2C5298E 84D2CEAA

   The public key PA=(xA, yA):
   x-coordinate xA:
   00 8E3BDB2E 11F91933 88F1F901 CCC857BF 49CFC065 FB38B906 9CAAE6D5 AFC3592F
   y-coordinate yA:
   00 4555122A AC0075F4 2E0A8BBD 2C0665C7 89120DF1 9D77B4E3 EE4712F5 98040415

   The private key dB:
   08F41BAE 0922F47C 212803FE 681AD52B 9BF28A35 E1CD0EC2 73A2CF81 3E8FD1DC

   The public key PB=(xB, yB):
   x-coordinate xB:
   00 34297DD8 3AB14D5B 393B6712 F32B2F2E 938D4690 B095424B 89DA880C 52D4A7D9
   y-coordinate yB:
   01 99BBF11A C95A0EA3 4BBD00CA 50B93EC2 4ACB6833 5D20BA5D CFE3B33B DBD2B62D

   Hash value ZA=H256(ENTLA || IDA || a || b || xG || yG || xA || yA)

   ZA:
   ECF00802 15977B2E 5D6D61B9 8A99442F 03E8803D C39E349F 8DCA5621 A9ACDF2B

   Hash value ZB=H256(ENTLB || IDB || a || b || xG || yG || xB || yB)

   ZB:
   557BAD30 E183559A EEC3B225 6E1C7C11 F870D22B 165D015A CF9465B0 9B87B527

   The intermediate values during key exchange processing A1-A3:
   random number
rA: 1459 54A3D667 3FF3A6BD 6B02EBB1 64C2A3AF 6D4A4906 229D9BFC E68CC366 A2E64BA4 1460 point RA=[rA]G=(x1, y1): 1461 x-coordinate x1: 1462 01 81076543 ED19058C 38B313D7 39921D46 B80094D9 61A13673 D4A5CF8C 7159E304 1463 y-coordinate y1: 1464 01 D8CFFF7C A27A01A2 E88C1867 3748FDE9 A74C1F9B 45646ECA 0997293C 15C34DD8 1466 The intermediate value during key exchange processing B1-B9: 1467 random number rB: 1468 1F219333 87BEF781 D0A8F7FD 708C5AE0 A56EE3F4 23DBC2FE 5BDF6F06 8C53F7AD 1469 point RB=[rB]G=(x2, y2): 1470 x-coordinate x2: 1471 00 2A4832B4 DCD399BA AB3FFFE7 DD6CE6ED 68CC43FF A5F2623B 9BD04E46 8D322A2A 1472 y-coordinate y2: 1473 00 16599BB5 2ED9EAFA D01CFA45 3CF3052E D60184D2 EECFD42B 52DB7411 0B984C23 1474 x2~=2^127+(x2 AND (2^127-1)): 1475 E8CC43FF A5F2623B 9BD04E46 8D322A2A 1476 tB=(dB+x2~*rB) modn: 1477 3D51D331 14A453A0 5791DB63 5B45F8DB C54686D7 E2212D49 E4A717C6 B10DEDB0 1478 h*tB modn: 1479 75474CC4 52914E81 5E476D8D 6D17E36F 5882EE67 A1CDBC26 FE4122B0 B741A0A3 1480 x1~=2^127+(x1 AND (2^127-1)): 1481 B80094D9 61A13673 D4A5CF8C 7159E304 1482 point [x1~]RA=(xA0, yA0): 1483 x-coordinate xA0: 1484 01 98AB5F14 349B6A46 F77FBFCB DDBFCD34 320DC1F4 C546D13C 3A9F0E83 0C39B579 1485 y-coordinate yA0: 1486 00 BFB49224 ACCE2E51 04CD4519 C0CBE3AD 0C19BF11 805BE108 59069AA6 9317A2B7 1487 point PA+[x1~]RA=(xA1, yA1): 1488 x-coordinate xA1: 1489 00 24A92F64 66A37C5C 12A2C68D 58BFB0F0 32F2B976 60957CB0 5E63F961 F160FE57 1490 y-coordinate yA1: 1491 00 F74A4F17 DC560A55 FDE0F1AB 168BCBF7 6502E240 BA2D6BD6 BE6E5D79 16B288FC 1492 point V=[h*tB](PA+[x1~]RA)=(xV, yV): 1493 x-coordinate xV: 1494 00 DADD0874 06221D65 7BC3FA79 FF329BB0 22E9CB7D DFCFCCFE 277BE8CD 4AE9B954 1495 y-coordinate yV: 1496 01 F0464B1E 81684E5E D6EF281B 55624EF4 6CAA3B2D 37484372 D91610B6 98252CC9 1497 KB=KDF(xV || yV || ZA || ZB, klen): 1498 xV || yV || ZA || ZB: 1499 00DADD08 7406221D 657BC3FA 79FF329B B022E9CB 7DDFCFCC FE277BE8 CD4AE9B9 1500 5401F046 4B1E8168 4E5ED6EF 281B5562 4EF46CAA 3B2D3748 4372D916 
   10B69825
   2CC9ECF0 08021597 7B2E5D6D 61B98A99 442F03E8 803DC39E 349F8DCA 5621A9AC
   DF2B557B AD30E183 559AEEC3 B2256E1C 7C11F870 D22B165D 015ACF94 65B09B87
   B527
   klen=128
   shared secret key KB:
   4E587E5C 66634F22 D973A7D9 8BF8BE23
   option SB=Hash(0x02 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2)):
   xV || ZA || ZB || x1 || y1 || x2 || y2:
   00DADD08 7406221D 657BC3FA 79FF329B B022E9CB 7DDFCFCC FE277BE8 CD4AE9B9
   54ECF008 0215977B 2E5D6D61 B98A9944 2F03E880 3DC39E34 9F8DCA56 21A9ACDF
   2B557BAD 30E18355 9AEEC3B2 256E1C7C 11F870D2 2B165D01 5ACF9465 B09B87B5
   27018107 6543ED19 058C38B3 13D73992 1D46B800 94D961A1 3673D4A5 CF8C7159
   E30401D8 CFFF7CA2 7A01A2E8 8C186737 48FDE9A7 4C1F9B45 646ECA09 97293C15
   C34DD800 2A4832B4 DCD399BA AB3FFFE7 DD6CE6ED 68CC43FF A5F2623B 9BD04E46
   8D322A2A 0016599B B52ED9EA FAD01CFA 453CF305 2ED60184 D2EECFD4 2B52DB74
   110B984C 23
   Hash(xV || ZA || ZB || x1 || y1 || x2 || y2):
   E05FE287 B73B0CE6 639524CD 86694311 562914F4 F6A34241 01D885F8 8B05369C
   0x02 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2):
   02 01F0464B 1E81684E 5ED6EF28 1B55624E F46CAA3B 2D374843 72D91610 B698252C
   C9E05FE2 87B73B0C E6639524 CD866943 11562914 F4F6A342 4101D885 F88B0536 9C
   option SB:
   4EB47D28 AD3906D6 244D01E0 F6AEC73B 0B51DE15 74C13798 184E4833 DBAE295A

   The intermediate values during key exchange processing, steps A4-A10:
   x1~=2^127+(x1 AND (2^127-1)):
   B80094D9 61A13673 D4A5CF8C 7159E304
   tA=(dA+x1~*rA) mod n:
   18A1C649 B94044DF 16DC8634 993F1A4A EE3F6426 DFE14AC1 3644306A A5A94187
   h*tA mod n:
   62871926 E501137C 5B7218D2 64FC692B B8FD909B 7F852B04 D910C1AA 96A5061C
   x2~=2^127+(x2 AND (2^127-1)):
   E8CC43FF A5F2623B 9BD04E46 8D322A2A
   point [x2~]RB=(xB0, yB0):
   x-coordinate xB0:
   01 0AA3BAC9 7786B629 22F93414 57AC64F7 2552AA15 D9321677 A10C7021 33B16735
   y-coordinate yB0:
   00 C10837F4 8F53C46B 714BCFBF AA1AD627 11FCB03C 0C25B366 BF176A2D C7B8E62E
   point PB+[x2~]RB=(xB1, yB1):
   x-coordinate xB1:
   00 C7A446E1 98DB4278 60C3BB50 ED2197DE B8161973 9141CA61 03745035 9FAD9A99
   y-coordinate yB1:
   00 602E5A42 17427EAB C5E3917D E81BFFA1 D806591A F949DD7C 97EF90FD 4CF0A42D
   point U=[h*tA](PB+[x2~]RB)=(xU, yU):
   x-coordinate xU:
   00 DADD0874 06221D65 7BC3FA79 FF329BB0 22E9CB7D DFCFCCFE 277BE8CD 4AE9B954
   y-coordinate yU:
   01 F0464B1E 81684E5E D6EF281B 55624EF4 6CAA3B2D 37484372 D91610B6 98252CC9
   KA=KDF(xU || yU || ZA || ZB, klen):
   xU || yU || ZA || ZB:
   00DADD08 7406221D 657BC3FA 79FF329B B022E9CB 7DDFCFCC FE277BE8 CD4AE9B9
   5401F046 4B1E8168 4E5ED6EF 281B5562 4EF46CAA 3B2D3748 4372D916 10B69825
   2CC9ECF0 08021597 7B2E5D6D 61B98A99 442F03E8 803DC39E 349F8DCA 5621A9AC
   DF2B557B AD30E183 559AEEC3 B2256E1C 7C11F870 D22B165D 015ACF94 65B09B87
   B527
   klen=128
   shared secret key KA:
   4E587E5C 66634F22 D973A7D9 8BF8BE23
   option S1=Hash(0x02 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2)):
   xU || ZA || ZB || x1 || y1 || x2 || y2:
   00DADD08 7406221D 657BC3FA 79FF329B B022E9CB 7DDFCFCC FE277BE8 CD4AE9B9
   54ECF008 0215977B 2E5D6D61 B98A9944 2F03E880 3DC39E34 9F8DCA56 21A9ACDF
   2B557BAD 30E18355 9AEEC3B2 256E1C7C 11F870D2 2B165D01 5ACF9465 B09B87B5
   27018107 6543ED19 058C38B3 13D73992 1D46B800 94D961A1 3673D4A5 CF8C7159
   E30401D8 CFFF7CA2 7A01A2E8 8C186737 48FDE9A7 4C1F9B45 646ECA09 97293C15
   C34DD800 2A4832B4 DCD399BA AB3FFFE7 DD6CE6ED 68CC43FF A5F2623B 9BD04E46
   8D322A2A 0016599B B52ED9EA FAD01CFA 453CF305 2ED60184 D2EECFD4 2B52DB74
   110B984C 23
   Hash(xU || ZA || ZB || x1 || y1 || x2 || y2):
   E05FE287 B73B0CE6 639524CD 86694311 562914F4 F6A34241 01D885F8 8B05369C
   0x02 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2):
   02 01F0464B 1E81684E 5ED6EF28 1B55624E F46CAA3B 2D374843 72D91610 B698252C
   C9E05FE2 87B73B0C E6639524 CD866943 11562914 F4F6A342 4101D885 F88B0536 9C
   option S1:
   4EB47D28 AD3906D6 244D01E0 F6AEC73B 0B51DE15 74C13798 184E4833 DBAE295A
   option SA=Hash(0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2)):
   xU || ZA || ZB || x1 || y1 || x2 || y2:
   00DADD08 7406221D 657BC3FA 79FF329B B022E9CB 7DDFCFCC FE277BE8 CD4AE9B9
   54ECF008 0215977B 2E5D6D61 B98A9944 2F03E880 3DC39E34 9F8DCA56 21A9ACDF
   2B557BAD 30E18355 9AEEC3B2 256E1C7C 11F870D2 2B165D01 5ACF9465 B09B87B5
   27018107 6543ED19 058C38B3 13D73992 1D46B800 94D961A1 3673D4A5 CF8C7159
   E30401D8 CFFF7CA2 7A01A2E8 8C186737 48FDE9A7 4C1F9B45 646ECA09 97293C15
   C34DD800 2A4832B4 DCD399BA AB3FFFE7 DD6CE6ED 68CC43FF A5F2623B 9BD04E46
   8D322A2A 0016599B B52ED9EA FAD01CFA 453CF305 2ED60184 D2EECFD4 2B52DB74
   110B984C 23
   Hash(xU || ZA || ZB || x1 || y1 || x2 || y2):
   E05FE287 B73B0CE6 639524CD 86694311 562914F4 F6A34241 01D885F8 8B05369C
   0x03 || yU || Hash(xU || ZA || ZB || x1 || y1 || x2 || y2):
   03 01F0464B 1E81684E 5ED6EF28 1B55624E F46CAA3B 2D374843 72D91610 B698252C
   C9E05FE2 87B73B0C E6639524 CD866943 11562914 F4F6A342 4101D885 F88B0536 9C
   option SA:
   588AA670 64F24DC2 7CCAA1FA B7E27DFF 811D500A D7EF2FB8 F69DDF48 CC0FECB7

   The intermediate values during key exchange processing, step B10:
   option S2=Hash(0x03 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2)):
   xV || ZA || ZB || x1 || y1 || x2 || y2:
   00DADD08 7406221D 657BC3FA 79FF329B B022E9CB 7DDFCFCC FE277BE8 CD4AE9B9
   54ECF008 0215977B 2E5D6D61 B98A9944 2F03E880 3DC39E34 9F8DCA56 21A9ACDF
   2B557BAD 30E18355 9AEEC3B2 256E1C7C 11F870D2 2B165D01 5ACF9465 B09B87B5
   27018107 6543ED19 058C38B3 13D73992 1D46B800 94D961A1 3673D4A5 CF8C7159
   E30401D8 CFFF7CA2 7A01A2E8 8C186737 48FDE9A7 4C1F9B45 646ECA09 97293C15
   C34DD800 2A4832B4 DCD399BA AB3FFFE7 DD6CE6ED 68CC43FF A5F2623B 9BD04E46
   8D322A2A 0016599B B52ED9EA FAD01CFA 453CF305 2ED60184 D2EECFD4 2B52DB74
   110B984C 23
   Hash(xV || ZA || ZB || x1 || y1 || x2 || y2):
   E05FE287 B73B0CE6 639524CD 86694311 562914F4 F6A34241 01D885F8 8B05369C
   0x03 || yV || Hash(xV || ZA || ZB || x1 || y1 || x2 || y2):
   03 01F0464B 1E81684E 5ED6EF28 1B55624E F46CAA3B 2D374843 72D91610 B698252C
   C9E05FE2 87B73B0C E6639524 CD866943 11562914 F4F6A342 4101D885 F88B0536 9C
   option S2:
   588AA670 64F24DC2 7CCAA1FA B7E27DFF 811D500A D7EF2FB8 F69DDF48 CC0FECB7

Appendix C. Example of Public Key Encryption

C.1. General Introduction

   This appendix uses the hash algorithm described in
   draft-shen-sm3-hash-00, which operates on a bit string of length
   less than 2^64 bits and outputs a 256-bit hash value, denoted
   H256( ).

   In this appendix, all hexadecimal numbers have their high-order
   digits on the left and low-order digits on the right.

   In this appendix, all plaintexts are ASCII-encoded.

C.2. Encryption and Decryption over E(Fp)

   The elliptic curve equation is:

   y^2 = x^3 + ax + b

   Example 1: Fp-256
   The prime p:
   8542D69E 4C044F18 E8B92435 BF6FF7DE 45728391 5C45517D 722EDB8B 08F1DFC3

   The coefficient a:
   787968B4 FA32C3FD 2417842E 73BBFEFF 2F3C848B 6831D7E0 EC65228B 3937E498

   The coefficient b:
   63E4C6D3 B23B0C84 9CF84241 484BFE48 F61D59A5 B16BA06E 6E12D1DA 27C5249A

   The base point G=(xG,yG), whose degree is n:
   x-coordinate xG:
   421DEBD6 1B62EAB6 746434EB C3CC315E 32220B3B ADD50BDC 4C4E6C14 7FEDD43D
   y-coordinate yG:
   0680512B CBB42C07 D47349D2 153B70C4 E5D7FDFC BFA36EA1 A85841B9 E46E09A2
   degree n:
   8542D69E 4C044F18 E8B92435 BF6FF7DD 29772063 0485628D 5AE74EE7 C32E79B7

   The message M to be encrypted: encryption standard
   M denoted in hexadecimal:
   656E63 72797074 696F6E20 7374616E 64617264

   The private key dB:
   1649AB77 A00637BD 5E2EFE28 3FBF3535 34AA7F7C B89463F2 08DDBC29 20BB0DA0

   The public key PB=(xB,yB):
   x-coordinate xB:
   435B39CC A8F3B508 C1488AFC 67BE491A 0F7BA07E 581A0E48 49A5CF70 628A7E0A
   y-coordinate yB:
   75DDBA78 F15FEECB 4C7895E2 C1CDF5FE 01DEBB2C DBADF453 99CCF77B BA076A42

   The intermediate values during encryption processing:
   random number k:
   4C62EEFD 6ECFC2B9 5B92FD6C 3D957514 8AFA1742 5546D490 18E5388D 49DD7B4F
   point C1=[k]G=(x1,y1):
   x-coordinate x1:
   245C26FB 68B1DDDD B12C4B6B F9F2B6D5 FE60A383 B0D18D1C 4144ABF1 7F6252E7
   y-coordinate y1:
   76CB9264 C2A7E88E 52B19903 FDC47378 F605E368 11F5C074 23A24B84 400F01B8
   The point C1 here is uncompressed and can be transformed into a byte
   string PC || x1 || y1, where PC is the byte 04.  The byte string is
   still denoted as C1.
   point [k]PB=(x2,y2):
   x-coordinate x2:
   64D20D27 D0632957 F8028C1E 024F6B02 EDF23102 A566C932 AE8BD613 A8E865FE
   y-coordinate y2:
   58D225EC A784AE30 0A81A2D4 8281A828 E1CEDF11 C4219099 84026537 5077BF78
   the length of message M: klen=152
   t=KDF(x2 || y2,klen):
   006E30 DAE231B0 71DFAD8A A379E902 64491603
   C2=M XOR t:
   650053 A89B41C4 18B0C3AA D00D886C 00286467
   C3=Hash(x2 || M || y2):
   x2 || M || y2:
   64D20D27 D0632957 F8028C1E 024F6B02 EDF23102 A566C932 AE8BD613 A8E865FE
   656E6372 79707469 6F6E2073 74616E64 61726458 D225ECA7 84AE300A 81A2D482
   81A828E1 CEDF11C4 21909984 02653750 77BF78
   C3:
   9C3D7360 C30156FA B7C80A02 76712DA9 D8094A63 4B766D3A 285E0748 0653426D
   ciphertext C=C1 || C2 || C3:
   04245C26 FB68B1DD DDB12C4B 6BF9F2B6 D5FE60A3 83B0D18D 1C4144AB F17F6252
   E776CB92 64C2A7E8 8E52B199 03FDC473 78F605E3 6811F5C0 7423A24B 84400F01
   B8650053 A89B41C4 18B0C3AA D00D886C 00286467 9C3D7360 C30156FA B7C80A02
   76712DA9 D8094A63 4B766D3A 285E0748 0653426D

   The intermediate values during decryption processing:
   point [dB]C1=(x2,y2):
   x-coordinate x2:
   64D20D27 D0632957 F8028C1E 024F6B02 EDF23102 A566C932 AE8BD613 A8E865FE
   y-coordinate y2:
   58D225EC A784AE30 0A81A2D4 8281A828 E1CEDF11 C4219099 84026537 5077BF78
   t=KDF(x2 || y2,klen):
   006E30 DAE231B0 71DFAD8A A379E902 64491603
   M'=C2 XOR t:
   656E63 72797074 696F6E20 7374616E 64617264
   u=Hash(x2 || M' || y2):
   9C3D7360 C30156FA B7C80A02 76712DA9 D8094A63 4B766D3A 285E0748 0653426D
   plaintext M':
   656E63 72797074 696F6E20 7374616E 64617264
   M': encryption standard

C.3. Encryption and Decryption over E(F2^m)

   The elliptic curve equation is:

   y^2 + xy = x^3 + ax + b

   Example 2: F2^m-257
   The polynomial generating the base field is: x^257 + x^12 + 1

   The coefficient a:
   0

   The coefficient b:
   00 E78BCD09 746C2023 78A7E72B 12BCE002 66B9627E CB0B5A25 367AD1AD 4CC6242B

   The base point G=(xG,yG), whose degree is n:
   x-coordinate xG:
   00 CDB9CA7F 1E6B0441 F658343F 4B10297C 0EF9B649 1082400A 62E7A748 5735FADD
   y-coordinate yG:
   01 3DE74DA6 5951C4D7 6DC89220 D5F7777A 611B1C38 BAE260B1 75951DC8 060C2B3E
   degree n:
   7FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF BC972CF7 E6B6F900 945B3C6A 0CF6161D

   The message M to be encrypted: encryption standard
   M denoted in hexadecimal:
   656E63 72797074 696F6E20 7374616E 64617264

   The private key dB:
   56A270D1 7377AA9A 367CFA82 E46FA526 7713A9B9 1101D077 7B07FCE0 18C757EB

   The public key PB=(xB,yB):
   x-coordinate xB:
   00 A67941E6 DE8A6180 5F7BCFF0 985BB3BE D986F1C2 97E4D888 0D82B821 C624EE57
   y-coordinate yB:
   01 93ED5A67 07B59087 81B86084 1085F52E EFA7FE32 9A5C8118 43533A87 4D027271

   The intermediate values during encryption processing:
   random number k:
   6D3B4971 53E3E925 24E5C122 682DBDC8 705062E2 0B917A5F 8FCDB8EE 4C66663D
   point C1=[k]G=(x1,y1):
   x-coordinate x1:
   01 9D236DDB 305009AD 52C51BB9 32709BD5 34D476FB B7B0DF95 42A8A4D8 90A3F2E1
   y-coordinate y1:
   00 B23B938D C0A94D1D F8F42CF4 5D2D6601 BF638C3D 7DE75A29 F02AFB7E 45E91771
   The point C1 here is uncompressed and can be transformed into a byte
   string PC || x1 || y1, where PC is the byte 04.  The byte string is
   still denoted as C1.
   point [k]PB=(x2,y2):
   x-coordinate x2:
   00 83E628CF 701EE314 1E8873FE 55936ADF 24963F5D C9C64805 66C80F8A 1D8CC51B
   y-coordinate y2:
   01 524C647F 0C0412DE FD468BDA 3AE0E5A8 0FCC8F5C 990FEE11 60292923 2DCD9F36
   the length of message M: klen=152
   t=KDF(x2 || y2,klen):
   983BCF 106AB2DC C92F8AEA C6C60BF2 98BB0117
   C2=M XOR t:
   FD55AC 6213C2A8 A040E4CA B5B26A9C FCDA7373
   C3=Hash(x2 || M || y2):
   x2 || M || y2:
   0083E628 CF701EE3 141E8873 FE55936A DF24963F 5DC9C648 0566C80F 8A1D8CC5
   1B656E63 72797074 696F6E20 7374616E 64617264 01524C64 7F0C0412 DEFD468B
   DA3AE0E5 A80FCC8F 5C990FEE 11602929 232DCD9F 36
   C3:
   73A48625 D3758FA3 7B3EAB80 E9CFCABA 665E3199 EA15A1FA 8189D96F 579125E4
   ciphertext C=C1 || C2 || C3:
   04019D23 6DDB3050 09AD52C5 1BB93270 9BD534D4 76FBB7B0 DF9542A8 A4D890A3
   F2E100B2 3B938DC0 A94D1DF8 F42CF45D 2D6601BF 638C3D7D E75A29F0 2AFB7E45
   E91771FD 55AC6213 C2A8A040 E4CAB5B2 6A9CFCDA 737373A4 8625D375 8FA37B3E
   AB80E9CF CABA665E 3199EA15 A1FA8189 D96F5791 25E4

   The intermediate values during decryption processing:
   point [dB]C1=(x2,y2):
   x-coordinate x2:
   00 83E628CF 701EE314 1E8873FE 55936ADF 24963F5D C9C64805 66C80F8A 1D8CC51B
   y-coordinate y2:
   01 524C647F 0C0412DE FD468BDA 3AE0E5A8 0FCC8F5C 990FEE11 60292923 2DCD9F36
   t=KDF(x2 || y2,klen):
   983BCF 106AB2DC C92F8AEA C6C60BF2 98BB0117
   M'=C2 XOR t:
   656E63 72797074 696F6E20 7374616E 64617264
   u=Hash(x2 || M' || y2):
   73A48625 D3758FA3 7B3EAB80 E9CFCABA 665E3199 EA15A1FA 8189D96F 579125E4
   plaintext M':
   656E63 72797074 696F6E20 7374616E 64617264
   M': encryption standard

Authors' Addresses

   Sean Shen (editor)
   Chinese Academy of Science
   No.4 South 4th Zhongguancun Street
   Beijing, 100190
   China

   Phone: +86 10-58813038
   EMail: shenshuo@cnnic.cn

   Xiaodong Lee (editor)
   Chinese Academy of Science
   No.4 South 4th Zhongguancun Street
   Beijing, 100190
   China

   Phone: +86 10-58813038
   EMail: shenshuo@cnnic.cn
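The following Python program is an added worked example for Appendix C.2 (Example 1 over Fp-256); it is not code from the draft or from the draft's authors. It implements SM3 from its published specification, the SM2 key derivation function, affine point arithmetic on the curve given in C.2, encryption in the C1 || C2 || C3 layout this draft uses, and decryption with the two checks a receiver must perform: that C1 is a point on the curve before the private key is multiplied into it, and that the recomputed C3 matches. The function and constant names (sm3, kdf, ec_mul, sm2_encrypt, sm2_decrypt, P, A, B, G, DB, PB, K) are the example's own; the numeric values are copied from C.2. Note that the later GB/T 32918.4 standard orders the ciphertext as C1 || C3 || C2, so an implementation of this draft's layout will not interoperate with one following the final standard. Requires Python 3.8 or later (for pow(x, -1, p)).

```python
import hmac
import struct

# SM3, implemented here from the published specification (draft-shen-sm3-hash).
_IV = [0x7380166f, 0x4914b2b9, 0x172442d7, 0xda8a0600, 0xa96f30bc, 0x163138aa, 0xe38dee4d, 0xb0fb0e4e]
def _rotl(x, n):
    n %= 32
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def _compress(v, block):
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):                                   # message expansion W[16..67]
        x = w[j - 16] ^ w[j - 9] ^ _rotl(w[j - 3], 15)
        w.append(x ^ _rotl(x, 15) ^ _rotl(x, 23) ^ _rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]                  # W'[0..63]
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        if j < 16:
            tj, ff, gg = 0x79cc4519, a ^ b ^ c, e ^ f ^ g
        else:
            tj, ff, gg = 0x7a879d8a, (a & b) | (a & c) | (b & c), (e & f) | (~e & g)
        ss1 = _rotl((_rotl(a, 12) + e + _rotl(tj, j)) & 0xFFFFFFFF, 7)
        tt1 = (ff + d + (ss1 ^ _rotl(a, 12)) + w1[j]) & 0xFFFFFFFF   # SS2 = SS1 xor (A <<< 12)
        tt2 = (gg + h + ss1 + w[j]) & 0xFFFFFFFF
        a, b, c, d = tt1, a, _rotl(b, 9), c
        e, f, g, h = tt2 ^ _rotl(tt2, 9) ^ _rotl(tt2, 17), e, _rotl(f, 19), g   # E = P0(TT2)
    return [x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h))]
def sm3(msg: bytes) -> bytes:
    padded = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", 8 * len(msg))
    v = _IV
    for i in range(0, len(padded), 64):
        v = _compress(v, padded[i:i + 64])
    return struct.pack(">8I", *v)
def kdf(z: bytes, klen_bits: int) -> bytes:
    # SM2 KDF: SM3(Z || ct) for ct = 1, 2, ... (32-bit big-endian counter), truncated to klen bits
    out, ct = b"", 1
    while 8 * len(out) < klen_bits:
        out += sm3(z + struct.pack(">I", ct))
        ct += 1
    return out[:klen_bits // 8]

# Curve Fp-256 of Appendix C.2 (p, a, b and G copied from the draft).
P = 0x8542D69E4C044F18E8B92435BF6FF7DE457283915C45517D722EDB8B08F1DFC3
A = 0x787968B4FA32C3FD2417842E73BBFEFF2F3C848B6831D7E0EC65228B3937E498
B = 0x63E4C6D3B23B0C849CF84241484BFE48F61D59A5B16BA06E6E12D1DA27C5249A
G = (0x421DEBD61B62EAB6746434EBC3CC315E32220B3BADD50BDC4C4E6C147FEDD43D,
     0x0680512BCBB42C07D47349D2153B70C4E5D7FDFCBFA36EA1A85841B9E46E09A2)
def on_curve(pt) -> bool:
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0
def ec_add(p1, p2):
    # affine addition on y^2 = x^3 + Ax + B over GF(P); None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None                    # P + (-P)
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def ec_mul(k: int, pt):
    acc = None                                                # plain double-and-add, not constant time
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc
def _be32(n: int) -> bytes:
    return n.to_bytes(32, "big")

def sm2_encrypt(msg: bytes, pub, k: int) -> bytes:
    # C = C1 || C2 || C3 in this draft's layout; k is a parameter only so the draft's fixed
    # test value can be replayed, real code draws a fresh k from a CSPRNG for every message
    x1, y1 = ec_mul(k, G)                                     # C1 = [k]G, sent as 04 || x1 || y1
    x2, y2 = ec_mul(k, pub)                                   # [k]PB, the shared point
    t = kdf(_be32(x2) + _be32(y2), 8 * len(msg))
    c2 = bytes(m ^ s for m, s in zip(msg, t))
    c3 = sm3(_be32(x2) + msg + _be32(y2))                     # integrity tag over the plaintext
    return b"\x04" + _be32(x1) + _be32(y1) + c2 + c3
def sm2_decrypt(c: bytes, priv: int) -> bytes:
    if len(c) < 97 or c[0] != 0x04:
        raise ValueError("malformed ciphertext")
    c1 = (int.from_bytes(c[1:33], "big"), int.from_bytes(c[33:65], "big"))
    if not on_curve(c1):                                      # never multiply priv into an off-curve point
        raise ValueError("C1 is not on the curve")
    c2, c3 = c[65:-32], c[-32:]
    x2, y2 = ec_mul(priv, c1)                                 # [dB]C1 = [dB][k]G = [k]PB
    t = kdf(_be32(x2) + _be32(y2), 8 * len(c2))
    m = bytes(a ^ b for a, b in zip(c2, t))
    if not hmac.compare_digest(sm3(_be32(x2) + m + _be32(y2)), c3):
        raise ValueError("C3 check failed")                   # tampered ciphertext or wrong key
    return m

# Example 1 inputs from Appendix C.2: recipient key pair dB/PB and the draft's fixed k.
DB = 0x1649AB77A00637BD5E2EFE283FBF353534AA7F7CB89463F208DDBC2920BB0DA0
PB = (0x435B39CCA8F3B508C1488AFC67BE491A0F7BA07E581A0E4849A5CF70628A7E0A,
      0x75DDBA78F15FEECB4C7895E2C1CDF5FE01DEBB2CDBADF45399CCF77BBA076A42)
K = 0x4C62EEFD6ECFC2B95B92FD6C3D9575148AFA17425546D49018E5388D49DD7B4F
```

Calling sm2_encrypt(b"encryption standard", PB, K) reproduces the ciphertext C listed in C.2 byte for byte, and sm2_decrypt(C, DB) returns the plaintext; flipping any bit of C2 makes the C3 comparison fail, which is the only integrity protection this construction has, so a decryptor that skips it (or that processes C1 before checking it is on the curve) is accepting unauthenticated input. The scalar multiplication here is a textbook double-and-add whose timing depends on the secret; it is fine for checking test vectors, not for production use.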