Table of contents
1. Introduction
SM2 asymmetric encryption algorithm. Released by the State Cryptozoology Administration on December 17, 2010. The public key cryptography algorithm standard based on elliptic curve cryptography has a key length of 256 bits and includes digital signature, key exchange and public key encryption. It is used to replace international algorithms such as RSA/DH/ECDSA/ECDH.
SM2 uses a type of ECC 256-bit, which has higher security strength than RSA 2048-bit, and the operation speed is faster than RSA. With the development of cryptography and computing technology, the currently commonly used 1024-bit RSA algorithm faces serious security threats. After research, our national cryptography management department decided to use the SM2 elliptic curve algorithm to replace the RSA algorithm. The SM2 algorithm has advantages in both security and performance.
2. Mathematical formulas
Get the public and private keys:
Elliptic curve equation:
y^2 = x^3 + ax + b mod p
- Confirm a, b, p and the curve.
- Select a point P ( xg , yg ) P(x_g, y_g)P(xg,yg) is the base point.
- Perform tangent and x-symmetry point operations on the curve. The degree is d, and the operation multiple point is Q
- d is the private key, Q is the public key
Generation of key pair:
- Generate random integers d [ 1 , n − 2 ] d[1,n−2]d[1,n−2]
- G is the base point, and the calculation point P = ( x P , y P ) = [ d ] GP = (xP, yP) = [d]GP=(xP,yP)=[d]G;
- The key pair is: ( d , P ) (d,P)(d,P ) where d is the private key and P is the public key
A very typical example:
a = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
b = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
p = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
x_g = 0x32c4ae2c1f1981195f9904466a39c9948fe30bbff2660be1715a4589334c74c7
y_g = 0xbc3736a2f4f6779c59bdcee36b692153d0a9877cc62a474002df32e52139f0a0
n = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
SM signature
M is the message to be signed, and the digital signature result is ( r , s ) (r, s)(r,s ) , user key pair(d, P) (d,P)(d,P)。
Implementation steps:
- e = h a s h ( M ) e = hash(M) e=ha s h ( M ) => Get the message hash value
- Generate a random number k => so that even if it is the same message, the result of each signature will be different.
- Using random numbers, calculate the elliptic curve point (x 1, y 1) = [k] G (x_1, y_1) = [k]G(x1,y1)=[k]G
- r = ( e + x 1 ) m o d n r = (e + x1) mod n r=(e+x 1 ) m o d n => Judgment:r = 0 r = 0r=0 orr + k = nr + k = nr+k=n , continue to step 2.
- s = ( ( 1 + d ) − 1 ∗ ( k − r ∗ d ) ) m o d n s = ((1 + d)^{-1} ∗ (k − r ∗ d )) mod n s=((1+d)−1∗(k−r∗d )) m o d n , if s = 0, continue to step 2
- r,s are signature information.
SM signature verification
M is plain text, ( r , s ) (r, s)(r,s ) is the signature result, user public key P
Implementation steps:
- e = h a s h ( M ) e=hash(M) e=hash(M)
- t = ( r + s ) m o d n t = (r+s)\ mod\ n t=(r+s ) m o d n
- ( x , y ) = [ s ] G + [ t ] P (x,y)=[s]G + [t]P (x,y)=[s]G+[t]P
- R = ( e + x ) m o d n R=(e+x)\ mod\ n R=(e+x ) m o d n
- Calculate whether R is equal to r
[ s ] G + [ t ] P [s]G + [t]P [s]G+The result of [ t ] P can be deduced to be equal to[ k ] G [k]G[k]G
Verification principle
[s]G + [t]P = sG + (r + s)P
= sG + (r + s)dG
= sG + sdG + rdG
= (1 + d)sG + rdG
= (1 + d)(1 + d)^{-1} * (k − rd)G + rdG
= (k − rd)G + rdG
= kG − rdG + rdG
= kG = (x1, y1)
SM encryption
M is a plain text string
- Get random number k
- (x1,y1) = [k]G
- S = [h]P => h is the cofactor
- C 1 = ( x 2 , y 2 ) = [ k ] P C1=(x2,y2)= [k]P C 1=( x 2 ,y2 ) _=[k]P
- t = KDF ( x 2 ∣ ∣ y 2 , klen ) t = KDF( x2 || y2 , klen)t=KDF(x2∣∣y2,k l e n ) => klen is the length of M. KDF is the key derivation function of sm2
- C 2 = M + t C2 = M + t C2=M+t
- C 3 = H a s h ( x 2 ∥ M ∥ y 2 ) C3 = Hash( x2 ∥ M ∥ y 2 ) C 3=Hash(x2∥M∥y2)
- C = C 1 ∥ C 2 ∥ C 3 C = C 1 ∥ C 2 ∥ C 3 C=C1∥C2∥C3
SM decryption
C is the ciphertext string, klen is the length of C2 in the ciphertext
- C 1 = C C1 = C C 1=Get it in C and verify whether C1 satisfies the elliptic curve. ⇒ The length of C2 is determined and the content of C1 can be obtained.
- S = [ h ] C 1 S = [h]C1 S=[ h ] C 1 , S is an infinite point, exit.
- ( x 2 , y 2 ) = [ d ] C 1 (x2, y2) = [d]C1 ( x 2 ,y2 ) _=[d]C1
- t = KDF ( m 2 ∣ ∣ y 2 , klen ) t = KDF(m2 || y2, klen)t=KDF(m2∣∣y2,k l e n )
- M = C 2 + t M^~ = C2 + t M =C2+t
- u = H a s h ( x 2 ∣ ∣ M ∣ ∣ y 2 ) , u ? = = C 3 u = Hash(x2 || M^~ || y2), u? == C3 u=Hash(x2∣∣M ∣∣y2),u?==C 3
- M M^~ M for clear text
C1, C2, C3 in encryption and decryption
The result of SM2 asymmetric encryption consists of three parts: C1, C2, and C3.
Where C1 is the calculated elliptic curve point that generates the random number, C2 is the ciphertext data, and C3 is the digest value of SM3.
The results of the original national secret standard are in the order of C1C2C3, and the results of the new standard are stored in the order of C1C3C2.