Translated English of Chinese Standard GM/T 0044: Identity-based cryptographic algorithms SM9 - Part 1: General. Preview transcription of selected pages of the translation; the original page numbers are kept as "(Page N of 61)" markers, and the text between markers is non-contiguous.


CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA (GM). ICS L 80. File No.:
Identity-based cryptographic algorithms SM9 - Part 1: General (SM9 标识密码算法 第 1 部分: 总则)
Issued on: March 28, 2016. Implemented on: March 28, 2016. Issued by: State Cryptography Administration.
Translated English of Chinese Standard (Buy True-PDF, auto-delivery). (Page 1 of 61)

Table of Contents
Foreword
Introduction
1 Scope
2 Terms and definitions
3 Symbols and abbreviations
4 Finite fields and elliptic curves
  Finite fields
  Elliptic curves on finite fields
  Elliptic curve groups
  Multi-point operation of elliptic curves
  Verification of points on elliptic curve subgroups
  Discrete logarithm problems
5 Bilinear pairings and safety curves
  Bilinear pairings
  Security
  Embedding degree and safety curves
6 Data types and their conversion
  Data types
  Data type conversion
7 System parameters and their verification
  System parameters
  Verification of system parameters
Annex A (informative) Background knowledge about elliptic curves
Annex B (informative) Calculation of bilinear pairings on elliptic curves
Annex C (informative) Number theory algorithms
Bibliography
(Page 2 of 61)

Identity-based cryptographic algorithms SM9 - Part 1: General

1 Scope
This Part of GM/T 0044 describes the basic mathematical knowledge and related cryptographic techniques needed to implement the cryptographic mechanisms specified in the other parts of GM/T 0044. This Part is applicable to the implementation, application and testing of identity-based cryptography in commercial cryptographic algorithms. This Part specifies and uses elliptic curves over Fp (p a prime above the size bound stated in the standard).

2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1 identity: Information that uniquely identifies an entity. The identity shall be composed of information that the entity cannot deny, such as the entity's recognizable name, address, ID number, telephone number, street address, etc.
2.2 signature master key: A key at the top of the key hierarchy of identity-based cryptography, consisting of a master private key and a master public key. The master public key is public; the master private key is kept secret by the KGC (key generation center). The KGC uses the master private key and a user's identity to generate that user's private key. In identity-based cryptography the master private key is generally generated by the KGC with a random number generator, and the master public key is derived from the master private key together with the system parameters. In this Part the signature system's master key is distinct from the encryption system's master key: the digital signature algorithm belongs to the signature system and its master key is the signature master key; the key exchange (Page 5 of 61)

(continued) where K is the finite field (including Fq and Fq^k).
<P>: the cyclic group generated by the element P.
[u]P: u times the element P in the additive groups G1, G2.
[x, y]: the set of integers not less than x and not more than y.
⌈x⌉: ceiling function, the smallest integer not less than x. For example, ⌈7⌉ = 7, ⌈8.3⌉ = 9.
⌊x⌋: floor function, the largest integer not greater than x. For example, ⌊7⌋ = 7, ⌊8.3⌋ = 8.
β: twist curve parameter.
ψ: homomorphism from G2 to G1 satisfying P1 = ψ(P2).
⊕: bitwise modulo-2 addition (XOR) of two bit strings of equal length.

4 Finite fields and elliptic curves
4.1 Finite fields
General
A field consists of a non-empty set F and two operations, addition (written +) and multiplication (written ·), satisfying the following arithmetic properties:
a) (F, +) is a commutative (abelian) group under addition; its identity element is written 0.
b) (F \ {0}, ·) is a commutative group under multiplication; its identity element is written 1.
c) The distributive law holds: for all a, b, c ∈ F, (a + b) · c = a · c + b · c.
If the set F is finite, the field is called a finite field. The number of elements of a finite field is called the order of the finite field.
Prime field Fp
A finite field whose order is prime is a prime field. Let p be a prime; then the set {0, 1, 2, ..., p - 1} of all residues of the (Page 8 of 61)

(continued) there is an element g in F_{q^m}* such that every element of F_{q^m}* is a power of g; g is called a generator. The order of an element a ∈ F_{q^m}* is the smallest positive integer t satisfying a^t = 1. The order of the group F_{q^m}* is q^m - 1, therefore t | q^m - 1. Let g be a generator of the multiplicative cyclic group F_{q^m}* and y ∈ F_{q^m}*. The discrete logarithm problem on finite fields is to determine the integer x ∈ [0, q^m - 2] such that y = g^x holds in F_{q^m}*.
Elliptic curve discrete logarithm problem (ECDLP)
Given an elliptic curve E(F_{q^m}) (m ≥ 1), a point P ∈ E(F_{q^m}) of order n and a point Q ∈ <P>, the elliptic curve discrete logarithm problem is to determine the integer l ∈ [0, n - 1] such that Q = [l]P.

5 Bilinear pairings and safety curves
5.1 Bilinear pairings
Let (G1, +), (G2, +) and (GT, ·) be three cyclic groups of prime order N, let P1 be a generator of G1 and P2 a generator of G2, and let ψ be a homomorphism from G2 to G1 with ψ(P2) = P1. A bilinear pairing e is a map e: G1 × G2 → GT satisfying the following conditions:
a) Bilinearity: for any P ∈ G1, Q ∈ G2 and a, b ∈ Z_N, e([a]P, [b]Q) = e(P, Q)^{ab};
b) Non-degeneracy: e(P1, P2) ≠ 1;
c) Computability: for any P ∈ G1, Q ∈ G2 there is an efficient algorithm for computing e(P, Q).
The bilinear pairings used in this Part are defined on elliptic curve groups; they mainly include the Weil, Tate, Ate and R-ate pairings.
5.2 Security
The security of bilinear pairings rests mainly on the intractability of the following problems:
Problem 1 (bilinear inverse Diffie-Hellman, BIDH): for a, b ∈ [1, N - 1], given ([a]P1, [b]P2), it is hard to compute e(P1, P2)^{b/a}.
Problem 2 (decisional bilinear inverse Diffie-Hellman, DBIDH): for a, b, r ∈ [1, N - 1], it is (Page 13 of 61)

(continued)
c) N - 1 contains a prime factor greater than the bound stated in the standard;
d) N + 1 contains a prime factor greater than the bound stated in the standard.

6 Data types and their conversion
6.1 Data types
In this Part the data types are bit strings, byte strings, field elements, points on elliptic curves and integers.
Bit strings: ordered sequences of 0s and 1s.
Byte strings: ordered sequences of bytes, where 8 bits form one byte and the leftmost bit is the most significant bit.
Field elements: elements of the finite field F_{q^m} (m ≥ 1).
Points on elliptic curves: a point P on the elliptic curve E(F_{q^m}) (m ≥ 1) is either the point at infinity O or a pair of field elements (xP, yP) satisfying the curve equation. The byte string of a point has several representation forms, identified by a single byte PC. The byte string of the point at infinity O is the single zero byte, PC = 00. A point P = (xP, yP) other than O has the following three byte-string representations:
a) compressed form, PC = 02 or 03;
b) uncompressed form, PC = 04;
c) mixed form, PC = 06 or 07.
NOTE: The mixed form contains both the compressed and the uncompressed representation; an implementation may convert it to either the compressed or the uncompressed form. The compressed and mixed forms are optional in this Part. For the compression of elliptic curve points, see Annex A.
6.2 Data type conversion
Data type conversion relationships
Figure 1 shows the conversion relationships between the data types; the label on each line is the subclause in which the corresponding conversion method is specified. (Figure 1 is not reproduced in this transcription.)
(Page 15 of 61)

6.2.7 Conversion from byte strings to field elements
Case 1: converting to an element of the base field.
Input: field Fq, q = p; byte string S of length l, l = ⌈(log2 q)/8⌉.
Output: element a of Fq.
If q = p, convert S to the integer a according to 6.2.3; if a ∉ [0, q - 1], report an error.
Case 2: converting to an element of the extension field.
Input: field F_{q^m} (m ≥ 2), q = p; byte string S of length l = ⌈(log2 q)/8⌉ · m.
Output: element a of F_{q^m}.
a) Divide the byte string S into m segments of length l/m each, S = (S_{m-1}, S_{m-2}, ..., S_1, S_0);
b) For i from m - 1 down to 0: convert S_i to the integer a_i according to 6.2.3; if a_i ∉ [0, q - 1], report an error;
c) If q = p, output a = (a_{m-1}, a_{m-2}, ..., a_1, a_0).
Conversion from points to byte strings
The conversion from points to byte strings covers two situations. In the first, during a computation, an elliptic curve point can be used as the input of some function (such as a hash function) only after conversion to a byte string; here the point is converted directly. In the second, when elliptic curve points are transmitted or stored, the compressed or mixed form may be used to reduce bandwidth or storage; here the one-byte identifier PC is prepended to indicate the representation form. The two cases are:
Case 1: direct conversion.
Input: point P = (xP, yP) on the elliptic curve E(F_{q^m}) (m ≥ 1), P ≠ O.
Output: byte string X1 || Y1 of length 2l (when m = 1, l = ⌈(log2 q)/8⌉; when m > 1, l = ⌈(log2 q)/8⌉ · m).
a) Convert the field element xP to the byte string X1 of length l according (Page 18 of 61)
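The following Python is an editorial example added to this transcription; it is not code from GM/T 0044 or from any SM9 implementation. It carries out the conversions of 6.2.7 and the point-to-byte-string forms above (direct, uncompressed, compressed and mixed, with the PC byte) and decodes them back with the on-curve check a receiver needs. Assumed, because the relevant pages are not in the preview: the element length l = ⌈(log2 q)/8⌉, big-endian integer encoding, and the Annex A convention that the compression bit is the parity of y (PC = 02 for even y, 03 for odd y). The curve y^2 = x^3 + x + 1 over F_23 and the point (1, 7) are toy values chosen here.

```python
# Added example (not from GM/T 0044): data-type conversions of clause 6.2 for
# base-field points, plus the decoder a receiver would run. Assumptions: big-endian
# integers, l = ceil(log2(q)/8), and PC = 02/03 selected by the parity of y.
from typing import Optional, Tuple

Point = Tuple[int, int]


def field_byte_len(q: int) -> int:
    """l = ceil(log2(q) / 8): the byte length of one base-field element."""
    return (q.bit_length() + 7) // 8


def int_to_bytes(x: int, l: int) -> bytes:
    """6.2.2-style conversion: big-endian, fixed length l, error if x does not fit."""
    if x < 0 or x >= 256 ** l:
        raise ValueError("integer does not fit in %d bytes" % l)
    return x.to_bytes(l, "big")


def bytes_to_int(s: bytes) -> int:
    """6.2.3-style conversion: big-endian byte string to integer."""
    return int.from_bytes(s, "big")


def bytes_to_field_element(s: bytes, q: int, m: int = 1):
    """6.2.7: Case 1 (m = 1) returns an int in [0, q-1]; Case 2 (m >= 2) returns the
    tuple (a_{m-1}, ..., a_0). A segment outside [0, q-1] is an error, as required."""
    l = field_byte_len(q)
    if len(s) != l * m:
        raise ValueError("byte string must have length %d" % (l * m))
    coords = []
    for i in range(m):                          # segments S_{m-1} ... S_0, left to right
        a = bytes_to_int(s[i * l:(i + 1) * l])
        if not 0 <= a <= q - 1:
            raise ValueError("segment %d is not a field element" % (m - 1 - i))
        coords.append(a)
    return coords[0] if m == 1 else tuple(coords)


def point_to_bytes(P: Point, q: int, form: str = "direct") -> bytes:
    """Point to byte string for base-field points: 'direct' gives X1 || Y1 (the hash
    input case); the other forms prepend PC: 04 uncompressed, 02/03 compressed, 06/07 mixed."""
    x, y = P
    l = field_byte_len(q)
    X1, Y1 = int_to_bytes(x, l), int_to_bytes(y, l)
    ytilde = y & 1                              # assumed compression bit: parity of y
    if form == "direct":
        return X1 + Y1
    if form == "uncompressed":
        return b"\x04" + X1 + Y1
    if form == "compressed":
        return bytes([0x02 | ytilde]) + X1
    if form == "mixed":
        return bytes([0x06 | ytilde]) + X1 + Y1
    raise ValueError("unknown form")


def bytes_to_point(s: bytes, q: int, a: int, b: int) -> Optional[Point]:
    """Inverse of point_to_bytes for PC-prefixed strings on y^2 = x^3 + ax + b over Fq.
    Every decoded point is checked against the curve equation. Decompression uses the
    q = 3 (mod 4) square root y = g^((q+1)/4) of Annex C.1.4 (the only case handled)."""
    if s == b"\x00":
        return None                             # the point at infinity O
    pc, body = s[0], s[1:]
    l = field_byte_len(q)
    if pc in (0x02, 0x03):
        if len(body) != l:
            raise ValueError("bad length for the compressed form")
        if q % 4 != 3:
            raise ValueError("decompression implemented only for q = 3 mod 4")
        x = bytes_to_field_element(body, q)
        rhs = (x ** 3 + a * x + b) % q
        y = pow(rhs, (q + 1) // 4, q)
        if y * y % q != rhs:
            raise ValueError("x is not the abscissa of a curve point")
        if (y & 1) != (pc & 1):
            y = (q - y) % q
    elif pc in (0x04, 0x06, 0x07):
        if len(body) != 2 * l:
            raise ValueError("bad length for the uncompressed/mixed form")
        x = bytes_to_field_element(body[:l], q)
        y = bytes_to_field_element(body[l:], q)
        if pc != 0x04 and (y & 1) != (pc & 1):
            raise ValueError("mixed form: PC byte disagrees with y")
    else:
        raise ValueError("unknown PC byte")
    if (y * y - x ** 3 - a * x - b) % q != 0:
        raise ValueError("decoded point is not on the curve")
    return (x, y)


if __name__ == "__main__":
    q, a, b, P = 23, 1, 1, (1, 7)               # toy curve y^2 = x^3 + x + 1 over F_23
    for form in ("direct", "uncompressed", "compressed", "mixed"):
        print(form, point_to_bytes(P, q, form).hex())
    print(bytes_to_point(point_to_bytes(P, q, "compressed"), q, a, b))
```

The decoder rejects a mixed-form string whose PC byte contradicts the y coordinate and any (x, y) pair that is not on the curve; both checks are cheap and prevent invalid-curve inputs from reaching the scalar multiplications that follow.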

(continued)
g) The generator P2 = (xP2, yP2) of the cyclic group (G2, +) of order N, P2 ≠ O;
h) The bilinear pairing e: G1 × G2 → GT, represented by the one-byte identifier eid: 0x01 for the Tate pairing, 0x02 for the Weil pairing, 0x03 for the Ate pairing, 0x04 for the R-ate pairing;
i) (Optional) parameters d1, d2, where d1 and d2 divide k;
j) (Optional) the homomorphism ψ from G2 to G1 such that P1 = ψ(P2);
k) (Optional) for a BN curve, the base field characteristic q, the curve order r and the trace tr of the Frobenius map are all determined by the parameter t, and t shall be at least 63 bits.
7.2 Verification of system parameters
The following conditions shall be verified by the generator of the system parameters; they may also be verified by the user of the system parameters.
Input: the system parameter set.
Output: "valid" if all parameters are valid, otherwise "invalid".
a) Verify that q is a prime greater than 3 (see Annex C.1.5);
b) Verify that a and b are integers in the interval [0, q - 1];
c) Verify that 4a^3 + 27b^2 ≠ 0 in Fq; if the lower 4 bits of cid equal 2, verify that β is a non-square element (see Annex C);
d) Verify that N is a prime greater than the bound stated in the standard and that N does not divide cf. If N < 2^360, verify that N - 1 contains a prime factor greater than 2^190 and that N + 1 contains a prime factor greater than the bound stated in the standard;
e) Verify that |q + 1 - cf · N| ≤ 2q^{1/2} (the Hasse bound on #E(Fq) = cf · N);
f) Verify that q^k exceeds the bound stated in the standard and that k is the smallest positive integer m such that N | (q^m - 1);
g) Verify that (xP1, yP1) is an element of the group G1;
h) Verify that (xP2, yP2) is an element of the group G2;
i) Verify that e(P1, P2)^N = 1 (a further condition in this item is lost in this transcription);
j) (Optional) verify that d1 and d2 divide k;
(Page 22 of 61)
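The following Python is an editorial example added to this transcription, not code from GM/T 0044 or from an SM9 library. It implements the base-field part of the 7.2 checklist (items a to g, the Hasse bound of e and the minimal embedding degree of f) as a single function returning "valid" or "invalid" in the order of the standard, and shows the checks firing on tampered parameter sets. Assumptions made here: the numeric lower bounds on N and q^k that the standard imposes are omitted, so a toy curve can pass; the group G2 check of item h is not implemented because it needs extension-field arithmetic; and the toy parameter set is derived by enumerating E(F_11) for y^2 = x^3 + 5 (a choice made here, not the SM9 curve), taking N as the largest prime factor of #E and P1 = [cf]Q as in C.3.2 of Annex C.

```python
# Added example (not from GM/T 0044): base-field part of the system-parameter
# verification of 7.2, exercised on a toy curve derived by brute force.
# Assumptions: size bounds on N and q^k are skipped; the G2 membership test is
# omitted; y^2 = x^3 + 5 over F_11 is a choice made here.
from typing import Dict, Optional, Tuple

Point = Optional[Tuple[int, int]]     # None is the point at infinity O


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here (the standard's C.1.5 is probabilistic)."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def ec_add(P: Point, Q: Point, a: int, q: int) -> Point:
    """Affine addition on y^2 = x^3 + ax + b over F_q (b is not needed here)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % q == 0:
        return None                                   # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)


def ec_mul(k: int, P: Point, a: int, q: int) -> Point:
    """[k]P by double-and-add (not constant time; acceptable for public parameters)."""
    R: Point = None
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, q)
        P = ec_add(P, P, a, q)
        k >>= 1
    return R


def embedding_degree(q: int, N: int) -> Optional[int]:
    """Smallest k >= 1 with N | q^k - 1; None when q is 0 mod N (no such k exists)."""
    for k in range(1, N + 1):
        if pow(q, k, N) == 1:
            return k
    return None


def verify_system_parameters(q, a, b, cf, N, k, P1) -> str:
    """Returns 'valid' or 'invalid', following 7.2 a) to g) in order."""
    if not (q > 3 and is_prime(q)):                  # a) q prime and > 3
        return "invalid"
    if not (0 <= a <= q - 1 and 0 <= b <= q - 1):    # b) a, b in [0, q-1]
        return "invalid"
    if (4 * a ** 3 + 27 * b ** 2) % q == 0:          # c) non-singular curve
        return "invalid"
    if not is_prime(N) or cf % N == 0:               # d) N prime, N does not divide cf
        return "invalid"
    if (q + 1 - cf * N) ** 2 > 4 * q:                # e) Hasse: |q + 1 - cf*N| <= 2 sqrt(q)
        return "invalid"
    if k is None or embedding_degree(q, N) != k:     # f) k minimal with N | q^k - 1
        return "invalid"
    if P1 is None:                                   # g) P1 in G1: on the curve, order N
        return "invalid"
    x, y = P1
    if (y * y - x ** 3 - a * x - b) % q != 0 or ec_mul(N, P1, a, q) is not None:
        return "invalid"
    return "valid"


def toy_parameters(q: int, a: int, b: int) -> Dict:
    """Derive (cf, N, k, P1) for a small curve by enumerating E(F_q): N is the largest
    prime factor of #E(F_q), and P1 = [cf]Q for the first Q with [cf]Q != O (C.3.2)."""
    affine = [(x, y) for x in range(q) for y in range(q)
              if (y * y - x ** 3 - a * x - b) % q == 0]
    n = len(affine) + 1                               # plus the point at infinity
    N, rest = 1, n
    for d in range(2, n + 1):
        while rest % d == 0:
            N, rest = d, rest // d
    cf = n // N
    P1 = next(R for R in (ec_mul(cf, Q, a, q) for Q in affine) if R is not None)
    return {"q": q, "a": a, "b": b, "cf": cf, "N": N,
            "k": embedding_degree(q, N), "P1": P1}


if __name__ == "__main__":
    params = toy_parameters(11, 0, 5)
    print(params, verify_system_parameters(**params))
```

For E: y^2 = x^3 + 5 over F_11 the enumeration gives #E = 12, so cf = 4, N = 3 and k = 2 (3 divides 11^2 - 1 but not 11 - 1). Changing b, k or N in the derived set makes the function return "invalid" at the corresponding step.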

(continued) ... elements a_0, a_1, ..., a_{m-1} of F_{q^m} such that every a ∈ F_{q^m} can be uniquely expressed as a linear combination of them with coefficients in Fq; the set {a_{m-1}, ..., a_1, a_0} is called a basis of F_{q^m} over Fq. Given such a basis, the field element a can be represented by the coefficient vector (a_{m-1}, a_{m-2}, ..., a_1, a_0). There are many choices of basis of F_{q^m} over Fq, among them polynomial bases and normal bases. Let f(x) = x^m + f_{m-1} x^{m-1} + ... + f_1 x + f_0 (f_i ∈ Fq, i = 0, 1, ..., m - 1) be a monic irreducible polynomial of degree m over Fq; the elements of F_{q^m} are then all polynomials of degree less than m in the polynomial ring Fq[x], i.e. F_{q^m} = Fq[x]/(f(x)). The set of polynomials {x^{m-1}, ..., x, 1} is a basis of F_{q^m} as a vector space over Fq, called a polynomial basis. When m has a factor d (1 < d < m), F_{q^m} can be generated by a tower of extensions: choose a suitable irreducible polynomial of degree m/d over F_{q^d} as the reduction polynomial of F_{q^m} over F_{q^d}, F_{q^d} itself being obtained in the same way. The basis of such a tower extension is still expressed as a vector of elements of Fq. For example, when m = 6, Fq may first be extended cubically to F_{q^3} and then quadratically to F_{q^6}, or first quadratically to F_{q^2} and then cubically to F_{q^6}. A basis of the form {β, β^q, β^{q^2}, ..., β^{q^{m-1}}} with β ∈ F_{q^m} is called a normal basis; with respect to it, a can be uniquely expressed as a = Σ_{i=0}^{m-1} a_i β^{q^i}, where a_i ∈ Fq, i = 0, 1, ..., m - 1. For any finite field Fq and extension F_{q^m} such bases always exist. Unless otherwise specified, elements of F_{q^m} are represented in a polynomial basis. A field element may therefore be represented by its coordinate vector relative to the polynomial basis, so that (Page 25 of 61)

A.3 Discrete logarithm problem
A.3.1 Methods for solving discrete logarithm problems on finite fields
All non-zero elements of the finite field Fq form a multiplicative cyclic group, denoted Fq*. In Fq* there is an element g, called a generator, such that every element of Fq* is a power of g. The order of a ∈ Fq* is the smallest positive integer t satisfying a^t = 1. The order of the cyclic group Fq* is q - 1, so t | q - 1. Let g be a generator of Fq* and y ∈ Fq*. The discrete logarithm problem on the finite field is to determine the integer x ∈ [0, q - 2] such that y = g^x mod q.
The existing attack methods for discrete logarithm problems on finite fields are (n below is the order of the group in which the logarithm is sought):
a) Pohlig-Hellman method: let l be the largest prime factor of q - 1; the time complexity is O(l^{1/2});
b) BSGS (baby-step giant-step) method: both the time and the space complexity are (πn/2)^{1/2};
c) Pollard method: the time complexity is (πn/2)^{1/2};
d) Parallel Pollard method: with s parallel processors, the time complexity is (πn/2)^{1/2}/s;
e) Linear sieve method (prime fields Fq): sub-exponential time complexity (the exact expression is lost in this transcription);
f) Gaussian integer method (prime fields Fq): sub-exponential time complexity;
g) Residue list sieve method (prime fields Fq): sub-exponential time complexity;
h) Number field sieve method (prime fields Fq): sub-exponential time complexity;
i) Function field sieve method (small-characteristic fields): sub-exponential, and quasi-polynomial, time complexity.
From the above methods and their time complexities it follows that for discrete logarithm problems on general large-characteristic fields there are attacks of sub-exponential complexity, and for discrete logarithm problems on small-characteristic fields there are quasi-polynomial-time attacks.
A.3.2 Methods for solving elliptic curve discrete logarithm problems
(Page 33 of 61)

Annex B (informative) Calculation of bilinear pairings on elliptic curves
B.1 General
Let E(Fq) be an elliptic curve over the finite field Fq with #E(Fq) = cf · r, where r is prime, gcd(r, q) = 1 and cf is the cofactor. The smallest positive integer k with r | q^k - 1 is called the embedding degree of the elliptic curve relative to r. If G is the subgroup of order r of E(Fq), the embedding degree of G is also k. Let F̄q be the algebraic closure of Fq, and let E[r] denote the set of all points of order dividing r on E(F̄q).
B.2 Miller algorithm
Let the elliptic curve E(F̄q) over F̄q have the equation y^2 = x^3 + ax + b, and for U, V ∈ E(F̄q) define g_{U,V}: E(F̄q) → F̄q as the line through U and V: if the equation of that line is λx + δy + τ = 0, then g_{U,V}(Q) = λ x_Q + δ y_Q + τ for Q = (x_Q, y_Q). When U = V, g_{U,V} is the tangent at U; if one of U and V is the point at infinity O, g_{U,V} is the vertical line (perpendicular to the x-axis) through the other point. g_U is shorthand for g_{U,-U}. The properties of these functions that the algorithm relies on are lost in this transcription.
The Miller algorithm is an efficient algorithm for computing bilinear pairings.
Miller algorithm
(Page 36 of 61)

(continued)
e) Calculate (expression lost in this transcription).
f) Calculate (expression lost in this transcription).
g) Calculate (expression lost in this transcription).
h) Output f.
For further calculation methods for the Weil, Tate, Ate and R-ate pairings, see (Barreto P, Lynn B, Scott M. 2003), (Barreto P, Galbraith S, et al. 2001), (Eisenträger K, Lauter K, Montgomery P. 2003), (Galbraith S, Harrison K, Soldera D. 2002), (Kobayashi T, Aoki K, Imai H. 2006), (Lauter K, Montgomery P, Naehrig M. 2010), (Miller V. 2001), (Scott M. 2005), (Scott M. 2006), (Scott M, Barreto P. 2004).
B.7 Elliptic curves suitable for pairings
For supersingular curves the construction of bilinear pairings is relatively easy, but for randomly generated curves it is relatively difficult to construct bilinear pairings that can be computed efficiently. Therefore, when ordinary curves are used, a curve suitable for pairings must be constructed deliberately. Let E be an elliptic curve defined over Fq. E is said to be suitable for pairings (pairing-friendly) if the following three conditions hold:
a) #E(Fq) has a prime factor r not less than the bound stated in the standard;
b) the embedding degree of E relative to r is less than log2(r)/8;
c) the largest prime factor of r ± 1 is of a size comparable to r.
The steps for constructing an elliptic curve suitable for pairings are:
Step 1: Choose k and compute integers t, r, q such that there is an elliptic curve E(Fq) with trace t, a subgroup of prime order r and embedding degree k;
Step 2: Use the complex multiplication method to compute the equation parameters of the curve over Fq.
For methods of constructing pairing-friendly elliptic curves, see (Atkin A, Morain F. 1993), (Barreto P, Lynn B, Scott M. 2002), (Barreto P, Lynn B, Scott M. 2003), (Barreto P, Naehrig M.), (Brezing F, Weng A. 2005), (Duan P, Cui S, Wah Chan C. 2005), (Dupont R, Enge A, Morain F. 2005), (Freeman (Page 47 of 61)
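The following Python is an editorial example added to this transcription; it is not code from GM/T 0044 and not an SM9 pairing implementation. It computes the reduced Tate pairing with the Miller loop of B.2, using the line functions g_{U,V} and g_U exactly as defined there, and then checks the bilinearity and non-degeneracy conditions of 5.1 on the result. Everything concrete is a choice made here for a runnable toy: the supersingular curve E: y^2 = x^3 + x over F_11 (#E = 12, N = 3, embedding degree k = 2), the extension F_{11^2} = F_11[i]/(i^2 + 1), the distortion map (x, y) → (-x, i·y) that turns an order-3 point of E(F_11) into a G2 point, and the final exponentiation (q^2 - 1)/N. The SM9 curve is a BN curve with k = 12 and an R-ate pairing; only the Miller-loop structure carries over.

```python
# Added example (not from GM/T 0044): reduced Tate pairing via the Miller loop of
# Annex B.2 on a toy supersingular curve. Assumptions (choices made here): q = 11,
# E: y^2 = x^3 + x, N = 3, k = 2, F_{q^2} = F_q[i]/(i^2 + 1), distortion (x,y)->(-x, i*y).
from typing import Optional, Tuple

Q_ = 11                                   # base field characteristic (toy)
A_ = 1                                    # curve y^2 = x^3 + A_*x + B_
B_ = 0
N_ = 3                                    # prime group order
F2 = Tuple[int, int]                      # a0 + a1*i in F_{q^2}, i^2 = -1
Point = Optional[Tuple[int, int]]         # E(F_q) points, None = O
ONE: F2 = (1, 0)


def f2_sub(u: F2, v: F2) -> F2:
    return ((u[0] - v[0]) % Q_, (u[1] - v[1]) % Q_)


def f2_mul(u: F2, v: F2) -> F2:
    return ((u[0] * v[0] - u[1] * v[1]) % Q_, (u[0] * v[1] + u[1] * v[0]) % Q_)


def f2_scale(c: int, u: F2) -> F2:
    return (c * u[0] % Q_, c * u[1] % Q_)


def f2_inv(u: F2) -> F2:
    norm_inv = pow(u[0] * u[0] + u[1] * u[1], -1, Q_)   # u * conj(u) lies in F_q
    return (u[0] * norm_inv % Q_, -u[1] * norm_inv % Q_)


def f2_pow(u: F2, e: int) -> F2:
    r = ONE
    for bit in bin(e)[2:]:
        r = f2_mul(r, r)
        if bit == "1":
            r = f2_mul(r, u)
    return r


def ec_add(P: Point, R: Point) -> Point:
    """Affine group law on E(F_q)."""
    if P is None:
        return R
    if R is None:
        return P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % Q_ == 0:
        return None
    lam = ((3 * x1 * x1 + A_) * pow(2 * y1, -1, Q_) if P == R
           else (y2 - y1) * pow(x2 - x1, -1, Q_)) % Q_
    x3 = (lam * lam - x1 - x2) % Q_
    return (x3, (lam * (x1 - x3) - y1) % Q_)


def line(U: Point, V: Point, Q: Tuple[F2, F2]) -> F2:
    """g_{U,V}(Q) of B.2: the line through U and V evaluated at Q in E(F_{q^2}); the
    tangent when U = V, the vertical through the other point when one is O or V = -U."""
    xQ, yQ = Q
    if U is None and V is None:
        return ONE
    if U is None or V is None:
        return f2_sub(xQ, ((U or V)[0], 0))
    (x1, y1), (x2, y2) = U, V
    if x1 == x2 and (y1 + y2) % Q_ == 0:
        return f2_sub(xQ, (x1, 0))
    lam = ((3 * x1 * x1 + A_) * pow(2 * y1, -1, Q_) if U == V
           else (y2 - y1) * pow(x2 - x1, -1, Q_)) % Q_
    # lambda*(x_Q - x_U) - (y_Q - y_U): the line y - y_U = lambda*(x - x_U)
    return f2_sub(f2_scale(lam, f2_sub(xQ, (x1, 0))), f2_sub(yQ, (y1, 0)))


def vertical(U: Point, Q: Tuple[F2, F2]) -> F2:
    """g_U(Q) = g_{U,-U}(Q): the vertical line through U, or the constant 1 when U = O."""
    return ONE if U is None else f2_sub(Q[0], (U[0], 0))


def miller(P: Point, n: int, Q: Tuple[F2, F2]) -> F2:
    """f_{n,P}(Q): left-to-right Miller loop over the bits of n (f = 1, T = P at the start)."""
    f, T = ONE, P
    for bit in bin(n)[3:]:                       # skip the leading 1
        f = f2_mul(f2_mul(f, f), f2_mul(line(T, T, Q), f2_inv(vertical(ec_add(T, T), Q))))
        T = ec_add(T, T)
        if bit == "1":
            f = f2_mul(f, f2_mul(line(T, P, Q), f2_inv(vertical(ec_add(T, P), Q))))
            T = ec_add(T, P)
    return f


def distort(P: Tuple[int, int]) -> Tuple[F2, F2]:
    """Distortion map psi: (x, y) -> (-x, i*y), giving a point of E(F_{q^2}) outside G1."""
    return ((-P[0] % Q_, 0), (0, P[1]))


def tate(P: Point, Q: Tuple[F2, F2]) -> F2:
    """Reduced Tate pairing e(P, Q) = f_{N,P}(Q)^((q^2 - 1)/N), an N-th root of unity in F_{q^2}*."""
    return f2_pow(miller(P, N_, Q), (Q_ * Q_ - 1) // N_)


if __name__ == "__main__":
    P = (5, 3)                                  # a point of order 3 on E(F_11)
    e = tate(P, distort(P))
    print("e(P, psi(P)) =", e, "e^N =", f2_pow(e, N_))
    print("e([2]P, psi(P)) =", tate(ec_add(P, P), distort(P)), "e^2 =", f2_pow(e, 2))
```

With P = (5, 3) the Miller function is f_3 = g_{P,P} · g_P / g_{2P}, evaluated at ψ(P) = (6, 3i); the pairing value is 5 + 3i, a primitive cube root of unity in F_{121}, and e([2]P, ψ(P)) equals its square, as bilinearity requires. The vertical-line factors lie in F_q here and are killed by the final exponentiation, which is why implementations for even k drop them (denominator elimination); the code keeps them so that it follows B.2 literally.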

Annex C (informative) Number theory algorithms
C.1 Operations in finite fields
C.1.1 Exponentiation in finite fields
Let a be a positive integer and g an element of the field Fq; exponentiation is the computation of g^a. It can be performed efficiently by the following binary method.
Input: positive integer a; field Fq; field element g.
Output: g^a.
a) Set e = a mod (q - 1); if e = 0, output 1.
b) Let the binary representation of e be e_r e_{r-1} ... e_1 e_0, where the highest bit e_r is 1.
c) Set x = g.
d) For i from r - 1 down to 0: 1) set x = x^2; 2) if e_i = 1, set x = g · x.
e) Output x.
For other acceleration algorithms, see (Brickell E, Gordon D, McCurley K, et al. 1993), (Knuth D. 1981).
C.1.2 Inversion in finite fields
Let g be a non-zero element of the field Fq; the inverse element g^{-1} is the field element c such that g · c = 1. Since c = g^{q-2}, inversion can be achieved by exponentiation. If q is prime and g is an integer with 1 ≤ g ≤ q - 1, then g^{-1} is the integer c, 1 ≤ c ≤ q - 1, with g · c ≡ 1 (mod q).
Input: field Fq; non-zero element g of Fq.
Output: inverse element g^{-1} (Page 49 of 61)
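The following Python is an editorial example added to this transcription, not code from GM/T 0044. It implements C.1.1 and C.1.2 step by step for a prime q, with the two checks a practitioner adds: the reduction e = a mod (q - 1) relies on g^{q-1} = 1, which is false for g = 0, and 0 has no inverse. It also counts the data-dependent multiplications of the binary method, because that count is exactly what a timing side channel observes when the exponent is secret. The prime 1000003 and the test exponents are values chosen here.

```python
# Added example (not from GM/T 0044): binary exponentiation of C.1.1 and Fermat
# inversion of C.1.2 in F_q for prime q, with the g = 0 edge cases handled.
# Assumption: q is prime, so F_q is the integers modulo q; test values are chosen here.


def field_exp(g: int, a: int, q: int) -> int:
    """C.1.1: g^a in F_q by the left-to-right binary method.
    Step a) reduces the exponent modulo q - 1, which is only valid for g != 0
    (0^a = 0 for every a > 0), so that case is returned before the reduction."""
    if a <= 0:
        raise ValueError("a must be a positive integer")
    g %= q
    if g == 0:
        return 0
    e = a % (q - 1)                          # a)
    if e == 0:
        return 1
    x = g                                    # c) the leading bit e_r of e is 1
    for bit in bin(e)[3:]:                   # d) bits e_{r-1} ... e_0
        x = x * x % q                        #    1) square
        if bit == "1":                       #    2) multiply when e_i = 1
            x = g * x % q
    return x                                 # e)


def field_inv(g: int, q: int) -> int:
    """C.1.2: g^-1 = g^(q-2) in F_q for g != 0 (Fermat); 0 has no inverse."""
    g %= q
    if g == 0:
        raise ZeroDivisionError("0 has no inverse in F_q")
    c = field_exp(g, q - 2, q)
    assert g * c % q == 1                    # the defining property g * c = 1
    return c


def secret_dependent_multiplications(e: int) -> int:
    """How many times step d) 2) runs for exponent e: one per set bit below the leading
    bit. A timing or power trace of field_exp reveals this, and with it the bits of e,
    which is why secret exponents need a constant-time ladder rather than this method."""
    return bin(e)[3:].count("1")


if __name__ == "__main__":
    q = 1_000_003                            # a prime chosen for the demonstration
    print(field_exp(7, 123_456, q) == pow(7, 123_456, q))
    print(field_inv(7, q), secret_dependent_multiplications(123_456))
```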

(continued) The following algorithms determine whether g has a square root modulo q and, if so, compute one of its roots.
Input: odd prime q; integer g, 0 < g < q.
Output: a square root of g if one exists, otherwise "there is no square root".
Algorithm 1: for q ≡ 3 (mod 4), i.e. q = 4u + 3 for a positive integer u.
a) Compute y = g^{u+1} mod q (see C.1.1);
b) Compute z = y^2 mod q;
c) If z = g, output y; otherwise output "there is no square root".
Algorithm 2: for q ≡ 5 (mod 8), i.e. q = 8u + 5 for a positive integer u.
a) Compute z = g^{2u+1} mod q (see C.1.1);
b) If z ≡ 1 (mod q), compute y = g^{u+1} mod q, output y and terminate;
c) If z ≡ -1 (mod q), compute y = (2g · (4g)^u) mod q, output y and terminate;
d) Output "there is no square root".
Algorithm 3: for q ≡ 1 (mod 8), i.e. q = 8u + 1 for a positive integer u.
a) Set Y = g;
b) Generate a random number X, 0 < X < q;
c) Compute the Lucas sequence elements (see Annex C.1.3) U = U_{4u+1} mod q and V = V_{4u+1} mod q;
d) If V^2 ≡ 4Y (mod q), output y = (V · 2^{-1}) mod q and terminate;
e) If U mod q ≠ 1 and U mod q ≠ q - 1, output "there is no square root" and terminate;
f) Return to step b).
C.1.4.x Solving of square roots on (heading truncated at the page break)
(Page 51 of 61)

(continued) ... of f(x) and g(x). The polynomial d(x) is called the greatest common divisor of f(x) and g(x) and is denoted gcd(f(x), g(x)). The greatest common divisor of two polynomials can be computed by the following (Euclidean) algorithm.
Input: finite field Fq; two non-zero polynomials f(x) ≠ 0, g(x) ≠ 0 over Fq.
Output: d(x) = gcd(f(x), g(x)).
a) Set a(x) = f(x), b(x) = g(x).
b) While b(x) ≠ 0, repeat: 1) set c(x) = a(x) mod b(x); 2) set a(x) = b(x); 3) set b(x) = c(x).
c) Let α be the leading coefficient of a(x) and output α^{-1} a(x).
C.2.2 Detection of polynomial irreducibility over Fq
Let f(x) be a polynomial over Fq. The following algorithm efficiently tests whether f(x) is irreducible.
Input: monic polynomial f(x) over Fq; prime q.
Output: "correct" if f(x) is irreducible over Fq, otherwise "error".
a) Set u(x) = x, m = deg(f(x)).
b) For i from 1 to ⌊m/2⌋: 1) compute u(x) = u(x)^q mod f(x); 2) compute d(x) = gcd(f(x), u(x) - x); 3) if d(x) ≠ 1, output "error" and terminate.
c) Output "correct".
C.3 Elliptic curve algorithms
C.3.1 Finding points on elliptic curves
For an elliptic curve over a given finite field, the following algorithms efficiently find a non-infinity point on the curve.
(Page 55 of 61)
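The following Python is an editorial example added to this transcription, not code from GM/T 0044. It implements the polynomial Euclidean algorithm of C.2.1 (with the monic normalisation of step c) and the irreducibility test of C.2.2 over a prime field, the test that a tower-extension implementation runs once on its reduction polynomials before trusting the extension-field arithmetic. Assumptions made here: polynomials are lists of coefficients from the constant term upward, q is prime, and the inputs (x^2 + 1 and x^2 + 2 over F_3, x^3 + x + 1 and x^3 + x^2 + x + 1 over F_2) are chosen for the demonstration.

```python
# Added example (not from GM/T 0044): polynomial gcd (C.2.1) and irreducibility
# test (C.2.2) over F_q, q prime. Assumption: p[i] is the coefficient of x^i.
from typing import List

Poly = List[int]          # coefficients from x^0 upward; [] is the zero polynomial

X: Poly = [0, 1]


def trim(p: Poly, q: int) -> Poly:
    """Reduce coefficients mod q and drop leading zeros."""
    p = [c % q for c in p]
    while p and p[-1] == 0:
        p.pop()
    return p


def deg(p: Poly) -> int:
    return len(p) - 1                        # -1 for the zero polynomial


def poly_sub(a: Poly, b: Poly, q: int) -> Poly:
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([x - y for x, y in zip(a, b)], q)


def poly_mul(a: Poly, b: Poly, q: int) -> Poly:
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return trim(out, q)


def poly_mod(a: Poly, b: Poly, q: int) -> Poly:
    """a(x) mod b(x) by long division; b(x) must be non-zero."""
    a, b = trim(a, q), trim(b, q)
    if not b:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(b[-1], -1, q)
    while a and len(a) >= len(b):
        coef = a[-1] * inv_lead % q
        shift = len(a) - len(b)
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % q
        a = trim(a, q)
    return a


def poly_gcd(f: Poly, g: Poly, q: int) -> Poly:
    """C.2.1: Euclidean algorithm; the result is made monic as alpha^-1 * a(x)."""
    a, b = trim(f, q), trim(g, q)
    while b:                                 # b) loop while b(x) != 0
        a, b = b, poly_mod(a, b, q)          #    c = a mod b; a = b; b = c
    if not a:
        return []
    inv = pow(a[-1], -1, q)                  # c) alpha is the leading coefficient
    return trim([c * inv for c in a], q)


def poly_powmod(base: Poly, e: int, f: Poly, q: int) -> Poly:
    """base(x)^e mod f(x) by square-and-multiply."""
    r: Poly = [1]
    for bit in bin(e)[2:]:
        r = poly_mod(poly_mul(r, r, q), f, q)
        if bit == "1":
            r = poly_mod(poly_mul(r, base, q), f, q)
    return r


def is_irreducible(f: Poly, q: int) -> bool:
    """C.2.2: f is irreducible iff gcd(f, x^(q^i) - x) = 1 for 1 <= i <= m/2, since
    x^(q^i) - x is the product of all monic irreducibles whose degree divides i."""
    f = trim(f, q)
    m = deg(f)
    if m < 1 or f[-1] != 1:
        raise ValueError("f must be monic of degree at least 1")
    u = X                                    # a) u(x) = x
    for _ in range(1, m // 2 + 1):           # b) i from 1 to floor(m/2)
        u = poly_powmod(u, q, f, q)          #    1) u = u^q mod f
        d = poly_gcd(f, poly_sub(u, X, q), q)   # 2) d = gcd(f, u - x)
        if d != [1]:                         #    3) a non-trivial factor exists
            return False
    return True                              # c)


if __name__ == "__main__":
    print(is_irreducible([1, 0, 1], 3), is_irreducible([2, 0, 1], 3))
    print(is_irreducible([1, 1, 0, 1], 2), is_irreducible([1, 1, 1, 1], 2))
```

Over F_3, x^2 + 2 = x^2 - 1 = (x - 1)(x + 1) is caught at i = 1 because x^3 ≡ x (mod x^2 + 2) makes u(x) - x the zero polynomial, so the gcd is f itself; x^2 + 1 passes because -1 is not a square modulo 3.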

Finding points on E(Fp)
Input: prime p; parameters a, b of the elliptic curve E over Fp.
Output: a non-infinity point on E(Fp).
a) Select a random integer x, 0 ≤ x < p;
b) Set α = (x^3 + ax + b) mod p;
c) If α = 0, output (x, 0) and terminate;
d) Compute the square root y of α mod p (see C.1.4.1);
e) If step d) outputs "there is no square root", return to step a);
f) Output (x, y).
Finding points on E(F_{q^m}) (m ≥ 2)
Input: finite field F_{q^m} (q an odd prime); parameters a, b of the elliptic curve E over F_{q^m}.
Output: a non-infinity point on E.
a) Randomly select an element x of F_{q^m};
b) Compute α = x^3 + ax + b in F_{q^m};
c) If α = 0, output (x, 0) and terminate;
d) Compute the square root y of α in F_{q^m} (see C.1.4.3);
e) If step d) outputs "there is no square root", return to step a);
f) Output (x, y).
C.3.2 Finding points of order l on elliptic curves
This algorithm obtains a generator of the subgroup of order l of an elliptic curve.
Input: parameters a, b of the elliptic curve E(Fq); the curve order #E(Fq) = n' = l · r, where l is prime.
Output: a point of order l on E(Fq).
a) Randomly select a point Q using the method of C.3.1;
(Page 56 of 61)
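The following Python is an editorial example added to this transcription, not code from GM/T 0044. It serves two passages: the modular square-root algorithms of C.1.4 (Algorithm 1 for q ≡ 3 mod 4 and Algorithm 2 for q ≡ 5 mod 8, step for step) and the prime-field point-finding procedure of C.3.1 that calls them. Assumptions made here: for q ≡ 1 (mod 8) the Lucas-sequence Algorithm 3 is replaced by Tonelli-Shanks, which returns the same roots but is not what the standard specifies (the Lucas sequence of C.1.3 is not in this preview); randomness comes from a seeded generator so runs are reproducible; the primes 23, 13, 17 and the curve y^2 = x^3 + x + 1 are toy values.

```python
# Added example (not from GM/T 0044): square roots modulo an odd prime (C.1.4,
# Algorithms 1 and 2 as specified; Tonelli-Shanks standing in for Algorithm 3) and
# the random-x point search of C.3.1. Assumptions: toy primes and curve chosen here.
import random
from typing import Optional, Tuple


def sqrt_mod_prime(g: int, q: int) -> Optional[int]:
    """A square root of g modulo the odd prime q, or None when g is a non-residue."""
    g %= q
    if g == 0:
        return 0
    if q % 4 == 3:                                # Algorithm 1: q = 4u + 3
        y = pow(g, (q + 1) // 4, q)               # a) y = g^(u+1)
        return y if y * y % q == g else None      # b), c) accept only if y^2 = g
    if q % 8 == 5:                                # Algorithm 2: q = 8u + 5
        u = (q - 5) // 8
        z = pow(g, 2 * u + 1, q)                  # a)
        if z == 1:
            return pow(g, u + 1, q)               # b)
        if z == q - 1:
            return 2 * g * pow(4 * g, u, q) % q   # c) y = 2g (4g)^u
        return None                               # d)
    return tonelli_shanks(g, q)                   # q = 1 mod 8: stand-in for Algorithm 3


def tonelli_shanks(g: int, q: int) -> Optional[int]:
    """General square root modulo an odd prime (not from the standard)."""
    if pow(g, (q - 1) // 2, q) != 1:              # Euler criterion: not a square
        return None
    s, t = 0, q - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    z = 2
    while pow(z, (q - 1) // 2, q) != q - 1:       # any quadratic non-residue
        z += 1
    c, r, w, m = pow(z, t, q), pow(g, (t + 1) // 2, q), pow(g, t, q), s
    while w != 1:
        i, v = 0, w
        while v != 1:
            v, i = v * v % q, i + 1
        b = pow(c, 1 << (m - i - 1), q)
        r, c, w, m = r * b % q, b * b % q, w * b * b % q, i
    return r


def on_curve(P: Tuple[int, int], p: int, a: int, b: int) -> bool:
    x, y = P
    return (y * y - x ** 3 - a * x - b) % p == 0


def find_point(p: int, a: int, b: int, seed: Optional[int] = None) -> Tuple[int, int]:
    """C.3.1, prime-field case: random x until x^3 + ax + b is a square, then a root.
    About half of the x values succeed, so the expected number of trials is two."""
    rng = random.Random(seed)                     # seeded so the run is reproducible
    while True:
        x = rng.randrange(p)                      # a) random x in [0, p)
        alpha = (x ** 3 + a * x + b) % p          # b)
        if alpha == 0:
            return (x, 0)                         # c)
        y = sqrt_mod_prime(alpha, p)              # d)
        if y is not None:                         # e) retry when there is no square root
            return (x, y)                         # f)


if __name__ == "__main__":
    for p in (23, 13, 17):                       # q = 3, 5, 1 (mod 8) respectively
        P = find_point(p, 1, 1, seed=2016)
        print(p, P, on_curve(P, p, 1, 1))
```

Algorithm 1 must keep the final check y^2 = g: for a non-residue g the power g^{(q+1)/4} is still an element of F_q, just not a root, and an implementation that skips the check will happily return it. The same applies to decompressing a received point: a forged x whose right-hand side is a non-residue is detected only here.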


More information

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017 Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017 Name : TU/e student number : Exercise 1 2 3 4 5 6 total points Notes: Please hand in this sheet at the end of the exam.

More information

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX

UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering. Introduction to Cryptography ECE 597XX/697XX UNIVERSITY OF MASSACHUSETTS Dept. of Electrical & Computer Engineering Introduction to Cryptography ECE 597XX/697XX Part 10 Digital Signatures Israel Koren ECE597/697 Koren Part.10.1 Content of this part

More information

Application of Number Theory to Cryptology

Application of Number Theory to Cryptology Application of Number Theory to Cryptology Atsuko Miyaji, Dr of Sci. Professor Japan Advanced Institute Science & Technology miyaji@jaist.ac.jp Outline There are many application with using cryptology.

More information

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings

Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings Security Analysis of Shim s Authenticated Key Agreement Protocols from Pairings Hung-Min Sun and Bin-san Hsieh Department of Computer Science, National sing Hua University, Hsinchu, aiwan, R.O.C. hmsun@cs.nthu.edu.tw

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA

More information

Elliptic Curve Key Pair Generation

Elliptic Curve Key Pair Generation BLOCKCHAIN TUTORIAL 11 Elliptic Curve Key Pair Generation y 2 = x 3 + ax + b BLOCKCHAIN TUTORIAL 11 Elliptic Curve Key Pair Generation ELLIPTIC CURVE KEY PAIR GENERATION Blockchain implementations such

More information

--> Buy True-PDF --> Auto-delivered in 0~10 minutes. GM/T Translated English of Chinese Standard: GM/T

--> Buy True-PDF --> Auto-delivered in 0~10 minutes. GM/T Translated English of Chinese Standard: GM/T Translated English of Chinese Standard: GM/T0012-2012 www.chinesestandard.net Buy True-PDF Auto-delivery. Sales@ChineseStandard.net CRYPTOGRAPHY INDUSTRY STANDARD OF THE PEOPLE S REPUBLIC OF CHINA GM ICS

More information

Public Key Cryptography

Public Key Cryptography graphy CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L07, Steve/Courses/2011/S2/CSS322/Lectures/rsa.tex,

More information

Key Management and Elliptic Curves

Key Management and Elliptic Curves Key Management and Elliptic Curves Key Management Distribution of ublic Keys ublic-key Distribution of Secret Keys Diffie-Hellman Key Echange Elliptic Curves Mathematical foundations Elliptic curves over

More information

Notes for Lecture 10

Notes for Lecture 10 COS 533: Advanced Cryptography Lecture 10 (October 16, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Dylan Altschuler Notes for Lecture 10 1 Motivation for Elliptic Curves Diffie-Hellman For

More information

Key Escrow free Identity-based Cryptosystem

Key Escrow free Identity-based Cryptosystem Key Escrow free Manik Lal Das DA-IICT, Gandhinagar, India About DA-IICT and Our Group DA-IICT is a private university, located in capital of Gujarat state in India. DA-IICT offers undergraduate and postgraduate

More information

The Application of Elliptic Curves Cryptography in Embedded Systems

The Application of Elliptic Curves Cryptography in Embedded Systems The Application of Elliptic Curves Cryptography in Embedded Systems Wang Qingxian School of Computer Science and Engineering University of Electronic Science and Technology China Introduction to Cryptography

More information

Programming Techniques in Computer Algebra

Programming Techniques in Computer Algebra Programming Techniques in Computer Algebra Prof. Dr. Wolfram Koepf Universität Kassel http://www.mathematik.uni-kassel.de/~koepf March 18, 2010 Yaounde, Cameroon Abstract Topics of This Talk In this talk

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security CRYPTOGRAPHY AND NETWORK SECURITY PRAKASH C. GUPTA Former Head Department of Information Technology Maharashtra Institute of Technology Pune Delhi-110092 2015 CRYPTOGRAPHY

More information

c 2006 by CRC Press, LLC.

c 2006 by CRC Press, LLC. This is the of the Handbook of Elliptic and Hyperelliptic Curve Cryptography, Henri Cohen, Christophe Doche, and Gerhard Frey, Editors, CRC Press 2006. CRC Press has granted the following specific permissions

More information

E-th roots and static Diffie-Hellman using index calculus

E-th roots and static Diffie-Hellman using index calculus E-th roots and static Diffie-Hellman using index calculus Antoine Joux 1 Joint work with Reynald Lercier 2, David Naccache 3, Emmanuel Thomé 4 Elliptic Curve Cryptography 2008 Utrecht 1 DGA and UVSQ 2

More information

FPGA Accelerated Tate Pairing Cryptosystems over Binary Fields

FPGA Accelerated Tate Pairing Cryptosystems over Binary Fields FPGA Accelerated ate Pairing Cryptosystems over Binary Fields Chang Shu, Soonhak Kwon, and Kris Gaj Dept. of ECE, George Mason University Fairfax VA, USA Dept. of Mathematics, Sungkyukwan University Suwon,

More information

PKCS #3: Diffie-Hellman Key-Agreement

PKCS #3: Diffie-Hellman Key-Agreement 1 of 6 5/19/2006 1:04 PM PKCS #3: Diffie-Hellman Key-Agreement Standard An RSA Laboratories Technical Note Version 1.4 Revised November 1, 1993 * 1. Scope This standard describes a method for implementing

More information

Elliptic Curve Cryptography. Implementation and Performance Testing of Curve Representations

Elliptic Curve Cryptography. Implementation and Performance Testing of Curve Representations Elliptic Curve Cryptography Implementation and Performance Testing of Curve Representations Olav Wegner Eide Master s Thesis Spring 2017 Elliptic Curve Cryptography Implementation and Performance Testing

More information

Elliptic Curves over Prime and Binary Fields in Cryptography

Elliptic Curves over Prime and Binary Fields in Cryptography Elliptic Curves over Prime and Binary Fields in Cryptography Authors Dana Neustadter (danan@ellipticsemi.com) Tom St Denis (tstdenis@ellipticsemi.com) Copyright 2008 Elliptic Semiconductor Inc. Elliptic

More information

PKCS #3: Diffie-Hellman Key- Agreement Standard

PKCS #3: Diffie-Hellman Key- Agreement Standard PKCS #3: Diffie-Hellman Key- Agreement Standard An RSA Laboratories Technical Note Version 1.4 Revised November 1, 1993 * 1. Scope This standard describes a method for implementing Diffie-Hellman key agreement,

More information

Public Key Cryptography and RSA

Public Key Cryptography and RSA Public Key Cryptography and RSA Major topics Principles of public key cryptosystems The RSA algorithm The Security of RSA Motivations A public key system is asymmetric, there does not have to be an exchange

More information

Parallel Scalar Multiplication of Elliptic Curve Points. CSE 633 George Gunner March 28, 2017 Professor: Dr. Russ Miller

Parallel Scalar Multiplication of Elliptic Curve Points. CSE 633 George Gunner March 28, 2017 Professor: Dr. Russ Miller Parallel Scalar Multiplication of Elliptic Curve Points CSE 633 George Gunner March 28, 2017 Professor: Dr. Russ Miller Motivation Elliptic curves are commonly used in public-key cryptography Digital Signatures

More information

Cryptology complementary. Finite fields the practical side (1)

Cryptology complementary. Finite fields the practical side (1) Cryptology complementary Finite fields the practical side (1) Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 15 Finite Fields in practice

More information

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings Cryptography and Network Security Chapter 10 Fourth Edition by William Stallings Chapter 10 Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture out of the

More information

Zeon PDF Driver Trial

Zeon PDF Driver Trial IEEE P1363.2 Submission / D2001-06-21 (draft) Standard Specifications for Public Key Cryptography: Password-based Techniques Abstract. This document contains possible additions to IEEE P1363.2/D2001-05-14

More information

(1) Modular arithmetic

(1) Modular arithmetic (1) Modular arithmetic In mathematics, modular arithmetic (sometimes called clock arithmetic) is a system of arithmetic for integers, where numbers "wrap يلتف حولaround " after they reach a certain value

More information

Cryptography and Network Security

Cryptography and Network Security Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 10 Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would

More information

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings

Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings International Journal of Network Security, Vol.5, No.3, PP.283 287, Nov. 2007 283 Group Oriented Identity-Based Deniable Authentication Protocol from the Bilinear Pairings Rongxing Lu and Zhenfu Cao (Corresponding

More information

Standard Specifications for Public Key Cryptography: Identity Based Key Agreement Scheme (IBKAS)

Standard Specifications for Public Key Cryptography: Identity Based Key Agreement Scheme (IBKAS) IEEE P1363.3 Standard Specifications for Public Key Cryptography: Identity Based Key Agreement Scheme (IBKAS) Abstract. This document specifies pairing based, identity based, and authenticated key agreement

More information

High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields

High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields High Speed Cryptoprocessor for η T Pairing on 128-bit Secure Supersingular Elliptic Curves over Characteristic Two Fields Santosh Ghosh, Dipanwita Roy Chowdhury, and Abhijit Das Computer Science and Engineering

More information

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography

Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Key Management The first key in a new connection or association is always delivered via a courier Once you have a key, you

More information

Scalar Blinding on Elliptic Curves with Special Structure

Scalar Blinding on Elliptic Curves with Special Structure Scalar Blinding on Elliptic Curves with Special Structure Scott Fluhrer Cisco Systems August 11, 2015 1 Abstract This paper shows how scalar blinding can provide protection against side channel attacks

More information

Introduction to the new AES Standard: Rijndael

Introduction to the new AES Standard: Rijndael Introduction to the new AES Standard: Rijndael Paul Donis This paper will explain how the Rijndael Cipher Reference Code in C works. Rijndael is a block cipher that encrypts and decrypts 128, 192, and

More information

Channel Coding and Cryptography Part II: Introduction to Cryptography

Channel Coding and Cryptography Part II: Introduction to Cryptography Channel Coding and Cryptography Part II: Introduction to Cryptography Prof. Dr.-Ing. habil. Andreas Ahrens Communications Signal Processing Group, University of Technology, Business and Design Email: andreas.ahrens@hs-wismar.de

More information

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7 Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:

More information

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings

An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings An Improved Remote User Authentication Scheme with Smart Cards using Bilinear Pairings Debasis Giri and P. D. Srivastava Department of Mathematics Indian Institute of Technology, Kharagpur 721 302, India

More information

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD INTERNATIONAL STANDARD ISO/IEC 9797-1 Second edition 2011-03-01 Information technology Security techniques Message Authentication Codes (MACs) Part 1: Mechanisms using a block cipher Technologies de l'information

More information

Algorithms and arithmetic for the implementation of cryptographic pairings

Algorithms and arithmetic for the implementation of cryptographic pairings Cairn seminar November 29th, 2013 Algorithms and arithmetic for the implementation of cryptographic pairings Nicolas Estibals CAIRN project-team, IRISA Nicolas.Estibals@irisa.fr What is an elliptic curve?

More information

Table of Contents. Preface... vii Abstract... vii Kurzfassung... x Acknowledgements... xiii. I The Preliminaries 1

Table of Contents. Preface... vii Abstract... vii Kurzfassung... x Acknowledgements... xiii. I The Preliminaries 1 Preface............................................ vii Abstract............................................ vii Kurzfassung.......................................... x Acknowledgements......................................

More information

Public-key encipherment concept

Public-key encipherment concept Date: onday, October 21, 2002 Prof.: Dr Jean-Yves Chouinard Design of Secure Computer Systems CSI4138/CEG4394 Notes on Public Key Cryptography Public-key encipherment concept Each user in a secure communication

More information

Elliptic Curves as Tool for Public Key Cryptography

Elliptic Curves as Tool for Public Key Cryptography Research Inventy: International Journal Of Engineering And Science Vol.5, Issue 6 (June 2015), PP 06-12 Issn (e): 2278-4721, Issn (p):2319-6483, www.researchinventy.com Elliptic Curves as Tool for Public

More information

Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number

Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number Authenticated ID-based Key Exchange and remote log-in with simple token and PIN number Michael Scott School of Computer Applications Dublin City University Ballymun, Dublin 9, Ireland. mike@computing.dcu.ie

More information

My 2 hours today: 1. Efficient arithmetic in finite fields minute break 3. Elliptic curves. My 2 hours tomorrow:

My 2 hours today: 1. Efficient arithmetic in finite fields minute break 3. Elliptic curves. My 2 hours tomorrow: My 2 hours today: 1. Efficient arithmetic in finite fields 2. 10-minute break 3. Elliptic curves My 2 hours tomorrow: 4. Efficient arithmetic on elliptic curves 5. 10-minute break 6. Choosing curves Efficient

More information

Software Implementation of Pairings 1

Software Implementation of Pairings 1 Software Implementation of Pairings 1 Darrel HANKERSON a, Alfred MENEZES b and Michael SCOTT c a Auburn University, hankedr@auburn.edu b University of Waterloo, ajmeneze@uwaterloo.ca c Dublin City University,

More information

Studies on Modular Arithmetic Hardware Algorithms for Public-key Cryptography

Studies on Modular Arithmetic Hardware Algorithms for Public-key Cryptography Studies on Modular Arithmetic Hardware Algorithms for Public-key Cryptography Marcelo Emilio Kaihara Graduate School of Information Science Nagoya University January 2006 iii Dedicated to my father. Abstract

More information

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that

More information

Elliptic Curve Cryptography on a Palm OS Device

Elliptic Curve Cryptography on a Palm OS Device Elliptic Curve Cryptography on a Palm OS Device André Weimerskirch 1, Christof Paar 2, and Sheueling Chang Shantz 3 1 CS Department, Worcester Polytechnic Institute, USA weika@wpi.edu 2 ECE and CS Department,

More information

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. Let Ò Ô Õ. Pick ¾ ½ ³ Òµ ½ so, that ³ Òµµ ½. Let ½ ÑÓ ³ Òµµ. Public key: Ò µ. Secret key Ò µ.

More information

The Elliptic Curve Discrete Logarithm and Functional Graphs

The Elliptic Curve Discrete Logarithm and Functional Graphs Rose-Hulman Institute of Technology Rose-Hulman Scholar Mathematical Sciences Technical Reports (MSTR) Mathematics 7-9-0 The Elliptic Curve Discrete Logarithm and Functional Graphs Christopher J. Evans

More information

RSA. Public Key CryptoSystem

RSA. Public Key CryptoSystem RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular

More information

CS669 Network Security

CS669 Network Security UNIT II PUBLIC KEY ENCRYPTION Uniqueness Number Theory concepts Primality Modular Arithmetic Fermet & Euler Theorem Euclid Algorithm RSA Elliptic Curve Cryptography Diffie Hellman Key Exchange Uniqueness

More information

Introduction to Public-Key Cryptography

Introduction to Public-Key Cryptography Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography

More information

Public Key Algorithms

Public Key Algorithms CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and

More information

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages. Telling Secrets Secret Writing Through the Ages William Turner Department of Mathematics & Computer Science Wabash College Crawfordsville, IN 47933 Tuesday 4 February 2014 W. J. Turner Telling Secrets

More information

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È. Let Ò Ô Õ. Pick ¾ ½ ³ Òµ ½ so, that ³ Òµµ ½. Let ½ ÑÓ ³ Òµµ. Public key: Ò µ. Secret key Ò µ.

More information

Final Exam Review Algebra Semester 1

Final Exam Review Algebra Semester 1 Final Exam Review Algebra 015-016 Semester 1 Name: Module 1 Find the inverse of each function. 1. f x 10 4x. g x 15x 10 Use compositions to check if the two functions are inverses. 3. s x 7 x and t(x)

More information

Dubna 2018: lines on cubic surfaces

Dubna 2018: lines on cubic surfaces Dubna 2018: lines on cubic surfaces Ivan Cheltsov 20th July 2018 Lecture 1: projective plane Complex plane Definition A line in C 2 is a subset that is given by ax + by + c = 0 for some complex numbers

More information

SCHOOL OF ENGINEERING & BUILT ENVIRONMENT. Mathematics. Numbers & Number Systems

SCHOOL OF ENGINEERING & BUILT ENVIRONMENT. Mathematics. Numbers & Number Systems SCHOOL OF ENGINEERING & BUILT ENVIRONMENT Mathematics Numbers & Number Systems Introduction Numbers and Their Properties Multiples and Factors The Division Algorithm Prime and Composite Numbers Prime Factors

More information

borzoi Manual Dragongate Technologies Ltd.

borzoi Manual Dragongate Technologies Ltd. borzoi Manual Dragongate Technologies Ltd. September 21, 2003 Contents 1 Introduction 1 2 Preliminaries 2 2.1 Header Files............................ 2 2.2 Type Definitions......................... 2

More information

Some Highlights along a Path to Elliptic Curves

Some Highlights along a Path to Elliptic Curves Some Highlights along a Path to Elliptic Curves Part 6: Rational Points on Elliptic Curves Steven J. Wilson, Fall 016 Outline of the Series 1. The World of Algebraic Curves. Conic Sections and Rational

More information

An improved proxy blind signature scheme based on ECDLP

An improved proxy blind signature scheme based on ECDLP Malaya J. Mat. 2(3)(2014) 228 235 An improved proxy blind signature scheme based on ECDLP Manoj Kumar Chande Shri Shankaracharya Institute Of Professional Management & Technology, Raipur, 492015, Chhattisgarh,

More information

From String Theory to Elliptic Curves over Finite Field, F p

From String Theory to Elliptic Curves over Finite Field, F p From String Theory to Elliptic Curves over Finite Field, F p A Senior Project submitted to The Division of Science, Mathematics, and Computing of Bard College by Linh Thi Dieu Pham Annandale-on-Hudson,

More information

Number Theory and RSA Public-Key Encryption

Number Theory and RSA Public-Key Encryption Number Theory and RSA Public-Key Encryption Dr. Natarajan Meghanathan Associate Professor of Computer Science Jackson State University E-mail: natarajan.meghanathan@jsums.edu CIA Triad: Three Fundamental

More information

A Residue Approach of the Finite Field Arithmetics

A Residue Approach of the Finite Field Arithmetics A Residue Approach of the Finite Field Arithmetics 1/20 A Residue Approach of the Finite Field Arithmetics JC Bajard LIRMM, CNRS UM2 161 rue Ada, 34392 Montpellier cedex 5, France A Residue Approach of

More information

Chapter 9. Public Key Cryptography, RSA And Key Management

Chapter 9. Public Key Cryptography, RSA And Key Management Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on

More information

Notes for Lecture 14

Notes for Lecture 14 COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e

More information

Public Key Encryption

Public Key Encryption Public Key Encryption A case study THE RSA CRYPTOSYSTEM Public 31/05/14 Key Encryption 2 Rivest Shamir Adleman (1978) Key generation 1. Generate two large, distinct primes p, q (100 200 decimal digits)

More information

Lecture 2 Applied Cryptography (Part 2)

Lecture 2 Applied Cryptography (Part 2) Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2

More information