Explanation of the SM2 Algorithm Used in pboc3.0

Reprinted please indicate the source

Http://blog.csdn.net/pony_maggie/article/details/39780825

Author: Pony

 

I. Knowledge preparation

 

SM2 is an asymmetric commercial cryptographic algorithm launched by the MIIT. It is based on the ECC Elliptic Curve Algorithm. Therefore, we need to understand ECC first when talking about SM2.

 

A complete understanding of the ECC algorithm requires a certain degree of mathematical knowledge, because it involves concepts such as the projective plane coordinate system, homogeneous equation solving, and curve calculation rules. I don't do much mathematical analysis here (I don't fully understand it myself ). <Introduction to elliptic curve ECC encryption algorithms>. This person is a moderator of the snow forum in his early years and has a lot of research on algorithms and cryptography.

 

The purpose of this article is to explain the SM2 concepts used in the pboc3.0 certification process in a simple and popular language, including its implementation and use.

 

1. What is an elliptic curve?

 

Figure 1

Figure 2

 

The above is the geometric representation of two different elliptical curves in the coordinate system. However, this coordinate system is not a two-dimensional coordinate system, but a projective coordinate system. You can think about it in space (but note that it is not a three-dimensional coordinate system). For example, you stand in front of a street lamp at night and have your shadow on the ground, you are in a two-dimensional coordinate system (think of you as a piece of paper), and form a coordinate system together with your shadow.

 

Each point of a curve is represented by three parameters (x, y, z ). We know that every graph in a two-dimensional coordinate system follows an equation. For example, the direct binary equation is Y = kx + B, and the circle equation is (X-) 2 + (Y-B) 2 = R2. the elliptic curve also has its own definition in the projective coordinate system:

 

Y2z + a1xyz + a3yz2 = X3 + a2x2z + a4xz2 + a6z3

 

The points on all elliptic curves satisfy the above equation. A1, A2, A3, A4, and A6 are coefficients, which determine the shape and position of the curve.

 

There is a ing between two-dimensional coordinates and inner coordinates, that is, x = x/Z, y = y/z. In this way, the above equation can be converted into a normal two-dimensional coordinate system equation:

Y2 + a1xy + a3y = X3 + a2x2 + a4x + A6

 

 

2 discrete Elliptic Curve

The above coordinate systems are all based on real numbers, and the elliptic curves look smooth. If we limit the points of the curves to be integers, the curves become discrete, as shown in 3:

Figure 3

 

Further restrictions require that the integer must be greater than 0, less than a large integer p, thus forming a finite field FP. then, we define some addition, subtraction, multiplication, division, and operation rules between points in this finite field. For example, point A and point B are used to obtain point C (a + B ≡ C (mod p )), or multiply a point by N to get K points (record as a × n ≡ K (mod p )). You don't need to worry about the details of specific rules, as long as you know such an operation.

 

Select a curve, such

Y2 = X3 + ax + B

Define it on FP and require that a and B meet the following requirements:

4a3 + 27b2 = 0 (mod P)

 

We record this curve as EP (A, B)

 

Encryption and decryption is based on this mathematical problem. k = kg, where K and G are the points on EP (a, B), k is an integer, less than the G point (note that distinction, it's not what we usually mean ). Given K and G, it is easy to calculate K. But given K and G, K is difficult to calculate. In this way, G is called the base point, k is the private key, and K is the public key.

 

Summary. Describes an elliptic curve on a FP with six parameters:
T = (P, A, B, G, N, H ).

P, A, and B are used to determine an elliptic curve,
G is the base point,
N is the order of vertex G,
H is the number of all vertices on an elliptic curve. M is an integer that is divided by N)

 

The knowledge preparation stage knows so much.

 

 

Use of SM2 in PBOC Authentication

 

1. Principles of signatures and signatures

 

According to different coefficients, there may be many ECC curves. SM2 uses one of them, which indicates that its curve equation and the six parameters mentioned above are fixed. According to the specifications provided by the MIIT, the definitions are as follows:

 

y2=x3+ax+b p=FFFFFFFE FFFFFFFFFFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFFa=FFFFFFFE FFFFFFFFFFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFCb=28E9FA9E 9D9F5E344D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93n=FFFFFFFE FFFFFFFFFFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123Gx=32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7Gy=BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0

It is easy to misunderstand that the parameters are fixed. Is there only one pair of public and private keys? Of course not. Pay attention to the K = kg model mentioned above. k is the public key, so the public key is actually a curve point that meets the conditions in the discrete coordinate system. There can be many. In addition, we can know from these parameters that the length of the public key of PBOC 3.0 is 256 bits.

 

The SM2 Algorithm Based on the discrete elliptic curve has three common usage methods: Signature Verification, encryption and decryption, and key exchange. In PBOC 3.0, offline data authentication only applies to the signature verification function. The terminal is concerned with how to sign, and the card should consider how to generate a signature.

 

2. Implement SM2 Based on OpenSSL

An OpenSSL-based SM2 implementation is provided here. If you do not know about OpenSSL, you can search for related knowledge first. OpenSSL has implemented the ECC algorithm interface, that is, the core of the interface. It is not difficult to implement SM2. The key is to understand how to use various interfaces in it. The following describes the implementation of SM2 for a terminal signature. In addition, it must be noted that only the code snippets are provided here for understanding purposes.

 

Function Interface

int SM2_Verify(BYTE* Px,BYTE* Py, BYTE* DataIn,DWORD DataLen, BYTE* sigrs)

The first two parameters are the coordinate values of K, that is, the public key. DataIn and datalen are plaintext data and their lengths respectively. The last parameter is the signature to be verified.

 

The parameter constants of a curve are defined as follows:

//////////////////////////////////////// ////////////// Static const char * group_p = "fffffffeffffffffffffffffffffffffffffffffffffffffff "; static const char * group_a = "regular"; static const char * group_ B = "regular"; static const char * group_gx = "regular"; static const char * group_gy = "regular "; static const char * group_n = "ffffffffffffffffffffffffffffffff7203df6b21c6052b53bbf40939d54123"; static const char * entl_id = "008031323334353637383132333435363738 "; # define sm2_key_length 32 // 256-bit curve /////////////////////////////// /////////////////////////////////

Entl_id is the header data specified in the PBOC specification for Sm3 to generate summaries.

 

 

strcpy(szBuff, ENTL_ID);strcat(szBuff,group_a);strcat(szBuff,group_b);strcat(szBuff,group_Gx);strcat(szBuff,group_Gy);AscToBcd(szDataForDigest,(unsigned char *)szBuff, nLen);       …. SM3(szDataForDigest,nLen+SM2_KEY_LENGTH*2, digestZA); memcpy(szDataForDigest,digestZA, ECC_LENGTH);memcpy(szDataForDigest+ECC_LENGTH,DataIn, DataLen); SM3(szDataForDigest,DataLen+ECC_LENGTH, digestH);

Step 1: Use Sm3 to abstract the above data, and splice the summary results with the data before making the summary.

 

p = BN_new();a = BN_new();b = BN_new();group = EC_GROUP_new(EC_GFp_mont_method()); BN_hex2bn(&p, group_p))BN_hex2bn(&a, group_a))BN_hex2bn(&b, group_b))

Here, the defined curve constant is converted into a big data table, so that the interface in OpenSSL can be used.

Group is the curve group in ECC. It is the core of ECC algorithms. Why? Because all the fields in this group determine all the information of the curve, we will see that here we only use ec_group_new to generate an empty group, and then P,, B and other parameters to fill the group, and then generate points on the curve based on this group.

 

if (!EC_GROUP_set_curve_GFp(group, p, a, b,ctx)){                   gotoerr_process;} P = EC_POINT_new(group);Q = EC_POINT_new(group);R = EC_POINT_new(group);if (!P || !Q || !R){         gotoerr_process;}

This section determines all information about the group and generates three points on the curve based on the group (the point must be on the curve, which is very important ).

 

 

<span style="white-space:pre"></span>x = BN_new();         y= BN_new();         z= BN_new();         if(!x || !y || !z)         {                   gotoerr_process;         }          //Gx         if(!BN_hex2bn(&x, group_Gx))         {                   gotoerr_process;         }          if(!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx))         {                   gotoerr_process;         }                 if(!BN_hex2bn(&z, group_n))         {                   gotoerr_process;         }         if(!EC_GROUP_set_generator(group, P, z, BN_value_one()))         {                   gotoerr_process;         }          if(!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx))         {                   gotoerr_process;         }

The first step is to set N to group. n is the order of the curve. In addition, the point P is determined by the gpoint coordinates X and Y. I don't quite understand here. The gpoint coordinate Y is actually known. Why do we need to generate y by means of a curve transformation table, do you want to check whether the group information is correct? Just for verification?

 

 

if ((eckey = EC_KEY_new()) == NULL)         {                   gotoerr_process;         }         if(EC_KEY_set_group(eckey, group) == 0)         {                   gotoerr_process;         } EC_KEY_set_public_key(eckey, P);         if(!EC_KEY_check_key(eckey))         {                   gotoerr_process;         }           if(SM2_do_verify(1, digestH, SM2_KEY_LENGTH, signature, sig_len, eckey) != 1)         {                   gotoerr_process;         }

This section is easy to understand. The public key Eckey is generated and verified by the Eckey. The execution function sm2_do_verify of the verification signature is a bit complicated. I will not explain it too much here (in fact, I cannot explain it clearly, wow haha). I will find a good description on a foreign website for use.

 

3. specific process for using SM2 for offline data authentication

I assume that the person reading this article has a good understanding of the offline data authentication process based on the RSA International Algorithm in PBOC 2.0. The related concepts are not described too much and focus on the differences between the two.

 

In addition, Let's briefly talk about SM3, because it will be used below. Sm3 is a hash-like hashing algorithm that generates a fixed-length output (Sm3 is 32 bytes and hash is 20 bytes) given an input (generally long ). It has two features:

1. The output cannot be exported.

2. Different inputs generate different outputs.

 

Next we will take the terminal SDA authentication card to see how SM2 is used in PBOC.

 

First, the issuer's public key certificate is generated by the CA's private key signature (note that it is not encrypted, this certificate is personal to the IC card. Shows the data:

Figure 4

 

The signature is actually a series of operations on the Data in this table, and finally generates a 64-byte data, which is spliced by 32-byte R and S respectively (R and S are just symbols, ). The 64-byte signature is spliced to figure 4, followed by the issuer's Public Key Certificate.

 

There is a significant difference between this and international algorithm Public Key Certificates. The International algorithm certificate is ciphertext, and the issuer's public key is encrypted with RSA. The State Key Certificate is in plain text. For example, the following data comes from the pboc3.0 card inspection guide, that is, the data in the card must be customized during detection.

 

[Issuer's public key]: issuer [Ca hash value] (r | S): issuer [tag_90] (issuer's Public Key Certificate): issuer

You can parse it to see if it is consistent with the data in the table above and it is in plain text.

 

 

The terminal obtains the Public Key Certificate of the issuing bank in the reading and record phase. The International algorithm needs to use the RSA public key to decrypt the entire certificate, verify the hash, and obtain the public key of the issuing bank. However, as long as the terminal uses the SM2 public key to authenticate the 64-byte signature, the client directly obtains the public key of the plaintext issuer, therefore, the signature verification is equivalent to the international RSA decryption and hash comparison.

 

The terminal then performs static data signature verification, in a similar situation. For country secrets, the data is in plain text format, followed by a 64-byte SM2 signature, these 64 bytes are obtained by signing the plaintext data with the private key of the issuing bank. The terminal must verify the 64-byte data with the obtained public key of the issuing bank.

 

4. Why should PBOC choose China secret?

 

First, from the technical point of view, the implementation of the same computing complexity, ECC calculation is relatively small, so the efficiency is high. RSA is constantly increasing the modulo length and currently uses 2048 bits. It does not mean that it is safe to use 2048 bits, but it is more secure and more difficult to crack. In this case, a high number of BITs also means a high cost. Some big companies, such as Google, have already used 2048 bits in their Gmail email services. Pboc3.0 certification currently only uses 1984 BITs, which is actually relatively secure.

 

However, this point of view is still controversial. Some time ago, I attended a course on cryptographic algorithms at Tsinghua University. A professor in Tsinghua thought that SM2 is not necessarily more advanced than RSA, but its principle is more difficult to understand than RSA, therefore, most people think it is safer. Once the elliptic curve is thoroughly studied, the halo of SM2 may also fade away. Of course, this is his personal point of view.

 

Another factor is that, from the perspective of national strategy, RSA has been spread to work with the U.S. security agency to add backdoors to algorithms. At least we develop our own secret algorithms. All the process details are clear, so we don't have to handle backdoors.

The Central Bank now attaches great importance to the promotion of domestic security chips. The last few days, the central bank's Li Xiaofeng also publicly stressed that the future localization of financial IC card chips is a key step in the National density algorithm. In the future, only domestic chips, coupled with the National cryptography algorithm, will have domestically-made financial IC card products that are truly autonomous and secure.

 

Explanation of the SM2 Algorithm Used in pboc3.0