Skip to main content

OSCCA Extensions For OpenPGP
draft-openpgp-oscca-00

The information below is for an old version of the document.
Document Type
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
Authors Ronald Henry Tse , Wong Wai Kit
Last updated 2017-08-28
Replaced by draft-ribose-openpgp-oscca
RFC stream (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-openpgp-oscca-00
Network Working Group                                             R. Tse
Internet-Draft                                                    Ribose
Updates: 4880, 6637 (if approved)                                W. Wong
Intended status: Standards Track            Hang Seng Management College
Expires: March 2, 2018                                   August 29, 2017

                      OSCCA Extensions For OpenPGP
                         draft-openpgp-oscca-00

Abstract

   This document enables OpenPGP (RFC4880) usage in an compliant manner
   with OSCCA regulations for use within China.

   Specifically, it extends OpenPGP to support the usage of SM2, SM3 and
   SM4 algorithms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 2, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Tse & Wong                Expires March 2, 2018                 [Page 1]
Internet-Draft                                               August 2017

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions Used in This Document . . . . . . . . . . . . . .   4
     2.1.  Definitions . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  SM2 ECC Algorithms  . . . . . . . . . . . . . . . . . . . . .   4
     3.1.  SM2 Digital Signature Algorithm . . . . . . . . . . . . .   4
     3.2.  SM2 Key Exchange Protocol . . . . . . . . . . . . . . . .   5
     3.3.  SM2 Public Key Encryption . . . . . . . . . . . . . . . .   5
     3.4.  Recommended SM2 Curve . . . . . . . . . . . . . . . . . .   6
       3.4.1.  Definitions . . . . . . . . . . . . . . . . . . . . .   6
       3.4.2.  Elliptic Curve Formula  . . . . . . . . . . . . . . .   6
       3.4.3.  Curve Parameters  . . . . . . . . . . . . . . . . . .   6
   4.  SM3 Hash Algorithm  . . . . . . . . . . . . . . . . . . . . .   7
   5.  SM4 Symmetric Encryption Algorithm  . . . . . . . . . . . . .   7
   6.  Supported Algorithms  . . . . . . . . . . . . . . . . . . . .   7
     6.1.  Public Key Algorithms . . . . . . . . . . . . . . . . . .   8
     6.2.  Symmetric Key Algorithms  . . . . . . . . . . . . . . . .   8
     6.3.  Hash Algorithms . . . . . . . . . . . . . . . . . . . . .   8
   7.  Conversion Primitives . . . . . . . . . . . . . . . . . . . .   9
   8.  SM2 Key Derivation Function . . . . . . . . . . . . . . . . .   9
     8.1.  Prerequisites . . . . . . . . . . . . . . . . . . . . . .   9
     8.2.  Inputs  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.3.  Output  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.4.  Pseudocode  . . . . . . . . . . . . . . . . . . . . . . .   9
   9.  Encoding of Public and Private Keys . . . . . . . . . . . . .  10
     9.1.  Public-Key Packet Formats . . . . . . . . . . . . . . . .  10
     9.2.  Secret-Key Packet Formats . . . . . . . . . . . . . . . .  11
   10. Message Encoding with Public Keys . . . . . . . . . . . . . .  11
     10.1.  Public-Key Encrypted Session Key Packets (Tag 1) . . . .  11
     10.2.  Signature Packet (Tag 2) . . . . . . . . . . . . . . . .  12
       10.2.1.  Version 3 Signature Packet Format  . . . . . . . . .  12
       10.2.2.  Version 4 Signature Packet Format  . . . . . . . . .  12
   11. SM2 ECC Curve OID . . . . . . . . . . . . . . . . . . . . . .  12
   12. Compatibility Profiles  . . . . . . . . . . . . . . . . . . .  13
     12.1.  OSCCA Compliant Profile  . . . . . . . . . . . . . . . .  13
   13. Security Considerations . . . . . . . . . . . . . . . . . . .  13
   14. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  14
   15. Examples  . . . . . . . . . . . . . . . . . . . . . . . . . .  14
   16. References  . . . . . . . . . . . . . . . . . . . . . . . . .  14
     16.1.  Normative References . . . . . . . . . . . . . . . . . .  14
     16.2.  Informative References . . . . . . . . . . . . . . . . .  15
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  18
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  18

Tse & Wong                Expires March 2, 2018                 [Page 2]
Internet-Draft                                               August 2017

1.  Introduction

   SM2 [SM2] [I-D.shen-sm2-ecdsa], SM3 [SM3] [I-D.shen-sm3-hash] and SM4
   [SM4] are cryptographic standards issued by the Organization of State
   Commercial Administration of China [OSCCA] as authorized
   cryptographic algorithms for the use within China.  These algorithms
   are published in public.

   Adoption of this document enables exchange of OpenPGP-secured email
   [RFC4880] in a OSCCA-compliant manner through usage of the authorized
   combination of SM2, SM3 and SM4.

   SM2 [SM2] [I-D.shen-sm2-ecdsa] is a set of public key cryptographic
   algorithms based on elliptic curves that include:

   o  Digital Signature Algorithm [SM2-2]

   o  Key Exchange Protocol [SM2-3]

   o  Public Key Encryption Algorithm [SM2-4]

   SM3 [SM3] [I-D.shen-sm3-hash] is a hash algorithm designed for
   electronic authentication purposes.

   SM4 [SM4] is a symmetric encryption algorithm designed for data
   encryption.

   This document extends OpenPGP [RFC4880] and its ECC extension
   [RFC6637] to support SM2, SM3 and SM4:

   o  support the SM3 hash algorithm for data validation purposes

   o  support signatures utilizing the combination of SM3 with other
      digital signing algorithms, such as RSA and SM2

   o  support the SM2 asymmetric encryption algorithm for public key
      operations

   o  support usage of SM2 in combination with supported hash
      algorithms, such as SHA-256 and SM4

   o  support the SM4 symmetric encryption algorithm for data protection
      purposes

   o  defines the OpenPGP "OSCCA-compliant profile" to enable usage of
      OpenPGP in an OSCCA-compliant manner.

Tse & Wong                Expires March 2, 2018                 [Page 3]
Internet-Draft                                               August 2017

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Compliant applications are a subset of the broader set of OpenPGP
   applications described in [RFC4880].  Any [RFC2119] keyword within
   this document applies to compliant applications only.

2.1.  Definitions

   OSCCA-compliant
      All algorithms used for encryption and signatures are compliant
      with OSCCA regulations.

   SM2DSA
      The elliptic curve digital signature algorithm defined in [SM2-2]
      and [I-D.shen-sm2-ecdsa]

   SM2KEP
      The elliptic curve key exchange protocol defined in [SM2-3]

   SM2PKE
      The public key encryption algorithm defined in [SM2-4]

3.  SM2 ECC Algorithms

   SM2 is an elliptic curve based cryptosystem (ECC) [SM2] designed by
   Xiaoyun Wang et al and published by [OSCCA] [I-D.shen-sm2-ecdsa].

   The SM2 cryptosystem is composed of three distinct algorithms:

   o  an elliptical curve digital signature algorithm ("SM2DSA")
      [SM2-2], also described in [I-D.shen-sm2-ecdsa];

   o  a key exchange protocol ("SM2KEP") [SM2-3]; and

   o  a public key encryption algorithm ("SM2PKE") [SM2-4].

   This document will refer to all three algorithms for the usage of
   OpenPGP [RFC4880].

3.1.  SM2 Digital Signature Algorithm

   The SM2 Digital Signature Algorithm is intended for digital signature
   and verifications in commercial cryptographic applications,
   including, but not limited to:

Tse & Wong                Expires March 2, 2018                 [Page 4]
Internet-Draft                                               August 2017

   o  identity authentication

   o  protection of data integrity

   o  verification of data authenticity

   The process of digital signature signing and verifying along with
   their examples are found in [SM2-2], and also described in
   [I-D.shen-sm2-ecdsa].

   In OpenPGP, SM2DSA is an alternative to the ECDSA algorithm specified
   in [RFC6637].

   The SM2DSA algorithm has been cryptanalyzed to a certain extent, with
   the current strongest attack being nonce [SM2-DSA-Nonces]
   [SM2-DSA-Nonces2] and lattice attacks [SM2-DSA-Lattice].

3.2.  SM2 Key Exchange Protocol

   The SM2 Key Exchange Protocol is used for cryptographic key exchange,
   allowing the negoatiation and exchange of a session key within two to
   three message transfers.

   The process of key exchange and verification along with their
   examples are found in [SM2-3], and also described in
   [I-D.shen-sm2-ecdsa].

   SM2KEP is not used with OpenPGP as it is a two- to three- pass key
   exchange mechanism, while in OpenPGP public keys of recipients are
   available initially.

   The SM2KEP is now considered insecure due to [SM2-KEP-Comments],
   similar in status to the Unified Model and MQV schemes described in
   [NIST.SP.800-56Ar2].

3.3.  SM2 Public Key Encryption

   The SM2 Public Key Encryption algorithm is an elliptic curve (ECC)
   based asymmetric encryption algorithm.  It is used for cryptographic
   encryption and decryption, allowing the message sender to utilize the
   public key of the message receiver to encrypt the message, with the
   recipient decrypting the messaging using his private key.

   The full description of SM2PKE is provided in [I-D.shen-sm2-ecdsa].

   It utilizes a public key size of 512 bits and private key size of 256
   bits [GMT-0003.1-2012].

Tse & Wong                Expires March 2, 2018                 [Page 5]
Internet-Draft                                               August 2017

   The process of encryption and decryption, along with their examples
   are found in [SM2-4].

   In OpenPGP, SM2PKE is an alternative to RSA specified in [RFC4880].

3.4.  Recommended SM2 Curve

   The recommended curve is specified in [SM2-5] and provided here for
   reference.  SM2 uses a 256-bit elliptic curve.

3.4.1.  Definitions

   p
      a number larger than 3

   a, b
      elements of F_q, defines an elliptic curve E on F_q

   n
      Order of base point G (n is a prime factor of E(F_q))

   x_G
      x-coordinate of generator G

   y_G
      y-coordinate of generator G

3.4.2.  Elliptic Curve Formula

   y^2 = x^3 + ax + b

3.4.3.  Curve Parameters

                 p   = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
                       FFFFFFFF 00000000 FFFFFFFF FFFFFFFF
                 a   = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
                       FFFFFFFF 00000000 FFFFFFFF FFFFFFFC
                 b   = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7
                       F39789F5 15AB8F92 DDBCBD41 4D940E93
                 n   = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF
                       7203DF6B 21C6052B 53BBF409 39D54123
                 x_G = 32C4AE2C 1F198119 5F990446 6A39C994
                       8FE30BBF F2660BE1 715A4589 334C74C7
                 y_G = BC3736A2 F4F6779C 59BDCEE3 6B692153
                       D0A9877C C62A4740 02DF32E5 2139F0A0

Tse & Wong                Expires March 2, 2018                 [Page 6]
Internet-Draft                                               August 2017

4.  SM3 Hash Algorithm

   The SM3 Cryptographic Hash Algorithm [SM3] is an iterated hash
   function designed by Xiaoyun Wang et al., published by [OSCCA] as an
   alternative to SHA-2 [NIST.FIPS.180-4].

   The algorithm is designed to be used for various commercial
   cryptographic applications including, but not limited to:

   o  digital signatures and their verification

   o  message authentication code generation and their verification

   o  generation of random numbers

   According to the authors, SM3 is designed with a Merkle-Damgard
   construction and is very similar to SHA-2 [NIST.FIPS.180-4] of the
   MD4 [RFC6150] family, with the addition of several strengthening
   features such as a more complex step function and stronger message
   dependency than SHA-256 [SM3-Boomerang].

   SM3 produces an output hash value of 256 bits long, based on 512-bit
   input message blocks [SM3-Boomerang], on input lengths up to 2^(m).

   The specification of SM3 is described in [SM3] and
   [I-D.shen-sm3-hash].

5.  SM4 Symmetric Encryption Algorithm

   SM4 [SM4] is a symmetric encryption algorithm designed by Shuwang Lu
   et al. in 2006 as SMS4, and officially published published by the
   OSCCA in 2012 as SM4.

   The algorithm is publicly described in "GM/T 0002-2012 SM4 Block
   Cipher Algorithm Standard" [SM4], and is used in WAPI (Wired
   Authentication and Privacy Infrastructure), the Chinese National
   Standard for Wireless LAN [GB15629.11-2003].

   SM4 is a 128-bit block cipher, uses a key size of 128 bits and
   internally uses an 8-bit S-box.  It performs 32 rounds per block, and
   decryption simply reverses the order of encryption.

6.  Supported Algorithms

Tse & Wong                Expires March 2, 2018                 [Page 7]
Internet-Draft                                               August 2017

6.1.  Public Key Algorithms

   The SM2 algorithm is supported with the following extension.

   The following public key algorithm IDs are added to expand
   Section 9.1 of [RFC4880], "Public-Key Algorithms":

                    +-----+--------------------------+
                    | ID  | Description of Algorithm |
                    +-----+--------------------------+
                    | TBD | SM2                      |
                    +-----+--------------------------+

   Compliant applications MUST support both usages of SM2:

   o  SM2 Digital Signature Algorithm (SM2DSA) [SM2-2]
      [I-D.shen-sm2-ecdsa]

   o  SM2 Public Key Encryption (SM2PKE) [SM2-4] [I-D.shen-sm2-ecdsa]

6.2.  Symmetric Key Algorithms

   The SM4 algorithm is supported with the following extension.

   The following symmetric encryption algorithm ID is added to expand
   Section 9.2 of [RFC4880], "Symmetric-Key Algorithms":

                    +-----+--------------------------+
                    | ID  | Description of Algorithm |
                    +-----+--------------------------+
                    | TBD | SM4                      |
                    +-----+--------------------------+

   Compliant applications MUST support SM4.

6.3.  Hash Algorithms

   The SM3 algorithm is supported with the following extension.

   The following symmetric encryption algorithm IDs are added to expand
   Section 9.3 of [RFC4880], "Hash Algorithms":

                    +-----+--------------------------+
                    | ID  | Description of Algorithm |
                    +-----+--------------------------+
                    | TBD | SM3                      |
                    +-----+--------------------------+

Tse & Wong                Expires March 2, 2018                 [Page 8]
Internet-Draft                                               August 2017

   Compliant applications MUST support SM3.

7.  Conversion Primitives

   The encoding method of [RFC6637] Section 6 MUST be used, and is
   compatible with the definition given in [SEC1].

   For clarity, according to the EC curve MPI encoding method of
   [RFC6637], the exact size of the MPI payload for the "SM2
   Recommended" 256-bit curve, is 515 bits.

8.  SM2 Key Derivation Function

   A key derivation function (KDF) is necessary to implement EC
   encryption.

   The SM2PKE KDF is defined in Section 5.4.3 of [I-D.shen-sm2-ecdsa]
   (originally from Section 3.4.3 of [SM2-4]) and SHOULD be used in
   conjunction with an OSCCA-approved hash algorithm, such as SM3 [SM3].

   The pseudocode is provided here for convenience.

8.1.  Prerequisites

   o  H_v() is a hash function that outputs a v-bit long hash value.

8.2.  Inputs

   o  Bit stream "Z"

   o  Length of output key "klen" (an integer less than (2^32 - 1) x v).

8.3.  Output

   o  Key "K" of length "klen"

8.4.  Pseudocode

Tse & Wong                Expires March 2, 2018                 [Page 9]
Internet-Draft                                               August 2017

 KDF (Z, klen) {
   Counter = 0x00000001 [a 32-bit register]
   n = klen / v

   Iterate from i = 1 to Ceil(n)
     Ha[i] = H_v( Z || Counter )
     Counter++

   If n is a whole number
     Ha![Ceil(n)] = Ha[Ceil(n)]
   Else
     Ha![Ceil(n)] = leftmost (klen - (v x Floor(n))) bits of Ha[Ceil(n)]

   K = Ha[1] || Ha[2] || ... || Ha[Ceil(n)-1] || Ha![Ceil(n)]
 }

9.  Encoding of Public and Private Keys

9.1.  Public-Key Packet Formats

   The following algorithm-specific packets are added to Section 5.5.2
   of [RFC4880], "Public-Key Packet Formats", to support SM2DSA and
   SM2PKE.

   This document extends the algorithm-specific portion with the
   following fields.

   Algorithm-Specific Fields for SM2DSA keys:

   o  a variable-length field containing a curve OID, formatted as
      follows:

      *  a one-octet size of the following field; values 0 and 0xFF are
         reserved for future extensions

      *  octets representing a curve OID, described in Section 11

   o  MPI of an EC point representing a public key

   Algorithm-Specific Fields for SM2PKE keys:

   o  a variable-length field containing a curve OID, formatted as
      follows:

      *  a one-octet size of the following field; values 0 and 0xFF are
         reserved for future extensions

      *  octets representing a curve OID, described in Section 11

Tse & Wong                Expires March 2, 2018                [Page 10]
Internet-Draft                                               August 2017

   o  MPI of an EC point representing a public key

   o  a variable-length field containing KDF parameters, formatted as
      follows:

      *  a one-octet size of the following fields; values 0 and 0xff are
         reserved for future extensions

      *  a one-octet value 01, reserved for future extensions

      *  a one-octet hash function ID used with a KDF

   An SM2PKE public key is composed of the same sequence of fields that
   define an SM2DSA key, plus the KDF parameters field.

9.2.  Secret-Key Packet Formats

   The following algorithm-specific packets are added to Section 5.5.3.
   of [RFC4880], "Secret-Key Packet Formats", to support SM2DSA and
   SM2PKE.

   This document extends the algorithm-specific portion with the
   following fields.

   Algorithm-Specific Fields for SM2DSA or SM2PKE secret keys:

   o  an MPI of an integer representing the secret key, which is a
      scalar of the public EC point

10.  Message Encoding with Public Keys

10.1.  Public-Key Encrypted Session Key Packets (Tag 1)

   Section 5.1 of [RFC4880], "Public-Key Encrypted Session Key Packets
   (Tag 1)" is extended to support SM2PKE using the following algorithm
   specific fields for SM2PKE, through applying the KDF described in
   Section 8.

   Algorithm Specific Fields for SM2 encryption:

   o  MPI of SM2 encrypted value "C = (C1 || C2 || C3)", described in
      step A2 of Section 7.2.1. of [I-D.shen-sm2-ecdsa]

   o  A one-octet number giving the hash algorithm used for the
      calculation of "C3", described in step A7 of Section 7.2.1. of
      [I-D.shen-sm2-ecdsa].

Tse & Wong                Expires March 2, 2018                [Page 11]
Internet-Draft                                               August 2017

10.2.  Signature Packet (Tag 2)

10.2.1.  Version 3 Signature Packet Format

   Section 5.2.2 of [RFC4880] define the signature format for "Version 3
   Signature Packet Format".  Similar to ECDSA [RFC6637], no changes in
   the format is necessary for SM2DSA.

10.2.2.  Version 4 Signature Packet Format

   Section 5.2.3 of [RFC4880] define the signature format for "Version 4
   Signature Packet Format".  Similar to ECDSA [RFC6637], no changes in
   the format is necessary for SM2DSA.

11.  SM2 ECC Curve OID

   This section provides the "SM2 Recommended Curve" described in
   [SM2-5] according to the method of [RFC6637].

   The named curves are referenced as a sequence of bytes in this
   document, called throughout, curve OID.  Section 11 describes in
   detail how this sequence of bytes is formed.  The parameter curve OID
   is an array of octets that define a named curve.  The table below
   specifies the exact sequence of bytes for each named curve referenced
   in this document:

   +---------------------+-------+-----------------------+-------------+
   | ASN.1 Object        | OID   | Curve OID bytes in    | Curve name  |
   | Identifier          | len   | hexadecimal           |             |
   |                     |       | representation        |             |
   +---------------------+-------+-----------------------+-------------+
   | 1.2.156.10197.1.301 | 8     | 2A 81 1C CF 55 01 82  | SM2         |
   |                     |       | 2D                    | Recommended |
   +---------------------+-------+-----------------------+-------------+

   The sequence of octets in the third column is the result of applying
   the Distinguished Encoding Rules (DER) to the ASN.1 Object Identifier
   with subsequent truncation.  The truncation removes the two fields of
   encoded Object Identifier.  The first omitted field is one octet
   representing the Object Identifier tag, and the second omitted field
   is the length of the Object Identifier body.

   The complete ASN.1 DER encoding for the SM2 Recommended curve OID is
   "06 08 2A 81 1C CF 55 01 82 2D", from which the first entry in the
   table above is constructed by omitting the first two octets.  Only
   the truncated sequence of octets is the valid representation of a
   curve OID.

Tse & Wong                Expires March 2, 2018                [Page 12]
Internet-Draft                                               August 2017

12.  Compatibility Profiles

12.1.  OSCCA Compliant Profile

   A compliant application MUST implement:

   o  SM2 Recommended Curve

   o  SM2 (SM2DSA and SM2PKE)

   o  SM3

   o  SM4

13.  Security Considerations

   o  Products and services that utilize cryptography are regulated by
      OSCCA [OSCCA]; they must be explicitly approved or certified by
      OSCCA before being allowed to be sold or used in China.

   o  SM2 [SM2] is an elliptic curve cryptosystem (ECC) published by
      OSCCA [OSCCA].  Its security relies on the assumption that the
      elliptic curve discrete logarithm problem (ECLP) is
      computationally infeasible.  With advances in cryptanalysis, new
      attack algorithms may reduce the complexity of ECLP, making it
      easier to attack the SM2 cryptosystem that is considered secure at
      the time this document is published.  You SHOULD check current
      literature to determine if the algorithms in SM2 have been found
      vulnerable.

   o  SM3 [SM3] is a cryptographic hash algorithm published by OSCCA
      [OSCCA].  No formal proof of security is provided.  As claimed in
      [I-D.shen-sm3-hash], the security properties of SM3 are under
      public study.  There are no known feasible attacks against the SM3
      algorithm at the time this document is published.

   o  SM4 [SM4] is a block cipher certified by OSCCA [OSCCA].  No formal
      proof of security is provided.  There are no known feasible
      attacks against SM4 algorithm by the time of publishing this
      document.  On the other hand, there are security concerns with
      regards to side-channel attacks, when the SM4 algorithm is
      implemented in a device [SM4-Power].  For instance, [SM4-Power]
      illustrated an attack by measuring the power consumption of the
      device.  A chosen ciphertext attack, assuming a fixed correlation
      between the sub-keys and data mask, is able to recover the round
      key successfully.  When the SM4 algorithm is implemented in
      hardware, the parameters/keys SHOULD be randomly generated without
      fixed correlation.

Tse & Wong                Expires March 2, 2018                [Page 13]
Internet-Draft                                               August 2017

   o  SM2 has a key length of 512 bits for public key and 256 bits for
      private key.  It is considered an alternative to ECDSA P-256
      [RFC6637].  Its security strength is comparable to a 128-bit
      symmetric key strength [I-D.ietf-msec-mikey-ecc], e.g., AES-128
      [NIST.FIPS.197].

   o  SM3 is a hash function that generates a 256-bit hash value.  It is
      considered as an alternative to SHA-256.

   o  SM4 is a block cipher symmetric algorithm with key length of 128
      bits.  It is considered as an alternative to AES-128
      [NIST.FIPS.197].

   o  Security considerations offered in [RFC6637] and [RFC4880] also
      apply.

14.  IANA Considerations

   The IANA "Pretty Good Privacy (PGP)" registry [RFC8126] has made the
   following assignments for algorithms described in this document,
   namely:

   o  ID XXX of the "Public Key Algorithms" namespace for Section 3

   o  ID XXX of the "Hash Algorithms" namespace for Section 4

   o  ID XXX of the "Symmetric Key Algorithms" namespace for Section 5

15.  Examples

   TODO!

16.  References

16.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
              editor.org/info/rfc2119>.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007, <https://www.rfc-
              editor.org/info/rfc4880>.

Tse & Wong                Expires March 2, 2018                [Page 14]
Internet-Draft                                               August 2017

   [RFC6637]  Jivsov, A., "Elliptic Curve Cryptography (ECC) in
              OpenPGP", RFC 6637, DOI 10.17487/RFC6637, June 2012,
              <https://www.rfc-editor.org/info/rfc6637>.

   [SM2]      Organization of State Commercial Administration of China,
              "Public Key Cryptographic Algorithm SM2 Based on Elliptic
              Curves", December 2010,
              <http://www.oscca.gov.cn/UpFile/2010122214822692.pdf>.

   [SM2-2]    Organization of State Commercial Administration of China,
              "Public Key Cryptographic Algorithm SM2 Based on Elliptic
              Curves -- Part 2: Digital Signature Algorithm", December
              2010,
              <http://www.oscca.gov.cn/UpFile/2010122214822692.pdf>.

   [SM2-4]    Organization of State Commercial Administration of China,
              "Public Key Cryptographic Algorithm SM2 Based on Elliptic
              Curves -- Part 4: Public Key Encryption Algorithm",
              December 2010,
              <http://www.oscca.gov.cn/UpFile/2010122214822692.pdf>.

   [SM2-5]    Organization of State Commercial Administration of China,
              "Public Key Cryptographic Algorithm SM2 Based on Elliptic
              Curves -- Part 5: Parameter definitions", December 2010,
              <http://www.oscca.gov.cn/UpFile/2010122214836668.pdf>.

   [SM3]      Organization of State Commercial Administration of China,
              "SM3 Cryptographic Hash Algorithm", December 2010,
              <http://www.oscca.gov.cn/UpFile/20101222141857786.pdf>.

   [SM4]      Organization of State Commercial Administration of China,
              "SM4 block cipher algorithm", December 2010,
              <http://www.oscca.gov.cn/UpFile/200621016423197990.pdf>.

16.2.  Informative References

   [GB15629.11-2003]
              Standardization Administration of the People's Republic of
              China, "Information technology -- Telecommunications and
              information exchange between systems -- Local and
              metropolitan area networks -- Specific requirements --
              Part 11: Wireless LAN Medium Access Control (MAC) and
              Physical Layer (PHY) Specifications", May 2003,
              <http://www.gb688.cn/bzgk/gb/
              newGbInfo?hcno=74B9DD11287E72408C19C4D3A360D1BD>.

Tse & Wong                Expires March 2, 2018                [Page 15]
Internet-Draft                                               August 2017

   [GMT-0003.1-2012]
              Organization of State Commercial Administration of China,
              "GM/T 0003.1-2012: Public Key Cryptographic Algorithm SM2
              Based on Elliptic Curves Part 1: General", March 2012,
              <http://www.oscca.gov.cn/Column/Column_32.htm>.

   [I-D.ietf-msec-mikey-ecc]
              Milne, A., "ECC Algorithms for MIKEY", draft-ietf-msec-
              mikey-ecc-03 (work in progress), June 2007.

   [I-D.shen-sm2-ecdsa]
              Shen, S., Shen, S., and X. Lee, "SM2 Digital Signature
              Algorithm", draft-shen-sm2-ecdsa-02 (work in progress),
              February 2014.

   [I-D.shen-sm3-hash]
              Shen, S. and S. Shen, "SM3 Hash function", draft-shen-
              sm3-hash-01 (work in progress), February 2014.

   [NIST.FIPS.180-4]
              National Institute of Standards and Technology, "FIPS
              180-4 Secure Hash Standard (SHS)", August 2015,
              <http://dx.doi.org/10.6028/NIST.FIPS.180-4>.

   [NIST.FIPS.197]
              National Institute of Standards and Technology, "FIPS 197
              Advanced Encryption Standard (AES)", November 2001,
              <https://doi.org/10.6028/NIST.FIPS.197>.

   [NIST.SP.800-56Ar2]
              Barker, B., Chen, L., Roginsky, A., and M. Smid, "SP
              800-56Ar2 Recommendation for Pair-Wise Key Establishment
              Schemes Using Discrete Logarithm Cryptography", May 2013,
              <http://dx.doi.org/10.6028/NIST.SP.800-56Ar2>.

   [OSCCA]    Organization of State Commercial Administration of China,
              "Organization of State Commercial Administration of
              China", May 2017, <http://www.oscca.gov.cn>.

   [RFC6150]  Turner, S. and L. Chen, "MD4 to Historic Status",
              RFC 6150, DOI 10.17487/RFC6150, March 2011,
              <https://www.rfc-editor.org/info/rfc6150>.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, DOI 10.17487/RFC8126, June 2017,
              <https://www.rfc-editor.org/info/rfc8126>.

Tse & Wong                Expires March 2, 2018                [Page 16]
Internet-Draft                                               August 2017

   [SEC1]     Standards for Efficient Cryptography Group, "SEC 1:
              Elliptic Curve Cryptography", September 2010,
              <http://www.secg.org/SEC1-Ver-1.0.pdf>.

   [SM2-3]    Organization of State Commercial Administration of China,
              "Public Key Cryptographic Algorithm SM2 Based on Elliptic
              Curves -- Part 3: Key Exchange Protocol", December 2010,
              <http://www.oscca.gov.cn/UpFile/2010122214822692.pdf>.

   [SM2-DSA-Lattice]
              Cao, W., Feng, J., Zhu, S., Chen, H., Wu, W., Han, X., and
              X. Zheng, "Practical Lattice-Based Fault Attack and
              Countermeasure on SM2 Signature Algorithm", November 2016,
              <https://doi.org/10.1007/978-3-319-29814-6_6>.

   [SM2-DSA-Nonces]
              Liu, M., Chen, J., and H. Li, "Partially Known Nonces and
              Fault Injection Attacks on SM2 Signature Algorithm",
              November 2013,
              <https://dx.doi.org/10.1007/978-3-319-12087-4_22>.

   [SM2-DSA-Nonces2]
              Chen, J., Liu, M., Shi, H., and H. Li, "Mind Your Nonces
              Moving: Template-Based Partially-Sharing Nonces Attack on
              SM2 Digital Signature Algorithm", November 2015,
              <https://doi.acm.org/10.1145/2714576.2714587>.

   [SM2-KEP-Comments]
              Xu, X. and D. Feng, "Comments on the SM2 Key Exchange
              Protocol", December 2011,
              <https://dx.doi.org/10.1007/978-3-642-25513-7_12>.

   [SM3-Boomerang]
              Bai, D., Yu, H., Wang, G., and X. Wang, "Improved
              Boomerang Attacks on Round-Reduced SM3 and Keyed
              Permutation of BLAKE-256", April 2015,
              <https://doi.org/10.1049/iet-ifs.2013.0380>.

   [SM4-Power]
              Du, Z., Wu, Z., Wang, M., and J. Rao, "Improved chosen-
              plaintext power analysis attack against SM4 at the round-
              output", October 2015,
              <http://dx.doi.org/10.6028/NIST.FIPS.180-4>.

Tse & Wong                Expires March 2, 2018                [Page 17]
Internet-Draft                                               August 2017

Appendix A.  Acknowledgements

   The authors would like to thank the following persons for their
   valuable advice and input.

   o  Jack Lloyd and Daniel Wyatt of the Ribose rnp team for their input
      and implementation

Authors' Addresses

   Ronald Henry Tse
   Ribose
   Suite 1111, 1 Pedder Street
   Central, Hong Kong
   Hong Kong

   Email: ronald.tse@ribose.com
   URI:   https://www.ribose.com

   Dr. Wai Kit Wong
   Hang Seng Management College
   Hang Shin Link, Siu Lek Yuen
   Shatin, New Territories
   Hong Kong

   Email: wongwk@hsmc.edu.hk
   URI:   https://www.hsmc.edu.hk

Tse & Wong                Expires March 2, 2018                [Page 18]