SM2

doc/crypt.tex

@@ -2998,6 +2998,7 @@ \subsection{Hash Registration}
       \hline RIPEMD-256 & rmd160\_desc & 32 & 13 \\
       \hline BLAKE2S-256 & blake2s\_256\_desc & 32 & 24 \\
       \hline BLAKE2B-256 & blake2b\_256\_desc & 32 & 26 \\
+      \hline SM3 & sm3\_desc & 32 & 34 \\
       \hline SHA-512/224 & sha512\_224\_desc & 28 & 15 \\
       \hline Keccak224 & keccak\_224\_desc & 28 & 29 \\
       \hline SHA3-224 & sha3\_224\_desc & 28 & 17 \\
@@ -3224,7 +3225,7 @@ \subsection{KangarooTwelve}
 These hashes are provided for completeness and they still can be used for the purposes of password hashing or one-way accumulators
 (e.g. Yarrow).
 
-The other hashes such as the SHA-2 (that includes SHA-512, SHA-512/384, SHA-384, SHA-512/256, SHA-256 and SHA-224), TIGER-192 and TIGER2-192 are still
+The other hashes such as the SHA-2 (that includes SHA-512, SHA-512/384, SHA-384, SHA-512/256, SHA-256 and SHA-224), SM3, TIGER-192 and TIGER2-192 are still
 considered secure for all purposes you would normally use a hash for.
 
 \chapter{Checksum Functions}
@@ -5278,6 +5279,7 @@ \chapter{Elliptic Curve Cryptography - $GF(p)$}
 \hline \texttt{secp224k1}       &                                      & 1.3.132.0.32          \\
 \hline \texttt{secp256r1}       & nistp256, prime256v1, ECC-256, P-256 & 1.2.840.10045.3.1.7   \\
 \hline \texttt{secp256k1}       &                                      & 1.3.132.0.10          \\
+\hline \texttt{sm2p256v1}       & sm2                                  & 1.2.156.10197.1.301   \\
 \hline \texttt{secp384r1}       & nistp384, ECC-384, P-384             & 1.3.132.0.34          \\
 \hline \texttt{secp521r1}       & nistp521, ECC-521, P-521             & 1.3.132.0.35          \\
 \hline \texttt{prime239v1}      &                                      & 1.2.840.10045.3.1.4   \\
@@ -5908,6 +5910,47 @@ \subsection{Signature Formats}
 the option to use \code{LTC\_ECCSIG\_ANSIX962}. Also it is possible to disable \code{LTC\_SSH} which will disable
 the option to use \code{LTC\_ECCSIG\_RFC5656}.
 
+\mysection{Signatures (SM2)}
+The library also provides helpers for the \textit{SM2} signature scheme. In contrast to the hash-level \textit{ECDSA} API,
+these functions operate on the original message and the signer identifier (application-defined user ID bound into ZA). Internally they compute the SM2 message digest
+\textit{Hash(ZA || M)}, where \textit{ZA} is the SM2 digest of the signer identifier, curve parameters, and public key, and produce or verify a DER-encoded \textit{(r, s)} signature. Standard deployments typically use
+the built-in curve \texttt{sm2p256v1} together with the \textit{SM3} hash. These SM2 functions accept only keys on the built-in
+\texttt{sm2p256v1} curve.
+
+\textbf{NOTE:} These functions require \code{LTC\_DER}.
+
+\subsection{Signature Generation}
+\index{ecc\_sign\_sm2()}
+\begin{verbatim}
+int ecc_sign_sm2(const unsigned char *id, unsigned long idlen,
+                 const unsigned char *msg, unsigned long msglen,
+                 unsigned char *out, unsigned long *outlen,
+                 prng_state *prng, int wprng, int hash_idx,
+                 const ecc_key *key);
+\end{verbatim}
+
+This function signs the message in \code{msg} of length \code{msglen} octets using the signer identifier (application-defined user ID bound into ZA) \code{id} of
+length \code{idlen} octets. The resulting DER-encoded signature is stored in \code{out}. The \code{hash\_idx} parameter
+selects the hash used for both \code{ZA} and the message digest. If \code{hash\_idx} is \code{-1}, the default \textit{SM3}
+hash is used. Other hashes are supported for compatibility and testing, but should only rarely be used in practice. The
+\code{key} must be a private ECC key on the built-in \texttt{sm2p256v1} curve.
+
+\subsection{Signature Verification}
+\index{ecc\_verify\_sm2()}
+\begin{verbatim}
+int ecc_verify_sm2(const unsigned char *id, unsigned long idlen,
+                   const unsigned char *msg, unsigned long msglen,
+                   const unsigned char *sig, unsigned long siglen,
+                   int hash_idx, int *stat, const ecc_key *key);
+\end{verbatim}
+
+This function verifies the DER-encoded signature in \code{sig} against the message in \code{msg} and the signer identifier
+(application-defined user ID bound into ZA) \code{id}. The same identifier and hash must be used as during signature generation. The result is stored in \code{stat},
+which is set to a non-zero value if the signature is valid. If \code{hash\_idx} is \code{-1}, the default \textit{SM3}
+hash is used. Other hashes are supported for compatibility and testing, but should only rarely be used in practice. The
+\code{key} must contain the corresponding public key (or the private key matching that public key) on the built-in
+\texttt{sm2p256v1} curve.
+
 \mysection{Shared Secret (ECDH)}
 To construct a Diffie-Hellman shared secret with a private and public ECC key, use the following function:
 \index{ecc\_shared\_secret()}
@@ -5973,6 +6016,39 @@ \subsection{Encryption Format}
 }
 \end{verbatim}
 
+\mysection{Encrypt and Decrypt (SM2)}
+The library also provides \textit{SM2} public-key encryption. The interface uses the raw SM2 ciphertext layout
+\code{C1 || C3 || C2}, not the ASN.1 wrapper used by \code{ecc\_encrypt\_key()}. These SM2 functions accept only keys on the
+built-in \texttt{sm2p256v1} curve.
+
+\subsection{Encryption}
+\index{ecc\_encrypt\_key\_sm2()}
+\begin{verbatim}
+int ecc_encrypt_key_sm2(const unsigned char *in, unsigned long inlen,
+                        unsigned char *out, unsigned long *outlen,
+                        prng_state *prng, int wprng, int hash_idx,
+                        const ecc_key *key);
+\end{verbatim}
+
+This function encrypts the plaintext in \code{in} using the recipient public key in \code{key}. The \code{hash\_idx}
+parameter selects the hash used by the SM2 KDF and for computing \code{C3}. If \code{hash\_idx} is \code{-1}, the default
+\textit{SM3} hash is used. Other hashes are supported for compatibility and testing, but should only rarely be used in
+practice. The ciphertext is written to \code{out} in \code{C1 || C3 || C2} format, where \code{C1} is the ephemeral public
+point, \code{C3} is the authentication hash, and \code{C2} is the masked plaintext.
+
+\subsection{Decryption}
+\index{ecc\_decrypt\_key\_sm2()}
+\begin{verbatim}
+int ecc_decrypt_key_sm2(const unsigned char *in, unsigned long inlen,
+                        unsigned char *out, unsigned long *outlen,
+                        int hash_idx, const ecc_key *key);
+\end{verbatim}
+
+This function decrypts an SM2 ciphertext in \code{C1 || C3 || C2} format using the recipient private key in \code{key}.
+The \code{hash\_idx} parameter must match the hash used during encryption. If \code{hash\_idx} is \code{-1}, the default
+\textit{SM3} hash is used. Other hashes are supported for compatibility and testing, but should only rarely be used in
+practice. The function verifies \code{C3} before returning the recovered plaintext in \code{out}.
+
 \chapter{Elliptic Curve Cryptography - $Montgomery/Twisted Edwards$}
 \mysection{Introduction}
 

libtomcrypt_VS2008.vcproj

@@ -903,6 +903,10 @@
 				RelativePath="src\hashes\sha3_test.c"
 				>
 			</File>
+			<File
+				RelativePath="src\hashes\sm3.c"
+				>
+			</File>
 			<File
 				RelativePath="src\hashes\tiger.c"
 				>
@@ -2590,6 +2594,10 @@
 					RelativePath="src\pk\ecc\ecc_sizes.c"
 					>
 				</File>
+				<File
+					RelativePath="src\pk\ecc\ecc_sm2.c"
+					>
+				</File>
 				<File
 					RelativePath="src\pk\ecc\ecc_ssh_ecdsa_encode_name.c"
 					>

makefile.mingw

@@ -73,7 +73,7 @@ src/hashes/sha1_desc.o src/hashes/sha1_x86.o src/hashes/sha2/sha224.o src/hashes
 src/hashes/sha2/sha224_x86.o src/hashes/sha2/sha256.o src/hashes/sha2/sha256_desc.o \
 src/hashes/sha2/sha256_x86.o src/hashes/sha2/sha384.o src/hashes/sha2/sha512.o \
 src/hashes/sha2/sha512_224.o src/hashes/sha2/sha512_256.o src/hashes/sha3.o src/hashes/sha3_test.o \
-src/hashes/tiger.o src/hashes/whirl/whirl.o src/mac/blake2/blake2bmac.o \
+src/hashes/sm3.o src/hashes/tiger.o src/hashes/whirl/whirl.o src/mac/blake2/blake2bmac.o \
 src/mac/blake2/blake2bmac_file.o src/mac/blake2/blake2bmac_memory.o \
 src/mac/blake2/blake2bmac_memory_multi.o src/mac/blake2/blake2bmac_test.o src/mac/blake2/blake2smac.o \
 src/mac/blake2/blake2smac_file.o src/mac/blake2/blake2smac_memory.o \
@@ -200,8 +200,8 @@ src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_rfc6979_key.o src/pk/ecc/ecc_set_cur
 src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o \
 src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
 src/pk/ecc/ecc_sign_hash_rfc5656.o src/pk/ecc/ecc_sign_hash_rfc7518.o src/pk/ecc/ecc_sign_hash_x962.o \
-src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o \
-src/pk/ecc/ecc_verify_hash_eth27.o src/pk/ecc/ecc_verify_hash_internal.o \
+src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_sm2.o src/pk/ecc/ecc_ssh_ecdsa_encode_name.o \
+src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ecc_verify_hash_eth27.o src/pk/ecc/ecc_verify_hash_internal.o \
 src/pk/ecc/ecc_verify_hash_rfc5656.o src/pk/ecc/ecc_verify_hash_rfc7518.o \
 src/pk/ecc/ecc_verify_hash_x962.o src/pk/ecc/ltc_ecc_export_point.o src/pk/ecc/ltc_ecc_import_point.o \
 src/pk/ecc/ltc_ecc_is_point.o src/pk/ecc/ltc_ecc_is_point_at_infinity.o src/pk/ecc/ltc_ecc_map.o \
@@ -240,12 +240,13 @@ src/stream/sosemanuk/sosemanuk_memory.o src/stream/sosemanuk/sosemanuk_test.o
 #List of test objects to compile
 TOBJECTS=tests/argon2_test.o tests/base16_test.o tests/base32_test.o tests/base64_test.o \
 tests/bcrypt_test.o tests/cipher_hash_test.o tests/common.o tests/deprecated_test.o tests/der_test.o \
-tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/ed25519_test.o tests/file_test.o tests/mac_test.o \
-tests/misc_test.o tests/modes_test.o tests/mpi_test.o tests/multi_test.o \
-tests/no_null_termination_check_test.o tests/no_prng.o tests/padding_test.o tests/pem_test.o \
-tests/pk_oid_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o tests/pkcs_1_oaep_test.o \
-tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o tests/rotate_test.o tests/rsa_test.o \
-tests/scrypt_test.o tests/ssh_test.o tests/store_test.o tests/test.o tests/x25519_test.o
+tests/dh_test.o tests/dsa_test.o tests/ecc_sm2_test.o tests/ecc_test.o tests/ed25519_test.o \
+tests/file_test.o tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o \
+tests/multi_test.o tests/no_null_termination_check_test.o tests/no_prng.o tests/padding_test.o \
+tests/pem_test.o tests/pk_oid_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o \
+tests/pkcs_1_oaep_test.o tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o \
+tests/rotate_test.o tests/rsa_test.o tests/scrypt_test.o tests/ssh_test.o tests/store_test.o tests/test.o \
+tests/x25519_test.o
 
 #The following headers will be installed by "make install"
 HEADERS_PUB=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \

makefile.msvc

@@ -66,7 +66,7 @@ src/hashes/sha1_desc.obj src/hashes/sha1_x86.obj src/hashes/sha2/sha224.obj src/
 src/hashes/sha2/sha224_x86.obj src/hashes/sha2/sha256.obj src/hashes/sha2/sha256_desc.obj \
 src/hashes/sha2/sha256_x86.obj src/hashes/sha2/sha384.obj src/hashes/sha2/sha512.obj \
 src/hashes/sha2/sha512_224.obj src/hashes/sha2/sha512_256.obj src/hashes/sha3.obj src/hashes/sha3_test.obj \
-src/hashes/tiger.obj src/hashes/whirl/whirl.obj src/mac/blake2/blake2bmac.obj \
+src/hashes/sm3.obj src/hashes/tiger.obj src/hashes/whirl/whirl.obj src/mac/blake2/blake2bmac.obj \
 src/mac/blake2/blake2bmac_file.obj src/mac/blake2/blake2bmac_memory.obj \
 src/mac/blake2/blake2bmac_memory_multi.obj src/mac/blake2/blake2bmac_test.obj src/mac/blake2/blake2smac.obj \
 src/mac/blake2/blake2smac_file.obj src/mac/blake2/blake2smac_memory.obj \
@@ -193,8 +193,8 @@ src/pk/ecc/ecc_recover_key.obj src/pk/ecc/ecc_rfc6979_key.obj src/pk/ecc/ecc_set
 src/pk/ecc/ecc_set_curve_internal.obj src/pk/ecc/ecc_set_key.obj src/pk/ecc/ecc_shared_secret.obj \
 src/pk/ecc/ecc_sign_hash.obj src/pk/ecc/ecc_sign_hash_eth27.obj src/pk/ecc/ecc_sign_hash_internal.obj \
 src/pk/ecc/ecc_sign_hash_rfc5656.obj src/pk/ecc/ecc_sign_hash_rfc7518.obj src/pk/ecc/ecc_sign_hash_x962.obj \
-src/pk/ecc/ecc_sizes.obj src/pk/ecc/ecc_ssh_ecdsa_encode_name.obj src/pk/ecc/ecc_verify_hash.obj \
-src/pk/ecc/ecc_verify_hash_eth27.obj src/pk/ecc/ecc_verify_hash_internal.obj \
+src/pk/ecc/ecc_sizes.obj src/pk/ecc/ecc_sm2.obj src/pk/ecc/ecc_ssh_ecdsa_encode_name.obj \
+src/pk/ecc/ecc_verify_hash.obj src/pk/ecc/ecc_verify_hash_eth27.obj src/pk/ecc/ecc_verify_hash_internal.obj \
 src/pk/ecc/ecc_verify_hash_rfc5656.obj src/pk/ecc/ecc_verify_hash_rfc7518.obj \
 src/pk/ecc/ecc_verify_hash_x962.obj src/pk/ecc/ltc_ecc_export_point.obj src/pk/ecc/ltc_ecc_import_point.obj \
 src/pk/ecc/ltc_ecc_is_point.obj src/pk/ecc/ltc_ecc_is_point_at_infinity.obj src/pk/ecc/ltc_ecc_map.obj \
@@ -233,12 +233,13 @@ src/stream/sosemanuk/sosemanuk_memory.obj src/stream/sosemanuk/sosemanuk_test.ob
 #List of test objects to compile
 TOBJECTS=tests/argon2_test.obj tests/base16_test.obj tests/base32_test.obj tests/base64_test.obj \
 tests/bcrypt_test.obj tests/cipher_hash_test.obj tests/common.obj tests/deprecated_test.obj tests/der_test.obj \
-tests/dh_test.obj tests/dsa_test.obj tests/ecc_test.obj tests/ed25519_test.obj tests/file_test.obj tests/mac_test.obj \
-tests/misc_test.obj tests/modes_test.obj tests/mpi_test.obj tests/multi_test.obj \
-tests/no_null_termination_check_test.obj tests/no_prng.obj tests/padding_test.obj tests/pem_test.obj \
-tests/pk_oid_test.obj tests/pkcs_1_eme_test.obj tests/pkcs_1_emsa_test.obj tests/pkcs_1_oaep_test.obj \
-tests/pkcs_1_pss_test.obj tests/pkcs_1_test.obj tests/prng_test.obj tests/rotate_test.obj tests/rsa_test.obj \
-tests/scrypt_test.obj tests/ssh_test.obj tests/store_test.obj tests/test.obj tests/x25519_test.obj
+tests/dh_test.obj tests/dsa_test.obj tests/ecc_sm2_test.obj tests/ecc_test.obj tests/ed25519_test.obj \
+tests/file_test.obj tests/mac_test.obj tests/misc_test.obj tests/modes_test.obj tests/mpi_test.obj \
+tests/multi_test.obj tests/no_null_termination_check_test.obj tests/no_prng.obj tests/padding_test.obj \
+tests/pem_test.obj tests/pk_oid_test.obj tests/pkcs_1_eme_test.obj tests/pkcs_1_emsa_test.obj \
+tests/pkcs_1_oaep_test.obj tests/pkcs_1_pss_test.obj tests/pkcs_1_test.obj tests/prng_test.obj \
+tests/rotate_test.obj tests/rsa_test.obj tests/scrypt_test.obj tests/ssh_test.obj tests/store_test.obj tests/test.obj \
+tests/x25519_test.obj
 
 #The following headers will be installed by "make install"
 HEADERS_PUB=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \

makefile.unix

@@ -87,7 +87,7 @@ src/hashes/sha1_desc.o src/hashes/sha1_x86.o src/hashes/sha2/sha224.o src/hashes
 src/hashes/sha2/sha224_x86.o src/hashes/sha2/sha256.o src/hashes/sha2/sha256_desc.o \
 src/hashes/sha2/sha256_x86.o src/hashes/sha2/sha384.o src/hashes/sha2/sha512.o \
 src/hashes/sha2/sha512_224.o src/hashes/sha2/sha512_256.o src/hashes/sha3.o src/hashes/sha3_test.o \
-src/hashes/tiger.o src/hashes/whirl/whirl.o src/mac/blake2/blake2bmac.o \
+src/hashes/sm3.o src/hashes/tiger.o src/hashes/whirl/whirl.o src/mac/blake2/blake2bmac.o \
 src/mac/blake2/blake2bmac_file.o src/mac/blake2/blake2bmac_memory.o \
 src/mac/blake2/blake2bmac_memory_multi.o src/mac/blake2/blake2bmac_test.o src/mac/blake2/blake2smac.o \
 src/mac/blake2/blake2smac_file.o src/mac/blake2/blake2smac_memory.o \
@@ -214,8 +214,8 @@ src/pk/ecc/ecc_recover_key.o src/pk/ecc/ecc_rfc6979_key.o src/pk/ecc/ecc_set_cur
 src/pk/ecc/ecc_set_curve_internal.o src/pk/ecc/ecc_set_key.o src/pk/ecc/ecc_shared_secret.o \
 src/pk/ecc/ecc_sign_hash.o src/pk/ecc/ecc_sign_hash_eth27.o src/pk/ecc/ecc_sign_hash_internal.o \
 src/pk/ecc/ecc_sign_hash_rfc5656.o src/pk/ecc/ecc_sign_hash_rfc7518.o src/pk/ecc/ecc_sign_hash_x962.o \
-src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_ssh_ecdsa_encode_name.o src/pk/ecc/ecc_verify_hash.o \
-src/pk/ecc/ecc_verify_hash_eth27.o src/pk/ecc/ecc_verify_hash_internal.o \
+src/pk/ecc/ecc_sizes.o src/pk/ecc/ecc_sm2.o src/pk/ecc/ecc_ssh_ecdsa_encode_name.o \
+src/pk/ecc/ecc_verify_hash.o src/pk/ecc/ecc_verify_hash_eth27.o src/pk/ecc/ecc_verify_hash_internal.o \
 src/pk/ecc/ecc_verify_hash_rfc5656.o src/pk/ecc/ecc_verify_hash_rfc7518.o \
 src/pk/ecc/ecc_verify_hash_x962.o src/pk/ecc/ltc_ecc_export_point.o src/pk/ecc/ltc_ecc_import_point.o \
 src/pk/ecc/ltc_ecc_is_point.o src/pk/ecc/ltc_ecc_is_point_at_infinity.o src/pk/ecc/ltc_ecc_map.o \
@@ -254,12 +254,13 @@ src/stream/sosemanuk/sosemanuk_memory.o src/stream/sosemanuk/sosemanuk_test.o
 #List of test objects to compile (all goes to libtomcrypt_prof.a)
 TOBJECTS=tests/argon2_test.o tests/base16_test.o tests/base32_test.o tests/base64_test.o \
 tests/bcrypt_test.o tests/cipher_hash_test.o tests/common.o tests/deprecated_test.o tests/der_test.o \
-tests/dh_test.o tests/dsa_test.o tests/ecc_test.o tests/ed25519_test.o tests/file_test.o tests/mac_test.o \
-tests/misc_test.o tests/modes_test.o tests/mpi_test.o tests/multi_test.o \
-tests/no_null_termination_check_test.o tests/no_prng.o tests/padding_test.o tests/pem_test.o \
-tests/pk_oid_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o tests/pkcs_1_oaep_test.o \
-tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o tests/rotate_test.o tests/rsa_test.o \
-tests/scrypt_test.o tests/ssh_test.o tests/store_test.o tests/test.o tests/x25519_test.o
+tests/dh_test.o tests/dsa_test.o tests/ecc_sm2_test.o tests/ecc_test.o tests/ed25519_test.o \
+tests/file_test.o tests/mac_test.o tests/misc_test.o tests/modes_test.o tests/mpi_test.o \
+tests/multi_test.o tests/no_null_termination_check_test.o tests/no_prng.o tests/padding_test.o \
+tests/pem_test.o tests/pk_oid_test.o tests/pkcs_1_eme_test.o tests/pkcs_1_emsa_test.o \
+tests/pkcs_1_oaep_test.o tests/pkcs_1_pss_test.o tests/pkcs_1_test.o tests/prng_test.o \
+tests/rotate_test.o tests/rsa_test.o tests/scrypt_test.o tests/ssh_test.o tests/store_test.o tests/test.o \
+tests/x25519_test.o
 
 #The following headers will be installed by "make install"
 HEADERS_PUB=src/headers/tomcrypt.h src/headers/tomcrypt_argchk.h src/headers/tomcrypt_cfg.h \