layout |
title |
description |
author |
date |
last_modified |
published |
post |
SM2DSA vs ECDSA |
Comparison of SM2DSA and ECDSA |
Nicola Tuveri |
2020-06-23 20:00 CEST |
2020-06-23 22:55 CEST |
false |
SM2DSA keygen differs in the range for the random secret scalar
The signature generation differs between SM2DSA and ECDSA.
Compare the respective points A3, A5 and A6 in the definitions of the two algorithms below.
Let
- π_π΄ be the (static) secret key of user A
- πΌπ·_π΄ be the distinguishing identifier of user A
- π_π΄ be the hash value of πΌπ·_π΄ (part of the system parameters of elliptic curves and the public key of user A)
- π be the message to be signed
- π»π£() be a cryptographic hash function with π£ bits message digest
- π be the order of a base point πΊ, where π is a prime factor of #πΈ(πΉπ)
- Q = (π₯Q, π¦Q) = [π₯]P denote the scalar multiplication between a scalar π₯ and a EC point P, resulting in a point Q with affine coordinates (π₯Q, π¦Q)
In order to obtain a signature (π, π ) of the message π, user A as a signer should do the following:
- SM2::A1: Set πΜ
= π_π΄ β₯ π;
- SM2::A2: Compute π = π»π£(πΜ
),
- and convert the type of data π to be integer as specified in Clauses 4.2.4 and 4.2.3 of GM/T 0003.1β2012;
- SM2::A3: Generate a random number π β [1, π β 1) using cryptographic RNG
- SM2::A4: Compute (π₯1, π¦1) = [π]πΊ,
- and convert the type of data π₯1 to be integer as specified in Clause 4.2.8 of GM/T 0003.1β2012;
- SM2::A5: Compute π = (π + π₯1) mod π.
- If π = 0 or π + π = π, then go to SM2::A3;
- SM2::A6: Compute π = ((1 + π_π΄)^(-1) β
(π β π β
π_π΄)) mod π.
- If π = 0, then go to SM2::A3;
- SM2::A7: Convert the type of data π, π to be bit strings according to the details in Clause 4.2.2 of GM/T 0003.1β2012.
- Then the signature of message π is (π, π ).
Let
- π_π΄ be the (static) secret key of user A
- π be the message to be signed
- HASH() be the selected cryptographic hash function
- π be the order of a base point πΊ, where π is a prime factor of #πΈ(πΉπ)
- Q = (π₯Q, π¦Q) = [π₯]P denote the scalar multiplication between a scalar π₯ and a EC point P, resulting in a point Q with affine coordinates (π₯Q, π¦Q)
In order to obtain a signature (π, π ) of the message π, user A as a signer should do the following:
- ECDSA::A1: Compute π = HASH(π)
- and convert the output to an integer
- ECDSA::A2: Let π be the π_π leftmost bits of π, where π_π is bitlen(π)
- ECDSA::A3: Generate a random number π β [1, π β 1] using cryptographic RNG
- (notice the upper boundary is inclusive);
- ECDSA::A4: Compute (π₯1, π¦1) = [π]πΊ
- ECDSA::A5: Compute π = π₯1 mod π.
- If π = 0, then go to ECDSA::A3;
- ECDSA::A6: Compute π = (π^(-1) β
(π + π β
π_π΄)) mod π.
- If π = 0, then go to ECDSA::A3;
- ECDSA::A7: Then the signature of message π is (π, π ).
- (notice that (π, -π mod π) is also a valid signature)
Without going into too much details, the algorithms to verify an SM2 key and to verify an ECDSA key, differ given that the definitions of π and π differ.
Sources for this post:
Miscellaneous: