Re: [PATCH] sm3: implement SM3 hash algorithm
qianyue.zj at alibaba-inc.com
Sun Oct 15 17:25:03 CEST 2017
And yes, the author also mentions they used a similar tech for collision attack on SHA-2.
Jia

------------------------------------------------------------------
From: Weikeng Chen <w.k at berkeley.edu>
Sent: Sunday, 15 October 2017 16:18
To: R0b0t1 <r030t1 at gmail.com>
Cc: 张佳(乾越) <qianyue.zj at alibaba-inc.com>; wk <wk at gnupg.org>; gcrypt-devel <gcrypt-devel at gnupg.org>
Subject: Re: [PATCH] sm3: implement SM3 hash algorithm
Finding Collisions for Round-Reduced SM3
On Sat, Oct 14, 2017 at 1:16 PM, R0b0t1 <r030t1 at gmail.com> wrote:
> On Sat, Oct 14, 2017 at 12:05 PM, 张佳(乾越) <qianyue.zj at alibaba-inc.com> wrote:
>> Hi Werner,
>> This is the review request for SM3 hash algorithm. Plz see the commit
>> header and patch for more details.
>> SM3 hash algorithm is already accepted and supported by TPM 2.0 spec.
>> So it is necessary to implement this algorithm in a famous open source
>> software for checking the digest value computed by TPM.
>> Plz refer to this PR (https://github.com/gpg/libgcrypt/pull/2) for code
> It is my understanding that SM3 was not accepted into any global TPM
> specification and is merely mandated for use within China.
> My research on SM3 has turned up only one detailed cryptanalysis of
> the function. That cryptanalysis implies that the techniques used
> to "strengthen" SM3 do not accomplish what the creators claim, and may
> even weaken the hash function when compared to its inspiration, SHA-2.
> Less detailed analysis of the claims presented by the creators
> reflect poorly on their work. For starters, none of the techniques
> meant to increase the security of SM3 are explained. Their utility is
> unknown, and a cursory glance shows that in at least one case a round
> operation is simplified. Perhaps more distressing is the selection of
> constants with no justification.
> It seems very likely that the algorithm has undisclosed backdoors.
> Also pertinent is the existence of GmSSL, a fork of OpenSSL which
> contains various cryptographic standards developed by the Chinese
> government that were, presumably, not deemed fit for inclusion in
> Inclusion of weak cryptography in gcrypt would be a disservice to
> those users which trust gcrypt with their life. I understand I am not
> the person to whom you addressed your message, nor am I a gcrypt
> developer, but I felt it necessary to reply to this conversation.
> : https://eprint.iacr.org/2012/274.pdf, also attached.
> : https://tinycrypt.wordpress.com/2017/02/22/asmcodes-sm3/
> : http://gmssl.org/
Weikeng Chen @ 795 Soda Hall
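For readers following this review who want to see what is actually inside SM3 (the constants, the FF/GG boolean functions and the round structure that the quoted message compares against SHA-2) and to reproduce the "checking the digest value computed by TPM" use case, the following is a compact reference implementation in Python. It is an added example, not code from the submitted libgcrypt patch, from GmSSL or from any other project named above; the initial value, round constants and the "abc" test vector are the ones published in the SM3 standard, and the helper `sm3_matches` is my own assumed way of comparing a locally computed digest against one reported by a TPM.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF

# Initial value and the two round constants published in the SM3 standard.
SM3_IV = (0x7380166F, 0x4914B2B9, 0x172442D7, 0xDA8A0600,
          0xA96F30BC, 0x163138AA, 0xE38DEE4D, 0xB0FB0E4E)
T_EARLY = 0x79CC4519  # used in rounds 0..15
T_LATE = 0x7A879D8A   # used in rounds 16..63


def rotl(x, n):
    """32-bit left rotation; the rotation amount is taken mod 32."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def p0(x):
    return x ^ rotl(x, 9) ^ rotl(x, 17)


def p1(x):
    return x ^ rotl(x, 15) ^ rotl(x, 23)


def ff(j, x, y, z):
    # Parity for the first 16 rounds, majority afterwards.
    return x ^ y ^ z if j < 16 else (x & y) | (x & z) | (y & z)


def gg(j, x, y, z):
    # Parity for the first 16 rounds, choice afterwards.
    return x ^ y ^ z if j < 16 else (x & y) | ((~x) & z & MASK32)


def expand(block):
    """Message expansion: 16 input words -> 68 words W and 64 words W'."""
    w = list(struct.unpack(">16I", block))
    for j in range(16, 68):
        w.append(p1(w[j - 16] ^ w[j - 9] ^ rotl(w[j - 3], 15))
                 ^ rotl(w[j - 13], 7) ^ w[j - 6])
    w1 = [w[j] ^ w[j + 4] for j in range(64)]
    return w, w1


def compress(v, block):
    """One application of the SM3 compression function to a 64-byte block."""
    w, w1 = expand(block)
    a, b, c, d, e, f, g, h = v
    for j in range(64):
        t = T_EARLY if j < 16 else T_LATE
        ss1 = rotl((rotl(a, 12) + e + rotl(t, j)) & MASK32, 7)
        ss2 = ss1 ^ rotl(a, 12)
        tt1 = (ff(j, a, b, c) + d + ss2 + w1[j]) & MASK32
        tt2 = (gg(j, e, f, g) + h + ss1 + w[j]) & MASK32
        d = c
        c = rotl(b, 9)
        b = a
        a = tt1
        h = g
        g = rotl(f, 19)
        f = e
        e = p0(tt2)
    # Davies-Meyer style feed-forward: XOR the new state into the old one.
    return tuple(x ^ y for x, y in zip(v, (a, b, c, d, e, f, g, h)))


def sm3_hex(data: bytes) -> str:
    """SM3 digest of `data` as a lowercase hex string."""
    bit_len = len(data) * 8
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded)) % 64)   # pad to 56 mod 64
    padded += struct.pack(">Q", bit_len)             # 64-bit big-endian length
    v = SM3_IV
    for off in range(0, len(padded), 64):
        v = compress(v, padded[off:off + 64])
    return "".join("%08x" % x for x in v)


def sm3_matches(data: bytes, reported_hex: str) -> bool:
    """Assumed helper: constant-time comparison of a locally computed SM3
    digest with one reported by another component (e.g. a TPM)."""
    return hmac.compare_digest(sm3_hex(data), reported_hex.lower())


if __name__ == "__main__":
    # "abc" is the test vector given in the SM3 standard.
    print(sm3_hex(b"abc"))
```

The round structure makes visible what the quoted message is arguing about: both boolean functions switch from parity to majority/choice after round 16, the two constants are rotated by the round index, and each round mixes the expanded word into both halves of the state before the feed-forward XOR; none of that changes the fact that, for the TPM use case, what matters operationally is that an independent implementation reproduces the standard's vectors before it is trusted to validate a TPM's output.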