[PATCH] sm3: implement SM3 hash algorithm

张佳(乾越) qianyue.zj at alibaba-inc.com
Sun Oct 15 18:30:47 CEST 2017



On 2017/10/16 at 12:17 AM, Weikeng Chen wrote:
> I think now the two questions are:
>
> (1) following the common practice of gcrypt, what requirement should be
> met to add a new hash function?

I'm quite new to libgcrypt, but I think SM3 would be OK as long as it is 
still not a weak algorithm such as sha1 and md5.

Finally, we seem to not evict sha1 and md5 from the default libgcrypt 
configuration. Generally, they should have to be enabled by explicitly 
specifying, e.g., --enforce-digest-algs=sha1,md5, to let people "trust 
gcrypt with their life".

I mean currently I don't see why sm3 should not be here.

>
> (2) there are very few resources available for SM3 -- even the Chinese
> resource. This makes it really hard to double check and make code
> review. The problem is, there is no English official release? This is a
> very crucial step because open-source community is very international.

After all, SM3 is explicitly supported by the TPM 2.0 spec, assuming TCG is 
not stupid.

Jia

>
> Weikeng
>
> On Oct 15, 2017 8:31 AM, "张佳(乾越)" <qianyue.zj at alibaba-inc.com> wrote:
>
>     Plz search "Trusted Platform Module Library" spec rev 1.38 for the
>     references to SM3. Also, I have a working TPM 2.0 hardware showing
>     the capability of support on sm3.
>
>     $tpm2_dump_capability -c algorithms | grep 'hash:\s*set' -B 3
>     TPMA_ALGORITHM for ALG_ID: 0x4 - sha1
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0x5 - hmac
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0x7 - mgf1
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0x8 - keyedhash
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0xa - xor
>        asymmetric: clear
>        symmetric:  set
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0xb - sha256
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0x12 - sm3_256
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0x20 - kdf1_sp800_56a
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>     --
>     TPMA_ALGORITHM for ALG_ID: 0x22 - kdf1_sp800_108
>        asymmetric: clear
>        symmetric:  clear
>        hash:       set
>
>     Jia
>
>         ------------------------------------------------------------------
>         From: Weikeng Chen <w.k at berkeley.edu>
>         Sent: Sunday, October 15, 2017 16:47
>         To: R0b0t1 <r030t1 at gmail.com>
>         Cc: 张佳(乾越) <qianyue.zj at alibaba-inc.com>; wk <wk at gnupg.org>; gcrypt-devel <gcrypt-devel at gnupg.org>
>         Subject: Re: [PATCH] sm3: implement SM3 hash algorithm
>
>         I think it is unlikely that SM3 contains a backdoor.
>
>         It is intended to be used in governments and mission-critical devices.
>         There is no reason to use something dangerous (then U.S. can break?).
>         And it is generally not that easy to add a backdoor in a symmetric
>         algorithm if we obtain randomness from a physical source.
>
>
>         gcrypt cannot have all new functions -- otherwise, why not balloon
>         hashing and scrypt (the latter is used in many kinds of
>         cryptocurrency)?
>
>
>
>         On Sat, Oct 14, 2017 at 1:16 PM, R0b0t1 <r030t1 at gmail.com> wrote:
>          > On Sat, Oct 14, 2017 at 12:05 PM, 张佳(乾越) <qianyue.zj at alibaba-inc.com> wrote:
>          >> Hi Werner,
>          >>
>          >> This is the review request for SM3 hash algorithm. Plz see the commit
>          >> header and patch for more details.
>          >>
>          >> SM3 hash algorithm is already accepted and supported by TPM 2.0 spec.
>          >> So it is necessary to implement this algorithm in a famous open source
>          >> software for checking the digest value computed by TPM.
>          >>
>          >> Plz refer to this PR (https://github.com/gpg/libgcrypt/pull/2) for code
>          >> review.
>          >>
>          >> Thanks,
>          >> Jia
>          >>
>          >
>          > Jia,
>          >
>          > It is my understanding that SM3 was not accepted into any
>         global TPM
>          > specification and is merely mandated for use within China.
>          >
>          > My research on SM3 has turned up only one detailed cryptanalysis of
>          > the function.[1] That cryptanalysis implies that the techniques used
>          > to "strengthen" SM3 do not accomplish what the creators claim, and may
>          > even weaken the hash function when compared to its inspiration, SHA-2.
>          >
>          > Less detailed analysis[3] of the claims presented by the creators
>          > reflect poorly on their work. For starters, none of the techniques
>          > meant to increase the security of SM3 are explained. Their utility is
>          > unknown, and a cursory glance shows that in at least one case a round
>          > operation is simplified. Perhaps more distressing is the selection of
>          > constants with no justification.
>          >
>          > It seems very likely that the algorithm has undisclosed backdoors.
>          >
>          > Also pertinent is the existence of GmSSL,[3] a fork of OpenSSL which
>          > contains various cryptographic standards developed by the Chinese
>          > government that were, presumably, not deemed fit for inclusion in
>          > OpenSSL.
>          >
>          > Inclusion of weak cryptography in gcrypt would be a disservice to
>          > those users which trust gcrypt with their life. I understand I am not
>          > the person to whom you addressed your message, nor am I a gcrypt
>          > developer, but I felt it necessary to reply to this conversation.
>          >
>          > Respectfully,
>          >      R0b0t1
>          >
>          >
>          > [1]: https://eprint.iacr.org/2012/274.pdf, also attached.
>          > [2]: https://tinycrypt.wordpress.com/2017/02/22/asmcodes-sm3/
>          > [3]: http://gmssl.org/
>          >
>          > _______________________________________________
>          > Gcrypt-devel mailing list
>          > Gcrypt-devel at gnupg.org
>          > http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
>          >
>
>
>
>         --
>
>         Weikeng Chen @ 795 Soda Hall
>
>


