[PATCH] sm3: implement SM3 hash algorithm
Jia Zhang
qianyue.zj at alibaba-inc.com
Sun Oct 15 18:40:15 CEST 2017
On 2017/10/16 12:17 AM, Weikeng Chen wrote:
> I think now the two questions are:
>
> (1) following the common practice of gcrypt, what requirement should be
> met to add a new hash function?
>
> (2) there are very few resources available for SM3 -- even the Chinese
> resource. This makes it really hard to double check and make code
> review. The problem is, there is no English official release? This is a
Here is a copy of the English version of the SM3 spec.
https://tools.ietf.org/html/draft-shen-sm3-hash-01
Jia
> very crucial step because open-source community is very international.
>
> Weikeng
>
> On Oct 15, 2017 8:31 AM, "张佳(乾越)" <qianyue.zj at alibaba-inc.com> wrote:
>
> Plz search "Trusted Platform Module Library" spec rev 1.38 for the
> references to SM3. Also, I have a working TPM 2.0 hardware showing
> the capability of support on sm3.
>
> $tpm2_dump_capability -c algorithms | grep 'hash:\s*set' -B 3
> TPMA_ALGORITHM for ALG_ID: 0x4 - sha1
> asymmetric: clear
> symmetric: clear
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0x5 - hmac
> asymmetric: clear
> symmetric: clear
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0x7 - mgf1
> asymmetric: clear
> symmetric: clear
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0x8 - keyedhash
> asymmetric: clear
> symmetric: clear
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0xa - xor
> asymmetric: clear
> symmetric: set
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0xb - sha256
> asymmetric: clear
> symmetric: clear
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0x12 - sm3_256
> asymmetric: clear
> symmetric: clear
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0x20 - kdf1_sp800_56a
> asymmetric: clear
> symmetric: clear
> hash: set
> --
> TPMA_ALGORITHM for ALG_ID: 0x22 - kdf1_sp800_108
> asymmetric: clear
> symmetric: clear
> hash: set
>
> Jia
>
> ------------------------------------------------------------------
> From: Weikeng Chen <w.k at berkeley.edu>
> Sent: Sunday, October 15, 2017 16:47
> To: R0b0t1 <r030t1 at gmail.com>
> Cc: 张佳(乾越) <qianyue.zj at alibaba-inc.com>; wk <wk at gnupg.org>; gcrypt-devel <gcrypt-devel at gnupg.org>
> Subject: Re: [PATCH] sm3: implement SM3 hash algorithm
>
> I think it is unlikely that SM3 contains a backdoor.
>
> It is intended to be used in governments and mission-critical devices.
> There is no reason to use something dangerous (then U.S. can break?).
> And it is generally not that easy to add a backdoor in a symmetric
> algorithm if we obtain randomness from a physical source.
>
>
> gcrypt cannot have all new functions -- otherwise, why not balloon
> hashing and scrypt (the latter is used in many kinds of
> cryptocurrency)?
>
>
>
> On Sat, Oct 14, 2017 at 1:16 PM, R0b0t1 <r030t1 at gmail.com> wrote:
> > On Sat, Oct 14, 2017 at 12:05 PM, 张佳(乾越) <qianyue.zj at alibaba-inc.com> wrote:
> >> Hi Werner,
> >>
> >> This is the review request for SM3 hash algorithm. Plz see the commit
> >> header and patch for more details.
> >>
> >> SM3 hash algorithm is already accepted and supported by TPM 2.0 spec.
> >> So it is necessary to implement this algorithm in a famous open source
> >> software for checking the digest value computed by TPM.
> >>
> >> Plz refer to this PR (https://github.com/gpg/libgcrypt/pull/2) for code
> >> review.
> >>
> >> Thanks,
> >> Jia
> >>
> >
> > Jia,
> >
> > It is my understanding that SM3 was not accepted into any
> global TPM
> > specification and is merely mandated for use within China.
> >
> > My research on SM3 has turned up only one detailed cryptanalysis of
> > the function.[1] That cryptanalysis implies that the techniques used
> > to "strengthen" SM3 do not accomplish what the creators claim, and may
> > even weaken the hash function when compared to its inspiration, SHA-2.
> >
> > Less detailed analysis[3] of the claims presented by the creators
> > reflect poorly on their work. For starters, none of the techniques
> > meant to increase the security of SM3 are explained. Their utility is
> > unknown, and a cursory glance shows that in at least one case a round
> > operation is simplified. Perhaps more distressing is the selection of
> > constants with no justification.
> >
> > It seems very likely that the algorithm has undisclosed backdoors.
> >
> > Also pertinent is the existence of GmSSL,[3] a fork of OpenSSL which
> > contains various cryptographic standards developed by the Chinese
> > government that were, presumably, not deemed fit for inclusion in
> > OpenSSL.
> >
> > Inclusion of weak cryptography in gcrypt would be a disservice to
> > those users which trust gcrypt with their life. I understand I am not
> > the person to whom you addressed your message, nor am I a gcrypt
> > developer, but I felt it necessary to reply to this conversation.
> >
> > Respectfully,
> > R0b0t1
> >
> >
> > [1]: https://eprint.iacr.org/2012/274.pdf, also attached.
> > [2]: https://tinycrypt.wordpress.com/2017/02/22/asmcodes-sm3/
> > [3]: http://gmssl.org/
> >
> > _______________________________________________
> > Gcrypt-devel mailing list
> > Gcrypt-devel at gnupg.org
> > http://lists.gnupg.org/mailman/listinfo/gcrypt-devel
> >
>
>
>
> --
>
> Weikeng Chen @ 795 Soda Hall
>
>