(高清版)GB∕T 38635.2-2020 信息安全技术 SM9标识密码算法 第2部分：算法

信息安全技术SM9标识密码算法第2部分：算法2020-04-28发布2020-11-01实施国家市场监督管理总局国家标准化管理委员会I Ⅲ 12规范性引用文件 13术语和定义 1 2 35.1概述 35.2系统参数组 45.3辅助函数 4 6 6 66.3数字签名生成算法流程 7 76.5数字签名验证算法流程 8 97.1系统加密主密钥和用户加密密钥的产生 97.2密钥交换协议 97.3密钥交换协议流程 8密钥封装机制及流程 8.1系统加密主密钥和用户加密密钥的产生 8.2密钥封装算法 8.3密钥封装算法流程 8.4解封装算法 8.5解封装算法流程 9加密算法及流程 9.1系统加密主密钥和用户加密密钥的产生 9.2加密算法 9.3加密算法流程 9.4解密算法 9.5解密算法流程 附录A(资料性附录)算法示例 Ⅲ本部分为GB/T38635的第2部分。引户的私钥由密钥生成中心(KGC)根据主密钥和用户标识计算得出，用户的公钥由用户标识唯一确定，1GB/T38635的本部分规定了SM9标识密码算法中数字签名算法、密钥交换协议、密钥封装机制GB/T17964信息安全技术分组密码算法的工作模式GB/T32907信息安全技术SM4分组密码算法GB/T32915信息安全技术二元序列随机性检测规范GB/T38635.1—2020信息安全技术SM9标识密码算法第1部分：总则开，加密主私钥由密钥生成中心(KGC)秘密保存。KGC用加密主私钥和用户的标识生成用户的加密[GB/T38635.1—2020,定义3.1]2使用户B确信用户A拥有特定秘密密钥的保证。一种认证算法作用于特定的密钥和消息比特串所得出的一段码字，4符号cf:椭圆曲线阶相对于N的余因子。cid:用一个字节表示的曲线的识别符，其中0x10表示F,(素数p>2¹⁹1)上常曲线(即非超奇异曲dsA:用户A的签名私钥。e:从G₁×G₂到Gr的双线性对。G₁:阶为素数N的加法循环群。G₂:阶为素数N的加法循环群。是正整数，《P>:由元素P生成的循环群。[x,y]:不小于x且不大于y的整数的集合。5算法参数与辅助函数第6章规定了一个用椭圆曲线对实现的基于标识的数字签名算法。该算法的签名者持有一个标识和一个相应的签名私钥，该签名私钥由密钥第7章规定了一个用椭圆曲线对实现的基于标识的密钥交换协议。参与密钥交换的发起方用户A和响应方用户B各自持有一个标识和一个相应的加密私钥，加密私钥均由密钥生成中心通过加密主私34数β(若cid的低4位为2);曲线阶的a)初始化一个32比特构成的计数器ct=0x00000001。b)计算hlen=8×[(5×(log₂n))/32]。51)计算Ha;=H,(0x01|Z||ct);e)令Ha=Ha₁IlHaz…ⅡHa[nm-1lHa![mmo],按照GB/T38635.1—2020中7.2.4和f)计算h₁=(Hamod(n—1))+1。b)计算hlen=8×[(5×(log₂n))/32]。c)对i从1～[hlen/v执行：1)计算Ha,=H,(0x02||Z||ct);否则令Ha![nao]为Ha[nmo7最左边的(hlen-(v×Lhlen/v]))e)令Ha=Ha₁IlHa₂IIHafnm₁-1lHa!ru/],按照GB/T38635.1-2020中7.2.4和f)计算h₂=(Hamod(n—1))+1。6输入：比特串K₂(比特长度为K₂_len的密钥),比特串Z(待求取消息认证码的消息)。输出：长度为v的消息认证码数据比特串K。K=H,(Z|K₂)。5.3.6密钥派生函数密钥派生函数的作用是从一个共享的秘密比特串中派生出密钥数据。在密钥协商过程中，密钥派生函数作用在密钥交换所获共享的秘密比特串上，从中产生所需的会话密钥或进一步加密所需的密钥密钥派生函数需要调用密码杂凑函数。设密码杂凑函数为H,(),其输出是长度恰为v比特的杂凑值。密钥派生函数KDF(Z,klen),其中：输入：比特串Z(双方共享的数据),整数klen[表示要获得的密钥数据的比特长度，要求该值小于输出：长度为klen的密钥数据比特串K。计算步骤为：a)初始化一个32比特构成的计数器ct=0x00000001。1)计算Ha;=H,(Z|ct);6数字签名生成和验证算法及流程6.1系统签名主密钥和用户签名密钥的产生KGC产生随机数ks∈[1,N-1]作为签名主私钥，计算G₂中的元素Pps=[ks]P₂作为签名主公KGC选择并公开用一个字节表示的签名私钥生成函数识别符hid。用户A的标识为IDA,为产生用户A的签名私钥dsa,KGC首先在有限域Fn上计算t₁=H₁(IDAlhid,N)+ks,若t₁=0则需重新产生签名主私钥，计算和公开签名主公钥，并更新已有用户的签名私钥；否则计算t₂=k·t₁-¹,然后计算dsa=[t₂]P₁。6.2数字签名生成算法设待签名的消息为比特串M,为了获取消息M的数字签名(h,S),作为签名者的用户A应实现以下运算步骤：A1:计算群Gr中的元素g=e(P₁,Ppuos);A2:产生随机数r∈[1,N-1];A3:计算群Gr中的元素w=g',按照GB/T38635.1—2020中7.2.6和7.2.5给出的细节将w的数据类型转换为比特串；A4:计算整数h=H₂(M||w,N);A5:计算整数l=(r—h)modN,若l=0则返回A2;A6:计算群G₁中的元素S=[l]dsA;A7:按照GB/T38635.1—2020中7.2.2给出的细节，将h的数据类型转换为字节串，按照GB/T38635.1—2020中7.2.8给出的细节将S的数据类型转换为字节串，消息M的签名为(h,S)。7是否B5:计算整数h₁=H₁(IDAl|hid,N8数字签名验证算法流程如图2所示。否是否是否是9用户A和用户B的标识分别为IDA和IDp。为产生用户A的加密私钥dea,KGC首先在有限域A3:计算群G₁中的元素RA=[rA]Qp;用户B:则计算群Gr中的元素g₁=e(RA,dep),g₂=e(Ppme,P₂)'B,g₃=g₁'B,按B6:(选项)计算Sp=Hash(0x82||g₁|Hash(g₂Ilg₃IDA|用户A:则计算群Gr中的元素g₁¹=e(Ppube,P₂)rA,g₂¹=e(Rp,dea),g₃'=(g₂)rA,按照(选项)计算S₁=Hash(0x82|lg₁'l|Hash(g₂'lⅡg₃'||IDA||A7:计算SKA=KDF(IDAl|IDb|RA||Rblg₁'llgz'llg₃',klen);A8:(选项)计算SA=Hash(0x83lg₁'l|Hash(g₂'llg₃'||IDAlIDs发起方用户A的原始数据加密私钥deA和标识/DA、IDg)第1步：计算Q₃=[H₁(Dg/hid,N)]P₁+Ppwb-否是g₁'=e(Pm-,P2)^,g₂'=e(Rg,deA),gg'=(8₂)否SA=Hash(Ox831|g,I|Hash(g₂Ilg₂IIDAIDIIRAI并将SA发送给用户B响应方用户B的原始数据否是8₁=e(RA,den),8₂=e(PpmSKs=KDF(IDAIDIRAIRlg|l8₂lg,klSn=Hash(0x821|g,|IHash(g₂Ig,IDAIDBIRAS₂=Hash(0x83|g||Hash(g₂lg,IDAIIDIIRAIIRp否协商失败KGC产生随机数ke∈[1,N-1]作为加密主私钥，计算G₁中的元素Ppmbe=[ke]P₁作为加密主公用户A和B的标识分别为IDA和IDp。为产生用户A的加密私钥dea,KGC首先在有限域Fn上已有用户的加密私钥；否则计算t₂=ke·t₁-¹,然后计算dea=[t₂]P₂。为产生用户KGC首先在有限域Fn上计算t₃=H₁(IDBllhid,N)+ke,若t₃=0则需重新产生加密主私钥，计算为了封装比特长度为klen的密钥给用户B,作为封装者的用户A需要执行以下运算步骤：A1:计算群G₁中的元素Qp=[H₁(IDglhid,N)]P₁+Ppuse;A2:产生随机数r∈[1,N-1];A3:计算群G₁中的元素C=[r]Qp,按照GB/T38635.1—2020中7.2.8和7.2.5给出的细节将CA4:计算群Gr中的元素g=e(Ppe,P₂);A5:计算群Gr中的元素w=g',按照GB/T38635.1—2020中7.2.6和7.2.5给出的细节将w的数A6:计算K=KDF(C||w||IDp,klen),若K为全0比特串，则返回A2;密钥封装算法流程如图4所示。第6步：计算：K=KDF(C|MIDs,kem)是否B2:计算群Gr中的元素w¹=e(C,dep),按照GB/T38635.1—2020中7.B4:输出密钥K'。否否是是K'=是否全0否第4步：输出密钥K'KGC产生随机数ke∈[1,N-1]作为加密主私钥，计算G₁中的元素Ppube=[ke]P₁作为加密主公用户A和B的标识分别为IDA和IDp。为产生用户A的加密私钥dea,KGC首先在有限域Fn上已有用户的加密私钥；否则计算t₂=ke·t₁-¹,然后计算dea=[t₂]P₂。为产生用户B的加密私钥deg,KGC首先在有限域Fn上计算t₃=H₁(IDgllhid,N)+ke,若t₃=0则需重新产生加密主私钥，为了加密明文M给用户B,作为加密者的用户A应实现以下运算步骤：A1:计算群G₁中的元素QB=[H₁(IDbllhid,N)]P₁+Ppbe。A2:产生随机数r∈[1,N-1]。A3:计算群G₁中的元素C₁=[r]Qg,按照G1)计算整数klen=mlen+K₂_len,然后计算K=KDF(C₁||w||IDp,klen)。令K₁为1)计算整数klen=K₁_len+K₂_len,然后计算K=KDF(C₁||w||IDp,klen)。令0202kk……kklmodk=0A7:计算C₃=MAC(K₂,C₂)。第1步：计算Qg=[H₁(IDg|lhid,N)]P₁+Pm1)计算kHlen=mlen+K₂len,然后计算1)计算klen=K₁_len+K₂len,然后计算是是否否2)计算C₂=MOK2)计算C₂=IV|Enc(K₁,M,I)设mlen为密文C=C₁ⅡC₃lC₂中C₂的比特长度，K₁_len为分组密码算法中密钥K₁的比特长B1:从C中取出比特串C₁,按照GB/T38635.1—2020中7.2.4和7.2.9给出的细节将C₁的数据类型转换为椭圆曲线上的点，按照GB/T38635.1—2020中5.5给出的细节验证C₁∈G₁是否成B2:计算群Gr中的元素w¹=e(C₁,dep),按照GB/T38635.1—2020中7.2.6和7.2.5给出的细节将w'的数据类型转换为比特串。B3:按加密明文的方法分类进行计算：1)计算整数klen=mlen+K₂_len,然后计算K'=KDF(C₁llw'l|IDg,klen)。令K₁'为K'1)计算整数klen=K₁_len+K₂_len,然后计算K'=KDF(C₁|w'||IDp,klen)。令B4:计算u=MAC(K₂',C₂),否是第2步：计算w⁷=e(C₂,deg)1)计算klen=mlen+K₂_len,然后计算K'=KDF(CiIlw'|IDg,klen,令K₁为K'最1)计算klen=K₁_len+K₂_len,然后计算K是否全0K₁是否全02)计算M=C₂ΦK₁2)计算M'=Dec(K₁',C₂)第4步：计算x=MAC(K₂',C₂否是为256比特的杂凑值。余因子cf:1群G₁的生成元P₁=(xp₁,yp)群G₂的生成元P₂=(xp₂,Yp₂)坐标xp₂:(85AEF3D078640C98597B6027B441A01FF1DD2C190F5E93C454806C11D8806141,签名主私钥ks:0130E78459D78545CB54C587E02CF480CEOB66签名主公钥Ppub=[ks]P₂=(xpu,VPubs)实体A的标识IDA:AliceIDA的16进制表示：416C696365在有限域Fn上计算t₁=H(IDAl|hid,N)+ksIDAl|hid:416C69636501H(IDAl|hid,N):2ACC468C3926B0BDB2767E99FF26E084DE9t₁:2ACD7773BD808842F841D35F87070D795F6AF8F3F08C915E760A451186B3F59F坐标xsA:A5702F05CF1315305E2D6EB64BODEB923DB1AOBCFOCAFF90523AC8754AA69820坐标yasA:78559A844411F9825C109F5EE3F52D72ODD01785392A727BB1556952B2B013D3签名步骤中的相关值：待签名消息M:ChineseIBSstandardM的16进制表示：4368696E65736520494253207374616E64617264计算群Gr中的元素g=e(P₁,Ppub-s):28B3404A61908F5D6198838BFFE40A22D529A0C66124B67E0E0C2EED7A6993DCE28FE9AA2EB3129A75D31D17194675A1BC56947920898FB4C744E69C4A2E1C8ED72F796D151A17CE2325B943260FC460B9F73CB584B87422330D7936EABA1109FA5A7A7181EE16F243产生随机数r:033C8616B06704813203DFD00965022ED15975C662337AED648835DC4B1CBE计算群Gr中的元素w=g:8EAF5D179A1836B359A9D1D9BFC19F2EFCDB829328620962BDA543D25609AE943920679194ED30328BB33FD3F012DB04BA59FE88DB889321CC2373D4F8624EB435B838CCA77B2D0347E65D5E46964412A096F4150D8C5EDE5440DDF,0656FCB663D24731E80292188A2471B8B68AA993899268499D23C89755A1A897,898D60848026B7EFB8FCC1B2442ECF0795计算h=H₂(M|w,N)9A1836B359A9D1D9BFC19F2EFCDB829328620962BD3FDF15F2567F5ED30328BB33FD15660BDE485C6B79A7B32B013983F012DB04BA59FE88DB889321CC2373D4C0C35E84F7AB1FF33679BCA575D67654F8624EB435B838CCA77B2D0347E65D5E46964412A096F415E5440DDF0656FCB663D24731E80292188A2471B8B68AA993899268499D23C89755A1A89744643C442ECF0795F8A81CEE99A6248F294C82C90D26BD6A814AAFC8F68E42计算l=(r-h)modN:h:823C4B21E4BD2DFE1ED92C606653E996668563152FC33F55D7BFBB9BD9705ADBS:0473BF96923CE58B6ADOE13E9643A406D8EB98417C50EF1B29CEF9ADB48B6D856712F1C2E0968AB7769F42A9202E3F160C96C160595A1034B51h:2ACC468C3926B0BDB2767E99FF26E084DE9CED8DBC7D5FBF418027B667计算群G₂中的元素P=[h]P₂+Ppubs=(xp,yp)坐标xp:(511F2C823C7484DDFC16BBC53AAD33B78D2429AFCF7F8AD8B72261B4E1FF73B542A69058F4601AC19F237203686368FEC436C13C2B0761F9F9B6E14A36E4)计算群Gr中的元素u=e(S',P):(A97A171304A0316FC8BA21B911289C4371E73B7D2163AC5B44F3B52588EB69A1,1838972BFOCA86E17147468A869A3261FCC27993291663C49DF9B4A82B122412B749BF144341F2E22564506145E0B775FCC7DBDFC714FC8989E0331838142275EAE6B6305C53DC7E4D8AOB7557920B21FA5F2E75B38C44AE8D62318D2BA35F9494189100BCD82F1B1399B0B14867700701409A66ED452DEC4586735CF3631379501DC756466F6F18E3BC002722531AE,计算群Gr中的元素w'=u·t:8EAF5D179A1836B359A9D1D9BFC19F2EFCDBA543D25609AE943920679194ED30328BB33FD15660BDE485C6B79A7B32B013F012DB04BA59FE88DB889321CC2373D4C0C35E84F7A4F8624EB435B838CCA77B2D0347E65D5E4696440656FCB663D24731E80292188A2471B8B68AA993899268499D23C89755A1A897,44643CEAD40F0965F28E1CD2895C3D118E4F898D60848026B7EFB8FCC1B2442ECF0795F8A81CEE99A6248F294C82C90D26BD,GB/T38635.2—2020A.3密钥交换方程参数b:05坐标xp₂:(85AEF3D078640C98597B6027B441A01FF1DD2C190F5E93C454806C11D8806141,加密主公钥Ppub-e=[ke]P₁=(xpuse实体A的标识IDA:AliceIDA的16进制表示：416C696365坐标Xdea:(4C5EC9C8CA8DEBA238CC3E500458F5147911F2251A4BDOAA903BB5F8D5F68AFFFD503C768A765731F62FC3CB7B7705456D40830E868CC17IDB的16进制表示：426F62H(IDBllhid,N):9CB1F6288CE0E51043CE72344582FFC301E0A812A7F5F2004B85547A在有限域Fy上计算t₄=ke·₃-计算QB=[H(IDsIhid,N]P₁+Ppub-e=(xQs,Vos)坐标yRA:02A4E50351092133252BA61609779B455DF9C4A0109ACE241485A955D5B81726计算Rg=[rs]QA=(xrB,Vrg)647BA154C3E8E185DFC33657C1F128D480F3F7E373F21693C66FC23724DB26380C526223C705DAF6BA18B763A68623C86A632B05,8C8E9D8D905780D50E779067F2C4B1861CCD9978617267CE4AD9789F79B1CA08F64712E33AEDA3F44(1052D6E9D13E381909DFF7B2B41E13C987D0A9068423B769480DACCE6A06F492,5FFEB92AD870F97DC0893114DA22A44DBC9E7A8B6CA31A0CF04672C5C3B37E4F2FF83DB33D98C036CED9E2D7C9CD3D5AD630DEFAB0B831506298DBC791D0671CACA12236CDF8F39E15AEB96FAEB39606D5B04AC581746A663D,00DD2B7416BAA91172E89D5309D834F78C1E31B4483BB97185931BAD7BE1B9B5,7EBAC0349F8544469E60C32F6075FB0468A610CC2B561A62B62DA36AEFD60850714F49170FD94A0010C6D4B651B64F3A3A5E,2A430968F16086061904CE201847934B11CA0F9E9528F5A9DOCE8F015C9AEA7934FDDA6D3AB48C8571CE2354B79742AA498CB8CDDE6BD1FA5946345A1A652F6)(A76B6777AD87C9124C7D7065F74808DB2E80242FA31FF8E139FAE169A16992F5F029162664CE78B333324B3B0626D64DCE603F332E9593F62B67A6B002DEB6DD2E7D4FAD3F33C38F202DE204,5327490611B2AE6F849CF779B9B74AD9BA6CF397F61326120777CE4692F85DC2,ADC269D1B62332582D823132A971275477A0CF1DCCF4B2BF096D9110F74E2A0128F65B3651E184BCED030661EE4A8D670FBAE26796E8CDB66F388ED6644AF851,885C7F924CC7CB20968AA50E8230A3B39C2BB5DD4D753D94BE5DD9A4272CF827,4A40AC8FC5B7168FA54AD3D0B81A0F8F50C164366CCDEC1C9A40DCE9F035D89EAEB36F4D31BB6713064CDA8835E2AA4529F42129327C6F7E8AB760654D,58D17E448F6D5CBCA66BD7E33810D270DD3B9436B416C696365426F62767A4BED09FFBB5229D9CAA165548FFA8284A315B15FB02A4E50351092133252BA61609779B455DF9C4A0109ACE241485A955D5B817268168903E4A56DC41A1ABFCD30C57DBOF1A838E3A8F2BF8238029E19434C733BB73F21693C66FC23724DB26380C526223C705DAF6BA18B763A68623C86A632B050E779067F2C4B1C8F83A8B59D735BB52AF35F5662F2E57B48C2FF26D2E90A79A1D86B939B1CA08F64712E33AEDA3F44BD6CB633E0F1052D6E9D13E381909DFF7B2B41E13C987D0A972E89D5309D834F78C1E31B4483BB97185931BAD7BE1B9B57EBAC0349F8544469E60C32F6075FB0468A68147FF013537DF792FFCE024F85710CC2B561A62B62DA36AEFD60850714F49170FD92A430968F16086061904CE201847934B11CAOF9E9528F5A9DOCE8F015C9AEA79934F2E80371C70471580BOC7C457A79EA5E7242FA31FF8E139FAE169A14B3BDB4C682BF9B20626D64DCE603F332E95935327490611B2AE6F849CF779B9B74AD9BA6CF397F6E47B0431831706CB5AFCD75754FA79528F65B3651E184BCED030661EE4A8D670FBAE26796E8CDB66F388ED6644AF851885C7F924CC7CB20968AA50E8230A3B39E2AA4529F42129327C6F7E8AB760654D58D17E448F6D5CBCA66BD7E33810D270DD3B9436计算选项Sp=Hash(0x821lgi₁|Hash(g₂llg3|IDA|IDp|IRAl|RB))1052D6E9D13E381909DFF7B2B41E13C987DO72E89D5309D834F78C1E31B4483BB97185931BAD7BE1B9B57EBAC0349F8544469E60C32F6075FB0468A68147FF013537DF792FFCE024F85710CC2B561A62B62DA36AEFD60850714F49170FD92A430968F16086061904CE201847934B11CAOF9E9528F5A9DOCE8F015C9AEA79934F2E80371C70471580BOC7C457A79EA5E7242FA31FF8E139FAE169A14B3BDB4C682BF9B20626D64DCE603F332E95935327490611B2AE6F849CF779B9B74AD9BA6CF397F6E47B0431831706CB5AFCD75754FA79528F65B3651E184BCED030661EE4A8D670FBAE26796E8CDB6GB/T38635.2—20206F388ED6644AF851885C7F924CC7CB20968AA50E8230A3B39C2BB5DD4D753D94BE5A17C9D11A5A6B148416C696365426F62767A4BED09FFBB5229D9CAA165548FFA8284A315B154887A9AFA5B755FC02A4E50351092133252BA61609779B455DF9C4A0109ACE241485A955D5B81726Hash(g2lg31|IDA|IDB||RB6F6F71EFCEAOE02DF19842228AD50A9EFD7A4B0x82|lgil|Hash(g₂llg3||I8228542FB6954C84BE6A5F2988A31CB6817BA0781966FA83D9673A9577D3C0C1345E27C19FC02ED923479C978BD137230506EA6249C891049E3497477913AB89F5E2960F382B1B5C8EE09DE0FA498BA9D1647BA154C3E8E185DFC33657C1F128D480F3F7E3F16801208029E19434C733BB73F21693C66FC23724DB26380C526223C705DAF6BA18B763A68623C86A632B0552AF35F56730BDE5AC861CCD9978617267CE4AD9789F77A9EFD7A4B2F12DAFE2BE354AD0107547选项SB:E122B3BFA8965562AA0A4A92B671A193352F28328A129BFF45C4DD262EBCB9EE密钥交换步骤A5～A8中的相关值：(28542FB6954C84BE6A5F2988A31CB6817BA0781966FA5E27C19FC02ED9AE37F5BB7BE9C03C2B87DE027539CCF03E6B7D3497477913AB89F5E2960F382B1B5C8EE09DEOFA498BA95C4409D630D343DA40,4FEC93472DA33A4DB6599095COCF895E3A7647BA154C3E8E185DFC33657C1F128D480F3F7E3F16873F21693C66FC23724DB26380C526223C705DAF6BA18B763A68623C86A632B05,8C8E9D8D905780D50E779067F2C4B1C861CCD9978617267CE4AD9789F77739E62F2E57B48C2FF26D2E90A79A1D86B93,9B1CA08F64712E33AEDA3F44计算g₂'=e(Rp,deA):(1052D6E9D13E381909DFF7B2B41E13C987D0A9068423B769485FFEB92AD870F97DC0893114DA22A44DBC9E7A8B6CA31A0CF04672C5C3B37E4F2FF83DB33D98C036CED9E2D7C9CD3D5AD630DEFABOB83150620AE7BF3E1AECOCB67A03440906C7DFB3BC00DD2B7416BAA91172E89D5309D834F78C1E31B4483BB97185931BAD7BE1B9B5,7EBAC0349F8544469E60C32F6075FB0468A68147FF013537DF792FFCE024F857,10CC2B561A62B62DA36AEFD60850714F49170FD2A430968F16086061904CE2018242FA31FF8E139FAE169A16992F5F02910626D64DCE603F332E5327490611B2AE6F849CF779B9B74AADC269D1B62332582D823132A971275477A0CF1DCCF4B2BF096D9110F74EB1ED06502333B2AB1AE697EA34F2EF8C6E428F65B3651E184BCED030661EE4A8D670FBAE26796E8CDB66F388ED6644AF851,35D89EAEB36F4D31BB671306计算选项S₁=Hash(0x82||gi'|Hash(g₂'lg3'|IDA||IDg||RAl|RB))g₂'|lg3'||IDAl|IDBl|GB/T38635.2—2020Hash(g₂'|lg₃||IDA|IDB||RAl|RB):B6F6F71EFCEA0E02DF19842228AD50A9EFD7A4B20x82||gi'|Hash(g₂'llg₃'||IDAl|ID8228542FB6954C84BE6A5F2988A31CB6817BA0781966FA83D9673A23479C978BD137230506EA6249C891049E3497477913AB89F5E2960F382B1B5C8EE09DED1647BA154C3E8E185DFC33657C1F128D480F3F7E3F16801208029E19434C733BB733724DB26380C526223C705DAF6BA18B763A68623C86A632B0552AF35F56730BDE5AC861CCD9978617267CE4AD9789F77739E62F2E57A9EFD7A4B2F12DAFE2BE354AD0107547选项S₁:E122B3BFA8965562AA0A4A92B671A193352F28328A129计算SKA=KDF(IDAllIDpIIRAllRpllgi'lg₂'lg₃',klen)IDAlIDB||RAIRBllgi'l416C696365426F62767A4BED09FFBB5229D9CAA165548FFA8284A315B15FB02A4E50351092133252BA61609779B455DF9C4A0109ACE241485A955D5B817268168903E4A56DC41A1ABFCD30C57DBOF1A838E3A8F2BF823479C978BD138029E19434C733BB73F21693C66FC23724DB2630E779067F2C4B1C8F83A8B59D71052D6E9D13E381909DFF7B2B41E13C987D072E89D5309D834F78C1E31B4483BB97185931BAD7BE1B9B57EBAC0349F8544469E668A68147FF013537DF792FFCE024F85710CC2B561A62B62DA36AEF2E80371C70471580BOC7C457A79EA5E7242FA31FF8E139F5327490611B2AE6F849CF779B9B74AD9BA6CF397F6E47B0431831706CB5AFCD75754FA79528F65B3651E184BCED030661EE4A8D670FBAE26796E8CDB66F388ED6644AF851885C7F924CC7CB20968AA50E8230A3B39E2AA4529F42129327C6F7E8AB760654D58D1SKA:68B20D3077EA6E2B825315836FD计算选项SA=Hash(0x831lgi'|Hash(g₂llg3'|IDAlIDg||RAllRB)):1052D6E9D13E381909DFF7B2B41E13C987D072E89D5309D834F78C1E31B4483BB97185931BAD7BE1B9B57EBAC0349F8544468A68147FF013537DF792FFCE024F85710CC2B561A62B62DA36AEF2A430968F16086061904CE201847934B11CAOF9E9528F5A9DOC571CE2354B79742AA498CB8CDDE6BD1FA5946345AlA652F68228542FB6954C84BE6A5F2988A31CB6817BA0781966FA83D9673A9577D3COC1345E27C19FC02ED9AE37F5BB7BE9C03C9E3497477913AB89F5E2960F382B1B5C8EE09DEOFA498BA95C4409D630D343DA404F4DB6599095COCF895E3A7B993EE5E4EBE3B9AB7D7D5FF2A3D1647BA154C3E8E185DFC33657C1F128D480F3F7E3F16801208029E19434C733BB73F21693C66FC23724DB26380C526223C705DA63A68623C86A632B050F63A071A6D62EA45B59A1942DFF5335D1A232C9C566467CE4AD9789F77739E62F2E57B48C2FFF187A9AFA5B755FC02A4E50351092133252BA61609779B455DF9C4A0109ACE241485A955Hash(g₂'lg₃'|IDAl|IDBl|RAl|RB):B6F6F71EFCEAOE02DF19842228AD50A9EFD7A4B2F12DAFE2BE354ADO1075470x83|lg₁'||Hash(g₂'lg3'||IDAl|ID8328542FB6954C84BE6A5F2988A31CB6817BA0781966FA83D9673A23479C978BD137230506EA6249C891049E3497477913AB89F5E2960F382B1B5C8EE09D1647BA154C3E8E185DFC33657C1F128D480F3F7E3F16801208029E19434C73724DB26380C526223C705DAF6BA18B763A68623C86A632B0552AF35F56730BDE5AC861CCD9978617267CE4AD9789F77A9EFD7A4B2F12DAFE2BE354AD0107547密钥交换步骤B8中的相关值：计算选项S₂=Hash(0x831lgi₁lHash(g₂llg31IDAlIDgl|RAlIRB))1052D6E9D13E381909DFF7B2B41E13C987D072E89D5309D834F78C1E31B4483BB97185931BAD7BE1B9B57EBAC68A68147FF013537DF792FFCE024F85710CC2B561A62B62DA36AEF2E80371C70471580BOC7C457A79EA5E7242FA31FF8E1395327490611B2AE6F849CF779B9B74AD9BA6CF397F6E47B0431831706CB5AFCD75754FA79528F65B3651E184BCED0306616F388ED6644AF851885C7F924CC7CB20968AA50E8230A3B39C2BB5DD4D753D94BE5A17C9D11A5A6B148416C696365426F62767A4BED09FFBB5229D9CAA165548FFA8284A315B4887A9AFA5B755FC02A4E50351092133252BA61609779B455DF9C4A0109ACEHash(g2llg31|IDA|IDB|/RA|Rg):B6F6F71EFCEA0E02DF19842228AD50A9EFD7A4B0x83|lgi|Hash(g₂llg₃||I8328542FB6954C84BE6A5F2988A31CB6817BA0781966FA83D9673A9577D3COC1345E27C19FC02ED923479C978BD137230506EA6249C891049E3497477913AB89F5E2960F382B1B5C8EE09DEOFA498BA9D1647BA154C3E8E185DFC33657C1F128D480F3F7E3F16801208029E19434C733BB733724DB26380C526223C705DAF6BA18B763A68623C86A632B0530选项S₂:6CD5231217E73D80548A1A65DED178493F4282E6E471FE3EF62271EA758470E6基域特征q:B640000002A3A6F1D603AB4FF58EC74521F2934B1A7AEEDBE56F9B27E351457D方程参数b:05余因子cf:1嵌入次数k:12群G₁的生成元P₁=(xp₁,yp)坐标xp₂:(85AEF3D07864A7CF28D519BE3DA65F3双线性对的识别符eid:0x04加密主密钥和用户密钥产生过程中的相关值：加密主公钥Ppub-e=[ke]Pi=(xpube,VPube)加密私钥生成函数识别符hid:0x03在有限域Fn上计算t₁=H₁(IDBI|hid,N)+keH(IDB||hid,N):9CB1F6288CE0E51043CE72344582FFC301E0A812A7F5F2004B85547A24B82716在有限域Fn上计算t₂=ke·t₁-¹t₂:864E4D8391948B37535ECFA44C3F8D4E545ADA502FF8229C7C32F529AF406E06坐标Xdeg:(94736ACD2C8C8796CC4785E93827538A62E7F7BFB51DCE087047密钥封装步骤A1～A7中的相关值：H₁(IDB||hid,N):9CB1F6288CE0E51043CE72344582FFC301E0A812A7F5F2004B85547A24B82716坐标xos:709D165808BOA43E2574E203FA885ABCBAB16A240C4C1916552E7C43D09763B8坐标yog:693269A6BE2456F43333758274786B6051FF87B7F198DA4BAlA2C6E336F51FCC产生随机数r:74015F8489CO1EF4270456F9E6475BFB602BDE7F33FD482AB4E3684A67计算C=[r]QB=(xc,yc)坐标yc:1C9B4C435ECA35AB83BB734174C0F78FDE81A53374AFF3B3602BBC5E37BE9A4C计算g=e(Ppub-e,P₂):A140EAEF3893D574CB83C01D951A53F51975760BE57F3BBD89817498D215B04320190B1E90CEDF6AC570147A23AE6FOEAE45034E6CA504E3B43C1DD36794217FAlB05AC046C41324443BB424B12C41EAF6D34D925205901F5CBA59CFEBA35224660DB378082BB40152DC35AC774442CC6408FFD68494D9953计算K=KDF(C|lw|IDB,klen)BB7051AC848FDFB9689E5E5C486B1294557189B3CC6408FFD68494D9953D77BF55E30E84697F66745AAF52239E46B048B5FAEBABFA1F7F9BA6B4COC90E65B075F6A2D9ED54C87CDDD2EAA787032320D7FEAA8695AB2BF7F5710861247C2034CCF4A1432DA1876D023AD6D74FF1678FDA3AF37A3D9F613CDE8057988B07151BAC93AF48D78D86C26EA97F24E2DACC84104CCE8791FE90BA61B2049CAAC6AB38EA07F9966173FD9BBF34AAB58EE84CD3777A9FDO0BBCA1DC0A1040465BD723AE513C4BE3EF2CFDC088A935FOB207DEEE9B3B58765B1252A0880952B4FF3C97510B93BBCD98EB70E0192B821D14D69908EE558DF5F5E072131K:4FF5CF86D2AD40C8F4B解封装步骤B1～B4中的相关值：(8EABOCD6DOC95A6BBB7051AC848FDF78082BB40152DC35AC774442CC6408FFD68494D9953D77BF55AAF52239E46B0373B3168BAB75C32E048B575F6A2D9ED54C87CDDD2EAA787032320205E7AC7247C2034CCF4A1432DA1876D023A8B07151BAC93AF48D78D86C26EA97F24E2DACC84104CCE8791FAAC6AB38EA07F9966173FD9BBF34AAB58EE84CD3777A9FDO0BBCA1DC09CA1040465BD723AE513C4BE3EF2CFDC088A935F04D874A4CE9B3B58765B1252A0880952B43924EABC443B0503510B93BBCD98EB70A018A035E8FB61F271DE1C5B3E781C63508C113B3EAC537805EAE164D732FADO,56BEA27C8624D5064C9C278A193D63F6908EE5581EDEE2C3F465914491DE44CEFB2CB434AB02C308D9DC5E20BB7051AC848FDFB9689E5E5C486B1294557189B338B53B1D78082BB40152CC6408FFD68494D9953D77BF55E30E84697F66745AAF52239E46B048B5FAEBABFA1F7F9BA6B4COC90E65B075F6A2D9ED54C87CDDD2EAA787032320D7FEAA8695AB2BF7F5710861247C2034CCF4A1432DA1876D023AD6D74FF1678FDA3AF37A3D9F613CDE8057988B07151BAC93AF48D78D86C26EA97F24E2DACC84104CCE8791FE90BA61B2049CAAC6AB38EA07F9966173FD9BBF34AAB58EE84CD3777A9FDO0BBCA1DC0A1040465BD723AE513C4BE3EF2CFDC088A935FOB207DEEE9B3B58765B1252A0880952B4FF3C97510B93BBCD98EB70E0192B821D14D693E781C63508C113B3EAC537805EAE164D73908EE558DF5F5E072131GB/T38635.2—2020方程参数b:05群G₂的生成元P₂=(xp₂,YP₂)IDB的16进制表示：426F62在有限域FN上计算t₂=ke·t₁-¹:消息M的16进制表示为：4368696E65736520494245207374616E64617计算Qg=[H(IDp|hid,N]P₁+Ppub-e=(xog,Yos)IDB||hid:426F6203H₁(IDphid,N):9CB1F6288CEOE51043CE72344582FFC301E0A812A7F5F2004B85547A24B827产生随机数r:AACO541779C8FC45E3E2CB25C12B5D2576B2129AE8BB5EE2CBE5EC9E785C计算C₁=[r]QB=(xc₁,yc)坐标xc₁:2445471164490618E1EE20528FF1D545B0F14C8BCAA44544F03DAB5DAC07D8FF坐标yc₁:42FFCA97D57CDDCO5EA405F2E586FEB3A6930715532B8000759F13059ED59ACO(9746FC5B231CEDF36F835232A2F80CFBAE061F196BB968E8A16C0AC905F692904AB9436A60C403F4F8BAC4DD3E395A2BCCE25359D033FC654BD6A9EB04320190B1E90CEDF6AC570147A23AE6FOEAE45034E6A504E3B43C1DD36794217FA1B05AC046C4131854C3D3E3A5B5967A64A861FOA2897F7B35D1COE21D84D75C24443BB424B12C41EAF6D34D925205901F5CBA59CFEBA35224660DB3849CE7BC68062182CF5D9F4A98C5A4ED1F