Ribose

Suite 1111, 1 Pedder Street Central Hong Kong Hong Kong ronald.tse@ribose.com https://www.ribose.com

Hang Seng Management College

Hang Shin Link, Siu Lek Yuen Shatin Hong Kong New Territories wongwk@hsmc.edu.hk https://www.hsmc.edu.hk

Ribose

United States of America jack@randombit.net https://www.ribose.com

Ribose

608 W Cork St, Apt 2 Winchester United States of America VA daniel.wyatt@ribose.com https://www.ribose.com

Ribose

Suite 1111, 1 Pedder Street Central Hong Kong Hong Kong erick.borsboom@ribose.com https://www.ribose.com

Internet Network Working Group This document enables OpenPGP (RFC4880) usage in an compliant manner with OSCCA regulations for use within China. Specifically, it extends OpenPGP to support the usage of SM2, SM3 and SM4 algorithms, and provides the OSCCA-compliant OpenPGP profile "OSCCA-SM234".

SM2 , SM3 and SM4 are cryptographic standards issued by the Organization of State Commercial Administration of China as authorized cryptographic algorithms for use within China. These algorithms are published in public. Adoption of this document enables exchange of OpenPGP-secured email in a OSCCA-compliant manner through usage of the authorized combination of SM2, SM3 and SM4. SM2 is a set of public key cryptographic algorithms based on elliptic curves that include: Digital Signature Algorithm Key Exchange Protocol Public Key Encryption Algorithm SM3 is a hash algorithm designed for electronic authentication purposes. SM4 is a symmetric encryption algorithm designed for data encryption. This document extends OpenPGP and its ECC extension to support SM2, SM3 and SM4: support the SM3 hash algorithm for data validation purposes support signatures utilizing the combination of SM3 with other digital signing algorithms, such as RSA, ECDSA and SM2 support the SM2 asymmetric encryption algorithm for public key operations support usage of SM2 in combination with supported hash algorithms, such as SHA-256 and SM3 support the SM4 symmetric encryption algorithm for data protection purposes defines the OpenPGP profile "OSCCA-SM234" to enable usage of OpenPGP in an OSCCA-compliant manner.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in . Compliant applications are a subset of the broader set of OpenPGP applications described in . Any keyword within this document applies to compliant applications only.

All cryptographic algorithms used are compliant with OSCCA regulations. The elliptic curve digital signature algorithm defined in The elliptic curve key exchange protocol defined in The public key encryption algorithm defined in

This document utilizes definitions of operations from and are included here for reference. The integer c raised to the i-th power. String S concatenated with string T (e.g., 000 || 111 == 000111).

SM2 is an elliptic curve based cryptosystem (ECC) designed by Xiaoyun Wang et al. and published by . It was first published by the OSCCA in public in 2010 , then standardized as in 2012, included in in 2015, published as a Chinese National Standard as , and published in in 2017. The SM2 cryptosystem is composed of three distinct algorithms: an elliptical curve digital signature algorithm ("SM2DSA") , , , also described in ; a key exchange protocol ("SM2KEP") ; and a public key encryption algorithm ("SM2PKE") . This document will refer to all three algorithms for the usage of OpenPGP .

The SM2 Digital Signature Algorithm is intended for digital signature and verifications in commercial cryptographic applications, including, but not limited to: identity authentication protection of data integrity verification of data authenticity The process of digital signature signing and verification along with their examples are found in , , , and also described in . The SM2DSA process requires usage of a hash function within. For OSCCA-compliant usage, a OSCCA-compliant hash function such as SM3 MUST also be used. Formal security proofs for SM2 are provided in indicating that it satisfies both EUF-CMA security and security against generalized strong key substitution attacks. The SM2DSA algorithm has been cryptanalyzed by multiple parties with the current strongest attack being nonce and lattice attacks . In terms of OpenPGP usage, SM2DSA is an alternative to the ECDSA algorithm specified in . For OpenPGP compatibility, these additional requirements MUST be adhered to: SM2DSA allows use of an optional "user identity" string which is hashed into ZA (Section 3.5 of and Section 5.1.4.4 of ). In OpenPGP, the user identifier IDA MUST be the empty string. While SM2DSA usually signs H(ZA || msg) (Section 4.1 ), but in OpenPGP, following the convention of , we do not directly sign the raw message msg, but its hash H(msg). Therefore when a message is signed by SM2DSA in OpenPGP, the algorithm MUST sign the content of H(ZA || H(msg)) instead of H(ZA || msg). Both hash algorithms used here MUST be identical.

The SM2 Key Exchange Protocol is used for cryptographic key exchange, allowing the negotiation and exchange of a session key within two to three message transfers. The process of key exchange and verification along with their examples are found in , and also described in . SM2KEP is not used with OpenPGP as it is a two- to three- pass key exchange mechanism, while in OpenPGP, public keys of recipients are available initially. The SM2KEP is now considered insecure due to , similar in status to the Unified Model and MQV schemes described in .

The SM2 Public Key Encryption algorithm is an elliptic curve (ECC) based asymmetric encryption algorithm. It is used for cryptographic encryption and decryption, allowing the message sender to utilize the public key of the message receiver to encrypt the message, with the recipient decrypting the messaging using his private key. The full description of SM2PKE is provided in . It utilizes a public key size of 512 bits and private key size of 256 bits . The process of encryption and decryption, along with their examples are found in and . The SM2PKE process requires usage of a hash function within. For OSCCA-compliant usage, a OSCCA-compliant hash function such as SM3 MUST also be used. In OpenPGP, SM2PKE is an alternative to RSA specified in .

The recommended curve is specified in and provided here for reference. SM2 uses a 256-bit elliptic curve.

an integer larger than 3 elements of F_q, defines an elliptic curve E on F_q Order of base point G (n is a prime factor of E(F_q)) x-coordinate of generator G y-coordinate of generator G

y^2 = x^3 + ax + b

p = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFF a = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00000000 FFFFFFFF FFFFFFFC b = 28E9FA9E 9D9F5E34 4D5A9E4B CF6509A7 F39789F5 15AB8F92 DDBCBD41 4D940E93 n = FFFFFFFE FFFFFFFF FFFFFFFF FFFFFFFF 7203DF6B 21C6052B 53BBF409 39D54123 x_G = 32C4AE2C 1F198119 5F990446 6A39C994 8FE30BBF F2660BE1 715A4589 334C74C7 y_G = BC3736A2 F4F6779C 59BDCEE3 6B692153 D0A9877C C62A4740 02DF32E5 2139F0A0

The SM3 Cryptographic Hash Algorithm is an iterative hash function designed by Xiaoyun Wang et al., published by as an alternative to SHA-2 . It was first published by the OSCCA in public in 2010 , then published in the OSCCA standard in 2012, published as a Chinese National Standard as in 2016, and included in the standard in 2017. The algorithm is designed to be used for commercial cryptographic applications including, but not limited to: digital signatures and their verification message authentication code generation and their verification generation of random numbers SM3 has a Merkle-Damgard construction and is similar to SHA-2 of the MD4 family, with the addition of several strengthening features including a more complex step function and stronger message dependency than SHA-256 . SM3 produces an output hash value of 256 bits long, based on 512-bit input message blocks , on input lengths up to 2^(m). The specification of SM3 is described in , and .

SM4 is a symmetric encryption algorithm designed by Shuwang Lu et al. originally intended for the usage of wireless local area network (Wireless LAN) products. SM4 is a 128-bit blockcipher, uses a key size of 128 bits and internally uses an 8-bit S-box. It performs 32 rounds per block. Decryption is achieved by reversing the order of encryption. SMS4 was first published in public as part of WAPI (Wired Authentication and Privacy Infrastructure), the Chinese National Standard for Wireless LAN . It was then published independently by the OSCCA in 2006 , formally renamed to SM4 in 2012 , published as a Chinese National Standard in 2016 , and included in in 2017. It is a required encryption algorithm specified in WAPI .

The SM2 algorithm is supported with the following extension. The following public key algorithm IDs are added to expand Section 9.1 of , "Public-Key Algorithms": ID Description of Algorithm TBDSM2 Compliant applications MUST support both usages of SM2 : SM2 Digital Signature Algorithm (SM2DSA) SM2 Public Key Encryption (SM2PKE)

The SM4 algorithm is supported with the following extension. The following symmetric encryption algorithm ID is added to expand Section 9.2 of , "Symmetric-Key Algorithms": ID Description of Algorithm TBDSM4 Compliant applications MUST support SM4 .

The SM3 algorithm is supported with the following extension. The following symmetric encryption algorithm IDs are added to expand Section 9.3 of , "Hash Algorithms": ID Description of Algorithm TBDSM3 Compliant applications MUST support SM3 .

The encoding method of Section 6 MUST be used, and is compatible with the definition given in . For clarity, according to the EC curve MPI encoding method of , the exact size of the MPI payload for the "SM2 Recommended" 256-bit curve , is 515 bits.

A key derivation function (KDF) is necessary to implement EC encryption. The SM2PKE KDF is defined in Section 3.4.3 of (and Section 5.4.3 of , Section 3.4.3 of ). For OSCCA-compliance, it SHOULD be used in conjunction with an OSCCA-approved hash algorithm, such as SM3 . The SM2PKE KDF is equivalent to the KDF2 function defined in Section 13.2 of given the following assignments: Parameter v as hBits, the output length of the selected hash function Hash Input KEYLEN as oBits Z as the plaintext string; and PB is set to the empty bit string. Pseudocode of the SM2KDF function is provided here for convenience. This function contains edited variable names for clarity.

Hash(S) is a hash function that outputs a v-bit long hash value based on input S. MSB(b, S) is a function that outputs the b most significant bits of the bitstream S. Floor(r) and Ceil(r) are the floor and ceiling functions respectively for the input of real number r. Both functions outputs an integer.

Desired key length. A positive integer less than (2^32 - 1) x v. Plaintext. String of any length.

Generated key. String of length KEYLEN. K is defined as follows.

Counter = 1 // a 32-bit counter n = KEYLEN / v for each 1 <= i <= Ceil(n) Ha_i = Hash( Z || Counter ) Counter = Counter + 1 end for if n is a whole number then Ha! = Ha_{Ceil(n)} else Ha! = MSB(KEYLEN − (v x Floor(n)), Ha_{Ceil(n)}) end if K = Ha_1 || Ha_2 || ... || Ha_{Ceil(n)−1} || Ha!

The following algorithm-specific packets are added to Section 5.5.2 of , "Public-Key Packet Formats", to support SM2DSA and SM2PKE. This document extends the algorithm-specific portion with the following fields. Algorithm-Specific Fields for SM2DSA keys: a variable-length field containing a curve OID, formatted as follows: a one-octet size of the following field; values 0 and 0xFF are reserved for future extensions octets representing a curve OID, described in MPI of an EC point representing a public key Algorithm-Specific Fields for SM2PKE keys: a variable-length field containing a curve OID, formatted as follows: a one-octet size of the following field; values 0 and 0xFF are reserved for future extensions octets representing a curve OID, described in MPI of an EC point representing a public key Note that both SM2DSA and SM2PKE public keys are composed of the same sequence of fields, and use the same codepoint to identify them. They are distinguished by the key usage flags.

The following algorithm-specific packets are added to Section 5.5.3. of , "Secret-Key Packet Formats", to support SM2DSA and SM2PKE. This document extends the algorithm-specific portion with the following fields. Algorithm-Specific Fields for SM2DSA or SM2PKE secret keys: an MPI of an integer representing the secret key, which is a scalar of the public EC point

Section 5.1 of [RFC4880], "Public-Key Encrypted Session Key Packets (Tag 1)" is extended to support SM2PKE using the following algorithm specific fields for SM2PKE, through applying the KDF described in . Algorithm Specific Fields for SM2 encryption: The SM2 ciphertext is formatted in the OpenPGP bitstream as a single MPI. This consists of: C = (C1 || C3 || C2) (step A8 of Section 4.1 ), followed by a single octet giving the code for the hash algorithm used within the calculation of the KDF mask t (step A5 of Section 4.1 ) and the calculation of C3 (step A7 of Section 4.1 ). For OSCCA compliance, this MUST be an OSCCA-approved hash function, and in any case, it SHOULD be a hash which is listed in the receiving keys "Preferred Hash Algorithms" list (Section 5.2.3.8 of ).

Section 5.2.2 of defines the signature format for "Version 3 Signature Packet Format". Similar to ECDSA , no change in the format is necessary for SM2DSA.

Section 5.2.3 of defines the signature format for "Version 4 Signature Packet Format". Similar to ECDSA , no change in the format is necessary for SM2DSA.

This section provides the curve OID of the "SM2 Recommended Curve" described in , according to the method of . We specify the curve OID of the "SM2 Recommended Curve" to be the registered OID entry of "SM2 Elliptic Curve Cryptography" according to , which is "1.2.156.10197.1.301". The table below specifies the exact sequence of bytes of the mentioned curve: ASN.1 Object Identifier OID len Curve OID bytes in hexadecimal representation Curve name 1.2.156.10197.1.30182A 81 1C CF 55 01 82 2DSM2 Recommended The complete ASN.1 DER encoding for the SM2 Recommended curve OID is "06 08 2A 81 1C CF 55 01 82 2D", from which the first entry in the table above is constructed by omitting the first two octets. Only the truncated sequence of octets is the valid representation of a curve OID.

The "OSCCA SM234" profile is designed to be compliant to OSCCA regulations. A compliant OpenPGP implementation MUST implement the following items as described by this document: SM2 Recommended Curve () SM2 (SM2DSA and SM2PKE) () The hash function selected in SM2DSA and SM2PKE MUST also be OSCCA-compliant, such as SM3 SM3 () SM4 ()

Products and services that utilize cryptography are regulated by the OSCCA ; they must be explicitly approved or certified by the OSCCA before being allowed to be sold or used in China. SM2 is an elliptic curve cryptosystem (ECC) published by the OSCCA . Its security relies on the assumption that the elliptic curve discrete logarithm problem (ECLP) is computationally infeasible. With advances in cryptanalysis, new attack algorithms may reduce the complexity of ECLP, making it easier to attack the SM2 cryptosystem that is considered secure at the time this document is published. You SHOULD check current literature to determine if the algorithms in SM2 have been found vulnerable. SM3 is a cryptographic hash algorithm published by the OSCCA . No formal proof of security is provided. As claimed in , the security properties of SM3 are under public study. There are no known feasible attacks against the SM3 algorithm at the time this document is published. SM4 is a blockcipher certified by the OSCCA . No formal proof of security is provided. There are no known feasible attacks against the SM4 algorithm by the time of publishing this document. On the other hand, there are security concerns with regards to side-channel attacks, when the SM4 algorithm is implemented in a device . For instance, illustrated an attack by measuring the power consumption of the device. A chosen ciphertext attack, assuming a fixed correlation between the sub-keys and data mask, is able to recover the round key successfully. When the SM4 algorithm is implemented in hardware, the parameters/keys SHOULD be randomly generated without fixed correlation. SM2 has a key length of 512 bits for the public key and 256 bits for the private key. It is considered an alternative to ECDSA P-256 . Its security strength is comparable to a 128-bit symmetric key strength , e.g., AES-128 . SM3 is a hash function that generates a 256-bit hash value. It is considered as an alternative to SHA-256 . SM4 is a blockcipher symmetric algorithm with a key length of 128 bits. It is considered as an alternative to AES-128 . Security considerations offered in and also apply.

The IANA "Pretty Good Privacy (PGP)" registry has made the following assignments for algorithms described in this document, namely: ID XXX of the "Public Key Algorithms" namespace for SM2 ID XXX of the "Hash Algorithms" namespace for SM3 ID XXX of the "Symmetric Key Algorithms" namespace for SM4

-----BEGIN PGP PUBLIC KEY BLOCK----- xlIEWbGKWmMIKoEcz1UBgi0CAwQx5lUJNwGp01AB7YfAye0oMmyIPYe/cQPVwh8/7RCu ywZLMDDAM7qn6TNqTtdKW+7tLFhtOC4yzDVK8UjN/ccazSBTTTIgMjU2LWJpdCBrZXkg PGphY2tAbG9jYWxob3N0PsJ0BBNjaQAmBQJZsYpfAhsDBQsJCAcCBhUICQoLAgUWAgMB AAkQC/UcNw0bAZcAAJt5AP4oXvi3xl2RUwAvVjlzXtLL87g6x9cIBS7EB/cvAsw78AEA /Wt6qWlBVZ6TYiqNPt9An/4cjKyNpAv7S9u3neGXWUU= =RJ3C -----END PGP PUBLIC KEY BLOCK-----

Detached signature of the string "SM2 example" using the above key:

-----BEGIN PGP SIGNATURE----- wmQEAGMIABYFAlmxj+cFAwAAAAAJEAv1HDcNGwGXAAB+SQEAy5AHKgiRxgOogB/2sfge JaVoLgpxvDp9yIcaLfP++xkBAPGuZ1f9FjxVd5jlCGd1jFzAPpt8N2Lc3FQDqVjgJvV9 =Xbbj -----END PGP SIGNATURE-----

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Standardization Administration of the People's Republic of China

No. 9 Madian Donglu, Haidian District Beijing Beijing 100088 People's Republic of China +86 (0)10 8226-2609 http://www.sac.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Institute of Electrical and Electronics Engineers

3 Park Avenue New York NY 10016-5997 United States https://www.ieee.org/

International Organization for Standardization

BIBC II Chemin de Blandonnet 8 CP 401 Vernier Geneva 1214 Switzerland +41 22 749 01 11 central@iso.org https://www.iso.org/

International Organization for Standardization

BIBC II Chemin de Blandonnet 8 CP 401 Vernier Geneva 1214 Switzerland +41 22 749 01 11 central@iso.org https://www.iso.org/

International Organization for Standardization

BIBC II Chemin de Blandonnet 8 CP 401 Vernier Geneva 1214 Switzerland +41 22 749 01 11 central@iso.org https://www.iso.org/

International Organization for Standardization

BIBC II Chemin de Blandonnet 8 CP 401 Vernier Geneva 1214 Switzerland +41 22 749 01 11 central@iso.org https://www.iso.org/

National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899-8900 United States http://www.nist.gov/

National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899-8900 United States http://www.nist.gov/

National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899 United States http://www.nist.gov/

National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899 United States http://www.nist.gov/

National Institute of Standards and Technology

100 Bureau Drive Gaithersburg MD 20899 United States http://www.nist.gov/

Orion Security Solutions, Inc.

1489 Chain Bridge Road Suite 300 McLean VA 22101 United States http://www.orionsecuritysolutions.com

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Standards for Efficient Cryptography Group Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China http://english.is.cas.cn

Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China http://english.is.cas.cn

Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China http://english.is.cas.cn

Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China http://english.is.cas.cn

Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China http://english.is.cas.cn

Beijing Key Laboratory of RFID Chip Test Technology, CEC Huada Electronic Design Co., Ltd

Building C, CEC Network Security and Information Technology Base, South Region of Future Science And Technology Park, Beiqijia county, Changping District Beijing 102209 People's Republic of China http://www.hed.com.cn

Beijing Key Laboratory of RFID Chip Test Technology, CEC Huada Electronic Design Co., Ltd

Building C, CEC Network Security and Information Technology Base, South Region of Future Science And Technology Park, Beiqijia county, Changping District Beijing 102209 People's Republic of China http://www.hed.com.cn

Beijing International Center for Mathematical Research, Peking University

No. 5 Yiheyuan Road Haidian District Beijing 100871 People's Republic of China http://www.bicmr.org

China Information Technology Security Evaluation Center

Building 1, No.8, Shangdi West Road, Haidian District Beijing 100085 People's Republic of China http://www.itsec.gov.cn

China Information Technology Security Evaluation Center

Building 1, No.8, Shangdi West Road, Haidian District Beijing 100085 People's Republic of China http://www.itsec.gov.cn

China Information Technology Security Evaluation Center

Building 1, No.8, Shangdi West Road, Haidian District Beijing 100085 People's Republic of China jiazhechen@gmail.com http://www.itsec.gov.cn

Beijing Research Institute of Telemetry, China Aerospace Science and Technology Corporation

1 Nan Da Hong Men Lu, Fengtai Qu Beijing 100194 People's Republic of China liumj9705@gmail.com http://www.spacechina.com

China Information Technology Security Evaluation Center

Building 1, No.8, Shangdi West Road, Haidian District Beijing 100085 People's Republic of China http://www.itsec.gov.cn

China Information Technology Security Evaluation Center

Building 1, No.8, Shangdi West Road, Haidian District Beijing 100085 People's Republic of China lihx@secemail.cn http://www.itsec.gov.cn

State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China xujing@is.iscas.ac.cn http://english.is.cas.cn

State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China http://english.is.cas.cn

Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China zfzhang@tca.iscas.ac.cn http://tca.iscas.ac.cn

Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China yangkang@tca.iscas.ac.cn http://tca.iscas.ac.cn

State Key Laboratory of Cryptology

P.O. Box 5159 Beijing 100878 People's Republic of China jiangzhang09@gmail.com

Laboratory of Trusted Computing and Information Assurance, Institute of Software, Chinese Academy of Sciences

4# South Fourth Street, Zhong Guan Cun Beijing 100190 People's Republic of China chencheng@tca.iscas.ac.cn http://tca.iscas.ac.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

Department of Computer Science and Technology, Tsinghua University

Tsinghua University Beijing 100084 People's Republic of China baidx10@mails.tsinghua.edu.cn http://www.tsinghua.edu.cn

Tsinghua University Beijing 100084 People's Republic of China yuhongbo@mail.tsinghua.edu.cn http://www.tsinghua.edu.cn

School of Computer Science and Technology, Donghua University

Donghua University Shanghai 201620 People's Republic of China wanggaoli@dhu.edu.cn https://www.dhu.edu.cn

Institute for Advanced Study, Tsinghua University

Tsinghua University Beijing 100084 People's Republic of China xiaoyunwang@mail.tsinghua.edu.cn http://www.tsinghua.edu.cn

Organization of State Commercial Administration of China

7 Dian Chang Lu, Fengtai Qu Beijing Beijing 100036 People's Republic of China +86 (0)10 5970-3789 http://www.oscca.gov.cn

College of Information Security Engineering, Chengdu University of Information Technology

No. 24 Block 1, Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

College of Information Security Engineering, Chengdu University of Information Technology

No. 24 Block 1, Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

College of Information Security Engineering, Chengdu University of Information Technology

No. 24 Block 1, Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

College of Information Security Engineering, Chengdu University of Information Technology

No. 24 Block 1, Xuefu Road Chengdu MD 610225 China http://www.cuit.edu.cn/

The authors would like to thank the following persons for their valuable advice and input. The Ribose RNP team for their input and implementation