Security Analysis of SM9 Key Agreement and Encryption

Abstract

SM9 is a Chinese cryptography standard that defines a set of identity-based cryptographic schemes from pairings. Although the SM9 key agreement protocol and the SM9 encryption scheme have been used for years, there is no public available security analysis of these two schemes. In this paper, we formally analyze the security of these two schemes in the random oracle model.

A    Proof of Lemma 1

Proof:

If there is a polynomial time algorithm \(\mathcal {A}\,\,\)to solve the (\(\tau \)-1)-BCAA1\(_{i,2}\) problem, we can construct a polynomial time algorithm \(\mathcal {B}\,\,\)to solve the \(\tau \)-BDHI\(_2\) problem as follows. Given an instance of the \(\tau \)-BDHI\(_2\) problem

$$ (P_1, P_2, [x]P_2, [x^2]P_2,\ldots ,[x^\tau ] P_2), $$

\(\mathcal {B}\,\,\)works as follows to compute \(\hat{e}(P_1,P_2)^{1/x}\).

1. 1.

   Randomly choose different \(h_0,\ldots ,h_{\tau -1}\in \mathbb {Z}_{r}^{*}\). Let f(z) be the polynomial

   $$ f(z)=\prod _{a=1}^{\tau -1}(z+h_a)=\sum _{a=0}^{\tau -1}c_az^a. $$

   The constant term \(c_0\) is non-zero because \(h_a\)’s are different and \(c_i\) is computable from \(h_a\)’s.

2. 2.

   Set

   $$ Q_2=\sum _{a=0}^{\tau -1} [c_ax^a]P_2=[f(x)]P_2, $$

   and

   $$ [x]Q_2=\sum _{a=0}^{\tau -1} [c_{a}x^{a+1}]P_2=[xf(x)]P_2. $$
3. 3.

   Set

   $$ f_b(z)=\frac{z-h_0}{z+h_b}f(z)=\sum _{a=0}^{\tau -1}d_a z^a, $$

   and compute

   $$ [\frac{x-h_0}{x+h_b}]Q_2 =[\frac{x-h_0}{x+h_b}f(x)]P_2=[f_b(x)]P_2=\sum _{a=0}^{\tau -1}[d_ax^a]P_2 $$

   for \(1\le b\le \tau -1\).

4. 4.

   Set \(Q_1=\psi (Q_2)\) and pass the following instance of the (\(\tau \)-1)-BCAA1\(_{i,2}\) problem to \(\mathcal {A}\,\,\)

   $$ (Q_1, Q_2, \psi ([x-h_0]Q_2), h_0, (h_1\!+\!h_0, [\frac{x-h_0}{x+h_1}]Q_2), \ldots , (h_{\tau -1}\!+\!h_0, [\frac{x-h_0}{x+h_{\tau -1}}]Q_2)) $$

   if \(i=1\), or

   $$ (Q_1, Q_2, [x-h_0]Q_2, h_0, (h_1+h_0, [\frac{x-h_0}{x+h_1}]Q_2), \ldots , (h_{\tau -1}+h_0, [\frac{x-h_0}{x+h_{\tau -1}}]Q_2)) $$

   to get

   $$ T=\hat{e}(Q_1,Q_2)^{\frac{x-h_0}{x}}=\hat{e}(Q_1,Q_2)\cdot \hat{e}(Q_1,Q_2)^{-h_0/x}. $$
5. 5.

   Note that

   $$ [\frac{1}{x}](Q_2-[c_0]P_2)=[\frac{1}{x}]([f(x)]P_2-[c_0]P_2)=\sum _{a=1}^{\tau -1}[c_ax^{a-1}]P_2. $$

   Set

   $$ T'=\sum _{a=1}^{\tau -1}[c_ax^{a-1}]P_2=[\frac{f(x)-c_0}{x}]P_2. $$

   Then,

   $$ T_0=\hat{e}(\psi (T'),Q_2+[c_0]P_2)=\hat{e}([f(x)-c_0]P_1,Q_2+[c_0]P_2)^{1/x} $$
   $$ =\,\hat{e}(Q_1, Q_2)^{1/x}\cdot \hat{e}(P_1, P_2)^{-c_0^2/x}. $$

   Finally, compute

   $$ \hat{e}(P_1,P_2)^{1/x}=((T/\hat{e}(Q_1,Q_2))^{-1/h_0}/T_0)^{1/c_0^2}. $$

   \(\square \)