SM9 mechanism

Mécanisme SM9

General Information

Status
Published
Publication Date
21-Feb-2021
Current Stage
5060 - Close of voting Proof returned by Secretariat
Start Date
05-Feb-2021
Completion Date
05-Feb-2021
Ref Project

RELATIONS

Buy Standard

Standard
ISO/IEC 18033-5:2015/Amd 1:2021 - SM9 mechanism
English language
8 pages
sale 15% off
Preview
sale 15% off
Preview
Draft
ISO/IEC 18033-5:2015/PRF Amd 1:Version 16-jan-2021 - SM9 mechanism
English language
8 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 18033-5
First edition
2015-12-01
AMENDMENT 1
2021-02
Information technology —
Security techniques — Encryption
algorithms —
Part 5:
Identity-based ciphers
AMENDMENT 1: SM9 mechanism
Technologies de l'information — Techniques de sécurité —
Algorithmes de chiffrement —
Partie 5: Chiffrements identitaires
AMENDEMENT 1: Mécanisme SM9
Reference number
ISO/IEC 18033-5:2015/Amd.1:2021(E)
ISO/IEC 2021
---------------------- Page: 1 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see https:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 18033 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2021 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Information technology — Security techniques —
Encryption algorithms —
Part 5:
Identity-based ciphers
AMENDMENT 1: SM9 mechanism
Introduction
Replace the second sentence of the fourth paragraph with the following:

The specified mechanisms are the BF identity-based encryption mechanism, the SK identity-based

key encapsulation mechanism, the BB1 identity-based key encapsulation mechanism and the SM9

identity-based key encapsulation mechanism and encryption mechanisms.
Insert the following sentence between the sixth and seventh paragraphs.
The content of 9.4 follows Reference [8].
4.1
Insert the following line at the end of the table:
⎾x⏋ smallest integer greater than or equal to the real number x.
5.1
Replace the first sentence with the following:

The schemes specified in this document make use of four cryptographic transformations, IHF1,

SHF1, PHF1 and IHF2 as specified below.
5.1
Add the following to the end:

Annex A lists the object identifiers which shall be used to identify the algorithms specified in this

document.
Annex B describes security considerations for each specified mechanism.
Annex C provides numerical examples.

Annex D introduces techniques which can be used to remove the decryption capability of the PKG,

and thereby reduce the level of trust required in this entity.
© ISO/IEC 2021 – All rights reserved 1
---------------------- Page: 4 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
5.5
Add new subclause 5.5 as follows:
5.5 The function IHF2

IHF2 is based on the key derivation function KDF2 defined in ISO/IEC 18033-2. KDF2(x, l) parameterized

by a cryptographic hash function takes an octet string x and a non-negative integer l as input, and

outputs an octet string of length l. KDF2-a(x, b) outputs the first b bits from KDF2(x, ⎾b/8⏋). IHF2 take

three items as input and outputs an integer in a specified range.
Input:
— A bit string str ∈ {0,1}
— A security parameter κ ∈ {128}
— A non-negative integer n with bit-length b
Output:
— An integer x, 0 Operation: Perform the following steps.
a) If κ = 128, KDF2 uses SM3 as the hash function.
b) Let hlen = 8⎾(5 b )/32⏋.
c) Compute Ha = KDF2-a(str, hlen).
d) Output (BS2IP (Ha) mod (n-1)) + 1.
7.3.1
Replace the fifth paragraph with the following:

The allowable data encapsulation mechanisms are those described in ISO/IEC 18033-2.

7.4.1
Insert new NOTE 4 at the end as follows:

NOTE 4 The third mechanism defined in 9.4 will work to encrypt messages with either DEM2 or DEM3,

which are specified in ISO/IEC 18033-2. In these DEMs, the required hash function is SM3, specified in ISO/

IEC 10118-3, and the required block cipher is described in ISO/IEC 18033-3. The required message authen-

tication code is generated by the evaluation function MA.eval(K'', MS) = SM3(MS || K''), where K'' is a secret

key which is part of the session key K, and MS is the octet string to be authenticated as specified in DEM2 and

DEM3. The label input to both DEMs is empty.
9.1
Replace the first sentence with the following:

In this clause, three identity-based key encapsulation mechanisms are specified. These mechanisms

use the following primitives.
Replace list item b) with the following:
2 © ISO/IEC 2021 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
b) Four hash functions:
Add new fourth list item as follows:
— H : {0,1}* →Z where H (s) = IHF2(0x01 || s || 0x03, p, κ)
4 4
9.4
Add new Subclause 9.4 as follows:
9.4 The SM9 key encapsulation mechanism
9.4.1 Set up

The setup operation creates public system parameters and a master-secret key. This operation shall be

completed by the private key issuer, an entity which shall be trusted by its subscribers.

The steps to create public system parameters and a master-secret key are:

a) Establish the set of base groups G , G , G , and a pairing e: GG×→ G . The order of each group is p.

1 2 3
12 3
b) Select a random generator Q in G and a random generator Q in G .
1 1 2 2

c) Generate a random master secret s in Z . Calculate the corresponding R as sQ .

d) Pre-calculate the pairing value J = e(R, Q ).

e) Make the system parameters and the master-public key set params = ˂J, Q , Q , G , G , G , e, p> and

1 2 1 2 3
mpk = R available. Secure the master-secret key msk = s.
9.4.2 Private key extraction

The extract operation takes an arbitrary identity string ID in {0,1} and calculates the corresponding

private key sk in G . The algorithm to compute the private key sk corresponding to an identity string

ID 2 ID
ID is as follows:
Input:
— The system parameters params = ˂J, Q , Q , G , G , G , e, p>
1 2 1 2 3
— The master-public key mpk = R
— The master-secret key msk = s
— An identity string ID
Output:
— The derived private key sk , an element of G .
ID 2
Operation: Use the following steps to compute sk .
a) Compute M = H (ID ).
4 b
b) If M + s = 0 mod p, output "error" and stop.
c) Compute t = (M + s) s mod p.
d) Compute sk = tQ .
ID 2
e) Output sk .

The correctness of the value sk can be verified by using the following algorithm:

© ISO/IEC 2021 – All rights reserved 3
---------------------- Page: 6 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Input:
— The system parameters params = ˂J, Q , Q , G , G , G , e, p>
1 2 1 2 3
— The master-public key mpk = R
— An identity string ID
— The corresponding private key sk
Output:

— The value "valid" if sk is consistent with params, msk and ID , and "invalid" otherwise.

ID b
Operation: Use the following steps.
a) Compute M = H (ID ).
4 b
b) Compute T = e(MQ + R, sk ).
1 ID

c) If T = J, then output the value "valid", otherwise output the value "invalid".

9.4.3 Session key encapsulation

The encapsulate operation (KEM.Enc) takes an arbitrary identity string ID in {0,1} and the master-

public key mpk = R with the system parameters parms, and outputs the pair ˂K, CT > where K is a

KEM

session key to be used to encrypt a message, and CT is the encapsulation of K to be transmitted to

KEM
the receiver.
The steps to compute the encapsulation values are:
a) Select a random integer r in Z .
b) Compute M = H (ID ).
4 b
c) Compute E = r(MQ + R).
d) Compute B = J .

e) Compute K = KDF2-a(EC2OSP(E) || FE2OSP(B) || ID , klen), where klen is the bit-length of the required

session key.
f) Set CT = EC2OSP(E).
KEM
g) Output .
KEM
9.4.4 Session key de-encapsulation

The de-encapsulate operation (KEM.Dec) takes an encapsulated value CT computed for identity ID

KEM b

and the private sk that corresponds to ID , and computes the key value K that can be used to decrypt

ID b
the message that was encrypted by the sender.
The steps to compute the de-encapsulation key are:
a) Parse CT as an element E = OS2ECP(CT ).
KEM KEM
b) Check whether E is in G ; if not, output "error".
c) Compute B = e(E, sk ).

d) Compute K = KDF2-a(EC2OSP(E) || FE2OSP(B) || ID , klen), where klen is the bit-length of the required

session key.
e) Output K.
4 © ISO/IEC 2021 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Annex A
Insert the following lines after ib-enc-mechanism-bf:

ib-enc-mechanism-sm9a OID ::= { ib-enc sm9a(2) } -- sm9 kem with DEM2 as in 7.4.1

ib-enc-mechanism-sm9b OID ::= { ib-enc sm9b(3) } -- sm9 kem with DEM3 as in 7.4.1

Insert the following lines after ib-kem-mechanism-bb1:
ib-kem-mechanism-sm9 OID ::= { ib-kem sm9(3) }
sm9-dem-one-time-mac OID ::= { ib-kem-mechanism-sm9 one-time-mac(1) }
Insert the following lines after { OID ib-enc-mechanism-bf PARMS HashFunction }:
|{ OID ib-enc-mechanism-sm9a PARMS HashFunction }
|{ OID ib-enc-mechanism-sm9b PARMS HashFunction }
Insert the following line after { OID ib-kem-mechanism-bb1 PARMS HashFunction }:
|{ OID ib-kem-mechanism-sm9 PARMS HashFunction }
Annex B
Replace the last sentence with the following:

Security analyses of the BF, SK, BB1 and SM9 mechanisms can be found in References [4], [5], [3]

and [9], respectively.
Annex C
Add new Clause C.4 as follows:
C.4 SM9 ID-based key encapsulation mechanism
C.4.1 Example 1
C.4.1.1 Set up
2 3

This example makes use of the same Barreto-Naehrig elliptic curve y = x + 5 used in

ISO/IEC 14888-3:2018, F.15.1. An element A in Fq is represented as A σ+A , where A and A are

0 0,1 0,0 0,0 0,1
2 2 4

elements of Fq and σ is an element of Fq such that σ + 2 = 0 mod q. Let ν be an element of Fq such that

2 2 12 3 4 12

ν - σ = 0 in Fq and ω be an element of Fq such that ω − ν = 0 in Fq , an element of Fq is represented

2 4

as Aω +Bω+C, where A, B, C are elements of Fq which are represented as A = A ν + A , B = B ν + B ,

1 0 1 0

C = C ν + C respectively, and A , A , B , B , C , C are elements of Fq . In this towered fashion, an element

1 0 0 1 0 1 0 1
of Fq is represented as a vector (A , A A , A , B , B , B , B , C , C C , C ) w
...

INTERNATIONAL ISO/IEC
STANDARD 18033-5
First edition
2015-12-01
AMENDMENT 1
Information technology —
Security techniques — Encryption
algorithms —
Part 5:
Identity-based ciphers
AMENDMENT 1: SM9 mechanism
Technologies de l'information — Techniques de sécurité —
Algorithmes de chiffrement —
Partie 5: Chiffrements identitaires
AMENDEMENT 1: Mécanisme SM9
PROOF/ÉPREUVE
Reference number
ISO/IEC 18033-5:2015/Amd.1:2021(E)
ISO/IEC 2021
---------------------- Page: 1 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2021

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that

are members of ISO or IEC participate in the development of International Standards through

technical committees established by the respective organization to deal with particular fields of

technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other

international organizations, governmental and non-governmental, in liaison with ISO and IEC, also

take part in the work.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents) or the IEC

list of patent declarations received (see https:// patents .iec .ch).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC1, Information technology,

Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 18033 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE iii
---------------------- Page: 3 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Information technology — Security techniques —
Encryption algorithms —
Part 5:
Identity-based ciphers
AMENDMENT 1: SM9 mechanism
Introduction
Replace the second sentence of the fourth paragraph with the following:

The specified mechanisms are the BF identity-based encryption mechanism, the SK identity-based

key encapsulation mechanism, the BB1 identity-based key encapsulation mechanism and the SM9

identity-based key encapsulation mechanism and encryption mechanisms.
Insert the following sentence between the sixth and seventh paragraphs.
The content of 9.4 follows Reference [8].
4.1
Insert the following line at the end of the table:
⎾x⏋ smallest integer greater than or equal to the real number x.
5.1
Replace the first sentence with the following:

The schemes specified in this document make use of four cryptographic transformations, IHF1,

SHF1, PHF1 and IHF2 as specified below.
5.1
Add the following to the end:

Annex A lists the object identifiers which shall be used to identify the algorithms specified in this

document.
Annex B describes security considerations for each specified mechanism.
Annex C provides numerical examples.

Annex D introduces techniques which can be used to remove the decryption capability of the PKG,

and thereby reduce the level of trust required in this entity.
© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 1
---------------------- Page: 4 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
5.5
Add new subclause 5.5 as follows:
5.5 The function IHF2

IHF2 is based on the key derivation function KDF2 defined in ISO/IEC 18033-2. KDF2(x, l) parameterized

by a cryptographic hash function takes an octet string x and a non-negative integer l as input, and

outputs an octet string of length l. KDF2-a(x, b) outputs the first b bits from KDF2(x, ⎾b/8⏋). IHF2 take

three items as input and outputs an integer in a specified range.
Input:
— A bit string str ∈ {0,1}
— A security parameter κ ∈ {128}
— A non-negative integer n with bit-length b
Output:
— An integer x, 0 Operation: Perform the following steps.
a) If κ = 128, KDF2 uses SM3 as the hash function.
b) Let hlen = 8⎾(5 b )/32⏋.
c) Compute Ha = KDF2-a(str, hlen).
d) Output (BS2IP (Ha) mod (n-1)) + 1.
7.3.1
Replace the fifth paragraph with the following:

The allowable data encapsulation mechanisms are those described in ISO/IEC 18033-2.

7.4.1
Insert new NOTE 4 at the end as follows:

NOTE 4 The third mechanism defined in 9.4 will work to encrypt messages with either DEM2 or DEM3,

which are specified in ISO/IEC 18033-2. In these DEMs, the required hash function is SM3, specified in ISO/

IEC 10118-3, and the required block cipher is described in ISO/IEC 18033-3. The required message authen-

tication code is generated by the evaluation function MA.eval(K'', MS) = SM3(MS || K''), where K'' is a secret

key which is part of the session key K, and MS is the octet string to be authenticated as specified in DEM2 and

DEM3. The label input to both DEMs is empty.
9.1
Replace the first sentence with the following:

In this clause, three identity-based key encapsulation mechanisms are specified. These mechanisms

use the following primitives.
Replace list item b) with the following:
2 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
b) Four hash functions:
Add new fourth list item as follows:
— H : {0,1}* →Z where H (s) = IHF2(0x01 || s || 0x03, p, κ)
4 4
9.4
Add new Subclause 9.4 as follows:
9.4 The SM9 key encapsulation mechanism
9.4.1 Set up

The setup operation creates public system parameters and a master-secret key. This operation shall be

completed by the private key issuer, an entity which shall be trusted by its subscribers.

The steps to create public system parameters and a master-secret key are:

a) Establish the set of base groups G , G , G , and a pairing e: GG×→ G . The order of each group is p.

1 2 3
12 3
b) Select a random generator Q in G and a random generator Q in G .
1 1 2 2

c) Generate a random master secret s in Z . Calculate the corresponding R as sQ .

d) Pre-calculate the pairing value J = e(R, Q ).

e) Make the system parameters and the master-public key set params = ˂J, Q , Q , G , G , G , e, p> and

1 2 1 2 3
mpk = R available. Secure the master-secret key msk = s.
9.4.2 Private key extraction

The extract operation takes an arbitrary identity string ID in {0,1} and calculates the corresponding

private key sk in G . The algorithm to compute the private key sk corresponding to an identity string

ID 2 ID
ID is as follows:
Input:
— The system parameters params = ˂J, Q , Q , G , G , G , e, p>
1 2 1 2 3
— The master-public key mpk = R
— The master-secret key msk = s
— An identity string ID
Output:
— The derived private key sk , an element of G .
ID 2
Operation: Use the following steps to compute sk .
a) Compute M = H (ID ).
4 b
b) If M + s = 0 mod p, output "error" and stop.
c) Compute t = (M+s) s mod p.
d) Compute sk = tQ .
ID 2
e) Output sk .

The correctness of the value sk can be verified by using the following algorithm:

© ISO/IEC 2021 – All rights reserved PROOF/ÉPREUVE 3
---------------------- Page: 6 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Input:
— The system parameters params = ˂J, Q , Q , G , G , G , e, p>
1 2 1 2 3
— The master-public key mpk = R
— An identity string ID
— The corresponding private key sk
Output:

— The value "valid" if sk is consistent with params, msk and ID , and "invalid" otherwise.

ID b
Operation: Use the following steps.
a) Compute M = H (ID ).
4 b
b) Compute T = e(MQ + R, sk ).
1 ID

c) If T = J, then output the value "valid", otherwise output the value "invalid".

9.4.3 Session key encapsulation

The encapsulate operation (KEM.Enc) takes an arbitrary identity string ID in {0,1} and the master-

public key mpk = R with the system parameters parms, and outputs the pair ˂K, CT > where K is a

KEM

session key to be used to encrypt a message, and CT is the encapsulation of K to be transmitted to

KEM
the receiver.
The steps to compute the encapsulation values are:
a) Select a random integer r in Z .
b) Compute M = H (ID ).
4 b
c) Compute E = r(MQ + R).
d) Compute B = J .

e) Compute K = KDF2-a(EC2OSP(E) || FE2OSP(B) || ID , klen), where klen is the bit-length of the required

session key.
f) Set CT = EC2OSP(E).
KEM
g) Output .
KEM
9.4.4 Session key de-encapsulation

The de-encapsulate operation (KEM.Dec) takes an encapsulated value CT computed for identity ID

KEM b

and the private sk that corresponds to ID , and computes the key value K that can be used to decrypt

ID b
the message that was encrypted by the sender.
The steps to compute the de-encapsulation key are:
a) Parse CT as an element E = OS2ECP(CT ).
KEM KEM
b) Check whether E is in G ; if not, output "error".
c) Compute B = e(E, sk ).

d) Compute K = KDF2-a(EC2OSP(E) || FE2OSP(B) || ID , klen), where klen is the bit-length of the required

session key.
e) Output K.
4 PROOF/ÉPREUVE © ISO/IEC 2021 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 18033-5:2015/Amd.1:2021(E)
Annex A
Insert the following lines after ib-enc-mechanism-bf:

ib-enc-mechanism-sm9a OID ::= { ib-enc sm9a(2) } -- sm9 kem with DEM2 as in 7.4.1

ib-enc-mechanism-sm9b OID ::= { ib-enc sm9b(3) } -- sm9 kem with DEM3 as in 7.4.1

Insert the following lines after ib-kem-mechanism-bb1:
ib-kem-mechanism-sm9 OID ::= { ib-kem sm9(3) }
sm9-dem-one-time-mac OID ::= { ib-kem-mechanism-sm9 one-time-mac(1) }
Insert the following lines after { OID ib-enc-mechanism-bf PARMS HashFunction }:
|{ OID ib-enc-mechanism-sm9a PARMS HashFunction }
|{ OID ib-enc-mechanism-sm9b PARMS HashFunction }
Insert the following line after { OID ib-kem-mechanism-bb1 PARMS HashFunction }:
|{ OID ib-kem-mechanism-sm9 PARMS HashFunction }
Annex B
Replace the last sentence with the following:

Security analyses of the BF, SK, BB1 and SM9 mechanisms can be found in References [4], [5], [3]

and [9], respectively.
Annex C
Add new Clause C.4 as follows:
C.4 SM9 ID-based key encapsulation mechanism
C.4.1 Example 1
C.4.1.1 Set up
2 3

This example makes use of the same Barreto-Naehrig elliptic curve y = x + 5 used in

ISO/IEC 14888-3:2018, F.15.1. An element A in Fq is represented as A σ+A , where A and A are

0 0,1 0,0 0,0 0,1
2 2 4

elements of Fq and σ is an element of Fq such that σ + 2 = 0 mod q. Let ν be an element of Fq such that

2 2 12 3 4 12

ν - σ = 0 in Fq and ω be an element of Fq such that ω − ν = 0 in Fq , an element of Fq is represented

2 4

as Aω +Bω+C, where A, B, C are elements of Fq which are represented as A = A ν + A , B = B ν + B ,

1 0 1 0

C = C ν + C respectively, and A , A , B , B , C , C are elements of Fq . In this towered fashion, an element

1 0 0 1 0 1 0 1
of Fq is represented as a vector (A , A A , A , B , B , B , B , C , C C , C ) wi
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.