1. Background and Significance
SM9 is a complete algorithm system defined in China’s cryptographic industry standard GM/T 0044-2016 “SM9 Identity Cryptography Algorithm”. It belongs to the Identity-Based Cryptography (IBC) framework. Traditional algorithms such as RSA and ECC rely on Public Key Infrastructure (PKI) to manage and verify public key certificates, while the uniqueness of SM9 lies in:
-
The public key of SM9 is not a randomly stored number, but is dynamically calculated from the user’s identity identifier (ID, such as email, phone number, employee number, etc.) combined with scenario parameters (hid), using the hash mapping function H1 defined in the GM/T 0044-2016 standard (based on the SM3 hash algorithm, with an additional mapping step to the elliptic curve group G1), ultimately represented as a valid mathematical point in the elliptic curve group G1 (denoted as Q_id = H1(ID || hid)), without relying on digital certificates to bind the relationship between “identity and public key”..
-
Users do not need to apply for, store, and distribute complex digital certificates, greatly simplifying the key management process.
Therefore, SM9 has extremely high application value in commercial cryptography, finance, telecommunications, the Internet of Things, and e-government, and has become an international standard ISO/IEC 18033-5.
2. Core Ideas of the Algorithm
The core of SM9 is based onbilinear pairing technology. Its basic framework is as follows:
-
Key Generation Center (KGC):
-
During system initialization, a master public key (MPK) and a master secret key (MSK) are generated.
-
The KGC securely stores the MSK and uses it to generate personal private keys for all users.
-
User Key Generation:
-
The user’spublic key is not a separately stored number, but is dynamically calculated from their identity ID through hashing (SM3) and elliptic curve operations to produce a mathematical point (
<span><span>Q_id = H1(ID)</span></span>). -
The user’sprivate key is computed by the KGC using the master secret key (MSK) and the user’s public key (
<span><span>Q_id</span></span>) and securely distributed to the user. -
Encryption and Decryption:
-
The encrypting party only needs to know the other party’s ID and the publicsystem parameters to generate the recipient’s public key and encrypt the message.
-
The decrypting party uses their ownprivate key to decrypt.
-
It achieves the convenient experience of “as long as you know the other party’s identity, you can encrypt messages“.
3. SM9 Encryption Process
3.1 System Initialization
-
Select an elliptic curve that supports bilinear pairing, determine three cyclic groups G1, G2, and Gt, and the bilinear pairing mapping
<span><span>e: G1 × G2 → Gt</span></span>. -
Select generators of groups G1 and G2
<span><span>P1</span></span>and<span><span>P2</span></span>. -
The KGC randomly selects a master secret key
<span><span>k</span></span>(a large integer) and computes the master public key<span><span>P_pub = k * P2</span></span>. -
Public system parameters:
<span><span>(P1, P2, P_pub, e, H1, H2)</span></span>, where H1, H2 are hash functions (such as SM3).
3.2 User Private Key Generation
-
The user submits their identity ID to the KGC.
-
The KGC computes the user’s public key point:
<span><span>Q_id = H1(ID | | hid) ∈ G1</span></span>(hid is a specific parameter). -
The KGC uses the master secret key to compute the user’s private key:
<span><span>d_id = k * Q_id ∈ G1</span></span>. -
The user securely receives and stores their private key
<span><span>d_id</span></span>from the KGC.
3.3 Encryption (Sender’s Operation)
To encrypt the message <span><span>M</span></span> for the user with ID “Alice”:
-
Calculate Alice’s public key point:
<span><span>Q_Alice = H1("Alice" | | hid)</span></span>. -
Select a random number
<span><span>r ∈ [1, n-1]</span></span>. -
Compute the element in group Gt:
<span><span>g = e(Q_Alice, P_pub)</span></span>. -
Compute the shared secret:
<span><span>K = g^r</span></span>. This value will be used to derive the key. -
Compute the key encapsulation ciphertext:
<span><span>C1 = r * P1 ∈ G1</span></span>. -
Use a key derivation function (KDF, based on SM3) to derive a symmetric session key
<span><span>KEK</span></span>from<span><span>K</span></span>. -
Use
<span><span>KEK</span></span>and a symmetric encryption algorithm (such as SM4) to encrypt the plaintext<span><span>M</span></span>, resulting in ciphertext<span><span>C2</span></span>. -
Optionally compute a message authentication code (MAC) to ensure integrity.
-
The complete ciphertext format is (C1, C2, [C3]), where C3 is an optional message authentication code (MAC), which is enabled by default in some implementations.
-
Send the complete ciphertext
<span><span>(C1, C2)</span></span>to Alice.
3.4 Decryption (Receiver’s Operation)
Alice receives the ciphertext <span><span>(C1, C2)</span></span>:
-
Using her private key
<span><span>d_Alice</span></span>to compute the shared secret:<span><span>K' = e(d_Alice, C1)</span></span>.
-
Correctness Principle (based on the properties of bilinear pairing):
<span><span>e(d_Alice, C1) = e(k * Q_Alice, r * P1) = e(Q_Alice, P1)^(k*r) = e(Q_Alice, k * P1)^r = e(Q_Alice, P_pub)^r = g^r = K</span></span>
Use the same KDF to derive the session key <span><span>KEK</span></span> from <span><span>K'</span></span>.
Use <span><span>KEK</span></span> to decrypt <span><span>C2</span></span>, recovering the original message <span><span>M</span></span>.
4. Functional Modules of SM9
SM9 is a complete cryptographic system that includes four main functions:
-
Digital Signature: Users sign messages with their private key, and verifiers only need the signer’s ID and system parameters to verify.
-
Key Exchange: Both parties can negotiate a secure session key using only each other’s identity ID.
-
Encryption/Decryption: As described above.
-
Key Encapsulation Mechanism (KEM): Similar to the encryption process, the core is to encapsulate and securely transmit the session key.
5. Typical Application Scenarios
-
Internet of Things (IoT): Device IDs can directly serve as public keys, eliminating the enormous overhead of managing certificates for billions of devices.
-
Finance and Payments: Phone numbers and bank card numbers can directly serve as public keys for identity authentication and transaction encryption.
-
Enterprise Office and Communication: Use employee numbers/emails to directly encrypt emails or documents, simplifying internal system security design.
-
Vehicle-to-Everything (V2X): Vehicle identities (VIN) and roadside device IDs can be used to quickly establish secure communication links.
6. Advantages, Challenges, and Comparisons
| Feature | RSA/ECC (PKI) | SM9 (IBC) |
|---|---|---|
| Public Key Form | Independent number, requires certificate binding to identity | Dynamic generation from ID + system parameters |
| Private Key Generation | User-generated | KGC generates and distributes |
| Certificate Management | Must maintain a complex CA system | No certificates required |
| Core Advantages | Universal, no key management issues | Extremely simple management, easy to integrate |
| Main Challenges | Complex certificate lifecycle management | Key management issues exist, full trust in KGC required |
Key Management Issues: This is an inherent characteristic of IBC, where the KGC holds all users’ private keys, meaning it can decrypt any ciphertext or forge any signature. Strict checks and trust mechanisms must be established for the KGC in technology (such as threshold secret sharing), law, and management. Solutions include threshold secret sharing (distributing the MSK to multiple entities), multi-center architecture (different applications managed by different KGCs), etc.
7. Conclusion
As an independently controllable identity cryptography algorithm in China, SM9 successfully addresses the core pain point of complex traditional PKI certificate management, realizing the vision of “identity as public key” and can significantly enhance security efficiency in specific scenarios. Its core is based on bilinear pairing mathematical theory, providing a complete set of cryptographic primitives.
In summary: SM9 ≈ An elegant combination of security and convenience, but the key management issue must be properly addressed.