Research Article | Open Access
Provably-Secure (Chinese Government) SM2 and Simplified SM2 Key Exchange Protocols
Abstract
We revisit the SM2 key exchange protocol, which is widely used in Chinese commercial applications and by Chinese government agencies. Although it is by now standard practice for protocol designers to provide security proofs in widely accepted security models, so that implementers can rely on the stated security properties, the SM2 protocol has no proof of security. In this paper we prove the security of the SM2 protocol in the widely accepted indistinguishability-based Bellare-Rogaway model under the elliptic curve discrete logarithm problem (ECDLP) assumption. We also present a simplified and more efficient version of the SM2 protocol with an accompanying security proof.
1. Introduction
Because elliptic curve cryptography (ECC) offers security comparable to established public-key cryptosystems at much smaller key sizes, it has become a focus of research. One example is the growing use of identity-based (ID-based) cryptography, such as ID-based key agreement protocols built on pairings, including ID-based authenticated key agreement (ID-AKA) protocols. ID-AKA protocols, like other key establishment protocols (e.g., [1–4]), allow two or more parties to establish a shared secret key for subsequent cryptographic use. Identity-based cryptography was introduced by Shamir [5]; ID-based schemes require a trusted key generation center (KGC) that issues every user's private key and can therefore read or impersonate any user (key escrow). The challenges associated with a fully trusted KGC are well documented, and Al-Riyami and Paterson proposed certificateless public key cryptography, including the first certificateless two-party authenticated key agreement (CTAKA) protocol, in which the KGC contributes only a partial private key and no longer holds users' full private keys [6]. Since then a number of CTAKA protocols have been proposed [7–9]. Most of them are, however, based on bilinear pairings, which are computationally expensive compared with conventional public-key operations such as RSA [10, 11].
A number of certificateless and ID-based ECC AKA protocols that do not require pairings have been published recently. For example, in 2007 Zhu et al. proposed a pairing-free ID-AKA protocol [12]. However, combining a pairing-free ID-based signature scheme with Diffie-Hellman key exchange, as that protocol does, increases both computational cost and message size. In addition, both this protocol and the pairing-free ECC-based ID-AKA protocol of Cao et al. [13] require three rounds of message exchange. A later protocol of Cao et al. reduces the number of rounds to two and was proven secure in the Bellare-Rogaway model [10]. He et al. independently proposed a two-round [14] and a three-round [2] certificateless AKA protocol without pairings.
In 2010 the Chinese government published an ECC-based key exchange protocol, SM2 [15]. According to the official announcements of the Chinese State Cryptography Administration and various media releases, SM2 is mandatory in a range of cryptographic applications used by Chinese government agencies from 1 July 2011 [16–18]. A 2005 survey by Boyd and Choo found that the purported security of several published ID-based protocols rests on heuristic arguments, and that a number of protocols were only proven secure in a restricted model; the study highlighted the need for more rigorously analysed ID-based protocols [19]. Surprisingly, despite the wide deployment of SM2 in Chinese commercial applications and consumer electronics, the protocol has no security proof.
A protocol's goals are the properties it aims to achieve. As Boyd and Mathuria observe, an attack on a protocol is only valid if it violates some property that the protocol was intended to provide [20]. Unless the intended properties and goals are identified at an early stage, the validity of a published attack can be debated, since it may be unclear whether the protocol was ever meant to resist the behaviour being exploited [21]. This reinforces the importance of a security proof, in an explicit model, for protocols that are widely used by government agencies and in the private sector.
Our contributions in this paper are twofold.
(1) We prove the SM2 protocol secure in the widely accepted indistinguishability-based model of Bellare and Rogaway under the ECDLP assumption.
(2) We propose a simplified and more efficient version of the SM2 protocol and prove it secure in the Bellare-Rogaway model under the ECDLP assumption.
In the next section we briefly review the model in which we work. Section 3 revisits the SM2 protocol and proves it secure. Section 4 describes our simplified SM2 protocol and its proof of security. The last section concludes the paper.
2. Overview of the Bellare-Rogaway Model
In the Bellare-Rogaway model [22, 23], the adversary controls the communication channel by interacting with a set of oracles. An oracle is a particular instantiation of a protocol participant in a specific protocol run, together with the other participant with whom it wishes to establish a secret key. The predefined oracle queries are described informally as follows.
(i) The Send query allows the adversary to send a message to a protocol participant at will. In other words, (a) the oracle, upon receiving the query, computes what the protocol specification demands and returns the response message and/or decision to the adversary; (b) if the oracle has either accepted with some session key or terminated, this is made known to the adversary.
(ii) The Reveal query allows the adversary to expose a previously accepted session key: an oracle that has accepted and holds a session key returns that key to the adversary.
(iii) The Corrupt query allows the adversary to learn the complete internal state of a participant. This models the real-world scenario of a corrupted insider.
(iv) The Test query is the only query that does not correspond to any real-world ability of the adversary. If an oracle has accepted with some session key and is asked a Test query, then, depending on a randomly chosen bit, the adversary is given either the actual session key or a key drawn randomly from the session key distribution.
Definition 1 (Partnership). Two oracles in a protocol run are partners if and only if (i) both have accepted the same session key, and (ii) only these two oracles (no other) have accepted with the same session ID (SID, defined as the concatenation of the message flows) and agree on the same set of principals (the initiator and the responder of the protocol).
Definition 2 (Freshness). An oracle holds a fresh session key at the end of execution if and only if all of the following hold: (i) it has accepted, with or without a partner oracle; (ii) neither it nor its partner (if one exists) has been sent a Reveal query; (iii) neither it nor its partner (if one exists) has been sent a Corrupt query.
The definition of security depends on partnership (Definition 1) and freshness (Definition 2) and is stated via a game played between the adversary and a collection of oracles for the players and their instances. The adversary runs the game simulation, whose setting is as follows.
(i) Send, Reveal, and Corrupt queries are made by the adversary in any order, at will.
(ii) At some point during the game the adversary chooses a session on which to be tested by sending a Test query to the oracle associated with that session. The chosen test session must be fresh in the sense of Definition 2. Depending on a randomly chosen bit, the adversary is given either the actual session key or a key drawn randomly from the session key distribution.
(iii) The adversary continues making Send, Reveal, and Corrupt queries of its choice.
(iv) The adversary eventually terminates and outputs its guess of the bit.
We measure the adversary's success in the game in terms of its advantage in distinguishing whether it received the real session key or a random value (i.e., whether its guess equals the hidden bit).
Let be a security parameter. Then, the advantage function of is denoted by, where
Definition 3 (Security). A protocol is secure in the Bellare-Rogaway model if both of the following requirements are satisfied. (1) Two oracles accept the same key when the protocol is run in the absence of a malicious adversary. (2) For all probabilistic polynomial-time (PPT) adversaries, the advantage is negligible.
3. A Provably-Secure SM2 Key Exchange Protocol
3.1. SM2 Key Exchange Protocol
The notation used in the SM2 protocol (Table 1) is as follows:
(i) the two SM2 protocol participants and their respective identities;
(ii) the coefficients of the elliptic curve equation over the prime field;
(iii) the prime field and its number of elements;
(iv) the set of all points on the elliptic curve defined over the prime field;
(v) the base point of the elliptic curve, whose order is a prime;
(vi) the cofactor, that is, the order of the curve group divided by the order of the base point;
(vii) the space of integers in the scalar range;
(viii) a long-term private and public key pair;
(ix) the session key;
(x) the identification of a client;
(xi) the hash value of the identification and its bit length;
(xii) a one-way hash function;
(xiii) a temporary (ephemeral) private and public key pair;
(xiv) the bit lengths of the key and of the other listed value, respectively;
(xv) the one-way key derivation function, whose output length is the key length;
(xvi) concatenation of two strings;
(xvii) the symbol used when there is no message or the value is not known.

Each party randomly selects a long-term private key, computes the corresponding long-term public key, and sends the public key to the other party, so that both parties hold the public parameters and each other's public key. Each party also holds the hash values of its own and its peer's identification (Table 1). To establish a session key with the responder, the initiating client runs the protocol as follows.
(1) The initiator
(a) randomly selects an ephemeral private key,
(b) computes its ephemeral public point and the truncated form of that point's x-coordinate,
(c) computes its intermediate scalar from its long-term private key, its ephemeral private key, and the truncated x-coordinate,
(d) sends its ephemeral public point to the responder.
(2) Upon receiving this message, the responder
(a) randomly selects an ephemeral private key,
(b) computes its ephemeral public point, the truncated x-coordinates, its intermediate scalar, and the shared point from which the session key is derived,
(c) (optional, for key confirmation) computes its confirmation tag,
(d) sends its ephemeral public point to the initiator (together with the confirmation tag if key confirmation is used).
(3) Upon receiving the message(s) from the responder, the initiator
(a) computes the truncated x-coordinate of the responder's point, the shared point, and the session key,
(b) (optional, for key confirmation) recomputes the responder's confirmation tag,
(c) verifies that the recomputed tag equals the received one; if so, the initiator is assured that the responder actually possesses the session key, otherwise the initiator terminates the protocol run and outputs an error;
(i) (optional, for key confirmation) computes its own confirmation tag,
(ii) sends it to the responder.
(4) (Optional, for key confirmation.) Upon receiving the initiator's tag, the responder
(a) recomputes the initiator's tag,
(b) verifies that it equals the received value,
(c) terminates the protocol run and outputs an error if the verification fails,
(d) otherwise is assured that the initiator actually possesses the session key.
(5) The established session key is the output of the key derivation function.
(6) The SID is the concatenation of the two ephemeral public points, or of the ephemeral points and the confirmation tags in the case where key confirmation is required.
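The exchange described in steps (1) to (6), as an added worked example that is not part of the original paper and is not the SM2 standard's own code. It runs the SM2 key agreement end to end in pure Python on the SM2 recommended 256-bit curve, including the key confirmation tags and the validation of the peer's ephemeral point that a receiving party must perform before using it. The following are assumptions of this example rather than anything on the page: SHA-256 is used as a stand-in for the SM3 hash (so keys and tags are not interoperable with real SM2 software), the identities and the names Party, run_exchange and substitution_detected are constructed for illustration, and the point arithmetic is naive affine double-and-add with no side-channel protection.

```python
# Added example, not the paper's or the SM2 standard's own code: the SM2 key exchange of
# Section 3.1 run end-to-end with the optional key confirmation. Assumptions: the SM2
# recommended curve; SHA-256 stands in for SM3 in both the hash and the KDF (not interoperable).
import hashlib
import secrets
# Curve y^2 = x^3 + a*x + b over F_p; base point G of prime order n; cofactor h = 1.
P = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
A = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
B = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
N = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFF7203DF6B21C6052B53BBF40939D54123
G = (0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7,
     0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0)
H, W = 1, (N.bit_length() + 1) // 2 - 1  # w = ceil(ceil(log2 n) / 2) - 1 = 127

def on_curve(pt):
    return (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    if p1 is None or p2 is None:  # None is the point at infinity
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = ((3 * x1 * x1 + A) * pow(2 * y1, -1, P) if x1 == x2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    acc = None  # double-and-add scalar multiplication (not constant-time; demo only)
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def hash_(data): return hashlib.sha256(data).digest()  # stand-in for SM3
def i2b(x): return x.to_bytes(32, "big")  # 32-byte big-endian field element

def z_value(ident, pub):
    # Z = Hash(ENTL || ID || a || b || xG || yG || xPub || yPub), ENTL = bit length of ID.
    entl = (len(ident) * 8).to_bytes(2, "big")
    return hash_(entl + ident + i2b(A) + i2b(B) + i2b(G[0]) + i2b(G[1]) + i2b(pub[0]) + i2b(pub[1]))

def kdf(z, klen):
    out, ct = b"", 1  # counter-mode KDF: Hash(Z || ct), ct = 1, 2, ..., truncated to klen bytes
    while len(out) < klen:
        out, ct = out + hash_(z + ct.to_bytes(4, "big")), ct + 1
    return out[:klen]

def bar(x):
    return (1 << W) | (x & ((1 << W) - 1))  # x-bar: the low w bits of x with bit w set

class Party:
    def __init__(self, ident):
        self.ident, self.d = ident, secrets.randbelow(N - 1) + 1  # long-term private key in [1, n-1]
        self.pub = mul(self.d, G)

    def ephemeral(self):
        self.r = secrets.randbelow(N - 1) + 1  # ephemeral private key
        self.R = mul(self.r, G)  # ephemeral point sent on the wire
        return self.R

    def derive(self, peer_ident, peer_pub, peer_R, initiator, klen=16):
        # Returns (session key, tag sent by the responder, tag sent by the initiator).
        if peer_R is None or not on_curve(peer_R):  # validate the peer's point before using it
            raise ValueError("peer ephemeral point is invalid")
        t = (self.d + bar(self.R[0]) * self.r) % N  # t = d + x-bar * r mod n
        shared = mul(H * t % N, add(peer_pub, mul(bar(peer_R[0]), peer_R)))  # [h*t](P_peer + [x-bar']R_peer)
        if shared is None:
            raise ValueError("shared point is the point at infinity")
        xs, ys = shared
        za, zb, ra, rb = z_value(self.ident, self.pub), z_value(peer_ident, peer_pub), self.R, peer_R
        if not initiator:  # the initiator's Z and R always come first in the hashed strings
            za, zb, ra, rb = zb, za, rb, ra
        key = kdf(i2b(xs) + i2b(ys) + za + zb, klen)
        inner = hash_(i2b(xs) + za + zb + i2b(ra[0]) + i2b(ra[1]) + i2b(rb[0]) + i2b(rb[1]))
        tag_b = hash_(b"\x02" + i2b(ys) + inner)  # S_B: sent by B, recomputed by A as S_1
        tag_a = hash_(b"\x03" + i2b(ys) + inner)  # S_A: sent by A, recomputed by B as S_2
        return key, tag_b, tag_a

def run_exchange(klen=16):
    # Honest run of steps (1)-(4); returns both parties' session keys, which must agree.
    alice, bob = Party(b"ALICE123@YAHOO.COM"), Party(b"BILL456@YAHOO.COM")  # constructed identities
    ra = alice.ephemeral()  # (1) A -> B: R_A
    rb = bob.ephemeral()
    kb, sb, s2 = bob.derive(alice.ident, alice.pub, ra, initiator=False, klen=klen)  # (2) B -> A: R_B, S_B
    ka, s1, sa = alice.derive(bob.ident, bob.pub, rb, initiator=True, klen=klen)
    if s1 != sb or sa != s2:  # (3) A checks S_1 == S_B and sends S_A; (4) B checks S_2 == S_A
        raise ValueError("key confirmation failed")
    return ka, kb

def substitution_detected():
    # Active attacker swaps R_B for its own point; without d_B it cannot make S_B match A's S_1.
    alice, bob, mallory = Party(b"ALICE"), Party(b"BOB"), Party(b"MALLORY")
    ra, _, fake_rb = alice.ephemeral(), bob.ephemeral(), mallory.ephemeral()
    _, sb, _ = bob.derive(alice.ident, alice.pub, ra, initiator=False)
    _, s1, _ = alice.derive(bob.ident, bob.pub, fake_rb, initiator=True)
    return s1 != sb
```

run_exchange() returns two equal 128-bit keys. substitution_detected() shows the failure mode that the confirmation flow exists to catch: an attacker who replaces the responder's ephemeral point cannot produce a matching tag without the responder's long-term private key, so the initiator aborts at step (3). The on-curve check before the peer's point is used is the check an implementer should not omit: an unvalidated point lets the attacker supply a value outside the intended group.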
3.2. Security Proof
The security of the protocol—see Theorem 5—is based on the ECDLP assumption (see Definition 4) in the random oracle model.
Definition 4 (ECDLP Assumption). The elliptic curve discrete logarithm problem (ECDLP) is the discrete logarithm problem (DLP) [26] instantiated in the group of points of an elliptic curve: given the base point and a point that is a scalar multiple of it, compute the scalar. The ECDLP assumption states that no probabilistic polynomial-time algorithm solves this problem with non-negligible probability for the curve used by the protocol. Any algorithm that solves the DLP in an arbitrary (generic) group therefore also solves the ECDLP; the converse does not hold, and in particular the index-calculus methods that make the DLP in prime fields subexponential are not known to apply to elliptic curve groups.
Theorem 5. The SM2 protocol is secure in the sense of Definition 3 when the underlying hash and key derivation functions are modelled as random oracles and the ECDLP assumption holds in the underlying elliptic curve group.
The soundness requirement (item (1) of Definition 3) is trivial to verify: in the absence of an adversary both parties compute the same shared point and hence derive the same session key. We now concentrate on the indistinguishability requirement.
In the usual tradition of reductionist proofs, we assume that there exists an adversary against the protocol with a non-negligible advantage in the security parameter, and we construct a solver that uses this adversary to solve the ECDLP. The solver simulates the adversary's view by answering all of its Send, Reveal, Corrupt, and Test queries. The solver starts by randomly selecting two users and a session number as its guess of the test session. It also manages the two random oracles (the hash function and the key derivation function) in order to answer the adversary's queries: when the hash oracle is queried, the solver checks whether the input is already in its list and, if so, returns the stored response; otherwise it responds with a fresh random output of the appropriate length and adds the input and output to the list. Key derivation queries are answered in the same manner.
(i) Send queries: for any well-formed Send query, the solver can answer with the right output as the protocol specification demands. Specifically:
(a) If the queried oracle is the initiator and its intended partner is the responder, the solver outputs the initiator's first message.
(b) If the queried oracle is the responder, its intended partner is the initiator, and the query carries the initiator's first message: (1) if the responder has previously rejected this message, the solver responds with the error symbol; otherwise it verifies that the message is of the right format; (2) if the message verifies correctly, the solver outputs the responder's reply; otherwise it aborts the simulation and outputs the error symbol.
(c) If the queried oracle is the initiator and the query carries the responder's reply: (1) if the initiator has previously rejected this message, the solver responds with the error symbol; otherwise it verifies that the message is of the right format; (2) if the message verifies correctly, the solver outputs the initiator's final (confirmation) message; otherwise it aborts the simulation and outputs the error symbol.
(ii) Reveal queries: if the query is directed at the guessed test session or its partner, the solver aborts the simulation and fails. Otherwise the query is answered with the correct session key as long as the oracle has accepted and neither it nor its partner has been corrupted; such a session is thereby rendered unfresh.
(iii) Corrupt queries: this query is answered as per the protocol specification unless it is directed at one of the two guessed users, in which case the solver aborts the simulation and fails.
(iv) Test queries: if the query is not directed at the guessed test session, the solver aborts the simulation and fails. Otherwise the solver checks that the oracle has accepted and that the session is fresh; if so, the adversary is given either the actual session key or a key drawn randomly from the session key distribution, depending on the randomly chosen bit.
For the adversary to distinguish whether the value returned is the actual session key or a key drawn randomly from the session key distribution, it has to determine the correct shared point (that is, the correct intermediate scalars of the two parties) and query the key derivation oracle on it, since the session key is the key derivation of that point together with the identity hashes. For this to happen, one of the following must occur.
(i) The adversary has to recover the initiator's long-term private key and ephemeral private key from the corresponding public points in order to compute the initiator's intermediate scalar and hence the session key. If the adversary can recover these values, the solver can use it to solve the ECDLP. Writing the adversary's advantages in computing the long-term and the ephemeral private key, and the event that it then computes the session key from them, we have
(ii) Alternatively, the adversary has to recover the responder's long-term and ephemeral private keys. Writing the corresponding advantages and the event that it then computes the session key from them in the same way, we have
The adversary therefore has only a negligible advantage in distinguishing the real session key from a random one. Writing the number of Test queries asked and the event that the adversary correctly distinguishes the session key, we now have
Since , , , , , , and , , we have and . Therefore,
This concludes the proof for Theorem 5.
4. A Provably-Secure Simplified SM2 Key Exchange Protocol
In this section, we propose a more efficient version of the SM2 protocol—see Table 2—and prove its security in the BellareRogaway model.

4.1. Protocol Description
Each party randomly selects a long-term private key, computes its long-term public key and its identity hash value, and sends these to the other party; the system parameters are public. To establish a session key, the parties proceed as follows.
(1) The initiator
(a) randomly selects an ephemeral private key,
(b) computes its ephemeral public point and the associated intermediate value,
(c) sends the ephemeral public point to the responder.
(2) Upon receiving it, the responder
(a) randomly selects an ephemeral private key,
(b) computes its ephemeral public point, its intermediate value, the shared point, and the session key,
(c) (optional, for key confirmation) computes its confirmation tag,
(d) sends its ephemeral public point to the initiator (together with the confirmation tag if key confirmation is used).
(3) Upon receiving the message(s) from the responder, the initiator
(a) computes the shared point and the session key,
(b) (optional, for key confirmation) recomputes the responder's confirmation tag,
(c) verifies that the recomputed tag equals the received one; if so, the initiator is assured that the responder actually possesses the session key, otherwise it terminates the protocol run and outputs an error;
(i) (optional, for key confirmation) computes its own confirmation tag,
(ii) sends it to the responder.
(4) (Optional, for key confirmation.) Upon receiving the initiator's tag, the responder
(a) recomputes the initiator's tag,
(b) verifies that it equals the received value,
(c) terminates the protocol run and outputs an error if the verification fails; otherwise it is assured that the initiator actually possesses the session key.
The established session key is the output of the key derivation function, and the SID is the concatenation of the two ephemeral public points, or of the ephemeral points and the confirmation tags in the case where key confirmation is required.
4.2. Security Proof
Theorem 6. The simplified SM2 protocol (Table 2) is secure in the sense of Definition 3 when the underlying hash and key derivation functions are modelled as random oracles and the ECDLP assumption holds in the underlying elliptic curve group.
The proof proceeds as in Section 3.2. Send queries are simulated exactly as there: for any well-formed Send query the solver answers as the protocol specification demands. Specifically, (a) if the queried oracle is the initiator and its intended partner is the responder, the solver outputs the initiator's first message; (b) if the queried oracle is the responder and the query carries the initiator's first message, the solver returns the error symbol if that message was previously rejected, otherwise verifies that it is of the right format and then outputs the responder's reply, or aborts the simulation and outputs the error symbol if verification fails; (c) if the queried oracle is the initiator and the query carries the responder's reply, the solver likewise returns the error symbol for a previously rejected message, otherwise verifies the format and outputs the initiator's confirmation message, or aborts the simulation and outputs the error symbol if verification fails.
Simulations for the Reveal, Corrupt, and Test queries follow those of Section 3.2.
For the adversary to distinguish whether the value returned is the actual session key or a key drawn randomly from the session key distribution (i.e., whether the hidden bit is 0 or 1), it has to determine the correct shared point and hence the session key. For this to happen, the adversary has to obtain the correct intermediate value in order to compute the shared point and consequently the session key. To obtain it, the adversary has to compute a party's private value from the corresponding public point, which is an instance of the ECDLP.
Let denote ’s advantage in computing from , and we have
Let denote ’s advantage in computing from , and we have
Let denote the event that is able to distinguish whether the value returned is the actual session key or a session key drawn randomly from the session key distribution. We then have
Since, , , , , , and , , we have − and . It follows that .
This concludes the proof for Theorem 6.
5. Conclusion
Key exchange protocols are a cornerstone of secure communication. By proving the widely used Chinese Government SM2 protocol secure in the Bellare-Rogaway model under the ECDLP assumption, we hope to give protocol implementers stronger assurance that the protocol provides the properties claimed for it. In addition, we presented a more efficient version of the SM2 protocol with a proof of security in the Bellare-Rogaway model under the ECDLP assumption.
A comparison with six existing pairing-free protocols (Table 3) shows that the computational load of our simplified SM2 protocol is no more than that of the six protocols and of SM2 itself, while it provides both implicit key confirmation (each party is assured that the other can compute the session key) and, with the optional confirmation flow, explicit key confirmation (each party is assured that the other has actually computed the session key). In Table 3 the four operation symbols denote addition, multiplication, exponentiation, and hash operations, respectively.
Conflict of Interests
As the authors of the paper, we do not have a direct financial relation with any institution or organization mentioned in our paper that might lead to a conflict of interests for any of the authors.
References
[1] Z. Cheng, Y. Liu, C. Chang, and C. Guo, “A fault-tolerant group key agreement protocol exploiting dynamic setting,” International Journal of Communication Systems, vol. 26, no. 2, pp. 259–275, 2013.
[2] D. He, J. Chen, and J. Hu, “A pairing-free certificateless authenticated key agreement protocol,” International Journal of Communication Systems, vol. 25, no. 2, pp. 221–230, 2012.
[3] D. He, C. Chen, M. Ma, S. Chan, and J. Bu, “A secure and efficient password-authenticated group key exchange protocol for mobile ad hoc networks,” International Journal of Communication Systems, vol. 26, no. 4, pp. 495–504, 2013.
[4] K.-K. R. Choo, J. Nam, and D. Won, “A mechanical approach to derive identity-based protocols from Diffie-Hellman-based protocols,” Information Sciences, vol. 281, pp. 182–200, 2014.
[5] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in Cryptology—CRYPTO 1984, vol. 196 of Lecture Notes in Computer Science, pp. 47–53, Springer, Berlin, Germany, 1985.
[6] S. Al-Riyami and K. Paterson, “Certificateless public key cryptography,” in Advances in Cryptology—ASIACRYPT 2003, vol. 2894 of Lecture Notes in Computer Science, pp. 452–473, Springer, Berlin, Germany, 2003.
[7] G. Lippold, C. Boyd, and J. Nieto, “Strongly secure certificateless key agreement,” in Pairing-Based Cryptography—Pairing 2009, vol. 5671 of Lecture Notes in Computer Science, pp. 206–230, Springer, Berlin, Germany, 2009.
[8] C. Swanson, Security in Key Agreement: Two-Party Certificateless Schemes, M.S. thesis, University of Waterloo, 2008.
[9] L. Zhang, F. Zhang, Q. Wu, and J. Domingo-Ferrer, “Simulatable certificateless two-party authenticated key agreement protocol,” Information Sciences, vol. 180, no. 6, pp. 1020–1030, 2010.
[10] X. Cao, W. Kou, and X. Du, “A pairing-free identity-based authenticated key agreement protocol with minimal message exchanges,” Information Sciences, vol. 180, no. 15, pp. 2895–2903, 2010.
[11] M. Joye and G. Neven, Identity-Based Cryptography, IOS Press, 2009.
[12] R. W. Zhu, G. Yang, and D. S. Wong, “An efficient identity-based key exchange protocol with KGS forward secrecy for low-power devices,” Theoretical Computer Science, vol. 378, no. 2, pp. 198–207, 2007.
[13] X. Cao, W. Kou, Y. Yu, and R. Sun, “Identity-based authenticated key agreement protocols without bilinear pairings,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E91-A, no. 12, pp. 3833–3836, 2008.
[14] D. He, Y. Chen, J. Chen, R. Zhang, and W. Han, “A new two-round certificateless authenticated key agreement protocol without bilinear pairings,” Mathematical and Computer Modelling, vol. 54, no. 11-12, pp. 3143–3152, 2011.
[15] Chinese Government State Cryptography Administration, “Public key cryptographic algorithm SM2 based on elliptic curves” (in Chinese), 2010, http://www.oscca.gov.cn/UpFile/2010122214822692.pdf.
[16] Chinese Government State Cryptography Administration, “State Cryptography Administration announcement no. 24” (in Chinese), 2012, http://www.oscca.gov.cn/News/201212/News_1234.htm.
[17] Chinese Government State Cryptography Administration and Chinese Administration of Customs, “State Cryptography Administration announcement no. 64,” 2012, http://www.oscca.gov.cn/WebSite/smb/Upload/File/201301/20130125170704188.pdf.
[18] J. Xu and D. Feng, “Comments on the SM2 key exchange protocol,” in Cryptology and Network Security, vol. 7092 of Lecture Notes in Computer Science, pp. 160–171, Springer, Berlin, Germany, 2011.
[19] C. Boyd and K.-K. R. Choo, “Security of two-party identity-based key agreement,” in Progress in Cryptology—Mycrypt 2005, vol. 3715 of Lecture Notes in Computer Science, pp. 229–243, Springer, Berlin, Germany, 2005.
[20] C. Boyd and A. Mathuria, Protocols for Authentication and Key Establishment, Springer, Berlin, Germany, 2003.
[21] K.-K. R. Choo, Secure Key Establishment, vol. 41 of Advances in Information Security, Springer, 2009.
[22] M. Bellare and P. Rogaway, “Entity authentication and key distribution,” in Advances in Cryptology—CRYPTO 1993, vol. 773 of Lecture Notes in Computer Science, pp. 232–249, Springer, Berlin, Germany, 1994.
[23] M. Bellare and P. Rogaway, “Provably secure session key distribution—the three party case,” in Proceedings of the 27th ACM Symposium on Theory of Computing, pp. 57–66, 1995.
[24] G. Yang and C. Tan, “Strongly secure certificateless key exchange without pairing,” in Proceedings of the 6th International Symposium on Information, Computer and Communications Security (ASIACCS '11), pp. 71–79, Hong Kong, March 2011.
[25] Y. Chen and W. Han, “Efficient identity-based authenticated multiple key exchange protocol,” Acta Scientiarum Technology, vol. 35, no. 4, pp. 629–636, 2013.
[26] D. Boneh and R. Lipton, “Algorithms for black-box fields and their application to cryptography,” in Advances in Cryptology—CRYPTO '96, vol. 1109 of Lecture Notes in Computer Science, pp. 283–297, Springer, Berlin, Germany, 1996.
Copyright
Copyright © 2014 Ang Yang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.