ShangMi (SM) Cipher Suites for TLS 1.3
RFC 8998

Document Type RFC - Informational (March 2021; No errata)
Author Paul Yang 
Last updated 2021-03-10
Stream Independent Submission
Formats plain text html xml pdf htmlized (tools) htmlized bibtex
IETF conflict review conflict-review-yang-tls-tls13-sm-suites
Additional Resources
- Github repository for original Markdown file of this draft.
Stream ISE state Published RFC
Consensus Boilerplate Unknown
Document shepherd Adrian Farrel
Shepherd write-up Show (last changed 2020-12-15)
IESG IESG state RFC 8998 (Informational)
Telechat date
Responsible AD (None)
Send notices to Adrian Farrel <>
IANA IANA review state IANA OK - Actions Needed
IANA action state RFC-Ed-Ack
IANA expert review state Expert Reviews OK

Independent Submission                                           P. Yang
Request for Comments: 8998                                     Ant Group
Category: Informational                                       March 2021
ISSN: 2070-1721

                 ShangMi (SM) Cipher Suites for TLS 1.3


   This document specifies how to use the ShangMi (SM) cryptographic
   algorithms with Transport Layer Security (TLS) protocol version 1.3.

   The use of these algorithms with TLS 1.3 is not endorsed by the IETF.
   The SM algorithms are becoming mandatory in China, so this document
   provides a description of how to use the SM algorithms with TLS 1.3
   and specifies a profile of TLS 1.3 so that implementers can produce
   interworking implementations.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This is a contribution to the RFC Series, independently of any other
   RFC stream.  The RFC Editor has chosen to publish this document at
   its discretion and makes no statement about its value for
   implementation or deployment.  Documents approved for publication by
   the RFC Editor are not candidates for any level of Internet Standard;
   see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
     1.1.  The SM Algorithms
     1.2.  Terminology
   2.  Algorithm Identifiers
   3.  Algorithm Definitions
     3.1.  TLS Versions
     3.2.  Authentication
       3.2.1.  SM2 Signature Scheme
     3.3.  Key Exchange
       3.3.1.  Hello Messages
       3.3.2.  CertificateRequest
       3.3.3.  Certificate
       3.3.4.  CertificateVerify
     3.4.  Key Scheduling
     3.5.  Cipher
       3.5.1.  AEAD_SM4_GCM
       3.5.2.  AEAD_SM4_CCM
   4.  IANA Considerations
   5.  Security Considerations
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  SM4-GCM Test Vectors
     A.2.  SM4-CCM Test Vectors
   Author's Address

1.  Introduction

   This document describes two new cipher suites, a signature algorithm
   and a key exchange mechanism for the Transport Layer Security (TLS)
   protocol version 1.3 (TLS 1.3) ([RFC8446]).  These all utilize
   several ShangMi (SM) cryptographic algorithms to fulfill the
   authentication and confidentiality requirements of TLS 1.3.  The new
   cipher suites are as follows (see also Section 2):

      CipherSuite TLS_SM4_GCM_SM3 = { 0x00, 0xC6 };
      CipherSuite TLS_SM4_CCM_SM3 = { 0x00, 0xC7 };

   For a more detailed introduction to SM cryptographic algorithms,
   please see Section 1.1.  These cipher suites follow the TLS 1.3
   requirements.  Specifically, all the cipher suites use SM4 in either
   Galois/Counter (GCM) mode or Counter with CBC-MAC (CCM) mode to meet
   the needs of TLS 1.3 to have an encryption algorithm that is
   Authenticated Encryption with Associated Data (AEAD) capable.  The
   key exchange mechanism utilizes Elliptic Curve Diffie-Hellman
   Ephemeral (ECDHE) over the SM2 elliptic curve, and the signature
   algorithm combines the SM3 hash function and the SM2 elliptic curve
   signature scheme.

   For details about how these mechanisms negotiate shared encryption
   keys, authenticate the peer(s), and protect the record structure,
   please see Section 3.

   The cipher suites, signature algorithm, and key exchange mechanism
   defined in this document are not recommended by the IETF.  The SM
   algorithms are becoming mandatory in China, so this document provides
   a description of how to use them with TLS 1.3 and specifies a profile
   of TLS 1.3 so that implementers can produce interworking

1.1.  The SM Algorithms

   Several different SM cryptographic algorithms are used to integrate
   with TLS 1.3, including SM2 for authentication, SM4 for encryption,
   and SM3 as the hash function.

   SM2 is a set of cryptographic algorithms based on elliptic curve
   cryptography, including a digital signature, public key encryption
   and key exchange scheme.  In this document, only the SM2 digital
   signature algorithm and basic key exchange scheme are involved, which
   have already been added to ISO/IEC 14888-3:2018 [ISO-SM2] (as well as
   to [GBT.32918.2-2016]).  SM4 is a block cipher defined in
   [GBT.32907-2016] and now is being standardized by ISO to ISO/IEC
Show full document text