China has developed its own suite of cryptographic standards, known as the SM (ShangMi) algorithms, to address national security concerns and reduce reliance on foreign technologies. The State Cryptography Administration (SCA) oversees these standards, which are now mandatory in many sectors, especially those involving government, finance, and critical infrastructure. The SM series includes symmetric ciphers, hash functions, and public-key algorithms, with SM4 and SM3 being the most widely adopted for encryption and hashing, respectively.

For more on global cryptography standards, see NIST SP 800-175B.

The SM algorithms are a family of cryptographic primitives designed to meet China’s unique regulatory and security requirements. They include:

• SM2 – Public key cryptography based on elliptic curves
• SM3 – Cryptographic hash function
• SM4 – Block cipher for symmetric encryption

This article focuses on SM4 and SM3, which are now integral to secure communications, data integrity, and compliance in China.

SM4 is a block cipher algorithm developed by the Chinese government for symmetric encryption. It is the official standard for wireless LAN products in China and is widely used in government and commercial applications. The algorithm was published by the SCA in 2006 and later standardized as GB/T 32907-2016.

SM3 is a cryptographic hash function, similar in purpose to SHA-256. It is designed to provide data integrity and authentication, forming the backbone of digital signatures and message authentication codes (MACs) in Chinese cryptographic systems. SM3 was published in 2010 and standardized as GB/T 32905-2016.

The SM4 algorithm is a symmetric-key block cipher, meaning the same key is used for both encryption and decryption. It is optimized for both software and hardware implementations, making it suitable for a wide range of applications, from embedded devices to enterprise systems.

• Block size: 128 bits
• Key size: 128 bits
• Structure: Unbalanced Feistel network
• Number of rounds: 32
• Standardization: GB/T 32907-2016

The SM4 cipher is similar in block and key size to the AES standard but uses a unique round function and key schedule.

The SM4 encryption process involves the following steps:

1. Key Expansion: The 128-bit key is expanded into 32 round keys using a non-linear key schedule.
2. Initial Transformation: The plaintext block is divided into four 32-bit words.
3. Round Function: Each round applies a combination of non-linear substitution (using S-boxes), linear transformation, and XOR operations with the round key.
4. Final Transformation: After 32 rounds, the output is recombined to form the ciphertext block.

Here is a simplified pseudocode of one round of SM4:

for i = 0 to 31:
    temp = X[i+1] ^ X[i+2] ^ X[i+3] ^ rk[i]
    X[i+4] = X[i] ^ T(temp)

Where T() is a non-linear transformation involving S-box and linear operations.

• Resistance to Known Attacks: No practical attacks against full-round SM4 have been published as of 2024.
• Efficient Performance: Optimized for both hardware and software, making it suitable for high-throughput environments.
• Mandatory Use: Required in Chinese government and many regulated sectors.

For more on block cipher security, see CISA’s guide to encryption.

• Wireless LAN Security: Standard encryption for WLAN products in China.
• Financial Transactions: Securing payment systems and banking applications.
• Government Communications: Protecting classified and sensitive data.
• IoT Devices: Embedded encryption in smart devices and industrial control systems.

The SM3 algorithm is a cryptographic hash function designed to provide data integrity and authentication. It is similar in design and purpose to the SHA-256 algorithm but incorporates unique structural elements. For a deeper technical comparison between these and other hash algorithms, see Hash Algorithms Explained: Secure Password Storage.

• Digest size: 256 bits
• Block size: 512 bits
• Structure: Merkle–Damgård construction
• Rounds: 64 per message block
• Standardization: GB/T 32905-2016

The SM3 hashing process follows these steps:

1. Padding: The input message is padded to a multiple of 512 bits.
2. Message Expansion: Each block is expanded into 68 32-bit words through permutation and mixing.
3. Compression Function: The expanded words are processed through 64 rounds of non-linear and linear transformations, updating the hash state.
4. Finalization: After processing all blocks, the final 256-bit hash is produced.

Here is a simplified pseudocode for the compression function:

for j = 0 to 63:
    SS1 = ROTL((ROTL(A, 12) + E + ROTL(Tj, j)), 7)
    SS2 = SS1 ^ ROTL(A, 12)
    TT1 = FFj(A, B, C) + D + SS2 + Wj
    TT2 = GGj(E, F, G) + H + SS1 + Wj'
    // Update state variables

Where FFj and GGj are non-linear functions, and Wj, Wj' are expanded message words.

• Collision Resistance: No practical collisions have been found as of 2024.
• Preimage Resistance: Designed to resist preimage and second-preimage attacks.
• Performance: Comparable to SHA-256 in speed and efficiency.

For a detailed analysis, see CRYPTREC’s technical report on SM3.

• Digital Signatures: Used with SM2 for secure electronic signatures.
• Message Authentication: Ensuring integrity of messages and files.
• Blockchain: Hashing transactions and blocks in Chinese blockchain platforms.
• PKI Systems: Certificate generation and validation.

Understanding how SM4 and SM3 compare to international standards is essential for organizations operating globally or interfacing with Chinese systems. If you need to quickly identify hash algorithms like SM3, this online free hash identification tool can help recognize over 250 types.

Both algorithms are considered secure for practical use, but SM4 is primarily used within China due to regulatory requirements.

For more on AES, see NIST FIPS 197. For an in-depth look at AES, see Understanding AES: The Cornerstone of Modern Cryptographic Defense.

Both SM3 and SHA-256 offer strong security, but interoperability can be a challenge when integrating Chinese and international systems. For a comprehensive guide to secure hashing with SHA-256, see Understanding SHA-256: A Comprehensive Guide to Secure Hashing.

For more on SHA-256, see NIST FIPS 180-4.

The adoption of SM4 and SM3 algorithms is driven by regulatory mandates and the need for secure, sovereign cryptography in China. However, their implementation poses unique challenges, especially for multinational organizations.

• Government Mandates: Use of SM algorithms is required in government, finance, and telecom sectors.
• Industry Adoption: Widespread in banking, insurance, and payment systems.
• Technology Ecosystem: Supported by major Chinese hardware and software vendors.

For regulatory context, see ISACA’s analysis of China’s Cryptography Law.

• Interoperability: Integrating SM algorithms with global systems can be complex due to differing standards.
• Export Controls: Some countries have restrictions on the import or use of Chinese cryptographic algorithms.
• Vendor Support: Limited support for SM4 and SM3 in mainstream international cryptographic libraries.

For cross-border compliance, see ISO/IEC 19896-1:2018.

• Technical Integration: Adapting existing systems to support SM4 and SM3 may require significant development effort.
• Performance Tuning: Ensuring optimal performance in hardware and software environments.
• Compliance Verification: Demonstrating adherence to Chinese cryptographic standards during audits. To ensure your implementation remains robust and compliant, regular professional password audits and recovery testing are recommended.
• Key Management: Secure generation, storage, and distribution of cryptographic keys.

For implementation best practices, refer to CIS Cryptographic Controls.

The use of SM4 and SM3 algorithms has significant implications for security and regulatory compliance, particularly for organizations handling sensitive data in China.

• Mandatory Use: Chinese law requires the use of SM algorithms in many sectors.
• Certification: Products using SM4 and SM3 may need certification from Chinese authorities.
• Data Localization: Cryptographic operations may be required to occur within Chinese borders.

For compliance guidance, see CrowdStrike’s overview of China’s Cybersecurity Law.

• Algorithm Agility: Design systems to support multiple cryptographic algorithms for future-proofing.
• Vetting Implementations: Use certified libraries and avoid custom or untested implementations.
• Regular Audits: Conduct periodic security assessments to ensure compliance and detect vulnerabilities.
• Key Protection: Implement strong key management and access controls.

For risk management, see SANS Institute’s cryptography white papers.

The future of SM4 and SM3 algorithms is closely tied to China’s ongoing efforts to enhance digital sovereignty and cybersecurity. As the global landscape evolves, several trends are emerging:

• Increased Adoption: Expansion into new sectors such as healthcare, automotive, and smart cities.
• International Standardization: Ongoing efforts to promote SM algorithms in international standards bodies like ISO/IEC.
• Post-Quantum Cryptography: Research into quantum-resistant variants and integration with next-generation cryptographic protocols. For more on the global shift to quantum-resistant standards, see Post‑Quantum Encryption Guide: Shield Data Now.
• Interoperability Solutions: Development of hybrid cryptographic frameworks to bridge Chinese and international systems.

For updates on cryptographic trends, follow ENISA’s cryptography resources.

SM4 & SM3 algorithms are foundational to China’s cryptographic landscape, offering robust security and compliance with national regulations. As digital ecosystems become increasingly interconnected, understanding these standards is vital for secure operations, regulatory compliance, and international collaboration. Organizations should stay informed about evolving requirements, implementation best practices, and emerging trends to ensure effective and secure use of SM4 and SM3 algorithms.

• NIST SP 800-175B: Guideline for Using Cryptographic Standards in the Federal Government
• ISO/IEC 19896-1:2018: Competence requirements for information security testers and evaluators
• CISA: Understanding Encryption and Why It Matters
• CrowdStrike: China Cybersecurity Law
• CRYPTREC: Technical Report on SM3
• NIST FIPS 197: Advanced Encryption Standard (AES)
• NIST FIPS 180-4: Secure Hash Standard
• SANS Institute: Cryptography White Papers
• ENISA: SM4 Algorithm
• Online Free Hash Generator: calculate 50+ algorithms