[volta83]

> SM3/4 are required for use in certain places in China. RISC-V is popular in China, hence their inclusion in the RISC-V spec.

That sounds like a pretty poor reason.

China could create the RISC-V SCE-China spec that extends RISC-V SCE with these, and call it a day, instead of requiring the rest of the world to waste transistors for something that's useless.

[bem94]

The algorithm specific instructions are all optional. You can have AES without SM4 or vice versa. RISC-V is great like that, it's designed to be modular.

> instead of requiring the rest of the world to waste transistors for something that's useless.

I'm sure Chinese manufacturers might feel the same about NIST standards.

[tialaramex]

> I'm sure Chinese manufacturers might feel the same about NIST standards.

Don't count on it. For example have you ever wondered why there isn't a Russian Certificate Authority trusted in the Web PKI? There's no market for one. If you're a Russian, you can see that a Russian CA is obviously subject to control by Putin, which even if you like Putin today doesn't seem like a perpetually great idea, so you would choose some European CA instead. And if you're not a Russian you clearly don't want to trust this CA.

Now, there are some Chinese CAs, but it's again interesting that they're not popular in China. China has a huge population, plenty of potential customers, but somehow even though there is more than one CA in China, very few certificates between them. Similar to the number issued to the Government of Spain (not all companies in Spain, just their government). Same reasoning. Even if I think Xi Jinping is great and I'm a proud Chinese national, a certificate from the US or Switzerland seems like a better choice.

The Americans fall far below the lofty moral standards they set for others [in the other room is my redacted copy of the Committee Study of the Central Intelligence Agency's Detention and Interrogation Program, grim reading about American torture even though much of what the senate were shown is redacted], but only at your considerable peril should you would mistake that for meaning their cryptography is no better than whatever home grown offering has been chosen in your country despite their billions spent and their expertise in this domain.

[nullc]

> For example have you ever wondered why there isn't a Russian Certificate Authority trusted in the Web PKI? There's no market for one.

A more direct comparison would be Russian ciphers and there absolutely are modern Russian ciphers, e.g. https://en.wikipedia.org/wiki/Kuznyechik

[mananaysiempre]

Nobody uses those, either, except possibly as required to interact with the cursed government PKI (about as cursed as early 00s EU government PKIs... are those still around?). Also maybe the government people with clearances, but the less said about them the better. But that’s mostly network effects, frankly, not trust. (Nobody uses Camellia, either.) Trust issues as described by the GP do exist but mostly factor into choosing domain names, registrars, hosting, and such.

But China, unlike Russia, does have an internal technological environment meaningfully separate from the world at large. It may also be trying to cultivate an ecosystem of private government contractors, which the intense criminality of Russian government procurement doesn’t permit. (China also has a general-purpose IC fabrication industry worth a damn, whereas for Russia the equivalent question is in any case largely moot.)

[Taniwha]

My quick summary of sm3/sm4 is: - sm3 is pretty trivial to implement - sm4 is about 1/16 the complexity of the spec's aes implementation (one box lookup per clock rather than 8 and no inverted version)

So if you want to court the (giant) Chinese market it's kind of a no brainer