SM3National SM hash tool user guide
SM3is a cryptographic hash algorithm released by China’s State Cryptography Administration in 2010 and an important part of China’s commercial cryptography (SM) standards. SM3 became the national cryptographic industry standard (GB/T 32905) in 2016 and was approved as a national standard by the Standardization Administration of China in 2018. This tool provides a professional online SM3 hash calculation service, producing a fixed 256-bit (64 hexadecimal characters) hash value, supporting text and file processing, and suited to government systems, financial institutions, and other scenarios that require SM compliance。
Key features
🇨🇳 SM/GM standard compliance
Fully compliant with the GB/T 32905 national standard and meets SM compliance requirements。
Input:
Hello WorldHex:
44f0061e69fa6fdfc290c494654a05dc0c053da7e5c52b84ef93a9d67d3fff88Base64:
RPAGHmn6b9/CkMSUZUoF3AwFPaflxSuE75Op1n0//4g=Use cases:
- Data integrity verification for government systems
- Transaction data digests for financial institutions
- Enterprise SM/GM compliance applications
- Digital signature message digest
- Password storage hash value
- File integrity verification
🔐 256-bit fixed output
produces a fixed 256-bit (32-byte) hash value, with security comparable to SHA-256。
- Output length: 256 bits(32 bytes)
- Hex:64characters
- Base64Encode:44characters
- Security strength:128 bits
- Strong collision resistance
- Meets cryptographic assessment requirements
📁 File processing support
Supports SM3 hashing of text and any file, making batch processing easy。
- Text file import (TXT, JSON, CSS, JS, …)
- Any file import (images, documents, videos, etc.))
- Export results
- File information display
- Preserves encoding
- Large file support (up to100MB)
⚡ High-performance computation
Uses an optimized algorithm to support fast SM3 computation on large files with real-time progress feedback。
- Process large files in chunks
- Real-time progress display
- Memory-optimized algorithm
- Multi-format output(Hex/Base64)
- Batch file processing
- Result comparison
How to use
Input data
Enter the text to process in the editor on the left, or click"Import text file"Loading document content, click"Import file"Load any file (images, videos, programs, etc.)
Run calculation
Click"Calculate"button, and the system will compute the SM3 hash of the text or file content. After a file is imported, its information and processing options are shown automatically
View results
The SM3 hash result is shown on the right in three formats — lowercase, uppercase, and Base64 — each with its own copy button. Error messages appear at the bottom. One-click copy is supported
SM3SM/GM algorithms explained
SM3is a cryptographic hash algorithm developed by China’s State Cryptography Administration and a key part of the national commercial cryptography (SM) algorithm family. SM3 was released in 2010, became the national cryptographic industry standard (GB/T 32905) in 2016, and was approved as a national standard by the Standardization Administration of China in 2018. SM3’s design draws on SHA-256 but uses different round functions, message expansion, and compression functions, producing a fixed 256-bit (32-byte) hash value. SM3 is widely used across China’s e-government, financial systems, and e-commerce, and is a core component of the national cryptographic algorithm system。
SM3 Algorithm principles
🔢 Technical specifications
Key characteristics:
- Output length: 256 bits(32 bytes)
- Hex:64characters
- Base64:44characters
- Block size:512 bits(64bytes)
- Compression function:64rounds of iteration
- Security strength:128 bits
- Collision-resistant:2^128operations
🔐 Algorithm workflow
Calculation steps:
- Message padding(Padding)
- Message blocking (512 bits per block)
- Message expansion (132 words)
- Compression function (64 rounds of iteration)
- Output256 bitsHash value
Features:One-way, collision-resistant, avalanche effect
SM3 Technical features
🇨🇳 National standard
SM3is a Chinese national cryptographic standard (GB/T 32905) that has been incorporated into ISO/IEC international standards. It carries legal effect in critical fields such as government and finance and is the mandatory algorithm for SM compliance。
🔒 Safe & reliable
Rigorously evaluated by the State Cryptography Administration, its security is comparable to the international SHA-256 and can withstand known cryptographic attacks, including collision and preimage attacks。
⚡ Excellent performance
SM3Using a 64-round compression function, it maintains security while delivering performance comparable to SHA-256, making it suitable for large-scale data processing and real-time applications。
🌐 Widely supported
Fully supported by mainstream domestic cryptographic libraries (GmSSL, Tongsuo, etc.), with mature implementations across many programming languages. Together with SM2 and SM4 it forms a complete national cryptographic algorithm system。
SM3 vs SHA-256 vs MD5 Compare
| Features | SM3 | SHA-256 | MD5 |
|---|---|---|---|
| Output length | 256 bits(32 bytes) | 256 bits(32 bytes) | 128 bits(16bytes) |
| Block size | 512 bits | 512 bits | 512 bits |
| Number of compression rounds | 64rounds | 64rounds | 64rounds |
| Security strength | 128 bits | 128 bits | 64digits |
| Collision-resistant | 2^128 | 2^128 | Broken |
| Performance | Fast | Fast | Fast |
| Standardized | GB/T 32905(National standard) | FIPS 180-4(United States) | RFC 1321 |
| SM compliant | ✅ Yes | ❌ No | ❌ No |
| Security status | Security | Security | Insecure (deprecated) |
| Recommended use cases | SM compliant | Internationally common | Compatibility only |
SM3 Use cases
🏛️ Government systems
Data integrity verification in government domains such as e-government, government information systems, and official document workflows
🏦 Financial industry
Transaction digests in financial domains such as banking systems, securities trading, insurance, and payment systems
📱 Mobile payment
Data integrity verification in mobile payment apps such as Alipay and WeChat Pay
✍️ Digital Signature
Used with SM2 for electronic contract signing, software code signing, and document digital signatures
🏢 Enterprise applications
Business applications requiring SM/GM compliance, such as enterprise information systems, OA systems, and ERP systems
📁 File verification
Verify that files remain intact during transmission or storage, ensuring data integrity
🔐 Password storage
Securely store the hash of user passwords, combined with a salt for stronger security
🌐 IoT
Data integrity protection for IoT scenarios such as smart devices, industrial control systems, and smart cities
SM3Usage recommendations and best practices
When it is mandatorySM3
✅ Scenarios with mandatory SM/GM compliance
Under the Measures for the Administration of Commercial Cryptography Application Security Assessment, the following scenariosMandatorySM algorithms:
- Critical information infrastructure
- Government systems and e-government
- Core systems of financial institutions
- Critical industries such as telecom and energy
- Systems involving state secrets
- Systems that must pass a cryptography assessment
✅ Recommended use cases
- Systems deployed within China
- Systems that interface with government agencies and financial institutions
- Projects requiring domestic replacement of foreign technology
- Data integrity verification
- Secure password storage
- Digital signature message digest (withSM2)
- Products aimed at the domestic market
SM3 Used together with other hash algorithms
🔐 SM3 + SM2(Recommended)
Digital signature scheme:
- Compute the message digest with SM3
- Sign the digest with the SM2 private key
- Verify the signature with the SM2 public key
- Ensures data integrity and source authenticity
Application:E-contracts, software signing, and identity authentication
🔒 SM3 + Salt
Password storage scheme:
- Generate a random salt(Salt)
- Combine the password with the salt
- Compute the hash value with SM3
- Store the salt and the hash value
- Recompute for verification at login
Benefits:Resist rainbow table attacks and improve password security
SM3 vs SHA-256 Selection guide
🇨🇳 Select SM3
- Requires SM compliance (mandatory)
- Government systems and financial institutions
- Critical information infrastructure
- Must pass a cryptographic assessment
- Domestic replacement projects
- Systems deployed within mainland China
- Used with SM2 and SM4
🌐 Select SHA-256
- International standard applications
- Cross-border business systems
- Scenarios without compliance requirements
- International open-source projects
- Interoperating with international standards
- Blockchain applications
- General web applications
Security Considerations
⚠️ Avoid Common Mistakes
- ❌ Storing plaintext passwords directly
- ❌ Not using a salt(Salt)
- ❌ Using a fixed salt
- ❌ computing the hash only once (in password storage scenarios)
- ❌ Mixing SM3 withSHA-256
- ❌ Using uncertified cryptography libraries
- ❌ Ignoring assessment requirements
✅ Recommended Practices
- ✅ Password storage must use a salt
- ✅ Use a different random salt for each user
- ✅ Consider using a slow hash(PBKDF2-SM3)
- ✅ Standardize on the national SM algorithm system
- ✅ Use SM/GM-certified cryptography products
- ✅ Perform regular assessments and security audits
- ✅ Used together with SM2 and SM4
SM/GM migration guide
Assess compliance requirements
Confirm whether your system is critical information infrastructure and whether it must pass a cryptography assessment. Consult an assessment body certified by the State Cryptography Administration to learn the specific compliance requirements
Choose SM/GM products
Choose cryptographic modules, devices, or services certified by the State Cryptography Administration for commercial cryptography products. Common open-source libraries include GmSSL and Tongsuo
Implement algorithm replacement
Replace SHA-256 with SM3, RSA with SM2, and AES with SM4. A dual-algorithm transition approach is recommended to complete the migration gradually
Data migration
For existing SHA-256 hash data, plan a migration strategy. A dual-storage approach can be used — SM3 for new data while legacy data is migrated gradually
Testing and assessment
Conduct thorough functional and performance testing. Apply for a commercial cryptography application security assessment; only after passing may the system go into production
Cross-language implementation reference
💻 Common Programming Languages
JavaScript/Node.js:
- sm-crypto(used by this tool) - browser-side
- node-sm-crypto - Node.js-side
Java:
- Bouncy Castle(SupportSM3)
- Vendors’ SM/GM Java libraries
Python:
- gmssl - PythonSM/GM library
- python-sm3
Go:
- github.com/tjfoc/gmsm - GoSM/GM library
C/C++:
- GmSSL - Open-source SM/GM toolkit
- Tongsuo(formerlyBabaSSL)
🔧 Command-Line Tools
GmSSL:
- SM3Hash calculation
- File integrity checking
- Batch file processing
Example command:
gmssl sm3 file.txtecho "Hello" | gmssl sm3
FAQ
❓ SM3What are the differences from SHA-256?
SM3and SHA-256 are both hash algorithms with 256-bit output,Comparable security strength。The main differences are:1) SM3is a Chinese national standard (GB/T 32905), whereas SHA-256 is a U.S. standard(FIPS 180-4);2) SM3Uses different round functions and message expansion;3) InMandatory in SM compliance scenariosSM3,cannot be replaced by SHA-256. Performance is comparable, but SM3 may be faster in environments with SM hardware acceleration。
❓ When you must use itSM3?
Under the Measures for the Administration of Commercial Cryptography Application Security Assessment》,Critical information infrastructure, and important networks and information systemsmust be protected with commercial cryptography. These include government systems, financial institutions, telecom carriers, energy enterprises, and critical industrial control systems. In these scenarios you must use SM algorithms such as SM3 and passCryptography assessment (commercial cryptography application security assessment)。
❓ SM3Can it be used for password storage?
Yes, but adding a salt is recommended。Storing passwords with SM3 directly is not secure enough and is vulnerable to rainbow table attacks。Recommended practice:1) generate a random salt for each user; 2) combine the password with the salt and compute SM3; 3) store the salt and the hash value。A better approachis to use PBKDF2-SM3 or another slow hashing algorithm, increasing cracking difficulty through many iterations。
❓ SM3How does it compare to MD5?
SM3Far more secure than MD5。MD5has been proven to have serious collision vulnerabilities,should no longer be used in any security-sensitive scenario。SM3produces 256-bit output (MD5 only 128-bit), with 128-bit security strength (MD5 only 64-bit) and collision resistance of2^128(MD5has been broken). If your system still usesMD5,Migration to SM3 is strongly recommended, orSHA-256。
❓ How to pass the cryptography assessment?
Passing the assessment requires:1)Use commercial cryptography products certified by the State Cryptography Administration;2)Establish a robust key management system;3)Correctly implement SM/GM algorithms such as SM2/SM3/SM4;4)Draft a cryptography application plan and security policy;5)Engage a qualified assessment body to perform the evaluation. RecommendedFactor in assessment requirements as early as the system design phase,Avoids large-scale rework later。
Learning resources
📚 Technical Standards
- GB/T 32905 - SM3standard
- GB/T 32918 - SM2standard
- GB/T 32907 - SM4standard
- GM/T 0004 - SM3Cryptographic hash algorithm
- 《Measures for the Administration of Commercial Cryptography Application Security Assessment》
🔧 Tool Documentation
- GmSSLDocumentation and tutorials
- sm-cryptoUser Guide
- Tongsuo(formerly BabaSSL) documentation
- State Cryptography Administration official website