Ant Group’s Tongsuo Open‑Source Cryptography Project Earns Commercial Cryptography Product Certification (Level 2)

Recently, Ant Group’s cryptography team, based on the open‑source Tongsuo project and Ant Group’s self‑developed cryptographic card, received a commercial cryptography product certification from the National Cryptography Administration’s Commercial Cryptography Testing Center, meeting the Level 2 security requirements of GM/T 0028 "Cryptographic Module Security Technical Requirements". The hybrid software‑hardware approach, known as a mixed‑software cryptographic module, helps users rigorously satisfy China’s commercial cryptography compliance during national secret‑remodeling, security assessments, and graded protection processes.

China’s Cryptography Law, enacted in 2020, introduced classified management of cryptographic tools—core, ordinary, and commercial cryptography. While core and ordinary cryptography protect state secrets, commercial cryptography safeguards non‑secret information and is widely deployed across government, finance, communications, transportation, healthcare, and energy sectors.

The law promotes the establishment of a commercial cryptography testing and certification system, encouraging voluntary compliance with technical specifications such as GM/T 0028 for cryptographic modules. Certified testing agencies must be authorized and conduct evaluations in line with legal and regulatory requirements, including classification and grading assessments for critical information infrastructure as mandated by the Cybersecurity Law.

Commercial cryptography testing agencies assess submitted products against relevant standards; upon successful testing, they issue a Commercial Cryptography Product Certification Certificate indicating the applicable standards (e.g., GM/T 0028) and confirming technical correctness and compatibility.

The certificate serves as formal proof that a product has passed rigorous testing, enabling its use in security assessments, graded protection, and other compliance scenarios that require certified cryptographic solutions.

Because commercial cryptography is often referred to as “national secret” (国密) in the industry, the certification is colloquially called the “national secret qualification”.

The Tongsuo project, an open‑source cryptographic library providing modern algorithms and secure communication protocols, offers foundational capabilities for storage, networking, key management, and privacy‑preserving computation. After donation to the OpenAtom Foundation, Tongsuo has launched the “Tongsuo Embedded Edition” and the “RustyVault Key Management System”. Ant Group continues to support the project through a management committee and collaborations with leading enterprises.

The hybrid solution combines Ant Card’s cryptographic management and high‑performance features with Tongsuo’s algorithm APIs, national‑secret secure transmission protocol (TLCP), and hardware engine framework, delivering data‑security capabilities to applications.

Tongsuo supports common national‑secret algorithms SM2, SM3, and SM4, providing SM2 encryption/decryption, signing/verification, SM3 hashing, SM4 symmetric encryption, a software random number generator, and TLCP communication functions for both client and server.

The software portion of the Level 2 cryptographic module (excluding card‑related code) will be contributed back to the open‑source community and merged into the Tongsuo project in the near future. Future plans include adapting Tongsuo to additional cryptographic hardware and collaborating with more hardware vendors to build secure, compliant solutions for enterprise national‑secret transformation, security assessments, and graded protection scenarios.