
IPSec Working Group                               S. Blake-Wilson, BCI
INTERNET-DRAFT                 D. Brown and Y. Poeluev, Certicom Corp.
                                                        M. Salter, NSA
Expires January 23, 2003                                 July 23, 2002




                       Additional ECC Groups For IKE
                  <draft-ietf-ipsec-ike-ecc-groups-04.txt>


                          Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups.  Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or made obsolete by other documents at
   any time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as work in progress.

   The list of current Internet-Drafts may be found at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories may be found at
   http://www.ietf.org/shadow.html.


                               Abstract

   This document describes new ECC groups for use in IKE [IKE] in
   addition to the Oakley groups included therein.  These groups are
   defined to align IKE with other ECC implementations and standards,
   and in addition, many of them provide higher strength than the
   Oakley groups. It should be noted that this document is not
   self-contained.  It uses the notations and definitions of [IKE].

















Blake-Wilson, Brown, Poeluev and Salter                         [Page 1]

INTERNET-DRAFT       Additional ECC Groups For IKE             July 2002


                           Table of Contents

   1. Introduction ............................................... 2
   2. Additional ECC Groups ...................................... 5
   2.1. Sixth Group .............................................. 5
   2.2. Seventh Group ............................................ 6
   2.3. Eighth Group ............................................. 7
   2.4. Ninth Group .............................................. 8
   2.5. Tenth Group .............................................. 9
   2.6. Eleventh Group .......................................... 10
   2.7. Twelfth Group ........................................... 12
   2.8. Thirteenth Group ........................................ 13
   3. Security Considerations ................................... 14
   4. Intellectual Property Rights .............................. 15
   5. Acknowledgments ........................................... 15
   6. References ................................................ 15
   7. Authors' Addresses ........................................ 17

1.  Introduction

This document describes default groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE].  The document assumes that the reader is familiar with the IKE
protocol and the concept of Oakley Groups, as defined in RFC 2409
[IKE].

RFC 2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over
GF[2^N]. One modular exponentiation group (768 bits - Oakley Group 1)
is mandatory for all implementations to support, while the other
four are optional. Both elliptic curve groups (Oakley Groups 3 and 4)
are defined over GF[2^N] with N composite.

Implementations have shown that users of elliptic curve groups can
significantly improve their performance and achieve more security by
using groups other than the Oakley Groups 1, 2, or 5. The purpose of
this document is to expand the options available to implementers of
elliptic curve groups by adding eight new groups.  The reasons for
adding these new groups include the following.














- The groups proposed encourage alignment with other elliptic curve
  standards. Oakley Groups 3 and 4 were defined prior to the
  availability of other elliptic curve standards and they are
  therefore not aligned with other efforts.  Specifically, unlike
  Oakley groups 3 and 4, the proposed groups use base points whose
  order is prime (as required by IEEE [P1363] and ANSI [X9.62, X9.63]),
  they use base points whose prime order is greater than 2^160
  (as required by ANSI [X9.62, X9.63]), and they use the octet
  string representation for points recommended in IEEE [P1363] and
  ANSI [X9.62, X9.63].

- In addition the new groups are capable of providing security
  consistent with AES keys of 128, 192, and 256 bits. The following
  table, taken from [HOF] and [LEN], gives approximate comparable key
  sizes for symmetric systems, ECC systems, and DH/DSA/RSA
  systems. The estimates are based on the running times of the best
  algorithms known today.

                 Symmetric   |  ECC    |  DH/DSA/RSA
                   80        |  163    |   1024
                  128        |  283    |   3072
                  192        |  409    |   7680
                  256        |  571    |  15360

                  Table 1: comparable key sizes

  Thus, for example, when securing a 192-bit symmetric key, it is
  prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA. Of course
  it is possible to use shorter asymmetric keys, but it should be
  recognized in this case that the security of the system is likely
  dependent on the strength of the public-key algorithm and claims
  such as "this system is highly secure because it uses 192-bit
  encryption" are misleading.


- The eight groups proposed in this document use elliptic curves over
  GF[2^N] with N prime, unlike the existing Oakley Groups. This
  addresses concerns expressed by many experts regarding curves
  defined over GF[2^N] with N composite -- concerns highlighted by the
  recent attacks on such curves due to Gaudry, Hess, and Smart [WEIL]
  and due to Jacobson, Menezes and Stein [JMS].

- The eight groups proposed are amongst those recently standardized by
  NIST in FIPS 186-2 [DSS], by the SECG in SEC2 [SEC2], and by ANSI in
  ANSI X9.63 [X9.63].








These groups could also be defined using the New Group Mode but
including them in this RFC will encourage interoperability of IKE
implementations based upon elliptic curve groups. This is particularly
critical since the available Oakley Groups based on elliptic curves
are insufficient for the reasons given above.  In addition, the
availability of standardized groups will result in optimizations for a
particular curve and field size as well as allowing precomputation
that could result in faster implementations.

The groups proposed here have been assigned identifiers by IANA
[IANA]. Thus the full list of assigned values for the Group
Description class within IKE is the following. (The first four groups
may be found in RFC 2409 [IKE]; the last eight groups are defined in
this document.)

  Group Description                                           Value
  -----------------                                           -----
  Default 768-bit MODP group                                    1
  Alternate 1024-bit MODP group                                 2
  EC2NGF155 group over GF[2^155]                                3
  EC2NGF185 group over GF[2^185]                                4
  Reserved to IANA                                              5
  EC2NGF163Random group over GF[2^163] (Section 2.1)            6
  EC2NGF163Koblitz group over GF[2^163] (Section 2.2)           7
  EC2NGF283Random group over GF[2^283] (Section 2.3)            8
  EC2NGF283Koblitz group K-283 over GF[2^283] (Section 2.4)     9
  EC2NGF409Random group B-409 over GF[2^409] (Section 2.5)     10
  EC2NGF409Koblitz group K-409 over GF[2^409] (Section 2.6)    11
  EC2NGF571Random group B-571 over GF[2^571] (Section 2.7)     12
  EC2NGF571Koblitz group K-571 over GF[2^571] (Section 2.8)    13

In summary, due to the performance advantages of elliptic curve groups
in IKE implementations and the need for standardized groups as
alternatives to Oakley Groups 3 and 4, this document defines eight new
groups based on elliptic curve groups. The groups are defined at four
field sizes: GF[2^163], GF[2^283], GF[2^409] and GF[2^571]. These
field sizes correspond to 80-bit, 128-bit, 192-bit and 256-bit
symmetric key strengths respectively.

Two curves are defined at each strength - a Koblitz curve that enables
especially efficient implementations due to the special structure of
the curve [KOB, NSA] and a curve chosen verifiably at random (as
defined in ANSI [X9.62]). The groups are assigned numbers 6 to
13 by IANA [IANA].









2. Additional ECC Groups

The notation adopted in RFC 2409 [IKE] is used below to describe the
new groups proposed.

2.1 Sixth Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 6 (six). The curve is
based on the Galois Field GF[2^163]. The field size is 163. The
irreducible polynomial used to represent the field is:
           u^163 + u^7 + u^6 + u^3 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.

Specifically the group is defined by the following characteristics:

Field size:
  163

Irreducible polynomial:
  0x0800000000000000000000000000000000000000C9

Group Curve a:
  0x07B6882CAAEFA84F9554FF8428BD88E246D2782AE2

Group Curve b:
  0x0713612DCDDCB40AAB946BDA29CA91F73AF958AFD9

Group Generator point P (compressed):
  0x030369979697AB43897789566789567F787A7876A654

Group Generator point P (uncompressed):
  0x040369979697AB43897789566789567F787A7876A654
      00435EDB42EFAFB2989D51FEFCE3C80988F41FF883

The order of the base point P defined above is the prime:
  0x03FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B

The group order is twice this prime.

The group was chosen verifiably at random using SHA-1 as specified in
[X9.62] from the seed:
  0x24B7B137C8A14D696E6768756151756FD0DA2E5C









However, for historical reasons, the method to generate the group from
the seed differs slightly from the method described in
[X9.62]. Specifically the coefficient Group Curve b produced from the
seed is the reverse of the coefficient that would have been produced
by the method described in [X9.62].

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that this payload differs
from the payload specified for groups 3 and 4 - it is aligned instead
with other recent standardization efforts in ECC.

This group corresponds to the curve sect163r1 in SEC 2 [SEC2].  It is
also recommended in ANSI X9.63 [X9.63] and eCheck [ECHECK].

2.2 Seventh Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 7 (seven). The curve is
based on the Galois Field GF[2^163]. The field size is 163. The
irreducible polynomial used to represent the field is:
           u^163 + u^7 + u^6 + u^3 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.

Specifically the group is defined by the following characteristics:

Field size:
  163

Irreducible polynomial:
  0x0800000000000000000000000000000000000000C9

Group Curve a:
  0x000000000000000000000000000000000000000001

Group Curve b:
  0x000000000000000000000000000000000000000001

Group Generator point P (compressed):
  0x0302FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8

Group Generator point P (uncompressed):
  0x0402FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8
      0289070FB05D38FF58321F2E800536D538CCDAA3D9






The order of the base point P above is the prime:
  0x04000000000000000000020108A2E0CC0D99F8A5EF

The group order is twice this prime.

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that the format of this
data is identical to the format used with Group 6 (six).

This group corresponds to the curve K-163 in FIPS 186-2 [DSS] and
sect163k1 in SEC 2 [SEC2].  It is also recommended in ANSI [X9.63],
eCheck [ECHECK], and WAP [WTLS].

2.3 Eighth Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 8 (eight). The curve is
based on the Galois Field GF[2^283]. The field size is 283. The
irreducible polynomial used to represent the field is:
           u^283 + u^12 + u^7 + u^5 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.

Specifically the group is defined by the following characteristics:

Field size:
  283

Irreducible polynomial:
  0x0800000000000000000000000000000000000000000000000000000000000000000010A1

Group Curve a:
  0x000000000000000000000000000000000000000000000000000000000000000000000001

Group Curve b:
  0x027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5

Group Generator point P (compressed):
  0x0305F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053

Group Generator point P (uncompressed):
  0x0405F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053
      03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4







The order of the base point P is the prime:
  0x03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307

The group order is twice this prime.

The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:

  0x77E2B07370EB0F832A6DD5B62DFC88CD06BB84BE

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that the format of this
data is identical to the format used with Group 6 (six).

This group corresponds to the curve B-283 (in the polynomial basis) in
FIPS 186-2 [DSS] and sect283r1 in SEC 2 [SEC2].  It is also
recommended in ANSI [X9.63] and eCheck [ECHECK].

2.4 Ninth Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 9 (nine). The curve is
based on the Galois Field GF[2^283]. The field size is 283. The
irreducible polynomial used to represent the field is:
           u^283 + u^12 + u^7 + u^5 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.

Specifically the group is defined by the following characteristics:

Field size:
  283

Irreducible polynomial:
  0x0800000000000000000000000000000000000000000000000000000000000000000010A1

Group Curve a:
  0x000000000000000000000000000000000000000000000000000000000000000000000000

Group Curve b:
  0x000000000000000000000000000000000000000000000000000000000000000000000001

Group Generator point P (compressed):
  0x020503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836






Group Generator point P (uncompressed):
  0x040503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836
      01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259

The order of the base point P is the prime:
  0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61

The group order is four times this prime.

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that the format of this
data is identical to the format used with Group 6 (six).

This group corresponds to the curve K-283 (in the polynomial basis) in
FIPS 186-2 [DSS] and sect283k1 in SEC 2 [SEC2].  It is also
recommended in ANSI [X9.63] and eCheck [ECHECK].

2.5 Tenth Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 10 (ten). The curve is
based on the Galois Field GF[2^409]. The field size is 409. The
irreducible polynomial used to represent the field is:
           u^409 + u^87 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.

Specifically the group is defined by the following characteristics:

Field size:
  409

Irreducible polynomial:
  0x2000000000000000000000000000000000000000000000000000000
           000000000000000000000000008000000000000000000001

Group Curve a:
  0x0000000000000000000000000000000000000000000000000000000
           000000000000000000000000000000000000000000000001

Group Curve b:
  0x021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99
           D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F







Group Generator point P (compressed):
  0x03015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01F
      FE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7

Group Generator point P (uncompressed):
  0x04015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01F
      FE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7
      0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158
      AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706

The order of the base point P is the prime:

  0x10000000000000000000000000000000000000000000000000001E2
           AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173

The group order is twice this prime.

The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:
  0x4099B5A457F9D69F79213D094C4BCD4D4262210B

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that the format of this
data is identical to the format used with Group 6 (six).

This group corresponds to the curve B-409 (in the polynomial basis) in
FIPS 186-2 [DSS] and sect409r1 in SEC 2 [SEC2].  It is also
recommended in ANSI [X9.63].

2.6 Eleventh Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 11 (eleven). The curve is
based on the Galois Field GF[2^409]. The field size is 409. The
irreducible polynomial used to represent the field is:
           u^409 + u^87 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.












Specifically the group is defined by the following characteristics:

Field size:
  409

Irreducible polynomial:
  0x2000000000000000000000000000000000000000000000000000000
           000000000000000000000000008000000000000000000001

Group Curve a:
  0x0000000000000000000000000000000000000000000000000000000
           000000000000000000000000000000000000000000000000


Group Curve b:
  0x0000000000000000000000000000000000000000000000000000000
           000000000000000000000000000000000000000000000001

Group Generator point P (compressed):
  0x030060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27AC
      CFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746

Group Generator point P (uncompressed):
  0x040060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27AC
      CFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746
      01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E632
      5165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B

The order of the base point P is the prime:
  0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F8
            3B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF

The group order is four times this prime.

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that the format of this
data is identical to the format used with Group 6 (six).

This group corresponds to the curve K-409 (in the polynomial basis) in
FIPS 186-2 [DSS] and sect409k1 in SEC 2 [SEC2].  It is also
recommended in ANSI [X9.63].









2.7 Twelfth Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 12 (twelve). The curve is
based on the Galois Field GF[2^571]. The field size is 571. The
irreducible polynomial used to represent the field is:
           u^571 + u^10 + u^5 + u^2 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.

Specifically the group is defined by the following characteristics:

Field size:
  571

Irreducible polynomial:
  0x80000000000000000000000000000000000000000000000000000000000000000000000
   000000000000000000000000000000000000000000000000000000000000000000000425

Group Curve a:
  0x00000000000000000000000000000000000000000000000000000000000000000000000
   000000000000000000000000000000000000000000000000000000000000000000000001

Group Curve b:
  0x2F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD
   8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A

Group Generator point P (compressed):
  0x030303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950
      F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19

Group Generator point P (uncompressed):
  0x040303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950
      F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19
      037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43
      BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B

The order of the base point P is the prime:

  0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
   E661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47

The group order is twice this prime.










The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:
  0x2AA058F73A0E33AB486B0F610410C53A7F132310

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that the format of this
data is identical to the format used with Group 6 (six).

This group corresponds to the curve B-571 (in the polynomial basis) in
FIPS 186-2 [DSS] and sect571r1 in SEC 2 [SEC2].  It is also
recommended in ANSI [X9.63].

2.8 Thirteenth Group

IKE implementations SHOULD support an EC2N group with the following
characteristics. This group is assigned id 13 (thirteen). The curve
is based on the Galois Field GF[2^571]. The field size is 571. The
irreducible polynomial used to represent the field is:
           u^571 + u^10 + u^5 + u^2 + 1.
The equation for the elliptic curve is:
           y^2 + xy = x^3 + ax^2 + b.


Specifically the group is defined by the following characteristics:

Field size:
  571

Irreducible polynomial:
  0x80000000000000000000000000000000000000000000000000000000000000000000000
   000000000000000000000000000000000000000000000000000000000000000000000425

Group Curve a:
  0x00000000000000000000000000000000000000000000000000000000000000000000000
   000000000000000000000000000000000000000000000000000000000000000000000000

Group Curve b:
  0x00000000000000000000000000000000000000000000000000000000000000000000000
   000000000000000000000000000000000000000000000000000000000000000000000001

Group Generator point P (compressed):
  0x02026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA443709584
      93B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972







Group Generator point P (uncompressed):
  0x04026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA443709584
      93B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972
      0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0
      AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3

The order of the base point P is the prime:
  0x20000000000000000000000000000000000000000000000000000000000000000000000
   131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001

The group order is four times this prime.

The data in the KE payload when using this group is the octet string
representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and
IEEE P1363 of the point on the curve chosen by taking the randomly
chosen secret Ka and computing Ka*P, where * is the repetition of the
group addition and double operations.  Note that the format of this
data is identical to the format used with Group 6 (six).

This group corresponds to the curve K-571 (in the polynomial basis) in
FIPS 186-2 [DSS] and sect571k1 in SEC 2 [SEC2].  It is also
recommended in ANSI [X9.63].

3. Security Considerations

Since this document proposes new groups for use within IKE, many of
the security considerations contained within RFC 2409 apply here as
well.

Six of the groups proposed in this document offer higher strength than
those proposed in RFC 2409. In particular, there are two elliptic
curves corresponding to each of the symmetric key sizes 80 bits, 128
bits, 192 bits, and 256 bits. This allows the IKE key exchange to
offer security comparable with the proposed AES algorithms.

In addition, since all the new groups are defined over GF[2^N] with N
prime, they address the concerns expressed regarding the elliptic
curve groups included in RFC 2409, which are curves defined over
GF[2^N] with N composite. The works of Gaudry, Hess, and Smart [WEIL]
and of Jacobson, Menezes and Stein [JMS] reveal some of the weaknesses
in such groups.

Proper validation of elliptic curve public keys can help prevent the
attacks described in [BMM].
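
Added example, not part of the draft: one way to validate a received KE
payload before using it in the Diffie-Hellman computation, shown for
Group 7 and the uncompressed point format only. The parameters are copied
from Section 2.2; the function names and the choice of checks (length and
format, reduced coordinates, curve equation, prime-order subgroup) are
assumptions of this example.

```python
"""Added example: validating a received KE payload for IKE group 7.

Domain parameters are copied from Section 2.2 of the draft. Function names
and the choice of checks are this example's own, not taken from the draft.
"""

M = 163                                               # field size
F = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # u^163 + u^7 + u^6 + u^3 + 1
A = 1                                                 # Group Curve a
B = 1                                                 # Group Curve b
N = 0x04000000000000000000020108A2E0CC0D99F8A5EF      # prime order of P
OCTETS = (M + 7) // 8                                 # 21 octets per coordinate
P_UNCOMPRESSED = bytes.fromhex(                       # generator, Section 2.2
    "04"
    "02FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8"
    "0289070FB05D38FF58321F2E800536D538CCDAA3D9")


def gf_reduce(r):
    """Reduce a binary polynomial modulo the irreducible polynomial F."""
    while r.bit_length() > M:
        r ^= F << (r.bit_length() - 1 - M)
    return r


def gf_mul(a, b):
    """Multiply two field elements (carry-less multiply, then reduce)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return gf_reduce(r)


def gf_inv(a):
    """Invert a non-zero field element with the extended Euclidean algorithm."""
    u, v, g1, g2 = a, F, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return gf_reduce(g1)


def on_curve(x, y):
    """Check y^2 + xy = x^3 + ax^2 + b over GF[2^163]."""
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B


def ec_add(p, q):
    """Affine group law; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if y1 != y2 or x1 == 0:          # q == -p, or p has order 2
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
    else:
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)


def ec_mul(k, p):
    """Double-and-add. Not constant time: use on public values only."""
    acc = None
    for bit in bin(k)[2:]:
        acc = ec_add(acc, acc)
        if bit == "1":
            acc = ec_add(acc, p)
    return acc


def validate_ke_point(data):
    """Return (x, y) for a valid uncompressed group-7 point, else raise ValueError."""
    if len(data) != 1 + 2 * OCTETS or data[0] != 0x04:
        raise ValueError("not an uncompressed point of the expected length")
    x = int.from_bytes(data[1:1 + OCTETS], "big")
    y = int.from_bytes(data[1 + OCTETS:], "big")
    if x.bit_length() > M or y.bit_length() > M:
        raise ValueError("coordinate is not a reduced field element")
    if not on_curve(x, y):
        raise ValueError("point is not on the curve")
    if ec_mul(N, (x, y)) is not None:    # the group order is twice N
        raise ValueError("point is not in the prime-order subgroup")
    return x, y


if __name__ == "__main__":
    print("generator accepted:", validate_ke_point(P_UNCOMPRESSED) is not None)
    # Constructed input: (0, 1) satisfies the curve equation but has order 2.
    low_order = b"\x04" + bytes(OCTETS) + (1).to_bytes(OCTETS, "big")
    try:
        validate_ke_point(low_order)
    except ValueError as err:
        print("rejected:", err)
```

The subgroup check matters for these groups because the group order is
twice or four times the prime order of P.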









4. Intellectual Property Rights

The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document.
For more information, consult the online list of claimed rights
(http://www.ietf.org/ipr.html).

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.

5. Acknowledgments

The authors would like to thank Prakash Panjwani and John O. Goyo
(Certicom Corp.) for their comments and recommendations.

6. References

  [ECHECK] Financial Services Technology Consortium. FSML - Financial
     Services Markup Language. Working draft, August 1999.
     (http://www.fstc.org)

  [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC
     2409, November 1998.

  [IANA] Internet Assigned Numbers Authority. Attribute Assigned
     Numbers.
     (http://www.isi.edu/in-notes/iana/assignments/ipsec-registry)

  [P1363] Institute of Electrical and Electronics Engineers. IEEE
     1363-2000, Standard for Public Key Cryptography. IEEE
     Microprocessor Standards Committee. August 2001.
     (http://grouper.ieee.org/groups/1363/index.html)

  [KOB] N. Koblitz, CM curves with good cryptographic properties.
     Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992.







  [DSS] U.S. Department of Commerce/National Institute of Standards
     and Technology. Digital Signature Standard (DSS), FIPS PUB 186-2,
     January 2000.  (http://csrc.nist.gov/fips/fips186-2.pdf)

  [HOF] P. Hoffman and H. Orman, Determining strengths for public keys
     used for exchanging symmetric keys, Internet-draft. August 2000.

  [LEN] A. Lenstra and E. Verheul, Selecting cryptographic key sizes.
     Available at: www.cryptosavvy.com.

  [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic Curve
     Discrete Logarithm Problems Using Weil Descent, Combinatorics and
     Optimization Research Report 2001-31, May 2001.  Available at
     http://www.cacr.math.uwaterloo.ca/.

  [MODP-IKE] T. Kivinen and M. Kojo, More MODP Diffie-Hellman groups
     for IKE, draft-ietf-ipsec-ike-modp-groups-04.txt, June 2002.

  [BMM] I. Biehl, B. Meyer and V. Muller, Differential Fault Attacks
     on Elliptic Curve Cryptosystems, in Advances in Cryptology - Crypto
     2000, Lecture Notes in Computer Science 1880, Pages 131-146,
     Springer-Verlag, August 2000.

  [NSA] J. Solinas, An improved algorithm for arithmetic on a family
     of elliptic curves, Proceedings of Crypto '97, Pages 357-371,
     Springer-Verlag, 1997.

  [RFC-3278] S. Blake-Wilson, D. Brown and P. Lambert, The Use of
     Elliptic Curve Cryptography (ECC) Algorithms in the Cryptographic
     Message Syntax (CMS), RFC 3278, April 2002.

  [RFC-3279] W. Polk, R. Housley, and L. Bassham, Algorithms and
     Identifiers for the Internet X.509 Public Key Infrastructure
     Certificate and Certificate Revocation List (CRL) Profile, RFC
     3279, April 2002.

  [SEC2] Standards for Efficient Cryptography Group. SEC 2 -
     Recommended Elliptic Curve Domain Parameters. Working Draft
     Ver. 1.0., 2000.  (http://www.secg.org)

  [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and
     Destructive Facets of Weil Descent on Elliptic Curves, HP Labs
     Technical Report No. HPL-2000-10, 2000.
     (http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html)

  [WTLS] Wireless Application Forum. WAP WTLS - Wireless Application
     Protocol Wireless Transport Layer Security Specification,
     February 1999.  (http://www.wapforum.org)




  [X9.62] American National Standards Institute, ANS X9.62-1998:
     Public Key Cryptography for the Financial Services Industry: The
     Elliptic Curve Digital Signature Algorithm.  January 1999.

  [X9.63] American National Standards Institute. ANSI X9.63-2001,
     Public Key Cryptography for the Financial Services Industry: Key
     Agreement and Key Transport using Elliptic Curve Cryptography.
     November 2001.

7. Authors' Addresses

    Authors:

           Simon Blake-Wilson
           Basic Commerce & Industries, Inc.
           sblakewilson@bcisse.com

           Daniel Brown
           Certicom Corp.
           dbrown@certicom.com

           Yuri Poeluev
           Certicom Corp.
           ypoeluev@certicom.com

           Margaret Salter
           National Security Agency
           msalter@radium.ncsc.mil























