IPSec Working Group S. Blake-Wilson, BCI INTERNET-DRAFT D. Brown and Y. Poeluev, Certicom Corp. M. Salter, NSA Expires January 23, 2003 July 23, 2002 Additional ECC Groups For IKE <draft-ietf-ipsec-ike-ecc-groups-04.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or made obsolete by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as work in progress. The list of current Internet-Drafts may be found at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories may be found at http://www.ietf.org/shadow.html. Abstract This document describes new ECC groups for use in IKE [IKE] in addition to the Oakley groups included therein. These groups are defined to align IKE with other ECC implementations and standards, and in addition, many of them provide higher strength than the Oakley groups. It should be noted that this document is not self-contained. It uses the notations and definitions of [IKE]. Blake-Wilson, Brown, Poeluev and Salter [Page 1]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 Table of Contents 1. Introduction ............................................... 2 2. Additional ECC Groups ...................................... 5 2.1. Sixth Group .............................................. 5 2.2. Seventh Group ............................................ 6 2.3. Eighth Group ............................................. 7 2.4. Ninth Group .............................................. 8 2.5. Tenth Group .............................................. 9 2.6. Eleventh Group .......................................... 10 2.7. Twelfth Group ........................................... 12 2.8. Thirteenth Group ........................................ 13 3. Security Considerations ................................... 14 4. Intellectual Property Rights .............................. 15 5. Acknowledgments ........................................... 15 6. References ................................................ 15 7. Authors' Addresses ........................................ 17 1. Introduction This document describes default groups for use in elliptic curve Diffie-Hellman in IKE in addition to the Oakley groups included in [IKE]. The document assumes that the reader is familiar with the IKE protocol and the concept of Oakley Groups, as defined in RFC 2409 [IKE]. RFC2409 [IKE] defines five standard Oakley Groups - three modular exponentiation groups and two elliptic curve groups over GF[2^N]. One modular exponentiation group (768 bits - Oakley Group 1) is mandatory for all implementations to support, while the other four are optional. Both elliptic curve groups (Oakley Groups 3 and 4) are defined over GF[2^N] with N composite. Implementations have shown that users of elliptic curve groups can significantly improve their performance and achieve more security by using groups other than the Oakley Groups 1, 2, or 5. The purpose of this document is to expand the options available to implementers of elliptic curve groups by adding eight new groups. The reasons for adding these new groups include the following. Blake-Wilson, Brown, Poeluev and Salter [Page 2]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 - The groups proposed encourage alignment with other elliptic curve standards. Oakley Groups 3 and 4 were defined prior to the availability of other elliptic curve standards and they are therefore not aligned with other efforts. Specifically, unlike Oakley groups 3 and 4, the proposed groups use base points whose order is prime (as required by IEEE [P1363] and ANSI [X9.62, X9.63]), they use base points whose prime order is greater than 2^160 (as required by ANSI [X9.62, X9.63]), and they use the octet string representation for points recommended in IEEE [P1363] and ANSI [X9.62, X9.63]. - In addition the new groups are capable of providing security consistent with AES keys of 128, 192, and 256 bits. The following table, taken from [HOF] and [LEN], gives approximate comparable key sizes for symmetric systems, ECC systems, and DH/DSA/RSA systems. The estimates are based on the running times of the best algorithms known today. Symmetric | ECC | DH/DSA/RSA 80 | 163 | 1024 128 | 283 | 3072 192 | 409 | 7680 256 | 571 | 15360 Table 1: comparable key sizes Thus, for example, when securing a 192-bit symmetric key, it is prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA. Of course it is possible to use shorter asymmetric keys, but it should be recognized in this case that the security of the system is likely dependent on the strength of the public-key algorithm and claims such as "this system is highly secure because it uses 192-bit encryption" are misleading. - The eight groups proposed in this document use elliptic curves over GF[2^N] with N prime, unlike the existing Oakley Groups. This addresses concerns expressed by many experts regarding curves defined over GF[2^N] with N composite -- concerns highlighted by the recent attacks on such curves due to Gaudry, Hess, and Smart [WEIL] and due to Jacobson, Menezes and Stein [JMS]. - The eight groups proposed are amongst those recently standardized by NIST in FIPS 186-2 [DSS], by the SECG in SEC2 [SEC2], and by ANSI in ANSI X9.63 [X9.63]. Blake-Wilson, Brown, Poeluev and Salter [Page 3]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 These groups could also be defined using the New Group Mode but including them in this RFC will encourage interoperability of IKE implementations based upon elliptic curve groups. This is particularly critical since the available Oakley Groups based on elliptic curves are insufficient for the reasons given above. In addition, the availability of standardized groups will result in optimizations for a particular curve and field size as well as allowing precomputation that could result in faster implementations. The groups proposed here have been assigned identifiers by IANA [IANA]. Thus the full list of assigned values for the Group Description class within IKE is the following. (The first four groups may be found in RFC 2409 [IKE]; the last eight groups are defined in this document.) Group Description Value ----------------- ----- Default 768-bit MODP group 1 Alternate 1024-bit MODP group 2 EC2NGF155 group over GF[2^155] 3 EC2NGF185 group over GF[2^185] 4 Reserved to IANA 5 EC2NGF163Random group over GF[2^163] (Section 2.1) 6 EC2NGF163Koblitz group over GF[2^163] (Section 2.2) 7 EC2NGF283Random group over GF[2^283] (Section 2.3) 8 EC2NGF283Koblitz group K-283 over GF[2^283] (Section 2.4) 9 EC2NGF409Random group B-409 over GF[2^409] (Section 2.5) 10 EC2NGF409Koblitz group K-409 over GF[2^409] (Section 2.6) 11 EC2NGF571Random group B-571 over GF[2^571] (Section 2.7) 12 EC2NGF571Koblitz group K-571 over GF[2^571] (Section 2.8) 13 In summary, due to the performance advantages of elliptic curve groups in IKE implementations and the need for standardized groups as alternatives to Oakley Groups 3 and 4, this document defines eight new groups based on elliptic curve groups. The groups are defined at four field sizes: GF[2^163], GF[2^283], GF[2^409] and GF[2^571]. These field sizes correspond to 80-bit, 128-bit, 192-bit and 256-bit symmetric key strengths respectively. Two curves are defined at each strength - a Koblitz curve that enables especially efficient implementations due to the special structure of the curve [KOB, NSA] and a curve chosen verifiably at random (as defined in ANSI [X9.62]). The groups are assigned numbers numbers 6 to 13 by IANA [IANA]. Blake-Wilson, Brown, Poeluev and Salter [Page 4]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 2. Additional ECC Groups The notation adopted in RFC2409 [IKE] is used below to describe the new groups proposed. 2.1 Sixth Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 6 (six). The curve is based on the Galois Field GF[2^163]. The field size is 163. The irreducible polynomial used to represent the field is: u^163 + u^7 + u^6 + u^3 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Specifically the group is defined by the following characteristics: Field size: 163 Irreducible polynomial: 0x0800000000000000000000000000000000000000C9 Group Curve a: 0x07B6882CAAEFA84F9554FF8428BD88E246D2782AE2 Group Curve b: 0x0713612DCDDCB40AAB946BDA29CA91F73AF958AFD9 Group Generator point P (compressed): 0x030369979697AB43897789566789567F787A7876A654 Group Generator point P (uncompressed): 0x040369979697AB43897789566789567F787A7876A654 00435EDB42EFAFB2989D51FEFCE3C80988F41FF883 The order of the base point P defined above is the prime: 0x03FFFFFFFFFFFFFFFFFFFF48AAB689C29CA710279B The group order is twice this prime. The group was chosen verifiably at random using SHA-1 as specified in [X9.62] from the seed: 0x24B7B137C8A14D696E6768756151756FD0DA2E5C Blake-Wilson, Brown, Poeluev and Salter [Page 5]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 However, for historical reasons, the method to generate the group from the seed differs slightly from the method described in [X9.62]. Specifically the coefficient Group Curve b produced from the seed is the reverse of the coefficient that would have been produced by the method described in [X9.62]. The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that this payload differs from the payload specified for groups 3 and 4 - it is aligned instead with other recent standardization efforts in ECC. This group corresponds to the curve sect163r1 in SEC 2 [SEC2]. It is also recommended in ANSI X9.63 [X9.63] and eCheck [ECHECK]. 2.2 Seventh Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 7 (seven). The curve is based on the Galois Field GF[2^163]. The field size is 163. The irreducible polynomial used to represent the field is: u^163 + u^7 + u^6 + u^3 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Specifically the group is defined by the following characteristics: Field size: 163 Irreducible polynomial: 0x0800000000000000000000000000000000000000C9 Group Curve a: 0x000000000000000000000000000000000000000001 Group Curve b: 0x000000000000000000000000000000000000000001 Group Generator point P (compressed): 0x0302FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8 Group Generator point P (uncompressed): 0x0402FE13C0537BBC11ACAA07D793DE4E6D5E5C94EEE8 0289070FB05D38FF58321F2E800536D538CCDAA3D9 Blake-Wilson, Brown, Poeluev and Salter [Page 6]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 The order of the base point P above is the prime: 0x04000000000000000000020108A2E0CC0D99F8A5EF The group order is twice this prime. The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that the format of this data is identical to the format used with Group 6 (six). This group corresponds to the curve K-163 in FIPS 186-2 [DSS] and sect163k1 in SEC 2 [SEC2]. It is also recommended in ANSI [X9.63], eCheck [ECHECK], and WAP [WTLS]. 2.3 Eighth Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 8 (eight). The curve is based on the Galois Field GF[2^283]. The field size is 283. The irreducible polynomial used to represent the field is: u^283 + u^12 + u^7 + u^5 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Specifically the group is defined by the following characteristics: Field size: 283 Irreducible polynomial: 0x0800000000000000000000000000000000000000000000000000000000000000000010A1 Group Curve a: 0x000000000000000000000000000000000000000000000000000000000000000000000001 Group Curve b: 0x027B680AC8B8596DA5A4AF8A19A0303FCA97FD7645309FA2A581485AF6263E313B79A2F5 Group Generator point P (compressed): 0x0305F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053 Group Generator point P (uncompressed): 0x0405F939258DB7DD90E1934F8C70B0DFEC2EED25B8557EAC9C80E2E198F8CDBECD86B12053 03676854FE24141CB98FE6D4B20D02B4516FF702350EDDB0826779C813F0DF45BE8112F4 Blake-Wilson, Brown, Poeluev and Salter [Page 7]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 The order of the base point P is the prime: 0x03FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEF90399660FC938A90165B042A7CEFADB307 The group order is twice this prime. The group was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x77E2B07370EB0F832A6DD5B62DFC88CD06BB84BE The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that the format of this data is identical to the format used with Group 6 (six). This group corresponds to the curve B-283 (in the polynomial basis) in FIPS 186-2 [DSS] and sect283r1 in SEC 2 [SEC2]. It is also recommended in ANSI [X9.63] and eCheck [ECHECK]. 2.4 Ninth Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 9 (nine). The curve is based on the Galois Field GF[2^283]. The field size is 283. The irreducible polynomial used to represent the field is: u^283 + u^12 + u^7 + u^5 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Specifically the group is defined by the following characteristics: Field size: 283 Irreducible polynomial: 0x0800000000000000000000000000000000000000000000000000000000000000000010A1 Group Curve a: 0x000000000000000000000000000000000000000000000000000000000000000000000000 Group Curve b: 0x000000000000000000000000000000000000000000000000000000000000000000000001 Group Generator point P (compressed): 0x020503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836 Blake-Wilson, Brown, Poeluev and Salter [Page 8]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 Group Generator point P (uncompressed): 0x040503213F78CA44883F1A3B8162F188E553CD265F23C1567A16876913B0C2AC2458492836 01CCDA380F1C9E318D90F95D07E5426FE87E45C0E8184698E45962364E34116177DD2259 The order of the base point P is the prime: 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9AE2ED07577265DFF7F94451E061E163C61 The group order is four times this prime. The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that the format of this data is identical to the format used with Group 6 (six). This group corresponds to the curve K-283 (in the polynomial basis) in FIPS 186-2 [DSS] and sect283k1 in SEC 2 [SEC2]. It is also recommended in ANSI [X9.63] and eCheck [ECHECK]. 2.5 Tenth Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 10 (ten). The curve is based on the Galois Field GF[2^409]. The field size is 409. The irreducible polynomial used to represent the field is: u^409 + u^87 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Specifically the group is defined by the following characteristics: Field size: 409 Irreducible polynomial: 0x2000000000000000000000000000000000000000000000000000000 000000000000000000000000008000000000000000000001 Group Curve a: 0x0000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000001 Group Curve b: 0x021A5C2C8EE9FEB5C4B9A753B7B476B7FD6422EF1F3DD674761FA99 D6AC27C8A9A197B272822F6CD57A55AA4F50AE317B13545F Blake-Wilson, Brown, Poeluev and Salter [Page 9]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 Group Generator point P (compressed): 0x03015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01F FE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7 Group Generator point P (uncompressed): 0x04015D4860D088DDB3496B0C6064756260441CDE4AF1771D4DB01F FE5B34E59703DC255A868A1180515603AEAB60794E54BB7996A7 0061B1CFAB6BE5F32BBFA78324ED106A7636B9C5A7BD198D0158 AA4F5488D08F38514F1FDF4B4F40D2181B3681C364BA0273C706 The order of the base point P is the prime: 0x10000000000000000000000000000000000000000000000000001E2 AAD6A612F33307BE5FA47C3C9E052F838164CD37D9A21173 The group order is twice this prime. The group was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x4099B5A457F9D69F79213D094C4BCD4D4262210B The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that the format of this data is identical to the format used with Group 6 (six). This group corresponds to the curve B-409 (in the polynomial basis) in FIPS 186-2 [DSS] and sect409r1 in SEC 2 [SEC2]. It is also recommended in ANSI [X9.63]. 2.6 Eleventh Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 11 (eleven). The curve is based on the Galois Field GF[2^409]. The field size is 409. The irreducible polynomial used to represent the field is: u^409 + u^87 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Blake-Wilson, Brown, Poeluev and Salter [Page 10]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 Specifically the group is defined by the following characteristics: Field size: 409 Irreducible polynomial: 0x2000000000000000000000000000000000000000000000000000000 000000000000000000000000008000000000000000000001 Group Curve a: 0x0000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000 Group Curve b: 0x0000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000001 Group Generator point P (compressed): 0x030060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27AC CFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746 Group Generator point P (uncompressed): 0x040060F05F658F49C1AD3AB1890F7184210EFD0987E307C84C27AC CFB8F9F67CC2C460189EB5AAAA62EE222EB1B35540CFE9023746 01E369050B7C4E42ACBA1DACBF04299C3460782F918EA427E632 5165E9EA10E3DA5F6C42E9C55215AA9CA27A5863EC48D8E0286B The order of the base point P is the prime: 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F8 3B2D4EA20400EC4557D5ED3E3E7CA5B4B5C83B8E01E5FCF The group order is four times this prime. The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that the format of this data is identical to the format used with Group 6 (six). This group corresponds to the curve K-409 (in the polynomial basis) in FIPS 186-2 [DSS] and sect409k1 in SEC 2 [SEC2]. It is also recommended in ANSI [X9.63]. Blake-Wilson, Brown, Poeluev and Salter [Page 11]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 2.7 Twelfth Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 12 (twelve). The curve is based on the Galois Field GF[2^571]. The field size is 571. The irreducible polynomial used to represent the field is: u^571 + u^10 + u^5 + u^2 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Specifically the group is defined by the following characteristics: Field size: 571 Irreducible polynomial: 0x80000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000425 Group Curve a: 0x00000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000001 Group Curve b: 0x2F40E7E2221F295DE297117B7F3D62F5C6A97FFCB8CEFF1CD6BA8CE4A9A18AD84FFABBD 8EFA59332BE7AD6756A66E294AFD185A78FF12AA520E4DE739BACA0C7FFEFF7F2955727A Group Generator point P (compressed): 0x030303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950 F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19 Group Generator point P (uncompressed): 0x040303001D34B856296C16C0D40D3CD7750A93D1D2955FA80AA5F40FC8DB7B2ABDBDE53950 F4C0D293CDD711A35B67FB1499AE60038614F1394ABFA3B4C850D927E1E7769C8EEC2D19 037BF27342DA639B6DCCFFFEB73D69D78C6C27A6009CBBCA1980F8533921E8A684423E43 BAB08A576291AF8F461BB2A8B3531D2F0485C19B16E2F1516E23DD3C1A4827AF1B8AC15B The order of the base point P is the prime: 0x3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF E661CE18FF55987308059B186823851EC7DD9CA1161DE93D5174D66E8382E9BB2FE84E47 The group order is twice this prime. Blake-Wilson, Brown, Poeluev and Salter [Page 12]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 The group was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x2AA058F73A0E33AB486B0F610410C53A7F132310 The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that the format of this data is identical to the format used with Group 6 (six). This group corresponds to the curve B-571 (in the polynomial basis) in FIPS 186-2 [DSS] and sect571r1 in SEC 2 [SEC2]. It is also recommended in ANSI [X9.63]. 2.8 Thirteenth Group IKE implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 13 (thirteen). The curve is based on the Galois Field GF[2^571]. The field size is 571. The irreducible polynomial used to represent the field is: u^571 + u^10 + u^5 + u^2 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Specifically the group is defined by the following characteristics: Field size: 571 Irreducible polynomial: 0x80000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000425 Group Curve a: 0x00000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000000 Group Curve b: 0x00000000000000000000000000000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000000000000000000000000001 Group Generator point P (compressed): 0x02026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA443709584 93B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972 Blake-Wilson, Brown, Poeluev and Salter [Page 13]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 Group Generator point P (uncompressed): 0x04026EB7A859923FBC82189631F8103FE4AC9CA2970012D5D46024804801841CA443709584 93B205E647DA304DB4CEB08CBBD1BA39494776FB988B47174DCA88C7E2945283A01C8972 0349DC807F4FBF374F4AEADE3BCA95314DD58CEC9F307A54FFC61EFC006D8A2C9D4979C0 AC44AEA74FBEBBB9F772AEDCB620B01A7BA7AF1B320430C8591984F601CD4C143EF1C7A3 The order of the base point P is the prime: 0x20000000000000000000000000000000000000000000000000000000000000000000000 131850E1F19A63E4B391A8DB917F4138B630D84BE5D639381E91DEB45CFE778F637C1001 The group order is four times this prime. The data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations. Note that the format of this data is identical to the format used with Group 6 (six). This group corresponds to the curve K-571 (in the polynomial basis) in FIPS 186-2 [DSS] and sect571k1 in SEC 2 [SEC2]. It is also recommended in ANSI [X9.63], 3. Security Considerations Since this document proposes new groups for use within IKE, many of the security considerations contained within RFC 2409 apply here as well. Six of the groups proposed in this document offer higher strength than those proposed in RFC 2409. In particular, there are two elliptic curves corresponding to each of the symmetric key sizes 80 bits, 128 bits, 192 bits, and 256 bits. This allows the IKE key exchange to offer security comparable with the proposed AES algorithms. In addition, since all the new groups are defined over GF[2^N] with N prime, they address the concerns expressed regarding the elliptic curve groups included in RFC 2409, which are curves defined over GF[2^N] with N composite. The works of Gaudry, Hess, and Smart [WEIL] and of Jacobson, Menezes and Stein [JMS] reveal some of the weaknesses in such groups. Proper validation of elliptic curve public keys can help prevent the attacks described in [BMM]. Blake-Wilson, Brown, Poeluev and Salter [Page 14]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 4. Intellectual Property Rights The IETF has been notified of intellectual property rights claimed in regard to the specification contained in this document. For more information, consult the online list of claimed rights (http://www.ietf.org/ipr.html). The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. 5. Acknowledgments The authors would like to thank Prakash Panjwani and John O. Goyo (Certicom Corp.) for their comments and recommendations. 6. References [ECHECK] Financial Services Technology Consortium. FSML - Financial Services Markup Language. Working draft, August 1999. (http://www.fstc.org) [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409, November 1998. [IANA] Internet Assigned Numbers Authority. Attribute Assigned Numbers. (http://www.isi.edu/in-notes/iana/assignments/ipsec-registry) [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE 1363-2000, Standard for Public Key Cryptography. IEEE Microprocessor Standards Committee. August 2001. (http://grouper.ieee.org/groups/1363/index.html) [KOB] N. Koblitz, CM curves with good cryptographic properties. Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992. Blake-Wilson, Brown, Poeluev and Salter [Page 15]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 [DSS] U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS), FIPS PUB 186-2, January 2000. (http://csrc.nist.gov/fips/fips186-2.pdf) [HOF] P. Hoffman and H. Orman, Determining strengths for public keys used for exchanging symmetric keys, Internet-draft. August 2000. [LEN] A. Lenstra and E. Verhuel, Selecting cryptographic key sizes. Available at: www.cryptosavvy.com. [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent, Combinatorics and Optimization Research Report 2001-31, May 2001. Available at http://www.cacr.math.uwaterloo.ca/. [MODP-IKE] T. Kivinen and M. Kojo, More MODP Diffie-Hellman groups for IKE, draft-ietf-ipsec-ike-modp-groups-04.txt, June 2002. [BMM] I. Biehl, B. Meyer and V. Muller, Differential Fault Attacks on Elliptic Curve Cryptosystems, in Advances in Cryptology - Crypto 2000, Lecture Notes in Compute Science 1880, Pages 131-146, Springer-Verlag, August 2000. [NSA] J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, Proceedings of Crypto '97, Pages 357-371, Springer-Verlag, 1997. [RFC-3278] S. Blake-Wilson, D. Brown and P. Lambert, The Use of Elliptic Curve Cryptography (ECC) Algorithms in the Cryptographic Message Syntax (CMS), RFC 3279, April 2002. [RFC-3279] W. Polk, R. Housley, and L. Bassham, Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 3279, April 2002. [SEC2] Standards for Efficient Cryptography Group. SEC 2 - Recommended Elliptic Curve Domain Parameters. Working Draft Ver. 1.0., 2000. (http://www.secg.org) [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and Destructive Facets of Weil Descent on Elliptic Curves, HP Labs Technical Report No. HPL-2000-10, 2000. (http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html) [WTLS] Wireless Application Forum. WAP WTLS - Wireless Application Protocol Wireless Transport Layer Security Specification, February 1999. (http://www.wapforum.org) Blake-Wilson, Brown, Poeluev and Salter [Page 16]

INTERNET-DRAFT Additional ECC Groups For IKE July 2002 [X9.62] American National Standards Institute, ANS X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm. January 1999. [X9.63] American National Standards Institute. ANSI X9.63-2001, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport using Elliptic Curve Cryptography. November 2001. 7. Authors' Addresses Authors: Simon Blake-Wilson Basic Commerce & Industries, Inc. sblakewilson@bcisse.com Daniel Brown Certicom Corp. dbrown@certicom.com Yuri Poeluev Certicom Corp. ypoeluev@certicom.com Margaret Salter National Security Agency msalter@radium.ncsc.mil Blake-Wilson, Brown, Poeluev and Salter [Page 17]