[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits] [IPR]

Versions: 00 01 02 03 04 05 06 07 08 09 10

IPSec Working Group                               S. Blake-Wilson, BCI
INTERNET-DRAFT                       D. Brown and Y. Poeluev, Certicom
Intended Status: Informational                          M. Salter, NSA
Expires October                                         April 11, 2005

                    Additional ECC Groups For IKE

                          Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 3 of RFC 3978.

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she become
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on October, 2005.


   This document describes new ECC groups for use in IKE [IKE] in
   addition to the Oakley groups included therein.  These groups are
   defined to align IKE with other ECC implementations and standards,
   and in addition, many of them provide higher strength than the
   Oakley groups. It should be noted that this document is not
   self-contained.  It uses the notations and definitions of [IKE].

Blake-Wilson, Brown, Poeluev and Salter                      [Page  1]

INTERNET-DRAFT             NIST Curves for IKE              April 2005

                           Table of Contents

   1. Introduction ............................................... 2
   2. The NIST Groups ............................................ 3
   3. Security Considerations .................................... 5
   4. Intellectual Property Rights ............................... 5
   5. Acknowledgments ............................................ 5
   6. References ................................................. 5
   7. Author's Address ........................................... 7

1.  Introduction

This document describes groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE], [ECC-IKE] and [MODP-IKE].  The document assumes that the reader
is familiar with the IKE protocol and the concept of Oakley Groups, as
defined in RFC 2409 [IKE].  The ECC groups given here are the fifteen
groups that NIST recommends in FIPS 186-2 [FIPS-182-2].

RFC2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N].  One
modular exponentiation group (768 bits - Oakley Group 1) is mandatory
for all implementations to support, while the other four are optional.
Both elliptic curve groups (Oakley Groups 3 and 4) are defined over
GF[2^N] with N composite.

The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes
several additional groups that can be used with IKE.

Detailed descriptions of the ECC groups recommended here for IKE in
this are not given in this document but can be found elsewhere: all
fifteen groups in each of FIPS 186-2 [FIPS-186-2] and SEC 2 [SEC-2].
The elliptic curve domain paramenters are uniquely identified in this
document using the ASN.1 object identifiers provided in ANS X9.63
[X9.63], which are also given in SEC 2 [SEC-2].

Blake-Wilson, Brown, Poeluev and Salter                       [Page 2]

INTERNET-DRAFT             NIST Curves for IKE              April 2005

2.  The NIST Groups

The groups given in this document are capable of providing security
consistent with AES keys of 128, 192, and 256 bits, and also with TDES
keys of lengths 168 and 112 bits, whose corresponding strengths of 112
and 80 bits, respectively.  The following table, based on tables from
[HOF] and [LEN], gives approximate comparable key sizes for symmetric
systems, ECC systems, and DH/DSA/RSA systems.  The estimates are based
on the running times of the best algorithms known today.

                  Strength   |  ECC2N/PR |  DH/DSA/RSA
                   80        |  163/192  |  1024
                  112        |  233/224  |  2048
                  128        |  283/256  |  3072
                  192        |  409/384  |  7680
                  256        |  571/521  |  15360

                  Table 1: Comparable key sizes

Thus, for example, when securing a 192-bit symmetric key, it is
prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA.  Of course
it is possible to use shorter asymmetric keys, but it should be
recognized in this case that the security of the system is likely
dependent on the strength of the public-key algorithm and claims such
as "this system is highly secure because it uses 192-bit encryption"
are misleading.

The fifteen groups proposed in this document use elliptic curves over
GF[2^N] with N prime or over GF[P] with P prime.  This addresses
concerns expressed by many experts regarding curves defined over
GF[2^N] with N composite -- concerns highlighted by the recent attacks
on such curves due to Gaudry, Hess, and Smart [WEIL] and due to
Jacobson, Menezes and Stein [JMS].

Seven of the groups proposed here have been assigned identifiers by
IANA [IANA] and the remaining eight might latter be assigned
identifiers by IANA.  A brief summary of the IANA identified groups
for IKE as follows.  Groups with IANA numbers 1 through 4 are
identified in [IKE].  The group with IANA number 5 is identifed in
[MODP-IKE].  The group with IANA number 6 is identified in [ECC-IKE],
[X9.62] and [SEC 2], with object identifer sect163r1, but it is not
one of the fifteen curves that NIST recommends [FIPS-186-2].  The
seven groups with IANA numbers numbers between 7 and 13 have already
been identified in [ECC-IKE] and are included here.  The remaining
eight curves recommended by NIST might be assigned numbers between X-2
and X+5 for some X.

Blake-Wilson, Brown, Poeluev and Salter                       [Page 3]

INTERNET-DRAFT             NIST Curves for IKE              April 2005

The groups recommended for IKE in this document are the ECC groups
that NIST recommends [FIPS-186-2].  These fifteen ECC groups are
given in the following table.

IANA  Group Description                SEC 2 OID
----  -----------------                ---------

 X+1  ECPRGF192Random  group P-192     secp192r1
 X-2  EC2NGF163Random  group B-163     sect163r2
   7  EC2NGF163Koblitz group K-163     sect163k1

 X+2  ECPRGF224Random  group P-224     secp224r1
   X  EC2NGF233Random  group B-233     sect233r1
 X-1  EC2NGF233Koblitz group K-233     sect233k1

 X+3  ECPRGF256Random  group P-256     secp256r1
 X+3  EC2NGF283Random  group B-283     sect283r1
   9  EC2NGF283Koblitz group K-283     sect283k1

 X+4  ECPRGF384Random  group P-384     secp384r1
  10  EC2NGF409Random  group B-409     sect409r1
  11  EC2NGF409Koblitz group K-409     sect409k1

 X+5  ECPRGF521Random  group P-521     secp521r1
  12  EC2NGF571Random  group B-571     sect571r1
  13  EC2NGF571Koblitz group K-571     sect571k1

Three curves are defined at each strength - two curves chosen
verifiably at random (as defined in ANSI [X9.62]), one over a binary
field and another over a prime field, and a Koblitz curve over a
binary field that, which enables especially efficient implementations
due to the special structure of the curve [KOB] and [SOL].

Blake-Wilson, Brown, Poeluev and Salter                       [Page 4]

INTERNET-DRAFT             NIST Curves for IKE              April 2005

3. Security Considerations

Since this document proposes new groups for use within IKE, many of the
security considerations contained within RFC 2409 apply here as well.

Nine of the groups proposed in this document offer higher strength
than the groups in RFC 2409.  This allows the IKE and IKEv2 to offer
security comparable with the proposed AES algorithms.

In addition, since all the new groups are defined over GF[P] with P
prime or GF[2^N] with N prime, they address the concerns expressed
regarding the elliptic curve groups included in RFC 2409, which are
curves defined over GF[2^N] with N composite.  The work of
Gaudry,Hess, and Smart [WEIL] reveal some of the weaknesses in such

4. Intellectual Property Rights

The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document.
For more information, consult the online list of claimed rights

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights.  Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.  Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.

5. Acknowledgments

To be added.

Blake-Wilson, Brown, Poeluev and Salter                       [Page 5]

INTERNET-DRAFT             NIST Curves for IKE              April 2005

6. References

  [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC
     2409, November 1998.

  [IANA] Internet Assigned Numbers Authority. Attribute Assigned

  [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE
     1363-2000, Standard for Public Key Cryptography. IEEE
     Microprocessor Standards Committee. August 2001.

  [KOB] N. Koblitz, CM curves with good cryptographic properties.
     Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992.

  [FIPS-186-2] U.S. Department of Commerce/National Institute of
     Standards and Technology. Digital Signature Standard (DSS), FIPS
     PUB 186-2, January 2000.

  [HOF] P. Hoffman and H. Orman, Determining strengths for public keys
     used for exchanging symmetric keys, Internet-draft. August 2000.

  [LEN] A. Lenstra and E. Verhuel, Selecting cryptographic key sizes.
     Available at: www.cryptosavvy.com.

  [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic
     Curve Discrete Logarithm Problems Using Weil Descent,
     Combinatorics and Optimization Research Report 2001-31, May 2001.
     Available at http://www.cacr.math.uwaterloo.ca/.

  [MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
     Diffie-Hellman groups for Internet Key Exchange (IKE),
     rfc3526.txt, May 2003.

  [SEC2] Standards for Efficient Cryptography Group. SEC 2 -
     Recommended Elliptic Curve Domain Parameters. Working Draft
     Ver. 1.0., 2000.  (http://www.secg.org)

  [SOL] J. Solinas, An improved algorithm for arithmetic on a family
     of elliptic curves, Proceedings of Crypto '97, Pages 357-371,
     Springer-Verlag, 1997.

  [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and
     Destructive Facets of Weil Descent on Elliptic Curves, HP Labs
     Technical Report No. HPL-2000-10, 2000.

Blake-Wilson, Brown, Poeluev and Salter                       [Page 6]

INTERNET-DRAFT             NIST Curves for IKE              April 2005

  [X9.62] American National Standards Institute, ANS X9.62-1998:
     Public Key Cryptography for the Financial Services Industry: The
     Elliptic Curve Digital Signature Algorithm.  January 1999.

  [X9.63] American National Standards Institute. ANSI X9.63-2001,
     Public Key Cryptography for the Financial Services Industry: Key
     Agreement and Key Transport using Elliptic Curve Cryptography.
     November 2001.

7. Authors' Addresses

  Simon Blake-Wilson
  Basic Commerce & Industries, Inc.

  Daniel R. L. Brown
  Certicom Corp.

  Yuri Poeluev
  Certicom Corp.

  Margaret Salter
  National Security Agency

8. Full Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is
   subject to the rights, licenses and restrictions contained in BCP
   78, and except as set forth therein, the authors retain all their

   This document and the information contained herein are provided on

Blake-Wilson, Brown, Poeluev and Salter                       [Page 7]

Html markup produced by rfcmarkup 1.108, available from http://tools.ietf.org/tools/rfcmarkup/