IPSec Working Group S. Blake-Wilson, BCI INTERNET-DRAFT D. Brown and Y. Poeluev, Certicom Intended Status: Informational M. Salter, NSA Expires October April 11, 2005 Additional ECC Groups For IKE <draft-ietf-ipsec-ike-ecc-groups-05.txt> Status of this Memo This document is an Internet-Draft and is subject to all provisions of Section 3 of RFC 3978. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October, 2005. Abstract This document describes new ECC groups for use in IKE [IKE] in addition to the Oakley groups included therein. These groups are defined to align IKE with other ECC implementations and standards, and in addition, many of them provide higher strength than the Oakley groups. It should be noted that this document is not self-contained. It uses the notations and definitions of [IKE]. Blake-Wilson, Brown, Poeluev and Salter [Page 1]

INTERNET-DRAFT NIST Curves for IKE April 2005 Table of Contents 1. Introduction ............................................... 2 2. The NIST Groups ............................................ 3 3. Security Considerations .................................... 5 4. Intellectual Property Rights ............................... 5 5. Acknowledgments ............................................ 5 6. References ................................................. 5 7. Author's Address ........................................... 7 1. Introduction This document describes groups for use in elliptic curve Diffie-Hellman in IKE in addition to the Oakley groups included in [IKE], [ECC-IKE] and [MODP-IKE]. The document assumes that the reader is familiar with the IKE protocol and the concept of Oakley Groups, as defined in RFC 2409 [IKE]. The ECC groups given here are the fifteen groups that NIST recommends in FIPS 186-2 [FIPS-182-2]. RFC2409 [IKE] defines five standard Oakley Groups - three modular exponentiation groups and two elliptic curve groups over GF[2^N]. One modular exponentiation group (768 bits - Oakley Group 1) is mandatory for all implementations to support, while the other four are optional. Both elliptic curve groups (Oakley Groups 3 and 4) are defined over GF[2^N] with N composite. The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes several additional groups that can be used with IKE. Detailed descriptions of the ECC groups recommended here for IKE in this are not given in this document but can be found elsewhere: all fifteen groups in each of FIPS 186-2 [FIPS-186-2] and SEC 2 [SEC-2]. The elliptic curve domain paramenters are uniquely identified in this document using the ASN.1 object identifiers provided in ANS X9.63 [X9.63], which are also given in SEC 2 [SEC-2]. Blake-Wilson, Brown, Poeluev and Salter [Page 2]

INTERNET-DRAFT NIST Curves for IKE April 2005 2. The NIST Groups The groups given in this document are capable of providing security consistent with AES keys of 128, 192, and 256 bits, and also with TDES keys of lengths 168 and 112 bits, whose corresponding strengths of 112 and 80 bits, respectively. The following table, based on tables from [HOF] and [LEN], gives approximate comparable key sizes for symmetric systems, ECC systems, and DH/DSA/RSA systems. The estimates are based on the running times of the best algorithms known today. Strength | ECC2N/PR | DH/DSA/RSA 80 | 163/192 | 1024 112 | 233/224 | 2048 128 | 283/256 | 3072 192 | 409/384 | 7680 256 | 571/521 | 15360 Table 1: Comparable key sizes Thus, for example, when securing a 192-bit symmetric key, it is prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA. Of course it is possible to use shorter asymmetric keys, but it should be recognized in this case that the security of the system is likely dependent on the strength of the public-key algorithm and claims such as "this system is highly secure because it uses 192-bit encryption" are misleading. The fifteen groups proposed in this document use elliptic curves over GF[2^N] with N prime or over GF[P] with P prime. This addresses concerns expressed by many experts regarding curves defined over GF[2^N] with N composite -- concerns highlighted by the recent attacks on such curves due to Gaudry, Hess, and Smart [WEIL] and due to Jacobson, Menezes and Stein [JMS]. Seven of the groups proposed here have been assigned identifiers by IANA [IANA] and the remaining eight might latter be assigned identifiers by IANA. A brief summary of the IANA identified groups for IKE as follows. Groups with IANA numbers 1 through 4 are identified in [IKE]. The group with IANA number 5 is identifed in [MODP-IKE]. The group with IANA number 6 is identified in [ECC-IKE], [X9.62] and [SEC 2], with object identifer sect163r1, but it is not one of the fifteen curves that NIST recommends [FIPS-186-2]. The seven groups with IANA numbers numbers between 7 and 13 have already been identified in [ECC-IKE] and are included here. The remaining eight curves recommended by NIST might be assigned numbers between X-2 and X+5 for some X. Blake-Wilson, Brown, Poeluev and Salter [Page 3]

INTERNET-DRAFT NIST Curves for IKE April 2005 The groups recommended for IKE in this document are the ECC groups that NIST recommends [FIPS-186-2]. These fifteen ECC groups are given in the following table. IANA Group Description SEC 2 OID ---- ----------------- --------- X+1 ECPRGF192Random group P-192 secp192r1 X-2 EC2NGF163Random group B-163 sect163r2 7 EC2NGF163Koblitz group K-163 sect163k1 X+2 ECPRGF224Random group P-224 secp224r1 X EC2NGF233Random group B-233 sect233r1 X-1 EC2NGF233Koblitz group K-233 sect233k1 X+3 ECPRGF256Random group P-256 secp256r1 X+3 EC2NGF283Random group B-283 sect283r1 9 EC2NGF283Koblitz group K-283 sect283k1 X+4 ECPRGF384Random group P-384 secp384r1 10 EC2NGF409Random group B-409 sect409r1 11 EC2NGF409Koblitz group K-409 sect409k1 X+5 ECPRGF521Random group P-521 secp521r1 12 EC2NGF571Random group B-571 sect571r1 13 EC2NGF571Koblitz group K-571 sect571k1 Three curves are defined at each strength - two curves chosen verifiably at random (as defined in ANSI [X9.62]), one over a binary field and another over a prime field, and a Koblitz curve over a binary field that, which enables especially efficient implementations due to the special structure of the curve [KOB] and [SOL]. Blake-Wilson, Brown, Poeluev and Salter [Page 4]

INTERNET-DRAFT NIST Curves for IKE April 2005 3. Security Considerations Since this document proposes new groups for use within IKE, many of the security considerations contained within RFC 2409 apply here as well. Nine of the groups proposed in this document offer higher strength than the groups in RFC 2409. This allows the IKE and IKEv2 to offer security comparable with the proposed AES algorithms. In addition, since all the new groups are defined over GF[P] with P prime or GF[2^N] with N prime, they address the concerns expressed regarding the elliptic curve groups included in RFC 2409, which are curves defined over GF[2^N] with N composite. The work of Gaudry,Hess, and Smart [WEIL] reveal some of the weaknesses in such groups. 4. Intellectual Property Rights The IETF has been notified of intellectual property rights claimed in regard to the specification contained in this document. For more information, consult the online list of claimed rights (http://www.ietf.org/ipr.html). The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. 5. Acknowledgments To be added. Blake-Wilson, Brown, Poeluev and Salter [Page 5]

INTERNET-DRAFT NIST Curves for IKE April 2005 6. References [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409, November 1998. [IANA] Internet Assigned Numbers Authority. Attribute Assigned Numbers. (http://www.isi.edu/in-notes/iana/assignments/ipsec-registry) [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE 1363-2000, Standard for Public Key Cryptography. IEEE Microprocessor Standards Committee. August 2001. (http://grouper.ieee.org/groups/1363/index.html) [KOB] N. Koblitz, CM curves with good cryptographic properties. Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992. [FIPS-186-2] U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS), FIPS PUB 186-2, January 2000. (http://csrc.nist.gov/fips/fips186-2.pdf) [HOF] P. Hoffman and H. Orman, Determining strengths for public keys used for exchanging symmetric keys, Internet-draft. August 2000. [LEN] A. Lenstra and E. Verhuel, Selecting cryptographic key sizes. Available at: www.cryptosavvy.com. [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent, Combinatorics and Optimization Research Report 2001-31, May 2001. Available at http://www.cacr.math.uwaterloo.ca/. [MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE), rfc3526.txt, May 2003. [SEC2] Standards for Efficient Cryptography Group. SEC 2 - Recommended Elliptic Curve Domain Parameters. Working Draft Ver. 1.0., 2000. (http://www.secg.org) [SOL] J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, Proceedings of Crypto '97, Pages 357-371, Springer-Verlag, 1997. [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and Destructive Facets of Weil Descent on Elliptic Curves, HP Labs Technical Report No. HPL-2000-10, 2000. (http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html) Blake-Wilson, Brown, Poeluev and Salter [Page 6]

INTERNET-DRAFT NIST Curves for IKE April 2005 [X9.62] American National Standards Institute, ANS X9.62-1998: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm. January 1999. [X9.63] American National Standards Institute. ANSI X9.63-2001, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport using Elliptic Curve Cryptography. November 2001. 7. Authors' Addresses Simon Blake-Wilson Basic Commerce & Industries, Inc. sblakewilson@bcisse.com Daniel R. L. Brown Certicom Corp. dbrown@certicom.com Yuri Poeluev Certicom Corp. ypoeluev@certicom.com Margaret Salter National Security Agency msalter@radium.ncsc.mil 8. Full Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Blake-Wilson, Brown, Poeluev and Salter [Page 7]