IPSec Working Group D. Brown, Certicom INTERNET-DRAFT January 27, 2006 Expires: July 27, 2006 Additional ECC Groups For IKE and IKEv2 <draft-ietf-ipsec-ike-ecc-groups-08.txt> Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on July 27, 2006. Abstract This document describes new ECC groups for use in IKE [IKE] and IKEv2 [IKEv2] in addition to the Oakley groups included therein. These groups are defined to align IKE with other ECC implementations and standards, and in addition, many of them provide higher strength than the Oakley groups. It should be noted that this document is not self-contained. It uses the notations and definitions of [IKE] and IKEv2 [IKEv2]. Brown [Page 1]

```
INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006
Table of Contents
1. Introduction ............................................... 2
2. The Additional ECC Groups .................................. 3
2.1 Sixth Group ............................................... 5
2.2 Seventh Group ............................................. 6
2.3 Eighth Group .............................................. 6
2.4 Ninth Group ............................................... 7
2.5 Tenth Group ............................................... 7
2.6 Eleventh Group ............................................ 8
2.7 Twelfth Group ............................................. 8
2.8 Thirteenth Group .......................................... 9
2.9 Twenty-Second Group ....................................... 9
2.10 Twenty-Third Group ....................................... 10
2.11 Twenty-Fourth Group ...................................... 11
2.12 Twenty-Fifth Group........................................ 11
2.13 Twenty-Sixth Group ....................................... 12
3. Test vectors ............................................... 12
4. Security Considerations .................................... 16
5. Intellectual Property Rights ............................... 17
6. Acknowledgments ............................................ 17
7. References ................................................. 17
8. Author's Address ........................................... 18
1. Introduction
This document describes groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE], [IKEv2], and [MODP-IKE]. The document assumes that the reader
is familiar with the IKE protocol and the concept of Oakley Groups, as
defined in RFC 2409 [IKE] and IKEv2 [IKEv2]. The ECC groups given
here are among the fifteen groups that NIST recommends in FIPS 186-2
[FIPS-186-2].
RFC2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N]. One
modular exponentiation group (768 bits - Oakley Group 1) is mandatory
for all implementations to support, while the other four are optional.
Both elliptic curve groups (Oakley Groups 3 and 4) are defined over
GF[2^N] with N composite.
The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes
several additional groups that can be used with IKE and IKEv2.
The Internet-Draft "ECP Groups For IKE and IKEv2" [ECP-IKE] describes
three elliptic curve groups recommended by NIST. This document
describes the remaining twelve.
Brown [Page 2]
```

```
INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006
The reasons for supporting these twelve ellipitc curve groups are are
for bettern alignment with other standards, such as [FIPS 186-2],
[X9.62], [X9.63], and [SEC-2]. Some of these groups also afford
efficiency advantages in hardware applications since the underlying
arithmetic is binary field arithmetic. The groups proposed are
capable of providing security consistent with both the new Advanced
Encryption Standard and with Triple DES.
These groups could also be defined with the New Group Mode but
including them in this document will encourage interoperability of IKE
and IKEv2 implementations based on elliptic curve groups.
2. The Additional Elliptic Curve Groups
The groups given in this document are capable of providing security
consistent with AES keys of 128, 192, and 256 bits, and also with TDES
keys of lengths 168 and 112 bits, whose corresponding strengths of 112
and 80 bits, respectively. The following table, based on tables from
[HOF] and [LEN], gives approximate comparable key sizes for symmetric
systems, ECC systems, and DH/DSA/RSA systems. The estimates are based
on the running times of the best algorithms known today.
Strength | ECC2N/ECP | DH/DSA/RSA
80 | 163/192 | 1024
112 | 233/224 | 2048
128 | 283/256 | 3072
192 | 409/384 | 7680
256 | 571/521 | 15360
Table 1: Comparable key sizes
Thus, for example, when securing a 192-bit symmetric key, it is
prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA. Of course
it is possible to use shorter asymmetric keys, but it should be
recognized in this case that the security of the system is likely
dependent on the strength of the public-key algorithm and claims such
as "this system is highly secure because it uses 192-bit encryption"
are misleading.
The fifteen groups proposed in this document use elliptic curves over
GF[2^N] with N prime or over GF[P] with P prime. This addresses
concerns expressed by many experts regarding curves defined over
GF[2^N] with N composite -- concerns highlighted by the recent attacks
on such curves due to Gaudry, Hess, and Smart [WEIL] and due to
Jacobson, Menezes and Stein [JMS].
Brown [Page 3]
```

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 Seven of the groups proposed here have been assigned identifiers by IANA [IANA] and the remaining eight might latter be assigned identifiers by IANA. A brief summary of the IANA identified groups for IKE as follows. Groups with IANA numbers 1 through 4 are identified in [IKE]. The group with IANA number 5 is identifed in [MODP-IKE]. The group with IANA number 6, [X9.62] and [SEC 2], with object identifer sect163r1, but it is not one of the fifteen curves that NIST recommends [FIPS-186-2]. Nevertheless, it is included here for backwards interoperability with existing implementations. The seven groups with IANA numbers numbers between 7 and 13 have also been identified in [ECP-IKE] and are included here. Three NIST groups have proposed numbers 19, 20 and 21 in [ECP-IKE]. The remaining five NIST groups are suggested and anticipate to be assigned IANA numbers 22 to 26. The groups recommended for IKE and IKEv2 in this document are the ECC groups that NIST recommends [FIPS-186-2]. These fifteen ECC groups are given in the following table. IANA Group Type Group Description NIST Name SEC 2 OID ---- ---------- ----------------- --------- --------- 22 2 ECP ECPRGF192Random P-192 secp192r1 23 3 EC2N EC2NGF163Random B-163 sect163r2 7 3 EC2N EC2NGF163Koblitz K-163 sect163k1 6 3 EC2N EC2NGF163Random2 none sect163r1 24 2 ECP ECPRGF224Random P-224 secp224r1 25 3 EC2N EC2NGF233Random B-233 sect233r1 26 3 EC2N EC2NGF233Koblitz K-233 sect233k1 19 2 ECP ECPRGF256Random P-256 secp256r1 8 3 EC2N EC2NGF283Random B-283 sect283r1 9 3 EC2N EC2NGF283Koblitz K-283 sect283k1 20 2 ECP ECPRGF384Random P-384 secp384r1 10 3 EC2N EC2NGF409Random B-409 sect409r1 11 3 EC2N EC2NGF409Koblitz K-409 sect409k1 21 2 ECP ECPRGF521Random P-521 secp521r1 12 3 EC2N EC2NGF571Random B-571 sect571r1 13 3 EC2N EC2NGF571Koblitz K-571 sect571k1 Three curves are defined at each strength - two curves chosen verifiably at random (as defined in ANSI [X9.62]), one over a binary field and another over a prime field, and a Koblitz curve over a binary field that, which enables especially efficient implementations due to the special structure of the curve [KOB] and [SOL]. Brown [Page 4]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 For elliptic curve groups, the data in the KE payload when using this group is the octet string representation specified in ANSI X9.62, ANSI X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*G, where * is the repetition of the group addition. If the initiator chooses secret i and the responder chooses secret r, then the KEi is i*G and KEr is r*G. The raw shared secret is the x-coordinate (only) of (ir)*G. 2.1 Sixth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 6 (six). The curve is based on the Galois Field GF[2^163]. The field size is 163. The irreducible polynomial used to represent the field is: u^163 + u^7 + u^6 + u^3 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b. Group Curve a: 0x07b6882caaefa84f9554ff8428bd88e246d2782ae2 Group Curve b: 0x0713612dcddcb40aab946bda29ca91f73af958afd9 Group Generator G: 0x030369979697ab43897789566789567f787a7876a654 The order of the generator G defined above is the prime: 0x03ffffffffffffffffffff48aab689c29ca710279b The curve order is twice this prime. The group was chosen verifiably at random using SHA-1 as specified in [X9.62] from the seed: 0x24b7b137c8a14d696e6768756151756fd0da2e5c However, for historical reasons, the method to generate the group from the seed differs slightly from the method described in [X9.62]. Specifically the coefficient Group Curve b produced from the seed is the reverse of the coefficient that would have been produced by the method described in [X9.62]. Brown [Page 5]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 2.2 Seventh Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 7 (seven). The curve is based on the Galois Field GF[2^163]. The field size is 163. The irreducible polynomial used to represent the field is: u^163 + u^7 + u^6 + u^3 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + x^2 + 1. Group Generator G: 0x0302fe13c0537bbc11acaa07d793de4e6d5e5c94eee8 The order of the generator G is the prime: 0x04000000000000000000020108a2e0cc0d99f8a5ef The curve order is twice this prime. 2.3 Eighth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 8 (eight). The curve is based on the Galois Field GF[2^283]. The field size is 283. The irreducible polynomial used to represent the field is: u^283 + u^12 + u^7 + u^5 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + x^2 + b. Group Curve b: 0x027b680ac8b8596da5a4af8a19a0303fca97fd7645309fa2a581485af6263e313b79a2f5 Group Generator G: 0x0305f939258db7dd90e1934f8c70b0dfec2eed25b8557eac9c80e2e198f8cdbecd86b12053 The order of the generator G is the prime: 0x03ffffffffffffffffffffffffffffffffffef90399660fc938a90165b042a7cefadb307 The curve order is twice this prime. Brown [Page 6]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 The group was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x77e2b07370eb0f832a6dd5b62dfc88cd06bb84be 2.4 Ninth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 9 (nine). The curve is based on the Galois Field GF[2^283]. The field size is 283. The irreducible polynomial used to represent the field is: u^283 + u^12 + u^7 + u^5 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + 1. Group Generator G: 0x020503213f78ca44883f1a3b8162f188e553cd265f23c1567a16876913b0c2ac2458492836 The order of the generator G is the prime: 0x01ffffffffffffffffffffffffffffffffffe9ae2ed07577265dff7f94451e061e163c61 The curve order is four times this prime. 2.5 Tenth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 10 (ten). The curve is based on the Galois Field GF[2^409]. The field size is 409. The irreducible polynomial used to represent the field is: u^409 + u^87 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + x^2 + b. Group Curve b: 0x021a5c2c8ee9feb5c4b9a753b7b476b7fd6422ef1f3dd674761fa99d6ac27c8a9a197b272822f6cd57a55aa4f50ae317b13545f Group Generator G: 0x03015d4860d088ddb3496b0c6064756260441cde4af1771d4db01ffe5b34e59703dc255a868a1180515603aeab60794e54bb7996a7 The order of the generator G is the prime: Brown [Page 7]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 0x10000000000000000000000000000000000000000000000000001e2aad6a612f33307be5fa47c3c9e052f838164cd37d9a21173 The curve order is twice this prime. The curve was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x4099b5a457f9d69f79213d094c4bcd4d4262210b 2.6 Eleventh Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 11 (eleven). The curve is based on the Galois Field GF[2^409]. The field size is 409. The irreducible polynomial used to represent the field is: u^409 + u^87 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + 1. Group Generator G: 0x030060f05f658f49c1ad3ab1890f7184210efd0987e307c84c27accfb8f9f67cc2c460189eb5aaaa62ee222eb1b35540cfe9023746 The order of the generator G is the prime: 0x7ffffffffffffffffffffffffffffffffffffffffffffffffffe5f83b2d4ea20400ec4557d5ed3e3e7ca5b4b5c83b8e01e5fcf The curve order is four times this prime. 2.7 Twelfth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 12 (twelve). The curve is based on the Galois Field GF[2^571]. The field size is 571. The irreducible polynomial used to represent the field is: u^571 + u^10 + u^5 + u^2 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + x^2 + b. Group Curve b: 0x2f40e7e2221f295de297117b7f3d62f5c6a97ffcb8ceff1cd6ba8ce4a9a18ad84ffabbd8efa59332be7ad6756a66e294afd185a78ff12aa520e4de739baca0c7ffeff7f2955727a Group Generator G: Brown [Page 8]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 0x030303001d34b856296c16c0d40d3cd7750a93d1d2955fa80aa5f40fc8db7b2abdbde53950f4c0d293cdd711a35b67fb1499ae60038614f1394abfa3b4c850d927e1e7769c8eec2d19 The order of the generator G is the prime: 0x3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe661ce18ff55987308059b186823851ec7dd9ca1161de93d5174d66e8382e9bb2fe84e47 The curve order is twice this prime. The group was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x2aa058f73a0e33ab486b0f610410c53a7f132310 2.8 Thirteenth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 13 (thirteen). The curve is based on the Galois Field GF[2^571]. The field size is 571. The irreducible polynomial used to represent the field is: u^571 + u^10 + u^5 + u^2 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + 1. Group Generator G: 0x02026eb7a859923fbc82189631f8103fe4ac9ca2970012d5d46024804801841ca44370958493b205e647da304db4ceb08cbbd1ba39494776fb988b47174dca88c7e2945283a01c8972 The order of the generator G is the prime: 0x20000000000000000000000000000000000000000000000000000000000000000000000131850e1f19a63e4b391a8db917f4138b630d84be5d639381e91deb45cfe778f637c1001 The group order is four times this prime. 2.9 Twenty-Second Group IKE and IKEv2 implementations SHOULD support an ECP group with the following characteristics. This group is assigned id 22 (twenty-two). The curve is based on the integers modulo the generalized Mersenne prime p given by p = 2^192 - 2^64 - 1. The equation for the elliptic curve is: y^2 = x^3 - 3 x + b. Group Curve b: Brown [Page 9]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1 Group Generator G: 0x03188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012 The order of the generator G is the prime: 0xffffffffffffffffffffffff99def836146bc9b1b4d22831 The group was chosen verifiably at random using SHA-1 as specified in [X9.62] from the seed: 0x3045ae6fc8422f64ed579528d38120eae12196d5 2.10 Twenty-Third Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 23 (twenty-three). The curve is based on the Galois Field GF[2^163]. The field size is 163. The irreducible polynomial used to represent the field is: u^163 + u^7 + u^6 + u^3 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + x^2 + b. Group Curve b: 0x020a601907b8c953ca1481eb10512f78744a3205fd Group Generator G: 0x0303f0eba16286a2d57ea0991168d4994637e8343e36 The order of the generaotr G above is the prime: 0x040000000000000000000292fe77e70c12a4234c33 The curve order is twice this prime. The group was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x85e25bfe5c86226cdb12016f7553f9d0e693a268 Brown [Page 10]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 2.11 Twenty-Fourth Group IKE and IKEv2 implementations SHOULD support an ECP group with the following characteristics. This group is assigned id 24 (twenty-four). The curve is based on the integers modulo the generalized Mersenne prime p given by p = 2^224 - 2^96 + 1. The equation for the elliptic curve is: y^2 = x^3 - 3 x + b. Group Curve b: 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4 Group Generator G: 0x02b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21 The order of the generator G is the prime: 0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d The group was chosen verifiably at random using SHA-1 as specified in [X9.62] from the seed: 0xbd71344799d5c7fcdc45b59fa3b9ab8f6a948bc5 2.12 Twenty-Fifth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 25 (twenty-five). The curve is based on the Galois Field GF[2^233]. The field size is 233. The irreducible polynomial used to represent the field is: u^233 + u^74 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + x^2 + b. Group Curve b: 0x0066647ede6c332c7f8c0923bb58213b333b20e9ce4281fe115f7d8f90ad Group Generator G: 0x0300fac9dfcbac8313bb2139f1bb755fef65bc391f8b36f8f8eb7371fd558b Brown [Page 11]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 The order of the generator G above is the prime: 0x01000000000000000000000000000013e974e72f8a6922031d2603cfe0d7 The curve order is twice this prime. The group was chosen verifiably at random in normal basis representation using SHA-1 as specified in [X9.62] from the seed: 0x74d59ff07f6b413d0ea14b344b20a2db049b50c3 2.13 Twenty-Sixth Group IKE and IKEv2 implementations SHOULD support an EC2N group with the following characteristics. This group is assigned id 26 (twenty-six). The curve is based on the Galois Field GF[2^233]. The field size is 233. The irreducible polynomial used to represent the field is: u^233 + u^74 + 1. The equation for the elliptic curve is: y^2 + xy = x^3 + 1. Group Generator G: 0x02017232ba853a7e731af129f22ff4149563a419c26bf50a4c9d6eefad6126 The order of the generator G is the prime: 0x8000000000000000000000000000069d5bb915bcd46efb1ad5f173abdf The curve order is four times this prime. 3. Test Vectors What follows is a set of test vectors, in the form: <SEC 2 name for elliptic curve group> i = <initiator secret value> r = <responder secret value> KEi = <initiator key exchange payload> KEr = <responder key exchange payload> Z = <raw shared secret> Brown [Page 12]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 Here are the test vectors: secp192r1 i = 0x7092e5fd43a17f6a3375325989284eba093564e1944e176d r = 0xd6185566ec0b1f52cc56276560907cb1a8683d8449b882ce KEi = 0x00000021001600003841c988076d857fdda4ccf3bae5cf5f521336a650fdc7dc4 KEr = 0x000000210016000003445a52f30ce615c53e1175c04db6f0bb7a03d3096e2c209e Z = 0xcac49383d8bf6b5fd8e5d5b769c0a91f68f9b5d091b831d8 secp224r1 i = 0x626167f5e43652607a9cc40035c6dca7256fa3721a68baf4e40f86e1 r = 0x38524a05e71d023361bfdb290b69d15b7d8390aa5ac837a0c82d9f63 KEi = 0x000000250018000029167b2a96e1cbde468976e364d4d3110c8f58f579c44a0be3c98a1a8 KEr = 0x000000250018000002dc7765dea1a085f3f077f138854fe0850ca89c2e32d0377bde245815 Z = 0x7b1bf04233c15681ba5302221a2ce34b18a92dbbb37cc0a772a91516 secp256r1 i = 0x9d3ae8148192a83f20530cb25edb11e8b7ea13583a70ca345b0f571b91317abe r = 0x922d3e7c675bb9b4d9613ff21793991b3623844f072e53d28a6baff89cf85ab4 KEi = 0x00000029001300003084cc47b198b640da01bc10dfcfa034db89dbb072ea0ae9cd6eac60900ffc492 KEr = 0x000000290013000002b9528b7eb564634315ebe2f1e3e4fabd671d8e6f487b6ee35796a6a6daaed1f7 Z = 0x52c8f824e13b40651b0ec4ad8dbdb116b15aebc48fbc0360d84ff8cdc3c73e6c secp384r1 i = 0x52d3051d6675ed1e52a4e9224fb2ad9a910358bb9a72ddf7d96a2383bad90ef815f83a94edfe52a01193f843d29f1958 r = 0xf13ba4709dee2f4532b251bfb3b1b87b1adac356299e4ea9472356aca6ddad290b00f2214740f693c6a03c2dc52bd419 KEi = 0x000000390014000032991ae8b27d7080db619140023dc7241cdbcd8130de451f9268c420674b8169973f89be2f3d9f3082cb049511457db35 KEr = 0x00000039001400000270a447c2e24022c3a52f95634a17052a02831cca790e6f0c1feff9515a38cfd7c487abd9e19e8f4ef49b8a4b268b1a0f Z = 0xf3cde42e0e9dd28982294ac1af62cbd1429f289911b3e0535a81ebb513a2903bc53f0ecd5c5110835e5a4a903629b0c5 secp521r1 Brown [Page 13]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 i = 0xea78946abd68bb79a55f8f9993cf5389fbb0a10d3b58062429c6322a987c957f8854a5a4ec636d702a7b07537341f6319cc6d03c447da5e9f59d28460caa98dbeb r = 0xe68807bbdc90cca27848c6bc38426ddf5b19c09d144d041706bc9ed1afade9e81585faf9e173f340001016ef82ea5b4a8b785fee0c403a6e39228df62a337e479c KEi = 0x0000004b00150000300584c2476258dd61c098761710976c4b50fc4c47177f42562f2d575bf933c7699122bc37c77da0a7079e0a4c2d1318d33764241e4c562c7ff7bad5cf0ce1edddfa0 KEr = 0x0000004b0015000002011483326d756d8600c5d8c6a0bc60c80297c37e3368f45bbcf4d5db78ad4b1b1d8584b019416f92e8e65f5fe370fb35558a61327903042ae798095c5638e093a0b4 Z = 0x006ea860d9c8518ce2de03a00a9d4c6648cd33cb665302c9e41163e9b6b7ededf892c9c85c63d7c2cc76e3c2f3cfe2fd8cd13314658f6f4da6198dd9fd99cd42de1b sect163r1 i = 0x647f8bc4fa3fa625b41456b91c899269ffe277bc r = 0xef8fa305ed836a8fdf206e6594f086f9762e6f69 KEi = 0x0000001e000600000300e772d9e512e971a512b9406edce999b50bee78b2 KEr = 0x0000001e00060000020115ed6148869f8be399230825b2207ee9e4949381 Z = 0x01d75dd0142db15a25b6f8024bab20ee78f90f409f sect163r2 i = 0x027e06da864be3862c261654c15ec5568e45eb7fb6 r = 0x03a7c88fa7363f8ff9ff1d2813027089bd96e07c48 KEi = 0x0000001e001700000302ed80fc3986c4a978b09c34dcbc376a7975b92276 KEr = 0x0000001e001700000201aed6520fb2468fb424dec3c31c4a1fc0e1cf702a Z = 0x07befaa40951cf0d1c972d4df6297d5c30b726cf98 sect163k1 i = 0x0137fb36360a457b6a23b29e11a4760a177881808a r = 0x010c489bbb3b602a7df626e9f0625294b1d795a032 KEi = 0x0000001e000700000305be095b0829318fa0e3e0096e31bfb829b8ee95ec KEr = 0x0000001e000700000205d9c945eb02dec3b7ad1bace077bf37753e3326b3 Z = 0x07b13e8c9452ab89113680725df13128c055c9d3ce sect233r1 i = 0x5b038de50df0f1f49a06c1fb46c45d5ac63e4541b99df19421c33b7902 r = 0x3b48a62665e29c5f78ff6b7714c1bb82ad210c8c29572eaccbdc3abbce Brown [Page 14]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 KEi = 0x00000027001900000301334d9878fa49d0dbbf5978f49e57aeaad93a1c3fbd7a17acc369dd68d1 KEr = 0x0000002700190000030158db2605ce543cc4220248bcce6cc055d8d4ee4ea1e49ef1b9dd823797 Z = 0x00b0dcfc6d66c3d1d987f8b075edc92763257bfcbaa7af34b8f6242d5d3c sect233k1 i = 0x4ea153c305784cf023a54756a99281e1a8105ab85bb638980d07de46a2 r = 0x424a89451d6cd439305e44f06fc574ec8268b626560a44ee85b624d589 KEi = 0x00000027001a000003014e271e22edf7df456f59b366b8462c5f6ef26bddfb67ed764a5b39e6dc KEr = 0x00000027001a000002014b5633f29fdf353ebb6375ddffec46f162f419d7962a8d04fdb93e38ee Z = 0x00f3ef4179b17ceb7e041581727d01cf3d7423ec249f44d353d1e2de7412 sect283r1 i = 0x0294203ab7551182dec6b777f4d1c65bdb75275217a356a7efad130355aa3f17aeb3852f r = 0x033149120a7d8d984f2c3346d9ec88962f5b05451d5ead843dd278dedf49bd8424009110 KEi = 0x0000002d000800000201959e200deaa62d055e1d4e141ed7dcdfde810570864431cc5a280a229418b8dfc4c186 KEr = 0x0000002d0008000003034237aff2fae31d2bed603ba7e0aa9cbefee1313bec6905f40e270cf448c36ec7d95981 Z = 0x066c0249c890ffeda0ce0fd3bd76a6506423f8685e649d035842bf25a388ec4edd207eff sect283k1 i = 0x0902492408f4d64e351eabe7b9da659f089a20a2d19f62b92499a3ebf24106374ab51b r = 0x0e2a59cb494b49784436e0532cf25ee444225ffd39139bba2e19d3bae482f651368716 KEi = 0x0000002d0009000002044e95ad563972553e8c29c89e4f57155c179938ec1b864487e287fe94a48ba59de2f44b KEr = 0x0000002d00090000030658a18c6946e19f17a1f8eb44b4610d0052c97cb522962738a58438a5ecc96deffd84b5 Z = 0x0194027ad85e4075d89247b2e3c3500debff0dce5ad63a02a07652dfb7da3b75afe11e88 sect409r1 i = 0x18624d825f61d687d6f7707ff35a23b329feea913ec45afe81d79e4a09b7d026e8da7fb40f972a53d6fa1e6f0de235c781254b r = 0xf73eec0f98ab794f0633f4ee84cca2f8dc1a1fdebe8503376418029c5cf14e34788d8ea32857128c67297413902e9dd7b8c730 KEi = 0x0000003d000a000002016f9e561b996d1d3ac2720e7cace86cc96d58c2518814ff92209638daee256e405590cbd7a05c2a4e24daec0bf005777e89eb49 KEr = 0x0000003d000a00000300ea451ad0be01cdeba8f3b7c1270810f8725f03e76768bd07cd78cbd7a1c4d354abba3615658ef81e397d99b6c261a77f7103f5 Brown [Page 15]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 Z = 0x00beb0ecd7886e0bc13dead143621dd17133dbdae112b0f9168ee853e259c5b026b4582f6ccb69cde62c7000fbb3545d2d89e25f sect409k1 i = 0x600b86e20b7a66d8af5cd1e3a22adbcf1f6e65563dd932af6589d0953b517a566f6230de70f368399c13533ecba3292490cbfb r = 0x77d677250e919500a410cbb02c6842d9c12fa8a8b57f539da192a025b92b4166e317b75764a4235854ed3dac477483de03e2f2 KEi = 0x0000003d000b00000300964b2b14557951de6ffea67eec4239a2660022a45b2659db5d924251c4005b0d4de347b6fde76fc43bce546d7cd4f977d5797a KEr = 0x0000003d000b000003016ecd20beea517ae36a40e330d8a56812559f5e5ffd16fa6716f953814d9bf37570d79b180687b5a385bfb9420f2550e4b6138e Z = 0x00a1f44a752e980f3db78ee562786949afa2e5867d8cc9cf078c8f54a7de9107af70fc876f5bd1e194c53e7a56043397ef2c8b50 sect571r1 i = 0xe422d8400d8e629990c7ca8b26b74a0d873d8d6d906f4af6e44c617663327773f0a1c5f0355ac9dcb2c4c0b6a13e38e18b35cda665a1e5134be36044d3d387789e01c2be6d0713 r = 0x01e58461bb4f5bbb737dfe617150968b2a9773e7f4425ac5a40a9ef4280f97d7a057b2df91b3ccf77beb2990596e998fd57b3c42a46e694faf1923a6b1899a706ce4b346424b1b7d KEi = 0x00000051000c00000302c17e8482e65e8eafd4ebe150bf93fd8797db78b7c36539724d6979c7b2b9428be38e0bbf94f643bd6647477a33e589cb491b1f2015f9bb5e5999153de52d8150e50ec557c720da KEr = 0x00000051000c000003030e89d2c1aa8a278e43b853066adf742fdd7491414d907a74c011371bdf64dc38502f2e18ae79ac7024005398959de999e25965294561024ff0b510855f27263dd0d1cff78cbeb3 Z = 0x0579791ff1725f09c70e7378278137c07dcb5c412b30f7ae681a868141404ea95d945f26d4d0da1ba38602915b67184e23288e4f3021b57802821d44948689871e68cfc282862cc5 sect571k1 i = 0x01fb96e0fb6f5c5703b258e032ee9cf3fc5eb27b37bfc797cf7954ef82e37cfa551e549208af3365882343cffc7fca72949b3346ff49cd3251a3a17200a0eef8b64bce70a5087cad r = 0x2b25d3d5fd86cb53a0fef2fb4ffc4e20f1ac33a147d69d4531676dfd8a92a6b9bf6c34379189eba87679bdee05e0f8a45790fb77e4fc47c7babe4170839a93beb58e214c1a8470 KEi = 0x00000051000d00000301e4dc1f82924ea99921babda3ee48792836ec1d033578e7a3d372f93601182b511589d2a84d9fab6e86d5ea8f00dddf5c8b1c22bbd9bc96b191da5bab247af9e666e6824ffe2b72 KEr = 0x00000051000d0000020496673c15e735aba12ea6a1413c4ea6e50eddec8f21b222df40925f483d85e779f48e3439f88118e325f6e3aa6e4ee285544079ed2ea4d8680b5d9c06ab232944e62e93e1cf8f9b Z = 0x066c0d8bcf8c17f27d7367bf0e8a9c2931fa258be3b7861a6c021a5bb52d214ab19235280e9c6b61bf72c20a8d64c26a9a4b9ff075fd3be6be03c33c56e6cf3ff7517e5b08dcbe65 4. Security Considerations Since this document proposes new groups for use within IKE and IKEv2, many of the security considerations contained within RFC 2409 apply here as well. Many of the groups proposed in this document offer higher strength than the groups in RFC 2409. This allows the IKE and IKEv2 to offer security comparable with the proposed AES algorithms. Brown [Page 16]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 In addition, since all the new groups are defined over GF[P] with P prime or GF[2^N] with N prime, they address the concerns expressed regarding the elliptic curve groups included in RFC 2409, which are curves defined over GF[2^N] with N composite. The work of Gaudry, Hess, and Smart [WEIL] reveal some of the weaknesses in such groups. 5. Intellectual Property Rights The IETF has been notified of intellectual property rights claimed in regard to the specification contained in this document. For more information, consult the online list of claimed rights (http://www.ietf.org/ipr.html). The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. 6. Acknowledgments To be added. 7. References [ECP-IKE] D. Fu, J. Solinas, ECP Groups for IKE and IKEv2, draft-ietf-ipsec-ike-ecp-groups-02.txt, work in progress. [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409, November 1998. [IKEv2] C. Kaufman, Editor, Internt Key Exchange (IKEv2) Protocol, draft-ietf-ipsec-ikev2-17.txt, work in progress. [IANA] Internet Assigned Numbers Authority. Attribute Assigned Numbers. (http://www.isi.edu/in-notes/iana/assignments/ipsec-registry) [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE 1363-2000, Standard for Public Key Cryptography. IEEE Microprocessor Standards Committee. August 2001. (http://grouper.ieee.org/groups/1363/index.html) Brown [Page 17]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 [KOB] N. Koblitz, CM curves with good cryptographic properties. Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992. [FIPS-186-2] U.S. Department of Commerce/National Institute of Standards and Technology. Digital Signature Standard (DSS), FIPS PUB 186-2, January 2000. (http://csrc.nist.gov/fips/fips186-2.pdf) [HOF] P. Hoffman and H. Orman, Determining strengths for public keys used for exchanging symmetric keys, Internet-draft. August 2000. [LEN] A. Lenstra and E. Verhuel, Selecting cryptographic key sizes. Available at: www.cryptosavvy.com. [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic Curve Discrete Logarithm Problems Using Weil Descent, Combinatorics and Optimization Research Report 2001-31, May 2001. Available at http://www.cacr.math.uwaterloo.ca/. [MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE), rfc3526.txt, May 2003. [SEC2] Standards for Efficient Cryptography Group. SEC 2 - Recommended Elliptic Curve Domain Parameters. Working Draft Ver. 1.0., 2000. (http://www.secg.org) [SOL] J. Solinas, An improved algorithm for arithmetic on a family of elliptic curves, Proceedings of Crypto '97, Pages 357-371, Springer-Verlag, 1997. [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and Destructive Facets of Weil Descent on Elliptic Curves, HP Labs Technical Report No. HPL-2000-10, 2000. (http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html) [X9.62] American National Standards Institute, ANS X9.62-2005: Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm. November 2005. [X9.63] American National Standards Institute. ANSI X9.63-2001, Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport using Elliptic Curve Cryptography. November 2001. 8. Author's Addresses Daniel R. L. Brown Certicom Corp. dbrown@certicom.com Brown [Page 18]

INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006 9. Full Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Brown [Page 19]