[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits] [IPR]

Versions: 00 01 02 03 04 05 06 07 08 09 10

IPSec Working Group                                D. Brown, Certicom
INTERNET-DRAFT                                       January 27, 2006
Expires: July 27, 2006

                Additional ECC Groups For IKE and IKEv2
               <draft-ietf-ipsec-ike-ecc-groups-08.txt>

                          Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 27, 2006.

                               Abstract

   This document describes new ECC groups for use in IKE [IKE] and
   IKEv2 [IKEv2] in addition to the Oakley groups included therein.
   These groups are defined to align IKE with other ECC
   implementations and standards, and in addition, many of them
   provide higher strength than the Oakley groups. It should be noted
   that this document is not self-contained.  It uses the notations
   and definitions of [IKE] and IKEv2 [IKEv2].















Brown                                                         [Page  1]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

                           Table of Contents

   1. Introduction ............................................... 2
   2. The Additional ECC Groups .................................. 3
   2.1 Sixth Group ............................................... 5
   2.2 Seventh Group ............................................. 6
   2.3 Eighth Group .............................................. 6
   2.4 Ninth Group ............................................... 7
   2.5 Tenth Group ............................................... 7
   2.6 Eleventh Group ............................................ 8
   2.7 Twelfth Group ............................................. 8
   2.8 Thirteenth Group .......................................... 9
   2.9 Twenty-Second Group ....................................... 9
   2.10 Twenty-Third Group ....................................... 10
   2.11 Twenty-Fourth Group ...................................... 11
   2.12 Twenty-Fifth Group........................................ 11
   2.13 Twenty-Sixth Group ....................................... 12
   3. Test vectors ............................................... 12
   4. Security Considerations .................................... 16
   5. Intellectual Property Rights ............................... 17
   6. Acknowledgments ............................................ 17
   7. References ................................................. 17
   8. Author's Address ........................................... 18

1.  Introduction

This document describes groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE], [IKEv2], and [MODP-IKE].  The document assumes that the reader
is familiar with the IKE protocol and the concept of Oakley Groups, as
defined in RFC 2409 [IKE] and IKEv2 [IKEv2].  The ECC groups given
here are among the fifteen groups that NIST recommends in FIPS 186-2
[FIPS-186-2].

RFC2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N].  One
modular exponentiation group (768 bits - Oakley Group 1) is mandatory
for all implementations to support, while the other four are optional.
Both elliptic curve groups (Oakley Groups 3 and 4) are defined over
GF[2^N] with N composite.

The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes
several additional groups that can be used with IKE and IKEv2.

The Internet-Draft "ECP Groups For IKE and IKEv2" [ECP-IKE] describes
three elliptic curve groups recommended by NIST.  This document
describes the remaining twelve.





Brown                                                         [Page  2]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

The reasons for supporting these twelve ellipitc curve groups are are
for bettern alignment with other standards, such as [FIPS 186-2],
[X9.62], [X9.63], and [SEC-2].  Some of these groups also afford
efficiency advantages in hardware applications since the underlying
arithmetic is binary field arithmetic.  The groups proposed are
capable of providing security consistent with both the new Advanced
Encryption Standard and with Triple DES.

These groups could also be defined with the New Group Mode but
including them in this document will encourage interoperability of IKE
and IKEv2 implementations based on elliptic curve groups.

2.  The Additional Elliptic Curve Groups

The groups given in this document are capable of providing security
consistent with AES keys of 128, 192, and 256 bits, and also with TDES
keys of lengths 168 and 112 bits, whose corresponding strengths of 112
and 80 bits, respectively.  The following table, based on tables from
[HOF] and [LEN], gives approximate comparable key sizes for symmetric
systems, ECC systems, and DH/DSA/RSA systems.  The estimates are based
on the running times of the best algorithms known today.

                  Strength   |  ECC2N/ECP |  DH/DSA/RSA
                   80        |  163/192   |  1024
                  112        |  233/224   |  2048
                  128        |  283/256   |  3072
                  192        |  409/384   |  7680
                  256        |  571/521   |  15360

                  Table 1: Comparable key sizes

Thus, for example, when securing a 192-bit symmetric key, it is
prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA.  Of course
it is possible to use shorter asymmetric keys, but it should be
recognized in this case that the security of the system is likely
dependent on the strength of the public-key algorithm and claims such
as "this system is highly secure because it uses 192-bit encryption"
are misleading.

The fifteen groups proposed in this document use elliptic curves over
GF[2^N] with N prime or over GF[P] with P prime.  This addresses
concerns expressed by many experts regarding curves defined over
GF[2^N] with N composite -- concerns highlighted by the recent attacks
on such curves due to Gaudry, Hess, and Smart [WEIL] and due to
Jacobson, Menezes and Stein [JMS].







Brown                                                         [Page  3]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

Seven of the groups proposed here have been assigned identifiers by
IANA [IANA] and the remaining eight might latter be assigned
identifiers by IANA.  A brief summary of the IANA identified groups
for IKE as follows.  Groups with IANA numbers 1 through 4 are
identified in [IKE].  The group with IANA number 5 is identifed in
[MODP-IKE].  The group with IANA number 6, [X9.62] and [SEC 2], with
object identifer sect163r1, but it is not one of the fifteen curves
that NIST recommends [FIPS-186-2].  Nevertheless, it is included here
for backwards interoperability with existing implementations.  The
seven groups with IANA numbers numbers between 7 and 13 have also been
identified in [ECP-IKE] and are included here. Three NIST groups have
proposed numbers 19, 20 and 21 in [ECP-IKE].  The remaining five NIST
groups are suggested and anticipate to be assigned IANA numbers 22 to
26.

The groups recommended for IKE and IKEv2 in this document are the ECC
groups that NIST recommends [FIPS-186-2].  These fifteen ECC groups
are given in the following table.

IANA  Group Type  Group Description  NIST Name  SEC 2 OID
----  ----------  -----------------  ---------  ---------

  22   2 ECP      ECPRGF192Random     P-192     secp192r1
  23   3 EC2N     EC2NGF163Random     B-163     sect163r2
   7   3 EC2N     EC2NGF163Koblitz    K-163     sect163k1
   6   3 EC2N     EC2NGF163Random2    none      sect163r1

  24   2 ECP      ECPRGF224Random     P-224     secp224r1
  25   3 EC2N     EC2NGF233Random     B-233     sect233r1
  26   3 EC2N     EC2NGF233Koblitz    K-233     sect233k1

  19   2 ECP      ECPRGF256Random     P-256     secp256r1
   8   3 EC2N     EC2NGF283Random     B-283     sect283r1
   9   3 EC2N     EC2NGF283Koblitz    K-283     sect283k1

  20   2 ECP      ECPRGF384Random     P-384     secp384r1
  10   3 EC2N     EC2NGF409Random     B-409     sect409r1
  11   3 EC2N     EC2NGF409Koblitz    K-409     sect409k1

  21   2 ECP      ECPRGF521Random     P-521     secp521r1
  12   3 EC2N     EC2NGF571Random     B-571     sect571r1
  13   3 EC2N     EC2NGF571Koblitz    K-571     sect571k1

Three curves are defined at each strength - two curves chosen
verifiably at random (as defined in ANSI [X9.62]), one over a binary
field and another over a prime field, and a Koblitz curve over a
binary field that, which enables especially efficient implementations
due to the special structure of the curve [KOB] and [SOL].




Brown                                                         [Page  4]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

For elliptic curve groups, the data in the KE payload when using this
group is the octet string representation specified in ANSI X9.62, ANSI
X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by
taking the randomly chosen secret Ka and computing Ka*G, where * is
the repetition of the group addition.

If the initiator chooses secret i and the responder chooses secret r,
then the KEi is i*G and KEr is r*G.  The raw shared secret is the
x-coordinate (only) of (ir)*G.

2.1 Sixth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 6 (six). The
curve is based on the Galois Field GF[2^163]. The field size is
163. The irreducible polynomial used to represent the field is:

           u^163 + u^7 + u^6 + u^3 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + ax^2 + b.

Group Curve a:

  0x07b6882caaefa84f9554ff8428bd88e246d2782ae2

Group Curve b:

  0x0713612dcddcb40aab946bda29ca91f73af958afd9

Group Generator G:

  0x030369979697ab43897789566789567f787a7876a654

The order of the generator G defined above is the prime:

  0x03ffffffffffffffffffff48aab689c29ca710279b

The curve order is twice this prime.

The group was chosen verifiably at random using SHA-1 as specified in
[X9.62] from the seed:

  0x24b7b137c8a14d696e6768756151756fd0da2e5c

However, for historical reasons, the method to generate the group from
the seed differs slightly from the method described in
[X9.62]. Specifically the coefficient Group Curve b produced from the
seed is the reverse of the coefficient that would have been produced
by the method described in [X9.62].

Brown                                                         [Page  5]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

2.2 Seventh Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 7 (seven). The
curve is based on the Galois Field GF[2^163]. The field size is
163. The irreducible polynomial used to represent the field is:

           u^163 + u^7 + u^6 + u^3 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + x^2 + 1.

Group Generator G:

  0x0302fe13c0537bbc11acaa07d793de4e6d5e5c94eee8

The order of the generator G is the prime:

  0x04000000000000000000020108a2e0cc0d99f8a5ef

The curve order is twice this prime.

2.3 Eighth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 8 (eight). The
curve is based on the Galois Field GF[2^283]. The field size is
283. The irreducible polynomial used to represent the field is:

           u^283 + u^12 + u^7 + u^5 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + x^2 + b.

Group Curve b:

  0x027b680ac8b8596da5a4af8a19a0303fca97fd7645309fa2a581485af6263e313b79a2f5

Group Generator G:

  0x0305f939258db7dd90e1934f8c70b0dfec2eed25b8557eac9c80e2e198f8cdbecd86b12053

The order of the generator G is the prime:

  0x03ffffffffffffffffffffffffffffffffffef90399660fc938a90165b042a7cefadb307

The curve order is twice this prime.



Brown                                                         [Page  6]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:

  0x77e2b07370eb0f832a6dd5b62dfc88cd06bb84be

2.4 Ninth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 9 (nine). The
curve is based on the Galois Field GF[2^283]. The field size is
283. The irreducible polynomial used to represent the field is:

           u^283 + u^12 + u^7 + u^5 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + 1.

Group Generator G:

  0x020503213f78ca44883f1a3b8162f188e553cd265f23c1567a16876913b0c2ac2458492836

The order of the generator G is the prime:

  0x01ffffffffffffffffffffffffffffffffffe9ae2ed07577265dff7f94451e061e163c61

The curve order is four times this prime.

2.5 Tenth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 10 (ten). The
curve is based on the Galois Field GF[2^409]. The field size is
409. The irreducible polynomial used to represent the field is:

           u^409 + u^87 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + x^2 + b.

Group Curve b:

  0x021a5c2c8ee9feb5c4b9a753b7b476b7fd6422ef1f3dd674761fa99d6ac27c8a9a197b272822f6cd57a55aa4f50ae317b13545f

Group Generator G:

  0x03015d4860d088ddb3496b0c6064756260441cde4af1771d4db01ffe5b34e59703dc255a868a1180515603aeab60794e54bb7996a7

The order of the generator G is the prime:


Brown                                                         [Page  7]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

  0x10000000000000000000000000000000000000000000000000001e2aad6a612f33307be5fa47c3c9e052f838164cd37d9a21173

The curve order is twice this prime.

The curve was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:

  0x4099b5a457f9d69f79213d094c4bcd4d4262210b

2.6 Eleventh Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 11 (eleven). The
curve is based on the Galois Field GF[2^409]. The field size is
409. The irreducible polynomial used to represent the field is:

           u^409 + u^87 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + 1.

Group Generator G:

  0x030060f05f658f49c1ad3ab1890f7184210efd0987e307c84c27accfb8f9f67cc2c460189eb5aaaa62ee222eb1b35540cfe9023746

The order of the generator G is the prime:

  0x7ffffffffffffffffffffffffffffffffffffffffffffffffffe5f83b2d4ea20400ec4557d5ed3e3e7ca5b4b5c83b8e01e5fcf

The curve order is four times this prime.

2.7 Twelfth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 12 (twelve). The
curve is based on the Galois Field GF[2^571]. The field size is
571. The irreducible polynomial used to represent the field is:

           u^571 + u^10 + u^5 + u^2 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + x^2 + b.

Group Curve b:

  0x2f40e7e2221f295de297117b7f3d62f5c6a97ffcb8ceff1cd6ba8ce4a9a18ad84ffabbd8efa59332be7ad6756a66e294afd185a78ff12aa520e4de739baca0c7ffeff7f2955727a

Group Generator G:


Brown                                                         [Page  8]
INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

  0x030303001d34b856296c16c0d40d3cd7750a93d1d2955fa80aa5f40fc8db7b2abdbde53950f4c0d293cdd711a35b67fb1499ae60038614f1394abfa3b4c850d927e1e7769c8eec2d19

The order of the generator G is the prime:

  0x3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe661ce18ff55987308059b186823851ec7dd9ca1161de93d5174d66e8382e9bb2fe84e47

The curve order is twice this prime.

The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:

  0x2aa058f73a0e33ab486b0f610410c53a7f132310

2.8 Thirteenth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 13
(thirteen). The curve is based on the Galois Field GF[2^571]. The
field size is 571. The irreducible polynomial used to represent the
field is:

           u^571 + u^10 + u^5 + u^2 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + 1.

Group Generator G:

  0x02026eb7a859923fbc82189631f8103fe4ac9ca2970012d5d46024804801841ca44370958493b205e647da304db4ceb08cbbd1ba39494776fb988b47174dca88c7e2945283a01c8972

The order of the generator G is the prime:

  0x20000000000000000000000000000000000000000000000000000000000000000000000131850e1f19a63e4b391a8db917f4138b630d84be5d639381e91deb45cfe778f637c1001

The group order is four times this prime.

2.9 Twenty-Second Group

IKE and IKEv2 implementations SHOULD support an ECP group with the
following characteristics.  This group is assigned id 22 (twenty-two).
The curve is based on the integers modulo the generalized Mersenne
prime p given by

                  p = 2^192 - 2^64 - 1.

The equation for the elliptic curve is:

                  y^2 = x^3 - 3 x + b.

Group Curve b:

Brown                                                         [Page  9]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1

Group Generator G:

 0x03188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012

The order of the generator G is the prime:

 0xffffffffffffffffffffffff99def836146bc9b1b4d22831

The group was chosen verifiably at random using SHA-1 as specified in
[X9.62] from the seed:

 0x3045ae6fc8422f64ed579528d38120eae12196d5

2.10 Twenty-Third Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 23
(twenty-three). The curve is based on the Galois Field GF[2^163]. The
field size is 163. The irreducible polynomial used to represent the
field is:

           u^163 + u^7 + u^6 + u^3 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + x^2 + b.

Group Curve b:

  0x020a601907b8c953ca1481eb10512f78744a3205fd

Group Generator G:

  0x0303f0eba16286a2d57ea0991168d4994637e8343e36

The order of the generaotr G above is the prime:

  0x040000000000000000000292fe77e70c12a4234c33

The curve order is twice this prime.

The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:

  0x85e25bfe5c86226cdb12016f7553f9d0e693a268





Brown                                                         [Page 10]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

2.11 Twenty-Fourth Group

IKE and IKEv2 implementations SHOULD support an ECP group with the
following characteristics.  This group is assigned id 24
(twenty-four).  The curve is based on the integers modulo the
generalized Mersenne prime p given by

                  p = 2^224 - 2^96 + 1.

The equation for the elliptic curve is:

                  y^2 = x^3 - 3 x + b.

Group Curve b:

 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4

Group Generator G:

 0x02b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21

The order of the generator G is the prime:

 0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d

The group was chosen verifiably at random using SHA-1 as specified in
[X9.62] from the seed:

 0xbd71344799d5c7fcdc45b59fa3b9ab8f6a948bc5

2.12 Twenty-Fifth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 25
(twenty-five). The curve is based on the Galois Field GF[2^233]. The
field size is 233. The irreducible polynomial used to represent the
field is:

           u^233 + u^74 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + x^2 + b.

Group Curve b:

  0x0066647ede6c332c7f8c0923bb58213b333b20e9ce4281fe115f7d8f90ad

Group Generator G:

  0x0300fac9dfcbac8313bb2139f1bb755fef65bc391f8b36f8f8eb7371fd558b

Brown                                                         [Page 11]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

The order of the generator G above is the prime:

  0x01000000000000000000000000000013e974e72f8a6922031d2603cfe0d7

The curve order is twice this prime.

The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:

  0x74d59ff07f6b413d0ea14b344b20a2db049b50c3

2.13 Twenty-Sixth Group

IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 26
(twenty-six). The curve is based on the Galois Field GF[2^233]. The
field size is 233. The irreducible polynomial used to represent the
field is:

           u^233 + u^74 + 1.

The equation for the elliptic curve is:

           y^2 + xy = x^3 + 1.

Group Generator G:

  0x02017232ba853a7e731af129f22ff4149563a419c26bf50a4c9d6eefad6126

The order of the generator G is the prime:

  0x8000000000000000000000000000069d5bb915bcd46efb1ad5f173abdf

The curve order is four times this prime.

3. Test Vectors

What follows is a set of test vectors, in the form:

<SEC 2 name for elliptic curve group>

i = <initiator secret value>

r = <responder secret value>

KEi = <initiator key exchange payload>

KEr = <responder key exchange payload>

Z = <raw shared secret>


Brown                                                         [Page 12]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

Here are the test vectors:

secp192r1

i = 0x7092e5fd43a17f6a3375325989284eba093564e1944e176d

r = 0xd6185566ec0b1f52cc56276560907cb1a8683d8449b882ce

KEi = 0x00000021001600003841c988076d857fdda4ccf3bae5cf5f521336a650fdc7dc4

KEr = 0x000000210016000003445a52f30ce615c53e1175c04db6f0bb7a03d3096e2c209e

Z = 0xcac49383d8bf6b5fd8e5d5b769c0a91f68f9b5d091b831d8

secp224r1

i = 0x626167f5e43652607a9cc40035c6dca7256fa3721a68baf4e40f86e1

r = 0x38524a05e71d023361bfdb290b69d15b7d8390aa5ac837a0c82d9f63

KEi = 0x000000250018000029167b2a96e1cbde468976e364d4d3110c8f58f579c44a0be3c98a1a8

KEr = 0x000000250018000002dc7765dea1a085f3f077f138854fe0850ca89c2e32d0377bde245815

Z = 0x7b1bf04233c15681ba5302221a2ce34b18a92dbbb37cc0a772a91516

secp256r1

i = 0x9d3ae8148192a83f20530cb25edb11e8b7ea13583a70ca345b0f571b91317abe

r = 0x922d3e7c675bb9b4d9613ff21793991b3623844f072e53d28a6baff89cf85ab4

KEi = 0x00000029001300003084cc47b198b640da01bc10dfcfa034db89dbb072ea0ae9cd6eac60900ffc492

KEr = 0x000000290013000002b9528b7eb564634315ebe2f1e3e4fabd671d8e6f487b6ee35796a6a6daaed1f7

Z = 0x52c8f824e13b40651b0ec4ad8dbdb116b15aebc48fbc0360d84ff8cdc3c73e6c

secp384r1

i = 0x52d3051d6675ed1e52a4e9224fb2ad9a910358bb9a72ddf7d96a2383bad90ef815f83a94edfe52a01193f843d29f1958

r = 0xf13ba4709dee2f4532b251bfb3b1b87b1adac356299e4ea9472356aca6ddad290b00f2214740f693c6a03c2dc52bd419

KEi = 0x000000390014000032991ae8b27d7080db619140023dc7241cdbcd8130de451f9268c420674b8169973f89be2f3d9f3082cb049511457db35

KEr = 0x00000039001400000270a447c2e24022c3a52f95634a17052a02831cca790e6f0c1feff9515a38cfd7c487abd9e19e8f4ef49b8a4b268b1a0f

Z = 0xf3cde42e0e9dd28982294ac1af62cbd1429f289911b3e0535a81ebb513a2903bc53f0ecd5c5110835e5a4a903629b0c5

secp521r1

Brown                                                         [Page 13]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

i = 0xea78946abd68bb79a55f8f9993cf5389fbb0a10d3b58062429c6322a987c957f8854a5a4ec636d702a7b07537341f6319cc6d03c447da5e9f59d28460caa98dbeb

r = 0xe68807bbdc90cca27848c6bc38426ddf5b19c09d144d041706bc9ed1afade9e81585faf9e173f340001016ef82ea5b4a8b785fee0c403a6e39228df62a337e479c

KEi = 0x0000004b00150000300584c2476258dd61c098761710976c4b50fc4c47177f42562f2d575bf933c7699122bc37c77da0a7079e0a4c2d1318d33764241e4c562c7ff7bad5cf0ce1edddfa0

KEr = 0x0000004b0015000002011483326d756d8600c5d8c6a0bc60c80297c37e3368f45bbcf4d5db78ad4b1b1d8584b019416f92e8e65f5fe370fb35558a61327903042ae798095c5638e093a0b4

Z = 0x006ea860d9c8518ce2de03a00a9d4c6648cd33cb665302c9e41163e9b6b7ededf892c9c85c63d7c2cc76e3c2f3cfe2fd8cd13314658f6f4da6198dd9fd99cd42de1b

sect163r1

i = 0x647f8bc4fa3fa625b41456b91c899269ffe277bc

r = 0xef8fa305ed836a8fdf206e6594f086f9762e6f69

KEi = 0x0000001e000600000300e772d9e512e971a512b9406edce999b50bee78b2

KEr = 0x0000001e00060000020115ed6148869f8be399230825b2207ee9e4949381

Z = 0x01d75dd0142db15a25b6f8024bab20ee78f90f409f

sect163r2

i = 0x027e06da864be3862c261654c15ec5568e45eb7fb6

r = 0x03a7c88fa7363f8ff9ff1d2813027089bd96e07c48

KEi = 0x0000001e001700000302ed80fc3986c4a978b09c34dcbc376a7975b92276

KEr = 0x0000001e001700000201aed6520fb2468fb424dec3c31c4a1fc0e1cf702a

Z = 0x07befaa40951cf0d1c972d4df6297d5c30b726cf98

sect163k1

i = 0x0137fb36360a457b6a23b29e11a4760a177881808a

r = 0x010c489bbb3b602a7df626e9f0625294b1d795a032

KEi = 0x0000001e000700000305be095b0829318fa0e3e0096e31bfb829b8ee95ec

KEr = 0x0000001e000700000205d9c945eb02dec3b7ad1bace077bf37753e3326b3

Z = 0x07b13e8c9452ab89113680725df13128c055c9d3ce

sect233r1

i = 0x5b038de50df0f1f49a06c1fb46c45d5ac63e4541b99df19421c33b7902

r = 0x3b48a62665e29c5f78ff6b7714c1bb82ad210c8c29572eaccbdc3abbce

Brown                                                         [Page 14]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

KEi = 0x00000027001900000301334d9878fa49d0dbbf5978f49e57aeaad93a1c3fbd7a17acc369dd68d1

KEr = 0x0000002700190000030158db2605ce543cc4220248bcce6cc055d8d4ee4ea1e49ef1b9dd823797

Z = 0x00b0dcfc6d66c3d1d987f8b075edc92763257bfcbaa7af34b8f6242d5d3c

sect233k1

i = 0x4ea153c305784cf023a54756a99281e1a8105ab85bb638980d07de46a2

r = 0x424a89451d6cd439305e44f06fc574ec8268b626560a44ee85b624d589

KEi = 0x00000027001a000003014e271e22edf7df456f59b366b8462c5f6ef26bddfb67ed764a5b39e6dc

KEr = 0x00000027001a000002014b5633f29fdf353ebb6375ddffec46f162f419d7962a8d04fdb93e38ee

Z = 0x00f3ef4179b17ceb7e041581727d01cf3d7423ec249f44d353d1e2de7412

sect283r1

i = 0x0294203ab7551182dec6b777f4d1c65bdb75275217a356a7efad130355aa3f17aeb3852f

r = 0x033149120a7d8d984f2c3346d9ec88962f5b05451d5ead843dd278dedf49bd8424009110

KEi = 0x0000002d000800000201959e200deaa62d055e1d4e141ed7dcdfde810570864431cc5a280a229418b8dfc4c186

KEr = 0x0000002d0008000003034237aff2fae31d2bed603ba7e0aa9cbefee1313bec6905f40e270cf448c36ec7d95981

Z = 0x066c0249c890ffeda0ce0fd3bd76a6506423f8685e649d035842bf25a388ec4edd207eff

sect283k1

i = 0x0902492408f4d64e351eabe7b9da659f089a20a2d19f62b92499a3ebf24106374ab51b

r = 0x0e2a59cb494b49784436e0532cf25ee444225ffd39139bba2e19d3bae482f651368716

KEi = 0x0000002d0009000002044e95ad563972553e8c29c89e4f57155c179938ec1b864487e287fe94a48ba59de2f44b

KEr = 0x0000002d00090000030658a18c6946e19f17a1f8eb44b4610d0052c97cb522962738a58438a5ecc96deffd84b5

Z = 0x0194027ad85e4075d89247b2e3c3500debff0dce5ad63a02a07652dfb7da3b75afe11e88

sect409r1

i = 0x18624d825f61d687d6f7707ff35a23b329feea913ec45afe81d79e4a09b7d026e8da7fb40f972a53d6fa1e6f0de235c781254b

r = 0xf73eec0f98ab794f0633f4ee84cca2f8dc1a1fdebe8503376418029c5cf14e34788d8ea32857128c67297413902e9dd7b8c730

KEi = 0x0000003d000a000002016f9e561b996d1d3ac2720e7cace86cc96d58c2518814ff92209638daee256e405590cbd7a05c2a4e24daec0bf005777e89eb49

KEr = 0x0000003d000a00000300ea451ad0be01cdeba8f3b7c1270810f8725f03e76768bd07cd78cbd7a1c4d354abba3615658ef81e397d99b6c261a77f7103f5

Brown                                                         [Page 15]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

Z = 0x00beb0ecd7886e0bc13dead143621dd17133dbdae112b0f9168ee853e259c5b026b4582f6ccb69cde62c7000fbb3545d2d89e25f

sect409k1

i = 0x600b86e20b7a66d8af5cd1e3a22adbcf1f6e65563dd932af6589d0953b517a566f6230de70f368399c13533ecba3292490cbfb

r = 0x77d677250e919500a410cbb02c6842d9c12fa8a8b57f539da192a025b92b4166e317b75764a4235854ed3dac477483de03e2f2

KEi = 0x0000003d000b00000300964b2b14557951de6ffea67eec4239a2660022a45b2659db5d924251c4005b0d4de347b6fde76fc43bce546d7cd4f977d5797a

KEr = 0x0000003d000b000003016ecd20beea517ae36a40e330d8a56812559f5e5ffd16fa6716f953814d9bf37570d79b180687b5a385bfb9420f2550e4b6138e

Z = 0x00a1f44a752e980f3db78ee562786949afa2e5867d8cc9cf078c8f54a7de9107af70fc876f5bd1e194c53e7a56043397ef2c8b50

sect571r1

i = 0xe422d8400d8e629990c7ca8b26b74a0d873d8d6d906f4af6e44c617663327773f0a1c5f0355ac9dcb2c4c0b6a13e38e18b35cda665a1e5134be36044d3d387789e01c2be6d0713

r = 0x01e58461bb4f5bbb737dfe617150968b2a9773e7f4425ac5a40a9ef4280f97d7a057b2df91b3ccf77beb2990596e998fd57b3c42a46e694faf1923a6b1899a706ce4b346424b1b7d

KEi = 0x00000051000c00000302c17e8482e65e8eafd4ebe150bf93fd8797db78b7c36539724d6979c7b2b9428be38e0bbf94f643bd6647477a33e589cb491b1f2015f9bb5e5999153de52d8150e50ec557c720da

KEr = 0x00000051000c000003030e89d2c1aa8a278e43b853066adf742fdd7491414d907a74c011371bdf64dc38502f2e18ae79ac7024005398959de999e25965294561024ff0b510855f27263dd0d1cff78cbeb3

Z = 0x0579791ff1725f09c70e7378278137c07dcb5c412b30f7ae681a868141404ea95d945f26d4d0da1ba38602915b67184e23288e4f3021b57802821d44948689871e68cfc282862cc5

sect571k1

i = 0x01fb96e0fb6f5c5703b258e032ee9cf3fc5eb27b37bfc797cf7954ef82e37cfa551e549208af3365882343cffc7fca72949b3346ff49cd3251a3a17200a0eef8b64bce70a5087cad

r = 0x2b25d3d5fd86cb53a0fef2fb4ffc4e20f1ac33a147d69d4531676dfd8a92a6b9bf6c34379189eba87679bdee05e0f8a45790fb77e4fc47c7babe4170839a93beb58e214c1a8470

KEi = 0x00000051000d00000301e4dc1f82924ea99921babda3ee48792836ec1d033578e7a3d372f93601182b511589d2a84d9fab6e86d5ea8f00dddf5c8b1c22bbd9bc96b191da5bab247af9e666e6824ffe2b72

KEr = 0x00000051000d0000020496673c15e735aba12ea6a1413c4ea6e50eddec8f21b222df40925f483d85e779f48e3439f88118e325f6e3aa6e4ee285544079ed2ea4d8680b5d9c06ab232944e62e93e1cf8f9b

Z = 0x066c0d8bcf8c17f27d7367bf0e8a9c2931fa258be3b7861a6c021a5bb52d214ab19235280e9c6b61bf72c20a8d64c26a9a4b9ff075fd3be6be03c33c56e6cf3ff7517e5b08dcbe65

4. Security Considerations

Since this document proposes new groups for use within IKE and IKEv2,
many of the security considerations contained within RFC 2409 apply
here as well.

Many of the groups proposed in this document offer higher strength
than the groups in RFC 2409.  This allows the IKE and IKEv2 to offer
security comparable with the proposed AES algorithms.





Brown                                                         [Page 16]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

In addition, since all the new groups are defined over GF[P] with P
prime or GF[2^N] with N prime, they address the concerns expressed
regarding the elliptic curve groups included in RFC 2409, which are
curves defined over GF[2^N] with N composite.  The work of Gaudry,
Hess, and Smart [WEIL] reveal some of the weaknesses in such groups.

5. Intellectual Property Rights

The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document.
For more information, consult the online list of claimed rights
(http://www.ietf.org/ipr.html).

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights.  Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.  Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.

6. Acknowledgments

To be added.

7. References

  [ECP-IKE] D. Fu, J. Solinas, ECP Groups for IKE and IKEv2,
     draft-ietf-ipsec-ike-ecp-groups-02.txt, work in progress.

  [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC
     2409, November 1998.

  [IKEv2] C. Kaufman, Editor, Internt Key Exchange (IKEv2) Protocol,
     draft-ietf-ipsec-ikev2-17.txt, work in progress.

  [IANA] Internet Assigned Numbers Authority. Attribute Assigned
     Numbers.
     (http://www.isi.edu/in-notes/iana/assignments/ipsec-registry)

  [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE
     1363-2000, Standard for Public Key Cryptography. IEEE
     Microprocessor Standards Committee. August 2001.
     (http://grouper.ieee.org/groups/1363/index.html)


Brown                                                         [Page 17]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

  [KOB] N. Koblitz, CM curves with good cryptographic properties.
     Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992.

  [FIPS-186-2] U.S. Department of Commerce/National Institute of
     Standards and Technology. Digital Signature Standard (DSS), FIPS
     PUB 186-2, January 2000.
     (http://csrc.nist.gov/fips/fips186-2.pdf)

  [HOF] P. Hoffman and H. Orman, Determining strengths for public keys
     used for exchanging symmetric keys, Internet-draft. August 2000.

  [LEN] A. Lenstra and E. Verhuel, Selecting cryptographic key sizes.
     Available at: www.cryptosavvy.com.

  [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic
     Curve Discrete Logarithm Problems Using Weil Descent,
     Combinatorics and Optimization Research Report 2001-31, May 2001.
     Available at http://www.cacr.math.uwaterloo.ca/.

  [MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
     Diffie-Hellman groups for Internet Key Exchange (IKE),
     rfc3526.txt, May 2003.

  [SEC2] Standards for Efficient Cryptography Group. SEC 2 -
     Recommended Elliptic Curve Domain Parameters. Working Draft
     Ver. 1.0., 2000.  (http://www.secg.org)

  [SOL] J. Solinas, An improved algorithm for arithmetic on a family
     of elliptic curves, Proceedings of Crypto '97, Pages 357-371,
     Springer-Verlag, 1997.

  [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and
     Destructive Facets of Weil Descent on Elliptic Curves, HP Labs
     Technical Report No. HPL-2000-10, 2000.
     (http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html)

  [X9.62] American National Standards Institute, ANS X9.62-2005:
     Public Key Cryptography for the Financial Services Industry: The
     Elliptic Curve Digital Signature Algorithm.  November 2005.

  [X9.63] American National Standards Institute. ANSI X9.63-2001,
     Public Key Cryptography for the Financial Services Industry: Key
     Agreement and Key Transport using Elliptic Curve Cryptography.
     November 2001.

8. Author's Addresses

  Daniel R. L. Brown
  Certicom Corp.
  dbrown@certicom.com


Brown                                                         [Page 18]

INTERNET-DRAFT   Additional ECC Groups for IKE and IKEv2   January 2006

9. Full Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is
   subject to the rights, licenses and restrictions contained in BCP
   78, and except as set forth therein, the authors retain all their
   rights.

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
   THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
   ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
   PARTICULAR PURPOSE.





































Brown                                                         [Page 19]


Html markup produced by rfcmarkup 1.108, available from http://tools.ietf.org/tools/rfcmarkup/