[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04 05 06 RFC 6954

Network Working Group                                          J. Merkle
Internet-Draft                                 secunet Security Networks
Intended status: Informational                                M. Lochter
Expires: February 28, 2013              Bundesamt fuer Sicherheit in der
                                               Informationstechnik (BSI)
                                                         August 27, 2012


         Using the ECC Brainpool Curves for IKEv2 Key Exchange
                   draft-merkle-ikev2-ke-brainpool-00

Abstract

   This document specifies the use of the ECC Brainpool elliptic curve
   groups for key exchange in the Internet Key Exchange version 2
   (IKEv2) protocol.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 28, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Merkle & Lochter        Expires February 28, 2013               [Page 1]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  IKEv2 Key Exchange using the ECC Brainpool Curves  . . . . . .  4
     2.1.  Diffie-Hellman Group Transform IDs . . . . . . . . . . . .  4
     2.2.  Key Exchange Payload and Shared Secret . . . . . . . . . .  5
   3.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
   4.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  8
   5.  Intellectual Property Rights . . . . . . . . . . . . . . . . .  9
   6.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     6.1.  Normative References . . . . . . . . . . . . . . . . . . . 10
     6.2.  Informative References . . . . . . . . . . . . . . . . . . 10
   Appendix A.  Test Vectors  . . . . . . . . . . . . . . . . . . . . 12
     A.1.  160 Bit Curves . . . . . . . . . . . . . . . . . . . . . . 12
     A.2.  192 Bit Curves . . . . . . . . . . . . . . . . . . . . . . 13
     A.3.  224 Bit Curves . . . . . . . . . . . . . . . . . . . . . . 14
     A.4.  256 Bit Curves . . . . . . . . . . . . . . . . . . . . . . 15
     A.5.  320 Bit Curves . . . . . . . . . . . . . . . . . . . . . . 16
     A.6.  384 Bit Curves . . . . . . . . . . . . . . . . . . . . . . 17
     A.7.  512 Bit Curves . . . . . . . . . . . . . . . . . . . . . . 18































Merkle & Lochter        Expires February 28, 2013               [Page 2]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


1.  Introduction

   In RFC 5639 [RFC5639], a new set of elliptic curve groups over finite
   prime fields for use in cryptographic applications was specified.
   These groups, denoted as Brainpool curves, were generated in a
   verifiably pseudo-random way and comply with the security
   requirements of relevant standards from ISO [ISO1] [ISO2], ANSI
   [ANSI1], NIST [FIPS], and SecG [SEC2].

   While the ASN.1 object identifiers defined in RFC 5639 allow usage of
   the ECC Brainpool curves in certificates and certificate revocation
   lists, their utilization for key exchange in IKEv2 [RFC4306] requires
   the definition and assignment of additional transform IDs in the
   respective IANA registry.  Furthermore, the encoding of the key
   exchange payload and derivation of the shared secret are defined,
   because previous RFCs specified this encoding only for the curves
   proposed therein.


































Merkle & Lochter        Expires February 28, 2013               [Page 3]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


2.  IKEv2 Key Exchange using the ECC Brainpool Curves

2.1.  Diffie-Hellman Group Transform IDs

   In order to use the Brainpool curves for key exchange within IKEv2,
   the Diffie-Hellman Group Transform IDs (Transform Type 4) listed in
   the following table are to be registered with IANA [IANA-IKE2].  The
   parameters associated with these curves are defined in RFC 5639
   [RFC5639].

                    +-----------------+--------------+
                    |      Curve      | Transform ID |
                    +-----------------+--------------+
                    | brainpoolP160r1 |     TBD1     |
                    |                 |              |
                    | brainpoolP160t1 |     TBD2     |
                    |                 |              |
                    | brainpoolP192r1 |     TBD3     |
                    |                 |              |
                    | brainpoolP192t1 |     TBD4     |
                    |                 |              |
                    | brainpoolP224r1 |     TBD5     |
                    |                 |              |
                    | brainpoolP224t1 |     TBD6     |
                    |                 |              |
                    | brainpoolP256r1 |     TBD7     |
                    |                 |              |
                    | brainpoolP256t1 |     TBD8     |
                    |                 |              |
                    | brainpoolP320r1 |     TBD9     |
                    |                 |              |
                    | brainpoolP320t1 |     TBD10    |
                    |                 |              |
                    | brainpoolP384r1 |     TBD11    |
                    |                 |              |
                    | brainpoolP384t1 |     TBD12    |
                    |                 |              |
                    | brainpoolP512r1 |     TBD13    |
                    |                 |              |
                    | brainpoolP512t1 |     TBD14    |
                    +-----------------+--------------+

                                  Table 1

   Test vectors for the groups defined by the Brainpool curves are
   provided in Appendix A





Merkle & Lochter        Expires February 28, 2013               [Page 4]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


2.2.  Key Exchange Payload and Shared Secret

   RFC4306 [RFC4306] only specifies the use of MODP groups and GF[2^N]
   elliptic curve groups for Diffie-Hellman key exchange with IKEv2.
   For Diffie-Hellman groups of elliptic curves defined over prime
   fields (ECP Diffie-Hellman groups), however, the format of key
   exchange payloads and the derivation of a shared secret has thus far
   not been specified generally but on a group-by-group basis.  To
   accomodate for different bandwidth limitations, for the groups
   defined in this document, two different methods for encoding the key
   exchange payload, compressed and uncompressed, are specified.

   In an ECP key exchange, the Diffie-Hellman public value passed in a
   KE payload consists of two components, x and y, corresponding to the
   coordinates of an elliptic curve point.  Each component MUST be
   computed from the corresponding coordinate using the FieldElement-to-
   OctetString conversion method specified in [SEC1] and MUST have bit
   length as indicated in Table 2.  This length is enforced by the
   FieldElement-to-OctetString conversion method, if necessary, by
   prepending the value with zeros.

           +------------------------------------+-------------+
           |               Curves               | Bit lengths |
           +------------------------------------+-------------+
           | brainpoolP160r1 or brainpoolP160t1 |     160     |
           |                                    |             |
           | brainpoolP192r1 or brainpoolP192t1 |     191     |
           |                                    |             |
           | brainpoolP224r1 or brainpoolP224t1 |     224     |
           |                                    |             |
           | brainpoolP256r1 or brainpoolP256t1 |     256     |
           |                                    |             |
           | brainpoolP320r1 or brainpoolP320t1 |     320     |
           |                                    |             |
           | brainpoolP384r1 or brainpoolP384t1 |     384     |
           |                                    |             |
           | brainpoolP512r1 or brainpoolP512t1 |     512     |
           +------------------------------------+-------------+

                                  Table 2

   From these components, the key exchange payload MUST be computed
   using one of the two following encodings.

   1.  Uncompressed.  This method equals the method specified in RFC
       5903 [RFC5903] for the ECP curves proposed therein.  The key
       exchange payload is defined as the concatenation of the x and y
       coordinates.  Using this method, the bit length of the key



Merkle & Lochter        Expires February 28, 2013               [Page 5]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


       exchange payload is twice the bit length of each component listed
       in Table 2.  If a peer receives a key exchange payload for an ECC
       Brainpool curve having twice the bitlength indicated for that
       curve in Table 2, it MUST assume that the uncompressed encoding
       has been used.

   2.  Compressed.  The key exchange payload is defined as x.  Using
       this method, the bit length of the key exchange payload equals
       the bit length of each component listed in Table 2.  If a peer
       receives a key exchange payload for an ECC Brainpool curve having
       the bitlength indicated for that curve in Table 2, it MUST assume
       that the compressed encoding has been used.

   The Diffie-Hellman shared secret value MUST be computed from the x
   coordinate of the Diffie-Hellman common value using the FieldElement-
   to-OctetString conversion method specified in [SEC1] and MUST have
   bit length as indicated in the Table 2.  The parties MUST verify that
   the Diffie-Hellman common value is not the "point at infinity", i.e.
   that the shared secret derived contains non-zero octets.

   When compressed encoding is used, computation of the Diffie-Hellman
   common value, and hence, of the shared secret value from the
   x-coordinate transmitted in the key exchange payload requires
   recovery of a correspoding y-coordinate.  Since there are up to two
   possible points on the elliptic curve having a given x-coordinate,
   the recovered y-component is not unique.  However, as explained in
   [RFC6090], any of the two y-coordinates corresponding to the x-value
   transmitted in the key exchange payload can be used to compute the
   Diffie-Hellman common value.






















Merkle & Lochter        Expires February 28, 2013               [Page 6]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


3.  Security Considerations

   The level of security provided by the authentication method in IKEv2
   and the symmetric enryption and message integrity protection in IPSEc
   should roughly match or exceed the level provided by the group chosen
   for key exchange.  RFC 5639 gives guidance in selection symmetric key
   sizes and hash functions for the ECC Brainpool curves.  Furthermore,
   the security considerations of [RFC4306] apply as well.











































Merkle & Lochter        Expires February 28, 2013               [Page 7]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


4.  IANA Considerations

   Before this document can become an RFC, IANA is required to update
   the Transform Type 4 (Diffie-Hellman Group Transform) IDs in its
   Internet Key Exchange Version 2 (IKEv2) Parameters registry
   [IANA-IKE2].  In particular, numbers are to be assigned to the 14
   groups specified in Table 1.  Another I-D is being submitted for
   publication as RFC [BP_IKE] requesting assignment for the same groups
   in the corresponding registry for IKEv1; in order to keep the
   registries for IKEv1 and IKEv2 in accordance, it is advisable to
   assign the same values in both registries.








































Merkle & Lochter        Expires February 28, 2013               [Page 8]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


5.  Intellectual Property Rights

   Although, the authors have no knowledge about any intellectual
   property rights which cover the general usage of the ECP groups
   defined herein, implementations based on these domain parameters may
   require use of inventions covered by patent rights.  In particular,
   the compressed encoding method for the key exchange payload defined
   in Section 2.2 may by covered by patents.











































Merkle & Lochter        Expires February 28, 2013               [Page 9]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


6.  References

6.1.  Normative References

   [IANA-IKE2]  Internet Assigned Numbers Authority, "Internet Key
                Exchange Version 2 (IKEv2) Parameters",
                <http://www.iana.org/assignments/ikev2-parameters>.

   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4306]    Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
                RFC 4306, December 2005.

   [RFC5639]    Lochter, M. and J. Merkle, "Elliptic Curve Cryptography
                (ECC) Brainpool Standard Curves and Curve Generation",
                RFC 5639, March 2010.

6.2.  Informative References

   [ANSI1]      American National Standards Institute, "Public Key
                Cryptography For The Financial Services Industry: The
                Elliptic Curve Digital Signature Algorithm (ECDSA)",
                ANSI X9.62, 2005.

   [FIPS]       National Institute of Standards and Technology, "Digital
                Signature Standard (DSS)", FIPS PUB 186-2,
                December 1998.

   [BP_IKE]     Harkins, D., "Brainpool Elliptic Curves for the IKE
                Group Description Registry",
                draft-harkins-brainpool-ike-groups-00 (work in
                progress), August 2012.

   [ISO1]       International Organization for Standardization,
                "Information Technology - Security Techniques - Digital
                Signatures with Appendix - Part 3: Discrete Logarithm
                Based Mechanisms", ISO/IEC 14888-3, 2006.

   [ISO2]       International Organization for Standardization,
                "Information Technology - Security Techniques -
                Cryptographic Techniques Based on Elliptic Curves - Part
                2: Digital signatures", ISO/IEC 15946-2, 2002.

   [RFC5903]    Fu, D. and J. Solinas, "Elliptic Curve Groups modulo a
                Prime (ECP Groups) for IKE and IKEv2", RFC 5903,
                June 2010.




Merkle & Lochter        Expires February 28, 2013              [Page 10]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


   [RFC6090]    McGrew, D., Igoe, K., and M. Salter, "Fundamental
                Elliptic Curve Cryptography Algorithms", RFC 6090,
                February 2011.

   [SEC1]       Certicom Research, "Elliptic Curve Cryptography",
                Standards for Efficient Cryptography (SEC) 1,
                September 2000.

   [SEC2]       Certicom Research, "Recommended Elliptic Curve Domain
                Parameters", Standards for Efficient Cryptography
                (SEC) 2, September 2000.








































Merkle & Lochter        Expires February 28, 2013              [Page 11]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


Appendix A.  Test Vectors

   This section provides some test vectors for example Diffie-Hellman
   key exchanges using each of the curves defined in Section 2 .  In all
   of the following sections the following notation is used:

      d_A: the secret key of party A

      x_qA: the x-coordinate of the public key of party A

      y_qA: the y-coordinate of the public key of party A

      d_B: the secret key of party B

      x_qB: the x-coordinate of the public key of party B

      y_qB: the y-coordinate of the public key of party B

      x_Z: the x-coordinate of the shared secret that results from
      completion of the Diffie-Hellman computation

      y_Z: the y-coordinate of the shared secret that results from
      completion of the Diffie-Hellman computation

   The field elements x_qA, y_qA, x_qB, y_qB, x_Z, y_Z are represented
   as hexadecimal values using the FieldElement-to-OctetString
   conversion method specified in [SEC1].

A.1.  160 Bit Curves

   Curve brainpoolP160r1

      dA = 8BF7BC5CBE8AC8B34940C2C5652D6AE4EC9F53CE

      x_qA = 651DA24C7FF64DD863F8F650E53F07B8EC943C39

      y_qA = D1C68C656E44034D0DAD60A1589FD49594E7C2A4

      dB = B6F7160F0DE61CCEAAC528A32BD7AD942E8017B2

      x_qB = DF9F259AEA6DFA1F28B16B8FEC52044CC1DFBA35

      y_qB = DF72AEA65A5E3EF69166DA161ABE00FC9C81C4D0

      x_Z = D78792AC4CBE3390DDD6557060066BC25579CA97

      y_Z = 3A3DAB50421585FB9DE9D87BB3BBBAFE3379A571




Merkle & Lochter        Expires February 28, 2013              [Page 12]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


   Twisted Curve brainpoolP160t1

      dA = A1FED74247778596E0FFEA292DF215D291FB8A6A

      x_qA = 1CDBF3D03C8CE04183600B99F80661129AB17B64

      y_qA = 5FF702E42CFEB890329439CD9594FB26D52CDCC5

      dB = A98B640213F32546F7A527EA7C75EACDADC001AB

      x_qB = D7FB21ED2FD367B21B663C77ECD233FE97B7B39B

      y_qB = A475B6F2BDB551A8303262814C2A5B1F3C77009C

      x_Z = 87BFBDB38B161DA82C7696F80403610213419FF5

      y_Z = 51D2ECA90C28ACBD7162A7700EB7FD3D60D9722B

A.2.  192 Bit Curves

   Curve brainpoolP192r1

      dA = 4B32E699290E3F052A99C7F0CFFD1C5707898015C743FE2A

      x_qA = 31DB86048351629CFCA68541D65D909A0F1DC8E77AC440B2

      y_qA = 7FB2925E1FDC609CF2252F0469836BA4F216ADF8A812893D

      dB = 6916B2A336B3305A256238EA2BAB549D9C893F47D07964B8

      x_qB = 15B795C67C5E47510116B0DE419C45835C209AE77D971536

      y_qB = 0D1ADD9881EF6115EDF5B5CEF854B42E435CD9260A5719FB

      x_Z = B946A6914877922A40F6D588D47FC7D44691C346FD384570

      y_Z = AAD4E9CBC5BB6C7C308A95F445287580A09EBC93624FB24E

   Twisted Curve brainpoolP192t1

      dA = BA0D8C324347CD29B6EBC40540A4EB46C293F18E799E4748

      x_qA = 29541AD06E6BC4C3CF28D7D0A505037D527A165889AF2646

      y_qA = 0222140F457C044F5F585E5943A7411BCF7B95676C938E9C

      dB = 479499E64FF4F30A5F4F08B1A451A113B166A32328ED549B




Merkle & Lochter        Expires February 28, 2013              [Page 13]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


      x_qB = 885FC460B907C9F7C1CF91C7C6AD3BF6343F381D06139021

      y_qB = 704257DFF34C99B623FE6DF24A2719B9D5901285519977EB

      x_Z = 1C6BE551CA60C6D24AF434915A381FBDC9EC934F4DB73257

      y_Z = 110BA8C4446A689F1A526087DF8A9A620F75286F36B07014

A.3.  224 Bit Curves

   Curve brainpoolP224r1

      dA = 39F155483CEE191FBECFE9C81D8AB1A03CDA6790E7184ACE44BCA161

      x_qA = A9C21A569759DA95E0387041184261440327AFE33141CA04B82DC92E

      y_qA = 98A0F75FBBF61D8E58AE5511B2BCDBE8E549B31E37069A2825F590C1

      dB = 6060552303899E2140715816C45B57D9B42204FB6A5BF5BEAC10DB00

      x_qB = 034A56C550FF88056144E6DD56070F54B0135976B5BF77827313F36B

      y_qB = 75165AD99347DC86CAAB1CBB579E198EAF88DC35F927B358AA683681

      x_Z = 1A4BFE705445120C8E3E026699054104510D119757B74D5FE2462C66

      y_Z = BB6802AC01F8B7E91B1A1ACFB9830A95C079CEC48E52805DFD7D2AFE

   Twisted Curve brainpoolP224t1

      dA = B9324E65766C765036E8AFBD2611864C195F893B9256F40AA23B2738

      x_qA = 3DA543100518A53531EBB3D1C14514C13EECA0A78CE92E71E2546FC1

      y_qA = 67580D56C0C89AF632911B3F99934CA2AB154E7E6F5E47CB2980E084

      dB = C9452FA256A710BEA19DFE6C7B4A848F82C2586BB815909B0C8099D6

      x_qB = 5DC490CFBD576B1DAC7462BE6B567CA371A108BBCD3609F0C33C679B

      y_qB = 8FBBAB24A248B676DF9D739478ABCCD593169297F2DEC2552C3F8DA0

      x_Z = 62F1A83BE792608C1D2AAFB229779B47D3F88B1EE2F9686E8CD8EF3C

      y_Z = B7F4B16BE902487127A605FED0069CB451CC56E0F9186B462D8BDD04






Merkle & Lochter        Expires February 28, 2013              [Page 14]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


A.4.  256 Bit Curves

   Curve brainpoolP256r1

      dA =
      81DB1EE100150FF2EA338D708271BE38300CB54241D79950F77B063039804F1D

      x_qA =
      44106E913F92BC02A1705D9953A8414DB95E1AAA49E81D9E85F929A8E3100BE5

      y_qA =
      8AB4846F11CACCB73CE49CBDD120F5A900A69FD32C272223F789EF10EB089BDC

      dB =
      55E40BC41E37E3E2AD25C3C6654511FFA8474A91A0032087593852D3E7D76BD3

      x_qB =
      8D2D688C6CF93E1160AD04CC4429117DC2C41825E1E9FCA0ADDD34E6F1B39F7B

      y_qB =
      990C57520812BE512641E47034832106BC7D3E8DD0E4C7F1136D7006547CEC6A

      x_Z =
      89AFC39D41D3B327814B80940B042590F96556EC91E6AE7939BCE31F3A18BF2B

      y_Z =
      49C27868F4ECA2179BFD7D59B1E3BF34C1DBDE61AE12931648F43E59632504DE

   Twisted Curve brainpoolP256t1

      dA =
      67CF7C2A6537E1E135C131B06958D388B97AC6173A2E669103A6F55EFCA51726

      x_qA =
      356AEB7B004AD59A48E46373BF2D413A52987BF8FE7073729AB56920C4B2FFE1

      y_qA =
      791116DEA74A3724F84F68ED3E18F01E3B9ABD90A26E38028322066FD7A09BAF

      dB =
      A74E29848D27882B6B7817694CC82EE81330AF856F243939B5F8B57CE59FD7EC

      x_qB =
      7D9FD6B1FAAF13C9C34DD8D713E9759D7A0F7E34206B8566C8D771C02871A702

      y_qB =
      45A49EDEBA249C9DBB0FE8B42CF4765650DB68C84B4BD467BE151E6D6C60F5C1




Merkle & Lochter        Expires February 28, 2013              [Page 15]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


      x_Z =
      A0AF0A63DE5579343129183FF958582A19D63DDBAAA91E07536421DEAB1064AF

      y_Z =
      78162E9FB4E2E0CA1F7B30ED51685864F9AB1B59E40E0E8DA046D4E897A77DD7

A.5.  320 Bit Curves

   Curve brainpoolP320r1

      dA = 7CD9C454BA907F7617E262A7FD73764C4A3157C13F82279EF9F062BE5D49A
      8E390B66A4DCEDFA867

      x_qA = BC43666C00E4B943FE1C785DD8AA842A42AB54B0B49819F960F77694193
      CD3AFA71B6B3C826C7734

      y_qA = 69E998892C0764468023C8E3A7B8F219A1446042BE175D4476B2FDFD85B
      22EAD2F29101A1242A578

      dB = B832A73DA5F671E80D87F09372544801F6812224B19A4BC1B37AA7DB0842E
      6DD3CA11DE0F802BFED

      x_qB = B1246229429354D1D687BCA48BCCD6FC733B146DAC03642A0AD4B896F5D
      8BCBD2F4BCA16776E4526

      y_qB = A41683898F9A76EF36EA2DC7B74D419E55CF3664721890D6A2B2FB8CEB7
      C113167ED137A358EE37F

      x_Z = 730314D906B2F21DC11BE05031B028D665696BEEC7139328CDF70C718BE5
      D208659BB96743A88067

      y_Z = C338B5B7A3FB62EDE9BAA9C06DF9BC36D4B5F0D35EFDF79249913E6DC4DB
      6DBC7BA9B74E59C840F1

   Twisted Curve brainpoolP320t1

      dA = 61ACFDF3C9C0E50B6ED58EC6B2750725D90C94D368EFA665B8800AFF31F21
      9AF39DA188ABAD9D6BC

      x_qA = 4DEABAB307DDD924E302EFABC15E4BC588FE67ECF92F03B918E5F4AE43B
      62FFDE0F115015D9AD732

      y_qA = 6E312549C939A9FCCD17D454B9212A39F670D4738B175EE5755A5BAAFF6
      D94992A5EA7541250E8FA

      dB = CDF6A4032DA09679DDE13D74F12C0F2E838D4CBE062E65CDDB595799EDA4C
      22D3A69A4794DD4B032




Merkle & Lochter        Expires February 28, 2013              [Page 16]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


      x_qB = B3B33997A7047C32F2FCBC76960FFD71910316177E059AE77FFDE107722
      C6B05D019A71AE7FCEA05

      y_qB = 2D97625CB68013D900C169FD1336FC27A5531F0F54461AD91E38C49584D
      8ECCDE3AE66BA4D1E7D29

      x_Z = 13FB6B5E601AB1FAD84210E087EAE185F8CDC6D54EF63CF62950D0DA3437
      4BEF4DE4998E9A87263A

      y_Z = 6A969AE380DC0B22A0112F602DE3188EE2DE14EA453A2F5D2963CAF11CA9
      AEFEE241C7038411C27C

A.6.  384 Bit Curves

   Curve brainpoolP384r1

      dA = 1E20F5E048A5886F1F157C74E91BDE2B98C8B52D58E5003D57053FC4B0BD6
      5D6F15EB5D1EE1610DF870795143627D042

      x_qA = 68B665DD91C195800650CDD363C625F4E742E8134667B767B1B47679358
      8F885AB698C852D4A6E77A252D6380FCAF068

      y_qA = 55BC91A39C9EC01DEE36017B7D673A931236D2F1F5C83942D049E3FA206
      07493E0D038FF2FD30C2AB67D15C85F7FAA59

      dB = 032640BC6003C59260F7250C3DB58CE647F98E1260ACCE4ACDA3DD869F74E
      01F8BA5E0324309DB6A9831497ABAC96670

      x_qB = 4D44326F269A597A5B58BBA565DA5556ED7FD9A8A9EB76C25F46DB69D19
      DC8CE6AD18E404B15738B2086DF37E71D1EB4

      y_qB = 62D692136DE56CBE93BF5FA3188EF58BC8A3A0EC6C1E151A21038A42E91
      85329B5B275903D192F8D4E1F32FE9CC78C48

      x_Z = 0BD9D3A7EA0B3D519D09D8E48D0785FB744A6B355E6304BC51C229FBBCE2
      39BBADF6403715C35D4FB2A5444F575D4F42

      y_Z = 0DF213417EBE4D8E40A5F76F66C56470C489A3478D146DECF6DF0D94BAE9
      E598157290F8756066975F1DB34B2324B7BD

   Twisted Curve brainpoolP384t1

      dA = 820B55599BA830FB45BD280FE20D32F9A114F6E2EA4F9AC1D5EBE67F7C0B1
      A0506413A4B49E372A56620454FC0735481

      x_qA = 0C1C3E48C8072055EC617DECC3B5F6EE2566CBB16E9EAB2E8D839AB6E98
      1FCF13B2EDF86E27877B1AF99D8F2280BEA76




Merkle & Lochter        Expires February 28, 2013              [Page 17]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


      y_qA = 3365AC30C33AABB342C6FC30C2E3C0AAC15E4D521633185899687742188
      F96588C03DE656BD308C1906F67B033981603

      dB = 3DF90919D4970788047B1FA0FBB716546ECF2A784CDD9CA53D5101B5BCA1A
      7CCAD7A7180B4C9F9D7D2A8F24E2B5936BD

      x_qB = 4C3949372FF295B6708C4180F6CF3616CA8BDF7CC792BAB582C27EC42EE
      FF0E563F2512B592438616E45D01309A06C0C

      y_qB = 1C43A48648C857189D9F2799B06F8253DF1BA8187622EDBF5C2C4A34164
      22877E7A2056FE6165271899DDD86DEC2CBC7

      x_Z = 8549A7BC6523128176322B295F5806971F9C2B6C10A6595D252CCA4B404E
      940BDB193AE0AB664959DBE638C8BB75A55E

      y_Z = 0C9D339F9ECA04924E2B73619DB30CADAF344AAB15938D4EE4E9DC7A81A4
      66A1CDC0D4C422DC75A5333DE8F226E9707C

A.7.  512 Bit Curves

   Curve brainpoolP512r1

      dA = 16302FF0DBBB5A8D733DAB7141C1B45ACBC8715939677F6A56850A38BD87B
      D59B09E80279609FF333EB9D4C061231FB26F92EEB04982A5F1D1764CAD5766542
      2

      x_qA = 0A420517E406AAC0ACDCE90FCD71487718D3B953EFD7FBEC5F7F27E28C6
      149999397E91E029E06457DB2D3E640668B392C2A7E737A7F0BF04436D11640FD0
      9FD

      y_qA = 72E6882E8DB28AAD36237CD25D580DB23783961C8DC52DFA2EC138AD472
      A0FCEF3887CF62B623B2A87DE5C588301EA3E5FC269B373B60724F5E82A6AD147F
      DE7

      dB = 230E18E1BCC88A362FA54E4EA3902009292F7F8033624FD471B5D8ACE49D1
      2CFABBC19963DAB8E2F1EBA00BFFB29E4D72D13F2224562F405CB80503666B2542
      9

      x_qB = 9D45F66DE5D67E2E6DB6E93A59CE0BB48106097FF78A081DE781CDB31FC
      E8CCBAAEA8DD4320C4119F1E9CD437A2EAB3731FA9668AB268D871DEDA55A54731
      99F

      y_qB = 2FDC313095BCDD5FB3A91636F07A959C8E86B5636A1E930E8396049CB48
      1961D365CC11453A06C719835475B12CB52FC3C383BCE35E27EF194512B7187628
      5FA

      x_Z = A7927098655F1F9976FA50A9D566865DC530331846381C87256BAF322624
      4B76D36403C024D7BBF0AA0803EAFF405D3D24F11A9B5C0BEF679FE1454B21C4CD



Merkle & Lochter        Expires February 28, 2013              [Page 18]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


      1F

      y_Z = 7DB71C3DEF63212841C463E881BDCF055523BD368240E6C3143BD8DEF8B3
      B3223B95E0F53082FF5E412F4222537A43DF1C6D25729DDB51620A832BE6A26680
      A2

   Twisted Curve brainpoolP512t1

      dA = 7938A373E32ECDCB3A88B725531EF0A41165904FDE02879EE738FE81B3B87
      A4F5730A8EB5FBA650609D7A5979099F058500EB160D3557D69B90FB2BAFE8AA3B
      4

      x_qA = 587335843CF88ACBC4110DD3711E21238280FD9D6BCDCB5F5AC8DB599D3
      77DE168AA32276FB068A3EF05EE61021668EC7C5BB1DDB96E392F6AC5C03F4A7C6
      05A

      y_qA = 501E2C43716E3F5D6D2F5960A33ECD2BA2D812AFB76B8C158E6E25FD37F
      82EE7299E2E64BCB39C0B739A5493C99615E62AE79C8719E40DDD9B7A44D990C73
      683

      dB = 5538DF5451063E1CE7351C1A750C29D38FA2348F2FA097A1DB75D24AC8F83
      D8F13ED009F02621F6A0E3796101FB1EC9F1890B66635DDCEB5EF1ED083A28CF01
      2

      x_qB = A6400A41B64FCD6E451DD3B42B0247B24596118058B4DF8E34EC3EC33B1
      9CDCF5A9B2ECA4F1DB2D58C2AFD047550996CA361FCA8497233AF8C0F406FD9FC0
      CD1

      y_qB = 7B7DB683F90DE91F3814139CC83E0693FED68A302458CA7690BA66067E3
      C963EB4D073F72723E01E05B6D0484D80FBE2EE830DB1F8F0B58570E5D8342267B
      2DE

      x_Z = 540789E4BA46DD1925ED37A9FCAFC927A3FE264F924FDA130790B1429AA2
      449C6FDFF21EC506672E2E9E1DB3D69B04461FFB1736D7E7F7764BE4BDD9F8D271
      B1

      y_Z = 37C113154C495B136D495B6864EC85C31AC46C19E3131E736D1C0B42BC00
      B05452AF0AB408B244ED0B4B3ECB65634C603829C72396D8D6072DE5663935DD89
      5F












Merkle & Lochter        Expires February 28, 2013              [Page 19]

Internet-Draft   Brainpool Curves for IKEv2 Kex Exchange     August 2012


Authors' Addresses

   Johannes Merkle
   secunet Security Networks
   Mergenthaler Allee 77
   65760 Eschborn
   Germany

   Phone: +49 201 5454 3091
   EMail: johannes.merkle@secunet.com


   Manfred Lochter
   Bundesamt fuer Sicherheit in der Informationstechnik (BSI)
   Postfach 200363
   53133 Bonn
   Germany

   Phone: +49 228 9582 5643
   EMail: manfred.lochter@bsi.bund.de































Merkle & Lochter        Expires February 28, 2013              [Page 20]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/