[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits] [IPR]

Versions: 00 01 02 03 04 05 06 07 08 09 10

IPSec Working Group                               S. Blake-Wilson, BCI
INTERNET-DRAFT                       D. Brown and Y. Poeluev, Certicom
Intended Status: Informational
Expires: June 15, 2006                               December 15, 2005

                    Additional ECC Groups For IKE

                          Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on June 15, 2006.


   This document describes new ECC groups for use in IKE [IKE] and
   IKEv2 [IKEv2] in addition to the Oakley groups included therein.
   These groups are defined to align IKE with other ECC
   implementations and standards, and in addition, many of them
   provide higher strength than the Oakley groups. It should be noted
   that this document is not self-contained.  It uses the notations
   and definitions of [IKE] and IKEv2 [IKEv2].

Blake-Wilson, Brown and Poeluev                              [Page  1]

INTERNET-DRAFT             NIST Curves for IKE           December 2005

                           Table of Contents

   1. Introduction ............................................... 2
   2. The NIST Groups ............................................ 3
   3. Security Considerations .................................... 5
   4. Intellectual Property Rights ............................... 5
   5. Acknowledgments ............................................ 5
   6. References ................................................. 5
   7. Author's Address ........................................... 7

1.  Introduction

This document describes groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE], [IKEv2], and [MODP-IKE].  The document assumes that
the reader is familiar with the IKE protocol and the concept of Oakley
Groups, as defined in RFC 2409 [IKE] and IKEv2 [IKEv2].  The ECC
groups given here are the fifteen groups that NIST recommends in FIPS
186-2 [FIPS-182-2].

RFC2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N].  One
modular exponentiation group (768 bits - Oakley Group 1) is mandatory
for all implementations to support, while the other four are optional.
Both elliptic curve groups (Oakley Groups 3 and 4) are defined over
GF[2^N] with N composite.

The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes
several additional groups that can be used with IKE and IKEv2.

Detailed descriptions of the ECC groups recommended here for IKE in
this are not given in this document but can be found elsewhere: all
fifteen groups in each of FIPS 186-2 [FIPS-186-2] and SEC 2 [SEC-2].
The elliptic curve domain paramenters are uniquely identified in this
document using the ASN.1 object identifiers provided in ANS X9.62
[X9.62], ANS X9.63 [X9.63], and SEC 2 [SEC-2].

Blake-Wilson, Brown and Poeluev                               [Page 2]

INTERNET-DRAFT             NIST Curves for IKE           December 2005

2.  The NIST Groups

The groups given in this document are capable of providing security
consistent with AES keys of 128, 192, and 256 bits, and also with TDES
keys of lengths 168 and 112 bits, whose corresponding strengths of 112
and 80 bits, respectively.  The following table, based on tables from
[HOF] and [LEN], gives approximate comparable key sizes for symmetric
systems, ECC systems, and DH/DSA/RSA systems.  The estimates are based
on the running times of the best algorithms known today.

                  Strength   |  ECC2N/PR |  DH/DSA/RSA
                   80        |  163/192  |  1024
                  112        |  233/224  |  2048
                  128        |  283/256  |  3072
                  192        |  409/384  |  7680
                  256        |  571/521  |  15360

                  Table 1: Comparable key sizes

Thus, for example, when securing a 192-bit symmetric key, it is
prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA.  Of course
it is possible to use shorter asymmetric keys, but it should be
recognized in this case that the security of the system is likely
dependent on the strength of the public-key algorithm and claims such
as "this system is highly secure because it uses 192-bit encryption"
are misleading.

The fifteen groups proposed in this document use elliptic curves over
GF[2^N] with N prime or over GF[P] with P prime.  This addresses
concerns expressed by many experts regarding curves defined over
GF[2^N] with N composite -- concerns highlighted by the recent attacks
on such curves due to Gaudry, Hess, and Smart [WEIL] and due to
Jacobson, Menezes and Stein [JMS].

Seven of the groups proposed here have been assigned identifiers by
IANA [IANA] and the remaining eight might latter be assigned
identifiers by IANA.  A brief summary of the IANA identified groups
for IKE as follows.  Groups with IANA numbers 1 through 4 are
identified in [IKE].  The group with IANA number 5 is identifed in
[MODP-IKE].  The group with IANA number 6, [X9.62] and [SEC 2], with
object identifer sect163r1, but it is not one of the fifteen curves
that NIST recommends [FIPS-186-2].  The seven groups with IANA numbers
numbers between 7 and 13 have also been identified in [ECP-IKE] and
are included here, as have the NIST groups with numbers 19, 20 and 21.
The remaining five NIST groups are suggested and anticipate to be
assigned IANA numbers 22 to 26.

Blake-Wilson, Brown and Poeluev                               [Page 3]

INTERNET-DRAFT             NIST Curves for IKE           December 2005

The groups recommended for IKE and IKEv2 in this document are the ECC
groups that NIST recommends [FIPS-186-2].  These fifteen ECC groups
are given in the following table.

IANA  Group Description                SEC 2 OID
----  -----------------                ---------

  22  ECPRGF192Random  group P-192     secp192r1
  23  EC2NGF163Random  group B-163     sect163r2
   7  EC2NGF163Koblitz group K-163     sect163k1

  24  ECPRGF224Random  group P-224     secp224r1
  25  EC2NGF233Random  group B-233     sect233r1
  26  EC2NGF233Koblitz group K-233     sect233k1

  19  ECPRGF256Random  group P-256     secp256r1
  27  EC2NGF283Random  group B-283     sect283r1
   9  EC2NGF283Koblitz group K-283     sect283k1

  20  ECPRGF384Random  group P-384     secp384r1
  10  EC2NGF409Random  group B-409     sect409r1
  11  EC2NGF409Koblitz group K-409     sect409k1

  21  ECPRGF521Random  group P-521     secp521r1
  12  EC2NGF571Random  group B-571     sect571r1
  13  EC2NGF571Koblitz group K-571     sect571k1

Three curves are defined at each strength - two curves chosen
verifiably at random (as defined in ANSI [X9.62]), one over a binary
field and another over a prime field, and a Koblitz curve over a
binary field that, which enables especially efficient implementations
due to the special structure of the curve [KOB] and [SOL].

Blake-Wilson, Brown and Poeluev                               [Page 4]

INTERNET-DRAFT             NIST Curves for IKE           December 2005

3. Security Considerations

Since this document proposes new groups for use within IKE, many of the
security considerations contained within RFC 2409 apply here as well.

Nine of the groups proposed in this document offer higher strength
than the groups in RFC 2409.  This allows the IKE and IKEv2 to offer
security comparable with the proposed AES algorithms.

In addition, since all the new groups are defined over GF[P] with P
prime or GF[2^N] with N prime, they address the concerns expressed
regarding the elliptic curve groups included in RFC 2409, which are
curves defined over GF[2^N] with N composite.  The work of Gaudry,
Hess, and Smart [WEIL] reveal some of the weaknesses in such groups.

4. Intellectual Property Rights

The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document.
For more information, consult the online list of claimed rights

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights.  Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11.  Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.

5. Acknowledgments

To be added.

Blake-Wilson, Brown and Poeluev                               [Page 5]

INTERNET-DRAFT             NIST Curves for IKE           December 2005

6. References

  [ECP-IKE] J. Solinas, ECP Groups for IKE,
  draft-ietf-ipsec-ike-ecp-groups-01.txt, work in progress.

  [IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC
     2409, November 1998.

  [IKEv2] C. Kaufman, Editor, Internt Key Exchange (IKEv2) Protocol,
  draft-ietf-ipsec-ikev2-17.txt, work in progress.

  [IANA] Internet Assigned Numbers Authority. Attribute Assigned

  [IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE
     1363-2000, Standard for Public Key Cryptography. IEEE
     Microprocessor Standards Committee. August 2001.

  [KOB] N. Koblitz, CM curves with good cryptographic properties.
     Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992.

  [FIPS-186-2] U.S. Department of Commerce/National Institute of
     Standards and Technology. Digital Signature Standard (DSS), FIPS
     PUB 186-2, January 2000.

  [HOF] P. Hoffman and H. Orman, Determining strengths for public keys
     used for exchanging symmetric keys, Internet-draft. August 2000.

  [LEN] A. Lenstra and E. Verhuel, Selecting cryptographic key sizes.
     Available at: www.cryptosavvy.com.

  [JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic
     Curve Discrete Logarithm Problems Using Weil Descent,
     Combinatorics and Optimization Research Report 2001-31, May 2001.
     Available at http://www.cacr.math.uwaterloo.ca/.

  [MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
     Diffie-Hellman groups for Internet Key Exchange (IKE),
     rfc3526.txt, May 2003.

  [SEC2] Standards for Efficient Cryptography Group. SEC 2 -
     Recommended Elliptic Curve Domain Parameters. Working Draft
     Ver. 1.0., 2000.  (http://www.secg.org)

  [SOL] J. Solinas, An improved algorithm for arithmetic on a family
     of elliptic curves, Proceedings of Crypto '97, Pages 357-371,
     Springer-Verlag, 1997.

Blake-Wilson, Brown and Poeluev                               [Page 6]

INTERNET-DRAFT             NIST Curves for IKE           December 2005

  [WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and
     Destructive Facets of Weil Descent on Elliptic Curves, HP Labs
     Technical Report No. HPL-2000-10, 2000.

  [X9.62] American National Standards Institute, ANS X9.62-2005:
     Public Key Cryptography for the Financial Services Industry: The
     Elliptic Curve Digital Signature Algorithm.  November 2005.

  [X9.63] American National Standards Institute. ANSI X9.63-2001,
     Public Key Cryptography for the Financial Services Industry: Key
     Agreement and Key Transport using Elliptic Curve Cryptography.
     November 2001.

7. Authors' Addresses

  Simon Blake-Wilson
  Basic Commerce & Industries, Inc.

  Daniel R. L. Brown
  Certicom Corp.

  Yuri Poeluev
  Certicom Corp.

8. Full Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is
   subject to the rights, licenses and restrictions contained in BCP
   78, and except as set forth therein, the authors retain all their

   This document and the information contained herein are provided on

Blake-Wilson, Brown and Poeluev                               [Page 7]

Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/