IPSec Working Group D. Brown, Certicom
INTERNET-DRAFT January 27, 2006
Expires: July 27, 2006
Additional ECC Groups For IKE and IKEv2
<draft-ietf-ipsec-ike-ecc-groups-08.txt>
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 27, 2006.
Abstract
This document describes new ECC groups for use in IKE [IKE] and
IKEv2 [IKEv2] in addition to the Oakley groups included therein.
These groups are defined to align IKE with other ECC
implementations and standards, and in addition, many of them
provide higher strength than the Oakley groups. It should be noted
that this document is not self-contained. It uses the notations
and definitions of [IKE] and IKEv2 [IKEv2].
Brown [Page 1]
INTERNET-DRAFT Additional ECC Groups for IKE and IKEv2 January 2006
Table of Contents
1. Introduction
2. The Additional ECC Groups
2.1 Sixth Group
2.2 Seventh Group
2.3 Eighth Group
2.4 Ninth Group
2.5 Tenth Group
2.6 Eleventh Group
2.7 Twelfth Group
2.8 Thirteenth Group
2.9 Twenty-Second Group
2.10 Twenty-Third Group
2.11 Twenty-Fourth Group
2.12 Twenty-Fifth Group
2.13 Twenty-Sixth Group
3. Test vectors
4. Security Considerations
5. Intellectual Property Rights
6. Acknowledgments
7. References
8. Author's Address
1. Introduction
This document describes groups for use in elliptic curve
Diffie-Hellman in IKE in addition to the Oakley groups included in
[IKE], [IKEv2], and [MODP-IKE]. The document assumes that the reader
is familiar with the IKE protocol and the concept of Oakley Groups, as
defined in RFC 2409 [IKE] and IKEv2 [IKEv2]. The ECC groups given
here are among the fifteen groups that NIST recommends in FIPS 186-2
[FIPS-186-2].
RFC2409 [IKE] defines five standard Oakley Groups - three modular
exponentiation groups and two elliptic curve groups over GF[2^N]. One
modular exponentiation group (768 bits - Oakley Group 1) is mandatory
for all implementations to support, while the other four are optional.
Both elliptic curve groups (Oakley Groups 3 and 4) are defined over
GF[2^N] with N composite.
The Internet-Draft "More MODP Groups For IKE" [MODP-IKE] describes
several additional groups that can be used with IKE and IKEv2.
The Internet-Draft "ECP Groups For IKE and IKEv2" [ECP-IKE] describes
three elliptic curve groups recommended by NIST. This document
describes the remaining twelve.
These twelve elliptic curve groups are supported for better
alignment with other standards, such as [FIPS 186-2],
[X9.62], [X9.63], and [SEC-2]. Some of these groups also afford
efficiency advantages in hardware applications since the underlying
arithmetic is binary field arithmetic. The groups proposed are
capable of providing security consistent with both the new Advanced
Encryption Standard and with Triple DES.
These groups could also be defined with the New Group Mode but
including them in this document will encourage interoperability of IKE
and IKEv2 implementations based on elliptic curve groups.
2. The Additional Elliptic Curve Groups
The groups given in this document are capable of providing security
consistent with AES keys of 128, 192, and 256 bits, and also with TDES
keys of lengths 168 and 112 bits, whose corresponding strengths are 112
and 80 bits, respectively. The following table, based on tables from
[HOF] and [LEN], gives approximate comparable key sizes for symmetric
systems, ECC systems, and DH/DSA/RSA systems. The estimates are based
on the running times of the best algorithms known today.
Strength | ECC2N/ECP | DH/DSA/RSA
80 | 163/192 | 1024
112 | 233/224 | 2048
128 | 283/256 | 3072
192 | 409/384 | 7680
256 | 571/521 | 15360
Table 1: Comparable key sizes
Thus, for example, when securing a 192-bit symmetric key, it is
prudent to use either 409-bit ECC or 7680-bit DH/DSA/RSA. Of course
it is possible to use shorter asymmetric keys, but it should be
recognized in this case that the security of the system is likely
dependent on the strength of the public-key algorithm and claims such
as "this system is highly secure because it uses 192-bit encryption"
are misleading.
The fifteen groups proposed in this document use elliptic curves over
GF[2^N] with N prime or over GF[P] with P prime. This addresses
concerns expressed by many experts regarding curves defined over
GF[2^N] with N composite -- concerns highlighted by the recent attacks
on such curves due to Gaudry, Hess, and Smart [WEIL] and due to
Jacobson, Menezes and Stein [JMS].
Seven of the groups proposed here have been assigned identifiers by
IANA [IANA] and the remaining eight might later be assigned
identifiers by IANA. A brief summary of the IANA identified groups
for IKE is as follows. Groups with IANA numbers 1 through 4 are
identified in [IKE]. The group with IANA number 5 is identified in
[MODP-IKE]. The group with IANA number 6 is identified in [X9.62] and
[SEC 2], with object identifier sect163r1, but it is not one of the
fifteen curves that NIST recommends [FIPS-186-2]. Nevertheless, it is
included here for backwards interoperability with existing
implementations. The seven groups with IANA numbers between 7 and 13
have also been identified in [ECP-IKE] and are included here. Three
NIST groups have proposed numbers 19, 20 and 21 in [ECP-IKE]. The
remaining five NIST groups are suggested and anticipated to be
assigned IANA numbers 22 to 26.
The groups recommended for IKE and IKEv2 in this document are the ECC
groups that NIST recommends [FIPS-186-2]. These fifteen ECC groups
are given in the following table.
IANA  Group Type  Group Description   NIST Name  SEC 2 OID
----  ----------  ------------------  ---------  ---------
22    2 ECP       ECPRGF192Random     P-192      secp192r1
23    3 EC2N      EC2NGF163Random     B-163      sect163r2
7     3 EC2N      EC2NGF163Koblitz    K-163      sect163k1
6     3 EC2N      EC2NGF163Random2    none       sect163r1
24    2 ECP       ECPRGF224Random     P-224      secp224r1
25    3 EC2N      EC2NGF233Random     B-233      sect233r1
26    3 EC2N      EC2NGF233Koblitz    K-233      sect233k1
19    2 ECP       ECPRGF256Random     P-256      secp256r1
8     3 EC2N      EC2NGF283Random     B-283      sect283r1
9     3 EC2N      EC2NGF283Koblitz    K-283      sect283k1
20    2 ECP       ECPRGF384Random     P-384      secp384r1
10    3 EC2N      EC2NGF409Random     B-409      sect409r1
11    3 EC2N      EC2NGF409Koblitz    K-409      sect409k1
21    2 ECP       ECPRGF521Random     P-521      secp521r1
12    3 EC2N      EC2NGF571Random     B-571      sect571r1
13    3 EC2N      EC2NGF571Koblitz    K-571      sect571k1
Three curves are defined at each strength - two curves chosen
verifiably at random (as defined in ANSI [X9.62]), one over a binary
field and another over a prime field, and a Koblitz curve over a
binary field, which enables especially efficient implementations
due to the special structure of the curve [KOB] and [SOL].
For elliptic curve groups, the data in the KE payload when using this
group is the octet string representation specified in ANSI X9.62, ANSI
X9.63, FIPS 186-2, and IEEE P1363 of the point on the curve chosen by
taking the randomly chosen secret Ka and computing Ka*G, where * is
the repetition of the group addition.
If the initiator chooses secret i and the responder chooses secret r,
then the KEi is i*G and KEr is r*G. The raw shared secret is the
x-coordinate (only) of (ir)*G.
2.1 Sixth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 6 (six). The
curve is based on the Galois Field GF[2^163]. The field size is
163. The irreducible polynomial used to represent the field is:
u^163 + u^7 + u^6 + u^3 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + ax^2 + b.
Group Curve a:
0x07b6882caaefa84f9554ff8428bd88e246d2782ae2
Group Curve b:
0x0713612dcddcb40aab946bda29ca91f73af958afd9
Group Generator G:
0x030369979697ab43897789566789567f787a7876a654
The order of the generator G defined above is the prime:
0x03ffffffffffffffffffff48aab689c29ca710279b
The curve order is twice this prime.
The group was chosen verifiably at random using SHA-1 as specified in
[X9.62] from the seed:
0x24b7b137c8a14d696e6768756151756fd0da2e5c
However, for historical reasons, the method to generate the group from
the seed differs slightly from the method described in
[X9.62]. Specifically the coefficient Group Curve b produced from the
seed is the reverse of the coefficient that would have been produced
by the method described in [X9.62].
2.2 Seventh Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 7 (seven). The
curve is based on the Galois Field GF[2^163]. The field size is
163. The irreducible polynomial used to represent the field is:
u^163 + u^7 + u^6 + u^3 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + x^2 + 1.
Group Generator G:
0x0302fe13c0537bbc11acaa07d793de4e6d5e5c94eee8
The order of the generator G is the prime:
0x04000000000000000000020108a2e0cc0d99f8a5ef
The curve order is twice this prime.
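Because the curve order for this group is twice the prime order of G, a receiver has to check that a peer's point lies in the prime-order subgroup, not merely on the curve. The following added example (not part of the draft) decodes a compressed point over GF[2^163] and applies that check; the function names are hypothetical, the compressed encoding follows the X9.62 convention, and the arithmetic is not constant-time.

```python
# Group 7 (sect163k1) parameters, copied from section 2.2 above.
M = 163
F = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # u^163 + u^7 + u^6 + u^3 + 1
A, B = 1, 1                                            # y^2 + xy = x^3 + x^2 + 1
N = 0x04000000000000000000020108a2e0cc0d99f8a5ef       # prime order of G
G_OCTETS = bytes.fromhex("0302fe13c0537bbc11acaa07d793de4e6d5e5c94eee8")
FLEN = (M + 7) // 8                                    # 21 octets per field element


def fmul(a, b):
    """Multiply two reduced elements of GF(2^163) (shift-and-add, reduced by F)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= F
    return r


def finv(a):
    """Inverse in GF(2^163) by the binary-polynomial extended Euclidean algorithm."""
    if a == 0:
        raise ZeroDivisionError("zero has no inverse")
    u, v, g1, g2 = a, F, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1


def solve_quadratic(beta):
    """Return z with z^2 + z = beta (half-trace, valid because M is odd), else None."""
    z = t = beta
    for _ in range((M - 1) // 2):
        t = fmul(t, t)
        t = fmul(t, t)
        z ^= t
    return z if fmul(z, z) ^ z == beta else None


def on_curve(pt):
    x, y = pt
    return fmul(y, y) ^ fmul(x, y) == fmul(fmul(x, x), x ^ A) ^ B


def decode_point(octets):
    """Decode a compressed point (02/03 || x); the low bit selects z = y/x."""
    if len(octets) != 1 + FLEN or octets[0] not in (2, 3):
        raise ValueError("not a compressed point of the expected length")
    x = int.from_bytes(octets[1:], "big")
    if x >> M:
        raise ValueError("x is not a reduced field element")
    if x == 0:                       # y = sqrt(b) = b^(2^(M-1))
        y = B
        for _ in range(M - 1):
            y = fmul(y, y)
        return (0, y)
    xinv = finv(x)
    z = solve_quadratic(x ^ A ^ fmul(B, fmul(xinv, xinv)))
    if z is None:
        raise ValueError("x is not the abscissa of a curve point")
    if (z & 1) != (octets[0] & 1):
        z ^= 1
    return (x, fmul(x, z))


def add(p1, p2):
    """Affine addition on y^2 + xy = x^3 + a x^2 + b; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if y1 != y2 or x1 == 0:      # p2 = -p1, where -(x, y) = (x, x + y)
            return None
        lam = x1 ^ fmul(y1, finv(x1))
        x3 = fmul(lam, lam) ^ lam ^ A
        return (x3, fmul(x1, x1) ^ fmul(lam ^ 1, x3))
    lam = fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)


def mul(k, pt):
    """Right-to-left double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def validate_peer_point(octets):
    """Accept only points of order N: on the curve and killed by N."""
    q = decode_point(octets)
    if not on_curve(q):
        raise ValueError("point is not on the curve")
    if mul(N, q) is not None:
        raise ValueError("point is outside the prime-order subgroup")
    return q


G = decode_point(G_OCTETS)
```

The point (0, 1) is on this curve and has order 2, so it passes an on-curve test but is rejected by validate_peer_point.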
2.3 Eighth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 8 (eight). The
curve is based on the Galois Field GF[2^283]. The field size is
283. The irreducible polynomial used to represent the field is:
u^283 + u^12 + u^7 + u^5 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + x^2 + b.
Group Curve b:
0x027b680ac8b8596da5a4af8a19a0303fca97fd7645309fa2a581485af6263e313b79a2f5
Group Generator G:
0x0305f939258db7dd90e1934f8c70b0dfec2eed25b8557eac9c80e2e198f8cdbecd86b12053
The order of the generator G is the prime:
0x03ffffffffffffffffffffffffffffffffffef90399660fc938a90165b042a7cefadb307
The curve order is twice this prime.
The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:
0x77e2b07370eb0f832a6dd5b62dfc88cd06bb84be
2.4 Ninth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 9 (nine). The
curve is based on the Galois Field GF[2^283]. The field size is
283. The irreducible polynomial used to represent the field is:
u^283 + u^12 + u^7 + u^5 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + 1.
Group Generator G:
0x020503213f78ca44883f1a3b8162f188e553cd265f23c1567a16876913b0c2ac2458492836
The order of the generator G is the prime:
0x01ffffffffffffffffffffffffffffffffffe9ae2ed07577265dff7f94451e061e163c61
The curve order is four times this prime.
2.5 Tenth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 10 (ten). The
curve is based on the Galois Field GF[2^409]. The field size is
409. The irreducible polynomial used to represent the field is:
u^409 + u^87 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + x^2 + b.
Group Curve b:
0x021a5c2c8ee9feb5c4b9a753b7b476b7fd6422ef1f3dd674761fa99d6ac27c8a9a197b272822f6cd57a55aa4f50ae317b13545f
Group Generator G:
0x03015d4860d088ddb3496b0c6064756260441cde4af1771d4db01ffe5b34e59703dc255a868a1180515603aeab60794e54bb7996a7
The order of the generator G is the prime:
0x10000000000000000000000000000000000000000000000000001e2aad6a612f33307be5fa47c3c9e052f838164cd37d9a21173
The curve order is twice this prime.
The curve was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:
0x4099b5a457f9d69f79213d094c4bcd4d4262210b
2.6 Eleventh Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 11 (eleven). The
curve is based on the Galois Field GF[2^409]. The field size is
409. The irreducible polynomial used to represent the field is:
u^409 + u^87 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + 1.
Group Generator G:
0x030060f05f658f49c1ad3ab1890f7184210efd0987e307c84c27accfb8f9f67cc2c460189eb5aaaa62ee222eb1b35540cfe9023746
The order of the generator G is the prime:
0x7ffffffffffffffffffffffffffffffffffffffffffffffffffe5f83b2d4ea20400ec4557d5ed3e3e7ca5b4b5c83b8e01e5fcf
The curve order is four times this prime.
2.7 Twelfth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 12 (twelve). The
curve is based on the Galois Field GF[2^571]. The field size is
571. The irreducible polynomial used to represent the field is:
u^571 + u^10 + u^5 + u^2 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + x^2 + b.
Group Curve b:
0x2f40e7e2221f295de297117b7f3d62f5c6a97ffcb8ceff1cd6ba8ce4a9a18ad84ffabbd8efa59332be7ad6756a66e294afd185a78ff12aa520e4de739baca0c7ffeff7f2955727a
Group Generator G:
0x030303001d34b856296c16c0d40d3cd7750a93d1d2955fa80aa5f40fc8db7b2abdbde53950f4c0d293cdd711a35b67fb1499ae60038614f1394abfa3b4c850d927e1e7769c8eec2d19
The order of the generator G is the prime:
0x3ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe661ce18ff55987308059b186823851ec7dd9ca1161de93d5174d66e8382e9bb2fe84e47
The curve order is twice this prime.
The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:
0x2aa058f73a0e33ab486b0f610410c53a7f132310
2.8 Thirteenth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 13
(thirteen). The curve is based on the Galois Field GF[2^571]. The
field size is 571. The irreducible polynomial used to represent the
field is:
u^571 + u^10 + u^5 + u^2 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + 1.
Group Generator G:
0x02026eb7a859923fbc82189631f8103fe4ac9ca2970012d5d46024804801841ca44370958493b205e647da304db4ceb08cbbd1ba39494776fb988b47174dca88c7e2945283a01c8972
The order of the generator G is the prime:
0x20000000000000000000000000000000000000000000000000000000000000000000000131850e1f19a63e4b391a8db917f4138b630d84be5d639381e91deb45cfe778f637c1001
The group order is four times this prime.
2.9 Twenty-Second Group
IKE and IKEv2 implementations SHOULD support an ECP group with the
following characteristics. This group is assigned id 22 (twenty-two).
The curve is based on the integers modulo the generalized Mersenne
prime p given by
p = 2^192 - 2^64 - 1.
The equation for the elliptic curve is:
y^2 = x^3 - 3 x + b.
Group Curve b:
0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1
Group Generator G:
0x03188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012
The order of the generator G is the prime:
0xffffffffffffffffffffffff99def836146bc9b1b4d22831
The group was chosen verifiably at random using SHA-1 as specified in
[X9.62] from the seed:
0x3045ae6fc8422f64ed579528d38120eae12196d5
2.10 Twenty-Third Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 23
(twenty-three). The curve is based on the Galois Field GF[2^163]. The
field size is 163. The irreducible polynomial used to represent the
field is:
u^163 + u^7 + u^6 + u^3 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + x^2 + b.
Group Curve b:
0x020a601907b8c953ca1481eb10512f78744a3205fd
Group Generator G:
0x0303f0eba16286a2d57ea0991168d4994637e8343e36
The order of the generator G above is the prime:
0x040000000000000000000292fe77e70c12a4234c33
The curve order is twice this prime.
The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:
0x85e25bfe5c86226cdb12016f7553f9d0e693a268
2.11 Twenty-Fourth Group
IKE and IKEv2 implementations SHOULD support an ECP group with the
following characteristics. This group is assigned id 24
(twenty-four). The curve is based on the integers modulo the
generalized Mersenne prime p given by
p = 2^224 - 2^96 + 1.
The equation for the elliptic curve is:
y^2 = x^3 - 3 x + b.
Group Curve b:
0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4
Group Generator G:
0x02b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21
The order of the generator G is the prime:
0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d
The group was chosen verifiably at random using SHA-1 as specified in
[X9.62] from the seed:
0xbd71344799d5c7fcdc45b59fa3b9ab8f6a948bc5
2.12 Twenty-Fifth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 25
(twenty-five). The curve is based on the Galois Field GF[2^233]. The
field size is 233. The irreducible polynomial used to represent the
field is:
u^233 + u^74 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + x^2 + b.
Group Curve b:
0x0066647ede6c332c7f8c0923bb58213b333b20e9ce4281fe115f7d8f90ad
Group Generator G:
0x0300fac9dfcbac8313bb2139f1bb755fef65bc391f8b36f8f8eb7371fd558b
The order of the generator G above is the prime:
0x01000000000000000000000000000013e974e72f8a6922031d2603cfe0d7
The curve order is twice this prime.
The group was chosen verifiably at random in normal basis
representation using SHA-1 as specified in [X9.62] from the seed:
0x74d59ff07f6b413d0ea14b344b20a2db049b50c3
2.13 Twenty-Sixth Group
IKE and IKEv2 implementations SHOULD support an EC2N group with the
following characteristics. This group is assigned id 26
(twenty-six). The curve is based on the Galois Field GF[2^233]. The
field size is 233. The irreducible polynomial used to represent the
field is:
u^233 + u^74 + 1.
The equation for the elliptic curve is:
y^2 + xy = x^3 + 1.
Group Generator G:
0x02017232ba853a7e731af129f22ff4149563a419c26bf50a4c9d6eefad6126
The order of the generator G is the prime:
0x8000000000000000000000000000069d5bb915bcd46efb1ad5f173abdf
The curve order is four times this prime.
3. Test Vectors
What follows is a set of test vectors, in the form:
<SEC 2 name for elliptic curve group>
i = <initiator secret value>
r = <responder secret value>
KEi = <initiator key exchange payload>
KEr = <responder key exchange payload>
Z = <raw shared secret>
Here are the test vectors:
secp192r1
i = 0x7092e5fd43a17f6a3375325989284eba093564e1944e176d
r = 0xd6185566ec0b1f52cc56276560907cb1a8683d8449b882ce
KEi = 0x00000021001600003841c988076d857fdda4ccf3bae5cf5f521336a650fdc7dc4
KEr = 0x000000210016000003445a52f30ce615c53e1175c04db6f0bb7a03d3096e2c209e
Z = 0xcac49383d8bf6b5fd8e5d5b769c0a91f68f9b5d091b831d8
secp224r1
i = 0x626167f5e43652607a9cc40035c6dca7256fa3721a68baf4e40f86e1
r = 0x38524a05e71d023361bfdb290b69d15b7d8390aa5ac837a0c82d9f63
KEi = 0x000000250018000029167b2a96e1cbde468976e364d4d3110c8f58f579c44a0be3c98a1a8
KEr = 0x000000250018000002dc7765dea1a085f3f077f138854fe0850ca89c2e32d0377bde245815
Z = 0x7b1bf04233c15681ba5302221a2ce34b18a92dbbb37cc0a772a91516
secp256r1
i = 0x9d3ae8148192a83f20530cb25edb11e8b7ea13583a70ca345b0f571b91317abe
r = 0x922d3e7c675bb9b4d9613ff21793991b3623844f072e53d28a6baff89cf85ab4
KEi = 0x00000029001300003084cc47b198b640da01bc10dfcfa034db89dbb072ea0ae9cd6eac60900ffc492
KEr = 0x000000290013000002b9528b7eb564634315ebe2f1e3e4fabd671d8e6f487b6ee35796a6a6daaed1f7
Z = 0x52c8f824e13b40651b0ec4ad8dbdb116b15aebc48fbc0360d84ff8cdc3c73e6c
secp384r1
i = 0x52d3051d6675ed1e52a4e9224fb2ad9a910358bb9a72ddf7d96a2383bad90ef815f83a94edfe52a01193f843d29f1958
r = 0xf13ba4709dee2f4532b251bfb3b1b87b1adac356299e4ea9472356aca6ddad290b00f2214740f693c6a03c2dc52bd419
KEi = 0x000000390014000032991ae8b27d7080db619140023dc7241cdbcd8130de451f9268c420674b8169973f89be2f3d9f3082cb049511457db35
KEr = 0x00000039001400000270a447c2e24022c3a52f95634a17052a02831cca790e6f0c1feff9515a38cfd7c487abd9e19e8f4ef49b8a4b268b1a0f
Z = 0xf3cde42e0e9dd28982294ac1af62cbd1429f289911b3e0535a81ebb513a2903bc53f0ecd5c5110835e5a4a903629b0c5
secp521r1
i = 0xea78946abd68bb79a55f8f9993cf5389fbb0a10d3b58062429c6322a987c957f8854a5a4ec636d702a7b07537341f6319cc6d03c447da5e9f59d28460caa98dbeb
r = 0xe68807bbdc90cca27848c6bc38426ddf5b19c09d144d041706bc9ed1afade9e81585faf9e173f340001016ef82ea5b4a8b785fee0c403a6e39228df62a337e479c
KEi = 0x0000004b00150000300584c2476258dd61c098761710976c4b50fc4c47177f42562f2d575bf933c7699122bc37c77da0a7079e0a4c2d1318d33764241e4c562c7ff7bad5cf0ce1edddfa0
KEr = 0x0000004b0015000002011483326d756d8600c5d8c6a0bc60c80297c37e3368f45bbcf4d5db78ad4b1b1d8584b019416f92e8e65f5fe370fb35558a61327903042ae798095c5638e093a0b4
Z = 0x006ea860d9c8518ce2de03a00a9d4c6648cd33cb665302c9e41163e9b6b7ededf892c9c85c63d7c2cc76e3c2f3cfe2fd8cd13314658f6f4da6198dd9fd99cd42de1b
sect163r1
i = 0x647f8bc4fa3fa625b41456b91c899269ffe277bc
r = 0xef8fa305ed836a8fdf206e6594f086f9762e6f69
KEi = 0x0000001e000600000300e772d9e512e971a512b9406edce999b50bee78b2
KEr = 0x0000001e00060000020115ed6148869f8be399230825b2207ee9e4949381
Z = 0x01d75dd0142db15a25b6f8024bab20ee78f90f409f
sect163r2
i = 0x027e06da864be3862c261654c15ec5568e45eb7fb6
r = 0x03a7c88fa7363f8ff9ff1d2813027089bd96e07c48
KEi = 0x0000001e001700000302ed80fc3986c4a978b09c34dcbc376a7975b92276
KEr = 0x0000001e001700000201aed6520fb2468fb424dec3c31c4a1fc0e1cf702a
Z = 0x07befaa40951cf0d1c972d4df6297d5c30b726cf98
sect163k1
i = 0x0137fb36360a457b6a23b29e11a4760a177881808a
r = 0x010c489bbb3b602a7df626e9f0625294b1d795a032
KEi = 0x0000001e000700000305be095b0829318fa0e3e0096e31bfb829b8ee95ec
KEr = 0x0000001e000700000205d9c945eb02dec3b7ad1bace077bf37753e3326b3
Z = 0x07b13e8c9452ab89113680725df13128c055c9d3ce
sect233r1
i = 0x5b038de50df0f1f49a06c1fb46c45d5ac63e4541b99df19421c33b7902
r = 0x3b48a62665e29c5f78ff6b7714c1bb82ad210c8c29572eaccbdc3abbce
KEi = 0x00000027001900000301334d9878fa49d0dbbf5978f49e57aeaad93a1c3fbd7a17acc369dd68d1
KEr = 0x0000002700190000030158db2605ce543cc4220248bcce6cc055d8d4ee4ea1e49ef1b9dd823797
Z = 0x00b0dcfc6d66c3d1d987f8b075edc92763257bfcbaa7af34b8f6242d5d3c
sect233k1
i = 0x4ea153c305784cf023a54756a99281e1a8105ab85bb638980d07de46a2
r = 0x424a89451d6cd439305e44f06fc574ec8268b626560a44ee85b624d589
KEi = 0x00000027001a000003014e271e22edf7df456f59b366b8462c5f6ef26bddfb67ed764a5b39e6dc
KEr = 0x00000027001a000002014b5633f29fdf353ebb6375ddffec46f162f419d7962a8d04fdb93e38ee
Z = 0x00f3ef4179b17ceb7e041581727d01cf3d7423ec249f44d353d1e2de7412
sect283r1
i = 0x0294203ab7551182dec6b777f4d1c65bdb75275217a356a7efad130355aa3f17aeb3852f
r = 0x033149120a7d8d984f2c3346d9ec88962f5b05451d5ead843dd278dedf49bd8424009110
KEi = 0x0000002d000800000201959e200deaa62d055e1d4e141ed7dcdfde810570864431cc5a280a229418b8dfc4c186
KEr = 0x0000002d0008000003034237aff2fae31d2bed603ba7e0aa9cbefee1313bec6905f40e270cf448c36ec7d95981
Z = 0x066c0249c890ffeda0ce0fd3bd76a6506423f8685e649d035842bf25a388ec4edd207eff
sect283k1
i = 0x0902492408f4d64e351eabe7b9da659f089a20a2d19f62b92499a3ebf24106374ab51b
r = 0x0e2a59cb494b49784436e0532cf25ee444225ffd39139bba2e19d3bae482f651368716
KEi = 0x0000002d0009000002044e95ad563972553e8c29c89e4f57155c179938ec1b864487e287fe94a48ba59de2f44b
KEr = 0x0000002d00090000030658a18c6946e19f17a1f8eb44b4610d0052c97cb522962738a58438a5ecc96deffd84b5
Z = 0x0194027ad85e4075d89247b2e3c3500debff0dce5ad63a02a07652dfb7da3b75afe11e88
sect409r1
i = 0x18624d825f61d687d6f7707ff35a23b329feea913ec45afe81d79e4a09b7d026e8da7fb40f972a53d6fa1e6f0de235c781254b
r = 0xf73eec0f98ab794f0633f4ee84cca2f8dc1a1fdebe8503376418029c5cf14e34788d8ea32857128c67297413902e9dd7b8c730
KEi = 0x0000003d000a000002016f9e561b996d1d3ac2720e7cace86cc96d58c2518814ff92209638daee256e405590cbd7a05c2a4e24daec0bf005777e89eb49
KEr = 0x0000003d000a00000300ea451ad0be01cdeba8f3b7c1270810f8725f03e76768bd07cd78cbd7a1c4d354abba3615658ef81e397d99b6c261a77f7103f5
Z = 0x00beb0ecd7886e0bc13dead143621dd17133dbdae112b0f9168ee853e259c5b026b4582f6ccb69cde62c7000fbb3545d2d89e25f
sect409k1
i = 0x600b86e20b7a66d8af5cd1e3a22adbcf1f6e65563dd932af6589d0953b517a566f6230de70f368399c13533ecba3292490cbfb
r = 0x77d677250e919500a410cbb02c6842d9c12fa8a8b57f539da192a025b92b4166e317b75764a4235854ed3dac477483de03e2f2
KEi = 0x0000003d000b00000300964b2b14557951de6ffea67eec4239a2660022a45b2659db5d924251c4005b0d4de347b6fde76fc43bce546d7cd4f977d5797a
KEr = 0x0000003d000b000003016ecd20beea517ae36a40e330d8a56812559f5e5ffd16fa6716f953814d9bf37570d79b180687b5a385bfb9420f2550e4b6138e
Z = 0x00a1f44a752e980f3db78ee562786949afa2e5867d8cc9cf078c8f54a7de9107af70fc876f5bd1e194c53e7a56043397ef2c8b50
sect571r1
i = 0xe422d8400d8e629990c7ca8b26b74a0d873d8d6d906f4af6e44c617663327773f0a1c5f0355ac9dcb2c4c0b6a13e38e18b35cda665a1e5134be36044d3d387789e01c2be6d0713
r = 0x01e58461bb4f5bbb737dfe617150968b2a9773e7f4425ac5a40a9ef4280f97d7a057b2df91b3ccf77beb2990596e998fd57b3c42a46e694faf1923a6b1899a706ce4b346424b1b7d
KEi = 0x00000051000c00000302c17e8482e65e8eafd4ebe150bf93fd8797db78b7c36539724d6979c7b2b9428be38e0bbf94f643bd6647477a33e589cb491b1f2015f9bb5e5999153de52d8150e50ec557c720da
KEr = 0x00000051000c000003030e89d2c1aa8a278e43b853066adf742fdd7491414d907a74c011371bdf64dc38502f2e18ae79ac7024005398959de999e25965294561024ff0b510855f27263dd0d1cff78cbeb3
Z = 0x0579791ff1725f09c70e7378278137c07dcb5c412b30f7ae681a868141404ea95d945f26d4d0da1ba38602915b67184e23288e4f3021b57802821d44948689871e68cfc282862cc5
sect571k1
i = 0x01fb96e0fb6f5c5703b258e032ee9cf3fc5eb27b37bfc797cf7954ef82e37cfa551e549208af3365882343cffc7fca72949b3346ff49cd3251a3a17200a0eef8b64bce70a5087cad
r = 0x2b25d3d5fd86cb53a0fef2fb4ffc4e20f1ac33a147d69d4531676dfd8a92a6b9bf6c34379189eba87679bdee05e0f8a45790fb77e4fc47c7babe4170839a93beb58e214c1a8470
KEi = 0x00000051000d00000301e4dc1f82924ea99921babda3ee48792836ec1d033578e7a3d372f93601182b511589d2a84d9fab6e86d5ea8f00dddf5c8b1c22bbd9bc96b191da5bab247af9e666e6824ffe2b72
KEr = 0x00000051000d0000020496673c15e735aba12ea6a1413c4ea6e50eddec8f21b222df40925f483d85e779f48e3439f88118e325f6e3aa6e4ee285544079ed2ea4d8680b5d9c06ab232944e62e93e1cf8f9b
Z = 0x066c0d8bcf8c17f27d7367bf0e8a9c2931fa258be3b7861a6c021a5bb52d214ab19235280e9c6b61bf72c20a8d64c26a9a4b9ff075fd3be6be03c33c56e6cf3ff7517e5b08dcbe65
4. Security Considerations
Since this document proposes new groups for use within IKE and IKEv2,
many of the security considerations contained within RFC 2409 apply
here as well.
Many of the groups proposed in this document offer higher strength
than the groups in RFC 2409. This allows IKE and IKEv2 to offer
security comparable with the proposed AES algorithms.
In addition, since all the new groups are defined over GF[P] with P
prime or GF[2^N] with N prime, they address the concerns expressed
regarding the elliptic curve groups included in RFC 2409, which are
curves defined over GF[2^N] with N composite. The work of Gaudry,
Hess, and Smart [WEIL] reveals some of the weaknesses in such groups.
5. Intellectual Property Rights
The IETF has been notified of intellectual property rights claimed in
regard to the specification contained in this document.
For more information, consult the online list of claimed rights
(http://www.ietf.org/ipr.html).
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
6. Acknowledgments
To be added.
7. References
[ECP-IKE] D. Fu, J. Solinas, ECP Groups for IKE and IKEv2,
draft-ietf-ipsec-ike-ecp-groups-02.txt, work in progress.
[IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC
2409, November 1998.
[IKEv2] C. Kaufman, Editor, Internet Key Exchange (IKEv2) Protocol,
draft-ietf-ipsec-ikev2-17.txt, work in progress.
[IANA] Internet Assigned Numbers Authority. Attribute Assigned
Numbers.
(http://www.isi.edu/in-notes/iana/assignments/ipsec-registry)
[IEEE-1363] Institute of Electrical and Electronics Engineers. IEEE
1363-2000, Standard for Public Key Cryptography. IEEE
Microprocessor Standards Committee. August 2001.
(http://grouper.ieee.org/groups/1363/index.html)
[KOB] N. Koblitz, CM curves with good cryptographic properties.
Proceedings of Crypto '91. Pages 279-287. Springer-Verlag, 1992.
[FIPS-186-2] U.S. Department of Commerce/National Institute of
Standards and Technology. Digital Signature Standard (DSS), FIPS
PUB 186-2, January 2000.
(http://csrc.nist.gov/fips/fips186-2.pdf)
[HOF] P. Hoffman and H. Orman, Determining strengths for public keys
used for exchanging symmetric keys, Internet-draft. August 2000.
[LEN] A. Lenstra and E. Verheul, Selecting cryptographic key sizes.
Available at: www.cryptosavvy.com.
[JMS] M. Jacobson, A. Menezes and A. Stein, Solving Elliptic
Curve Discrete Logarithm Problems Using Weil Descent,
Combinatorics and Optimization Research Report 2001-31, May 2001.
Available at http://www.cacr.math.uwaterloo.ca/.
[MODP-IKE] T. Kivinen and M. Kojo, More Modular Exponential (MODP)
Diffie-Hellman groups for Internet Key Exchange (IKE),
rfc3526.txt, May 2003.
[SEC2] Standards for Efficient Cryptography Group. SEC 2 -
Recommended Elliptic Curve Domain Parameters. Working Draft
Ver. 1.0., 2000. (http://www.secg.org)
[SOL] J. Solinas, An improved algorithm for arithmetic on a family
of elliptic curves, Proceedings of Crypto '97, Pages 357-371,
Springer-Verlag, 1997.
[WEIL] Gaudry, P., Hess, F., Smart, Nigel P. Constructive and
Destructive Facets of Weil Descent on Elliptic Curves, HP Labs
Technical Report No. HPL-2000-10, 2000.
(http://www.hpl.hp.com/techreports/2000/HPL-2000-10.html)
[X9.62] American National Standards Institute, ANS X9.62-2005:
Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm. November 2005.
[X9.63] American National Standards Institute. ANSI X9.63-2001,
Public Key Cryptography for the Financial Services Industry: Key
Agreement and Key Transport using Elliptic Curve Cryptography.
November 2001.
8. Author's Addresses
Daniel R. L. Brown
Certicom Corp.
dbrown@certicom.com
9. Full Copyright Statement
Copyright (C) The Internet Society (2006). This document is
subject to the rights, licenses and restrictions contained in BCP
78, and except as set forth therein, the authors retain all their
rights.
This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.