 1/draftietfipsecikeecpgroups02.txt 20071106 23:48:38.000000000 +0100
+++ 2/draftietfipsecikeecpgroups03.txt 20071106 23:48:38.000000000 +0100
@@ 1,16 +1,17 @@
+
IPSec Working Group D. Fu, NSA
INTERNETDRAFT J. Solinas, NSA
Expires March 30, 2006 September 30, 2005
+Expires November 15, 2006 May 15, 2006
ECP Groups For IKE and IKEv2

+
Status of this Memo
By submitting this InternetDraft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
InternetDrafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
@@ 34,42 +35,45 @@
in addition to previously defined groups. Specifically, the new
curve groups are based on modular arithmetic rather than binary
arithmetic. These new groups are defined to align IKE and IKEv2
with other ECC implementations and standards, particularly NIST
standards. In addition, the curves defined here can provide more
efficient implementation than previously defined ECC groups.
Table of Contents
1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . 3
 2. Additional ECC Groups . . . . . . . . . . . . . . . . . . . 4
 2.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 4
 2.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 5
 2.3. TwentyFirst Group. . . . . . . . . . . . . . . . . . 6
 3. Security Considerations . . . . . . . . . . . . . . . . . . 7
 4. Alignment with Other Standards. . . . . . . . . . . . . . . 7
 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . 8
 6. Test Vectors. . . . . . . . . . . . . . . . . . . . . . . . 8
 6.1 Nineteenth Group. . . . . . . . . . . . . . . . . . . 8
 6.2. Twentieth Group . . . . . . . . . . . . . . . . . . . 9
 6.3. TwentyFirst Group. . . . . . . . . . . . . . . . . . 10
 7. References. . . . . . . . . . . . . . . . . . . . . . . . . 11
 7.1 Normative . . . . . . . . . . . . . . . . . . . . . . 11
 7.2. Informative . . . . . . . . . . . . . . . . . . . . . 11
+ 2. Requirements Terminology. . . . . . . . . . . . . . . . . . 4
+ 3. Additional ECC Groups . . . . . . . . . . . . . . . . . . . 4
+ 3.1 256bit Random Curve Group. . . . . . . . . . . . . . 4
+ 3.2. 384bit Random Curve Group. . . . . . . . . . . . . . 5
+ 3.3. 521bit Random Curve Group. . . . . . . . . . . . . . 5
+ 4. Security Considerations . . . . . . . . . . . . . . . . . . 6
+ 5. Alignment with Other Standards. . . . . . . . . . . . . . . 7
+ 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . 7
+ 7. ECP Key Exchange Data Formats . . . . . . . . . . . . . . . 8
+ 8. Test Vectors. . . . . . . . . . . . . . . . . . . . . . . . 8
+ 8.1 256bit Random Curve Group. . . . . . . . . . . . . . 8
+ 8.2. 384bit Random Curve Group. . . . . . . . . . . . . . 9
+ 8.3. 521bit Random Curve Group. . . . . . . . . . . . . . 11
+ 9. References. . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 9.1 Normative . . . . . . . . . . . . . . . . . . . . . . 13
+ 9.2. Informative . . . . . . . . . . . . . . . . . . . . . 13
+ 10. Authors' Addresses. . . . . . . . . . . . . . . . . . . . . 14
1. Introduction
This document describes default DiffieHellman groups for use in
IKE and IKEv2 in addition to the Oakley groups included in [IKE] and
 the additional groups defined since [IANA]. The document assumes
 that the reader is familiar with the IKE protocol and the concept of
 Oakley Groups, as defined in RFC 2409 [IKE].
+ the additional groups defined since [IANAIKE]. This document
+ assumes that the reader is familiar with the IKE protocol and the
+ concept of Oakley Groups, as defined in RFC 2409 [IKE].
RFC 2409 [IKE] defines five standard Oakley Groups  three modular
exponentiation groups and two elliptic curve groups over GF[2^N].
One modular exponentiation group (768 bits  Oakley Group 1) is
mandatory for all implementations to support, while the other four
are optional. Thirteen additional groups subsequently have been
defined and assigned values by IANA. All of these additional groups
are optional. Of the eighteen groups defined so far, eight are MODP
groups (exponentiation groups modulo a prime) and ten are EC2N groups
(elliptic curve groups over GF[2^N]).
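Review bot: the renamed Table of Contents entries for 3.1-3.3 and 8.1-8.3 read "256bit Random Curve Group" (and 384/521), but the section headings this patch introduces read "3.1 256bit Random ECP Group" (likewise 3.2, 3.3 and 8.1-8.3), the column heads of the revised alignment table say "Random ECP Group", and the IANA descriptions in the new Section 6 say "256bit random ECP group"; settle on one name, preferably the "ECP Group" form since that is what the headings and the IANA text carry, and update the ToC lines to match so the ToC is not the odd one out.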
@@ 79,79 +83,53 @@
(elliptic curve groups modulo a prime). The reasons for adding such
groups include the following.
 The groups proposed afford efficiency advantages in software
applications since the underlying arithmetic is integer arithmetic
modulo a prime rather than binary field arithmetic. (Additional
computational advantages for these groups are presented in [GMN].)
 The groups proposed encourage alignment with other elliptic curve
standards. The proposed groups are among those standardized by
 NIST, by the SECG, by ISO, and by ANSI. (See section 3 for
+ NIST, by the SECG, by ISO, and by ANSI. (See Section 3 for
details.)
 The groups proposed are capable of providing security consistent
with the new Advanced Encryption Standard.
These groups could also be defined using the New Group Mode but
including them in this RFC will encourage interoperability of IKE
implementations based upon elliptic curve groups. In addition, the
availability of standardized groups will result in optimizations for
a particular curve and field size as well as allowing precomputation
that could result in faster implementations.
 It is anticipated that the groups proposed here will be assigned
 identifiers by IANA [IANA]. In that case the full list of assigned
 values for the Group Description class within IKE will be the
 following. (The groups defined in this document are listed as
 19, 20, and 21.)
 IANA IANA NIST
 Value Group Type Identifier Group Description
    
 1 1 MODP 768bit MODP group
 2 1 MODP 1024bit MODP group
 3 3 EC2N Elliptic curve group over GF[2^155]
 4 3 EC2N Elliptic curve group over GF[2^185]
 5 1 MODP 1536bit MODP group
 6 3 EC2N B163 Random curve group over GF[2^163]
 7 3 EC2N K163 Koblitz curve group over GF[2^163]
 8 3 EC2N B283 Random curve group over GF[2^283]
 9 3 EC2N K283 Koblitz curve group over GF[2^283]
 10 3 EC2N B409 Random curve group over GF[2^409]
 11 3 EC2N K409 Koblitz curve group over GF[2^409]
 12 3 EC2N B571 Random curve group over GF[2^571]
 13 3 EC2N K571 Koblitz curve group over GF[2^571]
 14 1 MODP 2048bit MODP group
 15 1 MODP 3072bit MODP group
 16 1 MODP 4096bit MODP group
 17 1 MODP 6144bit MODP group
 18 1 MODP 8192bit MODP group
 19 2 ECP P256 256bit random curve group
 20 2 ECP P384 384bit random curve group
 21 2 ECP P521 521bit random curve group

In summary, due to the performance advantages of elliptic curve
groups in IKE implementations and the need for further alignment with
other standards, this document defines three elliptic curve groups
based on modular arithmetic.
2. Additional ECC Groups
+2. Requirements Terminology
+
+ Keywords "MUST" and "SHOULD" that appear in this document are to be
+ interpreted as described in [RFC2119].
+
+3. Additional ECC Groups
The notation adopted in RFC 2409 [IKE] is used below to describe the
new groups proposed.
2.1 Nineteenth Group
+3.1 256bit Random ECP Group
IKE and IKEv2 implementations SHOULD support an ECP group with the
 following characteristics. This group is assigned id 19 (nineteen).
 The curve is based on the integers modulo the generalized Mersenne
 prime p given by
+ following characteristics. The curve is based on the integers modulo
+ the generalized Mersenne prime p given by
p = 2^(256)2^(224)+2^(192)+2^(96)1 .
The equation for the elliptic curve is:
y^2 = x^3  3 x + b.
Field size:
256
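Review bot: the cross-reference in the bullet on alignment with other standards is touched only to capitalize "Section" ("(See Section 3 for details.)"), but after this patch inserts "2. Requirements Terminology" and "7. ECP Key Exchange Data Formats" and renumbers, Section 3 is "Additional ECC Groups" and the material the bullet points at, "Alignment with Other Standards", is Section 5; change it to "(See Section 5 for details.)". Dropping the full IANA value table from the Introduction is consistent with the test-vector wording "It is assumed ... assigned the id number 19 by IANA", but the sentence "including them in this RFC will encourage interoperability" then leans on IANA assignment that the draft no longer shows; a pointer to Section 6 at that spot would keep the reader oriented.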
@@ 170,25 +148,25 @@
C49D3608 86E70493 6A6678E1 139D26B7 819F7E90
The generator for this group is given by g=(gx,gy) where
gx:
6B17D1F2 E12C4247 F8BCE6E5 63A440F2 77037D81 2DEB33A0 F4A13945 D898C296
gy:
4FE342E2 FE1A7F9B 8EE7EB4A 7C0F9E16 2BCE3357 6B315ECE CBB64068 37BF51F5
2.2 Twentieth Group
+3.2 384bit Random ECP Group
IKE implementations SHOULD support an ECP group with the following
characteristics. This group is assigned id 20 (twenty). The curve is
based on the integers modulo the generalized Mersenne prime p given by
+ IKE and IKEv2 implementations SHOULD support an ECP group with the
+ following characteristics. The curve is based on the integers modulo
+ the generalized Mersenne prime p given by
p = 2^(384)2^(128)2^(96)+2^(32)1 .
The equation for the elliptic curve is:
y^2 = x^3  3 x + b.
Field size:
384
@@ 212,25 +190,25 @@
The generator for this group is given by g=(gx,gy) where
gx:
AA87CA22 BE8B0537 8EB1C71E F320AD74 6E1D3B62 8BA79B98 59F741E0 82542A38
5502F25D BF55296C 3A545E38 72760AB7
gy:
3617DE4A 96262C6F 5D9E98BF 9292DC29 F8F41DBD 289A147C E9DA3113 B5F0B8C0
0A60B1CE 1D7E819D 7A431D7C 90EA0E5F
2.3 TwentyFirst Group
+3.3 521bit Random ECP Group
 IKE implementations SHOULD support an ECP group with the following
 characteristics. This group is assigned id 21 (twentyone). The
 curve is based on the integers modulo the Mersenne prime p given by
+ IKE and IKEv2 implementations SHOULD support an ECP group with the
+ following characteristics. The curve is based on the integers modulo
+ the Mersenne prime p given by
p = 2^(521)1 .
The equation for the elliptic curve is:
y^2 = x^3  3 x + b.
Field size:
521
@@ 259,73 +237,113 @@
gx:
00C6858E 06B70404 E9CD9E3E CB662395 B4429C64 8139053F B521F828 AF606B4D
3DBAA14B 5E77EFE7 5928FE1D C127A2FF A8DE3348 B3C1856A 429BF97E 7E31C2E5
BD66
gy:
01183929 6A789A3B C0045C8A 5FB42C7D 1BD998F5 4449579B 446817AF BD17273E
662C97EE 72995EF4 2640C550 B9013FAD 0761353C 7086A272 C24088BE 94769FD1
6650
3. Security Considerations
+4. Security Considerations
 Since this document proposes new groups for use within IKE, many of
 the security considerations contained within RFC 2409 apply here as
 well.
+ Since this document proposes new groups for use within IKE and IKEv2,
+ many of the security considerations contained within [IKE] and
+ [IKEv2] apply here as well.
The groups proposed in this document correspond to the symmetric key
sizes 128 bits, 192 bits, and 256 bits. This allows the IKE key
exchange to offer security comparable with the AES algorithms [AES].
4. Alignment with Other Standards
+5. Alignment with Other Standards
The following table summarizes the appearance of these three
elliptic curve groups in other standards.
 Standard Group 19 Group 20 Group 21
+ 256bit 384bit 521bit
+ Random Random Random
+ Standard ECP Group ECP Group ECP Group
+    
NIST [DSS] P256 P384 P521
ISO/IEC [ISO159461] P256
ISO/IEC [ISO18031] P256 P384 P521
ANSI [X9.621998] Sect. J.5.3,
Example 1
ANSI [X9.622003] Sect. J.6.5.3 Sect. J.6.6 Sect. J.6.7
ANSI [X9.63] Sect. J.5.4, Sect. J.5.5 Sect. J.5.6
Example 2
SECG [SEC2] secp256r1 secp384r1 secp521r1
See also [NIST], [ISO148883], [ISO159462], [ISO159463], and
[ISO159464].
5. IANA Considerations
+6. IANA Considerations
Before this document can become an RFC, it is required that IANA
 update its registry of DiffieHellman groups for IKE in [IANA] to
 include the three groups defined above.
+ update its registries of DiffieHellman groups for IKE in [IANAIKE]
+ and for IKEv2 in [IANAIKEv2] to include the groups defined above.
6. Test Vectors
+ In [IANAIKE], the groups are to appear as new entries in the list of
+ DiffieHellman groups given by Group Description (attribute class 4).
+ The descriptions are "256bit random ECP group", "384bit random ECP
+ group", and "521bit random ECP group". In each case, the group type
+ (attribute class 5) has the value 2 (ECP, elliptic curve group over
+ GF[P]).
+
+ In [IANAIKEv2], the groups are to appear as new entries in the list
+ of IKEv2 transform type values for Transform Type 4 (DiffieHellman
+ groups).
+
+7. ECP Key Exchange Data Formats
+
+ In an ECP key exchange, the DiffieHellman public value passed in a
+ KE payload consists of two components, x and y, corresponding to the
+ coordinates of an elliptic curve point. Each component MUST have
+ bit length as given in the following table.
+
+ DiffieHellman group component bit length
+  
+
+ 256bit Random ECP Group 256
+ 384bit Random ECP Group 384
+ 521bit Random ECP Group 528
+
+ This length is enforced, if necessary, by prepending the value with
+ zeros.
+
+ The DiffieHellman public value is obtained by concatenating the x
+ and y values.
+
+ The format of the DiffieHellman shared secret value is the same as
+ that of the DiffieHellman public value.
+
+8. Test Vectors
The following are examples of the IKEv2 key exchange payload for each
of the three groups specified in this document.
We denote by g^n the scalar multiple of the point g by the
integer n; it is another point on the curve. In the literature, the
scalar multiple is typically denoted ng; the notation g^n is
used in order to conform to the notation used in [IKE] and [IKEv2].
6.1 Nineteenth Group
+8.1 256bit Random ECP Group
+
+ It is assumed for this example that this DiffieHellman group is
+ assigned the id number 19 by IANA.
We suppose that the initiator's DiffieHellman private key is
i:
C88F01F5 10D9AC3F 70A292DA A2316DE5 44E9AAB8 AFE84049 C62A9C57 862D1433
Then the public key is given by g^i=(gix,giy) where
gix:
DAD0B653 94221CF9 B051E1FE CA5787D0 98DFE637 FC90B9EF 945D0C37 72581180
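Review bot: the "528" in the component bit length table of the new Section 7 (against "521bit Random ECP Group") needs a sentence of explanation, otherwise it reads as a typo for 521: it is 521 rounded up to a whole number of octets (66 octets), which matches the 66-octet values in the 521-bit test vectors in 8.3 (e.g. the private key ending "... 7A57382D 4A52" and the coordinates that start "00C6..." / "0118..."). "This length is enforced, if necessary, by prepending the value with zeros" should say zero bits, so that for the 521-bit group the leading octet carries seven zero bits plus the top bit of the coordinate. Separately, Section 7 tells the receiver how to split the KE payload into x and y, but neither it nor the revised Section 4 says the receiver should check that (x, y) actually satisfies the curve equation before computing the shared secret; a sentence in Section 4 recommending that check would fit, since it is the one receiver-side step an ECP group adds over the MODP groups the rest of the Security Considerations text inherits from [IKE] and [IKEv2].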
@@ 367,21 +385,24 @@
522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2
These are concatenated to form
g^ir:
D6840F6B 42F6EDAF D13116E0 E1256520 2FEF8E9E CE7DCE03 812464D0 4B9442DE
522BDE0A F0D8585B 8DEF9C18 3B5AE38F 50235206 A8674ECB 5D98EDB2 0EB153A2
This is the value which is used in the formation of SKEYSEED.
6.2 Twentieth Group
+8.2 384bit Random ECP Group
+
+ It is assumed for this example that this DiffieHellman group is
+ assigned the id number 20 by IANA.
We suppose that the initiator's DiffieHellman private key is
i:
099F3C70 34D4A2C6 99884D73 A375A67F 7624EF7C 6B3C0F16 0647B674 14DCE655
E35B5380 41E649EE 3FAEF896 783AB194
Then the public key is given by g^i=(gix,giy) where
gix:
@@ 434,28 +455,32 @@
These are concatenated to form
g^ir:
11187331 C279962D 93D60424 3FD592CB 9D0A926F 422E4718 7521287E 7156C5C4
D6031355 69B9E9D0 9CF5D4A2 70F59746 A2A9F38E F5CAFBE2 347CF7EC 24BDD5E6
24BC93BF A82771F4 0D1B65D0 6256A852 C983135D 4669F879 2F2C1D55 718AFBB4
This is the value which is used in the formation of SKEYSEED.
6.3 TwentyFirst Group
+8.3 521bit Random ECP Group
+
+ It is assumed for this example that this DiffieHellman group is
+ assigned the id number 21 by IANA.
We suppose that the initiator's DiffieHellman private key is
i:
0037ADE9 319A89F4 DABDB3EF 411AACCC A5123C61 ACAB57B5 393DCE47 608172A0
95AA85A3 0FE1C295 2C6771D9 37BA9777 F5957B26 39BAB072 462F68C2 7A57382D
4A52
+
Then the public key is given by g^i=(gix,giy) where
gix:
0015417E 84DBF28C 0AD3C278 713349DC 7DF153C8 97A1891B D98BAB43 57C9ECBE
E1E3BF42 E00B8E38 0AEAE57C 2D107564 94188594 2AF5A7F4 601723C4 195D176C
ED3E
giy:
017CAE20 B6641D2E EB695786 D8C94614 6239D099 E18E1D5A 514C739D 7CB4A10A
D8A78801 5AC405D7 799DC75E 7B7D5B6C F2261A6A 7F150743 8BF01BEB 6CA3926F
@@ 512,34 +537,37 @@
g^ir:
01144C7D 79AE6956 BC8EDB8E 7C787C45 21CB086F A64407F9 7894E5E6 B2D79B04
D1427E73 CA4BAA24 0A347868 59810C06 B3C715A3 A8CC3151 F2BEE417 996D19F3
DDEA01B9 01E6B17D B2947AC0 17D853EF 1C1674E5 CFE59CDA 18D078E0 5D1B5242
ADAA9FFC 3C63EA05 EDB1E13C E5B3A8E5 0C3EB622 E8DA1B38 E0BDD1F8 8569D6C9
9BAFFA43
This is the value which is used in the formation of SKEYSEED.
7. References
+9. References
7.1 Normative
+9.1 Normative
 [IANA] Internet Assigned Numbers Authority, Internet Key Exchange
+ [IANAIKE] Internet Assigned Numbers Authority, Internet Key Exchange
(IKE) Attributes. (http://www.iana.org/assignments/ipsecregistry)
+ [IANAIKEv2] IKEv2 Parameters.
+ (http://www.iana.org/assignments/ikev2parameters)
+
[IKE] D. Harkins and D. Carrel, The Internet Key Exchange, RFC 2409,
November 1998.
 [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, 2004,
 http://www.ietf.org/internetdrafts/draftietfipsecikev217.txt
+ [IKEv2] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, RFC 4306,
+ December 2005.
7.2 Informative
+9.2 Informative
[AES] U.S. Department of Commerce/National Institute of Standards
and Technology, Advanced Encryption Standard (AES), FIPS PUB 197,
November 2001. (http://csrc.nist.gov/publications/fips/index.html)
[DSS] U.S. Department of Commerce/National Institute of Standards
and Technology, Digital Signature Standard (DSS), FIPS PUB 1862,
January 2000. (http://csrc.nist.gov/publications/fips/index.html)
[GMN] J. Solinas, Generalized Mersenne Numbers, Combinatorics
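Review bot: the new Requirements Terminology section cites [RFC2119], but this hunk adds no [RFC2119] entry under 9.1 Normative, so the citation dangles; add "[RFC2119] S. Bradner, Key words for use in RFCs to Indicate Requirement Levels, BCP 14, RFC 2119, March 1997." Also, the new [IANAIKEv2] entry is just "IKEv2 Parameters." plus a URL, while the adjacent [IANAIKE] entry names "Internet Assigned Numbers Authority"; give both entries the same form.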
@@ 603,39 +633,62 @@
[X9.622003] American National Standards Institute, X9.621998:
Public Key Cryptography for the Financial Services Industry: The
Elliptic Curve Digital Signature Algorithm,
RevisedDraft20030226, February 2003.
[X9.63] American National Standards Institute. X9.632001,
Public Key Cryptography for the Financial Services Industry: Key
Agreement and Key Transport using Elliptic Curve Cryptography.
November 2001.
7. Authors' Addresses
+10. Authors' Addresses
David E. Fu
National Information Assurance Research Laboratory
National Security Agency
defu@orion.ncsc.mil

Jerome A. Solinas
National Information Assurance Research Laboratory
National Security Agency
jasolin@orion.ncsc.mil
Comments are solicited and should be addressed to the author.
 Copyright (C) The Internet Society (2005).
+ Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
 Expires March 30, 2006
+Intellectual Property
+
+ The IETF takes no position regarding the validity or scope of any
+ Intellectual Property Rights or other rights that might be claimed to
+ pertain to the implementation or use of the technology described in
+ this document or the extent to which any license under such rights
+ might or might not be available; nor does it represent that it has
+ made any independent effort to identify any such rights. Information
+ on the procedures with respect to rights in RFC documents can be
+ found in BCP 78 and BCP 79.
+
+ Copies of IPR disclosures made to the IETF Secretariat and any
+ assurances of licenses to be made available, or the result of an
+ attempt made to obtain a general license or permission for the use of
+ such proprietary rights by implementers or users of this
+ specification can be obtained from the IETF online IPR repository at
+ http://www.ietf.org/ipr.
+
+ The IETF invites any interested party to bring to its attention any
+ copyrights, patents or patent applications, or other proprietary
+ rights that may cover technology that may be required to implement
+ this standard. Please address the information to the IETF at ietf
+ ipr@ietf.org.
+
+ Expires November 15, 2006
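Review bot: "Comments are solicited and should be addressed to the author." in Authors' Addresses still says "the author" although two authors are listed directly above it; make it "the authors". Renumbering "7. Authors' Addresses" to "10." also removes the clash with "7. References" in the previous revision, which is the right fix; nothing further needed in the copyright or Intellectual Property text.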