ECP Groups For IKE and IKEv2
RFC 4753

Document Type RFC - Informational (January 2007; Errata)
Obsoleted by RFC 5903
Was draft-ietf-ipsec-ike-ecp-groups (individual in sec area)
Last updated 2013-03-02
Stream IETF
WG state (None)
Consensus Unknown
Document shepherd No shepherd assigned
IESG state RFC 4753 (Informational)
Responsible AD Russ Housley
Send notices to jsolinas@orion.ncsc.mil, defu@orion.ncsc.mil
Network Working Group                                              D. Fu
Request for Comments: 4753                                    J. Solinas
Category: Informational                                              NSA
                                                            January 2007

                      ECP Groups for IKE and IKEv2

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes new Elliptic Curve Cryptography (ECC) groups
   for use in the Internet Key Exchange (IKE) and Internet Key Exchange
   version 2 (IKEv2) protocols in addition to previously defined groups.
   Specifically, the new curve groups are based on modular arithmetic
   rather than binary arithmetic.  These new groups are defined to align
   IKE and IKEv2 with other ECC implementations and standards,
   particularly NIST standards.  In addition, the curves defined here
   can provide more efficient implementation than previously defined ECC
   groups.

Table of Contents

   1. Introduction ....................................................2
   2. Requirements Terminology ........................................3
   3. Additional ECC Groups ...........................................3
      3.1. 256-bit Random ECP Group ...................................3
      3.2. 384-bit Random ECP Group ...................................4
      3.3. 521-bit Random ECP Group ...................................5
   4. Security Considerations .........................................6
   5. Alignment with Other Standards ..................................6
   6. IANA Considerations .............................................6
   7. ECP Key Exchange Data Formats ...................................7
   8. Test Vectors ....................................................7
      8.1. 256-bit Random ECP Group ...................................8
      8.2. 384-bit Random ECP Group ...................................9
      8.3. 521-bit Random ECP Group ..................................10
   9. References .....................................................12

Fu & Solinas                 Informational                      [Page 1]
RFC 4753              ECP Groups for IKE and IKEv2          January 2007

1.  Introduction

   This document describes default Diffie-Hellman groups for use in IKE
   and IKEv2 in addition to the Oakley groups included in [IKE] and the
   additional groups defined since [IANA-IKE].  This document assumes
   that the reader is familiar with the IKE protocol and the concept of
   Oakley Groups, as defined in RFC 2409 [IKE].

   RFC 2409 [IKE] defines five standard Oakley Groups: three modular
   exponentiation groups and two elliptic curve groups over GF[2^N].
   One modular exponentiation group (768 bits - Oakley Group 1) is
   mandatory for all implementations to support, while the other four
   are optional.  Thirteen additional groups subsequently have been
   defined and assigned values by IANA.  All of these additional groups
   are optional.  Of the eighteen groups defined so far, eight are MODP
   groups (exponentiation groups modulo a prime), and ten are EC2N
   groups (elliptic curve groups over GF[2^N]).  See [RFC3526] for more
   information on MODP groups.

   The purpose of this document is to expand the options available to
   implementers of elliptic curve groups by adding three ECP groups
   (elliptic curve groups modulo a prime).  The reasons for adding such
   groups include the following.

   - The groups proposed afford efficiency advantages in software
     applications since the underlying arithmetic is integer arithmetic
     modulo a prime rather than binary field arithmetic.  (Additional
     computational advantages for these groups are presented in [GMN].)

   - The groups proposed encourage alignment with other elliptic curve
     standards.  The proposed groups are among those standardized by
     NIST, the Standards for Efficient Cryptography Group (SECG), ISO,
     and ANSI.  (See Section 5 for details.)

   - The groups proposed are capable of providing security consistent
     with the new Advanced Encryption Standard.

   These groups could also be defined using the New Group Mode, but
   including them in this RFC will encourage interoperability of IKE
   implementations based upon elliptic curve groups.  In addition, the
   availability of standardized groups will result in optimizations for
   a particular curve and field size and allow precomputation that could
   result in faster implementations.

   In summary, due to the performance advantages of elliptic curve
   groups in IKE implementations and the need for further alignment with