Internet Engineering Task Force (IETF)                   D. Harkins, Ed.
Request for Comments: 6932                                Aruba Networks
Category: Informational                                         May 2013
ISSN: 2070-1721
Brainpool Elliptic Curves for the Internet Key Exchange (IKE) Group Description Registry
Abstract
This memo allocates code points for four new elliptic curve domain parameter sets over finite prime fields into a registry that was established by the Internet Key Exchange (IKE) but is used by other protocols.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc6932.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Harkins Informational [Page 1]
RFC 6932 Brainpool ECC for IKE Group Registry May 2013
[RFC5639] defines new elliptic curve domain parameters for curves over a number of different prime fields, each with a "twisted" variant. These curves have a number of interesting security properties (as described in [EBP]) that make them desirable to use.
IANA maintains a registry for [RFC2409] to map complete domain parameter sets into easily referenced numbers. While [RFC2409] is deprecated, other protocols, for example [IEEE802.11] and [RFC5931], refer to this registry for its convenience. Therefore, this memo instructs IANA to allocate new code points for the Brainpool curves defined in [RFC5639] to the registry established by [RFC2409] for use by other protocols.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
[RFC5639] defines several elliptic curves over finite prime fields (ECP, in the parlance of [RFC2409]). The domain parameter sets for each of the elliptic curves defined in [RFC5639] are copied here for convenient reference.
The equation for all elliptic curves defined here is:
y^2 = x^3 + ax + b (mod p)
Domain parameter sets consist of:
o p: the prime
o a, b: parameters to the equation of the curve
o x, y: the coordinates of the generator for the group, G
o q: the order of the group formed by the generator G
o h: the co-factor
o z: the "twist" (for conversion into twisted curves)
[RFC5639] defines elliptic curves over seven (7) prime fields with a random and a "twisted" variety for each, for a total of fourteen (14) distinct curves. However, some of those curves are not particularly useful: the 160-bit curves provide only 80 bits of strength and that is too small to be of use in current cryptographic applications, and there is no standard hash function to use with the 196-bit and 320-bit curves -- it would make more sense to use the 224-bit and 384-bit curves, respectively, instead. For this reason, the curves defined over 160-bit, 192-bit, and 320-bit primes are not being added to the registry created by [RFC2409].
The twisted curves in [RFC5639] are isomorphic to the random curves of the same length. The curve parameter "a" for the twisted curves equals -3 mod p, and there are certain arithmetical advantages to using such curves. It is possible to convert a point from a random curve (x,y) into a point on the twisted curve (x', y') and back again using this equation:
(x',y') = (x*z^2, y*z^3)
This would allow an implementation to internally use the twisted version of the curve, taking full advantage of the arithmetical advantages, while exchanging points on the random versions of the curve with peers.
Therefore, the twisted curves are not being added to the registry created by [RFC2409]. Implementations that desire to use the twisted curves internally MUST refer to [RFC5639] for the complete domain parameter sets; only the "twist" is defined here.
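The conversion and the "twisted internally, random on the wire" arrangement described above, as an added example that is not part of this memo or of [RFC5639]. It assumes toy parameters constructed here (p = 97, a = 18, b = 5, z = 2, G = (1, 11)), which are not a Brainpool curve, and all function names are hypothetical.

```python
# Constructed toy parameters (NOT a Brainpool curve), small enough to check by hand.
P = 97          # prime p
A, B = 18, 5    # "random" curve: y^2 = x^3 + 18x + 5 (mod 97)
Z = 2           # twist z, chosen so that A * Z^4 = -3 (mod P)
G = (1, 11)     # a point on the random curve; None represents the point at infinity

def twisted_params():
    """(a', b') of the isomorphic twisted curve: a' = a*z^4, b' = b*z^6."""
    return A * pow(Z, 4, P) % P, B * pow(Z, 6, P) % P

def on_curve(pt, a, b):
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + a * pt[0] + b)) % P == 0

def scale(pt, z):
    """(x, y) -> (x*z^2, y*z^3); with z = Z this maps random -> twisted."""
    return None if pt is None else (pt[0] * z * z % P, pt[1] * z ** 3 % P)

def to_twisted(pt):
    return scale(pt, Z)

def to_random(pt):
    return scale(pt, pow(Z, -1, P))   # inverse map uses z^-1 mod p

def add(p1, p2, a):
    """Affine point addition on y^2 = x^3 + ax + b; b is not needed."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                    # P + (-P), or doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt, a):
    """Double-and-add; illustrative only, not constant-time."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, a)
        pt, k = add(pt, pt, a), k >> 1
    return acc

def ecdh_via_twist(d, peer_pub):
    """Peer point arrives on the random curve; multiply on the twisted curve, map back."""
    return to_random(mul(d, to_twisted(peer_pub), twisted_params()[0]))
```

Because the map is a group isomorphism, the result of ecdh_via_twist equals a scalar multiplication carried out directly on the random curve, so a peer cannot tell which representation was used internally.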
IANA has assigned four values from the unassigned portion of the "Group Description" component of the [IANA-IKE] registry and updated the registry by appending Table 1 to the registry table.
+----------+-----------------------+-------------+------------------+
| Value    | Group Description     | Reference   | Note             |
+----------+-----------------------+-------------+------------------+
| 27       | 224-bit Brainpool     | RFC 6932,   | Not for RFC 2409 |
|          | ECP group             | Section 2.1 |                  |
|          |                       |             |                  |
| 28       | 256-bit Brainpool     | RFC 6932,   | Not for RFC 2409 |
|          | ECP group             | Section 2.2 |                  |
|          |                       |             |                  |
| 29       | 384-bit Brainpool     | RFC 6932,   | Not for RFC 2409 |
|          | ECP group             | Section 2.3 |                  |
|          |                       |             |                  |
| 30       | 512-bit Brainpool     | RFC 6932,   | Not for RFC 2409 |
|          | ECP group             | Section 2.4 |                  |
+----------+-----------------------+-------------+------------------+
[EBP] describes the security properties of the curves referenced here. The curves support security levels of 112 (Section 2.1), 128 (Section 2.2), 192 (Section 2.3), and 256 (Section 2.4). These security levels assume that, when these elliptic curves are used with discrete logarithm cryptography (for example, elliptic curve Diffie-Hellman), the private key used is a uniformly random number in the range [1..(q-1)], where q is the order from the curve's domain parameter set. In order to achieve system security commensurate with the security level of a particular elliptic curve, it is incumbent upon an implementation to choose key derivation functions, hash functions, pseudo-random functions, and ciphers according to the recommendations from [SP800-57].
The notes in Table 1 are an administrative prohibition, not a technical one. The notes are there because, although [RFC2409] has been deprecated, it is still widely used. There is a desire among some in the IETF to not do anything that would prolong the use of [RFC2409], and the addition of these curves was perceived as doing just that. The registry could not have been updated without including notes to indicate that these curves are not for use with [RFC2409], and not updating the [RFC2409] registry would have a detrimental effect on the other protocols that use it.
[EBP] The Brainpool Workgroup, "ECC Brainpool Standard Curves and Curve Generation", October 2005, <http://www.ecc-brainpool.org/download/Domain-parameters.pdf>.
[IEEE802.11] IEEE, "Telecommunications and information exchange between systems Local and metropolitan area networks-- Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", IEEE Std 802.11-2012, 2012.
[RFC2409] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
[RFC5931] Harkins, D. and G. Zorn, "Extensible Authentication Protocol (EAP) Authentication Using Only a Password", RFC 5931, August 2010.
[SP800-57] National Institute of Standards and Technology, "Recommendation for Key Management - Part 1: General (Revised)", NIST Special Publication 800-57, March 2007.
This section provides some test vectors for example Diffie-Hellman key exchanges using each of the curves defined in Section 2. The following notation is used in subsequent sections:
o dA: the secret key of party A
o x_qA: the x-coordinate of the public key of party A
o y_qA: the y-coordinate of the public key of party A
o dB: the secret key of party B
o x_qB: the x-coordinate of the public key of party B
o y_qB: the y-coordinate of the public key of party B
o x_Z: the x-coordinate of the shared secret that results from completion of the Diffie-Hellman computation
o y_Z: the y-coordinate of the shared secret that results from completion of the Diffie-Hellman computation