Regrouping for IPSEC WORKING GROUP LAST CALL



The "Internet Key Exchange" <draft-ietf-ipsec-isakmp-oakley-06.txt>
specification includes definitions for well known groups for Elliptic Curve
cryptographic implementations.  Implementations using these techniques
should have considerable performance improvements.  One problem: the groups
defined are composite :-(

     Third  Oakley Group is on Galois Field GF[2^^155]
     Fourth Oakley Group is on Galois Field GF[2^^185]

These groups should be prime!

(from correspondence with ajmeneze@math.uwaterloo.ca)
>In his talks at Eurocrypt '97 and at the ECDLP Workshop in Waterloo
>(Nov '97), Gerhard Frey suggested that elliptic curves over GF(2^^m),
>where m is composite, *may* have serious security flaws. This
>opinion was also stated by Claus Schnorr at Crypto '97 (in
>response to the breaking of the Chor-Rivest knapsack scheme which
>exploited such composite finite fields), and by Volker Mueller
>and Sachar Paulus in their paper "On the generation of
>cryptographically strong elliptic curves" (available from
>http://www.informatik.th-darmstadt.de/TI/Mitarbeiter/vmueller.html).
>>  Mueller and Paulus state:
>>  If the Galois group G(F_{p^^k}/F_p) has small factors
>>  (as for composite fields, where k>1 is not a prime number),
>>  or if the curve is already defined over F_p, as is the case
>>  for anomalous curves, then there might be better methods than
>>  those cited above. Thus the exponent k should be a prime or
>>  equal to 1.

There are a wide variety of excellent curves defined ... mostly in ANSI.
I'll try to find someone to help submit some other predefined curves before
the end of the last call.


Paul A. Lambert
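The Mueller-Paulus criterion quoted in the message above reduces to a check on the extension degree: the Galois group of GF(p^k) over GF(p) is cyclic of order k, so it has a small non-trivial subgroup (equivalently, GF(p^k) has a proper intermediate subfield GF(p^d)) exactly when k has a divisor d strictly between 1 and k, i.e. when k is composite. The following script is an added example, not code from the message, from Menezes, or from the IKE draft; it takes only the two extension degrees 155 and 185 from the text and generalises the check to any p and k, listing the factorisation of k and the degrees of the intermediate subfields so a reviewer can see why the two Oakley binary-field groups fail the "k prime or k = 1" condition.

```python
# Added example (not from the original message or the IKE draft): checking the
# extension degree k of a finite field GF(p^k) against the Mueller-Paulus
# condition that k be prime or equal to 1. For composite k the cyclic Galois
# group Gal(GF(p^k)/GF(p)) of order k has proper subgroups, and GF(p^k) has
# proper intermediate subfields GF(p^d) for every divisor d of k, 1 < d < k.

def factorize(n: int) -> list[tuple[int, int]]:
    """Trial-division factorisation of n as a list of (prime, exponent) pairs."""
    factors = []
    d = 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            factors.append((d, e))
        d += 1
    if n > 1:
        factors.append((n, 1))
    return factors


def is_prime(n: int) -> bool:
    """True when n > 1 and n has no factorisation other than itself."""
    return n > 1 and factorize(n) == [(n, 1)]


def intermediate_subfields(p: int, k: int) -> list[int]:
    """Degrees d of the proper intermediate fields GF(p) < GF(p^d) < GF(p^k).

    These are exactly the divisors of k strictly between 1 and k; p is taken
    for readability of the call site and does not change the answer.
    """
    return [d for d in range(2, k) if k % d == 0]


def extension_degree_ok(k: int) -> bool:
    """Mueller-Paulus condition: the extension degree k is prime or equal to 1."""
    return k == 1 or is_prime(k)


def audit_binary_field(name: str, k: int) -> dict:
    """Summarise GF(2^k) for one named group: factorisation, subfields, verdict."""
    return {
        "group": name,
        "degree": k,
        "factorization": factorize(k),
        "intermediate_subfield_degrees": intermediate_subfields(2, k),
        "meets_prime_degree_criterion": extension_degree_ok(k),
    }


# Extension degrees of the two binary-field groups named in the message.
OAKLEY_EC_GROUPS = {
    "Third Oakley Group": 155,   # GF(2^155); 155 = 5 * 31
    "Fourth Oakley Group": 185,  # GF(2^185); 185 = 5 * 37
}

if __name__ == "__main__":
    for group_name, degree in OAKLEY_EC_GROUPS.items():
        print(audit_binary_field(group_name, degree))
```

Running it reports that both groups have composite degree with intermediate subfields of degree 5 and 31 (respectively 5 and 37), which is the subfield structure the quoted remarks of Frey and of Mueller and Paulus are concerned with; a degree that is prime produces an empty subfield list and passes the check.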