
EC groups over F2**m, m composite



We've been trying to implement IPSec and have encountered some issues.
These are related to the problem which Niels Provos observed in his email
on 13.Aug.98 at 15:42 GMT.

Specifically, the IKE specification currently only facilitates the use of
elliptic curve groups over F2**m, m composite.  The world's leading experts
in elliptic curve cryptography have publicly questioned the security of
these curves.  These experts include:

   Prof Gerhard Frey, Essen University
   Prof Alfred Menezes, Waterloo University and Certicom
   Dr Volker Mueller, Darmstadt University
   Dr Sachar Paulus, Darmstadt University
   Prof Bart Preneel, Leuven University
   Prof Claus Schnorr, Frankfurt University and RSA
   Prof Scott Vanstone, Waterloo University and Certicom
   Mike Wiener, Entrust

We will provide copies of these references.

We therefore suggest that, due to the fact that they are suspect and appear
to provide neither hardware nor software benefits versus F2**m, m prime,
the specification should preclude the use of F2**m, m composite, curves,
which should be replaced with elliptic curve groups over F2**m, m prime.
At the minimum, we feel that the specification should facilitate use of
some non-suspect F2**m, m prime.  In addition, it may also be beneficial to
consider facilitating use of some elliptic curve groups over Fp.  We hope
to discuss this in more detail at the meeting in Chicago and will bring in
specific suggested text.  In the meantime, please let us know if you have
any questions or comments.

Regards,
Yuri Poeluev & Simon Blake-Wilson
Certicom Corp.
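As an added illustration (not part of the email above): a small Python check that, given the extension degree m of a binary field F2**m, reports whether m is prime and, when it is not, which proper subfields F2**d (d dividing m) the field contains, which is the structural difference between the composite-m groups the email objects to and the prime-m groups it asks for.  The sample degrees 155 and 185 are the GF(2^m) sizes of the EC2N Oakley groups as published in RFC 2409; 163 is a prime degree included purely as a constructed comparison.

```python
# Added example: classify the extension degree m of a binary field F2**m.
# A field F2**m has a proper subfield F2**d for every divisor d of m with
# 1 < d < m, so composite m means intermediate fields exist; prime m means
# the only subfield is F2 itself.

def prime_factors(m: int) -> list[int]:
    """Prime factorization of m (m >= 2) as a sorted list with repetition."""
    if m < 2:
        raise ValueError("extension degree must be at least 2")
    factors, d = [], 2
    while d * d <= m:
        while m % d == 0:
            factors.append(d)
            m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors

def proper_subfield_degrees(m: int) -> list[int]:
    """Degrees d of the intermediate fields F2 < F2**d < F2**m."""
    return [d for d in range(2, m) if m % d == 0]

def classify_field_degree(m: int) -> dict:
    """Summarize whether F2**m is a prime-degree extension of F2."""
    factors = prime_factors(m)
    return {
        "m": m,
        "prime_degree": len(factors) == 1,
        "factorization": factors,
        "subfield_degrees": proper_subfield_degrees(m),
    }

if __name__ == "__main__":
    # 155 and 185: field sizes of the RFC 2409 EC2N groups; 163: constructed
    # prime-degree comparison value.
    for m in (155, 185, 163):
        info = classify_field_degree(m)
        kind = "prime degree" if info["prime_degree"] else "composite degree"
        print(f"F2**{m}: {kind}, factorization {info['factorization']}, "
              f"proper subfields F2**d for d in {info['subfield_degrees']}")
```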