[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Remove SHOULD for elliptic curve groups in IKEv2
> Your explanation of co-factors with ECC sheds no light on the matter
> for me.
Here is how I understand IKE implementing ECC DH should work.
Initiator generates secret scalar x, calculates x*G and sends it to the
responder in KE.
Responder generates secret scalar y, calculates y*G and sends it to the
initiator in KE.
Both peers calculate x*y*G and use it in place of "g^xy" for SKEYID_xxx
generation.
'*' here is a scalar multiplication.
As it turns out, one well-known vendor interpreted "g^xy" as x*y*c*G. In
this case cofactor multiplication changes the IKE state so that two
implementations cannot interoperate. In addition, I mentioned before my
concerns about patent(s) for cofactor multiplication.
> I'll note as an aside that because IKE requires Sophie-Germain
> primes, this is note an issue for modexp groups, either.
This is a good analogy. I would like to see g^xy is interpreted the same way
as it is interpreted for MODP groups, i.e. without cofactor multiplication
in g^xy.
For MODP cofactor is always 2. This allows implementation to store constant
value 2^(MOPD_prime-1)/2 for each MOPD_prime and then memcmp() received g^x
with this value. If implementation checks for small g^x and g^xy, this
covers the small subgroup attack for any MODP group.
For ECC Koblitz groups cofactor is 4, but similar checks can be performed.