Re: Elliptic-Curve Diffie-Hellman Key Exchange draft

[Daniel Brown <DBrown%certicom.com@localhost>]

Hi Douglas,

Some questions about your draft.

Standards [6] and [7] that you cite
are incompatible with respect to their key derivation functions.  In
[6], the KDF is essentially Hash ( raw-shared-ECDH-secret || [extra-info]
), whereas in [7] it is Hash ( raw-shared-ECDH-secret || counter = 1||
[extra-info] ) || Hash (raw-shared-ECDH-secret || counter = 2 || [extra-info]
) || ...

I suggest using the KDF from [7].  It
is also specified in SEC1, and will be specified as KDF2 in IEEE P1363a,
a revision of [6] that has been approved and will appear soon. Furthermore,
NIST Draft Special Publication 800-56 recommends the KDF from [7]. 

I also suggest not to use any curves
with field size less than 160 bits, or field sizes 2^m with m prime.  These
field sizes will not be allowed for elliptic curves in future ANSI standards
(such as the revision of [10] being draft now) on elliptic curve cryptography.
 Therefore some of the named curves that you listed, such as "secp112r1"
and "c2pnb176v1", should not be used.  So, perhaps you should
omit from your list.

Thanks,

        Dan

Douglas Stebila wrote on 05/11/2004 06:12:54 PM:

> I recently posted a draft to add support for the use of elliptic curve
> cryptography in the form of Elliptic Curve Diffie-Hellman (ECDH) key
> agreement to the exchange portion of the SSH Transport Layer protocol.
> 
> I would appreciate any feedback on the draft, which can be found at:
> 
> http://www.ietf.org/internet-drafts/draft-stebila-secsh-ecdh-01.txt
> 
> -- 
> 
> Douglas Stebila
> Sun Microsystems Laboratories
> Email: douglas.stebila%sun.com@localhost