Re: [pkix] Question about Curve P-192

Dan Brown <> Thu, 10 May 2018 18:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0D58912EB82 for <>; Thu, 10 May 2018 11:51:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id E7LJrbUihhF4 for <>; Thu, 10 May 2018 11:51:03 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3BC98127077 for <>; Thu, 10 May 2018 11:51:03 -0700 (PDT)
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 10 May 2018 14:51:02 -0400
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 10 May 2018 14:51:01 -0400
Received: from ([fe80::45d:f4fe:6277:5d1b]) by ([fe80::a15e:e4be:7302:3372%12]) with mapi id 14.03.0319.002; Thu, 10 May 2018 14:51:01 -0400
From: Dan Brown <>
To: Russ Housley <>, Ernst G Giessmann <>
Thread-Topic: [pkix] Question about Curve P-192
Thread-Index: AQHT6IFeYuIm9dZtR0OYr6kEQvvxAqQpeaaAgAABjwD//8xYwA==
Date: Thu, 10 May 2018 18:51:00 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US, en-CA
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_005E_01D3E86E.4F54CB00"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [pkix] Question about Curve P-192
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 May 2018 18:51:06 -0000

Hi Denis,


Please, do not use P-192, unless there are some severe constraints.


Even if you credit EC with a very generous 16 extra bits in security
(compared to hashes & ciphers), P-192 would only reach 96+16=112-bit
security, which does not meet the current best practice of 128 bit security.


History as I understand it: NIST P-192 was meant for the 80-bit level
(though it looks like 96-bit). This low security level has been widely
deprecated since 2010, at least informally - to what extent it is formally
deprecated, I don't recall off-hand. I recall added text to ANSI X9.62/63
deprecating this security level.

Anyway, originally, the idea was to use P-192 with SHA-1, P-224 with
SHA-224, etc.

I think that there were also OIDs for P-192, e.g. secp192k1, and OIDs for
ECDSA-with-SHA1, which could be combined in some ways.  I do not recall how
far these OIDs made into IETF, i.e. as algorithm identifiers.

Using 160-bit hash in ECDSA with P-192 renders the EU-CMA security to 80
bits, which is waste considering that P-192 potentially provides 96-bit
security.  As noted in the thread below, the standards have options to
truncate a longer hash, which should correct this.


Arguably, the security of P-192 has fared far better than SHA-1 in some
ways, yet SHA-1 is probably much more widely used than P-192, though
admittedly hashes are considered a general purpose tool.


Best regards,




From: pkix [] On Behalf Of Russ Housley
Sent: Thursday, May 10, 2018 1:30 PM
To: Ernst G Giessmann <>
Subject: Re: [pkix] Question about Curve P-192




Of course, this technique works.  That said, I am not aware of any algorithm
identifiers that make use of the P-192 curve for digital signature or key





On May 10, 2018, at 1:24 PM, Ernst G Giessmann
< <>
> wrote:


Yes, there is a standardized way: 
Pick up a corresponding hash function, in case of P-192 it should be SHA-224
and take the 192 left most bits of the hash value as the input to the EC
sign primitive.
The correspondig signature suite can be defined with ISO 14888-3, which
allows the specification of the algo (e.g. EC-DSA, EC-KCDSA or whatsoever),
the curve and the hash function.
Kind regards,

Am 2018-05-10 um 19:07 schrieb Denis:

Hello everybody,

Curve P-192 is specified in FIPS PUB 186-4 (Digital Signature Standard

There is no "SHA-192" hash function defined in FIPS PUB 180-4 (Secure Hash
Standard (SHS)).

Is there any standardized way to use a hash function with Curve P-192 ? 

Is there any RFC or any another document that specifies a cryptographic
suite for Curve P-192 ?



pkix mailing list <>


pkix mailing list <>