Re: [pkix] Question about Curve P-192

Denis <denis.ietf@free.fr> Thu, 10 May 2018 21:46 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC14C12E035 for <pkix@ietfa.amsl.com>; Thu, 10 May 2018 14:46:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id geGrCjpVpUyJ for <pkix@ietfa.amsl.com>; Thu, 10 May 2018 14:46:49 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 700B912D94D for <pkix@ietf.org>; Thu, 10 May 2018 14:46:49 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id A7B74780310 for <pkix@ietf.org>; Thu, 10 May 2018 23:46:47 +0200 (CEST)
To: pkix@ietf.org
References: <5481b2bb-25cc-6d1f-d255-16403f2221de@free.fr> <38461622-c7e9-58f4-acd2-5451c37408ba@informatik.hu-berlin.de> <9721F6F1-BA0F-4A86-A1C9-7910003D00E8@vigilsec.com> <810C31990B57ED40B2062BA10D43FBF501C71CBD@XMB116CNC.rim.net>
From: Denis <denis.ietf@free.fr>
Message-ID: <77eb0920-c6a2-2697-46d0-b0ab0366d9da@free.fr>
Date: Thu, 10 May 2018 23:46:48 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF501C71CBD@XMB116CNC.rim.net>
Content-Type: multipart/alternative; boundary="------------FA2C705029467611668F3ADB"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/R-NFph6XCp-LCUsDe94m9-Pdq40>
Subject: Re: [pkix] Question about Curve P-192
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 May 2018 21:46:53 -0000

Hi Ernst, Russ and Dan,

Thank your for your replies. This is what I feared : there is no 
cryptographic suite defined for P-192.
Quite strange that NIST defined the algorithm and didn't defined a hash 
function to go with it.

Key sizes need to be appreciated relative to the environment where they 
are used.

P-192 would be used in a constrained environment where the size of the 
digital signature matters (i.e. the smaller, the better).

The verification of the digital signature would be real time. The 
private key should resist one year, because it would be changed every year.

P-192 seems to be a good trade-off between the security level and the 
size of the digital signature.

A SHA-192 function has been defined in a paper available at: 
http://www.ijctee.org/files/VOLUME2ISSUE3/IJCTEE_0612_24.pdf.
The title of this paper is : Performance Analysis of SHA Algorithms 
(SHA-1 and SHA-192): A Review
However, I don't believe that any crypto-library supports it.

So Ernst's method would certainly be one way to do it, but why not take 
the 192 low bits ?

The last question would be for Ernst who wrote:

    The corresponding signature suite can be defined with ISO 14888-3,
    which allows the specification of the algo
    (e.g. EC-DSA, EC-KCDSA or whatsoever), the curve and the hash function.

What would the OID or the URI for this suite, if we take the 192 left 
bits ? Same question if we take the 192 low bits ?

Denis

> Hi Denis,
>
> Please, do not use P-192, unless there are some severe constraints.
>
> Even if you credit EC with a very generous 16 extra bits in security 
> (compared to hashes & ciphers), P-192 would only reach 96+16=112-bit 
> security, which does not meet the current best practice of 128 bit 
> security.
>
> History as I understand it: NIST P-192 was meant for the 80-bit level 
> (though it looks like 96-bit). This low security level has been widely 
> deprecated since 2010, at least informally - to what extent it is 
> formally deprecated, I don’t recall off-hand. I recall added text to 
> ANSI X9.62/63 deprecating this security level.
>
> Anyway, originally, the idea was to use P-192 with SHA-1, P-224 with 
> SHA-224, etc.
>
> I think that there were also OIDs for P-192, e.g. secp192k1, and OIDs 
> for ECDSA-with-SHA1, which could be combined in some ways.  I do not 
> recall how far these OIDs made into IETF, i.e. as algorithm identifiers.
>
> Using 160-bit hash in ECDSA with P-192 renders the EU-CMA security to 
> 80 bits, which is waste considering that P-192 potentially provides 
> 96-bit security. As noted in the thread below, the standards have 
> options to truncate a longer hash, which should correct this.
>
> Arguably, the security of P-192 has fared far better than SHA-1 in 
> some ways, yet SHA-1 is probably much more widely used than P-192, 
> though admittedly hashes are considered a general purpose tool.
>
> Best regards,
>
> Dan
>
> *From:* pkix [mailto:pkix-bounces@ietf.org] *On Behalf Of *Russ Housley
> *Sent:* Thursday, May 10, 2018 1:30 PM
> *To:* Ernst G Giessmann <giessman@informatik.hu-berlin.de>;
> *Cc:* IETF PKIX <pkix@ietf.org>;
> *Subject:* Re: [pkix] Question about Curve P-192
>
> Ernst:
>
> Of course, this technique works.  That said, I am not aware of any 
> algorithm identifiers that make use of the P-192 curve for digital 
> signature or key agreement.
>
> Russ
>
>     On May 10, 2018, at 1:24 PM, Ernst G Giessmann
>     <giessman@informatik.hu-berlin.de
>     <mailto:giessman@informatik.hu-berlin.de>> wrote:
>
>     Yes, there is a standardized way:
>     Pick up a corresponding hash function, in case of P-192 it should
>     be SHA-224 and take the 192 left most bits of the hash value as
>     the input to the EC sign primitive.
>     The correspondig signature suite can be defined with ISO 14888-3,
>     which allows the specification of the algo (e.g. EC-DSA, EC-KCDSA
>     or whatsoever), the curve and the hash function.
>     Kind regards,
>     /Ernst.
>
>     Am 2018-05-10 um 19:07 schrieb Denis:
>
>         Hello everybody,
>
>         Curve P-192 is specified in FIPS PUB 186-4 (Digital Signature
>         Standard (DSS)).
>
>         There is no "SHA-192" hash function defined in FIPS PUB 180-4
>         (Secure Hash Standard (SHS)).
>
>         Is there any standardized way to use a hash function with
>         Curve P-192 ?
>
>         Is there any RFC or any another document that specifies a
>         cryptographic suite for Curve P-192 ?
>
>         Denis
>
>
>
>
>
>         _______________________________________________
>
>         pkix mailing list
>
>         pkix@ietf.org <mailto:pkix@ietf.org>
>
>         https://www.ietf.org/mailman/listinfo/pkix
>
>     _______________________________________________
>     pkix mailing list
>     pkix@ietf.org <mailto:pkix@ietf.org>
>     https://www.ietf.org/mailman/listinfo/pkix
>
>
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix