On 11/16/2010 09:50 AM, Paul Hoffman wrote:
> At 8:47 PM +1000 11/16/10, James A. Donald wrote:
>> I don't think that elliptic curves are more patented or less
>> patented than everything else. The proposition that there are
>> unusual patent hazards looks like FUD to me.
> +1
>
> Marsh: could you be more specific on which patents you think apply
> to normal use of ECDSA and ECDH? Or were you just saying "because
> some company says they have patents, I believe them"?

Neither, really.

> For extra credit, please read draft-mcgrew-fundamental-ecc-03.txt and
> suggest where it might be wrong.
What I'm saying is that even if the basic math or whatever patents
aren't expected to hold up, the realities of patent litigation make the
whole thing $Risky. Even if you prevail in court, it's likely to cost
you heavily.
For example:
http://www.certicom.com/index.php/2007-press-releases/32-2007-press-releases/20-certicom-files-suit-against-sony-for-patent-infringement
Toronto, Ontario – May 30, 2007 -- Certicom Corp. (TSX: CIC) today
announced it has initiated litigation in the Eastern District of
Texas, Marshall Division, against Sony Corporation, and related Sony
companies, for patent infringement.
In its filing, Certicom alleged infringement concerning two United
States patents used in the content protection technologies found in
Sony products.
The patents-in-suit are two of Certicom's fundamental patents used in
consumer electronics, in particular its world-leading version of
Elliptic Curve Cryptography (ECC). In its complaint, Certicom alleges
Sony has, and continues to, infringe, contribute to and induce the
infringement of Certicom's patents by making, using, importing,
offering for sale and selling their products in the U.S. without
being licensed by Certicom to do so.
http://www.certicom.com/pdfs/FAQ-TheNSAECCLicenseAgreement.pdf
73. What are the benefits of licensing from Certicom? The primary
reasons are to get a proven implementation without security risks,
faster NSA approvals, no risk of patent infringement, and a wider
field of use.
http://www.certicom.com/index.php/licensing/certicom-ip
The Certicom Patent Portfolio includes more than 350 patents and
patents pending worldwide. Many of our issued patents can be found
at the United States Patent and Trademark Office simply by searching
for the keyword - Certicom. Certicom is known for many patents
related, but not limited to the area of Elliptic Curve Cryptography
(ECC).
In the past 20 years of research in the area of elliptic curve
cryptography, Certicom discovered and patented many fundamental
innovations related to:
* Basic cryptographic operations
* Digital signatures and Public Key Infrastructures
* Key agreement or Key Exchange
* Optimization of security and efficiency for constrained
environments
[...]
The following list gives you a sample of some of the key patented
ideas:
* Implementation Patents
* General Concept Hardware Patents
* Protocol Patents
* Security-Related Patents
* Small-subgroup attack prevention
* Key-generation
* Curve Selection Patents
* Efficiencies
* Certificate Patents
Certicom continuously performs research and adds to its patent
portfolio.
How can it be any clearer?
This company believes it has "over 350" patents they could potentially
sue you for infringing, many of which relate to ECC, and they have
actually sued companies in East Texas over its "fundamental patents" "in
particular its world-leading version of Elliptic Curve Cryptography (ECC)".
http://en.wikipedia.org/wiki/Patent_thicket
If you're walking down the street, and you see a guy threatening people
with a gun, bragging about having 350 bullets, and he fires 2 or 3 of
them at some Japanese dude, then the sensible thing to do is to walk the
long way around the block.
One doesn't need to have an opinion about the relevance or validity of
any specific patents, or estimate the probability of any hypothetical
set of lawsuits succeeding, to recognize this situation as a minefield.
As Ian G wisely pointed out a month ago:
The result of 15-20 years is that nobody has ever lost money because
of a cryptographic failure, to a high degree of reliability. Certainly
within the bounds of any open and/or commercial risk management model,
including orders of magnitude of headroom.
Well, here you go. Perhaps there's no precedent for losing money due to
a weakness in RSA, but there's a clear risk in shipping products which
do things related to ECC without an agreement in place with Certicom.
It seems prudent to ask if the benefits outweigh the risks before
adopting what may be approximately a single-vendor-controlled technology.
- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography