[cryptography] ECC patent FUD

Jack Lloyd lloyd at randombit.net
Tue Nov 16 08:16:30 EST 2010

On Mon, Nov 15, 2010 at 09:36:58PM -0600, Marsh Ray wrote:

> For one thing, open source projects wouldn't go along with it.
> http://fedoraproject.org/wiki/User:Peter/Disabled_applications

This is due to excessive paranoia on the part of RH's legal department
(they are assuming even ECDH over GF(p) is still patented, for
instance). I pointed them to draft-mcgrew-fundamental-ecc [1],
hopefully once that hits RFC they will take it into

> elliptic curves using keys a bit shorter than RSA, but that those who do 
> so sometimes end up paying ++$M. From my perspective, this is 
> effectively equivalent to the algorithm having a rather severe form of 
> security vulnerability.
> Thus ECC just does not seem technically relevant to me at this time.

I think you (as with RH) are making too many simplifying assumptions.
A particular implementation of, say, ECDSA, probably is covered by a
number of implementation patents, but then again so is the modexp
algorithm your RSA implementation uses, because to a first order
approximation everything is patented. Using an algorithm invented in
1978 won't necessarily be any safer for you than using one from 1985,
especially in the current patent landscape. If someone wants to sue
you, not using ECC isn't exactly going to save you.

It's also worth noting that the Certicom patent that they
actually sued Sony over does not seem to be specific to ECC but
would cover the same usage in a standard mod-p group.


[1] http://tools.ietf.org/html/draft-mcgrew-fundamental-ecc-03
