[cryptography] NSA's position in the dominance stakes

Marsh Ray marsh at extendedsubset.com
Tue Nov 16 14:43:02 EST 2010

On 11/16/2010 09:50 AM, Paul Hoffman wrote:
> At 8:47 PM +1000 11/16/10, James A. Donald wrote:
>> I don't think that elliptic curves are more patented or less
>> patented than everything else.  The proposition that there are
>> unusual patent hazards looks like FUD to me.
> +1
> Marsh: could you be more specific on which patents you think apply
> to normal use of ECDSA and ECDH? Or were you just saying "because
> some company says they have patents, I believe them"?

Neither, really.

> For extra credit, please read draft-mcgrew-fundamental-ecc-03.txt and
> suggest where it might be wrong.

What I'm saying is that even if the basic math or whatever patents
aren't expected to hold up, the realities of patent litigation make the
whole thing $Risky. Even if you prevail in court, it's likely to cost 
you heavily.

For example:
> http://www.certicom.com/index.php/2007-press-releases/32-2007-press-releases/20-certicom-files-suit-against-sony-for-patent-infringement
>Toronto, Ontario – May 30, 2007 -- Certicom Corp. (TSX: CIC) today
> announced it has initiated litigation in the Eastern District of
> Texas, Marshall Division, against Sony Corporation, and related Sony
>  companies, for patent infringement.
> In its filing, Certicom alleged infringement concerning two United
> States patents used in the content protection technologies found in
> Sony products.
> The patents-in-suit are two of Certicom's fundamental patents used in
> consumer electronics, in particular its world-leading version of
> Elliptic Curve Cryptography (ECC). In its complaint, Certicom alleges
> Sony has, and continues to, infringe, contribute to and induce the
> infringement of Certicom's patents by making, using, importing,
> offering for sale and selling their products in the U.S. without
> being licensed by Certicom to do so.

> http://www.certicom.com/pdfs/FAQ-TheNSAECCLicenseAgreement.pdf 73.
> What are the benefits of licensing from Certicom? The primary
> reasons are to get a proven implementation without security risks,
> faster NSA approvals, no risk of patent infringement, and a wider
> field of use.

> http://www.certicom.com/index.php/licensing/certicom-ip
> The Certicom Patent Portfolio includes more than 350 patents and
> patents pending worldwide. Many of our issued patents can be found
> at the United States Patent and Trademark Office simply by searching
> for the keyword - Certicom. Certicom is known for many patents
> related, but not limited to the area of Elliptic Curve Cryptography
> (ECC).
> In the past 20 years of research in the area of elliptic curve
> cryptography, Certicom discovered and patented many fundamental
> innovations related to:
> * Basic cryptographic operations
> * Digital signatures and Public Key Infrastructures
> * Key agreement or Key Exchange
> * Optimization of security and efficiency for constrained
> environments
> [...]
> The following list gives you a sample of some of the key patented
> ideas:
> * Implementation Patents * General Concept Hardware Patents *
> Protocol Patents * Security-Related Patents * Small-subgroup attack
> prevention * Key-generation * Curve Selection Patents * Efficiencies
> * Certificate Patents
> Certicom continuously performs research and adds to its patent
> portfolio.

How can it be any clearer?

This company believes it has "over 350" patents they could potentially 
sue you for infringing, many of which relate to ECC, and they have 
actually sued companies in East Texas over its "fundamental patents" "in 
particular its world-leading version of Elliptic Curve Cryptography (ECC)".


If you're walking down the street, and you see a guy threatening people 
with a gun, bragging about having 350 bullets, and he fires 2 or 3 of 
them at some Japanese dude, then the sensible thing to do is to walk the 
long way around the block.

One doesn't need to having an opinion about the relevance or validity of 
any specific patents, or estimate the probability of any hypothetical 
set of lawsuits to succeed, to recognize this situation as a minefield.

As Ian G wisely pointed out a month ago:
> The result of 15-20 years is that nobody has ever lost money because
> of a cryptographic failure, to a high degree of reliability. Certainly
> within the bounds of any open and/or commercial risk management model,
> including orders of magnitude of headroom.

Well, here you go. Perhaps there's no precedent for losing money due to 
a weakness in RSA, but there's a clear risk in shipping products which 
do things related to ECC without an agreement in place with Certicom.

It seems prudent to ask if the benefits outweigh the risks before 
adopting what may be approximately a single-vendor-controlled technology.

- Marsh

More information about the cryptography mailing list