Re: [Cfrg] patent situation regarding hash2curve as used in some PAKE nominations

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Thu, 17 October 2019 19:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/3Cq2sEryV7q32sU7izgCUfGEQn0>

Excellent, thanks! 

I'm glad to hear that P-384 is still "safe" for hash2curve.

On 10/17/19, 8:59 AM, "Björn Haase" <bjoern.haase@endress.com> wrote:

    Dear Uri,
    
    The possible patent problem persists for curves with p = 1 mod 4.  I did believe P-384 to belong to this class.
    
    I see now that among the NIST curves the case p mod 4 == 1 seems only to apply to P-224. I was confused by the fact that the draft 04 did suggest Icart's mapping for  p = 2 mod 3 for the case of P-384.
    
    
    The approach for simplified SWU from Appendix D.2 from WD19 could only be taken for p = 3 mod 4. 
    The general simplified SWU which works also for p = 1 mod 4 (without the approach D.2 from WD19) would be different but still quite close to the patented method.
    Icart's special method for p = 2 mod 3 is also patented.
    
    
    So the increased patent-collision risk seems only to apply to P-224 which should not be recommended anyway as having less than 128 bit security level.
    
    Yours,
    
    Björn.
    
    
    
    
    
     
    
    
    -----Original Message-----
    From: Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> 
    Sent: Thursday, 17 October 2019 14:20
    To: Björn Haase <bjoern.haase@endress.com>; cfrg@irtf.org
    Subject: Re: [Cfrg] patent situation regarding hash2curve as used in some PAKE nominations
    
    >    -	Don’t specify cipher-suites using P-384 for PAKE algorithms requiring mapping
    >  algorithms but recommend only Edwards/Montgomery curves or Short-Weierstrass
    >  curves with p = 3 mod 4, such as BrainPool, P-256 and P-521.
    
    I have a problem with exclusion of P-384. Are there patent issues with mapping for P-384, and do you see a way to avoid them, but still use P-384?
    
    Thanks!
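
The congruence classes named in this thread can be checked directly for the NIST field primes. The following is an added example, not part of the original messages: it computes p mod 4 and p mod 3 for each prime and shows the arithmetic shortcut each class allows (a one-exponentiation square root for p = 3 mod 4, a unique cube root for p = 2 mod 3). The prime formulas are the standard FIPS 186 definitions; all function names are hypothetical.

```python
# Added example: residue classes of the NIST field primes discussed above.
# Prime formulas are the standard FIPS 186 definitions; function names are
# hypothetical and chosen for this illustration.

NIST_PRIMES = {
    "P-224": 2**224 - 2**96 + 1,
    "P-256": 2**256 - 2**224 + 2**192 + 2**96 - 1,
    "P-384": 2**384 - 2**128 - 2**96 + 2**32 - 1,
    "P-521": 2**521 - 1,
}


def residue_classes(p):
    """Return (p mod 4, p mod 3), the two conditions named in the thread."""
    return p % 4, p % 3


def classify():
    """Map each curve name to its (p mod 4, p mod 3) pair."""
    return {name: residue_classes(p) for name, p in NIST_PRIMES.items()}


def sqrt_3mod4(a, p):
    """Square root by one exponentiation; valid only when p = 3 mod 4."""
    if p % 4 != 3:
        raise ValueError("shortcut needs p = 3 mod 4")
    r = pow(a, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a square mod p")
    return r


def cbrt_2mod3(a, p):
    """Unique cube root; cubing is a bijection only when p = 2 mod 3."""
    if p % 3 != 2:
        raise ValueError("unique cube root needs p = 2 mod 3")
    return pow(a, (2 * p - 1) // 3, p)


if __name__ == "__main__":
    for name, (m4, m3) in classify().items():
        print(f"{name}: p mod 4 = {m4}, p mod 3 = {m3}")
```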