Re: [Cfrg] Questions regarding new draft-irtf-cfrg-voprf-00 from A. Davidson, N. Sullivan and Chr. Wood // Will we need to consider IPR issues here?

"Björn Haase" <> Sat, 13 July 2019 21:54 UTC

Hi to all,
During the last days I have spent a bit of time reviewing the IPR situation for hashing to curves such as P-256.

The true issue seems rather to be Icart's invention from FR2946818A1 (held by Morpho) and not FR2946819B1 (Icart and Coron). Both of these refer to some particular use of SWU for hashing to curves.

After re-reading the patents, my personal assessment is now that simplified SWU as specified in the hash2curve RFC could be freely used for both OPRF and PAKE applications, also on curves such as P-256.
However, I'd appreciate it if somebody else could have a closer look.

In the more critical patent FR2946818A1, one of the three polynomials from SWU ( P_3(x) ) has been required to be -1 explicitly.
In fact, for simplifying SWU, P_3(x) could be chosen such that it is any non-square. It seems that this latter thing is what the current hash2curve RFC draft is doing when choosing the value Z from section 6.5.2 (i.e. avoiding the non-square value -1 that is claimed in the patent).
I thus conclude that this Morpho patent does not apply to the algorithm of the RFC. Also, in the text body of the patent I did not find any statement regarding the fact that instead of -1 any non-square could be used, such that any divisional application based on the contents of the descriptive text should not be able to cover the general case of a "non-square" P_3 as used in the RFC.

In fact, in the other patent text by Icart and Coron, claim 4 explicitly refers also to the case that P_3(x) from SWU is an arbitrary non-square, i.e. not having the restriction above. However, claim 4 of this patent refers to the context of claim 1 only, which (in my opinion) does not correspond to what the hash2curve RFC is doing. Thus I believe that also this second patent will not be any issue for what is done in draft-irtf-cfrg-hash-to-curve.