[Cfrg] IPR and algorithms (was Re: Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd))

Watson Ladd <watsonbladd@gmail.com> Fri, 06 March 2015 02:59 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6AB411A92F7 for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 18:59:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 861kHjUt8MBs for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 18:59:26 -0800 (PST)
Received: from mail-yk0-x22f.google.com (mail-yk0-x22f.google.com [IPv6:2607:f8b0:4002:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0812F1A924B for <cfrg@irtf.org>; Thu, 5 Mar 2015 18:59:18 -0800 (PST)
Received: by ykq19 with SMTP id 19so25156478ykq.9 for <cfrg@irtf.org>; Thu, 05 Mar 2015 18:59:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=AgUsE9M4rYQVflmDGSNRecssYaFZb+qyyXLTEh09zgM=; b=r0sGxxxa0lK8TnhmDrUNXWp4mmkkP/SmbHYyfCooqZvTIrpxLtCb7uORTBAZC86OWo wiyAfwteEoLWwvzs06zV+end2XbM/BXKcUwQHQINDAeiEWiKjSkYLvcbVqswlkHTug/n f9F/UBPpcm2PiewoY3dS8N165QM+qccv/87hY5/kkvg+GsCsHdfFgijJ04je6StSHcAK ijoQMCbK3wFLkH6SWBciezvvQOHptwdHp5Ls4UbvD39Zfp4CxqLdPyZLIzs6TVYFFilQ ufu89ooimT50BDIshKpwILS84vXSQ9pHqBs7LPd1Ho9rSgQMHTNcGJC5BfLvTmf7LeGe TdWA==
MIME-Version: 1.0
X-Received: by 10.236.220.65 with SMTP id n61mr10445058yhp.44.1425610757345; Thu, 05 Mar 2015 18:59:17 -0800 (PST)
Received: by 10.170.58.198 with HTTP; Thu, 5 Mar 2015 18:59:17 -0800 (PST)
Date: Thu, 5 Mar 2015 18:59:17 -0800
Message-ID: <CACsn0ckKPzjmsbpD4Fgwj+xK48EoX2guXna0PEXLJi1++i3fBQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Benjamin Black <b@b3k.us>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/QeG-vc2-XgQ25f1uwL_E3sxC7Ms>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: [Cfrg] IPR and algorithms (was Re: Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd))
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 02:59:29 -0000

On Mar 5, 2015 3:55 PM, "Benjamin Black" <b@b3k.us> wrote:
>
> As you say, it would be equally a problem for every curve, which was my argument repeatedly rejected by Alyssa and Robert. As they have never made a statement, public or private, of which I am aware withdrawing their assertions, I can only assume they still believe what they said. If they would like to pipe up and explain that they no longer hold those views that'd be swell.

The above ignores the substantial differences between original NUMS
and the proposals made last fall, and between curves and algorithms.
The original NUMS presentation placed a great deal of importance on
the specific algorithms discussed, and it was very clear that these
algorithms were the ones that the NUMS group wanted specified.

It's a moot point when deciding : there are plenty of comb variations
that are not patented. But were we to have turned the NUMS proposal
into an RFC containing the algorithms presented, it would have been a
problem. I really don't see why we're wasting words on this debate:
Ed448 won out for other reason.

Sincerely,
Watson Ladd

>
> I cannot comment on Microsoft as I am no longer there.
>
>
> On Thu, Mar 5, 2015 at 3:41 PM, Michael Hamburg <mike@shiftleft.org> wrote:
>>
>> Hi Benjamin,
>>
>> Robert Ransom was concerned about Microsoft’s paper and code release possibly containing material based on the patent US7602907.  This wasn’t particularly to do with the curve, but with the combs algorithm for fast fixed-point multiplications.  If this is a problem with any curve, it’s equally a problem for (implementations of) every curve.  I believe that Robert was motivated in this pursuit by a deep-seated conviction that Microsoft was trying to pull something shady, but Alyssa and I just want to make sure that the patent landscape is clear so that nobody infringes by accident.
>>
>> Since my code uses signed all-bits set combs, and if I understand correctly your patent specifically covers modified LSB-set combs, I don’t believe that my implementation has patent problems.  Again, this is a property of the implementation and not of the curve.
>>
>> I asked if you and/or the Microsoft legal team concurred with this analysis.  You said that your team was unaware of the patent and didn’t use it intentionally, but that you would ask legal if it happened to be covered, and whether they thought the Goldilocks code might be affected.  Nearly 6 months have passed and we haven’t heard anything from legal.  Do you have an update for us?
>>
>> Cheers,
>> — Mike
>>
>>> On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote:
>>>
>>> What happened to the earlier, vigorous arguments by Robert Ransom, Alyssa Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the curves based on large primes, would be covered by Microsoft IP?
>>>
>>> On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>>>>
>>>> On 25/02/2015 14:27, Alexey Melnikov wrote:
>>>>>
>>>>> CFRG chairs are starting another poll:
>>>>>
>>>>> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or "no") for each curve specified below:
>>>>>
>>>>> 1) 448 (Goldilocks)
>>>>> 2) 480
>>>>> 3) 521
>>>>> 4) other curve (please name another curve that you "prefer" or "accept", or state "no")
>>>>
>>>> Thank you for all responses.
>>>>
>>>> 521 - 6 preferred, 14 - acceptable
>>>> 448 - 16 preferred, 4 - acceptable
>>>>
>>>> Very few prefer others (512 NUMS, 480).
>>>>
>>>> So CFRG prefers curve 448.
>>>>>
>>>>>
>>>>> If you stated your curve preferences in the poll that ended on February 23rd (see the attachment), you don't need to reply to this poll, your opinion is already recorded. But please double check what chairs recorded (see the attachment).
>>>>>
>>>>> If you changed your mind or only answered the question about performance versa memory usage for curves 512 and 521, feel free to reply.
>>>>>
>>>>> Once this issues is settled, we will be discussing (in no particular order. Chairs reserve the right to add additional questions) implementation specifics and coordinate systems for Diffie-Hellman. We will then make decisions on signature schemes. Please don't discuss any of these future topics at this time.
>>>>
>>>>
>>>> _______________________________________________
>>>> Cfrg mailing list
>>>>Cfrg@irtf.org
>>>>http://www.irtf.org/mailman/listinfo/cfrg
>>>
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>>Cfrg@irtf.org
>>>http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>
>
> _______________________________________________
> Cfrg mailing list
>Cfrg@irtf.org
>http://www.irtf.org/mailman/listinfo/cfrg
>

As you say, it would be equally a problem for every curve, which was
my argument repeatedly rejected by Alyssa and Robert. As they have
never made a statement, public or private, of which I am aware
withdrawing their assertions, I can only assume they still believe
what they said. If they would like to pipe up and explain that they no
longer hold those views that'd be swell.

I cannot comment on Microsoft as I am no longer there.

As you say, it would be equally a problem for every curve, which was
my argument repeatedly rejected by Alyssa and Robert. As they have
never made a statement, public or private, of which I am aware
withdrawing their assertions, I can only assume they still believe
what they said. If they would like to pipe up and explain that they no
longer hold those views that'd be swell.

I cannot comment on Microsoft as I am no longer there.


On Thu, Mar 5, 2015 at 3:41 PM, Michael Hamburg <mike@shiftleft.org> wrote:
>
> Hi Benjamin,
>
> Robert Ransom was concerned about Microsoft’s paper and code release possibly containing material based on the patent US7602907.  This wasn’t particularly to do with the curve, but with the combs algorithm for fast fixed-point multiplications.  If this is a problem with any curve, it’s equally a problem for (implementations of) every curve.  I believe that Robert was motivated in this pursuit by a deep-seated conviction that Microsoft was trying to pull something shady, but Alyssa and I just want to make sure that the patent landscape is clear so that nobody infringes by accident.
>
> Since my code uses signed all-bits set combs, and if I understand correctly your patent specifically covers modified LSB-set combs, I don’t believe that my implementation has patent problems.  Again, this is a property of the implementation and not of the curve.
>
> I asked if you and/or the Microsoft legal team concurred with this analysis.  You said that your team was unaware of the patent and didn’t use it intentionally, but that you would ask legal if it happened to be covered, and whether they thought the Goldilocks code might be affected.  Nearly 6 months have passed and we haven’t heard anything from legal.  Do you have an update for us?
>
> Cheers,
> — Mike
>
> On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote:
>
> What happened to the earlier, vigorous arguments by Robert Ransom, Alyssa Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the curves based on large primes, would be covered by Microsoft IP?
>
> On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>>
>> On 25/02/2015 14:27, Alexey Melnikov wrote:
>>>
>>> CFRG chairs are starting another poll:
>>>
>>> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or "no") for each curve specified below:
>>>
>>> 1) 448 (Goldilocks)
>>> 2) 480
>>> 3) 521
>>> 4) other curve (please name another curve that you "prefer" or "accept", or state "no")
>>
>> Thank you for all responses.
>>
>> 521 - 6 preferred, 14 - acceptable
>> 448 - 16 preferred, 4 - acceptable
>>
>> Very few prefer others (512 NUMS, 480).
>>
>> So CFRG prefers curve 448.
>>>
>>>
>>> If you stated your curve preferences in the poll that ended on February 23rd (see the attachment), you don't need to reply to this poll, your opinion is already recorded. But please double check what chairs recorded (see the attachment).
>>>
>>> If you changed your mind or only answered the question about performance versa memory usage for curves 512 and 521, feel free to reply.
>>>
>>> Once this issues is settled, we will be discussing (in no particular order. Chairs reserve the right to add additional questions) implementation specifics and coordinate systems for Diffie-Hellman. We will then make decisions on signature schemes. Please don't discuss any of these future topics at this time.
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>
>
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>
>


_______________________________________________
Cfrg mailing list
Cfrg@irtf.org
http://www.irtf.org/mailman/listinfo/cfrg