Re: [Cfrg] Elliptic Curve patents

"D. J. Bernstein" <djb@cr.yp.to> Fri, 07 October 2016 23:13 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 475A1129473 for <cfrg@ietfa.amsl.com>; Fri, 7 Oct 2016 16:13:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mmzCXMmoGO-9 for <cfrg@ietfa.amsl.com>; Fri, 7 Oct 2016 16:13:47 -0700 (PDT)
Received: from calvin.win.tue.nl (calvin.win.tue.nl [131.155.70.11]) by ietfa.amsl.com (Postfix) with SMTP id 819FA12946C for <cfrg@irtf.org>; Fri, 7 Oct 2016 16:13:46 -0700 (PDT)
Received: (qmail 17573 invoked by uid 1017); 7 Oct 2016 23:13:43 -0000
Received: from unknown (unknown) by unknown with QMTP; 7 Oct 2016 23:13:43 -0000
Received: (qmail 4927 invoked by uid 1000); 7 Oct 2016 23:13:38 -0000
Date: 7 Oct 2016 23:13:38 -0000
Message-ID: <20161007231338.4926.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: cfrg@irtf.org
Mail-Followup-To: cfrg@irtf.org
In-Reply-To: <CAEseHRo8HPiyC62Q6wuXkC1THxFJDM+m9ivTRuMfif-AcUWE_w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/h_kopTHkQkde7MQ42UdJ748Zhag>
Subject: Re: [Cfrg] Elliptic Curve patents
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 23:13:49 -0000

Michael Scott writes:
> But I would read this as suggesting that Siemens holds a patent on
> twist secure curves (like GoldiLocks).

https://cr.yp.to/talks/2001.10.29/slides.ps gives an example of a curve
for ECC selected with 16*prime order. It summarizes the performance of
the Montgomery ladder and says "Twist has order 8*prime, so don't need
to check whether compressed input K_b is on curve."

https://groups.google.com/forum/message/raw?msg=sci.crypt/mu_paShEU3w/m491pYxHbtAJ
has a similar comment.

As far as I know, the first attempt to patent twist security was
http://www.freepatentsonline.com/DE10161138A1.html, but this was filed
in Germany after my slides were posted, so the slides automatically
count as prior art even if the "inventors" claim that they were first.

In the US, back then, there was a 1-year period after publication when
other people were free to file a patent on the same idea, as long as
they claimed that they had invented it earlier. For some reason this
1-year period was called a "grace period" rather than a "fraud period".
Anyway, Germany never had any similar rule, and as far as I know these
"inventors" didn't start filing for ECC patents in the US until many
years later.

---Dan