Re: [Cfrg] IPR and algorithms (was Re: Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd))

Harry Halpin <hhalpin@w3.org> Fri, 06 March 2015 03:34 UTC

Return-Path: <hhalpin@w3.org>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48D611AC402 for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 19:34:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVsiDNc57evg for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 19:34:05 -0800 (PST)
Received: from jay.w3.org (ssh.w3.org [128.30.52.60]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B23331AC41E for <cfrg@irtf.org>; Thu, 5 Mar 2015 19:34:02 -0800 (PST)
Received: from [199.254.238.154] (helo=[172.27.0.12]) by jay.w3.org with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.72) (envelope-from <hhalpin@w3.org>) id 1YTj1U-00027T-7k; Thu, 05 Mar 2015 22:34:00 -0500
Message-ID: <54F92025.2080709@w3.org>
Date: Fri, 06 Mar 2015 04:33:57 +0100
From: Harry Halpin <hhalpin@w3.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, Benjamin Black <b@b3k.us>
References: <CACsn0ckKPzjmsbpD4Fgwj+xK48EoX2guXna0PEXLJi1++i3fBQ@mail.gmail.com>
In-Reply-To: <CACsn0ckKPzjmsbpD4Fgwj+xK48EoX2guXna0PEXLJi1++i3fBQ@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/wLeCHUX78Wat5zjvgeU5VE96RZY>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] IPR and algorithms (was Re: Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd))
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 03:34:08 -0000



On 03/06/2015 03:59 AM, Watson Ladd wrote:
> On Mar 5, 2015 3:55 PM, "Benjamin Black" <b@b3k.us> wrote:
>>
>> As you say, it would be equally a problem for every curve, which was my argument repeatedly rejected by Alyssa and Robert. As they have never made a statement, public or private, of which I am aware withdrawing their assertions, I can only assume they still believe what they said. If they would like to pipe up and explain that they no longer hold those views that'd be swell.
> 
> The above ignores the substantial differences between original NUMS
> and the proposals made last fall, and between curves and algorithms.
> The original NUMS presentation placed a great deal of importance on
> the specific algorithms discussed, and it was very clear that these
> algorithms were the ones that the NUMS group wanted specified.
> 
> It's a moot point when deciding : there are plenty of comb variations
> that are not patented. But were we to have turned the NUMS proposal
> into an RFC containing the algorithms presented, it would have been a
> problem. I really don't see why we're wasting words on this debate:
> Ed448 won out for other reason.

Although I am not a lawyer, I think possible patents are an issue that
can be solved and should not prevent CFRG from making the *technically*
correct choice.

As stated before, *if* CFRG clearly recommends elliptic curves to IETF
TLS and W3C WebCrypto, the W3C WebCrypto WG will specify in either the
body of the main W3C WebCrypto Recommendation or (depending on timing of
CFRG recommendation) in other Recommendation-track drafts the curves
once the implementers decide they are mature.

Given patent agreements already exist from Microsoft, IBM, and many
other large companies in the W3C, we would believe that any patents on
the particular implementations of these curves would be available under
a W3C royalty-free license, and any challenges by patent trolls would
have to cope with W3C's patent policy.

    cheers,
       harry
> 
> Sincerely,
> Watson Ladd
> 
>>
>> I cannot comment on Microsoft as I am no longer there.
>>
>>
>> On Thu, Mar 5, 2015 at 3:41 PM, Michael Hamburg <mike@shiftleft.org> wrote:
>>>
>>> Hi Benjamin,
>>>
>>> Robert Ransom was concerned about Microsoft’s paper and code release possibly containing material based on the patent US7602907.  This wasn’t particularly to do with the curve, but with the combs algorithm for fast fixed-point multiplications.  If this is a problem with any curve, it’s equally a problem for (implementations of) every curve.  I believe that Robert was motivated in this pursuit by a deep-seated conviction that Microsoft was trying to pull something shady, but Alyssa and I just want to make sure that the patent landscape is clear so that nobody infringes by accident.
>>>
>>> Since my code uses signed all-bits set combs, and if I understand correctly your patent specifically covers modified LSB-set combs, I don’t believe that my implementation has patent problems.  Again, this is a property of the implementation and not of the curve.
>>>
>>> I asked if you and/or the Microsoft legal team concurred with this analysis.  You said that your team was unaware of the patent and didn’t use it intentionally, but that you would ask legal if it happened to be covered, and whether they thought the Goldilocks code might be affected.  Nearly 6 months have passed and we haven’t heard anything from legal.  Do you have an update for us?
>>>
>>> Cheers,
>>> — Mike
>>>
>>>> On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote:
>>>>
>>>> What happened to the earlier, vigorous arguments by Robert Ransom, Alyssa Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the curves based on large primes, would be covered by Microsoft IP?
>>>>
>>>> On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>>>>>
>>>>> On 25/02/2015 14:27, Alexey Melnikov wrote:
>>>>>>
>>>>>> CFRG chairs are starting another poll:
>>>>>>
>>>>>> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or "no") for each curve specified below:
>>>>>>
>>>>>> 1) 448 (Goldilocks)
>>>>>> 2) 480
>>>>>> 3) 521
>>>>>> 4) other curve (please name another curve that you "prefer" or "accept", or state "no")
>>>>>
>>>>> Thank you for all responses.
>>>>>
>>>>> 521 - 6 preferred, 14 - acceptable
>>>>> 448 - 16 preferred, 4 - acceptable
>>>>>
>>>>> Very few prefer others (512 NUMS, 480).
>>>>>
>>>>> So CFRG prefers curve 448.
>>>>>>
>>>>>>
>>>>>> If you stated your curve preferences in the poll that ended on February 23rd (see the attachment), you don't need to reply to this poll, your opinion is already recorded. But please double check what chairs recorded (see the attachment).
>>>>>>
>>>>>> If you changed your mind or only answered the question about performance versa memory usage for curves 512 and 521, feel free to reply.
>>>>>>
>>>>>> Once this issues is settled, we will be discussing (in no particular order. Chairs reserve the right to add additional questions) implementation specifics and coordinate systems for Diffie-Hellman. We will then make decisions on signature schemes. Please don't discuss any of these future topics at this time.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Cfrg mailing list
>>>>> Cfrg@irtf.org
>>>>> http://www.irtf.org/mailman/listinfo/cfrg
>>>>
>>>>
>>>> _______________________________________________
>>>> Cfrg mailing list
>>>> Cfrg@irtf.org
>>>> http://www.irtf.org/mailman/listinfo/cfrg
>>>
>>>
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
> 
> As you say, it would be equally a problem for every curve, which was
> my argument repeatedly rejected by Alyssa and Robert. As they have
> never made a statement, public or private, of which I am aware
> withdrawing their assertions, I can only assume they still believe
> what they said. If they would like to pipe up and explain that they no
> longer hold those views that'd be swell.
> 
> I cannot comment on Microsoft as I am no longer there.
> 
> As you say, it would be equally a problem for every curve, which was
> my argument repeatedly rejected by Alyssa and Robert. As they have
> never made a statement, public or private, of which I am aware
> withdrawing their assertions, I can only assume they still believe
> what they said. If they would like to pipe up and explain that they no
> longer hold those views that'd be swell.
> 
> I cannot comment on Microsoft as I am no longer there.
> 
> 
> On Thu, Mar 5, 2015 at 3:41 PM, Michael Hamburg <mike@shiftleft.org> wrote:
>>
>> Hi Benjamin,
>>
>> Robert Ransom was concerned about Microsoft’s paper and code release possibly containing material based on the patent US7602907.  This wasn’t particularly to do with the curve, but with the combs algorithm for fast fixed-point multiplications.  If this is a problem with any curve, it’s equally a problem for (implementations of) every curve.  I believe that Robert was motivated in this pursuit by a deep-seated conviction that Microsoft was trying to pull something shady, but Alyssa and I just want to make sure that the patent landscape is clear so that nobody infringes by accident.
>>
>> Since my code uses signed all-bits set combs, and if I understand correctly your patent specifically covers modified LSB-set combs, I don’t believe that my implementation has patent problems.  Again, this is a property of the implementation and not of the curve.
>>
>> I asked if you and/or the Microsoft legal team concurred with this analysis.  You said that your team was unaware of the patent and didn’t use it intentionally, but that you would ask legal if it happened to be covered, and whether they thought the Goldilocks code might be affected.  Nearly 6 months have passed and we haven’t heard anything from legal.  Do you have an update for us?
>>
>> Cheers,
>> — Mike
>>
>> On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote:
>>
>> What happened to the earlier, vigorous arguments by Robert Ransom, Alyssa Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the curves based on large primes, would be covered by Microsoft IP?
>>
>> On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov <alexey.melnikov@isode.com> wrote:
>>>
>>> On 25/02/2015 14:27, Alexey Melnikov wrote:
>>>>
>>>> CFRG chairs are starting another poll:
>>>>
>>>> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or "no") for each curve specified below:
>>>>
>>>> 1) 448 (Goldilocks)
>>>> 2) 480
>>>> 3) 521
>>>> 4) other curve (please name another curve that you "prefer" or "accept", or state "no")
>>>
>>> Thank you for all responses.
>>>
>>> 521 - 6 preferred, 14 - acceptable
>>> 448 - 16 preferred, 4 - acceptable
>>>
>>> Very few prefer others (512 NUMS, 480).
>>>
>>> So CFRG prefers curve 448.
>>>>
>>>>
>>>> If you stated your curve preferences in the poll that ended on February 23rd (see the attachment), you don't need to reply to this poll, your opinion is already recorded. But please double check what chairs recorded (see the attachment).
>>>>
>>>> If you changed your mind or only answered the question about performance versa memory usage for curves 512 and 521, feel free to reply.
>>>>
>>>> Once this issues is settled, we will be discussing (in no particular order. Chairs reserve the right to add additional questions) implementation specifics and coordinate systems for Diffie-Hellman. We will then make decisions on signature schemes. Please don't discuss any of these future topics at this time.
>>>
>>>
>>> _______________________________________________
>>> Cfrg mailing list
>>> Cfrg@irtf.org
>>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
>> _______________________________________________
>> Cfrg mailing list
>> Cfrg@irtf.org
>> http://www.irtf.org/mailman/listinfo/cfrg
>>
>>
> 
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg
>