Re: [Cfrg] IPR and algorithms (was Re: Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd))
Benjamin Black <b@b3k.us> Fri, 06 March 2015 03:07 UTC
Return-Path: <b@b3k.us>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30BD51AC3BB for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 19:07:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.976
X-Spam-Level:
X-Spam-Status: No, score=-1.976 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hwBCjiDH-dfG for <cfrg@ietfa.amsl.com>; Thu, 5 Mar 2015 19:07:33 -0800 (PST)
Received: from mail-ig0-f178.google.com (mail-ig0-f178.google.com [209.85.213.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 716F31AC3BE for <cfrg@irtf.org>; Thu, 5 Mar 2015 19:07:33 -0800 (PST)
Received: by igbhl2 with SMTP id hl2so917579igb.0 for <cfrg@irtf.org>; Thu, 05 Mar 2015 19:07:32 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=GWoEvgh/+PTfKwUfV3n6wSYc57MBiu/MxpIpzzPXZDE=; b=Hwe7WiN0TkTIRlIkwcx0UG1BygvvnJ+j0wE36GPbwBuAqSjSydrF5hykNUoCQKA9D+ rAsYl9PHkUD2SRH2aFCTXlO79dBVb20io2WIEHkJ9hllPSsOwMYAaLJOW68XPmF2MBI9 jxCySe39aY8brqhty+ctuWBpmBczztslnnsOepyo3iFTxeRPEdJnm4G86FBG7vngKzKn eTAoiIftzyFonQ5M/qVgLlbWWdCjvIdHNIK06itmoF7c14S/gFpBlJp9Jk2igwN/koyf B0v/l5wJ54pf7nTCJLifAqWItpMnQ6RI+IQi+d5fcOiDclWXCrGkIAyurSIpLKym5U26 Qvmw==
X-Gm-Message-State: ALoCoQnNZkAXLsIS6kLt3+vRiduSk09UeKMvbYy/uBmziJ8qcqMCeZKRdwF9V2BuB/MQa3uSS52B
X-Received: by 10.50.253.12 with SMTP id zw12mr50838361igc.24.1425611252691; Thu, 05 Mar 2015 19:07:32 -0800 (PST)
MIME-Version: 1.0
Received: by 10.36.28.145 with HTTP; Thu, 5 Mar 2015 19:07:12 -0800 (PST)
In-Reply-To: <CACsn0ckKPzjmsbpD4Fgwj+xK48EoX2guXna0PEXLJi1++i3fBQ@mail.gmail.com>
References: <CACsn0ckKPzjmsbpD4Fgwj+xK48EoX2guXna0PEXLJi1++i3fBQ@mail.gmail.com>
From: Benjamin Black <b@b3k.us>
Date: Thu, 05 Mar 2015 19:07:12 -0800
Message-ID: <CA+Vbu7x43edXddsi6KZUEjH2C7ba_xJ0nNTnOskBv_FtWs2MRw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a11346e3c4e1b04051095fc6e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/xuuHXZtrk3ZnzK7kbn6JMjh9WBc>
Cc: "cfrg@irtf.org" <cfrg@irtf.org>
Subject: Re: [Cfrg] IPR and algorithms (was Re: Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd))
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 03:07:41 -0000
There were serious claims made against us based on the assertion that there were techniques, specifically those described in the '907 patent, which were _required_ for efficient implementation. These assertions were then used to claim that we were attempting to bamboozle CFRG into some sort of patent troll trap. I bring this up now exactly because Ed448 has been selected. That selection makes clear the prior assertions about us were false and those who made the false claims should own up. On Thu, Mar 5, 2015 at 6:59 PM, Watson Ladd <watsonbladd@gmail.com> wrote: > On Mar 5, 2015 3:55 PM, "Benjamin Black" <b@b3k.us> wrote: > > > > As you say, it would be equally a problem for every curve, which was my > argument repeatedly rejected by Alyssa and Robert. As they have never made > a statement, public or private, of which I am aware withdrawing their > assertions, I can only assume they still believe what they said. If they > would like to pipe up and explain that they no longer hold those views > that'd be swell. > > The above ignores the substantial differences between original NUMS > and the proposals made last fall, and between curves and algorithms. > The original NUMS presentation placed a great deal of importance on > the specific algorithms discussed, and it was very clear that these > algorithms were the ones that the NUMS group wanted specified. > > It's a moot point when deciding : there are plenty of comb variations > that are not patented. But were we to have turned the NUMS proposal > into an RFC containing the algorithms presented, it would have been a > problem. I really don't see why we're wasting words on this debate: > Ed448 won out for other reason. > > Sincerely, > Watson Ladd > > > > > I cannot comment on Microsoft as I am no longer there. > > > > > > On Thu, Mar 5, 2015 at 3:41 PM, Michael Hamburg <mike@shiftleft.org> > wrote: > >> > >> Hi Benjamin, > >> > >> Robert Ransom was concerned about Microsoft’s paper and code release > possibly containing material based on the patent US7602907. This wasn’t > particularly to do with the curve, but with the combs algorithm for fast > fixed-point multiplications. If this is a problem with any curve, it’s > equally a problem for (implementations of) every curve. I believe that > Robert was motivated in this pursuit by a deep-seated conviction that > Microsoft was trying to pull something shady, but Alyssa and I just want to > make sure that the patent landscape is clear so that nobody infringes by > accident. > >> > >> Since my code uses signed all-bits set combs, and if I understand > correctly your patent specifically covers modified LSB-set combs, I don’t > believe that my implementation has patent problems. Again, this is a > property of the implementation and not of the curve. > >> > >> I asked if you and/or the Microsoft legal team concurred with this > analysis. You said that your team was unaware of the patent and didn’t use > it intentionally, but that you would ask legal if it happened to be > covered, and whether they thought the Goldilocks code might be affected. > Nearly 6 months have passed and we haven’t heard anything from legal. Do > you have an update for us? > >> > >> Cheers, > >> — Mike > >> > >>> On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote: > >>> > >>> What happened to the earlier, vigorous arguments by Robert Ransom, > Alyssa Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the > curves based on large primes, would be covered by Microsoft IP? > >>> > >>> On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov < > alexey.melnikov@isode.com> wrote: > >>>> > >>>> On 25/02/2015 14:27, Alexey Melnikov wrote: > >>>>> > >>>>> CFRG chairs are starting another poll: > >>>>> > >>>>> Q3: This is a Quaker poll (please answer one of "preferred", > "acceptable" or "no") for each curve specified below: > >>>>> > >>>>> 1) 448 (Goldilocks) > >>>>> 2) 480 > >>>>> 3) 521 > >>>>> 4) other curve (please name another curve that you "prefer" or > "accept", or state "no") > >>>> > >>>> Thank you for all responses. > >>>> > >>>> 521 - 6 preferred, 14 - acceptable > >>>> 448 - 16 preferred, 4 - acceptable > >>>> > >>>> Very few prefer others (512 NUMS, 480). > >>>> > >>>> So CFRG prefers curve 448. > >>>>> > >>>>> > >>>>> If you stated your curve preferences in the poll that ended on > February 23rd (see the attachment), you don't need to reply to this poll, > your opinion is already recorded. But please double check what chairs > recorded (see the attachment). > >>>>> > >>>>> If you changed your mind or only answered the question about > performance versa memory usage for curves 512 and 521, feel free to reply. > >>>>> > >>>>> Once this issues is settled, we will be discussing (in no particular > order. Chairs reserve the right to add additional questions) implementation > specifics and coordinate systems for Diffie-Hellman. We will then make > decisions on signature schemes. Please don't discuss any of these future > topics at this time. > >>>> > >>>> > >>>> _______________________________________________ > >>>> Cfrg mailing list > >>>>Cfrg@irtf.org > >>>>http://www.irtf.org/mailman/listinfo/cfrg > >>> > >>> > >>> _______________________________________________ > >>> Cfrg mailing list > >>>Cfrg@irtf.org > >>>http://www.irtf.org/mailman/listinfo/cfrg > >> > >> > > > > > > _______________________________________________ > > Cfrg mailing list > >Cfrg@irtf.org > >http://www.irtf.org/mailman/listinfo/cfrg > > > > As you say, it would be equally a problem for every curve, which was > my argument repeatedly rejected by Alyssa and Robert. As they have > never made a statement, public or private, of which I am aware > withdrawing their assertions, I can only assume they still believe > what they said. If they would like to pipe up and explain that they no > longer hold those views that'd be swell. > > I cannot comment on Microsoft as I am no longer there. > > As you say, it would be equally a problem for every curve, which was > my argument repeatedly rejected by Alyssa and Robert. As they have > never made a statement, public or private, of which I am aware > withdrawing their assertions, I can only assume they still believe > what they said. If they would like to pipe up and explain that they no > longer hold those views that'd be swell. > > I cannot comment on Microsoft as I am no longer there. > > > On Thu, Mar 5, 2015 at 3:41 PM, Michael Hamburg <mike@shiftleft.org> > wrote: > > > > Hi Benjamin, > > > > Robert Ransom was concerned about Microsoft’s paper and code release > possibly containing material based on the patent US7602907. This wasn’t > particularly to do with the curve, but with the combs algorithm for fast > fixed-point multiplications. If this is a problem with any curve, it’s > equally a problem for (implementations of) every curve. I believe that > Robert was motivated in this pursuit by a deep-seated conviction that > Microsoft was trying to pull something shady, but Alyssa and I just want to > make sure that the patent landscape is clear so that nobody infringes by > accident. > > > > Since my code uses signed all-bits set combs, and if I understand > correctly your patent specifically covers modified LSB-set combs, I don’t > believe that my implementation has patent problems. Again, this is a > property of the implementation and not of the curve. > > > > I asked if you and/or the Microsoft legal team concurred with this > analysis. You said that your team was unaware of the patent and didn’t use > it intentionally, but that you would ask legal if it happened to be > covered, and whether they thought the Goldilocks code might be affected. > Nearly 6 months have passed and we haven’t heard anything from legal. Do > you have an update for us? > > > > Cheers, > > — Mike > > > > On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote: > > > > What happened to the earlier, vigorous arguments by Robert Ransom, > Alyssa Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the > curves based on large primes, would be covered by Microsoft IP? > > > > On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov < > alexey.melnikov@isode.com> wrote: > >> > >> On 25/02/2015 14:27, Alexey Melnikov wrote: > >>> > >>> CFRG chairs are starting another poll: > >>> > >>> Q3: This is a Quaker poll (please answer one of "preferred", > "acceptable" or "no") for each curve specified below: > >>> > >>> 1) 448 (Goldilocks) > >>> 2) 480 > >>> 3) 521 > >>> 4) other curve (please name another curve that you "prefer" or > "accept", or state "no") > >> > >> Thank you for all responses. > >> > >> 521 - 6 preferred, 14 - acceptable > >> 448 - 16 preferred, 4 - acceptable > >> > >> Very few prefer others (512 NUMS, 480). > >> > >> So CFRG prefers curve 448. > >>> > >>> > >>> If you stated your curve preferences in the poll that ended on > February 23rd (see the attachment), you don't need to reply to this poll, > your opinion is already recorded. But please double check what chairs > recorded (see the attachment). > >>> > >>> If you changed your mind or only answered the question about > performance versa memory usage for curves 512 and 521, feel free to reply. > >>> > >>> Once this issues is settled, we will be discussing (in no particular > order. Chairs reserve the right to add additional questions) implementation > specifics and coordinate systems for Diffie-Hellman. We will then make > decisions on signature schemes. Please don't discuss any of these future > topics at this time. > >> > >> > >> _______________________________________________ > >> Cfrg mailing list > >> Cfrg@irtf.org > >> http://www.irtf.org/mailman/listinfo/cfrg > > > > > > _______________________________________________ > > Cfrg mailing list > > Cfrg@irtf.org > > http://www.irtf.org/mailman/listinfo/cfrg > > > > > > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg > > _______________________________________________ > Cfrg mailing list > Cfrg@irtf.org > http://www.irtf.org/mailman/listinfo/cfrg >
- [Cfrg] IPR and algorithms (was Re: Results of the… Watson Ladd
- Re: [Cfrg] IPR and algorithms (was Re: Results of… Benjamin Black
- Re: [Cfrg] IPR and algorithms (was Re: Results of… Harry Halpin