Re: [Cfrg] Results of the poll: Elliptic Curves - preferred curves around 256bit work factor (ends on March 3rd)

[Michael Hamburg <mike@shiftleft.org>]

Hi Benjamin,

Robert Ransom was concerned about Microsoft’s paper and code release possibly containing material based on the patent US7602907.  This wasn’t particularly to do with the curve, but with the combs algorithm for fast fixed-point multiplications.  If this is a problem with any curve, it’s equally a problem for (implementations of) every curve.  I believe that Robert was motivated in this pursuit by a deep-seated conviction that Microsoft was trying to pull something shady, but Alyssa and I just want to make sure that the patent landscape is clear so that nobody infringes by accident.

Since my code uses signed all-bits set combs, and if I understand correctly your patent specifically covers modified LSB-set combs, I don’t believe that my implementation has patent problems.  Again, this is a property of the implementation and not of the curve.

I asked if you and/or the Microsoft legal team concurred with this analysis.  You said that your team was unaware of the patent and didn’t use it intentionally, but that you would ask legal if it happened to be covered, and whether they thought the Goldilocks code might be affected.  Nearly 6 months have passed and we haven’t heard anything from legal.  Do you have an update for us?

Cheers,
— Mike

> On Mar 5, 2015, at 3:22 PM, Benjamin Black <b@b3k.us> wrote:
> 
> What happened to the earlier, vigorous arguments by Robert Ransom, Alyssa Rowan and Mike Hamburg that Goldilocks448, and perhaps all of the curves based on large primes, would be covered by Microsoft IP?
> 
> On Thu, Mar 5, 2015 at 3:11 PM, Alexey Melnikov <alexey.melnikov@isode.com <mailto:alexey.melnikov@isode.com>> wrote:
> On 25/02/2015 14:27, Alexey Melnikov wrote:
> CFRG chairs are starting another poll:
> 
> Q3: This is a Quaker poll (please answer one of "preferred", "acceptable" or "no") for each curve specified below:
> 
> 1) 448 (Goldilocks)
> 2) 480
> 3) 521
> 4) other curve (please name another curve that you "prefer" or "accept", or state "no")
> Thank you for all responses.
> 
> 521 - 6 preferred, 14 - acceptable
> 448 - 16 preferred, 4 - acceptable
> 
> Very few prefer others (512 NUMS, 480).
> 
> So CFRG prefers curve 448.
> 
> If you stated your curve preferences in the poll that ended on February 23rd (see the attachment), you don't need to reply to this poll, your opinion is already recorded. But please double check what chairs recorded (see the attachment).
> 
> If you changed your mind or only answered the question about performance versa memory usage for curves 512 and 521, feel free to reply.
> 
> Once this issues is settled, we will be discussing (in no particular order. Chairs reserve the right to add additional questions) implementation specifics and coordinate systems for Diffie-Hellman. We will then make decisions on signature schemes. Please don't discuss any of these future topics at this time.
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org <mailto:Cfrg@irtf.org>
> http://www.irtf.org/mailman/listinfo/cfrg <http://www.irtf.org/mailman/listinfo/cfrg>
> 
> _______________________________________________
> Cfrg mailing list
> Cfrg@irtf.org
> http://www.irtf.org/mailman/listinfo/cfrg