Vin McLellan <me> wrote:
My comment was simply that the Hitachi patent claims set the stage for rumors that may shadow the AES choice for years. I think that is unfortunate. Personally, I think it is embarrassing that the Hitachi patents were ever issued.
Arnold G. Reinhold <reinhold@world.std.com> replied:
Maybe I am missing something, but what would be the big deal if NIST did take patent claims into account? There were five excellent candidates. If NIST picked Rijndael in part because it least likely to be tied up in court for the next N years, does that diminish their glory?
Myself, I wouldn't blame NIST if they factored, as you suggest, avoidance of endless legal hassles into their decision-making process. (Nor, when you come down to it, would I be shocked to discover that NIST subsequently lied, or issued misleading comments, about whether the Hitachi patent claims were a factor in their decision... just to keep the AES Process out of the Courts.) The Hitachi patents become an inevitable issue -- for conspiracy buffs, if no one else -- only because the winner was the single AES Finalist that Hitachi did not claim was infringing upon its "data rotation" crypto patents.(See <http://csrc.nist.gov/encryption/aes/round2/comments/20000410-sharano.pdf>) (This, in turn, becomes a little more complicated because, as Schneier et al argue, Rijndael -- despite *not* being mentioned in the Hitachi letter than tagged the other four Finalist -- seems to be as vulnerable, or not, to the Hitachi patents as the named four: MARS, RC6, TwoFish, and Serpent.) I don't think anything that (might have) happened in NIST's private AES deliberations can lessen the accomplishment of this historically open process of soliciting, evaluating, and choosing (to the extent that any final selection can be open;-) Rijndael as the AES, from among the five great cryptosystems that were AES Finalists. While I appreciate how difficult it is for many -- Yanks and non-Yanks (indeed, anyone who knows anything about US Crypto Politics and the historic subservience of NIST to the NSA) -- to dismiss the influence of the US signals intelligence agencies upon the AES process as negligible, I think we lucked out. In the aftermath of the flawed Clipper Chip fiasco -- the Fortezza disaster; the pro-crypto rebellion of the EC; with the steady deterioration of the NSA's stature mystique in Congress and among American businessmen, and the common presumption that electronic commerce is the economic engine for the first decade of the 21st Century -- I think we got an open AES review, and a reasonable final choice among the best cryptosystems that could be solicited from the most capable (non-governmental) cryptographers available. Hosanna! Skeptics may quibble on relative weight put on various stated criteria, but no one familiar with the professional stature, respective egos, and personal independence of the "AES cryptographers," as a group, is going to suggest that these development teams were tame, tainted with some spooky impulses to offer only so much crypto strength and no more. That a Belgian cryptosystem was eventually selected as the American AES may make it easier to dismiss those fears overseas, and may hasten the adoption of AES internationally. Full AES standardization and interoperability, a good thing, should come more quickly. Given the integrity of the larger AES process -- and the universal respect Rijndael seemed to win among all the cryptographers involved -- I think it is clear that the relative weight of the Hitachi patent claims in NIST's AES selection process was minor. Whether, minor or not, that impact might have shifted the balance from another contender to Rijndael is impossible to say. Unless, of course, you accept NIST's simple declaration in its Report on the Development of the AES: <http://csrc.nist.gov/encryption/aes/>, pg. 79. Noting that NISt had solicited, collected, and analyzed IP claims relevant to the AES candidates, the report baldly states: "...IP was not a factor in NIST's selection of the proposed AES algorithm." That says, I think, that no IP claims against the AES Finalists were substantive enough to influence the final selection. (As an American, of course, I believe that skepticism about the truthfulness of any governmental declarations is an inalienable right, as well as common sense.) NIST's bureaucratic language is also just cryptic enough to support alternative interpretations. How "not a factor?" A recent C'punk tirade about NIST, AES, and HItachi from the irrepressible John Young, patron and editor of the Cryptome website, beats this drum; Mr. Young seeks deep secrets, undocumented considerations, tell-all revelations. (My own feeling is that it may be a bit much to expect NIST to publicly piss all over valid US patents and the US PTO. Maybe a terse declaration like that in the AES Report is about all cynics should expect at this time.) Mind you, NIST's AES Report also explained that the AES (Rijndael) will be published as a FIPS with a pro forma warning that existing patents might lead to claims against users of the AES standard. In truth, I'm not sure how big a deal it would be if the Hitachi patents -- and inadequacies of the US PTO and its recent history of issuing unlikely and bizarre patents in IT -- were found to have been, despite current denials, a factor in the eventual selection of Rijndael over the other contenders. Politically, I suspect that hanging a "deciding factor" in the AES decision on the US Patent and Trademark Office (PTO) would not be a prudent thing for NIST executives to do, particularly in the heat of a Gore/Bush Presidential race. It might focus a lot of querulous public attention on the less than glorious track record of the US Patent Office under the Clinton/Gore Administration. I figure there are always a lot of things unspoken, certainly unreported, in any big policy decision like this. Who can doubt it? (Even the AES timetable -- with the decision dropped in the middle of a Presidential race -- seems to a cynic like me designed to give NIST its best chance for keeping the AES Selection Process open and above board.) Given the quality of all the Final Five, others might make as good a case for an (unacknowledged by NIST) pro-Rijndael bias by noting that only Rijndael and Serpent were "non-corporate" entries. Or that Rijndael and Serpent were the only non-American AES Finalists -- and that Rijndael's designers (unlike Serpent's team of Ross Anderson et al) seem to be comparatively unpolitical or apolitical. [I chuckle to think of the consternation at GCHQ and several British Ministries if Prof. Anderson -- long an articulate and effective critic of the UK's slide toward a "Surveillance Society" -- picked up the additional stature of being co-author of the AES.] One can blither through endless permutations. And some will. Cryptographic standards like the proposed AES will inevitably attract doubtful critics and conspiratorial rumors. I trust that the ongoing validation of Rijndael over the next few years will settle them. Suerte, _Vin