Plenty of people gripe about PKP patents. Assume for the sake of argument that the patents will be upheld, that they are valid. What, exactly, is claimed? The RSA patent claims the RSA cryptosystem. So we don't use that. The Diffie-Hellman-Merkle patent claims all of public key cryptography; in particular it claims knapsack algorithms. So we don't use knapsacks. But does this patent really prevent us from using public key cryptosystems? I think not. Mind you, I'm only an amateur legal hacker, but this seems like a straightforward situtation. Consider use of another public key encryption scheme, say LUC encryption. Does use of this infringe the "public key" patent? Not directly, since we're not using knapsacks (presumably). We then look the equivalents doctine. From Blacks: Equivalents doctrine. In patent infringement law, doctrine of "equivalents" means that if two devices do the same work in substantially the same way and accomplish substantially the same result, they are the same, even though they differ in name, form, or shape. [...] A doctrine which declares that a device infringes a patented invention if it does the same work as the invention in substantially the same way, even if it is outside the literal terms of the claims of the patent. The doctrine prevents parties from infringing patents with impunity by making merely trivial changes in an invention. The more significant the patented invetion the greater the scope of this doctrine. So we have three criteria. "Same work" refers to function, "same way" refers to internal structure, "same result" refers to end product. Now public key cryptosystems all have the same function, to provide encryption and decryption with different keys. The result is the same at the end of each public key communication: a message has been passed securely from one end of the channel to the other. The structure, however, is completely different for the different systems. All three criteria must be satisfied in order for the equivalents doctrine to hold. The requirement of same structure is not satisfied. (Matt Miszewski has today offered to do legal research in anticipation of a patent fight. I'd like to ask him here to check out this theory with some references to case law.) RIPEM, as I understand it, came out originally with a different public key algorithm and later changed it. Perhaps Mark Henderson (who seems to have done some work on it) could comment. The equivalents doctrine seems to my mind to be a dual of the criteria required for patentability. There are four such criteria: statutory class (is it the right kind of thing), utility (is is good for anything), novelty (does it have new features), and unobviousness (does it have new results). The equivalence of function means that the utility of the two objects is the same. The equivalence of structure meanse that the new invention does not exhibit novelty. The equivalence of end result means that someone already thought of that before, i.e. it's obvious. Statutory class is the same for both, since if they're that close, they both are the kind of thing which might be patented. It is interesting as well to examine which can be patented: processes, machines, manufactures, compositions (of matter), and new uses of any of the above. Note that a bundle of properties and purposes, e.g. public key cryptography, is not patentable; it fails to specify structure, so any structure would be novel. The new use clause, though, is exceedingly scary. Under this class, existing equations could be used for different purposes and be separately patentable. For example, if you were to use the RSA equations for some purpose other that public key crypto and digital signature, that would be separately patentable. It behooves us all to think widely of possible applications and talk about them in order to make them part of the prior art. I'd like to see a document containing a good argument against the claim that all public key crypto is covered. It should have the full scholarly apparatus with it and an appendix explaining the apparatus to non-lawyers. This document could then be circulated widely, starting on sci.crypt. After that, developing a test case is easy. We would need for someone to write some public key crypto code (it need not be very complicated) and market it, claiming explicitly that the "public key" patent does not apply. We'd want them to be extremely loud in their claims, for example, writing the legal departments of all of the big RSADSI licensees and offering their wares for sale. If you could collect money, so much the better. This would almost invariably draw a lawsuit, since it so directly threatens RSADSI's business. Witness the speed with which the recent PGP board was asked to shut down. Assuming that we've already arranged for the up-front cost of legal defense, we'd be ready to go. Comments? Eric