---------- Forwarded message ---------- From: D. J. Bernstein <djb@cr.yp.to> Date: Sun, Jan 5, 2014 at 1:36 AM Subject: [cryptography] ECC patent FUD revisited NSA's Kevin Igoe writes, on the semi-moderated cfrg@irtf.org list:

Certicom has granted permission to the IETF to use the NIST curves, and at least two of these, P256 and P384, have p = 3 mod 4. Not being a patent lawyer, I have no idea what impact the Certicom patents have on the use of newer families of curves, such as Edwards curves.

There are several interesting aspects to this patent FUD. Notice that the FUD is being used to argue against switching to curves that improve ECC security. Notice also the complete failure to specify any patent numbers---so the FUD doesn't have any built-in expiration date, and there's no easy way for the reader to investigate further. http://www.certicom.com/index.php/licensing/certicom-ip says that Certicom "discovered and patented many fundamental innovations" and has "more than 350 patents and patents pending worldwide". This sounds impressive until you look at what the portfolio actually contains. The reality is that Certicom has contributed essentially nothing to state-of-the-art ECC. Its patent portfolio consists of a few fringe ideas and a few obsolete ideas---nothing essential for mainstream ECC usage. Nobody needs MQV, for example: traditional DH achieves the same security goals in a much more straightforward way, and very few people notice the marginal performance benefit provided by MQV. The reason that Certicom has so many "patents and patents pending worldwide", despite having contributed so few ideas, is that it keeps splitting its patent applications. For example, the original MQV patent filings in early 1995 ended up being split into an incredibly redundant collection of US patents 5761305, 5889865, 5896455, 5933504, 6122736, 6487661, 7243232, 7334127, 7779259, 8090947, and 8209533, not to mention the corresponding non-US patents CA2237688, DE69636815, EP0873617, etc. ---Dan