Rijndael & Hitachi

Vin McLellan vin at shore.net
Sun Oct 8 00:39:59 PDT 2000 

         Vin McLellan <me> wrote:

>>        My comment was simply that the Hitachi patent claims set the 
>> stage for rumors that may shadow the AES choice for years. I think that 
>> is unfortunate. Personally, I think it is embarrassing that the Hitachi 
>> patents were ever issued.

         Arnold G. Reinhold <reinhold at world.std.com> replied:

>Maybe I am missing something, but what would be the big deal if NIST did 
>take patent claims into account?  There were five excellent candidates. If 
>NIST picked Rijndael in part because it least likely to be tied up in 
>court for the next N years, does that diminish their glory?

         Myself, I wouldn't blame NIST if they factored, as you suggest, 
avoidance of endless legal hassles into their decision-making process.

         (Nor, when you come down to it, would I be shocked to discover 
that NIST subsequently lied, or issued misleading comments, about whether 
the Hitachi patent claims were a factor in their decision... just to keep 
the AES Process out of the Courts.)

         The Hitachi patents become an inevitable issue -- for conspiracy 
buffs, if no one else -- only because the winner was the single AES 
Finalist that Hitachi did not claim was infringing upon its "data rotation" 
crypto patents.(See 
<http://csrc.nist.gov/encryption/aes/round2/comments/20000410-sharano.pdf>)

         (This, in turn, becomes a little more complicated because, as 
Schneier et al argue, Rijndael -- despite *not* being mentioned in the 
Hitachi letter than tagged the other four Finalist -- seems to be as 
vulnerable, or not, to the Hitachi patents as the named four: MARS, RC6, 
TwoFish, and Serpent.)

         I don't think anything that (might have) happened in NIST's 
private AES deliberations can lessen the accomplishment of this 
historically open process of soliciting, evaluating, and choosing (to the 
extent that any final selection can be open;-) Rijndael as the AES, from 
among the five great cryptosystems that were AES Finalists.

         While I appreciate how difficult it is for many -- Yanks and 
non-Yanks (indeed, anyone who knows anything about US Crypto Politics and 
the historic subservience of NIST to the NSA) -- to dismiss the influence 
of the US signals intelligence agencies upon the AES process as negligible, 
I think we lucked out.

         In the aftermath of the flawed Clipper Chip fiasco -- the Fortezza 
disaster; the pro-crypto rebellion of the EC; with the steady deterioration 
of the NSA's stature mystique in Congress and among American businessmen, 
and the common presumption that electronic commerce is the economic engine 
for the first decade of the 21st Century -- I think we got an open AES 
review, and a reasonable final choice among the best cryptosystems that 
could be solicited from the most capable (non-governmental) cryptographers 
available.  Hosanna!

         Skeptics may quibble on relative weight put on various stated 
criteria, but no one familiar with the professional stature, respective 
egos, and personal independence of the "AES cryptographers," as a group, is 
going to suggest that these development teams were tame, tainted with some 
spooky impulses to offer only so much crypto strength and no more.

         That a Belgian cryptosystem was eventually selected as the 
American AES may make it easier to dismiss those fears overseas, and may 
hasten the adoption of AES internationally. Full AES standardization and 
interoperability, a good thing, should come more quickly.

         Given the integrity of the larger AES process -- and the universal 
respect Rijndael seemed to win among all the cryptographers involved -- I 
think it is clear that the relative weight of the Hitachi patent claims in 
NIST's AES selection process was minor.

         Whether, minor or not, that impact might have shifted the balance 
from another contender to Rijndael is impossible to say. Unless, of course, 
you accept NIST's simple declaration in its Report on the Development of 
the AES: <http://csrc.nist.gov/encryption/aes/>, pg. 79. Noting that NISt 
had solicited, collected, and analyzed IP claims relevant to the AES 
candidates, the report baldly states: "...IP was not a factor in NIST's 
selection of the proposed AES algorithm."

         That says, I think, that no IP claims against the AES Finalists 
were substantive enough to influence the final selection. (As an American, 
of course, I believe that skepticism about the truthfulness of any 
governmental declarations is an inalienable right, as well as common 
sense.) NIST's bureaucratic language is also just cryptic enough to support 
alternative interpretations. How "not a factor?"

         A recent C'punk tirade about NIST, AES, and HItachi from the 
irrepressible John Young, patron and editor of the Cryptome website, beats 
this drum; Mr. Young seeks deep secrets, undocumented considerations, 
tell-all revelations. (My own feeling is that it may be a bit much to 
expect NIST to publicly piss all over valid US patents and the US 
PTO.  Maybe a terse declaration like that in the AES Report is about all 
cynics should expect at this time.)

         Mind you, NIST's AES Report also explained that the AES (Rijndael) 
will be published as a FIPS with a pro forma warning that existing patents 
might lead to claims against users of the AES standard.

         In truth, I'm not sure how big a deal it would be if the Hitachi 
patents -- and inadequacies of the US PTO and its recent history of issuing 
unlikely and bizarre patents in IT -- were found to have been, despite 
current denials, a factor in the eventual selection of Rijndael over the 
other contenders.

         Politically, I suspect that hanging a "deciding factor" in the AES 
decision on the US Patent and Trademark Office (PTO) would not be a prudent 
thing for NIST executives to do, particularly in the heat of a Gore/Bush 
Presidential race. It might focus a lot of querulous public attention on 
the less than glorious track record of the US Patent Office under the 
Clinton/Gore Administration.

         I figure there are always a lot of things unspoken, certainly 
unreported, in any big policy decision like this. Who can doubt it?

         (Even the AES timetable -- with the decision dropped in the middle 
of a Presidential race -- seems to a cynic like me designed to give NIST 
its best chance for keeping the AES Selection Process open and above board.)

         Given the quality of all the Final Five, others might make as good 
a case for an (unacknowledged by NIST) pro-Rijndael bias by noting that 
only Rijndael and Serpent were "non-corporate" entries.

         Or that Rijndael and Serpent were the only non-American AES 
Finalists -- and that Rijndael's designers (unlike Serpent's team of Ross 
Anderson et al) seem to be comparatively unpolitical or apolitical.

         [I chuckle to think of the consternation at GCHQ and several 
British Ministries if Prof. Anderson -- long an articulate and effective 
critic of the UK's slide toward a "Surveillance Society" -- picked up the 
additional stature of being co-author of the AES.]

         One can blither through endless permutations. And some will. 
Cryptographic standards like the proposed AES will inevitably attract 
doubtful critics and conspiratorial rumors.  I trust that the ongoing 
validation of Rijndael over the next few years will settle them.

         Suerte,
                 _Vin

More information about the cypherpunks-legacy mailing list