[Cryptography] To what is Anderson referring here?

Jerry Leichter leichter at lrw.com
Wed Jun 4 22:05:36 EDT 2014


On Jun 4, 2014, at 8:50 PM, Kevin W. Wall <kevin.w.wall at gmail.com> wrote:
>> If the only real effect of crypto patents is to make the subject of the patent unavailable to the public for the patent's lifetime, then patenting of such material does not fulfill the public interest goals of making inventions broadly available.  From a practical point of view, if it can be shown that patents in this area are essentially worthless - you pay to get a piece of paper, but no one will buy what you're selling - it might be easier to convince people to freely license their patents (assuming they get them at all).
> OT wrt TC, but as long as we're discussing crypto patents, wouldn't it
> depend on how viable the alternatives are? For instance, if you wanted
> to do signature blinding, didn't Chaum's and Brands' patents about cover
> all other conceivable alternatives? Of course maybe there was not that
> much of a market for signature blinding once the digital cash market
> spun out. Of course, in general, I'd agree with you, but I think it's usually
> because there's some other way--albeit not as efficient--to achieve
> similar outcomes.
There are generally design-arounds available for most patents in most areas - albeit at additional cost, complexity, whatever.  What's interesting in the crypto area in particular is that in many cases there are no practical work-arounds.  What you might then expect is that there would be an active interest in licensing.  But, for whatever reason, that doesn't appear to happen.  Instead, the functionality that the patent could deliver is simply never marketed.

I suspect a big part of this is that the *economic* value of the functionality - i.e., the value that customers are actually willing to put down their money for - is actually quite small.  Selling crypto is hard in general; selling "better" crypto at greater cost is even harder.  As I said, an interesting subject for a master's thesis.  (Expand it to a general study of the economics of cryptography and you might have a PhD, though there's already work in this field.)

A personal story:  Many years ago, I was asked to design and implement a cryptographic protocol to use with a product the small company I was working for was selling.  This was back in the day when export of crypto went through DoD, and you couldn't export anything with symmetric keys longer than 40 bits.  (There were other unwritten rules, such as if you used anything other than DES, you would probably be denied.)

It turned out that IBM had developed a scheme, called something like the Data Masking Facility, for expanding a 40-bit key into a 56-bit key for use with DES.  (Yes, I know, real rocket science.)  The big selling point:  NSA/DoD had effectively (again, nothing in the official writing) pre-approved systems using DMF for export.  The gotcha:  DMF was patented.  I approached IBM about a license, which they were glad to provide.  For some absurd amount - I think there was a base plus a couple of percent of the total value of the product in which DMF was embedded.  We were a startup; there was no way we would give away that big a piece of our product.

I wonder if anyone ever licensed DMF.

This was a case for design-around.  I designed my own bit of "rocket science" in a different protocol.  I was actually rather proud of it - rather than using a 40-bit key, it used a full 56-bit key but included the encryption of 16 bits - using a key we would share with NSA - in the negotiation.  Except that it wasn't quite like that:  It was set up so that NSA could do its 2^40 brute force search, recognize when they had the right 40 bits, then use them plus a shared secret to recover the remaining 16 bits.  I submitted all this to NSA, but right around that time, enforcement of the crypto regs moved from DoD to State.  All movement stalled while they figured out what they would do.  Eventually the policy became "you can ship unless we say no in 90 days" or something like that, and they almost never said no.  I never heard back from NSA, DoD, or State; and we ended up losing all interest in crypto in our product for several years.  Later, I designed and implemented an entirely different protocol based on full AES.
                                                        -- Jerry


