[Cryptography] Large companies sued for using Elliptic Curve TLS?

Phillip Hallam-Baker phill at hallambaker.com
Tue Dec 1 12:48:52 EST 2015

On Tue, Dec 1, 2015 at 10:08 AM, John Levine <johnl at iecc.com> wrote:

> In article <20151201070719.10e0cafa at jabberwock.cb.piermont.com> you write:
> >Anyone know anything about this? The claim is huge numbers of
> >companies (that is, end users like Macy's and GoPro) are being sued by
> >a patent troll for using elliptic curve cryptography on their web
> >sites.
> >
> >http://www.theregister.co.uk/2015/12/01/cryptopeak_sues_/
> The patent in question is 6,202,150.  Here's the first claim:
> 1. A method and apparatus for generating public keys and a proof that
>  the keys were generated by a specific algorithm comprising the steps of:
>  the user's system generating a random string of bits based on system
>  parameters;
>  the user running a key generation algorithm to get a secret key and
>  public key using the random string and public parameters;
>  the user constructing a proof being a string of bits whose public
>  availability does not compromise the secret key and wherein said
>  constructing of said proof requires access to said secret key, but at
>  the same time said proof provides confidence to at least one of a
>  plurality of other entities that said public key was generated
>  properly by the specified algorithm, and wherein said confidence is
>  gained without having access to any portion of said secret key.
> Perhaps I'm dim, but isn't that just a description of certificate
> signing?  It couldn't possibly have been novel in 1997 when this
> patent was filed.
> That suggests this is the usual shakedown in which the patent owner knows
> it's invalid, but is willing to settle for less than it would cost to
> invalidate it.
> R's,
> John

No, the operative clause is "and a proof that the keys were generated by a
specific algorithm"

What is being claimed here is the invention of a method that allows relying
parties to verify that a public key has been generated securely without
compromise to the key itself.

There are certainly novel ways of doing that, in fact I have a patent
application in process that suggests a new one.

I suspect that the basis of their claim is that shared ECC parameters are
part of the public key and those are in fact subject to public review, see
CFRG process. But that also fails. "wherein said constructing of said proof
requires access to said secret key" The generation of a curve does not
require knowledge of any private key in any of the crypto schemes we use.
The generation of shared parameters does not require knowledge of a private
key by definition.

I have found that in the typical patent case that I am involved in, I am
the first person with specific expertise review the patent for either side
and usually that is a few weeks before the initial findings have to be
submitted. This looks like something that a non-expert might imagine would
be done in TLS. But as it happens, the protocol doesn't support anything of
the sort.

Sometimes the plaintiffs are so ignorant of the weakness of the claims that
they go looking for punishment. I was due to give a deposition last month
as a third party. When the plaintiff discovered that in the ordinary course
of business I regularly refer to the original PEM specs that the patent
application in question was simply a copy of, they dropped the case
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20151201/a3c9f398/attachment.html>

More information about the cryptography mailing list