[Cryptography] Anybody sorted out the MQV patent claims?

Phillip Hallam-Baker phill at hallambaker.com
Sat May 28 21:32:45 EDT 2016


On Sat, May 28, 2016 at 3:26 PM, Thierry Moreau <thierry.moreau at connotech.com> wrote:

> Hi,
>
> While looking at discrete logarithm signatures in relation with
> Diffie-Hellman key establishment, I (re-)discovered a whole facet of public
> key cryptography.
>
> Certicom is aggressive in asserting intellectual property rights in this
> area.
>
> In a 2005 letter to a standardization body, Certicom indicated four US
> patents as pertaining to the MQV protocol (two "continuation in part") and
> one European patent.
>
> US 5,896,455 --> US 5,761,305
>
> US 6,785,813 --> US 6,122,736 (EP 0 739 105)
>
> In all of these, the independent claims include the limitation that each
> party computes a digital signature value separate from the ephemeral D-H
> shared secret.
>
> However, the MTI (ref [47] in [0]) protocol (the seminal idea for MQV,
> HMQV, and OAKE [0] as well) precisely *avoids* such a signature value (and
> thus avoids the DSA-type vulnerability to ephemeral private random number
> leakage -- neat achievement).
>
> Thus, I see the above four patents as claiming something other than MQV.
> Anybody ever sorted this out?
>
> The question pertains to patents that appear either expired (in
> first-to-file jurisdictions) or about to expire (in first-to-invent
> jurisdiction). I ask because the technical issues at stake appear
> relatively simple: compare figure 2 in US 6,122,736 and/or claim 1 in EP 0
> 739 105 with the basic MQV operating principle.
>
> - Thierry Moreau
>
> [0] Andrew C. Yao and Yunlei Zhao, "A New Family of Implicitly
> Authenticated Diffie-Hellman Protocols", Cryptology ePrint Archive: Report
> 2011/035, http://eprint.iacr.org/2011/035


I don't know and I don't care.

The first patent has a priority date in 1995 so it has expired. The second
mentions a signature in the independent claim. I do not believe that an
authentication protocol should use a signature unless the purpose of the
exchange is to provide non-repudiation, in which case they should probably
just be signing the data.

Diffie Hellman is a fine key exchange protocol as it stands. All you really
need to provide authentication proofs to each party is for each side to
contribute a random nonce (to prevent replay attacks) and to push all the
output data through a one way function.

e^x, y -> e^xy
e^y, e -> e^xy

Agreed Key = H (e^xy + nx + ny)
Proof = <some one way function of agreed key >

If you want an ephemeral then use it as a mix in on the master key, not a
replacement for it.

I am sure there are examples of that protocol written down back in the
1980s. It works, it is robust. Recent Supreme Court precedent holds that
replacement of like with like is 'obvious' and so upgrading from DH to ECDH
isn't an enforceable claim.

I am pretty conservative when it comes to patent claims. I am sure that the
ContentGuard patent that I found the other month isn't actually enforceable,
but why risk it when the patent expires in 18 months and I will be hard
pressed to have a working demo by then anyway?

In this case, I don't think there is anything to worry about but as always,
I am not a lawyer, use at your own risk. If you want to pay me I can give
an expert opinion but nobody is an infallible expert in what a jury might
decide.
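
The exchange sketched in the reply above (static Diffie-Hellman, a nonce from each side, everything pushed through a one-way function, an optional ephemeral mixed into the master key), as an added example that is not part of the original post. Assumptions: "+" is read as concatenation, H is SHA-256, the proof is HMAC-SHA256 over a role label, the group is a toy one so the code runs on the standard library alone, and all function names are hypothetical.

```python
import hashlib, hmac, secrets

# Toy group for illustration only (assumption): arithmetic mod the prime
# 2**255 - 19 with base 2. A deployment would use a vetted DH group or curve.
P = 2**255 - 19
G = 2
LEN = 32  # byte length of encoded group elements and of nonces

def keypair():
    """Long-term DH key: private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def _shared(own_priv, peer_pub):
    if not 1 < peer_pub < P - 1:      # reject 0, 1, p-1 and out-of-range values
        raise ValueError("bad peer public value")
    return pow(peer_pub, own_priv, P).to_bytes(LEN, "big")

def agreed_key(own_priv, peer_pub, n_init, n_resp):
    """H(g^xy || n_init || n_resp); fixed lengths keep the encoding unambiguous."""
    if len(n_init) != LEN or len(n_resp) != LEN:
        raise ValueError("bad nonce length")
    return hashlib.sha256(_shared(own_priv, peer_pub) + n_init + n_resp).digest()

def proof(key, role):
    """One-way function of the agreed key; the role label stops reflection."""
    return hmac.new(key, b"proof:" + role, hashlib.sha256).digest()

def verify(key, role, tag):
    return hmac.compare_digest(proof(key, role), tag)

def mix_ephemeral(master_key, eph_priv, peer_eph_pub):
    """Mix an ephemeral DH result into the master key instead of replacing it."""
    return hashlib.sha256(master_key + _shared(eph_priv, peer_eph_pub)).digest()

def demo():
    x, gx = keypair()                 # initiator's long-term key
    y, gy = keypair()                 # responder's long-term key
    nx, ny = secrets.token_bytes(LEN), secrets.token_bytes(LEN)
    k_i = agreed_key(x, gy, nx, ny)   # initiator: (g^y)^x
    k_r = agreed_key(y, gx, nx, ny)   # responder: (g^x)^y
    old_tag = proof(k_r, b"responder")
    ok = k_i == k_r and verify(k_i, b"responder", old_tag)
    # Replay check: the old responder proof is tested against a fresh nx.
    k_new = agreed_key(x, gy, secrets.token_bytes(LEN), ny)
    return ok, not verify(k_new, b"responder", old_tag)

if __name__ == "__main__":
    print(demo())
```
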