[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove SHOULD for elliptic curve groups in IKEv2



 > Through P1363, Certicom's intentions to patent point compression have
 > been public for some time.  The observation that point compression
 > is possible has been around for some years, there are several ways to
 > choose the meaning of the bit that encodes the second coordinate.
 > It's not at all clear that IKE's method infringes Certicom's, to my
 > actual knowledge.

 >From patent 6,141,420, claim 32:

32. A method according to claim 30 wherein said algebraic curve is an
elliptic curve of the form y.sup.2 +xy=x.sup.3 +ax.sup.2 +b and said other
coordinate is determined by solving a quadratic equation to provide two
possible values of said other coordinate, said identifying information
indicating the appropriate one of said values.

last bit of (y/x) would qualify for "identifying information". Many people
said that this claim is invalid, but claim is there along with others
(33,36,37).

 > I don't understand the claim about the co-factor.  How is it that
 > you claim the computation cannot be done with it?

It can be done, but if one peer uses xyc * G in place of "g^xy" then you
must use it as well, after somehow guessing that the peer is using it. If
xyc * G is patented, you cannot support ECC groups without patent violation.
The solutions are either to disallow cofactor multiplication in the shared
secret, or make sure it is not patented and then document what is the
meaning of g^xy for ECC, since it is logical to assume that "g^xy" is xy *
G.