[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Remove SHOULD for elliptic curve groups in IKEv2



For point compression, the claim seems quite broad, flying in the face
of prior art, as you note that others have noted.

Your explanation of co-factors with ECC sheds no light on the matter
for me.  I'll note as an aside that because IKE requires Sophie-Germain
primes, this is note an issue for modexp groups, either.

Hilarie

Andrey Jivsov wrote:

>  > Through P1363, Certicom's intentions to patent point compression have
>  > been public for some time.  The observation that point compression
>  > is possible has been around for some years, there are several ways to
>  > choose the meaning of the bit that encodes the second coordinate.
>  > It's not at all clear that IKE's method infringes Certicom's, to my
>  > actual knowledge.
> 
>  >From patent 6,141,420, claim 32:
> 
> 32. A method according to claim 30 wherein said algebraic curve is an
> elliptic curve of the form y.sup.2 +xy=x.sup.3 +ax.sup.2 +b and said other
> coordinate is determined by solving a quadratic equation to provide two
> possible values of said other coordinate, said identifying information
> indicating the appropriate one of said values.
> 
> last bit of (y/x) would qualify for "identifying information". Many people
> said that this claim is invalid, but claim is there along with others
> (33,36,37).
> 
>  > I don't understand the claim about the co-factor.  How is it that
>  > you claim the computation cannot be done with it?
> 
> It can be done, but if one peer uses xyc * G in place of "g^xy" then you
> must use it as well, after somehow guessing that the peer is using it. If
> xyc * G is patented, you cannot support ECC groups without patent violation.
> The solutions are either to disallow cofactor multiplication in the shared
> secret, or make sure it is not patented and then document what is the
> meaning of g^xy for ECC, since it is logical to assume that "g^xy" is xy *
> G.
> 
> 
> 
>