Newsgroups: sci.crypt
Path: msuinfo!caen!zaphod.mps.ohio-state.edu!rpi!batcomputer!cornell!rochester!cantaloupe.srv.cs.cmu.edu!mnr
From: mnr+@cs.cmu.edu (Marc Ringuette)
Subject: Re: Pretty Good (tm) Privacy
Message-ID: <1992Jan22.175033.72072@cs.cmu.edu>
Date: Wed, 22 Jan 92 17:50:33 GMT
Organization: School of Computer Science, Carnegie Mellon
Nntp-Posting-Host: daisy.learning.cs.cmu.edu
Lines: 419

> I get the impression that if Phil were to rewrite (hint, hint) his
> package using the discrete logarathm aproach instead of the modular
> prime approach all would be well in patent land and we could use it.

Nope.  It's worth reposting the following summary of the patents owned
by Public Key Partners.  Note that the RSA patent is not the one with
the strongest claim -- the earlier Hellman, Merkle patent (the 2nd in
this list) contains, in claim 1, a very general description of a public
key cryptosystem.  It may be challengeable, but would almost certainly
have to be challenged before a company could sell a non-RSA public key
system.

--Marc


From: gordoni@chook.ua.oz (Gordon Irlam)
Subject: Re: rpem: RSA patent questions
Date: 20 May 91 18:35:18 GMT
Sender: news@ucs.adelaide.edu.au
Followup-To: sci.crypt
Nntp-Posting-Host: chook.ua.oz.au

Here is a brief synopsis of the four U.S. patents controlled by Public
Key Partners relating to public key cryptography.  The patents cover
much more than the RSA algorithm.  Indeed from the point of view of
trying to invent around them the RSA patent is probably one of the two
less significant patents.  Most of the patents have claims of a very
broad scope, and taken together it is hard to see how it would be
possible to write any public key cryptosystem or other similar program
without risking the possibility of infringing one or more patents.

Note, an object infringes a patent if all the features listed in any
one claim of the patent are present in the object.  Typically a patent
will include many overlapping claims.  So that if one claim is ruled
invalid by a court the other claims will still stand.

I have picked out what I consider to be the more significant claims.
In most cases both method and apparatus claims are made.  I will just
mention one or the other.

If in reading this you feel that the establishment of such patent
monopolies is likely to effect your freedom to program you might like
to consider joining the League for Programming Freedom (send e-mail to
league@ai.mit.edu).

                                         Gordon Irlam
                                         (gordoni@cs.adelaide.edu.au)

---------------------------------------------------------------------

U.S. Patent Number: 4200770
Title: Cryptographic Apparatus and Method
Inventors: Hellman, Diffie, Merkle
Assignee: Stanford University
Filed: September 6, 1977
Granted: April 29, 1980
[Expires: April 28, 1997]

[Deals with schemes for establishing a secret key for use by a
conventional cryptographic system without revealing the key to an
eavesdropper.

This patent contains a very broad claim relating to secret key
exchange.

The scheme described differs from "pure" public key cryptography in
that a conventional cryptographic system is used for communication,
although the applications of both types of systems are very similar.

The instance given is that of exponential key exchange, viz,

Party 1 generates a random number, X1, which is kept secret, and
transmits Y1 to party 2, where

    Y1 = (a^X1) mod q

Party 2 generates a random number, X2, which is kept secret, and
transmits Y2 to party 1, where

    Y2 = (a^X2) mod q

Parties 1 and 2 can then both evaluate K, where

    K = (a^(X1 * X2)) mod q

      == (Y2^X1) mod q
      == (Y1^X2) mod q

which is then used as the key for a conventional cryptosystem.  Any
eavesdropper who has only seen Y1 and Y2 has no computationally
feasible way of evaluating K.]

What is claimed is:

1. A secure key generator comprising:
  a first input connected to receive an applied first signal;
  a second input connected to receive an applied second signal;
  a first output;
  a second output; and
  means for generating at the first output a third signal, that is a
    transformation of said first signal and which transformation is
    infeasible to invert, and for generating at the second output a
    fourth signal, that is a transformation of said second signal with
    said first signal, which represents a secure key and is infeasible
    to generate solely with said second signal and said third signal.

[To understand this claim consider the example of exponential key
exchange given above.  The arrangement is as shown below.

                              4th signal
                           K = (Y2^X1) mod q
                                   ^
                                   |
                                   |
             2nd signal -----> secure key -----> 3rd signal
         Y2 = (a^X2) mod q     generator      Y1 = (a^X1) mod q
                                   ^
                                   |
                                   |
                              1st signal
                         X1 (and possibly a, q)

But note, this claim does not just apply to the example of exponential
key exchange, it is likely to apply to virtually any possible form of
secret key exchange.]

2. [Performing the above generic operation at a transmitter, and a
receiver to generate a secure cipher key, and using the secure cipher
key to encipher and decipher a message sent from the transmitter to the
receiver.]

3. In a method of communicating securely over an insecure communication
channel as in claim 2, further comprising:
  authenticating the receiver's identity at the transmitter from the
    receiver's ability to generate the fourth signal, representing the
    secure cipher key.

4. [Performing the aforementioned generic operation between a
transmitter, and a receiver to generate a secure cipher key.]

8. [Performing exponential key exchange between two key generators to
generate a secure cipher key.]

---------------------------------------------------------------------

U.S. Patent Number: 4218582
Title: Public Key Cryptographic Apparatus and Method
Inventors: Hellman, Merkle
Assignee: The Board of Trustees of the Leland Stanford Junior University
Filed: October 6, 1977
Granted: August 19, 1980
[Expires: August 18, 1997]

[Deals with public key cryptography.

This patent contains a very broad claim relating to public key
cryptosystems.

The instance given is that of trapdoor knapsack systems.

I would think that the validity of many of the claims in this patent
are open to challenge.  The disclosure contained in a patent is
supposed to explain to one skilled in the art how to construct the
patented invention.  This patent does not do this because the scheme
given does not work.  That is the trapdoor knapsack system is not an
example of a public key cryptosystem because the trapdoor knapsack
system has failed as a cryptosystem.  Between 1982 and 1984
successively more powerful attacks on trapdoor knapsack systems were
made, culminating in the demolition of a system that performed multiple
iterations of the trapdoor knapsack algorithm.  Diffie speaks of these
events thus,

      "The press wrote that knapsacks were dead.  I was skeptical but
  ventured that the results were sufficiently threatening that I felt
  "nobody should entrust anything of great value to a knapsack system
  unless he had a much deeper theory of their functioning than was
  currently available."  Nor was Merkle's enthusiasm dampened.  He
  promptly raised his bet and offered $1000 to anyone who could break a
  multiple iteration knapsack.

      It took two years, but in the end, Merkle had to pay.  The money
  was finally claimed by Ernie Brickell in the summer of 1984 when he
  announced the destruction of a knapsack system of forty iterations and
  a hundred weights in the cargo vector in about an hour of Cray-1
  time.  That fall I was forced to admit: "knapsacks are flat on their
  back."

    ["The first ten years of public key cryptography", Diffie, W.,
    Proceedings of the IEEE 76:5, 1988, pp 560-577.]

The patent document itself goes out of its way to talk down the
significance of a publication that contained all of the ideas behind
public key cryptography but that failed to provide a working system.
This is because the idea of public key cryptography had already been
published more than one year earlier in the paper "Multi-user
cryptographic techniques" [Diffie and Hellman, AFIPS Proceedings 45,
pp109-112, June 8, 1976] and hence this paper thus constituted prior
art.  The patent document includes the following,

        "...  While suggesting the plausibility of designing such
    systems, Diffie presents neither proof that public key
    cryptosystems exist, nor a demonstration system.

        Diffie suggests three plausibility arguments for the existence
    of public key cryptosystems: ...
    ... lack of practical utility ...
    ... no way shown to design them in such a manner that they would
    require demonstrably infeasible cryptanalytic time.

        ...  However, the authentication procedure relies on the
    existence of a public key cryptosystem which Diffie did not
    provide."

If this patented was granted on the ground that the prior art lacked
practical utility.  Then surely the fact that the trapdoor knapsack
system lacks practical utility challenges the validity of this patent.]

What is claimed is:

1. In a method of communicating securely over an insecure communication
channel of the type which communicates a message from a transmitter to
a receiver, the improvement characterized by:
  providing random numbers at the receiver;
  generating from said random numbers a public enciphering key at the
    receiver;
  generating from said random numbers a secret deciphering key at the
    receiver such that the secret deciphering key is directly related to
    and computationally infeasible to generate from the public enciphering
    key;
  communicating the public enciphering key from the receiver to the
    transmitter;
  processing the message and the public enciphering key at the
    transmitter and generating an enciphered message by an enciphering
    transformation, such that the enciphering transformation is easy to
    effect but computationally infeasible to invert without the secret
    deciphering key;
  transmitting the enciphered message from the transmitter to the
    receiver; and
  processing the enciphered message and the secret deciphering key at
    the receiver to transform the enciphered message with the secret
    deciphering key to generate the message.

[This claim is of a very general nature.  It would appear to cover
almost any public key cryptosystem.]

2. In a method of communicating securely over an insecure communication
channel as in claim 1, further comprising:
  authenticating the receiver's identity to the transmitter by the
    receiver's ability to decipher the enciphered message.

3. In a method of communicating securely over an insecure communication
channel as in claim 2 wherein the step of:
  authenticating the receiver's identity includes the receiver
    transmitting a representation of the message to the transmitter.

4. [Swapping the role of the transmitter and receiver in claim 1 so as
to provide a digital signature capability.]

7. [An additive trapdoor knapsack system.]

9. [A multiplicative trapdoor knapsack system.]

13. In an apparatus for enciphering a message that is to be transmitted
over an insecure communication channel having an input connected to
receive a message to be maintained secret, having another input
connected to receive a public enciphering key, and having an output for
generating the enciphered message, characterized by:
  means for receiving the message and converting the message to a
    vector representation of the message;
  means for receiving the public enciphering key and converting the
    public enciphering key to a vector representation of the public
    enciphering key; and
  means for generating the enciphered message by computing the dot
    product of the vector representation of the message and the vector
    representation of the public enciphering key, having an input
    connected to receive the vector representation of the message,
    having another input connected to receive the vector representation
    of the public enciphering key, and having an output for generating
    the enciphered message.

[This claim covers the use of vector dot product in public key
cryptosystems.]

16. [The decoder of an additive trapdoor knapsack system.]

17. [The decoder of a multiplicative trapdoor knapsack system.]

---------------------------------------------------------------------

U.S. Patent Number: 4405829
Title: Cryptographic Communications System and Method
Inventors: Rivest, Shamir, Adleman
Assignee: Massachusetts Institute of Technology
Filed: December 14, 1977
Granted: September 20, 1983
[Expires: September 19, 2000]

[Deals with the RSA public key cryptosystem.

This patent contains a broad claim relating to communication systems
that evaluate modular polynomials.]

We claim:

1. A cryptographic communications system comprising:
  A. a communications channel,
  B. an encoding means coupled to said channel and adapted for
    transforming a transmit message word signal M to a ciphertext word
    signal C and for transmitting C on said channel,
    where M corresponds to a number representative of a message and

        0 <= M <= n-1

    where n is a composite number of the form

        n = p.q

    where p and q are prime numbers, and
    where C corresponds to a number representative of an enciphered
      form of said message and corresponds to

        C == M^e (mod n)

    where e is a number relatively prime to lcm(p-1, q-1), and
  C. a decoding means coupled to said channel and adapted for receiving
    C from said channel and for transforming C to a receive message
    word signal M'
    where M' corresponds to a number representative of a deciphered
      form of C and corresponds to

        M' == C^d (mod n)

    where d is a multiplicative inverse of e (mod lcm(p-1, q-1)).

[This claim covers an RSA cryptosystem.]

3. [A system that computes an RSA digital signature.]

5. [The system of claim 3 further comprising a system that transmits
and evaluates the signature.]

8. [The encoder of an RSA cryptosystem.]

33. In a communications system,
  an encoding means for transforming a transmit message word signal M
    to a ciphertext word signal C
  where M corresponds to a number representative of a message and

      0 <= M <= n-1

  where n is a composite number, and
  where C corresponds to a number representative of an enciphered form
    of said message and corresponds to

                 e           e-1
      C == a  . M  + a    . M    + ... + a  (mod n)
            e         e-1                 0

  where e and a , a   , ... a  are numbers.
               e   e-1       0

[This claim covers communication systems that compute an enciphered
value as a modular polynomial of the message to be sent.

Note, this claim only covers those cases where the modulus is a
composite number.  See the next patent for the case of the modulus
being a prime number.]

36. [Claim 33 such that the encoding given is but one step of the
complete encoding.]

---------------------------------------------------------------------

U.S. Patent Number: 4424414
Title: Exponentiation Cryptographic Apparatus and Method
Inventors: Hellman, Pohlig
Assignee: Board of Trustees of the Leland Stanford Junior University
Filed: May 1, 1978
Granted: January 3, 1984
[Expires: January 2, 2001]

[Deals with conventional cryptosystems that perform modular
exponentiation.]

What is claimed is:

1. In a method of communicating securely over an insecure communication
channel of the type which communicates a message from a transmitter to
a receiver by enciphering the message with message with a secret
enciphering key at the transmitter, transmitting the enciphered message
from the transmitter to the receiver, and deciphering the enciphered
message with a secret deciphering key at the receiver, the improvement
characterized by:
  generating the secret deciphering key as the multiplicative inverse,
    in modular arithmetic, of the secret enciphering key;
  generating the enciphered message by exponentiating, in modular
    arithmetic, the message with the secret enciphering key;
  deciphering the enciphered message by exponentiating, in modular
    arithmetic, the enciphered message with the secret deciphering key,
    wherein the step of:
  generating the secret deciphering key is performed by generating a
    secret deciphering key D, such that

        D = K^-1 (mod (q-1))

    where 1 <= D <= q-2, q is a prime number, and the secret
    enciphering key K is an independent random number chosen uniformly
    from the set of integers (1, 2, .. q-2) which are relatively prime
    to q-1;
  generating the enciphered message is performed by generating an
    enciphered message C, such that

        C = P^K (mod q)

    where P is the message; and
  deciphering the enciphered message is performed by generating the
    message P, where

        P = C^D (mod q).
