Re: Elliptic Curve Cryptography in SSH

[Nils Larsch <larsch%trustcenter.de@localhost>]

Damien Miller wrote:
....
> > I don't think that patents are a problem (for ECDSA and ECDH) if only
> > curves over GF(p), p prime, are used (see for example:
> > http://grouper.ieee.org/groups/1363/P1363/patents.html). Using
> > curves over GF(2**m) without some features (point compression,
> > onb basis etc.) should be possible as well.
>
>
> I was under the (possibly mistaken) impression that avoiding these 
> patents eliminated many of the benefits of EC. (Not to mention that 
> avoiding patents is a difficult and potentially expensive game.)

As far as I know is this not true if only curve ober GF(p), p prime,
are used. Curves over GF(2^m) are another story as for example the
point compression as defined in X9.62 is afaik patented (or the
use normal bases).

> > Note: Implementing ECDSA and ECDH in OpenSSH shouldn't very difficult
> > as soon as OpenSSL 0.9.8 is released as OpenSSL 0.9.8 will support
> > ecdsa and ecdh.
>
>
> The license that the EC stuff in OpenSSL is released under contains some 
> terms that we won't accept. In particular, the patent license:

Well, the basic GF(p) ec stuff and the ecdsa code were mostly written
by Bodo Moeller and me and are therefore under the standard OpenSSL
license. Sun wrote the ECDH code, but put it under the standard OpenSSL
license.

> http://research.sun.com/projects/crypto/FrequenlyAskedQuestions.html

Greping trough the OpenSSL source code I could only find one file
with the "covenant" license and that's crypto/bn/bn_gf2m.c =>
not using GF(2^m) should avoid this license.

Nils