Niels Möller wrote:
I recently posted a draft to add support for the use of elliptic curve
cryptography in the form of Elliptic Curve Diffie-Hellman (ECDH) key
agreement to the exchange portion of the SSH Transport Layer protocol.
What's the current patent status on that area? Is it possible to
implement any cryptography on elliptic curves without getting a patent
license from the patent holders (certicom? Others?).
Yes, it is possible and it can be easily done.
ECC as an algorithm was introduced in 1985 by Neal Koblitz and Victor
Miller with no patents over the algorithm. Certicom does not hold an
umbrella patent right over the algorithm. It only holds patents on some
peripheral implementation or optimization techniques.
RSA has a FAQ about patents related to elliptic curve cryptography at
http://www.rsasecurity.com/rsalabs/faq/6-3-4.html. Highlights include:
"Elliptic curve cryptosystems, as introduced in 1985 by Neal Koblitz
and Victor Miller, have no general patents, though some newer elliptic
curve algorithms and certain efficient implementation techniques may
be covered by patents. ..."
and
"... In all of these cases, it is the implementation technique that is
patented, not the prime or representation, and there are alternative,
compatible implementation techniques that are not covered by the
patents."
Elliptic curve crypto can be implemented using basic school book
techniques which have no patent infringement concern. Simple standard
techniques such as "window table lookup", "projective coordinate space",
and "non-adjacent form wNAF" can be used for performance optimization
with no patent concern. These techniques are school book techniques
commonly used for RSA optimization and other multi-precision integer
arithmetic computation.