John Kelsey (kelsey@plnet.net)
Mon, 20 Jul 1998 23:05:12 -0500
-----BEGIN PGP SIGNED MESSAGE-----
[ To: CodherPlunks ## Date: 07/20/98 ##
Subject: RC5/6 patents ]
>From: Bob Baldwin <baldwin@rsa.com>
>To: CodherPlunks@toad.com
>Subject: RC5/6 patents
>Date: Mon, 20 Jul 1998 11:04:36 -0700
>One of the ground rules for AES is that the winner will not
>enforce patent rights against implementations of AES that
>conform to the FIPS standards that will be published for the
>winner. This does not mean that the patent rights go away.
>For example, if RC6 becomes the AES, then RC5 does not
>become unencumbered by patents. Similarly, if the RC6 cipher
>is used in modes that are not covered by the FIPS, then
>implementations of those modes could be subject to patent
>enforcement. For example, if the modes do not cover
>building a digest function out of AES, then the winner will
>does not need to give up rights to AES as the basis for a
>digest function.

This raises a whole set of issues that I think should be
officially addressed by RSADSI and all the other AES
contestants. I would much rather have an AES that is a
little slower on a Pentium Pro, or a little more painful to
implement on an 8-bit architecture, but that I know I can
actually use however I would like. That means that I can
use it in counter mode (not a FIPS standard), or use it to
build a variable-length block cipher using many rounds of
CBC-encryption over a circular buffer, or use it to
construct a "good enough" one-way hash function for when I
only need one-wayness, and I can't include a SHA1 engine.

In a later comment, you said it was your understanding that
these additional patent rights won't be enforced. However,
I think it's important to raise them now, and get them
answered in public before an AES candidate is selected as
the new standard. It would be dishonest to get a cipher
accepted as a standard on the assumption that it would be
freely available to use, and then announce that it was
freely available only for the four basic modes, only when
used for encryption, etc.

This isn't meant as RSADSI bashing. I think it's important
for all the contestants to make it clear they don't intend
to do anything like this. Or to make it clear that they
will do this, so that the new AES is chosen with this
position in mind.

Disclaimer: I am one of the designers of Twofish (another
AES submission), so I'm not impartial in all this, though I
don't expect that requiring submitters to waive all patent
rights to the algorithm, rather than just some of them, will
knock anyone out of the race. Indeed, I thought that was
what we'd done.

> --Bob Baldwin Technical Director, RSA Data Security
- --John Kelsey, kelsey@counterpane.com / kelsey@plnet.net
NEW PGP print = 5D91 6F57 2646 83F9 6D7F 9C87 886D 88AF
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNbQTmiZv+/Ry/LrBAQEKbgP/SXJjpTgozP2rhQ5+c+iao8E7SueWftAG
8ZehoWmB8dRpAt9Ppr6gocc0pM8GSihDv5RBXB9Qlln2TYhrtUzwBbAXPqjBjTit
BpODfza+qnKfukY5cbWDHduZete12NhutODOtyZPcbpIAGBde5K9iND3qSIxbZVI
NE3VhvhSKTw=
=4WWv
-----END PGP SIGNATURE-----
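As an added illustration (not part of the message above, and not code from RSADSI, the Twofish team or any AES submission), the Python below shows two of the block-cipher uses Kelsey lists: counter mode, and a one-way hash built from a block cipher (the Davies-Meyer construction with Merkle-Damgard padding). Both are written against a generic block-encrypt function so that they would work unchanged over RC6, Twofish or any other 64-bit block cipher; the cipher actually used here is a constructed toy Feistel network so the code runs offline, and it has no security of its own. The function names (`toy_block_encrypt`, `ctr_crypt`, `dm_hash`) and all sample inputs are the example's own. The point worth noticing is that neither construction ever calls the cipher's decrypt direction, which is why "modes beyond the four basic ones" matter to an implementer.

```python
import hashlib
import struct

BLOCK = 8  # toy cipher block size in bytes (64-bit blocks)


def _round_fn(half: int, subkey: bytes) -> int:
    # Feistel round function built from SHA-1; constructed for illustration,
    # not a real cipher component.
    digest = hashlib.sha1(subkey + half.to_bytes(4, "big")).digest()
    return int.from_bytes(digest[:4], "big")


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher: an 8-round Feistel network keyed by `key`.

    Only the forward direction is defined, because neither counter mode nor
    the Davies-Meyer hash below ever needs to decrypt a block.
    """
    if len(block) != BLOCK:
        raise ValueError("block must be exactly %d bytes" % BLOCK)
    left, right = struct.unpack(">II", block)
    for rnd in range(8):
        # Standard Feistel step: L' = R, R' = L xor F(R, K_rnd)
        left, right = right, left ^ _round_fn(right, key + bytes([rnd]))
    return struct.pack(">II", left, right)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: keystream block i = E_K(nonce || i), XORed into the data.

    The same call encrypts and decrypts, handles any length without padding,
    and uses only E_K (never D_K). A (key, nonce) pair must never be reused:
    two messages under the same keystream reveal the XOR of their plaintexts.
    """
    if len(nonce) != 4:
        raise ValueError("nonce must be 4 bytes; the other 4 are the counter")
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter_block = nonce + struct.pack(">I", offset // BLOCK)
        keystream = toy_block_encrypt(key, counter_block)
        chunk = data[offset:offset + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
    return bytes(out)


def dm_hash(message: bytes) -> bytes:
    """One-way function from a block cipher (Davies-Meyer):
    H_i = E_{M_i}(H_{i-1}) xor H_{i-1}, with H_0 = 0.

    Each message block is used as the cipher *key*, so the hash needs no
    secret key, only the encrypt direction. Padding is 0x80, zeros, then the
    64-bit bit-length (Merkle-Damgard strengthening) so that messages of
    different lengths cannot collide trivially.
    """
    padded = message + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    padded += struct.pack(">Q", len(message) * 8)
    h = bytes(BLOCK)  # H_0 = all zeros
    for offset in range(0, len(padded), BLOCK):
        m_i = padded[offset:offset + BLOCK]
        e = toy_block_encrypt(m_i, h)
        h = bytes(a ^ b for a, b in zip(e, h))
    return h


if __name__ == "__main__":
    # Constructed sample inputs.
    key, nonce = b"constructed-key", b"\x00\x00\x00\x01"
    msg = b"counter mode is not one of the four basic modes"
    ct = ctr_crypt(key, nonce, msg)
    assert ctr_crypt(key, nonce, ct) == msg
    print("ctr round-trip ok; dm_hash =", dm_hash(msg).hex())
```

The 64-bit output of `dm_hash` is only as good as the block width allows (a 2^32-work birthday collision), which is the sense in which Kelsey calls such a hash "good enough" for one-wayness alone; with a 128-bit AES block the same construction gives a 128-bit digest.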
The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:20:43 ADT