It was: Certicoms ECC patents got them acquired for roughly 7 times what Matasano got. A neater trick would be if you're right, the patents don't exist, and Blackberry was scammed. It go down as one of the greatest cons of that year with Blackberry's shareholders having more to gripe about. I'm just going with Occam's Razor: the ECC patents exist and you're just trolling my latest comment without any evidence to back up your claims. That's been your M.O. so far.
You write this as if the comment I responded to wasn't right there for everyone to read. You said:
NSA has a patent on ECC, expects licenses for commercial use, and has some kind of conditions you must adhere to
My presumption was that you were referring to patents assigned to NSA. NSA had patents relevant to number theoretic crypto. They're long-expired.
Apparently, what you actually meant was:
NSA has licensed a patent now owned by Blackberry.
What this has to do with open source ECC software, you have not made clear. Nobody is talking about using MQV.
It had never occurred to me that I'd sold a company that came within a factor of 7 of the value of Certicom's ECC patents. I did better than I thought I did! Woohoo!
RSA is significantly less safe than ECC alternatives. The situation is not as clear with DH, but it is if you just use Curve25519; Curve25519 is much safer than multiplicative group DH.
That's a semi-clarification. You brought up foundational patents and NSA patents in a dismissal form. You didn't acknowledge any patent risk on ECC, the gist of my comment, at all. Anyone reading your comment would think there was no patent risk much like the other commenters. Might have not been your intention.
Far as open source, the BSD licenses are used in part to encourage proprietary adoption of superior technology for everyone's benefit. Well, OpenBSD team might have their own reasons as they often do for a lot of things. Any company using BSD code in a commercial product (many do) is fine unless it's covered by patents. It's why Apache license mentions patents specifically. If this ECC was covered by ECC patents, then this could add risk to such a company over other technologies unless they licensed the patents from Blackberry. A specific example would be Genua, a German defense contractor that builds security appliances on OpenBSD.
And congratulations for beating your own expectations on the sale. One of a rare few. ;)
You keep using the words "ECC patents" as if they meant something. If you used the term "computer patents", your comments would be semantically identical.
Key agreement based on the elliptic curve discrete log problem isn't patented.
Straightforward, efficient point multiplication for elliptic curves --- the foundation of the ECDLP --- is not patented.
The the DLP-based DSA algorithm, which was invented at NSA, is not patented. Every browser uses it.
The elliptic curve variant of DSA, ECDSA, is not patented.
Fast floating point math mod 2^255-19: not patented. First published by a rabidly anti-patent researcher.
Elliptic curve point compression --- sending just the x, not the y --- was patented. Most researchers believe the patent was invalid; lots of very popular software ignored it. The patent has since expired.
Edwards curves? Bernstein claims to have invented Edwards curve cryptography, after being in the room when Harold Edwards published them.
Using elliptic curves in random number generators as a key escrow system? Certicom does appear to have a valid patent on that. So maybe that will cramp your style a bit.
I could keep going, breaking down binary extension fields, 3-party DH, ratchets, specific multiplication ladders, but that would defeat my point, which is that the most important, most mainstream, most typical uses of ECC --- the only things anyone should be doing with them --- are all unencumbered. That you can generate a first-principles binary extension field curve without tripping over a patent hardly matters. But it's also true.
