AES and Patent Rights

A Ciphers By Ritter Page

Terry Ritter

A major discussion about the Advanced Encryption Standard and individual patent rights.

First: Crypto manufacturers have found a way to get society to pay twice for a new cipher: first for the research and development, and then again for the software to run it. Is this country great or what?

Then: Is a web page considered "publication"?



Subject: AES and patent rights
Date: Sat, 26 Sep 1998 15:41:03 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: 360d0782.2157160@news.visi.com
References: 360a964c.9610170@news.io.com jgfunj-2409981205490001@dialup60.itexas.net
Newsgroups: sci.crypt
Lines: 82

On Thu, 24 Sep 1998 18:58:28 GMT, ritter@io.com (Terry Ritter) wrote:

I continue to believe that the AES requirement for submitters to give up their property rights by their submission was un-American, unconstitutional, and also inappropriate at the first stage of a technical comparison process.

I would tend to agree with you more if NIST received no submissions, and nothing but protests. But fifteen groups, including the most aggressive crypto patent company (RSADSI), submitted algorithms. We're all happy to give away our patent rights if we are chosen as the standard.

Why should NIST consider options that cost when there are many--and some very good ones--that don't cost? That just seems smart business sense to me.

In everything I've read about the Dept of Justice's case against Microsoft, they never claim that it is unconstitutional (or even un-American) for them to give away their browser. Their case hinges on whether they used their Windows monopoly to manipulate the browser market. Unless you can show a similar environment, I don't think you have much of a case.

However, if you can break or otherwise show that the fifteen free candidates are not good AES choices, NIST will have no option but to look at patented ideas.

I have serious alternate ciphering approaches, but I also own those approaches, and I am not going to simply make them "free, worldwide" until people "worldwide" start funding the research that brought these things forth. If the government wants my stuff to be "free," they can first pay my salary, equipment, and an investment profit for a decade of work.

Indeed. This is your choice, and you are free to make it.

The result of this AES requirement is that those who have not invested significantly in such research (or who can afford to give it away), have been granted an advantage by the government over those who have invested in such research. This is the wrong message to send.

I disagree. I believe that RSADSI, IBM, and NTT have invested significant resources in their submissions. (I choose these three because their submissions reflect those resources.) I personally have invested over 1000 hours of Counterpane Systems time, time that we did not spend doing billable work, on Twofish.

We all believe two things. One, that the collateral knowledge gained by donating those resources is worth something. And two, that the PR benefit of being chosen as AES is worth something. I don't believe that it was un-American, unconstitutional, or inappropriate for AT&T to give away their rights to the transistor, or to do research on background radiation in the universe. I don't believe that it is un-American, unconstitutional, or inappropriate for automobile companies to sponsor race cars, either.

Note that this isn't about making things free for users: It is not like NIST will demand that software which uses AES will be "free worldwide." NIST doesn't want software companies to lose any money on their productive efforts. But NIST (or NSA) apparently does want cipher designers to lose money on their efforts. This is wrong, and may be about as close to a government conspiracy to restrict commerce as one might want to see.

It's not NIST. The cipher designers agreed to the rules. Again, if no one submitted a free candidate, then you would have a case. There are fifteen submitters who don't feel that the "problem" of losing money for their efforts is a significant one.

It is unfortunate that Bruce Schneier was a prime factor in getting the original rules changed so that only free designs would even be considered for AES.

Was I? Wow. I thought that was NIST's idea. Whatever, it seems like the idea was a good one. As I said before, we have fifteen submissions, some of them very good.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights
Date: Sat, 26 Sep 1998 18:22:16 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 360d30d2.9039808@news.io.com
References: 360d0782.2157160@news.visi.com
Newsgroups: sci.crypt
Lines: 212

On Sat, 26 Sep 1998 15:41:03 GMT, in 360d0782.2157160@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

On Thu, 24 Sep 1998 18:58:28 GMT, ritter@io.com (Terry Ritter) wrote:

I continue to believe that the AES requirement for submitters to give up their property rights by their submission was un-American, unconstitutional, and also inappropriate at the first stage of a technical comparison process.

I would tend to agree with you more if NIST received no submissions, and nothing but protests. But fifteen groups, including the most aggressive crypto patent company (RSADSI), submitted algorithms. We're all happy to give away our patent rights if we are chosen as the standard.

But while you can give your own patent rights away, you cannot give away those rights which someone else may have established. So if someone else has established rights to what you have done, the cipher will be just as encumbered as it might have been from you.

This means that the rule cannot make a cipher "free worldwide." What it does is prohibit competition from those who have actually invested in research and developed new technology, and who cannot effectively benefit in other ways.

DES, for example, was free for use, but not worldwide. And even those rights were intensely negotiated right up to the date of publication of the standard. Note that there were many ways for the leading computer company at the time to benefit without direct payment, from guaranteed government contracts to reduced export hassles. We do not know what was negotiated or hinted with a wink and a nod. But we do know that negotiations were long and arduous. At the time, IBM took those rights very seriously.

Why should NIST consider options that cost when there are many--and some very good ones--that don't cost? That just seems smart business sense to me.

First, NIST is not a business. It is an arm of my government as well as it is yours. Somehow it just happens to respect your rights more than it does mine. Somehow it just happens that the rules -- that you publicly suggested and promoted before they were adopted -- favor you. Odd.

In everything I've read about the Dept of Justice's case against Microsoft, they never claim that it is unconstitutional (or even un-American) for them to give away their browser. Their case hinges on whether they used their Windows monopoly to manipulate the browser market. Unless you can show a similar environment, I don't think you have much of a case.

While I am not overly eager to spend years of my life rectifying yet another legal disaster, this is exactly the sort of goading that might push me to do just that.

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions. There is also "taking without compensation."

But I have often wondered why Microsoft does not open a new front with Justice by supporting a challenge to AES. This would put them on the side of the little guy, thus giving them some good press, but more importantly could establish a precedent which could be vitally important to their business: If AES goes through as planned, the next government thing might be the definition of a "standard" operating system, and only those willing to give up their rights need apply. A US standard operating system available "free worldwide" could bring down Microsoft far faster than any decades-long antitrust action.

However, if you can break or otherwise show that the fifteen free candidates are not good AES choices, NIST will have no option but to look at patented ideas.

Once again, there is really no way to know what is patented in these submissions. All we know is that the submitters will give up their rights. But that does not mean that someone else does not have rights in those very same submissions.

If I were in the position where somebody had proposed a system using my owned technology, I would shut up and wait and hope to be chosen.

I have serious alternate ciphering approaches, but I also own those approaches, and I am not going to simply make them "free, worldwide" until people "worldwide" start funding the research that brought these things forth. If the government wants my stuff to be "free," they can first pay my salary, equipment, and an investment profit for a decade of work.

Indeed. This is your choice, and you are free to make it.

Thank you so much.

The result of this AES requirement is that those who have not invested significantly in such research (or who can afford to give it away), have been granted an advantage by the government over those who have invested in such research. This is the wrong message to send.

I disagree. I believe that RSADSI, IBM, and NTT have invested significant resources in their submissions. (I choose these three because their submissions reflect those resources.) I personally have invested over 1000 hours of Counterpane Systems time, time that we did not spend doing billable work, on Twofish.

Frankly, 1000 hours is really small change compared to the long-term development of new ciphering technology. You do use Feistel ciphering, of course, as does most everybody else. But you did not develop it.

There are various ways large companies can benefit, both from the competition and possible selection. The fact that they lose something on the design process does not mean that they will not make it up. But I suspect even they were not overjoyed at the idea of simply giving away their technology because it was good. Maybe that is why we see so many submissions based on old Feistel technology.

We all believe two things. One, that the collateral knowledge gained by donating those resources is worth something. And two, that the PR benefit of being chosen as AES is worth something. I don't believe that it was un-American, unconstitutional, or inappropriate for AT&T to give away their rights to the transistor,

This seems to be an odd comparison, since Bell Labs licensed those rights to Sony, which is why we had a period in the 50's and 60's when everybody had a Japanese portable transistor AM radio. And Bell Labs was not a government department.

or to do research on background radiation in the universe. I don't believe that it is un-American, unconstitutional, or inappropriate for automobile companies to sponsor race cars, either.

Really? You would force everyone who entered a car in the race to sign over their rights to their design -- including any new innovations -- if they won?

That sounds like a very strange race to me.

Race drivers and their organizations have to make real money, and they depend upon the innovations in their cars. I doubt they would give up their rights -- unless of course they simply have no rights, and so take the opportunity to exclude their competition.

Somebody might even have the balls to take something like that to court. Especially if the race was government-sponsored.

Note that this isn't about making things free for users: It is not like NIST will demand that software which uses AES will be "free worldwide." NIST doesn't want software companies to lose any money on their productive efforts. But NIST (or NSA) apparently does want cipher designers to lose money on their efforts. This is wrong, and may be about as close to a government conspiracy to restrict commerce as one might want to see.

It's not NIST. The cipher designers agreed to the rules. Again, if no one submitted a free candidate, then you would have a case.

I have a case anyway.

There are fifteen submitters who don't feel that the "problem" of losing money for their efforts is a significant one.

There are various other reasons for someone to participate; the fact that someone participates does not imply that ownership is not a significant issue.

It is unfortunate that Bruce Schneier was a prime factor in getting the original rules changed so that only free designs would even be considered for AES.

Was I? Wow. I thought that was NIST's idea.

Oh, please. Are we to believe you have forgotten your letter to NIST after the first conference? Shall we re-post it?

As I see it, and since you had no new technology of your own to enter, it was in your business interest to prevent everyone who had such technology from competing with you. Good business, presumably, but poor competition, and very bad science.

Whatever, it seems like the idea was a good one. As I said before, we have fifteen submissions, some of them very good.

The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

More than that, these rules act to restrict the long term development of crypto technology by not allowing fundamentally-new technology to compete, and by not rewarding the crypto design process itself. These rules are tools to minimize the open development of cryptographic technology, and every entrant who participates is another government argument that this is a good thing.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights
Date: Sat, 26 Sep 1998 21:37:43 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: 360d5983.3024744@news.visi.com
References: 360d30d2.9039808@news.io.com
Newsgroups: sci.crypt
Lines: 228

I generally hate Usenet arguments. I will respond to this, and you are welcome to as many last words as you like. If there is something very new, interesting, or comment-worthy, I will respond. But I see no reason to continue volleying back and forth.

Bruce

On Sat, 26 Sep 1998 18:22:16 GMT, ritter@io.com (Terry Ritter) wrote:

On Sat, 26 Sep 1998 15:41:03 GMT, in 360d0782.2157160@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

On Thu, 24 Sep 1998 18:58:28 GMT, ritter@io.com (Terry Ritter) wrote:

I continue to believe that the AES requirement for submitters to give up their property rights by their submission was un-American, unconstitutional, and also inappropriate at the first stage of a technical comparison process.

I would tend to agree with you more if NIST received no submissions, and nothing but protests. But fifteen groups, including the most aggressive crypto patent company (RSADSI), submitted algorithms. We're all happy to give away our patent rights if we are chosen as the standard.

But while you can give your own patent rights away, you cannot give away those rights which someone else may have established. So if someone else has established rights to what you have done, the cipher will be just as encumbered as it might have been from you.

This means that the rule cannot make a cipher "free worldwide." What it does is prohibit competition from those who have actually invested in research and developed new technology, and who cannot effectively benefit in other ways.

Indeed. This is true, and worrisome. It is possible that one (or more) of the AES submissions infringes on some patent (or some pending patent) held by some third party, and that third party will not say anything until it is too late. This has happened in other computer standards committees, and the results are generally disastrous. All we can do is to hope for the best.

But yes, I do think about this and I am concerned.

DES, for example, was free for use, but not worldwide. And even those rights were intensely negotiated right up to the date of publication of the standard. Note that there were many ways for the leading computer company at the time to benefit without direct payment, from guaranteed government contracts to reduced export hassles. We do not know what was negotiated or hinted with a wink and a nod. But we do know that negotiations were long and arduous. At the time, IBM took those rights very seriously.

From what I have researched, IBM has never sued or even threatened anyone for using DES. If you have other evidence, I very much want to hear it.

Why should NIST consider options that cost when there are many--and some very good ones--that don't cost? That just seems smart business sense to me.

First, NIST is not a business. It is an arm of my government as well as it is yours. Somehow it just happens to respect your rights more than it does mine. Somehow it just happens that the rules -- that you publicly suggested and promoted before they were adopted -- favor you. Odd.

Probably a government conspiracy, that's what I think.

Although more likely the government didn't want to force users of AES to pay royalties, when there was the very strong possibility that free alternatives might be out there. So NIST took a risk in only asking for unencumbered submissions, but it looks like their risk paid off. You and I and everyone else who builds encryption systems using AES will benefit.

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions. There is also "taking without compensation."

NIST is not taking anything without compensation. Everything is being given freely. You are not being compelled to submit and to give up your rights.

However, if you can break or otherwise show that the fifteen free candidates are not good AES choices, NIST will have no option but to look at patented ideas.

Once again, there is really no way to know what is patented in these submissions. All we know is that the submitters will give up their rights. But that does not mean that someone else does not have rights in those very same submissions.

If I were in the position where somebody had proposed a system using my owned technology, I would shut up and wait and hope to be chosen.

I know. You and many others. All we can do is hope. There is some caselaw on the subject. NIST will make a public call to all third parties to state any potential patent claims regarding the submissions. If someone chooses not to, NIST could argue in court that the patentholder deliberately withheld information in an attempt to hide his rights until after AES was awarded. Will this do any good? No one knows.

The result of this AES requirement is that those who have not invested significantly in such research (or who can afford to give it away), have been granted an advantage by the government over those who have invested in such research. This is the wrong message to send.

I disagree. I believe that RSADSI, IBM, and NTT have invested significant resources in their submissions. (I choose these three because their submissions reflect those resources.) I personally have invested over 1000 hours of Counterpane Systems time, time that we did not spend doing billable work, on Twofish.

Frankly, 1000 hours is really small change compared to the long-term development of new ciphering technology. You do use Feistel ciphering, of course, as does most everybody else. But you did not develop it.

Of course, every cryptography algorithm builds on the work of others. I was only talking about direct Twofish development. We used Feistel networks (invented by Feistel), key-dependent S-boxes (I first saw this in Khufu by Ralph Merkle), S-boxes built out of a combination of fixed S-boxes and a linear operation (basically, a rotor machine), MDS matrices (used in Square, researched by Serge Vaudenay, and etc), pseudo-Hadamard transforms (invented by Jim Massey), the idea of mixing operations from different groups (researched by Xuejia Lai, and then by lots of other people), and analytic techniques for differential, linear, higher-order differential, interpolation, related-key, and other cryptanalyses (invented and extended by Eli Biham, Adi Shamir, Lars Knudsen, Vincent Rijmen, us, Carlo Harpes, Thomas Jakobsen, Mitsuru Matsui, Shiho Moriai, and countless others).

Let it never be said that we did our work in a vacuum.

There are various ways large companies can benefit, both from the competition and possible selection. The fact that they lose something on the design process does not mean that they will not make it up. But I suspect even they were not overjoyed at the idea of simply giving away their technology because it was good.

I suspect you are wrong, but that may be a false impression that I got from having conversations on this topic with them.

Maybe that is why we see so many submissions based on old Feistel technology.

No, the reason is because it is a good technology. Decoupling the design of the F-function from the encryption/decryption structure is nice, as is not having to worry about things working in the reverse direction. What is interesting to me is that we saw some of the newer variations of the Feistel network: target-heavy unbalanced Feistel networks in MARS, and incomplete Feistel networks in CAST-256. Even the E2 work shows that there are still things to learn about the Feistel structure.

There are fifteen submitters who don't feel that the "problem" of losing money for their efforts is a significant one.

There are various other reasons for someone to participate; the fact that someone participates does not imply that ownership is not a significant issue.

Again, you may be right. All I have done is talk with the people involved.

It is unfortunate that Bruce Schneier was a prime factor in getting the original rules changed so that only free designs would even be considered for AES.

Was I? Wow. I thought that was NIST's idea.

Oh, please. Are we to believe you have forgotten your letter to NIST after the first conference? Shall we re-post it?

I believe you are confusing my endorsement of an idea with my origination of an idea. I find it hard to believe that I imposed my desire for a free standard onto a reluctant NIST. If so, good for me. But I remember NIST wanting to ensure that AES was unencumbered by patents. Of course I agree with that position, and of course I said so in my letter to NIST. Thanks for the compliment, all the same.

As I see it, and since you had no new technology of your own to enter, it was in your business interest to prevent everyone who had such technology from competing with you. Good business, presumably, but poor competition, and very bad science.

On the contrary, I am seeing some excellent science. But as I said before, you are welcome to break the submissions and show all of us wrong. In all honesty, if you can do that people will be willing to pay for the patented technology that your techniques cannot break.

(I'll also pay for a strong block cipher that encrypts data (ECB mode) in less than 2 clock cycles per byte. I don't know how to do that.)

Whatever, it seems like the idea was a good one. As I said before, we have fifteen submissions, some of them very good.

The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

Unconstitutional!? Neat. Which part of the constitution do you see being trampled on in this competition?

More than that, these rules act to restrict the long term development of crypto technology by not allowing fundamentally-new technology to compete, and by not rewarding the crypto design process itself. These rules are tools to minimize the open development of cryptographic technology, and every entrant who participates is another government argument that this is a good thing.

As a crypto designer, I have found the whole process more rewarding than almost anything else I have done. I expect those rewards to continue, even if Twofish does not get chosen.

And honestly, in a standard I would rather see a conservative design than fundamentally new technology. If you have the latter, start writing papers and getting your ideas into the literature. Time needs to test things; this is cryptography, after all.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
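
The point made in the message above about Feistel networks (the F-function is designed separately from the encryption/decryption structure and never has to run in reverse), as an added example that is not part of the original thread: a toy balanced Feistel network in Python that takes the round function as a parameter. The key schedule, both round functions, the sample key and block, and all names are assumptions made for this illustration.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def subkeys_from(key, rounds=16):
    """Toy key schedule (assumption for this example): one hash per round."""
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(rounds)]


def f_hash(half, subkey):
    """Round function built from a truncated hash: one-way, cannot be inverted."""
    digest = hashlib.sha256(subkey + struct.pack(">I", half)).digest()
    return struct.unpack(">I", digest[:4])[0]


def f_lossy(half, subkey):
    """Round function that discards the low 16 input bits: many-to-one."""
    k = struct.unpack(">I", subkey[:4])[0]
    return (((half >> 16) * 0x9E3779B1) ^ k) & MASK32


def _rounds(left, right, subkeys, f):
    # One Feistel round: the right half passes through unchanged and the
    # left half is XORed with F(right). F is only ever evaluated forward.
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return left, right


def feistel_encrypt(block, subkeys, f):
    """Encrypt one 8-byte block with round function f."""
    left, right = struct.unpack(">II", block)
    left, right = _rounds(left, right, subkeys, f)
    # Emit the halves swapped so decryption can reuse the same round loop.
    return struct.pack(">II", right, left)


def feistel_decrypt(block, subkeys, f):
    """Decrypt: identical structure, subkeys applied in reverse order."""
    left, right = struct.unpack(">II", block)
    left, right = _rounds(left, right, list(reversed(subkeys)), f)
    return struct.pack(">II", right, left)


def demo():
    """Round-trip a constructed block under both non-invertible round functions."""
    subkeys = subkeys_from(b"constructed demo key")   # constructed sample key
    plaintext = b"AESblock"                           # constructed 8-byte block
    results = {}
    for name, f in (("f_hash", f_hash), ("f_lossy", f_lossy)):
        ciphertext = feistel_encrypt(plaintext, subkeys, f)
        results[name] = feistel_decrypt(ciphertext, subkeys, f) == plaintext
    # f_lossy maps distinct inputs to the same output, so it has no inverse,
    # yet the network built on it still decrypts.
    results["f_lossy_collides"] = (
        f_lossy(0x12340000, subkeys[0]) == f_lossy(0x1234FFFF, subkeys[0])
    )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(check, ok)
```

Swapping in a different round function changes the cipher's strength but not its invertibility, which is why the structure and F can be analysed separately.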


Subject: Re: AES and patent rights
Date: Sun, 27 Sep 1998 07:45:15 GMT
From: "Douglas A. Gwyn" DAGwyn@null.net
Message-ID: 360DECE4.33B6870C@null.net
References: 360d5983.3024744@news.visi.com
Newsgroups: sci.crypt
Lines: 32

Bruce Schneier wrote:

Probably a government conspiracy, that's what I think.

Absolutely! Everything anybody doesn't like must be due to some evil government conspiracy. Could there possibly be any other explanation?

On the contrary, I am seeing some excellent science. But as I said before, you are welcome to break the submissions and show all of us wrong. In all honesty, if you can do that people will be willing to pay for the patented technology that your techniques cannot break. (I'll also pay for a strong block cipher that encrypts data (ECB mode) in less than 2 clock cycles per byte. I don't know how to do that.)

The way I would put this is, if people can obtain free technology that provides adequate security and meets their other requirements, then of course there is not much incentive to develop competing security technology, except as an intellectual pastime. But that's not a conspiracy, it's simple economics.

Unconstitutional!? Neat. Which part of the constitution do you see being trampled on in this competition?

You're right; the US constitution (unfortunately) does not prohibit government intervention in the marketplace. That's how we migrated from an essentially laissez-faire capitalist society into a mixed economy.

If freedom of speech, or the right to bear arms, or due process, etc. were involved, then there would be a constitutional issue, but so far as I can see there is no significant problem along those lines involving AES.


Subject: Re: AES and patent rights
Date: Sun, 27 Sep 1998 22:34:37 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: 360ebd79.18691713@news.io.com
References: 360d5983.3024744@news.visi.com
Newsgroups: sci.crypt
Lines: 232

On Sat, 26 Sep 1998 21:37:43 GMT, in 360d5983.3024744@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) seemed to respond, yet failed to address his own analogy:

[...] I don't believe that it is un-American, unconstitutional, or inappropriate for automobile companies to sponsor race cars, either.

Really? You would force everyone who entered a car in the race to sign over their rights to their design -- including any new innovations -- if they won?

That sounds like a very strange race to me.

Race drivers and their organizations have to make real money, and they depend upon the innovations in their cars. I doubt they would give up their rights -- unless of course they simply have no rights, and so take the opportunity to exclude their competition.

Somebody might even have the balls to take something like that to court. Especially if the race was government-sponsored.

[...] From what I have researched, IBM has never sued or even threatened anyone for using DES. If you have other evidence, I very much want to hear it.

Please try to follow along: DES was a US standard. It was free for use in the US. Presumably IBM got something for that. Lawsuits and threatening have nothing to do with it.

[...] Although more likely the government didn't want to force users of AES to pay royalties, when there was the very strong possibility that free alternatives might be out there. So NIST took a risk in only asking for unencumbered submissions, but it looks like their risk paid off. You and I and everyone else who builds encryption systems using AES will benefit.

A standard cipher should be an advantage for bankers who want the liability protection of "due diligence."

But companies and individuals can make their own decisions about what cipher to use, based on the opinions of experts they trust, or just random chance. Freedom is like that.

On the other hand, a government interface standard which could handle (virtually) any cipher of any sort as dynamically selected, would be useful.

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions. There is also "taking without compensation."

NIST is not taking anything without compensation. Everything is being given freely. You are not being compelled to submit and to give up your rights.

Indeed, I did not submit.

But you get to participate in a government-funded process which took nothing from you, but would take property from me.

This is a little more than "not being compelled to submit."

[...] If I were in the position where somebody had proposed a system using my owned technology, I would shut up and wait and hope to be chosen.

I know. You and many others.

Life in the property lane: You don't own the land you travel over unless you got there first and registered your claim. Deal with it.

All we can do is hope.

Exactly how I feel! The whole process could be quite amusing.

It's something like a small herd of nearsighted bumbling sheep with their own blind shepherd.

There is some caselaw on the subject. NIST will make a public call to all third parties to state any potential patent claims regarding the submissions. If someone chooses not to, NIST could argue in court that the patentholder deliberately withheld information in an attempt to hide his rights until after AES was awarded. Will this do any good? No one knows.

As far as I know, there is no responsibility in patents to take offensive action at any particular time or to respond to governmental calls for clarification. Perhaps you are thinking of copyright.

[...]

It is unfortunate that Bruce Schneier was a prime factor in getting the original rules changed so that only free designs would even be considered for AES.

Was I? Wow. I thought that was NIST's idea.

Oh, please. Are we to believe you have forgotten your letter to NIST after the first conference? Shall we re-post it?

I believe you are confusing my endorsement of an idea with my origination of an idea.

I'm surprised you aren't crying "I don't remember, I can't recall." Of course that would do no good, since all this is in the public record, but at least it would be more amusing than you blaming me for your words.

The NIST position coming out of the first conference was that "patented algorithms" (sic) would be accepted, but there would be a bias against them. You then argued in a letter -- which you made public -- that patented algorithms should not be accepted at all. And that became the rule. And of course it was just a coincidence that this also stripped off some of your competition.

Are you in charge of NIST? No. Do you bear ultimate responsibility? No. Would you be the target of a lawsuit? Probably not. Was your letter a major factor in the internal debate? My guess is yes. So, are you the proximate cause of the rules change? Probably so.

I find it hard to believe that I imposed my desire for a free standard onto a reluctant NIST.

Everybody has limited resources, so we all want everything free. Many of us are marketplace infants or defeated warriors who would prefer to suck at the government teat. Unfortunately, there are social consequences to free things, and those consequences lead to less funding for cipher design and technology. I see this as a bad trade for society. In the end, it is better to actually pay the worth of production, rather than to "depend upon the kindness of strangers."

If so, good for me. But I remember NIST wanting to ensure that AES was unencumbered by patents. Of course I agree with that position, and of course I said so in my letter to NIST. Thanks for the compliment, all the same.

[...] (I'll also pay for a strong block cipher that encrypts data (ECB mode) in less than 2 clock cycles per byte. I don't know how to do that.)

And once you know, would you still pay?

Certainly my stuff can do 1 cycle PER BLOCK with enough hardware, but I don't think that's unique. I suppose it might be unique that those blocks can be 64 BYTES WIDE, and so avoid CBC chaining, which means faster ciphering overall, beyond per-block measures.

[...] The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

Unconstitutional!? Neat. Which part of the constitution do you see being trampled on in this competition?

  1. Equal protection under the law.
  2. Taking without compensation.
  3. Misuse of power; ruling beyond color of law.

You have heard of such things, right? Well you should have -- the first two were in my previous response. Do try to keep up.

More than that, these rules act to restrict the long term development of crypto technology by not allowing fundamentally-new technology to compete, and by not rewarding the crypto design process itself. These rules are tools to minimize the open development of cryptographic technology, and every entrant who participates is another government argument that this is a good thing.

As a crypto designer, I have found the whole process more rewarding than almost anything else I have done. I expect those rewards to continue, even if Twofish does not get chosen.

And honestly, in a standard I would rather see a conservative design than fundamentally new technology. If you have the latter, start writing papers and getting your ideas into the literature.

If you want articles, I have articles all over my pages. Many have been on-line for years; some are new in the last few months. Since they are available for reading by the public, they are published. Any alleged scientist in cryptography who hasn't kept up with my stuff has nobody to blame but their own lazy self. The major topics are:

  1. Dynamic Substitution: keyed, table-based, nonlinear-yet-reversible statistically-balanced combiners for stream ciphers

http://www.io.com/~ritter/#DynSubTech

  2. Balanced Block Mixing: arguably perfect balanced reversible mixing, now by keyed nonlinear tables.

http://www.io.com/~ritter/#BBMTech

  3. Mixing Ciphers: scalable block ciphers based on (2), supporting toy implementations and huge block sizes which can be dynamically selected (in powers-of-2) at ciphering time. Large blocks avoid the need for CBC chaining and all the sequentiality that implies.

http://www.io.com/~ritter/#MixTech

  4. Variable Size Block Ciphers: scalable block ciphers with constant-depth logic and size dynamically-variable to the byte as selected at ciphering time. Modest use of padding in the ciphertext implies that individual blocks cannot even be distinguished, let alone attacked.

http://www.io.com/~ritter/#VSBCTech


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 00:39:39 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360ed738.1402804@news.visi.com References: 360ebd79.18691713@news.io.com Newsgroups: sci.crypt Lines: 185

On Sun, 27 Sep 1998 22:34:37 GMT, ritter@io.com (Terry Ritter) wrote:

On Sat, 26 Sep 1998 21:37:43 GMT, in 360d5983.3024744@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) seemed to respond, yet failed to address his own analogy:

The analogy was not very good; it wasn't worth defending. I was thinking of auto racing sponsorship as something done for publicity; you pointed out that the auto manufacturers got to keep rights to their designs. Perhaps better would be the sponsorship of a particular Olympics team. When Company X sponsors the U.S. ski team, they spend money and expertise (or at least, buy expertise) and receive nothing back except publicity.

[...] From what I have researched, IBM has never sued or even threatened anyone for using DES. If you have other evidence, I very much want to hear it.

Please try to follow along: DES was a US standard. It was free for use in the US. Presumably IBM got something for that. Lawsuits and threatening have nothing to do with it.

Again, if you know of anything IBM got from DES besides publicity, please let me know.

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions. There is also "taking without compensation."

NIST is not taking anything without compensation. Everything is being given freely. You are not being compelled to submit and to give up your rights.

Indeed, I did not submit.

But you get to participate in a government-funded process which took nothing from you, but would take property from me.

This is a little more than "not being compelled to submit."

What is the AES process taking from you? You were not compelled to submit, so AES will not take your work away from you. I know that you patent your ideas, so if the eventual AES algorithm infringes on any of your patents then you will demand your rights. I don't see anything of yours being taken away.

[...] If I were in the position where somebody had proposed a system using my owned technology, I would shut up and wait and hope to be chosen.

I know. You and many others.

Life in the property lane: You don't own the land you travel over unless you got there first and registered your claim. Deal with it.

I am, as we all are.

All we can do is hope.

Exactly how I feel! The whole process could be quite amusing.

It's something like a small herd of nearsighted bumbling sheep with their own blind shepherd.

Moo. Oops, sorry. Baaa.

There is some caselaw on the subject. NIST will make a public call to all third parties to state any potential patent claims regarding the submissions. If someone chooses not to, NIST could argue in court that the patentholder deliberately withheld information in an attempt to hide his rights until after AES was awarded. Will this do any good? No one knows.

As far as I know, there is no responsibility in patents to take offensive action at any particular time or to respond to governmental calls for clarification. Perhaps you are thinking of copyright.

No, I am thinking of patents. Patentholders must exercise their rights, or they lose them. In this case, though, I believe you are correct.

[...]

It is unfortunate that Bruce Schneier was a prime factor in getting the original rules changed so that only free designs would even be considered for AES.

Was I? Wow. I thought that was NIST's idea.

Oh, please. Are we to believe you have forgotten your letter to NIST after the first conference? Shall we re-post it?

I believe you are confusing my endorsement of an idea with my origination of an idea.

I'm surprised you aren't crying "I don't remember, I can't recall." Of course that would do no good, since all this is in the public record, but at least it would be more amusing than you blaming me for your words.

The NIST position coming out of the first conference was that "patented algorithms" (sic) would be accepted, but there would be a bias against them. You then argued in a letter -- which you made public -- that patented algorithms should not be accepted at all. And that became the rule. And of course it was just a coincidence that this also stripped off some of your competition.

Are you in charge of NIST? No. Do you bear ultimate responsibility? No. Would you be the target of a lawsuit? Probably not. Was your letter a major factor in the internal debate? My guess is yes. So, are you the proximate cause of the rules change? Probably so.

Well, good for me then. I'm glad I restricted the competition to free candidates. The last thing we need is another RSADSI-like monopoly.

[...] (I'll also pay for a strong block cipher that encrypts data (ECB mode) in less than 2 clock cycles per byte. I don't know how to do that.)

And once you know, would you still pay?

Certainly my stuff can do 1 cycle PER BLOCK with enough hardware, but I don't think that's unique. I suppose it might be unique that those blocks can be 64 BYTES WIDE, and so avoid CBC chaining, which means faster ciphering overall, beyond per-block measures.

Sorry, I meant on a general-purpose CPU. And I mean a 64-bit codebook (or a 128-bit codebook).

[...] The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

Unconstitutional!? Neat. Which part of the constitution do you see being trampled on in this competition?

  1. Equal protection under the law.
  2. Taking without compensation.
  3. Misuse of power; ruling beyond color of law.

You have heard of such things, right? Well you should have -- the first two were in my previous response. Do try to keep up.

I'm trying to keep up, but it's hard. I believe that everyone is being treated equally under the law here. The rules for you are not different than the rules for me. I don't see anything being taken without compensation, since the competition is voluntary. And misuse of power is really stretching things.

I guess I can't keep up. Good luck with your constitutional challenge.

And honestly, in a standard I would rather see a conservative design than fundamentally new technology. If you have the latter, start writing papers and getting your ideas into the literature.

If you want articles, I have articles all over my pages. Many have been on-line for years; some are new in the last few months. Since they are available for reading by the public, they are published. Any alleged scientist in cryptography who hasn't kept up with my stuff has nobody to blame but their own lazy self.

Unfortunately, that's not true. (And it is unfortunate.) Publication does not mean self-publication on a website, it means publication in a workshop, conference, or journal.

In any case, even if you don't want to publish in conferences or journals, put cryptanalysis papers on your website. As I said before, new ideas just for their own sake aren't very interesting. You need to show how the old ideas are insufficient. You need to break ciphers designed with the old ideas, and then show how your own ideas are better.

Designs are a dime a dozen, so it's hard to separate the good ones from the silly ones. Good cryptanalysis is hard; it will force people to take notice of your work.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: 28 Sep 1998 03:46:54 GMT From: stl137@aol.com (STL137) Message-ID: 19980927234654.06997.00002851@ng111.aol.com References: 360ed738.1402804@news.visi.com Newsgroups: sci.crypt Lines: 9

<<Moo. Oops, sorry. Baaa.>> Har har - this one goes on my quotes page...

STL137@aol.com ===> Website: http://members.aol.com/stl137/ PGP keys: ~~~pgp.html Quotes: ~~~quotes.html "I have sworn upon the altar of God eternal hostility against every form of tyranny over the mind of man" - Thomas Jefferson


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 03:57:06 GMT From: ritter@io.com (Terry Ritter) Message-ID: 360f0886.6675979@news.io.com References: 360ed738.1402804@news.visi.com Newsgroups: sci.crypt Lines: 85

On Mon, 28 Sep 1998 00:39:39 GMT, in 360ed738.1402804@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

[...] NIST is not taking anything without compensation. Everything is being given freely. You are not being compelled to submit and to give up your rights.

Indeed, I did not submit.

But you get to participate in a government-funded process which took nothing from you, but would take property from me.

This is a little more than "not being compelled to submit."

What is the AES process taking from you? You were not compelled to submit, so AES will not take your work away from you. I know that you patent your ideas, so if the eventual AES algorithm infringes on any of your patents then you will demand your rights. I don't see anything of yours being taken away.

Well, this is progress! Now we're about halfway there:

Clearly, if someone else used my work in their submission, I would "participate" in AES without loss to me. My patents would still apply even if that design was selected.

But I could not submit my own work without loss of rights.

This means that a government process -- one that should apply to me just the same as you -- would cost me more than it cost you. This is just not equal protection under the law.

[...] If you want articles, I have articles all over my pages. Many have been on-line for years; some are new in the last few months. Since they are available for reading by the public, they are published. Any alleged scientist in cryptography who hasn't kept up with my stuff has nobody to blame but their own lazy self.

Unfortunately, that's not true. (And it is unfortunate.) Publication does not mean self-publication on a website, it means publication in a workshop, conference, or journal.

Fortunately, Science is not the exclusive province of journals, or even academia. It does not require obeisance from acolytes in pretentious self-congratulatory symposia nor exist solely in expensive ink-on-paper prayer books. Science just is.

My stuff is available to anyone. It is not restricted to students who are physically close to a major library system. It doesn't cost anything at all, not the price of a symposium, not the price of a book, not even the price of a CD. In my view, this is the way Science should be, and that is the way I do it.

The role of a "refereed publication" is (or was useful at one time) to winnow out some of the chaff and make the resulting journal more worthwhile. This is a service to the reader. While this process does define what appears in a particular journal, it is not the distinction between Science good and bad. Nor does the term "archival journal" mean what it used to mean.

Academic works generally are required to acknowledge the sources of ideas, and this is often done even for "private communications" such as personal letters and even private discussions. These are certainly far more questionable than any published works.

Web pages and Usenet articles are published worldwide in form fixed as of a specific date, should have the author's name and a title, and carry both a legal copyright and ethical pride-of-authorship. This is indeed "publication" for academic purposes. Electronic publication can establish legal and moral priority in a field, and is disregarded only by those who wish to be known as academic thieves.

Again, my stuff is available free on my pages. Any alleged scientist in cryptography who hasn't kept up with it has nobody to blame but their own lazy self.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Sun, 27 Sep 1998 21:43:49 -0700 From: Jim Gillogly jim@acm.org Message-ID: 360F1405.ACCBFB83@acm.org References: 360f0886.6675979@news.io.com Newsgroups: sci.crypt Lines: 49

Bruce Schneier wrote:

What is the AES process taking from you? You were not compelled to submit, so AES will not take your work away from you. I know that you patent your ideas, so if the eventual AES algorithm infringes on any of your patents then you will demand your rights. I don't see anything of yours being taken away.

Terry Ritter wrote:

Well, this is progress! Now we're about halfway there:

Clearly, if someone else used my work in their submission, I would "participate" in AES without loss to me. My patents would still apply even if that design was selected.

But I could not submit my own work without loss of rights.

This means that a government process -- one that should apply to me just the same as you -- would cost me more than it cost you. This is just not equal protection under the law.

Are you trying to make this into one of those "The rich as well as the poor are prohibited by the law from sleeping under bridges" things? You'll need to spell this one out for me. The way I see it is this:

Bruce & Co. designed and analyzed an algorithm. They submitted it as an AES candidate and chose not to exert any patent rights. They presumably could have patented it if they'd wanted -- the patent office is taking just about anything these days.

You designed and analyzed an algorithm. You patented it. If you had submitted it as an AES candidate you would have had to give up some of those patent rights. You chose not to submit it.

How is this not equal protection under the law? You've simply chosen a different path. Have you yet answered the question about what IBM has received for DES beyond publicity?

You say in another posting that your work has been taken without compensation. Which work? Do one or more of the AES candidates infringe on your patents? What is the extent of the damage to you? Do you think that the process will somehow invalidate your patents?

Feel free to ignore any of these you've already answered -- I stipulate that I have not read all the messages in this thread.

-- Jim Gillogly Highday, 7 Winterfilth S.R. 1998, 04:27 12.19.5.9.19, 3 Cauac 12 Chen, First Lord of Night


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 08:24:51 GMT From: ritter@io.com (Terry Ritter) Message-ID: 360f47cb.22874233@news.io.com References: 360F1405.ACCBFB83@acm.org Newsgroups: sci.crypt Lines: 145

On Sun, 27 Sep 1998 21:43:49 -0700, in 360F1405.ACCBFB83@acm.org, in sci.crypt Jim Gillogly jim@acm.org wrote:

[...] Are you trying to make this into one of those "The rich as well as the poor are prohibited by the law from sleeping under bridges" things?

I'm not trying to make it anything. It is what it is. I am trying to explain it, although that does seem rather futile here, everyone being so anxious for their free meal of AES and all. That being the case, what is there to discuss?

You'll need to spell this one out for me. The way I see it is this:

Bruce & Co. designed and analyzed an algorithm. They submitted it as an AES candidate and chose not to exert any patent rights. They presumably could have patented it if they'd wanted -- the patent office is taking just about anything these days.

Oh, yeah. Why don't you just sit down, write a patent, draw figures, construct claims, and prosecute that case through several responses over a period of years to issuance and see how goddamn easy it is? Maybe the process won't seem quite as funny thereafter.

You designed and analyzed an algorithm. You patented it.

We do not patent algorithms. We can patent implementations of algorithms; they are called "processes." But most of my claims are "machine claims."

If you had submitted it as an AES candidate you would have had to give up some of those patent rights. You chose not to submit it.

How is this not equal protection under the law?

OK, one last shot:

Entrant A has no intellectual property to speak of, so he has none to lose. Entering (with the possibility of winning), therefore, is not costly to him.

Entrant B does have intellectual property, established through a complex process of some cost, effort, and time. Entrant B thus has property and investment to lose. Entering, therefore, is costly to him.

SO... entering is cheap for A, who has no property, and costly for B, who does.

Why is this hard to understand?

It is true that various interactions with government are based on the property we have: tax rates vary, and welfare and other grants are sometimes means-based. But would it be reasonable to pay more for parking based on the value of one's car? The ideal in the US (which admittedly we never achieve) is that each person has the same vote, and the same worth to the government as any other, independent of property holdings or wealth.

Somewhere there is a dividing line between those services which are provided equally to citizens independent of their means, and those which are not. I claim that AES crossed the line.

You've simply chosen a different path.

Indeed. But I chose this path because the alternative was wrong.

Have you yet answered the question about what IBM has received for DES beyond publicity?

Asking this question makes no sense, and the very fact that it keeps being asked brings into question the motives of those who ask it. It would be just as unreasonable to insist that you show me that IBM received nothing more than publicity. Have you showed that yet?

We do know that intensive negotiation was going on right up until DES was actually published. Negotiation normally means that some form of compromise or reciprocal bargain is being struck. It simply does not take much negotiation to say: "We'll just make this cipher free for use in the US." (There is no question about free use of DES being limited to the US; although AES is to be free worldwide.)

There were many ways the government could have provided compensation to the largest computer company in the world, ranging from shifting government contracts to easing export. None of this is necessarily cash on the barrel head, but it would be compensation. From the right person, a wink and a nod would probably be sufficient. We don't know.

You say in another posting that your work has been taken without compensation.

No, I did not say that, but presumably you took that implication from what I actually did say.

What I mean is that -- as a condition of AES participation -- rights had to be given up for the chosen submission. What was actually given was an option on rights, just as one might take an option on land. But options are themselves worth something. Requiring such an option as a condition of participation sounds like taking without compensation to me.

Which work? Do one or more of the AES candidates infringe on your patents?

I doubt it, but I suppose it is possible. Do you have something particular in mind?

What is the extent of the damage to you?

Damage?

I suppose the damage here is that I became even more cynical and disgusted than before by the obvious political manipulations in what should have been a technical process. Just Washington as usual, I guess, but that doesn't make it right.

I had been planning to participate in AES for years before AES was even proposed. You can see work on my pages now about 5 years old which describes problems with DES and proposes alternatives. I was one of the first to insist that a 64-bit block was too small. By not participating I was naturally disappointed, but I feel more knifed in the back by my government than really caring about the "contest." It is not a contest.

Do you think that the process will somehow invalidate your patents?

What? Certainly not. Where did that come from?


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 13:35:51 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360f8f29.3658837@news.visi.com References: 360f47cb.22874233@news.io.com Newsgroups: sci.crypt Lines: 77

On Mon, 28 Sep 1998 08:24:51 GMT, ritter@io.com (Terry Ritter) wrote:

OK, one last shot:

Entrant A has no intellectual property to speak of, so he has none to lose. Entering (with the possibility of winning), therefore, is not costly to him.

Entrant B does have intellectual property, established through a complex process of some cost, effort, and time. Entrant B thus has property and investment to lose. Entering, therefore, is costly to him.

SO... entering is cheap for A, who has no property, and costly for B, who does.

Why is this hard to understand?

It is hard to understand because you are starting in the middle of the process. Under your assumptions, A does not have any patent rights and B does. But we're looking at it one step back, at the idea phase:

Entrant A has an idea. He chooses not to patent it, and instead to submit it to AES.

Entrant B has an idea. He chose to patent it, and not to submit it to AES.

This seems to be the difference here.

Have you yet answered the question about what IBM has received for DES beyond publicity?

Asking this question makes no sense, and the very fact that it keeps being asked brings into question the motives of those who ask it. It would be just as unreasonable to insist that you show me that IBM received nothing more than publicity. Have you showed that yet?

We do know that intensive negotiation was going on right up until DES was actually published. Negotiation normally means that some form of compromise or reciprocal bargain is being struck. It simply does not take much negotiation to say: "We'll just make this cipher free for use in the US." (There is no question about free use of DES being limited to the US; although AES is to be free worldwide.)

I suppose he's right. There could have been a secret payoff between NBS and IBM, one that all of DES's designers were kept in the dark about (or which they have lied about all these years). There could be secret payoffs going on to this day between IBM and foreign companies who are using DES.

All we can say is that everyone associated with DES has claimed that IBM gave up all patent right in exchange for nothing, that the official documents agree, and that no one in any country has said that they have paid IBM something for using DES. But Terry is right, this could all be a conspiracy.

You say in another posting that your work has been taken without compensation.

No, I did not say that, but presumably you took that implication from what I actually did say.

What I mean is that -- as a condition of AES participation -- rights had to be given up for the chosen submission. What was actually given was an option on rights, just as one might take an option on land. But options are themselves worth something. Requiring such an option as a condition of participation sounds like taking without compensation to me.

The difference seems to me that we see that participation is a choice, so there is no taking. He seems to feel differently.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 20:36:25 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 360ff05c.18633593@news.prosurfr.com References: 360f8f29.3658837@news.visi.com Newsgroups: sci.crypt Lines: 33

schneier@counterpane.com (Bruce Schneier) wrote, in part:

But Terry is right, this could all be a conspiracy.

I doubt that Terry Ritter was alleging that sort of conspiracy...

of course, there are other people who claim that DES, IDEA, Blowfish, and all the other well-known block cipher designs are horribly insecure, and suggest that instead we should go and use block ciphers with key-dependent S-boxes with 65,536 entries in them, or Genuine Artificial Imitation One-Time Pads, as the only true road to security.

Obviously, reading your book Applied Cryptography will lead people to suspecting that you are one of the members of this "conspiracy" as well.

As for myself, I'm trying to lead the way to universal security, with designs like the baroque, slow, and hideously complicated Quadibloc II, including a 256-byte key-dependent S-box, the earlier Mishmash proposal which redefines the word "nonlinearity", and my latest large-key brainstorm which rolls together DES, the other Vernam machine (the two-tape system) and the SIGABA, that, on the one hand, are genuinely secure by conventional methods, and yet also include attributes that seem to warm the hearts of those often called "snake-oil vendors", i.e., a huge key, a novel structure that seems bewildering to analyze.

Of course, if I expect incompetent people to use my designs, I really will have to sit down and write some code for them to use...

John Savard http://members.xoom.com/quadibloc/index.html


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 07:49:18 -0700 From: Jim Gillogly jim@acm.org Message-ID: 360FA1EE.32D300F1@acm.org References: 360f47cb.22874233@news.io.com Newsgroups: sci.crypt Lines: 37

I can see we're on different enough wavelengths that doing a point-by-point argument would be pointless and end up in a dozen different arguments that don't belong in sci.crypt, but here's one I can't help objecting to.

On Sun, 27 Sep 1998 21:43:49 -0700, in 360F1405.ACCBFB83@acm.org, in sci.crypt Jim Gillogly jim@acm.org wrote:

You designed and analyzed an algorithm. You patented it.

Terry Ritter wrote:

We do not patent algorithms. We can patent implementations of algorithms; they are called "processes."

I recognize that algorithms are not supposed to be patentable, but in fact a great many algorithms are patented. The patents are written in stilted and contorted language that casts the algorithm as a process or machine. In fact this is nonsense, as anyone who's had the pleasure of reading one of them should be able to attest. If anybody hasn't, I recommend the LZ77 compression algorithm patent.

If algorithms couldn't be patented, then programming algorithms on computers wouldn't violate any patents. Whether you say I've implemented the process by programming the computer, or you say I've developed a machine that realizes that patent by programming a computer, in fact what I have done is implemented an algorithm by programming the computer.

I don't disagree that designing an important algorithm such as RSA is a significant piece of intellectual property and the authors deserve a reward. I do disagree that the patent process is set up to offer that reward.

-- Jim Gillogly Highday, 7 Winterfilth S.R. 1998, 14:39 12.19.5.10.0, 4 Ahau 13 Chen, Second Lord of Night


Subject: Re: AES and patent rights Date: 28 Sep 1998 16:48:50 GMT From: lamontg@bite.me.spammers Message-ID: 6uoeli$1amu$1@nntp6.u.washington.edu References: 360f47cb.22874233@news.io.com Newsgroups: sci.crypt Lines: 64

ritter@io.com (Terry Ritter) writes:

How is this not equal protection under the law?

OK, one last shot:

Entrant A has no intellectual property to speak of, so he has none to lose. Entering (with the possibility of winning), therefore, is not costly to him.

Entrant B does have intellectual property, established through a complex process of some cost, effort, and time. Entrant B thus has property and investment to lose. Entering, therefore, is costly to him.

SO... entering is cheap for A, who has no property, and costly for B, who does.

Why is this hard to understand?

Because nobody is forcing you to enter the contest if you judge it to be too costly to you.

What I mean is that -- as a condition of AES participation -- rights had to be given up for the chosen submission. What was actually given was an option on rights, just as one might take an option on land. But options are themselves worth something. Requiring such an option as a condition of participation sounds like taking without compensation to me.

Don't participate. Then it isn't taking without compensation. For those that participate they are entirely free to sign over their rights provided that they do so without coercion.

Most of your "constitutional argument" is invalidated simply by the fact that there's nothing illegal or unconstitutional about waiving your rights.

What is the extent of the damage to you?

Damage?

I suppose the damage here is that I became even more cynical and disgusted than before by the obvious political manipulations in what should have been a technical process. Just Washington as usual, I guess, but that doesn't make it right.

I'd love it if I could sue the government based on my cynicism.

I had been planning to participate in AES for years before AES was even proposed. You can see work on my pages now about 5 years old which describes problems with DES and proposes alternatives. I was one of the first to insist that a 64-bit block was too small. By not participating I was naturally disappointed, but I feel more knifed in the back by my government than really caring about the "contest." It is not a contest.

It is not a contest that you care to enter, clearly. And you're clearly upset because you thought you'd get a whole lot of money out of possibly winning the contest, and you won't. The lottery isn't as rich as you thought it was going to be, so you're not participating. Here's the world's smallest violin for you -> .

-- Lamont Granquist (lamontg@u.washington.edu) looking for unix administration / security work


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 07:34:40 GMT From: ritter@io.com (Terry Ritter) Message-ID: 36108d59.28142960@news.io.com References: 6uoeli$1amu$1@nntp6.u.washington.edu Newsgroups: sci.crypt Lines: 20

On 28 Sep 1998 16:48:50 GMT, in 6uoeli$1amu$1@nntp6.u.washington.edu, in sci.crypt lamontg@bite.me.spammers wrote:

[...] It is not a contest that you care to enter, clearly. And you're clearly upset because you thought you'd get a whole lot of money out of possibly winning the contest, and you won't.

Had you been around here when this all started, you would know that I have never had any delusions about possibly winning. I did have the delusion that I would be able to participate without giving away my second-born child.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 20:23:14 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 360fecd4.17729575@news.prosurfr.com References: 360f47cb.22874233@news.io.com Newsgroups: sci.crypt Lines: 53

ritter@io.com (Terry Ritter) wrote, in part:

Entrant A has no intellectual property to speak of, so he has none to lose. Entering (with the possibility of winning), therefore, is not costly to him.

Entrant B does have intellectual property, established through a complex process of some cost, effort, and time. Entrant B thus has property and investment to lose. Entering, therefore, is costly to him.

SO... entering is cheap for A, who has no property, and costly for B, who does.

Why is this hard to understand?

This point does have some validity in the current context, where a surrender of patent rights is mandatory in the AES. I remember you making this point earlier, when it was merely "preferred", and there I found it hard, not to understand, but to believe.

Choosing the lowest bidder (including specifying in advance a maximum amount one is prepared to pay) is not discrimination; and it looks like that's what you're trying to argue.

Essentially, NIST is not in the business of awarding free publicity to whoever has the best cipher algorithm. If that was what AES was about, discrimination of the type you note would be unfair, since the patented status of an algorithm is irrelevant to its merit.

What it is instead doing by means of the AES process is: searching for a good cipher algorithm that the U.S. government can use in practice for safeguarding unclassified but sensitive communications. And a waiver of royalties with respect to use by parties other than the U.S. government will further facilitate use of that same algorithm in communications between the U.S. government and other parties (i.e., computerized filing of tax returns).

The free publicity is an incidental consequence of the AES process meeting a goal of the U.S. government, it is not the purpose of the thing from their point of view, however important it may be to the entrants.

However, come to think of it, if we're talking about computerized filing of tax returns, such an application will depend on the use of public-key cryptography, still controlled by patents. Presumably, the main effect of using a royalty-free symmetric algorithm will be to increase the amount the holders of those patents are able to charge while the application remains economically viable. So there is a valid argument for discrimination of a sort...

John Savard http://members.xoom.com/quadibloc/index.html


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 05:04:06 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 36106A23.82C0D322@null.net References: 360f47cb.22874233@news.io.com Newsgroups: sci.crypt Lines: 11

Terry Ritter wrote:

There were many ways the government could have provided compensation to the largest computer company in the world, ranging from shifting government contracts to easing export. None of this is necessarily cash on the barrel head, but it would be compensation. From the right person, a wink and a nod would probably be sufficient. We don't know.

When government officials get caught engaging in such illegal procurement activities, the penalties can be severe. If they didn't need to take that course, there would thus be considerable incentive not to.


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 19:51:44 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2909981951440001@dialup163.itexas.net References: 36106A23.82C0D322@null.net Newsgroups: sci.crypt Lines: 27

In article 36106A23.82C0D322@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

Terry Ritter wrote:

There were many ways the government could have provided compensation to the largest computer company in the world, ranging from shifting government contracts to easing export. None of this is necessarily cash on the barrel head, but it would be compensation. From the right person, a wink and a nod would probably be sufficient. We don't know.

When government officials get caught engaging in such illegal procurement activities, the penalties can be severe. If they didn't need to take that course, there would thus be considerable incentive not to.

Are you naive enough to not see what goes on? So much bidding is only done to present the guise of a credible process. I've seen some of the worst of this sort of thing. It is not pretty, but almost always gets hushed up. Under one set of circumstances, the company told me that it just cost them lots of money to the right places, and it was all my fault for calling attention to the fraudulent activities.


Show me a politician who does not lie through his teeth, and.....I'll show you one who can't find his dentures.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 13:25:01 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360f8dcf.3312669@news.visi.com References: 360f0886.6675979@news.io.com Newsgroups: sci.crypt Lines: 53

On Mon, 28 Sep 1998 03:57:06 GMT, ritter@io.com (Terry Ritter) wrote:

On Mon, 28 Sep 1998 00:39:39 GMT, in 360ed738.1402804@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

[...] NIST is not taking anything without compensation. Everything is being given freely. You are not being compelled to submit and to give up your rights.

Indeed, I did not submit.

But you get to participate in a government-funded process which took nothing from you, but would take property from me.

This is a little more than "not being compelled to submit."

What is AES process taking from you? You were not compelled to submit, so AES will not take your work away from you. I know that you patent your ideas, so if the eventual AES algorithm infringes on any of your patents then you will demand your rights. I don't see anything of yours being taken away.

Well, this is progress! Now we're about halfway there:

Clearly, if someone else used my work in their submission, I would "participate" in AES without loss to me. My patents would still apply even if that design was selected.

But I could not submit my own work without loss of rights.

This means that a government process -- one that should apply to me just the same as you -- would cost me more than it cost you. This is just not equal protection under the law.

Fascinating.

To me it looks like we were both given the same decision to make, and you chose one path and I chose the other. You believed that your patent rights were worth more than NIST was willing to give you for them. I felt that my patent rights were worth less than the PR NIST was offering. I believe we were both treated fairly, since we were allowed to make the same decision under the same rules.

But clearly I don't understand constitutional law as well as you do. Good luck with your suit.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 07:38:05 GMT From: ritter@io.com (Terry Ritter) Message-ID: 36108e34.28361720@news.io.com References: 360f8dcf.3312669@news.visi.com Newsgroups: sci.crypt Lines: 22

On Mon, 28 Sep 1998 13:25:01 GMT, in 360f8dcf.3312669@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

[...] To me it looks like we were both given the same decision to make, and you chose one path and I chose the other. You believed that your patent rights were worth more than NIST was willing to give you for them.

This is sort of a strange comment, isn't it? It might even be the basis for a sort of occupational joke, where a mathematician gets "paid" with zero dollars and goes away satisfied! Ha ha, very funny!

Had AES offered even token real compensation for these rights, you might have a point. They did not.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 09:52:37 GMT From: amungedtempdog@munged.see.sig (A [Temporary] Dog) Message-ID: 3610a518.969320@news.erols.com References: 36108e34.28361720@news.io.com Newsgroups: sci.crypt Lines: 38

On Tue, 29 Sep 1998 07:38:05 GMT, ritter@io.com (Terry Ritter) wrote:

On Mon, 28 Sep 1998 13:25:01 GMT, in 360f8dcf.3312669@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

[...] To me it looks like we were both given the same decision to make, and you chose one path and I chose the other. You believed that your patent rights were worth more than NIST was willing to give you for them.
[...] Had AES offered even token real compensation for these rights, you might have a point. They did not.

If you really believe that the prestige of winning the AES contest is worth nothing, why do you care if you participate or not? If the prestige is worth something (to anyone), it is an offer of compensation. If it's worth nothing, then you have lost nothing by not participating. The AES contestants evidently believe that winning the contest is worth something to them. For some of them, prestige is readily convertible to cash via increased charges for consulting work, etc.

They made an offer (prestige for algorithm). You chose not to accept their offer. Others did choose to accept their offer. This is an example of free trade. The fact that their offer of payment is in intangibles doesn't change that. They didn't force you to participate on their terms and you can't force them to participate on your terms. The fact that they are the government and not a business is also irrelevant; it's still an example of free trade.

Put together as name@domain |in record store


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 18:09:20 GMT From: ritter@io.com (Terry Ritter) Message-ID: 361121c4.4707551@news.io.com References: 3610a518.969320@news.erols.com Newsgroups: sci.crypt Lines: 87

On Tue, 29 Sep 1998 09:52:37 GMT, in 3610a518.969320@news.erols.com, in sci.crypt amungedtempdog@munged.see.sig (A [Temporary] Dog) wrote:

[...] If you really believe that the prestige of winning the AES contest is worth nothing,

I do not so believe.

why do you care if you participate or not?

Well, I was disappointed. But the reason I care is that I think it is wrong.

If the prestige is worth something (to anyone), it is an offer of compensation.

I disagree. This idea of working for prestige demeans the creative element and, indeed, work itself:

Anyone deserves prestige for the quality of their work. But they also deserve to be compensated for doing the work. Here the work is design, and that work deserves compensation. But AES rewards fall to manufacturing, who get a design free. So even though the whole point of this will be to enable a profit-based industry of ciphering hardware and software, there is no profit for the designers. This demeans cipher designers in general, and (what a surprise!) acts to prevent a profit-based industry of cipher design.

If it's worth nothing, then you have lost nothing by not participating.

Some people here have been implying that I lost out by not participating. They may be right. I do not feel that way now.

The AES contestants evidently believe that winning the contest is worth something to them.

I am sure it would be.

For some of them, prestige is readily convertible to cash via increased charges for consulting work, etc.

Yes. That would be somewhat more difficult in my case.

They made an offer (prestige for algorithm).

Silly me, but I would say that it is not NIST that provides prestige, but rather the content of each proposal. In my view, simply being associated with NIST is either of no prestige at all, or is negative.

You chose not to accept their offer. Others did choose to accept their offer. This is an example of free trade. The fact that their offer of payment is in intangibles doesn't change that.

I believe it does.

They didn't force you to participate on their terms and you can't force them to participate on your terms. The fact that they are the government and not a business is also irrelevant; it's still an example of free trade.

Government is bound by different rules. In AES I believe government stepped over the line.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: 29 Sep 1998 14:23:21 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 6urc39$13i$1@quine.mathcs.duq.edu References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 44

In article 361121c4.4707551@news.io.com, Terry Ritter ritter@io.com wrote:

If the prestige is worth something (to anyone), it is an offer of compensation.

I disagree. This idea of working for prestige demeans the creative element and, indeed, work itself:

Anyone deserves prestige for the quality of their work. But they also deserve to be compensated for doing the work.

Wrong, sir!

Anyone deserves prestige for the quality of their work. If they choose to work for prestige alone, then (by their own choice), that's possibly all the compensation that they get. The world is full of small theatrical productions with amateur actors, putting on plays written by non-professionals, in many cases doing it simply for the love of the work as well as for the exposure and the publicity.

If you're good enough -- and well enough known -- to be able to demand additional compensation for your work, then I congratulate you. But you can't demand that I pay more than I'm willing to pay, especially if there are demonstrably others who are willing to work merely for the praise and exposure.

Here the work is design, and that work deserves compensation.

And the designers get their compensation in the prestige and exposure from having their candidate algorithms considered.

Perhaps you don't want to work on those terms.

So, don't.

But anyone else who wishes to is free to -- and will reap the appropriate rewards. That's part of the choice they, and you, made, going into the competition (or not).

-kitten

Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 20:38:05 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 36114507.6025232C@null.net References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 12

They made an offer (prestige for algorithm). Terry Ritter wrote: Silly me, but I would say that it is not NIST that provides prestige, but rather the content of each proposal. In my view, simply being associated with NIST is either of no prestige at all, or is negative.

Prestige is awarded by others, not by yourself. Consider: (A) "My system was selected as the replacement for DES." (B) "I have a better algorithm than AEA." I think most people are more impressed by the first claim, which has the merit of being easy to verify.


Subject: Re: AES and patent rights Date: 30 Sep 1998 03:54:52 GMT From: jpeschel@aol.com (JPeschel) Message-ID: 19980929235452.29773.00004008@ng137.aol.com References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 23

ritter@io.com (Terry sour grapes Ritter) writes:

Crazy man -- can you dig it! When do we do zap the capitalist system into a blue way-gone haze?

Jack Kerouac

oh yeah, Joe says -- go here, too...cool...


Joe Peschel D.O.E. SysWorks http://members.aol.com/jpeschel/index.htm



Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 14:55:05 +0900 From: "Lenz" lenz@als.aoyama.ac.jp Message-ID: 6ushf2$lao@enews2.newsguy.com References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 30

Terry Ritter wrote in message 361121c4.4707551@news.io.com...

Government is bound by different rules. In AES I believe government stepped over the line.

Is there a rule in American law which prevents NIST from doing what they did? If so, in what law? Looking at an article at lawlinks.com/beck.html my impression is that both options are possible. Certainly the people at NIST should know about any restricting rule if there is one, since the patent question seems to be important in just about any standardization process.

If a government standard adopts patented technology, that would be government influence on the market competition. The job of the government is to stop restrictions of market competition, not to take part in them. So I think that a government standard should avoid patented technology.

Any compensation for cipher design needs to come from winning in the marketplace, not in AES. Since many good ciphers are available for free, anyone wanting to charge for cipher design needs to beat major league teams as NTT and IBM, as well as many other serious players. Not participating in AES does not stop anyone from trying to do so. That means that any lack of compensation is just an indication of failure in the marketplace, which you probably would not want to claim for your designs.

Karl-Friedrich Lenz :-) <www.toptext.com/crypto/>


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 08:11:26 GMT From: bryanolson@my-dejanews.com Message-ID: 6usp3c$o3l$1@nnrp1.dejanews.com References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 22

Terry Ritter wrote:

Anyone deserves prestige for the quality of their work. But they also deserve to be compensated for doing the work. Here the work is design, and that work deserves compensation.

Actually we pay what we have to, to get what we want. No one advertises by saying he deserves the money. NIST correctly predicted that the world's best cryptographers would offer top quality designs for free. It's not a government decree that pushed the monetary price of symmetric ciphers to zero; it's competition.

Very few people were paying for symmetric ciphers before the AES announcement. The market had spoken and NIST listened.

--Bryan



Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 14:25:58 GMT From: nospam@pd.jaring.my (Lincoln Yeoh) Message-ID: 36123b24.4347337@nntp.jaring.my References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 36

On Tue, 29 Sep 1998 18:09:20 GMT, ritter@io.com (Terry Ritter) wrote:

They didn't force you to participate on their terms and you can't force them to participate on your terms. The fact that they are the government and not a business is also irrelevant; it's still an example of free trade.

Government is bound by different rules. In AES I believe government stepped over the line.

I see AES as a crypto donation drive- "Donate Decent Crypto to the World". You can't give and keep at the same time. If you want to keep, you can't qualify.

You are still free to charge for your crypto. It won't be the world famous free AES but it'll still be yours and you'll get to keep it.

I don't see how you have been wronged. How has the Gov stepped over the line?

Hmm, I haven't complained to the blood donating organisers that it is wrong to tell willing donors beforehand that if their blood is suitable they have to give it for free.

What would be wrong if they purposely selected bad or flawed crypto. That is my worry - how would we know? Perhaps the NSA have figured out the flaws in all the free stuff out there? Pure speculation of course.

Link.


Reply to: @Spam to lyeoh at @people@uu.net pop.jaring.my @



Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 20:39:55 -0500 From: "Stephen M. Gardner" gardner@metronet.com Message-ID: 3612DD6B.93586E63@metronet.com References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 103

Terry Ritter wrote:

I disagree. This idea of working for prestige demeans the creative element and, indeed, work itself:

I'm really amazed at this statement. The vast majority of creative people outside of entrepreneurial engineering sorts would think you have it completely upside down. Many would say that when you do something just for money you cheapen it. After all, when you have the talent it just has to come out whether someone is willing to pay or not. Many artists work for the simple joy of creating. You really have to talk to more artists and actors. The really good ones live for their art and do what they can to survive. Often they are not "rewarded" until after death. There is a great line in an old Charles Aznavour song "La Boheme" that talks about this:

Dans les cafes voisins, nous etions quelques uns qui attendions la gloire. Et, bien que misereux, avec le ventre creux, nous ne cessions d'y croire. Et, quand quelque bistro, contre un bon repas chaud nous prenait une toile. Nous recitions des vers groupe autours du poele en oubliant l'hiver. . .

In the neighborhood cafes, there were a few of us expecting glory. And, even though we were destitute, with our bellies empty, we never stopped believing. And when a bistro took one of our canvases in exchange for a hot meal. We sat around the stove reciting poetry, forgetting the winter. . .

Perhaps I'm a hopeless romantic but I find this easy to understand. In fact, I can get downright misty eyed about this song if it is cold out and I'm drinking a nice French red. ;-) And it's not just artists either. Don't forget that Einstein never made a lot of money off of his amazing creativity. I think he would have considered it crass and bourgeois. He did his best work while working at a deadly boring job in the Swiss Patent Office. He didn't get a red cent for "On the Electrodynamics of Moving Bodies" but it made him the most famous man in the world a few years later. I don't think he would understand the late 20th century Texas entrepreneur very well. ;-)

Perhaps writers should write for the privilege of being published. They often do until they are discovered.

Perhaps actors should act for the privilege of being seen. Does Summer Stock mean anything to you?

Perhaps we all should work for praise alone. Terry, I'm sorry but I think you sound petulant and spoiled here. Giving a single algorithm to the public domain could have had great benefits. It makes you sound very spoiled and childish to be complaining this way. I bet Linus Torvalds isn't sorry that Linux is in the public domain. There is an ol' boy that could get a job anywhere in the world.

Anyone deserves prestige for the quality of their work. But they also deserve to be compensated for doing the work. Here the work is design, and that work deserves compensation.

You need to talk to more creative people outside of engineering. Actors, writers, poets, painters, sculptors they all do a lot of their best work for pennies or nothing at all until they get famous.

Some people here have been implying that I lost out by not participating. They may be right. I do not feel that way now.

Then you should be happy. You didn't get taken in by that facile fraud. ;-)

Silly me, but I would say that it is not NIST that provides prestige, but rather the content of each proposal. In my view, simply being associated with NIST is either of no prestige at all, or is negative.

Perhaps some of your failure to thrive economically is due to a misunderstanding of your market. I think most of your potential customers would beg to differ here. And here is a little fact for you about capitalism: it doesn't matter one whit whether your customers are right in their appreciation of the NIST or not. If they have money, want tons of shit and you have shit to sell then you are a good business man. I think perhaps you have a hard time figuring out whether you want to be a business man or an "artiste". ;-) Charles Aznavour might understand. ;-)

They didn't force you to participate on their terms and you can't force them to participate on your terms. The fact that they are the government and not a business is also irrelevant; it's still an example of free trade.

Government is bound by different rules. In AES I believe government stepped over the line.

That is your prerogative. The nice thing about living in relative freedom is that you get to believe that about government without being dragged off in the night. I happen to believe differently in this particular point. And sadly for you I think your potential customers are on a different wavelength too.

-- Take a walk on the wild side: http://www.metronet.com/~gardner/ Still a lot of lands to see but I wouldn't want to stay here, it's too old and cold and settled in its ways here. Joni Mitchell ("California")


Subject: Re: AES and patent rights Date: 1 Oct 1998 13:43:58 GMT From: mdw@catbert.ebi.ac.uk (Mark Wooding) Message-ID: slrn7171ot.8vf.mdw@catbert.ebi.ac.uk References: 361121c4.4707551@news.io.com Newsgroups: sci.crypt Lines: 25

Terry Ritter ritter@io.com wrote:

I disagree. This idea of working for prestige demeans the creative element and, indeed, work itself:

Anyone deserves prestige for the quality of their work. But they also deserve to be compensated for doing the work.

I do lots of things I enjoy. One of them is writing software. Another is administrating Unix systems. Yet another is writing low-quality poetry.

If I could, I'd do them all for the joy of it. It's a cause of annoyance to me that this isn't possible. So I have to do a job in order to have enough money to do the things I like doing. Lucky me: my job involves doing at least one of the things I like doing anyway.

Creativity exists because, fundamentally, people enjoy being creative. That ought to be enough. It's a real shame it isn't.

-- [mdw]


Subject: Re: AES and patent rights Date: Thu, 01 Oct 1998 11:28:33 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-0110981128330001@dialup81.itexas.net References: slrn7171ot.8vf.mdw@catbert.ebi.ac.uk Newsgroups: sci.crypt Lines: 32

In article slrn7171ot.8vf.mdw@catbert.ebi.ac.uk, mdw@ebi.ac.uk wrote:

Creativity exists because, fundamentally, people enjoy being creative. That ought to be enough. It's a real shame it isn't.

Perhaps people who can be especially creative in a particular field that produces worthwhile technology should be supported by those who are not particularly creative themselves. Boy, that sounds like lots of commercial enterprises.

If patents are truly justified, they should simply be issued and not need to be serviced. To do otherwise is to punish and discourage individual initiative. Too often this is simply done to keep upstarts from entering the market, rather an unAmerican thing to do. Consider the willing involvement by big business for targeted subversion of the intellectual property area.

When it comes to crypto, some other areas too, things are twisted upside down from the classic, nice talk about free enterprise, so the government becomes the fixer, manipulator, and irreverent boss who ultimately selects and blesses the commercial endeavors that submit to the rules. This is an old and not too pretty pattern that is hard to defeat out of habit.

Cut the payola, the bribes, which is a Constitutional sanctioned trigger for impeachment of elective and certain appointed governmental officials, and the processes would be cleaner. So much else is mere cookiework.


Show me a politician who does not lie through his teeth, and.....I'll show you one who can't find his dentures.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 19:49:22 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 3611399D.9643C097@null.net References: 3610a518.969320@news.erols.com Newsgroups: sci.crypt Lines: 14

A [Temporary] Dog wrote:

If you really believe that the prestige of winning the AES contest is worth nothing, why do you care if you participate or not?

I think a key (tacit) element in Terry's reasoning is that AES will be widely used, even mandatory in some cases, displacing commercial systems that might have been used instead.

My immediate response is that without AES, we'd be seeing either 3DES or some NSA ISSO-devised system instead, which would still be free etc.

If AES had resulted in a mandatory-federal-use commercial product, now that might reasonably be viewed as unfair.


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 13:35:51 GMT From: "Joseph K. Nilaad" jknilaad@ssd.bna.boeing.com Message-ID: 361233B7.5E20@ssd.bna.boeing.com References: 3610a518.969320@news.erols.com Newsgroups: sci.crypt Lines: 32

A [Temporary] Dog wrote:

If you really believe that the prestige of winning the AES contest is worth nothing, why do you care if you participate or not? If the prestige is worth something (to anyone), it is an offer of compensation. If it's worth nothing, then you have lost nothing by not participating. The AES contestants evidently believe that winning the contest is worth something to them. For some of them, prestige is readily convertible to cash via increased charges for consulting work, etc.

They made an offer (prestige for algorithm). You chose not to accept their offer. Others did choose to accept their offer. This is an example of free trade. The fact that their offer of payment is in intangibles doesn't change that. They didn't force you to participate on their terms and you can't force them to participate on your terms. The fact that they are the government and not a business is also irrelevant; it's still an example of free trade.

I see. What if Boston marathon gives only the trophy and no other incentives, I wonder how many world class runners would participate? I do agree with you that nobody forces anybody to participate, but if you put very strict constraints to your requirements, there may not be enough contestants to determine which is the best. If Boston marathon committee say that only people who live in Boston and never win any marathon before can participate, then how many people will participate? Probably, there would be just a bunch of amateur entries.

I don't think we're all working for charity!



Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 10:12:40 -0500 From: "R H Braddam" rbraddam@aic-fl.com Message-ID: 6uthqg$5an$1@server.cntfl.com References: 361233B7.5E20@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 114

Joseph K. Nilaad wrote in message 361233B7.5E20@ssd.bna.boeing.com...

I see. What if Boston marathon gives only the trophy and no other incentives, I wonder how many world class runners would participate? I do agree with you that nobody forces anybody to participate, but if you put a very strict constraints to your requirements, there may not be enough contestants to determine which is the best. If Boston marathon committee say that only people who live in Boston and never win any marathon before can participate, then how many people will participate? Probably, there would be just a bunch of amateur entries.

Being amateur doesn't necessarily mean not being good. Olympic athletes train for years to be the best at what they do. Some of them do it for the self-satisfaction they get from their accomplishments.

I don't think we're all working for charity!

It may be more a matter of competition with their peers to "build the better mousetrap". And just because the encryption algorithm is free doesn't mean that the applications using them will be. Who will be the established expert on the algorithm which is chosen? Who will be in the best position to assist program developers with incorporating the algorithm into their products?

I have a question for the group about the AES entrants. How many of them were public domain before being submitted to the AES?

Ritter suggests that those who entered their algorithms gave up nothing, that their property had no value. If their entries were secret until submitted, they could have patented them and licensed them, and therefore may have lost as much through their donations as anyone would have lost who had patented algorithms. And if they will reap benefits through their business as a result of their donations. So could have anyone else who donated their patented work if their algorithms were chosen as the standard.

I don't intend this to be critical of Terry Ritter. I visited his web site, and saved his pages to disk so I can go back to them and study them offline. I can work my way through the code for Blowfish, SHA1, et al, but I can read and understand Ritter's description of his methods much quicker. They seem to make sense, and I'm sure they weren't developed overnight. I understand why a patent is important to him, to protect years of research and work. I think he has a valid complaint, it is just that he over simplified his analogy. I also agree with Bruce that no one is compelled (by outside forces) to donate their algorithms to the public domain via the AES.

I also believe that a public domain standard will result in the incorporation of cryptography into products much quicker than a licensed standard would. Sure, large software houses can pay "fair and non-discriminatory" licensing fees easily, but what is fair for a large business is often out of reach for an independent programmer. And far more applications software, often of very high quality, comes from independents than from the large businesses.

I don't believe that adoption of a public domain AES will reduce anyone's ability to derive income from their patented crypto technology. There is plenty of room for more than one way to do things here. Also, the more choices available for individual users, the harder for an attacker to keep up. The business market is very large, with millions of transactions daily. There aren't that many users, though, when you consider that they all have to communicate with each other. They have to talk the same cryptography.

The personal market doesn't have the same requirements or restrictions. There are potentially thousands of times more personal users than businesses. The issue for them is privacy, and they are going to demand it when they realize how open their communications are. People from all nations around the world will fight and die for freedom, and privacy is an essential part of freedom.

It would seem to me that the way to get widespread acceptance of a particular method would be to get it into as many products as possible, as quickly as possible. No method or product can capture a market share without being on the market. Often, the first of a new type of product becomes the leader and sets the standards for those that follow.

Eventually, encryption of the operating system itself may be considered necessary, to prevent damage to systems which are on-line 100% of the time. That may require a completely different way of looking at cryptography. I expect to see cryptographic software combined with existing hardware in new systems. Many systems can now be configured to require a password before they even begin to boot the operating system. Combine that with a mag stripe or barcode reader for credit card sized plastic cards, and you have a good user login system.

Anyone could carry a notarized signature around by carrying a card with a certificate written on the mag stripe by an institution (bank) or branch of the government. Businesses could issue their own cards for access control to their network from anywhere in the world over the internet. Smart cards may be a great idea, but credit cards are here now, widely accepted, and inexpensive to field.

It takes more than a good (or great) algorithm to achieve commercial success. It has to be easily available to the public, inexpensive, and easy to install. Once installed, it has to be practically invisible to the user.

Another need is for an SSL filter dll for Personal Web Server. PWS is widely available, for free, for Windows 95 and 98. It has adequate capacity for small businesses, and handles ActiveX and Active Server Pages. Eighty percent of the businesses in the US are small businesses. Many of them have a large regional and even national market area. They have sales reps and distributors nationwide. But they won't pay the price to move to a large and complicated to maintain operating system like NT or UNIX. Many of them won't even pay for an extra machine to use as a server for Novell for their LAN. They CAN be brought into the 21st century if there exists an entry-level way to do it, then they'll move up to larger systems when they find out that it will work for them.

Sorry this got so long. I hope someone takes the time to read it. Rickey


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 19:15:13 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 36128239.16547455@news.visi.com References: 6uthqg$5an$1@server.cntfl.com Newsgroups: sci.crypt Lines: 38

On Wed, 30 Sep 1998 10:12:40 -0500, "R H Braddam" rbraddam@aic-fl.com wrote:

I have a question for the group about the AES entrants. How many of them were public domain before being submitted to the AES?

None were, since they were all new. But several entries have been put in the public domain at the time of submitting, regardless of whether they win or lose.

Twofish, Serpent, Rijndael, LOKI-97, HPC, DEAL, and SAFER+ are in the public domain right now.

RC6, Mars, and DFC are not in the public domain right now.

CAST-256, E2, Frog, Magenta, and Crypton I don't know about. CAST-128 is in the public domain (without being any standard), so CAST-256 may be as well. E2 is from NTT, so it is probably not in the public domain. Crypton is by a Korean academic, and is probably in the public domain. Magenta is by Deutsche Telekom, and is probably not. Frog...well the designers are on this newsgroup and can comment for themselves.

Ritter suggests that those who entered their algorithms gave up nothing, that their property had no value. If their entries were secret until submitted, they could have patented them and licensed them, and therefore may have lost as much through their donations as anyone would have lost who had patented algorithms. And if they will reap benefits through their business as a result of their donations. So could have anyone else who donated their patented work if their algorithms were chosen as the standard.

Presumably some of the AES submissions have patent applications pending.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Thu, 01 Oct 1998 05:38:11 GMT From: dianelos@tecapro.com Message-ID: 6uv4g3$f5g$1@nnrp1.dejanews.com References: 36128239.16547455@news.visi.com Newsgroups: sci.crypt Lines: 19

In article 36128239.16547455@news.visi.com, schneier@counterpane.com (Bruce Schneier) wrote:

[...] CAST-256, E2, Frog, Magenta, and Crypton I don't know about. CAST-128 is in the public domain (without being any standard), so CAST-256 may be as well. E2 is from NTT, so it is probably not in the public domain. Crypton is by a Korean academic, and is probably in the public domain. Magenta is by Deutsche Telekom, and is probably not. Frog...well the designers are on this newsgroup and can comment for themselves.

FROG is in the public domain too.

-- http://www.tecapro.com email: dianelos@tecapro.com



Subject: Re: AES and patent rights Date: 30 Sep 1998 11:05:52 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 6utkt0$2p7$1@quine.mathcs.duq.edu References: 361233B7.5E20@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 29

In article 361233B7.5E20@ssd.bna.boeing.com, Joseph K. Nilaad jknilaad@ssd.bna.boeing.com wrote:

A [Temporary] Dog wrote:

If you really believe that the prestige of winning the AES contest is worth nothing, why do you care if you participate or not? If the prestige is worth something (to anyone), it is an offer of compensation. If it's worth nothing, then you have lost nothing by not participating. The AES contestants evidently believe that winning the contest is worth something to them. For some of them, prestige is readily convertible to cash via increased charges for consulting work, etc.

They made an offer (prestige for algorithm). You chose not to accept their offer. Others did choose to accept their offer. This is an example of free trade. The fact that their offer of payment is in intangibles doesn't change that. They didn't force you to participate on their terms and you can't force them to participate on your terms. The fact that they are the government and not a business is also irrelevant; it's still an example of free trade.

I see. What if Boston marathon gives only the trophy and no other incentives, I wonder how many world class runners would participate?

Probably a hell of a lot. The Olympics certainly pay "only the medal," yet have no problem getting competitors.

-kitten

Subject: Re: AES and patent rights Date: Sat, 03 Oct 1998 14:24:11 GMT From: nospam@pd.jaring.my (Lincoln Yeoh) Message-ID: 3616314d.2983645@nntp.jaring.my References: 3612a746.1207056@news.erols.com 361233B7.5E20@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 36

On Wed, 30 Sep 1998 22:59:46 GMT, amungedtempdog@munged.see.sig (A [Temporary] Dog) wrote:

My post wasn't really intended to address the question of whether it was wise to restrict entry to public domain algorithms. My main point was that an intangible reward is still a reward, and can still be a basis for trade.

Heh the only intangible reward is one which isn't a reward in the first place.

Patpat, good boy! ;).

Of course most people don't get paid in pats on backs, praises, respect etc, but it actually matters a lot to many people. But in an increasingly monetary minded society, people tend to lose sight of how much they might enjoy such things.

It ain't just money, if it was, well then it really is stupid. Money/wealth is just a concept which most people agree to recognise. Society agrees that if A has a bigger number than B in the net worth field, A is richer.

There are many other worthwhile concepts that people should not forget to recognise. If I do something for a friend as an act of friendship, then I don't expect payment, in fact it kind of spoils things.

Pity the High Priests of the Free Market seem to have a louder voice nowadays, I'm not even sure of what their real doctrines are anymore, given what they say.

Link.


Reply to: @Spam to lyeoh at @people@uu.net pop.jaring.my @



Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 18:59:32 GMT From: "Joseph K. Nilaad" jknilaad@ssd.bna.boeing.com Message-ID: 36127F94.5955@ssd.bna.boeing.com References: 3610a518.969320@news.erols.com Newsgroups: sci.crypt Lines: 75

R H Braddam wrote:

Being amateur doesn't necessarily mean not being good. Olympic athletes train for years to be the best at what they do. Some of them do it for the self-satisfaction they get from their accomplishments.

Olympic? Hmm. Why did I see Magic Johnson, Michael Jordan, Graff, etc. in Barcelona, Spain? I thought the whole idea of Olympic athletes is to bring out the best athletes in each field from each country. Thanks for bringing Olympic scenario up, who is collecting the money? Certainly not the athletes. I have not yet seen any free admission in Olympic.

mousetrap". And just because the encryption algorithm is free doesn't mean that the applications using them will be. Who will be the established expert

I agree. But what is bugging me is that AES to be "free world wide". That is a joke unless NIST can change the export law (40-bit), can't they? I had asked Bruce, himself couldn't give a definite answer what does "free world wide" really mean. The major concern is the algorithm. "Free world wide" sounds pretty good mousetrap.

Ritter suggests that those who entered their algorithms gave up nothing, that their property had no value. If their entries were secret until submitted, they could have patented them and licensed them, and therefore

If something is patented, it is not secret. Using it without permission from the inventor that is a no no. It should be up to the inventor he/she wants to charge for use, not somebody telling him/her what to do. By the way, did IBM give up their rights to DES?

why a patent is important to him, to protect years of research and work. I think he has a valid complaint, it is just that he over simplified his analogy. I also agree with Bruce that no one is compelled (by outside forces) to donate their algorithms to the public domain via the AES.

I understand both point of views.

business is often out of reach for an independent programmer. And far more applications software, often of very high quality, comes from independents than from the large businesses.

I agree totally, eg., Alan Cooper, Fox Software, etc.

The personal market doesn't have the same requirements or restrictions. There are potentially thousands of times more personal users than businesses. The issue for them is privacy, and they are going to demand it when they realize how open their communications are. People from all nations around the world will fight and die for freedom, and privacy is an essential part of freedom.

It would seem to me that the way to get widespread acceptance of a particular method would be to get it into as many products as possible, as quickly as possible. No method or product can capture a market share without being on the market. Often, the first of a new type of product becomes the leader and sets the standards for those that follow.

I see some potential problem here. See my second reply.

Sorry this got so long. I hope someone takes the time to read it.

That's alright. We haven't had a good thread for a while now.


Joe Nilaad Would that be great if we have a cryptosystem that could survive the test, providing that the adversary has complete plaintext and complete ciphers. I wonder...


Subject: Re: AES and patent rights Date: Thu, 1 Oct 1998 21:25:27 -0500 From: "R H Braddam" rbraddam@aic-fl.com Message-ID: 6v1dip$ojk$1@server.cntfl.com References: 36127F94.5955@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 34

Joseph K. Nilaad wrote in message 36127F94.5955@ssd.bna.boeing.com...

I thought the whole idea of Olympic athletes is to bring out the best athletes in each field from each country. Thanks for

Haven't Olympic champions been stripped of their awards because of professional/commercial activity, even if it was minuscule or accidental??

If something is patented, it is not secret. Using it without permission from

I meant, if their entries were not in the public domain before they submitted them to the AES, they could patent them instead of submitting them to the AES. Until they had released the secret, they could patent their algorithm. Once they release the secret, they may have difficulty getting a patent or enforcing one. However, if they obtained a patent, then the AES came up, then they would have had to make the same decision under the same conditions as faced Mr. Ritter. They would have also had to consider the potential loss of income from sales or licensing, same as Mr. Ritter. Therefore, just because the other submissions were not YET patented, that doesn't mean they were unpatentable, or worthless.

I see some potential problem here. See my second reply.

Agreed. However, the times, they are a-changing, and so will the export laws. Also, there is a major market in the U.S. alone, and software for the US market can be written elsewhere and exported to the US. Get things started here, and watch them spread. BTW, Windows bashing may be fun, but there (in Windows products) exists a MAJOR market.


Subject: Re: AES and patent rights Date: Fri, 2 Oct 1998 14:04:57 GMT From: "Joseph K. Nilaad" jknilaad@ssd.bna.boeing.com Message-ID: 3614DD89.4F95@ssd.bna.boeing.com References: 6v1dip$ojk$1@server.cntfl.com Newsgroups: sci.crypt Lines: 52

R H Braddam wrote:

I meant, if their entries were not in the public domain before they submitted them to the AES, they could patent them instead of submitting them to the AES. Until they had released the secret, they could patent their algorithm. Once they release the secret, they may have difficulty getting a patent or enforcing one. However, if they obtained a patent, then the AES came up, then they would have had to make the same decision under the same conditions as faced Mr. Ritter. They would have also had to consider the potential loss of income from sales or licensing, same as Mr. Ritter. Therefore, just because the other submissions were not YET patented, that doesn't mean they were unpatentable, or worthless.

Why don't AES just simply state that PATENT PENDING ALGORITHM IS NOT ACCEPTABLE. Then for those who had patented algorithm can enter and Mr. Ritter can rest his case. Those guys who have patent pendings and wish to enter AES contest, they have to make decision whether they want to relinquish the rights on their algorithm or not, in which they know darn well that in crypto society, THE ALGORITHM MUST BE OPENED!

Agreed. However, the times, they are a-changing, and so will the export laws. Also, there is a major market in the U.S. alone, and software for the

Changing? That would take the act of God. As big as bureaucrats is, I don't see it in anytime in near future. I mean like less than 5 years. This may not include time to determine AES winner.

Free worldwide and 40bit export law at this moment and in this country, is a contradiction! For those who jump in "free worldwide" band wagon, I don't know what are they thinking. I am sure they all have good deed, but they just might have forgot some other issue.

Sorry world, you have to wait.

started here, and watch them spread. BTW, Windows bashing may be fun, but there (in Windows products) exists a MAJOR market.

Boy boy do I agree with you on this. As long as people keep spending money on beta test units and keep debugging for WHEELIE BILLY, the market will always exist. It seems to me that writing buggy program is good business so that the sellers can say "Oh, you'll have to wait or upgrade the next version/release" I do use MS products, but not by choice.


Subject: Re: AES and patent rights Date: Fri, 2 Oct 1998 14:06:31 -0500 From: "R H Braddam" rbraddam@aic-fl.com Message-ID: 6v387p$65l$1@server.cntfl.com References: 3614DD89.4F95@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 57

Joseph K. Nilaad wrote in message 3614DD89.4F95@ssd.bna.boeing.com... -- snipped my remarks --

Changing? That would take the act of God. As big as bureaucrats is, I don't see it in anytime in near future. I mean like less than 5 years. This may not include time to determine AES winner.

Yes, changing. The original ITAR export controls were very likely unconstitutional, and the movement of control to Department of Commerce was just a stop-gap measure to delay or circumvent having all or a majority of them thrown out by the Supreme Court. Recent government announcements of reduction of export controls, and elimination of some (for banking & insurance) is the start of a down hill slide. The more they do, the more they attract the attention of the general public, and the more pressure they will get to further de-control crypto.

Free worldwide and 40bit export law at this moment and in this country, is a contradiction! For those who jump in "free worldwide" band wagon, I don't know what are they thinking. I am sure they all have good deed, but they just might have forgot some other issue.

Not if "free worldwide" only refers to purchase price. Availability is a different issue. When (if) the 40-bit law is no longer a factor the price will be the same as it is now.

Sorry world, you have to wait.

For now.

Boy boy do I agree with you on this. As long as people keep spending money on beta test units and keep debugging for WHEELIE BILLY, the market will always exist. It seems to me that writing buggy program is good business so that the sellers can say "Oh, you'll have to wait or upgrade the next version/release" I do use MS products, but not by choice.

I use Microsoft products, too, and by choice. The number of people using Microsoft products seems to indicate that it works pretty well, in spite of any bugs. Windows has gotten better with every release, as well it should have. It now has features that weren't even possible in Win3.1. Win95 and Win98 support for devices is also very extensive. I'm 52 years old, and I don't even have time left to READ 5,000,000 lines of code, much less try to write a competitor to Windows. Sure, it still has bugs in it. Some of them will never be found. Not because no one is looking for them, but because there is just too much ground to cover. Does that mean it should be scrapped? I don't think so, it still works well enough to suit me. It must work well enough to suit others, too. I don't see a mass movement to any other operating system, DOS or windows based. The future will tell.


Subject: Re: AES and patent rights Date: 2 Oct 1998 09:19:28 GMT From: Casper.Dik@Holland.Sun.Com (Casper H.S. Dik - Network Security Engineer) Message-ID: casper.907319695@nl-usenet.sun.com References: 36127F94.5955@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 25

[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

"Joseph K. Nilaad" jknilaad@ssd.bna.boeing.com writes:

Olympic? Hmm. Why did I see Magic Johnson, Michael Jordan, Graff, etc. in Barcelona, Spain? I thought the whole idea of Olympic athletes is to bring out the best athletes in each field from each country. Thanks for bringing Olympic scenario up, who is collecting the money? Certainly not the athletes. I have not yet seen any free admission in Olympic.

The Olympics started out as a venture for amateurs only.

While this has been made to sound admirable, it really was only a ploy to keep the "underclass" who couldn't possibly afford to compete for free away. Women weren't allowed to compete either.

And it had nothing to do with the classical olympics; those were very much for profit.

Casper

Expressed in this posting are my opinions. They are in no way related to opinions held by my employer, Sun Microsystems. Statements on Sun products included here are not gospel and may be fiction rather than truth.


Subject: Re: AES and patent rights Date: 30 Sep 1998 23:44:28 GMT From: lamontg@bite.me.spammers Message-ID: 6uufos$15v0$1@nntp6.u.washington.edu References: 3610a518.969320@news.erols.com Newsgroups: sci.crypt Lines: 74

ritter@io.com (Terry Ritter) writes:

I disagree. This idea of working for prestige demeans the creative element and, indeed, work itself:

they not infrequently do.

they not infrequently do.

sounds good, i don't think it's a bad idea at all for everyone to do some work for no tangible compensation. of course you probably meant that nobody should get paid for anything, which is just a bad debating tactic.

Anyone deserves prestige for the quality of their work. But they also deserve to be compensated for doing the work.

no. if i go out and do something which i consider to be work and everyone else considers to be worthless then i certainly don't deserve to be compensated for doing the work. and if i do work without entering into a contractual agreement with someone then they should not be obligated to pay me. i can also freely elect to do work for no compensation or for substantially less compensation than i would otherwise obtain. you seem to be arguing that volunteerism is somehow morally wrong.

Here the work is design, and that work deserves compensation. But AES rewards fall to manufacturing, who get a design free. So even though the whole point of this will be to enable a profit-based industry of ciphering hardware and software, there is no profit for the designers.

that's right. it also enables non-profit-based industry of ciphering software -- e.g. PGP.

This demeans cipher designers in general, and (what a surprise!) acts to prevent a profit-based industry of cipher design.

the AES contest is, unfortunately, not the totality of the cipher design industry.

i suggest that if you really have something better, that you publish your methods of breaking the AES candidates and sell your improved algorithm to corporations in the private sector who are willing to pay you for your services.

however, if you're interested in money i strongly suggest that you go into some other industry -- given the availability of algorithms like Blowfish, Twofish, TEA, 3DES, Serpent, Rijndael, SAFER and CAST-128 there isn't a whole lot of need for stronger for-profit crypto algorithm design unless you can break all of those. i suggest getting paid for doing implementations and doing cipher design and cryptanalysis in your off-time.

oh, do you feel that NIST should have created a market for for-profit ciphers? isn't that creating a demand when there isn't one, and isn't that an interference in the free market?

You chose not to accept their offer. Others did choose to accept their offer. This is an example of free trade. The fact that their offer of payment is in intangibles doesn't change that.

I believe it does.

but you still haven't explained how.

-- Lamont Granquist (lamontg@u.washington.edu) looking for unix administration / security work


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 15:52:20 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 361101b6.5807814@news.visi.com References: 36108e34.28361720@news.io.com Newsgroups: sci.crypt Lines: 29

On Tue, 29 Sep 1998 07:38:05 GMT, ritter@io.com (Terry Ritter) wrote:

On Mon, 28 Sep 1998 13:25:01 GMT, in 360f8dcf.3312669@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

[...] To me it looks like we were both given the same decision to make, and you chose one path and I chose the other. You believed that your patent rights were worth more than NIST was willing to give you for them.

This is sort of a strange comment, isn't it? It might even be the basis for a sort of occupational joke, where a mathematician gets "paid" with zero dollars and goes away satisfied! Ha ha, very funny!

Had AES offered even token real compensation for these rights, you might have a point. They did not.

As funny as it may seem, that is exactly the deal that all of the AES submitters accepted. And it is the deal that you didn't accept. And I still believe that you and I both were given the same decision to make. And I still believe that we chose to respond differently. I don't think I have a "point," other than you chose not to submit and I chose to submit.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 21:25:52 +0200 From: tbb03ar@mail.lrz-muenchen.de Message-ID: <Pine.GSO.4.03.9809292117190.29627-100000@sun5> References: 36108e34.28361720@news.io.com Newsgroups: sci.crypt Lines: 41

On Tue, 29 Sep 1998, Terry Ritter wrote:

On Mon, 28 Sep 1998 13:25:01 GMT, in 360f8dcf.3312669@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

[...] To me it looks like we were both given the same decision to make, and you chose one path and I chose the other. You believed that your patent rights were worth more than NIST was willing to give you for them.

This is sort of a strange comment, isn't it? It might even be the basis for a sort of occupational joke, where a mathematician gets "paid" with zero dollars and goes away satisfied! Ha ha, very funny!

Had AES offered even token real compensation for these rights, you might have a point. They did not.

AES wouldn't be worth anything if it would be patented: Nobody is willing to pay for an algorithm if there are lots of others in the public domain.

To get a standard it was necessary to find free programs.

But I don't see that there is any problem: You didn't make money with DES and you won't make money with the next standard. NIST didn't need you to get DES and they don't need you to get AES :) Others think it is worth developing algorithms only to become the person or group that developed AES.

BTW: Do you think the development of GNU C is unfair against Borland and Microsoft?

Andreas Enterrottacher

enterrottacher@t-online.de enterrottacher@lrz.tu-muenchen.de


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 20:22:24 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3611414c.1821978@news.io.com References: <Pine.GSO.4.03.9809292117190.29627-100000@sun5> Newsgroups: sci.crypt Lines: 43

On Tue, 29 Sep 1998 21:25:52 +0200, in <Pine.GSO.4.03.9809292117190.29627-100000@sun5>, in sci.crypt tbb03ar@mail.lrz-muenchen.de wrote:

[...] AES wouldn't be worth anything if it would be patented: Nobody is willing to pay for an algorithm if there are lots of others in the public domain.

RSA.

RC4 (in the sense that it was easy to export).

(Both of which are not free.)

To get a standard it was necessary to find free programs.

First, AES is a cipher; a major component, assuredly, but still only one component of a complete system. It is not a "program."

And while there may be some "free" programs which use AES, we can be sure that commercial software firms will compensate their programmers by charging for the software. Programmers thus will be compensated -- and justly so -- for the time they spend; but cipher designers will not be compensated for the vastly greater time they spend. And though I do wear both hats, I still find this irritating, since it is a direct result of government action.

[...] BTW: Do you think the development of GNU C is unfair against Borland and Microsoft?

I guess that would first depend upon whether the government was supporting GNU C, and next whether the government would be recommending GNU C and even requiring it for their own use.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 09:04:05 +0200 From: tbb03ar@mail.lrz-muenchen.de Message-ID: <Pine.GSO.4.03.9809300841410.15029-100000@sun5> References: 3611414c.1821978@news.io.com Newsgroups: sci.crypt Lines: 41

On Tue, 29 Sep 1998, Terry Ritter wrote:

On Tue, 29 Sep 1998 21:25:52 +0200, in <Pine.GSO.4.03.9809292117190.29627-100000@sun5>, in sci.crypt tbb03ar@mail.lrz-muenchen.de wrote:

[...] AES wouldn't be worth anything if it would be patented: Nobody is willing to pay for an algorithm if there are lots of others in the public domain.

RSA.

RC4 (in the sense that it was easy to export).

(Both of which are not free.)

And since DH has become free RSA isn't used any more in PGP. As well others don't use RSA because DH has become free.

RC4 is de facto free: Everybody does a small change and uses the resulting cipher in free programs.

To get a standard it was necessary to find free programs.

First, AES is a cipher; a major component, assuredly, but still only one component of a complete system. It is not a "program."

Sorry for the mistake. I should have written 'it was necessary to find free ciphers'.

...

Andreas Enterrottacher

enterrottacher@lrz.tu-muenchen.de enterrottacher@t-online.de


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 15:46:33 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 36124f26.2015479@news.prosurfr.com References: <Pine.GSO.4.03.9809300841410.15029-100000@sun5> Newsgroups: sci.crypt Lines: 37

tbb03ar@mail.lrz-muenchen.de wrote, in part:

RC4 is de facto free: Everybody does a small change and uses the resulting cipher in free programs.

The point is, though, that some people do pay for RC4, because 40-bit RC4 gets them through the export approval process quickly.

Unlike RSA - which has technical merit behind it, being more convenient to use than Diffie-Hellman for many purposes - RC4 is the beneficiary of a government monopoly; the people paying for 40-bit RC4 would have been happy to use DES instead were it not for certain laws.

Ironically, RC4 was never patented, but was protected instead as a trade secret. It used to be that a trade secret, once it ceased to be secret, had no legal protection at all (although there is certainly legal recourse to people who obtain access to a trade secret by trespass or violation of contract), but now the area is quite confusing and complicated; the state of California, for example, has extended trade secret laws IIRC. (However, my understanding is that the free programs usually don't make a small change to the algorithm, they merely avoid using the "RC4" trademark.)

Also, the alleged RC4 algorithm has a considerable similarity to Terry Ritter's own patented Dynamic Substitution algorithm. Apparently, though, it misses infringing because the Dynamic Substitution patent's claims refer only to the use of the construction as a new kind of combiner, for the purpose of applying a stream cipher keystream directly to plaintext (including intermediate forms of plaintext on their way to becoming final ciphertext). Applying one stream output to another stream output prior to its application to plaintext was not claimed, either by simple omission, or because that case was too similar to the cited prior art of the MacLaren-Marsaglia PRNG.

John Savard http://members.xoom.com/quadibloc/index.html


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 13:28:17 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360f8e3c.3422058@news.visi.com References: 360f0886.6675979@news.io.com Newsgroups: sci.crypt Lines: 35

On Mon, 28 Sep 1998 03:57:06 GMT, ritter@io.com (Terry Ritter) wrote:

Academic works generally are required to acknowledge the sources of ideas, and this is often done even for "private communications" such as personal letters and even private discussions. These are certainly far more questionable than any published works.

Web pages and Usenet articles are published worldwide in form fixed as of a specific date, should have the author's name and a title, and carry both a legal copyright and ethical pride-of-authorship. This is indeed "publication" for academic purposes. Electronic publication can establish legal and moral priority in a field, and is disregarded only by those who wish to be known as academic thieves.

Again, my stuff is available free on my pages. Any alleged scientist in cryptography who hasn't kept up with it has nobody to blame but their own lazy self.

Probably, but it takes a lot of work to keep with the Internet, and some might argue that it is impossible. There is just so much out there, and such a high percentage of it is trash, that it just isn't cost effective to wade through it all. For everyone like you, who is doing serious work, there are dozens of yahoos who aren't. And from first glance, you can't tell the difference.

I believe this is going to be true not just for cryptography, but for everything else. In a world where everyone is a publisher, editors become more vital. Those who self publish will just find themselves more and more marginalized, as anyone who has searched for information on Alta Vista can see.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 15:26:53 GMT From: nospam@pd.jaring.my (Lincoln Yeoh) Message-ID: 360fa4d6.7266602@nntp.jaring.my References: 360f0886.6675979@news.io.com Newsgroups: sci.crypt Lines: 43

On Mon, 28 Sep 1998 03:57:06 GMT, ritter@io.com (Terry Ritter) wrote:

Clearly, if someone else used my work in their submission, I would "participate" in AES without loss to me. My patents would still apply even if that design was selected.

But I could not submit my own work without loss of rights.

This means that a government process -- one that should apply to me just the same as you -- would cost me more than it cost you. This is just not equal protection under the law.

It is true: you can't give and keep at the same time. I don't see how equal protection under the law comes into this.

I see the AES as a donation of your work if you are selected. If you aren't selected you get to keep it. No one is forcing you to give.

You don't have to donate your blood (sweat and tears) if you don't want to. Perhaps you're anaemic and it'll cost you more, in which case don't donate.

You won't get people telling you how grateful they are for your gift and sacrifice. My heart bleeds for you, not. :).

So what if Bruce has already given his blood to the blood banks, and thus it "costs him less"(?).

If you think his blood is inferior and not suitable, do tell us why and how.

Don't go to the Crypto Donation Drive, if you don't want to give.

Link.

p.s. Remember too- if your blood ain't suitable, they don't take it from you.


Reply to: @Spam to lyeoh at @people@uu.net pop.jaring.my @



Subject: Re: AES and patent rights Date: 28 Sep 1998 16:36:49 GMT From: lamontg@bite.me.spammers Message-ID: 6uodv1$123u$1@nntp6.u.washington.edu References: 360f0886.6675979@news.io.com Newsgroups: sci.crypt Lines: 32

ritter@io.com (Terry Ritter) writes: [...]

Well, this is progress! Now we're about halfway there:

Clearly, if someone else used my work in their submission, I would "participate" in AES without loss to me. My patents would still apply even if that design was selected.

That isn't at all obvious. At any rate, NIST will probably not select an algorithm which uses prior work that might be patented -- at least they should disqualify algorithms where there are questions raised about this. In the case of twofish, Bruce seems to have a pretty good idea of the "intellectual history" of his cipher so he should be able to make a fairly good case for it containing un-patentable algorithms -- other algorithms should do the same.

[...]

Again, my stuff is available free on my pages. Any alleged scientist in cryptography who hasn't kept up with it has nobody to blame but their own lazy self.

Yeah, so now every cryptographer out there is expected to do frequent and comprehensive web searches and stay abreast of Usenet newsgroups or else they are "lazy." You are the one that is lazy. Writing an article and sticking it up on a website is something that any college student can do. Doing the work to make it suitable for publication in a journal takes substantially longer. That standard of quality is why "lazy" cryptographers read journals rather than browse random web pages.

-- Lamont Granquist (lamontg@u.washington.edu) looking for unix administration / security work


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 16:03:58 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2809981603590001@dialup154.itexas.net References: 6uodv1$123u$1@nntp6.u.washington.edu Newsgroups: sci.crypt Lines: 72

In article 6uodv1$123u$1@nntp6.u.washington.edu, lamontg@bite.me.spammers wrote:

Yeah, so now every cryptographer out there is expected to do frequent and comprehensive web searches and stay abreast of Usenet newsgroups or else they are "lazy." You are the one that is lazy. Writing an article and sticking it up on a website is something that any college student can do. Doing the work to make it suitable for publication in a journal takes substantially longer. That standard of quality is why "lazy" cryptographers read journals rather than browse random web pages.

It all depends on whether you actually want to keep up with a fast changing field or not; this affects everything, not cryptography alone. I would suggest that you discard email as well since, according to the same reasoning, nothing not carefully written out and properly mailed would constitute laziness. I guess doing away with computers could be also justified that way.

Consider the importance of form vs. substance. Learning the approved form is not essential with grasping substance. The internet facilitates communication, and works to short-circuit obstacles. To get to new information, the removal of hindrances should be everyone's priority. You certainly object when government attempts to restrict spread of your information.

The formal requirement to jump through x number of hoops before anyone will listen is simply a misstatement of the facts that people much can be accomplished in nontraditional ways.

The internet is causing a shift, from established entities as centers, who assumed that they were gatekeepers, the lord protectors of something they could define and redefine as they saw fit, to the democratic voices of all who want to be involved. Those in power centers who accommodate and use this new input face brighter futures than those who cannot adapt.

The most obvious change is the fruitbasket turnover of the way the news media works, or has been incapable of maintaining its old identity lately. It will get sorted out somehow, but none can predict how.

Requiring that everything pipe through approved channels is simply the same the old governmental position that they can force such, control the channels, and therefore manage communications whether anyone likes it or not. The biggest single item is that it is increasingly difficult to mask dissent, something our founding fathers would cheer about had they seen it coming. The very fall of the Soviet Union is keyed to no longer being able to run all communications through government turnstiles.

Requirements for formalism can mean just as much, it just depends who the masters are, which in too many cases can mean adopting self-serving arbitrariness of tenured professors, who do not give a good name to authoritarian.

Thankfully, most of them in cryptography are sincere, sympathetic, and reasonable. But, I've met a few prima donnas who would decry the internet as spoiling the value of their publish-or-perish world. The ones that understand are most likely to be fully into the electronic media as well.

All media should complement each other, not kick each other around so as to bury vital information. To demand otherwise is pro-censorship, something you surely would not be in favor of if given the choice. You cannot stop the world if things get too fast for you. Nor, can you expect everyone to run the same crinulated pattern you might have taken.


Are you tired, rundown, can't find a corner in the office to hide in?

Then, try Jimmy Carter's Little Pills, which are apt to cause you to want to get out your frustrations constructively, but might tend to make you fear rabbits.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: 30 Sep 1998 04:13:42 GMT From: lamontg@bite.me.spammers Message-ID: 6usb5m$nic$1@nntp6.u.washington.edu References: 6uodv1$123u$1@nntp6.u.washington.edu Newsgroups: sci.crypt Lines: 58

Look, I have been on the Internet since 1989 and I've made exactly the same arguments that you have. The fact is, however, that the author of some work bears a responsibility to attempt to get the word out. I entirely appreciate the authoritarian argument, but some centralization is simply necessary.

I think, however, that this centralization can take many forms. Certainly anyone is free to put up their work on their private web pages. I think also that people should look to examples like the physics pre-print server at xxx.lanl.gov as being a model of how to communicate rapidly, informally and without as many "authoritarian" controls.

However, the existence of refereed print journals (or e-print journals) is still going to be necessary since they do enforce a very high standard. You simply will not get high quality refereeing and low signal to noise ratio without paying people to be gatekeepers of information. This then sets a standard which other sources of information can strive to achieve -- while they may distribute otherwise inaccessible information, which might be rejected by the "authoritarian" controls. I'm fine with this.

And I wouldn't arbitrarily throw out anything which wasn't published in a refereed journal, but I think the author should have some responsibility to attempt to publish it in semi-formal forums like the physics pre-print server and to attempt to get it into the refereed journals. Ideally they should also attempt to come to conferences and spread their ideas. Saying "I put it up on my web site 6 months ago, why haven't you read it?" is egotistical b.s. and it isn't publishing -- getting it into central repositories of information is publishing.

jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) writes: [...]

The formal requirement to jump through x number of hoops before anyone will listen is simply a misstatement of the facts that people much can be accomplished in nontraditional ways.

The internet is causing a shift, from established entities as centers, who assumed that they were gatekeepers, the lord protectors of something they could define and redefine as they saw fit, to the democratic voices of all who want to be involved. Those in power centers who accommodate and use this new input face brighter futures than those who cannot adapt. [...] Requiring that everything pipe through approved channels is simply the same the old governmental position that they can force such, control the channels, and therefore manage communications whether anyone likes it or not. The biggest single item is that it is increasingly difficult to mask dissent, something our founding fathers would cheer about had they seen it coming. The very fall of the Soviet Union is keyed to no longer being able to run all communications through government turnstiles. [...] All media should complement each other, not kick each other around so as to bury vital information. To demand otherwise is pro-censorship, something you surely would not be in favor of if given the choice. You cannot stop the world if things get too fast for you. Nor, can you expect everyone to run the same crinulated pattern you might have taken.

-- Lamont Granquist (lamontg@u.washington.edu) looking for unix administration / security work


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 00:53:27 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2809980053280001@207.22.198.201 References: 360ed738.1402804@news.visi.com Newsgroups: sci.crypt Lines: 76

In article 360ed738.1402804@news.visi.com, schneier@counterpane.com (Bruce Schneier) wrote:

Unfortunately, that's not true. (And it is unfortunate.) Publication does not mean self-publication on a website, it means publication in a workshop, conference, or journal.

Publication means, amongst other things, "3. Communication of information to the public."

We are at a great transition where actual printed matter is fastly being usurped by electronic media...it's in all the papers. Holding to the old standard as the one true path is merely quaint.

In any case, even if you don't want to publish in conferences or journals, put cryptanalysis papers on your website. As I said before, new ideas just for their own sake aren't very interesting. You need to show how the old ideas are insufficient. You need to break ciphers designed with the old ideas, and then show how your own ideas are better.

Designs are dime a dozen, so it's hard to separate the good ones from the silly ones. Good cryptanalysis is hard; it will force people to take notice of your work.

The big word generally preached as gospel for ages has that the world would be your oyster if anyone could come up with a really good algorithm.

Things have changed, it seems....the welcome wagon is no longer out.

I remember not too long ago when you dwelt on how difficult writing crypto was. I suppose that certain algorithms are harder to write than others. Yet, that does not necessarily mean ones more difficult to do are better than all others.

The harder it is to sort algorithms out, the more implicitly they must all tend to be similar in goodness, strength, etc., to each other. To criticise any particular one that you cannot break yourself, if no one else has, as silly would be rather unscientific.

Something is to be said about analysis of weaker ciphers, something that I do on a limited scale routinely, but wish I had more time to do. I enjoy those pursuits as it can be most satisfying to get into the mind of the one who contrived a devilishly difficult ciphertext. The varied lessons are all relevant, even from that level to sophisticated ones since logic is common in all of these things. It is simply a matter of economy where one places his time, something you cannot determine for anyone but yourself.

To demand anyone must break an old algorithm to be noticed as a hurdle is too much given the effort required to perform feats and the sparse nature of such challenges. You might spend lots of effort trying to break one that would surpass all others as well. It is rather tempting to try to make algorithms that could be broken, just to increase the supply, and therefore qualify more people into a higher realm.

I would not discount your formula; it should, however, not be the only formula. Making and breaking algorithms is surely not always highly correlated.

A word about Terry Ritter, he has experienced the ugly end of the government crypto stick in the past in ways that you obviously have not. It is his story to tell if he wishes. I understand why he is not willing to let something similar happen again.


Are you tired, rundown, can't find a corner in the office to hide in?

Then, try Jimmy Carter's Little Pills, which are apt to cause you to want to get out your frustrations constructively, but might tend to make you fear rabbits.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 13:16:27 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360f8959.2170729@news.visi.com References: jgfunj-2809980053280001@207.22.198.201 Newsgroups: sci.crypt Lines: 140

On Mon, 28 Sep 1998 00:53:27 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

In article 360ed738.1402804@news.visi.com, schneier@counterpane.com (Bruce Schneier) wrote:

Unfortunately, that's not true. (And it is unfortunate.) Publication does not mean self-publication on a website, it means publication in a workshop, conference, or journal.

Publication means, amongst other things, "3. Communication of information to the public."

We are at a great transition where actual printed matter is fastly being usurped by electronic media...it's in all the papers. Holding to the old standard as the one true path is merely quaint.

The difference is not "dead trees versus electrons." The difference is "recognised publication versus self publication." If random person X puts some kind of crypto design paper on his website, almost no one in the community will read it. Yes, it is available to them. Yes, they have the technical ability to read it. But they have no idea if it is a waste of time to read or not.

Anyone can put their ideas up on the web; it's the ultimate vanity press. But there is just too much out there; the community needs some way to determine if a particular something is worth reading. The way the community uses is publication. This way is imperfect, and not without flaws, but it's pretty good.

Things that aren't published just aren't recognised by the community.

When I submitted my second related-key cryptanalysis to a conference for the first time, it contained a cryptanalysis of an algorithm that appeared on the web. It illustrated the attack nicely, and I thought it was a good addition. One reviewer commented, in his anonymous review, that ciphers posted on the web are not worth breaking. We had to take that section out of the paper before publication.

Now you can argue whether or not that is a good thing, but that's the way the world works.

In any case, even if you don't want to publish in conferences or journals, put cryptanalysis papers on your website. As I said before, new ideas just for their own sake aren't very interesting. You need to show how the old ideas are insufficient. You need to break ciphers designed with the old ideas, and then show how your own ideas are better.

Designs are dime a dozen, so it's hard to separate the good ones from the silly ones. Good cryptanalysis is hard; it will force people to take notice of your work.

The big word generally preached as gospel for ages has that the world would be your oyster if anyone could come up with a really good algorithm.

Things have changed, it seems....the welcome wagon is no longer out.

Indeed it isn't. Algorithms are easy, and it is hard to figure out whether or not something is really good. I get about two algorithms a week in letters and email. I don't have the time or patience to wade through every one of them looking for the few good ideas. Designers are expected to do their own analysis work.

I remember not too long ago when you dwelt on how difficult writing crypto was. I suppose that certain algorithms are harder to write than others. Yet, that does not necessarily mean ones more difficult to do are better than all others.

It's difficult to design and analyze a new algorithm; just creating one is easy.

The harder it is to sort algorithms out, the more implicitly they must all tend to be similar in goodness, strength, etc., to each other. To criticise any particular one that you cannot break yourself, if no one else has, as silly would be rather unscientific.

I don't think I am doing that. Remember, just because no one has broken a cipher does not mean that it is secure. If everyone has TRIED to break the cipher and no one has broken it, that's a much better indication.

The problem is that random ciphers posted on the Internet are just not looked at, so no one knows if they are good or not. They are not looked at because if we break them, we can't even publish our work. That's not much incentive, when there are fifteen AES candidates out there whose breaks can be published.

Again, it's imperfect, but there really isn't any good alternative. There are only so many cryptanalysis hours in a day.

Something is to be said about analysis of weaker ciphers, something that I do on a limited scale routinely, but wish I had more time to do. I enjoy those pursuits as it can be most satisfying to get into the mind of the one who contrived a devilishly difficult ciphertext. The varied lessons are all relevant, even from that level to sophisticated ones since logic is common in all of these things. It is simply a matter of economy where one places his time, something you cannot determine for anyone but yourself.

Agreed. We break weaker things all the time: the weak AES candidates, the random stupid cellphone algorithms. If I am going to break some amateur design, I prefer that it be something in a well-known product. Then, at least, I can make a little PR noise.

To demand anyone must break an old algorithm to be noticed as a hurdle is too much given the effort required to perform feats and the sparse nature of such challenges. You might spend lots of effort trying to break one that would surpass all others as well. It is rather tempting to try to make algorithms that could be broken, just to increase the supply, and therefore qualify more people into a higher realm.

I want it to be a difficult hurdle. Anyone can create a cipher that he himself cannot break. Before I look at a cipher that someone created and cannot break, I want some indication that his lack of ability to break the cipher means something. And honestly, there is still a lot of low hanging fruit out there; published ciphers that are very breakable.

I would not discount your formula; it should, however, not be the only formula. Making and breaking algorithms is surely not always highly correlated.

Probably not, but it is the only reasonable formula I can think of.

A word about Terry Ritter, he has experienced the ugly end of the government crypto stick in the past in ways that you obviously have not. It is his story to tell if he wishes. I understand why he is not willing to let something similar happen again.

This is not meant to be a personal attack in any way. I'm sorry if he feels that way.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 05:22:31 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 36106E74.D61C1C92@null.net References: 360f8959.2170729@news.visi.com Newsgroups: sci.crypt Lines: 13

Bruce Schneier wrote:

When I submitted my second related-key cryptanalysis to a conference for the first time, it contained a cryptanalysis of an algorithm that appeared on the web. It illustrated the attack nicely, and I thought it was a good addition. One reviewer commented, in his anonymous review, that ciphers posted on the web are not worth breaking. We had to take that section out of the paper before publication.

The reviewer clearly exhibited some snobbery there; most of the truly classic papers on cryptanalysis used as examples systems that had never been published. If it makes a good example, it is pedagogically useful to have it in your article, regardless of its origin.


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 15:53:17 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 3611024a.5955845@news.visi.com References: 36106E74.D61C1C92@null.net Newsgroups: sci.crypt Lines: 26

On Tue, 29 Sep 1998 05:22:31 GMT, "Douglas A. Gwyn" DAGwyn@null.net wrote:

Bruce Schneier wrote:

When I submitted my second related-key cryptanalysis to a conference for the first time, it contained a cryptanalysis of an algorithm that appeared on the web. It illustrated the attack nicely, and I thought it was a good addition. One reviewer commented, in his anonymous review, that ciphers posted on the web are not worth breaking. We had to take that section out of the paper before publication.

The reviewer clearly exhibited some snobbery there; most of the truly classic papers on cryptanalysis used as examples systems that had never been published. If it makes a good example, it is pedagogically useful to have it in your article, regardless of its origin.

I agree with you, more or less. But this is the reality of academic cryptography. I cannot change that, even if I sit on program committees and argue the point.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 13:13:52 GMT From: "Joseph K. Nilaad" jknilaad@ssd.bna.boeing.com Message-ID: 3610DD10.7753@ssd.bna.boeing.com References: 360f8959.2170729@news.visi.com Newsgroups: sci.crypt Lines: 84

Bruce Schneier wrote:

On Mon, 28 Sep 1998 00:53:27 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

Publication means, amongst other things, "3. Communication of information to the public."

We are at a great transition where actual printed matter is fastly being usurped by electronic media...it's in all the papers. Holding to the old standard as the one true path is merely quaint.

The difference is not "dead trees versus electrons." The difference is "recognised publication versus self publication." If random person X puts some kind of crypto design paper on his website, almost no one in the community will read it. Yes, it is available to them. Yes, they have the technical ability to read it. But they have no idea if it is a waste of time to read or not. If it is good for the goose, it's also good for the gander. Do you think everybody will read all the works published on paper by NIST? Beside paper copies may not be free and take too long to be delivered.

Anyone can put their ideas up on the web; it's the ultimate vanity press. But there is just too much out there; the community needs some way to determine if a particular something is worth reading. The way the community uses is publication. This way is inperfect, and not without flaws, but it's pretty good. How can you quantify which publication is worth reading either it is on the web or hard copy? Whether it is on the web or hard copy, there exists some merits to it.

Things that aren't published just aren't recognised by the community. Are you referring to government sponsored community? Why must one's work be endorsed by an organization and putting on paper in order to be recognized by the "community". To me, recognition is majority of public acceptance. For example, Windows was not endorsed by any organization; however, the majority of public accept it.

Indeed it isn't. Algorithms are easy, and it is hard to figure out whether or not something is really good. I get about two algorithms a I have to agree with you here.

I remember not too long ago when you dwelt on how difficult writing crypto was. . I suppose that certain algorithms are harder to write than others. Yet, that does not necessarily mean ones more difficult to do are better than all others.

It's difficult to design and analyze a new algorithm; just creating one is easy. Is this anamoly? Isn't that normally before you create something you must have some procedures in mind how about doing it first? Maybe you should talk to him about his algorithm, it is simple and it doesn't take that long to figure out that his stuff is pretty good.

I don't think I am doing that. Remember, just because no one has broken a cipher does not mean that it is secure. If everyone has TRIED to break the cipher and no one has broken it, that's a much better indication. How can you get everyone to TRIED to break a given cipher? if "no one has broken a cipher", it is secure! Think about it.

Anyway this thread is getting too long. Since you're involved with AES, I have a few questions to you:

  1. When NIST said that AES is to be "free world wide", will NIST make exception to export law which limit to 40 bits?

  2. How will NIST deal with key escrow stuffs or will there be any key escrow issue?

  3. Where is available site to find out about AES candidates?

Joe Nilaad Nature is simple and beautiful...


Subject: Re: AES and patent rights Date: 29 Sep 1998 10:47:06 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: 6uqvdq$i2$1@quine.mathcs.duq.edu References: 3610DD10.7753@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 61

In article 3610DD10.7753@ssd.bna.boeing.com, Joseph K. Nilaad jknilaad@ssd.bna.boeing.com wrote:

Bruce Schneier wrote:

On Mon, 28 Sep 1998 00:53:27 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

Publication means, amongst other things, "3. Communication of information to the public."

We are at a great transition where actual printed matter is fastly being usurped by electronic media...it's in all the papers. Holding to the old standard as the one true path is merely quaint.

The difference is not "dead trees versus electrons." The difference is "recognised publication versus self publication." If random person X puts some kind of crypto design paper on his website, almost no one in the community will read it. Yes, it is available to them. Yes, they have the technical ability to read it. But they have no idea if it is a waste of time to read or not.

If it is good for the goose, it's also good for the gander. Do you think everybody will read all the works published on paper by NIST? Beside paper copies may not be free and take too long to be delivered.

Well, no. Because NIST has something that most people don't -- to wit, credibility. The reason that NIST has credibility is because of something else that NIST has that most people haven't -- technical expertise and knowledge of the subject.

So the important thing about papers published by NIST is not that they are on paper, but that they're published under the aegis and auspices of someone who knows what they're talking about. The current gold standard for establishing credibility (at least in the sciences) is "peer review" -- to wit, having a bunch of established experts look at any particular contribution and figure out if it's worth reading. If they decide that it is, then it will be published (and read, and examined in detail), irrespective of the method of publication -- I've seen several electronic-only peer reviewed journals. But because peer-review is a lengthy and expensive process, most people want the "worthwhile" contributions to be put on a medium a little bit less transient than a web page -- and most organizations want to be able to charge money to cover the costs of the review.

The problem with "free information" is that most of the time it's worth what you pay for it. The advantage of information that you pay for is that it's more likely to be worth the cost.

Things that aren't published just aren't recognised by the community.

Are you referring to government sponsored community? Why must one's work be endorsed by an organization and putting on paper in order to be recognized by the "community". To me, recognition is majority of public acceptance. For example, Windows was not endorsed by any organization; however, the majority of public accept it.

Evidently Microsoft doesn't count as an organization? This is odd....

-kitten

Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 16:00:27 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 36110282.6012001@news.visi.com References: 3610DD10.7753@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 70

On Tue, 29 Sep 1998 13:13:52 GMT, "Joseph K. Nilaad" jknilaad@ssd.bna.boeing.com wrote:

Bruce Schneier wrote:

The difference is not "dead trees versus electrons." The difference is "recognised publication versus self publication." If random person X puts some kind of crypto design paper on his website, almost no one in the community will read it. Yes, it is available to them. Yes, they have the technical ability to read it. But they have no idea if it is a waste of time to read or not.

If it is good for the goose, it's also good for the gander. Do you think everybody will read all the works published on paper by NIST? Beside paper copies may not be free and take too long to be delivered.

Again, it's not the medium. If academic cryptographer A reads and cryptanalyzes a method that appears at a conference, workshop, or as an AES submission, he can publish his results. If he reads and cryptanalyzes a method that appears on Usenet, all he can do is post his results on Usenet. Now some people do this, but many people do not. It's not a perfect filter--some of the AES submissions were really lousy and some Usenet posts are good--but it's the filter that most academics use.

Anyone can put their ideas up on the web; it's the ultimate vanity press. But there is just too much out there; the community needs some way to determine if a particular something is worth reading. The way the community uses is publication. This way is imperfect, and not without flaws, but it's pretty good.

How can you quantify which publication is worth reading either it is on the web or hard copy? Whether it is on the web or hard copy, there exists some merits to it.

You can't. The premise is that it is impossible to read everything. People have to filter in some way. Most academic cryptographers use the publication process as a way to filter. Again, it is not a perfect process.

Things that aren't published just aren't recognised by the community.

Are you referring to government sponsored community? Why must one's work be endorsed by an organization and putting on paper in order to be recognized by the "community". To me, recognition is majority of public acceptance. For example, Windows was not endorsed by any organization; however, the majority of public accept it.

By "community" I mean research community.

It's difficult to design and analyze a new algorithm; just creating one is easy.

Is this anomaly? Isn't that normally before you create something you must have some procedures in mind how about doing it first? Maybe you should talk to him about his algorithm, it is simple and it doesn't take that long to figure out that his stuff is pretty good.

It's somewhat an anomaly, since functionality is orthogonal to security. If someone invents a new compression algorithm, it's easy to hand him the standard compression benchmarks and ask him to test his algorithm against them. If someone invents a new factoring algorithm, it's easy to tell him to factor the next RSA challenge before he talks to you. (This got rid of many, many factoring crackpots that would call RSADSI.) But if someone has a new encryption algorithm, you can't just give him a battery of tests and tell him to go away.

For me to look at an algorithm that someone sends me, it has to have some serious advantage over the currently existing alternatives.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 04:37:48 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3611b512.31466865@news.io.com References: 36110282.6012001@news.visi.com Newsgroups: sci.crypt Lines: 105

On Tue, 29 Sep 1998 16:00:27 GMT, in 36110282.6012001@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

Again, it's not the medium. If academic cryptographer A reads and cryptanalyzes a method that appears at a conference, workshop, or as an AES submission, he can publish his results. If he reads and cryptanalyzes a method that appears on Usenet, all he can do is post his results on Usenet.

The reality I see is that an academic can write -- and publish -- about anything that reveals new information. Various "papers" have been written about toy ciphers that the author herself has simply thought up, and which therefore also have no previous existence in the academic literature.

As a matter of fact, now that I think of it, Biham actually did write and publish an academic "paper" on my own "Ladder DES" proposal, which was basically a Usenet thing. Indeed, as I recall, you were somewhat involved in this, as you also have been on other occasions. So, clearly, one can write about Usenet proposals.

In my particular case, many of my "methods that appear on Usenet" have a basis in issued patents. Now, you may not like patents, but they are more of an "archival publication" than any conference proceeding. I would say that an expert is expected to know the state of the art, and not just the state of the academic literature.

Yet we still have not seen my Dynamic Substitution -- a 1990 patent -- described in AC, have we?

Now some people do this, but many people do not. It's not a perfect filter--some of the AES submissions were really lousy and some Usenet posts are good--but it's the filter that most academics use.

The whole process is incestuous. Everybody works on what everybody "knows" is significant. The situation is ripe for some young Turks to open up whole new classes of structure about which the older guys simply have no clue.

[...] The premise is that it is impossible to read everything.

It may be impossible for one person to read everything. But that does not mean that each person cannot expand their horizons beyond the current group reading assignment. And if someone finds something interesting, they might recommend it to others -- even if it is not on a bookshelf.

People have to filter in some way. Most academic cryptographers use the publication process as a way to filter. Again, it is not a perfect process.

Peer-reviewed publication is certainly not perfect, and it is my impression that it has gotten worse. You can blame the net if you wish, but the real problem is that there is just more information. This has meant increasing numbers of journals, and a general inability of editors to perceive the import of new work, or detect gobbledygook.

The advantages of the "archival journal" system are less than they were, and the disadvantage of a year or two publication delay is increasingly significant to an author.

But if someone has a new encryption algorithm, you can't just give him a battery of tests and tell him to go away.

For me to look at an algorithm that someone sends me, it has to have some serious advantage over the currently existing alternatives.

I support this, but it is all too easy to think, "What I really want is just like DES, with a few changes." And that is much too small a box to fit new architectures into.

For example, a block cipher with huge blocks can:

Variable Size Block Ciphers also have advantages which are not apparent in the context of a DES-style "cipher box."

My point is that seeing the "serious advantage" of new ciphers may require some re-understanding of what a "cipher" is. But then we may find that the new cipher is actually a better fit to the rest of the system than the old DES box was.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 19:24:59 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 36128411.17019891@news.visi.com References: 3611b512.31466865@news.io.com Newsgroups: sci.crypt Lines: 99

On Wed, 30 Sep 1998 04:37:48 GMT, ritter@io.com (Terry Ritter) wrote:

As a matter of fact, now that I think of it, Biham actually did write and publish an academic "paper" on my own "Ladder DES" proposal, which was basically a Usenet thing. Indeed, as I recall, you were somewhat involved in this, as you also have been on other occasions. So, clearly, one can write about Usenet proposals.

Of course one can. Biham's paper is certainly a good example.

In my particular case, many of my "methods that appear on Usenet" have a basis in issued patents. Now, you may not like patents, but they are more of an "archival publication" than any conference proceeding. I would say that an expert is expected to know the state of the art, and not just the state of the academic literature.

I've tried referencing patents, and while I get a better reception than I do with Usenet posting, it's still dicey. There's a zeta function cryptosystem that we analyzed for a client; we can publish our work once the patent issues. We'll see if we can get that paper accepted anywhere.

Yet we still have not seen my Dynamic Substitution -- a 1990 patent -- described in AC, have we?

Don't worry. I have all your patents. And I get an alert when a new one is issued. (I assume others are in the pipeline.)

The whole process is incestuous. Everybody works on what everybody "knows" is significant. The situation is ripe for some young Turks to open up whole new classes of structure about which the older guys simply have no clue.

I, for one, would love that. Do it. Rip through the field with some devastating cryptanalysis that breaks things left and right. One nice thing about cryptography is that if you have a new attack, it's hard not to be noticed.

Peer-reviewed publication is certainly not perfect, and it is my impression that it has gotten worse. You can blame the net if you wish, but the real problem is that there is just more information. This has meant increasing numbers of journals, and a general inability of editors to perceive the import of new work, or detect gobbledygook.

I agree that it has gotten worse, at least in cryptography. There are far too many workshops and conferences that take pretty much anything in the cryptography field.

The advantages of the "archival journal" system are less than they were, and the disadvantage of a year or two publication delay is increasingly significant to an author.

Agreed as well. The Journal of Cryptology has something like a two year delay, which is absurd. I know of many people who are not bothering with the journal because of that. Workshops are better; the deadline for the March 1999 Fast Software Encryption workshop is in December.

But if someone has a new encryption algorithm, you can't just give him a battery of tests and tell him to go away.

For me to look at an algorithm that someone sends me, it has to have some serious advantage over the currently existing alternatives.

I support this, but it is all too easy to think, "What I really want is just like DES, with a few changes." And that is much too small a box to fit new architectures into.

I agree, actually. This is why FSE still takes cipher designs, and papers about new architectures (even though most of them are mediocre).

For example, a block cipher with huge blocks can:

Variable Size Block Ciphers also have advantages which are not apparent in the context of a DES-style "cipher box."

My point is that seeing the "serious advantage" of new ciphers may require some re-understanding of what a "cipher" is. But then we may find that the new cipher is actually a better fit to the rest of the system than the old DES box was.

I agree with you 100%. Write it. Submit it to FSE. I am on the committee. If it is a halfway decent paper, I will support it.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 20:22:14 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 3611414B.5D6A5474@null.net References: 3610DD10.7753@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 63

Joseph K. Nilaad wrote:

Things that aren't published just aren't recognised by the community.

Are you referring to government sponsored community?

No, he's talking about the public workers in a field, the same "peers" that review articles submitted for publication in refereed journals.

The issue isn't whether or not you can access the document on-line, it's whether or not the document has made it through a reasonable "antijunk" filter.

To me, recognition is majority of public acceptance. For example, Windows was not endorsed by any organization; however, the majority of public accept it.

You ought to choose better examples. Windows is an atrocious excuse for an operating system, although we use it anyway. If operating systems had to pass a peer-review process (one not confined to the developing organization) before they were released for public consumption, they might be a whole lot better.

40 million Frenchmen can be wrong (and usually are).

Is this anomaly? Isn't that normally before you create something you must have some procedures in mind how about doing it first?

Unfortunately, there's no good body of engineering theory for cryptosystem design. There is much knowledge about it, but an essential step is still to turn the design over to the cryptanalysts to see what attacks they are able to devise.

How can you get everyone to TRIED to break a given cipher? if "no one has broken a cipher", it is secure! Think about it.

No, that is a horrible error. If nobody can break a cipher, it is secure. Just because you don't happen to know of a way to break it doesn't mean that nobody does, nor that a successful attack won't be devised in the near future.

  1. When NIST said that AES is to be "free world wide", will NIST make exception to export law which limit to 40 bits?

NIST doesn't make US export law. AES is intended for US federal government (unclassified) use only.

  2. How will NIST deal with key escrow stuffs or will there be any key escrow issue?

Key escrow capability is not a requirement for AES. Presumably, the key management system would retain a record of keys (remember: US government use) if escrow is desired.

  3. Where is available site to find out about AES candidates?

http://csrc.nist.gov/encryption/aes/aes_home.htm

I found that in less than a minute using a Web search engine; try it sometime.


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 20:44:28 -0500 From: "Stephen M. Gardner" gardner@metronet.com Message-ID: 3612DE7C.94888555@metronet.com References: 3610DD10.7753@ssd.bna.boeing.com Newsgroups: sci.crypt Lines: 14

Joseph K. Nilaad wrote:

How can you get everyone to TRIED to break a given cipher? if "no one has broken a cipher", it is secure! Think about it.

There is a word missing from your sentence: "yet". And when something is not broken yet and it hasn't had a lot of attempts made yet it is really not secure. Insecurity in a cipher seems a lot like bugs in software. You can't prove they are not there but the more people bang on it the more bug free you can assume it is.

-- Take a walk on the wild side: http://www.metronet.com/~gardner/ Still a lot of lands to see but I wouldn't want to stay here, it's too old and cold and settled in its ways here. Joni Mitchell ("California")


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 13:52:41 GMT From: phr@netcom.com (Paul Rubin) Message-ID: phrEzzyJt.1rH@netcom.com References: jgfunj-2809980053280001@207.22.198.201 Newsgroups: sci.crypt Lines: 18

In article jgfunj-2809980053280001@207.22.198.201, W T Shaw jgfunj@EnqvbSerrGrknf.pbz wrote:

Designs are dime a dozen, so it's hard to separate the good ones from the silly ones. Good cryptanalysis is hard; it will force people to take notice of your work.

The big word generally preached as gospel for ages has that the world would be your oyster if anyone could come up with a really good algorithm.

I don't remember ever hearing anything like that. What I remember is hearing that it's hard for a cipher designer to be taken seriously until they've gotten some serious, interesting results at breaking other people's algorithms.

Things have changed, it seems....the welcome wagon is no longer out.

I don't see that anything has changed.


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 10:48:54 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2809981049090001@207.101.116.71 References: phrEzzyJt.1rH@netcom.com Newsgroups: sci.crypt Lines: 44

In article phrEzzyJt.1rH@netcom.com, phr@netcom.com (Paul Rubin) wrote:

In article jgfunj-2809980053280001@207.22.198.201, W T Shaw jgfunj@EnqvbSerrGrknf.pbz wrote:

The big word generally preached as gospel for ages has that the world would be your oyster if anyone could come up with a really good algorithm.

I don't remember ever hearing anything like that. What I remember is hearing that it's hard for a cipher designer to be taken seriously until they've gotten some serious, interesting results at breaking other people's algorithms.

Over the years, it is something I have heard from many, that were searching for real breakthroughs. Seeking to discourage, to limit such endeavors even today, is a rather snobbish response, not very scientific, more a political statement in line with old governmental policy:

The official line was that you had better not even try; if you wanted to think in the area, you had better register; and don't think of implementing anything without going through some sort of Greek Debate on its utility first.

Fortunately, official propaganda did not conclusively work; it merely translated the fears of the government into something to disregard as it went hard astern to the obvious problem it saw.

Things have changed, it seems....the welcome wagon is no longer out.

I don't see that anything has changed.

Well, I'll put a fresh coat of paint on it, publish your new ideas here....be brave....be clear....be straightforward.....and, don't send 'em where they are not appreciated.


Are you tired, rundown, can't find a corner in the office to hide in?

Then, try Jimmy Carter's Little Pills, which are apt to cause you to want to get out your frustrations constructively, but might tend to make you fear rabbits.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 04:59:00 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 361068F1.EDD53427@null.net References: jgfunj-2809980053280001@207.22.198.201 Newsgroups: sci.crypt Lines: 30

W T Shaw wrote:

(Bruce Schneier) wrote:

Publication does not mean self-publication on a website, it means publication in a workshop, conference, or journal.

We are at a great transition where actual printed matter is fastly being usurped by electronic media...it's in all the papers. Holding to the old standard as the one true path is merely quaint.

There is something in both points of view. The essential difference is between peer review and lack of review. There undoubtedly is some good unreviewed Web publication, as well as a lot of bogosity. And there are also dubious or even bogus peer-reviewed articles. Bruce's belief, shared by many, seems to be that peer review on the average contributes to the quality (thus utility) of the publication.

To demand anyone must break an old algorithm to be noticed as a hurdle is too much given the effort required to perform feats and the sparse nature of such challenges. You might spend lots of effort trying to break one that would surpass all others as well. It is rather tempting to try to make algorithms that could be broken, just to increase the supply, and therefore qualify more people into a higher realm.

I think the intent was to not waste people's time with arbitrary claims, but only with claims (for security) that have some reasonable chance of being true. One (not the only) way to get cryptographers to pay attention to your new cryptosystem design is to have developed a reputation as one who understands where other designs have been vulnerable.


Subject: Re: AES and patent rights Date: 29 Sep 1998 22:59:48 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6urop4$8am$1@news.ysu.edu References: jgfunj-2809980053280001@207.22.198.201 Newsgroups: sci.crypt Lines: 45

In a previous article, juola@mathcs.duq.edu (Patrick Juola) says:

In article 3610DD10.7753@ssd.bna.boeing.com, Joseph K. Nilaad jknilaad@ssd.bna.boeing.com wrote:

Bruce Schneier wrote:

On Mon, 28 Sep 1998 00:53:27 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

Publication means, amongst other things, "3. Communication of information to the public."

We are at a great transition where actual printed matter is fastly being usurped by electronic media...it's in all the papers. Holding to the old standard as the one true path is merely quaint.

The difference is not "dead trees versus electrons." The difference is "recognised publication versus self publication." If random person X puts some kind of crypto design paper on his website, almost no one in the community will read it. Yes, it is available to them. Yes, they have the technical ability to read it. But they have no idea if it is a waste of time to read or not.

If it is good for the goose, it's also good for the gander. Do you think everybody will read all the works published on paper by NIST? Beside paper copies may not be free and take too long to be delivered.

Well, no. Because NIST has something that most people don't -- to wit, credibility. The reason that NIST has credibility is because of something else that NIST has that most people haven't -- technical expertise and knowledge of the subject.

That is why the NSA is trying to use them for a front. To fool people into thinking that the contest was above board. But very little in crypto in this country and elsewhere is not poisoned by the self serving NSA. Maybe the letter NSA really stands for Nazi's Sink America after all they got a german front man in the form of B.S. Bruce.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 20:32:20 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2909982032210001@dialup163.itexas.net References: 6urop4$8am$1@news.ysu.edu Newsgroups: sci.crypt Lines: 34

In article 6urop4$8am$1@news.ysu.edu, an096@yfn.ysu.edu (David A. Scott) wrote:

Maybe the letter NSA really stands for Nazi's Sink America...

In various contests with the Russians, it was a question of whose captured Germans were better.....but, that is beside the point that your comment is really offensive.

after all they got a german front man in the form of B.S. Bruce.

Now, you're getting personal as I was called by those initials by my ag teacher in high school, admittedly for good reason. As a matter of fact, I'm a good bit German in heritage myself, but have no sympathy for irrational governmental behavior regardless of where or when it occurred.... So, I find your comments here also offensive.

I saw recently Bruce impressively in action in ways I did not appreciate before, not that I automatically now agree with him in all major areas. Yep, he is a sympathetic favorite in some circles, but I see so many in NIST going out of their way to be fair even if it hurts for as long as their reins will let them run that way.

This whole business is far from simple, darn it. But, that is the appeal of the multiact play, never knowing what will happen the next time the lights go up. Only a rough temporary outline is in hand, and the players will create their own roles as they go along.


Show me a politician who does not lie through his teeth, and.....I'll show you one who can't find his dentures.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 16:03:47 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 3612534d.3078640@news.prosurfr.com References: 6urop4$8am$1@news.ysu.edu Newsgroups: sci.crypt Lines: 39

an096@yfn.ysu.edu (David A. Scott) wrote, in part:

Maybe the letter NSA really stands for Nazi's Sink America after all they got a german front man in the form of B.S. Bruce.

Well, the NSA has a proud history which includes sinking a lot of Nazis (and not a few personnel of Imperial Japan as well) - and, for that matter, I'm surprised you didn't drag in Phil Zimmerman, Terry Ritter, or, better yet, Horst Feistel - whose progress towards U.S. citizenship was interrupted by World War II, making him an "enemy alien" for a few years; the others' ancestors could have come over on the Mayflower or soon thereafter AFAIK.

Although I am unwilling to search for the appropriate words to describe the offensiveness of this particular comment, I'm not surprised, given the cautious and conservative tone of his most famous work, that you harbor such sentiments: as I said in a recent post,

of course, there are other people who claim that DES, IDEA, Blowfish, and all the other well-known block cipher designs are horribly insecure, and suggest that instead we should go and use block ciphers with key-dependent S-boxes with 65,536 entries in them, or Genuine Artificial Imitation One-Time Pads, as the only true road to security.

Obviously, reading your book Applied Cryptography will lead people to suspecting that you are one of the members of this "conspiracy" as well.

to which you replied, IIRC, noting that Scott16u and the others allow the use of keys of different sizes.

Why you consistently fail to realize that ever more spectacular displays of your ignorance and stupidity are not the way to convince people that cipher designs which you have produced merit serious consideration ... is one of life's little mysteries.

John Savard http://members.xoom.com/quadibloc/index.html


Subject: Re: AES and patent rights Date: 28 Sep 1998 14:26:45 GMT From: rreynard@aol.com (RREYNARD) Message-ID: 19980928102645.11011.00000390@ngol07.aol.com References: 360ed738.1402804@news.visi.com Newsgroups: sci.crypt Lines: 60

In article 360ed738.1402804@news.visi.com, schneier@counterpane.com (Bruce Schneier) writes:

DES was a US standard. It was free for use in the US. Again, if you know of anything IBM got from DES besides publicity, please let me know.

Off hand, I would guess that IBM got to avoid being sued for constraint of trade.

I worked for IBM at the time they introduced DES as an option (free). It was pretty much a "no interest" item at the time since very few of the many computer installations needed such a capability. There was very little TP (teleprocessing) and the main concern for data security was for back-up purposes not so much protection from theft. I believe IBM included it as an option to be able to sell their wares to those very few companies that required it. There was a bit of R&D involved also that indicated that there would be a greater need later on as more and more systems went "on-line." Probably 99% of the marketing force "forgot" about DES even being available 24 hours after it was announced.

There is an old saying - "Invent a better mousetrap and the world will beat a is the Mother of Invention."

I don't begin to understand the "problems" of providing secure communication using cryptography so it is impossible for me to really appreciate this exchange of opinions about "free" vs patented/copyrighted cryptographic algorithms and systems. However, as a retired businessman, it appears that the creator/inventor of cryptographic algorithms and systems finds himself in the unfortunate position of being in the wrong business at the wrong time.

The manner in which cryptography has evolved has created a situation in which there seems to be very little demand for the "product." I think a thorough market analysis would show that it has little or no chance to be a profitable venture.

What does appear to have profit potential is the sale of cryptographic system implementation. If I may, an analogy - Rather than spend time and effort trying to invent a new and "better" tool for the cryptographic toolbox, which seems filled with more than are needed, it would seem that the better course for the cryptanalyst would be to direct his expertise into the use of the tools and the creation of systems using those tools as a way to make a living.

It doesn't seem fair, that a person who knows more than most about "mouse traps" and can create better "mouse traps" than anyone else should not be able to "profit" from this capability. Unfortunately, the marketplace is not always fair, but it is nearly always "Darwinistic."

Timing is extremely important and this seems to be a time when the "mouse problem" is under control (another analogy) and it is but a small part of a much larger "pest control" problem. Therefore my "make a profit" advice would be to stop inventing "better" mousetraps and start selling "pest control" capability. My "have a good time and do interesting things" advice would be to work on "mousetrap technology."


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 12:20:08 -0400 From: Jerry Leichter leichter@smarts.com Message-ID: 360FB738.290D@smarts.com References: 360ebd79.18691713@news.io.com Newsgroups: sci.crypt Lines: 76

A minor sub-point:

| >There is some caselaw on the subject. NIST will make a public call
| >to all third parties to state any potential patent claims regarding
| >the submissions. If someone chooses not to, NIST could argue in
| >court that the patentholder deliberately withheld information in an
| >attempt to hide his rights until after AES was awarded. Will this do
| >any good? No one knows.
|
| As far as I know, there is no responsibility in patents to take
| offensive action at any particular time or to respond to
| governmental calls for clarification. Perhaps you are thinking of
| copyright.

There's no such requirement in copyright law either. There are a couple of areas of law in which such a requirement exists; trademarks, bank accounts, and real estate come to mind. The last has a very long history, and is quite precisely defined: If you own real estate, and someone else "visibly" - to your knowledge - uses it without your permission, and you do nothing about that use for some number of years (defined by state law - typically around 20 years), the real estate is his. (That's why the owners of private streets or pieces of sidewalk normally left open to the public close them for a day every couple of years.)

Bank accounts that haven't been accessed in some period of time are publicly listed. If the owner doesn't respond, the state ultimately takes the money. (The timeout here has gotten shorter in some states in recent years as legislators have found this a quick way to get some money into state coffers. I think it may be as short as 7 years in some states.)

For trademarks, if you don't defend your claim, you lose it. However, there's no fixed time limit - you have to show that the term hasn't slipped into common, generic usage.

These are specific special cases. There are all kinds of other "statutes of limitation" which start running as soon as you become aware that you can raise a legal claim. These limits are in the 3 year range, though there are variations for particular kinds of cases. As far as I know, there is no special limitation for patent lawsuits, beyond general statutes of limitation on civil claims. An interesting distinction here is that you may not be able to recover for old infringements, but still be able to recover for more recent - and ongoing - ones. This showed up in some recently-decided patent case - I can't recall the details.

However, there's a general legal principle, called I think laches, which basically says that if you arbitrarily delay raising a legal claim for too long, you may lose your right to do so. There's no black and white definition of what "too long" is in this case; it's probably stated in terms like "unreasonable delay".

"Submarine" patents - patents that surface only after some invention has been practiced, apparently without problem, for a substantial period of time - are viewed as a "bug" in the current patent system, not a feature. Remember that the constitutional basis for the existence of patents is in a trade-off: In return for making public how your invention works, you get exclusive rights to it for some number of years. Waiting for others to re-invent what you have invented, then use it for a while - and only then come along and try to take the profits - is a corruption of the intent of the system.

If, indeed, NIST aggressively searches existing patents for potential infringements, and makes a very public call for anyone who thinks they can claim infringement to come forward, then keeping your patent (well, likely pending patent) secret and trying to collect on it later would be a very risky strategy. You'd probably be viewed as coming to court with "dirty hands", and there's likely plenty of room in existing law for a judge to find some way to throw your case out.

Of course, as with all things not based on established precedent, no one can ever be really sure until the case is tried and all the appeals are heard. You should have little trouble finding lawyers willing - for a suitable fee - to argue either side. :-) -- Jerry


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 07:11:00 GMT From: ritter@io.com (Terry Ritter) Message-ID: 361087a8.26684962@news.io.com References: 360FB738.290D@smarts.com Newsgroups: sci.crypt,misc.int-property Lines: 77

misc.int-property added, since that is where patent lawyers hang out.

This thread concerns the competition being held by the US National Institute of Standards and Technology (NIST), an agency of Commerce. The competition is to select a standard cipher to replace the US Data Encryption Standard (DES) with an Advanced Encryption Standard (AES).

Entry is now closed, but the competition will proceed for the next several years. The issue in contention here is that all those who wished to participate in AES were required to give up any patent rights they had on their ciphers, so that NIST could make AES available "free worldwide."

On Mon, 28 Sep 1998 12:20:08 -0400, in 360FB738.290D@smarts.com, in sci.crypt Jerry Leichter leichter@smarts.com wrote:

[...]
| As far as I know, there is no responsibility in patents to take
| offensive action at any particular time or to respond to
| governmental calls for clarification. Perhaps you are thinking of
| copyright.

[...] However, there's a general legal principle, called I think laches, which basically says that if you arbitrarily delay raising a legal claim for too long, you may lose your right to do so. There's no black and white definition of what "too long" is in this case; it's probably stated in terms like "unreasonable delay".

Yes. Thank you for re-acquainting me with laches.

[...] If, indeed, NIST aggressively searches existing patents for potential infringements, and makes a very public call for anyone who thinks they can claim infringement to come forward, then keeping your patent (well, likely pending patent) secret and trying to collect on it later would be a very risky strategy. You'd probably be viewed as coming to court with "dirty hands", and there's likely plenty of room in existing law for a judge to find some way to throw your case out.

First let me remind everyone that I am no sort of lawyer at all, let alone a patent lawyer.

However, I would argue that we have various problems asserting laches in the present situation, and here are the most obvious to me:

  1. A patent is an offensive right, yes, but it is a right to collect damages. To be asserted, there should be damages. But looking at a patented cipher is not (or may not be) damage. In fact, damage probably will not start to accrue until after the standard is set and manufacturers use it in volume. I would see that as the appropriate time to assert patent rights on AES. Indeed, until a particular cipher is picked, there is likely to be little or no damage at all.

  2. I have essentially argued many times that the government does not enter this process with clean hands. The government has specifically worked to prevent those who will not give up their rights from having a place in the AES process. Not satisfied with that, the government now asks patent holders to come forth and be recognized for the explicit purpose of excluding any submitted cipher which may be covered by patents. But I argue that a patent holder has no responsibility to assist the government in abrogating his own properly-granted patent rights.

Of course, as with all things not based on established precedent, no one can ever be really sure until the case is tried and all the appeals are heard. You should have little trouble finding lawyers willing - for a suitable fee - to argue either side. :-)


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 16:06:11 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: 361102c0.2440117@news.prosurfr.com References: 361087a8.26684962@news.io.com Newsgroups: sci.crypt,misc.int-property Lines: 37

ritter@io.com (Terry Ritter) wrote, in part:

Not satisfied with that, the government now asks patent holders to come forth and be recognized for the explicit purpose of excluding any submitted cipher which may be covered by patents. But I argue that a patent holder has no responsibility to assist the government in abrogating his own properly-granted patent rights.

One certainly would think that, should an AES submission be chosen that infringes on a patent, the patent-holder would not be considered negligent in enforcing his patent merely because he did not act until an infringement actually took place - someone implemented the algorithm commercially.

Plus, if waiting for someone with deep pockets to sue constitutes an invalidation of patent rights, then so would waiting for someone to sue with small pockets for hiring a lawyer with...and there was a case a few years ago where recording companies sued a barber for having a radio on in his barber shop, in an effort to establish a new precedent on the commercial use of music.

Strictly speaking, however, this isn't assisting the government in "abrogating" patent rights, but assisting it to respect them, by using some other algorithm.

Several of the AES candidates may be infringing the IDEA patent, if its claims are broadly interpreted, since several of them improve their security by making use of both addition and XOR in certain places. (My use of an S-box in between in Quadibloc II may help avoid this problem...) Does MARS, with a variable-length shift, come into conflict with the RC5 patent as well? The algorithms don't, however, appear to raise any issues unless it is possible to patent the use of very basic arithmetic operations in cryptography.

John Savard http://members.xoom.com/quadibloc/index.html


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 19:52:42 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 36113a43.20286586@news.visi.com References: 361102c0.2440117@news.prosurfr.com Newsgroups: sci.crypt,misc.int-property Lines: 23

On Tue, 29 Sep 1998 16:06:11 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

Several of the AES candidates may be infringing the IDEA patent, if its claims are broadly interpreted, since several of them improve their security by making use of both addition and XOR in certain places.

Interesting comment. I will look at the IDEA patent.

(My use of an S-box in between in Quadibloc II may help avoid this problem...) Does MARS, with a variable-length shift, come into conflict with the RC5 patent as well?

Both companies seem to think that this is a possibility. IBM made pains to talk about prior art in their submission. The RC5 patent, though, explicitly mentions that prior art. This is something that must be resolved.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 20:08:36 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2909982008360001@dialup163.itexas.net References: 36113B71.1FE7EFEB@null.net 19980929085820.04701.00001110@ngol08.aol.com 361087a8.26684962@news.io.com Newsgroups: sci.crypt Lines: 23

In article 36113B71.1FE7EFEB@null.net, "Douglas A. Gwyn" DAGwyn@null.net wrote:

RREYNARD wrote:

This sounds very much like "crypto" COBOL and I would think has about the same chance of achieving its objective.

Could you explain that? Your reasoning is not at all obvious. It appears to me that, unless all 15 AES submissions turn out to have significant flaws, one of them is bound to be selected and be mandated as the new FIPS for unclassified encryption. That would be the same status that DES had.

The government reserves the right to refuse to approve a standard based on the entries and adopt something else, or not set any standard...and not tell why.


Show me a politician who does not lie through his teeth, and.....I'll show you one who can't find his dentures.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: 27 Sep 1998 05:18:35 GMT From: lamontg@bite.me.spammers Message-ID: 6ukhrb$92g$1@nntp6.u.washington.edu References: 360d30d2.9039808@news.io.com Newsgroups: sci.crypt Lines: 39

ritter@io.com (Terry Ritter) writes:

Whatever, it seems like the idea was a good one. As I said before, we have fifteen submissions, some of them very good.

The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

On what constitutional basis? The fact that you can't make money off of it does not imply that it is unconstitutional.

More than that, these rules act to restrict the long term development of crypto technology by not allowing fundamentally-new technology to compete,

  1. Is it a good thing for fundamentally-new technology to compete? Feistel ciphers have the benefit of an awful lot of cryptanalysis. I wouldn't want the AES to be broken 5 years later when everyone goes "oops, i guess that new approach wasn't all that good."

  2. Fundamentally-new technology is not banned from competition. The submitters simply have to accept other forms of compensation (e.g. PR) rather than obtaining a guaranteed lump of money from the government after their cipher design is mandated in all government contracts.

and by not rewarding the crypto design process itself. These rules are tools to minimize the open development of cryptographic technology, and every entrant who participates is another government argument that this is a good thing.

If ANYTHING is unconstitutional and un-american it is giving the winner of this contest a guaranteed 15 or so year contract to reap royalties from every government-used encryption product out there. It's like saying that all the cars the government uses for the next 15 years will be Fords.

-- Lamont Granquist (lamontg@u.washington.edu) looking for unix administration / security work


Subject: Re: AES and patent rights Date: Sun, 27 Sep 1998 08:22:42 GMT From: ritter@io.com (Terry Ritter) Message-ID: 360df5b4.17036475@news.io.com References: 6ukhrb$92g$1@nntp6.u.washington.edu Newsgroups: sci.crypt Lines: 81

On 27 Sep 1998 05:18:35 GMT, in 6ukhrb$92g$1@nntp6.u.washington.edu, in sci.crypt lamontg@bite.me.spammers wrote:

ritter@io.com (Terry Ritter) writes:

The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

On what constitutional basis? The fact that you can't make money off of it does not imply that it is unconstitutional.

Perhaps if you would read more, and delete less, the answer would become apparent:

(from that same article)

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions. There is also "taking without compensation."

More than that, these rules act to restrict the long term development of crypto technology by not allowing fundamentally-new technology to compete,

  1. Is it a good thing for fundamentally-new technology to compete? Feistel ciphers have the benefit of an awful lot of cryptanalysis. I wouldn't want the AES to be broken 5 years later when everyone goes "oops, i guess that new approach wasn't all that good."

Competition is competition. For Feistel technology to be "better," it must survive in competition. If it can't, maybe Feistel technology is not as much "better" as we thought it was.

  2. Fundamentally-new technology is not banned from competition. The submitters simply have to accept other forms of compensation (e.g. PR) rather than obtaining a guaranteed lump of money from the government after their cipher design is mandated in all government contracts.

I do not "have to accept" "other forms of compensation."

Personally, I would have been willing to give the government a very attractive license. But that is not enough for our government: AES demanded that I give a free license to every for-profit company who would be selling software based on that technology. That sure sounds like a government-mandated subsidy for those guys, doesn't it?

Then I would get to compete with those guys, "on an equal footing," after they used their resources getting ahead in other areas, and with no free help from them. Yeah, that sounds fair.

and by not rewarding the crypto design process itself. These rules are tools to minimize the open development of cryptographic technology, and every entrant who participates is another government argument that this is a good thing.

If ANYTHING is unconstitutional and un-american it is giving the winner of this contest a guaranteed 15 or so year contract to reap royalties from every government-used encryption product out there. It's like saying that all the cars the government uses for the next 15 years will be Fords.

MULTIPLE CHOICE:

If Ford is the winner in a contest for the most-efficient car design, based on long-term, very expensive and privately-funded research, would we expect:

a) they should be made to give their superior technology to all their competitors, free of charge, or

b) they should reap just rewards for their successful research.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: 27 Sep 1998 23:02:14 GMT From: lamontg@bite.me.spammers Message-ID: 6umg5m$19ke$1@nntp6.u.washington.edu References: 360df5b4.17036475@news.io.com Newsgroups: sci.crypt Lines: 113

ritter@io.com (Terry Ritter) writes:

On 27 Sep 1998 05:18:35 GMT, in 6ukhrb$92g$1@nntp6.u.washington.edu, in sci.crypt lamontg@bite.me.spammers wrote:

ritter@io.com (Terry Ritter) writes:

The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

On what constitutional basis? The fact that you can't make money off of it does not imply that it is unconstitutional.

Perhaps if you would read more, and delete less, the answer would become apparent:

(from that same article)

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions.

Perhaps if you would clarify then it would become apparent. Explain how you think that equal protection applies.

There is also "taking without compensation."

Which is silly. The government isn't taking anything which isn't freely offered.

More than that, these rules act to restrict the long term development of crypto technology by not allowing fundamentally-new technology to compete,

  1. Is it a good thing for fundamentally-new technology to compete? Feistel ciphers have the benefit of an awful lot of cryptanalysis. I wouldn't want the AES to be broken 5 years later when everyone goes "oops, i guess that new approach wasn't all that good."

Competition is competition. For Feistel technology to be "better," it must survive in competition. If it can't, maybe Feistel technology is not as much "better" as we thought it was.

Well, it seems to be quite adequately surviving in the non-AES marketplace just fine.

  2. Fundamentally-new technology is not banned from competition. The submitters simply have to accept other forms of compensation (e.g. PR) rather than obtaining a guaranteed lump of money from the government after their cipher design is mandated in all government contracts.

I do not "have to accept" "other forms of compensation."

Yes, you do because that's how the AES competition is set up.

Personally, I would have been willing to give the government a very attractive license.

Yes, and everyone else would have to license from you, which would inhibit the implementation of the algorithm in other forms of software. If it is to be widely used, it should be free.

But that is not enough for our government: AES demanded that I give a free license to every for-profit company who would be selling software based on that technology.

No, NIST is demanding that whoever wins the competition give free license to anyone who wants to use it -- irregardless of if they are selling or not. They are not demanding that you give a free license to anything -- just don't enter the competition.

That sure sounds like a government-mandated subsidy for those guys, doesn't it?

And it also allows every not-for-profit company or person to write AES software and distribute it unencumbered, as well. If it's a subsidy then it's your subsidy against their subsidy.

Then I would get to compete with those guys, "on an equal footing," after they used their resources getting ahead in other areas, and with no free help from them. Yeah, that sounds fair.

Then don't enter the competition. Simple.

and by not rewarding the crypto design process itself. These rules are tools to minimize the open development of cryptographic technology, and every entrant who participates is another government argument that this is a good thing.

If ANYTHING is unconstitutional and un-american it is giving the winner of this contest a guaranteed 15 or so year contract to reap royalties from every government-used encryption product out there. It's like saying that all the cars the government uses for the next 15 years will be Fords.

MULTIPLE CHOICE:

If Ford is the winner in a contest for the most-efficient car design, based on long-term, very expensive and privately-funded research, would we expect:

a) they should be made to give their superior technology to all their competitors, free of charge, or

b) they should reap just rewards for their successful research.

b. In this case "just rewards" are the PR and cipher design expertise which is entirely sufficient for counterpane and apparently sufficient for the 15 other applicants. It doesn't mean that you can kick back for 15 years and do nothing other than license the cipher -- is that "innovative" is that promoting "competition" or is that one company winning the lottery and getting to kick back on guaranteed money?

-- Lamont Granquist (lamontg@u.washington.edu) looking for unix administration / security work


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 04:23:48 GMT From: "Douglas A. Gwyn" DAGwyn@null.net Message-ID: 360F0F30.65F94F17@null.net References: 360df5b4.17036475@news.io.com Newsgroups: sci.crypt Lines: 16

Terry Ritter wrote:

If ANYTHING is unconstitutional and un-american it is giving the winner of this contest a guaranteed 15 or so year contract to reap royalties from every government-used encryption product out there. It's like saying that all the cars the government uses for the next 15 years will be Fords. MULTIPLE CHOICE: If Ford is the winner in a contest for the most-efficient car design, based on long-term, very expensive and privately-funded research, would we expect: a) they should be made to give their superior technology to all their competitors, free of charge, or b) they should reap just rewards for their successful research.

The correct answer is "None of the above."

You should know better than to argue via inexact analogies.


Subject: Re: AES and patent rights Date: Sun, 27 Sep 1998 22:40:31 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360ebdde.481581@news.visi.com References: 6ukhrb$92g$1@nntp6.u.washington.edu Newsgroups: sci.crypt Lines: 32

On 27 Sep 1998 05:18:35 GMT, lamontg@bite.me.spammers wrote:

  1. Is it a good thing for fundamentally-new technology to compete? Feistel ciphers have the benefit of an awful lot of cryptanalysis. I wouldn't want the AES to be broken 5 years later when everyone goes "oops, i guess that new approach wasn't all that good."

Different submitters have different ideas. The Twofish design team decided that fundamentally new technologies and ideas were too risky for a long-term standard. Other submitters thought differently. RC6, for example, is heavily dependent on modular multiplications and data-dependent rotations, two technologies that are very new and don't have a track record. CAST-256, by using an incomplete Feistel network, has opened itself to a lot of truncated differential attacks and the new impossible cryptanalysis. Serpent, on the other hand, was even more conservative than we were.

The best way for a new technique to gain acceptance is for it to be obviously better than the old techniques. If someone invented a form of cryptanalysis that blew everything else out of the water, and then described a technique that is resistant, everyone would take a serious look at it. And if it were patented, there would be nothing we could do.

Fundamentally new techniques for the sake of themselves have no place in a conservative standard. Fundamentally new techniques that resist attacks that break other things are much more interesting.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: 27 Sep 1998 12:28:37 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6ulb1l$jmr$1@news.ysu.edu References: N906423249.20630@ruby.ansuz.sooke.bc.ca 6ubqtt$245$1@quine.mathcs.duq.edu 360df5b4.17036475@news.io.com Newsgroups: sci.crypt Lines: 58

In a previous article, ritter@io.com (Terry Ritter) says:

On 27 Sep 1998 05:18:35 GMT, in 6ukhrb$92g$1@nntp6.u.washington.edu, in sci.crypt lamontg@bite.me.spammers wrote:

ritter@io.com (Terry Ritter) writes:

The competition is being conducted in a way which I believe is unconstitutional, which means that the result -- whatever it is -- will be open to challenge.

On what constitutional basis? The fact that you can't make money off of it does not imply that it is unconstitutional.

Perhaps if you would read more, and delete less, the answer would become apparent:

(from that same article)

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions. There is also "taking without compensation."

More than that, these rules act to restrict the long term development of crypto technology by not allowing fundamentally-new technology to compete,

  1. Is it a good thing for fundamentally-new technology to compete? Feistel ciphers have the benefit of an awful lot of cryptanalysis. I wouldn't want the AES to be broken 5 years later when everyone goes "oops, i guess that new approach wasn't all that good."

Competition is competition. For Feistel technology to be "better," it must survive in competition. If it can't, maybe Feistel technology is not as much "better" as we thought it was.

  2. Fundamentally-new technology is not banned from competition. The submitters simply have to accept other forms of compensation (e.g. PR) rather than obtaining a guaranteed lump of money from the government after their cipher design is mandated in all government contracts.

I do not "have to accept" "other forms of compensation."

IF they would just give me a life time pass to the MUSTANG I would stop the spreading of my advanced crypto so the NSA would have an easier time breaking every thing. But I don't think the US government wants to really compensate anybody who is not politically correct and I have a feeling that I am too honest for government any more.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: 27 Sep 1998 19:09:07 GMT From: jsavard@freenet.edmonton.ab.ca () Message-ID: 6um2gj$du0$3@news.sas.ab.ca References: 360d0782.2157160@news.visi.com Newsgroups: sci.crypt Lines: 21

Bruce Schneier (schneier@counterpane.com) wrote: Terry Ritter wrote:

: >It is unfortunate that Bruce Schneier was a prime factor in getting
: >the original rules changed so that only free designs would even be
: >considered for AES.

: Was I? Wow. I thought that was NIST's idea. Whatever, it seems like
: the idea was a good one. As I said before, we have fifteen
: submissions, some of them very good.

Having followed the discussions leading up to the final call for AES submissions, I know what Mr. Ritter is basing his claim on here. Initially the AES committee was expressing a strong preference for royalty-free submissions; this changed to a mandatory requirement shortly after a statement by you that the preference was unlikely to create problems.

That they may have had other input, or other reasons for making that change, certainly isn't disproven by the record.

John Savard


Subject: Re: AES and patent rights Date: Sun, 27 Sep 1998 22:35:06 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360ebd88.396141@news.visi.com References: 6um2gj$du0$3@news.sas.ab.ca Newsgroups: sci.crypt Lines: 29

On 27 Sep 1998 19:09:07 GMT, jsavard@freenet.edmonton.ab.ca () wrote:

Bruce Schneier (schneier@counterpane.com) wrote: Terry Ritter wrote:

: >It is unfortunate that Bruce Schneier was a prime factor in getting
: >the original rules changed so that only free designs would even be
: >considered for AES.

: Was I? Wow. I thought that was NIST's idea. Whatever, it seems like
: the idea was a good one. As I said before, we have fifteen
: submissions, some of them very good.

Having followed the discussions leading up to the final call for AES submissions, I know what Mr. Ritter is basing his claim on here. Initially the AES committee was expressing a strong preference for royalty-free submissions; this changed to a mandatory requirement shortly after a statement by you that the preference was unlikely to create problems.

That they may have had other input, or other reasons for making that change, certainly isn't disproven by the record.

Thanks for the explanation.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: 27 Sep 1998 19:52:22 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6um51m$drq$1@news.ysu.edu References: N906423249.20630@ruby.ansuz.sooke.bc.ca 6ubqtt$245$1@quine.mathcs.duq.edu 6um2gj$du0$3@news.sas.ab.ca Newsgroups: sci.crypt Lines: 33

In a previous article, jsavard@freenet.edmonton.ab.ca () says:

Bruce Schneier (schneier@counterpane.com) wrote: Terry Ritter wrote:

: >It is unfortunate that Bruce Schneier was a prime factor in getting
: >the original rules changed so that only free designs would even be
: >considered for AES.

: Was I? Wow. I thought that was NIST's idea. Whatever, it seems like
: the idea was a good one. As I said before, we have fifteen
: submissions, some of them very good.

I really wonder which if not all of the methods are NSA fronts. I think it is utterly foolish to think the winner will not be an NSA entry no matter how they try to deny it. The beauty of this is more than most realize. Suppose it turns out weak. Then they can claim they knew it all along but for security reasons decided not to tell. That way they will receive no blame no matter what happens. When you stop to think about it, it can't be any other way. They have to by their charter get involved in all American crypto. Or at least what little we know about their secret charter. Of course that could get Clinton to come on TV and deny their involvement in such a scheme. I am sure that most Americans are still so blinded by his skill that they would believe him.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: Sun, 27 Sep 1998 22:35:48 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: 360ebda9.428333@news.visi.com References: 6um51m$drq$1@news.ysu.edu Newsgroups: sci.crypt Lines: 28

On 27 Sep 1998 19:52:22 GMT, an096@yfn.ysu.edu (David A. Scott) wrote:

In a previous article, jsavard@freenet.edmonton.ab.ca () says:

Bruce Schneier (schneier@counterpane.com) wrote: Terry Ritter wrote:

: >It is unfortunate that Bruce Schneier was a prime factor in getting the original rules changed so that only free designs would even be considered for AES.

: Was I? Wow. I thought that was NIST's idea. Whatever, it seems like the idea was a good one. As I said before, we have fifteen submissions, some of them very good.

I really wonder which if not all of the methods are NSA fronts. I think it is utterly foolish to think the winner will not be an NSA entry no matter how they try to deny it.

Well, I know that Twofish is not an NSA entry, but there is no way I can prove that to you.

Bruce


Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com


Subject: Re: AES and patent rights Date: 27 Sep 1998 23:04:35 GMT From: lamontg@bite.me.spammers Message-ID: 6umga3$td0$1@nntp6.u.washington.edu References: 6um51m$drq$1@news.ysu.edu Newsgroups: sci.crypt Lines: 9

an096@yfn.ysu.edu (David A. Scott) writes:

I really wonder which if not all of the methods are NSA fronts.

Yeah, twofish was designed by the NSA, fronted by Bruce and Counterpane. Likewise, RSADSI is another NSA front.

-- Lamont Granquist (lamontg@u.washington.edu) looking for unix administration / security work


Subject: Re: AES and patent rights Date: 28 Sep 1998 02:36:56 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6umso8$3k6$1@news.ysu.edu References: N906423249.20630@ruby.ansuz.sooke.bc.ca 6ubqtt$245$1@quine.mathcs.duq.edu 360ebd79.18691713@news.io.com Newsgroups: sci.crypt Lines: 91

In a previous article, ritter@io.com (Terry Ritter) says:

On Sat, 26 Sep 1998 21:37:43 GMT, in 360d5983.3024744@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) seemed to respond, yet failed to address his own analogy:

[...] I don't believe that it is un-American, unconstitutional, or inappropriate for automobile companies to sponsor race cars, either.

Really? You would force everyone who entered a car in the race to sign over their rights to their design -- including any new innovations -- if they won?

That sounds like a very strange race to me.

Race drivers and their organizations have to make real money, and they depend upon the innovations in their cars. I doubt they would give up their rights -- unless of course they simply have no rights, and so take the opportunity to exclude their competition.

Somebody might even have the balls to take something like that to court. Especially if the race was government-sponsored.

[...] From what I have researched, IBM has never sued or even threatened anyone for using DES. If you have other evidence, I very much want to hear it.

Please try to follow along: DES was a US standard. It was free for use in the US. Presumably IBM got something for that. Lawsuits and threatening have nothing to do with it.

[...] Although more likely the government didn't want to force users of AES to pay royalties, when there was the very strong possibility that free alternatives might be out there. So NIST took a risk in only asking for unencumbered submissions, but it looks like their risk paid off. You and I and everyone else who builds encryption systems using AES will benefit.

A standard cipher should be an advantage for bankers who want the liability protection of "due diligence."

But companies and individuals can make their own decisions about what cipher to use, based on the opinions of experts they trust, or just random chance. Freedom is like that.

Terry, I agree with you here: people should be FREE to pick what they want. The AES competition is just another Clipper chip in sheep's clothing. It would be best to let the marketplace decide on its own. Some will sell like Microsoft and some like GNU Linux would be free, but the free market should decide.

On the other hand, a government interface standard which could handle (virtually) any cipher of any sort as dynamically selected, would be useful.

My argument would more likely be based on "equal protection under the law" than antitrust; when government participation is limited by what one owns, there have to be questions. There is also "taking without compensation."

NIST is not taking anything without compensation. Everything is being given freely. You are not being compelled to submit and to give up your rights.

Indeed, I did not submit.

But you get to participate in a government-funded process which took nothing from you, but would take property from me.

Actually Bruce will make a bundle out of this process. The very nature of his position makes Bruce look like an expert and he will sell more books. It makes him look like an expert while people like you are cut out and forgotten. Government has a way of creating its own experts. And the association he has with government will make the sheep blindly follow him. Just a thought.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: 28 Sep 1998 02:49:55 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6umtgj$512$1@news.ysu.edu References: N906423249.20630@ruby.ansuz.sooke.bc.ca 6ubqtt$245$1@quine.mathcs.duq.edu 360ebdde.481581@news.visi.com Newsgroups: sci.crypt Lines: 38

In a previous article, schneier@counterpane.com (Bruce Schneier) says:

Different submitters have different ideas. The Twofish design team decided that fundamentally new technologies and ideas were too risky for a long-term standard. Other submitters thought differently. RC6, for example, is heavily dependent on modular multiplications and data-dependent rotations, two technologies that are very new and don't have a track record. CAST-256, by using an incomplete Feistel network, has opened itself to a lot of truncated differential attacks and the new impossible cryptanalysis. Serpent, on the other hand, was even more conservative than we were.

The best way for a new technique to gain acceptance is for it to be obviously better than the old techniques. If someone invented a form of cryptanalysis that blew everything else out of the water, and then described a technique that is resistant, everyone would take a serious look at it. And if it were patented, there would be nothing we could do.

No, the best way will never be found like what you described. More like the current history of crypto that is so-called new is NSA blessed since they do not want good crypto. It will be very hard to get good crypto to the masses when so-called experts pooh-pooh the idea of long keys as snake oil. And the obvious use of the inferior way blocks are chained together is nothing but a bald-faced trick to keep good crypto out of the hands of ordinary people. It should be obvious what is going on but people like you are good at distorting the truth. Hell, you will never run a contest like I did at d o e sysworks because if you only changed 4 chars in the file someone might break it. If my stuff is so bad you try to break the contest. You can even use your friends at the NSA.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: 28 Sep 1998 02:52:13 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6umtkt$587$1@news.ysu.edu References: 6ubqtt$245$1@quine.mathcs.duq.edu 6um2gj$du0$3@news.sas.ab.ca Newsgroups: sci.crypt Lines: 17

In a previous article, lamontg@bite.me.spammers () says:

an096@yfn.ysu.edu (David A. Scott) writes:

I really wonder which if not all of the methods are NSA fronts.

Yeah, twofish was designed by the NSA, fronted by Bruce and Counterpane. Likewise, RSADSI is another NSA front.

I know you are jesting, but TWOFISH would have my bet as an NSA plant; I just am not sure which of the rest are.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: Mon, 28 Sep 1998 01:11:20 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2809980111210001@207.22.198.201 References: 6umtkt$587$1@news.ysu.edu Newsgroups: sci.crypt Lines: 44

In article 6umtkt$587$1@news.ysu.edu, an096@yfn.ysu.edu (David A. Scott) wrote:

In a previous article, lamontg@bite.me.spammers () says:

an096@yfn.ysu.edu (David A. Scott) writes:

I really wonder which if not all of the methods are NSA fronts.

Yeah, twofish was designed by the NSA, fronted by Bruce and Counterpane. Likewise, RSADSI is another NSA front.

I know you are jesting, but TWOFISH would have my bet as an NSA plant; I just am not sure which of the rest are.

If some are merely traveling a convenient trail laid out by the government, leading them to do things a particular way because of established crypto practices, all would be swayed to do things in certain conventional ways, probably some of which would be compatible with NSA notions. However, I get the drift that some aspects of the process are not so sympathetic to the desires in certain corners of our government. Internal opinions vary wildly within all relevant organizations regarding what is best.

In the various presentations, I was looking for some unusual information, including a basic honesty, sincerity, knowledge and focus of the presenters. In those areas, as well as others, Bruce shined. If anything, government is probably a bit resentful of his status, and of the gall of so many to take on things that they wished they still exclusively controlled.

If I were looking for plants, and I'm not, I would rather look at those who already have their hands in each other's pockets. It would be hard not to consider that a company would be beholden in some way if it were involved extensively in cooperative areas with the government, contracts, personnel sharing, etc.


Are you tired, rundown, can't find a corner in the office to hide in?

Then, try Jimmy Carter's Little Pills, which are apt to cause you to want to get out your frustrations constructively, but might tend to make you fear rabbits.

Decrypt with ROT13 to get correct email address.


Subject: Re: AES and patent rights Date: 28 Sep 1998 03:09:21 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6umul1$7c8$1@news.ysu.edu References: N906423249.20630@ruby.ansuz.sooke.bc.ca 6ubqtt$245$1@quine.mathcs.duq.edu 360ed738.1402804@news.visi.com Newsgroups: sci.crypt Lines: 35

In a previous article, schneier@counterpane.com (Bruce Schneier) says:

What is AES process taking from you? You were not compelled to submit, so AES will not take your work away from you. I know that you patent your ideas, so if the eventual AES algorithm infringes on any of your patents then you will demand your rights. I don't see anything of yours being taken away.

To be more honest. If the government ends up using your ideas. It's a fuck you situation since you don't have the money to hire the lawyers to win. So Bruce is wrong again and you would be the loser, Terry.

Moo. Oops, sorry. Baaa.

Terry, if you did this kind of crap that Bruce did here people would not like you. But Bruce has the money and power to laugh in your face even if he knows that some of your ideas are better than his. Because he is the recognized government expert while you are a has-been drip in his eyes. Of course I am on the list too, but he fears you more since you can string English together a hell of a lot better than me.

Terry, wake up, the contest is a joke anyway. It is nothing but another Clipper chip in disguise. If enough people wake up maybe it will die just like the stupid Clipper chip. Society would be better served if there are many methods out there, since it is stupid to put all eggs in one basket.

Yes, it would be dumb if everyone in the world used mine. But at least I think even Bruce realizes I don't work for the NSA; I am not sure that they want free thinkers.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: 29 Sep 1998 11:35:29 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6uqgm1$gc7$1@news.ysu.edu References: jgfunj-2209982001430001@207.22.198.219 N906423249.20630@ruby.ansuz.sooke.bc.ca 3610a518.969320@news.erols.com Newsgroups: sci.crypt Lines: 53

In a previous article, amungedtempdog@munged.see.sig (A [Temporary] Dog) says:

On Tue, 29 Sep 1998 07:38:05 GMT, ritter@io.com (Terry Ritter) wrote:

On Mon, 28 Sep 1998 13:25:01 GMT, in 360f8dcf.3312669@news.visi.com, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

[...] To me it looks like we were both given the same decision to make, and you chose one path and I chose the other. You believed that your patent rights were worth more than NIST was willing to give you for them.
[...] Had AES offered even token real compensation for these rights, you might have a point. They did not.

If you really believe that the prestige of winning the AES contest is worth nothing, why do you care if you participate or not? If the prestige is worth something (to anyone), it is an offer of compensation. If it's worth nothing, then you have lost nothing by not participating. The AES contestants evidently believe that winning the contest is worth something to them. For some of them, prestige is readily convertible to cash via increased charges for consulting work, etc.

They made an offer (prestige for algorithm). You chose not to accept their offer. Others did choose to accept their offer. This is an example of free trade. The fact that their offer of payment is in intangibles doesn't change that. They didn't force you to participate on their terms and you can't force them to participate on your terms. The fact that they are the government and not a business is also irrelevant; it's still an example of free trade.

Actually they most likely would not take his method in consideration just as they would not take mine. The competition is a fucking joke only open to snobbish assholes like Bruce himself and yes it will raise the opinion of the sheep by giving more prestige to the snobbish assholes involved. Of course the NSA horse will win. I think Bruce is on that horse but I am sure the NSA has more than one candidate in that race. It would be foolish to think otherwise. And if you are wondering, yes, I did try to get in but I am sure what little correspondence there was has long been filed in that round circular file. So fuck the so-called openness of the contest.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: 29 Sep 1998 22:18:06 GMT From: rreynard@aol.com (RREYNARD) Message-ID: 19980929181806.04330.00019263@ngol01.aol.com References: 36113B71.1FE7EFEB@null.net Newsgroups: sci.crypt Lines: 38

In article 36113B71.1FE7EFEB@null.net, "Douglas A. Gwyn" DAGwyn@null.net writes:

RREYNARD wrote:

This sounds very much like "crypto" COBOL and I would think has about the same chance of achieving its objective.

Could you explain that? Your reasoning is not at all obvious.

I rather thought that everyone who reads Sci.Crypt would have seen my post, smiled, and pressed on with the grim business of determining the future of cryptography.

But, since you asked -

As I recall, COBOL was the government's "standardized" Common Business Oriented Language to be used by all government agencies for application programming.

I don't believe it ever achieved "standardization", it never became "common" and many government agencies opted not to use it. It is my opinion, that the "standard" crypto algorithm will realize similar success.

Also, did the government programming standards committee that was responsible for COBOL have the foresight to require as a standard - an 8 position date field - and will a similar group be determining the size of the key length? :-)

While we are on the topic of "standards", I have a meter wrench set that I would like to sell that I purchased in anticipation of the "measurement standards" that the government were to adopt a few years ago. ;-)

And, just to get it all out, it would seem to me that rather than giving "it" away for free, the government should operate on the basis that whatever they decide to "use" as a standard, it should have a price tag. If those who would use it must pay for it, it is more likely to be "worth the cost." Actually, upon reflection, that is probably how it will turn out regardless. ;-)


Subject: Re: AES and patent rights Date: 29 Sep 1998 23:38:36 GMT From: an096@yfn.ysu.edu (David A. Scott) Message-ID: 6urr1s$chf$1@news.ysu.edu References: N906423249.20630@ruby.ansuz.sooke.bc.ca 6ubqtt$245$1@quine.mathcs.duq.edu 3611414c.1821978@news.io.com Newsgroups: sci.crypt Lines: 58

In a previous article, ritter@io.com (Terry Ritter) says:

On Tue, 29 Sep 1998 21:25:52 +0200, in <Pine.GSO.4.03.9809292117190.29627-100000@sun5>, in sci.crypt tbb03ar@mail.lrz-muenchen.de wrote:

[...] AES wouldn't be worth anything if it would be patented: Nobody is willing to pay for an algorithm if there are lots of others in the public domain.

RSA.

RC4 (in the sense that it was easy to export).

(Both of which are not free.)

To get a standard it was necessary to find free programs.

First, AES is a cipher; a major component, assuredly, but still only one component of a complete system. It is not a "program."

And while there may be some "free" programs which use AES, we can be sure that commercial software firms will compensate their programmers by charging for the software. Programmers thus will be compensated -- and justly so -- for the time they spend; but cipher designers will not be compensated for the vastly greater time they spend. And though I do wear both hats, I still find this irritating, since it is a direct result of government action.

[...] BTW: Do you think the development of GNU C is unfair against Borland and Microsoft?

I guess that would first depend upon whether the government was supporting GNU C, and next whether the government would be recommending GNU C and even requiring it for their own use.

I think most management mistakenly thinks that you have to pay lots of money to get something good. When I worked for the government we got the people at our site to use GNU C, which produces faster running code than the SUN compiler. Upper management, being as blind as asshole Bruce, was not real happy, but I worked on a base where getting things to work was at least for a while more important than wasting taxpayers' money for crap that does work. Maybe your stuff is good, Terry, but I know GNU C is damn good. But managers like to toss money; that is why Gates is so rich. He does not have to make a good operating system, since the ones buying are not the working programmers, since they would use Linux.

-- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip for the version with a real key of over one million bytes. also scott16u.zip and scott4u.zip


Subject: Re: AES and patent rights Date: Wed, 30 Sep 1998 04:39:10 GMT From: ritter@io.com (Terry Ritter) Message-ID: 3611b5aa.31618675@news.io.com References: 6urr1s$chf$1@news.ysu.edu Newsgroups: sci.crypt Lines: 74

On 29 Sep 1998 23:38:36 GMT, in 6urr1s$chf$1@news.ysu.edu, in sci.crypt an096@yfn.ysu.edu (David A. Scott) wrote:

[...] BTW: Do you think the development of GNU C is unfair against Borland and Microsoft?

I guess that would first depend upon whether the government was supporting GNU C, and next whether the government would be recommending GNU C and even requiring it for their own use.

I think most management mistakenly thinks that you have to pay lots of money to get something good. When I worked for the government we got the people at our site to use GNU C, which produces faster running code than the SUN compiler. Upper management, being as blind as asshole Bruce, was not real happy, but I worked on a base where getting things to work was at least for a while more important than wasting taxpayers' money for crap that does work. Maybe your stuff is good, Terry, but I know GNU C is damn good. But managers like to toss money; that is why Gates is so rich. He does not have to make a good operating system, since the ones buying are not the working programmers, since they would use Linux.

Since I don't understand your point, I guess it is possible that you misunderstood mine:

Do I think the development of GNU C is unfair to Borland and Microsoft? Of course not.

But the question was presumably intended as an analogy to AES: The AES competition is government funded; presumably GNU C is not. The government may recommend AES for various uses (such as financial transfers), and may require AES for government internal use. None of this is like GNU C.

This really might have been a "watershed" question as in: "Since all the right guys like GNU C, if you don't, you're not worth respecting." I see that sort of stuff a lot, unfortunately.

Frankly, I don't know GNU C. I liked Borland from the time they started up, and I liked a number of things about the Pascal packages, especially including the super-fast linkage and unused code removal. This made the development of "library" units very practical. But I suppose the main advantage was the edit / compile / debug environment which later became common, but seemed particularly nice in the Pascal.

Well, there is no Borland anymore, and I don't like the route taken by Delphi environment, and my Borland C++ 4.52 environment crashes every time I look at it. What am I going to do, get Microsoft stuff? Maybe I'm the only guy who never had a wonderful experience with Microsoft tools, but I always end up saying "damn this stupid design." Maybe there is no real alternative now, but I'm still chugging along with what I've got.

I sure would like to have the opportunity to get into an OS design project and especially get rid of the old-timey load and address fix-up stuff, and also prepare for nonvolatile main memory (which should permit instant-on). Ideally we would innovate a new processor architecture too, but there is only so much one can do at once. There is a lot of stuff to do to catch up to where we could be if only our systems were engineered to perform instead of being hacked together to almost-always work.

As for GNU C, I don't like "copyleft," so I have stayed away from all that stuff.


Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary 1998-08-27: http://www.io.com/~ritter/GLOSSARY.HTM


Subject: Re: AES and patent rights Date: Tue, 29 Sep 1998 21:13:33 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: jgfunj-2909982113340001@dialup163.itexas.net References: 6us2ol$q7e$1@news.ysu.edu 6ubqtt$245$1@quine.mathcs.duq.edu 6uqvdq$i2$1@quine.mathcs.duq.edu Newsgroups: sci.crypt Lines: 17

In article 6us2ol$q7e$1@news.ysu.edu, an096@yfn.ysu.edu (David A. Scott) wrote:

I am sure the NSA has already decided a long time ago who would get to win this farce. Only if people don't use this blessed crap do they have a hope of decent crypto. And I again say as proof just like at his chicken shit contest.

Current events beat the soaps. It seems that what will happen next in the world is as much a surprise to their leadership as anything. Meanwhile, lots of inside low-level events predictors are saying "Told you so."


Show me a politician who does not lie through his teeth, and.....I'll show you one who can't find his dentures.

Decrypt with ROT13 to get correct email address.


Terry Ritter, his current address, and his top page.

Last updated: 1999-01-19