From: Marcus Watts (mdw@umich.edu)
Date: Wed Nov 21 2001 - 23:36:25 CST

    Vin McLellan <vin@shore.net> sent:
    > That suggests that the essential product of any crypto vendor is trust --
    > and, perhaps, that boards of directors like to have someone with deep
    > pockets standing behind the Crypto Wizards for when something goes wrong;-)

    I agree, and that's why I find RSA's use of patent & copyright law
    especially disappointing. But, this all gets into crypto-politics, and
    I'm really much more interested in coding.

    > Folks here would know better than I, but my impression was that all five
    > AES finalists were impressive cryptosystems, each of which had some areas
    > in which it held some advantage relative to the other four. (Matt Robshaw
    > published a brief post-AES paper which explored this for RC6 vs Rijndael:
    > <ftp://ftp.rsasecurity.com/pub/rsalabs/rc6/rc6%2Baes.pdf>)

    I agree, all of the finalists were very impressive.

    > I think I'd remember it if the code Mr. Salasio posted to the Cryptography
    > list last year had such a Get-Out-of-Jail card attached to it. (If it did
    > -- or if some other version of his work was so labelled -- he was
    > wrong.) No implementation of RC6 is "public domain;" although multiple
    > versions of the RC6 code abound. Surely, it would take a real innocent to
    > believe that because a design for something is published, it is unencumbered?

    The version I saw was actually posted by "Anonymous <nobody@replay.com>" on
    or about Fri, 19 Jun 1998 18:45:45 -0700 to coderpunks@toad.com under the
    title "RC6 (TM) redux... this time with decryption". It came with this
    comment at the start:

    /* rc6 (TM)
     * Unoptimized sample implementation of Ron Rivest's submission to the
     * AES bakeoff.
     *
     * Salvo Salasio, 19 June 1998
     *
     * Intellectual property notes: The name of the algorithm (RC6) is
     * trademarked; any property rights to the algorithm or the trademark
     * should be discussed with the authors of the defining
     * paper "The RC6(TM) Block Cipher": Ronald L. Rivest (MIT),
     * M.J.B. Robshaw (RSA Labs), R. Sidney (RSA Labs), and Y.L. Yin (RSA Labs),
     * distributed 18 June 1998 and available from the lead author's web site.
     *
     * This sample implementation is placed in the public domain by the author,
     * Salvo Salasio. The ROTL and ROTR definitions were cribbed from RSA Labs'
     * RC5 reference implementation.
     */

    I have no idea what Mr. Salasio may have posted to the Cryptography
    list last year. There are two interesting legal issues with the 1998
    version. The first is whether this is indeed the authentic wishes of
    the actual author (being that it was posted anonymously this would be
    hard to prove), and the 2nd is that term "public domain", which is less
    meaningful in this era of implicit copyrights than it used to be.
    Presumably, if RSA's evil lawyers got nasty or the NSA guys got
    courtly, Mr. Salasio would have an easier time escaping risk than the
    OpenSSL project. With these caveats, I believe the above to be
    actually more liberal than the OpenSSL licensing terms, and the major
    objection would be that they are "too" liberal and risky.

    It's possible someone pointed out the problems with "public domain" and
    anonymous distribution to Mr. Salasio and that he released a later
    version with a BSD style copyright. Alternatively, there is always
    Brian Gladman's implementation.

    I believe the "cribbed" rotate sequences compile down to 1 or 2
    instruction sequences in somebody's 386+ C compiler. There's
    apparently only one way to code that such that the efficient sequence
    is produced. As such, I doubt the code fragment is copyrightable, any
    more than a word or phrase would be in English. It's been claimed
    that RISC processors don't have a rotate instruction, but I believe
    that's mainly true of the SPARC. It's certainly not true of PPC.
    As an experiment I coded up a rios implementation a while back; here's
    a small part of it:
            #
            # do the key loop
            # for (s=0;s<v;++s)
            # { A=S[i]=ROTL(S[i]+A+B,3);
            # B=L[j]=ROTL(L[j]+A+B,A+B);
            # i=i+1;if(i>=R24)i=0;
            # j=j+1;if(j>=c)j=0; }
            #
                    b __L1ac
            __L1d0:
                    bc BO_IF_1,CR0_LT,__L1e0
                    cal r11,0(r0) # j=0
            __L1e0:
                    a r7,r9,r0 # B = A+B
                    rlinm r6,r11,2,0,29
                    lx r0,r8,r6 # L[j]
                    cmpi 1,r10,44 # i >= R24
                    a r0,r0,r7 # L[j]+B
                    rlnm r0,r0,r7,0,31 # B = ROTL(L[j]+B,B)
                    ai r11,r11,1 # ++j
                    stx r0,r8,r6 # L[j] = B
                    bc BO_IF_1,CR1_FX,__L228
                    cal r10,0(r0) # i=0
            __L228:
                    rlinm r7,r10,2,0,29
                    ai r10,r10,1 # ++i
            __L1ac:
            # r0 B r3 S r7 i*sizeof long
            # r9 A r10 i r11 j
            # r12 c r8 L
                    cmp 0,r11,r12 # j >= c
                    lx r6,r3,r7 # A = S[i]
                    a r6,r6,r9 # S[i] + A
                    a r6,r6,r0 # S[i] + A + B
                    rlinm r9,r6,3,0,31 # A = ROTL(S[i]+A+B,3)
                    stx r9,r3,r7 # S[i] = A
                    bc BO_dCTR_NZERO,CR0_LT,__L1d0
    The C version with gcc does 'setkey' in 30 microseconds; with xlc, it's
    only 16.5 microseconds. My assembler version, with the clever rotate
    and other changes, gets this down to a mere 13.3 microseconds. (If you
    think these speeds are slow, consider this was all on a 33.3 MHz rios
    machine, hardly state of the art.) So, using the proper instruction is
    indeed slightly more efficient, though I wouldn't say the difference is
    earth-shaking.

    But, I've digressed into coding (oh the shame, the shame)...

    also
    >
    > On RC6, Ben Laurie <ben@algroup.co.uk> also noted:
    >
    > >> The OpenSSL implementation is freely redistributable.
    >
    > Yup. But that simply transfers the risk of patent infringement to any firm
    > which uses the code.
    ...
    (interesting tangent omitted...)

    Salvo Salasio's "public domain" version warns of the very same risks.

    Gladman's code, as well as Salasio's above, both warn of RSA's
    interests. Patent law covers *use* not *copying* - so RSA can't stop
    anyone from distributing copies of either implementation, just as with any
    regular hardware patent, anyone can write up a description of the
    process or hardware and publish it in any magazine. In fact, one of
    the original purposes of patent law was to *force* you to publish a
    non-copyrighted description of the process [it was published by the US
    federal government which is by design excluded from copyright law] so
    that other people could study, discuss, publish descriptions of, and,
    in time, improve upon your process or gizmo. Assuming software patents
    are enforceable, during the lifetime of the patent, the owner *can*
    regulate the use of it, up to and including requiring that you only use
    certain implementations, operate it on hardware sold by the owner, only
    run it during a full moon, or that you rent a specially trained and
    licensed operator from the owner to be on hand at all times. These are
    all allowed by patent law and have been used many times in the past
    (well, ok, maybe not the moon thing.) It's up to the owner of the
    patent to decide how they wish to best exploit their patent. The
    patent owner can't stop you from experimental use of his algorithm, or
    claim copyright on your own independent description or implementation
    of his patent. Hence Gladman and Salasio should both be in the clear
    here. Neither Gladman nor Salasio claim their independent
    implementations of RC6 are unencumbered, merely free to publish.

    I think RSA also claims another IP right -- "trademark" on the use of
    the term RC6 to describe implementations of the algorithm.

    Of course, I am not a lawyer too. Your mileage may vary. Since I'm
    not a lawyer, you can't sue me for my legal advice. At least, I think
    you can't and win. Or at least I hope you won't. I'd really rather
    code.

                                            -Marcus Watts
                                            UM ITCS Umich Systems Group
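The key-schedule loop the post quotes in pseudocode and rios assembler, carried through as a complete RC6-32/20/b key schedule plus block encryption in C. This is an added example, not Salasio's, Gladman's or Watts's code; constants, loop structure and the all-zero test vector are taken from the RC6 paper, and the only deliberate departure is that the rotates mask the shift count so the classic `(x<<y)|(x>>(32-y))` macro's undefined shift by 32 cannot occur.

```c
#include <stddef.h>
#include <stdint.h>

#define RC6_R 20              /* rounds: RC6-32/20/b, the AES submission parameters */
#define RC6_T (2 * RC6_R + 4) /* number of round-key words */
#define P32 0xB7E15163u       /* "magic" constants from the RC6 paper */
#define Q32 0x9E3779B9u

/* Rotates written so the shift count is always 0..31: gcc/clang recognise
 * this idiom and emit a single rotate (rol/rlwnm), and unlike the classic
 * (x<<y)|(x>>(32-y)) form it never shifts a 32-bit word by 32 (undefined). */
static inline uint32_t rotl(uint32_t x, uint32_t n) { n &= 31; return (x << n) | (x >> ((32 - n) & 31)); }
static inline uint32_t rotr(uint32_t x, uint32_t n) { n &= 31; return (x >> n) | (x << ((32 - n) & 31)); }
static uint32_t ld32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void st32(uint8_t *p, uint32_t x) { p[0] = x; p[1] = x >> 8; p[2] = x >> 16; p[3] = x >> 24; }

/* Key schedule (the loop quoted in the post): expand a b-byte key, b <= 256, into S[0..RC6_T-1]. */
void rc6_setkey(const uint8_t *key, size_t b, uint32_t S[RC6_T])
{
    uint32_t L[64] = {0}, A = 0, B = 0;
    size_t c = b ? (b + 3) / 4 : 1, v = 3 * (c > RC6_T ? c : RC6_T), i, j, s;
    for (i = 0; i < b; i++) L[i / 4] |= (uint32_t)key[i] << (8 * (i % 4)); /* little-endian words */
    S[0] = P32;
    for (i = 1; i < RC6_T; i++) S[i] = S[i - 1] + Q32;
    for (s = i = j = 0; s < v; s++) {
        A = S[i] = rotl(S[i] + A + B, 3);
        B = L[j] = rotl(L[j] + A + B, A + B);   /* data-dependent rotate */
        i = (i + 1) % RC6_T;
        j = (j + 1) % c;
    }
}

/* Encrypt one 16-byte block; words are loaded little-endian as in the paper. */
void rc6_encrypt(const uint32_t S[RC6_T], const uint8_t in[16], uint8_t out[16])
{
    uint32_t A = ld32(in), B = ld32(in + 4), C = ld32(in + 8), D = ld32(in + 12), t, u, x;
    B += S[0]; D += S[1];
    for (int i = 1; i <= RC6_R; i++) {
        t = rotl(B * (2 * B + 1), 5);  /* lg(32) = 5 */
        u = rotl(D * (2 * D + 1), 5);
        A = rotl(A ^ t, u) + S[2 * i];
        C = rotl(C ^ u, t) + S[2 * i + 1];
        x = A; A = B; B = C; C = D; D = x;
    }
    A += S[RC6_T - 2]; C += S[RC6_T - 1];
    st32(out, A); st32(out + 4, B); st32(out + 8, C); st32(out + 12, D);
}
```

Compiling with `-O2 -S` and looking for `rol`/`rlwnm` in the output shows whether the compiler turned the masked rotate into the single instruction the post is talking about.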