On Tue, Dec 21, 2010 at 7:12 PM, Daniel Kahn Gillmor dkg@fifthhorseman.net wrote:
On 12/21/2010 04:24 AM, Niels Möller wrote:
which spec to implement,
Well, for my purposes, i'd start with the curves slated for use in the upcoming OpenPGP ECC extension:
https://tools.ietf.org/html/draft-jivsov-openpgp-ecc-06#section-4
I think this allows for conformance to the NSA's Suite B recommendations, for whatever that's worth.
I think Daniel is on the right track by choosing standardized domain parameter support. When using standard parameters, you only have to choose your private key and publish the public key. In this case, RFC 5114 - Additional Diffie-Hellman Groups for Use with IETF Standards (et al), would also be of interest.
If you want to offer a full-blown EC implementation, you will need to implement domain parameter generation. The tricky part of custom curves is the point counting to ensure the curve meets the requisite security level. I don't believe OpenSSL offers domain parameter generation, and I know Crypto++ does not offer domain parameter generation.
When I need a custom curve due to relaxed security requirements, I use Marcel Martin's Elliptic Curve Builder. Martin implemented the point counting algorithms to ensure the group order meets requirements. The way I use ECB with Crypto++ can be found at http://www.cryptopp.com/wiki/Elliptic_Curve_Builder.
If you look at IEEE/IETF/ISO-IEC/NESSIE/NIST/NSA/{Favorite Standards Body} support as a base implementation in Nettle, then think of domain parameter generation as incremental.
patents situation,
Unfortunately, the patent system seems to be such that even if i were a patent lawyer (i am not, fortunately), i could make no iron-clad guarantees.
Offload the responsibility on the users of the library, seek counsel from the FSF, or consult with an outside attorney.
I am not aware of Certicom ever bringing suit against users, developers or libraries. Most likely, you will not have to worry about Certicom since pursuing a lawsuit would be a waste of time and money for the company. The only technology company that appears to voraciously assert its rights against folks like users and developers is Apple.
For those interested, Certicom, which holds many EC patents and is owned by RIM, lost a few "slam dunk" cases recently. The events caused paralysis in RIM's legal department to the point where the sales team has not inked a license in over a year. When I inquired about licensing over the summer, I was told to go to RSA Data Securities even though RSA is probably violating Certicom. The fellow who advised me worked for Certicom.
Jeff
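
An added example, not part of the original message and not code from Nettle, Crypto++ or Elliptic Curve Builder: why custom domain parameters depend on point counting, shown on toy curves constructed here. The function names, the sample curves and the `max_cofactor` threshold are assumptions, and the anomalous-curve check goes beyond what the message mentions.

```python
# Added example: toy-sized curves constructed for illustration. Curves of
# cryptographic size need a Schoof-type counting algorithm, not this O(p) loop.

def legendre(v, p):
    """Legendre symbol of v modulo an odd prime p: 1, -1 or 0."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def curve_order(a, b, p):
    """Count points on y^2 = x^3 + a*x + b over GF(p), including infinity."""
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))

def largest_prime_factor(n):
    """Trial division; adequate only for toy-sized orders."""
    factor, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            factor, n = d, n // d
        d += 1
    return n if n > 1 else factor

def check_curve(a, b, p, max_cofactor=4):
    """Return (order, problems); an empty problems list means the checks passed."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        return None, ["singular: discriminant is zero"]
    order = curve_order(a, b, p)
    q = largest_prime_factor(order)
    problems = []
    if order // q > max_cofactor:
        # The usable security level follows the prime subgroup, not the field size.
        problems.append(f"cofactor {order // q} too large (prime subgroup order {q})")
    if order == p:
        problems.append("anomalous: order equals the field size")
    return order, problems

if __name__ == "__main__":
    # (a, b, p) triples constructed for this example.
    for a, b, p in [(2, 2, 17), (1, 0, 23), (3, 2, 5), (-3, 2, 17)]:
        print((a, b, p), check_curve(a, b, p))
```

None of these checks can be made from the coefficients alone once the curve is non-singular; each needs the group order, which is why standardized parameters ship with it already computed.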