Cryptography-Digest Digest #80, Volume #14        Thu, 5 Apr 01 02:13:01 EDT

Contents:
  Re: Royalty free use of Mars ("Scott Fluhrer")
  Re: A gift for cryptanalysts ("Scott Fluhrer")
  Re: A group ? ("Scott Fluhrer")
  Re: Simple private key encryptions ("Joseph Ashwood")
  Re: PGP Private key cracking service ("Flakdaddy")
  Newbie looking for texts about DES and Blowfish (John Stanford)
  Re: Data dependent arcfour via sbox feedback (Bryan Olson)
  Re: patent this and patent that ("John A. Malley")
  Re: Valid condition for multiplicative generator? ("David Thompson")
  Re: patent this and patent that (Vernon Schryver)
  Re: Data dependent arcfour via sbox feedback (Terry Ritter)
  Re: patent this and patent that (Terry Ritter)

----------------------------------------------------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Royalty free use of Mars
Date: Wed, 4 Apr 2001 16:52:45 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> "M.S. Bob" wrote:
> >
> > Let's see, let's go to the MARS home page at IBM
> > <http://www.research.ibm.com/security/mars.html>.
> > Oh, what's the link at the top of the page...
> >
> > "MARS is now available worldwide under a royalty-free license from
> > Tivoli. Read the press release or contact Ron Silletti at 914-765-4373
> > for more details"
> >
> ><http://www.tivoli.com/news/press/pressreleases/en/2000/mars.html>
>
> The other finalists of AES seem also to be free. However,
> remember that Hitachi has raised claims of conflict of
> these with its rotation patents. (See the web page of
> AES.) So one needs to clarify the patent issue before
> employing such algorithms in countries where Hitachi's
> patents are in force.

In addition (unless RSA Security has changed their policy, and forgot to
tell me), RC6 is definitely not "free" -- you have to license it.

BTW: why'd the OP want to use MARS anyways?  Most people (don't you love
vague references like that) consider MARS to be the worst of the AES
finalists.

--
poncho




------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: A gift for cryptanalysts
Date: Wed, 4 Apr 2001 16:46:12 -0700


Mark Wooding <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> The other day I was thinking about a block cipher I could implement
> easily in my HP-48 calculator.  I wanted to avoid tables and polynomial
> arithmetic, because it's too painful, and I wanted to minimize memory
> usage as much as possible.  I didn't care about performance.
>
> I constructed a 64-bit block cipher with a 128-bit key.  I used 32-bit
> integer multiplication, OR, XOR, and fixed rotations.  There is a magic
> constant, C = 0xb7e15163.
>
>
> The cipher, Gift, is a 16-round Feistel network.
>
> We define the function F_z(x) for two 32-bit words x and z, to be:
>
>   F_z(x) = ((x * (z OR 1)) XOR C) <<< 16
>
> where * denotes multiplication mod 2^{32}, OR denotes bitwise
> inclusive-OR, XOR denotes bitwise exclusive-OR and <<< denotes a
> circular left shift.
>
> The key schedule constructs 18 32-bit subkeys from the 4 32-bit key
> (k_0, k_1, k_2, k_3):
>
>   z_i = F_{k_{i+3}}(k_{i+1})
>   k_{i+4} = k_i XOR z_i
>
> for 0 <= i < 18.  The z_i are the round subkeys.
>
> To encrypt a block represented as a pair of 32-bit words (x_0, x_1):
>
> Let x_2 = x_0 XOR z_0.  Now define
>
>   x_{i+3} = x_{i+1} XOR F_{z_{i+1}}(x_{i+2})
>
> for 0 <= i < 16.  Then let x_19 = x_17 XOR z_17.  The ciphertext is the
> pair (x_19, x_18).
>
>
> I wanted to save code by using the same F function in the key schedule
> and cipher.  The key schedule can be run backwards as well as forwards,
> so for decryption you just need to remember (k_{18}, k_{19}, k_{20},
> k_{21}) on a long-term basis.  The keys are used in the order they're
> generated.  Apart from the key schedule, decryption is the same as
> encryption.
>
> The function F_z is bijective.  (z OR 1) is coprime to 2^{32}, so the
> multiplication is invertible.  XOR with a constant, and fixed rotation
> are obviously bijective.  However, it's not possible, in general, to
> determine z given x and F_z(x), since x might be even.
>
> The multiplication is easy on the HP-48, and provides good upwards
> diffusion.  The only problem is that if x = 0, x * z = 0 too; hence the
> XOR.  The rotation provides downwards diffusion.
>
> I think that we get total avalanche in the cipher within four rounds.
>
> The key schedule avalanches well too.  Note that at each stage the
> output of the previous Feistel-like round is used as the key in the next
> one in the forward direction; in the backwards direction, we get strong
> avalanche because of the Feistel structure of the key schedule.
>
> There's no particular reason not to allow other block sizes.  The
> rotation should be by a quarter of the block size.  Similarly, different
> sized keys can be accommodated by minor and obvious tweaks to the key
> schedule.
>
>
> The multiplication should sort out any problems with differential or
> linear cryptanalysis extremely rapidly.  I think I'm mainly worried
> about techniques like mod-n analysis.

I first would like to note that this cipher is quite similar to Nimbus,
which was just completely and utterly broken by Vladimir Furman at FSE2001
earlier this week.  The major differences are that Nimbus uses a SPN
structure rather than a Feistel structure, and that Nimbus uses bitreversal,
while Gift uses half-word rotates (oh, and Nimbus has only 5 rounds).  If
Gift used bitreversal, the differentials that Furman used would apply
directly.  However, those particular differentials are not preserved by
rotates.  However, his results strongly suggest that 'multiplying mod 2**N
by a key dependent constant' doesn't disrupt xor differentials nearly as
well as people had hoped.

However, by adapting the general idea, I believe I have found a differential
over 15 rounds that exists with probability circa 2**-60.  I believe that
this can be used as a distinguisher against the full Gift given the entire
code book, but just barely.  It works by using two nontrivial differentials
through the F function:

  Input delta 0x80000000 => Output delta 0x00008000 (probability 1)
  Input delta 0x00008000 => Output delta 0x80000000 (probability 2**-15)

Using these two differentials (and the trivial differential), you get a 6
round differential which starts out (0x000080000 0x80000000) and ends up
with the same differential with probability 2**-30, and a three round
differential that starts out (0x000080000 0x80000000) and ends up with
differential (0x80000000 0x00008000) with probability one.  Take two copies
of the 6 round differential, one copy of the 3 round differential, and you
get the 15 round differential.


>
> I'll be astonished if Gift is actually strong.  It's just too simple.
> And too fast.  It's *very* fast.  50% faster than Blowfish (Catacomb
> version, on a P3).
>
> Gift is free to everyone, for any use.
>
> -- [mdw]
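Added example (not part of either post, and not Mark Wooding's or Scott Fluhrer's code): a Python model of Gift as specified in the quoted text, used to measure the differentials named in the reply. It assumes the reply's nine-digit 0x000080000 means 0x00008000 and that a difference pair is ordered (x_{i+1}, x_{i+2}); the helper names, trial counts and sample key are constructed for illustration.

```python
import random

MASK32 = 0xFFFFFFFF
C = 0xB7E15163  # magic constant given in the post


def rotl16(v):
    """Rotate a 32-bit word left by 16 bits."""
    return ((v << 16) | (v >> 16)) & MASK32


def F(z, x):
    """F_z(x) = ((x * (z OR 1)) XOR C) <<< 16, multiplication mod 2^32."""
    return rotl16(((x * (z | 1)) & MASK32) ^ C)


def key_schedule(key):
    """Expand (k_0..k_3) into the 18 subkeys z_0..z_17."""
    k = list(key)
    z = []
    for i in range(18):
        z.append(F(k[i + 3], k[i + 1]))   # z_i = F_{k_{i+3}}(k_{i+1})
        k.append(k[i] ^ z[i])             # k_{i+4} = k_i XOR z_i
    return z


def rounds(z, a, b, n, first=1):
    """Apply n Feistel rounds to the state (a, b) = (x_{i+1}, x_{i+2})."""
    for r in range(n):
        a, b = b, a ^ F(z[first + r], b)
    return a, b


def crypt(z, x0, x1):
    """Whitening with z[0], 16 rounds with z[1..16], whitening with z[17]."""
    a, b = rounds(z, x1, x0 ^ z[0], 16)   # start from (x_1, x_2)
    return a ^ z[17], b                   # (x_19, x_18)


def encrypt(key, x0, x1):
    return crypt(key_schedule(key), x0, x1)


def decrypt(key, y0, y1):
    # Same structure as encryption with the subkeys used in reverse order.
    return crypt(key_schedule(key)[::-1], y0, y1)


def f_diff_rate(d_in, d_out, trials, rng):
    """Fraction of random (z, x) for which XOR difference d_in gives d_out."""
    hits = 0
    for _ in range(trials):
        z, x = rng.getrandbits(32), rng.getrandbits(32)
        hits += (F(z, x) ^ F(z, x ^ d_in)) == d_out
    return hits / trials


def three_round_rate(trials, rng):
    """Rate at which (0x00008000, 0x80000000) becomes (0x80000000, 0x00008000)
    after three rounds, over random keys and random states."""
    d_in, d_out = (0x00008000, 0x80000000), (0x80000000, 0x00008000)
    hits = 0
    for _ in range(trials):
        z = key_schedule([rng.getrandbits(32) for _ in range(4)])
        a, b = rng.getrandbits(32), rng.getrandbits(32)
        a1, b1 = rounds(z, a, b, 3)
        a2, b2 = rounds(z, a ^ d_in[0], b ^ d_in[1], 3)
        hits += (a1 ^ a2, b1 ^ b2) == d_out
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(2001)  # fixed seed so the run is repeatable
    print("F: 0x80000000 -> 0x00008000 rate:",
          f_diff_rate(0x80000000, 0x00008000, 2000, rng))
    # Key-dependent and rare; this sample only shows that it is rare.
    print("F: 0x00008000 -> 0x80000000 rate:",
          f_diff_rate(0x00008000, 0x80000000, 20000, rng))
    print("three-round differential rate:", three_round_rate(500, rng))
```

The first and third rates come out as exactly 1.0 because an odd multiplier maps a top-bit difference to a top-bit difference, and the rotation then moves it to bit 15.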



------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: A group ?
Date: Wed, 4 Apr 2001 17:00:31 -0700


Jack Lindso <[EMAIL PROTECTED]> wrote in message
news:3acad95a$[EMAIL PROTECTED]...
> Well I would like to know whether there are any specific guidelines by which
> you should test a given F().

That would appear to be a hard problem.  Most real block ciphers have no
proof whatsoever that the permutations are neither groups nor "near groups"
(where such a K3 exists with nontrivial probability).  About the only
counterexample I can think of is DES, which was proven not to be a group,
however, that proof took advantage of the weak (self-inverse) keys, and so
that technique would not appear to be useful on other block ciphers.  If you
want the reference anyways, look at:

Kaliski, Burton S. Jr.; Ronald L. Rivest; and Alan T. Sherman, ``Is the Data
Encryption Standard a group?'' in Advances in Cryptology: Proceedings of
Eurocrypt 85, Franz Pichler, ed., Springer-Verlag (New York, 1986), 81--95.

>
> Cheers.
>
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Jack Lindso wrote:
> > > Hey, to all I'm just starting to learn cryptology and I've gotten to
> > > the need of finding out :
> > >     if we know that F(P,K1)==>C1
> > >     and                   F(C1,K2)==>C2 {C1!=C2}
> > >     then can we find K3 such that F(P,K3)=C2
> >
> > So what do you want us to do?  The answer is, it depends on F.
>
>



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Simple private key encryptions
Date: Mon, 2 Apr 2001 14:42:36 -0700

I've personally found that taking a pre-value called S of whatever size is
appropriate, postpending the user passphrase, applying SHA-1 to the result,
to be quite effective. As to the sanity check, it leaks less information if
you recompute the public key from the new private and verify that they do
actually match.
                    Joe

in pseudo-code:
Retrieve S from disk
priv_key = SHA-1(S, passphrase)
t_pub = g^priv_key mod p
if(t_pub != pub_key)
    tell pretender to go away

"Darryl Wagoner - WA1GON" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Greetings,
>
> Keep in mind that the TrustedQSL tool is mainly to keep
> honest people honest.
>
> What seems to me an easy way to encrypt the DSA private key
> is to take sha1 hash of the passphrase and xor it with
> the private key.  Same number of bits.
>
> Then as a sanity check for the user I return the first
> 2 bytes of a sha1 hash of the uncrypted private key.
> Which is passed back on the decryption call and it
> has to match the decrypted private key.  I started
> out by passing back all of the hash, but that was too
> insecure for my liking and I think the 2 bytes is enough
> for the sanity check.
>
> Input?
> --
> Darryl Wagoner - WA1GON
>
> Join the TrustedQSL mailing list.  An Open Source solution.
> Post message: [EMAIL PROTECTED]
> Subscribe:  [EMAIL PROTECTED]
> List owner:  [EMAIL PROTECTED]
> http://www.trustedQSL.org
>
>
>
>
>
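Added example (not code from either poster or from TrustedQSL): the two passphrase checks discussed in this thread, side by side, showing that a two-byte check accepts some wrong passphrases while recomputing the public key rejects them. The group (P = 2**127 - 1, G = 3), the salt, the passphrases and the private key are constructed toy values, not DSA parameters.

```python
import hashlib

# Toy group, constructed for illustration only (assumption): not DSA parameters.
P = 2**127 - 1   # a Mersenne prime
G = 3


def sha1_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def public_key(priv: int) -> int:
    return pow(G, priv, P)


# Scheme from the quoted post: XOR with SHA-1(passphrase), 2-byte sanity check.
def xor_wrap(priv: int, passphrase: bytes):
    blob = priv ^ sha1_int(passphrase)
    tag = hashlib.sha1(priv.to_bytes(20, "big")).digest()[:2]
    return blob, tag


def xor_unwrap(blob: int, tag: bytes, passphrase: bytes):
    """Return the recovered key if the 2-byte check passes, else None."""
    priv = blob ^ sha1_int(passphrase)
    ok = hashlib.sha1(priv.to_bytes(20, "big")).digest()[:2] == tag
    return priv if ok else None


# Scheme from the reply: priv = SHA-1(S || passphrase), check g^priv mod p.
def derive_priv(salt: bytes, passphrase: bytes) -> int:
    return sha1_int(salt + passphrase)


def derive_and_check(salt: bytes, passphrase: bytes, pub_key: int):
    """Return the derived key if it reproduces pub_key, else None."""
    priv = derive_priv(salt, passphrase)
    return priv if public_key(priv) == pub_key else None


def find_false_accept(blob, tag, real_passphrase, limit=2_000_000):
    """Return a wrong passphrase that still passes the 2-byte check.
    Each wrong guess passes with probability about 2**-16."""
    for n in range(limit):
        guess = b"wrong-%d" % n
        if guess != real_passphrase and xor_unwrap(blob, tag, guess) is not None:
            return guess
    return None


# Constructed sample values.
PASSPHRASE = b"correct horse"
SALT = b"constructed-salt"
PRIV = sha1_int(b"constructed private key")


def demo():
    blob, tag = xor_wrap(PRIV, PASSPHRASE)
    guess = find_false_accept(blob, tag, PASSPHRASE)
    wrong_priv = xor_unwrap(blob, tag, guess)
    pub = public_key(derive_priv(SALT, PASSPHRASE))
    return {
        "false_accept_passphrase": guess,
        "xor_check_accepts_wrong_key": wrong_priv is not None and wrong_priv != PRIV,
        "wrong_key_matches_public_key": public_key(wrong_priv) == public_key(PRIV),
        "pubkey_check_accepts_right": derive_and_check(SALT, PASSPHRASE, pub) is not None,
        "pubkey_check_accepts_wrong": derive_and_check(SALT, guess, pub) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```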



------------------------------

From: "Flakdaddy" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security,comp.security.misc,comp.security.pgp.discuss,comp.security.pgp.tech,de.comp.security
Subject: Re: PGP Private key cracking service
Date: Wed, 4 Apr 2001 22:12:02 -0400

You should be directing your question to those crazy guys and gals over in
alt.binaries.cracks, maybe they would be a little more receptive to your
problem.

Alternatively, you could send me US$500,000.00 up front, along with the
private key, which I would crack using my ultra-secret proprietary
algorithm. A bargain at twice the price. Cash only, small bills please.

"Peter" <[EMAIL PROTECTED]> wrote in message
news:01c0bd1f$7f5756c0$2471310a@u51376...
> I forgot my passphrase...
>
> Are there any tools I could use to try to crack my private key passphrase?
>
> Is there a (commercial) service that does this for me?
>
> Peter



------------------------------

From: John Stanford <[EMAIL PROTECTED]>
Subject: Newbie looking for texts about DES and Blowfish
Date: Thu, 05 Apr 2001 02:54:13 GMT

I'm new to cryptography.  Can anyone tell me where I can find texts 
about how Blowfish and DES work?  Thanks


------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Wed, 04 Apr 2001 19:53:09 -0700


Bryan Olson wrote:
> > Terry Ritter wrote:

> > >The "second data source" is modified by said "result data" before use,
> > >but no part of the claims excludes that possibility.
> > 
> > The word "source" excludes the possibility.  The sequence of
> > y values is in fact a _product_ of the substitution process,
> > not a source. If unclear of the interpretation of "source",
> > just read the background and look at the diagrams in the
> > patent.

> Any sequence of data values is "a source."  We can see this 
> throughout the patent, including:  "A first data source and 
> a second data source are combined into a complex 
> intermediate form or result. . . ."  Note the lack of 
> description about the "ultimate" origin of any data sequence 
> treated as a "source."  

It may be any sequence of values, but it must be a source, 
not a product.  Neither does the ultimate origin matter; 
just that it comes in from the outside.

> But, if you don't like the word "source," perhaps you would
> prefer the word "value": [...]

Which is not the word in the claim at issue.

[...]
> > doesn't the following
> > algorithm fulfill the description from claim 1?  How about
> > claims 2, 7 and 8?
> > 
> >     Assume a (pseudo) random data source S
> > 
> >     initialize T[0..k-1] to hold 0..k-1
> >     for i in 0..k-2
> >         j = S.next() scaled/shifted to be in i..k-1
> >         output T[j]
> >         swap(T[i], T[j])

> I'm not happy with any mechanism claimed to be Dynamic 
> Substitution being inherently limited to a sequence of a 
> particular length.

Didn't you recently write:

| The appropriate way to check for infringement is to take
| the actual words from a claim and try to fit them to the
| design being checked.

What you are happy with doesn't enter into it.  Why do you 
not apply the same standard here that you stated previously?

> It is implied throughout the patent body that there is no such
> limitation.

What text from claim 1 implies that?  How about claims 2, 7 
and 8?  Didn't you also write:

| When we check for patent infringement, we don't look at the 
| whole description and then just somehow form an impression 
| one way or the other.  Instead, we try to match the specific 
| words of each requirement, phrase by phrase, with the design 
| being checked,

If we do that, we see it matches at least as well as the 
algorithm you argued to match.

You also went through the claim and showed DES obviously 
doesn't match. Shouldn't this algorithm be handled the same 
way?

> Thus, I expect that the Dynamic Substitution patent 
> distinguishes from the described mechanism.  I think you can
> probably use it without patent implications.

That wasn't the question; we both know it's clear of patent 
protection by now.


--Bryan

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: patent this and patent that
Date: Wed, 04 Apr 2001 19:58:58 -0700


Terry Ritter wrote:
> 

> 
> I have no idea what is meant by the term "blocking patent."  It is not
> possible to obtain a patent on just anything, it is only possible to
> obtain a patent on something new.  If "blocking patent" means that it
> prevents a manufacturer from producing something without license, that
> is the whole point of having a patent.
> 

Blocking patents are an interesting "weapon" in business "warfare". 
Company A gets a patent on an invention of some measurable value with
respect to potential or actual market penetration. Company B patents
legitimate incremental improvements to Company A's patent after it
appears, anticipating the probable improvements the market will desire
after product introduction, or improvements that increase manufacturing
yields, etc.  Meanwhile, Company A's product's market share rapidly
climbs but eventually growth levels off. Company A improves its product
to expand its market share and to maintain "momentum". 

These improvements infringe on Company B's patent portfolio. Company B's
patents block Company A.

Company B asks Company A for generous licensing terms for Company A's
patent (such as exclusive licensing or exclusive licensing in certain
geographic areas of the marketplace). In return, Company B will license
its patents on the improvements Company A needs for its next-generation
product line. 

Company A cannot grow its product line substantially more unless it
agrees to Company B's terms. Company B gambles on its investment in
those patents with the chance that Company A eventually gives in. All
Company B stands to lose is the cost of securing the patents on
improvements (far less non-recurring engineering cost than Company A's
R&D cost to come up with the original patent.) 

Company B generally sets up a distribution "partnership" with Company A
in some geographic marketplace of mutual interest, effectively allowing
A and B to sell their own competing versions of that product line in
that area. 

Company B is the throttle on Company A's expansion.  


John A. Malley
[EMAIL PROTECTED]

------------------------------

From: "David Thompson" <[EMAIL PROTECTED]>
Subject: Re: Valid condition for multiplicative generator?
Date: Thu, 05 Apr 2001 05:08:11 GMT

Paul Crowley <[EMAIL PROTECTED]> wrote :
...
> Short answer: A pseudorandom generator stretches a small random
> quantity (perhaps 128 bits) into what appears to be a large random
> quantity.  If you don't even have a small random quantity, you need
> somewhere to get them from.

That's one use.  Even with no random seeding, a PRxG
can generate _statistically_ random, but not crypto-random,
data.  This is sufficient for many _non-security_ applications
such as Monte Carlo simulation, screensavers and other
eye candy, Ethernet-style contention backoff, etc.
All off-topic here.

--
- David.Thompson 1 now at worldnet.att.net






------------------------------

From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: patent this and patent that
Date: 4 Apr 2001 17:30:40 -0600

In article <[EMAIL PROTECTED]>,
John Savard <[EMAIL PROTECTED]> wrote:

> ...
>Actually, it's highly relevant. If the statement "software is a name
>we give to customizing a machine to do something" is held to be
>literally and fully true, then including computer software within the
>reach of the patent law is a natural and proper outgrowth of the prior
>functioning of the patent law, and is not an illegitimate extension
>thereof.
>
>On the other hand, if one views a computer program as primarily an
>_algorithm_, a mathematical procedure for doing something, like the
>set of rules for long division, that can be used by a human to perform
>calculations - and the fact that the algorithm might be performed
>automatically by a computer instead is a trivial detail - then the
>objections to "software patents", real and so-called, become apparent.
>
>So it actually addresses the central issue of this controversy.

No, while it is an issue central to the controversy of whether software
patents are legitimate as a matter of law, it is irrelevant to whether
patents are a good idea in general or for any particular field such
as software.

I'd like to agree with the many people who insist that software patents
are legally bogus, but the U.S. courts have repeatedly decided otherwise.
As long as programmers and protocol designers must worry about patents
(e.g. RSA, LZW, or the years that Motorola-Codex stalled PPP compression),
the theoretical legal legitimacy of software patents is moot.

As for the other controversy, Mr. Ritter clearly agrees with many patent
experts that patents are a good thing for software.  His talk about a
social obligation of innovators to publish strikes me as an odd sort of
collectivism.  Other than that, he seems to agree with the many patent
experts who insist their services are valuable and even vital to me and
my art.  I think software patents are a legalized extortion by people
who want to be a part of the latest new thing but cannot find a role as
productive as members of organized crime selling "protection" to merchants.
At least those mobsters make the costs of crime more predictable. 
But maybe my views are distorted by not having gone to law school.

Mr. Ritter does disagree on a smaller point with the patent professionals
I've heard.  They all seem to agree that many patents are as valid as
the faster than speed of light idea described in
http://www.delphion.com/details?&pn=US05446889__
The existence of that patent either proves an awesome ignorance of
science and technology for at least one patent examiner or it disproves
Mr. Ritter's description of the patent process.

I've not heard attorneys in the business of helping people get patents
say that most patents are bogus, but even they agree there is lots of
patented bogosity.  I think I recall official statements from the USPTO
that implicitly acknowledge that the history of software patents has been
nothing to brag about...something about decades of not having examiners
with clues about computing.

The new craze of business method patents must give intellectually honest
people reason to wonder about the fundamental legitimacy of patents.  Yes,
the USPTO has talked about backing off from some of the worst of those,
but they will not back off enough to notice.  Since the dot-com craze is
over, IP professionals are probably not as enthused about the field as
they were.  Still, business method patents will not follow B-to-C and the
rest of the SuperHypeWay into oblivion.  No bureaucracy or regulatory
outfit including Congress ever quits willingly.

Even if the Congress and the USPTO wanted to reduce the flood of bogus
patents, they wouldn't be allowed by the large segment of the public that
dreams of going into a garage, inventing intermittent windshield wipers
or an unbreakable cipher, and getting rich.  The IP professionals that
live on fees from those dreamers would also have something to say.


Vernon Schryver    [EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Data dependent arcfour via sbox feedback
Date: Thu, 05 Apr 2001 05:18:25 GMT


On Wed, 04 Apr 2001 19:53:09 -0700, in
<[EMAIL PROTECTED]>, in sci.crypt Bryan Olson
<[EMAIL PROTECTED]> wrote:

>Bryan Olson wrote:
>> > Terry Ritter wrote:
>
>> > >The "second data source" is modified by said "result data" before use,
>> > >but no part of the claims excludes that possibility.
>> > 
>> > The word "source" excludes the possibility.  The sequence of
>> > y values is in fact a _product_ of the substitution process,
>> > not a source. If unclear of the interpretation of "source",
>> > just read the background and look at the diagrams in the
>> > patent.
>
>> Any sequence of data values is "a source."  We can see this 
>> throughout the patent, including:  "A first data source and 
>> a second data source are combined into a complex 
>> intermediate form or result. . . ."  Note the lack of 
>> description about the "ultimate" origin of any data sequence 
>> treated as a "source."  
>
>It may be any sequence of values, but it must be a source, 
>not a product.  Neither does the ultimate origin matter; 
>just that it comes in from the outside.

The ultimate origin is of course outside *the* *combiner*, but not
necessarily outside the system containing the combiner.  

When you present a system which is more than just the combiner, I am
free to select what signals there are and try to match them to a
claim.  You don't get to decide what signals I select.  You can add
whatever you want around an invention in an attempt to obscure which
parts actually constitute the invention, but the invention is still
there somewhere, and I get to find it.  

If signals exist in any form which can match the claim, they count.


>> But, if you don't like the word "source," perhaps you would
>> prefer the word "value": [...]
>
>Which is not the word in the claim at issue.

It only takes one claim.  Any claim counts.  


>[...]
>> > doesn't the following
>> > algorithm fulfill the description from claim 1?  How about
>> > claims 2, 7 and 8?
>> > 
>> >     Assume a (pseudo) random data source S
>> > 
>> >     initialize T[0..k-1] to hold 0..k-1
>> >     for i in 0..k-2
>> >         j = S.next() scaled/shifted to be in i..k-1
>> >         output T[j]
>> >         swap(T[i], T[j])
>
>> I'm not happy with any mechanism claimed to be Dynamic 
>> Substitution being inherently limited to a sequence of a 
>> particular length.
>
>Didn't you recently write:
>
>| The appropriate way to check for infringement is to take
>| the actual words from a claim and try to fit them to the
>| design being checked.
>
>What you are happy with doesn't enter into it.  Why do you 
>not apply the same standard here that you stated previously?

As far as I can see, the standard is the same.  

The body of the patent is used as a dictionary to interpret the
meaning of words used in the claims.  I have quoted several times
where it does not support your interpretations.  


>> It is implied throughout the patent body that there is no such
>> limitation.
>
>What text from claim 1 implies that?  How about claims 2, 7 
>and 8?  Didn't you also write:

It doesn't matter.  Any one claim counts.  It is only necessary for
all aspects of any one claim to be satisfied for a design to read on
the claim.  

Dependent claims further restrict the claim upon which they depend.
In this way, dependent claim 2 thus further restricts independent
claim 1.  The reason for this is to accommodate newly-found prior art
which may invalidate the most inclusive (independent) claim.  If that
happens, one or more of the more restrictive (dependent) claims may
survive.  Dependent claims otherwise have little use, other than
demonstrating various possibilities to the examiner and reader.  

That is straightforward patent interpretation.  


>| When we check for patent infringement, we don't look at the 
>| whole description and then just somehow form an impression 
>| one way or the other.  Instead, we try to match the specific 
>| words of each requirement, phrase by phrase, with the design 
>| being checked,
>
>If we do that, we see it matches at least as well as the 
>algorithm you argued to match.

I have no idea what that statement means.  

If your implication is that shuffling constitutes prior art, it should
be quite clear that shuffling was not considered to be any sort of
combiner -- let alone a cryptographic combiner -- prior to my
publications on Dynamic Substitution.  That in itself would be enough:
The simple use of old art in a new way is patentable material.
However, that did not happen in this case.  

Shuffle, originally presented by Durstenfeld, was cited as prior art
in the patent, and was formally examined.  Dynamic Substitution was
found to distinguish beyond Shuffle; the issue has thus been formally
addressed and is now decided.  


>You also went through the claim and showed DES obviously 
>doesn't match. Shouldn't this algorithm be handled the same 
>way?

Yes, it should and was.  DES is not a substitution table.  


>> Thus, I expect that the Dynamic Substitution patent 
>> distinguishes from the described mechanism.  I think you can
>> probably use it without patent implications.
>
>That wasn't the question; we both know it's clear of patent 
>protection by now.

I guess that depends on what "it" means.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: patent this and patent that
Date: Thu, 05 Apr 2001 05:18:46 GMT


On Wed, 04 Apr 2001 19:58:58 -0700, in
<[EMAIL PROTECTED]>, in sci.crypt "John A. Malley"
<[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>> 
>> I have no idea what is meant by the term "blocking patent."  It is not
>> possible to obtain a patent on just anything, it is only possible to
>> obtain a patent on something new.  If "blocking patent" means that it
>> prevents a manufacturer from producing something without license, that
>> is the whole point of having a patent.
>> 
>
>Blocking patents are an interesting "weapon" in business "warfare". 
>Company A gets a patent on an invention of some measurable value with
>respect to potential or actual market penetration. Company B patents
>legitimate incremental improvements to Company A's patent after it
>appears, anticipating the probable improvements the market will desire
>after product introduction, or improvements that increase manufacturing
>yields, etc.  Meanwhile, Company A's product's market share rapidly
>climbs but eventually growth levels off. Company A improves its product
>to expand its market share and to maintain "momentum". 
>
>These improvements infringe on Company B's patent portfolio. Company B's
>patents block Company A.
>
>Company B asks Company A for generous licensing terms for Company A's
>patent (such as exclusive licensing or exclusive licensing in certain
>geographic areas of the marketplace). In return, Company B will license
>its patents on the improvements Company A needs for its next-generation
>product line. 
>
>Company A cannot grow its product line substantially more unless it
>agrees to Company B's terms. Company B gambles on its investment in
>those patents with the chance that Company A eventually gives in. All
>Company B stands to lose is the cost of securing the patents on
>improvements (far less non-recurring engineering cost than Company A's
>R&D cost to come up with the original patent.) 
>
>Company B generally sets up a distribution "partnership" with Company A
>in some geographic marketplace of mutual interest, effectively allowing
>A and B to sell their own competing versions of that product line in
>that area. 
>
>Company B is the throttle on Company A's expansion.  

Thank you for the explanation.  I am familiar with the concept, just
not the name, and not the negative implications.  

I think this is inherent in patents and always has been.  Somebody can
design a cipher using Dynamic Substitution (which I control), and then
patent that cipher.  Their patent means I can't produce their
particular cipher -- but they can't either, without a license from me,
unless and until my patent lapses.  

On the other hand, I can still produce all other unpatented ciphers
that depend on Dynamic Substitution; I can patent other ciphers and so
on.  In other words, they are stopped, nothing has changed for me, and
if they want to start, they need to meet my terms.  What more can one
possibly ask from a mere patent?  

My point here is that I would think Company A is more in the driver's
seat than you indicate.  If A has been "blocked," surely that is a
natural result of not building on their original lead in technology.
When companies get old, they get sold, and life goes on.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
