ECC Patents: A Practical Guide

TL;DR

Using Elliptic Curve Cryptography (ECC) can be tricky due to patents. This guide explains how to minimise risk, focusing on freely available implementations and curves. It’s not legal advice, but a practical approach for developers.

Understanding the Problem

ECC is covered by several patents, primarily held by companies like Qualcomm. These patents relate to specific algorithms and curve parameters used in ECC. Using patented technology without a license can lead to legal issues. However, many implementations and curves are now freely available.

Step-by-Step Guide

  1. Choose a Free Curve: The most important step is selecting an ECC curve not covered by active patents. Some popular options include:
    • Curve25519: Designed for speed and security, widely used in TLS 1.3 and the Signal protocol. It’s considered patent-free.
    • secp256k1: Used by Bitcoin. While initially patented, the key patents have expired or are generally not enforced for open-source implementations.
    • Curve480: Another option with good security properties and a permissive license.
  2. Use a Patent-Friendly Library: Avoid libraries that explicitly require licenses for ECC functionality. Consider these options:
    • OpenSSL (with Curve25519): OpenSSL supports Curve25519 and other curves, but ensure you’re using the latest version with patent-friendly defaults.
    • Bouncy Castle: A Java cryptography library offering ECC support; check licensing terms carefully for specific algorithms.
    • Libsodium: A modern crypto library that includes Curve25519 and other secure primitives, designed to be easy to use and audit.
  3. Check Library Documentation: Always review the documentation of any cryptography library you use. Look for information about patent implications or licensing requirements related to ECC.
    # Example (Python with cryptography library)
    # The ec module provides the curve classes and key generation.
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.hazmat.backends import default_backend
    
    # Using secp256k1 - be aware of potential historical patent concerns.
    key = ec.generate_private_key(ec.SECP256K1(), default_backend())
    
  4. Avoid Patented Algorithms: Some specific ECC algorithms are more likely to be patented than others. Stick to well-established and widely used standards like ECDSA (Elliptic Curve Digital Signature Algorithm) with a free curve.
    • Be cautious of less common or proprietary ECC variants.
  5. Consider Software Patents: Beyond core algorithms, software patents related to specific implementations can exist. Using well-maintained and widely reviewed libraries reduces this risk.
  6. Stay Updated: Patent landscapes change. Regularly check for new patent filings or legal developments that might affect your ECC implementation.
    • Monitor crypto news sources and relevant patent databases.
  7. Consult Legal Counsel (Important): This guide provides general information only. If you’re developing a commercial product, it’s crucial to consult with a lawyer specialising in intellectual property law to assess your specific risks and ensure compliance.
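The curve choice from step 1 can be enforced mechanically, for example as a CI check over the public keys a project ships. The following is an added example, not code from this guide or from any library it mentions: it reads the curve OID out of a PEM public key using only the Python standard library and compares it with an allowlist. The allowlist contents, the function names and the sample keys (real headers with zeroed key bytes) are assumptions made for illustration.

```python
import base64
# Assumed project policy: OIDs of the curves the guide names (Curve25519, secp256k1).
ALLOWED = {"1.3.101.110": "X25519", "1.3.101.112": "Ed25519",
           "1.3.132.0.10": "secp256k1"}
EC_PUBLIC_KEY = "1.2.840.10045.2.1"  # id-ecPublicKey: curve OID sits in the parameters

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):  # DER OBJECT IDENTIFIER content bytes -> dotted string
    arcs, value = [], 0
    for byte in raw:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def curve_oid(pem):
    """Return the OID that identifies the curve of a PEM SubjectPublicKeyInfo."""
    lines = [ln for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    _, spki, _ = read_tlv(base64.b64decode("".join(lines)), 0)
    _, alg_id, _ = read_tlv(spki, 0)
    tag, alg, pos = read_tlv(alg_id, 0)
    oid = decode_oid(alg)
    if oid == EC_PUBLIC_KEY:
        tag, params, _ = read_tlv(alg_id, pos)
        if tag != 0x06:  # explicit (unnamed) curve parameters: refuse to classify
            raise ValueError("curve is not a named curve")
        oid = decode_oid(params)
    return oid

def is_allowed(pem):
    return curve_oid(pem) in ALLOWED

def sample_pem(prefix_hex, key_len):  # constructed: real SPKI header, zeroed key bytes
    b64 = base64.b64encode(bytes.fromhex(prefix_hex) + bytes(key_len)).decode()
    return f"-----BEGIN PUBLIC KEY-----\n{b64}\n-----END PUBLIC KEY-----\n"

X25519_PEM = sample_pem("302a300506032b656e032100", 32)
SECP256K1_PEM = sample_pem("3056301006072a8648ce3d020106052b8104000a03420004", 64)
P256_PEM = sample_pem("3059301306072a8648ce3d020106082a8648ce3d03010703420004", 64)
```

The P-256 sample is rejected only because it is absent from the assumed allowlist; edit `ALLOWED` to match whatever policy your own review arrives at.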
