[Cryptography Team] ECC and/or NSA Suite B?

Cerebus cerebus2 at gmail.com
Fri Nov 24 19:42:47 UTC 2006


On 11/24/06, Matthew S. Hamrick <mhamrick at cryptonomicon.net> wrote:

> With all the discussion of FIPS 140, I had assumed that most everyone
> on the list is working on government contracts. Otherwise, why bother
> with it?

Because it enables its use in products.  Without a FIPS certificate, a
crypto implementation faces serious hurdles for inclusion in a product
(and lately DoD has been cracking down on FIPS waivers).  But it's
hard to get people to pony up to pay for certification unless there's
an immediate use.  Chicken, meet egg.  :)

> The NSA negotiated a blanket US Federal Government deal for
> Certicom's patent portfolio for use in ECDSA, ECDH and ECMQV. So...
> if you're a federal government agency, you get to use these
> algorithms without having to pay Certicom anything extra. So... if
> part of what you're hoping to do is to create an ECC implementation
> that can be used by a federal agency, then you can do so without fear
> of the Certicom lawyers. Now... the moment the implementation gets
> used in a commercial product, then you've got issues.

And that's the rub.  I'd love to implement something because:

1) I love crypto, and building an ECC implementation would teach me a
great deal about it;

2) It gives me a reason to learn Smalltalk, something I've toyed with
a dozen times in the past but never made progress at because I had
nothing concrete to work on; and

3) It would just be fun.  I'm weird that way.

But the last thing I want to do is run afoul of Certicom (or cause
others to run afoul of them).

So, advice?  Should I press ahead?

-- Tim

