
End-to-end double-ratchet encryption with epoch key exchange - DyslexicAtheist
https://patentswarm.com/patents/US10412063B1
======
elmo2you
I'm not surprised to see the name of Qrypt's CTO (Denis Mandich) listed as one
of the "inventors" on the application, but to see the name of a New York
University professor (Yevgeniy Dodis) is rather baffling to me. Even more so
since the latter is supposed to be an expert in the field of crypto.

I would think that an academic professor should know better than to try to patent
something that is already known publicly so well. I can't help but wonder if
this is just pure cynicism at work: gaming a broken patent system (for
profit), at the expense of (and to hell with) any academic/scientific
authority/credibility/reputation. Or is there something I'm completely missing
here?

Regardless of whether the patent is granted or not, and unless I'm
misunderstanding the whole situation, this professor should probably be deeply
ashamed of himself and maybe even be ousted from academia altogether.

EDIT: Not to even start the discussion of how mathematical algorithms
shouldn't be patentable in the first place.

EDIT #2: Changed CEO to CTO (typo mistake)

~~~
xwowsersx
The haste with which you call for someone to be ousted from their field is
frightening.

~~~
Nullabillity
Your acceptance of people who abuse the patent system is frightening.

~~~
xwowsersx
If I don't call for someone to be ousted from their field/career then it means
I accept all of their behaviors? You do realize by that logic, you have
condoned a neverending list of bad behavior by anyone who has done something
wrong (which, newsflash, is pretty much every human being) where you haven't
called for their ouster? You may want to rethink this.

~~~
Nullabillity
> If I don't call for someone to be ousted from their field/career then it
> means I accept all of their behaviors?

There's a difference between not asking for something, and asking for
something not to happen.

Besides... There are many cases where it's a he-said-she-said debate with no
clear truth, or where the ethics aren't entirely clear to begin with. But
sometimes you're just dealing with the identity killer[0].

[0]:
[https://www.youtube.com/watch?v=oL895peZpqY](https://www.youtube.com/watch?v=oL895peZpqY)

------
lucb1e
I don't understand: the patent mentions that this is currently "ubiquitous" in
the form of the Signal protocol. Isn't that basically telling the patent
office there is prior art, i.e. they undermine their own patent application?

The relevant part of the patent application:

> The Axolotl Ratchet aka the Double Ratchet Algorithm is modeled on the
> Diffie-Hellman asymmetric ratchet in the Off-the-Record (OTR) messaging
> system and symmetric key ratchets used by the Silent Circle messaging
> protocol, resulting in the currently ubiquitous Signal Protocol.

It goes on to say "While there are a limited number of security proofs of
specific implementations, there are none for the generalized protocol". So
even if the patent were to be granted on the basis of that this is general
instead of specific, then the specific Signal protocol should not be in
violation of this patent.

~~~
tialaramex
I _think_ what they're going for is a "But X" variant where this time X is
post-quantum cryptography.

You might remember "But X" patents from when they were all for the Internet.
You know "It's a bookshop but Internet" or "It's paying for a magazine
subscription but Internet". Some of these patents were subsequently
invalidated, many made their "Inventors" plenty of money anyway.

Most of today's sensible crypto designs can be mechanically transformed into
something safe for a post-quantum world by sprinkling the right post-quantum
ingredients in the right places and putting a XOR somewhere.

The "great" thing about patents is that you can be vague about parts that you
don't specifically claim, to the point where they aren't even invented yet,
and still succeed in the application. You have to guess that the missing
pieces will get discovered, doesn't matter who by, before you stop being able
to incrementally file modified patents for the same "invention" and then you
can collect all the money because your "invention" is essential.

So they won't even need to propose a specific post quantum algorithm anywhere,
they can leave that as a black box. When something gets invented, their patent
covers it being used in the obvious way.

This sort of nonsense is another reason patents should be scrapped rather than
reformed.

~~~
matthewdgreen
The main independent claim doesn’t specifically call out quantum algorithms.
I’m struggling to see how Signal/Axolotl doesn’t match every element.

~~~
hcknwscommenter
And I am struggling to see how Signal/Axolotl does match every element of
claim 1.

------
z0mbie42
Just in case: the methodology by which CloudFlare destroyed a patent troll:
[https://blog.cloudflare.com/the-project-jengo-saga-how-cloudflare-stood-up-to-a-patent-troll-and-won/](https://blog.cloudflare.com/the-project-jengo-saga-how-cloudflare-stood-up-to-a-patent-troll-and-won/)

------
kdkdkch
I want to politely express my distaste of software patents, especially such
trivial algorithms.

~~~
lucb1e
If this is trivial, it should be rejected. I also don't find this to be
obvious -- there is a reason it took decades of working on end to end
encrypted chat algorithms before they came up with something that has all the
desirable properties of the double ratchet algorithm.

This doesn't mean I'm in favor of or against software patents, I know too
little about the topic. I just wanted to say that this isn't that trivial, and
if it were, it would not be patentable:
[https://en.wikipedia.org/wiki/Patentability](https://en.wikipedia.org/wiki/Patentability)

~~~
maqp
Double ratchet was built on top of 2004 OTR's Diffie-Hellman ratchet. From
what I understood the difference was using different, post-quantum, algorithms
for this patent. The thing is, post-quantum algorithms haven't even been
standardized yet: the NIST competition is currently in round 2.

A generalized patent for using a post-quantum cipher together with the double
ratchet takes two hard things that have taken a ton of hard work and basically
makes the claim they were the first ones to discover they are compatible and
that it's a good idea -- which is not the case; key exchange algorithms are
trivial to plug into protocols. They are implemented separately to be used
together. It's like trying to patent a portable music player, but with open
design headphones! It took the industry a lot of time to come up with portable
music players, and good headphones also took time and effort, but a
generalized patent for using them together is just nonsense.

~~~
hcknwscommenter
This patent does not derive its patentability from using different, post-
quantum, algorithms. You have not read all elements of claim 1. Moreover, even
if you were correct in your understanding that this patent is directed to
using different, post-quantum, algorithms, you still fail to understand the
impact of that. To wit, it doesn't matter that such algorithms have not been
standardized. At that stage, different entities can patent whatever their
preferred method is, and if one takes over the industry, then they can maybe
receive some licensing revenue for having developed the best method.

------
dang
We changed the title from "Somebody is trying to patent Signal's double-
ratchet crypto", which broke the site guidelines by editorializing—and which,
based on how common it is for patent applications to be misread on HN, I
suspect someone will point out is not strictly true.

If you want to say what you think is important about an article, do not do so
by cherry-picking a detail to put in the title. Instead, post it as a comment
in the thread. Then your view will be on a level playing field with everyone
else's.

[https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...](https://hn.algolia.com/?dateRange=all&page=0&prefix=false&query=by%3Adang%20%22level%20playing%20field%22&sort=byDate&type=comment)

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

Edit: since
[https://twitter.com/AlecMuffett/status/1213356702399115267](https://twitter.com/AlecMuffett/status/1213356702399115267)
was the context for this, it would have been ok to submit that itself. Note
how that tweet doesn't make the same claim. It just asks the question. So even
the tweet was editorialized here.

~~~
missosoup
I think this change of title is detrimental.

The original title signalled the context of this article which is far more
important than the premise. The new title reveals nothing of the context and a
layman interpretation changes from 'is someone trying to patent an existing
crypto algorithm?' to 'some article about some crypto algorithm'.

~~~
ricardobeat
Seconded. The whole news story here is that someone is patenting Signal's
algorithm (or something very similar to it) and not just a random interesting
patent.

~~~
pvg
You can't make up your own title to say what you think the story is, but there
are lots of options that are not that, like: find a story that has the
framing/title you want, write a comment, or write your own story/title and
post that.

~~~
missosoup
If you can make up a story and link it, then you should be able to 'make up' a
title within constraints.

There's a pretty clear cut line between editorialising (injecting spin or
opinion) and clarifying the context of the title.

In this case the change of title was objectively harmful and the traffic to
this post died after the admins made the change, because most readers had no
indication as to the importance of this anymore.

~~~
pvg
There's no such 'clear line', and this is not a 'story', it's a patent
application - things that are themselves notoriously easy to misinterpret and
misrepresent. If there is something important about the application, someone
could have written a better-titled story about it or, again, left a comment.
You're basically asking for made-up titles because you don't like what
happened to this submission. The solution to this problem is better
submissions, not made-up titles.

------
rzzzt
That screenshot with the timeline reminds me of a post earlier this year - the
event page is trying to tell you that "Application status is Active (as of
today)", i.e. it will always be shown with the current date:
[https://news.ycombinator.com/item?id=21932752](https://news.ycombinator.com/item?id=21932752)

The application was already granted in 2019-09, and is set to expire 20 years
from filing, 2039-02-05.

------
DyslexicAtheist
more context:
[https://twitter.com/AlecMuffett/status/1213356702399115267](https://twitter.com/AlecMuffett/status/1213356702399115267)

~~~
onetimemanytime
Reading that thread, Alec apparently is not a patent lawyer and others pointed
out what is really happening

~~~
alecmuffett
Indeed, I am not a patent lawyer; I am a crypto geek attempting to ascertain
whether and to what extent this treads on current, and future, implementations
of (edit: and enhancements to) the double ratchet algorithm. I believe that my
tweets are pretty clear about that.

ps: other people have simply said to "read the claims", which is fine but does
not help clarify anything.

~~~
matthewdgreen
I’ve read the claims, and don’t currently see how they exclude Signal. Perhaps
on claim construction it might be possible to dig into the specification and
find non-standard interpretations of some terms that walk around the existing
prior art. But that feels like a very unreliable approach.

~~~
hcknwscommenter
The patent office specifically looked at Signal and other implementations and
states that the Examiner "has been unable to locate prior art that would
suggest that the device sending a message in a particular epoch require its
own private key in generation of the shared first refresh key and first state
with the recipient device. Although using public keys to securely transmit
data is known in the art . . . ." The patent Applicant states "Sarafa fails to
[suggest each and every step of] 'generating on the first device, a first
epoch key . . . transmitting, from the first device, the first epoch key . . .
generating, independently on each of the first device and the second device, a
first refresh key . . . *wherein the first refresh key is generated on the
first device without requiring a private key corresponding to the first epoch
key"

~~~
matthewdgreen
I haven’t read the specification carefully enough yet to determine what they
mean by “refresh key” since that’s not really a standard term of art. If this
could refer to a Diffie-Hellman ephemeral, then said key would be generated
without requiring a separate private key corresponding to the epoch key,
something that’s also not really a standard term.

My concern with patents like this is that, since many of the terms are non-
standard and thus defined by the specification, any vagueness in the spec
leaves room for future interpretations in an infringement case that may, in
fact, lead to de facto Signal implementations being found to infringe.

ETA: I’ll read the spec later this weekend and see how they define all these
terms.

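To make the mechanism being argued over concrete (the Diffie-Hellman ratchet that maqp traces back to OTR, the symmetric chains Signal layered on top of it, and matthewdgreen's question of where each side's private key enters when a fresh DH ephemeral is published), here is an added Python example. It is not code from the patent, from Signal, or from any commenter in the thread. The group parameters are a toy prime field chosen only so the script runs on the standard library; the KDFs are HMAC stand-ins for the HKDF-based KDF_RK and KDF_CK of the Double Ratchet specification; the function names are mine. It walks one full round trip: Alice publishes a new ratchet public key and sends two messages, Bob derives the identical chain from his own private key and her public key, replies under a fresh key pair, and Alice catches up. Neither side ever needs the other's private key.

```python
"""Minimal Double Ratchet round trip: a Diffie-Hellman ratchet step feeding
symmetric KDF chains. Added illustration; not code from the patent, from
Signal, or from any commenter in the thread.

ASSUMPTIONS (demo only): the DH group below is a toy prime field that is far
too small to be secure; real implementations use X25519. The KDFs are plain
HMAC-SHA256 stand-ins for the HKDF-based KDF_RK / KDF_CK of the Double
Ratchet specification.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # toy modulus (Mersenne prime 2^127 - 1), NOT a safe group
G = 3                # toy generator


def dh_keypair(priv=None):
    """Ratchet key pair. A fresh random private key unless one is supplied
    (tests pass fixed values so the run is reproducible)."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh(own_priv, peer_pub):
    """DH output. Needs OUR private key and the PEER's public key; neither
    side ever needs the other's private key."""
    return pow(peer_pub, own_priv, P).to_bytes(16, "big")


def kdf_rk(root_key, dh_out):
    """Root chain step: (rk, dh_out) -> (new rk, new chain key)."""
    prk = hmac.new(root_key, dh_out, hashlib.sha256).digest()
    new_rk = hmac.new(prk, b"root", hashlib.sha256).digest()
    new_ck = hmac.new(prk, b"chain", hashlib.sha256).digest()
    return new_rk, new_ck


def kdf_ck(chain_key):
    """Symmetric chain step: ck -> (next ck, message key). The caller drops
    the old ck, which is what gives per-message forward secrecy."""
    next_ck = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    return next_ck, msg_key


def ratchet_round_trip(root_key, bob_priv, alice_priv, bob_priv2):
    """Alice sends two messages in a new DH epoch, Bob replies in the next.
    Returns the message keys as each side derived them, plus whether the root
    keys still agree, so the two views can be compared side by side."""
    rk_a = rk_b = root_key
    _, bob_pub = dh_keypair(bob_priv)            # Bob's current ratchet public key

    # --- Alice opens an epoch: fresh key pair, DH against Bob's public key.
    alice_priv, alice_pub = dh_keypair(alice_priv)
    rk_a, ck_a_send = kdf_rk(rk_a, dh(alice_priv, bob_pub))
    ck_a_send, mk_a1 = kdf_ck(ck_a_send)          # message 1
    ck_a_send, mk_a2 = kdf_ck(ck_a_send)          # message 2
    # alice_pub travels in the message header; alice_priv never leaves Alice.

    # --- Bob receives alice_pub and reaches the same chain with HIS private key.
    rk_b, ck_b_recv = kdf_rk(rk_b, dh(bob_priv, alice_pub))
    ck_b_recv, mk_b1 = kdf_ck(ck_b_recv)
    ck_b_recv, mk_b2 = kdf_ck(ck_b_recv)

    # --- Bob replies: fresh key pair, DH against Alice's current public key.
    bob_priv2, bob_pub2 = dh_keypair(bob_priv2)
    rk_b, ck_b_send = kdf_rk(rk_b, dh(bob_priv2, alice_pub))
    ck_b_send, mk_b3 = kdf_ck(ck_b_send)          # message 3

    # --- Alice receives bob_pub2 and catches up with her own private key.
    rk_a, ck_a_recv = kdf_rk(rk_a, dh(alice_priv, bob_pub2))
    ck_a_recv, mk_a3 = kdf_ck(ck_a_recv)

    return {
        "alice": [mk_a1, mk_a2, mk_a3],
        "bob": [mk_b1, mk_b2, mk_b3],
        "root_keys_agree": rk_a == rk_b,
    }


if __name__ == "__main__":
    out = ratchet_round_trip(b"\x00" * 32, 12345, 67890, 24680)
    print("both sides derived the same message keys:", out["alice"] == out["bob"])
    print("root keys agree after the round trip:", out["root_keys_agree"])
```

Running it reports that both sides derived the same three message keys and the same root key. What the sketch leaves to the caller is the housekeeping a real implementation must do: overwrite each chain key as soon as the next one is derived, and delete the private key of an epoch once the peer has ratcheted past it. Swap the toy group for X25519 and the HMAC calls for HKDF before reusing any of it.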
------
hackworks
Most software companies I have worked for encourage filing patents just to
build their arsenal and increase their market value in times of acquisitions
or patent wars. They are not focused on creativity, innovation or advancement.

I have seen a patent to use SSH to administer a storage system! It was just
depressing and sad to see such patents granted and the inventors bragging
about it.

~~~
_jal
> I have seen a patent to use SSH to administer a storage system

People should be embarrassed.

So many nerds have this self-image of being a change-the-world conquering
intellect, and then spend their day trying to game a bullshit system to pull a
few bucks from their neighbor's pocket. And they're not capable of actually
making anything, so they try to patent bog-standard uses of other people's
tools.

Their bragging about it is a blessing, though. Makes them easier to avoid.

~~~
Psyladine
As long as there are no rounded corners, ya.

 _Sent from my i-branded device_

------
nickthemagicman
Is Signal fighting it? What's to stop this from happening?

~~~
ryanlol
> Is Signal fighting it?

Why should they? This doesn’t affect them.

~~~
nickthemagicman
I interpreted it to mean:

if Signal is using the technology, and the technology is patented, then Signal
will be affected?

~~~
analog31
I'm not a lawyer, but making something and selling or publishing it
constitutes a public disclosure, and invalidates anybody's attempt (including
your own) to patent it after the fact. Somebody can't come along and patent
your product.

Now if you're working on an invention in your basement, and haven't disclosed
it yet, someone else can take the same idea to the patent office.

~~~
elmo2you
True, at least in theory.

While not all that much relevant in this particular case (or at least not
likely), I've heard from several patent lawyers (granted, this is still
hearsay) that it is a rather common practice for big companies to patent any
potentially relevant new technologies from smaller players (often when still
under development), only to bully these potential competitors.

Considering the high price of patent lawyers, this is sadly a rather effective
method for protecting a dominant market position, but it's also very
destructive to innovation as a whole (because apparently many of these patents
are subsequently never used to actually produce anything).

It's a rather cynical abuse of the system, and one that goes directly against
its stated goal: to promote innovation. However, it could also be argued, from
the (early) history of patents and how they have been used throughout time,
that this has always been a charade, and it really was always more about
controlling innovation and technological progress, rather than actually
stimulating it.

------
motohagiography
Great way to get free strong crypto software chased out of app stores, and
prevent its proliferation.

If I were in the bulk signals collection business, I would also file a patent
that legally discouraged the implementation of the best known scheme for end
to end encryption as well. Patent office may grant it under pressure.

------
RedComet
The real tragedy of a troll patenting parts of the protocol developed at
Signal is that Signal had millions of dollars of US government funding behind
it.

------
deith
Does it matter when there's prior art?

~~~
alerighi
It does, but even if in a court you will probably win, you have to spend
thousands of dollars on lawyers. This is why the patent system is unfair and
should be abolished altogether. It favors big companies that cross license their
patents and crush the small developers, especially free software developers.

~~~
caro_douglos
You’re right it is not fair if that crossover occurs but keep in mind that the
system hooks into international agreements the US has made and it’s not as if
they can be overhauled for the little guy/gal.

~~~
tialaramex
Speaking of ratchets, that's the purpose of such "international agreements"
for patents, copyrights and so on. Countries A and B agree to accept each
others' "intellectual property". Then Country A says, well, for parity we ought
to set X=10 in our law, like theirs, and since we're setting X=10 and we've
always made Y ten more than X we should also set Y=20. Then in Country B they
say oh, well there ought to be parity in our law too we should set Y=20 also,
and we've always wanted X the same as Y so X=20. Back to Country A, there's
just no choice, we have this international agreement but it wouldn't be fair
unless we set X=20 like Country B did, and so now Y=30.

You can keep doing this back and forth forever as you have time, ratcheting up
both variables forever and always assuring any concerned citizens that your
goal isn't "really" to just make the variables go up and steal from them, it's
just "international agreements" force your hand.

Nobody should fall for this.

