Date: Sat, 18 Jul 2015 16:06:03 -0700
From: Bill Cox <>
To: "" <>
Subject: Re: [PHC] patents

On Sat, Jul 18, 2015 at 12:11 PM, Solar Designer <> wrote:

> On Thu, Jul 16, 2015 at 11:32:17AM -0700, Bill Cox wrote:
> > I found this patent <>.  What is
> > the other?

Well, crud.  I don't see how Jeremy's able to run his business without
violating this patent.  It seems to clearly patent the use of _secret_ ROM
data in password hashing.  Jeremy's patent mentions using salt, but surely
the 2006 implementation used salt.

> > This patent does seem to cover hashing ROM into a salted password to
> > generate the stored password hash, IMO.  I am not a lawyer, and my opinion
> > carries no legal weight, but I am an author on 26 patents, and have read
> > plenty more.  However, like so many of these software patents, this one is
> > clearly invalid due to prior art, such as this paper published in 2006
> > <>, 7 years before this patent was
> > filed.
> So you found the paper leading to the other patent.

Yeah... I know one of the authors.  His desk is near mine at work.

> > IMO, this patent will not affect using Yescrypt for ROM-port-hard (what I
> > have been calling bandwidth-hardened) PoW systems in any way.  The claims
> > require hashing a password in every claim.
> It sounds like you feel it does cover using yescrypt for ROM-port-hard
> password hashing, even if the ROM is not secret.  That's really bad if so.
> But that's not my current understanding.

I think you are right.  Both patents mention "random data" in their
claims.  Having a ROM full of non-secret non-random data should be fine.

> > I see Jeremy claims to have invented this in 2012, after the Linked-In
> > hack.  I find this plausible, because I independently worked hard on the
> > password security problem at the same time for the same reason.  My
> > invention was to use a lot of memory with random read-writes :-)  I'm
> > always a few years too late...
> >
> > However, giving him this benefit of the doubt, didn't he see that you published
> > it in 2012
> > <>?
> He did.  Jeremy claims to have independently arrived at this in July
> 2012, but intentionally not publishing it yet for the purpose of
> patenting it.  I find this plausible.

Given the timing of the Linked-in hack, I also find it plausible.  However,
he still runs up against the secret-ROM for password hashing patent from

> > I will prefer to believe this is a simple mistake by Jeremy for now.
> > However, it looks pretty bad.
> It did look pretty bad to me in this way at first, but Jeremy managed to
> convince me it was in fact independent discovery, a few months before my
> ZeroNights talk.  What still looks bad to me is the very fact this
> useful stuff is patented (although the patent might be fully or
> partially invalid due to other prior art).

Jeremy's patent isn't the problem, IMO.  It's weak, invalid, and not worth
worrying about as a competitor.  The previous patent I am purposely going
to avoid looking into.  Having one of the authors work near me is a bit too
close to home :-)

However, I've been on the record for many years as being against these
sorts of software-patents.  I see far more damage caused by them than
benefit.  I have several software patents.  Part of the evil in this system
is you are compelled to do what you can to protect your company, even if it
means patenting software, even if you are against software patents.  It's
basically a tax on business to support lawyers, with the side-effect of
squashing innovation.

> I think Jeremy did nothing illegal.

If he already informed the USPTO of this paper, then he has fulfilled his
legal requirements.  The USPTO seems quite lenient in these cases.  I am
not too surprised that they would allow his patent to stand unmodified.

> However, there are ethical concerns
> about patenting anything at all.  It's like:
> atomic {
>         person.patents++;
>         person.respect--;
> }
> ... with rare exceptions.
> Alexander

Haha!  It's a messed system generally, but particularly for software.  I
blame the Federal Circuit Appeals Court
as the main culprit.  Before they were given sole control over patent law
in the US, it used to be possible to make a living as an inventor.  I've
met a few older guys who basically did just that.  For example, IIRC, an
acquaintance's father invented the milk carton, and used money from that
invention to raise his kids.

Since these dorks on the Federal Circuit came into power, it is now no
longer possible to make a living as an inventor.  Instead, we have patent