69 comments

[ 0.63 ms ] story [ 143 ms ] thread
Reading that thread, Alec apparently is not a patent lawyer and others pointed out what is really happening
Indeed, I am not a patent lawyer; I am a crypto geek attempting to ascertain whether and to what extent this treads on current, and future, implementations of (edit: and enhancements to) the double ratchet algorithm. I believe that my tweets are pretty clear about that.

ps: other people have simply said to "read the claims", which is fine but does not help clarify anything.

I’ve read the claims, and don’t currently see how they exclude Signal. Perhaps on claim construction it might be possible to dig into the specification and find non-standard interpretations of some terms that walk around the existing prior art. But that feels like a very unreliable approach.
The patent office specifically looked at Signal and other implementations and states that the Examiner "has been unable to locate prior art that would suggest that the device sending a message in a particular epoch require its own private key in generation of the shared first refresh key and first state with the recipient device. Although using public keys to securely transmit data is known in the art . . . ." The patent Applicant states "Sarafa fails to [suggest each and every step of] 'generating on the first device, a first epoch key . . . transmitting, from the first device, the first epoch key . . . generating, independently on each of the first device and the second device, a first refresh key . . . *wherein the first refresh key is generated on the first device without requiring a private key corresponding to the first epoch key"
I haven’t read the specification carefully enough yet to determine what they mean by “refresh key” since that’s not really a standard term of art. If this could refer to a Diffie-Hellman ephemeral, then said key would be generated without requiring a separate private key corresponding to the epoch key, something that’s also not really a standard term.

My concern with patents like this is that, since many of the terms are non-standard and thus defined by the specification, any vagueness in the spec leaves room for future interpretations in an infringement case that may, in fact, lead to de facto Signal implementations being found to infringe.

ETA: I’ll read the spec later this weekend and see how they define all these terms.

What are these others then pointing out, regarding what's really happening? All I see is how Alec is advised to focus on the claims of the patent. However, I do not see how that substantially changes the situation regard the double-ratched/signal algorithm and this patent. Could you be so kind to elaborate, please?
Alex admitted "someone with a better attention span than myself" would need to read claim 1 to determine whether this reads on Signal or not (it does not).
That screenshot with the timeline reminds me of a post earlier this year - the event page is trying to tell you that "Application status is Active (as of today)", ie. it will always be shown with the current date: https://news.ycombinator.com/item?id=21932752

The application was already granted in 2019-09, and is set to expire 20 years from filing, 2039-02-05.

Is Signal fighting it? What's to stop this from happening?
> Is Signal fighting it?

Why should they? This doesn’t affect them.

I interpreted it to mean:

if Signal is using the technology, and the technology is patented, then Signal will be affected?

I'm not a lawyer, but making something and selling or publishing it constitutes a public disclosure, and invalidates anybody's attempt (including your own) to patent it after the fact. Somebody can't come along and patent your product.

Now if you're working on an invention in your basement, and haven't disclosed it yet, someone else can take the same idea to the patent office.

True, at least in theory.

While not all that much relevant in this particularly case (or at least not likely), I've heard from several patent lawyers (granted, this is still hearsay) that it is a rather common practice for big companies to patent any potentially relevant new technologies from smaller players (often when still under development), only to bully these potential competitors.

Considering the high price of patent lawyers, this is sadly a rather effective method for protecting a dominant market position, but it's also very destructive to innovation as a whole (because apparently many of these patents are subsequently never used to actually produce anything).

It's a rather cynical abuse of the system, and one that goes directly against its stated goal: to promote innovation. However, it could also be argued, from the (early) history of patents and how they have been used throughout time, that this has always been a charade, and it really was always more about controlling innovation and technological progress, rather than actually stimulating it.

(comment deleted)
Pretty sure this is a bunch of hoo-ra-ra started on twitter and hasn't yet been a proven threat to Signal itself to warrant legal action by them. Or whether this Qrypt company is going to do anything meaningful with it.

The title is also misleading as the patent has already been approved apparently.

Does it matter when there's prior art?
It does, but even if in a court you will probably win, you have to spend thousands of dollar of lawyers. This is why the patent system is unfair and should be abolished at all. It favors big companies that cross license their patents and crush the small developers, especially free software developers.
You’re right it is not fair if that crossover occurs but keep in mind that the system hooks into international agreements the US has made and it’s not as if they can be overhauled for the little guy/gal.
Speaking of ratchets, that's the purpose of such "international agreements" for patents, copyrights and so on. Countries A and B agree to accept each others "intellectual property". Then Country A says, well, for parity we ought to set X=10 in our law, like theirs, and since we're setting X=10 and we've always made Y ten more that X we should also set Y=20. Then in Country B they say oh, well there ought to be parity in our law too we should set Y=20 also, and we've always wanted X the same as Y so X=20. Back to Country A, there's just no choice, we have this international agreement but it wouldn't be fair unless we set X=20 like Country B did, and so now Y=30.

You can keep doing this back and forth forever as you have time, ratcheting up both variables forever and always assuring any concerned citizens that your goal isn't "really" to just make the variables go up and steal from them, it's just "international agreements" force your hand.

Nobody should fall for this.

There’s always prior art. The question is how similar the prior art is.
I want to politely express my distaste of software patents, especially such trivial algorithms.
Is an algorithm patent really a defensible claim?
Simple question, but the answer is really complicated. The caselaw on Section 101 (patent-eligible subject matter) is extremely hard to make sense of.
One of the things I am glad about in my country - India has a higher bar for "software" patents:

> ... following CANNOT be considered as inventions within the meaning of the act. "A mathematical or business method or a computer program or algorithms"

If this is trivial, it should be rejected. I also don't find this to be obvious -- there is a reason it took decades of working on end to end encrypted chat algorithms before they came up with something that has all the desirable properties of the double ratchet algorithm.

This doesn't mean I'm in favor of or against software patents, I know too little about the topic. I just wanted to say that this isn't that trivial, and if it were, it would not be patentable: https://en.wikipedia.org/wiki/Patentability

Double ratchet was built on top of 2004 OTR's Diffie-Hellman ratchet. From what I understood the difference was using different, post-quantum, algorithms for this patent. The thing is, post-quantum algorithms haven't even been standardized yet: NIST competition is currently on round 2.

Generalized patent for using post-quantum cipher together with double ratchet takes two hard things that have taken a ton of hard work and basically makes the claim they were the first ones to discover they are compatible and that it's a good idea -- which is not the case, key exchange algorithms are trivial to plug into protocols. They are implemented separately to be used together. It's like trying to patent portable music player, but with open design headphones! It took the industry a lot of time to come up with portable music players, and good headphones also took time and effort, but a generalized patent for using them together is just nonsense.

This patent does not derive its patentability from using different, post-quantum, algorithms. You have not read all elements of claim 1. Moreover, even if you were correct in your understanding that this patent is directed to using different, post-quantum, algorithms, you still fail to understand the impact of that. To whit, it doesn't matter that such algorithms have not been standardized. At that stage, different entities can patent whatever their preferred method is, and if one takes over the industry, then they can maybe receive some licensing revenue for having developed the best method.
I think a lot of the complaints about our parent system is that a lot of trivial things have been granted patents.

We aren't complaining about the system as it is supposed to work, but rather how it works in practice.

Claim 1 seems quite specific and detailed. What’s trivial about it?
Maybe simple is a better word, it is just glueing a few blocks of known cryptography together to achieve this particular task.
I'm not surprised to see the name of Qrypt's CTO (Denis Mandich) listed as one of the "inventors" on the application, but to see the name of a New York University professor (Yevgeniy Dodis) is rather baffling to me. Even more since the latter is supposed to be an expert in the field of crypto.

I would think that an academic professor should know better than to try patent something that is already known publicly so well. I can't help but wonder if this is just pure cynicism at work: gaming a broken patent system (for profit), at the expense of (and to hell with) any academic/scientific authority/credibility/reputation. Or is there something I'm completely missing here?

Regardless of whether the patent is granted or not, and unless I'm misunderstanding the whole situation, this professor should probably be deeply ashamed of himself and maybe even be ousted from academia altogether.

EDIT: Not to even start the discussion of how mathematical algorithms shouldn't be patentible in the first place.

EDIT #2: Changed CEO to CTO (typo mistake)

That "somebody" is Qrypt, Inc [1]. (I've never heard of them.) Denis Mandich is the CTO. Interestingly, the patent application mentions Axolotl, Signal, and what not. Not sure how this sauce is different? Because of quantum cryptography? I did find [2] from their website as well.

From [1] it says: "Kevin and Denis have hand-selected a talented team of seasoned leaders in engineering, physics, and cryptography to build Qrypt’s patented solution." I guess they can add "patent pending", too.

[1] https://www.qrypt.com/about

[2] https://www.ornl.gov/news/qrypt-licenses-ornls-quantum-rando...

This actually is a granted patent. Claim 1 seems quite specific and detailed to me, although I’m no crypto expert. Is everything in the claims well known?
Apparently you are right. I was mistakenly under the impression that it was still under review.

I would call that claim first and foremost convoluted, more than specific and detailed, but that is a rather normal practice in patents (IFAIK).

From what I've read (so far), I didn't see anything particularly innovative; not within the field of crypto at least. I'm quite confident that this is nothing particularly new to a crypto expert. I'd say it's all rather well known. Maybe not to Joe next door, but that's irrelevant.

I'd say that this patent should never have been granted, but I can't say that I'm surprised that it did. However, those who filed for this patent must have known what they were doing. Unless my current view on this radically changes, I sincerely hope that it will (somehow, eventually) cost the people involved dearly. I have no sympathy for anyone who would game a broken system like that, as it so far appears they did. Even if not criminal, legally speaking, I still consider it moral corruption to a high degree.

Convoluted? How? For all your talk of criminality and moral corruption, you seem to have no idea how to read a patent claim. You'd say it is all rather well known, but you cite to literally nothing.
Universities patent IP all the time and some make a lot of money from it.
Luckily there are still people who consider that a travesty of academia. The fact that it exists, doesn't make it right. Just as slave trade existed for a long time, both profitable and considered a reputable business, didn't make that right.
The haste with which you call for someone to be ousted from their field is frightening.
Your acceptance of people who abuse the patent system is frightening.
If I don't call for someone to be ousted from their field/career then it means I accept all of their behaviors? You do realize by that logic, you have condoned a neverending list of bad behavior by anyone who has done something wrong (which, newsflash, is pretty much every human being) where you haven't called for their ouster? You may want to rethink this.
> If I don't call for someone to be ousted from their field/career then it means I accept all of their behaviors?

There's a difference between not asking for something, and asking for something not to happen.

Besides.. There are many cases where it's a he-said-she-said debate with no clear truth, or where the ethics aren't entirely clear to begin with. But sometimes you're just dealing with the identity killer[0].

[0]: https://www.youtube.com/watch?v=oL895peZpqY

Why exactly is this an abuse of the patent system?
I don't understand: the patent mentions that this is currently "ubiquitous" in the form of the Signal protocol. Isn't that basically telling the patent office there is prior art, i.e. they undermine their own patent application?

The relevant part of the patent application:

> The Axolotl Ratchet aka the Double Ratchet Algorithm is modeled on the Diffie-Hellman asymmetric ratchet in the Off-the-Record (OTR) messaging system and symmetric key ratchets used by the Silent Circle messaging protocol, resulting in the currently ubiquitous Signal Protocol.

It goes on to say "While there are a limited number of security proofs of specific implementations, there are none for the generalized protocol". So even if the patent were to be granted on the basis of that this is general instead of specific, then the specific Signal protocol should not be in violation of this patent.

I think what they're going for is a "But X" variant where this time X is post-quantum cryptography.

You might remember "But X" patents from when they were all for the Internet. You know "It's a bookshop but Internet" or "It's paying for a magazine subscription but Internet". Some of these patents were subsequently invalidated, many made their "Inventors" plenty of money anyway.

Most of today's sensible crypto designs can be mechanically transformed into something safe for a post-quantum world by sprinkling the right post-quantum ingredients in the right places and putting a XOR somewhere.

The "great" thing about patents is that you can be vague about parts that you don't specifically claim, to the point where they aren't even invented yet, and still succeed in the application. You have to guess that the missing pieces will get discovered, doesn't matter who by, before you stop being able to incrementally file modified patents for the same "invention" and then you can collect all the money because your "invention" is essential.

So they won't even need to propose a specific post quantum algorithm anywhere, they can leave that as a black box. When something gets invented, their patent covers it being used in the obvious way.

This sort of nonsense is another reason patents should be scrapped rather than reformed.

The main independent claim doesn’t specifically call out quantum algorithms. I’m struggling to see how Signal/Axolotl doesn’t match every element.
And I am struggling to see how Signal/Axolotl does match every element of claim 1.
X is certainly not post-quantumn cryptography. You need to look at all elements of claim 1. IN particular, "wherein the first refresh key is generated on the first device based at least in part on the first public key and the root state, wherein the first refresh key is generated on the first device without requiring a private key corresponding to the first epoch key, and" . . . "wherein the first state is generated on the first device without requiring a private key corresponding to the first epoch key, and wherein, the first state is generated on the second device based at least in part on the first private key, the first epoch key, and the root state;" and . . . "wherein, on each of the first device and the second device, the first message key is generated based at least in part on the first state and the first refresh key;"
I'm not a lawyer, but disclosing prior art is 1) your obligation, and 2) strengthens your patent if it's granted. If an existing method is cited in the patent, and the patent is approved, it means the patent office has declared that the cited method is officially recognized as not being prior art.

If you look at a patent and say: "This isn't valid because of patent X," but you see patent X in the list of citations, then it means the patent office has already said: "Oh yes it is."

We changed the title from "Somebody is trying to patent Signal's double-ratchet crypto", which broke the site guidelines by editorializing—and which, based on how common it is for patent applications to be misread on HN, I suspect someone will point out is not strictly true.

If you want to say what you think is important about an article, do not do so by cherry-picking a detail to put in the title. Instead, post it is a comment in the thread. Then your view will be on a level playing field with everyone else's.

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

https://news.ycombinator.com/newsguidelines.html

Edit: since https://twitter.com/AlecMuffett/status/1213356702399115267 was the context for this, it would have been ok to submit that itself. Note how that tweet doesn't make the same claim. It just asks the question. So even the tweet was editorialized here.

I think this change of title is detrimental.

The original title signalled the context of this article which is far more important than the premise. The new title reveals nothing of the context and a layman interpretation changes from 'is someone is trying to patent an existing crypto algorithm?' to 'some article about some crypto algorithm'.

Seconded. The whole news story here is that someone is patenting Signal's algorithm (or something very similar to it) and not just a random interesting patent.
You can't make up your own title to say what you think the story is but there are lots of options that are not that like - find a story that has the framing/title you want, write a comment, write your own story/title and post that.
If you can make up a story and link it, then you should be able to 'make up' a title within constraints.

There's a pretty clear cut line between editorialising (injecting spin or opinion) and clarifying the context of the title.

In this case the change of title was objectively harmful and the traffic to this post died after the admins made the change, because most readers had no indication as to the importance of this anymore.

There's no such 'clear line' and this is not a 'story' it's a patent application - things that are themselves notoriously easy to misinterpret and misrepresent. If there is something important about the application, someone could have written a better-titled story about it or, again, left a comment. You're basically asking for made-up titles because you don't like what happened to this submission. The solution to this problem is better submissions, not made-up titles.
>or something very similar to it

The original title did not reflect that.

The comments make that clear.
The comments will be seen only by those not misled by the obscure title.
Most software companies I have worked for, encourages filing patents just to build their arsenal and increase their market value in times of acquisitions or patent wars. They are not focused on creativity, innovation or advancement.

I have seen a patent to use SSH to administer a storage system! It was just depressing and sad to see such patents granted and the inventors bragging about it.

> I have seen a patent to use SSH to administer a storage system

People should be embarrassed.

So many nerds have this self-image of being a change-the-world conquering intellect, and then spend their day trying to game a bullshit system to pull a few bucks from their neighbor's pocket. And they're not capable of actually making anything, so they try to patent bog-standard uses of other people's tools.

Their bragging about it is a blessing, though. Makes them easier to avoid.

As long as there are no rounded corners, ya.

Sent from my i-branded device

Great way to get free strong crypto software chased out of app stores, and prevent its proliferation.

If I were in the bulk signals collection business, I would also file a patent that legally discouraged the implementation of the best known scheme for end to end encryption as well. Patent office may grant it under pressure.

The real tragedy of a troll patenting parts of the protocol developed at Signal is that Signal had millions of dollars of US government funding behind it.