There are still two unexpired patents that may be in conflict with Schnorr signatures in BTC

Either lawsuits fly or they shake hands.

Many argue that the main reason ECDSA was favoured over Schnorr signatures, despite the latter's supposed advantages, was merely to avoid complications with patents. Schnorr signatures were covered by a patent, which forced developers to use free alternatives and kept the scheme from being standardized.

Luckily, that patent expired in 2008.

Earlier this month, Pieter Wuille published a proposal for the use of Schnorr signatures instead of ECDSA (Elliptic Curve Digital Signature Algorithm)—which has been the standard for Bitcoin since its inception.

But despite the expiration of the Schnorr signature patent, there are two existing and unexpired patents that may botch this plan. While Schnorr signatures in general are now fair game, there are certain specific applications of the algorithm that are covered by patents—which are still very much in force.

Patents clash

It can be quite hard to find conflicting patents, especially in a field as complex as cryptography and digital signatures, particularly because applications are written as outlines of methods rather than specifically naming the prior inventions they are based on.

But a gruelling search yields two patents that could spell trouble, as they are similar to how BTC devs intend to use Schnorr signatures for the legacy chain.

1. Masking and Additive Decomposition Techniques for Cryptographic Field Operations, Vincent Dupaquis, Michel Douguet

“Masking and additive decomposition techniques are used to mask secret material used in field operations (e.g., point multiplication operations) performed by cryptographic processes (e.g., elliptic curve cryptographic processes). The masking and additive decomposition techniques help thwart “side-channel” attacks (e.g., power and electromagnetic analysis attacks).”

2. Signing Methods for Delivering Partial Signatures, and/or Threshold Signatures, Corresponding Verification Methods, and Corresponding Electronic Devices, Marc Joye, Benoit Libert

“…a signing method delivering a partial signature associated with a message, said partial signature being used in a threshold signing method, the signing method being executed on an electronic device. The signing method is remarkable in that it comprises: – obtaining a partial secret key SK_i being obtained from an output of a secret sharing scheme, said partial secret key SK_i being equal to {u_1(i), u_{K+1}(i)}, where elements u_j(i) ∈ Z_p for all j ∈ {1,…, K + 1}, with p being a prime number, and K being an integer greater or equal to one; – determining from said partial key, K elements t_j = g^{-u_j(i)}, with j ∈ {1,…, K + 1} and g being a generator of a group G, said group G being part of a bilinear group (G, Ĝ, G_T) with Ĝ being a group and G_T being a target group; – determining from said message a vector so as to define a Groth-Sahai common reference string; – determining Groth-Sahai commitments on said K + 1 elements t_j with j ∈ {1,…, K + 1} from said Groth-Sahai common reference string, said Groth-Sahai commitments belonging to said group G; and – determining a non-interactive witness indistinguishable proof comprising K(K + 1) elements, all the K(K + 1) elements belonging to said group Ĝ, said proof guaranteeing that said K + 1 elements t_j verify K pairing equations; – delivering said partial signature associated with said message, said partial signature comprising said Groth-Sahai commitments, and said non-interactive witness indistinguishable proof.”

If the devs are unaware of these existing patents, that means they will potentially invite a string of lawsuits towards the BTC camp. It’s either that or they submit to the patent terms. If they do, we have yet to see how that will play out.