Smart card vulnerability, license fees and patent law
04 May, 2009
Cryptography Research wins legal battle against Visa and licensees begin to sign
By Chris Corum, Executive Editor
I met Kit Rodgers from Cryptography Research in 2004 when his company announced its intent to license the countermeasures that protect smart card chips from a specific attack called Differential Power Analysis (DPA). He passionately argued that it was time for the chip and card manufacturers to pay up for the security measures his colleagues had developed in the late 1990s. Indeed the patents had just recently been issued and Cryptography Research was preparing itself for battle.
As I wrote my initial article on the topic, “A new license fee for every smart card?” (January 2005), I was pessimistic about their chances of prevailing. It seemed to me like David vs. Goliath and Goliath and Goliath and Goliath … a relatively small San Francisco-based team of mathematicians and electrical engineers were going to convince the card associations, the semiconductor industry, card manufacturers and maybe even end issuers that they should send the team money every time they made a smart card. Sure they were.
I enjoyed my conversations with Kit but figured it unlikely I’d be doing a follow-up article. Yet four years later here we are … half of the Big 6 chip manufacturers have signed license agreements, Visa has a license to cover all of its issuers, and I am re-reading patent documents on DPA.
Before we get into just how David managed to succeed against a handful of Goliaths, let’s take a step back and look at the history of DPA.
How did all this get started?
In 1998 a cryptographer named Paul Kocher, founder of Cryptography Research, figured out that information, such as security keys, could be obtained from certain integrated circuits (ICs) by measuring the chip’s power consumption during processing. At the most basic level, a transistor in a chip uses a different amount of power to process a one than a zero. Using this fundamental idea, Kocher found that it was possible to crack the security of certain chips such as those used in smart cards.
When news of the discovery hit the press in June 1998, the smart card industry went into panic mode. The Australian Financial Review broke the story stating, “A ruinous security problem has jeopardized the viability of millions of smart cards.”
Headlines warned that cryptographers had discovered a way to extract the encryption keys from a chip, but the smart card industry brushed off the attack’s significance, suggesting that it was only theoretical and no cards were really at risk.
But it was more than a theoretical attack, as Kocher would show executives in the card associations and manufacturers in 1998 and 1999. He advised the manufacturers how to modify chip design to mask the power differential and thus protect against the attack.
“Under NDA we showed them how to minimize the vulnerabilities,” explained Rodgers. “We told them we would be coming back for licensing once the patents were issued.”
The industry, it seems, took the advice to heart and protected the bulk of smart card ICs from DPA. The panic quickly subsided and DPA was no longer the topic du jour … at least not for five or six more years.
In April 2004, Cryptography Research announced it had been granted a series of U.S. patents broadly covering countermeasures to DPA attacks. The company began talking to chip and card manufacturers about licenses and fees. It was then that I had that initial meeting with Rodgers.
The battle begins
As I said, I was skeptical that manufacturers would agree to pay a license fee for something they had built into their products many years prior and had long since taken for granted. Rodgers mentioned in our initial conversation that his company had “allocated $20 million to launch the licensing program.” Of course, all assumed that a major portion of this would be allocated to legal wranglings.
It didn’t take long. Early negotiations didn’t get anywhere, so Cryptography Research filed its suit against Visa for breach of contract and patent infringement later that year. According to the lawsuit, back in 1998 Visa had acquired a DPA countermeasure license for all Visa suppliers. The publicized terms of the license included a $0.25 fee per smart card. Later, Visa terminated the license and ceased payments but continued to use the countermeasures.
About two years after the case was filed, the judge provided a boost to Cryptography Research. During patent infringement cases, an interim step involves the judge’s ruling as to what the key terms in the patent mean. This is called a Markman Ruling, and according to Rodgers, they received a strong reading from the judge – a good sign for their chances at trial.
New lawyers, new patents, and new opportunities
In 2008 Visa retained its sixth different law firm for the case, and when the new lawyers asked about Cryptography Research’s business terms, no one at Visa knew what Cryptography Research wanted. There hadn’t been any substantive business discussions in the four years since the suit was filed.
At the same time, Cryptography Research’s European patents began to issue. “This was a huge boost,” says Rodgers, since Europe is the largest smart card market and many of the chip and card manufacturers are European companies.
It appeared that a trial date would be set for spring 2009, but talks progressed rapidly and a settlement was announced in September 2008.
Details, as expected, were not disclosed but what is known is that Visa obtained a license to the patented countermeasures and Cryptography Research made a lot of money. How much? Rodgers smiles stating only that “it was a very confidential settlement.”
I am reminded of the story of the small kid that goes to school the first day, picks out the biggest bully on the playground, and socks him in the jaw. From then on, none of the other kids pick on him.
Visa’s settlement did two important things for Cryptography Research. It sent a clear message that the patents were enforceable and it increased the company’s war chest should others choose to do battle.
Licensing process makes great strides
“Integrated circuit suppliers and smart card manufacturers are the two parts of the smart card industry supply chain most familiar with DPA,” says Rodgers. “To date, our main licensing deals in this industry have been with IC manufacturers. Six major chip manufacturers make more than 90% of the world’s silicon, and three of the six – Infineon, Renesas, and NXP – are now licensed.”
Only one part of the supply chain for a given card needs to carry a license, he explains. If the chip supplier is licensed then the finished product is typically licensed. Thus, the card manufacturer and its downstream customers would not be expected to pay again for the patented countermeasures. However, if the chip is obtained from an unlicensed supplier, the card manufacturer would need to pay the license.
“The pressure from customers is significant,” says Rodgers, suggesting that an end issuer will not want to put their organization at risk by providing an unlicensed product, particularly when there are licensed alternatives readily available.
As I did in my first meeting with Rodgers, I again ask how much the license impacts the cost of the smart card to the end issuer. Again, he is purposefully vague.
“It does not substantially change the end cost of a smart card,” he says. “We seek to get paid a reasonable fee for the use of our technology; our philosophy is to structure licenses so that our customers can broadly adopt the technology and sell more secure products. The license cost for the card manufacturer (or chip supplier) is small compared to the potential legal exposure if not licensed.”
“There is a window here,” he adds. “We have been giving companies a chance to get in at a low pricing point, but over time we need to give our licensees a competitive advantage.”
A lesson in intellectual property rights
The patent process is in place to protect the intellectual property rights of inventors and developers. Cryptography Research consists primarily of researchers and engineers who develop technologies that solve complex security problems. The firm’s successes to date in the DPA licensing process suggest that the patent process is important and can still protect an inventor’s rights. While I don’t like the idea of paying more for the products that I purchase, I do believe that society must support the creative process, and intellectual property protection is fundamental to that support.
“The rule of thumb in the licensing business is that valuable patents begin to reap benefit at the half-way point in the 20-year patent lifecycle,” Rodgers adds. For the DPA patents, that is exactly the point at which the Visa suit settled and the tide started to turn.
“I don’t know how or if a small company could do it,” reflects Rodgers when asked if he thinks the system works. “We’ve had a strong business in other parts of our company for many years so we were able to see it through.”