Podcast Mar 23, 2023

Root Causes 288: ISARA Releases Patents on Hybrid Certificates

In this episode we are joined by Atsushi Yamada, CEO of ISARA. He explains how ISARA has put its patents on hybrid certificates into the public domain and why. We explain the role of hybrid certificates in PQC and ongoing crypto agility.

  • Original Broadcast Date: March 23, 2023

Episode Transcript

Lightly edited for flow and brevity.

  • Tim Callan

    We are fortunate enough to have a guest today, Atsushi Yamada. Atsushi is the CEO of ISARA. ISARA is a Sectigo partner. How are you doing today, Atsushi?

  • Atsushi Yamada

    Oh, pretty good. Thanks.

  • Tim Callan

    Thank you so much for being on the podcast. What we wanted to talk about today is that ISARA has been very early in the post-quantum cryptography space. Among other things, you guys had a series of patents in the space, and recently, those patents, you’ve put them in the public domain. We thought that was an interesting development, and we’d like to unpack that. So, maybe to start with, tell us a little bit about these patents. What were they and why were they important?

  • Atsushi Yamada

    This is so-called hybrid certificates. What happens is in the extension you can have another crypto system, meaning public key and signature. So that one digital certificate contains two cryptographic, digital signature algorithms. By doing so it will enable two digital algorithms, something like RSA and PQC digital signature algorithms, so that it can help migrating to new crypto – in this case, PQC – a little bit easier.

  • Tim Callan

    We’ve described that in some earlier episodes, so, I’ll encourage you to go back, listeners, and you can hear a description about what goes on with hybrid certificates. Atsushi, was ISARA an inventor of hybrid certificates or certain methods of hybrid certificates? Obviously, you did something that was early enough that you could patent it. What specifically was your history with hybrid certificates?

  • Atsushi Yamada

    Oh, essentially we were working on migration because ISARA’s business is to help customers migrate to PQC and we have thought about many different ways to migrate, and one of the methods was to put PQC in the extension so the old system can ignore because it’s a known critical extension so that it allows two crypto systems to mix and keeping backward compatibility. So, it’s essentially this extension, on how you interpret this extension with the patent. It was quite old by now.

  • Tim Callan

    But these patents are important to the way that we are actually intending to do this migration of PQC. Is that correct?

  • Atsushi Yamada

    I think so. It’s not almighty but in certain scenarios, it is quite powerful.

  • Tim Callan

    All four of the patents that you brought into the public domain are basically around hybrid certs and various aspects of them. Is that correct?

  • Atsushi Yamada

    Yeah. It essentially can go to extension.

  • Tim Callan

    Ok. When did you put them in the public domain?

  • Atsushi Yamada

    Last October.

  • Tim Callan

    Has there been an impact or a change? Like what are you expecting the value of making these patents in the public domain to be? How do you think industry is going to use them as a result?

  • Atsushi Yamada

    This patent, we really had a long discussion internally and came down to if we monopolize this patent, we thought that this industry may not grow that nicely, and that was the concern because if the industry doesn’t grow then we will not be able to grow either. We think that this is still a young industry. We have to grow it and there are certain things that have to be shared to grow the market, the new industry. And that was the largest driver to actually dedicate it to public because this is a foundation to build a new industry. That shall not be monopolized. That was our conclusion.

  • Tim Callan

    That makes a lot of sense. If you think about a lot of the foundational pieces that we use in cryptography or in computers in general, think about if somebody was enforcing a patent on the RSA algorithm, for instance. How would anybody proceed? Like, we wouldn’t be able to use it as a cryptographic standard. We’d basically have to find something else.

  • Atsushi Yamada

    Exactly. Actually, I used to work at Certicom. At the time there was work between RSA and Certicom between RSA and ECC. And the patent work did not bring anything to either party. That’s where I learned that certain things need to be shared to encourage the world to deploy.

  • Tim Callan

    Yeah. We can’t have something that’s gonna be foundational. You know, digital identity is foundational for every digital system we have, and the real de facto method for digital identity is certificates, and so that means essentially they are ubiquitous, right? They have to be in everything that has a chip, or eventually they’ll be in everything that has a chip, and if somebody is trying to say, well, ok, every time you use your telephone you have to pay me a 10th of a cent then that mechanism just isn’t gonna work.

  • Atsushi Yamada

    Exactly.

  • Tim Callan

    It’s interesting because, Jay, you and I did a podcast not that long ago, maybe a month or two ago, about something very similar where there was another potential patent problem with – I believe it was with the CRYSTALS-Kyber mechanism if I recall – and at the end of the day that had to be resolved before everything could move forward as well. That was resolved in the summer of 2022.

  • Jason Soroko

    Yeah. And that actually resulted, that kind of patent negotiation ended up delaying some of the NIST announcements that were quite important. So, it was very important. I’m thinking about these hybrid certificates, Atsushi, and I really, I’m gonna give you credit. For understanding them as much as I do, I think they really are foundational to move us forward in the whole topic area of crypto agility and post-quantum certificates, post-quantum algorithms, being able to use them. I really have to think that the whole idea of this, that extra field in that X.509 certificate was just such an elegant idea and the fact that we are gonna be able to bridge between today’s systems and the systems that we are going to need to have. I’d like to get some of your comments. Especially because you are so closely connected within that industry about how those hybrid certificates are going to be used in the context of crypto agility and how long they are probably going to be in our ecosystems going forward. I’ve been asked the question before is, you know, hybrid certificates as a bridge do you think they’ll only last a certain amount of time and the way I see it they will probably be a nearly permanent fixture at some point in our future. Would you agree with that?

  • Atsushi Yamada

    I agree with it’s a sort of bridge – interim solution. Hybrid certificate is interim solution. In the end, you want a certificate with the new crypto. However, history tells us that the crypto algorithms need to be updated. If you think about it, NIST is calling out for new digital signature algorithms. PQC digital signatures for the next round. So that means that it has to grow. Well, think about it. RSA, we started with 1024-bit and we had to grow it and then ECC and then you have to change the curve. So, the cryptographic algorithm is not fixed. It’s not constant. Therefore, you need to set your system’s built in agility to go to the new ones in every five years, every ten years, in essence. Hybrid certificates should be there.

  • Jason Soroko

    I think I know what you are saying, Atsushi. Especially, let’s even back it up to more current times instead of so deeply into the future. We could end up in a time where the RSA algorithm may end up needing to be deprecated because of some Eureka moment in mathematics. And so, therefore, a widespread switchover from RSA to ECC, as an example, might be a more near term usage for hybrid certificates. Would that be right?

  • Atsushi Yamada

    I think so.

  • Tim Callan

    And at the same time, Atsushi, not to put too fine a point on it, part of what you are saying here is don’t imagine hybrid certificates are a one-time phenomenon while we migrate to PQC. Think about hybrid certificates as a continual ongoing part of our crypto agility system that will be used time and again in the decades to come as we continue to upgrade our cryptography. Am I getting that right?

  • Atsushi Yamada

    Oh yeah. Exactly. Jason, you got it right. You said it so eloquently. Thank you.

  • Jason Soroko

    And therefore, the whole topic of this podcast being the ISARA’s basically making open-source these critical patents allows for the industry to then embrace this and bring these ideas into all their systems so that we can have a singular standard for how to accomplish this kind of crypto agility from now into the deep future. I hate to say it, but I’m glad we are bringing it up on this podcast, but I think like a lot of things in PKI in general, it will be just one of those foundational things that become ubiquitous and barely thought about and yet this is fundamental in terms of how things work. Like, a lot of people don’t talk about the X.509 standard all that much because it’s just around, and it just works and thankfully, this kind of an idea will continue to help make things work so cleanly and effortlessly down the road. It’s just good to remember these things and to mark the times at which they occurred. So, thanks so much, Atsushi, for keeping us up on this.