top | item 31991354

(no title)

ENOTTY | 3 years ago

What's up with this?

> In addition, NIST has engaged with third parties that own various patents directed to cryptography, and NIST acknowledges cooperation of ISARA, Philippe Gaborit, Carlos Aguilar Melchor, the laboratory XLIM, the French National Center for Scientific Research (CNRS), the University of Limoges, and Dr. Jintai Ding. NIST and these third parties are finalizing agreements such that the patents owned by the third parties will not be asserted against implementers (or end-users) of a standard for the selected cryptographic algorithm

and

> NIST expects to execute the various agreements prior to publishing the standard. If the agreements are not executed by the end of 2022, NIST may consider selecting NTRU instead of KYBER. NTRU was proposed in 1996, and U.S. patents were dedicated to the public in 2007.

discuss

hn_throwaway_99|3 years ago

NIST is going the proper route to ensure that any standards they publish can be freely implemented without implementers having to pay patent royalties. That's the reason for your second quote - if KYBER patent holders don't want to agree, they should know that NIST won't choose them for the standard.

nullc|3 years ago

Just to clarify: My understanding is that the authors of Kyber aren't the patent holders in question-- rather a third party has patents which may read on Kyber and several other of the NIST finalists.

It's really unfortunate the the licensing terms weren't announced at the same time: Depending on how they're written the result may still be unattractive to use, and since they've already announced the selection NIST probably just lost some amount of negotiating leverage.

(As the obvious negotiation would be "agree to these terms we find reasonable, or we just select NTRU prime")

rdpintqogeogsaa|3 years ago

Key part here is "are finalizing". It's still possible for at least some of the deals to fall through. I guess NTRU is the backup plan just in case and/or a method to apply pressure by saying the public is now aware there's a plan B. I exüect this passage to imply at least one negotiation has been going poorly.

It would probably be interesting to look up who of these people also has patents outside of the USA. If there really is someone being particularly stubborn, one might reasonably expect them to enforce the non-US patent variant outside of the USA.

madars|3 years ago

> If the agreements are not executed by the end of 2022, NIST may consider selecting NTRU instead of KYBER.

It is especially interesting that NTRU (nor NTRU Prime, a different proposal) is _not_ advancing to the 4th round. Wouldn't you want to encourage more analysis for your (implied) runner-up?

willglynn|3 years ago

Not only that, NIST says:

> Overall assessment. One important feature of NTRU is that because it has been around for longer, its IP situation is more clearly understood. The original designers put their patents into the public domain [113], in addition to most of them having expired.

> As noted by the submitters, NTRU may not be the fastest or smallest among the lattice KEM finalists, and for most applications and use cases, the performance would not be a problem. Nonetheless, as NIST has selected KYBER for standardization, NTRU will therefore not be considered for standardization in the fourth round.

https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf

"NTRU is obviously legal and perfectly suitable, but we're not picking it." I find this to be a baffling position given the as-yet-unsolved patent issues with KYBER.

formerly_proven|3 years ago

Crypto that requires royalties won't be widely implemented, so you basically don't need to bother standardizing it.