[saag] Re: New Version Notification for draft-rsalz-crypto-registries-00.txt

["D. J. Bernstein" <djb@cr.yp.to>]

Paul Wouters writes:
> two reasons have been quoted for using ntruprime.

https://libntruprime.cr.yp.to lists seven features of sntrup; five of
those are advantages over Kyber. But the patent issue in particular is
what triggers the conclusion that the Kyber-as-the-sole-option specs are
violating BCP 79.

> 1) "don't ever use a NIST approved algorithm"

What exactly do you claim to be quoting here? Citation needed.

> Said by the cryptographer who entered the NIST competition with
> NTRUprime, but they refused to answer my question of whether that
> would mean ntruprime should not have been used if it had won the NIST
> competiton

Where exactly did this statement, followup question, and followup
refusal supposedly happen? Citation needed.

> 2) patents on kyber
> it seems most people believe the USG has or will have this arranged
> with the patent holders.

NIST says it has licenses for Kyber under just two patents, the GAM and
Ding patents:

    https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf

I've seen zero statements from NIST in response to the CN107566121
patent holder writing "Kyber is covered by our patents" (see my previous
message for references), and zero statements from NIST regarding the
rest of the patent minefield surrounding Kyber.

The applicable BCP 79 condition is "royalty-free license is available to
implementers of the specification", not "AD claims without evidence that
most people believe that the government will make everything okay".

> I believe we should also have a non-NIST alternative for ml-kem. It
> seems FrodoKEM is gaining that momentum (iso, etsi, europe, ...)

A few months ago, I brought up the FrodoKEM possibility in giving a
detailed example of potential SSH WG actions; some AD statements had
made it sound like the WG would (for unexplained reasons) be barred from
taking such actions. The AD response consisted of a statement opposing
FrodoKEM ("FrodoKEM is not ready to be used in IETF protocols" etc.):

    https://mailarchive.ietf.org/arch/msg/ssh/iX7Vdb_etrWC3RF0m8Ak8B5XlIE/

As I noted earlier, there's also an AD claim that "the cryptographic
research communities are focusing on NIST candidates ... Should the IETF
really recommend a dropped candidate at this stage? I do not think so":

    https://mailarchive.ietf.org/arch/msg/saag/9e1QheO1L6SVBX3a8mFSij9AgHw/

This AD position also implies opposition to FrodoKEM, given that NIST
has an official report saying that it is no longer considering FrodoKEM:

    https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413-upd1.pdf

But, hmmm, suddenly we're looking at an AD statement suggesting moving
ahead with FrodoKEM. Where's the explanation of this AD change of tune?
What happened to the argument that a "dropped candidate" shouldn't be
considered because the "cryptographic research communities" are
supposedly focusing on NIST candidates?

I'm also puzzled by the description of FrodoKEM as a "non-NIST
alternative for ml-kem". The big argument for FrodoKEM over Kyber is
that FrodoKEM avoids some of the security concerns about Kyber---both of
them are lattice systems but FrodoKEM uses unstructured lattices while
Kyber uses structured lattices. The most common counterargument is that
FrodoKEM's ciphertexts are an order of magnitude larger than Kyber's
ciphertexts. For applications that want smaller ciphertexts, FrodoKEM
isn't an alternative to Kyber, whereas sntrup is.

---D. J. Bernstein