IETF Logo Mail Archive

[lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07

"D. J. Bernstein" <djb@cr.yp.to> Fri, 10 January 2025 18:50 UTC

Return-Path: <djb-dsn2-1406711340.7506@cr.yp.to>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F470C14F69F for <spasm@ietfa.amsl.com>; Fri, 10 Jan 2025 10:50:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 732ume0-4n9u for <spasm@ietfa.amsl.com>; Fri, 10 Jan 2025 10:50:12 -0800 (PST)
Received: from salsa.cs.uic.edu (salsa.cs.uic.edu [131.193.32.108]) by ietfa.amsl.com (Postfix) with SMTP id 80C66C14F69A for <spasm@ietf.org>; Fri, 10 Jan 2025 10:50:12 -0800 (PST)
Received: (qmail 18817 invoked by uid 1010); 10 Jan 2025 18:50:11 -0000
Received: from unknown (unknown) by unknown with QMTP; 10 Jan 2025 18:50:11 -0000
Received: (qmail 93409 invoked by uid 1000); 10 Jan 2025 18:50:04 -0000
Date: Fri, 10 Jan 2025 18:50:04 -0000
Message-ID: <20250110185004.93407.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: spasm@ietf.org
Mail-Followup-To: spasm@ietf.org
In-Reply-To: <1B633295-9219-4B86-B241-E6095E52D209@vigilsec.com>
Message-ID-Hash: X3UWWEGWMFIOFDOS4N3SUWFAPVEG6OGU
X-Message-ID-Hash: X3UWWEGWMFIOFDOS4N3SUWFAPVEG6OGU
X-MailFrom: djb-dsn2-1406711340.7506@cr.yp.to
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spasm.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [lamps] Re: WG Last Call for draft-ietf-lamps-kyber-certificates-07
List-Id: This is the mail list for the LAMPS Working Group <spasm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/BTi8HqpFVpp_jv8keqr7cH5FfrE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Owner: <mailto:spasm-owner@ietf.org>
List-Post: <mailto:spasm@ietf.org>
List-Subscribe: <mailto:spasm-join@ietf.org>
List-Unsubscribe: <mailto:spasm-leave@ietf.org>

I see two BCP 79 compliance problems in this draft. The same comments
apply to draft-ietf-lamps-cms-kyber-08.


1. As background, there are known patent claims regarding Kyber. NIST
has reportedly signed patent licenses regarding patents US9094189
(Gaborit and Aguilar-Melchor) and US9246675 (Ding). However, another
patent holder wrote in

    https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAAJ

that "Kyber is covered by our patents" including "the two patents
mentioned in the KCL proposal". I've seen no evidence of a royalty-free
license for those patents, such as CN107566121A (which was filed a month
before the publication of "NewHope without reconciliation", Kyber's
direct predecessor).

Even for the GAM and Ding patents, the complete signed licenses don't
appear to be available to the public. The posting

    https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf

says that it contains "relevant language (with modifications for
readability)" from the licenses; this provides no guarantees of
completeness and accuracy.

Furthermore, what has been posted (see previous link) appears to
indicate that the US9246675 license excludes "any modification,
extension, or derivation of the parameters of the PQC ALGORITHM".


2. BCP 79 says the following: "An IETF consensus has developed that no
mandatory-to-implement security technology can be specified in an IETF
specification unless it has no known IPR claims against it or a
royalty-free license is available to implementers of the specification."

One can't implement draft-ietf-lamps-kyber-certificates-07 without
implementing Kyber. The Zhao claim that "Kyber is covered by our
patents" is a known IPR claim regarding Kyber. Consequently, before
becoming an IETF RFC, the draft should be modified to allow alternatives
to Kyber.

The only other approach would be for the draft to invoke the exception
procedure from BCP 79: "It is possible to specify such a technology in
violation of this principle if there is a very good reason to do so and
if that reason is documented and agreed to through IETF consensus." I
haven't seen IETF-wide notification of a proposal to violate this BCP 79
principle, and I'm also not aware of a good reason to do so, let alone a
"very good reason". There are patent claims regarding Kyber, so any IETF
specification using Kyber should also include alternatives.


3. BCP 79 also says the following: "The IETF must have change control
over the technology described in any Standards Track IETF Documents in
order to fix problems that may be discovered or to produce other
derivative works."

BCP 79 goes on to say that it isn't prohibiting proprietary cryptography
but requires negotiations with the patent holders to ensure change
control:

    In some cases, the developer of patented or otherwise controlled
    technology may decide to hand over to the IETF the right to evolve
    the technology (a.k.a., "change control").  The implementation of an
    agreement between the IETF and the developer of the technology can be
    complex.  (See [RFC1790] and [RFC2339] for examples.)

    Note that there is no inherent prohibition against a Standards Track
    IETF Document making a normative reference to proprietary technology.
    For example, a number of IETF standards support proprietary
    cryptographic transforms.

The change-control rule per se has no exceptions. In the absence of
change control, a draft cannot go on the standards track.

Even if we assume that

    https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf

accurately reflects the actual signed licenses, it doesn't assign Kyber
change control from the US9246675 patent holder to IETF. Modifications
to produce derivative works, for example to fix problems that may be
discovered, wouldn't be allowed. The patent holder would be free to
charge IETF arbitrary amounts to allow such modifications. This is the
type of trap that the change-control requirement is designed to avoid.


---D. J. Bernstein

v2.46.0 | Report a Bug | By Email | System Status