[TLS] Re: WG Adoption Call for Post-Quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3

"D. J. Bernstein" <djb@cr.yp.to> Fri, 14 March 2025 19:52 UTC

Date: Fri, 14 Mar 2025 19:52:18 -0000
Message-ID: <20250314195218.686671.qmail@cr.yp.to>
From: "D. J. Bernstein" <djb@cr.yp.to>
To: tls@ietf.org
Mail-Followup-To: tls@ietf.org
In-Reply-To: <0a812421-c74f-4171-81db-8961a9f6d8f6@redhat.com>
Subject: [TLS] Re: WG Adoption Call for Post-Quantum Hybrid ECDHE-MLKEM KeyAgreement for TLSv1.3
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/McbxNXoLVdfQLtq36WOThEVHv7A>

Alicja Kario writes:
> NIST has selected HQC for standardisation this week... No idea about
> its patent situation

Interesting question.

My tracking page lists HQC as being claimed by GAM. People have mostly
heard about GAM as a lattice patent, but the patent is actually broader
and originates in code-based cryptography. As confirmation,

    https://web.archive.org/web/20250314182134/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/round-4/final-ip-statements/HQC-Statements-Round4.pdf

claims applicability of U.S. patent 9094189 and French patent 10/51190.

However, that document also has a FRAND-RF commitment triggered by NIST
standardization. Of course FRAND-RF can have poison pills, but

    https://web.archive.org/web/20221130033932/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf

doesn't report any poison pills, and at a cursory glance it seems to
exempt not just Kyber but also HQC from the GAM patent.

Maybe I'm missing something---NIST's latest report mentions just the
future-FRAND-RF commitment without mentioning the existing license---but
maybe the NIST patent negotiators back in 2022 did something right.

On the other hand, this patent minefield is bigger than the GAM patent.
The same license has different terms regarding patent 9246675, clearly
allowing _only_ unmodified ML-KEM. As far as I can tell, even another
version of Kyber (the 2017 version, the 2019 version, the 2020 version,
or a future patched version) wouldn't be within this 9246675 license;
merely being similar, like HQC, is definitely not enough to trigger the
license.

The question, then, is whether HQC is covered by 9246675. As always, the
doctrine of equivalents says that patents cover not just what's
literally claimed but also anything that's doing "substantially" the
same thing, so a patent lawyer will pull out endless literature on
similarities between HQC and the patent. NIST's report even feeds into
this by saying that HQC is "similar in structure" to LPR, ML-KEM, etc.

An HQC user targeted by 9246675 wins if the court doesn't accept the
doctrine-of-equivalents argument. Otherwise I think there's some chance
of success of an ensnarement defense. The way this works is that the
court challenges the patent holder to retroactively expand the patent
claims, and then the court will ask whether the expanded "hypothetical"
claims (1) would also have been patentable and (2) literally cover HQC.
It's not immediately obvious to me that the patent holder will be able
to get past this. On the other hand, the patent holder has carte blanche
to engage in retroactive creative writing, so thinking through all the
possibilities in advance is labor-intensive.

This analysis then has to be repeated for other patents in the same
minefield, such as the Zhao patent that claims Kyber coverage. HQC was
modified in October 2024, so any patent filed before then might apply.
Patent applications typically aren't public until 18 months later.

---D. J. Bernstein