JamesTheAwesomeDude / pypqc

Attempt to expose Wiggers and Stebila's PQClean via Python CFFI

Resolve patent encumbrance status of Kyber #8

Open JamesTheAwesomeDude opened 5 months ago

JamesTheAwesomeDude commented 5 months ago

To: NIST PQC Administrative Comments
Sent: January 16, 2024 9:52 AM CST

I'm trying to publish an implementation of Kyber, but I'm worried about liability exposure from patents US9094189B2 and US9246675.

While researching, I found that you had reportedly licensed these patents for use with Kyber. However, the full agreement is not publicly available to my knowledge, so I can't tell whether it would actually be legal for me to publish an implementation.

I see you've published a summary[1] of these licenses, but I and many others[2][3][4][5] find it *deeply concerning* that the actual patent license isn't anywhere to be found.

Right now, any implementers are only taking your word that we even have permission to use the algorithm, and, legally speaking, that is a disturbing situation to be in.

Please release the full license agreement you negotiated for these patents, because we cannot safely implement Kyber without knowing the full terms.

[1] "NIST PQC License Summary and Excerpts", 29 Nov 2022, https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf

[2] Scott Fluhrer, Principal Engineer, Cisco Systems Security and Trust Organization, pqc-forum, 15 Jul 2022, https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/G0DoD7lkGPk/m/d7Zw0qhGBwAJ

[3] Daniel Apon, MITRE cryptography lead, pqc-forum, 15 Jul 2022, https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/G0DoD7lkGPk/m/G_evJqQNKQAJ

[4] Greg Maxwell, pqc-forum, 11 Aug 2022, https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/G0DoD7lkGPk/m/of2mVEnlEAAJ

[5] IETF Post-Quantum Use in Protocols Working Group, "Patents and PQC", IETF 116 Meeting, 31 Mar 2023, https://datatracker.ietf.org/meeting/116/proceedings#pquip

Thanks for your consideration,

JamesTheAwesomeDude commented 5 months ago

To: John Schanck (Mozilla)
Sent: January 16, 2024 5:56 PM CST

John,

I've got a quick question about the integration of Kyber into NSS you did in support of #1826451:

Were you, or anyone at Mozilla, ever able to actually put eyes on a patent license for Kyber? Or did you simply take NIST's paraphrased summary on faith? (Or is it Mozilla's position that the patents are invalid, or that they don't apply to Kyber?)

The reason I ask is: I'm writing some Python bindings for PQClean, a set of post-quantum cryptography C libraries; I wanted to see if I was (or at least warn my users if they might be) violating U.S. law by using Kyber. It's basically impossible to find solid information out there, though, so I thought I'd see if any other major open-source projects had integrated Kyber yet, and if so how they'd handled the patent encumbrance.

Thanks in advance,

JamesTheAwesomeDude commented 4 months ago

To: IETF Post-Quantum Cryptography discussion list
Sent: February 18, 2024 3:01 PM CST

> I filed a FOIA request in 2020 regarding NIST's post-quantum patent
> handling. NIST admitted various negotiations regarding patent 9094189.
> NIST refused to turn over 3 documents totaling 31 pages.

> I filed a FOIA request "NSA, NIST, and post-quantum cryptography" in
> March 2022 for the full project records. NIST stonewalled; I took NIST
> to court. See https://nist.pqcrypto.org/foia/index.html for a
> periodically updated collection of the documents released in the
> litigation, including various documents marked "not for public
> distribution".

Wow, thanks for that information, Dan. That is exactly the kind of background I hoped to find out by opening this thread.

Is there any other "FYSA" information you would suggest I know before entering a meeting with NIST's legal team? (The agenda for _this_ meeting is the single task of seeking a signed copy of the Kyber licenses, or a signed sublicense from NIST as substitute if they claim legal inability to disclose the original, which I can present to my users for their own comfort, in case any of them hold the belief that at least one of the patents 9094189 and 9246675 is both valid and applicable to Kyber.)

NIST's press contact(?), Dustin Moody, when I pressed him for that license (attached as a Forward at the bottom of the first e-mail in this thread), claimed that "several other parties have met with [NIST's legal team] and come away satisfied", but I'm obviously skeptical of my own prospects for that meeting; since none of these "parties" to my knowledge have published whatever "satisfaction" they got from it, I'm assuming that none of them were representatives of open-source projects, OR that at least some of the parties were not actually satisfied by the meeting. (Non-exclusive "OR", of course.)

While it's "conceivable" that everything will go smoothly and NIST's lawyers were just waiting on someone to ask them, I decided to gather more information beforehand due to a hunch that it would be unreasonably optimistic to expect that result, and seeing how they've handled your FOIA requests suggests my hunch was dead-on.

I've also reached out to the Stanford Center for Internet and Society in case they have any suggestions or would be able to offer direct assistance in the meeting, but I haven't heard back from them yet.

JamesTheAwesomeDude commented 4 months ago

To: Center for Internet and Society (law.stanford.edu)
Cc: Timothy J.
Sent: Feb 4, 2024 11:27 AM CST

We're hoping the Center for Internet and Society at Stanford could offer some advice on a situation involving NIST and its Post-Quantum Cryptography Competition (PQC), which I believe touches on 2 of your focus areas: Open Government, and Architecture & Public Policy.

In brief:

- Kyber, which is the only post-quantum encryption algorithm NIST has standardized so far, is patent-encumbered.

- NIST's press team claims that it has procured a set of licenses which would allow everyone to legally implement and use Kyber.

- NIST has so far refused to publish these licenses, which we (as implementers) and our users are supposed to be relying on.

- When pressed, the NIST PQC press contact claimed that we "don't need to worry about it"[sic], but emphasized that he wasn't a lawyer and wasn't able to actually speak on this point.

- The contact said he would forward our request to the NIST legal team, but that was 3 weeks ago (Jan 16, 2024) and we haven't heard back.

- The contact also offered to set up a meeting with the NIST legal team, claiming that "several other parties have met with them and come away satisfied". We intend to take him up on this, and are contacting you as part of our preparation for the meeting.

Our connection to this is that we're the maintainers of a Python package that provides bindings for all the algorithms that got selected in the NIST post-quantum cryptography competition, and we want to make sure that its users are informed of all relevant terms before installing the package; the patent license agreements NIST reportedly secured don't seem to be OSI-approved, based on the limited "summary and excerpts" document they published.

Obviously, if we claim (with no warranty of noninfringement) that NIST "convinced us" that it's "probably safe" to use Kyber, that's completely inappropriate for a license document in a serious software package. Users need to actually have access to the full terms and conditions of any software or libraries they're using.

Now, it's possible that the meeting will be straightforward, and we'll walk out of it with a written legal artifact we can present to our users as proof that it's legal (and under exactly what conditions it is legal) for them to use Kyber. But I really can't imagine that happening. I'm worried that NIST will find some way to avoid providing satisfaction—maybe they'll claim their press release "should" be good enough for us; maybe they'll try to convince us that we don't actually "need" any artifact because the master license terms really are generous enough; maybe they'll claim they're legally forbidden from publishing the license; maybe they'll just claim they don't feel like helping us and aren't obliged to do so.

Our project is an independently operated open-source library, so we don't have the budget to hire a patent lawyer to assist us in this meeting to ensure we avoid all tricks and actually leave with satisfaction we can provide to prospective users of our library.

Recently brought to our attention was Debian's recommendation for software developers and maintainers to intentionally avoid all knowledge of patents to make themselves less juicy targets for lawsuits, but, to put it bluntly, that ship had long sailed by the time we found out about it. From here, I believe there's no way out but through, and getting this horrible ambiguity of Kyber's license resolved would be a public good. (I can speak more to the problems this has caused beyond just our project, if needed.)

Is this something the CIS would be able to offer any help with? Or, if you cannot help us at all with this issue, do you know or recommend any foundations that might?

Thanks for your consideration,

--

JamesTheAwesomeDude commented 3 months ago

To: Martin Thomson (mozilla.com)
Cc: Timothy J.
Sent: Mar 15, 2024 6:34 PM CDT

Martin,

Eric Rescorla, the former Firefox CTO, suggested that I forward this question to you.

Considering that Firefox has shipped the Kyber cryptosystem as an opt-in feature since Release 123.0, does Mozilla have any stance, or any information, on the license NIST reportedly acquired on the public's behalf for U.S. patents 9094189 and 9246675? As the principal maintainer of pypqc, which also implements the Kyber cryptosystem, I've been trying to find a copy of that license; I'm very curious to see what extra conditions it has so I can display a correct and complete EULA to my users, but I've found nothing more concrete than that strange press release so far.

As for Mozilla, I already tried asking the person who committed Kyber into Firefox (2 months ago, attached below); and I already tried asking Mozilla publicly (1 month ago, Discourse #128814); but I have got no reply yet.

As for the patent-holders (Jintai Ding and CNRS), I also already tried contacting them; both of them told me that they're under NDAs and are not at liberty to disclose the terms and conditions, and that I should contact NIST if I want information.

As for NIST itself, I of course tried contacting them first; their press contact refused to give me any further information, but offered to arrange a meeting with their lawyers, saying cryptically that “several other parties have met with them and come away satisfied after the meeting”[sic].
https://mailarchive.ietf.org/arch/msg/pqc/ArqjlUc2cVmRQZeavDRDoXHwkyo/

I'm currently preparing for that meeting, but I want to know all the relevant information going into it, so I'm trying to figure out how other open-source software maintainers have handled this nasty situation so far.

Thanks for any context you're able to provide,

--

JamesTheAwesomeDude commented 3 months ago

The Stanford CIS said they “are unable to help with this”, but recommended I check out Stanford’s IP and Innovation Clinic.

To: Phillip R. Malone (law.stanford.edu)
Cc: Timothy J.
Subject: Request for help - NIST Kyber License
Sent: Mar 24, 9:37 AM CDT

Professor Malone,

We're writing on behalf of open-source cryptography library, pypqc (https://pypi.org/project/pypqc/), to ask if the Juelsgaard IP and Innovation Clinic would be able to help us with an IP licensing difficulty relating to vital public encryption standards.

In brief:

  • Kyber, which is the only post-quantum encryption algorithm currently standardized by NIST, may be patent-encumbered (U.S. patents 9094189 and 9246675).
  • NIST's press team claims that NIST has secured a license for these patents, which would allow any interested party to implement Kyber at no cost.
  • NIST has, however, refused to allow any member of the public to actually see this license, as far as I can tell.
  • The pypqc team is going to meet with NIST's legal team this year to try to resolve this situation, and we are seeking advice in preparation for this meeting.

Is this something the JIPIC would be willing and able to assist with?

If not, what organizations do you recommend that might? We already reached out to the Stanford Center for Internet and Society, but their director, Barbara van Shewick, directed us to you.

--