Fighting patents

Preliminary list of patents and patent applications mentioned in NIST PQC submissions:

Priority date 2000.07.25 : application WO 2002009348 A3. Submission claims coverage of pqNTRUSign.

: application WO 2002009348 A3. Submission claims coverage of pqNTRUSign. Priority date 2001.12.07 : patent US 7308097. 889-day patent-term adjustment, so won't expire until 2024 . Submission claims coverage of FALCON.

: patent US 7308097. 889-day patent-term adjustment, so won't expire until . Submission claims coverage of FALCON. Priority date 2001.12.07 : patent US 7913088. 654-day patent-term adjustment, so won't expire until 2023 . Submission claims coverage of pqNTRUSign.

: patent US 7913088. 654-day patent-term adjustment, so won't expire until . Submission claims coverage of pqNTRUSign. Priority date 2002.04.11 : patent US 7158636. 704-day patent-term adjustment, so won't expire until 2024 . Ding. Submission claims coverage of Gui and Rainbow.

: patent US 7158636. 704-day patent-term adjustment, so won't expire until . Ding. Submission claims coverage of Gui and Rainbow. Priority date 2005.01.11 : patent US 7961876. 1335-day patent-term adjustment, so won't expire until 2028 . Ding. Submission claims coverage of Gui and Rainbow.

: patent US 7961876. 1335-day patent-term adjustment, so won't expire until . Ding. Submission claims coverage of Gui and Rainbow. Priority date 2005.06.08 : patent US 7649999. 772-day patent-term adjustment. Submission claims coverage of WalnutDSA, which is broken.

: patent US 7649999. 772-day patent-term adjustment. Submission claims coverage of WalnutDSA, which is broken. Priority date 2005.06.08 : patent US 9071427. 0-day patent-term adjustment. Submission claims coverage of WalnutDSA, which is broken.

: patent US 9071427. 0-day patent-term adjustment. Submission claims coverage of WalnutDSA, which is broken. Priority date 2010.02.18 : patent EP 2537284; US 9094189; FR 10/51190; looks like fees paid also for DE, GB, CH. Submissions claim coverage of BIKE, HQC, RQC, Ouroboros. Preliminary analysis: This patent is extremely dangerous for small-key code-based cryptography and small-key lattice-based cryptography . Concretely, this is a very broad patent on encryption via noisy DH + reconciliation. This does not include NTRU but it includes the New Hope NIST submission and many other lattice-based submissions to NIST. The priority date is before the LPR publication typically credited (in the context of small-key lattice systems) for noisy DH + reconciliation. Peikert posted noisy DH slides in 2009, but those slides didn't have reconciliation. The original version of the LPR paper (February 2010 final version for Eurocrypt, published a few months later by Springer) had a more complicated system with larger keys, and the simple "LPR10" system (small keys, noisy DH, reconciliation) did not appear until a subsequent revision of the paper.

: patent EP 2537284; US 9094189; FR 10/51190; looks like fees paid also for DE, GB, CH. Submissions claim coverage of BIKE, HQC, RQC, Ouroboros. Preliminary analysis: This patent is . Concretely, this is a very broad patent on encryption via noisy DH + reconciliation. This does not include NTRU but it includes the New Hope NIST submission and many other lattice-based submissions to NIST. The priority date is before the LPR publication typically credited (in the context of small-key lattice systems) for noisy DH + reconciliation. Peikert posted noisy DH slides in 2009, but those slides didn't have reconciliation. The original version of the LPR paper (February 2010 final version for Eurocrypt, published a few months later by Springer) had a more complicated system with larger keys, and the simple "LPR10" system (small keys, noisy DH, reconciliation) did not appear until a subsequent revision of the paper. Priority date 2012.04.12 : patent US 9246675. Ding. 0-day patent-term adjustment, so expires 2032.04.12 . Same ciphertext-size reduction (by the same technique, modulo trivial tweaks) that Peikert falsely claimed to be new in 2014. (Quote from 2014 Peikert: "As compared with the previous most efficient ring-LWE cryptosystems and KEMs, the new reconciliation mechanism reduces the ciphertext length by nearly a factor of two, because it replaces one of the ciphertext's two R_q elements with an R_2 element.") Submission claims coverage of Ding Key Exchange. Preliminary analysis: covers some other lattice-based schemes, such as the original version of New Hope deployed by Google; shouldn't cover the New Hope NIST submission. Many rumors of aggressive enforcement attempts.

: patent US 9246675. Ding. 0-day patent-term adjustment, so expires . Same ciphertext-size reduction (by the same technique, modulo trivial tweaks) that Peikert falsely claimed to be new in 2014. (Quote from 2014 Peikert: "As compared with the previous most efficient ring-LWE cryptosystems and KEMs, the new reconciliation mechanism reduces the ciphertext length by nearly a factor of two, because it replaces one of the ciphertext's two R_q elements with an R_2 element.") Submission claims coverage of Ding Key Exchange. Preliminary analysis: covers some other lattice-based schemes, such as the original version of New Hope deployed by Google; shouldn't cover the New Hope NIST submission. Many rumors of aggressive enforcement attempts. Priority date 2015.03.30 : application US 15/562034. Ding. Submission claims coverage of Gui and Rainbow.

: application US 15/562034. Ding. Submission claims coverage of Gui and Rainbow. Priority date 2016.11.18 : application PCT/KR2017/013119. Same as WO2018093203A1. Submission claims that this application covers Lizard. Submitters have not answered question of whether application also covers, e.g., SABER. Patent application seems to cover schemes where the public key uses addition of error (as in, e.g., LPR) but the ciphertext uses rounding. Rounded ciphertexts appeared earlier (May 2016) in the NTRU Prime paper.

: application PCT/KR2017/013119. Same as WO2018093203A1. Submission claims that this application covers Lizard. Submitters have not answered question of whether application also covers, e.g., SABER. Patent application seems to cover schemes where the public key uses addition of error (as in, e.g., LPR) but the ciphertext uses rounding. Rounded ciphertexts appeared earlier (May 2016) in the NTRU Prime paper. 201611018451.3, 201611018455.1. Is 201611018451 the first one? Submission claims coverage of KCL (OKCN/AKCN/CNKE).

EP17156214, EP17170508, EP17159296, EP17196812, EP17196926. Philips. Submission claims coverage of Round2.

US 20150229478. Submission claims coverage of pqNTRUSign.

JP 5736816, US 8522033, US 8959355, CN ZL201110145023.8. Sony. Submission claims coverage of MQDSS.

US 9912479. Submission claims coverage of QC-MDPC.

US 15/270824, US 62/240182, US 15840121, US 62/435151. Submission claims coverage of RLCE, where some of the parameters are broken.

Australia 2017901941. Submission claims coverage of Compact LWE, which is broken.

Spain P201700779. Submission claims coverage of DME, which is broken.

15/270,930, 15/816,378. Submission claims coverage of WalnutDSA, which is broken.

Plus a few patents that don't seem to cover anything: