Sophie Schmieg writes:
> NTRU being chosen for non-security related criteria that have since
> materially changed.

I recommend discussing the patent issues explicitly, including public analysis of the patent threats.

For example, Yunlei Zhao in https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/Fm4cDfsx65s/m/F63mixuWBAAJ said "Kyber is covered by our patents (not only the two patents mentioned in the KCL proposal, but also more patent afterforwards)".

The first two patents were filed a month before the publication of "NewHope without reconciliation", Kyber's direct predecessor:

   https://patents.google.com/patent/CN107566121A/en
   https://eprint.iacr.org/2016/1157

Maybe there's some reason that Zhao is wrong and these patents don't actually cover Kyber, but then it's important to have a public analysis convincingly saying why.

More broadly, the big project of protecting user data against future quantum computers has suffered years of delay from the combination of

   * paying inadequate attention to patents and
   * selecting cryptosystems in the GAM/LPR family.

Some people seem to think that the activation of NIST's licenses in 2024 will bring this mess to an end; I'm skeptical.

---D. J. Bernstein

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls