Yaakov Stein writes:
> Any IPR that can be asserted against Kyber can be asserted against
> already adopted hybrid methods incorporating Kyber.

I agree. I think the chairs have caused some confusion by highlighting patent issues in the call for adoption---was it not already obvious that the hybrid issue was the most important one to highlight?

On the other hand, patents also seem relevant to a preliminary step that has been skipped here, namely identifying why the proposal is claimed to be adding something important. The draft's motivation sentence consists of rearranging buzzwords without answering the question:

   Having a fully post-quantum (not hybrid) key agreement option for TLS
   1.3 is necessary for migrating beyond hybrids and for users that need
   to be fully post-quantum.

https://www.schneier.com/wp-content/uploads/2016/02/paper-ipsec.pdf explained a long time ago how "adding features, options, and additional flexibility to satisfy various factions within the committee"---rather than focusing on security---tends to damage security. This was finally taken into account in TLS 1.3, which removed many TLS 1.2 options.

So there should be an explanation of why the currently proposed option has security benefits outweighing the costs of extra options. Yes, there's a quantum threat to be handled, but a non-hybrid Kyber draft isn't doing any better at that than the existing hybrid Kyber.

If the claim is that adding a no-seatbelts option will improve applicability, then this claim should be backed up by an applicability analysis; but an applicability analysis certainly shouldn't ignore known patents.

> If anything, one may attempt to argue that hybrids do not implement
> NIST's MLKEM scheme
> and are thus not covered by the NIST licenses.

Hmmm. I'd think that such an argument would have to be backed up by a pointer to license text that would allow _some_ types of applications of ML-KEM, while excluding others, and in particular excluding hybrids.
I've looked at

   https://web.archive.org/web/20240331123147/https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf

and don't see how any of the text there would support such an argument.

NIST hasn't posted the complete signed licenses, and it's certainly possible that there's something problematic hidden there, but this isn't an argument against hybrids: hidden text could just as easily be a problem for non-hybrids.

---D. J. Bernstein

_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org