2020.07.05 08:58:35 (1279670996706836483) from Daniel J. Bernstein:
Warning: Patent https://patents.google.com/patent/US9094189B2, expiring 2032, covers subsequent LPR cryptosystem and derivatives such as Kyber, LAC, NewHope, NTRULPR, Round5, Saber, ThreeBears. Also, I'm increasingly skeptical of the idea that these avoid patent https://patents.google.com/patent/US9246675B2, expiring 2033.
2020.07.05 09:24:55 (1279677625410088963) from Daniel J. Bernstein:
A British law firm named Keltie, not (as far as we can tell) saying who's paying it to do this, filed a formal objection to the 2032 patent. The patent was upheld. To see all documents (including a few interesting documents) and watch the ongoing appeal: https://register.epo.org/application?number=EP11712927&lng=en&tab=doclist
2020.07.05 09:34:25 (1279680016226238464) from Daniel J. Bernstein:
I would love the patent to magically go away, but I find Keltie's objections unconvincing, and their star witness seems to be lying under oath. If this cryptosystem was already obvious in 2009, why did the 2010 LPR paper https://link.springer.com/content/pdf/10.1007%2F978-3-642-13190-5_1.pdf highlight a bigger, slower system?
2020.07.05 09:54:00 (1279684941714911233) from Daniel J. Bernstein:
LPR encryption using noisy DH + reconciliation was published in talks starting 2010.04 and in later LPR paper updates, but patent on encryption using noisy DH + reconciliation was already filed 2010.02. I find 2009 publications with noisy DH, but no reconciliation, no encryption.
2020.07.05 10:08:19 (1279688548078084096) from Daniel J. Bernstein:
As for the patent expiring 2033, as far as I can tell this is the original source of chopping ciphertext sizes by a factor of almost 2. Claims of obviousness are again undermined by a subsequent paper from an expert claiming the ciphertext-size reduction as his main contribution.
2020.07.05 10:12:18 (1279689548910309376) from Daniel J. Bernstein:
For a while there has been a narrative that this patent applied to original NewHope (as in Google's CECPQ1) but not to modified NewHope (as in #NISTPQC), because of a minor change in the NewHope details. I doubt courts will care about this minor change. Ciphertext size is clear.
2020.07.05 10:17:12 (1279690780295065600) from Daniel J. Bernstein:
Quotient NTRU is much older and had the same ciphertext size (actually, even slightly better), but it wasn't using noisy DH. Given the procedures that courts use to handle patent cases, I wouldn't be surprised if this patent ends up covering all compressed noisy-DH cryptosystems.