Root Causes 536: Patent Blocker on ML-KEM

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

October 15, 2025

A patent dispute in 2024 nearly blocked ML-KEM. But emerging thinking raises concern that the 2024 resolution did not guarantee full, clear access to all ML-KEM implementations. We explain.

Podcast Transcript

Tim CallanJason, I'm going to take you back in time three years to July 5, 2022. That is the day that NIST announced the round three winners. And another thing that also occurred on that day was it announced that it had cleared a potential patent blocker that would have prevented these winners from moving forward. We actually covered this in our Episode 269 which is called something to the effect of, did a patent dispute nearly prevent the progress of PQC, or something along those lines. 269. And so I had put this in the history bucket for me. That was interesting, and that's done, and we're moving forward, but I think it's not all the way done?

Jason SorokoLet's talk about exactly what happened back then. We are talking about CRYSALS-Kyber, ML-KEM today? There were some, I mean, Kyber itself had, what, at least two patents. Or, specifically, two patents from French organizations that held those patents, and therefore what needed to happen in order for the ML-KEM to be released was NIST, got a license to basically, you can use it. And that was our story, and we podcasted it and released it, and everybody was happy. But I think that what’s interesting is people have looked at it really hard, and that license that allows people to use ML-KEM is extremely narrow in scope. And I'm not a lawyer, a atent lawyer, so anybody who wants to correct me, please do. Apparently it's narrow enough in scope that any deviation of anything from ML-KEM, which might be necessary in an implementation, you're no longer absolved or free from the patent.

Tim CallanAnd I think we discussed at that time, the idea that this would be a narrow set of rights that were granted very specifically, because these institutions might have other things they wanted to do with this patented technology that didn't involve moving the world to ML-KEM and they should be able to continue to do that right, which, like in principle at that level, sounds very agreeable, but your point is that that means that upgrades that are required for the implementation of this algorithm to have it work in the real world may be encumbered once again.

Jason SorokoAnd without getting into details because this could easily be an hour long podcast and I really want to avoid it. There are also hardware usages of it, of which people who are using accelerators and inside of PKI hardware who want to implement this have looked at this and said, they're spooked by something. So we can leave it there. And we had Sofia Celi on recently, and she kind of inspired this podcast, because it reignited my interest in what those patents were, because she was talking about how alternative forms of already implemented standards, she implied that possibly there could be replacements down the road.

Tim CallanSure did.

Jason SorokoThat was like she dropped a neutron bomb on me by saying that. Probably not shocking, but I think that, I think we should have Dustin Moody on again at some point to really clear a lot of this up and give NIST’s position. And it's all good, but IETF, they're doing interesting things right now. One of the things that Sofia Celi was a co- author on, and I hope she doesn't mind me saying this, the IETF work on draft-Fluhrer-cfrg-ntru is what it's called, basically, NTRU parameter sets, the patent and all that I think is gone as of 2021 and therefore it's royalty free. It's patent free, is the idea. Therefore, I think people are looking for an ML-KIM fallback in case things tighten up. And in terms of patent enforcement things like this. I'm not saying or implying that there's going to be any kind of litigative situations here. It's just, I think people want free, clear and easy standards to work with.

Tim CallanI mean, when you're getting into this kind of standards level stuff, I agree it has to be really, really clean.

Jason SorokoThe criticality, Tim, of stuff you're going to build with these it's like the core of your stuff.

Tim CallanI mean you can't really tolerate any chance that someone's going to come along and say, everybody in the world owes me a nickel.

Jason SorokoCan you imagine putting like a billion IoT devices out in the world, and they all use this somehow, somewhere, and - -

Tim CallanAnd someone comes along and says, now you owe me $1 an item.

Jason SorokoI can tell you that a good lawyer working for that organization would look at this and go, there's gray zone. No. That's what any good lawyer would probably do, and that's what's happening right now, and that's what this podcast is about.

Tim CallanSo that’s interesting and worthwhile and important. We certainly are seeing ML-KEM is being implemented and used in a lot of places today. So that's going to put some momentum behind that particular stuff gets entrenched. That's going to be an entrenching factor. It'll be interesting to see if these kind of worries change that, because that's happening now.

Jason SorokoExactly. I don't want to negate anything this did. I think Dustin Moody's work over there and his team have done incredible things. I think getting that patent clearance was just fantastic. We reported on it, and we should all celebrate it. On the other hand, Sofia is bringing up some points, and I would love, I mean, my dream would be to have a panel where we have Sofia and Dustin Moody and some others who are involved all in the same room to have the conversation.

Tim CallanMaybe we should try for that.

Jason SorokoMaybe we should try for that. So that's my aspiration. You guys know where we live, so we'll try and reach out to you, and maybe we'll get something organized. That could be a very special episode of the Root Causes podcast. But suffice to say, for now, we have people like Sofia on, we have people like Dustin on, and others who can weigh in on this individually, and all have their say. And I think as of right now, I'd love to hear from Dustin. He would know the details. And Sofia has got, definitely got her point of view, and she's one of the lead people in authoring the alternatives. And she dropped a heck of a few statements in that podcast. If you haven't heard that Sofia Celi episode recently, please listen to it.

Tim CallanThe most recent one we've had her on.

Jason SorokoShe dropped more in in two or three breaths she took than most people do in in a whole year. And so check that out. But this podcast is about, Tim - let's call it what it is. I don't know if this is the title of the podcast, but wow, if we thought crypto agility, cryptographic agility was important before, it's not just the attackers we have to worry about.

Tim CallanAbsolutely. Yes. That's interesting. Like, a whole different angle on the need for crypto agility. When we talk about the need for crypto agility, we're imagining attacks and imagining, new computing architectures and more compute power thrown at it and things along those lines. But sure, the wrong legal encumbrance, absolutely.

Jason SorokoSo let's, drop some of the reasons right now on everybody's head for why crypto agility. So obviously, white hats, white hats versus the math, white hats versus the implementation. Dustin Moody talked about that at length, and that's why we need diversity of math, diversity of implementation. Sofia Celi dropped on us, what happens if we come up with such a better, that, and her exact words were ML-DSA. There are potentially alternatives that might have such a better key size, that why would you use ML-DSA. And what happens if you've implemented ML-DSA and that comes out and you really want to switch? Well, you should be able to, and only crypto agility will give that to you. And then there's this legal thing. So there's at least four reasons for crypto agility, and each one of them is a deal breaker massive deal.

Tim CallanAgreed. This legal thing is, I think, not just me, but I think most people aren't putting that in the mix. Those other three yes so. Maybe number three less so. The Sofia Celi point. I think that's more of a advanced idea.

Jason SorokoWell, she's at the center of it. She’s right at the center of trying to improve it and fantastic. Terefore she is going to say something like that. Her point is a good one.

Tim CallanI do suspect, just from what I read online and what I discuss with people, that this idea of perhaps this stuff does turn out to be legally encumbered isn't really part of the normal dialog. In part, because a lot of people like me believed this was resolved.

Jason SorokoI think we live in a world of assume nothing, and here we are.

Tim CallanHere we are.

Jason SorokoSo anyway, Tim, we're here to keep you guys informed about these kinds of things. And sometimes we're also here to reinterpret, when we have, especially when a really great guest on they drop 100 points of information on you in 30 seconds, sometimes we have to tease out what, what was actually said, because I think some people miss these things, and it's worth repeating. So let's get Dustin back on. Let's get Sofia back on. Let's get a panel going.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!