The contentious role of intellectual property in cryptographic standardisation

A good cryptologist, in similarity to a good patent attorney, is paranoid. One of the largest bouts of paranoia that has (probably rightfully) infected the field of cryptology is the threat posed by a quantum computer on public-key encryption. Using Shor’s algorithm, a quantum computer may break the ubiquitous public-key cryptosystems based on the order finding problem, such as RSA and elliptic-curve cryptography. Consequently, a substantial amount of cryptographic research has thus been directed towards developing quantum-safe alternatives for public-key cryptography, in a field known as Post-Quantum Cryptography (PQC). In 2024, the National Institute of Standards and Technology (NIST) published the first PQC standards, affectionately dubbed FIPS 203, 204 and 205. This article examines the selection process from an intellectual property perspective and highlights some uncommon, though not unprecedented, features of the path to cryptographic standardisation.

The usual selection process involves multiple rounds of public evaluation. In the case of PQC, NIST called for submissions in 2016, admitted 69 complete candidates into the first round, which were narrowed down to finalists and alternates in subsequent rounds, and issued the first standards in 2024. Typically, researchers submit cryptosystems, often accompanied by intellectual property statements. The community evaluates security, performance, and implement ability, and NIST publishes rationales and drafts for public comment before finalisation. Researchers prioritise the dissemination of standards and secure communications and therefore usually permit free use of potentially patentable subject matter (such as implementations of protocols). However, history provides notable exceptions, which we will explore below.

Historical examples: RSA and ECC

The encumbrance of patents does not automatically disqualify a specific cryptosystem from standardisation, but standard setting organisations and government agencies now typically require either royalty free or FRAND (fair, reasonable, and non discriminatory) licenses, or at minimum explicit disclosures, to avoid later disputes. The case of RSA is illustrative as a historic example as to why. The US patent 4 405 829 was granted in 1983 to MIT disclosing the encryption scheme, with a filing date in 1977 ​[1]​. An academic publication by the inventors had been published in 1976, which sparked many implementations of the RSA cryptosystem into software. After the patent was granted, the company RSA Security together with MIT started enforcing it, which likely stifled wide adoption of the cryptosystem but made RSA a commercial success. The patent was set to expire in September 2000 but was surprisingly released two weeks early into the public domain as a “symbolic next step in the evolution of this market” ​[2]​, perhaps to garner goodwill in the community.

The standardisation of elliptic-curve cryptography (ECC) has long been an area of uncertainty regarding intellectual property. ECC was never widely adopted despite offering advantages such as smaller key sizes in comparison to RSA. According to cryptologist Daniel J. Bernstein, “popular rumour states that elliptic-curve cryptography is a patent minefield” ​[3]​. This perception likely arose from patents covering efficient implementation techniques for ECC, although alternative implementations existed that were not patented ​[4]​. This contrasts with RSA, where the cryptosystem itself was patented. Although the NSA sought to license the relevant implementation details for standardisation, and elliptic-curve Diffie-Hellman was later incorporated into NIST standard SP 800-56Ar3, ECC never achieved broad adoption. It remains unclear whether the rumour, the patents or competition with RSA were decisive, although all three factors likely played a role.

A shift in the approach

Turning to the present and the standardisation of PQC, NIST appears to have taken a forward-looking approach to intellectual property rights. A notable feature of the PQC rollout is NIST’s facilitation of patent licences for the key encapsulation mechanism Kyber, part of FIPS 203. In response to concerns about patents claiming aspects of lattice-based key encapsulation, NIST negotiated two royalty-free licences covering United States and French patent portfolios. The US portfolio, with PCT application number WO2013152725A1, concerns a key-exchange mechanism using pairing with errors, building on the principle of learning with errors, the cryptographic primitive used in Kyber. The French portfolio, stemming from patent FR2956541B1, relates to a method for secure communication that may be used for key exchange or messaging in resource-constrained environments.

The licensors agreed to suspend enforcement rights on a royalty-free basis for implementations of Kyber in accordance with NIST’s specification ​[5]​. Notably, only excerpts of the licence have been released, so details such as any licence fees remain unknown. This proactive approach is important because standards depend on certainty. Implementers require clear intellectual property terms in addition to clear technical specifications. By addressing these issues, NIST reduces legal friction and facilitates widespread adoption of secure communication methods for governments and individuals alike.

Conclusion

These examples demonstrate that intellectual property rights play a vital role in cryptography and are often contentious. Some argue that patents should be avoided entirely, but the reality is that patents can incentivise research and do not necessarily impede adoption if managed appropriately. Compared to the telecommunications industry, where standard-essential patenting and licensing is routine, cryptography has historically handled such matters on an ad hoc basis. However, greater awareness and foresight are emerging. Perhaps the future of cryptography will also embrace FRAND licensing on a broad scale?

​​References

​​

​[1]  ​E. Roberts, “RSA Public Key Encryption,” Stanford University, 5 June 2000. [Online]. Available: https://cs.stanford.edu/people/eroberts/cs201/projects/software-patents/rsa.html. [Accessed 19 December 2025].

​[2]  ​RSA, “RSA Security Releases RSA Encryption Algorithm into Public Domain,” 6 September 2000. [Online]. Available: https://web.archive.org/web/20071120112201/http://www.rsa.com/press_release.aspx?id=261. [Accessed 19 December 2025].

​[3]  ​D. J. Bernstein, “Irrelevant patents on elliptic-curve cryptography,” [Online]. Available: https://cr.yp.to/ecdh/patents.html. [Accessed 7 January 2026].

​[4]  ​RSA Laboratories, “Are elliptic curve cryptosystems patented?,” [Online]. Available: https://web.archive.org/web/20130524001754/http://www.rsa.com/rsalabs/node.asp?id=2325. [Accessed 7 January 2026].

​[5]  ​National Institute of Standards and Technology, “NIST PQC License Summary and Excerpts,” [Online]. Available: https://csrc.nist.gov/csrc/media/Projects/post-quantum-cryptography/documents/selected-algos-2022/nist-pqc-license-summary-and-excerpts.pdf. [Accessed 7 January 2026]. ​

‍