D. J. Bernstein
Fighting patents
Dear Ms. Tarzian
US patent 4200770, Hellman Diffie Merkle, public-key cryptography
US patent 4405829, Rivest Shamir Adleman, RSA cryptosystem
US patent 4964164, Fiat, batch RSA signing
US patent 4995082, Schnorr, short signatures
US patent 5159632, Crandall, elliptic-curve cryptography
US patent 5222140, Beller Chang Yacobi, session keys
US patent 5271061, Crandall, elliptic-curve cryptography
US patent 5299262, Brickell Gordon McCurley, exponentiation
US patent 5347581, Naccache M'Raihi, DSS batch verification
US patent 5463690, Crandall, elliptic-curve cryptography
US patent 5673318, Bellare Guerin Rogaway, message authentication
US patent 5848159, Collins Hopkins Langford Sabin, RSA with several primes
US patent 5999627, Lee Lim, exponentiation
US patent 6012061, Sharma, deletion in Patricia trees
US patent 6141420, Vanstone Mullin Agnew, elliptic-curve cryptography
US patent 6185681, Zizzi, file encryption
US patent 7774607, Ferguson, signature verification
US patent 7929688, Yamamichi Futa Ohmori Tatebayashi, NTRU without decryption failures
US patent 8045705, Antipa Poeluev, double-scalar multiplication
US patent 8218760, Joye, compressed RSA keys
US patent 8284930, Antipa Poeluev, double-scalar multiplication
US patent 9942040, Kalach (Isara), randomizing public lattice parameters
US patent 9794249, Truskovsky Yamada Brown Gutoski (Isara), multiple signing
Preliminary list of patents and patent applications
mentioned in NIST PQC submissions:
- Priority date 2000.07.25: application WO 2002009348 A3.
  Submission claims coverage of pqNTRUSign.
- Priority date 2001.12.07: patent US 7308097.
  889-day patent-term adjustment, so won't expire until 2024.
  Submission claims coverage of FALCON.
- Priority date 2001.12.07: patent US 7913088.
  654-day patent-term adjustment, so won't expire until 2023.
  Submission claims coverage of pqNTRUSign.
- Priority date 2002.04.11: patent US 7158636.
  704-day patent-term adjustment, so won't expire until 2024.
  Ding.
  Submission claims coverage of Gui and Rainbow.
- Priority date 2005.01.11: patent US 7961876.
  1335-day patent-term adjustment, so won't expire until 2028.
  Ding.
  Submission claims coverage of Gui and Rainbow.
- Priority date 2005.06.08: patent US 7649999.
  772-day patent-term adjustment.
  Submission claims coverage of WalnutDSA, which is broken.
- Priority date 2005.06.08: patent US 9071427.
  0-day patent-term adjustment.
  Submission claims coverage of WalnutDSA, which is broken.
- Priority date 2010.02.18: patent EP 2537284; US 9094189; FR 10/51190;
  looks like fees paid also for DE, GB, CH.
  Submissions claim coverage of BIKE, HQC, RQC, Ouroboros.
  Preliminary analysis:
  This patent is extremely dangerous for small-key code-based cryptography
  and small-key lattice-based cryptography.
  Concretely, this is a very broad patent on encryption via noisy DH + reconciliation.
  This does not include NTRU but it includes the New Hope NIST submission
  and many other lattice-based submissions to NIST.
  The priority date is before the LPR publication typically credited
  (in the context of small-key lattice systems) for noisy DH + reconciliation.
  Peikert posted noisy DH slides in 2009, but those slides didn't have reconciliation.
  The original version of the LPR paper (February 2010 final version for Eurocrypt,
  published a few months later by Springer) had a more complicated system with larger keys,
  and the simple "LPR10" system (small keys, noisy DH, reconciliation)
  did not appear until a subsequent revision of the paper.
- Priority date 2012.04.12: patent US 9246675.
  Ding.
  0-day patent-term adjustment, so expires 2032.04.12.
  Same ciphertext-size reduction (by the same technique, modulo trivial tweaks)
  that Peikert falsely claimed to be new in 2014.
  (Quote from 2014 Peikert:
  "As compared with the previous most efficient ring-LWE cryptosystems and KEMs,
  the new reconciliation mechanism reduces the ciphertext length by nearly a factor of two,
  because it replaces one of the ciphertext's two R_q elements with an R_2 element.")
  Submission claims coverage of Ding Key Exchange.
  Preliminary analysis:
  covers some other lattice-based schemes,
  such as the original version of New Hope deployed by Google;
  shouldn't cover the New Hope NIST submission.
  Many rumors of aggressive enforcement attempts.
- Priority date 2015.03.30: application US 15/562034.
  Ding.
  Submission claims coverage of Gui and Rainbow.
- Priority date 2016.11.18: application PCT/KR2017/013119.
  Same as WO2018093203A1.
  Submission claims that this application covers Lizard.
  Submitters have not answered the question of whether the application also covers, e.g., SABER.
  Patent application seems to cover schemes where the public key uses addition of error
  (as in, e.g., LPR) but the ciphertext uses rounding.
  Rounded ciphertexts appeared earlier (May 2016) in the NTRU Prime paper.
- 201611018451.3, 201611018455.1.
  Is 201611018451 the first one?
  Submission claims coverage of KCL (OKCN/AKCN/CNKE).
- EP17156214, EP17170508, EP17159296, EP17196812, EP17196926.
  Philips.
  Submission claims coverage of Round2.
- US 20150229478.
  Submission claims coverage of pqNTRUSign.
- JP 5736816, US 8522033, US 8959355, CN ZL201110145023.8.
  Sony.
  Submission claims coverage of MQDSS.
- US 9912479.
  Submission claims coverage of QC-MDPC.
- US 15/270824, US 62/240182, US 15840121, US 62/435151.
  Submission claims coverage of RLCE, where some of the parameters are broken.
- Australia 2017901941.
  Submission claims coverage of Compact LWE, which is broken.
- Spain P201700779.
  Submission claims coverage of DME, which is broken.
- 15/270,930, 15/816,378.
  Submission claims coverage of WalnutDSA, which is broken.
Plus a few patents that don't seem to cover anything:
- Priority date 2003.11.03: patent US 7499544.
  959-day patent-term adjustment, so expires in 2026.
  Mentioned in the SIKE documentation, but the official statements from the SIKE submitters
  do not claim that this patent covers SIKE.
  The wording of the patent requires decryption to use pairings, which SIKE doesn't do.
- GB 2532242 and US 20150163060.
  Originally claimed to cover NTS-KEM
  but supposedly in the process of being abandoned.