Patent license for Kyber?

I’ve got a quick question regarding the integration of Kyber into NSS that was recently done in support of #1826451.

It’s believed that U.S. patents no. 9094189 and 9246675 may apply to Kyber.

Of course, this should not be a problem, because NIST claims that it secured a license to allow anyone to use these patents for the purpose of implementing Kyber, for no charge.

However, it seems that no-one has ever actually seen this license. Due to this, Cisco has preliminarily considered Kyber unusable; they are by no means alone in their hesitation.

Therefore I ask: What is Mozilla’s position on these patents?

  • Does Mozilla hold that those patents are invalid, or otherwise inapplicable to Kyber?

  • Does Mozilla simply take NIST’s bizarre, cagey press release at face value?

  • Does Mozilla hold some other stance?

  • Has Mozilla not considered the issue at all yet?

Thanks for any responses.

I reached out to the committer privately by e-mail with this question over a month ago, but haven’t heard back, which is why I’m asking publicly now.

I just tested it and confirmed that, despite the fact that this wasn’t listed in the release notes, support for Kyber was included with Firefox Release 123.0 on Tuesday, though it’s gated behind a default-disabled security.tls.enable_kyber flag.

(It seems it has not yet been included in Firefox ESR 115.8.0, which is the latest ESR as of Feb 27, 2024.)