[Crypto] Why is the market for cryptographic primitives non-commercialized?

Solution 1:

Are there more examples?

About the only other example I can think of is Cryptography Research Inc (now owned by Rambus); however what they sell is methods of implementing primitives (in ways that are resistant to side channel attacks); however those operate just like the standard primitives, so that might not count.

Why do people, scientists not try to commercialize their achievements, despite the fact that they could do so, especially under patent protection?

They could certainly try; however they are quite unlikely to succeed. A large part of the crypto community is quite allergic to anything patented (unless that patent has been released for all uses); unless what they have is considerably better than the alternatives, it'll not be used at all (and so the patent fees will be for nothing).

I know that a patent can make it difficult to adopt technology in this market.

Think: close to near impossible. Consider the case of OCB; it might be a bit better than the competing competitors as a way to do authenticated encryption (e.g. GCM); however GCM was patent free and OCB was not, no one uses OCB.

Yes, if someone did have (say) a practical FHE method (say, with homomorphic multiplication only 1,000 times slower than an unencrypted multiplication), you could make a mint (because there is nothing else able to come close to that); however this side of such a radical improvement, people will look for unencumbered alternatives (and be able to find them).

And, while we're on the subject: I believe Certicom's patenting (and aggressive threats of lawsuits) on some implementation methods for ECC (they certainly did not own the concept of ECC) slowed down the adoption of ECC by several years; certainly, the company I was with refused to touch it until the patent scenario was resolved. Yes, Certicom did make some money; however I don't believe this was a net plus for the crypto community...

Solution 2:

Offering a crypto technology for free is the easiest, and certainly one of the reasons that's done. Alternatives are:

  1. Keeping it secret.
  2. Patenting it and selling licenses.

An example of 1 is the Clifford Christopher Cocks cryptosystem, which is precisely RSA with $e=N$, and remained unpublished for 24 years. The technology is not widely used until it is rediscovered or leaks, because it's not known. Attempting to use the crypto technology without publishing it has multiple technical drawbacks (see comments), and I fail to exhibit a case where that allowed the inventors to make much money.

In 2, if the patent is valid and useful but can be circumvented, people will do that and not use the patented technique. An example is the Schnorr signature patent, which DSA circumvented.

Reasons why 2 is uncommon include:

  • Patenting takes effort, time, and money (especially after the first year when the inventor/owner must translate and file the patent in each territory they want protection in).
  • More often than not, patents turn out to be invalid due to prior art, or actually cover a narrow improvement of prior art that is not essential, allowing circumvention of the patent, negating much of its commercial value. Wounded crypto patents however can remain useful as a deterrent against clones or interoperable devices, and as ammunition in a larger patent war.
  • In USA, but not (most at least) other parts of the world, there is one year to patent one's invention after disclosing it, e.g. in a crypto conference. This has limited the geographic scope of some crypto patents to USA. An example is the RSA patent.
  • It's often hard to identify products that use a crypto technique, because crypto specs often are secret. This complicates commercial exploitation of crypto patents.
  • In many countries, abstract math techniques can't be patented. To oversimplify, hardware implementing them can, not software. The line is thin, and further complicates commercial exploitation of crypto patents.
  • Crypto technology often is implemented/used in software, and combined with the above that fragments the market to a point where it becomes economically difficult to make money out of patent licensing.

I think Cryptography Research / Rambus was successful at licensing anti-DPA techniques because they end up used in hardware and by very few economic actors, like Smart Card manufacturers.

Solution 3:

It is worth mentioning that people do try to patent some cryptographic primitives, with certain upsides/downsides for adoption. For example, in the ongoing NIST PQC standardization, the Round5 protocol did not offer a royalty-free license for its use. While this was not the only reason it failed to advance to the third round, it is explicitly mentioned as a contributing reason (see page 17).

Perhaps a bigger potential patent WRT the NIST PQC competition is one summarized by Bernstein here. I can't attempt to summarize this --- I am not a patent lawyer, and have seen many (also not patent lawyers --- although perhaps one person posted some message saying they had a patent background) people dispute Bernstein's perspective. Regardless of the impact on the competition, the existence of a patent that may be applicable has sparked much debate/worry (I've even heard it may have killed Google's experiment with the NewHope cryptosystem in Chrome, but don't know anything concrete).