Home   About Us   News   Contact Us
 
IP Cores, Inc. is an American company. As such, we are subject to the US export regulations - and the US government does regulate the export of encryption products. This page contains a brief explanation of our export licensing situation. It is intended to be used as an introductory material for engineers planning to use our encryption cores. It cannot and should not be used as a substitute for a thorough review of applicable US export laws - check with your company legal department for such a review. If you have no time to read this text, just browse through the first section below.
The export licensing process is well-described on the official US government site http://www.bis.doc.gov/licensing/exportingbasics.htm. Note that not just an American-made IP core, but the foreign-made products based on the core might be subject to the US export licensing.
In a nutshell
  This section contains a brief summary of a longer discussion below. For our encryption cores (except DES1-NLR), unless your circumstances are special (say, you work for a government - other than the US government, naturally - not industry):
 
  • A subsidiary of a US company in most countries does not need an export license
  • A Canadian company does not need an export license
  • A company from the European Union does not need an export license
  • A company based in Australia, Hong Kong, Iceland, India, Indonesia, Israel, Japan, Malaysia, Mexico, New Zealand, Norway, Philippines, Singapore, South Africa, South Korea, Switzerland, Taiwan, Thailand, or Turkey does not need a license
  • Companies from other countries do need the export license, so a 30-day review by the US government is inevitable. Since there are no fees associated with the license, we can easily apply for an export license early in the process of engagement. There is a good chance that the legal department at your company works slower than the US government, thus the license is typically issued by the time the contract is ready for signatures.
  • It is most likely that your product, manufactured with the use of our core, will not require a US license due to the use of our core
  For our FFT cores, unless your circumstances are special, if your country is part of a huge "Country Group  B", you do not need a license. Notable exceptions are Chinese and Russian companies (as these countries are not part of the list).

Single-DES core DES1-NLR does not require a license for export to almost any country.

We are not aware of any export licensing requirements for our other cores.

Information about us and our cores
 
The information in this section (coupled with the pricing information) is sufficient for an export licensing professional to determine if an export or re-export license is required for the core.

Our  AES-based security cores:
  • Are classified as 5E002
  • Country restrictions are NS1 and AT1
  • We have been granted permission for export to the "EU+" countries (EU and Australia, Japan, New Zealand, Norway, and Switzerland)
  • We have been allowed to export our encryption cores to the following additional countries: Hong Kong, India, Indonesia, Israel, Malaysia, Mexico, Philippines, Singapore, South Africa, Taiwan, Thailand, and Turkey.
  • Our permits for countries listed above contain language that allows the application of the de minimis rule to the final products: "PRODUCTS MANUFACTURED USING THE TECHNOLOGY AUTHORIZED UNDER THIS LICENSE ARE SUBJECT TO THE EXPORT ADMINISTRATION REGULATIONS (EAR) IF THEY CONTAIN GREATER THAN THE DE MINIMIS LEVEL OF CONTROLLED COMPONENTS"

DES1-NLR core is classified as 5E992. Other DES-based cores are 5E002.

Our FFT cores:

  • Are classified as 3A001.12.a
  • Country restrictions are NS2 and AT1
  • Subject to license exemption GBS
Additional information for some of our US customers: We are a California corporation and are wholly US-owned. All our employees are US citizens.
Checking the countries
  For security cores, look at your country row and columns NS1 and AT1 in the Country Chart https://www.bis.doc.gov/index.php/forms-documents/doc_download/14-commerce-country-chart; see if the country is subject to one of these restrictions. If both columns are clear, license is generally not required. Unless you are located in Canada, don't actually bother to look into this file - only Canada currently has both NS1 and AT1 columns clear.

For FFT cores, look at columns NS2 and AT1. The FFT cores currently can be shipped license-free to Australia, Austria, Belgium, Bulgaria, Canada, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland, Ireland, Italy, Japan, South Korea, Latvia, Lithuania, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,  Turkey, United Kingdom.

Checking the exemptions
  Exemptions relax the restrictions from the Country Chart. Brief description of exemption ENC can be found in http://www.bis.doc.gov/index.php/forms-documents/doc_download/98-license-exception-enc - the particular ones applicable to our IP cores are listed below. If one of these applies, you do not need a license (see the "bad guys" lists below, though).

740.17(a)(1) permits export of security IP cores to non-government users in "Supplement 3" (to Part 740, a.k.a. "EU+") countries (EU and Australia, Canada, Japan, New Zealand, Norway, Switzerland, and Turkey). 

740.17(a)(2) permits export  of security IP cores to subsidiaries of US companies located practically anywhere. 

740.17(b)(2) permits export of security cores to to (i) government users in the Supplement 3 countries, (ii) non-government users in most countries with 30-day wait period (exceptions are the so called D:1 countries, notably China and Russia). In the case of the wait period he exporter (IP Cores) should have previously filed an exemption review for particular core with BIS per http://www.bis.doc.gov/Encryption/enc.htm (please check with us); all export using §740.17(a) is subject to "encryption registration" and semi-annual reporting (also by IP Cores), see details..

GBS (§740.4) for FFT cores permits export to Country List B (too large to be quoted here). This exemption most likely covers your country; notable exceptions include China and Russia. All export using GBS is subject to semi-annual reporting by IP Cores.

Checking the additional countries
  We have been granted a permission to export our encryption cores to the non-government end-users in the following additional countries: Argentina, Brazil, Chile, Hong Kong, India, Indonesia, Israel, Malaysia, Mexico, Philippines,  Singapore, South Africa,South Korea, Taiwan, Thailand.

Checking against bad guy lists
  To use an exemption, the company should not be in one of the four lists of bad guys maintained by the US government agencies; the list of lists is in the section "Who will receive your item?" of http://www.bis.doc.gov/licensing/exportingbasics.htm. Getting onto these lists requires a solid determination to upset the US government, so there is a 99.999% probability that your company is not there  (we know of no major companies on the lists that are based in the countries we can export to without obtaining a license). 

If you need a license
  Don't be discouraged - in most cases, getting a license is neither a long nor a hard process - and it is completely free of charges! We can file the "Multipurpose Application" for export online with SNAP-R, if you provide us with sufficient data, and the relevant US agencies are required to produce a response within 30 days. See these instructions for the actual details; note that most of the information comes from us, look for words "end-user", "purchaser" and "consignee". In particular, we will need:
 
  • Your Name, Address, City, Country, Postal Code, Telephone or FAX
  • End User's Name, Address, City, Country, Postal Code, Telephone or FAX (if you are not the end-user)
  • Specific End-Use (complete and detailed description of the use intended). A good example of a description for an ASIC core: "The (insert our core name here) core will be embedded in an (insert your product name here) chip compliant with the (insert the standard you are following here) specifications. The users of the (insert your product name here) chip will not have direct access to the cryptographic algorithms, except as defined by the( insert the standard you are following here) specifications."
 
We are sometimes required by the US Department of Commerce as a condition for the license to obtain from you a so called "letter of assurance" that simply states that your company is aware of the US export regulations affecting our cores and will comply with these regulations. Alternatively (very rare event, never happened to us so far), we may be required to ask the "ultimate consignee" (your company) to sign the form BIS-711, which pretty much states that you are going to do with the product precisely what you told us you will do, or (if you are really unlucky) to provide the "End-User Certificate", which is essentially a promise from you / your government to the US government not to re-export the items.

Does your product need a license?
  Your product incorporating our core might be subject to US export licensing as well. This is called "re-export" and is covered by a complex set of rules summarized in http://www.bis.doc.gov/Licensing/ReExportGuidance.htm.

Note that the terms of our licenses typically permit the application of the "de minimis" rule to your product. De minimis rule is defined in EAR 734.4 and 736.2(b)(2) and essentially states that as long as the "controlled" items percentage (by price) is below a certain threshold in your product (typically 25%), the item you make is not subject to the US export regulations. Some EAR details translated into plain English can be found in
http://www.bis.doc.gov/seminarsandtraining/webinars/reexport-slides.pdf.

If your final product is a chip, you might also qualify for the 740.17(b)(2) or, for consumer ("mass market") applications, 740.17(b)(3) exemptions. Note that in order to qualify for these exemptions, you will need to submit your product for "review", as described in http://www.bis.doc.gov/Encryption/ MassMarket_Keys64bitsNUp.html. You can start exporting products to non-government users 30 days after the review request is "registered" with BIS, unless notified otherwise. For mass market products, you can start exporting in 30 days as well.

It is therefore very likely that you will not need a US export license for your product. Your mileage might vary, of course.