Specification for Kyber in GnuPG (was: Very first Beta of GnuPG 2.6 available)

Werner Koch wk at gnupg.org
Thu May 2 08:42:44 CEST 2024


Hi!

Please find attached a diff towards the LibrePGP specification which
describes the new KEM algorithms used for quantum-resistant encryption.
Before a new draft is published some minor things need to be fixed but
it should nevertheless allow implementing the same thing as we did in
GnuPG master.  The SHOULD and MAYs in the table of ECC-KEM and ML-KEM
are up for discussion.  In particular whether a 256 bit or a 384 bit
curve should go with ML-KEM-768.

Note that in GnuPG we use the term "Kyber" instead of "ML-KEM" because
that is easier to remember.  The abbreviation is ky768 or ky1024
followed by the ECC curve name with Brainpool curves abbreviated as
bp256 etc.  For example ky1024_cv448 stands for the composite of
ML-KEM-1024 with X448.

A description on how to add Kyber support to an existing OpenPGP
implementation will follow.  As long as the crypto primitives are
available adding that support is straightforward because existing parser
code may partly be re-used and all variants are covered by just one
algorithm id.

Support for quantum-resistant signature schemes is not yet available
and far less urgent than encryption: The goal is to protect encrypted
data at rest (or being wiretapped).  Also new signature schemes need
more real world experience before they can be taken into use.

The migration plan to quantum-resistant encryption is to add new Kyber
subkeys so that implementations with support for them can start to use
them.  If at some point in the future a wide deployment has been
achieved, the new gpg option --require-pqc-encryption can be used to
force encryption with a quantum-resistant algorithm (i.e. Kyber).

Many thanks to Stavros Kousidis, Falko Strenzke, and Aron Wussler for
their draft on adding PQC to OpenPGP.  The algorithms used by LibrePGP
are the same except for the fixed info.  I took the freedom to remove
the rationale parts which are not helpful for an implementer and was
thus able to make the description more concise.



Shalom-Salam,

   Werner


-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Describe-the-KEM-algorithms.patch
Type: text/x-diff
Size: 11877 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-devel/attachments/20240502/6d111fb2/attachment-0001.patch>