Specification for Kyber in GnuPG

Werner Koch wk at gnupg.org
Thu May 2 20:10:34 CEST 2024


On Thu,  2 May 2024 14:27, Andrew Gallagher said:

> This is an enormous set of initial combinations, not all of which make
> any sense. Why suggest pairing P-256 curves with kyber1024? Do we need

I already mentioned that this list is up for discussion.  Well, except
for the SHOULDs which at least need to stay in the list.  There are no
MUSTs here because PQC algorithms are not mandatory and needed for all
applications.  Instead implementations should decide what to do.

> all three grades of brainpool and NIST? The four SHOULDs and the
> corresponding two NIST equivalents are plenty.

The Brainpool curves are needed and not subject to discussion.  Adding
different codepoints for the same algorithm (ECC-KEM + ML-KEM aka Kyber)
is a major implementation hassle and diverts from existing OpenPGP
protocol behaviour.  There is one code point for RSA, one for DSA, one
for Elgamal, one for ECDH, one for ECDSA, one for EdDSA, and now one for
Kyber.  They all have different parameters: either length of parameters
or an OID for the curve parameters (which are too large to include in
all keys).   Thus it is natural to do the same for Kyber.

After all we are not TLS with its hundreds of codepoints for algorithms.
Adding more codepoints to TLS is also the natural way - for TLS.

> Once again I’ll beg you to please implement the Kousidis, Strenzke and
> Wussler spec instead of making trivial changes to their assigned

The changes might sound trivial but I explained them above.  They come
from an implementer with a specific and practical knowledge of OpenPGP
protocol needs.  The actual algorithm and cryptography has not changed
because that is not my specific knowledge.  That is how OpenPGP has
always been extended - let the crypto folks do the math and the coders
the implementation.

> numbers in order to start a pointless and exhausting fight with the
> IETF WG over ownership of the registry. If we need to allocate four

We can't wait another 9 years for a simple crypto enhancement.  We need
a new identifier NOW and need to get it used.  After a discussion with
the BSI we will temporarily add a notification to Kyber keys created
according to the current ML-KEM draft.  Just in case the NIST decides to
do some final changes we can then detect keys created according to the
current draft and sort them out.


Salam-Shalom,

   Werner

-- 
The pioneers of a warless world are the youth that
refuse military service.             - A. Einstein