GnuPG meets the standard of care set by Signal (Re: Betamax v. VHS, and the future of PQ-PGP)

Robert J. Hansen rjh at sixdemonbag.org
Fri Jan 3 23:13:50 CET 2025


>> Breaking RSA-4096 via Shor's algorithm is straight out of science 
>> fiction.
> 
> No, *this* is science fiction:

I stand by my statement. RSA-4096 via Shor's requires science fiction 
level technology advances.

> Signal is acting ethically and responsibly:  They have had hybrid-PQC 
> fully deployed to all Signal users for more than a year!  You literally 
> believe a non-fact-based argument.  Please live up to your stated hope:

There are several responses here:

1. I wasn't aware Signal was transitioning to PQC: thank you for that.

2. Do me the courtesy of taking my argument seriously, please, as I am 
with you.

A serious response would have been, "Signal is actually transitioning to 
PQC, so that's a nonissue. But do I believe SSL.com is acting 
unethically and irresponsibly by selling S/MIME encryption and signing 
certificates that aren't PQC? Yes. I believe the same about NaCl and 
Sodium, since they're not yet deploying PQC. I believe the same about 
projects that rely on NaCl or Sodium to provide cryptographic 
primitives. It's a long list. I believe they're acting unethically and 
irresponsibly."

Building the strongest possible version of someone else's argument and 
engaging with that -- as I am attempting to do with you -- is called 
"steelmanning", and is seen as a courtesy among serious people.

> The foregoing timeline comparison MUST NOT be taken as a criticism of GnuPG.

On the one hand, thank you for being clear you're not criticizing GnuPG. 
On the other, my experience on this list has shown me people interested 
in criticizing GnuPG will not be dissuaded by such imperatives.

> The same above-linked Signal blog post has a well-balanced view of if or 
> when quantum computers will break ECC/RSA; I agree with this quote:

I don't doubt your sincerity. I do doubt your understanding. See next 
response.

>> to be around the 5 to 10 year time horizon.  We are not in a position 
>> to judge which timeline is most likely, but we do see a real and 
>> growing risk which means we need to take steps today to address the 
>> future possibility of a large enough quantum computer being created.

Signal is only saying their risk model requires them to take steps to 
address a future possibility.

GnuPG *has no risk model*. GnuPG provides a toolbox by which to 
implement the LibrePGP and RFC4880 standards. Which of those tools are 
ultimately utilized depends on each user's particular threat model. 
GnuPG imposes a truly minimalist set of policies (like not supporting 
RSA past 4kbit). Beyond that, GnuPG is utterly silent on how users 
should employ the provided tools. The defaults are sane: that's all the 
policy we promise.

Sort of like NaCl and Sodium, come to think of it.

> It should be the minimum standard of care.  At this late date, as we 
> enter 2025, all else is crypto-negligence.  Thus, I thank you for 
> invoking an appeal to authority with Signal as your argument—

That wasn't an appeal to authority. It was pointing out the logical 
consequence of your argument: there exist a *vast number* of 
communications security projects that are improving the lives of 
millions worldwide, and for you to write them all off as unethical just 
because they're not using CRYSTALS-Kyber is childish.

Steelman the argument. Engage the strongest version of what someone says.

Or don't.  Up to you.

> Please do not misdirect.  My message clearly pertained only to 
> encryption.

That was not how I read it. If you're now clarifying that you only mean 
asymmetric encryption and/or key negotiation, I'm happy to stipulate I 
misread.  Accusing me of misdirection is just rude.

Please note I've accused you of nothing except holding foolish positions.

> We all know the difference between encryption and digital 
> signatures.

Really? What is it?

I'm not kidding. Every asymmetric encryption algorithm I'm aware of is 
convertible to a digital signature algorithm. Encrypt using an RSA 
public key and you encrypt; encrypt with a private key and you sign. 
Look at discrete logs one way and you get Elgamal encryption and/or 
Diffie-Hellman; look at them another and you get Elgamal signatures; add 
arbitrary constraints and you get the Digital Signature Algorithm. Shake 
a bag of CRYSTALS and out falls Kyber; keep shaking and out falls Dilithium.

You appear to be saying the obverse and reverse of a coin are 
fundamentally different things.  I'm saying the coin has two faces.

If you can show an asymmetric algorithm that's not convertible, I'd love 
to hear about it. No kidding, no sarcasm.

>> This could only be true if everyone holds to a threat model in which 
>> their data being collected by the MDR and potentially decrypted by a 
>> First World nation-state actor is a risk that needs mitigation.  Most 
>> of us do not.
> 
> The entire concept of dragnet mass-surveillance is that this is 
> *everyone’s* threat model.

Bullshit it is.

A couple of years ago I was at the Internet Freedom Festival in 
Valencia, Spain. I was in the break room when this massive bear of a 
Middle Eastern guy came up and asked in broken English if I was Rob from 
Enigmail. I said I was.

This guy wrapped me in a hug that almost broke my ribs, lifted me off 
the ground, and thanked me for saving his life. I'm a large guy and this 
bear of a man was heaving me around like a sack of flour.

He was a Syrian dissident and journalist who had used Enigmail to 
communicate securely with local Syrian sources and Western media 
contacts. al-Assad's regime threw him in jail. They worked him over but 
he didn't identify his contacts or decrypt his messages for the secret 
police, and a couple of weeks later international pressure led to his 
release. He left Syria for safety in Turkey. He bought me a beer and 
thanked me for my work with GnuPG and Enigmail, because we kept his 
contacts alive.

(Me, I think this guy who spent *two weeks being tortured in a Syrian 
prison* is the real hero. But he was being very fulsome in sharing the 
credit.)

My friend Ali Gharavi is a human rights volunteer who specializes in 
training people in how to communicate securely in hostile regimes. While 
visiting Turkey on an Amnesty International-funded trip to meet and 
train people from repressive Middle Eastern regimes, Tayyip Erdogan 
ordered him arrested on trumped-up charges. Ali was terrified his arrest 
would directly lead to compromised comms and Erdogan trading the names 
of dissidents for political favors from their home countries. That 
didn't come to pass, and after months of detention Ali got to go home.

( https://hivos.org/istanbul-10-released-hivos-very-relieved/ -- Ali is 
third from the left in the photo at the top. I do not know a kinder, 
more thoughtful gentleman.)

These are two people I know, whom I've shared meals with, whom I've had 
tea with, for whom some enormous classified data repo in Utah was an 
extremely remote concern compared to their friends falling into the 
hands of an autocrat. Are you really telling me that they're wrong to 
say "nah, you know, RSA-3072 is fine for our purposes, but for God's 
sake, Rob, you have got to do *something* about Enigmail's usability in 
Farsi and Pashto"?

Don't get me wrong. I'm entirely in favor of PQC and preparing for a 
transition. But you are revealing yourself to be a deeply unserious 
person, fond of making sweeping pronouncements without understanding of 
nuance.

So far you have asserted:

1. Everyone needs to migrate to Kyber *now*.  (No, we don't.)

2. There is a format war brewing between PGP specs.  (There is not.)

3. It is imperative GnuPG win this format war. (Vacuously true by false 
premise.)

4. It is universally unethical to deploy encryption solutions or 
services that don't employ PQC, even if those solutions are vast 
improvements over plaintext. (No, it is not.)

5. Massive data repositories and dragnet surveillance by First World 
nation-states is part of everyone's threat model. (It is not.)

After five claims, some of which were truly ludicrous, I'm done taking 
you seriously.
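The encrypt/sign duality described above ("encrypt with a public key and you encrypt; encrypt with a private key and you sign"), as an added example that is not part of the original post: textbook RSA on constructed toy parameters (p=61, q=53, e=17), showing one modular-exponentiation primitive serving both roles depending on which key is applied.

```python
# Added example (not from the post): textbook RSA on constructed toy
# parameters, showing that a single primitive, modular exponentiation,
# yields both encryption and signing depending on which key is applied.
from math import gcd

def make_keypair(p, q, e):
    """Return ((e, n), (d, n)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(key, m):
    """The one RSA primitive: m^exp mod n. Which key is passed decides
    whether the caller is encrypting, decrypting, signing or verifying."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message representative out of range")
    return pow(m, exp, n)

# Encryption: apply the public key, undo with the private key.
def encrypt(pub, m):  return rsa_apply(pub, m)
def decrypt(priv, c): return rsa_apply(priv, c)

# Signing: apply the private key ("encrypt with the private key"); anyone
# holding the public key undoes it and compares with the message.
def sign(priv, m):       return rsa_apply(priv, m)
def verify(pub, m, sig): return rsa_apply(pub, sig) == m

def demo():
    """Run both directions on the constructed toy parameters p=61, q=53, e=17."""
    pub, priv = make_keypair(61, 53, 17)    # n = 3233, d = 2753
    m = 65                                  # constructed message value
    c = encrypt(pub, m)
    sig = sign(priv, m)
    return {
        "ciphertext": c,
        "decrypted": decrypt(priv, c),
        "signature": sig,
        "verifies": verify(pub, m, sig),
        "forgery_rejected": not verify(pub, m + 1, sig),
        "tamper_rejected": not verify(pub, m, (sig + 1) % pub[1]),
    }

if __name__ == "__main__":
    print(demo())
```

Deployed RSA wraps this primitive differently per role (OAEP padding for encryption; hash-then-sign with PSS or PKCS#1 v1.5 padding for signatures), so the toy shows the shared primitive, not a drop-in for either protocol.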
