Plans for Post-Quantum Cryptography in GnuPG

Jacob Bachmeyer jcb62281 at gmail.com
Mon Apr 13 05:36:44 CEST 2026


On 4/12/26 21:37, Robert J. Hansen via Gnupg-users wrote:
>> I would like to know if there are any plans for GnuPG to support
>> post-quantum cryptography schemes, specifically ML-KEM (Kyber) and
>> ML-DSA (Dilithium) as these will be crucial in cryptography that is
>> resistant to quantum computer attacks (a fast-growing threat).
>
> Kyber is already present in the latest 2.5 series, which is (despite 
> its developmental version number) a GA release intended for all users.
>
> There is no support at present for PQC in signing/certifying 
> algorithms, as the demand there seems slightly less. (And before 
> anyone screams "how can it be less?!", this is less in terms of user 
> demand, and your voice is in the minority.)
>
> IMO, the necessary algorithms for PQC signing/certifying are not yet 
> ready for primetime. Dilithium is obviously the biggest component of a 
> signing/certifying system, but there are others, and things are still 
> evolving on the cryptography front. I'm sure that once things 
> stabilize LibrePGP will start supporting it quickly enough.

This is a serious problem:  recent developments suggest that 256-bit EC 
cryptosystems might not last much longer and here we find that PQC 
signature algorithms are not ready yet.

... That leaves RSA, which even at RSA-4096 may be within the reach of 
very large clusters in the near future.

Perhaps we should just bite the proverbial bullet and roll out RSA-16384 
signatures as an interim measure?  Possibly as a RSA-16384/PQC hybrid 
cryptosystem?

Would a better approach be to generalize hybrid signature systems, 
allowing users to specify combinations when generating keys?  For a 
valid signature under such a key, *all* (per-algorithm) sub-signatures 
must be valid.


-- Jacob
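As an added example of the "all sub-signatures must be valid" rule sketched in the last paragraph (example code written for this page, not anything from GnuPG or LibrePGP): a composite key that signs with two independent algorithms and rejects the signature unless every component verifies. It uses only Go's standard library, so RSA-PSS stands in for the large-RSA half and Ed25519 stands in for the second component; a real PQC algorithm and an RSA-16384 key are not used here (RSA-2048 keeps key generation fast). The type names, the `compositeLabel` domain separator and the `Demo` function are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Domain separator prepended to the message before each component signs.
// Assumption of this example: any fixed, scheme-unique label works. It stops a
// component signature over the composite's input from doubling as a plain
// single-algorithm signature over the bare message.
const compositeLabel = "example-composite-v1:rsa-pss-sha256+ed25519\x00"

type HybridPrivateKey struct {
	RSA *rsa.PrivateKey
	Ed  ed25519.PrivateKey
}

type HybridPublicKey struct {
	RSA *rsa.PublicKey
	Ed  ed25519.PublicKey
}

// CompositeSignature carries exactly one sub-signature per component algorithm.
type CompositeSignature struct {
	RSA []byte
	Ed  []byte
}

func GenerateHybridKey(rsaBits int) (*HybridPrivateKey, *HybridPublicKey, error) {
	rk, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, nil, err
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &HybridPrivateKey{RSA: rk, Ed: edPriv},
		&HybridPublicKey{RSA: &rk.PublicKey, Ed: edPub}, nil
}

// toBeSigned binds the message to the composite scheme before signing.
func toBeSigned(msg []byte) []byte {
	return append([]byte(compositeLabel), msg...)
}

func (k *HybridPrivateKey) Sign(msg []byte) (*CompositeSignature, error) {
	tbs := toBeSigned(msg)
	digest := sha256.Sum256(tbs)
	rsaSig, err := rsa.SignPSS(rand.Reader, k.RSA, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &CompositeSignature{RSA: rsaSig, Ed: ed25519.Sign(k.Ed, tbs)}, nil
}

// Verify applies the post's rule: a missing or failing component rejects the
// whole composite signature; there is no "any one is enough" fallback.
func (k *HybridPublicKey) Verify(msg []byte, sig *CompositeSignature) error {
	if sig == nil || len(sig.RSA) == 0 || len(sig.Ed) == 0 {
		return errors.New("composite signature is missing a component")
	}
	tbs := toBeSigned(msg)
	digest := sha256.Sum256(tbs)
	if err := rsa.VerifyPSS(k.RSA, crypto.SHA256, digest[:], sig.RSA, nil); err != nil {
		return fmt.Errorf("rsa component: %w", err)
	}
	if !ed25519.Verify(k.Ed, tbs, sig.Ed) {
		return errors.New("ed25519 component: invalid signature")
	}
	return nil
}

// Demo reports whether an honest signature verifies and whether a tampered RSA
// component, a tampered Ed25519 component and a stripped component are rejected.
func Demo() (ok, badRSA, badEd, stripped bool, err error) {
	priv, pub, err := GenerateHybridKey(2048)
	if err != nil {
		return
	}
	msg := []byte("constructed sample message") // constructed input
	sig, err := priv.Sign(msg)
	if err != nil {
		return
	}
	ok = pub.Verify(msg, sig) == nil

	t := *sig
	t.RSA = append([]byte(nil), sig.RSA...)
	t.RSA[0] ^= 0x01
	badRSA = pub.Verify(msg, &t) != nil

	t = *sig
	t.Ed = append([]byte(nil), sig.Ed...)
	t.Ed[0] ^= 0x01
	badEd = pub.Verify(msg, &t) != nil

	t = *sig
	t.Ed = nil
	stripped = pub.Verify(msg, &t) != nil
	return
}

func main() {
	ok, badRSA, badEd, stripped, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest:", ok, "tampered RSA rejected:", badRSA,
		"tampered Ed25519 rejected:", badEd, "stripped rejected:", stripped)
}
```

The check for a missing component matters as much as the per-component verification: a verifier that silently accepts a signature carrying only the components it happens to find lets an attacker who breaks one algorithm simply drop the other, which defeats the point of the hybrid.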
