Plans for Post-Quantum Cryptography in GnuPG

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 13 10:13:51 CEST 2026 

> This is a serious problem:  recent developments suggest that 256-bit EC 
> cryptosystems might not last much longer

"Might" and "much not" are vague things. Better to say something 
concrete, like "the US government has informed its suppliers and 
contractors they must use PQC signatures for firmware and software 
starting in 2030. Communications can be secured via ECC until 2033."

We have between four and seven years to transition. Let's talk calmly 
about our smooth, responsible migrations, not scare people into doing it 
quickly with vague talk about how ECC might not be around much longer.

Smooth is slow. Slow is fast.

> and here we find that PQC signature algorithms are not ready yet.

NIST FIPS 204 specifying CRYSTALS was published in 2024, so *a* 
specification exists: but as with all specs, the first release had 
errors. NIST is tracking these errors in a publicly viewable 
spreadsheet. They're emphatic that "[p]otential corrections DO NOT 
introduce new technical requirements", but it's pretty clear that soon a 
new draft of FIPS 204 will be released incorporating this errata.

All the correct information exists: it's just not yet all in one master 
document.

> Perhaps we should just bite the proverbial bullet and roll out RSA-16384 
> signatures as an interim measure?  Possibly as a RSA-16384/PQC hybrid 
> cryptosystem?

Hard no. This is a terrible idea. You can have Werner and g10 Code 
working on implementing FIPS 204, or you can have them working on this. 
Delaying Dilithium to get this out as a six-month stopgap which we'd 
then have to support for 30 years is unwise.

> Would a better approach be to generalize hybrid signature systems, 
> allowing users to specify combinations when generating keys?  For a 
> valid signature under such a key, *all* (per-algorithm) sub-signatures 
> must be valid.

No.

The advice in the GnuPG FAQ still holds true, even today: "unless you 
know what you're doing and why you're doing it, stick with the defaults."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20260413/e56e1513/attachment-0001.sig>

More information about the Gnupg-users mailing list