Plans for Post-Quantum Cryptography in GnuPG
Werner Koch
wk at gnupg.org
Mon Apr 13 11:20:19 CEST 2026
On Sun, 12 Apr 2026 22:37, Robert J. Hansen said:
> IMO, the necessary algorithms for PQC signing/certifying are not yet
> ready for primetime. Dilithium is obviously the biggest component of a
Right. Experience from 30 years showed that deploying a stable and
secure signing system is much more challenging than an encryption
system. Given that the claimed threat is store-now-maybe-decrypt-later
the deployment of signatures is not yet not needed.
Further, a new signing algorithm must we widely deployed before it can
be used. The migration path for encryption is much easier: Add a Kyber
Subkey and implementations supporting this will encrypt using Kyber.
That is actually how we migrated to cv25519.
Shalom-Salam,
Werner
#include <standard.pqc.disclamer.h>
/* https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf
* https://media.gnupg.org/misc/Peter_Gutmann-Why_Quantum_Cryptanalysis_is_Bollocks-2025-11.mp4 */
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openpgp-digital-signature.asc
Type: application/pgp-signature
Size: 284 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20260413/41c06d62/attachment.sig>
More information about the Gnupg-users
mailing list