Plans for Post-Quantum Cryptography in GnuPG

Jacob Bachmeyer jcb62281 at gmail.com
Tue Apr 14 06:13:10 CEST 2026


On 4/13/26 03:13, Robert J. Hansen wrote:
>> This is a serious problem:  recent developments suggest that 256-bit 
>> EC cryptosystems might not last much longer
>
> "Might" and "much not" are vague things. Better to say something 
> concrete, like "the US government has informed its suppliers and 
> contractors they must use PQC signatures for firmware and software 
> starting in 2030. Communications can be secured via ECC until 2033."
>
> We have between four and seven years to transition. Let's talk calmly 
> about our smooth, responsible migrations, not scare people into doing 
> it quickly with vague talk about how ECC might not be around much longer.
>
> Smooth is slow. Slow is fast.

Agreed.

>> and here we find that PQC signature algorithms are not ready yet.
>
> NIST FIPS 204 specifying CRYSTALS was published in 2024, so *a* 
> specification exists: but as with all specs, the first release had 
> errors. NIST is tracking these errors in a publicly viewable 
> spreadsheet. They're emphatic that "[p]otential corrections DO NOT 
> introduce new technical requirements", but it's pretty clear that soon 
> a new draft of FIPS 204 will be released incorporating these errata.
>
> All the correct information exists: it's just not yet all in one 
> master document.

This is good news, at least.

>> Perhaps we should just bite the proverbial bullet and roll out 
>> RSA-16384 signatures as an interim measure? Possibly as a 
>> RSA-16384/PQC hybrid cryptosystem?
>
> Hard no. This is a terrible idea. You can have Werner and g10 Code 
> working on implementing FIPS 204, or you can have them working on 
> this. Delaying Dilithium to get this out as a six-month stopgap which 
> we'd then have to support for 30 years is unwise.

Since we already *have* RSA, I would expect expanding the supported key 
size to be trivial, but Werner and g10 Code know the GPG code base 
better than I do.


-- Jacob



