Plans for Post-Quantum Cryptography in GnuPG
Robert J. Hansen
rjh at sixdemonbag.org
Tue Apr 14 07:57:34 CEST 2026
> Since we already *have* RSA, I would expect expanding the supported key
> size to be trivial, but Werner and g10 Code know the GPG code base
> better than I do.
It's not the codebase. It's the support.
Let's say that GnuPG 2.6 comes out with RSA-16k support as a way to
provide realistic PQC signing today.
What happens to all the GnuPG 2.4 installations out there? Or the 2.2?
Or the 2.0? Or the 1.4? (Remember, we still regularly see support
requests for the 1.4 series. Some people really don't want to upgrade.)
"My buddy says he's using an RSA key, he generated it in GnuPG, and my
own version of GnuPG is rejecting it! GnuPG is awful!"
Then, on top of that, we're still stuck carrying around RSA-16k support
into the future for thirty years (because some people have realistic
30-year windows they need their signatures to be good for -- think
financial contracts, mortgages, and whatnot).
All this, in order to do what, exactly? In a year or so we'll have
Dilithium in the LibrePGP spec and then we'll have a proper PQC signing
algorithm. By 2029 it should be in place and ready for users. Then
Werner says, "ladies and gentlemen, commence the migration plans we
emphatically recommended you start preparing for in 2026", and in a few
months everyone who needs PQC signing has it.
Remember, the US Government still says ECC is fine for signatures until
2030.
So when the migration plan is like this, and everyone believes we'll
have Dilithium in GA releases of GnuPG by 2029, then what does this
short-term RSA-16k 'fix' give us except headaches?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20260414/83d715d6/attachment.sig>
More information about the Gnupg-users
mailing list