Post-quantum defaults
Werner Koch
wk at gnupg.org
Mon Apr 27 09:17:11 CEST 2026
On Sun, 26 Apr 2026 20:40, Johan Wevers said:
> the classical asymmetric algorithms and already some flaws have been
> found I would prefer not to do that, but use 2 algorithms, 1 quantum
> resistant and 1 classical, combined.
That is what we actually implemented. The concrete format is based on a
paper and project by the BSI. The important part from the paper and
prototype project is the key-combiner algorithm. What we changed in
LibrePGP was to replace the way the PGP algorithm ids are assigned to
match how this has always been handled in PGP. The LibrePGP spec is also
easier to read for an implementer as it drops all unneeded theoretical
descriptions.
Salam-Shalom,
Werner
p.s.
KEM Key Combiner
For the composite KEM schemes the following procedure MUST be used to
compute the KEK that wraps a session key. The construction is a one-
step key derivation function compliant to [SP800-56C] Section 4,
based on KMAC256 [SP800-185] and approved by [SP800-227]
Section 4.6.2. It is given by the following algorithm:
multiKeyCombine(eccKeyShare, eccCipherText,
                mlkemKeyShare, mlkemCipherText,
                fixedInfo, oBits)
Input:
eccKeyShare - the ECC key share encoded as an octet string
eccCipherText - the ECC ciphertext encoded as an octet string
mlkemKeyShare - the ML-KEM key share encoded as an octet string
mlkemCipherText - the ML-KEM ciphertext encoded as an octet string
fixedInfo - the fixed information octet string (see below)
oBits - the size of the output keying material in bits
Constants:
domSeparation - the UTF-8 encoding of the string
"OpenPGPCompositeKeyDerivationFunction"
counter - the four-octet big-endian value 0x00000001
customizationString - the UTF-8 encoding of the string "KDF"
eccData = eccKeyShare || eccCipherText
mlkemData = mlkemKeyShare || mlkemCipherText
encData = counter || eccData || mlkemData || fixedInfo
result = KMAC256 (domSeparation, encData, oBits, customizationString)
The fixedInfo is used to provide a binding between the KEK and the
communication parties. It is the concatenation of
* A one octet algorithm ID describing the symmetric algorithm used
  for the bulk data in the SEIPD (packet 18) or the OCBED
  (packet 20).
* The 32 octet version 5 fingerprint of the public key. Note that
the fingerprint covers the packet format and all other parameters
of the public key.
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
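The combiner from the p.s. worked through in code, as an added example that is neither LibrePGP's text nor GnuPG's implementation: a pure-Python KMAC256 (Keccak-f[1600] and cSHAKE256 written out, so nothing beyond the standard library is needed) driving multiKeyCombine with the fixedInfo layout above. The key shares, ciphertexts and the fingerprint are constructed placeholder bytes, not real ECC or ML-KEM outputs, and 9 is AES-256's id in OpenPGP's symmetric-algorithm registry.

```python
RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000, 0x000000000000808B,
      0x0000000080000001, 0x8000000080008081, 0x8000000000008009, 0x000000000000008A, 0x0000000000000088,
      0x0000000080008009, 0x000000008000000A, 0x000000008000808B, 0x800000000000008B, 0x8000000000008089,
      0x8000000000008003, 0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
      0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]  # iota constants
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]          # rho rotation offsets, ROT[x][y]
rol = lambda v, n: ((v << n) | (v >> (64 - n))) & ((1 << 64) - 1)
def keccak_f1600(a):  # Keccak-f[1600]: 25 lanes of 64 bits, lane (x, y) lives at index x + 5*y
    for rc in RC:
        c = [a[x] ^ a[x+5] ^ a[x+10] ^ a[x+15] ^ a[x+20] for x in range(5)]   # theta
        d = [c[(x-1) % 5] ^ rol(c[(x+1) % 5], 1) for x in range(5)]
        a = [a[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25
        for x in range(5):                                                    # rho + pi
            for y in range(5):
                b[y + 5*((2*x + 3*y) % 5)] = rol(a[x + 5*y], ROT[x][y])
        a = [b[i] ^ (~b[(i+1) % 5 + 5*(i//5)] & b[(i+2) % 5 + 5*(i//5)]) for i in range(25)]  # chi
        a[0] ^= rc                                                            # iota
    return a
def sponge(msg, dom, out_len, rate=136):  # Keccak[c=512]; dom byte: 0x06 SHA3, 0x1F SHAKE, 0x04 cSHAKE
    buf = bytearray(msg + bytes([dom]) + b"\x00" * (-(len(msg) + 1) % rate))
    buf[-1] |= 0x80                                     # pad10*1
    st = [0] * 25
    for off in range(0, len(buf), rate):                # absorb, lanes are little-endian
        for i in range(rate // 8):
            st[i] ^= int.from_bytes(buf[off + 8*i:off + 8*i + 8], "little")
        st = keccak_f1600(st)
    out = b""
    while len(out) < out_len:                           # squeeze
        out += b"".join(st[i].to_bytes(8, "little") for i in range(rate // 8))
        st = keccak_f1600(st)
    return out[:out_len]
def enc(n, left=True):  # left_encode / right_encode from SP 800-185 section 2.3.1
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([len(b)]) + b if left else b + bytes([len(b)])
encs = lambda s: enc(8 * len(s)) + s                                          # encode_string
bytepad = lambda x, w: enc(w) + x + b"\x00" * (-(len(enc(w)) + len(x)) % w)  # bytepad
def kmac256(key, data, out_len, custom):  # KMAC256(K, X, L, S) = cSHAKE256(newX, L, "KMAC", S)
    new_x = bytepad(encs(key), 136) + data + enc(8 * out_len, left=False)
    return sponge(bytepad(encs(b"KMAC") + encs(custom), 136) + new_x, 0x04, out_len)
def fixed_info(sym_algo_id, v5_fingerprint):  # one-octet symmetric algo id || 32-octet v5 fingerprint
    if len(v5_fingerprint) != 32: raise ValueError("v5 fingerprint must be 32 octets")
    return bytes([sym_algo_id]) + v5_fingerprint
def multi_key_combine(ecc_ks, ecc_ct, mlkem_ks, mlkem_ct, fixed_info, o_bits):
    enc_data = (1).to_bytes(4, "big") + ecc_ks + ecc_ct + mlkem_ks + mlkem_ct + fixed_info  # counter || ...
    return kmac256(b"OpenPGPCompositeKeyDerivationFunction", enc_data, o_bits // 8, b"KDF")
# Constructed stand-in bytes (not real ECC / ML-KEM values); 9 = AES-256 in OpenPGP, 256-bit KEK
KEK = multi_key_combine(bytes(32), bytes(range(32)), b"\x11" * 32, b"\x22" * 1088,
                        fixed_info(9, b"\xAA" * 32), 256)
```

Before trusting the output, check the Keccak core against the standard library: sponge(b"abc", 0x06, 32) must equal hashlib.sha3_256(b"abc").digest() and sponge(b"", 0x1F, 200) must equal hashlib.shake_256(b"").digest(200).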