PQC public key format specification

andrewg andrewg at andrewg.com
Tue Feb 13 13:49:19 CET 2024


On 2024-02-13 10:20, Werner Koch wrote:
> On Fri,  9 Feb 2024 14:41, andrewg said:
>> all the required ECC parameters in the private key, meaning that ECC
>> decryption (uniquely) is not possible without the public key. The
> Please explain?  You mean the parameters required for ECDH?

Yes. If somebody has their secret key material on a smartcard but has lost their public key (for whatever reason) they cannot decrypt their historic data. The extra parameters (OIDs and KDFs) are stored elsewhere. They could have been stored on the card (plenty of room since ECC keys are smaller than RSA) or they could have been stored in the spec (by defining fixed values) but the practice that emerged was neither. It retained algorithmic agility but at the cost of added failure modes (and a combinatoric explosion). Was this in the spirit of the OpenPGP way of doing things? It's certainly arguable that it was not and that we shouldn't repeat that mistake.

A




More information about the LibrePGP-discuss mailing list