Question on Kyber Encryption (Key Gen)
Werner Koch
wk at gnupg.org
Tue Oct 22 12:34:27 CEST 2024
Hi!
On Mon, 21 Oct 2024 21:50, Vincent Cozzo said:
> way to generate a Kyber public key is to add a _subkey_ to an existing
> ECC key (right?).
You can also do:
gpg -v --quick-gen-key --batch \
--passphrase='' pqc-test-20241022@example.org pqc
Which generates such a key:
sec brainpoolP384r1 2024-10-22 [SC] [expires: 2027-10-22]
D9F7435AF96EF89EF5D4BD9E57396E9C2CA268E8
uid [ultimate] pqc-test-20241022@example.org
ssb ky768_bp256 2024-10-22 [E]
57A0441BF54B3149A52EBA962CACF19BFFA3555B60084B146D012D16E5BD2154
> But whenever I try to test this out (by creating a new ECC Key Pair
> and then edit it by adding a subkey with the numerical code 16), I
> keep getting the error:
> ```
> gpg: agent_genkey failed for second algo: Invalid public key algorithm
Let's try using my current development tree but there have been no
relevant changes since 2.5.1:
$ gpg --edit-key D9F7435AF96EF89EF5D4BD9E57396E9C2CA268E8
gpg: WARNING: unsafe permissions on homedir '/home/wk/b/gnupg/test-pqc'
gpg (GnuPG) 2.5.2-beta36; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
Secret key is available.
sec brainpoolP384r1/57396E9C2CA268E8
created: 2024-10-22 expires: 2027-10-22 usage: SC
trust: ultimate validity: ultimate
ssb ky768_bp256/57A0441BF54B3149
created: 2024-10-22 expires: never usage: E
[ultimate] (1). pqc-test-20241022@example.org
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(10) ECC (sign only)
(12) ECC (encrypt only)
(14) Existing key from card
(16) Kyber (encrypt only)
Your selection? 16
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec brainpoolP384r1/57396E9C2CA268E8
created: 2024-10-22 expires: 2027-10-22 usage: SC
trust: ultimate validity: ultimate
ssb ky768_bp256/57A0441BF54B3149
created: 2024-10-22 expires: never usage: E
ssb ky768_bp256/F6BD9A2253968078
created: 2024-10-22 expires: never usage: E
[ultimate] (1). pqc-test-20241022@example.org
> gpg: Key generation failed: Invalid public key algorithm
Did you build with a proper Libgcrypt version? What is the output of
gpgconf -V
> I see that `generate_subkeypair` calls ask_algo, which sets the algo
> parameter equal to PUKEY_ALGO_KYBER, and then delegates to `do_create`
> which calls `gen_kyber`... but I am having trouble finding where this
> particular error message is output. Could anyone help shed light on
The above error message is printed at several places - thus it depends
on the exact context of what you did.
> where this is failing? What "base Key" do I need to make in order to
> satisfy the "public key algorithm" requirement?
You may use any primary key. Sometimes the option --expert is needed
but not in this case. My gpg.conf only has a
with-subkey-fingerprint
line.
Shalom-Salam,
Werner
--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein