Opengpg smartcard specs for kyber (PQC) algorithm

Damien Goutte-Gattat dgouttegattat at incenp.org
Tue May 13 23:10:45 CEST 2025 

On Tuesday, 13 May 2025 09:10:35 BST Werner Koch via Gnupg-users wrote: 
> On Thu,  8 May 2025 10:43, Simon Josefsson said:
> > Oh!  Is there a step-by-step instruction how to create a key like
> > this?
> 
> Not yet.  However some folks obviously experimented with this

I am one of those experimenting folks. :D

Here’s a quick write-up of what I did:

Starting from a point where you already have a ECC key on a token, first thing is to get the keygrip of that key:

  $ gpg -K --with-keygrip
  [keyboxd]
  sec   ed25519 2020-05-14 [SC]
        0E3E30F7E0C3B7F2CBF4D4145A7FD609833CCD4A
        Keygrip = 2139B71E586D798EC5ADF4AA2EEDDE5A21351AE7
  uid           [ultimate] Alice <alice at example.org>
  ssb   cv25519 2020-05-14 [E]
        BD13A83426BAE9BC5C41A33745EDD81BCE62E9BD
        Card serial no. = FFFE 12345678
        Keygrip = <ECC_KEYGRIP>

Then, you need to generate the Kyber part of the new Kyber+ECC key. There are several ways to do that. One is to use the command given by Werner:

  $ gpg-connect-agent "/let param (genkey(kyber1024))" \
     "/definq KEYPARAM param" "genkey --no-protection" /bye
  S INQUIRE_MAXLEN 1024
  INQUIRE KEYPARAM
  S KEYGRIP <KYBER_KEYGRIP>
  OK

Take note of the <KYBER_KEYGRIP>. In fact, make sure you have the ECC_KEYGRIP and the KYBER_KEYGRIP in a text file somewhere, ready to be copy-pasted.

(Another way to obtain a Kyber key: ask GnuPG to generate a brand new Kyber+ECC key, then take note of the keygrip for the Kyber part and delete the ECC part that you do not need.)

Then, launch GnuPG’s key editor in expert mode:

  $ gpg --expert --edit-key alice

Add a new subkey:

  gpg> addkey
  Please select what kind of key you want:
  [...]

Select "(13) Existing key". At the "Enter the keygrip" prompt, paste the ECC_KEYGRIP, followed by a comma, followed by the KYBER_KEYGRIP:

  Enter the keygrip: ECC_KEYGRIP,KYBER_KEYGRIP

GnuPG will recognize that as Kyber key that can only be used for encryption, so select "(Q) Finished" at the next prompt:

  Possible actions for this Kyber key: Encrypt
  Current allowed actions: Encrypt

     (E) Toggle the encrypt capability
     (Q) Finished

  Your selection? Q

Then follow the rest of the key generation procedure (selection of expiration date, confirmation, really create), then save your modifications and exit the key editor.

You can run `gpg -K --with-keygrip` again to confirm the presence of your new Kyber+ECC key which shares a keygrip with your pre-existing, on-token ECC key:

  $ gpg -K --with-keygrip
  [keyboxd]
  sec   ed25519 2020-05-14 [SC]
        0E3E30F7E0C3B7F2CBF4D4145A7FD609833CCD4A
        Keygrip = 2139B71E586D798EC5ADF4AA2EEDDE5A21351AE7
  uid           [ultimate] Alice <alice at example.org>
  ssb   cv25519 2020-05-14 [E]
        BD13A83426BAE9BC5C41A33745EDD81BCE62E9BD
        Card serial no. = FFFE 12345678
        Keygrip = <ECC_KEYGRIP>
  ssb   ky1024_cv25519 2025-05-13 [E]
        FC1283D6D0A12637A6EB0E8044ADD592FC362FBB5B1676B03F6B0EA8F60F3544
        Card serial no. = FFFE 12345678
        Keygrip = <ECC_KEYGRIP>,
                  <KYBER_KEYGRIP>

Here you are, I hope this helps.

Few things to be aware of:

First, maybe wait until GnuPG 2.5.7 has been released before publishing such a key, because as of GnuPG 2.5.6 decryption will _not_ work when the ECC part is on a token. Or patch your version of GnuPG with Gniibe’s 309cfb3a4c91 commit.

Second, as you’ll have noticed the Kyber key has been generated without a passphrase ("genkey --no-protection"). If you do want to protect that key, it’s better to do that at the time you generate it (by leaving aside the "--no-protection" parameter), because GnuPG will not allow you to set a passphrase on that key afterwards: if you try the "passwd" command in the key editor, GnuPG will notice that the ECC part is on a token, and will therefore claim that there is no passphrase to change -- ignoring the fact that the Kyber part is on disk (maybe this could be considered a bug, or at least a missing feature; then again all of this is clearly experimental, so this is to be expected.)

Have fun!

- Damien
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20250513/9f222d74/attachment.sig>

More information about the Gnupg-users mailing list