Post-quantum defaults
Jakob Bohm
jb-gnumlists at wisemo.com
Tue Apr 7 18:34:56 CEST 2026
Dear GPG/PGP designers,

Note that besides the highly advanced post-quantum algorithms promoted in
recent years, there is also Merkle's hash tree signing algorithm, which
uses solid security arguments from the properties of good hash algorithms.
Two variants of this have been published as RFCs, differing mostly in
padding details.

While this is purely a signature algorithm and each signature is several
kilobytes in size (hashbits**2 / w / 8, plus the extra hash values for carry
bits, plus the hashbits * log2(sigcount) / 8 path to the tree root),
the public key is just a single hash value and the private key is either
a large one-time pad or a symmetric key for a strong enough stream
cipher. Given the theory that quantum attacks halve the strength of
hash functions and other symmetric algorithms, and the theory that hash
algorithms have the equivalent symmetric strength of hashbits / 2,
Merkle-tree algorithms should be hash algorithm agile and use a hash
algorithm with hashbits >= 4 * desired-strength. Thus 128-bit
equivalent strength would need a 512-bit hash algorithm and a 256-bit
stream cipher; double that for 256-bit strength.

For example, an addition to OpenPGP can reference one of the two RFCs,
specify w=8 and make the hash algorithm a separate part of the algorithm
indication in public keys, while a corresponding GPG implementation can
then be parameterized by a reference to the entire list of implemented
hash algorithms >= 256 bits (to verify all spec-compliant signatures)
while using one or two very strong stream ciphers for the private key
storage format (making stream and hash algorithms user choices during key
generation). Tree height would be dictated by a need to leave one
signing invocation available to sign a new public key, one to sign
self-revocation and a few others for similar tasks, then at least one
usable signing invocation for signing an actual mail or software
release.
On 06/04/2026 21:54, Robert J. Hansen via Gnupg-users wrote:
> As many people on this list know, I have for a very long time been a
> skeptic on the subject of quantum computing advances. I won't go into
> details, but the bottom line is there are three pillars on which I
> have set my projections and this week it looks as if two of them are
> beginning to crack.
>
> It is probably wise to begin deploying post-quantum cryptography. Are
> there any plans in GnuPG to make post-quantum algorithms the default
> for new certificates?
>
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
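The size terms and the "leave a few signing invocations in reserve" point in the post above, worked through in code. This is an added example written for this page; it is not code from the post, from GnuPG, or from the RFC schemes the post refers to (XMSS in RFC 8391 and LMS/HSS in RFC 8554), and it is not interoperable with them. It assumes SHA-512 (hashbits = 512), w = 8 (one byte per Winternitz chunk, 255-step chains), a caller-chosen tree height, and per-leaf secrets derived from one seed with a hash-based PRF instead of the stream cipher the post suggests. Names such as `MerkleSigner`, `chain`, `to_chunks` and `signature_size` are this example's own.

```python
"""Toy hash-based signature: Winternitz one-time keys under a Merkle tree.

Added illustration for the post's size formula and leaf bookkeeping; not
RFC 8391/8554 and not GnuPG code. Assumed parameters: SHA-512, w = 8.
"""
import hashlib
import os

N = 64                      # SHA-512 output bytes (hashbits = 512)
W = 8                       # Winternitz parameter w: bits per chunk
BASE = 1 << W               # 256 values per chunk, so each chain has BASE-1 steps
L1 = (N * 8) // W           # message chunks: 512 / 8 = 64  (post: hashbits / w)
MAX_SUM = L1 * (BASE - 1)   # largest possible sum of message chunks (16320)
L2 = (MAX_SUM.bit_length() + W - 1) // W   # checksum chunks: 2 (post's "carry bits")
L = L1 + L2                 # chains per one-time key: 66


def H(*parts):
    return hashlib.sha512(b"".join(parts)).digest()


def chain(x, start, steps, leaf, idx):
    """Apply H 'steps' times from chain position 'start'. Leaf, chain index and
    position are hashed in, so a verifier can continue a chain from any point."""
    for pos in range(start, start + steps):
        x = H(b"chain", leaf.to_bytes(4, "big"), idx.to_bytes(2, "big"),
              pos.to_bytes(2, "big"), x)
    return x


def to_chunks(msg):
    """Digest as L1 base-256 digits plus an L2-digit checksum: raising any message
    digit (which an attacker can do by hashing further) lowers the checksum, and
    lowering a digit is exactly what the one-way chain forbids."""
    digits = list(H(b"msg", msg))
    csum = MAX_SUM - sum(digits)
    return digits + list(csum.to_bytes(L2, "big"))


def wots_secret(seed, leaf, idx):
    # PRF-derived chain start (assumption of this toy; the post proposes a stream cipher)
    return H(b"sk", seed, leaf.to_bytes(4, "big"), idx.to_bytes(2, "big"))


def wots_leaf(seed, leaf):
    ends = [chain(wots_secret(seed, leaf, i), 0, BASE - 1, leaf, i) for i in range(L)]
    return H(b"leaf", *ends)


class MerkleSigner:
    """Stateful signer: every leaf signs exactly once. 'reserved' leaves are held
    back for signing a successor key, a revocation and similar tasks."""

    def __init__(self, height, reserved=2, seed=b""):
        self.seed = seed or os.urandom(32)
        self.height = height
        self.levels = [[wots_leaf(self.seed, j) for j in range(1 << height)]]
        while len(self.levels[-1]) > 1:          # build the tree bottom-up
            row = self.levels[-1]
            self.levels.append([H(b"node", row[i], row[i + 1]) for i in range(0, len(row), 2)])
        self.public_key = self.levels[-1][0]     # public key is one hash value
        self.next_leaf = 0
        self.limit = (1 << height) - reserved

    def remaining(self, use_reserved=False):
        cap = (1 << self.height) if use_reserved else self.limit
        return max(0, cap - self.next_leaf)

    def sign(self, msg, use_reserved=False):
        if self.remaining(use_reserved) == 0:
            raise RuntimeError("no usable one-time keys left")
        j = self.next_leaf
        self.next_leaf += 1                      # advance state before releasing the signature
        digits = to_chunks(msg)
        ots = [chain(wots_secret(self.seed, j, i), 0, digits[i], j, i) for i in range(L)]
        auth, pos = [], j                        # authentication path: one sibling per level
        for lvl in range(self.height):
            auth.append(self.levels[lvl][pos ^ 1])
            pos >>= 1
        return j, ots, auth


def verify(public_key, msg, sig):
    j, ots, auth = sig
    if len(ots) != L or any(len(v) != N for v in ots + auth):
        return False
    digits = to_chunks(msg)
    ends = [chain(ots[i], digits[i], BASE - 1 - digits[i], j, i) for i in range(L)]
    node, pos = H(b"leaf", *ends), j
    for sibling in auth:
        node = H(b"node", node, sibling) if pos % 2 == 0 else H(b"node", sibling, node)
        pos >>= 1
    return node == public_key


def signature_size(height):
    """Bytes of (ots, auth): the post's hashbits**2/w/8 term, the carry-bit
    chains, and the hashbits*log2(sigcount)/8 path (leaf index not counted)."""
    return L1 * N + L2 * N + height * N


if __name__ == "__main__":
    signer = MerkleSigner(height=3, reserved=2, seed=b"\x01" * 32)   # constructed seed
    sig = signer.sign(b"release-1.0.tar.gz")
    print(verify(signer.public_key, b"release-1.0.tar.gz", sig), signature_size(3))
```

With height 4 the function returns 4096 + 128 + 256 = 4480 bytes, which is the post's 512**2/8/8 term plus two checksum chains plus the four-hash path; the index and any hash-algorithm identifier come on top. The `remaining()` / `reserved` bookkeeping is the part that most often goes wrong in practice: a leaf reused after a restore from backup yields two signatures under one one-time key, so the counter must be persisted before a signature leaves the process.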