Post-quantum defaults
Andrew Gallagher
andrewg at andrewg.com
Wed Apr 8 15:33:09 CEST 2026
On 07/04/2026 17:34, Jakob Bohm via Gnupg-users wrote:
> Note that besides the highly advanced post-quantum algorithms promoted in
> recent years, there is also Merkle's hash tree signing algorithm, which
> uses solid security arguments from the properties of good hash algorithms.
> Two variants of this have been published as RFCs differing mostly in
> padding details.
There are two draft RFCs that have done all the spec work required for
PQC signatures in OpenPGP, using commonly-supported and
commonly-approved (by BSI, NSA and others) algorithms. They've been in
progress for over three years; the one using curve25519/448[1] has
production-ready implementations right now, and the one using
nistp/brainpool curves[2] is wire-format stable aside from the final
code points. We should be getting on with implementing these before
examining novel alternatives.
A
[1] https://www.rfc-editor.org/current_queue.php#draft-ietf-openpgp-pqc
    https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc
[2] https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-nist-bp-comp-03