Post-quantum defaults
Andrew Gallagher
andrewg at andrewg.com
Wed Apr 8 15:48:00 CEST 2026
On 08/04/2026 14:21, Werner Koch via Gnupg-users wrote:
> On Wed, 8 Apr 2026 12:52, jman said:
>
>> I think this article from Valsorda is also getting some attention:
>
> I think this article recently posted at Cryptography should get more
> attention:
>
> https://www.metzdowd.com/pipermail/cryptography/2026-March/039449.html

Sure, the NSA can't be trusted... but in the particular case of ML-KEM
it seems there's nowhere for them to hide:

https://keymaterial.net/2025/11/27/ml-kem-mythbusting/

There are concerns about the real strength of the smallest ML-KEM keys,
but the PGP PQC drafts do not permit them, only the two larger key
sizes. They also only permit them in hybrid PQ/T mode, so if you think
ECC is still secure, the only thing you've lost is some processor
cycles. Not great, but not the end of the world either.

tl;dr: nothing to see here.

A