Post-quantum defaults
Jakob Bohm
jb-gnumlists at wisemo.com
Thu Apr 9 22:53:45 CEST 2026
On 08/04/2026 15:33, Andrew Gallagher via Gnupg-users wrote:
> On 07/04/2026 17:34, Jakob Bohm via Gnupg-users wrote:
>> Note that besides the highly advanced post-quantum algorithms
>> promoted in
>> recent years, there is also Merkle's hash tree signing algorithm, which
>> uses solid security arguments from the properties of good hash
>> algorithms.
>> Two variants of this have been published as RFCs differing mostly in
>> padding details.
>
> There are two draft RFCs that have done all the spec work required for
> PQC signatures in OpenPGP, using commonly-supported and
> commonly-approved (by BSI, NSA and others) algorithms. They've been in
> progress for over three years; the one using curve25519/448[1] has
> production-ready implementations right now, and the one using
> nistp/brainpool curves[2] is wire-format stable aside from the final
> code points. We should be getting on with implementing these before
> examining novel alternatives.
>
The algorithm I suggested has 9 PUBLISHED RFCs, not just drafts, which
simply omit descriptions of how to integrate them in PGP. It is not at
all novel, being originally proposed in 1979. The security properties
it relies on are basic:
1. The hash algorithm cannot be reversed with available attack resources.
2. Different inputs create wildly different outputs.
0a. It doesn't even require the hash algorithm to be a good key generator
for things like password hashing.
0b. It doesn't require the hash to be fully collision-resistant.
http://www.merkle.com/papers/Thesis1979.pdf: Original specification
U.S. Patent 5,432,852: Expired patent on the HSS/LMS variant
RFC8391: The complex formatting named XMSS
RFC8554: The simplified formatting named HSS/LMS
RFC8708: PKCS.7 Integration for the HSS/LMS format (obsoleted by RFC9708)
RFC8778: CBOR-COSE integration for the HSS/LMS format
RFC9708: PKCS.7 Integration for the HSS/LMS format
RFC9802: X.509 integration for both formats
RFC9814: PKCS.7 Integration for the HSS/LMS format
RFC9858: Additional standard parameter sets for the HSS/LMS format
RFC9909: X.509 Integration for the HSS/LMS format
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
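Added illustration (not part of the thread, and not GnuPG's or any RFC's code): a minimal Merkle hash-tree signature in the 1979 shape the message above refers to, with Lamport one-time keys as leaves. It is deliberately not the RFC 8554 LMS/HSS or RFC 8391 XMSS wire format (no Winternitz chaining, no parameter-set identifiers), but it shows the point being argued: verification needs nothing from the hash beyond preimage/second-preimage resistance and good output spreading, and the one thing the scheme does require from the implementer is state, since each leaf key must be used exactly once. Tree height, SHA-256 as the hash, and the sample message are all choices of this example.

```python
"""Toy Merkle-tree signature: Lamport OTS leaves under a binary SHA-256 tree.

Added example, not the LMS/HSS (RFC 8554) or XMSS (RFC 8391) format.
Security rests on SHA-256 being one-way (leaf secrets) and second-preimage
resistant (tree nodes); it does not need full collision resistance.
"""
import hashlib
import os

H = 32            # SHA-256 output length in bytes
MSG_BITS = 8 * H  # one Lamport key pair per bit of H(message)


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen(rng=os.urandom):
    """One-time key: two secrets per message bit; public key is their hashes."""
    sk = [(rng(H), rng(H)) for _ in range(MSG_BITS)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bit(digest: int, i: int) -> int:
    return (digest >> (MSG_BITS - 1 - i)) & 1


def lamport_sign(sk, msg: bytes):
    """Reveal, for each bit of H(msg), the secret matching that bit's value."""
    digest = int.from_bytes(sha256(msg), "big")
    return [sk[i][_bit(digest, i)] for i in range(MSG_BITS)]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the selected public half."""
    digest = int.from_bytes(sha256(msg), "big")
    return all(sha256(sig[i]) == pk[i][_bit(digest, i)] for i in range(MSG_BITS))


def leaf_hash(pk) -> bytes:
    # 0x00 prefix domain-separates leaves from internal nodes
    return sha256(b"\x00", *[a + b for a, b in pk])


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01", left, right)


class MerkleSigner:
    """Holds 2**height one-time keys; the tree root is the long-term public key."""

    def __init__(self, height: int, rng=os.urandom):
        self.n = 1 << height
        self.keys = [lamport_keygen(rng) for _ in range(self.n)]
        level = [leaf_hash(pk) for _, pk in self.keys]
        self.levels = [level]                       # levels[0] = leaves
        while len(level) > 1:
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
            self.levels.append(level)
        self.root = level[0]
        self.next_index = 0  # persistent state: reusing a leaf forfeits security

    def sign(self, msg: bytes):
        if self.next_index >= self.n:
            raise RuntimeError("all one-time keys exhausted; generate a new tree")
        idx = self.next_index
        self.next_index += 1                        # commit state before releasing sig
        sk, pk = self.keys[idx]
        auth, i = [], idx
        for level in self.levels[:-1]:              # sibling at every level below root
            auth.append(level[i ^ 1])
            i >>= 1
        return {"index": idx, "ots_pk": pk, "ots_sig": lamport_sign(sk, msg), "auth": auth}


def merkle_verify(root: bytes, msg: bytes, sig) -> bool:
    """Check the OTS, then fold the leaf up the auth path and compare to root."""
    if not lamport_verify(sig["ots_pk"], msg, sig["ots_sig"]):
        return False
    node, i = leaf_hash(sig["ots_pk"]), sig["index"]
    for sibling in sig["auth"]:
        node = node_hash(sibling, node) if i & 1 else node_hash(node, sibling)
        i >>= 1
    return node == root


if __name__ == "__main__":
    signer = MerkleSigner(height=3)                 # 8 one-time keys
    msg = b"constructed sample message"             # constructed input
    sig = signer.sign(msg)
    print("valid:", merkle_verify(signer.root, msg, sig))
    print("tampered:", merkle_verify(signer.root, b"tampered", sig))
```

The signer advances `next_index` before it hands out the signature, which is the property that real LMS/XMSS implementations must guarantee across crashes and restores; a restored backup that replays an index is the classic failure mode of stateful hash-based schemes.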