GnuPG – post-quantum crypto landing in mainline(lists.gnupg.org) |
GnuPG – post-quantum crypto landing in mainline(lists.gnupg.org) |
Funny to read 1-liner changelog versus the plethora of articles just few years ago along the line of "Quantum computer, it might just change our entire lives and make privacy impossible!".
The simple addition (of a not so simple algorithm) to the software (and few others, e.g. OpenSSL) and voila, me can move on with our daily lives. Cryptography and computational complexity are truly amazing.
This isn't a space I know too much about, but even if we all start using quantum-safe encryption for everything today, won't the arrival of quantum computers that can break traditional encryption not still be a big deal?
Given that intelligence agencies, tech companies and various bad actors have been storing encrypted data for a long time, hoping to decrypt when (if?) that day comes?
The 2.5 series are improvements for 64 bit Windows and the introduction of Kyber (aka ML-KEM or FIPS-203) as PQC encryption algorithm.
The old 2.4 series reaches end-of-life in just two months.
Not that there is anything wrong with SHA1 fingerprints in practice. The sort of collisions that SHA1 is susceptible to are not an issue in this particular application. With SHA256 fingerprints people would still be using 64 bit key IDs, just like they are doing now.
(I suppose strictly speaking it's still a "proposed standard" vs "internet standard", but so is basically everything else)
The X25519 key could remain in hardware keys for a while til manufactures catch up.
> Kyber is always used in a composite scheme along with a classic ECC algorithm.
someone asked me to name the developer i talked to. i won't do that because in the past devs have been verbally attacked and threatened. justified or not, this is not acceptable behavior, and i am not going to expose anyone to that.
on the question of LibrePGP being the work of one person, i already mentioned that i found that the old OpenPGP RFC 4880 is 90% unchanged in LibrePGP. turns out it goes even further. almost all of the LibePGP RFC was already created by the OpenPGP committee. until some people pushed for massive changes. it was only at that point that werner koch decided to fork the standard and publish the old, already agreed upon, almost ready for publication, version of OpenPGP as LibrePGP with minimal changes. so this whole idea that LibrePGP is the work of one person is simply not true. this is documented in the timeline on https://librepgp.org/#timeline
the key issue with the new OpenPGP standard is not the changes in the supported crypto standards, but the incompatible key format, including the removal of the old keyformat. think about this for a moment please. clearly crypto algorithms need to be revised and improved over time, but there should be very little need to revise the key format, and especially remove support for the old format. i haven't verified this, but with the support for an old format gone, any old documents written in that format can no longer be decrypted by software following the new standard. the unreasonableness of this change is likely what set werner off, because he could not possibly remove support for the old format from GnuPG without breaking things for almost every user.
LibrePGP therefore is not an incompatible fork of OpenPGP, but OpenPGP RFC5980 is an incompatible revision of OpenPGP RFC4880 and of the latest consensus before people decided to massively change the OpenPGP RFC.
on the claim that GnuPG keeps silently releasing 2.2 versions, there is a simple explanation for that: GnuPG 2.2 is certified by the German Federal Office for Information Security (BSI). until a new version of GnuPG gets that certification, certain institutions that require this certification are not able to upgrade. think of 2.2 as an LTS release only intended for those that need it. there is nothing malicious about it, and insinuating that stopping support for 2.4 is in bad faith when 2.2 is still supported is simply missing the point. projects that have LTS releases do that all the time.
that mentioned refusal to backport something to 2.4 was not a refusal but an oversight. it has since been fixed.
the issue with the supposedly removed systemd support was a surprise to the person i talked to. but he could not confirm either way. we'll research that and follow up (feel free to email me if there is no reply here before the time to reply expires in two weeks. my email is in the profile). what my contact did tell me is that the systemd integration somehow made it more difficult to use GnuPG without that integration on machines running systemd. i didn't quite understand why though. if i learn more about this, i'll post it.
claims that the problem is the age of gnupg's codebase, which supposedly bakes in a lot of assumptions and premature optimisations, and which also supposedly doesn't have any unit tests or continuous integration, that it's a codebase that few outsiders understand and which few insiders are confident about making major changes to are very interesting but pretty baseless.
i mean how do you even make a claim that the codebase is full of assumptions and premature optimisations? what is the evidence for this claim? same for lack of tests. a claim like that would be very easy to verify. so please show your evidence, and don't make up stuff.
in my opinion this whole controversy is caused by people not listening to each other, and it is embellished by people who only follow one side of the argument and take everything that side claims as the truth. i am not exactly neutral myself, as i consider the GnuPG devs my friends, but i have a strong interest in resolving conflicts and misunderstandings and harmonizing different viewpoints. so i hope that my comments here are not adding fuel to the fire, but rather help to douse out the fire or at least cool it down.
it is also my hope that at some point in the future the differences between the new OpenPGP RFC and LibrePGP can be resolved, and the standards can be merged. (i don't know, it might be as simple as reinstating support for the old key format). forking a project in the face of controversy is not unknown in the FOSS community. it famously happened with GCC for example and a few other well known projects, which managed to overcome their differences and merge again. but to make this happen we need to stop throwing around accusations and actually listen to people to learn the reasons for their choices and opinions.
as long as we fight, we will just hinder each other in making progress. only if we collaborate and resolve our differences are we able to learn from our mistakes and move forward. this, btw, is the mantra that i live for, and this is why i chose to get involved in this discussion.
please share this comment with anyone who needs to see it.
If you encrypt a one-off email with a 5-year confidentiality requirement, harvest-now-decrypt-later actually matters. If you're encrypting backups that get rotated every 90 days, it doesn't.
The hybrid construction (Kyber/ML-KEM + X25519) is nice precisely because it's a no-regret move — you don't lose anything by adopting early. If Kyber turns out to have a structural flaw, X25519 still protects you. If a CRQC arrives, ML-KEM still protects you. The only real cost is key/ciphertext size, which for OpenPGP isn't a hot path anyway.
The interesting question is what happens to long-lived smartcard/HSM-backed keys. Those typically have a 5–10 year lifecycle and most hardware won't grow ML-KEM support without a hardware refresh. That's where I'd expect the first real compatibility headaches.
The trouble is that PQC already has inherent size/performance downsides, and it won't benefit from the decades of optimizations that classical algorithms had. Expect a hefty performance tax for some time.
Traditionally the OpenPGP standards process has been very conservative and minimalistic. GnuPG comes from that tradition. So the RFC-9580 faction created their own maximalist version of the standard and are actively promoting it as the standard.
So from a user perspective, there are two incompatible proposals out there. It's a mess. So it is better to aggressively ignore them both and maintain interoperability by sticking with RFC-4880 (OpenPGP). That might be a problem if you for some reason are still concerned about a quantum attack against cryptography as the post quantum stuff has gotten caught in this schism. It is certainly something that the users need to keep in mind.
Well:
> Category: Standards Track
Combined with some personal drama.
my opinion is that rewriting standards like that is the result of design by committee. everyone wants to put their mark on it. designing a new standard is fine, but the new standard should have also received a new name, or it should at least have been acknowledged that the old standard still needs to be supported until enough time has passed that the old standard is no longer in use. (which could take decades if not more if we want to be realistic and consider that encrypted data at rest could linger around pretty much forever unless actively re-encoded.)
(source: i talked to a GnuPG developer)
The situation is farcical, and stems from the double bind that PGP has been in for at least 20 years: the standards are bad and need modernization, but it’s impossible to modernize them because the single thing that retains “serious” users of PGP is backwards compatibility.
The end result of this is a version of Weekend at Bernie’s where both GPG and OpenPGP are fighting over how to dress up the corpse, while the rest of the world has moved on.
Fortunately we can use the existing standard (RFC-4880) in a way that is completely secure. Remember, we are talking about the standard that was in effect when the Snowden leak revealed that PGP is on a very short list of things the NSA has no access to. There is no reason to think that has changed since then.
Unfortunately there's something akin to a conflict of interest with both RNP and OpenPGP. OpenPGP guys have gpgsm, and RNP people also maintain the S/MIME part in Thunderbird. Both have stagnated and are holding back what would have otherwise moved on.
Search for "asking the editor to step down" to find the moment when the working group decided he was more trouble than it's worth (and GnuPG's support was obviously worth a lot in the openpgp community).
ML-KEM-768 is fast as an algorithm, faster than X25519 in terms of pure computation, but uses large keys, so has higher overheads on small payloads. Most of the time, they’re about equal, or the absolute time is so slow it doesn’t matter.
Most folks now are doing hybrid ML-KEM and X25519 to guard against undiscovered flaws in ML-KEM.
Here is a 6-part article about the topic: https://blog.cr.yp.to/20251004-weakened.html
> ChaCha20-Poly1305
ha! i ran into this when looking at the source for yaak (guy who made the insomnia rest client who's now making yaak). i never got to the bottom of how it worked.
ML-KEM based on a lattice problem called "Learning With Errors", and there are similar lattice-based algorithms which have no known quantum speedup. Most traditional asymmetric encryption algorithms are based on number-theoretic assumptions like the discrete logarithm problem or the RSA assumption, which are broken by Shor's algorithm.
Symmetric cryptography (AES and SHA hash functions) are post-quantum resistant for now. Grover's algorithm technically cuts their asymptotic security in half, but that doesn't parallelize, so practically there is no known good quantum attack, and cryptographers and standards agencies tend to not worry about that. You can keep using those.
[edit: according to the sister comment posted simulataneously ML-KEM is faster than X25519. good to know!]
The time between the moment the information is recorded and when it's deciphered is what matters, rarely the information itself abstracted from all context.
So even if suddenly having a classical cryptography is broken, trivially, then there still need to be a way to search through it.
Typically for a random person that means their credit card pin and their email password for example. Well, you chance that and if, say the NSA, can decipher your old email password even 1 minute after you changed it, no big deal. If they can decipher your old emails it might be a big deal but probably not. I would argue it depends on actionable information (e.g. a coup happening tomorrow) and legal information (e.g. the proof that a certain person was an informant and should be extradited).
So... I would argue historically, huge deal, daily life... probably not much for most.
Current best practices for symmetric encryption are considered PQ-safe (provided your key length is long enough). The real question the above algorithms solve is how do you safely share the key for the symmetric encryption. That’s where X25519 and ML-KEM come in. X25519 is not PQ-safe, but it is very well studied and considered robust. ML-KEM is PQ-safe, but new, and not as well tested/audited.
* https://news.ycombinator.com/item?id=45477206
* https://news.ycombinator.com/item?id=45477206#unv_45477799
See various "NSA and IETF":
* https://datatracker.ietf.org/doc/draft-koch-librepgp/
Observing the OpenPGP schism mess I think I have gained some insight as to why some RFCs become so bloated. For example it has been recently pointed out that there are 60 RFCs for TLS (with 31 drafts in progress)[1]. The RFC process seems to be more optimal during the design phase. Once we have an established standard there should to be some way to force those that propose changes/extensions to provide appropriately strong justifications for those changes/extensions. Right now it is a popularity contest and there will always be more people out there in favour of changes/extensions than those willing to endlessly fight against those changes/extensions. Because cryptography is so specialized and obscure, the users tend to get left out of the discussion.
[1] https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf
"Intended Status: Informational"
And anyone can put forward a draft. Here's one for "IPv8" with increased security where "manageable element in an IPv8 network is authorised via OAuth2 JWT tokens"
I don't think this is really true. A huge fraction of proposed documents just go nowhere, and it's really quite common to see a new proposal get presented and be shot down by one or two people (Source: I've been one of the people doing the shooting down on more than one occasion)
- As a practical matter, anything that is a Proposed Standard RFC is a standard. In principle, there is a two-level system with PS and Internet Standard (down from three levels) but most WGs don't bother to advance specifications past PS. For example, TLS and QUIC are both PS.
- RFC 9580 obsoletes RFC 4880, so from the perspective of the IETF, it supersedes it. Of course, this doesn't make people do anything.
(As just one small example: the only mandatory symmetric cipher in 4880 is 3DES, and nobody serious is recommending 3DES for long term stored encryption in 2026.)
Your example mentions 3DES. 3DES is secure. The reason it is not recommended is because 128 bit block lengths allow longer file/message lengths than 3DES can accommodate on one key. At any rate, RFC-4880 permits the use of AES and that is what is normally used.
And no, you can’t brush aside 3DES being insecure for large messages and then call it secure. Modern cryptographic tools don’t allow that, because there is (again) universal consensus that it’s insecure.
so the rewrite claim was exaggerated. i didn't compare the stuff that was added or merged.
My honest first reaction to this statement would get me permabanned from this site, so here’s the polite version:
This is nonsense on stilts. It is so ill-informed and baseless I struggle to understand how anyone who has read the RFCs in question could possibly come to this conclusion. It is hooey.
> things the old standard used to support are not supported in the new standard.
Aside from deprecating some ancient cryptographic algorithms that nobody uses any more, everything from RFC4880 is in RFC9580. Can you point out a concrete example of something (non-obsolete!) that is missing?
> that makes any implementation of the new standard incompatible with implementations of the old one.
That is news to every openpgp implementation other than gnupg, which have happily implemented both. Even RNP have it in a feature branch somewhere.
> (source: i talked to a GnuPG developer)
Which one? When? It would genuinely help if they would go on the record. I strongly suspect their actual opinion would differ from what you’ve reported here. There’s enough hearsay nonsense about the schism floating around the internet as it is, without adding to it.
i hope you'll notice this reply and get a chance to read it.
I doubt that there is an implementation left that does 3DES by default.
It would be nice to update the standard to make AES required to be available for decryption. I really wish that the most recent standard update attempt had restricted their scope to such uncontroversial changes before going to war over the controversial changes.
Edit: I say “particularly” because I don’t think any cryptographer would endorse 4880’s only mode of operation for AES.