On Thu, Oct 16, 2025 at 1:35 PM <[email protected]> wrote:

> And why bother? Real Cryptographers™ have already done the hard work
> for securely hybridizing the needed algorithms, and developers such as
The "why bother" is because it is the best option available, for now. The PKCS11 devices you are able to find at the store for purchase from a trustworthy vendor don't support the PQC algorithms. Hardware development is slow, and much of your hardware will only support RSA and EC keys for a very long time. Good luck getting PQC on a PGP card. Even support for RSA keys longer than 2048 is difficult to find.

Software on your computer can support the PQC algorithms as soon as they come out, but software cannot provide appropriate key protection against the adversaries who gain logical or physical control over your computer. These tools, such as malware that would steal your keys, are real and tangible, and a huge threat, but quantum computing is in the future. They are, as far as you know, very different, unrelated types of actors. The concern from quantum computers is that your adversaries will sniff your traffic on the wire and save it in their 30-year cold storage for future perusal. They are not on your computer with malware snatching your keys. If they were, then the PQC algorithm offers zero additional protection. Only a hardware-based solution has anything to offer in this area -- hardware with no PQC public-key ciphers supported.

It is logical to say: nest E_algorithm1_key1( E_algorithm2_key2 ) to defend against entirely different categories of theoretical future attackers who can break E_algorithm1, but keep the E_algorithm1 encryption to defend against actors who can use malware to steal the E_algorithm2_key straight off your computer. It doesn't matter if in theory some ideal attacker could establish a mathematical association between the two algorithms, as they say. Because your alternative is to only use E_algorithm2, which makes you seriously vulnerable immediately, or to only use E_algorithm1, which is to just ignore the future quantum threat entirely. You are in an objectively weaker position using only one level of protection versus both.
There's no point in mulling over a theoretical subset of attacker who has both malware to steal your PQC key and a quantum computer to blow up your traditional key. There are extremely strong reasons here to not only use E_algorithm1, and also to not only use E_algorithm2. And the reason for applying E_algorithm1 does not have to do with concerns about the cryptographic properties of E_algorithm2. It's about the form in which implementations of that algorithm have been made available to you for use.

> WK and the GnuPG devs have already implemented it *a year ago* (v.2.5.1
> stable/forward-compatible protocol for ECC+Kyber).

--
-JA

_______________________________________________
Gnupg-users mailing list
[email protected]
https://lists.gnupg.org/mailman/listinfo/gnupg-users
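The nesting E_algorithm1_key1( E_algorithm2_key2( message ) ) argued for above, modelled as an added illustration (not code from this thread or from GnuPG): the "hardware" key1 lives only inside a HardwareToken stand-in, key2 is an ordinary software key that malware could read from host memory, and each cipher is a toy SHA-256 counter-mode stream cipher used purely so the layering runs offline. The two adversaries from the mail are then tried against the result: one holding key2 (malware), one holding key1 (algorithm1 broken), and one holding both.

```python
import hashlib
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for 'any
    cipher' so the example runs offline. Not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + keystream_xor(key, nonce, data)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:12], blob[12:])

class HardwareToken:
    """Stand-in for a PKCS#11 device or OpenPGP card: key1 never leaves it.
    (A real card wraps with the public key; only unwrap needs the card.)"""
    def __init__(self) -> None:
        self._key1 = os.urandom(32)  # classical key, card-resident

    def wrap(self, data: bytes) -> bytes:
        return encrypt(self._key1, data)

    def unwrap(self, blob: bytes) -> bytes:
        return decrypt(self._key1, blob)

def nested_encrypt(token: HardwareToken, key2: bytes, msg: bytes) -> bytes:
    """Outer layer: card-held classical key1. Inner layer: software key2
    (the PQC key in the mail's scenario)."""
    return token.wrap(encrypt(key2, msg))

ZERO = bytes(32)  # what an adversary must use for a key it does not hold

def recover(ct: bytes, key1: bytes = ZERO, key2: bytes = ZERO) -> bytes:
    """Decrypt both layers with whatever keys the adversary holds. Pass key1
    to model algorithm1 being broken (quantum), key2 to model malware that
    stole the software key. A missing key leaves one layer intact."""
    return decrypt(key2, decrypt(key1, ct))
```

The assertions a reader can run: the nested ciphertext only falls to an adversary holding both keys, while a single-layer ciphertext falls to whichever adversary matches that one layer.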
