Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,

Alessandro Barenghi <> Fri, 25 June 2021 07:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5AF263A3E43 for <>; Fri, 25 Jun 2021 00:07:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UEQPC4nNFnSn for <>; Fri, 25 Jun 2021 00:07:49 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::334]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 268B43A3E3E for <>; Fri, 25 Jun 2021 00:07:48 -0700 (PDT)
Received: by with SMTP id n23so5572017wms.2 for <>; Fri, 25 Jun 2021 00:07:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=ud3Uxnqrqm5dz4+Kh7auidlUeS93XvRpozJpxqAK5PQ=; b=ceoOjqP7+RNpfoGr2iL6+4lcV1/vT1vBWdVdtG4PuFlJcWzZVhgqbMYgS+1ZDhF9ep KYp6xt4zJd5Pu+X09SYjEY7ylAa1OeWkAwMquFG46Af+BbLCUj7WUvZoQ2TJjs3zKfly LMYToPBsuJ9KrMUbdpiY7R5j33F/m+3SaYRbwP4IXL5VHn2Tz3Y/ruyBNEja1YbbudgU Xb8TooBuKtoAvK3Jigbqu8SeUPBNmZtptrSthQGKK6rmX/DVoOAOoQJ6eRaCQxojS+5N 1eZpJ/6Rh91gfhqy/HGPkH/9q3TL0W0JqtQ55Q+De5sFFVAfJhtLjtvZ+5lf8VONK+C9 9L/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=ud3Uxnqrqm5dz4+Kh7auidlUeS93XvRpozJpxqAK5PQ=; b=idZWJvGQrrgZY+ljepVc3KgVHyXpGI6W1P8Li6+JQ+wE9o64HR7/ybTZEFEfUU0Uwo z/aEbSMk6Ea3xYzEZ5gs8mCafPr9QMVsLFaVugOEVn4mY74EMO5UyJkfUDUVEQ2YtfT5 API4DEPatl2/dbED0Gh7Ch4LoKU7kYtQdZ+BGYdyLKKDOj8gXU+4XEZw4iV2ThKI4//j oHTt1pbmaxb6zPfcGOjJ0AiVaoTSCTYyYASxTpoT4jp51A+uIf3f6JO2CLSh4+Wmic/0 HTmrw1L0MvVqdqsn6PvIUyiWMBPQGhW+av1t93pFvlZLQbQXJMwjoonviqcitFlynq8w 5Qjw==
X-Gm-Message-State: AOAM531vk6kRAqDmBTHzbZAmCG+YtCaZ2mZzsv0GM5NKP05dUvBHjs1s H7wxp3JOX8g0lYpiR/Ex+KoefrnS4RWMtylstN5VYM4YGFk=
X-Google-Smtp-Source: ABdhPJylASdvR8RZxI5nxRvCArzr0jTaWej4JkcBFV2dXFRIadrzmL2EbljbFu0WqUHGy5OeSDv/xPe3dLTxCKn1LM8=
X-Received: by 2002:a05:600c:4417:: with SMTP id u23mr8830538wmn.26.1624604866042; Fri, 25 Jun 2021 00:07:46 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Alessandro Barenghi <>
Date: Fri, 25 Jun 2021 09:07:35 +0200
Message-ID: <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 25 Jun 2021 07:07:55 -0000


On Thu, 24 Jun 2021 at 15:52, Kai Engert <> wrote:
> Hello,
> I'd like to make you aware of a project call by the German BSI (a
> federal agency for IT security), which was brought to my attention.
> I've posted some information on it on the Thunderbird planning mailing
> list, see the following thread, which has multiple messages from me:
> In my understanding they intend to pay a contractor for a wide set of
> tasks to bring PQC to Thunderbird, including the work to standardize the
> use of PQC with OpenPGP, including implementations for RNP, Botan, GnuPG
> and libgcrypt.
> It seems the BSI has already made a suggestion that they want to require
> the use of CRYSTALS-Kyber and -Dilithium.
> Is that a reasonable choice?

(Disclaimer: I have been involved in the NIST contest with a
submission which made it to the 2nd round. I am
not part of NIST personnel, opinions following are mine only.)

Kyber and Dilithium are two of the finalist algorithms in the current
NIST PQ standardization effort and,
as things stand now, thus potential candidates at the end of this year.
>From the latest update on the contest ([*] , slides 10 and 11) they
are both likely to be chosen as standards.

> Does it make sense to define a limitation to these methods at this point
> of time?
NIST is planning to announce the choice of the actual winners at the
end of 2021/early 2022 at the latest.
While writing down actual standards will take a bit more, the cut-down
on the algorithms will be significant.
We expect a single  lattice-based KEM and Classic McEliece for
diversity to be selected for KEMs,
and a single lattice based signature to make it in the standard which
will be announced at the end of the year.

NIST also has plans for a fourth stage of the competition, where they
will accept proposals for non-lattice based signatures
and analyze further the current "alternate" candidates.

If the idea is to understand what is the impact of the choices made by
NIST when implementing, it may be a reasonable time to keep thinking
about all the candidates in the NIST PQ standardization process.

An interesting bird's eye view on the sizes of ciphertexts/keypairs
and speed of the current third round candidates is available here[**]
(from slide 100 onwards).

Hope this helps,