Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,

Justus Winter <> Mon, 28 June 2021 10:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E37D53A3476 for <>; Mon, 28 Jun 2021 03:36:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LPuzHwprJlaY for <>; Mon, 28 Jun 2021 03:36:22 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2F7893A347D for <>; Mon, 28 Jun 2021 03:36:21 -0700 (PDT)
Received: (qmail 2448 invoked from network); 28 Jun 2021 10:36:19 -0000
Received: from localhost (HELO localhost) ( by with SMTP; 28 Jun 2021 10:36:19 -0000
From: Justus Winter <>
To: Alessandro Barenghi <>
In-Reply-To: <>
References: <> <>
Date: Mon, 28 Jun 2021 12:36:17 +0200
Message-ID: <8735t246ou.fsf@europ.lan>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Archived-At: <>
Subject: Re: [openpgp] German BSI, PQC for OpenPGP in Thunderbird,
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Jun 2021 10:36:27 -0000

Alessandro Barenghi <> writes:

> An interesting bird's eye view on the sizes of ciphertexts/keypairs
> and speed of the current third round candidates is available here[**]
> (from slide 100 onwards).
> [**]

That is a great pointer.  I think from the perspective of the protocol,
the biggest challenge is that OpenPGP can only express cryptographic
artifacts up to 2^16 bits, or 2^13 bytes.

Even if we assume that artifacts like keys, ciphertexts, signatures are
just comprised of a single component, that only impacts very few KEMs
(HCQ, FrodoKEM, and of course McEliece), of which only McEliece is a 3rd
round finalist.  But, given that all other finalists are based on
structured lattices, and NIST expects to select only one of those,
McEliece may very well be one of the selected algorithms.

It's a different picture for the signature schemes, though, where only
Falcon and Dilithium fit into OpenPGP's MPI envelope, both of which are
3rd round finalists.  The signature schemes seem to all trade off key
size vs. signature size, with only two schemes barely able to fit into
MPIs.  That is a bit disconcerting.  NIST seems to think so too, as they
are interested in more candidates.

I think we should revisit the way we store cryptographic artifacts in
OpenPGP.  Unfortunately, neither SOS nor SBS address the issue of
potentially large PQ artifacts.