I’m delighted to announce that the OpenPGP implementation in #Conversations_im will see some love over the next ~6 months. Simultaneously, we will be laying the groundwork for OMEMO2 by implementing Stanza Content Encryption.

Thanks to funding from @nlnet and the European Commission.

https://nlnet.nl/project/Conversations-OpenPGP-refresh/

#XMPP #Jabber #OMEMO #OpenPGP

NLnet; OpenPGP refresh for Conversations

@daniel @nlnet any post-quantum encryption?

The underlying library (PGPainless) doesn’t support PQC (https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc-17) yet (?) but technically it’s possible.

I skimmed the relevant specs (https://xmpp.org/extensions/xep-0373.html) and sadly it seems they reference the old OpenPGP spec (RFC 4880, a.k.a. "v4") instead of the newer one (RFC 9580, a.k.a. "v6") which is expected to be extended with PQC any minute now.

Post-Quantum Cryptography in OpenPGP

This document defines a post-quantum public key algorithm extension for the OpenPGP protocol, extending RFC9580. Given the generally assumed threat of a cryptographically relevant quantum computer, this extension provides a basis for long-term secure OpenPGP signatures and ciphertexts. Specifically, it defines composite public key encryption based on ML-KEM (formerly CRYSTALS-Kyber), composite public key signatures based on ML-DSA (formerly CRYSTALS-Dilithium), both in combination with elliptic curve cryptography, and SLH-DSA (formerly SPHINCS+) as a standalone public key signature scheme.

IETF Datatracker
@wiktor @iuvi @daniel I can neither deny nor confirm that work on pqc in PGPainless is underway :P

Haha! :)

By the way, it seems the current PQC draft spec has an escape hatch: there’s one algo that can be used with v4 keys for encryption: https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-pqc-17#section-4.3.2

Of course, support for that would have to be implemented in several clients to be interoperable, but it seems other clients are also looking to replace their existing OpenPGP libraries with something modern: https://github.com/wiktor-k/pysequoia/issues/54#issuecomment-3965522660

@wiktor @vanitasvitae @daniel nice! I'm not good at algorithms, only used the new PQE in the Kleopatra tool (it calls it Kyber, if I'm not wrong)
@iuvi @wiktor @vanitasvitae @daniel the "Kyber" encryption algorithm you mention is a gnupg-specific extension that is unlikely to be implemented by anyone else. All the non-gnupg implementations (including Thunderbird and Proton) will be using the PQ algorithms from the IETF PQC draft that Wiktor linked above. This will cause a lot of pain in the coming years, unfortunately...
@andrewg @iuvi @wiktor @daniel and to add to the confusion, the IETF algorithms (specifically ML-KEM-768, ML-KEM-1024) *are* what was formerly known as CRYSTALS-Kyber.
The main takeaway is that GnuPG does use a different message format than what will be specified by the IETF.