Niels Möller nisse@lysator.liu.se writes:
- Focus on getting post-quantum algorithms into Nettle.
From GnuTLS perspective, it would be helpful if there is support for at least one post-quantum KEM algorithm so it could make the TLS handshake provide quantum safety and forward secrecy (with PSK). Signature algorithms could be done later.
That's my understanding too, that the current main worry is forward secrecy of protocols that use key exchange methods that are vulnerable to an attacker with a quantum computer.
While encryption may be more urgent, it takes a lot of time for algorithms to permeate standards and implementations, and there are long-term support distributions with 10 years of support or more. For example, Red Hat's signing infrastructure is limited to what their oldest supported release can consume.
I asked in 87sf5daacn.fsf@thinkbox for the PQC algorithms that we'll need for the upcoming PQC extensions to OpenPGP. Unfortunately, that mail is not available in the nettle-bugs archive, but can be found here: https://marc.info/?l=nettle-bugs&m=169963043712268&w=2
Since then, the draft has been adopted by the working group, and is available here:
https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/
The set of PQC algorithms has not changed: we need ML-KEM, ML-DSA, and SLH-DSA. The draft dropped KMAC in favor of SHA3 as the key combiner, so we (likely) don't need KMAC anymore.
I have seen the proposed implementation of ML-KEM (big thanks!), but unfortunately didn't have the time to try it out yet. If I do, I'll send feedback.
Best, Justus