On the chopping block:
* ECB (\o/)
* Triple DES (TDEA)
* Finite field DSA (for new signatures)
* ECDSA at strengths lower than 112 bits
* RSA below 2048 bits
* RNGs, HMACs, HKDF, PBKDF and hashes based on SHA1 and the truncated 224-bit SHA-2/3 modes
No big surprises. The 224s are interesting, because folklorically they have value in hash constructions where resistance to length extension is useful. In practice, everyone just uses HMAC anyway.
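Added example, not from any comment in this thread: what "resistance to length extension" means in practice. It reimplements SHA-256 with a resumable state (constants derived the way FIPS 180-4 defines them, cross-checked against hashlib), forges a tag for the naive prefix MAC H(key || msg) without knowing the key, then shows the same replay fails against HMAC and that a SHA-224 tag exposes only 7 of the 8 state words an attacker would need. The key, messages and the `&to=mallory` extension are constructed sample data; the function names are mine.

```python
# Added example (not from the thread): SHA-256 length extension against a
# naive prefix MAC H(key || msg), why HMAC is immune, and why a truncated
# digest such as SHA-224 denies the attacker the state they need.
# The key and messages below are constructed sample data.
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF

def _iroot(n, k):
    """Exact integer floor(n ** (1/k)) by Newton iteration from above."""
    x = 1 << ((n.bit_length() + k - 1) // k)
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y

def _primes(n):
    """First n primes (only needed to derive the SHA-2 constants)."""
    out, c = [], 2
    while len(out) < n:
        if all(c % p for p in out if p * p <= c):
            out.append(c)
        c += 1
    return out

# FIPS 180-4: the round constants are the fractional parts of the cube roots
# of the first 64 primes; the SHA-256 IV is that of the square roots of the
# first 8. SHA-224 uses a different IV and keeps only 7 output words.
_P = _primes(64)
_K = [_iroot(p << 96, 3) & _M for p in _P]
_IV256 = [_iroot(p << 64, 2) & _M for p in _P[:8]]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & _M

def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into an 8-word state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & _M)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & _M
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & _M
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & _M, c, b, a, (t1 + t2) & _M
    return [(x + y) & _M for x, y in zip(state, (a, b, c, d, e, f, g, h))]

def sha256_padding(total_len):
    """Merkle-Damgard padding for a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha256_from_state(state, data, already_absorbed):
    """Resume SHA-256 from a known 8-word state as if `already_absorbed`
    bytes (a multiple of 64) had been hashed before `data`."""
    buf = data + sha256_padding(already_absorbed + len(data))
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack(">8L", *state)

def sha256(data):
    return sha256_from_state(_IV256, data, 0)

def selftest():
    """Cross-check the pure-Python SHA-256 against hashlib around block boundaries."""
    return all(sha256(b"x" * n) == hashlib.sha256(b"x" * n).digest()
               for n in (0, 3, 55, 56, 64, 119, 120, 200))

def prefix_mac(key, msg):
    """The naive construction H(key || msg): vulnerable to length extension."""
    return hashlib.sha256(key + msg).digest()

def forge_prefix_mac(tag, key_len, msg, extension):
    """Attacker knows tag = SHA-256(key||msg), len(key) and msg, but not key.
    A SHA-256 digest *is* the final chaining state, so hashing can resume."""
    state = list(struct.unpack(">8L", tag))
    glue = sha256_padding(key_len + len(msg))   # what the real hash padded with
    forged_msg = msg + glue + extension
    forged_tag = sha256_from_state(state, extension, key_len + len(msg) + len(glue))
    return forged_msg, forged_tag

def demo():
    key = b"constructed-secret-key"            # the attacker never sees this
    msg = b"amount=10&to=alice"
    forged_msg, forged_tag = forge_prefix_mac(prefix_mac(key, msg), len(key), msg, b"&to=mallory")
    prefix_mac_forged = hmac.compare_digest(prefix_mac(key, forged_msg), forged_tag)

    # HMAC = H((K^opad) || H((K^ipad) || msg)): the outer hash's input is the
    # inner digest, not the message, so resuming from the visible tag extends
    # the wrong computation and the verifier rejects the result.
    real = hmac.new(key, msg, hashlib.sha256).digest()
    _, bogus = forge_prefix_mac(real, len(key), msg, b"&to=mallory")
    hmac_forged = hmac.compare_digest(hmac.new(key, forged_msg, hashlib.sha256).digest(), bogus)

    # SHA-224 emits 7 of the 8 state words; the attacker is 32 bits short of
    # a resumable state and would have to brute-force them.
    words_exposed = len(hashlib.sha224(key + msg).digest()) // 4
    return {"prefix_mac_forged": prefix_mac_forged,
            "hmac_forged": hmac_forged,
            "sha224_state_words_exposed": words_exposed}
```

Run `demo()` to see the three outcomes side by side. The forged message carries the glue padding bytes inside it, which is why this attack works against parsers that tolerate embedded NULs and length fields (query strings, many cookie formats) and why HMAC, or a truncated or prefix-free hash, is the fix rather than a stricter parser.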
regarding finally transitioning away from SHA1: about fucking time :D
SPHINCS+ / FIPS 205 should be available soon.
FALCON ...unknown FIPS draft TBA soon.
These are newer quantum resistant algorithms, and should be considered in your future maintenance cycle as they become available in the libraries.
NIST has some of the brightest minds in the world. When they suggest something, then one should probably take the advice very seriously. =3
gnupg 2.4.3
libassuan 2.5.6
libgcrypt 1.10.3
libgpgerror 1.47
libksba 1.6.5
npth 1.6
pinentry 1.2.1
However, the Kyber algorithm was only committed recently in libgcrypt 1.11.0, and will not build on some platforms due to a libassuan 3.0.1 issue.
Do you have additional details on when a working packaged set of dependencies will be available for static .a builds that support Kyber?
Have a great day =3
i.e. the NIST advice to incorporate quantum resistant algorithms shouldn't be taken lightly. For some, transitioning means wrapping a well-tested RSA system in something newer like FIPS 203, 204, or 205.
We live in interesting times for certain, as gnupg with Kyber support has static build failures on some platforms (libassuan 3.0.1 bug). =3
We will be wrapping RSA 2048bit in Kyber in the next few weeks, because planning for the worst and hoping for the best is good policy. =3
Cards on the table, my position on quantum cryptanalysis remains: "Rodents of unusual size? I don't think they exist." It's a very big deal because it's a full employment program for people working on novel asymmetric schemes.
* https://articles.59.ca/doku.php?id=em:20482030
The document specifies that SHA-1 in HMACs is to be entirely disallowed after 2030. That seems like it would cause needless reimplementation of systems with the associated chance of security problems and expense. SHA-1 used in an HMAC is generally known to be secure.
The 2048 deprecation in 2030 seems to be about quantum resistance, not about a move to 4096 bit RSA.
From [0], the source the 112-bit 'security strength' of 2048-bit RSA is ultimately pulled from:
"The comparable security strengths provided below are based on accepted estimates as of the publication of this Recommendation using currently known methods. Advances in factoring algorithms, general discrete-logarithm attacks, elliptic-curve discrete-logarithm attacks, and other algorithmic advances as well as quantum computing may affect these equivalencies in the future. New or improved attacks or technologies may be developed that leave some of the current algorithms completely insecure."
Their recommendation is to switch to 3072-bit RSA or higher by 2031, since that has a 128-bit 'security strength' by their formula. So I don't think this has much to do with quantum resistance: as GP says, no reasonable RSA key size will help much with that.
[0] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.S..., section 5.6.1
[1] https://en.wikipedia.org/wiki/National_Institute_of_Standard...
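Added example, not from any comment in this thread: the classical cost heuristic behind the 'security strength' numbers the comment above cites, worked through for the modulus sizes SP 800-57 tabulates. The formula is the general number field sieve approximation reproduced in the FIPS 140-2 Implementation Guidance (assumption: SP 800-57 itself tabulates 1024/2048/3072/7680/15360 rather than computing them, so the code snaps its estimate to the nearest tabulated level). Function names and the 4096-bit row are mine; nothing here models Shor's algorithm, which is the point the thread makes about quantum resistance.

```python
# Added example (not from the thread): the GNFS running-time heuristic that
# maps an RSA modulus size to a classical "security strength" in bits, and
# the snap-to-table step that turns 110.1 into NIST's 112.
import math

NIST_LEVELS = (80, 112, 128, 192, 256)   # the strength buckets SP 800-57 uses
_LN2 = math.log(2)

def gnfs_strength_bits(modulus_bits):
    """Estimated classical strength of an RSA modulus of modulus_bits bits.

    Work factor for the general number field sieve, with ln n taken as
    modulus_bits * ln 2 and 1.923 ~= (64/9)^(1/3):
        W ~= exp(1.923 * (ln n)^(1/3) * (ln ln n)^(2/3) - 4.69)
    Returned as log2(W). Classical only: Shor's algorithm is polynomial in
    modulus_bits, so no row of this table says anything about a quantum
    adversary (assumption: the FIPS 140-2 IG constants 1.923 and 4.69)."""
    ln_n = modulus_bits * _LN2
    return (1.923 * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) - 4.69) / _LN2

def nist_level(modulus_bits):
    """Snap the estimate to the nearest tabulated NIST strength level."""
    est = gnfs_strength_bits(modulus_bits)
    return min(NIST_LEVELS, key=lambda lvl: abs(lvl - est))

def strength_table(sizes=(1024, 2048, 3072, 4096, 7680, 15360)):
    """{modulus_bits: (raw estimate rounded to 0.1 bit, snapped NIST level)}."""
    return {n: (round(gnfs_strength_bits(n), 1), nist_level(n)) for n in sizes}

def meets_2031_target(modulus_bits, required=128):
    """Does this modulus reach the 128-bit level the comment above says
    NIST wants by 2031? 2048 -> 112 fails; 3072 -> 128 passes."""
    return nist_level(modulus_bits) >= required

if __name__ == "__main__":
    for bits, (est, level) in strength_table().items():
        print(f"RSA-{bits:<6} ~{est:6.1f} bits classical -> NIST level {level}")
```

The raw estimate for 2048 comes out a little under 112 and for 3072 a little over 128; NIST's table rounds both to the conventional levels, which is why the draft treats 2048 as "112-bit" and points at 3072 for 128. Note also that 4096 lands nearer 128 than 192, which is consistent with the comment that the 2030 date is not a nudge toward 4096.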