Network Working Group                                        S. Kousidis
Internet-Draft                                                       BSI
Intended status: Informational                                   J. Roth
Expires: 9 January 2025                                      F. Strenzke
                                                                  MTG AG
                                                              A. Wussler
                                                               Proton AG
                                                             8 July 2024


                  Post-Quantum Cryptography in OpenPGP
                       draft-ietf-openpgp-pqc-04

Abstract

   This document defines a post-quantum public-key algorithm extension
   for the OpenPGP protocol. Given the generally assumed threat of a
   cryptographically relevant quantum computer, this extension provides
   a basis for long-term secure OpenPGP signatures and ciphertexts.
   Specifically, it defines composite public-key encryption based on
   ML-KEM (formerly CRYSTALS-Kyber), composite public-key signatures
   based on ML-DSA (formerly CRYSTALS-Dilithium), both in combination
   with elliptic curve cryptography, and SLH-DSA-SHAKE (formerly
   SPHINCS+) as a standalone public key signature scheme.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-ietf-openpgp-pqc/.

   Discussion of this document takes place on the WG Working Group
   mailing list (mailto:openpgp@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/openpgp/. Subscribe at
   https://www.ietf.org/mailman/listinfo/openpgp/.

   Source for this draft and an issue tracker can be found at
   https://github.com/openpgp-pqc/draft-openpgp-pqc.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

Kousidis, et al.         Expires 9 January 2025                 [Page 1]

Internet-Draft               PQC in OpenPGP                    July 2024

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.
   It is inappropriate to use Internet-Drafts as reference material or
   to cite them other than as "work in progress."

   This Internet-Draft will expire on 9 January 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions used in this Document
       1.1.1.  Terminology for Multi-Algorithm Schemes
     1.2.  Post-Quantum Cryptography
       1.2.1.  ML-KEM
       1.2.2.  ML-DSA
       1.2.3.  SLH-DSA-SHAKE
     1.3.  Elliptic Curve Cryptography
     1.4.  Standalone and Multi-Algorithm Schemes
       1.4.1.  Standalone and Composite Multi-Algorithm Schemes
       1.4.2.  Non-Composite Algorithm Combinations
   2.  Supported Public Key Algorithms
     2.1.  Algorithm Specifications
       2.1.1.  Experimental Codepoints for Interop Testing
   3.  Algorithm Combinations
     3.1.  Composite KEMs
     3.2.  Composite Signatures
     3.3.  Multiple Signatures
     3.4.  ECC requirements
   4.  Composite KEM schemes
     4.1.  Building Blocks
       4.1.1.  ECDH KEMs
       4.1.2.  ML-KEM
     4.2.  Composite Encryption Schemes with ML-KEM
       4.2.1.  Fixed information
       4.2.2.  Key combiner
       4.2.3.  Key generation procedure
       4.2.4.  Encryption procedure
       4.2.5.  Decryption procedure
     4.3.  Packet specifications
       4.3.1.  Public-Key Encrypted Session Key Packets (Tag 1)
       4.3.2.  Key Material Packets
   5.  Composite Signature Schemes
     5.1.  Building blocks
       5.1.1.  EdDSA-Based signatures
       5.1.2.  ML-DSA signatures
     5.2.  Composite Signature Schemes with ML-DSA
       5.2.1.  Signature data digest
       5.2.2.  Key generation procedure
       5.2.3.  Signature Generation
       5.2.4.  Signature Verification
     5.3.  Packet Specifications
       5.3.1.  Signature Packet (Tag 2)
       5.3.2.  Key Material Packets
   6.  SLH-DSA-SHAKE
     6.1.  The SLH-DSA-SHAKE Algorithms
       6.1.1.  Signature Data Digest
       6.1.2.  Key generation
       6.1.3.  Signature Generation
       6.1.4.  Signature Verification
     6.2.  Packet specifications
       6.2.1.  Signature Packet (Tag 2)
       6.2.2.  Key Material Packets
   7.  Notes on Algorithms
     7.1.  Symmetric Algorithms for SEIPD Packets
     7.2.  Hash Algorithms for Key Binding Signatures
   8.  Migration Considerations
     8.1.  Key preference
     8.2.  Key generation strategies
   9.  Security Considerations
     9.1.  Security Aspects of Composite Signatures
     9.2.  Hashing in ECDH-KEM
     9.3.  Key combiner
     9.4.  Domain separation and binding
     9.5.  SLH-DSA-SHAKE Message Randomizer
     9.6.  Binding hashes in signatures with signature algorithms
     9.7.  Symmetric Algorithms for SEIPD Packets
   10. Additional considerations
     10.1.  Performance Considerations for SLH-DSA-SHAKE
   11. IANA Considerations
   12. Changelog
     12.1.  draft-wussler-openpgp-pqc-01
     12.2.  draft-wussler-openpgp-pqc-02
     12.3.  draft-wussler-openpgp-pqc-03
     12.4.  draft-wussler-openpgp-pqc-04
     12.5.  draft-ietf-openpgp-pqc-00
     12.6.  draft-ietf-openpgp-pqc-01
     12.7.  draft-ietf-openpgp-pqc-02
     12.8.  draft-ietf-openpgp-pqc-03
     12.9.  draft-ietf-openpgp-pqc-04
   13. Contributors
   14. References
     14.1.  Normative References
     14.2.  Informative References
   Appendix A.  Test Vectors
     A.1.  Sample v6 PQC Subkey Artifacts
     A.2.  V4 PQC Subkey Artifacts
   Acknowledgments
   Authors' Addresses

1.  Introduction

   The OpenPGP protocol supports various traditional public-key
   algorithms based on the factoring or discrete logarithm problem. As
   the security of algorithms based on these mathematical problems is
   endangered by the advent of quantum computers, there is a need to
   extend OpenPGP by algorithms that remain secure in the presence of
   quantum computers.

   Such cryptographic algorithms are referred to as post-quantum
   cryptography. The algorithms defined in this extension were chosen
   for standardization by the National Institute of Standards and
   Technology (NIST) in mid 2022 [NISTIR-8413] as the result of the NIST
   Post-Quantum Cryptography Standardization process initiated in 2016
   [NIST-PQC]. Namely, these are ML-KEM [FIPS-203] as a Key
   Encapsulation Mechanism (KEM), a KEM being a modern building block
   for public-key encryption, and ML-DSA [FIPS-204] as well as
   SLH-DSA-SHAKE [FIPS-205] as signature schemes.

   For the two ML-* schemes, this document follows the conservative
   strategy to deploy post-quantum in combination with traditional
   schemes such that the security is retained even if all schemes but
   one in the combination are broken.
   In contrast, the stateless hash-based signature scheme SLH-DSA-SHAKE
   is considered to be sufficiently well understood with respect to its
   security assumptions in order to be used standalone. To this end,
   this document specifies the following new set: SLH-DSA-SHAKE
   standalone and the two ML-* as composite with ECC-based KEM and
   digital signature schemes. Here, the term "composite" indicates that
   any data structure or algorithm pertaining to the combination of the
   two components appears as a single data structure or algorithm from
   the protocol perspective.

   The document specifies the conventions for interoperability between
   compliant OpenPGP implementations that make use of this extension and
   the newly defined algorithms or algorithm combinations.

1.1.  Conventions used in this Document

1.1.1.  Terminology for Multi-Algorithm Schemes

   The terminology in this document is oriented towards the definitions
   in [I-D.ietf-pquip-pqt-hybrid-terminology]. Specifically, the terms
   "multi-algorithm", "composite" and "non-composite" are used in
   correspondence with the definitions therein. The abbreviation "PQ"
   is used for post-quantum schemes. To denote the combination of
   post-quantum and traditional schemes, the abbreviation "PQ/T" is
   used. The short form "PQ(/T)" stands for PQ or PQ/T.

1.2.  Post-Quantum Cryptography

   This section describes the individual post-quantum cryptographic
   schemes. All schemes listed here are believed to provide security in
   the presence of a cryptographically relevant quantum computer.
   However, the mathematical problems on which the two ML-* schemes and
   SLH-DSA-SHAKE are based are fundamentally different, and accordingly
   the level of trust commonly placed in them as well as their
   performance characteristics vary.

   [Note to the reader: This specification refers to the NIST PQC draft
   standards FIPS 203, FIPS 204, and FIPS 205 as if they were a final
   specification.
   This is a temporary solution until the final versions of these
   documents are available. The goal is to provide a sufficiently
   precise specification of the algorithms already at the draft stage of
   this specification, so that it is possible for implementers to create
   interoperable implementations. Furthermore, we want to point out
   that, depending on possible future changes to the draft standards by
   NIST, this specification may be updated as soon as corresponding
   information becomes available.]

1.2.1.  ML-KEM

   ML-KEM [FIPS-203] is based on the hardness of solving the Learning
   with Errors problem in module lattices (MLWE). The scheme is
   believed to provide security against cryptanalytic attacks by
   classical as well as quantum computers. This specification defines
   ML-KEM only in composite combination with ECDH encryption schemes in
   order to provide a pre-quantum security fallback.

1.2.2.  ML-DSA

   ML-DSA [FIPS-204] is a signature scheme that, like ML-KEM, is based
   on the hardness of solving the Learning With Errors problem and a
   variant of the Short Integer Solution problem in module lattices
   (MLWE and SelfTargetMSIS). Accordingly, this specification only
   defines ML-DSA in composite combination with EdDSA signature schemes.

1.2.3.  SLH-DSA-SHAKE

   SLH-DSA-SHAKE [FIPS-205] is a stateless hash-based signature scheme.
   Its security relies on the hardness of finding preimages for
   cryptographic hash functions. This feature is generally considered
   to be a high security guarantee. Therefore, this specification
   defines SLH-DSA-SHAKE as a standalone signature scheme.

   In deployments the performance characteristics of SLH-DSA-SHAKE
   should be taken into account. We refer to Section 10.1 for a
   discussion of the performance characteristics of this scheme.

1.3.  Elliptic Curve Cryptography

   The ECDH encryption is defined here as a KEM.
   Curve25519 and Curve448 are defined in [RFC7748] for use in a
   Diffie-Hellman key agreement scheme and defined in [RFC8032] for use
   in a digital signature scheme.

1.4.  Standalone and Multi-Algorithm Schemes

   This section provides a categorization of the new algorithms and
   their combinations.

1.4.1.  Standalone and Composite Multi-Algorithm Schemes

   This specification introduces new cryptographic schemes, which can be
   categorized as follows:

   *  PQ/T multi-algorithm public-key encryption, namely a composite
      combination of ML-KEM with an ECDH KEM,

   *  PQ/T multi-algorithm digital signature, namely composite
      combinations of ML-DSA with EdDSA signature schemes,

   *  PQ digital signature, namely SLH-DSA-SHAKE as a standalone
      cryptographic algorithm.

   For each of the composite schemes, this specification mandates that
   the consuming party has to successfully perform the cryptographic
   algorithms for each of the component schemes used in a cryptographic
   message, in order for the message to be deciphered and considered as
   valid. This means that all component signatures must be verified
   successfully in order to achieve a successful verification of the
   composite signature. In the case of the composite public-key
   decryption, each of the component KEM decapsulation operations must
   succeed.

1.4.2.  Non-Composite Algorithm Combinations

   As the OpenPGP protocol [I-D.ietf-openpgp-crypto-refresh] allows for
   multiple signatures to be applied to a single message, it is also
   possible to realize non-composite combinations of signatures.
   Furthermore, multiple OpenPGP signatures may be combined on the
   application layer. These latter two cases realize non-composite
   combinations of signatures. Section 3.3 specifies how
   implementations should handle the verification of such combinations
   of signatures.

   Furthermore, the OpenPGP protocol also allows parallel encryption to
   different keys by using multiple PKESK packets, thus realizing
   non-composite multi-algorithm public-key encryption.

2.  Supported Public Key Algorithms

   This section specifies the composite ML-KEM + ECDH and ML-DSA + EdDSA
   schemes as well as the standalone SLH-DSA-SHAKE signature scheme.
   All of these schemes are fully specified via their algorithm ID,
   i.e., they are not parametrized.

2.1.  Algorithm Specifications

   For encryption, the following composite KEM schemes are specified:

   +==============+===================+=============+============+
   | ID           | Algorithm         | Requirement | Definition |
   +==============+===================+=============+============+
   | TBD (105 for | ML-KEM-768+X25519 | MUST        | Section    |
   | testing)     |                   |             | 4.2        |
   +--------------+-------------------+-------------+------------+
   | TBD (106 for | ML-KEM-1024+X448  | SHOULD      | Section    |
   | testing)     |                   |             | 4.2        |
   +--------------+-------------------+-------------+------------+

                Table 1: KEM algorithm specifications

   For signatures, the following (composite) signature schemes are
   specified:

   +==============+====================+=============+============+
   | ID           | Algorithm          | Requirement | Definition |
   +==============+====================+=============+============+
   | TBD (107 for | ML-DSA-65+Ed25519  | MUST        | Section    |
   | testing)     |                    |             | 5.2        |
   +--------------+--------------------+-------------+------------+
   | TBD (108 for | ML-DSA-87+Ed448    | SHOULD      | Section    |
   | testing)     |                    |             | 5.2        |
   +--------------+--------------------+-------------+------------+
   | TBD          | SLH-DSA-SHAKE-128s | MAY         | Section    |
   |              |                    |             | 6.1        |
   +--------------+--------------------+-------------+------------+
   | TBD          | SLH-DSA-SHAKE-128f | MAY         | Section    |
   |              |                    |             | 6.1        |
   +--------------+--------------------+-------------+------------+
   | TBD          | SLH-DSA-SHAKE-256s | MAY         | Section    |
   |              |                    |             | 6.1        |
   +--------------+--------------------+-------------+------------+

             Table 2: Signature algorithm specifications

2.1.1.  Experimental Codepoints for Interop Testing

   [ Note: this section to be removed before publication ]

   Algorithms indicated as MAY are not assigned a codepoint in the
   current state of the draft in order to leave enough
   private/experimental code points available for other drafts.

   Private/experimental codepoints used during development are intended
   to be used in non-released software only, for experimentation and
   interop testing purposes only. An OpenPGP implementation MUST NOT
   produce a formal release using these experimental codepoints. This
   draft will not be sent to IANA without every listed algorithm having
   a non-experimental codepoint.

3.  Algorithm Combinations

3.1.  Composite KEMs

   The ML-KEM + ECDH public-key encryption involves both the ML-KEM and
   an ECDH KEM in an a priori non-separable manner. This is achieved
   via KEM combination, i.e. both key encapsulations/decapsulations are
   performed in parallel, and the resulting key shares are fed into a
   key combiner to produce a single shared secret for message
   encryption.

   As explained in Section 1.4.2, the OpenPGP protocol inherently
   supports parallel encryption to different keys. Note that the
   confidentiality of a message is not post-quantum secure when
   encrypting to different keys if at least one key does not support
   PQ/T encryption schemes. Section 8.1 explains how to deal with
   multiple key scenarios.

3.2.  Composite Signatures

   The ML-DSA + EdDSA signature consists of independent ML-DSA and EdDSA
   signatures, and an implementation MUST successfully validate both
   signatures to state that the ML-DSA + EdDSA signature is valid.

3.3.  Multiple Signatures

   The OpenPGP message format allows multiple signatures of a message,
   i.e. the attachment of multiple signature packets.
   An implementation MAY sign a message with a traditional key and a
   PQ(/T) key from the same sender. This ensures backwards
   compatibility due to [I-D.ietf-openpgp-crypto-refresh],
   Section 5.2.5, since a legacy implementation without PQ(/T) support
   can fall back on the traditional signature.

   Newer implementations with PQ(/T) support MAY ignore the traditional
   signature(s) during validation.

   Implementations SHOULD consider the message correctly signed if at
   least one of the non-ignored signatures validates successfully.

   [Note to the reader: The last requirement, that one valid signature
   is sufficient to identify a message as correctly signed, is an
   interpretation of [I-D.ietf-openpgp-crypto-refresh], Section 5.2.5.]

3.4.  ECC requirements

   Even though the zero point, also called the point at infinity, may
   occur as a result of arithmetic operations on points of an elliptic
   curve, it MUST NOT appear in any ECC data structure defined in this
   document.

   Furthermore, when performing the explicitly listed operations in
   Section 4.1.1.1 or Section 4.1.1.2 it is REQUIRED to follow the
   specification and security advisory mandated from the respective
   elliptic curve specification.

4.  Composite KEM schemes

4.1.  Building Blocks

4.1.1.  ECDH KEMs

   In this section we define the encryption, decryption, and data
   formats for the ECDH component of the composite algorithms.

   Table 3 describes the ECDH-KEM parameters and artifact lengths. The
   artifacts in Table 3 follow the encodings described in [RFC7748].

   +========================+=======================+==================+
   |                        | X25519                | X448             |
   +========================+=======================+==================+
   | Algorithm ID reference | TBD (105 for          | TBD (106 for     |
   |                        | testing)              | testing)         |
   +------------------------+-----------------------+------------------+
   | Field size             | 32 octets             | 56 octets        |
   +------------------------+-----------------------+------------------+
   | ECDH-KEM               | x25519Kem             | x448Kem (Section |
   |                        | (Section 4.1.1.1)     | 4.1.1.2)         |
   +------------------------+-----------------------+------------------+
   | ECDH public key        | 32 octets             | 56 octets        |
   |                        | [RFC7748]             | [RFC7748]        |
   +------------------------+-----------------------+------------------+
   | ECDH secret key        | 32 octets             | 56 octets        |
   |                        | [RFC7748]             | [RFC7748]        |
   +------------------------+-----------------------+------------------+
   | ECDH ephemeral         | 32 octets             | 56 octets        |
   |                        | [RFC7748]             | [RFC7748]        |
   +------------------------+-----------------------+------------------+
   | ECDH share             | 32 octets             | 56 octets        |
   |                        | [RFC7748]             | [RFC7748]        |
   +------------------------+-----------------------+------------------+
   | Key share              | 32 octets             | 64 octets        |
   +------------------------+-----------------------+------------------+
   | Hash                   | SHA3-256              | SHA3-512         |
   +------------------------+-----------------------+------------------+

      Table 3: Montgomery curves parameters and artifact lengths

   The various procedures to perform the operations of an ECDH KEM are
   defined in the following subsections. Specifically, each of these
   subsections defines the instances of the following operations:

   (ecdhCipherText, ecdhKeyShare) <- ECDH-KEM.Encaps(ecdhPublicKey)

   and

   (ecdhKeyShare) <- ECDH-KEM.Decaps(ecdhSecretKey, ecdhCipherText,
                                     ecdhPublicKey)

   To instantiate ECDH-KEM, one must select a parameter set from
   Table 3.

4.1.1.1.  X25519-KEM

   The encapsulation and decapsulation operations of x25519Kem are
   described using the function X25519() and encodings defined in
   [RFC7748]. The ecdhSecretKey is denoted as r, the ecdhPublicKey as
   R, they are subject to the equation R = X25519(r, U(P)). Here, U(P)
   denotes the u-coordinate of the base point of Curve25519.

   The operation x25519Kem.Encaps() is defined as follows:

   1.  Generate an ephemeral key pair {v, V} via V = X25519(v,U(P))
       where v is a randomly generated octet string with a length of 32
       octets

   2.  Compute the shared coordinate X = X25519(v, R) where R is the
       recipient's public key ecdhPublicKey

   3.  Set the output ecdhCipherText to V

   4.  Set the output ecdhKeyShare to SHA3-256(X || ecdhCipherText ||
       ecdhPublicKey)

   The operation x25519Kem.Decaps() is defined as follows:

   1.  Compute the shared coordinate X = X25519(r, V), where r is the
       ecdhSecretKey and V is the ecdhCipherText

   2.  Set the output ecdhKeyShare to SHA3-256(X || ecdhCipherText ||
       ecdhPublicKey)

4.1.1.2.  X448-KEM

   The encapsulation and decapsulation operations of x448Kem are
   described using the function X448() and encodings defined in
   [RFC7748]. The ecdhSecretKey is denoted as r, the ecdhPublicKey as
   R, they are subject to the equation R = X448(r, U(P)). Here, U(P)
   denotes the u-coordinate of the base point of Curve448.

   The operation x448Kem.Encaps() is defined as follows:

   1.  Generate an ephemeral key pair {v, V} via V = X448(v,U(P)) where
       v is a randomly generated octet string with a length of 56 octets

   2.  Compute the shared coordinate X = X448(v, R) where R is the
       recipient's public key ecdhPublicKey

   3.  Set the output ecdhCipherText to V

   4.  Set the output ecdhKeyShare to SHA3-512(X || ecdhCipherText ||
       ecdhPublicKey)

   The operation x448Kem.Decaps() is defined as follows:

   1.  Compute the shared coordinate X = X448(r, V), where r is the
       ecdhSecretKey and V is the ecdhCipherText

   2.  Set the output ecdhKeyShare to SHA3-512(X || ecdhCipherText ||
       ecdhPublicKey)

4.1.2.  ML-KEM

   ML-KEM features the following operations:

   (mlkemCipherText, mlkemKeyShare) <- ML-KEM.Encaps(mlkemPublicKey)

   and

   (mlkemKeyShare) <- ML-KEM.Decaps(mlkemCipherText, mlkemSecretKey)

   The above are the operations ML-KEM.Encaps and ML-KEM.Decaps defined
   in [FIPS-203]. Note that mlkemPublicKey is the encapsulation and
   mlkemSecretKey is the decapsulation key.

   ML-KEM has the parametrization with the corresponding artifact
   lengths in octets as given in Table 4. All artifacts are encoded as
   defined in [FIPS-203].

   +==============+=============+========+========+============+=======+
   | Algorithm    | ML-KEM      | Public | Secret | Ciphertext | Key   |
   | ID           |             | key    | key    |            | share |
   | reference    |             |        |        |            |       |
   +==============+=============+========+========+============+=======+
   | TBD (105     | ML-KEM-768  | 1184   | 2400   | 1088       | 32    |
   | for          |             |        |        |            |       |
   | testing)     |             |        |        |            |       |
   +--------------+-------------+--------+--------+------------+-------+
   | TBD (106     | ML-KEM-1024 | 1568   | 3168   | 1568       | 32    |
   | for          |             |        |        |            |       |
   | testing)     |             |        |        |            |       |
   +--------------+-------------+--------+--------+------------+-------+

         Table 4: ML-KEM parameters artifact lengths in octets

   To instantiate ML-KEM, one must select a parameter set from the
   column "ML-KEM" of Table 4.

   The procedure to perform ML-KEM.Encaps() is as follows:

   1.  Invoke (mlkemCipherText, mlkemKeyShare) <-
       ML-KEM.Encaps(mlkemPublicKey), where mlkemPublicKey is the
       recipient's public key

   2.  Set mlkemCipherText as the ML-KEM ciphertext

   3.  Set mlkemKeyShare as the ML-KEM symmetric key share

   The procedure to perform ML-KEM.Decaps() is as follows:

   1.  Invoke mlkemKeyShare <- ML-KEM.Decaps(mlkemCipherText,
       mlkemSecretKey)

   2.  Set mlkemKeyShare as the ML-KEM symmetric key share

4.2.  Composite Encryption Schemes with ML-KEM

   Table 1 specifies the following ML-KEM + ECDH composite public-key
   encryption schemes:

   +========================+=============+===========+
   | Algorithm ID reference | ML-KEM      | ECDH-KEM  |
   +========================+=============+===========+
   | TBD (105 for testing)  | ML-KEM-768  | x25519Kem |
   +------------------------+-------------+-----------+
   | TBD (106 for testing)  | ML-KEM-1024 | x448Kem   |
   +------------------------+-------------+-----------+

            Table 5: ML-KEM + ECDH composite schemes

   The ML-KEM + ECDH composite public-key encryption schemes are built
   according to the following principal design:

   *  The ML-KEM encapsulation algorithm is invoked to create an ML-KEM
      ciphertext together with an ML-KEM symmetric key share.

   *  The encapsulation algorithm of an ECDH KEM, namely X25519-KEM or
      X448-KEM, is invoked to create an ECDH ciphertext together with an
      ECDH symmetric key share.

   *  A Key-Encryption-Key (KEK) is computed as the output of a key
      combiner that receives as input both of the above created
      symmetric key shares and the protocol binding information.

   *  The session key for content encryption is then wrapped as
      described in [RFC3394] using AES-256 as algorithm and the KEK as
      key.

   *  The PKESK packet's algorithm-specific parts are made up of the
      ML-KEM ciphertext, the ECDH ciphertext, and the wrapped session
      key.

4.2.1.  Fixed information

   For the composite KEM schemes defined in Table 1 the following
   procedure, justified in Section 9.4, MUST be used to derive a string
   to use as binding between the KEK and the communication parties.

   //   Input:
   //   algID     - the algorithm ID encoded as octet
   //
   //   Constants:
   //   domSeparation - the UTF-8 encoding of the string
   //                   "OpenPGPCompositeKDFv1"

   fixedInfo = algID || domSeparation

   The value of domSeparation is the UTF-8 encoding of the string
   "OpenPGPCompositeKDFv1" and MUST be the following octet sequence:

   domSeparation := 4F 70 65 6E 50 47 50 43 6F 6D 70
                    6F 73 69 74 65 4B 44 46 76 31

4.2.2.  Key combiner

   For the composite KEM schemes defined in Table 1 the following
   procedure MUST be used to compute the KEK that wraps a session key.
   The construction is a one-step key derivation function compliant to
   [SP800-56C], Section 4, based on SHA3-256. It is given by the
   following algorithm, which computes the key encryption key KEK that
   is used to wrap, i.e., encrypt, the session key.

   [Note to the reader: the key combiner defined in the current version
   of this draft is not actually compliant to [SP800-56C], since the
   NIST standard requires that the shared secret is fed to the KDF first
   whereas the combiner defined here feeds the key shares of the two
   component schemes, which together form the shared secret, in two
   parts with public information in between. The combiner will be
   reworked to fix this defect. The change is planned to be integrated
   prior to IETF 121.]

   //   multiKeyCombine(ecdhKeyShare, ecdhCipherText, ecdhPublicKey,
   //                   mlkemKeyShare, mlkemCipherText, mlkemPublicKey,
   //                   fixedInfo)
   //
   //   Input:
   //   ecdhKeyShare    - the ECDH key share encoded as an octet string
   //   ecdhCipherText  - the ECDH ciphertext encoded as an octet string
   //   ecdhPublicKey   - The ECDH public key of the recipient as an
   //                     octet string
   //   mlkemKeyShare   - the ML-KEM key share encoded as an octet string
   //   mlkemCipherText - the ML-KEM ciphertext encoded as an octet
   //                     string
   //   mlkemPublicKey  - The ML-KEM public key of the recipient as an
   //                     octet string
   //   fixedInfo       - the fixed information octet string
   //
   //   Constants:
   //   counter - the 4 byte value 00 00 00 01

   ecdhData = ecdhKeyShare || ecdhCipherText || ecdhPublicKey
   mlkemData = mlkemKeyShare || mlkemCipherText || mlkemPublicKey

   KEK = SHA3-256(counter || ecdhData || mlkemData || fixedInfo)
   return KEK

   Note that the values ecdhKeyShare defined in Section 4.1.1 and
   mlkemKeyShare defined in Section 4.1.2 already use the relative
   ciphertext in the derivation. The ciphertext and public keys are by
   design included again in the key combiner to provide a robust
   security proof.

   The value of counter MUST be set to the following octet sequence:

   counter := 00 00 00 01

   The value of fixedInfo MUST be set according to Section 4.2.1.

4.2.3.  Key generation procedure

   The implementation MUST independently generate the ML-KEM and the
   ECDH component keys. ML-KEM key generation follows the specification
   [FIPS-203] and the artifacts are encoded as fixed-length octet
   strings as defined in Section 4.1.2. For ECDH this is done following
   the relative specification in [RFC7748], and encoding the outputs as
   fixed-length octet strings in the format specified in Table 3.

4.2.4.  Encryption procedure

   The procedure to perform public-key encryption with an ML-KEM + ECDH
   composite scheme is as follows:


1.  Take the recipient's authenticated public-key packet pkComposite and sessionKey as input

2.  Parse the algorithm ID from pkComposite

3.  Extract the ecdhPublicKey and mlkemPublicKey component from the algorithm specific data encoded in pkComposite with the format specified in Section 4.3.2.

4.  Instantiate the ECDH-KEM and the ML-KEM depending on the algorithm ID according to Table 5

5.  Compute (ecdhCipherText, ecdhKeyShare) := ECDH-KEM.Encaps(ecdhPublicKey)

6.  Compute (mlkemCipherText, mlkemKeyShare) := ML-KEM.Encaps(mlkemPublicKey)

7.  Compute fixedInfo as specified in Section 4.2.1

8.  Compute KEK := multiKeyCombine(ecdhKeyShare, ecdhCipherText, ecdhPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey, fixedInfo) as defined in Section 4.2.2

9.  Compute C := AESKeyWrap(KEK, sessionKey) with AES-256 as per [RFC3394] that includes a 64 bit integrity check

10. Output the algorithm specific part of the PKESK as ecdhCipherText || mlkemCipherText || len(C, symAlgId) (|| symAlgId) || C, where both symAlgId and len(C, symAlgId) are single octet fields, symAlgId denotes the symmetric algorithm ID used and is present only for a v3 PKESK, and len(C, symAlgId) denotes the combined octet length of the fields specified as the arguments.

4.2.5.  Decryption procedure

The procedure to perform public-key decryption with an ML-KEM + ECDH composite scheme is as follows:

1.  Take the matching PKESK and own secret key packet as input

2.  From the PKESK extract the algorithm ID and the encryptedKey, i.e., the wrapped session key

3.  Check that the own and the extracted algorithm ID match

4.  Parse the ecdhSecretKey and mlkemSecretKey from the algorithm specific data of the own secret key encoded in the format specified in Section 4.3.2

5.  Instantiate the ECDH-KEM and the ML-KEM depending on the algorithm ID according to Table 5

6.  Parse ecdhCipherText, mlkemCipherText, and C from encryptedKey encoded as ecdhCipherText || mlkemCipherText || len(C,symAlgId) (|| symAlgId) || C as specified in Section 4.3.1, where symAlgId is present only in the case of a v3 PKESK.

7.  Compute (ecdhKeyShare) := ECDH-KEM.Decaps(ecdhCipherText, ecdhSecretKey, ecdhPublicKey)

8.  Compute (mlkemKeyShare) := ML-KEM.Decaps(mlkemCipherText, mlkemSecretKey)

9.  Compute fixedInfo as specified in Section 4.2.1

10. Compute KEK := multiKeyCombine(ecdhKeyShare, ecdhCipherText, ecdhPublicKey, mlkemKeyShare, mlkemCipherText, mlkemPublicKey, fixedInfo) as defined in Section 4.2.2

11. Compute sessionKey := AESKeyUnwrap(KEK, C) with AES-256 as per [RFC3394], aborting if the 64 bit integrity check fails

12. Output sessionKey

4.3.  Packet specifications

4.3.1.  Public-Key Encrypted Session Key Packets (Tag 1)

The algorithm-specific fields consist of the output of the encryption procedure described in Section 4.2.4:

*  A fixed-length octet string representing an ECDH ephemeral public key in the format associated with the curve as specified in Section 4.1.1.

*  A fixed-length octet string of the ML-KEM ciphertext, whose length depends on the algorithm ID as specified in Table 4.

*  A one-octet size of the following fields.

*  Only in the case of a v3 PKESK packet: a one-octet symmetric algorithm identifier.

*  The wrapped session key represented as an octet string.

Note that like in the case of the algorithms X25519 and X448 specified in [I-D.ietf-openpgp-crypto-refresh], for the ML-KEM composite schemes, in the case of a v3 PKESK packet, the symmetric algorithm identifier is not encrypted. Instead, it is placed in plaintext after the mlkemCipherText and before the length octet preceding the wrapped session key.

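The following Python example is added here and is not part of the draft or its authors' code. It parses the algorithm-specific PKESK fields in the order given in step 10 of Section 4.2.4, applies the v3 PKESK constraints of Section 4.3.1, and computes fixedInfo and the KEK as currently defined in Sections 4.2.1 and 4.2.2 (which the draft says will be reworked). The function names, the 0xFF algorithm ID placeholder and all sample octets are assumptions constructed for the illustration; the Decaps and AESKeyUnwrap operations are not implemented and their outputs are represented by fixed bytes.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

DOM_SEPARATION = b"OpenPGPCompositeKDFv1"   # Section 4.2.1
COUNTER = bytes.fromhex("00000001")         # Section 4.2.2

# Scheme name -> (ECDH ciphertext octets, ML-KEM ciphertext octets), per Table 11.
CT_LENGTHS = {
    "ML-KEM-768+X25519": (32, 1088),
    "ML-KEM-1024+X448": (56, 1568),
}
# Symmetric algorithm IDs permitted in a v3 PKESK -> AES key length in octets.
AES_KEY_LEN = {7: 16, 8: 24, 9: 32}


class PKESKError(ValueError):
    """Raised when the algorithm-specific PKESK fields are malformed."""


@dataclass(frozen=True)
class PKESKFields:
    ecdh_ct: bytes
    mlkem_ct: bytes
    sym_alg_id: Optional[int]   # None unless this is a v3 PKESK
    wrapped_key: bytes          # C, the AES-256 key-wrap output


def parse_pkesk_fields(scheme: str, version: int, data: bytes) -> PKESKFields:
    """Split ecdhCipherText || mlkemCipherText || len || [symAlgId] || C."""
    if scheme not in CT_LENGTHS:
        raise PKESKError("unknown composite KEM scheme")
    if version not in (3, 6):
        raise PKESKError("unsupported PKESK version")
    ecdh_len, mlkem_len = CT_LENGTHS[scheme]
    fixed = ecdh_len + mlkem_len
    if len(data) < fixed + 1:
        raise PKESKError("truncated ciphertexts or missing length octet")
    ecdh_ct, mlkem_ct = data[:ecdh_len], data[ecdh_len:fixed]
    rest = data[fixed + 1:]
    # The length octet covers symAlgId (if present) plus C, nothing more.
    if data[fixed] != len(rest):
        raise PKESKError("length octet does not match the remaining octets")
    sym_alg_id = None
    if version == 3:
        if not rest:
            raise PKESKError("v3 PKESK without symmetric algorithm ID")
        sym_alg_id, rest = rest[0], rest[1:]
        if sym_alg_id not in AES_KEY_LEN:
            raise PKESKError("v3 PKESK must name AES-128, AES-192 or AES-256")
    # RFC 3394 output is a multiple of 8 octets and at least 24 octets long.
    if len(rest) < 24 or len(rest) % 8 != 0:
        raise PKESKError("wrapped key is not a valid RFC 3394 length")
    return PKESKFields(ecdh_ct, mlkem_ct, sym_alg_id, rest)


def fixed_info(alg_id: int) -> bytes:
    """fixedInfo = algID || domSeparation (Section 4.2.1)."""
    return bytes([alg_id]) + DOM_SEPARATION


def multi_key_combine(ecdh_ks, ecdh_ct, ecdh_pk, mlkem_ks, mlkem_ct, mlkem_pk, info):
    """KEK = SHA3-256(counter || ecdhData || mlkemData || fixedInfo)."""
    ecdh_data = ecdh_ks + ecdh_ct + ecdh_pk
    mlkem_data = mlkem_ks + mlkem_ct + mlkem_pk
    return hashlib.sha3_256(COUNTER + ecdh_data + mlkem_data + info).digest()


def check_unwrapped_key(fields: PKESKFields, session_key: bytes) -> bytes:
    """v3 only: the unwrapped key length must match symAlgId, else abort."""
    if fields.sym_alg_id is not None:
        if len(session_key) != AES_KEY_LEN[fields.sym_alg_id]:
            raise PKESKError("session key length does not match symAlgId")
    return session_key


# --- Constructed sample data (not test vectors from the draft) ---
PLACEHOLDER_ALG_ID = 0xFF   # placeholder: the draft lists the real ID as TBD


def build_sample(version: int = 3, sym_alg_id: int = 9, wrapped_len: int = 40) -> bytes:
    """Assemble a syntactically valid ML-KEM-768+X25519 field string."""
    tail = (bytes([sym_alg_id]) if version == 3 else b"") + b"\xC3" * wrapped_len
    return b"\xA1" * 32 + b"\xB2" * 1088 + bytes([len(tail)]) + tail


def derive_sample_kek(data: bytes, version: int = 3) -> bytes:
    """Steps 6, 9 and 10 of the decryption procedure on constructed inputs."""
    f = parse_pkesk_fields("ML-KEM-768+X25519", version, data)
    ecdh_ks, mlkem_ks = b"\x11" * 32, b"\x22" * 32     # stand-ins for Decaps output
    ecdh_pk, mlkem_pk = b"\x33" * 32, b"\x44" * 1184   # stand-in recipient keys
    return multi_key_combine(ecdh_ks, f.ecdh_ct, ecdh_pk,
                             mlkem_ks, f.mlkem_ct, mlkem_pk,
                             fixed_info(PLACEHOLDER_ALG_ID))


if __name__ == "__main__":
    print(derive_sample_kek(build_sample()).hex())
```
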
In the case of v3 PKESK packets for ML-KEM composite schemes, the symmetric algorithm used MUST be AES-128, AES-192 or AES-256 (algorithm ID 7, 8 or 9).

In the case of a v3 PKESK, a receiving implementation MUST check if the length of the unwrapped symmetric key matches the symmetric algorithm identifier, and abort if this is not the case.

Implementations MUST NOT use the obsolete Symmetrically Encrypted Data packet (tag 9) to encrypt data protected with the algorithms described in this document.

4.3.2.  Key Material Packets

The algorithm-specific public key is this series of values:

*  A fixed-length octet string representing an EC point public key, in the point format associated with the curve specified in Section 4.1.1.

*  A fixed-length octet string containing the ML-KEM public key, whose length depends on the algorithm ID as specified in Table 4.

The algorithm-specific secret key is these two values:

*  A fixed-length octet string of the encoded secret scalar, whose encoding and length depend on the algorithm ID as specified in Section 4.1.1.

*  A fixed-length octet string containing the ML-KEM secret key, whose length depends on the algorithm ID as specified in Table 4.

5.  Composite Signature Schemes

5.1.  Building blocks

5.1.1.  EdDSA-Based signatures

To sign and verify with EdDSA the following operations are defined:

    (eddsaSignature) <- EdDSA.Sign(eddsaSecretKey, dataDigest)

and

    (verified) <- EdDSA.Verify(eddsaPublicKey, eddsaSignature, dataDigest)

The public and secret key, as well as the signature MUST be encoded according to [RFC8032] as fixed-length octet strings.

The following table describes the EdDSA parameters and artifact lengths:

+==============+=========+=======+========+========+===========+
| Algorithm ID | Curve   | Field | Public | Secret | Signature |
| reference    |         | size  | key    | key    |           |
+==============+=========+=======+========+========+===========+
| TBD (107 for | Ed25519 | 32    | 32     | 32     | 64        |
| testing)     |         |       |        |        |           |
+--------------+---------+-------+--------+--------+-----------+
| TBD (108 for | Ed448   | 57    | 57     | 57     | 114       |
| testing)     |         |       |        |        |           |
+--------------+---------+-------+--------+--------+-----------+

    Table 6: EdDSA parameters and artifact lengths in octets

5.1.2.  ML-DSA signatures

For ML-DSA signature generation the default hedged version of ML-DSA.Sign given in [FIPS-204] is used. That is, to sign with ML-DSA the following operation is defined:

    (mldsaSignature) <- ML-DSA.Sign(mldsaSecretKey, dataDigest)

For ML-DSA signature verification the algorithm ML-DSA.Verify given in [FIPS-204] is used. That is, to verify with ML-DSA the following operation is defined:

    (verified) <- ML-DSA.Verify(mldsaPublicKey, dataDigest, mldsaSignature)

ML-DSA has the parametrization with the corresponding artifact lengths in octets as given in Table 7. All artifacts are encoded as defined in [FIPS-204].

+========================+===========+========+========+===========+
| Algorithm ID reference | ML-DSA    | Public | Secret | Signature |
|                        |           | key    | key    | value     |
+========================+===========+========+========+===========+
| TBD (107 for testing)  | ML-DSA-65 | 1952   | 4032   | 3309      |
+------------------------+-----------+--------+--------+-----------+
| TBD (108 for testing)  | ML-DSA-87 | 2592   | 4896   | 4627      |
+------------------------+-----------+--------+--------+-----------+

    Table 7: ML-DSA parameters and artifact lengths in octets

5.2.  Composite Signature Schemes with ML-DSA

5.2.1.  Signature data digest

Signature data (i.e. the data to be signed) is digested prior to signing operations, see [I-D.ietf-openpgp-crypto-refresh], Section 5.2.4. Composite ML-DSA + EdDSA signatures MUST use the associated hash algorithm as specified in Table 8 for the signature data digest. Signatures using other hash algorithms MUST be considered invalid.

An implementation supporting a specific ML-DSA + EdDSA algorithm MUST also support the matching hash algorithm.

+========================+===============+===============+
| Algorithm ID reference | Hash function | Hash function |
|                        |               | ID reference  |
+========================+===============+===============+
| TBD (107 for testing)  | SHA3-256      | 12            |
+------------------------+---------------+---------------+
| TBD (108 for testing)  | SHA3-512      | 14            |
+------------------------+---------------+---------------+

    Table 8: Binding between ML-DSA + EdDSA and signature data digest

5.2.2.  Key generation procedure

The implementation MUST independently generate the ML-DSA and the EdDSA component keys. ML-DSA key generation follows the specification [FIPS-204] and the artifacts are encoded as fixed-length octet strings as defined in Section 5.1.2. For EdDSA this is done following the relative specification in [RFC7748], and encoding the artifacts as specified in Section 5.1.1 as fixed-length octet strings.

5.2.3.  Signature Generation

To sign a message M with ML-DSA + EdDSA the following sequence of operations has to be performed:

1.  Generate dataDigest according to [I-D.ietf-openpgp-crypto-refresh], Section 5.2.4

2.  Create the EdDSA signature over dataDigest with EdDSA.Sign() from Section 5.1.1

3.  Create the ML-DSA signature over dataDigest with ML-DSA.Sign() from Section 5.1.2

4.  Encode the EdDSA and ML-DSA signatures according to the packet structure given in Section 5.3.1.

5.2.4.  Signature Verification

To verify an ML-DSA + EdDSA signature the following sequence of operations has to be performed:

1.  Verify the EdDSA signature with EdDSA.Verify() from Section 5.1.1

2.  Verify the ML-DSA signature with ML-DSA.Verify() from Section 5.1.2

As specified in Section 3.2 an implementation MUST validate both signatures, i.e. EdDSA and ML-DSA, successfully to state that a composite ML-DSA + EdDSA signature is valid.

5.3.  Packet Specifications

5.3.1.  Signature Packet (Tag 2)

The composite ML-DSA + EdDSA schemes MUST be used only with v6 signatures, as defined in [I-D.ietf-openpgp-crypto-refresh].

The algorithm-specific v6 signature parameters for ML-DSA + EdDSA signatures consist of:

*  A fixed-length octet string representing the EdDSA signature, whose length depends on the algorithm ID as specified in Table 6.

*  A fixed-length octet string of the ML-DSA signature value, whose length depends on the algorithm ID as specified in Table 7.

5.3.2.  Key Material Packets

The composite ML-DSA + EdDSA schemes MUST be used only with v6 keys, as defined in [I-D.ietf-openpgp-crypto-refresh].

The algorithm-specific public key for ML-DSA + EdDSA keys is this series of values:

*  A fixed-length octet string representing the EdDSA public key, whose length depends on the algorithm ID as specified in Table 6.

*  A fixed-length octet string containing the ML-DSA public key, whose length depends on the algorithm ID as specified in Table 7.

The algorithm-specific secret key for ML-DSA + EdDSA keys is this series of values:

*  A fixed-length octet string representing the EdDSA secret key, whose length depends on the algorithm ID as specified in Table 6.

*  A fixed-length octet string containing the ML-DSA secret key, whose length depends on the algorithm ID as specified in Table 7.

6.  SLH-DSA-SHAKE

6.1.  The SLH-DSA-SHAKE Algorithms

The following table lists the group of algorithm code points for the SLH-DSA-SHAKE signature scheme and the corresponding artifact lengths. This group of algorithms is henceforth referred to as "SLH-DSA-SHAKE code points".

+======================+=============+=============+===============+
| Algorithm ID         |SLH-DSA-SHAKE|SLH-DSA-SHAKE| SLH-DSA-SHAKE |
| reference            |public key   |secret key   | signature     |
+======================+=============+=============+===============+
| TBD (SLH-DSA-SHAKE-  |32           |64           | 7856          |
| 128s)                |             |             |               |
+----------------------+-------------+-------------+---------------+
| TBD (SLH-DSA-SHAKE-  |32           |64           | 17088         |
| 128f)                |             |             |               |
+----------------------+-------------+-------------+---------------+
| TBD (SLH-DSA-SHAKE-  |64           |128          | 29792         |
| 256s)                |             |             |               |
+----------------------+-------------+-------------+---------------+

    Table 9: SLH-DSA-SHAKE algorithm code points and the corresponding artifact lengths in octets.

6.1.1.  Signature Data Digest

Signature data (i.e. the data to be signed) is digested prior to signing operations, see [I-D.ietf-openpgp-crypto-refresh], Section 5.2.4. SLH-DSA-SHAKE signatures MUST use the associated hash algorithm as specified in Table 10 for the signature data digest. Signatures using other hash algorithms MUST be considered invalid.

An implementation supporting a specific SLH-DSA-SHAKE algorithm code point MUST also support the matching hash algorithm.

+========================+===============+===============+
| Algorithm ID reference | Hash function | Hash function |
|                        |               | ID reference  |
+========================+===============+===============+
| TBD (SLH-DSA-SHAKE-    | SHA3-256      | 12            |
| 128s)                  |               |               |
+------------------------+---------------+---------------+
| TBD (SLH-DSA-SHAKE-    | SHA3-256      | 12            |
| 128f)                  |               |               |
+------------------------+---------------+---------------+
| TBD (SLH-DSA-SHAKE-    | SHA3-512      | 14            |
| 256s)                  |               |               |
+------------------------+---------------+---------------+

    Table 10: Binding between SLH-DSA-SHAKE algorithm code points and signature data hash algorithms

6.1.2.  Key generation

SLH-DSA-SHAKE key generation is performed via the algorithm SLH-DSA.KeyGen as specified in [FIPS-205], and the artifacts are encoded as fixed-length octet strings as defined in Section 6.1.

6.1.3.  Signature Generation

SLH-DSA-SHAKE signature generation is performed via the algorithm SLH-DSA.Sign as specified in [FIPS-205]. The variable opt_rand is set to PK.seed. See also Section 9.5.

6.1.4.  Signature Verification

SLH-DSA-SHAKE signature verification is performed via the algorithm SLH-DSA.Verify as specified in [FIPS-205].

6.2.  Packet specifications

6.2.1.  Signature Packet (Tag 2)

The SLH-DSA-SHAKE algorithms MUST be used only with v6 signatures, as defined in [I-D.ietf-openpgp-crypto-refresh], Section 5.2.3.

The algorithm-specific part of a signature packet for an SLH-DSA-SHAKE algorithm code point consists of:

*  A fixed-length octet string of the SLH-DSA-SHAKE signature value, whose length depends on the algorithm ID in the format specified in Table 9.

6.2.2.  Key Material Packets

The SLH-DSA-SHAKE algorithm code points MUST be used only with v6 keys, as defined in [I-D.ietf-openpgp-crypto-refresh].

The algorithm-specific part of the public key consists of:

*  A fixed-length octet string containing the SLH-DSA-SHAKE public key, whose length depends on the algorithm ID as specified in Table 9.

The algorithm-specific part of the secret key consists of:

*  A fixed-length octet string containing the SLH-DSA-SHAKE secret key, whose length depends on the algorithm ID as specified in Table 9.

7.  Notes on Algorithms

7.1.  Symmetric Algorithms for SEIPD Packets

Implementations MUST implement AES-256. An implementation SHOULD use AES-256 in the case of a v1 SEIPD packet, or AES-256 with any available AEAD mode in the case of a v2 SEIPD packet, if all recipient certificates indicate support for it (explicitly or implicitly).

A v4 or v6 certificate that contains a PQ(/T) key SHOULD include AES-256 in the "Preferred Symmetric Ciphers for v1 SEIPD" subpacket. A v6 certificate that contains a PQ(/T) key SHOULD include the pair AES-256 with OCB in the "Preferred AEAD Ciphersuites" subpacket.

If AES-256 is not explicitly in the list of the "Preferred Symmetric Ciphers for v1 SEIPD" subpacket, and if the certificate contains a PQ/T key, it is implicitly at the end of the list. This is justified since AES-256 is mandatory to implement. If AES-128 is also implicitly added to the list, it is added after AES-256.

If the pair AES-256 with OCB is not explicitly in the list of the "Preferred AEAD Ciphersuites" subpacket, and if the certificate contains a PQ/T key, it is implicitly at the end of the list. This is justified since AES-256 and OCB are mandatory to implement. If the pair AES-128 with OCB is also implicitly added to the list, it is added after the pair AES-256 with OCB.

7.2.  Hash Algorithms for Key Binding Signatures

Subkey binding signatures over algorithms described in this document and primary key binding signatures made by algorithms described in this document MUST NOT be made with MD5, SHA-1, or RIPEMD-160. A receiving implementation MUST treat such a signature as invalid.

8.  Migration Considerations

The post-quantum KEM algorithms defined in Table 1 and the signature algorithms defined in Table 2 are a set of new public key algorithms that extend the algorithm selection of [I-D.ietf-openpgp-crypto-refresh]. During the transition period, the post-quantum algorithms will not be supported by all clients. Therefore various migration considerations must be taken into account, in particular backwards compatibility to existing implementations that have not yet been updated to support the post-quantum algorithms.

8.1.  Key preference

Implementations SHOULD prefer PQ(/T) keys when multiple options are available.

When encrypting to a certificate that has both a valid PQ/T and a valid traditional encryption subkey, an implementation SHOULD use the PQ/T subkey only. Furthermore, if an application has any means to determine that encrypting to a PQ/T certificate and a traditional certificate is redundant, it should omit encrypting to the traditional certificate.

As specified in Section 3.1, the confidentiality of a message is not post-quantum secure when using multiple PKESKs if at least one does not use PQ/T encryption schemes. An implementation SHOULD NOT abort the encryption process when encrypting a message to both PQ/T and traditional keys to allow for a smooth transition to post-quantum cryptography.

An implementation MAY sign with both a PQ(/T) and an ECC key using multiple signatures over the same data as described in Section 3.3. Signing only with PQ(/T) key material is not backwards compatible.

8.2.  Key generation strategies

It is RECOMMENDED to generate fresh secrets when generating PQ(/T) keys. Note that reusing key material from existing ECC keys in PQ(/T) keys does not provide backwards compatibility.

An OpenPGP certificate is composed of a certification-capable primary key and one or more subkeys for signature, encryption, and authentication. Two migration strategies are recommended:

1.  Generate two independent certificates, one for PQ(/T)-capable implementations, and one for legacy implementations. Implementations not understanding PQ(/T) certificates can use the legacy certificate, while PQ(/T)-capable implementations will prefer the newer certificate. This allows having an older v4 or v6 certificate for compatibility and a v6 PQ(/T) certificate, at a greater complexity in key distribution.

2.  Attach PQ(/T) encryption subkeys to an existing traditional OpenPGP certificate. In the case of a v6 certificate, also PQ(/T) signature keys may be attached. Implementations understanding PQ(/T) will be able to parse and use the subkeys, while PQ(/T)-incapable implementations can gracefully ignore them. This simplifies key distribution, as only one certificate needs to be communicated and verified, but leaves the primary key vulnerable to quantum computer attacks.

9.  Security Considerations

9.1.  Security Aspects of Composite Signatures

When multiple signatures are applied to a message, the question of the protocol's resistance against signature stripping attacks naturally arises. In a signature stripping attack, an adversary removes one or more of the signatures such that only a subset of the signatures remain in the message at the point when it is verified. This amounts to a downgrade attack that potentially reduces the value of the signature. It should be noted that the composite signature schemes specified in this draft are not subject to a signature stripping vulnerability. This is due to the fact that in any OpenPGP signature, the hashed meta data includes the signature algorithm ID, as specified in [I-D.ietf-openpgp-crypto-refresh], Section 5.2.4. As a consequence, a component signature taken out of the context of a specific composite algorithm is not a valid signature for any message.

Furthermore, it is also not possible to craft a new signature for a message that was signed twice with a composite algorithm by interchanging (i.e., remixing) the component signatures, which would classify as a weak existential forgery. This is due to the fact that each v6 signature also includes a random salt at the start of the hashed meta data, as also specified in the aforementioned reference.

9.2.  Hashing in ECDH-KEM

Our construction of the ECDH-KEMs, in particular the inclusion of ecdhCipherText in the final hashing step in encapsulation and decapsulation that produces the ecdhKeyShare, is standard and known as hashed ElGamal key encapsulation, a hashed variant of ElGamal encryption. It ensures IND-CCA2 security in the random oracle model under some Diffie-Hellman intractability assumptions [CS03]. The additional inclusion of ecdhPublicKey follows the security advice in Section 6.1 of [RFC7748].

9.3.  Key combiner

For the key combination in Section 4.2.2 this specification limits itself to the use of SHA3-256. The sponge construction used by SHA3-256 was proven to be indifferentiable from a random oracle [BDPA08]. This means that in contrast to SHA2, which uses a Merkle-Damgard construction, no HMAC-based construction is required for key combination. It is therefore sufficient to simply process the concatenation of any number of key shares with a domain separation when using a sponge-based construction like SHA3-256.

More precisely, for a given capacity c the indifferentiability proof shows that assuming there are no weaknesses found in the Keccak permutation, an attacker has to make an expected number of 2^(c/2) calls to the permutation to tell SHA3-256 from a random oracle. For a random oracle, a difference in only a single bit gives an unrelated, uniformly random output. Hence, to be able to distinguish a key K, derived from shared keys K1 and K2 (with ciphertexts C1 and C2 and public keys P1 and P2) as

    K = SHA3-256(counter || K1 || C1 || P1 || K2 || C2 || P2 || fixedInfo)

from a random bit string, an adversary has to know (or correctly guess) both key shares K1 and K2, entirely.

The proposed construction in Section 4.2.2 preserves IND-CCA2 of any of its ingredient KEMs, i.e. the newly formed combined KEM is IND-CCA2 secure as long as at least one of the ingredient KEMs is. Indeed, the above stated indifferentiability from a random oracle qualifies Keccak as a split-key pseudorandom function as defined in [GHP18]. That is, Keccak behaves like a random function if at least one input shared secret is picked uniformly at random. Our construction can thus be seen as an instantiation of the IND-CCA2 preserving Example 3 in Figure 1 of [GHP18], up to some reordering of input shared secrets and ciphertexts. In the random oracle setting, the reordering does not influence the arguments in [GHP18].

9.4.  Domain separation and binding

The domSeparation information defined in Section 4.2.1 provides the domain separation for the key combiner construction. This ensures that the input keying material is used to generate a KEK for a specific purpose or context.

The algID defined in Section 4.2.1 binds the derived KEK to the chosen algorithm and communication parties. The algorithm ID identifies unequivocally the algorithm, the parameters for its instantiation, and the length of all artifacts, including the derived key.

This is in line with the Recommendation for ECC in section 5.5 of [SP800-56A]. Other fields included in the recommendation are not relevant for the OpenPGP protocol, since the sender is not required to have a key of their own, there are no pre-shared secrets, and all the other parameters are unequivocally defined by the algorithm ID.

9.5.  SLH-DSA-SHAKE Message Randomizer

The specification of SLH-DSA-SHAKE [FIPS-205] prescribes an optional non-deterministic message randomizer. This is not used in this specification, as OpenPGP v6 signatures already provide a salted signature data digest of the appropriate size.

9.6.  Binding hashes in signatures with signature algorithms

In order not to extend the attack surface, we bind the hash algorithm used for signature data digestion to the hash algorithm used internally by the signature algorithm.

ML-DSA internally uses a SHAKE256 digest, therefore we require SHA3 in the ML-DSA + EdDSA signature packet, see Section 5.2.1. Note that we bind a NIST security category 2 hash function to a signature algorithm that falls into NIST security category 3. This does not constitute a security bottleneck: because of the unpredictable random salt that is prepended to the digested data in v6 signatures, the hardness assumption is not collision resistance but second-preimage resistance.

In the case of SLH-DSA-SHAKE the internal hash algorithm varies based on the algorithm ID, see Section 6.1.1.

9.7.  Symmetric Algorithms for SEIPD Packets

This specification mandates support for AES-256 for two reasons. First, AES-KeyWrap with AES-256 is already part of the composite KEM construction. Second, some of the PQ(/T) algorithms target the security level of AES-256.

For the same reasons, this specification further recommends the use of AES-256 if it is supported by all recipient certificates, regardless of what the implementation would otherwise choose based on the recipients' preferences. This recommendation should be understood as a clear and simple rule for the selection of AES-256 for encryption. Implementations may also make more nuanced decisions.

10.  Additional considerations

10.1.  Performance Considerations for SLH-DSA-SHAKE

This specification introduces both ML-DSA + EdDSA as well as SLH-DSA-SHAKE as PQ(/T) signature schemes.

Generally, it can be said that ML-DSA + EdDSA provides a performance in terms of execution time requirements that is close to that of traditional ECC signature schemes. Regarding the size of signatures and public keys, though, ML-DSA has far greater requirements than traditional schemes like EC-based or even RSA signature schemes. Implementers may want to offer SLH-DSA-SHAKE for applications where the weaker security assumptions of a hash-based signature scheme are required – namely only the 2nd preimage resistance of a hash function – and thus a potentially higher degree of trust in the long-term security of signatures is achieved. However, SLH-DSA-SHAKE has performance characteristics in terms of execution time of the signature generation as well as space requirements for the signature that are even greater than those of ML-DSA + EdDSA signature schemes.

Pertaining to the execution time, the particularly costly operation in SLH-DSA-SHAKE is the signature generation. Depending on the parameter set, it can range from approximately the one hundred fold to more than the two thousand fold of that of ML-DSA-87. These numbers are based on the performance measurements published in the NIST submissions for SLH-DSA-SHAKE and ML-DSA.

In order to achieve fast signature generation times, the algorithm SLH-DSA-SHAKE-128f ("f" standing for "fast") should be chosen. This comes at the expense of a larger signature size. This choice can be relevant in applications where mass signing occurs or a small latency is required.

In order to minimize the space requirements of an SLH-DSA-SHAKE signature, an algorithm ID with the name ending in "s" for "small" should be chosen. This comes at the expense of a longer signature generation time. In particular, SLH-DSA-SHAKE-128s achieves the smallest possible signature size, which is about the double size of an ML-DSA-87 signature. Where a higher security level than 128 bit is needed, SLH-DSA-SHAKE-256s can be used.

Unlike the signature generation time, the signature verification time of SLH-DSA-SHAKE is not that much larger than that of other PQC schemes. Based on the performance measurements published in the NIST submissions for SLH-DSA-SHAKE and ML-DSA, the verification time of the SLH-DSA-SHAKE is, for the parameters covered by this specification, larger than that of ML-DSA-87 by a factor ranging from four (for -128s) over nine (for -256s) to twelve (for -128f).

11.  IANA Considerations

IANA is requested to add the algorithm IDs defined in Table 11 to the existing registry OpenPGP Public Key Algorithms. The field specifications enclosed in brackets for the ML-KEM + ECDH composite algorithms denote fields that are only conditionally contained in the data structure.

+===+============+=======+=======+=========+==============+=========+
|ID | Algorithm  | Public| Secret|Signature| PKESK        |Reference|
|   |            |    Key|    Key|   Format| Format       |         |
|   |            | Format| Format|         |              |         |
+===+============+=======+=======+=========+==============+=========+
|TBD| ML-KEM-    |     32|     32|      N/A| 32 octets    |  Section|
|   | 768+X25519 | octets| octets|         | X25519       |      4.2|
|   |            | X25519| X25519|         | ciphertext,  |         |
|   |            | public| secret|         | 1088 octets  |         |
|   |            |    key|    key|         | ML-KEM-768   |         |
|   |            | (Table| (Table|         | ciphertext   |         |
|   |            |    3),|    3),|         | [, 1 octet   |         |
|   |            |   1184|   2400|         | algorithm    |         |
|   |            | octets| octets|         | ID in case   |         |
|   |            |    ML-|    ML-|         | of v3        |         |
|   |            |KEM-768|KEM-768|         | PKESK], 1    |         |
|   |            | public|secret-|         | octet        |         |
|   |            |    key|    key|         | length       |         |
|   |            | (Table| (Table|         | field of     |         |
|   |            |     4)|     4)|         | value n, n   |         |
|   |            |       |       |         | octets       |         |
|   |            |       |       |         | wrapped      |         |
|   |            |       |       |         | session key  |         |
|   |            |       |       |         | (Section     |         |
|   |            |       |       |         | 4.3.1)       |         |
+---+------------+-------+-------+---------+--------------+---------+
|TBD| ML-KEM-    |     56|     56|      N/A| 56 octets    |  Section|
|   | 1024+X448  | octets| octets|         | X448         |      4.2|
|   |            |   X448|   X448|         | ciphertext,  |         |
|   |            | public| secret|         | 1568 octets  |         |
|   |            |    key|    key|         | ML-KEM-1024  |         |
|   |            | (Table| (Table|         | ciphertext   |         |
|   |            |    3),|    3),|         | [, 1 octet   |         |
|   |            |   1568|   3168|         | algorithm    |         |
|   |            | octets| octets|         | ID in case   |         |
|   |            |ML-KEM-|ML-KEM-|         | of v3        |         |
|   |            |   1024|   1024|         | PKESK], 1    |         |
|   |            | public|secret-|         | octet        |         |
|   |            |    key|    key|         | length       |         |
|   |            | (Table| (Table|         | field of     |         |
|   |            |     4)|     4)|         | value n, n   |         |
|   |            |       |       |         | octets       |         |
|   |            |       |       |         | wrapped      |         |
|   |            |       |       |         | session key  |         |
|   |            |       |       |         | (Section     |         |
|   |            |       |       |         | 4.3.1)       |         |
+---+------------+-------+-------+---------+--------------+---------+
|TBD| ML-DSA-    |     32|     32|64 octets| N/A          |  Section|
|   | 65+Ed25519 | octets| octets|  Ed25519|              |      5.2|
|   |            |Ed25519|Ed25519|signature|              |         |
|   |            | public| secret|   (Table|              |         |
|   |            |    key|    key| 6), 3293|              |         |
|   |            | (Table| (Table|   octets|              |         |
|   |            |    6),|    6),|ML-DSA-65|              |         |
|   |            |   1952|   4032|signature|              |         |
|   |            | octets| octets|(Table 7)|              |         |
|   |            |    ML-|    ML-|         |              |         |
|   |            | DSA-65| DSA-65|         |              |         |
|   |            | public| secret|         |              |         |
|   |            |    key| (Table|         |              |         |
|   |            | (Table|     7)|         |              |         |
|   |            |     7)|       |         |              |         |
+---+------------+-------+-------+---------+--------------+---------+
|TBD| ML-DSA-    |     57|     57|      114| N/A          |  Section|
|   | 87+Ed448   | octets| octets|   octets|              |      5.2|
|   |            |  Ed448|  Ed448|    Ed448|              |         |
|   |            | public| secret|signature|              |         |
|   |            |    key|    key|   (Table|              |         |
|   |            | (Table| (Table| 6), 4595|              |         |
|   |            |    6),|    6),|   octets|              |         |
|   |            |   2592|   4896|ML-DSA-87|              |         |
|   |            | octets| octets|signature|              |         |
|   |            |    ML-|    ML-|(Table 7)|              |         |
|   |            | DSA-87| DSA-87|         |              |         |
|   |            | public| secret|         |              |         |
|   |            |    key| (Table|         |              |         |
|   |            | (Table|     7)|         |              |         |
|   |            |     7)|       |         |              |         |
+---+------------+-------+-------+---------+--------------+---------+
|TBD| SLH-DSA-   |     32|     64|     7856| N/A          |  Section|
|   | SHAKE-128s | octets| octets|   octets|              |      6.1|
|   |            | public| secret|signature|              |         |
|   |            |    key|    key|(Table 9)|              |         |
|   |            | (Table| (Table|         |              |         |
|   |            |     9)|     9)|         |              |         |
+---+------------+-------+-------+---------+--------------+---------+
|TBD| SLH-DSA-   |     32|     64|    17088| N/A          |  Section|
|   | SHAKE-128f | octets| octets|   octets|              |      6.1|
|   |            | public| secret|signature|              |         |
|   |            |    key|    key|(Table 9)|              |         |
|   |            | (Table| (Table|         |              |         |
|   |            |     9)|     9)|         |              |         |
+---+------------+-------+-------+---------+--------------+---------+
|TBD| SLH-DSA-   |     64|    128|    29792| N/A          |  Section|
|   | SHAKE-256s | octets| octets|   octets|              |      6.1|
|   |            | public| secret|signature|              |         |
|   |            |    key|    key|(Table 9)|              |         |
|   |            | (Table| (Table|         |              |         |
|   |            |     9)|     9)|         |              |         |
+---+------------+-------+-------+---------+--------------+---------+

    Table 11: IANA updates for registry 'OpenPGP Public Key Algorithms'


12. Changelog

12.1. draft-wussler-openpgp-pqc-01

* Shifted the algorithm IDs by 4 to align with the crypto-refresh.
* Renamed v5 packets into v6 to align with the crypto-refresh.
* Defined IND-CCA2 security for KDF and key combination.
* Added explicit key generation procedures.
* Changed the key combination KMAC salt.
* Mandated Parameter ID check in SPHINCS+ signature verification.
* Fixed key share size for Kyber-768.
* Added "Preliminaries" section.
* Fixed IANA considerations.

12.2. draft-wussler-openpgp-pqc-02

* Added the ephemeral and public key in the ECC key derivation function.
* Removed public key hash from key combiner.
* Allowed v3 PKESKs and v4 keys with PQ algorithms, limiting them to AES symmetric ciphers for encryption with SEIPDv1, in line with the crypto-refresh.

12.3. draft-wussler-openpgp-pqc-03

* Replaced round 3 submission with NIST PQC Draft Standards FIPS 203, 204, 205.
* Added consideration about security level for hashes.

12.4. draft-wussler-openpgp-pqc-04

* Added Johannes Roth as author.

12.5. draft-ietf-openpgp-pqc-00

* Renamed draft.

12.6. draft-ietf-openpgp-pqc-01

* Mandated AES-256 as mandatory to implement.
* Added AES-256 / AES-128 with OCB implicitly to v1/v2 SEIPD preferences of "PQ(/T) certificates".
* Added a recommendation to use AES-256 when possible.
* Swapped the optional v3 PKESK algorithm identifier with length octet in order to align with X25519 and X448.
* Fixed ML-DSA private key size.
* Added test vectors.
* Correction and completion of IANA instructions.

12.7. draft-ietf-openpgp-pqc-02

* Removed git rebase artifact.

12.8. draft-ietf-openpgp-pqc-03

* Updated SLH-DSA by removing parametrization and restricting to three SLH-DSA-SHAKE algorithm code points.
* Removed NIST and Brainpool curve hybrids, dropped ECDSA from the current specification.
* Updated KDF as proposed at IETF 119.
* Removed whitespaces from composite algorithm names.
* Explicitly disallowed SED (tag 9) and weak hashes when using PQ algorithms.

12.9. draft-ietf-openpgp-pqc-04

* Fixed ML-DSA signature size.
* Fixed parameters order in PKESK description.
* Fixed missing inputs into KEM combination description.
* Improved parallel encryption guidance.
* Improved SED deprecation description.
* Added ML-DSA test vectors.

13. Contributors

Stephan Ehlen (BSI)

Carl-Daniel Hailfinger (BSI)

Andreas Huelsing (TU Eindhoven)

14. References

14.1. Normative References

[I-D.ietf-openpgp-crypto-refresh] Wouters, P., Huigens, D., Winter, J., and N. Yutaka, "OpenPGP", Work in Progress, Internet-Draft, draft-ietf-openpgp-crypto-refresh-13, 4 January 2024.

[RFC3394] Schaad, J. and R. Housley, "Advanced Encryption Standard (AES) Key Wrap Algorithm", RFC 3394, DOI 10.17487/RFC3394, September 2002.

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016.

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017.

14.2. Informative References

[BDPA08] Bertoni, G., Daemen, J., Peters, M., and G. Assche, "On the Indifferentiability of the Sponge Construction", 2008.

[CS03] Cramer, R. and V. Shoup, "Design and Analysis of Practical Public-Key Encryption Schemes Secure against Adaptive Chosen Ciphertext Attack", 2003.

[FIPS-203] National Institute of Standards and Technology, "Module-Lattice-Based Key-Encapsulation Mechanism Standard", August 2023.

[FIPS-204] National Institute of Standards and Technology, "Module-Lattice-Based Digital Signature Standard", August 2023.

[FIPS-205] National Institute of Standards and Technology, "Stateless Hash-Based Digital Signature Standard", August 2023.

[GHP18] Giacon, F., Heuer, F., and B. Poettering, "KEM Combiners", 2018.

[I-D.ietf-pquip-pqt-hybrid-terminology] D, F. and M. P, "Terminology for Post-Quantum Traditional Hybrid Schemes", Work in Progress, Internet-Draft, draft-ietf-pquip-pqt-hybrid-terminology-03, 9 May 2024.

[NIST-PQC] Chen, L., Moody, D., and Y. Liu, "Post-Quantum Cryptography Standardization", December 2016.

[NISTIR-8413] Alagic, G., Apon, D., Cooper, D., Dang, Q., Dang, T., Kelsey, J., Lichtinger, J., Miller, C., Moody, D., Peralta, R., Perlner, R., Robinson, A., Smith-Tone, D., and Y. Liu, "Status Report on the Third Round of the NIST Post-Quantum Cryptography Standardization Process", NIST IR 8413, September 2022.

[SP800-56A] Barker, E., Chen, L., Roginsky, A., Vassilev, A., and R. Davis, "Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography", NIST Special Publication 800-56A Rev. 3, April 2018.

[SP800-56C] Barker, E., Chen, L., and R. Davis, "Recommendation for Key-Derivation Methods in Key-Establishment Schemes", NIST Special Publication 800-56C Rev. 2, August 2020.

Appendix A. Test Vectors

To help with implementing this specification, a set of non-normative examples follows. The test vectors are implemented using the Initial Public Draft (IPD) variant of the ML-DSA and ML-KEM schemes.

A.1. Sample v6 PQC Subkey Artifacts

Here is a Private Key consisting of:

* A v6 Ed25519 Private-Key packet
* A v6 direct key self-signature
* A User ID packet
* A v6 positive certification self-signature
* A v6 ML-KEM-ipd-768+X25519 Private-Subkey packet
* A v6 subkey binding signature

The primary key has the fingerprint 52343242345254050219ceff286e9c8e479ec88757f95354388984a02d7d0b59.
The subkey has the fingerprint 263e34b69938e753dc67ca8ee37652795135e0e16e48887103c11d7307df40ed.

Here is the corresponding Public Key consisting of:

* A v6 Ed25519 Public-Key packet
* A v6 direct key self-signature
* A User ID packet
* A v6 positive certification self-signature
* A v6 ML-KEM-ipd-768+X25519 Public-Subkey packet
* A v6 subkey binding signature

Here is an unsigned message "Testing\n" encrypted to this key:

* A v6 PKESK
* A v2 SEIPD

The hex-encoded SHA3-256 ecdhKeyShare input is c3bcf24924717f82614c331cc13eea1c333ab16c6d42a6f958cbeb48aa4260fb.

The hex-encoded SHA3-256 mlkemKeyShare input is 9e956c105e25da824d6f1fddbbd93b920dd33f2fd647cfcb859904966efff31a.

The hex-encoded SHA3-256 output is 99229561bcf5017d6b1dd34d8eb0441897968d5b140597756db705f1de67c078.

The hex-encoded session key is 0e7d04eb84f066d0943c7898db8d36959203bdecdfb3e17e5fd3a24a13641d7b.

Here is a Private Key consisting of:

* A v6 ML-DSA-ipd-65+EdDSA Private-Key packet
* A v6 direct key self-signature
* A User ID packet
* A v6 positive certification self-signature
* A v6 ML-KEM-ipd-768+X25519 Private-Subkey packet
* A v6 subkey binding signature

The primary key has the fingerprint eb8503e3b591f84d068fc2411c310a0b7ca116974d32f81f96f0407f3fbfbb21.
The subkey has the fingerprint 5f7e002bd964a5be4f3c50b95e03b19cb37bf02fa0e029af701f6677e08bd272.
Expires 9 January 2025 [Page 48] Internet-Draft PQC in OpenPGP July 2024 Lkqec+Hk35ZBJUpP9QmMwpcxeRw//CCrUGZvHDaHm6SfJDZgdaYd4NiT7oteiGRy blt/DcTDfcPMF1cARUZrclVe+ooCZFqdQDOfOflqvHlH4Rc0O6U0ELwJHTUa5dnB uEt04GkAxFqH/nO/XHOIlIm+1Ua33EtoOKgwOyDH9kzAMOaG0qmLHZMs0UtXrvUr Z0U++ISVhJKzsvLMySWEpRW0nfE+XmaTMhRxjsUrIhghBYMII/edIXmLEzGVMvxY suRAYOsYKzo15hMIggBy/tSO05Nk/zm7JPEruJsr1zlx5DqodkbNQ8fEB1dB+qYV KJGai9d6hyCsCbUJ7mowKOdkHbSMUrGVDHSBYrOYMpDMJGOeckAmfKrLCeOg9iNl weMkAYihElS0D3haVbt3WiUgp4eLowioosscVmKrs2xFXjF4aEW5qsajs6WGr3Qv OTYCCtl8HZAMjte6jTgX+yeQfseBMihD8nxQ82OEEmTD1vQG70lnBzwAR3meH+cx V+xm+Whqpbx3uBtb5JghDcxX2aEOeouUZNxhVEV4kzcGkmuMSzQUsYJXETciPBGs n5tuVdR28ygxn6lW+qh+C+krlSOl48pIpWcihYiN50fDSkO1hYIp0xkAo2FAD2O7 72ogDKAEFANwhvEd7Bhz5RU2BaG+NnyV1mKj1AI/gWlCbosqh3UXTmZxvZBRmiEn blkumtI3xYC0dYuxdrlY6YrOJ1eoIUhRPFG5RxPJlISZFQZShoJcuWw3EUMRmztc IJE/VxbK5hSQW7CYENyUfqk41IxwWFbAGmRKi7ZyWyENW3dEgzEQRuVGAZwLJPZM GwFtLRd/OYYGYQe1G0myGcSajHw6EjuO6Oox26QLYJohhWVdrME1/hl/OpiYB6aP x8d5iKh5orCgBnIMzTgr0DKn6AJCuKBGanrGEKBFF0y/9XG79IBVjRJr1IoPjuO0 VSsAvhJ+01CqRiJHTCIdu9PFCXO4aaZgaCu862xriqQP/muotWwvCnltIJd8Nrlz NMTDpdssIWaBGIWBrwkmqch3TIA+PrZf7getaSVurxIs0QbGX0kpNAwbMGMAmzCa 0YVh+NmomEkbpdy71PVqPvrHIWHO3mB7qNtHnCq8R6EZpfstG2geyDjPazESgyqh u/nJBMa4KWSFitS9bFiGzjzFz3u9CpAJwpcTwrlmzKvHk1XAQ8GfwzQbMUqm4CGP C7pAWdxzwFU0NAtHoAMqU+erzuW+Zri91pxyHrLOj9IahroLx5R3hNlQcNu6rwI5 0xLNn7JBcvUt8Vs+feJiAeF8kRsnRzrJv5OFtwgC+CsPEEE+zteukfRJRksToSsS nbt7RIFYfCvAH5OlI0u9wut2USFr/ay3s6CdkMO6WrGarPrIzcqPehVUjqQCsYdJ L4VfiFS0h8cIMJDLqWQik4xHrYB9ofi9dftTKIE0LwRU6BG7cQBONLa9S9ERVAQX GCvKLKi8E4JR92eZW6hLNAoQedsmaqPDvldMIAcnjFZNVdN998N6xWe27Ndx0Bol XQsotqSPx7ZKi0qdTKNlVwZuU+uILxyaMKZoWrSP/8CSwvhhGRxKVeuWop6yF6aw 0poG75sANHALr8iet+j2eHAL1xe8SvgP3JFNzNIiMqBdOGaSLXhPORE1NWRtxqmc 4qFlDMeyQyxyMmUGiS8K05K/CySfoJPClFVKyZn4FUBC2Ayh5T98SWKwrATVys58 1BHFaRLTFYOBcc+qCEJLQ0HGdTiUE4eapVa0SJbwl6Wkhx1GB10rmqP2ZjBpIapn 2HgeNI+IXJYms3iNFhHCQFdEQJUziVTVUJD4cpJ4SqoZ1FShWrAVBS8QogBBd8oU 
wwB+yIuh6zSfsEKushpZO5of9LHihL11VCyXeQblYk/E5cUvwDRQynZKhsa4NElu 0EgvipiIYFzAQxgCWW6mZYVCOCzThVJLu6/B9iMrvAgD1MmY/H9GRHcswHiIhy4Z es1Hx7y4U6nZoInGFDjexbz5wq0YkYvtI8xMZoHTyWtJnM281zqrWp2JeLeFN1Eg CYvPYxzpXG7a2Yd3QqgRwj2fQSYtOn7DfJr5UrPjdWrfwh5KmgAIBCneqI1poYAB 9cYG1IWkW3B4aTZop6euGSp2c67HEQprUxDIRispgYNsiEGUQqWMmrHaQCDj5Xr2 XFvPdDGNRrV8wDba0ln6e2/ilYxp+SGOoYWw1quyNrKpcpPY3FZz0De0yUxtbI9e VoJUsWakt22TpiYbG1+UJRtLaapPtLdGkMxWJmRz6bWfmCeOYxvIGDrDAxFoI7ae 0xE1iCJC9xR7o4Z8BUrTO2CY4LvTGixKBF9QCZ8gFElE5VbCWABZOiO8Y1Q+E4SR kDjJHIu7WLJPF4O7c2OlvAXXGnWxWjJ7SiDdw0eKXFAJBFPxCIDwaWoeYHui3MMK qQOHECoZWBQeuoCd2hYqyIHztm+HRmPUqMule4bBYr0ZSly2gcZpl4RQsyu5PBCi gWX45n8YcRNI/GlyYJ9ZpJl55HsyW5w0wJD7BWeDFVbFnIdc4lmHMBIJ1KbJpiT5 8yVyiRb+E2ccG8DCKocciWmNgj0+shW6ymtzF4LQp2Tv9z2NWIBGPLHJdXbjq1Yv 9kViVkLcYxRS2VQTAHmpoRQrdnsaBXe3Owds3MZrlqUzZw439bJbanqMcGBbSwUZ bKmVgmOk1J1ZiQ1uxAc7ARMWOBGoWnLrsM8l8iPDJa3X5Hb3hAhMJbl+W4Av95HL Qaxq2ctAUge0UhqaZqEddhTB50rKSghnSxb9lygKOBK68J2P5iTyY1NNokMdek5Z sbe7BGAhWieR8pOFdCRZlE5O1HBZSCtme0lVkybqE2KRIMS3tAgdqkhb172KNLXH CoAjdTBKrM0Lt51N1YF0N6a30iFpZF7yjAm4RgfcIIFHAEwpwZF2BtAvMG8jeYBD QhvY6qy0QSuwWk+yEYjDYSZjhb61G1f6IAZNeCNbhXVZTC0ed6QCvJ/GGMyiZxxL xbGxyhWryUzx+8L4SzjJ8xzB+wT36rgll1Img3GC2kEVFl4RK8/MZXH49X/54g2m Kousidis, et al. 
Expires 9 January 2025 [Page 49] Internet-Draft PQC in OpenPGP July 2024 5iGVcILOyXmBsLpy5ZXE9xMFt5Re4YlZpFLkW7Z0BMstN5Ro20MWpSgY52eeqaRV Fswk6B9B8D2D1qOu6hi+zCOUa3N712jL8qTf9VntNLGi+SdGm0n8IKtQZm8cNoeb pJ8kNmB1ph3g2JPui16IZHJuW38NxMN9w8wXVwBFRmtyVV76igJkWp1AM585+Wq8 eUfhFzQ7pTQQvAkdNRrl2cG4S3TgaQDEWof+c79cc4iUib7VRrfcS2g4qDA7IMf2 TMAw5obSqYsdkyzRS1eu9StnRT74hJWEkrOy8szJJYSlFbSd8T5eZpMyFHGOxSsi GCEFgwgj950heYsTMZUy/Fiy5EBg6xgrOjXmEwiCAHL+1I7Tk2T/Obsk8Su4myvX OXHkOqh2Rs1Dx8QHV0H6phUokZqL13qHIKwJtQnuajAo52QdtIxSsZUMdIFis5gy kMwkY55yQCZ8qssJ46D2I2XB4yQBiKESVLQPeFpVu3daJSCnh4ujCKiiyxxWYquz bEVeMXhoRbmqxqOzpYavdC85NgIK2XwdkAyO17qNOBf7J5B+x4EyKEPyfFDzY4QS ZMPW9AbvSWcHPABHeZ4f5zFX7Gb5aGqlvHe4G1vkmCENzFfZoQ56i5Rk3GFURXiT NwaSa4xLNBSxglcRNyI8Eayfm25V1HbzKDGfqVb6qH4L6SuVI6XjykilZyKFiI3n R8NKQ7WFginTGQCjYUAPY7vvaiAMoAQUA3CG8R3sGHPlFTYFob42fJXWYqPUAj+B aUJuiyqHdRdOZnG9kFGaISduWS6a0jfFgLR1i7F2uVjpis4nV6ghSFE8UblHE8mU hJkVBlKGgly5bDcRQxGbO1wgkT9XFsrmFJBbsJgQ3JR+qTjUjHBYVsAaZEqLtnJb IQ1bd0SDMRBG5UYBnAsk9kwbAW0tF385hgZhB7UbSbIZxJqMfDoSO47o6jHbpAtg miGFZV2swTX+GX86mJgHpo/Hx3mIqHmisKAGcgzNOCvQMqfoAkK4oEZqesYQoEUX TL/1cbv0gFWNEmvUig+O47RVKwC+En7TUKpGIkdMIh2708UJc7hppmBoK7zrbGuK pA/+a6i1bC8KeW0gl3w2uXM0xMOl2ywhZoEYhYGvCSapyHdMgD4+tl/uB61pJW6v EizRBsZfSSk0DBswYwCbMJrRhWH42aiYSRul3LvU9Wo++schYc7eYHuo20ecKrxH oRml+y0baB7IOM9rMRKDKqG7+ckExrgpZIWK1L1sWIbOPMXPe70KkAnClxPCuWbM q8eTVcBDwZ/DNBsxSqbgIY8LukBZ3HPAVTQ0C0egAypT56vO5b5muL3WnHIess6P 0hqGugvHlHeE2VBw27qvAjnTEs2fskFy9S3xWz594mIB4XyRGydHOsm/k4W3CAL4 Kw8QQT7O166R9ElGSxOhKxKdu3tEgVh8K8Afk6UjS73C63ZRIWv9rLezoJ2Qw7pa sZqs+sjNyo96FVSOpAKxh0kvhV+IVLSHxwgwkMupZCKTjEetgH2h+L11+1MogTQv BFToEbtxAE40tr1L0RFUBBcYK8osqLwTglH3Z5lbqEs0ChB52yZqo8O+V0wgByeM Vk1V0333w3rFZ7bs13HQGiVdCyi2pI/HtkqLSp1Mo2VXBm5T64gvHJowpmhatI// wJLC+GEZHEpV65ainrIXprDSmgbvm4otGFPGl6Xf3IOlfOujssEVw4pjLCp3h9/a uTgmWTYfooCcCj62QeDdyF6wttfS/axQn3MwNlhF1IRiR1GTArLCzLgGGGsMAAAA LAUCUdDGgCKhBuuFA+O1kfhNBo/CQRwxCgt8oRaXTTL4H5bwQH8/v7shAhsMAAAA 
ANQUENUjVcHUQyguZAOy03z0e9p7XWTLTdi1VJl4PI9efekunOPIP5eXCtZA2Qh5 G8/u2seabEoChPK0RtSGAZ+W/L18pc9KHSda51mjJIt2EDUGMwhKbEF5QvJL5S8g mYuAUM8/fK7D7B+eTdt+uBgUJReCj5Hzp03SVSGPPcez5Fckc6T4rCTSHgsVFV17 HpIcztv04xfVwdRtsiCypaL1bru4Mj01mmqGKmoLbBK6MBZVqOinQk2PTcXmTo4U jfI79G5Aurn84De9Ni34rSlchgxVzV3Sg0M/m4mgJ4mYWAiT/fflXuXzKVfPDp5v NviWjgRDOFeYl5nMb9O+M6bXKyfsubaSwKdLKpwE57/hYv628qe4+KPdkyEhUu+D IALBEc1AqfJ3zsR4OL3fUGvipA28mWEm0fRdCnz+5ZI1F1C/nWGhEb496qyiiZWp bNA4we5C0BGjPXyCMlOHyVaOemrqg7sLqmvlNAekJhuBsirBGeCVAzropVkOrXhc h0MbRMXJ0+Fx41LS8CRkbVucQ+OOs+7SqWfPxcxPfWtWeU8pRpwsM/laJGLK+Z+J 8PO2rSmSA/LS0dr4yLpolOB8A6W1hVUv1NPajHPACriUvIGlTwd4T4iA10kJJcJu Fh4rSRTs3JaLcmEdqa3bL+XKYbc3sHfo/+sTKl40CEBF5CyZOr1MCnwooaZ/4dn6 rSGGvJM83RAZa5JVOEIUYeZspk7uO60UWg1rfkA08rmJDrg0+h9x4+HwM3uaVI5Z LIkz9e4iK4kgia04nKdLXGX3/HpOLiBkMndwTQMHVM1izvUNm2lDi9gekcJQPSsz clCM4kDhzB9njLlLlLP0mRw1Fhq5Dm74957J+1al+cUkgrvHdyvVVuAk1WEQLVcC +iECRTui/OoeEASCQF/HatNBhN85ocfxF6kLe5f3sPa9xg0Gv2qT4fQX3ZESvPOS kKMfws7lGxNpZPLoso29tLvHR/fEnViM00XugAKAAzOTENdGS/XY/bQ/ppnZGqFU U+5DgPGb1iZN5f7GY4dVPne1jEWJar0FloRFYt/rzxGoDsObbItxQrHa5b3EY5st VgoA81TH+47rfTOR3JWTp8QndE+HNybyOX7dud2yWyd/dhQqm9JxGVHrMa2i7LWq 4CqGZ7lu87XCFEpXca+EZ3LaipMPvWSwM9pZ6+0NpTFtxyGfplH8YAq1HLRmLGpe Kousidis, et al. 
Expires 9 January 2025 [Page 50] Internet-Draft PQC in OpenPGP July 2024 rueQMp0/BzNHXgMGXnej+/CtfDdWflmzqMips/kyHjesV4OEcP8rnuZscvghKnWu tmty8s4w1EsahUFv1a4YOlM51vkQaeZZadsGxWnNsbd7MwzRdWzheeAGWpR5Yl/W Uot3DzHC1BhL5yZinsQlM4s0WIJYHqjLsNXJ8IksV+KdTgxjImeAkb3ovHxnRjcn 7mrxTC/DT/iPXtLsXIMyPdKPG1CsU1omy88x/JsYg2S8df8fdbDoQHLJ80mq2IZk H1gXIfk/J8PLjSH5o4Pk65I6e4Rh+5PFkihS44A1BGk7arBMsyYSQFCwsT03fufA hPfByeoUjFZTnYwF8wxIOUyRX7pXPUBSI4wbVtmI0CIYpcQCvrz3eB7zq0SuQjKd S8vZFBjHLOSFyXQh0kZSRqFJvShC1fiJQYWV1zphdIGyHiwprGQR9r+GGZaIrOWU Q5rlV0HGP7ctHaXHDnEvuYeAh1BohwSXJsAv09pNI6VuV8uHOyLp3BwxTvYOZfNS VDCq2xMjFRmSAOytJr5yVSPHl08VUgcKlVYLBcPju+iHvnwp1WSRJfizxCy5xhG7 affzGmz+fl1UOM8ej6igWCN3dtVv/UusZpx44xXKvV/gUPobJZtbQj3BPN/Tnqlm 4/jFfQ8a4fL0BfPiUE6dyL6aSswOR/BjApwJtRryRVN3pcQ173lL/LCV26YefmPE /ROKRbIv8X6sfCYm3Iq25cw8vguvKpTv8RaojLFxyhPszBRNXENX5cFL4Ci2IvOO V09c7BlaAfumsxJ6h61/78ae702g+3iapo5Pih+80v7pwd93R7rLCrUXDrla5M4q 4ZdIfzzFfvuNrFTjThHhgRy0R1rMsFl3+OHYMBpsHX+GzIbimj7VUHInEMtkyYz0 Z1G07e3ro0Opzh/2ta6FQIwdJgX2Ep53sdZKkYCsmcgBTAHAko6wtDw6g6V37Unh F+vCDW+Qp8e7e05Bc/+5Qaza23FNrDyyqx9yx6ExWbK0RIZHjozUxCJyvbSt/g5r vr7Ezlhtp8gwNeB7/cEnzJYvJxCmhHBan1HVjGN438sewnTeBoKDf8yo7puYaaBz yWYvr6b5soUGzkvqiYIXKWnI8zwtRnp3IhQSpWfCluaKTYTjMP3PqNCSxduYePHy iVtnV0lQt+hHw5DiWt9ubmftA5JiDLkf4tTtguOpw4uCOS1AEnrLIDJRrRU8M/zs /L2wwiVget8bW8FyOwQ2R+Rkk80LOR5jIe8S6pWNiMuGCXxgD9il3CRvgA3JG4W7 KQib6l2/ak+OacBiTlIREGyIv6YWXUy6ilVUKGIGqRNfktRgprbQVCOzEDTbPixY tMVXB+h3Hw2i2pOnFd/e67BjSdYi7RqGkyqN5Dsk5uisR5iWBmN1rRcQW/G0RqMI 2LvbdHekq3hj6bWj0f17DuIeBlorYKU3qw1Skozi0kK7qn+qg1rG4r6jEvHgTSR8 AUqEfDLl11Zt3S9bh5vV9jE5+XQQdTmsKDhFjYL8cosJ+wG60KYJGVBD51FV95d4 VYu6Kg6Tp7WLZ/sFcX4hRsU4mm0gMw6Kha95ZM9JrAA0XuQ1cNOjrlZJ5qB9S8mU pFgaaWxXyVFNygA8D1Fe5UUbiF1R8xdu+O/TKayAnNKCULoGvf7zSrCdZs5wYHt/ v5HEkQhJmDu7ymuH14XoGarmLKzrxlT/SZkMqiVzm3WDrTFF6NgNedaOGyZMLDTK oZ0xHcpkBjU4ze8XkoPqoG5/wDzoJVtUaQtvxzSo51GXVGH0EKPIdT6mAFbwOU2W +ZGWPRJrJOg1gq6RoFk8AyPfcA1cHZwcm0YigQTUp/ErWAv7p/sTAGv/3O3lFRw6 
oIk/wOTlcugTv3T130Nb0aShP6j+LEkjsSwPo8Y2wGZpafMukJYidBADo1222CnN +CCTmsPfirrYCB8XnATIwJ3AgvsSqWxY9Oo43RvNdp6YNHBC1ys7JdPg2Yuikj5I Zlq8i2hYMB236MMOlP9OKzdnU5lgLt9RJcGHjVB9E1u6Bp4emkQ7VRYELVr0MLRO CC9ppxY5bti/QYxN3ZsjaWsDELX+iKSQurGniYLPlq1LG2BGHxBOqgO2DhRhYSrD dJ2pgLFKKr56nSAZWbaViPeoPQowOS1Ebmx6vFQkecFsNqEEYCWTwOnlw2BRaB90 szsG842e/fIqmUcNuu392RzHff+yQTo3O6Y9xqdPmwZfhLSsGKSY1ThyQH6FT9qH iL65s1tz5SXeLK4lS3xQZbHC5uvojyp0ePbvudqpkoVepaUepgx5uGsAzgu6BddK /hwUbAILjegQlrFGHCuD5ufvedkrXRpXUCX0NXgHz0KULaNIQi55zR7i7IpLIDr+ 20Eu8vaVanDiXg1YF4wtjUZAQX5kMiEnWSp9LLX0cAV97k/tpbm/YZuuhfLm/1BX ebSH9vHWiJnrnFh4r7B7QjTsteGa9x64y0Dkl2b3e/6415JlisuqWbpVeco+qOD4 h05E3EahD7wjvPb/nT9FP7OWXwtMRSD9iSPIj77IM85wYJbimYPDIeFfjSu4GQ0/ RMaZkoGPWbIjCxnJihjuztm95jEDSjEXpEXjpf1wlU38aQvr1J2NdStLZrbc6uxs nV20T0dgjnml/NfEGxm1ck/IKjqkp08u2JffV9SATIcJj8DmGi2m+GLLTtSTnh8X 4f6BkLCyBksN9Oid82n40mBiVfVyWsln9mzb2cE4Q9uP6wIXPUuYDBSXuUmnS1Wb HOkRVVtehgv/CJWnlzx6/jQkf1R97elwLwwK6kbXZpeQPDr5bG9WMZUOEid1QZvn 8Xqtf4eO02ERq5AkcWHnl/FWd6cUtt37QUZlD8r+X5POMn1gUf0+IFTX73zmarr4 ydGJN5rIng36to1zwZrF31Oz7osDgI3fqE0P9lJDnFi391ZZWiRgK7SV4JFIK/x+ Zc3pM+/62xWcC2oW5u5mamYuJkxvrppkvEw8kcg8ICCn/xOVQykhHkqnMMZ+GErO tANRnKUCXcj4ICuPGDFFWxDBwGKQQadVS80dzZHO/QihC+HsZQQXVaSDCNwowT+R Kousidis, et al. 
-----END PGP PRIVATE KEY BLOCK-----

Here is the corresponding Public Key consisting of:

*  A v6 ML-DSA-ipd-65+EdDSA Public-Key packet

*  A v6 direct key self-signature

*  A User ID packet

*  A v6 positive certification self-signature

*  A v6 ML-KEM-ipd-768+X25519 Public-Subkey packet

*  A v6 subkey binding signature

A.2.  V4 PQC Subkey Artifacts

Here is a Private Key consisting of:

*  A v4 Ed25519 Private-Key packet

*  A User ID packet

*  A v4 positive certification self-signature

*  A v4 ECDH (Curve25519) Private-Subkey packet

*  A v4 subkey binding signature

*  A v4 ML-KEM-ipd-768+X25519 Private-Subkey packet

*  A v4 subkey binding signature

The primary key has the fingerprint
b2e9b532d55bd6287ec79e17c62adc0ddd1edd73.

The ECDH subkey has the fingerprint
95bed3c63f295e7b980b6a2b93b3233faf28c9d2.

The ML-KEM-ipd-768+X25519 subkey has the fingerprint
bd67d98388813e88bf3490f3e440cfbaffd6f357.
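The v4 primary-key fingerprint stated above can be recomputed from the key packet itself. The Python below is an added example, not code from the draft or its authors: it parses the first packet header of the A.2 private key, slices off the public fields of the v4 primary key, and hashes them with SHA-1 over 0x99, a two-octet length and those fields. SAMPLE_B64 is the first 54 octets of the draft's A.2 key block (header, public fields and the S2K usage octet, no secret key material); the function names are this example's own.

```python
import base64
import hashlib

# First 54 octets of the A.2 private key block as printed in the draft:
# packet header, public fields of the v4 primary key, S2K usage octet.
SAMPLE_B64 = (
    "xVgEUdDGgBYJKwYBBAHaRw8BAQdAhoSK5cJt9N37EE1UjPqp8EXhAvOBCYikgtcg"
    "HMUso9MA"
)
# Fingerprint the draft states for the A.2 primary key.
STATED_FPR = "b2e9b532d55bd6287ec79e17c62adc0ddd1edd73"


def parse_header(buf):
    """Return (tag, body_length, header_length) for one OpenPGP packet header."""
    if len(buf) < 2 or not buf[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    first = buf[0]
    if first & 0x40:                         # new-format header
        tag, l0 = first & 0x3F, buf[1]
        if l0 < 192:                         # one-octet length
            return tag, l0, 2
        if l0 < 224:                         # two-octet length
            if len(buf) < 3:
                raise ValueError("truncated length")
            return tag, ((l0 - 192) << 8) + buf[2] + 192, 3
        if l0 == 255:                        # five-octet length
            if len(buf) < 6:
                raise ValueError("truncated length")
            return tag, int.from_bytes(buf[2:6], "big"), 6
        raise ValueError("partial body length is not valid for a key packet")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # legacy header
    if ltype == 3:
        raise ValueError("indeterminate length is not valid for a key packet")
    n = 1 << ltype                           # 1, 2 or 4 length octets
    if len(buf) < 1 + n:
        raise ValueError("truncated length")
    return tag, int.from_bytes(buf[1:1 + n], "big"), 1 + n


def v4_public_fields(body):
    """Slice the public fields off the front of a v4 key packet body.

    Handles only algorithm ID 22 (OID followed by one MPI), which is what
    the sample octets carry. Returns (public_fields, created, algorithm).
    """
    if len(body) < 7 or body[0] != 4:
        raise ValueError("not a v4 key packet body")
    created = int.from_bytes(body[1:5], "big")
    algo = body[5]
    if algo != 22:
        raise ValueError("this example handles algorithm 22 only")
    pos = 6 + 1 + body[6]                    # skip OID length octet and OID
    bits = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + (bits + 7) // 8               # skip the MPI holding the point
    if pos > len(body):
        raise ValueError("truncated public key fields")
    return body[:pos], created, algo


def v4_fingerprint(public_fields):
    """SHA-1 over 0x99, two-octet big-endian length, and the public fields."""
    framed = b"\x99" + len(public_fields).to_bytes(2, "big") + public_fields
    return hashlib.sha1(framed).hexdigest()


def check_sample():
    raw = base64.b64decode(SAMPLE_B64)
    tag, body_len, hdr_len = parse_header(raw)
    public, created, algo = v4_public_fields(raw[hdr_len:])
    fpr = v4_fingerprint(public)
    return {
        "tag": tag,                # 5 = Secret-Key packet
        "body_len": body_len,      # declared length of the full packet body
        "created": created,
        "algo": algo,
        "public_len": len(public),
        "fingerprint": fpr,
        "matches": fpr == STATED_FPR,
    }


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

The same framing applies to the two v4 subkeys, with the field slicing adjusted to each algorithm's public-key layout.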
Here is the corresponding Public Key consisting of:

* A v4 Ed25519 Public-Key packet
* A User ID packet
* A v4 positive certification self-signature
* A v4 ECDH (Curve25519) Public-Subkey packet
* A v4 subkey binding signature
* A v4 ML-KEM-ipd-768+X25519 Public-Subkey packet
* A v4 subkey binding signature
Here is an SEIPDv1 unsigned message "Testing\n" encrypted to this key:

* A v3 PKESK
* A v1 SEIPD

The hex-encoded SHA3-256 ecdhKeyShare input is
98782f4d20476dc2787ce8e264731e0d0cfeac0a35732cd88cc5518b57e634a0.

The hex-encoded SHA3-256 mlkemKeyShare input is
3e8813445ee2a4a6f1a503d14149304f0ea4f626b45ed871e9381b967fb19008.

The hex-encoded SHA3-256 output is
86ea88190089aae9256f04fdd09cd62e19f2c1d02cfb844aa1f99f7b17c49743.

The hex-encoded session key is
f3037ae17d83a40ed08d884e19dc66065eac82d96337e4b74b1d10e933535e4d.
Here is an SEIPDv2 unsigned message "Testing\n" encrypted to this key:

* A v6 PKESK
* A v2 SEIPD
The hex-encoded SHA3-256 ecdhKeyShare input is
4a0b21ff26997b812f6e0381b7b4ff907ecc7abdec01f16ecbf60bdc3f633341.

The hex-encoded SHA3-256 mlkemKeyShare input is
4c0c441f23711ed5d44983e2cbfc06799295029b92f627b161cd57f072e0ebd0.

The hex-encoded SHA3-256 output is
76ea8fcc9a31a9fa672940b9ad578f6b8ecbea1b1d1175d01f1777364a8e2704.

The hex-encoded session key is
b5d810efc6b2b82e77f907813e114587aca2d0e33c9c74e90eb1638df030dcaf.
Acknowledgments

Thanks to Daniel Huigens and Evangelos Karatsiolis for the early
review and feedback on this document.

Authors' Addresses

Stavros Kousidis
BSI
Germany
Email: stavros.kousidis@bsi.bund.de

Johannes Roth
MTG AG
Germany
Email: johannes.roth@mtg.de

Falko Strenzke
MTG AG
Germany
Email: falko.strenzke@mtg.de

Aron Wussler
Proton AG
Switzerland
Email: aron@wussler.it