Following Werner’s message on gnupg-users a few days ago, I tried creating a Kyber768_Cv25519 key by re-using a pre-existing Cv25519 key whose private part is on a Gnuk token (instead of letting GnuPG generate a distinct ECC key).
That is, I generated a Kyber768 key from the GnuPG Agent using the command suggested by Werner:
$ gpg-connect-agent "/let param (genkey(kyber1024))" "/definq KEYPARAM param" "/datafile a.pub" "genkey --no-protection" /bye
Then I fired up GnuPG's key editor (gpg --expert --edit-key damien), used the addkey command, selected option 13 (Existing key), and entered the keygrips from my pre-existing Cv25519 key and from the Kyber768 key I had just generated, separated by a comma. This seems to have worked as expected: GnuPG recognized the two keygrips without problems, and I ended up with a new ky768_cv25519 subkey (whose first keygrip is the same as the keygrip of my pre-existing Cv25519 key).
Encryption also seems to work as I would expect. Trying to encrypt something to myself with --disable-pqc-encryption causes GnuPG to encrypt to the Cv25519 key only, while encrypting without that option (or with --require-pqc-encryption) causes GnuPG to encrypt to the Ky768_cv25519 key.
However, decryption does not work:
$ gpg -d test.asc
gpg: encrypted with ky768_cv25519 key, ID 8A0147DCF2FAB068, created 2025-05-11
      "Damien Goutte-Gattat <dgouttegattat@incenp.org>"
gpg: public key decryption failed: No secret key
gpg: decryption failed: No secret key
I was not prompted for my token's PIN. In fact, if the token is not inserted, I am not even prompted to insert it (as I would be for something encrypted to the Cv25519 key only), instead I get a slightly different error:
$ gpg -d test.asc
gpg: encrypted with ky768_cv25519 key, ID 8A0147DCF2FAB068, created 2025-05-11
      "Damien Goutte-Gattat <dgouttegattat@incenp.org>"
gpg: public key decryption failed: No such device
gpg: decryption failed: No such device
However, if both the Cv25519 key and the Ky768 key are on disk, instead of only the Ky768 key (I tried that in a temporary GnuPG home, in which I restored a backup of my Cv25519 key), then decryption works fine.
So, it seems that decrypting to a Ky768_Cv25519 key only works when both keys are on disk, not when the ECC key is on a token. According to Werner’s aforementioned message, this should be a supported use case.
All of the above was done using the latest GnuPG 2.5.6. I can do more tests and/or provide GPG-Agent or Scdaemon logs if needed.