Exploring Post-Quantum Key Exchange Integration in GnuPG: Challenges & Roadmap

Hello everyone

With the accelerating progress in quantum computing, the question of the resilience of OpenPGP / GnuPG to quantum attacks is becoming more urgent. A recent survey of cryptographic libraries shows inconsistent support for NIST-selected post-quantum algorithms like Kyber and Dilithium (arXiv).

I’d like to propose, and seek feedback on, integrating post-quantum key exchange (PQKE) into GnuPG (for example, hybrid schemes combining classical and PQC). Some key points to discuss:

  • Backward compatibility & interoperability: How to support legacy OpenPGP clients while introducing PQ components?
  • Performance impact: What trade-offs in speed, signature size, and memory would arise?
  • Security and implementation risks: Side channels, parameter choices, and correct fallback behaviors.
  • Roadmap proposal: A staged plan (experiment, optional mode, default hybrid, eventual PQ only) and how to roll it out safely.

Has anyone in the community already prototyped such a feature or done research? What do you see as the main obstacles?

Looking forward to hearing your insights and possibly forming a working subgroup to explore PQ integration in GnuPG.
