* [feature] PQC KEM
@ 2026-06-29 16:27 cyper
From: cyper @ 2026-06-29 16:27 UTC (permalink / raw)
To: Cryptsetup
Interested in introducing a new LUKS2 "xwing" keyslot type unlocked by an X-Wing
post-quantum hybrid KEM (ML-KEM-768 + X25519, draft-connolly-cfrg-xwing-kem)
instead of a passphrase to encrypt the KEK (volume key)?
1) An asymmetric model won't shine in the single-user case but will be attractive in multi-user/image enrollment cases.
2) If a per-device fresh wrapping key is desired.
I've implemented such a keyslot type and tested it. But I don't know if the aforementioned two cases are worth discussing.
Kind regards,
Alan
* Re: [feature] PQC KEM
From: Milan Broz @ 2026-06-29 16:42 UTC (permalink / raw)
To: cyper, Cryptsetup
On 6/29/26 6:27 PM, cyper@tutanota.com wrote:
> Interested in introducing a new LUKS2 "xwing" keyslot type unlocked by an X-Wing
> post-quantum hybrid KEM (ML-KEM-768 + X25519, draft-connolly-cfrg-xwing-kem)
> instead of a passphrase to encrypt the KEK (volume key)?
>
> 1) An asymmetric model won't shine in the single-user case but will be attractive in multi-user/image enrollment cases.
> 2) If a per-device fresh wrapping key is desired.
>
> I've implemented such a keyslot type and tested it. But I don't know if the aforementioned two cases are worth discussing.
This is typically something that should be done through a LUKS2 external token while keeping keyslot
encryption as it is defined in LUKS. (Maybe you did it that way, no idea.)
Anyway, what security issue does this solve (except "it is PQC")?
Milan
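A worked sketch of the token model Milan describes, added here as an example; it is not part of this thread and not cryptsetup's code. The point it shows: the keyslot keeps LUKS2's normal PBKDF-based encryption of the volume key, and the KEM only protects a random, high-entropy keyslot secret stored in a user token, so nothing in the on-disk keyslot format changes. The token field names, the `xwing-demo` type string, the `EnrollToken`/`UnlockToken` functions and the KDF label are assumptions. To stay inside Go's standard library the KEM is X25519 alone; the ML-KEM-768 half of X-Wing and its combiner are deliberately omitted, so this is a structural demonstration, not a post-quantum one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// KemToken is a constructed stand-in for a LUKS2 user token (field names are
// assumptions, not cryptsetup's): it names the keyslot it unlocks and carries the
// KEM ciphertext plus the AEAD-wrapped keyslot secret. The keyslot itself keeps
// LUKS2's own PBKDF + anti-forensic handling of the volume key.
type KemToken struct {
	Type     string   `json:"type"`
	Keyslots []string `json:"keyslots"`
	KemCT    string   `json:"kem_ct"`         // base64 KEM ciphertext (here: ephemeral X25519 public key)
	Wrapped  string   `json:"wrapped_secret"` // base64 AES-256-GCM(keyslot secret) with tag
}

const kdfLabel = "luks2-kem-token-demo v1" // constructed domain-separation label

// sharedKey is HKDF-SHA256 (RFC 5869, empty salt, one 32-byte block) over the raw
// X25519 secret, with ciphertext and recipient key in info, as X-Wing's combiner
// hashes both into its shared secret. Only the standard library is used.
func sharedKey(raw, ct, recipientPub []byte) []byte {
	ext := hmac.New(sha256.New, nil)
	ext.Write(raw)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	for _, part := range [][]byte{[]byte(kdfLabel), ct, recipientPub, {1}} {
		exp.Write(part)
	}
	return exp.Sum(nil)
}

// aead builds AES-256-GCM for a one-time key. Each token gets a fresh ephemeral
// key, so a fixed all-zero nonce is safe and need not be stored.
func aead(key []byte) (cipher.AEAD, []byte) {
	block, _ := aes.NewCipher(key) // cannot fail: sharedKey returns 32 bytes
	gcm, _ := cipher.NewGCM(block)
	return gcm, make([]byte, gcm.NonceSize())
}

// EnrollToken encapsulates to the recipient (X25519 only; the ML-KEM-768 half of
// X-Wing is deliberately omitted) and wraps a high-entropy keyslot secret under
// the result. The keyslot id is authenticated data, so the token cannot be
// re-pointed at another slot without failing the tag check.
func EnrollToken(recipient *ecdh.PublicKey, keyslotID string, secret []byte) (*KemToken, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	raw, err := eph.ECDH(recipient)
	if err != nil {
		return nil, err
	}
	ct := eph.PublicKey().Bytes() // the KEM "ciphertext"
	gcm, nonce := aead(sharedKey(raw, ct, recipient.Bytes()))
	b64 := base64.StdEncoding.EncodeToString
	return &KemToken{Type: "xwing-demo", Keyslots: []string{keyslotID}, KemCT: b64(ct),
		Wrapped: b64(gcm.Seal(nil, nonce, secret, []byte(keyslotID)))}, nil
}

// UnlockToken decapsulates with the recipient's private key and recovers the
// keyslot secret, which then goes into the ordinary LUKS2 keyslot open path.
// Wrong key, altered ciphertext or altered keyslot id all fail at the AEAD tag.
func UnlockToken(priv *ecdh.PrivateKey, tok *KemToken) ([]byte, error) {
	if len(tok.Keyslots) != 1 {
		return nil, fmt.Errorf("token must reference exactly one keyslot")
	}
	ct, err := base64.StdEncoding.DecodeString(tok.KemCT)
	if err != nil {
		return nil, err
	}
	wrapped, err := base64.StdEncoding.DecodeString(tok.Wrapped)
	if err != nil {
		return nil, err
	}
	ephPub, err := ecdh.X25519().NewPublicKey(ct)
	if err != nil {
		return nil, err
	}
	raw, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, nonce := aead(sharedKey(raw, ct, priv.PublicKey().Bytes()))
	return gcm.Open(nil, nonce, wrapped, []byte(tok.Keyslots[0]))
}

func main() {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	secret := make([]byte, 32) // constructed: the random secret that unlocks keyslot 0
	rand.Read(secret)
	tok, _ := EnrollToken(priv.PublicKey(), "0", secret)
	got, err := UnlockToken(priv, tok)
	fmt.Printf("token=%+v\nunlocked ok: %v\n", *tok, err == nil && string(got) == string(secret))
}
```

Under this split the secret handed to the keyslot is 32 random bytes regardless of the user's credentials, which addresses the low-entropy passphrase concern without touching keyslot encryption, and a recipient can be revoked by deleting its token while the keyslot and any other tokens pointing at it stay valid. A real X-Wing token would replace the X25519-only encapsulation with the hybrid one and keep everything else as shown.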
* Re: [feature] PQC KEM
From: cyper @ 2026-06-29 17:50 UTC (permalink / raw)
To: Milan Broz; +Cc: Cryptsetup
Avoid low-entropy passphrases. (I am aware of key files, which are yet another passphrase passed to the PBKDF.)
Avoid the PBKDF, because the default one, argon2, is not FIPS compliant.
Enable public recipient access.
29 Jun 2026 at 17:42 by gmazyland@gmail.com:
> On 6/29/26 6:27 PM, cyper@tutanota.com wrote:
>
>> Interested in introducing a new LUKS2 "xwing" keyslot type unlocked by an X-Wing
>> post-quantum hybrid KEM (ML-KEM-768 + X25519, draft-connolly-cfrg-xwing-kem)
>> instead of a passphrase to encrypt the KEK (volume key)?
>>
>> 1) An asymmetric model won't shine in the single-user case but will be attractive in multi-user/image enrollment cases.
>> 2) If a per-device fresh wrapping key is desired.
>>
>> I've implemented such a keyslot type and tested it. But I don't know if the aforementioned two cases are worth discussing.
>>
>
> This is typically something that should be done through a LUKS2 external token while keeping keyslot
> encryption as it is defined in LUKS. (Maybe you did it that way, no idea.)
>
> Anyway, what security issue does this solve (except "it is PQC")?
>
> Milan
>
* Re: [feature] PQC KEM
From: Arno Wagner @ 2026-06-29 18:40 UTC (permalink / raw)
To: Milan Broz; +Cc: cyper, Cryptsetup
On Mon, Jun 29, 2026 at 18:42:03 CEST, Milan Broz wrote:
> On 6/29/26 6:27 PM, cyper@tutanota.com wrote:
> > Interested in introducing a new LUKS2 "xwing" keyslot type unlocked by an X-Wing
> > post-quantum hybrid KEM (ML-KEM-768 + X25519, draft-connolly-cfrg-xwing-kem)
> > instead of a passphrase to encrypt the KEK (volume key)?
> >
> > 1) An asymmetric model won't shine in the single-user case but will be attractive in multi-user/image enrollment cases.
> > 2) If a per-device fresh wrapping key is desired.
> >
> > I've implemented such a keyslot type and tested it. But I don't know if the aforementioned two cases are worth discussing.
>
> This is typically something that should be done through a LUKS2 external token while keeping keyslot
> encryption as it is defined in LUKS. (Maybe you did it that way, no idea.)
>
> Anyway, what security issue does this solve (except "it is PQC")?
That seems to be the key question.
Also refer to https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf
Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
----
A good decision is based on knowledge and not on numbers. -- Plato
If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
* Re: [feature] PQC KEM
From: cyper @ 2026-06-30 13:51 UTC (permalink / raw)
To: Arno Wagner; +Cc: Milan Broz, Cryptsetup
PQC is not the primary benefit; the asymmetric key model is. I'm kinda curious about how such a use case is valid.
29 Jun 2026 at 19:40 by wagner@arnowagner.info:
> On Mon, Jun 29, 2026 at 18:42:03 CEST, Milan Broz wrote:
>
>> On 6/29/26 6:27 PM, cyper@tutanota.com wrote:
>> > Interested in introducing a new LUKS2 "xwing" keyslot type unlocked by an X-Wing
>> > post-quantum hybrid KEM (ML-KEM-768 + X25519, draft-connolly-cfrg-xwing-kem)
>> > instead of a passphrase to encrypt the KEK (volume key)?
>> >
>> > 1) An asymmetric model won't shine in the single-user case but will be attractive in multi-user/image enrollment cases.
>> > 2) If a per-device fresh wrapping key is desired.
>> >
>> > I've implemented such a keyslot type and tested it. But I don't know if the aforementioned two cases are worth discussing.
>>
>> This is typically something that should be done through a LUKS2 external token while keeping keyslot
>> encryption as it is defined in LUKS. (Maybe you did it that way, no idea.)
>>
>> Anyway, what security issue does this solve (except "it is PQC")?
>>
>
> That seems to be the key question.
>
> Also refer to https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf
>
> Arno
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@wagner.name
> GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718
> ----
> A good decision is based on knowledge and not on numbers. -- Plato
>
> If it's in the news, don't worry about it. The very definition of
> "news" is "something that hardly ever happens." -- Bruce Schneier
>