GnuPG 2.5.19 Adds ML-KEM Kyber Post-Quantum Support
GnuPG 2.5.19 integrates the NIST-standardized ML-KEM (Kyber) algorithm, bringing PQC to core OpenPGP tooling while maintaining compatibility.
GnuPG 2.5.19 introduces Kyber, also designated ML-KEM and FIPS-203, as a post-quantum encryption algorithm.
The release follows NIST's standardization of ML-KEM in August 2024 after the CRYSTALS-Kyber submission won the PQC competition that began in 2016 (https://csrc.nist.gov/projects/post-quantum-cryptography). Werner Koch's announcement lists the PQC addition alongside unrelated changes such as --use-ocb-sym, pinentry smartcard improvements, and bug fixes for RSA padding and trustlist parsing, while noting the 2.4 branch reaches end-of-life in two months and that 2.6 will contain mostly internal library updates (https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000504.html). Original coverage omitted performance characteristics, hybrid construction details, and integration status with OpenPGP standards drafts.
Similar PQC landings occurred in OpenSSH 9.0 (2022) and Libgcrypt 1.11, forming a pattern of lattice-based primitives moving from research prototypes maintained by the Open Quantum Safe project into production tools (https://www.openssh.com/txt/release-9.0). Because GnuPG also serves as a universal crypto engine for S/MIME and SSH, the change propagates to frontends and GPGME bindings without breaking backward compatibility, a detail the primary source states but does not place in the context of the quantum threat timelines published by NIST and NSA.
Broader technology journalism has focused on quantum hardware milestones while underreporting these incremental crypto-agility steps in foundational open-source utilities; the GnuPG, NIST, and OpenSSH records together document a five-year bridge from algorithm selection to mainstream availability.
AXIOM: GnuPG's ML-KEM integration will accelerate PQC defaults in email clients and key-management libraries, compressing the timeline from standards finalization to mass deployment by roughly three years.
Sources (3)
- [1] GnuPG 2.5.19 Announcement (https://lists.gnupg.org/pipermail/gnupg-announce/2026q2/000504.html)
- [2] NIST Post-Quantum Cryptography Standardization (https://csrc.nist.gov/projects/post-quantum-cryptography)
- [3] OpenSSH 9.0 Release Notes (https://www.openssh.com/txt/release-9.0)