Re: Plans for post-quantum-secure signature algorithms for host and public key authentication?

On Sat, 12 Jul 2025 06:09:34 +1000 (AEST)
Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Fri, 11 Jul 2025, Aaron Rainbolt wrote:
> 
> > I'm currently writing some documentation for a work project, and
> > part of my job has involved doing a (somewhat over my head) deep
> > dive into the security properties of various cryptography-related
> > algorithms in OpenSSH and which ones are likely to be superior to
> > others in various scenarios. In the process of doing this, I noted
> > that it seems OpenSSH supports post-quantum-secure algorithms for
> > symmetric encryption, key exchange, and message authentication
> > codes, but notably lacks a post-quantum-secure signature algorithm
> > for host key and public key authentication. As I understand it
> > (keep in mind I am not a cryptographer by any means), this means
> > that an attacker with a sufficiently powerful quantum computer
> > could, in the future, MITM SSH connections or spoof trusted client
> > devices.
> > 
> > Are there any plans to integrate a post-quantum-secure signature
> > algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?  
> 
> We have experimental XMSS support in OpenSSH, but it's not really
> usable and will probably be removed when we get a more modern PQ
> signature scheme.
> 
> There are no concrete plans to add support for a PQ signature scheme
> but I think that it's fairly likely we'll add support for hybrid
> ML-DSA/ed25519 per
> https://datatracker.ietf.org/doc/draft-sun-ssh-composite-sigs/01/

Nice. If some input is allowable, I would like to see SLH-DSA
specifically, though, since, as I understand it, ML-DSA is related to
ML-KEM (Kyber), and there are concerns that Kyber's security properties
may have been intentionally misrepresented by NIST. [1] [2] Currently,
in the documentation I'm working on, I've recommended the use of
sntrup761x25519-sha512 over mlkem768x25519-sha256 after skimming
through the mentioned articles. SLH-DSA, I believe, also has
better-understood security properties, so it may be more reliable.
Obviously having an ML-DSA mode won't hurt, but given the choice, I'd
prefer to use SLH-DSA.

> > (Unrelated, the "About openssh-unix-dev" page [1] claims that the
> > list is open for non-subscribers, but my first attempt at sending
> > this was rejected with "Posting by non-members to
> > openssh-unix-dev@xxxxxxxxxxx is currently disabled, sorry." It
> > might be useful to correct the page so people know to subscribe
> > first.)  
> 
> Sorry, fixed.

Thanks :)

[1] https://blog.cr.yp.to/20231003-countcorrectly.html
[2] https://blog.cr.yp.to/20231125-kyber.html

--
Aaron
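Added example (not code from the thread or from OpenSSH): a small audit of `ssh -v` debug output that flags the gap discussed above, namely that a connection can negotiate a post-quantum hybrid key exchange while the host key signature is still a classical algorithm. The sample log lines are constructed, and the sets used to classify algorithms as post-quantum are this example's own assumption.

```python
import re

# Hybrid post-quantum KEX names OpenSSH accepts (older @openssh.com spelling included).
# Which names count as PQ is this example's own assumption, not a list OpenSSH provides.
PQ_HYBRID_KEX = {
    "sntrup761x25519-sha512",
    "sntrup761x25519-sha512@openssh.com",
    "mlkem768x25519-sha256",
}
# No released OpenSSH host-key signature algorithm is post-quantum (XMSS is experimental),
# so this set stays empty until a scheme such as hybrid ML-DSA/ed25519 ships.
PQ_HOSTKEY_SIG: set[str] = set()

# Lines ssh(1) prints at -v once algorithm negotiation completes.
KEX_RE = re.compile(r"^debug1: kex: algorithm: (\S+)$", re.M)
HOSTKEY_RE = re.compile(r"^debug1: kex: host key algorithm: (\S+)$", re.M)

# Constructed sample of `ssh -v` output; not a capture from a real host.
SAMPLE_LOG = """\
debug1: kex: algorithm: sntrup761x25519-sha512
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
"""

def audit(log: str) -> dict:
    """Classify the negotiated KEX and host-key signature found in ssh -v output."""
    kex, hostkey = KEX_RE.search(log), HOSTKEY_RE.search(log)
    if kex is None or hostkey is None:
        raise ValueError("no completed key exchange found in log")
    kex_alg, hk_alg = kex.group(1), hostkey.group(1)
    return {
        "kex": kex_alg,
        "kex_pq": kex_alg in PQ_HYBRID_KEX,
        "hostkey": hk_alg,
        "hostkey_pq": hk_alg in PQ_HOSTKEY_SIG,
    }

def findings(report: dict) -> list[str]:
    """Warnings for the reviewer; an empty list means nothing to flag."""
    out = []
    if not report["kex_pq"]:
        out.append(f"classical key exchange {report['kex']}: recorded traffic not PQ-protected")
    if not report["hostkey_pq"]:
        out.append(f"classical host key signature {report['hostkey']}: host identity not PQ-protected")
    return out

if __name__ == "__main__":
    for line in findings(audit(SAMPLE_LOG)):
        print("WARN:", line)
```

With the sample log the KEX passes and only the host key signature is flagged, which is exactly the situation the thread describes for current OpenSSH releases.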


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
