Damien Miller
2025-Jul-11 20:09 UTC
Plans for post-quantum-secure signature algorithms for host and public key authentication?
On Fri, 11 Jul 2025, Aaron Rainbolt wrote:

> I'm currently writing some documentation for a work project, and part
> of my job has involved doing a (somewhat over my head) deep dive into
> the security properties of various cryptography-related algorithms in
> OpenSSH and which ones are likely to be superior to others in various
> scenarios. In the process of doing this, I noted that it seems OpenSSH
> supports post-quantum-secure algorithms for symmetric encryption, key
> exchange, and message authentication codes, but notably lacks a
> post-quantum-secure signature algorithm for host key and public key
> authentication. As I understand it (keep in mind I am not a
> cryptographer by any means), this means that an attacker with a
> sufficiently powerful quantum computer could, in the future, MITM SSH
> connections or spoof trusted client devices.
>
> Are there any plans to integrate a post-quantum-secure signature
> algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?

We have experimental XMSS support in OpenSSH, but it's not really usable
and will probably be removed when we get a more modern PQ signature
scheme.

There are no concrete plans to add support for a PQ signature scheme but
I think that it's fairly likely we'll add support for hybrid
ML-DSA/ed25519 per
https://datatracker.ietf.org/doc/draft-sun-ssh-composite-sigs/01/

> (Unrelated, the "About openssh-unix-dev" page [1] claims that the list
> is open for non-subscribers, but my first attempt at sending this was
> rejected with "Posting by non-members to openssh-unix-dev at mindrot.org
> is currently disabled, sorry." It might be useful to correct the page
> so people know to subscribe first.)

Sorry, fixed.

-d
Aaron Rainbolt
2025-Jul-11 21:08 UTC
Plans for post-quantum-secure signature algorithms for host and public key authentication?
On Sat, 12 Jul 2025 06:09:34 +1000 (AEST)
Damien Miller <djm at mindrot.org> wrote:

> On Fri, 11 Jul 2025, Aaron Rainbolt wrote:
>
> > I'm currently writing some documentation for a work project, and
> > part of my job has involved doing a (somewhat over my head) deep
> > dive into the security properties of various cryptography-related
> > algorithms in OpenSSH and which ones are likely to be superior to
> > others in various scenarios. In the process of doing this, I noted
> > that it seems OpenSSH supports post-quantum-secure algorithms for
> > symmetric encryption, key exchange, and message authentication
> > codes, but notably lacks a post-quantum-secure signature algorithm
> > for host key and public key authentication. As I understand it
> > (keep in mind I am not a cryptographer by any means), this means
> > that an attacker with a sufficiently powerful quantum computer
> > could, in the future, MITM SSH connections or spoof trusted client
> > devices.
> >
> > Are there any plans to integrate a post-quantum-secure signature
> > algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?
>
> We have experimental XMSS support in OpenSSH, but it's not really
> usable and will probably be removed when we get a more modern PQ
> signature scheme.
>
> There are no concrete plans to add support for a PQ signature scheme
> but I think that it's fairly likely we'll add support for hybrid
> ML-DSA/ed25519 per
> https://datatracker.ietf.org/doc/draft-sun-ssh-composite-sigs/01/

Nice. If some input is allowable, I would like to see SLH-DSA
specifically though since as I understand it, ML-DSA is related to
ML-KEM (Kyber), and there are concerns that Kyber's security properties
may have been intentionally misrepresented by NIST. [1] [2] Currently
in the documentation I'm working on, I've recommended the use of
sntrup761x25519-sha512 over mlkem768x25519-sha256 after skimming
through the mentioned articles.
SLH-DSA I believe also has better-understood security properties, so it
may be more reliable. Obviously having an ML-DSA mode won't hurt, but
given the choice, I'd prefer to use SLH-DSA.

> > (Unrelated, the "About openssh-unix-dev" page [1] claims that the
> > list is open for non-subscribers, but my first attempt at sending
> > this was rejected with "Posting by non-members to
> > openssh-unix-dev at mindrot.org is currently disabled, sorry." It
> > might be useful to correct the page so people know to subscribe
> > first.)
>
> Sorry, fixed.

Thanks :)

[1] https://blog.cr.yp.to/20231003-countcorrectly.html
[2] https://blog.cr.yp.to/20231125-kyber.html

--
Aaron
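The thread draws a line that is easy to lose in a config review: OpenSSH's post-quantum protection today lives in the key exchange (sntrup761x25519-sha512 and mlkem768x25519-sha256, the two names Aaron compares), while host key and user key signatures remain classical until a scheme like the hybrid ML-DSA/ed25519 Damien mentions lands. The script below is an added example, not code from the thread or from the OpenSSH project: it writes a constructed ssh_config that prefers the PQ hybrid KEX, then checks two things a reviewer would want confirmed, that the first KexAlgorithms entry is a PQ hybrid and that every HostKeyAlgorithms entry is a classical family (so nobody mistakes the KEX setting for PQ authentication). The `KexAlgorithms` and `HostKeyAlgorithms` keywords are real ssh_config keywords; the "classical family" pattern match is a heuristic I chose for the example, and the sample config is invented.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): audit an ssh_config for
# a post-quantum hybrid key exchange preference, and confirm that host key
# signature algorithms are still classical. Algorithm names are the OpenSSH
# KEX names discussed in the thread; the config written below is constructed.
set -eu

# Constructed client config: PQ hybrid KEX first, classical curve25519 kept
# as a fallback for servers that do not offer either hybrid yet.
write_sample_config() {
    cat > "$1" <<'EOF'
Host *
    # Prefer post-quantum hybrid key exchange (constructed example)
    KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256
    # Host key signatures: OpenSSH has no production PQ option, so these stay classical
    HostKeyAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
EOF
}

# Print the first KexAlgorithms entry in a config file (empty if unset).
# ssh_config keywords are case-insensitive, hence tolower().
first_kex() {
    awk 'tolower($1)=="kexalgorithms" { split($2, a, ","); print a[1]; exit }' "$1"
}

# Return 0 if the preferred (first) KEX is one of the PQ hybrids, else 1.
pq_kex_preferred() {
    case "$(first_kex "$1")" in
        sntrup761x25519-sha512|mlkem768x25519-sha256) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if every HostKeyAlgorithms entry belongs to a classical family
# (heuristic substring match chosen for this example), 1 if the keyword is
# missing or an entry falls outside those families.
hostkey_all_classical() {
    list=$(awk 'tolower($1)=="hostkeyalgorithms" { print $2; exit }' "$1")
    [ -n "$list" ] || return 1
    for alg in $(printf '%s' "$list" | tr ',' ' '); do
        case "$alg" in
            *ed25519*|*rsa*|*ecdsa*|*dss*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone demonstration on the constructed config.
cfg=$(mktemp)
write_sample_config "$cfg"
printf 'preferred KEX: %s\n' "$(first_kex "$cfg")"
if pq_kex_preferred "$cfg"; then
    echo "key exchange: post-quantum hybrid preferred"
else
    echo "key exchange: classical algorithm preferred (review KexAlgorithms)"
fi
if hostkey_all_classical "$cfg"; then
    echo "host key auth: classical signatures only (expected with current OpenSSH)"
else
    echo "host key auth: non-classical or missing HostKeyAlgorithms entry"
fi
rm -f "$cfg"
```

On a real host, `ssh -Q kex` lists the KEX algorithms the installed OpenSSH build supports, and `ssh -G somehost | grep -i kexalgorithms` shows the effective ordered list after all config files are merged; feeding that output through `pq_kex_preferred` is the same check without trusting a single file. The point of the second function is the one Aaron's question raises: a PQ-preferred KEX protects the session's confidentiality against a future quantum adversary, but the host key that authenticates the server is still an ed25519 (or RSA/ECDSA) signature.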