Simon Josefsson
2025-Jul-11 20:39 UTC
Plans for post-quantum-secure signature algorithms for host and public key authentication?
Aaron Rainbolt <arraybolt3 at gmail.com> writes:> Are there any plans to integrate a post-quantum-secure signature > algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?I don't know, but I made initial experiments with it: https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphincs/ There is a specification for it: https://datatracker.ietf.org/doc/html/draft-josefsson-ssh-sphincs-00 Niels M?ller implemented SLH-DSA recently and did some performance statistics: https://lists.lysator.liu.se/mailman/hyperkitty/list/nettle-bugs at lists.lysator.liu.se/message/FQU6J4OGIKCE46SXOYG4HFZ67MVOGDIL/ After that I am inclined to add more algorithm options: it seems fast verification (thus the "slow" variant) may be more relevant to software signing code paths, and the 128-bit variants may be relevant for online interactive use. I'm still mixed about the cost to add both SHAKE and SHA2, I picked SHA2 because it is faster. If there is interest, I'm happy to make another iteration of these patches. /Simon -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 1251 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250711/d31661a1/attachment.asc>
Aaron Rainbolt
2025-Jul-11 21:18 UTC
Plans for post-quantum-secure signature algorithms for host and public key authentication?
On Fri, 11 Jul 2025 22:39:17 +0200 Simon Josefsson <simon at josefsson.org> wrote:> Aaron Rainbolt <arraybolt3 at gmail.com> writes: > > > Are there any plans to integrate a post-quantum-secure signature > > algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)? > > I don't know, but I made initial experiments with it: > > https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphincs/ > > There is a specification for it: > > https://datatracker.ietf.org/doc/html/draft-josefsson-ssh-sphincs-00 > > Niels M?ller implemented SLH-DSA recently and did some performance > statistics: > > https://lists.lysator.liu.se/mailman/hyperkitty/list/nettle-bugs at lists.lysator.liu.se/message/FQU6J4OGIKCE46SXOYG4HFZ67MVOGDIL/ > > After that I am inclined to add more algorithm options: it seems fast > verification (thus the "slow" variant) may be more relevant to > software signing code paths, and the 128-bit variants may be relevant > for online interactive use. I'm still mixed about the cost to add > both SHAKE and SHA2, I picked SHA2 because it is faster. > > If there is interest, I'm happy to make another iteration of these > patches.The distros I'm helping develop and document (Kicksecure and Whonix) are stuck using whatever is in Debian, so while I can definitely say I'm interested in it, I'm not exactly sure I can say I'm interested in getting it "out there" in a particular hurry. If this was to be "resurrected" to some degree, it would be neat if this could be combined with a more traditional Ed25519 signature verification, similar to the hybrid PQ kex algorithms currently available. Depending on how exactly SLH-DSA works (which I have not studied), that might be way over-paranoid, but my workplace likes way over-paranoid :P If there's something I could do to meaningfully contribute to this sort of thing, feel free to let me know. -- Aaron> /Simon-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250711/4c76571f/attachment.asc>