Aaron Rainbolt
2025-Jul-11 21:18 UTC
Plans for post-quantum-secure signature algorithms for host and public key authentication?
On Fri, 11 Jul 2025 22:39:17 +0200 Simon Josefsson <simon at josefsson.org> wrote:

> Aaron Rainbolt <arraybolt3 at gmail.com> writes:
>
> > Are there any plans to integrate a post-quantum-secure signature
> > algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?
>
> I don't know, but I made initial experiments with it:
>
> https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphincs/
>
> There is a specification for it:
>
> https://datatracker.ietf.org/doc/html/draft-josefsson-ssh-sphincs-00
>
> Niels Möller implemented SLH-DSA recently and did some performance
> statistics:
>
> https://lists.lysator.liu.se/mailman/hyperkitty/list/nettle-bugs at lists.lysator.liu.se/message/FQU6J4OGIKCE46SXOYG4HFZ67MVOGDIL/
>
> After that I am inclined to add more algorithm options: it seems fast
> verification (thus the "slow" variant) may be more relevant to
> software signing code paths, and the 128-bit variants may be relevant
> for online interactive use. I'm still mixed about the cost to add
> both SHAKE and SHA2, I picked SHA2 because it is faster.
>
> If there is interest, I'm happy to make another iteration of these
> patches.
>
> /Simon

The distros I'm helping develop and document (Kicksecure and Whonix) are stuck using whatever is in Debian, so while I can definitely say I'm interested in it, I'm not exactly sure I can say I'm interested in getting it "out there" in a particular hurry.

If this was to be "resurrected" to some degree, it would be neat if this could be combined with a more traditional Ed25519 signature verification, similar to the hybrid PQ kex algorithms currently available. Depending on how exactly SLH-DSA works (which I have not studied), that might be way over-paranoid, but my workplace likes way over-paranoid :P

If there's something I could do to meaningfully contribute to this sort of thing, feel free to let me know.

-- 
Aaron
Simon Josefsson
2025-Jul-11 22:08 UTC
Plans for post-quantum-secure signature algorithms for host and public key authentication?
Aaron Rainbolt <arraybolt3 at gmail.com> writes:

> If this was to be "resurrected" to some degree, it would be neat if
> this could be combined with a more traditional Ed25519 signature
> verification, similar to the hybrid PQ kex algorithms currently
> available. Depending on how exactly SLH-DSA works (which I have not
> studied), that might be way over-paranoid, but my workplace likes way
> over-paranoid :P
>
> If there's something I could do to meaningfully contribute to this sort
> of thing, feel free to let me know.

SLH-DSA/SPHINCS+ is based on traditional old-school hashes (e.g., SHA2), and I think many cryptographers are even more comfortable with that compared to RSA/ECDSA/EdDSA. Could you read up on SLH-DSA and re-evaluate? I like belt-and-suspenders approaches, but one shouldn't be blind to specifics.

I would not use ML-DSA unless it was in a hybrid, and I generally prefer hybrid constructs for everything PQ, but for SLH-DSA I am personally ready to make an exception. The risk for signatures is smaller than for KEX, where the attack surface becomes passively decrypting all prior communication, whereas for signatures it requires an online active SLH-DSA attack to be useful. For long-term SSHSIG used to authenticate software releases (via git signing) this argument doesn't apply, though.

Still, maybe this is a losing fight, and it is actually simpler to promote Ed25519 + SLH-DSA in a hybrid because the optics of it are simpler to take in for everyone who is migrating from an Ed25519 world.

Having more discussion and opinions on this would be nice.

/Simon
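Simon's point that SLH-DSA/SPHINCS+ rests on ordinary hashes is easiest to see from the one-time signature that sits at the bottom of every hash-based scheme. The Lamport one-time signature over SHA-256 below is an added illustration for this thread, not code from OpenSSH, Nettle or the SSH SPHINCS+ draft: the public key is a list of hash outputs, a signature reveals one secret preimage per bit of the message digest, and verification is nothing more than re-hashing, so forging a signature reduces to finding SHA-256 preimages. SLH-DSA turns this one-time primitive into a many-time scheme by layering WOTS+, FORS and a hypertree on top, which is why it is expensive but does not need any new algebraic assumption. The `LamportSigner` state tracking (a one-time key must never sign two distinct messages, so the signer refuses) and the `hybrid_verify` wrapper (every component must accept, the "both must pass" rule Aaron asks about for an Ed25519 + SLH-DSA hybrid) are my own constructions; because this example stays inside the standard library, the second hybrid component is a second Lamport key standing in for the Ed25519 half.

```python
"""Lamport one-time signature over SHA-256 (illustrative, not OpenSSH/Nettle code).

The security argument is the one Simon gives for SLH-DSA: an attacker who
wants to forge must invert a plain hash. All sizes follow from the digest
length: 256 bit positions, two 32-byte secrets per position.
"""
import hashlib
import secrets

HASH = hashlib.sha256
N = HASH().digest_size        # 32 bytes per hash output / secret preimage
BITS = N * 8                  # the message digest is signed bit by bit


def H(data: bytes) -> bytes:
    return HASH(data).digest()


def keygen(rng=secrets.token_bytes):
    """Secret key: a (zero, one) pair of random preimages for every digest bit.
    Public key: the hash of each preimage, in the same layout."""
    sk = [(rng(N), rng(N)) for _ in range(BITS)]
    pk = [(H(zero), H(one)) for zero, one in sk]
    return sk, pk


def _bits(digest: bytes):
    """Yield the bits of a digest, most significant bit of each byte first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


class LamportSigner:
    """A stateful one-time signer. Revealing preimages for two different
    digests would let anyone mix them into signatures on further messages,
    so the signer remembers what it signed and refuses a second message."""

    def __init__(self, rng=secrets.token_bytes):
        self.sk, self.pk = keygen(rng)
        self.used_for = None

    def sign(self, msg: bytes) -> list[bytes]:
        if self.used_for is not None and self.used_for != msg:
            raise RuntimeError("one-time key already used for a different message")
        self.used_for = msg
        digest = H(msg)
        # For digest bit b at position i, reveal preimage sk[i][b].
        return [pair[bit] for pair, bit in zip(self.sk, _bits(digest))]


def verify(pk, msg: bytes, sig) -> bool:
    """Re-hash every revealed preimage and compare it with the public key entry
    selected by the corresponding digest bit. All positions are checked rather
    than returning on the first mismatch."""
    if len(sig) != BITS or len(pk) != BITS:
        return False
    ok = True
    for pair, bit, revealed in zip(pk, _bits(H(msg)), sig):
        ok &= secrets.compare_digest(H(revealed), pair[bit])
    return ok


def hybrid_verify(components, msg: bytes, sigs) -> bool:
    """Hybrid rule: accept only if every (public key, verifier) component
    accepts its own signature over the same message. In a real deployment
    one component would be Ed25519 and the other SLH-DSA; here both are
    Lamport keys (constructed stand-ins)."""
    if len(components) != len(sigs):
        return False
    results = [vf(pk, msg, sg) for (pk, vf), sg in zip(components, sigs)]
    return all(results)


if __name__ == "__main__":
    # Constructed sample input: a release artefact name standing in for a digest of a tarball.
    msg = b"release-1.0.tar.gz"
    pq, classical = LamportSigner(), LamportSigner()
    sigs = [pq.sign(msg), classical.sign(msg)]
    print("signature bytes per component:", sum(len(s) for s in sigs[0]))
    print("hybrid verifies:", hybrid_verify([(pq.pk, verify), (classical.pk, verify)], msg, sigs))
```

The public key and signature are each 256 x 32 bytes, which is the usual price of hash-based constructions and the reason SLH-DSA parameter sets trade signature size against signing and verification time, the "fast" versus "slow" variants Simon mentions.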