Plans for post-quantum-secure signature algorithms for host and public key authentication?
Damien Miller
djm at mindrot.org
Sat Jul 12 06:09:34 AEST 2025
On Fri, 11 Jul 2025, Aaron Rainbolt wrote:
> I'm currently writing some documentation for a work project, and part
> of my job has involved doing a (somewhat over my head) deep dive into
> the security properties of various cryptography-related algorithms in
> OpenSSH and which ones are likely to be superior to others in various
> scenarios. In the process of doing this, I noted that it seems OpenSSH
> supports post-quantum-secure algorithms for symmetric encryption, key
> exchange, and message authentication codes, but notably lacks a
> post-quantum-secure signature algorithm for host key and public key
> authentication. As I understand it (keep in mind I am not a
> cryptographer by any means), this means that an attacker with a
> sufficiently powerful quantum computer could, in the future, MITM SSH
> connections or spoof trusted client devices.
>
> Are there any plans to integrate a post-quantum-secure signature
> algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?
We have experimental XMSS support in OpenSSH, but it's not really
usable and will probably be removed when we get a more modern PQ
signature scheme.
There are no concrete plans to add support for a PQ signature scheme
but I think that it's fairly likely we'll add support for hybrid
ML-DSA/ed25519 per
https://datatracker.ietf.org/doc/draft-sun-ssh-composite-sigs/01/
> (Unrelated, the "About openssh-unix-dev" page [1] claims that the list
> is open for non-subscribers, but my first attempt at sending this was
> rejected with "Posting by non-members to openssh-unix-dev at mindrot.org
> is currently disabled, sorry." It might be useful to correct the page
> so people know to subscribe first.)
Sorry, fixed.
-d
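A quick way to audit a particular OpenSSH build for the gap discussed above, i.e. post-quantum hybrid key exchange present but no post-quantum signature scheme for host or user authentication. This is an added example, not part of this thread and not OpenSSH's own code: it classifies the algorithm names that `ssh -Q kex` and `ssh -Q sig` print. The lists of which names count as post-quantum (`PQ_KEX`, `PQ_SIG`), the helper names `pq_count` and `pq_report`, and the sample `ssh -Q` output are this example's own assumptions; the sample is constructed, and `PQ_SIG` will need extending once a scheme such as the hybrid ML-DSA/ed25519 one mentioned above actually ships.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): classify `ssh -Q`
# output into post-quantum and classical algorithms.

# Assumed set of PQ (hybrid) KEX names OpenSSH advertises, one per line.
PQ_KEX='sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256'

# Assumed set of PQ signature names. Only the experimental XMSS scheme
# exists today, and only in builds compiled with it; extend this list
# when a modern PQ signature scheme lands.
PQ_SIG='ssh-xmss@openssh.com
ssh-xmss-cert-v01@openssh.com'

# pq_count LIST ALGS: print how many lines of ALGS also appear in LIST.
pq_count() {
    list=$1
    algs=$2
    n=0
    for a in $algs; do
        if printf '%s\n' "$list" | grep -qxF -- "$a"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# pq_report KIND ALGS: KIND is "kex" or "sig", ALGS is the newline-separated
# output of `ssh -Q KIND`. Prints "KIND: N post-quantum of M" and returns
# 0 if at least one PQ algorithm is present, 1 otherwise.
pq_report() {
    kind=$1
    algs=$2
    case $kind in
        kex) list=$PQ_KEX ;;
        sig) list=$PQ_SIG ;;
        *) echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    total=$(printf '%s\n' "$algs" | grep -c .)
    n=$(pq_count "$list" "$algs")
    echo "$kind: $n post-quantum of $total"
    [ "$n" -gt 0 ]
}

# Constructed sample in the shape of `ssh -Q kex` / `ssh -Q sig` output from
# a recent OpenSSH; the real lists vary with version and build options.
SAMPLE_KEX='sntrup761x25519-sha512
sntrup761x25519-sha512@openssh.com
mlkem768x25519-sha256
curve25519-sha256
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
diffie-hellman-group14-sha256'
SAMPLE_SIG='ssh-ed25519
ecdsa-sha2-nistp256
rsa-sha2-512
rsa-sha2-256
ssh-ed25519-cert-v01@openssh.com'

# To audit the local install instead of the sample, uncomment:
# SAMPLE_KEX=$(ssh -Q kex); SAMPLE_SIG=$(ssh -Q sig)

pq_report kex "$SAMPLE_KEX"
pq_report sig "$SAMPLE_SIG" ||
    echo "no PQ signature scheme: host and user authentication rely on classical signatures"
```

Run against a live install by uncommenting the `ssh -Q` line; on the sample it reports three PQ key-exchange methods and zero PQ signature schemes, which is exactly the situation the question describes.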