Plans for post-quantum-secure signature algorithms for host and public key authentication?
Simon Josefsson
simon at josefsson.org
Sat Jul 12 06:39:17 AEST 2025
Aaron Rainbolt <arraybolt3 at gmail.com> writes:
> Are there any plans to integrate a post-quantum-secure signature
> algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?
I don't know, but I made initial experiments with it:
https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphincs/
There is a specification for it:
https://datatracker.ietf.org/doc/html/draft-josefsson-ssh-sphincs-00
Niels Möller implemented SLH-DSA recently and did some performance
statistics:
https://lists.lysator.liu.se/mailman/hyperkitty/list/nettle-bugs@lists.lysator.liu.se/message/FQU6J4OGIKCE46SXOYG4HFZ67MVOGDIL/
After that I am inclined to add more algorithm options: it seems fast
verification (thus the "slow" variant) may be more relevant to software
signing code paths, and the 128-bit variants may be relevant for online
interactive use. I'm still mixed about the cost to add both SHAKE and
SHA2, I picked SHA2 because it is faster.
If there is interest, I'm happy to make another iteration of these
patches.
/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1251 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250711/d31661a1/attachment.asc>
More information about the openssh-unix-dev
mailing list