Plans for post-quantum-secure signature algorithms for host and public key authentication?

Aaron Rainbolt arraybolt3 at gmail.com
Sat Jul 12 07:08:43 AEST 2025 

On Sat, 12 Jul 2025 06:09:34 +1000 (AEST)
Damien Miller <djm at mindrot.org> wrote:

> On Fri, 11 Jul 2025, Aaron Rainbolt wrote:
> 
> > I'm currently writing some documentation for a work project, and
> > part of my job has involved doing a (somewhat over my head) deep
> > dive into the security properties of various cryptography-related
> > algorithms in OpenSSH and which ones are likely to be superior to
> > others in various scenarios. In the process of doing this, I noted
> > that it seems OpenSSH supports post-quantum-secure algorithms for
> > symmetric encryption, key exchange, and message authentication
> > codes, but notably lacks a post-quantum-secure signature algorithm
> > for host key and public key authentication. As I understand it
> > (keep in mind I am not a cryptographer by any means), this means
> > that an attacker with a sufficiently powerful quantum computer
> > could, in the future, MITM SSH connections or spoof trusted client
> > devices.
> > 
> > Are there any plans to integrate a post-quantum-secure signature
> > algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?  
> 
> We have experimental XMSS support in OpenSSH, but it's not really
> usable and will probably be removed when we get a more modern PQ
> signature scheme.
> 
> There are no concrete plans to add support for a PQ signature scheme
> but I think that it's fairly likely we'll add support for hybrid
> ML-DSA/ed25519 per
> https://datatracker.ietf.org/doc/draft-sun-ssh-composite-sigs/01/

Nice. If some input is allowable, I would like to see SLH-DSA
specifically though since as I understand it, ML-DSA is related to
ML-KEM (Kyber), and there are concerns that Kyber's security properties
may have been intentionally misrepresented by NIST. [1] [2] Currently
in the documentation I'm working on, I've recommended the use of
sntrup761x25519-sha512 over mlkem768x25519-sha256 after skimming
through the mentioned articles. SLH-DSA I believe also has
better-understood security properties, so it may be more reliable.
Obviously having an ML-DSA mode won't hurt, but given the choice, I'd
prefer to use SLH-DSA.

> > (Unrelated, the "About openssh-unix-dev" page [1] claims that the
> > list is open for non-subscribers, but my first attempt at sending
> > this was rejected with "Posting by non-members to
> > openssh-unix-dev at mindrot.org is currently disabled, sorry." It
> > might be useful to correct the page so people know to subscribe
> > first.)  
> 
> Sorry, fixed.

Thanks :)

[1] https://blog.cr.yp.to/20231003-countcorrectly.html
[2] https://blog.cr.yp.to/20231125-kyber.html

--
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250711/a4f5c57a/attachment-0001.asc>

More information about the openssh-unix-dev mailing list