Plans for post-quantum-secure signature algorithms for host and public key authentication?
Aaron Rainbolt
arraybolt3 at gmail.com
Sat Jul 12 07:18:19 AEST 2025
On Fri, 11 Jul 2025 22:39:17 +0200
Simon Josefsson <simon at josefsson.org> wrote:
> Aaron Rainbolt <arraybolt3 at gmail.com> writes:
>
> > Are there any plans to integrate a post-quantum-secure signature
> > algorithm in OpenSSH, such as SLH-DSA (SPHINCS+)?
>
> I don't know, but I made initial experiments with it:
>
> https://blog.josefsson.org/2024/12/23/openssh-and-git-on-a-post-quantum-sphincs/
>
> There is a specification for it:
>
> https://datatracker.ietf.org/doc/html/draft-josefsson-ssh-sphincs-00
>
> Niels Möller implemented SLH-DSA recently and did some performance
> statistics:
>
> https://lists.lysator.liu.se/mailman/hyperkitty/list/nettle-bugs@lists.lysator.liu.se/message/FQU6J4OGIKCE46SXOYG4HFZ67MVOGDIL/
>
> After that I am inclined to add more algorithm options: it seems fast
> verification (thus the "slow" variant) may be more relevant to
> software signing code paths, and the 128-bit variants may be relevant
> for online interactive use. I'm still mixed about the cost to add
> both SHAKE and SHA2, I picked SHA2 because it is faster.
>
> If there is interest, I'm happy to make another iteration of these
> patches.
The distros I'm helping develop and document (Kicksecure and Whonix)
are stuck using whatever is in Debian, so while I can definitely say
I'm interested in it, I'm not exactly sure I can say I'm interested in
getting it "out there" in a particular hurry.
If this was to be "resurrected" to some degree, it would be neat if
this could be combined with a more traditional Ed25519 signature
verification, similar to the hybrid PQ kex algorithms currently
available. Depending on how exactly SLH-DSA works (which I have not
studied), that might be way over-paranoid, but my workplace likes way
over-paranoid :P
If there's something I could do to meaningfully contribute to this sort
of thing, feel free to let me know.
--
Aaron
> /Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250711/4c76571f/attachment.asc>
More information about the openssh-unix-dev
mailing list