Plans for post-quantum-secure signature algorithms for host and public key authentication?
Aaron Rainbolt
arraybolt3 at gmail.com
Sat Jul 12 08:46:32 AEST 2025
On Sat, 12 Jul 2025 00:08:44 +0200
Simon Josefsson <simon at josefsson.org> wrote:
> Aaron Rainbolt <arraybolt3 at gmail.com> writes:
>
> > If this was to be "resurrected" to some degree, it would be neat if
> > this could be combined with a more traditional Ed25519 signature
> > verification, similar to the hybrid PQ kex algorithms currently
> > available. Depending on how exactly SLH-DSA works (which I have not
> > studied), that might be way over-paranoid, but my workplace likes
> > way over-paranoid :P
> >
> > If there's something I could do to meaningfully contribute to this
> > sort of thing, feel free to let me know.
>
> SLH-DSA/SPHINCS+ is based on traditional old-school hashes (e.g.,
> SHA2), and I think many cryptographers are even more comfortable with
> that compared to RSA/ECDSA/EDDSA. Could you read up on SLH-DSA and
> re-evaluate?
Sure. I can't promise I'll understand it much, but I'd be happy to look
at it.
> I like belt and suspenders approaches, but one shouldn't be blind to
> specifics. I would not use ML-DSA unless it was in a hybrid, and I
> generally prefer hybrid constructs for everything PQ, but for SLH-DSA
> I am personally ready to make an exception. The risk for signatures
> is smaller than KEX's, where the attack surface becomes passively
> decrypting all prior communication, whereas for signatures it requires
> an online active SLH-DSA attack to be useful. For long-term SSHSIG
> used to authenticate software releases (via git signing) this argument
> doesn't apply though.
I am mainly concerned with the online active attack scenario. Public
SSH keys are pretty easy to come by, aren't rotated out frequently (or
ever), and distros without a PQ signature scheme will probably be
"supported" to some degree once we have "dangerous" quantum computers,
so I see this as a somewhat looming threat that will only get harder to
defend against the longer things take. I don't expect "dangerous" QCs
to be available only to nation-states in a decade - ransomware
operations probably will be able to afford them and would be able to do
lots of damage with them in the absence of PQ signatures on older
distributions. With the way "hyper-stable" distributions like Debian,
Ubuntu, and RHEL operate, I can't imagine there being any way to tack
post-quantum signatures onto old OpenSSH versions without either
leaving security holes or locking lots of people out of their systems.
--
Aaron
> Still, maybe this is a losing fight, and that it is actually simpler
> to promote Ed25519 + SLH-DSA in a hybrid because the optics of it is
> simpler to take in for everyone who is migrating from an Ed25519
> world. Having more discussion and opinions on this would be nice.
>
> /Simon
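Simon's point above is that SLH-DSA's security rests only on hash functions. The following is an added illustration by the editor, not code from this thread, from OpenSSH, or from any SLH-DSA implementation: it implements the simplest member of that family, a Lamport one-time signature over SHA-256, and then shows the failure mode every hash-based one-time scheme has (signing two messages under one key leaks enough preimages to forge a third), which is the problem SLH-DSA's large, pseudo-randomly indexed tree of one-time and few-time keys exists to remove without keeping signer state. The `LamportOTS` class, the `forge_after_reuse` helper, the 16-bit reduced digest used for the forgery search, and the sample messages are all constructed for this example; a 16-bit digest is a teaching parameter only, the real scheme uses the full 256 bits.

```python
import hashlib
import hmac
import os


def H(data: bytes) -> bytes:
    """The only primitive the scheme depends on: a plain SHA-256 hash."""
    return hashlib.sha256(data).digest()


class LamportOTS:
    """Lamport one-time signature over the first n_bits of SHA-256(msg).

    Secret key: for each digest bit position i, two random 32-byte values
    (sk[i][0], sk[i][1]).  Public key: their hashes.  A signature reveals,
    per position, the preimage matching that bit of the message digest.
    n_bits=256 is the real parameter; smaller values are for demonstration.
    """

    def __init__(self, n_bits: int = 256, rng=os.urandom):
        self.n = n_bits
        self.rng = rng

    def digest_bits(self, msg: bytes) -> list[int]:
        d = H(msg)
        return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(self.n)]

    def keygen(self):
        sk = [(self.rng(32), self.rng(32)) for _ in range(self.n)]
        pk = [(H(a), H(b)) for a, b in sk]
        return sk, pk

    def sign(self, sk, msg: bytes) -> list[bytes]:
        # Reveals exactly one of the two preimages at every position.
        return [sk[i][b] for i, b in enumerate(self.digest_bits(msg))]

    def verify(self, pk, msg: bytes, sig: list[bytes]) -> bool:
        if len(sig) != self.n:
            return False
        bits = self.digest_bits(msg)
        ok = True
        for i in range(self.n):
            # Re-hash the revealed preimage and compare against the
            # public half selected by the message digest bit.
            ok &= hmac.compare_digest(H(sig[i]), pk[i][bits[i]])
        return ok


def forge_after_reuse(ots: LamportOTS, m1: bytes, s1: list[bytes],
                      m2: bytes, s2: list[bytes], max_tries: int = 1 << 18):
    """Attacker view: given two signatures made with ONE Lamport key, pool
    the revealed preimages and search for a fresh message whose digest bits
    are all covered by them.  Returns (message, forged_signature) or None.
    With the full 256-bit digest this search is hopeless (about (3/4)^256
    per candidate); with a 16-bit digest it succeeds in a few hundred tries,
    which is why the demo below shrinks the parameter."""
    revealed = [{} for _ in range(ots.n)]
    for m, s in ((m1, s1), (m2, s2)):
        for i, b in enumerate(ots.digest_bits(m)):
            revealed[i][b] = s[i]
    for ctr in range(max_tries):
        target = b"attacker-chosen message #%d" % ctr  # constructed candidate
        bits = ots.digest_bits(target)
        if all(bits[i] in revealed[i] for i in range(ots.n)):
            return target, [revealed[i][bits[i]] for i in range(ots.n)]
    return None


if __name__ == "__main__":
    # Correct use: one key, one message (constructed sample input).
    ots = LamportOTS()
    sk, pk = ots.keygen()
    msg = b"openssh-release.tar.gz"
    print("valid signature verifies:", ots.verify(pk, msg, ots.sign(sk, msg)))
    print("other message rejected:  ", ots.verify(pk, b"tampered", ots.sign(sk, msg)))

    # Misuse: the same key signs two messages (16-bit digest so the search ends).
    small = LamportOTS(n_bits=16)
    sk2, pk2 = small.keygen()
    m1, m2 = b"pay alice 1", b"pay bob 2"
    result = forge_after_reuse(small, m1, small.sign(sk2, m1), m2, small.sign(sk2, m2))
    if result:
        target, forged = result
        print("forged message verifies: ", small.verify(pk2, target, forged), target)
```

The verification loop hashes every revealed preimage and compares it against the public half selected by the digest bit, so a public key is nothing but 2n hash outputs and a signature is n preimages; there is no number-theoretic structure for a quantum algorithm to attack, only preimage and second-preimage resistance of SHA-256. The forgery function is the reason "one-time" is not optional: after two signatures, each position has a 3/4 chance of having the needed preimage exposed, and an attacker only needs one message whose digest lands entirely inside the exposed set.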