[EXT] Re: Plans for post-quantum-secure signature algorithms for host and public key authentication?
Aaron Rainbolt
arraybolt3 at gmail.com
Sat Jul 12 08:53:46 AEST 2025
On Fri, 11 Jul 2025 22:31:18 +0000
"Blumenthal, Uri - 0553 - MITLL" <uri at ll.mit.edu> wrote:
> While SLH-DSA may be more secure than ML-DSA, performance and
> signature size would make it prohibitive for dynamic authentication
> for many use cases.
>
> As to how much security you need – for the vast majority of users
> ML-DSA is plenty secure “enough”. To the point that US and German
> governments (probably, among others – I didn’t bother to check)
> decided to bet their security on it.
There is a pretty significant community of users and developers
(oftentimes people involved with projects like Kicksecure, Whonix, and
Qubes OS, all of which I either contribute to or am paid to work on)
where "secure enough for the government" is not secure enough. Many of
those people work in situations where paranoid-level security mesures
are warranted, and for those people I feel having SLH-DSA would be
reasonable. Performance isn't a high priority in a lot of these
situations.
--
Aaron
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20250711/9da333c9/attachment-0001.asc>
More information about the openssh-unix-dev
mailing list