Enable post-quantum key exchange by default?

Demi M. Obenour demiobenour at gmail.com
Fri Mar 12 19:43:38 AEDT 2021


On 3/10/21 11:18 PM, Damien Miller wrote:
>> There are those who feel that FFC should be thrown away in favor of ECC
>> key exchanges and those who feel that PQC is coming soon and will be
>> able to factor ECC faster than FFC.
> 
> I'm pretty much one of them :) I'm skeptical whether useful QCs will be
> a thing in my lifetime, but the probability is far enough above zero that
> it makes sense to use PQC if the costs aren't too high.

On that note, I wonder if we should turn on post-quantum key exchange in the
not too distant future, as the default most-preferred kex.  IIUC the one we
use is secure if our version of NTRU is secure *or* Curve25519 is secure,
and since crypto code is constant-time there is little room for memory
unsafety vulnerabilities.  So it is low-risk, high-reward, unless I am missing
something.

> -d

Sincerely,

Demi

