Doubts about the fork of Open Quantum Safe (SSH) and SSH 9 NTRU Prime.

[glopezGitHub]

Good morning team and interested parties,

Recently we have been reviewing how to implement a Quantum Safe SSH service. The question we have is that when reviewing the official releases of SSH at https://www.openssh.com/releasenotes.html, they make the following comment in release 9.3.P2:

"The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo."

Given the information provided earlier, we should assume that since the NTRU algorithm is different from the Kyber algorithm, it would be better to use the fork from your repository. At this point, the recommendation is to either use the official version with the NTRU algorithm or the existing fork in this repository.

Regarding the difference between NTRU and the NIST algorithms, it appears that NTRU is not among the algorithms selected for standardization by NIST.

Best Regards

[dstebila]

OpenSSH uses NTRU Prime + elliptic curve X25519, which is a strong configuration. While it is true that NTRU Prime was not selected by NIST for standardization, there are no known weaknesses in NTRU Prime and it remains a very reasonable choice. It is fine to continue using OpenSSH's NTRU Prime + X25519 key exchange method for now. My sense is that most applications, likely including OpenSSH, will transition to using Kyber once the NIST standards for Kyber emerge. The many more PQ methods currently available in OQS's OpenSSH fork are generally being used by those testing interoperability and performance characteristics.