[chasil]

OpenSSH has already chosen NTRU-Prime. Will there be a retrofit of CRYSTALS-KYBER? Or has the market already chosen?

DJB is an author on the SPHINCS+ team; glad to see that his work will be part of the standard.

https://sphincs.org/

[layer8]

OpenSSH has merely chosen that as its current default. Surely multiple algorithms will be supported in the future as they have in the past.

[chasil]

There was considerable strife for Daniel J. Bernstein during this competition.

https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&c...

It would not surprise me if OpenSSH only chooses to add SPHINCS+ and refuses the others.

[tptacek]

What does Bernstein's process complaint about NIST's process complaint about him have to do with which ciphersuites OpenSSH will support?

[chasil]

OpenSSH appears to have disregarded NIST, and made their own determination on a pq-kex.

Should NIST be disregarded?

NTRU-prime is not a finalist, but OpenSSH has decided that the NIST designation is irrelevant.

https://www.openssh.com/releasenotes.html

ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo.

We are making this change now (i.e. ahead of cryptographically- relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available.

[tptacek]

I personally think NIST should be disregarded, but you can disregard NIST and still end up with CRYSTALS-KYBER as your default PQC KEM, on its own merits, which can include the fact that NIST's standardization spurs so much implementation of CRYSTALS-KYBER that it becomes a de facto standard in addition to a de jure standard. (Same for signatures, and so on).

People with qualms about NIST might also reasonably have qualms about AES. And there is a common cipher that people use outside of AES --- Chapoly. But it would be downright weird to use, like, Serpent or Twofish; it would be the cryptography equivalent of a "code smell". Chapoly and AES are the de facto standards, and OpenSSH supports both.

Again though: my question is just, what does this (frankly weird) Bernstein complaint have to do with any of it? Bernstein himself is a NISTPQC participant; he's on one of the (large) winning signature teams.

(I think all the technical details here are super interesting, but not especially motivating; I'm not a cryptographer and you should disregard me as well, but my basic take on QC crypto attacks is "Rodents of unusual size? I don't think they exist.")

[chasil]

I agree with your sentiment. I wish NIST had conducted the proceedings more professionally, and this collapse in confidence is their own fault.

The OpenSSH decision to promote NTRU-prime from an experimental feature to the preferred key exchange was breathtakingly rapid, and final. It is a tacit assertion that NIST is no longer relevant.

DJB was on several teams, and I think that OpenSSH would lend greater credence to him than any other council, deservedly so.

We might end up with SPHINCS+, but I will be surprised if KYBER is adopted.

This moved very fast.

[simcop2387]

I can't seem to find anything on google, did NISTPQC ever reply?

[google234123]

Bernstein seems to be involved in never ending drama. Maybe the problem is him?

[kragen]

Bernstein being "involved in never-ending drama" is the reason it's legal to export strong cryptography from the US today and the reason much of this PQC work got done at all. He's clearly a person who often fights in cases where almost everyone else surrendered instead, which is presumably what you mean by "the problem is him," but I don't see why you describe it as a "problem". His inclination to tell hard truths, even when faced with corruption and intimidation, has frequently served the public interest.

It was often a huge problem for the people who he was fighting with, though. Are you one of them?

[tptacek]

It doesn't seem reasonable to say that Bernstein is the reason much of this PQC work got done at all.

He was one of the earliest PQC popularizers and probably coined the term. But asserting that he enabled everyone else's work is a little like saying that the person who coined "misuse-resistant authenticated encryption" enabled all the different misuse-resistant schemes; the underlying issue was plainly evident, and people were obviously going to work on it.

Your last sentence falls afoul of the HN guidelines, and your comment would be far stronger without it. Which is unfortunate, since there's an interesting and curious conversation to be had about the significance of Bernstein's role in PQC.

[chasil]

Bernstein's original lawsuit in the 90s resulted in the lift of ITAR restrictions on strong cryptography.

https://en.m.wikipedia.org/wiki/Daniel_J._Bernstein#Bernstei...

"The ruling in the case declared that software was protected speech under the First Amendment, which contributed to regulatory changes reducing controls on encryption."

[TedDoesntTalk]

Can you summarize? That’s a PDF I can’t read.

[simcop2387]

There's some technical details that I'm not good enough to summarize, but a large gist of it seems to be that the NISTPQC seems to have gone back on it's word about being transparent through the standardization process and only ever solicited private input after round 2 and round 3 and used that non-published input to make claims about the strength of at least one contender for the standardization. And the way they've done this appears to reek of Dual EC style manipulation again from what DJB brings up? at least as far as how the process is working. I don't believe he's claiming that there's any NSA back doors but alluding to there being a private party that is steering things in ways that might not be good.

Along with also apparently some possible remarks about DJB doing something wrong also (I couldn't tell from this at least what it was. I haven't done any complete readings yet).

[bwesterb]

NTRU-Prime, NTRU, Kyber and SABER are all great KEMs. NIST could've chosen any one of them. NIST never standardised Ed25519 and OpenSSH still uses it, which is perfectly fine.

[Zamicol]

Ed25519 is in the draft standard, as well as Ed25519ph: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5-draft...

[CircleSpokes]

I imagine they would add support for the standardized algorithms and still support the ones they are currently using too.