Bug 3472

Summary: Consider discontinuing support for sntrup761x25519-sha512@openssh.com
Product: Portable OpenSSH
Reporter: ricky.tigg
Component: Build system
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: djm
Priority: P5
Version: 9.0p1
Hardware: Other
OS: Linux

Description ricky.tigg 2022-09-08 23:33:57 AEST
Hello. Post-quantum cryptographic primitives sntrup761x25519-sha512@openssh.com and chacha20-poly1305@openssh.com were introduced in OpenSSH respectively in v. 8.5, as default in v. 9.0, and v. 6.5, promoted default cipher in v. 6.9. I mistaken by conceiving that the project has for policy to solely accept to integrate algorithm implementations which have been standardised either by a recognised national or internal standards entity. At this very time, it seems there is no such standard for NTRU. It's worth noting that NIST recently decided not to select NTRU for standardisation. It instead selected CRYSTALS-Kyber in this respect. What could have happened for it to be integrated in this project, when apparently nothing intended it for this destiny? Has it ever occurred to any of you developers that such an integration might be inappropriate? It's surprising to say the least.

(*) https://nvlpubs.nist.gov/nistpubs/ir/2022/NIST.IR.8413.pdf#page=47&zoom=100,120,546
Comment 1 Damien Miller 2022-09-09 08:34:36 AEST
chacha20-poly1305 isn't a PQ algorithm. It's an AEAD and is AFAIK out of scope for PQ work.

We'll almost certainly support Kyber as a KEM once the dust settles from the standardisation process, but have no intention of removing support for the existing PQ KEM in the short-medium term.
Comment 2 Damien Miller 2022-10-04 21:57:59 AEDT
Closing bugs from OpenSSH 9.1 release cycle