Cryptography
key-exchange post-quantum-cryptography ntru ssh x25519
Updated Thu, 04 Aug 2022 14:30:10 GMT

Is the combination of X25519 ECDH and NTRU in OpenSSH 9.X secure against quantum attacks?


Can the combination of X25519 ECDH and NTRU in OpenSSH 9.X defend me against quantum attacks?

Why is it believed that this combination is secure?




Solution

Can the combination of X25519 ECDH and NTRU in OpenSSH 9.X defend me against quantum attacks?

Actually, that version of OpenSSH uses NTRU Prime, rather than NTRU.

However, that does not change the answer: it is believed that the combination is resistant to attackers with Quantum Computers attempting a 'store-and-decrypt-later' attack.

Why is it believed that this combination is secure?

We believe it is secure because we believe that NTRU Prime is secure against a Quantum Adversary, and the secret keys that protect the traffic depend on the NTRU Prime shared secret. Without those secret keys, the attacker would need to attack the symmetric ciphers directly, which we believe is also too hard.

Now, I did put in weasel words about 'store-and-decrypt later' attacks; another possible attack (if the attacker has a Quantum Computer at the time of the exchange) is to break the authentication piece of SSH. I don't know if that is similarly protected (it might be; I don't know); if it isn't, then this is also a potential avenue. Of course, this attack can only be used for attacks going forward, and previous sessions are unaffected.





Comments (2)

  • +2 – Could you explain X25519 ECDH and NTRU Prime a little more? This is the newest question here about this. — Apr 18, 2022 at 21:54  
  • +0 – @poncho | Can you write some words on what you mean by "the authentication piece of SSH"? — Apr 19, 2022 at 17:34  

