
OpenSSH 9.0 released


Posted Apr 9, 2022 0:16 UTC (Sat) by cypherpunks2 (guest, #152408)
Parent article: OpenSSH 9.0 released

The addition of NTRU Prime for PQC is a little premature, because a new paper just came out which showed that many LWE schemes are weaker than was previously thought. The paper admits that it is not directly applicable to NTRU (which is not an LWE scheme), but it might be adaptable to it.

https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/F...
https://doi.org/10.5281/zenodo.6412487

> NTRU-based cryptosystems are among the leading candidates for lattice-based post-quantum cryptography. In this work, we propose improvements to the dual attack on LWE, and as such our attack is not immediately applicable to NTRU-based cryptosystems. It is an interesting question whether ideas from this work can be adapted to similar improvements to attacks on NTRU. Specifically, there appear to be similarities between the dual attack on LWE and the so-called “hybrid attack” [How07, Wun16] on NTRU. The hybrid attack also involves enumerating over parts of the secret, and then invoking some distinguisher to determine whether a resulting vector is close to a certain constant lattice. It seems reasonable to the writers of this paper that ideas similar to those presented here can be used to reduce the running time of such attacks as well, though anything definitive would of course require further research.


OpenSSH 9.0 released

Posted Apr 9, 2022 4:35 UTC (Sat) by CoelacanthusHex (guest, #144839) (2 responses)

And it seems that there are other problems here. If you are using gpg-agent, and OpenSSH matches the NTRU algorithm, gpg-agent will refuse because it does not support the algorithm, which makes it unusable. Now OpenSSH uses this algorithm as the first choice. This greatly increases the probability of encountering this problem.

OpenSSH 9.0 released

Posted Apr 9, 2022 5:40 UTC (Sat) by mkj (subscriber, #85885)

I don't see how gpg-agent would see anything about NTRU, have you seen it as a problem? sntrup761x25519 should only be getting used for key exchange (KEX), versus gpg-agent which doesn't handle KEX, just public key auth signatures which keep using existing schemes.

gpg-agent might still need updating to handle rsa-sha2 signatures, but that's a different problem. https://adamheins.com/blog/ssh-agent-key-rsa

OpenSSH 9.0 released

Posted Apr 10, 2022 20:37 UTC (Sun) by aaronmdjones (subscriber, #119973)

You are confusing key exchange (the algorithm that derives the encryption and authentication keys for the underlying traffic) with authentication.

NTRU is for the former; ssh-keygen, ssh-agent, gpg-agent, scdaemon, and such will never see it and don't even know that you're using it.

OpenSSH 9.0 released

Posted Apr 9, 2022 15:54 UTC (Sat) by tamiko (subscriber, #115350) (5 responses)

At least the way how sntrup761 is combined with x25519 ensures that the hybrid kex scheme does not degrade the security level of x25519.

OpenSSH 9.0 released

Posted Apr 9, 2022 16:45 UTC (Sat) by ballombe (subscriber, #9523) (4 responses)

Yes. The paranoid in me cannot help but wonder whether the NIST post-quantum crypto contest is not a sneaky attempt by the NSA to divert people from safe EC crypto to something less studied where they are more likely to have an edge.

OpenSSH 9.0 released

Posted Apr 9, 2022 17:49 UTC (Sat) by JoeBuck (subscriber, #2330) (2 responses)

The NSA does not own all of the world's cryptographers and will be unlikely to succeed again at inserting a back door into a standard, since they got caught (see https://en.wikipedia.org/wiki/Dual_EC_DRBG ). Experts will be looking harder next time, and there was enough troubling analysis at that time that almost everyone rejected that algorithm.

But we could reverse your argument: suppose that NSA has secret advanced technology to use quantum computing to break current cryptography, not quite ready yet but close. How to protect that? We wouldn't want people to switch away from algorithms that they are close to breaking. Maybe by spreading paranoia about the post-quantum crypto contest?

OpenSSH 9.0 released

Posted Apr 11, 2022 12:13 UTC (Mon) by ballombe (subscriber, #9523) (1 responses)

Sorry but the NIST competition is a major force toward the use of post-quantum crypto.

OpenSSH 9.0 released

Posted Apr 11, 2022 14:26 UTC (Mon) by Paf (subscriber, #91811)

Yes, that’s exactly the point being made. It is a force for that and so spreading uncertainty about it helps an agency that doesn’t want that transition to occur. Not saying you’re doing that but the point is the logic can go in either direction. (Which doesn’t mean it’s wrong, I think it just means we don’t know.)

OpenSSH 9.0 released

Posted Apr 9, 2022 19:42 UTC (Sat) by cypherpunks2 (guest, #152408)

We already know for a fact that ECC is broken. All that's stopping it from being broken in practice is quantum error correction and coherence times. And I would hope that we would use a hybrid key exchange in TLS and all major protocols for a long time but not because of a backdoor so much as possible weaknesses in relatively new algorithms.
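The hybrid property tamiko and cypherpunks2 are relying on comes from how OpenSSH combines the two shared secrets in sntrup761x25519-sha512@openssh.com: the 32-byte sntrup761 KEM secret and the 32-byte X25519 secret are concatenated and hashed with SHA-512, and that digest is the shared secret K fed into the exchange hash. The block below is an added illustration of that combiner, not OpenSSH's code or any commenter's; the component secrets are constructed random bytes standing in for real KEM and ECDH outputs, and `k_with_one_component_leaked` is a hypothetical helper modelling an adversary who has broken one primitive but not the other.

```python
import hashlib
import os
import struct


def combine_shared_secrets(ss_sntrup: bytes, ss_x25519: bytes) -> bytes:
    """Return K = SHA-512(ss_sntrup || ss_x25519), the OpenSSH hybrid combiner.

    Both inputs are 32 bytes in the real exchange; the order is fixed, PQ first.
    """
    if len(ss_sntrup) != 32 or len(ss_x25519) != 32:
        raise ValueError("both component secrets must be 32 bytes")
    return hashlib.sha512(ss_sntrup + ss_x25519).digest()


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (uint32 big-endian length prefix).

    This is how the 64-byte K is framed when it enters the exchange hash.
    """
    return struct.pack(">I", len(data)) + data


def k_with_one_component_leaked(leaked: bytes, leaked_is_sntrup: bool,
                                guess: bytes) -> bytes:
    """Hypothetical adversary view (constructed for this example).

    The adversary has recovered one component (e.g. a lattice break yields
    ss_sntrup, or a quantum attack on X25519 yields ss_x25519) but must still
    supply the other, here a guess. K only matches if the guess is right.
    """
    if leaked_is_sntrup:
        return combine_shared_secrets(leaked, guess)
    return combine_shared_secrets(guess, leaked)


def demo() -> bool:
    # Constructed stand-ins for the real KEM / ECDH shared secrets.
    ss_sntrup = os.urandom(32)
    ss_x25519 = os.urandom(32)
    k_true = combine_shared_secrets(ss_sntrup, ss_x25519)

    # Break the PQ side: x25519 still protects K (tamiko's point).
    pq_broken = k_with_one_component_leaked(ss_sntrup, True, os.urandom(32))
    # Break the EC side: sntrup761 still protects K (cypherpunks2's point).
    ec_broken = k_with_one_component_leaked(ss_x25519, False, os.urandom(32))
    return pq_broken != k_true and ec_broken != k_true and len(k_true) == 64


if __name__ == "__main__":
    print("hybrid K survives a single-component break:", demo())
```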


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds