Filippo Valsorda18h ago

Last year, my position was that we still had time to design PQ authentication mechanisms.

Now, based on the pace of progress and on statements like Google's, I believe:

1. we need to finish rolling out PQ key exchange yesterday
2. we need to start rolling out PQ auth now
3. it's too late to ship any new non-PQ design or system

https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/

Quantum frontiers may be closer than they appear

An overview of how Google is accelerating its timeline for post-quantum cryptography migration.

Google
Show threadJari Pennanen

@filippo You got me interested to know what it would look like in authorized_keys, and can it be this short! Looks neat.

ssh-mldsa44-ed25519 434f4d505349472d4d4c44534134342d456432353531392d534841353132

https://datatracker.ietf.org/doc/draft-sun-ssh-composite-sigs/02/

Composite ML-DSA Signatures for SSH

This document describes the use of PQ/T composite signatures for the Secure Shell (SSH) protocol. The composite signatures described combine ML-DSA as the post-quantum part and the elliptic curve signature schemes ECDSA, Ed25519 and Ed448 as the traditional part.

IETF Datatracker
Mar 26 at 4:21pmWeb