
Experimental support for PQC XMSS keys in OpenSSH - throwaway2048
https://marc.info/?l=openbsd-cvs&m=151940152732492&w=2
======
throwaway2048
Would appreciate if mods would change the title back to "Experimental support
for Post Quantum Crypto in OpenSSH", the present title isn't the title of the
page, nor does "PQC XMSS" mean anything to approximately anybody.

------
agl
XMSS is great work, but it's not clearly suitable for use in SSH: I will
occasionally copy SSH private keys around, or restore them from backups. I
think that's fairly common. However, with XMSS:

"the signature schemes described in this document are stateful, meaning the
secret key changes over time. If a secret key state is used twice, no
cryptographic security guarantees remain." [1]

Perhaps the SSH authors have a clever answer for this! But stateful signatures
are not, in general, suitable as a drop-in replacement for traditional
signature schemes and I do worry that people may miss this subtle, but
critical, point.

[1] [https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12#section-1.1](https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12#section-1.1)

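The failure mode agl describes, worked through in code. This is an added illustration, not part of the thread and not OpenSSH's or the XMSS draft's code: a toy Merkle-tree signer built from Lamport one-time keys (four leaves instead of thousands, SHA-256 throughout), whose only state is the index of the next unused leaf. The `backup_restore_scenario` function, the messages and the class name are all constructed for this example. It shows three things a practitioner would want to see: a key restored from backup re-signs with an already used leaf, the resulting signature still verifies (so the verifier cannot tell on its own), and two different messages under one leaf together reveal more than half of that leaf's secrets, which is why "no cryptographic security guarantees remain". The `find_index_reuse` check is the kind of log-side detection a relying party can run over the signatures it has accepted.

```python
import copy
import hashlib
import os

N_BITS = 256        # SHA-256 digest length; Lamport uses one secret pair per bit
TREE_HEIGHT = 2     # toy tree: 2**2 = 4 one-time keys (real XMSS trees are far taller)
N_LEAVES = 1 << TREE_HEIGHT


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def msg_bits(msg: bytes) -> list:
    """Bits of SHA-256(msg), most significant first."""
    d = int.from_bytes(H(msg), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def lamport_keygen(rng=os.urandom):
    """One-time key: 256 pairs of 32-byte secrets; public key is their hashes."""
    sk = [(rng(32), rng(32)) for _ in range(N_BITS)]
    return sk, [(H(a), H(b)) for a, b in sk]


def leaf_hash(pk) -> bytes:
    return H(*[h for pair in pk for h in pair])


def build_tree(leaves: list) -> list:
    """All Merkle levels, leaves first, root last."""
    levels = [leaves]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return levels


def auth_path(levels: list, idx: int) -> list:
    path = []
    for lvl in levels[:-1]:
        path.append(lvl[idx ^ 1])   # sibling node at this level
        idx >>= 1
    return path


def root_from_path(leaf: bytes, idx: int, path: list) -> bytes:
    node = leaf
    for sib in path:
        node = H(node, sib) if idx % 2 == 0 else H(sib, node)
        idx >>= 1
    return node


class StatefulSigner:
    """Merkle-tree signer; `next_idx` is the state that must never be reused."""

    def __init__(self, rng=os.urandom):
        self.ots = [lamport_keygen(rng) for _ in range(N_LEAVES)]
        self.levels = build_tree([leaf_hash(pk) for _, pk in self.ots])
        self.root = self.levels[-1][0]      # the long-term public key
        self.next_idx = 0

    def sign(self, msg: bytes):
        if self.next_idx >= N_LEAVES:
            raise RuntimeError("key exhausted: every one-time key has been used")
        idx = self.next_idx
        sk, pk = self.ots[idx]
        sig = [sk[i][b] for i, b in enumerate(msg_bits(msg))]
        self.next_idx += 1                  # advance state before releasing the signature
        return (idx, sig, pk, auth_path(self.levels, idx))


def verify(root: bytes, msg: bytes, signature) -> bool:
    idx, sig, pk, path = signature
    if any(H(sig[i]) != pk[i][b] for i, b in enumerate(msg_bits(msg))):
        return False
    return root_from_path(leaf_hash(pk), idx, path) == root


def find_index_reuse(signed: list) -> set:
    """Leaf indices used for two different messages in a log of [(msg, signature)]."""
    seen, reused = {}, set()
    for msg, (idx, *_rest) in signed:
        if idx in seen and seen[idx] != msg:
            reused.add(idx)
        seen.setdefault(idx, msg)
    return reused


def secrets_exposed(msg_a: bytes, msg_b: bytes) -> int:
    """Distinct Lamport secrets revealed by signing two messages with one leaf.
    A single signature reveals exactly 256 of 512; any different second message reveals more."""
    ba, bb = msg_bits(msg_a), msg_bits(msg_b)
    return len({(i, ba[i]) for i in range(N_BITS)} | {(i, bb[i]) for i in range(N_BITS)})


def backup_restore_scenario() -> dict:
    """Constructed scenario: key copied after one signature, then the copy is used too."""
    signer = StatefulSigner()
    m1, m2, m3 = b"login-challenge-1", b"login-challenge-2", b"login-challenge-3"
    s1 = signer.sign(m1)
    backup = copy.deepcopy(signer)          # like copying the key file at state 1
    s2 = signer.sign(m2)                    # original copy: leaf 1
    s3 = backup.sign(m3)                    # restored copy: leaf 1 again
    log = [(m1, s1), (m2, s2), (m3, s3)]
    return {
        "all_verify": all(verify(signer.root, m, s) for m, s in log),
        "indices": [s[0] for _, s in log],
        "reused": find_index_reuse(log),
        "exposed": secrets_exposed(m2, m3),
    }
```

Run `backup_restore_scenario()`: every signature verifies, the leaf indices come out as `[0, 1, 1]`, the reuse check flags leaf 1, and the exposed-secret count exceeds 256. The signer also raises once all four leaves are spent, which is the other operational difference from a conventional key: it wears out.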
~~~
kcolford
The statefulness is going to be a problem with current cryptographic APIs.
There's another post quantum public key signature algorithm called SPHINCS
that is supposed to be stateless and will be much more useful.

------
xref
The 'post-quantumness' of this work is based on XMSS/Merkle Signature Scheme,
if you want to dig further:

[https://en.m.wikipedia.org/wiki/Merkle_signature_scheme](https://en.m.wikipedia.org/wiki/Merkle_signature_scheme)

~~~
jwilk
Non-mobile link:

[https://en.wikipedia.org/wiki/Merkle_signature_scheme](https://en.wikipedia.org/wiki/Merkle_signature_scheme)

