dustyharddrive 3 days ago

Anyone have an informed preference between MLKEM and SNTRUP?

  • tptacek 3 days ago

    For what it's worth: Damien Miller has commented repeatedly here that OpenSSH did NTRU before the NIST competition completed, and they always planned to add the NIST PQ winner.

WhyNotHugo 3 days ago

What’s ML-KEM X25519? I’m familiar with Ed25519, but I’ve never heard of ML-KEM.

(Also not a cryptographer)

  • tptacek 3 days ago

    ML-KEM is Kyber, the lattice-based winner of the NIST PQ KEM competition (think of a KEM as a public-key encryption and delivery of a key, as opposed to Diffie-Hellman, in which both sides agree on a key together). It's a key establishment mechanism that resists quantum attacks.

    • marcus0x62 3 days ago

      For anyone unfamiliar with the acronyms:

      PQ = Post Quantum (cryptography)

      KEM = Key Encapsulation Method

    • telgareith 2 days ago

      Kyber? For some reason I hear that and think "isn't that the PQ with a foundational Assumption(!) that's been proven trivial for binary computers to break?"

      • zinekeller 2 days ago

        I'm not sure for Kyber, but SIKE/SIDH (another PQ candidate) does have those exact problems (https://eprint.iacr.org/2022/975.pdf)

        • tptacek 2 days ago

          Completely unrelated algorithms; it might be hard to come up with two algorithms less related to each other than module lattices LWE and supersingular isogeny graph Diffie-Hellman --- even the outcomes of the two algorithmic approaches are different (SIDH was attractive because it gives you a Diffie-Hellman, and Kyber gives you a KEM).

          (I just want to make it clear that this isn't a lingering concern about lattice cryptography, fwiw.)

xyst 2 days ago

look forward to confusing my sysadmins when I present them with a MLKEM pub key :)

Probably will use this on my homelab though.

  • KAMSPioneer 2 days ago

    Your sysadmin will indeed be confused, since ML-KEM public keys are not used for authenticating and are generated by the client and server automatically, analogous to Diffie-Hellman.

    You can confuse them (albeit much less) when OpenSSH adds support for one of the PQ DSAs.
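The two shapes tptacek distinguishes above (a KEM, where one side encrypts a fresh key to the peer's public key, versus Diffie-Hellman, where both sides contribute a share and derive the key together) and KAMSPioneer's point that the KEM key pair is ephemeral exchange material rather than an identity key are illustrated below in an added example that is not part of this thread and not OpenSSH's code. The stand-ins are toys constructed for readability: RSA-KEM over two small Mersenne primes plays the part of ML-KEM, a small modular-exponent group plays the part of X25519, and hashing the concatenation of both secrets is assumed as a simple hybrid combiner, not the exact combiner of any SSH KEX method.

```python
import hashlib
import secrets

# --- Toy KEM (stand-in for ML-KEM): RSA-KEM over a tiny, constructed modulus ---
# RSA-KEM is the textbook "encrypt a random value under the public key, hash it
# into the shared secret" construction. The Mersenne primes below were chosen only
# because they are easy to write down; this key is toy-sized and gives no security.
_KEM_P = 2**61 - 1
_KEM_Q = 2**89 - 1
_KEM_N = _KEM_P * _KEM_Q
_KEM_E = 65537
_KEM_D = pow(_KEM_E, -1, (_KEM_P - 1) * (_KEM_Q - 1))
_KEM_BYTES = (_KEM_N.bit_length() + 7) // 8


def kem_keygen():
    """Return (secret_key, public_key). A real KEM generates a fresh pair per
    exchange; the toy reuses fixed primes only to keep prime generation out of scope."""
    return (_KEM_N, _KEM_D), (_KEM_N, _KEM_E)


def kem_encaps(pk, rng=secrets.randbelow):
    """Sender side: choose a random r, encrypt it to pk, derive the secret from r.
    Only the sender chooses the key material; the receiver just recovers it."""
    n, e = pk
    r = 2 + rng(n - 2)                                   # r in [2, n-1]
    ciphertext = pow(r, e, n)
    shared = hashlib.sha256(r.to_bytes(_KEM_BYTES, "big")).digest()
    return ciphertext, shared


def kem_decaps(sk, ciphertext):
    """Receiver side: recover r with the secret key and derive the same secret."""
    n, d = sk
    r = pow(ciphertext, d, n)
    return hashlib.sha256(r.to_bytes(_KEM_BYTES, "big")).digest()


# --- Toy Diffie-Hellman (stand-in for X25519) over a small constructed group ---
_DH_P = 2**127 - 1
_DH_G = 3
_DH_BYTES = 16


def dh_keygen(rng=secrets.randbelow):
    """Each side makes its own ephemeral (secret, public) pair."""
    sk = 2 + rng(_DH_P - 3)                              # sk in [2, P-2]
    return sk, pow(_DH_G, sk, _DH_P)


def dh_shared(sk, peer_pk):
    """Both sides reach g^(ab) from their own secret and the peer's public value."""
    return pow(peer_pk, sk, _DH_P).to_bytes(_DH_BYTES, "big")


def hybrid_secret(kem_shared, dh_shared_bytes):
    """Combine both secrets so an attacker must break BOTH components.
    Hashing the concatenation is an assumed simplification for this example."""
    return hashlib.sha256(kem_shared + dh_shared_bytes).digest()


def run_exchange(rng=secrets.randbelow):
    """Walk through one hybrid exchange and return what each side derived.
    Nothing here authenticates either party: that is the job of a separate,
    long-lived signing key, which is why the KEM public key is not an identity."""
    # Server: ephemeral material for both components.
    kem_sk, kem_pk = kem_keygen()
    srv_dh_sk, srv_dh_pk = dh_keygen(rng)
    # Client: encapsulates to the server's KEM public key and sends its own DH share.
    kem_ct, client_kem_ss = kem_encaps(kem_pk, rng)
    cli_dh_sk, cli_dh_pk = dh_keygen(rng)
    client_key = hybrid_secret(client_kem_ss, dh_shared(cli_dh_sk, srv_dh_pk))
    # Server: decapsulates the ciphertext and finishes its side of DH.
    server_key = hybrid_secret(kem_decaps(kem_sk, kem_ct),
                               dh_shared(srv_dh_sk, cli_dh_pk))
    return {"client_key": client_key, "server_key": server_key, "kem_ciphertext": kem_ct}


if __name__ == "__main__":
    result = run_exchange()
    print("both sides derived the same key:", result["client_key"] == result["server_key"])
```

The asymmetry is visible in the call shapes: `kem_encaps` takes only the peer's public key and returns a ciphertext plus the secret the sender alone chose, while `dh_shared` is called symmetrically by both sides with their own secret and the other's share. Modifying the KEM ciphertext in transit yields a different decapsulated secret rather than an error, which is why real protocols bind the transcript with a signature and a key-confirmation step.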