Comment by Havoc

1 day ago

Makes sense to get ahead of this. Especially when it’s a pretty trivial key swop.

Which of the two options given is stronger? Presumably the 512 one?

They're not the same, they're completely different:

> Additionally, all the post-quantum algorithms implemented by OpenSSH are "hybrids" that combine a post-quantum algorithm with a classical algorithm. For example mlkem768x25519-sha256 combines ML-KEM, a post-quantum key agreement scheme, with ECDH/x25519, a classical key agreement algorithm that was formerly OpenSSH's preferred default. This ensures that the combined, hybrid algorithm is no worse than the previous best classical algorithm, even if the post-quantum algorithm turns out to be completely broken by future cryptanalysis.

The 256 one is actually newer than the 512 one, too:

> OpenSSH versions 9.0 and greater support sntrup761x25519-sha512 and versions 9.9 and greater support mlkem768x25519-sha256.

We're nowhere near the point where there's any general concern regarding the sizes of 256 bits or 512 bits for hashes, block sizes, key sizes etc. Currently we don't need to consider the problem as a question of what time is required, because we don't have the electrical energy required to explore even a fraction of an unfathomably smaller 128 bit space. We don't have computers that can ingest such power either. "Relax, guy."

mlkem is a sane default, since it's the construction the rest of the industry is standardizing on.

  • Did a bit more research and results square with what you said. They both seem solid but NIST and friends seem to have concluded mlkem is the way
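To make the version facts in the comment above actionable, here is an added example (not from the thread or from OpenSSH): a POSIX shell snippet that takes an `ssh -V` style version string, reports which hybrid post-quantum KEX names that release supports per the quoted cut-offs (9.0+ for sntrup761x25519-sha512, 9.9+ for mlkem768x25519-sha256), and emits a `KexAlgorithms` line that prepends them to the client's defaults. The version parsing and the preference order are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Version thresholds follow the quoted
# OpenSSH statement: sntrup761x25519-sha512 from 9.0, mlkem768x25519-sha256 from 9.9.

# Extract "major minor" from a string such as "OpenSSH_9.9p1, OpenSSL 3.0.13 ...".
openssh_version() {
  printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Print the hybrid PQ KEX names available for the given version string, comma
# separated, mlkem first (it is what the industry is standardizing on).
# Returns 1 when the string is unparsable or the release predates both hybrids.
pq_kex_for_version() {
  set -- $(openssh_version "$1")
  [ -n "$1" ] || return 1
  major=$1; minor=$2; out=""
  # mlkem768x25519-sha256: OpenSSH 9.9 and later
  if [ "$major" -gt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -ge 9 ]; }; then
    out="mlkem768x25519-sha256"
  fi
  # sntrup761x25519-sha512: OpenSSH 9.0 and later
  if [ "$major" -ge 9 ]; then
    out="${out:+$out,}sntrup761x25519-sha512"
  fi
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

# Build an ssh_config line: '^' places the listed algorithms at the head of the
# default set, so classical KEX stays available as a fallback for older servers.
kex_config_line() {
  pq=$(pq_kex_for_version "$1") || return 1
  printf 'KexAlgorithms ^%s\n' "$pq"
}

# Live check on this machine when an ssh client is installed (skipped otherwise).
if command -v ssh >/dev/null 2>&1; then
  echo "local client: $(ssh -V 2>&1)"
  kex_config_line "$(ssh -V 2>&1)" || echo "no hybrid PQ KEX for this client version"
  ssh -Q kex | grep -E 'mlkem|sntrup' || echo "client advertises no hybrid PQ KEX"
fi
```

`ssh -Q kex` lists what the binary actually supports, which is the authoritative check; the version-based function only tells you what to expect before you have access to the host.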