Comment by throw0101a
2 days ago
The context of the conversation is "Bernstein's NTRU Prime", which is not present for TLS in any draft, and for SSH there are only personal / non-WG drafts.
So while some SSH folks just happened to pick NTRU after looking at the options at a particular point in time, some of the other most widely deployed systems (TLS, IPsec) will not be using it. So I'm not quite sure how defendable the "great preference" claim is.
The first SSH server that chose it was TinySSH.
Have you ever visited their site?
https://tinyssh.org/
I use this in a variety of ways, thousands of logins per day. I don't see much love for AES.
> The first SSH server that chose it was TinySSH.
Yes, I know. I mention this timeline in another one of my comments:
* > I use this in a variety of ways, thousands of logins per day. I don't see much love for AES.
So? Given its focus on low(er)-performance systems, perhaps on chips without AES-NI, it's no surprise that TinySSH does not have AES. Further, Dropbear, another implementation often used on smaller footprints, does have AES and recently added ML-KEM:
*chasil
1 day ago
Seal its fate then, and get TinySSH to drop it.