Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
thayne 5 days ago

Is there a PQC hybrid algorithm available for OpenSSH that is compliant with FIPS 140-3?

djmdjm 5 days ago | parent [-]

FIPS certification is given to an entire "cryptographic module" that includes hardware and software. "FIPS compliant OpenSSH" is therefore a misnomer, you have to certify OpenSSH running on a particular OS on particular hardware.

FIPS compliance does require use of specific algorithms. ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine. My understanding is therefore that it would be possible for mlkem768x25519-sha256 (supported by OpenSSH) to be certified.

caveat: IANAFA (I am not a FIPS auditor)

thayne 5 days ago | parent | next [-]

> you have to certify OpenSSH running on a particular OS on particular hardware

Right, but if you use the certified version of OpenSSH, it will only allow you to use certain algorithms.

> ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine. My understanding is therefore that it would be possible for mlkem768x25519-sha256 (supported by OpenSSH) to be certifie

ML-KEM is allowed, and SHA-256 is allowed. But AFAIK, x25519 is not, although finding a definitive list is a lot more difficult for 140-3 than it was for 140-3, so I'm not positive. So I don't think (but IANAFA as well) mlkem768x25519-sha256 would be allowed, although I would expect a hybrid that used ECDSA instead of x25519 would probably be ok. But again, IANAFA, and would be happy if I was wrong.

djmdjm 5 days ago | parent [-]

My understanding is that a hybrid using x25519 as the classical KEM is fine on the basis that the security of the construction rests (for the purposes of approval) on ML-KEM and can't be made worse by the other part of the hybrid algorithm.

I don't have a definitive reference for this though.

throw0101a 4 days ago | parent | prev [-]

> * ML-KEM is NIST approved and AFAIK NIST is on record saying that hybrid KEMs are fine.*

See perhaps §3.2, PQC-Classical Hybrid Protocols from interim report "Transition to Post-Quantum Cryptography Standards" (draft):

* https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.p...

No algorithm explicitly mentioned, but the general idea/technique discussed.