Skip to content

ssh-key: add ML-DSA keys (draft-sfluhrer-ssh-mldsa)#565

Draft
quexten wants to merge 5 commits into
RustCrypto:masterfrom
quexten:ml-dsa
Draft

ssh-key: add ML-DSA keys (draft-sfluhrer-ssh-mldsa)#565
quexten wants to merge 5 commits into
RustCrypto:masterfrom
quexten:ml-dsa

Conversation

@quexten

@quexten quexten commented Jul 4, 2026

Copy link
Copy Markdown

Implements support for ML-DSA keys and cert keys, as specified in https://www.ietf.org/archive/id/draft-sfluhrer-ssh-mldsa-02.html.

Please note, support for adopting the draft seems good, but it is still a draft. This is added to the Cargo.toml as a comment on the feature.

@baloo

baloo commented Jul 6, 2026

Copy link
Copy Markdown
Member

That's still a draft in https://www.ietf.org/archive/id/draft-sfluhrer-ssh-mldsa-02.html right?
That's not implemented in openssh itself as far as I can see.

@quexten

quexten commented Jul 6, 2026

Copy link
Copy Markdown
Author

@baloo Yes.

OpenSSH implements experimental support for draft-miller-sshm-mldsa44-ed25519-composite-sigs as of yesterdays release. A tool called SmartFTP https://www.smartftp.com/en-us/client/features/ssh implements experimental support for draft-sfluhrer-ssh-mldsa. Termius apparently also implements support for draft-sfluhrer-ssh-mldsa.

The current IETF discussion seems to lean towards implementing the pure PQ-sigs first, then later adopting / standardizing a hybrid construction. https://mailarchive.ietf.org/arch/msg/ssh/ys0vs2HtcPNSsJVLyGzN2vnXmQE/. There is an experimental set of patches for openssh and libssh too: https://mailarchive.ietf.org/arch/msg/ssh/rOlwUqiVbUueYh_BVkOzG5pLv4U/ / https://github.com/beldmit/openssh-ietf126-hackathon .

From my perspective, I'd like to test and verify that the implementation interoperates correctly with the above implementations. Then, I'm happy to upstream, given that it's behind a compile time flag / opt-in.

From RustCrypto's side, would you prefer this only to be upstreamed once the standard is finalized, or is it fine to upstream as long as we are reasonable certain that draft-sfluhrer-ssh-mldsa (or slight modifications of it) will be adopted?

@baloo

baloo commented Jul 6, 2026

Copy link
Copy Markdown
Member

Speaking personally, I'm fine with merging a draft. I appreciate the draft to be behind a feature-flag (to track what comes from the draft mostly).

We might want to comment about the draft in the Cargo.toml feature flag.

@quexten quexten changed the title Implement ML-DSA Implement ML-DSA support (draft-sfluhrer-ssh-mldsa) Jul 8, 2026
Comment thread ssh-key/src/algorithm.rs
const CERT_SK_SSH_ED25519: &str = "sk-ssh-ed25519-cert-v01@openssh.com";

/// OpenSSH certificate for ML-DSA-44 public key
const CERT_MLDSA_44: &str = "ssh-mldsa-44-cert-v01@openssh.com";

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please note, these were not actually specified in any draft, but the match later expected all algorithms to have a cert identifier, so I extrapolated what this would likely be called.

@quexten quexten force-pushed the ml-dsa branch 2 times, most recently from 41588a9 to da9aa44 Compare July 8, 2026 17:53
@quexten quexten changed the title Implement ML-DSA support (draft-sfluhrer-ssh-mldsa) feat: add ML-DSA keys (draft-sfluhrer-ssh-mldsa) Jul 8, 2026
@quexten quexten changed the title feat: add ML-DSA keys (draft-sfluhrer-ssh-mldsa) ssh-key: add ML-DSA keys (draft-sfluhrer-ssh-mldsa) Jul 8, 2026
Comment thread ssh-key/src/public/mldsa.rs Outdated

/// Raw FIPS 204 public key bytes.
/// <https://sfluhrer.github.io/ssh-mldsa/draft-sfluhrer-ssh-mldsa.html#name-public-key-format>
key: Vec<u8>,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should use something similar to EcdsaPublicKey and have an enum that wraps mldsa::EncodedVerifyingKey. That would push the serialization / sizing errors over the serializer instead of having them in the verifier logic.

Comment thread ssh-key/src/public.rs Outdated
@@ -9,6 +9,8 @@ mod ecdsa;
mod ed25519;
mod key_data;
#[cfg(feature = "alloc")]

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

only gate on feature "mldsa", the alloc logic should be handled by ml-dsa (it uses MaybeBox internally (there might be a "bug"/oversight on the EncodedVerifyingKey, but this is on the ml-dsa side))

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants