Paper 2025/684

Post-quantum Cryptographic Analysis of SSH

Benjamin Benčina, Royal Holloway University of London
Benjamin Dowling, King's College London
Varun Maram, SandboxAQ
Keita Xagawa, Technology Innovation Institute
Abstract

The Secure Shell (SSH) protocol is one of the first security protocols on the Internet to upgrade itself to resist attacks by future quantum computers: since April 2022, OpenSSH has by default used a hybrid key exchange designed to be quantum-resistant and, failing that, still classically secure. However, the literature lacks a comprehensive security analysis of this quantum-resistant version of SSH: related works either focus on the hybrid key exchange in isolation and do not consider the security of the overall protocol, or analyze the protocol in security models which are not appropriate for SSH, especially in the post-quantum setting. In this paper, we remedy this state of affairs by providing a thorough post-quantum cryptographic analysis of SSH. We follow a "top-down" approach: we first prove security of SSH in a more appropriate model, namely our post-quantum extension of the authenticated and confidential channel establishment (ACCE) protocol security model; this extension, which captures "harvest now, decrypt later" attacks, may be of independent interest. Then, guided by the protocol-level ACCE analysis, we establish the cryptographic properties that SSH's underlying primitives, as concretely instantiated in practice, must satisfy: for example, we prove the relevant properties of Streamlined NTRU Prime, the key encapsulation mechanism (KEM) used in recent versions of OpenSSH and TinySSH, in the quantum random oracle model, and address open problems related to its analysis in the literature. Notably, our ACCE security analysis of post-quantum SSH relies only on IND-CPA security of the ephemeral KEMs used in the hybrid key exchange, whereas prior works rely on the stronger assumption of IND-CCA secure ephemeral KEMs. Hence we conclude the paper with a discussion on potentially replacing the IND-CCA secure KEMs in current post-quantum implementations of SSH with simpler and faster IND-CPA secure counterparts, and provide the corresponding benchmarks.
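The hybrid key exchange the abstract refers to, as an added example (this is the editor's code, not the paper's and not OpenSSH's): it follows the message layout of OpenSSH's sntrup761x25519-sha512@openssh.com, where the client sends KEM public key || X25519 public key, the server answers KEM ciphertext || X25519 public key, and both sides derive K = SHA-512(ss_KEM || ss_X25519). X25519 is implemented inline from RFC 7748 so the block runs offline. The post-quantum KEM is an assumed stand-in: a hashed-DH KEM over X25519 (not post-quantum) that only has the keygen/encaps/decaps shape sntrup761 would provide; the names DhKem, client_init, server_reply, client_finish and run_handshake are the example's own. The KEM key pair is generated fresh inside the handshake and used once, which is the "ephemeral" usage the paper's IND-CPA result is about.

```python
"""Hybrid KEM + X25519 key exchange in the shape of OpenSSH's
sntrup761x25519-sha512.  Added example, not code from the paper or OpenSSH.
The PQ KEM below is a stand-in (assumption); X25519 is pure Python and not
constant-time, so this is for study, not production."""
import hashlib
import secrets

# --- X25519 (RFC 7748) -------------------------------------------------------
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5."""
    k = _clamp(scalar)
    ub = bytearray(u)
    ub[31] &= 127                      # ignore the unused top bit of u
    x1 = int.from_bytes(ub, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


# --- Stand-in KEM (assumption: NOT post-quantum) -----------------------------
class DhKem:
    """Hashed-DH KEM over X25519.  Only the keygen/encaps/decaps interface
    matters here; a real deployment would plug in sntrup761 (pk 1158 B,
    ct 1039 B, ss 32 B) behind the same three calls."""
    PK_LEN = 32
    CT_LEN = 32

    @staticmethod
    def keygen():
        sk = secrets.token_bytes(32)
        return sk, x25519(sk, BASEPOINT)

    @staticmethod
    def encaps(pk: bytes):
        e = secrets.token_bytes(32)
        ct = x25519(e, BASEPOINT)
        return ct, hashlib.sha256(x25519(e, pk) + ct + pk).digest()

    @staticmethod
    def decaps(sk: bytes, ct: bytes) -> bytes:
        pk = x25519(sk, BASEPOINT)
        return hashlib.sha256(x25519(sk, ct) + ct + pk).digest()


# --- Hybrid combiner, OpenSSH layout -----------------------------------------
def _x25519_shared(sk: bytes, peer_pk: bytes) -> bytes:
    ss = x25519(sk, peer_pk)
    if ss == bytes(32):               # low-order peer point; OpenSSH rejects this too
        raise ValueError("invalid X25519 peer public key")
    return ss


def combine(ss_kem: bytes, ss_x: bytes) -> bytes:
    """K = SHA-512(ss_KEM || ss_X25519).  Breaking X25519 later (harvest now,
    decrypt later) still leaves ss_KEM unknown; breaking the KEM leaves ss_X."""
    return hashlib.sha512(ss_kem + ss_x).digest()


def client_init(kem):
    """KEX_ECDH_INIT: fresh KEM keypair + fresh X25519 keypair, both ephemeral.
    The KEM key is used for exactly one decapsulation and then discarded."""
    kem_sk, kem_pk = kem.keygen()
    x_sk = secrets.token_bytes(32)
    return (kem_sk, x_sk), kem_pk + x25519(x_sk, BASEPOINT)   # state, Q_C


def server_reply(kem, q_c: bytes):
    """KEX_ECDH_REPLY: encapsulate to the client's KEM key, do X25519, derive K."""
    if len(q_c) != kem.PK_LEN + 32:
        raise ValueError("bad KEX_ECDH_INIT payload length")
    kem_pk, x_pk_c = q_c[:kem.PK_LEN], q_c[kem.PK_LEN:]
    ct, ss_kem = kem.encaps(kem_pk)
    x_sk = secrets.token_bytes(32)
    k = combine(ss_kem, _x25519_shared(x_sk, x_pk_c))
    return k, ct + x25519(x_sk, BASEPOINT)                     # K, Q_S


def client_finish(kem, state, q_s: bytes) -> bytes:
    if len(q_s) != kem.CT_LEN + 32:
        raise ValueError("bad KEX_ECDH_REPLY payload length")
    kem_sk, x_sk = state
    ct, x_pk_s = q_s[:kem.CT_LEN], q_s[kem.CT_LEN:]
    return combine(kem.decaps(kem_sk, ct), _x25519_shared(x_sk, x_pk_s))


def run_handshake(kem=DhKem, tamper_ct: bool = False):
    """Run both sides; optionally flip a bit of the KEM ciphertext in transit."""
    state, q_c = client_init(kem)
    k_server, q_s = server_reply(kem, q_c)
    if tamper_ct:
        q_s = bytes([q_s[0] ^ 1]) + q_s[1:]
    return client_finish(kem, state, q_s), k_server


if __name__ == "__main__":
    kc, ks = run_handshake()
    print("keys match:", kc == ks, "len(K) =", len(kc))
```

Replacing DhKem with a binding to a real sntrup761 implementation changes nothing in the combiner; the length checks then use 1158 and 1039 for the public key and ciphertext. The all-zero check on the X25519 output mirrors the invalid-point rejection OpenSSH performs on its side of the exchange.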

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. 46th IEEE Symposium on Security and Privacy, S&P 2025
Keywords
Secure Shell (SSH), post-quantum, hybrid key exchange, OpenSSH, ACCE protocol, Streamlined NTRU Prime, QROM, CPA v/s CCA
Contact author(s)
benjamin bencina 2022 @ live rhul ac uk
benjamin dowling @ kcl ac uk
varun maram @ sandboxaq com
keita xagawa @ tii ae
History
2025-04-16: approved
2025-04-15: received
Short URL
https://ia.cr/2025/684
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2025/684,
      author = {Benjamin Benčina and Benjamin Dowling and Varun Maram and Keita Xagawa},
      title = {Post-quantum Cryptographic Analysis of {SSH}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2025/684},
      year = {2025},
      url = {https://eprint.iacr.org/2025/684}
}