PuTTY wish ml-kem


summary: Implement the post-quantum ML-KEM key encapsulation method
class: wish: This is a request for an enhancement.
present-in: 0.82
fixed-in: e98615f0ba2d20607b13169e4dd9966da082139c (0.83)

PuTTY 0.83 now implements a second method of post-quantum key exchange. The new method, ML-KEM, was formerly known as "Crystals: Kyber", and is standardised by NIST in FIPS 203.

As with our existing support for NTRU Prime, PuTTY implements ML-KEM only in hybrid forms, running an existing classical key exchange method in parallel with it, and hashing both outputs. So an attacker must break both to derive your session keys. This protects against the risk of the new algorithm having a flaw not yet found, and the risk of a quantum computer being built that can attack the old algorithm, so there's only a problem if both of those happen.

PuTTY supports a hybrid of ML-KEM with Curve25519, and also two hybrids of it with NIST elliptic curve systems. At the time of writing this, OpenSSH 9.9 also supports the Curve25519 hybrid, and AsyncSSH supports all three.
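To check which of these hybrids a peer actually offers, the added example below (not PuTTY's code) parses the kex_algorithms list out of an SSH_MSG_KEXINIT payload as laid out in RFC 4253 and reports the hybrid methods it finds. The method names are assumptions not given on this page, taken from OpenSSH and the SSH hybrid key exchange Internet-Drafts; the helper names and the sample payloads are constructed for illustration.

```python
import struct

# SSH method names for the hybrids this page describes. The names are not given
# on the page; they are the ones used by OpenSSH and the SSH hybrid-KEX drafts.
HYBRID_KEX = {
    "mlkem768x25519-sha256": "ML-KEM-768 + Curve25519",
    "mlkem768nistp256-sha256": "ML-KEM-768 + NIST P-256",
    "mlkem1024nistp384-sha384": "ML-KEM-1024 + NIST P-384",
    "sntrup761x25519-sha512": "NTRU Prime + Curve25519",
    "sntrup761x25519-sha512@openssh.com": "NTRU Prime + Curve25519",
}
SSH_MSG_KEXINIT = 20

def kex_algorithms(payload: bytes) -> list[str]:
    """Return the kex_algorithms name-list from an SSH_MSG_KEXINIT payload (RFC 4253, 7.1)."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    # Layout: 1-byte type, 16-byte cookie, then uint32 length + comma-separated ASCII names.
    (length,) = struct.unpack_from(">I", payload, 17)
    names = payload[21:21 + length]
    if len(names) != length:
        raise ValueError("truncated name-list")
    return names.decode("ascii").split(",") if names else []

def audit(payload: bytes) -> dict:
    """Classify a peer's offer: which hybrids it lists and whether one is listed first."""
    offered = kex_algorithms(payload)
    hybrids = [n for n in offered if n in HYBRID_KEX]
    return {
        "hybrids": hybrids,
        "first_choice_is_hybrid": bool(offered) and offered[0] in HYBRID_KEX,
        "classical_only": not hybrids,
    }

def build_kexinit(kex: list[str]) -> bytes:
    """Constructed sample: a KEXINIT payload with only the field this audit reads filled in."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    rest = b"".join(name_list([]) for _ in range(9))  # the nine other name-lists, left empty
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + name_list(kex) + rest + b"\x00" + bytes(4)

if __name__ == "__main__":
    modern = build_kexinit(["mlkem768x25519-sha256", "curve25519-sha256"])
    legacy = build_kexinit(["curve25519-sha256", "diffie-hellman-group14-sha256"])
    print(audit(modern))
    print(audit(legacy))
```

The payload here is the KEXINIT message body after SSH binary packet framing has been removed, which is how packet-capture dissectors and most SSH libraries expose it.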

(last revision of this bug record was at 2024-12-20 13:20:02 +0000)