ML-KEM is Kyber, the lattice-based winner of the NIST PQ KEM competition (think of a KEM as a public-key encryption and delivery of a key, as opposed to Diffie Hellman, in which both sides agree on a key together). It's a key establishment mechanism that resists quantum attacks.
Kyber? For some reason I hear that and think "isn't that the PQ with a foundational Assumption(!) that's been proven trivial for binary computers to break?"
Completely unrelated algorithms; it might be hard to come up with two algorithms less related to each other than module lattices LWE and supersingular isogeny graph Diffie Hellman --- even the outcomes of the two algorithmic approaches are different (SIDH was attractive because it gives you a Diffie Hellman, and Kyber gives you a KEM).
(I just want to make it clear that this isn't a lingering concern about lattice cryptography, fwiw.)
For what it's worth: Damien Miller has commented repeatedly here that OpenSSH did NTRU before the NIST competition completed, and they always planned to add the NIST PQ winner.
Your sysadmin will indeed be confused, since ML-KEM public keys are not used for authenticating and are generated by the client and server automatically, analogous to Diffie-Hellman.
You can confuse them (albeit much less) when OpenSSH adds support for one of the PQ DSAs.
16 comments
[ 6.1 ms ] story [ 41.8 ms ] thread(Also not a cryptographer)
PQ = Post Quantum (cryptography)
KEM = Key Encapsulation Method
(I just want to make it clear that this isn't a lingering concern about lattice cryptography, fwiw.)
* https://www.openssh.com/txt/release-9.9
* https://www.openssh.com/releasenotes.html#9.9p1
* https://security.googleblog.com/2024/09/a-new-path-for-kyber...
Draft for adding it to TLS (1.3):
* https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe...
Probably will use this on my homelab though.
You can confuse them (albeit much less) when OpenSSH adds support for one of the PQ DSAs.