Post-quantum cryptography has arrived by default with the release of OpenSSH 9 and the adoption of the hybrid Streamlined NTRU Prime + x25519 key exchange method.
"The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo," the release notes said.
"We are making this change now (i.e. ahead of cryptographically-relevant quantum computers) to prevent 'capture now, decrypt later' attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available."
As work on quantum computers inches forward, protecting against future attacks has similarly increased. Thanks to the massive parallelism expected from workable quantum computers, it is believed traditional cryptography will be trivial to crack once such a machine is built.
"Securing NATO's communications for the quantum era is paramount to our ability to operate effectively without fear of interception," principal scientist Konrad Wrona said at the time.
"The trial started in March 2021. The trial was completed in early 2022. Quantum computing is becoming more and more affordable, scalable and practical. The threat of 'harvest now, decrypt later' is one all organizations, including NATO, are preparing to respond to."
Elsewhere in the OpenSSH release that was mostly focused on bug fixes, the SCP command has been moved from its default legacy protocol to using SFTP even though it brings with it several incompatibilities, such as not supporting wildcards with remote filenames or expanding a ~user path, although the latter is supported through an extension.