Open VA1DER opened 2 months ago
I should also add, RSA is also the current champion for post-quantum host-key signatures in that a 256-bit grade RSA key (RSA 15360-bit or better) would require only 32768 qubits, but something like 1-2 billion quantum gates. This is far beyond any reasonable expectation of existence in the near-to-medium future. We may see qubit counts in the 32k range in the near-ish future, but nothing like that number of gates is on any sightable horizon.
One of TinySSH's stated "features" is that it uses "no older cryptographic primitives - rsa, dsa, classic diffie-hellman, hmac-md5, hmac-sha1, 3des, arcfour, …" While I would agree that almost all the crypto in that list is in need of removal, I am quite surprised by RSA being on that list.
I would like to see RSA host key support added to TinySSH.
All the best ciphers use a 256-bit session key. There is currently no way to protect this with a host key of equivalent strength. ed25519 is a great primitive, but far weaker than the session key it protects. There is a very basic rule that you never transmit keymat over a channel that is less secure than the security level of the keymat being transferred.
The only current host key primitive able to provide 256-bit grade host/client identity assurance is RSA.