A from-scratch post-quantum SSH replacement with 17 features OpenSSH doesn't have. Every critical component carries formal mathematical proofs of correctness — not tested, proven.
17 capabilities that don't exist in OpenSSH at any configuration level. Not extensions — architectural differences.
OpenSSH uses RSA/ECDSA/Ed25519 — all broken by Shor's algorithm. qssh uses Falcon-512 (lattice-based, 666-byte signatures) and SPHINCS+ (hash-based, stateless) — both NIST-selected, both quantum-resistant.
Every packet on the wire is exactly 768 bytes. Data, keepalives, control messages — all identical size. OpenSSH leaks metadata through variable packet sizes (keystrokes vs file transfers are distinguishable). qssh frames are indistinguishable to network observers.
qssh combines ML-KEM-768 (post-quantum lattice KEM) with X25519 (classical ECC) — if either is broken, the other still protects the session. OpenSSH uses single-family ECDH only.
Pluggable quantum entropy from KIRQ Hub, Crypto4A HSM, or local /dev/qrandom devices — always mixed with OS entropy for defense in depth. OpenSSH uses OS RNG only.
Direct support for quantum key distribution protocols — information-theoretic security. OpenSSH has no QKD integration at all.
Six progressive security levels from classical compatibility through full hybrid quantum. OpenSSH has a single security model.
Dummy frame injection (30% probability), encrypted timestamps and sequence numbers in frame headers, random padding fills all unused payload space, configurable stealth mode. OpenSSH leaks timing, packet count, and size metadata constantly.
Falcon-512 and SPHINCS+ signed certificates for both users and hosts — with serial numbers, principal constraints, validity periods, and revocation. OpenSSH certificates exist but use quantum-vulnerable RSA/ECDSA.
30 Kani bounded model checking proofs, 20 Verus deductive proofs, and 67 Lean 4 mathematical theorems — zero sorries. OpenSSH has zero formal verification.
Signal-style ratcheting key derivation — compromising one session key doesn't decrypt past or future messages. OpenSSH lacks per-message forward secrecy.
Emergency fallback using pure hash-based signatures (no number theory). If Falcon and SPHINCS+ are ever broken, Lamport OTS provides last-resort quantum resistance using only SHA-256.
Unix socket signing daemon with mlock(2) preventing key swap to disk, per-key rate limiting (60 signs/minute), JSONL audit log with SHA-256 hash chain, and Argon2id passphrase protection. OpenSSH's ssh-agent has none of these.
AES-256 has reduced quantum security (~128 bits via Simon's algorithm). qssh uses a SHA3-256 counter-mode stream cipher, maintaining full 256-bit security against quantum adversaries.
Direct peer-to-peer connections with NAT traversal (STUN/TURN) — no sshd daemon needed. OpenSSH always requires a listening server.
Encrypted session tickets for fast reconnection — designed for mobile networks where connections drop. OpenSSH recreates the full handshake on every disconnect.
The entire crypto stack is pure Rust. No C reference implementations, no FFI, no segfaults, no memory corruption class. OpenSSH is C with decades of CVEs.
qssh does not speak the SSH wire protocol. This is intentional — SSH's variable-length records, plaintext version strings, and algorithm negotiation all leak metadata. qssh was designed post-quantum from scratch with no legacy constraints.
Data, keepalives, control messages — all identical on the wire. Encrypted headers, encrypted sequence numbers, random padding. No metadata leakage.
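The constant-size framing described above, as an added Rust example (not qssh's own code). The 3-byte header layout, the `Kind` enum and the function names are assumptions made for illustration, and the sketch covers only the padding layer that would sit underneath encryption; it does not encrypt the header as the page says qssh does.

```rust
use std::{fs::File, io::Read};

const FRAME_LEN: usize = 768; // constant wire size stated on the page
const HDR_LEN: usize = 3; // assumed layout: kind (1 byte) + payload length (u16, big-endian)
const MAX_PAYLOAD: usize = FRAME_LEN - HDR_LEN;

#[derive(Debug, Clone, Copy, PartialEq)]
enum Kind { Data, Keepalive, Dummy } // hypothetical frame kinds, encoded as 0, 1, 2

/// Build one frame: header, payload, then random padding up to FRAME_LEN.
fn seal(kind: Kind, payload: &[u8]) -> [u8; FRAME_LEN] {
    assert!(payload.len() <= MAX_PAYLOAD, "caller must chunk first");
    let mut frame = [0u8; FRAME_LEN];
    // Fill the whole frame with OS randomness first so unused space is never zeros.
    File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut frame)).expect("OS RNG");
    frame[0] = kind as u8;
    frame[1..HDR_LEN].copy_from_slice(&(payload.len() as u16).to_be_bytes());
    frame[HDR_LEN..HDR_LEN + payload.len()].copy_from_slice(payload);
    frame
}

/// Split a message of any length into constant-size data frames.
fn frame_message(msg: &[u8]) -> Vec<[u8; FRAME_LEN]> {
    if msg.is_empty() { return vec![seal(Kind::Data, msg)]; }
    msg.chunks(MAX_PAYLOAD).map(|c| seal(Kind::Data, c)).collect()
}

/// Parse a received frame; reject wrong sizes, unknown kinds and bad lengths.
fn open(frame: &[u8]) -> Result<(Kind, Vec<u8>), &'static str> {
    if frame.len() != FRAME_LEN { return Err("wrong frame size"); }
    let kind = match frame[0] {
        0 => Kind::Data, 1 => Kind::Keepalive, 2 => Kind::Dummy,
        _ => return Err("unknown kind"),
    };
    let len = u16::from_be_bytes([frame[1], frame[2]]) as usize;
    if len > MAX_PAYLOAD { return Err("length exceeds frame"); }
    Ok((kind, frame[HDR_LEN..HDR_LEN + len].to_vec()))
}

fn main() {
    let key = frame_message(b"x"); // constructed input: one keystroke
    let bulk = frame_message(&[0x41u8; 2000]); // constructed input: 2000-byte transfer
    println!("keystroke: {} frame(s), bulk: {} frame(s), each {} bytes",
             key.len(), bulk.len(), FRAME_LEN);
}
```

Constant size hides the length of each individual message but not the number of frames sent, which is the gap the dummy frame injection listed among the features is meant to cover.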
A direct comparison across the dimensions that matter for post-quantum readiness.
| Feature | OpenSSH | qssh |
|---|---|---|
| Signatures | RSA, ECDSA, Ed25519 | Falcon-512, SPHINCS+ |
| Key Exchange | ECDH | ML-KEM + X25519 hybrid |
| Frame Size | Variable (leaks metadata) | Constant 768 bytes |
| Quantum Entropy | No | QRNG + KIRQ + Crypto4A |
| QKD | No | BB84, E91, ETSI-QKD-014 |
| Security Tiers | One | Six (T0–T5) |
| Formal Verification | None | 117 proofs (Kani + Verus + Lean 4) |
| Forward Secrecy | Per-session only | Per-message (Double Ratchet) |
| P2P Mode | No | Yes (NAT traversal) |
| Certificates | RSA-signed | Falcon / SPHINCS+ signed |
| Language | C | Pure Rust |
Progressive security from classical compatibility to full quantum assurance. T2 is the default — post-quantum with constant-size frames out of the box.
Three independent verification tiers — from bounded model checking to deductive proofs to pure mathematics. Zero sorries. Zero axiomatized results.
Patent-free. Formally verified. Deploying now.