GitHub is introducing a hybrid post-quantum secure key exchange algorithm for SSH access when interacting with Git over SSH. The new algorithm, sntrup761x25519-sha512 (also known as [email protected]), combines Streamlined NTRU Prime (a post-quantum cryptography scheme) with the classical curve X25519. This change aims to safeguard Git data against potential future threats from quantum computers that might decrypt SSH sessions recorded today.
This update affects connections via SSH endpoints for Git data (not HTTPS) and rolled out starting September 17, 2025, for GitHub.com and non-US GitHub Enterprise Cloud regions. The US region is excluded initially because stricter FIPS cryptographic standards apply there, and the new algorithm isn’t yet FIPS-approved. GitHub Enterprise Server 3.19 will also include the new post-quantum option.
For those unfamiliar, Post-quantum cryptography (PQC) refers to a new class of cryptographic algorithms designed to withstand attacks from quantum computers. Today’s widely used public-key algorithms, such as RSA and elliptic curve cryptography (ECC), rely on mathematical problems like integer factorization and discrete logarithms, which can be efficiently solved by sufficiently powerful quantum computers using algorithms like Shor’s. If quantum computers reach a practical scale, these schemes could be broken in seconds, posing a threat to the confidentiality and integrity of secure communications.
To address this risk, researchers and organizations, led by initiatives like the NIST Post-Quantum Cryptography Standardization Project, have developed quantum-resistant algorithms that rely on different mathematical foundations (e.g., lattice problems, code-based cryptography, multivariate equations). Many of these are now being integrated into real-world systems, often in hybrid modes that combine classical and PQ algorithms to provide both current interoperability and future security. PQC adoption, like GitHub’s new SSH approach, marks a critical step in future-proofing infrastructure against the quantum threat while maintaining backward compatibility today.
From the user perspective, little will change in most workflows. If your SSH client supports the new algorithm, OpenSSH 9.0 or newer, for example, it will automatically negotiate and prefer it by default, assuming your configuration hasn’t overridden defaults. Clients that don’t support it will continue using classical key exchanges without interruption. GitHub also provides commands like ssh -Q kex to list supported key exchange algorithms and ssh -v [email protected] exit | grep ‘kex: algorithm:’ to see which one is selected during a connection.
The motivation behind this move is to counter “store now, decrypt later” threats, where adversaries could collect SSH-encrypted traffic today and decrypt it in the future once quantum computers become powerful enough. By using a hybrid scheme that combines classical security with post-quantum cryptography, GitHub ensures that even if quantum computing renders current algorithms vulnerable, SSH traffic remains protected.
GitHub also notes that while the new algorithm is newer, and therefore has had less real-world exposure, it has been designed to never be weaker than existing classical key exchange methods. Looking forward, GitHub plans to monitor developments in post-quantum cryptography and expand support for additional quantum-secure key exchange algorithms, especially those that meet FIPS requirements.
OpenSSH has already been moving toward post-quantum cryptographic (PQC) algorithms. Since version 9.0 (released in April 2022), OpenSSH includes the sntrup761x25519-sha512 algorithm for key agreement, which is hybrid (combines a classical algorithm with PQC). More recently, OpenSSH 9.9 added mlkem768x25519-sha256, and by version 10.0, this has become the default scheme for key exchange. This mirrors GitHub’s move to offer hybrid post-quantum SSH key exchanges.
Similarly, SSH.com’s Tectia Quantum-Safe Edition offers hybrid and quantum-safe SSH implementations by combining classical encryption with post-quantum algorithms such as Crystals/Kyber, FrodoKem, and NTRU. It also provides compatibility with FIPS mode and classical SSH clients/servers. Their approach is similar in offering both forward-looking PQC protections and compatibility with existing systems.
TinySSH (a minimal SSH server) has also made early moves toward hybrid PQC key exchanges as well. It supports configurations that combine NTRU Prime with ED25519 curve operations, adding quantum-forward secrecy in SSH key agreement. While TinySSH’s implementation is more experimental, it serves as an example of how smaller, focused SSH tools are also adopting hybrid PQC key-exchange models.
