Connect with us

Hi, what are you looking for?


Identity & Access

Google Releases Security Key Implementation Resilient to Quantum Attacks

Google has released the first quantum-resilient FIDO2 security key implementation as part of its OpenSK project.

Google on Tuesday released what it described as the first FIDO2 security key implementation that should be resistant to quantum attacks.

There has been significant progress in quantum computing in the past years and tech giants are increasingly focusing on quantum security. The main concern is related to encryption — current cryptography will not be able to protect information against quantum attacks, which is why quantum-resilient cryptography is needed. 

In partnership with the Swiss university ETH Zurich, Google has developed a quantum-resilient security key implementation that leverages a hybrid signature scheme involving traditional elliptic-curve cryptography (specifically ECDSA) and CRYSTALS-Dilithium, a quantum scheme that NIST recently standardized, saying it offers “strong security and excellent performance”. 

The researchers who developed the new security key implementation pointed out that a hybrid scheme is needed as some quantum-resistant algorithms have shown signs of weakness. Given that most security keys cannot be upgraded, caution is needed, Google said.  

Proof-of-concept (PoC) source code has been released as part of Google’s OpenSK project. The OpenSK project was announced in early 2020 and its goal is to provide open source code for hardware security keys. As part of the project, the tech giant also provides the resources necessary to 3D print a security key enclosure. 

“On the technical side, a large challenge was to create a Dilithium implementation small enough to run on security keys’ constrained hardware. Through careful optimization, we were able to develop a Rust memory optimized implementation that only required 20 KB of memory, which was sufficiently small enough,” Google explained in a blog post. 

“We also spent time ensuring that our implementation signature speed was well within the expected security keys specification. That said, we believe improving signature speed further by leveraging hardware acceleration would allow for keys to be more responsive,” it added.

While it will take some time until quantum attacks become a reality, Google believes the industry needs to take action as early as possible given the difficulty of widely deploying new cryptography across the internet. 

Advertisement. Scroll to continue reading.

Google hopes that its implementation will be standardized at some point and supported by all major web browsers. 

Related: Quantum Decryption Brought Closer by Topological Qubits

Related: QuSecure and Accenture Test Multi-Orbit Communications Link Using Post-Quantum Cryptography

Related: QuSecure Unveils Quantum-Resilient Communications Satellite Link

Related: News Analysis: UK Commits $3 Billion to Support National Quantum Strategy

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...