Google on Tuesday released what it described as the first FIDO2 security key implementation that should be resistant to quantum attacks.
There has been significant progress in quantum computing in the past years and tech giants are increasingly focusing on quantum security. The main concern is related to encryption — current cryptography will not be able to protect information against quantum attacks, which is why quantum-resilient cryptography is needed.
In partnership with the Swiss university ETH Zurich, Google has developed a quantum-resilient security key implementation that leverages a hybrid signature scheme involving traditional elliptic-curve cryptography (specifically ECDSA) and CRYSTALS-Dilithium, a quantum scheme that NIST recently standardized, saying it offers “strong security and excellent performance”.
The researchers who developed the new security key implementation pointed out that a hybrid scheme is needed as some quantum-resistant algorithms have shown signs of weakness. Given that most security keys cannot be upgraded, caution is needed, Google said.
Proof-of-concept (PoC) source code has been released as part of Google’s OpenSK project. The OpenSK project was announced in early 2020 and its goal is to provide open source code for hardware security keys. As part of the project, the tech giant also provides the resources necessary to 3D print a security key enclosure.
“On the technical side, a large challenge was to create a Dilithium implementation small enough to run on security keys’ constrained hardware. Through careful optimization, we were able to develop a Rust memory optimized implementation that only required 20 KB of memory, which was sufficiently small enough,” Google explained in a blog post.
“We also spent time ensuring that our implementation signature speed was well within the expected security keys specification. That said, we believe improving signature speed further by leveraging hardware acceleration would allow for keys to be more responsive,” it added.
While it will take some time until quantum attacks become a reality, Google believes the industry needs to take action as early as possible given the difficulty of widely deploying new cryptography across the internet.
Google hopes that its implementation will be standardized at some point and supported by all major web browsers.