Google says it now has a FIDO2 security key implementation that is quantum resilient, claiming it to be the first of its kind.
FIDO2 is the technological standard for passwordless solutions, such as passkeys – which are stored on device – and physical security keys. It was developed by the FIDO alliance, a cross-industry association of which Google, along with the rest of big tech, is a board member.
The new quantum resiliant implementation is part of OpenSK, which is Google’s open source security key firmware that supports both FIDO2 and FIDO U2F. According to the company, it “uses a novel ECC/Dilithium hybrid signature schema that benefits from the security of ECC against standard attacks and Dilithium’s resilience against quantum attacks.”
Hybrid resilience
This schema was codeveloped with the Swiss Federal Institute of Technology in Zurich (ETH Zürich). Google believes that the progress towards practical quantum computers becoming a reality is moving at pace, which is a major concern for the world of cryptography.
Given the outlandish theoretical speeds and abilities that quantum computers are said to achieve, they are capable of cracking standard encryption methods, something even the most powerful of today’s supercomputers can’t do.
Google maintains, however, that with quantum resilient methods, such as the Dilithium algorithm, “we now have a clear path to secure security keys against quantum attacks.”
And even though it may be some time before this brave new world of computing makes its way outside of the labs and into the hands of threat actors – somewhere between 5-50 years on some people’s reckoning – Google thinks that protecting cryptography and all that it underpins is “a massive undertaking which is why doing it as early as possible is vital.”
For security keys, this means users will need to upgrade their models, which in turn means waiting on FIDO to standardize quantum resilient cryptography for them, and for browsers to support their use.
Google took the hybrid approach as the quantum resilient Dilithium algorithm, along with others, could by themselves be vulnerable to compromise from non-quantum computers.
Recently, Google took this same hybrid approach when adding quantum resistant algorithms to Chrome, as part of its effort to make sure the internet as a whole is safe from the new technology.
Since it is open source, anyone can test out the new security key algorithm, or contribute to its research, by accessing the OpenSK from its GitHub page.
