Google Releases First Quantum-Resilient FIDO2 Key Implementation

An anonymous reader quotes a report from BleepingComputer: Google has announced the first open-source quantum resilient FIDO2 security key implementation, which uses a unique ECC/Dilithium hybrid signature schema co-created with ETH Zurich. FIDO2 is the second major version of the Fast IDentity Online authentication standard, and FIDO2 keys are used for passwordless authentication and as a multi-factor authentication (MFA) element. Google explains that a quantum-resistant FIDO2 security key implementation is a crucial step towards ensuring safety and security as the advent of quantum computing approaches and developments in the field follow an accelerating trajectory.

To protect against quantum computers, a new hybrid algorithm was created by combining the established ECDSA algorithm with the Dilithium algorithm. Dilithium is a quantum-resistant cryptographic signature scheme that NIST included in its post-quantum cryptography standardization proposals, praising its strong security and excellent performance, making it suitable for use in a wide array of applications. This hybrid signature approach that blends classic and quantum-resistant features wasn't simple to manifest, Google says. Designing a Dilithium implementation that's compact enough for security keys was incredibly challenging. Its engineers, however, managed to develop a Rust-based implementation that only needs 20KB of memory, making the endeavor practically possible, while they also noted its high-performance potential.

The hybrid signature schema was first presented in a 2022 paper (PDF) and recently gained recognition at the ACNS (Applied Cryptography and Network Security) 2023, where it won the "best workshop paper" award. This new hybrid implementation is now part of the OpenSK, Google's open-source security keys implementation that supports the FIDO U2F and FIDO2 standards. The tech giant hopes that its proposal will be adopted by FIDO2 as a new standard and supported by major web browsers with large user bases. The firm calls the application of next-gen cryptography at the internet scale "a massive undertaking" and urges all stakeholders to move quickly to maintain good progress on that front.

Dilithium?

[rossdee]

I thought Dilithium was part of the antimatter reactor of star fleet vessels.

Re:

[xforce]

Yes, just drop your credentials in the reactor. Guaranteed not to return ever.

Re:

[omnichad]

Dilithium is just Li2 - a relatively boring substance.

But Google didn't come up with the name. It was a pre-existing algorithm that seems to be named because of the algebraic lattices it uses.
https://pq-crystals.org/dilith... [pq-crystals.org]

Re:

[sinkskinkshrieks]

Only if your warp core does warp 9.

Re:

[Anubis IV]

I thought Dilithium was part of the antimatter reactor of star fleet vessels.

Different formulation. Star Fleet uses dilithium crystals.

Wait what

[backslashdot]

We’ve had dilithium all this time? What a waste, Han Solo could have used some on his Kessel run. What next Captain Kirk deprived of midi-chlorians?

Pointless

[phantomfive]

We are nowhere near getting quantum computers, so there isn't a rush to get quantum resistant encryption out there.

There is a rush to get people to use decent encryption techniques, like not hard-coding the nonce. You might as well be sending plaintext if you're going to write encryption code like that, and quantum cryptography won't save you.

Re: Pointless

[LindleyF]

When quantum is available in 10-20 years, you want all the data that becomes instantly insecure to be as old as possible.

Re: Pointless

[WaffleMonster]

When quantum is available in 10-20 years, you want all the data that becomes instantly insecure to be as old as possible.

This isn't some predicable engineering problem where progress can be charted or which volume production of quantum circuits have a reasonable chance of eventually solving.

A class of quantum computers that can break codes requires knowledge and technology that simply doesn't exist and nobody has any clue how to obtain. There exists no credible path even toward an approach that might work. In this context putting a date on when something will happen is like guessing when Elon musk will outfit his starships with warp drives.

The other thing to keep in mind Fido keys provide authentication. Whether the NSA with a quantum computer would be able to decrypt data they recorded years ago of encrypted sessions depends on the forward secure algorithms used to protect the session which by definition has nothing to do with the underlying key.

If enabling breakthroughs were ever discovered people would have time to get new keys and invalidate their old ones.

Re:

[JustAnotherOldGuy]

A class of quantum computers that can break codes requires knowledge and technology that simply doesn't exist and nobody has any clue how to obtain.

That's true today and will likely be true tomorrow, but you can bet there are loads of boffins hard at work on it, both in the military/intelligence and private sectors.

There exists no credible path even toward an approach that might work.

I don't disagree, but it's also a statement that won't be true forever. I'd wager that neither of us knows just how far alon

Re:

[AmiMoJo]

Many times in the past we have discovered that the government had access to technology well ahead of everyone else, even technology that was thought to be impossible at one point.

The most common example is the ability to crack certain encryption that was believed to be secure. Someone in the NSA or GCHQ discovered a shortcut, and even if it still needed a billion dollar computer, they have those. Even though it may seem that quantum computers can't get to the stage where they can crack this stuff, who knows

Re:

[WaffleMonster]

Many times in the past we have discovered that the government had access to technology well ahead of everyone else, even technology that was thought to be impossible at one point.

The most common example is the ability to crack certain encryption that was believed to be secure. Someone in the NSA or GCHQ discovered a shortcut, and even if it still needed a billion dollar computer, they have those. Even though it may seem that quantum computers can't get to the stage where they can crack this stuff, who knows if there is some weakness we don't know about that they *can* assist with.

There is inherently nothing wrong with hedging against the unknown and unknowable. Crypto agility allows users to switch to different algorithms with minimal disruption should a previously unknown flaw be found in an existing cipher suite with little added cost.

Even in cases where you pay an extra premium for example chaining algorithms or key exchanges in ways that insulate systems from single failures at the cost of additional resource consumption may be something viewed as prudent to some while declined

Re:

[phantomfive]

You're worried about something that probably won't exist in 20 years.

Meanwhile, there is a problem that exists today, and will still exist even if we get quantum algorithms, so solve that problem first.

And the constructions were vetted by whom?

[sinkskinkshrieks]

I'd want to know: 1. Which curves do they use? 2. Who else helped them engineer it, i.e., NIST and NSA? 3. And who (externally) vetted it? Otherwise, this seems like crafting a hammer without ever seeing what a nail looks like or what other hammers already exist.