Last week, Google unveiled its first Quantum resilient FIDO2 (Fast Identity Online) security key implementation as part of its OpenSK security keys initiative. This optimised implementation of open-source hardware employs an innovative signature scheme called an ECC/Dilithium hybrid schema. This approach leverages the strengths of ECC in defending against conventional attacks while harnessing the quantum resistance of Dilithium against potential quantum threats. 

This development surfaced shortly after Google’s recent announcement that it intends to introduce support for encryption algorithms capable of resisting quantum attacks in Chrome version 116. 

Why FIDO2?

Over the past ten years, mathematicians and engineers have worked tirelessly to prevent potential cryptographic disaster by introducing PQC (post-quantum cryptography). PQC involves encryption techniques designed to resist attacks from Quantum Computers.

FIDO2’s primary goal is to remove the need for passwords in online contexts. It was designed to establish openly accessible and licence-free standards for secure authentication without passwords on the internet. Through the FIDO2 authentication method, the conventional risks associated with username and password logins are removed and replaced by the FIDO2 standard, which is said to provide defence against prevalent online threats. 

The most-recognised version of FIDO2 implementation involves a password-less authentication method called passkeys. As of now, there are no identified methods by which passkeys can be overcome in credential phishing attacks. Numerous websites and services presently offer users the option to log in through passkeys, utilising cryptographic keys stored within security keys, smartphones, and other devices. Big Tech companies such as Microsoft and Apple also support FIDO2 security keys. 

While quantum attacks are still in the distant future, deploying cryptography at Internet scale is a massive undertaking which is why doing it as early as possible is vital. Google believes that this implementation (or a similar version) will become standardised within the FIDO2 key specification and gain backing from prominent web browsers. This move aims to safeguard users’ credentials from quantum attacks. 

Combating Quantum Attacks 

Quantum attacks are a type of cyberattacks that leverage the advanced computational capabilities of quantum computers to break certain types of cryptographic systems and algorithms. 

Quantum attacks use properties of quantum mechanics, such as superposition and entanglement, to perform calculations that would either be extremely challenging or impossible for classical computers to execute efficiently. Two specific algorithms that quantum computers use to perform these attacks are Shor’s algorithm and Grover’s algorithm. In the former method, the algorithm can factor big numbers into prime parts, possibly weakening the encryption, and in Grover’s algorithm, it focusses on searching unsorted database of times which can weaken the security of symmetric key cryptography by reducing the effective key length needed to resist exhaustive search attacks.

In the upcoming years, established data encryption protocols, including widely used public key cryptography (PKC) standards like RSA, might face vulnerabilities. A recent report by the Hudson Institute, a think tank, said that the financial sector is likely to be a primary target for future quantum attacks as the technology evolves. Furthermore, the quantum cyberattacks targeting the US financial sector could result in a staggering $3.3 trillion economic loss to the US economy. 

National Institute of Standards and Technology (NIST) points out that once the critical threshold is surpassed (referring to the point where advanced quantum computers can break current classical encryption methods), the ability to ensure the secrecy of previously stored encrypted data held by adversaries becomes futile. This emphasises the urgency in adopting quantum-resistant encryption measures today. This proactive approach is essential to safeguard data against potential breaches before the anticipated development of these quantum machines. Companies such as Microsoft, Google, and IBM are concerned about the potential security challenges that might arise due to the capabilities of quantum computers. 

In Google’s security key implementation, Dilithium used, which is a type of cryptographic algorithm that falls under the category of PQC, solves a variety of problems. For it to be broken, an attacker would have to defeat both the ECDSA (Elliptic Curve Digital Signature Algorithm) encryption and the PQC encryption that underpins its security. Furthermore, the keys it uses are tiny compared to many other PQC algorithms in circulation now.

Source: Google Blog

Google’s current approach shadows on the ‘harvest now, decrypt later’ threat, which is a type of attack strategy that leverages the assumption that current encryption methods might be vulnerable to future advancements in technology, such as quantum computers. In this scenario, attackers collect and store encrypted data intercepted from communication channels or compromised systems, with the intention of decrypting it at a later time when more powerful computational resources become available. 

Though Google had been silent on its progress on quantum computing, with this announcement of quantum resilient security key, it looks like Google has not given up on quantum as yet. 

The post Future-proofing Data with Google’s Quantum Security appeared first on Analytics India Magazine.