Quantum Leap in Authentication: PQC Helps FIDO2 Guard Against Upcoming Computing Threats
A significant security migration is taking place in modern authentication systems, especially the widely used FIDO2 standard for passwordless logins, in order to counter the impending threat posed by large-scale quantum computers. This shift entails incorporating Post-Quantum Cryptography (PQC) into security keys and protocols to guarantee ongoing safe access in a digital environment that is changing quickly.
Built on hardware-backed cryptographic techniques, FIDO2 is an industry standard that combines the FIDO Alliance's Client to Authenticator Protocol (CTAP) with the W3C Web Authentication (WebAuthn) specification. Contemporary implementations rely primarily on classical signature schemes such as RSA with SHA-256 (RS256) and ECDSA with SHA-256 (ES256). These schemes are vulnerable to attacks using Shor's algorithm, a quantum algorithm that computes discrete logarithms and factors integers in polynomial time, which undermines the core hardness assumptions of traditional public-key cryptography.
The Urgent Need for Quantum-Resilience
This move is driven primarily by the vulnerabilities that quantum computing exposes, in particular the risk of "harvest now, decrypt later" (HNDL) attacks. In an HNDL scenario, encrypted traffic is recorded and stored today and decrypted once sufficiently powerful quantum computers become available. With PQC in place, an adversary who intercepts current communications and waits for future advances in quantum cryptanalysis still cannot recover the protected secret.
During this transition phase, FIDO2 PQC security migration studies are primarily concerned with preserving a high degree of protection against both present (classical) and potential (quantum) threats.
Two Major Security Approaches:
Hybrid Signatures: The majority of early implementations, including Google's OpenSK work and other research initiatives, use hybrid signature schemes. Two cryptographic algorithms are applied together for each authentication: a well-established classical scheme (such as ECDSA) and a NIST-standardized PQC scheme (such as CRYSTALS-Dilithium). The security advantage of the hybrid approach is that if a new attack is discovered against the PQC algorithm, the classical algorithm continues to offer protection; conversely, if a quantum computer breaks the classical algorithm, the PQC algorithm remains secure.
Pure PQC: The long-term goal is to switch to pure PQC, which uses solely quantum-resistant algorithms, after these new schemes have been fully standardized and subjected to significant public cryptanalysis.
Additionally, interoperability and standardization are essential to security. The addition of PQC algorithms to the CBOR Object Signing and Encryption (COSE) codelist is a recent example of the FIDO Alliance’s active collaboration with agencies such as NIST to develop PQC-friendly specifications.
Implementation Challenges and Technical Feasibility
Compared to classical algorithms, PQC algorithms require more computation time and have larger key and signature sizes, which pose major implementation challenges. They are also more exposed to side-channel attacks, which observe physical characteristics such as power consumption. Security studies are essential for locating potential points of compromise and for designing efficient software and hardware defenses that protect the private keys stored on authenticators.
Research has shown that building quantum-resilient FIDO2 authentication flows is technically feasible, frequently using the CRYSTALS-Dilithium signature scheme and CRYSTALS-Kyber for key exchange.
The Qey: A Practical Prototype for PQC Authentication
Using a physical prototype security key called "The Qey," a research team comprising Aditya Mitra and Sibi Chakkaravarthy Sethuraman examined the practical application of a new signature algorithm, the Module Lattice-based Digital Signature Algorithm (ML-DSA), which is based on the CRYSTALS-Dilithium standard.
Hardware and Software Configuration: The Qey prototype uses a microcontroller with an ARM Cortex-A53 processor connected to a USB 2.0 connector. Because PQC needs significant processing power and hardware accelerators designed specifically for PQC are still scarce, the system is built on a simplified version of Debian. The device enumerates to the host computer as a USB Human Interface Device (HID) and identifies itself as a FIDO key.
Importantly, NIST recommends using the Open Quantum Safe (OQS) project's ML-DSA functions for the PQC algorithms. A bespoke Python implementation of the CTAP protocol provides interoperability with common FIDO2 services. In addition to supporting the ML-DSA-44 and ML-DSA-65 algorithms, the key retains ES256 as a fallback.
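A key that supports ML-DSA-44, ML-DSA-65 and ES256 has to decide, at registration time, which algorithm to use for the credential. The following is an added illustration of that authenticator-side choice, not the research team's code: it walks the relying party's WebAuthn `pubKeyCredParams` list in the RP's order, as CTAP2 makeCredential requires, and flags the case where the RP's ordering causes a PQC-capable key to fall back to classical ES256. The COSE identifier for ES256 (-7) is from RFC 9053; the ML-DSA identifiers are assumed to match the IANA COSE Algorithms registry and should be checked against it.

```python
"""Authenticator-side algorithm negotiation for a PQC-capable FIDO2 key."""
from dataclasses import dataclass
from typing import Optional, Sequence

ES256 = -7          # RFC 9053
ML_DSA_44 = -48     # assumed IANA COSE registry value; verify before use
ML_DSA_65 = -49     # assumed IANA COSE registry value; verify before use

COSE_ALG_NAMES = {ES256: "ES256", ML_DSA_44: "ML-DSA-44", ML_DSA_65: "ML-DSA-65"}
QUANTUM_RESISTANT = frozenset({ML_DSA_44, ML_DSA_65})

# What the key can do. Order here is NOT a preference: CTAP2 makeCredential
# takes the first algorithm in the RP's list that the authenticator supports,
# so the RP's ordering decides which algorithm is actually used.
AUTHENTICATOR_SUPPORTED = (ML_DSA_44, ML_DSA_65, ES256)


@dataclass(frozen=True)
class Selection:
    alg: int
    name: str
    quantum_resistant: bool


def _public_key_algs(pub_key_cred_params: Sequence[dict]) -> list:
    # WebAuthn: entries whose type is not "public-key" must be ignored.
    return [p.get("alg") for p in pub_key_cred_params
            if p.get("type") == "public-key" and isinstance(p.get("alg"), int)]


def select_algorithm(pub_key_cred_params: Sequence[dict],
                     supported: Sequence[int] = AUTHENTICATOR_SUPPORTED) -> Optional[Selection]:
    """Return the first RP-listed algorithm this key supports, or None.

    None is the case in which a real authenticator would answer with
    CTAP2_ERR_UNSUPPORTED_ALGORITHM instead of creating a credential."""
    for alg in _public_key_algs(pub_key_cred_params):
        if alg in supported:
            return Selection(alg, COSE_ALG_NAMES[alg], alg in QUANTUM_RESISTANT)
    return None


def downgraded_to_classical(pub_key_cred_params: Sequence[dict],
                            supported: Sequence[int] = AUTHENTICATOR_SUPPORTED) -> bool:
    """Audit signal for an RP: True when the RP offered a PQC algorithm but,
    because it listed a classical one first, the credential ends up ES256.
    The fix is on the RP side: list ML-DSA before ES256 in pubKeyCredParams."""
    sel = select_algorithm(pub_key_cred_params, supported)
    offered_pqc = any(a in QUANTUM_RESISTANT for a in _public_key_algs(pub_key_cred_params))
    return sel is not None and not sel.quantum_resistant and offered_pqc
```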
Performance Analysis: Performance investigation showed that the computational overhead of ML-DSA is comparatively low, even though its key and signature sizes are potentially larger than those of traditional schemes like ECDSA. Compared with current techniques, the average delay was about 10 milliseconds (10,000 microseconds), which is well within the acceptable range for authentication. For example, ML-DSA-44 authentication took an average of 17,800.6 microseconds, while ES256 authentication took 3,192.7 microseconds.
Current Resilience and Future Development
Because it implements the FIDO2 standards, The Qey resists typical attacks such as Man-in-the-Middle (MITM) (by operating solely over TLS) and phishing (by enforcing Relying Party identity verification). In addition, PQC strengthens the key's defenses against HNDL attacks.
The prototype is currently limited by the fact that its critical cryptographic secrets are stored on a MicroSD card. This decision was necessary because secure storage media that fully satisfy PQC requirements, such as Secure Elements (SE) or Trusted Platform Modules (TPM), are not yet available. The current version of The Qey is therefore susceptible to physical attacks if an attacker obtains the device. The researchers expect to address this problem through hybrid cryptographic techniques and are also investigating the addition of biometric authentication in future iterations. This study is an important step in preparing online authentication systems for the impending arrival of powerful quantum computers.