Google proposes new security keys to protect data from future quantum attacks
Even though quantum computers are still under development, researchers are already working to protect sensitive data from attacks fueled by the expected advances in computing power.
This week Google announced the release of code for a security key that uses cryptography designed to withstand decryption attempts by both traditional computers and quantum processors.
The company says its proposed implementation will allow for the creation of quantum-resilient security keys under FIDO2, the second version of a global standard for passwordless authentication.
Security keys are small physical devices that typically plug into a computer or communicate wirelessly when placed close to a device. Google’s proposal was co-developed with the ETH Zürich research university.
The code involves a new hybrid signature scheme that combines the traditional ECC algorithm and the newer Dilithium algorithm to counter quantum attacks.
ECC signatures have been in use for about two decades. Dilithium, in turn, is a “quantum safe” algorithm that the U.S. National Institute of Standards and Technology has selected as part of its potential standards for future cryptographic systems.
Researchers said they decided to create a hybrid signature as the security of Dilithium “hasn’t yet stood the test of time.”
Tests done recently on "quantum-safe" algorithms have indeed proven that they are exposed to certain kinds of traditional cyberattacks. For example, a specific implementation of CRYSTALS-Kyber is vulnerable to side-channel attacks, which use information leaked by a computer system to gain unauthorized access or extract sensitive data, researchers found.
According to Google, it's especially important to use a hybrid signature scheme for security keys as most of them can't be updated; people have to purchase new ones.
Why now?
There's no timeline for when practical quantum computers will arrive. Experts say this could happen “somewhere in the next 10 to 100 years.”
But while quantum attacks are still hypothetical, Google says that “deploying cryptography at internet scale is a massive undertaking,” so it's important to get started as soon as possible. Quantum researchers agree.
“Some technology will be around for years and some of the data it is securing may still be sensitive for many years. That suggests one needs to protect it against future threats such as quantum computers,” said Alan Woodward, professor of cybersecurity at the University of Surrey.
Woodward also believes that the development of quantum tech is a way of gaining a competitive advantage in the market: “If you can sell a product that has a degree of future-proofing it’s likely to have more traction in the market than a competitor who appears to be using ‘old fashioned’ technology,” he told Recorded Future News.
The quantum transition for security keys is expected to be gradual, as users will have to buy new ones once they are standardized and the new standard is supported by major browsers, Google said.
Users shouldn't notice the switch to a new encryption scheme, Woodward says: “Users probably have no idea what encryption scheme is being used at present and I imagine it will be the same as more post quantum encryption schemes are incorporated in products such as this key.”
What could be more bothersome is having to switch to a different physical key to fully use the new technology. In other words, you'll need to move everything that uses your current key over to the new one, he added.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.