ARTICLE Quantum safe algorithm

We are currently working on hybrid signatures for FIDO authentication. This means that to authenticate to a server, the OFFPAD needs to produce two signatures instead of one for access: a standard elliptic curve signature (ECDSA) and a post-quantum signature.

The decision to adopt hybrid signatures, a practice endorsed by security agencies in Germany, France, and other countries, is rooted in a prudent approach. While post-quantum signatures are a promising development, their relative newness and the lack of extensive implementation experience necessitate a blend of the current standard with the emerging one.

This ensures that security will be at least at the same level as today since an attacker would have to break ECDSA to impersonate the user. This holds even if the post-quantum scheme is weaker than we believe. Furthermore, if someone develops a large quantum computer, they must break both the quantum-safe signature scheme and ECDSA to impersonate the user. This leads to more robust security overall.
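As an added illustration of the "both signatures must verify" rule described above (example code written for this page, not OFFPAD or PQShield code), the following Go program signs a message with a classical ECDSA P-256 key and a second, independent key, and a verifier that fails closed unless both components check out. Go's standard library ships no Dilithium, so Ed25519 stands in for the post-quantum slot; in the real device that slot would hold the Dilithium signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// HybridSig carries two signatures over the same message; the verifier
// accepts only when BOTH are valid, so a forger must break both schemes.
type HybridSig struct {
	ECDSA []byte // ASN.1 DER ECDSA P-256 signature over SHA-256(msg)
	PQ    []byte // post-quantum component (Dilithium on the OFFPAD; Ed25519 stand-in here)
}
// HybridKey pairs a classical ECDSA key with an independent second key.
type HybridKey struct {
	EC     *ecdsa.PrivateKey
	PQPriv ed25519.PrivateKey
	PQPub  ed25519.PublicKey
}
func NewHybridKey() (*HybridKey, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &HybridKey{EC: ec, PQPriv: priv, PQPub: pub}, nil
}

// Sign produces both components over the same message bytes.
func (k *HybridKey) Sign(msg []byte) (HybridSig, error) {
	h := sha256.Sum256(msg)
	ecSig, err := ecdsa.SignASN1(rand.Reader, k.EC, h[:])
	if err != nil {
		return HybridSig{}, err
	}
	return HybridSig{ECDSA: ecSig, PQ: ed25519.Sign(k.PQPriv, msg)}, nil
}

// Verify fails closed: neither component alone is sufficient.
func Verify(ecPub *ecdsa.PublicKey, pqPub ed25519.PublicKey, msg []byte, s HybridSig) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(ecPub, h[:], s.ECDSA) && ed25519.Verify(pqPub, msg, s.PQ)
}
```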

While the US National Institute of Standards and Technology (NIST) is currently standardizing three post-quantum signature schemes, none of these have been adequately implemented in commercial security hardware yet. This means post-quantum signatures must be computed on standard microcontrollers that do not provide extra protection against side-channel attacks or key extraction, in contrast to secure elements implementing protected ECDSA signatures. It is clear that hybrid signatures are the best approach until the post-quantum signatures are both properly vetted and implemented in secure hardware.

We had to choose among the three new standardized algorithms to implement hybrid signatures: CRYSTALS-Dilithium, FALCON, and SPHINCS+. While FALCON provides the smallest public key + signature pair, the key generation and signature algorithms are very complex and require floating-point arithmetic, which is challenging to implement correctly on embedded platforms such as the OFFPAD. SPHINCS+, on the other hand, has smaller keys but is much slower and produces large signatures. Therefore, we decided on CRYSTALS-Dilithium, which is the fastest post-quantum signature scheme, has the lowest memory footprint, is much simpler to implement than the others, and has keys and signatures small enough for practical use. The implementation of CRYSTALS-Dilithium is being carried out by PQShield.

We are currently in the final phases of implementing hybrid FIDO signatures and are excited to share the results publicly when they are available for demonstration.