The End of Easy Math: Transitioning FIDO2 to PQC Standards
For decades, the foundation of digital trust has rested on a simple mathematical assumption: that certain problems, like factoring the product of two massive primes or reversing a discrete logarithm, are practically impossible for computers to solve.
These assumptions are the bedrock of the RSA and ECC (Elliptic Curve Cryptography) algorithms that secure every bank transaction, encrypted email, and VPN tunnel in use today.
However, the closer we get to the emergence of cryptographically relevant quantum computers (CRQC), the less we can rely on these assumptions. Unlike classical computers that process bits as 0s or 1s, quantum machines use qubits to explore multiple states simultaneously. Running Shor's Algorithm, a sufficiently powerful quantum computer can bypass decades of classical "hardness" and break RSA and ECC in mere minutes.
Problem Shift: From One Dimension to Many
The main development challenge of Post-Quantum Cryptography (PQC) was to identify a new set of operations that are easy to compute in one direction but have no shortcut for being reversed.
RSA and ECC rely on 'flat' mathematical structures that a quantum computer can map and bypass: it can evaluate the function for all possible inputs simultaneously and extract the periodicity of the underlying math.
PQC algorithms raise the difficulty by adding dimensions and basing their logic on lattices. A lattice is a grid of points, each point a combination of coordinates, and it can be structured to span hundreds or thousands of dimensions. Lattice-based cryptography rests on the hardness of finding the point closest to the origin in this immense multi-dimensional haystack.
If RSA is like finding a specific house on a single street (1D), and ECC is like finding a house in a city (2D), PQC is like finding a single specific atom in a galaxy-sized, thousand-dimensional grid. Even for a quantum computer, there is no 'shortcut' through that much space.
Signature Size and Speed
The transition to PQC is not just a math update; it is a fundamental shift in the "weight" and "speed" of digital security. To understand why ML-DSA is the chosen successor, we must look at how it compares to the algorithms we use today.
The Data Trade-off: Key and Signature Sizes
The most visible difference is the "bloat" in data size. Current standards like ECDSA (Elliptic Curve Digital Signature Algorithm) are incredibly lean, producing tiny signatures that fit into a single network packet.
PQC algorithms, by contrast, use larger, multi-dimensional matrices. This results in keys and signatures that are significantly larger:
Public Key: while an ECDSA public key is a mere 64 bytes, an ML-DSA public key is between roughly 2,500 and 4,800 bytes.
Signature: an ECDSA signature is typically 64 bytes; an ML-DSA signature jumps to between roughly 2,400 and 4,500 bytes.
For hardware manufacturers like AuthenTrend, this means devices must handle nearly 50x more data per authentication. This requires sophisticated data fragmentation so that, despite the larger size, the "tap-to-login" experience remains fluid and compliant with existing USB protocols.
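To make the fragmentation concrete, the following added example (not AuthenTrend's or the FIDO Alliance's code) splits a FIDO2 response into the fixed 64-byte USB HID reports used by the CTAPHID transport and reassembles it on the host side with channel and sequence checks. The framing follows the CTAP specification: an initialization packet carries CID (4 bytes), CMD (1), BCNTH and BCNTL (2) and up to 57 data bytes, and each continuation packet carries CID (4), SEQ (1) and up to 59 data bytes. The payload sizes are constructed for illustration; 2420 bytes is the ML-DSA-44 signature size given in FIPS 204.

```python
"""CTAPHID fragmentation of a FIDO2 response over 64-byte USB HID reports.

Added example, not code from AuthenTrend or the FIDO Alliance. The framing
constants come from the CTAPHID section of the CTAP specification.
"""
import math

REPORT_SIZE = 64
INIT_DATA = REPORT_SIZE - 7    # 57 bytes follow CID, CMD, BCNTH, BCNTL
CONT_DATA = REPORT_SIZE - 5    # 59 bytes follow CID, SEQ
MAX_SEQ = 0x7F                 # SEQ is 7 bits; the high bit marks an init packet
MAX_PAYLOAD = INIT_DATA + (MAX_SEQ + 1) * CONT_DATA   # 7609 bytes per message


def fragment(cid: int, cmd: int, payload: bytes) -> list[bytes]:
    """Authenticator side: split one CTAPHID message into fixed-size HID reports."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"payload {len(payload)} exceeds CTAPHID limit {MAX_PAYLOAD}")
    chan = cid.to_bytes(4, "big")
    head = chan + bytes([0x80 | cmd]) + len(payload).to_bytes(2, "big")
    reports = [head + payload[:INIT_DATA]]
    offset, seq = INIT_DATA, 0
    while offset < len(payload):
        reports.append(chan + bytes([seq]) + payload[offset:offset + CONT_DATA])
        offset += CONT_DATA
        seq += 1
    # Every report is zero-padded to the fixed HID report size.
    return [r.ljust(REPORT_SIZE, b"\x00") for r in reports]


def reassemble(reports: list[bytes]) -> tuple[int, int, bytes]:
    """Host side: check CID and SEQ continuity, strip padding, return (cid, cmd, data)."""
    init = reports[0]
    cid = int.from_bytes(init[:4], "big")
    if not init[4] & 0x80:
        raise ValueError("first report is not an initialization packet")
    cmd = init[4] & 0x7F
    bcnt = int.from_bytes(init[5:7], "big")
    data = bytearray(init[7:7 + INIT_DATA])
    for expected_seq, rep in enumerate(reports[1:]):
        if int.from_bytes(rep[:4], "big") != cid:
            raise ValueError("continuation report from a different channel")
        if rep[4] != expected_seq:
            raise ValueError(f"out-of-order continuation: got {rep[4]}, want {expected_seq}")
        data += rep[5:5 + CONT_DATA]
    return cid, cmd, bytes(data[:bcnt])


def report_count(payload_len: int) -> int:
    """How many HID reports a payload of this size occupies."""
    if payload_len <= INIT_DATA:
        return 1
    return 1 + math.ceil((payload_len - INIT_DATA) / CONT_DATA)


if __name__ == "__main__":
    # Constructed payloads: a 64-byte ECDSA P-256 signature vs a 2420-byte ML-DSA-44 one.
    for name, size in [("ECDSA P-256", 64), ("ML-DSA-44", 2420)]:
        sig = bytes(range(256)) * (size // 256) + bytes(range(size % 256))
        reports = fragment(0x01020304, 0x10, sig)   # 0x10 = CTAPHID_CBOR
        assert reassemble(reports) == (0x01020304, 0x10, sig)
        print(f"{name}: {size} bytes -> {len(reports)} HID reports")
```

The 64-byte ECDSA signature fits in two reports, the ML-DSA-44 signature needs 42, and the 7-bit sequence counter caps a single CTAPHID message at 7609 bytes, which is the limit a firmware designer has to budget the larger attestation and signature objects against.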
The Performance Paradox: Why PQC is Faster
You might assume that larger keys mean slower logins. Surprisingly, the opposite can be true.
The "Old" Way: RSA and ECC rely on modular exponentiation, raising huge numbers to even huger powers. This is computationally "heavy" and can tax a small processor.
The "New" Way: ML-DSA relies on polynomial multiplication. When optimized with a specialized math tool called the Number Theoretic Transform (NTT), these calculations are remarkably efficient.
In hardware-accelerated environments, ML-DSA can actually outperform ECDSA at verification speed. While the initial signature generation involves a "rejection sampling" loop (trying multiple times to ensure the signature is mathematically secure and short), the end-to-end verification is nearly instantaneous.
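The following added example (not AuthenTrend's code and not a standardized implementation) shows what the NTT actually buys: it multiplies two polynomials in the ML-DSA ring Z_q[x]/(x^256 + 1) from FIPS 204 (q = 8380417, n = 256) by transforming both, multiplying the 256 evaluations pointwise, and transforming back, then checks the result against a plain schoolbook product. The root of unity is found by search at import time rather than hard-coded, so the check does not depend on remembering the constant (FIPS 204 fixes zeta = 1753; any primitive 512th root gives a valid transform).

```python
"""Negacyclic polynomial multiplication in Z_q[x]/(x^256 + 1) via the NTT.

Added example, not code from AuthenTrend or a standardized library. Uses the
ML-DSA ring parameters of FIPS 204 with textbook Cooley-Tukey forward and
Gentleman-Sande inverse butterflies.
"""
import random

Q = 8380417             # ML-DSA modulus; q - 1 = 2^13 * 1023, so 512th roots of unity exist
N = 256                 # ring degree
N_INV = pow(N, -1, Q)   # 8347681, final scaling of the inverse transform


def _find_primitive_512th_root(q: int) -> int:
    """Smallest z with z^256 == -1 (mod q), i.e. a primitive 512th root of unity."""
    for g in range(2, q):
        z = pow(g, (q - 1) // 512, q)
        if pow(z, 256, q) == q - 1:
            return z
    raise ValueError("no primitive 512th root of unity")


ZETA = _find_primitive_512th_root(Q)


def _bitrev8(m: int) -> int:
    return int(f"{m:08b}"[::-1], 2)


# Twiddle factors zeta^bitrev8(m), in the order the in-place butterflies consume them.
ZETAS = [pow(ZETA, _bitrev8(m), Q) for m in range(N)]


def ntt(w: list[int]) -> list[int]:
    """Forward transform: 256 coefficients -> 256 evaluations at odd powers of zeta."""
    a = [x % Q for x in w]
    m, length = 0, N // 2
    while length >= 1:
        for start in range(0, N, 2 * length):
            m += 1
            z = ZETAS[m]
            for j in range(start, start + length):
                t = z * a[j + length] % Q
                a[j + length] = (a[j] - t) % Q
                a[j] = (a[j] + t) % Q
        length //= 2
    return a


def intt(w_hat: list[int]) -> list[int]:
    """Inverse transform: undo the butterflies in reverse order, then scale by 1/256."""
    a = list(w_hat)
    m, length = N, 1
    while length < N:
        for start in range(0, N, 2 * length):
            m -= 1
            z = -ZETAS[m] % Q
            for j in range(start, start + length):
                t = a[j]
                a[j] = (t + a[j + length]) % Q
                a[j + length] = z * (t - a[j + length]) % Q
        length *= 2
    return [N_INV * x % Q for x in a]


def schoolbook_mul(a: list[int], b: list[int]) -> list[int]:
    """Direct O(n^2) product modulo x^256 + 1, the reference to check against."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < N:
                c[k] = (c[k] + ai * bj) % Q
            else:
                c[k - N] = (c[k - N] - ai * bj) % Q   # x^256 = -1 wraps with a sign flip
    return c


def ntt_mul(a: list[int], b: list[int]) -> list[int]:
    """NTT product: two forward transforms, 256 pointwise products, one inverse."""
    return intt([x * y % Q for x, y in zip(ntt(a), ntt(b))])


def random_poly(rng: random.Random, bound: int) -> list[int]:
    """Constructed sample input: coefficients drawn uniformly from [-bound, bound]."""
    return [rng.randrange(-bound, bound + 1) % Q for _ in range(N)]


def selftest(seed: int = 2024) -> bool:
    """True when the NTT path agrees with the schoolbook path on random inputs."""
    rng = random.Random(seed)
    a = random_poly(rng, 2)        # small-coefficient poly, like an ML-DSA secret
    b = random_poly(rng, Q // 2)   # full-range poly, like a public matrix entry
    return intt(ntt(a)) == a and ntt_mul(a, b) == schoolbook_mul(a, b)


if __name__ == "__main__":
    print("zeta =", ZETA, "; NTT product matches schoolbook:", selftest())
```

The schoolbook path performs 65,536 modular multiply-adds per product; the NTT path performs three transforms of 1,024 butterflies each plus 256 pointwise products, and the transforms of fixed values (the public matrix, the secret vectors) can be computed once and cached, which is why a verification in the NTT domain is so cheap on a small core.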
| Feature | RSA / ECDSA (The Past) | ML-DSA (The Future) |
|---|---|---|
| Mathematical Base | Integer Factoring / Curves | Module-Lattices |
| Public Key Size | Very Small (32–256 bytes) | Medium-Large (over 2500 bytes) |
| Signature Size | Tiny (64–256 bytes) | Larger (over 2400 bytes) |
| Processing Speed | Moderate to Fast | Very Fast (Optimized for hardware) |
The "Safety Net" Strategy: Hybrid Authentication
As we move toward a post-quantum world, the industry faces a unique dilemma: it must deploy new quantum-resistant math to protect against future threats, yet these new algorithms lack the decades of "battle-testing" that classical methods like ECC have undergone. To resolve this, the industry has developed two main frameworks: Hybrid Compatibility and Crypto Agility.
Double-Wrapped Security
Hybrid Compatibility means the older algorithms are not simply swapped out. Instead, in a product like ATKey, authentication requests are signed using two distinct layers simultaneously:
The Classical Layer: uses a quantum-vulnerable algorithm to provide immediate compatibility and protection against all known classical attacks.
The Post-Quantum Layer: Acts as a future-proof shield that even a cryptographically relevant quantum computer cannot penetrate.
By combining these, the resulting signature is as strong as its strongest component, because an attacker must defeat both layers. If a hidden flaw is ever discovered in the new PQC math, your identity remains protected by the classical ECC layer. Conversely, when the first powerful quantum computers emerge, the PQC layer stands as an unhackable barrier.
Hybrid Compatibility ensures that today's security meets the highest standards. But this is not enough by itself to ensure that tomorrow's threats are kept at bay; that is where Crypto Agility comes into play.
Crypto Agility to Add Resilience
One of the greatest hurdles in cryptographic migration is the risk of breaking existing systems. Moreover, it is impossible to retrofit everything, especially older systems with limited computing resources.
But given the risk that vulnerabilities in new PQC algorithms will be discovered as they see wider use, it is important to have a way to retire unsafe protocols in favor of more reliable ones.
Crypto agility describes a framework in which no system or device is tied to a single cryptographic algorithm. Thanks to this flexibility, it is possible to replace outdated or vulnerable cryptography and introduce better alternatives without a complete overhaul of the systems and workflows.
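In FIDO2 the agility mechanism already exists: at registration the relying party sends pubKeyCredParams, a preference-ordered list of COSE algorithm identifiers, and the authenticator picks the first one it supports. The added example below (not AuthenTrend's code and not from any library) models that negotiation together with the re-validation step on the relying-party side that keeps a retired algorithm from being reintroduced by an old or misbehaving authenticator. ES256 (-7), EdDSA (-8), RS256 (-257) and RS1 (-65535) are registered COSE identifiers; the ML-DSA identifiers in the code are assumed placeholder values to be confirmed against the IANA COSE Algorithms registry before use.

```python
"""Algorithm negotiation at FIDO2 registration as a crypto-agility control.

Added example, not AuthenTrend's or any library's code. Models the WebAuthn
pubKeyCredParams exchange and the relying party's acceptance policy.
"""
from dataclasses import dataclass, field
from typing import Optional

ES256, EDDSA, RS256, RS1 = -7, -8, -257, -65535     # registered COSE identifiers
ML_DSA_44, ML_DSA_65, ML_DSA_87 = -48, -49, -50    # assumed placeholders; check IANA
POST_QUANTUM = {ML_DSA_44, ML_DSA_65, ML_DSA_87}


@dataclass
class RpPolicy:
    """What the relying party offers, in preference order, and what it has retired."""
    preferred: list[int]
    retired: set[int] = field(default_factory=set)
    require_post_quantum: bool = False

    def pub_key_cred_params(self) -> list[dict]:
        """The pubKeyCredParams list sent in the registration options."""
        return [{"type": "public-key", "alg": alg}
                for alg in self.preferred if alg not in self.retired]


def authenticator_select(params: list[dict], supported: set[int]) -> Optional[int]:
    """Authenticator side: the first RP-preferred algorithm it implements, else None
    (a CTAP2 authenticator then reports CTAP2_ERR_UNSUPPORTED_ALGORITHM)."""
    for p in params:
        if p["type"] == "public-key" and p["alg"] in supported:
            return p["alg"]
    return None


def rp_accept(policy: RpPolicy, params: list[dict], returned_alg: int) -> bool:
    """RP side: accept the new credential only if its algorithm was actually offered,
    is not retired, and meets the post-quantum requirement when that is switched on."""
    offered = {p["alg"] for p in params}
    if returned_alg not in offered or returned_alg in policy.retired:
        return False
    if policy.require_post_quantum and returned_alg not in POST_QUANTUM:
        return False
    return True


def register(policy: RpPolicy, authenticator_supported: set[int]) -> Optional[int]:
    """Full exchange: the negotiated algorithm, or None when registration must fail."""
    params = policy.pub_key_cred_params()
    alg = authenticator_select(params, authenticator_supported)
    if alg is None or not rp_accept(policy, params, alg):
        return None
    return alg


if __name__ == "__main__":
    # Constructed scenarios: one RP policy against three authenticator generations.
    today = RpPolicy(preferred=[ML_DSA_65, ES256, EDDSA], retired={RS1})
    print(register(today, {ES256}))               # legacy key: ES256 still accepted
    print(register(today, {ML_DSA_65, ES256}))    # PQ-capable key: ML-DSA-65 preferred
    print(register(today, {RS1}))                 # key offering only a retired alg: None
    # After the RP switches on require_post_quantum and retires ES256, nothing but
    # the policy object changes; the legacy key simply stops registering.
    later = RpPolicy(preferred=[ML_DSA_65], retired={RS1, ES256}, require_post_quantum=True)
    print(register(later, {ES256}))               # None
    print(register(later, {ML_DSA_65, ES256}))    # ML-DSA-65
```

The point of the design is that migrating from the first policy to the second touches only the policy object: no credential format, transport or verification code path has to be rewritten, and the acceptance check on the relying-party side is what stops a downgrade when an authenticator returns an algorithm the policy no longer lists.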
Preparing for "Q-Day"
Q-Day, the point at which cryptographically relevant quantum computers (CRQC) become readily available, has for a long time been postulated to be 10 years away. That '10-year' window is rapidly shrinking as researchers optimize quantum error correction:
Researchers have optimized many aspects of quantum computing, making it possible to achieve CRQCs with a manageable number of qubits.
Governmental agencies and regulators are pushing for PQC to be adopted and have agreed on algorithm standards.
But for many, this is not enough.
The "Harvest Now, Decrypt Later" Threat
The most critical misunderstanding is the belief that we can afford to wait for the first quantum computer to be built before we act. In reality, the threat is active today. Sophisticated adversaries are currently engaging in "Harvest Now, Decrypt Later" (HNDL) attacks, exfiltrating and storing vast amounts of encrypted sensitive data today with the intent to unlock it the moment quantum hardware reaches maturity. If your data has a shelf life of more than five years, be it intellectual property, healthcare records, or government secrets, it is already at risk.
