Google Cloud has rolled out quantum-safe digital signatures for its Cloud Key Management Service (Cloud KMS), now available in preview.
This update aligns with the National Institute of Standards and Technology’s (NIST) post-quantum cryptography (PQC) standards, aiming to protect sensitive data from the future risks of quantum computing.
Cloud KMS, Google Cloud’s encryption key management tool, has traditionally relied on public-key cryptography methods like RSA and ECC. However, these methods face potential threats from quantum computing advancements, particularly through “harvest now, decrypt later” (HNDL) attacks. While quantum computers capable of breaking traditional encryption don’t exist yet, experts warn that the risk is too significant to ignore, especially after Microsoft’s recent Majorana 1 chip breakthrough.
To counter this, Google is integrating quantum-resistant cryptography into both Cloud KMS (software) and Cloud HSM (hardware security modules). The update includes two new PQC algorithms: ML-DSA-65 (FIPS 204), a lattice-based digital signature algorithm, and SLH-DSA-SHA2-128S (FIPS 205), a stateless hash-based digital signature algorithm. These cryptographic implementations will be open-source via BoringCrypto and Tink libraries, ensuring transparency and enabling independent security audits.
Google encourages organizations to start testing and integrating these quantum-safe algorithms into their existing security frameworks. The company also welcomes feedback from early adopters to refine the implementation before a wider rollout.
