Google Cloud introduces quantum-safe digital signatures in KMS

Google Cloud has introduced quantum-safe digital signatures to its Cloud Key Management Service (Cloud KMS), making them available in preview.

The tech giant says this initiative aligns with the National Institute of Standards and Technology's (NIST) post-quantum cryptography (PQC) standards, addressing future risks of quantum computing breaking classic encryption schemes.

With Google Cloud being used by financial institutions, large enterprises, government agencies, critical infrastructure units, and software developers, the introduction of quantum-safe encryption is crucial for safeguarding sensitive data from advanced attacks.

Quantum-ready Cloud KMS

Cloud KMS is Google Cloud's encryption key management tool used for securely generating, storing, and managing cryptographic keys that encrypt and sign data.

By using conventional public-key cryptography such as RSA and ECC, customers run the risk of having their data exposed in the future via what is known as 'harvest now, decrypt later' (HNDL) attacks.

Although quantum computers capable of breaking current encryption schemes do not exist yet, all experts agree that the HNDL risk is too high to ignore. This concern is further heightened by Microsoft's announcement of its Majorana 1 chip breakthrough, representing a crucial step toward building a future quantum computer.

To help future-proof our data, Google is now integrating quantum-resistant cryptography into Cloud KMS (software) and Cloud HSM (hardware security modules).

The two algorithms that are adopted are ML-DSA-65 (FIPS 204), a lattice-based digital signature algorithm, and SLH-DSA-SHA2-128S (FIPS 205), a stateless hash-based digital signature algorithm.

"Today, we're excited to announce quantum-safe digital signatures (FIPS 204/FIPS 205) in Google Cloud Key Management Service (Cloud KMS) for software-based keys, available in preview," reads Google's announcement.

"We're also sharing a high-level view into our post-quantum strategy for Google Cloud encryption products, including for Cloud KMS and our Hardware Security Modules (Cloud HSM)."

Cloud KMS now allows users to sign and verify digital signatures using these new PQC algorithms, just like they would with classical cryptography.

The cryptographic implementations will be open-source (via BoringCrypto and Tink libraries), maintaining transparency and allowing independent security audits.

Google invites organizations to start testing and integrating quantum-resistant algorithms into existing deployments and report their feedback to help iron out any problems.