Google announced on Thursday the development of quantum-safe digital signatures (FIPS 204/FIPS 205) in Google Cloud Key Management Service (Cloud KMS) for software-based keys. This is available in preview.
The search giant also provided a high-level view into its post-quantum strategy for Google Cloud encryption products, including Cloud KMS and the Cloud Hardware Security Module (Cloud HSM).
Mounting concern over public-key cryptography systems
This is significant, the company said, because the security of many of the world’s most widely used public-key cryptography systems has increasingly become a concern as experimental quantum computing continues to advance. Large, cryptographically-relevant quantum computers have the potential to break these algorithms.
However, post-quantum cryptography (PQC) can use existing hardware and software to mitigate these risks. New PQC standards from the National Institute of Standards and Technology (NIST) became available in August 2024, enabling tech vendors around the world to begin PQC migrations.
“At Google, we take post-quantum computing risks seriously,’’ wrote Jennifer Fernick, a senior staff security engineer, and Andrew Foster, engineering manager of Cloud KMS, in a Google Cloud blog post. “We began testing PQC in Chrome in 2016, we’ve been using PQC to protect internal communications since 2022, and we’ve taken additional quantum-computing protective measures in Google Chrome, Google’s data center servers, and in experiments for connections between Chrome Desktop and Google products (such as Gmail and Cloud Console).”
Google’s approach to quantum-safe Cloud KMS
Google detailed steps the company is taking to make Google Cloud KMS quantum-safe, which include:
- Offering software and hardware support for standardized quantum-safe algorithms.
- Supporting migration paths for existing keys, protocols, and customer workloads to adopt PQC.
- Quantum-proofing Google’s underlying core infrastructure.
- Analyzing the security and performance of PQC algorithms and implementations.
- Contributing technical comments to PQC advocacy efforts in standards bodies and government organizations.
Pledging open-source availability
Google’s Cloud KMS PQC roadmap supports the NIST post-quantum cryptography standards (FIPS 203, FIPS 204, FIPS 205, and future standards), which can help customers perform quantum-safe key import and key exchange, encryption and decryption operations, and digital signature creation, according to the company.
The software implementations of these standards will be available to Cloud KMS clients as open-source software and maintained as part of the Google-authored, open-source cryptographic libraries BoringCrypto and Tink, Fernick and Foster wrote.
Quantum-safe digital signatures are now available in Cloud KMS, so customers can use Google’s existing API to cryptographically sign data and validate signatures using NIST-standardized quantum-safe cryptography with key pairs stored in Cloud KMS.
“This unblocks the essential work of testing and integrating these signing schemes into existing workflows ahead of wider adoption,’’ Fernick and Foster explained. “It also can help ensure that newly-generated digital signatures are resistant to attacks by future adversaries who may have access to cryptographically-relevant quantum computers.”
