Announcing quantum-safe digital signatures in Cloud KMS

Jennifer Fernick
Senior Staff Security Engineer, Product Security Engineering
Andrew Foster
Engineering Manager, Cloud KMS
The continued advancement of experimental quantum computing has raised concerns about the security of many of the world's widely-used public-key cryptography systems. Crucially, there exists the potential for sufficiently large, cryptographically-relevant quantum computers to break these algorithms. This potential highlights the need for developers to build and implement quantum-resistant cryptography now.
Fortunately, post-quantum cryptography (PQC) offers a way of mitigating these risks using existing hardware and software. The National Institute of Standards and Technology’s new PQC standards, made available in August 2024 following several years of community engagement, have begun enabling technology vendors around the world to take steps toward PQC migrations.
Today, we’re excited to announce quantum-safe digital signatures (FIPS 204/FIPS 205) in Google Cloud Key Management Service (Cloud KMS) for software-based keys, available in preview. We’re also sharing a high-level view into our post-quantum strategy for Google Cloud encryption products, including for Cloud KMS and our Hardware Security Modules (Cloud HSM).
At Google, we take post-quantum computing risks seriously. We began testing PQC in Chrome in 2016, we’ve been using PQC to protect internal communications since 2022, and we’ve taken additional quantum-computing protective measures in Google Chrome, Google’s data center servers, and in experiments for connections between Chrome Desktop and Google products (such as Gmail and Cloud Console).
Quantum-safe Cloud KMS
We are actively working to make Google Cloud KMS quantum-safe. Our comprehensive approach to quantum-safety includes:
- Offering software and hardware support for standardized quantum-safe algorithms;
- Supporting migration paths for existing keys, protocols, and customer workloads to adopt PQC;
- Quantum-proofing Google's underlying core infrastructure;
- Analyzing the security and performance of PQC algorithms and implementations;
- And contributing technical comments to PQC advocacy efforts in standards bodies and government organizations.
Our Cloud KMS PQC roadmap includes support for the NIST post-quantum cryptography standards (FIPS 203, FIPS 204, FIPS 205, and future standards), in both software (Cloud KMS) and hardware (Cloud HSM). This can help customers perform quantum-safe key import and key exchange, encryption and decryption operations, and digital signature creation.
Our underlying software implementations of these standards for Cloud KMS clients will be available as open-source software. They will also be maintained as part of the Google-authored, open-source cryptographic libraries BoringCrypto and Tink to enable full transparency and code-auditability of our algorithmic implementations to our customers and to the broader security community.
From a hardware and third-party vendor perspective, we are working closely with HSM vendors and Google Cloud External Key Manager (EKM) partners to strategize and enable successful quantum-safe cryptography for our customers.
Now preview quantum-safe digital signatures in Cloud KMS
Cloud KMS now offers quantum-safe digital signatures, so customers can use our existing API to cryptographically sign data and validate signatures using NIST-standardized quantum-safe cryptography with key pairs stored in Cloud KMS. This unblocks the essential work of testing and integrating these signing schemes into existing workflows ahead of wider adoption.
It can also help ensure that newly generated digital signatures are resistant to attacks by future adversaries who may have access to cryptographically-relevant quantum computers. Just as the Harvest Now, Decrypt Later (HNDL) threat model raises the urgency of future-proofing key exchange protocols, migrating to quantum-safe Digital Signature Algorithms (DSA) today is essential for protection against future forgery and tampering, and is critical to enabling secure software updates in a world with cryptographically-relevant quantum computers.
While that future may be years away, those deploying long-lived roots-of-trust or signing firmware for devices managing critical infrastructure should consider mitigation options against this threat vector now. The sooner we’re able to secure these signatures, the more resilient the digital world’s foundation of trust becomes.
In this release, we offer support for both ML-DSA-65 (as specified in FIPS 204, a lattice-based digital signature) and SLH-DSA-SHA2-128S (FIPS 205, a stateless hash-based digital signature), both of which recently became part of NIST's PQC standards.
Much in the world of PQC is still under development and in flux, including the hybridization of classical and post-quantum digital signatures. Since the cryptographic community has yet to come to a consensus and establish norms regarding digital signature hybridization, we have decided not to offer API support for hybridization schemes at this time. However, this could change as consensus on hybridization standards converges across the industry in the coming months.
Moving forward
We commit to staying on top of developments in post-quantum cryptography, including incorporating any future algorithm standards from NIST. We are prepared to adapt to any changes that may arise as the quantum cryptanalytic landscape evolves over time, particularly if future cryptanalysis demonstrates attacks which would materially affect the security of Google Cloud customers or their data.
As always, we welcome customer feedback and collaboration on your specific cryptographic needs.