On Thursday, Google rolled out its quantum-safe digital signatures for software-based keys in the Google Cloud Key Management Service (Cloud KMS). This feature is currently available in preview mode. The company also shared insights into its larger strategy for incorporating post-quantum security across Google Cloud encryption products, including both Cloud KMS and the Cloud Hardware Security Module (Cloud HSM).
The Shift to Quantum-Safe Security: Protecting Data with PQC
The rise of quantum computing raises serious concerns about the security of public-key cryptography. Many widely-used systems face serious vulnerabilities as quantum technology progresses. These advanced quantum computers could potentially crack the algorithms that protect our data. However, post-quantum cryptography (PQC) offers a way to build defenses using current hardware and software. The National Institute of Standards and Technology (NIST) introduced new PQC standards in August 2024, allowing tech companies globally to start migrating to these new security measures.
Jennifer Fernick, a senior staff security engineer, and Andrew Foster, engineering manager of Cloud KMS, highlighted Google’s commitment to facing quantum risks in a blog post. They mentioned that Google began testing PQC in Chrome back in 2016 and has been actively using it to secure internal communications since 2022. Google has also applied various protective measures across its services, including data centers and interactions between Chrome and other Google applications like Gmail and Cloud Console.
In terms of making Cloud KMS quantum-safe, Google outlined several key steps:
– They are providing both software and hardware support for standardized quantum-safe algorithms.
– They’re creating pathways for existing keys and protocols to transition smoothly to PQC.
– The core infrastructure of Google is being fortified against quantum threats.
– They’re evaluating the security and efficiency of PQC algorithms.
– They’re actively participating in PQC discussions within standards bodies and government organizations.
Google aims to make its roadmap for Cloud KMS PQC compatible with NIST’s post-quantum standards. This effort will empower customers to perform secure key imports, exchanges, and digital signature operations. The software that implements these standards will be open-source, integrated into Google’s cryptographic libraries, BoringCrypto and Tink.
With quantum-safe digital signatures now accessible in Cloud KMS, customers can leverage Google’s existing API to cryptographically sign data and verify those signatures using NIST-approved quantum-safe methods, drawing on key pairs stored in Cloud KMS. This development facilitates the integration of these signing schemes into existing systems, preparing for a future where data protection needs to guard against powerful quantum adversaries.
The move toward Post-Quantum Cryptography (PQC) is not just a technical upgrade; it is a fundamental shift in how we define digital trust. As quantum processors become more powerful, the mathematical foundations of current encryption—specifically those relying on the difficulty of factoring large numbers—are becoming increasingly fragile. By integrating these new standards into Cloud KMS, Google is effectively building a “quantum shield” for the modern enterprise, ensuring that long-term data remains protected even if a cryptographically relevant quantum computer (CRQC) emerges sooner than expected.
Why This Matters Now
While full-scale quantum computers are still in development, the threat of “Harvest Now, Decrypt Later” is very real. Malicious actors may capture encrypted sensitive data today, intending to decrypt it once quantum technology matures. Implementing quantum-safe signatures ensures that the integrity of software updates, financial transactions, and legal documents remains unassailable for decades to come.
The Role of Open Source
By pushing these algorithms into BoringCrypto and Tink, Google is democratizing high-level security. Developers no longer need to be cryptography experts to implement NIST-standard protection. This transparency allows for:
- Peer Review: Continuous auditing of the code to find and fix vulnerabilities.
- Interoperability: Ensuring that different cloud environments can communicate securely using the same “language” of defense.
- Speed: Faster adoption across the global tech ecosystem, reducing the “window of risk” during the transition period.
As we move toward 2027 and beyond, the focus will likely shift from preview modes to mandatory standards for government and high-security industries.
To order our software development and system administration services, please visit our contact page