On Thursday, Google rolled out its quantum-safe digital signatures for software-based keys in the Google Cloud Key Management Service (Cloud KMS). This feature is currently available in preview mode. The company also shared insights into its larger strategy for incorporating post-quantum security across Google Cloud encryption products, including both Cloud KMS and the Cloud Hardware Security Module (Cloud HSM).
The rise of quantum computing raises serious concerns about the security of public-key cryptography. Many widely-used systems face serious vulnerabilities as quantum technology progresses. These advanced quantum computers could potentially crack the algorithms that protect our data. However, post-quantum cryptography (PQC) offers a way to build defenses using current hardware and software. The National Institute of Standards and Technology (NIST) introduced new PQC standards in August 2024, allowing tech companies globally to start migrating to these new security measures.
Jennifer Fernick, a senior staff security engineer, and Andrew Foster, engineering manager of Cloud KMS, highlighted Google’s commitment to facing quantum risks in a blog post. They mentioned that Google began testing PQC in Chrome back in 2016 and has been actively using it to secure internal communications since 2022. Google has also applied various protective measures across its services, including data centers and interactions between Chrome and other Google applications like Gmail and Cloud Console.
In terms of making Cloud KMS quantum-safe, Google outlined several key steps:
– They are providing both software and hardware support for standardized quantum-safe algorithms.
– They’re creating pathways for existing keys and protocols to transition smoothly to PQC.
– The core infrastructure of Google is being fortified against quantum threats.
– They’re evaluating the security and efficiency of PQC algorithms.
– They’re actively participating in PQC discussions within standards bodies and government organizations.
Google aims to make its roadmap for Cloud KMS PQC compatible with NIST’s post-quantum standards. This effort will empower customers to perform secure key imports, exchanges, and digital signature operations. The software that implements these standards will be open-source, integrated into Google’s cryptographic libraries, BoringCrypto and Tink.
With quantum-safe digital signatures now accessible in Cloud KMS, customers can leverage Google’s existing API to cryptographically sign data and verify those signatures using NIST-approved quantum-safe methods, drawing on key pairs stored in Cloud KMS. This development facilitates the integration of these signing schemes into existing systems, preparing for a future where data protection needs to guard against powerful quantum adversaries.
