Google Cloud has introduced quantum-safe digital signatures in its Cloud Key Management Service (Cloud KMS) to protect against potential threats from quantum computers. This feature is currently available for software-based keys.
This new feature is in line with the National Institute of Standards and Technology’s (NIST) post-quantum cryptography (PQC) standards, which were finalized in August 2024. The Cloud KMS PQC roadmap includes support for NIST post-quantum cryptography standards.
According to Google Cloud, its PQC roadmap includes support for the NIST post-quantum cryptography standards in both software and hardware. This will enable customers to perform quantum-safe key import and exchange, encryption, and digital signature creation.
The company has also announced that it will make its software implementations of the NIST post-quantum cryptography standards available as open-source software. Additionally, Google Cloud is working with Hardware Security Module (HSM) vendors and Google Cloud External Key Manager (EKM) partners to enable quantum-safe cryptography across its platform.
The main goal of adopting PQC early on is to protect against the Harvest Now, Decrypt Later (HNDL) threat. This involves threat actors collecting encrypted sensitive data now, with the intention of decrypting it later when a powerful enough quantum computer becomes available.
Google Cloud’s Jennifer Fernick and Andrew Foster have emphasized the importance of securing digital signatures against this threat vector, stating that “the sooner we’re able to secure these signatures, the more resilient the digital world’s foundation of trust becomes.”
Quantum-safe digital signatures in Cloud KMS are currently available in preview for both ML-DSA-65 (FIPS 204) and SLH-DSA-SHA2-128S (FIPS 205), with plans for future rollout of API support for hybridization schemes.
