Google Reveals Quantum-Resistant Digital Signatures in Cloud KMS, Recognizes “Post-Quantum Computing Risks with Importance”
Announced by Google on Thursday was the introduction of quantum-resistant digital signatures (FIPS 204/FIPS 205) in Google Cloud Key Management Service (Cloud KMS) for software-driven keys. This feature is currently in preview mode.
The well-known search engine also shared an overview of its strategy concerning post-quantum aspects for Google Cloud encryption products, such as Cloud KMS and the Cloud Hardware Security Module (Cloud HSM).
Growing apprehension over public-key cryptography systems
The company stated that this move is of significant importance as the safety of many widely used public-key cryptography systems worldwide has raised concerns with the continuous development of experimental quantum computing. The emergence of large-scale quantum computers with cryptographic relevance has the potential to breach these algorithms.
Nevertheless, post-quantum cryptography (PQC) can utilize existing software and hardware to alleviate these dangers. Recently released PQC standards by the National Institute of Standards and Technology (NIST) in August 2024 have enabled global technology vendors to commence PQC transitions.
“We at Google are gravely conscious of the risks associated with post-quantum computing,’’ stated Jennifer Fernick, a senior staff security engineer, and Andrew Foster, engineering manager of Cloud KMS, in a Google Cloud blog post. “We initiated PQC testing in Chrome back in 2016, we’ve been implementing PQC for securing internal communications since 2022, and we have executed additional protective measures against quantum computing in Google Chrome, Google’s data center servers, and in trials for connections between Chrome Desktop and Google products (like Gmail and Cloud Console).”
Google’s strategy for quantum-secure Cloud KMS
Google elaborated on the measures it is adopting to fortify Google Cloud KMS against quantum threats, such as:
- Providing software and hardware support for standardized quantum-secure algorithms.
- Facilitating pathways for migrating existing keys, protocols, and customer workflows to embrace PQC.
- Securing Google’s foundational core infrastructure against quantum attacks.
- Evaluating the security and efficiency of PQC algorithms and their implementations.
- Contributing technical insights to support PQC advocacy campaigns in standardization organizations and government entities.
Commitment to open-source accessibility
Google’s Cloud KMS PQC roadmap aligns with the NIST post-quantum cryptography standards (FIPS 203, FIPS 204, FIPS 205, and forthcoming standards), which can help clients conduct quantum-secure key import and exchange, encryption and decryption tasks, as well as creating digital signatures, as per the company’s statement.
The software adaptations of these standards will be provided to Cloud KMS customers as open-source software and will be managed within Google’s self-developed open-source cryptographic libraries BoringCrypto and Tink, as indicated by Fernick and Foster.
Quantum-secure digital signatures are now accessible via Cloud KMS, allowing customers to utilize Google’s existing API for cryptographically signing and validating data using NIST-approved quantum-safe cryptography while using key pairs stored in Cloud KMS.
“This release breaks barriers by enabling the crucial effort of inspecting and integrating these signing schemes into current workflows in advance of broad acceptance,’’ elaborated Fernick and Foster. “This can additionally help assure that newly generated digital signatures are impenetrable against potential attackers equipped with quantum computers of cryptographic relevance.”
About Author
