Google Cloud KMS Introduces Quantum-Safe Digital Signatures Aligned with NIST’s PQC Standards

The Quantum Threat to Modern Cryptography

Quantum computing poses rapidly escalating challenges to many of the public-key cryptographic algorithms currently in use: RSA, ECC, and DSA.

These classical public-key algorithms secure financial transactions, software updates, identity verification, and data encryption.

However, a sufficiently powerful quantum computer could render this encryption ineffective, and twentieth-century ways of protecting data and digital security would be affected.

This threat is not just hypothetical; the Harvest Now, Decrypt Later (HNDL) threat model indicates that adversaries are already storing encrypted data in the hope of decrypting it once quantum technologies have matured.

That puts pressure on moving toward post-quantum cryptography to ensure the data remains protected in the long run.

To make this transition possible, Google Cloud is bringing quantum-safe digital signatures to Cloud KMS, along with guidance for organizations on how to start their post-quantum transition.

Google Cloud KMS: Quantum-Resistant Digital Signatures Now in Preview

Google Cloud has rolled out quantum-safe digital signatures in Cloud Key Management Service (Cloud KMS), enabling enterprises to deploy NIST-standardized post-quantum cryptographic (PQC) algorithms in their security workflows and keep sensitive digital transactions protected against future quantum attacks.

Supported Quantum-Safe Digital Signature Algorithms

Google Cloud KMS now supports these NIST-approved PQC algorithms:

1. ML-DSA-65

  • A lattice-based digital signature algorithm based on the Module Learning With Errors (MLWE) problem.
  • Designed to guarantee strong security assurances even when faced with a quantum adversary.

2. SLH-DSA-SHA2-128S

  • A stateless hash-based digital signature scheme derived from SPHINCS+ that provides quantum resistance against brute-force attacks.
  • Helpful in securing code-signing workflows and long-lived authentication systems.

Organizations can use these algorithms to validate digital signatures and authenticate software updates, and the signatures will remain resilient against quantum attacks in the future.

Why Is Google Adopting Post-Quantum Cryptography Now?

Google’s Long-Term PQC Strategy

Google has been a prime force in post-quantum cryptography. Milestones include the following:

  • 2016: Began PQC experiments in Google Chrome, working on mixed key exchange mechanisms.
  • 2022: Added PQC protections for internal communications between Google’s data centers.
  • 2024: The final release of the NIST PQC standards, permitting enterprise adoption.

Google is also working with HSM vendors and EKM partners for a smooth transition to quantum-resistant encryption techniques.

“Harvest Now, Decrypt Later” (HNDL) Threat

The HNDL attack model makes it urgent for enterprises to start migrating to quantum-safe cryptography today. The risks to be aware of include:

  • Software Integrity Attacks: Digital signatures ensure that software updates come from trusted sources. Quantum adversaries can forge these signatures to install malware or take over the system.
  • Fraud and Authentication Attacks: Long-term digital certificates and authentication keys used in public key infrastructure (PKI) could potentially be cracked.
  • Data Leakage from Encrypted Communications: Attackers can intercept and store encrypted communications now in order to decrypt them in the future, assuming quantum decryption capability exists.

Proactively adopting quantum-safe digital signatures removes the possibility that well-resourced attackers can retroactively undo security assurances established today.

Google’s Approach to Post-Quantum Security

Integration with Existing Workflows

Quantum-safe digital signature capability in Cloud KMS is intended for smooth integration with existing security workflows, which means:

  • Organizations may use the Cloud KMS APIs almost entirely without modifications.
  • Existing classical keys may co-exist with quantum-safe keys, allowing gradual and smooth migration.
  • The security teams can test these signatures in CI/CD pipelines for code and software integrity and authenticity.

Open-source Cryptographic Implementation

For transparency and security, Google has open-sourced its PQC implementations within:

  • BoringCrypto – Google’s cryptographic module, used for FIPS compliance.
  • Tink – A developer-friendly cryptographic library that enables easy integration of PQC.

With these open-source implementations, Google allows third-party audits and uptake by the industry to strengthen the overall security ecosystem.

No Hybrid Digital Signatures Yet

Although hybrid cryptographic approaches, which combine classical and quantum-resistant algorithms, are a rising trend in the industry, Google is deferring API support for hybrid digital signatures until later. The reasons are:

  • No consensus in the community has been reached yet on the best practices for hybrid signature schemes.
  • Google wants to hold off on incorporating hybrid PQC into Cloud KMS until standards are well-defined and widely accepted.

However, Google indicated that future hybrid implementations may be considered once the cryptographic community establishes explicit norms and best practices.

How Can Enterprises Prepare for Post-Quantum Security?

To minimize the risk from quantum threats, organizations should take the following steps to test and integrate PQC solutions:

Evaluate Your Organization’s Exposure to Cryptography

  • Find out where your systems rely on public key cryptography (RSA, ECC, DSA, and so on).
  • Assess long-lived digital certificates and see whether they are vulnerable to quantum attacks.
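
A first pass at this inventory step, added here as an illustration (not code from Google or from this article): it reads the key algorithm and expiry from certificate dumps in the layout of openssl x509 -noout -text and ranks classical-key certificates by how long they stay valid. The sample certificates, the HORIZON cutoff and the PQC_PREFIXES names are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed excerpts in the layout of `openssl x509 -noout -text`;
# the hostnames, dates and algorithm mix are invented for this example.
SAMPLE_CERTS = {
    "build-signing.example.internal":
        "Not After : Mar 14 12:00:00 2041 GMT\nPublic Key Algorithm: rsaEncryption\n",
    "legacy-vpn.example.internal":
        "Not After : Sep  2 08:30:00 2033 GMT\nPublic Key Algorithm: dsaEncryption\n",
    "api.example.internal":
        "Not After : Jun  1 00:00:00 2026 GMT\nPublic Key Algorithm: id-ecPublicKey\n",
    "firmware-root.example.internal":
        "Not After : Jan 20 00:00:00 2045 GMT\nPublic Key Algorithm: ML-DSA-65\n",
}

# OpenSSL's names for the classical families the article lists (RSA, ECC, DSA).
QUANTUM_VULNERABLE = {"rsaEncryption": "RSA", "id-ecPublicKey": "ECC",
                      "ED25519": "ECC", "ED448": "ECC", "dsaEncryption": "DSA"}
# Assumption: post-quantum keys appear under these name prefixes.
PQC_PREFIXES = ("ML-DSA", "SLH-DSA")
# Assumption: a planning cutoff chosen by the organisation, not a date from the article.
HORIZON = datetime(2030, 1, 1, tzinfo=timezone.utc)


def parse_cert(text):
    """Return (public-key algorithm, expiry) from one certificate text dump."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    end = re.search(r"Not After\s*:\s*(.+?)\s*GMT", text)
    if not alg or not end:
        raise ValueError("missing key algorithm or Not After field")
    expiry = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
    return alg.group(1), expiry.replace(tzinfo=timezone.utc)


def assess(certs, horizon=HORIZON):
    """List non-PQC certificates, longest-lived first, with a migration priority."""
    findings = []
    for name, text in certs.items():
        alg, expiry = parse_cert(text)
        if alg.startswith(PQC_PREFIXES):
            continue  # already on a post-quantum signature key
        family = QUANTUM_VULNERABLE.get(alg, "unknown")
        if family == "unknown":
            priority = "review"  # unrecognised algorithm: do not assume it is safe
        else:
            priority = "migrate-first" if expiry > horizon else "rotate-on-renewal"
        findings.append((name, family, expiry.date().isoformat(), priority))
    return sorted(findings, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for row in assess(SAMPLE_CERTS):
        print(*row, sep="\t")
```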

Start Testing Quantum-Safe Digital Signatures

  • Try out the new PQC digital signatures in Cloud KMS test environments.
  • Include ML-DSA-65 (FIPS 204) and SLH-DSA-SHA2-128S (FIPS 205) in your code signing and authentication workflow.

Embed PQC in Security Workflows

  • Migrate all forms of long-term signing to quantum-resistant alternatives.
  • Establish a rollout plan for hybrid cryptographic deployments to balance security with compatibility.

Draw upon Open-source Tools and the Google Cloud Security Ecosystem

  • Put Google’s BoringCrypto and Tink libraries to use as secure implementations.
  • Follow Google Cloud’s PQC roadmap so that changes in best practices are taken into account.

Secure your Software with Quantum-resistant Cryptography

As quantum computing advances, organizations increasingly need to adapt their information security strategies for the future.

One of the best practices to improve software integrity is to obtain a Sectigo Code Signing Certificate and use Google Cloud KMS for secure encryption and private key storage. Get started now to protect your business against forthcoming quantum threats.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
