Source: securityboulevard.com – Author: Jeffrey Burt
Google Cloud is putting technology into its key management tool to protect its encryption systems from threats posed by quantum computing.
The major cloud provider said Monday that quantum-safe digital signatures – FIPS 204 and 205 – are in Google Cloud Key Management Service (Cloud KMS) for software-based keys, a capability that’s now available in preview. At the same time, the company is laying out some details of its post-quantum cryptography strategy for Google Cloud encryption products, which includes not just Cloud KMS but also its Hardware Security Modules.
The cybersecurity industry has for years been concerned with what will happen when quantum systems arrive that can easily break modern cryptography, exposing data and compromising systems. A key concern is what is referred to as “harvest now, decrypt later,” where threat groups steal data with the expectation of being able to decrypt it later with quantum computing technology.
Efforts to develop quantum-resistant cryptography – or post-quantum cryptography – have been in the works, and the U.S. National Institute of Standards and Technology (NIST) in August 2024 approved final versions of its standards.
Development is Accelerating
Google’s announcement comes in the wake of several key advancements in quantum computing research, including Google scientists’ announcement last month of their latest quantum chip, Willow, which includes technology that solves a key challenge to error correction, which is necessary for building a scalable, usable quantum system.
That was followed this month by Microsoft’s introduction of Majorana, its quantum chip, which company scientists said could accelerate the arrival of reliable, fault-tolerant quantum systems to years rather than decades.
Jennifer Fernick, senior staff security engineer for product security engineering at Google Cloud, and Andrew Foster, engineering manager of Cloud KMS, leaned into such developments when writing about the company’s post-quantum strategy.
“The continued advancement of experimental quantum computing has raised concerns about the security of many of the world’s widely-used public-key cryptography systems,” Fernick and Foster wrote. “Crucially, there exists the potential for sufficiently large, cryptographically-relevant quantum computers to break these algorithms. This potential highlights the need for developers to build and implement quantum-resistant cryptography now.”
Mitigating Future Risks Now
Post-quantum cryptography can mitigate such risks using existing hardware and software, they added. The industry seems to be responding, with market intelligence and research firm The Quantum Insider predicting the quantum security space – which includes post-quantum cryptography as well as quantum key distribution, quantum internet, and quantum random number generators – will grow from about $700 million last year to about $10 billion by 2030.
Google, like other IT giants, has been looking at ways to address the security risks that will come with quantum computing. The company began testing post-quantum cryptography in Chrome in 2016 and has been using it with internal communications for about three years. There also have been other steps to protect Chrome and servers in Google’s data centers, Fernick and Foster wrote.
Bulking Up Protections in Cloud KMS
In Cloud KMS, that has included offering hardware and software support for quantum-safe algorithms, supporting paths for existing keys, protocols, and customer workloads to adopt post-quantum cryptography, and contributing to work by standards bodies and government organizations.
The roadmap for post-quantum cryptography calls for supporting NIST standards – FIPS 203, 204, 205, and whatever comes in the future – in both software (Cloud KMS) and hardware (Cloud HSM).
“This can help customers perform quantum-safe key import and key exchange, encryption and decryption operations, and digital signature creation,” they wrote. “Our underlying software implementations of these standards for Cloud KMS clients will be available as open-source software.”
They’ll also be included as part of the BoringCrypto and Tink open source cryptographic libraries. For hardware and third-party vendors, Google is working with HSM vendors and Google Cloud External Key Manager partners on quantum-safe cryptography for organizations.
Embracing NIST Standards
The quantum-safe digital signatures in Cloud KMS enable organizations to use Google’s API to cryptographically sign data and validate signatures using NIST standards with key pairs stored in Cloud KMS. This lets them test the signing capabilities and integrate them into workflows now.
“It also can help ensure that newly-generated digital signatures are resistant to attacks by future adversaries who may have access to cryptographically-relevant quantum computers,” they wrote. “Migrating to quantum-safe Digital Signature Algorithms (DSA) today is essential for protection against future forgery and tampering, and is critical to enabling secure software updates in a world with cryptographically-relevant quantum computers.”
Original Post URL: https://securityboulevard.com/2025/02/google-cloud-takes-steps-to-guard-against-quantum-security-risks/