Google Introduces Quantum-Safe Digital Signatures in Cloud KMS

Google Cloud has unveiled a critical cybersecurity upgrade: quantum-safe digital signatures via its Key Management Service (Cloud KMS), now available in preview.

This move aligns with the National Institute of Standards and Technology’s (NIST) 2024 post-quantum cryptography (PQC) standards, offering developers tools to safeguard encryption against future quantum threats.

Quantum-Resistant Signatures Enter the Mainstream

Google’s latest update integrates two NIST-standardized algorithms into Cloud KMS: ML-DSA-65 (a lattice-based signature scheme under FIPS 204) and SLH-DSA-SHA2-128S (a stateless hash-based method per FIPS 205).

These algorithms enable cryptographic signing and validation processes that are resistant to attacks from cryptographically relevant quantum computers.

By embedding these protocols into Cloud KMS, Google allows enterprises to future-proof authentication workflows—particularly vital for systems requiring long-term security, such as critical infrastructure firmware or software update chains.

The implementation leverages Cloud KMS’s existing API, minimizing disruption for developers. Organizations can now generate and manage quantum-safe keys alongside classical ones, facilitating phased migration.

Notably, Google has open-sourced its software implementations through BoringCrypto and Tink, enabling third-party audits and fostering trust in its cryptographic backbone.

Google’s Post-Quantum Strategy Takes Shape

This release marks a milestone in Google’s broader PQC roadmap, which spans software (Cloud KMS) and hardware (Cloud HSM).

The company prioritizes hybrid approaches, combining classical and quantum-resistant algorithms to mitigate transitional risks.

However, hybridization standards for digital signatures remain under debate, prompting Google to defer API support until industry consensus emerges.

Since pioneering PQC experiments in Chrome in 2016, Google has fortified internal communications with quantum-safe protocols since 2022.

Its Cloud division now aims to quantum-proof core infrastructure while aiding customer migrations. This includes collaboration with HSM vendors and External Key Manager partners to ensure cohesive ecosystem support.

The update addresses the Harvest Now, Decrypt Later (HNDL) threat, where adversaries collect encrypted data today to decrypt it later using quantum machines.

While such systems remain theoretical, their potential to compromise digital signatures—and thus software integrity—demands proactive defense.

Signatures securing high-value assets, like root certificates or industrial control systems, face decades-long exposure windows, making immediate action essential.

“Migrating to quantum-safe signatures isn’t just about tomorrow’s threats—it’s about ensuring today’s systems remain trustworthy in a quantum future,” noted a Google Cloud spokesperson.

Organizations reliant on long-lived signatures are urged to begin testing. Cloud KMS’s preview enables integration into CI/CD pipelines and code-signing frameworks.

Google plans to expand Cloud KMS’s PQC support to include FIPS 203 (key encapsulation) and hybrid key exchanges, reinforcing end-to-end encryption.

Performance optimization remains a focus, as lattice-based algorithms incur higher computational overhead than classical equivalents.

Early benchmarks suggest ML-DSA-65 signatures are 2–3x larger than ECDSA equivalents, necessitating infrastructure adjustments for large-scale deployments.

Industry collaboration will drive standardization. Google continues contributing to NIST working groups and open-source projects, advocating for interoperable PQC solutions.

As quantum computing timelines solidify, such efforts aim to prevent fragmented adoption and ensure a unified defense against quantum-enabled threats.

With this release, Google positions Cloud KMS as a bridge to the post-quantum era, balancing innovation with practical, incremental migration paths.

Enterprises are now tasked with evaluating their exposure and initiating pilots—because delay is the adversary’s ally in quantum security.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here