Understanding Google Cloud KMS PQC Support

On Feb 21, 2025, Google announced Cloud KMS PQC support. This follows the IETF pre-RFC memo, which was intended to address not only future real-time quantum threats but also "harvest now, decrypt later" attacks enabled by quantum computing. Listen to the Google podcast.

Beyond the broader post-quantum security roadmap, Google outlined specifics such as PQC support in Cloud HSM, migration of cryptographic keys, and integration with the open-source cryptographic libraries BoringCrypto and Tink. Google continues to collaborate with NIST, EKM partners, and HSM vendors to provide end-to-end quantum-resistant encryption solutions.

Google-authored, open-source cryptographic libraries BoringCrypto and Tink enable full transparency and code auditability of the algorithmic implementations for the broader security community. Since 2016, Google has been testing PQC in Chrome, deploying quantum-resistant cryptography in its data centers, and experimenting with PQC in products such as Gmail and Cloud Console.

The release states:

While that future may be years away, those deploying long-lived roots-of-trust or signing firmware for devices managing critical infrastructure should consider mitigation options against this threat vector now. The sooner we’re able to secure these signatures, the more resilient the digital world’s foundation of trust becomes.

Currently, Cloud KMS supports ML-DSA-65 (FIPS 204) and SLH-DSA-SHA2-128S (FIPS 205). There is no API support for digital signature hybridization schemes at this time, due to a lack of industry consensus. Customers can, however, use the existing API to cryptographically sign data and validate signatures with key pairs stored in Cloud KMS using these PQC schemes. This allows testing and integrating these signing schemes into existing business processes ahead of wider adoption.

Some background on FIPS 204 and 205:


FIPS 205

SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) is a cryptographic method used to verify the authenticity and integrity of digital messages. It is designed as a post-quantum signature scheme, meaning it remains secure even against attacks from quantum computers. The standard is based on SPHINCS+, a signature scheme selected during NIST's Post-Quantum Cryptography (PQC) Standardization process.

Traditional digital signature schemes like RSA and ECC rely on mathematical problems (e.g., integer factorization, discrete logarithms) that can be efficiently solved by quantum computers. In contrast, SLH-DSA relies on hash functions, making it resistant to quantum attacks.

The SLH-DSA scheme is stateless, meaning the signer does not have to keep track of which one-time keys have already been used. This improves usability over stateful schemes like XMSS, which require secure state management because a lost or duplicated state (for example, a restored backup) can lead to a one-time key being reused.

Advantages

  1. Quantum Resistance – Unlike RSA and ECC, SLH-DSA is secure against attacks by quantum computers.
  2. Stateless Design – No need for maintaining state between signature generations, unlike schemes such as XMSS.
  3. High Security – Relies on well-established hash function properties (collision resistance, preimage resistance).
  4. Flexible Implementation – Can be implemented in software, firmware, or hardware.
  5. Non-Repudiation – Ensures the validity of a signature can be verified and not denied by the signer.

Limitations

  1. Large Signature Size – SLH-DSA signatures are significantly larger than those of RSA or ECC, which may impact efficiency in bandwidth-constrained applications.
  2. Slower Signing Process – The computational cost of generating a signature is higher than traditional digital signature algorithms.
  3. Verification Overhead – The verification process involves multiple hash computations, which may result in slower performance.
  4. Complex Implementation – Requires careful implementation to ensure security, especially against side-channel attacks.
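
To make the hash-based, one-time nature of these schemes concrete, here is a Lamport one-time signature in Python. This is an added illustration, not code from Google, Cloud KMS or FIPS 205, and it is not SLH-DSA itself (SLH-DSA combines many one-time and few-time hash-based signatures in a hypertree so that a single key can sign many messages); every function name and the sample message are constructed for the example. It shows why security rests only on the preimage resistance of the hash, why the signature is large (one 32-byte preimage per digest bit, 8192 bytes with SHA-256), and why a one-time key must track state (the signer refuses a second signature), which is exactly the burden SLH-DSA's stateless design removes.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
N = HASH().digest_size   # 32 bytes per secret value and per hash output
BITS = 8 * N             # one secret pair per bit of the message digest


def keygen():
    """Generate a Lamport one-time key pair.

    Secret key: for each of the 256 digest bits, two random 32-byte values.
    Public key: the hash of each of those values. Recovering a secret from its
    hash is a preimage problem, so only hash-function security is assumed."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(BITS)]
    pk = [(HASH(s0).digest(), HASH(s1).digest()) for s0, s1 in sk]
    return sk, pk


def _digest_bits(message):
    """Hash the message and return its digest as a list of 0/1 bits, MSB first."""
    d = HASH(message).digest()
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(BITS)]


class OneTimeSigner:
    """Holds one Lamport key pair plus the state needed to use it safely.

    Each signature reveals half of the secret key (one preimage per bit), so
    signing a second message would leak further preimages and allow forgeries.
    A stateful scheme must therefore record that the key is spent; SLH-DSA
    removes this burden by being stateless, while XMSS keeps it."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, message):
        if self.used:
            raise RuntimeError("one-time key already spent; refusing to sign again")
        self.used = True
        # For each digest bit, release the secret matching that bit value.
        return [self.sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def verify(pk, message, signature):
    """Hash each released secret and compare it with the published hash that
    the message digest selects at that position."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        if not hmac.compare_digest(HASH(signature[i]).digest(), pk[i][bit]):
            ok = False
    return ok


def signature_size_bytes(signature):
    """Total bytes in a signature: BITS preimages of N bytes each."""
    return sum(len(part) for part in signature)


def demo():
    """Sign a constructed sample message once, verify it, and reject a tampered copy."""
    signer = OneTimeSigner()
    message = b"firmware image v1.2.3 (constructed sample)"
    signature = signer.sign(message)
    return {
        "valid": verify(signer.pk, message, signature),
        "tampered_valid": verify(signer.pk, message + b"!", signature),
        "signature_bytes": signature_size_bytes(signature),               # 8192
        "public_key_bytes": sum(len(a) + len(b) for a, b in signer.pk),  # 16384
    }


if __name__ == "__main__":
    print(demo())
```

The two size figures returned by `demo()` illustrate the "large signature size" limitation at the level of the primitive: a bare Lamport signature is already 8 KB. For comparison, FIPS 205's SLH-DSA-SHA2-128s shrinks the public key to 32 bytes but still produces signatures of roughly 7.8 KB, while FIPS 204's ML-DSA-65 signatures are about 3.3 KB with a public key of about 1.9 KB.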


FIPS 204

Digital signatures are crucial for verifying the authenticity of electronic messages and ensuring data integrity. The Module-Lattice-Based Digital Signature Algorithm (ML-DSA) is a post-quantum cryptographic signature scheme, designed to remain secure even against quantum computing attacks. It is based on lattice-based cryptography, specifically the Module Learning With Errors (MLWE) problem, which is considered difficult to solve even with quantum computers.

ML-DSA was derived from CRYSTALS-Dilithium, one of the quantum-resistant schemes selected in NIST's Post-Quantum Cryptography (PQC) Standardization process. Its security rests on hard lattice problems rather than on the number-theoretic problems underlying RSA and ECC, which are vulnerable to quantum attacks.

Advantages

  1. Quantum Resistance – Unlike traditional signature schemes, ML-DSA is secure against quantum computing threats.
  2. Strong Security Properties – ML-DSA provides strong unforgeability, meaning even with access to multiple signed messages, an attacker cannot forge new valid signatures.
  3. Standardization and Flexibility – ML-DSA offers multiple parameter sets for different levels of security and efficiency, making it adaptable to various applications.
  4. Efficient Verification – Verification is faster than in other post-quantum signature schemes, making it practical for real-world use.
  5. Non-Repudiation – Ensures that a signed message can be proven to originate from a specific user, preventing later denial (repudiation).

Limitations

  1. Large Key and Signature Size – ML-DSA requires larger public keys and signatures than classical schemes like RSA and ECC, leading to higher storage and transmission costs.
  2. Computational Overhead – While verification is relatively efficient, signature generation is computationally intensive, making it slower than traditional methods.
  3. Complex Implementation – ML-DSA relies on advanced mathematical structures, requiring careful implementation to avoid vulnerabilities, especially to side-channel attacks.
  4. Randomness Requirements – Secure signature generation depends on high-quality random number generation, which can be challenging in constrained environments.


Roadmap and conclusion

Google has made a strategic move in cloud security by bringing utility-scale PQC within reach of mass adoption.

Following are key steps for PQC transition:

  • Implement a PQC strategy: Acquire quantum computing and PQC expertise within the organisation. These are expensive investments now, but a lack of strategy in 2025 is a recipe for business failure in 2026. There must be at least one annual board discussion on the impact of quantum computing.
  • Risk assessment: Include PQC in the standard information security and risk assessment. Testing systems for a post-quantum world requires increased budgets. Do not restrict the scope to communications (data in flight); the impact on data at rest is bigger.
  • Collaborate: Industry participation and regular collaboration will allow for rapid learning.


P.S.: I am happy to chat with anyone on PQC and Quantum Computing!
