Google Cloud has introduced new post-quantum encryption options to its Key Management Service (Cloud KMS). This latest update, currently available in preview mode, includes support for post-quantum Key Encapsulation Mechanisms (KEMs) that are specifically built to withstand attacks from quantum computers.
Cloud KMS is a managed service for creating, using, rotating and managing encryption keys for data and applications hosted on Google Cloud. Every key operation is authorized through Cloud Identity and Access Management (IAM), which is one reason organizations adopt it to safeguard sensitive data and meet compliance requirements.
The new feature targets the threat known as “Harvest Now, Decrypt Later”: an adversary records encrypted traffic or stored ciphertext today and waits until a cryptographically relevant quantum computer can break the RSA or elliptic-curve key exchange that protected it. Any data whose confidentiality must outlast that horizon is already at risk, even though no such machine exists yet.
Brent Muir, a principal consultant at Google Cloud, stresses the importance of early preparation. Writing on LinkedIn, he said: “It is crucial to protect sensitive data requiring long-term confidentiality, even if the quantum threat seems distant.”
Moving from conventional public-key encryption such as RSA to a post-quantum KEM changes the programming interface, not just the algorithm. With RSA the sender chooses a symmetric key and encrypts it to the recipient’s public key. A KEM offers no such “encrypt this key” operation: encapsulation takes only the recipient’s public key and returns a freshly derived shared secret together with the ciphertext that carries it, so the caller cannot pick the secret. Code built around the RSA pattern therefore has to be restructured; an existing encryption function cannot simply be swapped for a new one.
To ease the transition, Google recommends Hybrid Public Key Encryption (HPKE, RFC 9180), which puts a KEM, a key-derivation step and an AEAD behind one interface with the KEM as a pluggable component. An application written against HPKE can use a classical Diffie-Hellman KEM today and an ML-KEM-based or hybrid KEM later without changing its architecture. HPKE is already available in Google’s open-source Tink library.
Another difference is size: post-quantum keys and ciphertexts are much larger than their classical counterparts. An ML-KEM-768 encapsulation key is 1,184 bytes and its ciphertext 1,088 bytes, against 65 bytes for an uncompressed P-256 public key, so the key alone is roughly 18 times larger. That overhead matters for systems with tight limits on bandwidth, memory or storage, and for wire formats that assume a public key fits in a small fixed-size field.
Cloud KMS now supports several new options, including ML-KEM-768 and ML-KEM-1024, two of the parameter sets of the US National Institute of Standards and Technology’s (NIST) Module-Lattice-based KEM standardized as FIPS 203, and X-Wing, a hybrid KEM that combines the classical X25519 key agreement with ML-KEM-768 and is intended for general-purpose use.
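The interface difference described above (a KEM hands back the key instead of encrypting one the sender chose), the key and ciphertext sizes, and the hybrid idea behind X-Wing, shown in Go as an added example that is not Google’s, Tink’s or Cloud KMS’s own code. It uses the Go 1.24 standard-library packages crypto/mlkem, crypto/ecdh and crypto/sha3 rather than the Cloud KMS API, and the hybrid combiner (its label and hash input order) is an assumption made for illustration, not the X-Wing specification’s construction.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha3"
	"fmt"
)

// must unwraps (value, error) pairs; the example panics on failure rather
// than threading errors through every step.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// KEMRoundTrip shows the interface shape the article describes: the sender
// never chooses the key. Encapsulate returns a fresh 32-byte shared key plus
// the ciphertext that carries it, and Decapsulate recovers the key from the
// ciphertext. The last result reports whether a ciphertext with one flipped
// byte still decapsulates to the sender's key. It does not, but ML-KEM hands
// back a different pseudorandom key rather than an error (implicit
// rejection), so corruption is only detected when the key is used with an
// AEAD that authenticates the payload.
func KEMRoundTrip() (senderKey, receiverKey []byte, ctLen int, tamperedMatches bool) {
	dk := must(mlkem.GenerateKey768())                                      // receiver's key pair
	ek := must(mlkem.NewEncapsulationKey768(dk.EncapsulationKey().Bytes())) // sender parses the published key
	senderKey, ct := ek.Encapsulate()                                       // no plaintext argument: the API picks the key
	receiverKey = must(dk.Decapsulate(ct))
	tampered := bytes.Clone(ct)
	tampered[0] ^= 0x01
	wrongKey := must(dk.Decapsulate(tampered))
	return senderKey, receiverKey, len(ct), bytes.Equal(wrongKey, senderKey)
}

// Sizes compares classical public keys with ML-KEM encapsulation keys and
// ciphertexts, all in bytes.
func Sizes() map[string]int {
	p256 := must(ecdh.P256().GenerateKey(rand.Reader))
	x := must(ecdh.X25519().GenerateKey(rand.Reader))
	return map[string]int{
		"P-256 public key (uncompressed)": len(p256.PublicKey().Bytes()),
		"X25519 public key":               len(x.PublicKey().Bytes()),
		"ML-KEM-768 encapsulation key":    mlkem.EncapsulationKeySize768,
		"ML-KEM-768 ciphertext":           mlkem.CiphertextSize768,
		"ML-KEM-1024 encapsulation key":   mlkem.EncapsulationKeySize1024,
		"ML-KEM-1024 ciphertext":          mlkem.CiphertextSize1024,
	}
}

// hybridCombine hashes both shared secrets together with the classical
// ciphertext and public key so the output is bound to the whole exchange.
// The label and input order are assumptions for this example; this is not
// X-Wing's combiner.
func hybridCombine(ssM, ssX, ctX, pkX []byte) []byte {
	h := sha3.New256()
	h.Write([]byte("example-hybrid-kem"))
	h.Write(ssM)
	h.Write(ssX)
	h.Write(ctX)
	h.Write(pkX)
	return h.Sum(nil)
}

// HybridSecret runs a hybrid exchange in the spirit of X-Wing: an X25519
// agreement and an ML-KEM-768 encapsulation, combined into one secret on
// each side. An attacker must break both components to learn the result.
func HybridSecret() (senderSS, receiverSS []byte) {
	xk := must(ecdh.X25519().GenerateKey(rand.Reader)) // receiver, classical
	dk := must(mlkem.GenerateKey768())                  // receiver, post-quantum
	pkX := xk.PublicKey().Bytes()

	// Sender: ephemeral X25519 key plus ML-KEM encapsulation.
	ex := must(ecdh.X25519().GenerateKey(rand.Reader))
	ctX := ex.PublicKey().Bytes()
	ssX := must(ex.ECDH(xk.PublicKey()))
	ssM, ctM := dk.EncapsulationKey().Encapsulate()
	senderSS = hybridCombine(ssM, ssX, ctX, pkX)

	// Receiver: recover both halves from ctX and ctM, then recombine.
	rX := must(xk.ECDH(must(ecdh.X25519().NewPublicKey(ctX))))
	rM := must(dk.Decapsulate(ctM))
	receiverSS = hybridCombine(rM, rX, ctX, pkX)
	return senderSS, receiverSS
}

func main() {
	s, r, n, bad := KEMRoundTrip()
	fmt.Printf("ML-KEM-768: keys match=%v, ciphertext=%d bytes, tampered ct matches=%v\n", bytes.Equal(s, r), n, bad)
	for k, v := range Sizes() {
		fmt.Printf("%-34s %5d bytes\n", k, v)
	}
	a, b := HybridSecret()
	fmt.Printf("hybrid secrets match=%v\n", bytes.Equal(a, b))
}
```

In the Cloud KMS setting the decapsulation key stays inside the service and the decapsulate step becomes an API call, while the sender-side steps above are unchanged. The tampering check is the caveat worth remembering: unlike RSA-OAEP, a corrupted ML-KEM ciphertext does not fail to decapsulate, so the AEAD layer (which HPKE supplies) is what actually detects it.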
Google Cloud is set to integrate post-quantum algorithms into its infrastructure by 2026. The company’s open-source cryptographic libraries – BoringCrypto and Tink – already incorporate the new implementations, with expanded HPKE support slated to arrive for Java, C++, Go, and Python later this year.
Despite awareness of the quantum threat, many organizations remain unprepared. Toyosi Kuteyi, a privacy and compliance specialist at Actalent, highlighted in a blog post that only 9% of organizations have a post-quantum roadmap, citing data from Bain & Co. Reports from PwC and Microsoft indicate that most organizations are still in the evaluation phase and assume they are not targets, which creates a false sense of security.
Google says the new quantum-safe KEMs are exposed through the existing Cloud KMS API, so they can be added to current security workflows without a separate integration path.
CloudTech News is powered by TechForge Media.