New Google Cloud tool fights future quantum attacks

Google Cloud has recently introduced new post-quantum encryption options to its Key Management Service (Cloud KMS). This update, which is currently in preview, includes support for post-quantum Key Encapsulation Mechanisms (KEMs), a type of cryptographic scheme designed to withstand attacks from cryptographically relevant quantum computers.

Cloud KMS is a managed service that enables users to generate, use, rotate, and manage encryption keys for data and applications hosted on Google Cloud. It is widely used by organizations that depend on identity and access management (IAM) systems to safeguard sensitive data and comply with regulatory requirements.

The new feature aims to combat a threat known as “Harvest Now, Decrypt Later,” where malicious actors collect encrypted data now with the intention of decrypting it in the future when quantum computers become more prevalent.

Brent Muir, a principal consultant at Google Cloud, highlighted the importance of early preparation, stating on LinkedIn, “It is essential to protect sensitive data that requires long-term confidentiality, even if the quantum threat appears distant.”

Moving from conventional encryption systems like RSA to post-quantum KEMs presents new technical challenges. Unlike traditional methods where the sender selects and encrypts a shared key, a KEM generates the secret key during the encapsulation process. This means that developers may need to redesign parts of their architecture rather than simply swapping out an existing encryption function.

To facilitate the transition, Google recommends utilizing Hybrid Public Key Encryption (HPKE), a standardized approach that supports both classical and post-quantum algorithms. HPKE is already accessible through Google’s open-source Tink library.
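The following Python example is added for illustration and is not code from Google, Cloud KMS or Tink. It rebuilds an RSA-style "encrypt this chosen data key" step on top of a KEM, using the KEM-plus-KDF shape that HPKE follows. A toy classical Diffie-Hellman KEM stands in for ML-KEM and an XOR pad with HMAC stands in for an AEAD (both assumptions, chosen so the example runs on the standard library alone), and all function names and labels are hypothetical.

```python
import hashlib, hmac, secrets

# Toy classical Diffie-Hellman KEM standing in for ML-KEM (assumption: ML-KEM
# is not in the standard library). NOT quantum-safe, NOT production crypto;
# it only shares the KEM interface: encaps() creates the secret itself.
P = 2**255 - 19  # prime modulus picked for brevity (constructed parameter)
G = 2

def kem_keygen():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def kem_encaps(pk):
    """Sender: returns (ciphertext, shared_secret); no key is passed in."""
    eph = secrets.randbelow(P - 3) + 2
    ss = hashlib.sha256(pow(pk, eph, P).to_bytes(32, "big")).digest()
    return pow(G, eph, P), ss

def kem_decaps(sk, ct):
    """Recipient: recomputes the same shared_secret from the ciphertext."""
    return hashlib.sha256(pow(ct, sk, P).to_bytes(32, "big")).digest()

def derive(ss, label):
    # HMAC as a PRF, so the pad and the MAC key are independent.
    return hmac.new(ss, label, hashlib.sha256).digest()

def wrap_dek(pk, dek):
    """'Encrypt this chosen 32-byte key' rebuilt on a KEM."""
    if len(dek) != 32:
        raise ValueError("dek must be 32 bytes")
    ct, ss = kem_encaps(pk)
    pad = derive(ss, b"wrap-pad")  # used once: ss is fresh per call
    body = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(derive(ss, b"wrap-mac"), body, hashlib.sha256).digest()
    return ct, body, tag  # KEM ciphertext travels with the wrapped key

def unwrap_dek(sk, ct, body, tag):
    ss = kem_decaps(sk, ct)
    want = hmac.new(derive(ss, b"wrap-mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(body, derive(ss, b"wrap-pad")))

if __name__ == "__main__":
    sk, pk = kem_keygen()
    dek = secrets.token_bytes(32)  # the key the caller actually wants to send
    assert unwrap_dek(sk, *wrap_dek(pk, dek)) == dek
```

The stored record grows from one RSA ciphertext to a KEM ciphertext plus the wrapped key and tag, which is where the size and schema changes mentioned in the article show up.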

One of the challenges posed by post-quantum encryption is size. Post-quantum keys and ciphertexts are significantly larger than their classical counterparts. For example, the ML-KEM-768 key is approximately 18 times the size of a P-256 key. This difference could impact the performance of systems with strict bandwidth, memory, or storage constraints.

Cloud KMS now supports several new options, including ML-KEM-768, ML-KEM-1024, and X-Wing (Hybrid KEM), which combines the X25519 algorithm with ML-KEM-768 for general-purpose applications.

Google Cloud plans to integrate post-quantum algorithms into its infrastructure by 2026. The company’s cryptographic libraries, BoringCrypto and Tink, already incorporate these new implementations, with expanded HPKE support expected to roll out for Java, C++, Go, and Python later this year.

Despite the growing awareness of quantum threats, many organizations remain unprepared. According to a blog post by Toyosi Kuteyi, only 9% of organizations have a post-quantum roadmap, with the majority still evaluating options. Google suggests that integrating new quantum-safe KEMs into existing security workflows can be easily accomplished via the Cloud KMS API.
