GCP – PQC in plaintext: How we’re helping customers prepare for a quantum-safe future

Google has been working on making computing quantum safe for almost a decade. We’ve been rolling out post-quantum cryptography in our infrastructure for internal and customer services, and now we’re at the level where you can get hands-on — and we’re here to help.

We’ve developed a threat model, invested in cryptographic libraries, BoringSSL, key rotation, and encrypted our internal traffic — as part of mitigating Store Now, Decrypt Later (SNDL) attacks (sometimes referred to as Harvest Now, Decrypt Later). We’re also actively participating in industry working-groups. 

We’re phasing our effort to migrate to a quantum-safe state across our public-facing services in a way that closely mirrors the internal work we’re doing. We’ve focused on three key areas: protecting data in transit, securing long-lived digital signatures, and transitioning our public key infrastructure. Today, we’re detailing the current status of each.

Protecting data in transit

A huge number of key exchanges take place each day to establish cloud connections. Without PQC protections, keys could be captured for use in SNDL attacks. To protect your data in transit, Google has deployed the new standards-based PQC method, ML-KEM (FIPS 203). We use it both as a standalone algorithm and in hybrid configurations that pair it with traditional key exchange methods.

• What we’ve done: We’ve migrated key exchanges for internal traffic to ML-KEM. All Google and select Google Cloud-native services are safeguarded by default using Google Cloud network encryption, using ML-KEM for cryptographic key exchange. Customer workloads running on Google Cloud benefit from this protection with no further action needed. We are currently working on migrating public APIs and services that need protections beyond those provided by the Google Cloud Networking stack.

  Additionally, Google Cloud KMS has now introduced ML-Key Encapsulation Mechanisms (including generation, encapsulation, and decapsulation) in preview, providing a foundational tool for quantum-resistant encryption. ML-KEM allows you to start your post-quantum cryptography experimentation by creating and testing next-generation keys. 

• Next steps for you: We’re enabling our public API endpoints and client libraries to support ML-KEM, providing quantum-safe protection from store-now, decrypt-later attacks when you access Google Cloud services. For your administrators, we are providing the tools to manage this transition. They will have the ability to opt-in to PQC protection, monitor its adoption, and enforce its use across your organization.

Securing long-lived digital signatures

Digital signatures that need to remain valid for decades are high-value targets for future quantum attacks. We are focused on transitioning to ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) to protect against forged signatures that could undermine essential properties like data integrity, authenticity, and non-repudiation.

• What we’ve done: We’ve built native support for generating and using ML-DSA and SLH-DSA in Cloud KMS, allowing you to implement new post-quantum roots of trust for uses including software, firmware, and document signing.

• Next steps for you: Identify and prioritize migration of your long-lived digital signatures. We will provide tools to help you audit your cryptographic assets and implement a transition plan using PQC capabilities in Cloud KMS.

Transitioning our Public Key Infrastructure 

Securing communications requires updating our PKI with quantum-safe signing algorithms. Our phased approach is enabling quantum-safe certificates in our cloud-based Certificate Authority Service (CAS).

• What we’ve done: With the added support for ML-DSA keys, we are laying the foundation to use those keys to sign the root or intermediate certificate authorities in your PKI systems of the future.. Standards for combined signatures using both classical and PQC signatures are still evolving. Google is active in the standards process and working to ensure customers have robust signing options that are both pure PQC and hybrids when needed. Because the cryptographic community has yet to reach a full consensus on the best practices for combined signature schemes, we are not yet offering a native API for them in Cloud KMS. As organizations agree to settle on standards, we will begin to offer standards-based solutions.

• Next steps for you: To help minimize your efforts, Google Cloud will continue to update guidance on how to best ensure your PKI can validate and trust both legacy and new PQC certificates. 

What’s next for PQC

Google is investing in post-quantum cryptography as a long-term program, and we have more milestones to achieve and approaches to discuss before we can be secure against quantum-driven attacks. For more information, please visit our post-quantum cryptography hub.