Full Report
Google Cloud has announced quantum-safe digital signatures in Google Cloud Key Management Service (Cloud KMS) for software-based keys as a way to bulletproof encryption systems against the threat posed by cryptographically-relevant quantum computers. The feature, currently in preview, coexists with the National Institute of Standards and Technology's (NIST) post-quantum cryptography (PQC)
Analysis Summary
# Tool/Technique: Google Cloud KMS Quantum-Safe Digital Signatures (ML-KEM, ML-DSA, SLH-DSA)
## Overview
Google Cloud has introduced quantum-safe digital signatures within its Cloud Key Management Service (Cloud KMS) for software-based keys. This feature is designed to protect encryption systems against future decryption capabilities enabled by cryptographically-relevant quantum computers, primarily by mitigating the "Harvest Now, Decrypt Later" (HNDL) threat vector.
## Technical Details
- Type: Technique/Framework Component (Security Feature Integration)
- Platform: Google Cloud Platform (Cloud KMS, potentially Cloud HSM)
- Capabilities: Support for Post-Quantum Cryptography (PQC) standards for key import, key exchange, encryption/decryption, and digital signature creation. Initial support covers the NIST PQC standards FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA).
- First Seen: Announced/In Preview February 2025 (based on article date).
## MITRE ATT&CK Mapping
Since this is a defensive security feature against future threats, direct offensive mappings are not immediately applicable based on the information provided. However, its purpose relates to securing systems that might otherwise be targeted by techniques involving decryption or integrity compromise:
- **DEFENSE/PREVENTION:** Related conceptually to **Defense Evasion** and **Impact** if these systems (like firmware signing roots-of-trust) were compromised using classical or future cryptographic attacks.
- *Note: No specific offensive T-code is mapped as this is a proactive defense mechanism.*
## Functionality
### Core Capabilities
- Implementation of NIST Post-Quantum Cryptography (PQC) standards in software within Cloud KMS.
- Current preview availability for quantum-safe digital signature creation using:
  - ML-DSA-65 (FIPS 204 / CRYSTALS-Dilithium)
  - SLH-DSA-SHA2-128S (FIPS 205 / SPHINCS+)
### Advanced Features
- The underlying software implementations of the algorithms (FIPS 203/ML-KEM, FIPS 204/ML-DSA, FIPS 205/SLH-DSA) are published as open-source software.
- Roadmap includes support for PQC standards across hardware (Cloud HSM) and integration with External Key Manager (EKM) partners.
- Future API support planned for hybridization schemes.
- Mitigation against the **Harvest Now, Decrypt Later (HNDL)** strategy.
## Indicators of Compromise
*Note: As this is a defensive feature introduction, no offensive IOCs are provided in the context.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
N/A. This feature specifically targets future threats posed by quantum computing against long-lived data and firmware signing processes.
## Detection Methods
N/A. Detection methods normally describe how to spot exploitation of a weakness, which does not apply to a defensive feature introduction. In practice, the detection focus here would be on monitoring Cloud KMS configuration changes, watching for key usage anomalies, and verifying timely migration to PQC primitives.
## Mitigation Strategies
- **Adoption:** Customers should utilize the preview features in Cloud KMS to begin securing long-lived roots-of-trust and firmware signing keys using ML-DSA and SLH-DSA schemes.
- **Migration Planning:** Plan the integration of PQC standards (FIPS 203, 204, 205) into systems, especially those managing critical infrastructure firmware.
- **Hybridization:** Prepare for the eventual rollout of hybridization schemes as cryptographic consensus evolves.
## Related Tools/Techniques
- **NIST PQC Standards:** FIPS 203 (ML-KEM), FIPS 204 (CRYSTALS-Dilithium/ML-DSA), FIPS 205 (SPHINCS+/SLH-DSA).
- **Quantum Security Concepts:** Harvest Now, Decrypt Later (HNDL).
- **Related Google Tools:** Cloud HSM, Google Cloud External Key Manager (EKM).