Google's post-quantum cryptography strategy operates across three distinct layers: the Chrome browser (the world's most-used TLS client), Google Cloud infrastructure, and the open-source Tink cryptographic library. Together, these layers give Google an outsized influence on the overall pace of PQC adoption across the internet — and give enterprises building on Google Cloud a well-documented, developer-friendly path to quantum-resistant systems.

At the browser layer, Chrome 124 shipped with hybrid X25519 + ML-KEM-768 as the default key exchange mechanism for TLS 1.3 connections. This made Chrome the first major browser to ship PQC by default, and because Chrome accounts for roughly 65 percent of global browser market share, Google's decision effectively made hybrid ML-KEM the predominant key exchange for a majority of HTTPS traffic worldwide. Any server negotiating TLS with Chrome users — including every enterprise application accessed through a browser — is already running PQC on the client-to-server leg when the server supports it.

At the cloud infrastructure layer, Google Cloud KMS supports PQC key types for asymmetric signing and key wrapping operations. Google's production infrastructure uses X-Wing, a formally specified hybrid KEM that combines X25519 with ML-KEM-768 under a single, auditable construction. X-Wing has an IETF draft specification (draft-connolly-cfrg-xwing-kem) and has been formally analyzed for security, which gives it stronger provable security properties than informal hybrid concatenations.

For developers, Tink is Google's highest-value contribution to the PQC ecosystem. This open-source multi-language cryptographic library (Java, C++, Python, Go, JavaScript) provides high-level, hard-to-misuse PQC APIs that abstract away algorithm parameter selection and implementation complexity. Tink's design philosophy — making it harder to do cryptography wrong than right — makes it the most accessible path to PQC for application development teams who are not cryptographic experts. The library is widely used outside Google: Tink processes hundreds of billions of operations per day across Google's production systems.