
Why Signal's Post-Quantum Makeover Is An Amazing Engineering Achievement

Sunday October 19, 2025. 06:34 PM , from Slashdot
'Eleven days ago, the nonprofit entity that develops the protocol, Signal Messenger LLC, published a 5,900-word write-up describing its latest updates that bring Signal a significant step toward being fully quantum-resistant,' writes Ars Technica:

The mechanism that has made this constant key evolution possible over the past decade is what protocol developers call a 'double ratchet.' Just as a traditional ratchet allows a gear to rotate in one direction but not in the other, the Signal ratchets allow messaging parties to create new keys based on a combination of preceding and newly agreed-upon secrets. The ratchets work in a single direction, the sending and receiving of future messages. Even if an adversary compromises a newly created secret, messages encrypted using older secrets can't be decrypted... [Signal developers describe a 'ping-pong' behavior as parties take turns replacing ratchet key pairs one at a time.] Even though the ping-ponging keys are vulnerable to future quantum attacks, they are broadly believed to be secure against today's attacks from classical computers.

The Signal Protocol developers didn't want to remove them or the battle-tested code that produces them. That led to their decision to add quantum resistance by adding a third ratchet. This one uses a quantum-safe Key-Encapsulation Mechanism (KEM) to produce new secrets much like the Diffie-Hellman ratchet did before, ensuring quantum-safe, post-compromise security... The technical challenges were anything but easy. Elliptic curve keys generated in the X25519 implementation are about 32 bytes long, small enough to be added to each message without creating a burden on already constrained bandwidths or computing resources. A ML-KEM 768 key, by contrast, is 1,000 bytes. Additionally, Signal's design requires sending both an encryption key and a ciphertext, making the total size 2,272 bytes... To manage the asynchrony challenges, the developers turned to 'erasure codes,' a method of breaking up larger data into smaller pieces such that the original can be reconstructed using any sufficiently sized subset of chunks...

The Signal engineers have given this third ratchet the formal name: Sparse Post Quantum Ratchet, or SPQR for short. The third ratchet was designed in collaboration with PQShield, AIST, and New York University. The developers presented the erasure-code-based chunking and the high-level Triple Ratchet design at the Eurocrypt 2025 conference. Outside researchers are applauding the work. 'If the normal encrypted messages we use are cats, then post-quantum ciphertexts are elephants,' Matt Green, a cryptography expert at Johns Hopkins University, wrote in an interview. 'So the problem here is to sneak an elephant through a tunnel designed for cats. And that's an amazing engineering achievement. But it also makes me wish we didn't have to deal with elephants.'

Thanks to long-time Slashdot reader mspohr for sharing the article.
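The "erasure codes" idea quoted above (split a large blob into chunks so that any sufficiently large subset rebuilds it) can be shown with a small Reed-Solomon-style code. This is an added example, not code from Signal, Ars Technica or Slashdot; the field GF(2^8), the parameters k=4 and n=7, and all function names are assumptions chosen for illustration, and the 2,272-byte sample blob is constructed to match the size the article cites.

```python
# Illustrative Reed-Solomon-style erasure code over GF(2^8); not Signal's SPQR code.
EXP, LOG = [0] * 510, [0] * 256
x = 1
for i in range(255):                      # build log/antilog tables, generator 3
    EXP[i] = EXP[i + 255] = x
    LOG[x] = i
    x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)

def gmul(a, b):
    return 0 if 0 in (a, b) else EXP[LOG[a] + LOG[b]]

def gdiv(a, b):                           # b must be non-zero
    return 0 if a == 0 else EXP[LOG[a] - LOG[b] + 255]

def evaluate(known, t):
    """Given {point: chunk} for k points, return the chunk at point t
    by Lagrange interpolation applied to every byte position."""
    out = bytearray(len(next(iter(known.values()))))
    for xj, chunk in known.items():
        w = 1                             # Lagrange weight of point xj at t
        for xm in known:
            if xm != xj:
                w = gmul(w, gdiv(t ^ xm, xj ^ xm))
        for pos, byte in enumerate(chunk):
            out[pos] ^= gmul(w, byte)
    return bytes(out)

def encode(blob, k, n):
    """Split blob into k data chunks (points 0..k-1) plus n-k parity chunks."""
    if not 0 < k <= n <= 256:
        raise ValueError("need 0 < k <= n <= 256")
    size = -(-len(blob) // k)             # ceiling division
    padded = blob.ljust(size * k, b"\0")
    data = {i: padded[i * size:(i + 1) * size] for i in range(k)}
    return {**data, **{i: evaluate(data, i) for i in range(k, n)}}

def decode(received, k, length):
    """Rebuild the blob from any k of the n chunks; fewer than k fails."""
    if len(received) < k:
        raise ValueError("not enough chunks to reconstruct")
    known = dict(sorted(received.items())[:k])
    return b"".join(known[i] if i in known else evaluate(known, i)
                    for i in range(k))[:length]

# Constructed stand-in for the 2,272-byte key + ciphertext the article mentions.
BLOB = bytes((i * 31 + 7) % 256 for i in range(2272))
CHUNKS = encode(BLOB, k=4, n=7)

if __name__ == "__main__":
    survivors = {i: CHUNKS[i] for i in (1, 4, 5, 6)}   # chunks 0, 2, 3 lost
    print(decode(survivors, 4, len(BLOB)) == BLOB)
```

Each of the seven chunks is 568 bytes, so a receiver that gets any four of them, in any order and across any number of messages, recovers the full blob; with three it cannot.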

Read more of this story at Slashdot.
https://it.slashdot.org/story/25/10/19/0546205/why-signals-post-quantum-makeover-is-an-amazing-engin...
