Signal’s Post-Quantum Cryptographic Implementation

Signal has just rolled out its quantum-safe cryptographic implementation.

Ars Technica has a really good article with details:

Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they allowed it to remain more or less the same as it had been. Then they used the new quantum-safe ratchet to implement a parallel secure messaging system.

Now, when the protocol encrypts a message, it sources encryption keys from both the classic Double Ratchet and the new ratchet. It then mixes the two keys together (using a cryptographic key derivation function) to get a new encryption key that has all of the security of the classical Double Ratchet but now has quantum security, too.

The Signal engineers have given this third ratchet the formal name: Sparse Post Quantum Ratchet, or SPQR for short. The third ratchet was designed in collaboration with PQShield, AIST, and New York University. The developers presented the erasure-code-based chunking and the high-level Triple Ratchet design at the Eurocrypt 2025 conference. At the Usenix 25 conference, they discussed the six options they considered for adding quantum-safe forward secrecy and post-compromise security and why SPQR and one other stood out. Presentations at the NIST PQC Standardization Conference and the Cryptographic Applications Workshop explain the details of chunking, the design challenges, and how the protocol had to be adapted to use the standardized ML-KEM.

Jacomme further observed:

The final thing interesting for the triple ratchet is that it nicely combines the best of both worlds. Between two users, you have a classical DH-based ratchet going on one side, and fully independently, a KEM-based ratchet is going on. Then, whenever you need to encrypt something, you get a key from both, and mix it up to get the actual encryption key. So, even if one ratchet is fully broken, be it because there is now a quantum computer, or because somebody manages to break either elliptic curves or ML-KEM, or because the implementation of one is flawed, or…, the Signal message will still be protected by the second ratchet. In a sense, this update can be seen, of course simplifying, as doubling the security of the ratchet part of Signal, and is a cool thing even for people that don’t care about quantum computers.
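The passages above describe the core idea of the triple ratchet: the DH-based Double Ratchet and the KEM-based SPQR each produce a key, and the two are mixed through a key derivation function so the message key is only as weak as the stronger of the two. The following is an added illustration, not Signal's code: it implements HKDF from RFC 5869 with the standard library, combines two ratchet outputs with length prefixes and a fixed label, and drives it with a stand-in ratchet (a plain KDF chain) in place of the real DH and ML-KEM ratchets. The labels, the key sizes and the stand-in ratchet are assumptions for the demo.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(prk, t + info + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]


def combine_ratchet_keys(classical_key: bytes, pq_key: bytes,
                         info: bytes = b"demo-triple-ratchet-v1") -> bytes:
    """Mix the two ratchet outputs into one 32-byte message key.

    Each input is length-prefixed so that two different (classical, pq) pairs
    can never produce the same IKM byte string, and the fixed info label keeps
    this derivation separate from any other HKDF use.  If an attacker knows one
    input but not the other, the output is still an unpredictable PRF value.
    (Demo construction; Signal's actual labels and encoding are not assumed.)
    """
    for k in (classical_key, pq_key):
        if not isinstance(k, bytes) or len(k) == 0:
            raise ValueError("each ratchet must contribute a non-empty key")
    ikm = (len(classical_key).to_bytes(2, "big") + classical_key
           + len(pq_key).to_bytes(2, "big") + pq_key)
    prk = hkdf_extract(b"\x00" * HASH_LEN, ikm)
    return hkdf_expand(prk, info, HASH_LEN)


def stand_in_ratchet(chain_key: bytes, label: bytes) -> tuple:
    """Placeholder for one ratchet step: returns (next_chain_key, output_key).

    Signal's ratchets derive these from a DH or ML-KEM shared secret; here a
    plain HMAC chain stands in so the combiner can be exercised offline.
    """
    next_chain = hmac.new(chain_key, label + b"\x01", HASH).digest()
    output = hmac.new(chain_key, label + b"\x02", HASH).digest()
    return next_chain, output


def simulate_messages(n: int, dh_seed: bytes, kem_seed: bytes) -> list:
    """Step both ratchets independently n times; return the n combined keys."""
    dh_chain, kem_chain, keys = dh_seed, kem_seed, []
    for _ in range(n):
        dh_chain, dh_out = stand_in_ratchet(dh_chain, b"dh")
        kem_chain, kem_out = stand_in_ratchet(kem_chain, b"kem")
        keys.append(combine_ratchet_keys(dh_out, kem_out))
    return keys


if __name__ == "__main__":
    # Constructed seeds for the demo; a real deployment gets these from the
    # X3DH/PQXDH handshake, not from fixed bytes.
    for i, key in enumerate(simulate_messages(3, b"d" * 32, b"k" * 32)):
        print(f"message {i}: {key.hex()}")
```

The length prefixes matter: without them `(b"ab", b"c")` and `(b"a", b"bc")` would feed HKDF the same bytes. The combiner is also order-sensitive on purpose, so swapping the classical and PQ halves yields a different key.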

Also read this post on X.

Posted on October 29, 2025 at 7:09 AM

Comments

kiwano October 29, 2025 9:12 AM

Am I the only one wondering if the choice of name “Sparse Post Quantum Ratchet” was influenced by ancient Rome?

finagle October 29, 2025 10:01 AM

Excellent.
Now they just need to deal with the whole needing a mobile phone number and all the possible end run attacks where the device is compromised.
All of which worry me far more than the possibility of quantum computers being used in the (far?) future.

Clive Robinson October 29, 2025 11:29 AM

@ finagle, ALL,

With regards,

“All of which worry me far more than the possibility of quantum computers being used in the (far?) future.”

That’s a mistake everyone makes…

The thing is the reason for Post Quantum Crypto is a problem of how to establish a “root of trust” from which you can then do “key generation”.

The root of trust has to be a secret between the two communicating parties. Thus the exchange of the secret prior to the 1970’s had to be “by hand” or some other “secure communications channel” which in the likes of OnLine Commerce did not exist so would have to be established. Hence the names used for such are,

1, Key Transfer Procedure
2, Key Establishment Protocols
3, Key Agreement Protocol

The first covers the older “by hand” systems as well as the newer mathematical systems and is part of the more general “Key Management” (KeyMan) system. These usually require a secure “covert channel”.

The second covers the mathematical systems that don’t require even a secure channel. They are based on the notion that not only do “One Way Functions” (OWF) exist but also that OWFs with a “Back Door Function” exist.

The last is more about what happens after the initial root of trust is established and covers things like “ratchet functions”.

The problem you need to worry about more than Quantum Computers is the “assumption” that OWF’s exist…

There is of yet no “proof” in the mathematical sense that they do. Just the reassurance that despite many looking, no algorithm has yet been publicly demonstrated.

But if the assumption is invalid then you will not have to hang onto the “never never” idea that workable Quantum Computers will be developed in any of our life times, because existing computers will probably work just fine.

This then causes another question to arise which is what “Post Quantum Cryptography”(PQC) is all about.

Can there be the equivalent of a OWF in a way that is secure against Quantum Computing?

Again there is no proof that there is. In fact at least one serious attempt in the NIST Competition has failed already…

But the mathematicians, logicians and engineers are looking

And a couple of recent publications suggest that the OWF Assumption is increasingly on shaky ground…

mark October 29, 2025 1:00 PM

And I’m sure they had no motive other than choosing a random name for SPQR. (Flashing on the filk of SPQR, to the tune of YMCA.)

kodlu October 29, 2025 3:57 PM

@clive robinson, can you point out the recent publications showing the existence of OWFs on increasingly shaky ground?

StephenM October 30, 2025 1:24 AM

@Moshe Yudkowsky

Don’t know how the grammar works but I think you’ll find that’s:

Senatus Populusque Romanum

KC October 30, 2025 2:07 AM

Rolfe Schmidt talked about Signal’s moves towards post-quantum security in a March podcast. (He’s a Research Engineer at Signal and one of the authors of the Signal SPQR blog post.)

Even though the conversation was seven months ago, it’s still a curious listen for getting a lay of the quantum land 🙂

Host Johannes Lintzen: Fascinating. So, I guess talking about regulatory bodies a little bit more, do you feel like the usual regulatory bodies like IETF and ISO and many others, do you feel like they should be a bit more proactive when it comes to secure messaging and standards for that?

Rolfe Schmidt: I guess I am not sure. I think it’s easy to jump the gun a bit, getting too proactive, getting too prescriptive, and take away some of the flexibility we need when new ideas come up.

I think as we’ve been designing this ratchet, the protocols we ended up with are so different from what I thought we were going to do setting out. Had we set it in stone too early, we would have done the wrong thing.

Rolfe mentioned that he does post some updates on LinkedIn, where it looks like he’s also linked to a few additional collaborator posts on Sparse Post-Quantum Ratchet (SPQR).

piglet October 30, 2025 4:30 AM

Does anybody believe that quantum computing is real? I hear it’s just another hype (there was a fun post here a while ago about how no successful quantum factorization has really been demonstrated).

finagle October 30, 2025 5:06 AM

@Clive

That’s a mistake everyone makes…

No. I’m separating concerns. Quantum cryptography is not completely orthogonal to imperfect key generation and sharing, but it should be considered and ranked as a threat, and not be used to distract from the big problems of secure platforms and privacy.

Having a perfectly secured piece of string doesn’t matter if the can is broadcasting what goes along the string, and from whom.

Clive Robinson October 30, 2025 8:00 AM

@ finagle,

“No. I’m separating concerns.”

Ahh sorry, I thought you were just talking about the crypto.

I first said that “Signal” and all the other “secure messaging apps” were “not secure in use” here and called out Moxie on it. And if you look back you will see that I got roasted by many for my comment.

But as I pointed out back then if you are using security it’s the whole system you have to look at.

In particular where the “security endpoint” was with respect to the “communications endpoint”.

I went on to point out that because it was fairly easy to put a software shim in the drivers for the user interface, and the OS allows for “end run attacks” around any App that any attacker who knew what they were doing would not bother attacking the crypto, they would simply “end run the app and go for the user interface”.

What I also mentioned was that other apps could easily do the same thing, all you had to do was get such an app onto the users device.

And sadly we saw Apple do one of the dumbest things they could they put such a thing into their OS…

And now we have what is called “client side scanning” which does exactly what I feared… And governments like Australia and UK are mandating such “end run access” now it’s clear they’ve lost the E2EE battle.

But you mention,

“Having a perfectly secured piece of string doesn’t matter if the can is broadcasting what goes along the string, and from whom.”

Not sure if you are talking about EmSec with “can is broadcasting” or you are talking about “traffic analysis” with “what goes along the string, and from whom.”?

Or one of the as yet unnamed attack vectors that is one step on from traffic analysis and carried out using statistical modeling and purchased data from Data Brokers.

I’m kind of chatting with @Winter about it over on the “First Wap…” thread; it started when @Winter made a comment,

https://www.schneier.com/blog/archives/2025/10/first-wap-a-surveillance-computer-youve-never-heard-of.html/#comment-449379

to something I’d said, and has a bit of a way to go.

And as a habit of old I’m waiting for the thread to go quiet before the chat gets intensive, as it allows others to make their comments or ask questions without feeling intimidated or pushed out of the thread.

But yes, if you want a chat about things all the way down from “out of space” –Low Earth Orbit– to original papers from Claude Shannon and Gus Simmons, I’m happy to do so and have done in the past.

But overall it’s not problems I’m looking for but “practical solutions” for those that are either being used or soon will be by those of unlawful, lawful but anti-social or criminal intent (all of which apply to all three of Prof Ross J. Anderson’s “Levels of Attacker”).

So you will also find I’ve posted one or three solutions one or more times over the years.

Including how to make a sort of SCIF from common household items, you can knock up or take down in seconds. Also why I talk about “energy gapping” not the old and broken “air gapping” model, a couple of us on this blog –Hi @RobertT if you’re reading– broke at the time of BadBIOS. As usual with anything that appears new and went against the crowd’s “cognitive bias” it got derided at the time. But then a couple of undergrad students used the info we’d given to “write a paper”… Then suddenly it was all official and everyone was “jumping on the bandwagon”, mostly those you’d rather had not.

Any way as they say,

“Welcome, take a seat and name your poison?”

MrC October 30, 2025 11:07 PM

@piglet

Does anybody believe that quantum computing is real?

In theory, all that remains is a bear of an engineering problem. We know what we want to build. We are able to build toy examples of what we want to build. We just haven’t been able to build it at sufficient scale — enough entangled q-bits to be useful. Yet.

A lot of the “we don’t really need to worry about quantum computing in our lifetimes” sentiment is rooted in the fact that the engineering problem has turned out to be really, really hard. The lack of meaningful progress so far has engendered a sense that progress will continue to be glacial, if we can even get there at all.

This is a natural response to a lack of progress, but not a prudent one. An engineering breakthrough that rapidly gets us from here to a practically useful quantum computer is unlikely, but it isn’t unthinkable. And the consequences for existing cryptosystems if it did happen would be apocalyptic.

We also have to worry today about a hypothetical engineering breakthrough 50ish years in the future. Adversaries (read “NSA”) are already storing vast amounts of encrypted traffic, hoping to be able to break it someday. Some messages sent today are still going to be important and sensitive in 50 years.

A second branch of “we don’t really need to worry about quantum computing in our lifetimes” sentiment revolves around the sketchy notion that the engineering difficulties suggest that there’s something we don’t yet understand about quantum mechanics that actually makes it impossible. This is hard to evaluate because it’s entirely premised on something we don’t know.

Three other things are going on here too:

Eager/desperate to show practical results that justify further funding, researchers are fudging their test cases to create the illusion of progress. This paper is probably what you were referring to as the “fun post.”

Eager/desperate to show practical results that justify further funding, researchers are building toy devices with architectures that don’t even try to entangle all the q-bits. This may yield a better showpiece (with a fudged test case), but it’s a dead end with respect to the goal of ever being able to run Shor’s Algorithm with enough q-bits to matter.

Our view into the state of the engineering research is limited to these sorts of industry and academic projects publicly (over)stating their progress to justify their funding. We have no idea what’s going on inside the world’s intelligence agencies. If they achieved the necessary engineering breakthrough, they wouldn’t tell us. They’d just build the damned thing and start spying on us.

Clive Robinson November 3, 2025 1:11 PM

@ V.Serge, ALL,

“Does anyone believe E2EE exists, never mind “quantum-safe”?”

You’re getting two things muddled up.

1, Encryption.
2, Key Negotiation.

I know E2EE exists and it can be secure with a little effort.

It’s why having failed to get “back-doors” into even standard Encryption they have now switched to trying to force “Client Side Scanning”. Which suggests that they might have given up on,

3, Putting back doors in.
4, Quantum Computing delivering any time soon.

The problem with “Client Side Scanning” is it only works on those who “go for convenience” or use Electronic Commerce etc where there is no independent secure side channel for a secret “Root of Trust” to be transferred[1]. Or a secure “system”; after all, what security does a “secure app” give if the supplier of the OS “end runs it” by sending what is appearing on the device “user interface”.

As you note,

“at least do your encryption off the endpoint device, and quit lying to yourselves.”

Is part of the way to go. However it needs to have had a “Root of Trust” actually transferred “Securely between the two parties”. Anything done on line thanks to “collect it all” is not in any way secure thus secret, and will in effect get you a target painted on your back if you use “off device encryption”.

The thing about “collect it all” via “Client Side Scanning” is getting built into all smart phones etc by the likes of Apple, Alphabet, Meta, Microsoft, that we know of.

If people start sending what looks like encrypted text from the keyboard etc, “client side scanning” will almost certainly flag it up, because the message statistics are wrong.

This means an extra stage is needed to make the actual “Cipher Text” look as though it is just ordinary “Plain Text” and importantly use “deniable encryption”.

I’ve explained how to do this in the past on this blog using a “One Time Pad” encryption and a “Code Book”.

The problem is that the cognitive load is way too much for the average person to “want to bother with” even though it’s relatively simple to do (and why I don’t use any consumer or commercial encryption systems).

So the majority of people won’t protect themselves properly. And worse they will probably reveal what they are doing in one or more very simple ways.

As can be seen in the UK the authorities are using very very poorly designed legislation that does not require actual evidence to grab people’s phones, computers etc. Just claims that a communication hurt some unknown, probably invented, person’s feelings.

A UK Barrister has indicated that this is clearly part of a “normalisation process” to get people to be afraid of speaking freely, using jokes or sarcasm.

Worse though the suggested UK ID that will have to go on your Smart Phone will allow not just “client side scanning” but full traceability. Worse, those who have grabbed your phone will have in effect made you a “Non person”. The UK IRS, officially HMRC, has started using an AI system linked into all forms of electronic communications they can. That will then use AI to profile you every time you spend money or move around.

There has already been a case where a woman was accused of fraud because she had left the country. The HMRC argument was that she had purchased an open flight so was no longer resident in the UK…. But they failed to check to see if she had actually left the country (she had not due to an illness her child had),

https://www.theguardian.com/society/2025/oct/31/woman-flight-italy-did-not-board-child-benefits-stopped

This is only going to get worse.

Because the UK Government policy is to go after those who cannot defend themselves. Yet let corporations that take billions out of the country they are not paying tax on get away with it.

But that’s all right, because the Corps Lobbyists are “nest feathering” politicians and civil servants in various ways…

[1] Hence the development of “Key Negotiation Protocols” that are based on various “assumed” “One Way Functions”(OWFs). All such mathematical OWFs used for this are prone to having “back doors” added. In fact it’s the fact there are “secret back doors” that make the protocols work for the key negotiation.

V.Serge November 6, 2025 5:34 AM

@Clive Robinson, ALL, re:your November 3, 2025 1:11 PM.

Thanks. It’s a mystery to me that such wide open access to the plain-text is being ignored as though it were secured. This is not encryption, much less post quantum. It’s pure fantasy.

Plain text won’t be secure until it’s encrypted off-device, on an air-gap, using something like Signal as a TRANSPORT LAYER ONLY. For example, using SecureDrop* to ship a QR code MP4 that can be read by camera, onto and off of the endpoint devices (the users’ phones).

Claiming otherwise is a mesmerism given by self-deceived liars: As it plainly appears from my perspective.

(*See ‘ht tps://docs.securedrop.org/en/stable/)

JG5 November 9, 2025 7:44 AM

Glad to see you guys are on the job about endpoint security and the related requirements. “What percentage of Signal users have endpoint security?”

@Clive – Our last exchange on affordable electricity got truncated because I colored outside some line. I have been meaning to comment on Alien Probe Technology. In case anyone remembers the Grey Poupon ads from wayback, that would be the correct accent on our side of the pond. Sir, your Alien Probe is warmed and lubed, Sir. References to NASA work on the planet between Saturn and Neptune usually is good for a chuckle.

Clive Robinson November 9, 2025 10:19 PM

@ JG5

With regards,

“… got truncated because I colored outside some line.”

Maybe not…

Since this blog moved hosting there has been a persistent error arising.

If you see a 428 or similar error, you and somebody else posted at the same time or at least within a short time window of each other.

The system trips over its own feet, but not until it’s done other things. Like hash your post to stop double posts (though they still happen). And log your IP address or other Identifier in case you repost within a short time window, in which case it gets referred for moderation. Or at least that’s what you get told by the software, though I cannot remember having seen any submits that have had the held for moderation notice actually get posted later.

It’s why you sometimes see “Part 1…” where people have split their post into parts to try and work out what caused it to get the “held”.

In the past I’ve used a “binary chop” to try to find the actual problem but it appears to have a “non deterministic element” to it in that sometimes just partitioning or “back ticking” URLs works.

So like others these days I just split the message up into between 4 and 10 “couple of short paragraph” parts.

I hope that helps.

As for the “grey poop on” mustard ads, “good grief”, they go back to the time of “Yes Minister”…

Somebody I used to know had a second hand later version of those “Rollers” and had a proximity alarm system fitted, that if you got too close a stern female voice would order “Stand away from the Car” and if you did not it would add an officious “Now” after.

I joked with him one day that he needed the “007 version” that blows up and takes the perp out for smashing the window… But they were more innocent times when people knew you were joking not being a “faux extremist” to be accused of committing “harassment”.
