Signal Protocol and Post-Quantum Ratchets

Signal has announced a major security enhancement to the Signal Protocol: the Sparse Post Quantum Ratchet (SPQR). This new ratchet strengthens Signal's resistance to future quantum computing attacks while preserving the protocol's existing guarantees of forward secrecy (FS) and post-compromise security (PCS).

---

Background: Signal Protocol and Quantum Threats

The Signal Protocol provides end-to-end encryption for billions of private messages every day. The existing protocol uses the Double Ratchet, which combines a hash-based symmetric-key ratchet (the main source of forward secrecy) with an elliptic-curve Diffie-Hellman (ECDH) ratchet that provides post-compromise security. The hash functions are considered quantum-safe, but ECDH is not: a sufficiently large quantum computer could recover the shared secret from the public values exchanged on the wire.

An earlier upgrade, PQXDH, addressed the quantum threat at session initiation by adding a quantum-resistant shared secret to the initial key exchange. Continuous protection for the rest of a conversation, however, requires a post-quantum ratcheting mechanism as well.

---

Sparse Post Quantum Ratchet (SPQR)

SPQR is a regularly advancing post-quantum ratchet that provides FS and PCS against a quantum adversary. It runs alongside the existing Double Ratchet; the combination is called the Triple Ratchet. Classical and post-quantum keys are combined through a key derivation function (KDF), so the resulting key is a hybrid of both.

For Signal users:

- No change in the app experience.
- Conversations migrate seamlessly to the new protocol.
- Protection against quantum computing threats without sacrificing existing security.

---

Technical Overview

Current Double Ratchet design

- ECDH provides PCS: new keys are derived from fresh secret exchanges attached to messages.
- Ratcheting is one-way: past keys cannot be recovered from new ones.
- A quantum adversary who records the traffic could later break the ECDH exchanges and recover those secrets ("harvest now, decrypt later").

Incorporating post-quantum security: Key Encapsulation Mechanisms (KEMs)

A quantum-secure KEM replaces ECDH for ongoing key agreement. Unlike ECDH, a KEM has an asymmetric message pattern:

- The initiator sends an encapsulation key (EK).
- The receiver responds with a ciphertext (CT) that encapsulates the shared secret.

Challenges:

- Size: an EK or CT is over 1000 bytes (for comparison, an ML-KEM-768 encapsulation key is 1184 bytes and its ciphertext 1088 bytes), versus 32 bytes for an ECDH public key.
- Offline users, lost messages, and out-of-order delivery must all be handled without losing the shared secret.

Addressing bandwidth and reliability

- A state machine on both sides tracks where each exchange stands (Sending EK, Receiving CT, and so on).
- EK and CT data are chunked and spread across messages using an erasure code: the value is split into many chunks, and any subset of at least a threshold number of them reconstructs the original.
- This improves robustness against both accidental message loss and an attacker deliberately dropping messages.

Efficiency versus security trade-offs

- Establishing secrets faster by pre-generating material for many epochs increases what is exposed if a device is compromised.
- Simulations show that the more secrets overlap in flight at once, the greater that exposure.
- The protocol is therefore designed to balance the speed of key establishment against the amount of exposed state.

Optimized ML-KEM braid protocol

- EK and CT are broken into parts (seed, hash, and the large main component), which allows most data chunks to be sent in parallel and minimises the periods when one side has nothing to send.
- This refined protocol makes efficient use of message capacity and reduces latency.

---

The Triple Ratchet Protocol

- Keys from the Double Ratchet (ECDH) and from SPQR (post-quantum) are mixed with a KDF.
- Recovering the hybrid key requires breaking both the classical and the post-quantum algorithm.
- Result: quantum-safe forward secrecy and quantum-safe post-compromise security, delivered transparently with no change to the user experience.

---

Deployment Strategy: Heterogeneous Rollout and Downgrades

SPQR-enabled clients may encounter peers without SPQR support. Instead of forcing errors or retries, SPQR attaches optional negotiation data that non-supporting clients simply ignore. This keeps backwards compatibility and allows a smooth migration. Downgrade only allowed on initial
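The chunking described under "Addressing bandwidth and reliability" relies on an erasure code with the property that any k of n chunks rebuild the original value. The block below is an added example, not Signal's code, and it does not reproduce Signal's actual encoding parameters: it implements a small systematic Reed-Solomon-style code over GF(256) in which the first k chunks are raw data and the remaining n - k are parity, and it rebuilds a constructed 1184-byte stand-in for an encapsulation key after two of six chunks are dropped. The field arithmetic, the 4-byte length framing and the chunk layout are my own choices.

```python
"""Systematic erasure code over GF(256): any k of n chunks rebuild the data.

Added illustration, not Signal's code. Chunk i for i < k is raw data;
chunks k..n-1 are parity values of the degree<k polynomial that passes
through the k data bytes at each byte position. Any k chunks fix that
polynomial, so any k chunks recover every data byte.
"""
import struct

# GF(2^8) log/antilog tables with reducing polynomial x^8+x^4+x^3+x^2+1 (0x11d);
# 2 is a generator of the multiplicative group for this polynomial.
_EXP = [0] * 512
_LOG = [0] * 256
_x = 1
for _i in range(255):
    _EXP[_i] = _x
    _LOG[_x] = _i
    _x <<= 1
    if _x & 0x100:
        _x ^= 0x11D
for _i in range(255, 512):          # duplicate so log sums need no modulo
    _EXP[_i] = _EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    if a == 0 or b == 0:
        return 0
    return _EXP[_LOG[a] + _LOG[b]]


def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(256)")
    if a == 0:
        return 0
    return _EXP[(_LOG[a] - _LOG[b]) % 255]


def _lagrange_at(points, x0: int) -> int:
    """Evaluate the unique polynomial of degree < len(points) through `points` at x0."""
    acc = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = gf_mul(num, x0 ^ xj)   # subtraction is XOR in GF(2^8)
                den = gf_mul(den, xi ^ xj)
        acc ^= gf_mul(yi, gf_div(num, den))
    return acc


def encode(data: bytes, k: int, n: int) -> list:
    """Split `data` into n equal-length chunks, any k of which reconstruct it."""
    if not 1 <= k <= n <= 256:               # chunk index doubles as the field point
        raise ValueError("need 1 <= k <= n <= 256")
    framed = struct.pack(">I", len(data)) + data   # length prefix so padding can be stripped
    chunk_len = -(-len(framed) // k)               # ceiling division
    framed += bytes(chunk_len * k - len(framed))
    chunks = [framed[i * chunk_len:(i + 1) * chunk_len] for i in range(k)]
    for m in range(k, n):                          # parity chunk = polynomial evaluated at x=m
        parity = bytearray(chunk_len)
        for p in range(chunk_len):
            parity[p] = _lagrange_at([(i, chunks[i][p]) for i in range(k)], m)
        chunks.append(bytes(parity))
    return chunks


def decode(received: dict, k: int) -> bytes:
    """Rebuild the data from any k (or more) chunks, keyed by chunk index."""
    if len(received) < k:
        raise ValueError(f"need {k} chunks, have {len(received)}")
    use = sorted(received.items())[:k]             # any k points determine the polynomial
    chunk_len = len(use[0][1])
    out = bytearray()
    for i in range(k):
        if i in received:                          # data chunk arrived: use it directly
            out += received[i]
            continue
        for p in range(chunk_len):                 # missing data chunk: interpolate at x=i
            out.append(_lagrange_at([(x, c[p]) for x, c in use], i))
    length = struct.unpack(">I", bytes(out[:4]))[0]
    return bytes(out[4:4 + length])


if __name__ == "__main__":
    fake_ek = bytes(i % 251 for i in range(1184))   # constructed stand-in for a 1184-byte EK
    chunks = encode(fake_ek, k=4, n=6)
    survivors = {2: chunks[2], 3: chunks[3], 4: chunks[4], 5: chunks[5]}  # chunks 0 and 1 lost
    print("recovered:", decode(survivors, k=4) == fake_ek)
```

With k=4 and n=6, two messages carrying chunks can be lost or dropped and the peer still recovers the full value; the cost is that each of the six chunks is a quarter of the framed value, so the total bytes on the wire are 1.5 times the original. That ratio is the knob the text describes as the bandwidth versus robustness trade-off.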
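The Triple Ratchet section says the ECDH and post-quantum secrets are mixed through a KDF so that an attacker must break both to follow the key chain. The block below is an added example, not Signal's implementation, of what that root-chain step looks like: it keeps the shape of the Double Ratchet specification's root KDF (HKDF with the current root key as salt and the fresh secret as input keying material) and simply concatenates the KEM secret onto the ECDH output. The HKDF info label, the all-zero placeholder used when no new PQ secret is available in a given step, and the chain-key derivation constants are illustrative choices; the ECDH and KEM outputs are constructed byte strings rather than real key agreements.

```python
"""Hybrid root-key step in the style of the Triple Ratchet.

Added example, not Signal's code. root_step() mixes the ECDH output and
the post-quantum KEM secret into one HKDF call; an attacker who has
recovered only the ECDH secret (a quantum break of ECDH) cannot compute
the same root or chain key without the KEM secret as well.
"""
import hashlib
import hmac
from typing import List, Optional, Tuple


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def root_step(root_key: bytes, dh_secret: bytes,
              pq_secret: Optional[bytes]) -> Tuple[bytes, bytes]:
    """Advance the root chain, returning (new_root_key, new_chain_key).

    Illustrative choice: when this step has no fresh KEM secret, a 32-byte
    zero placeholder keeps the derivation shape constant. Security then
    rests on the ECDH secret alone for that step, which is exactly the
    window the PQ ratchet is meant to close.
    """
    ikm = dh_secret + (pq_secret if pq_secret is not None else bytes(32))
    out = hkdf_sha256(ikm, salt=root_key, info=b"TripleRatchet-root-step", length=64)
    return out[:32], out[32:]


def chain_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Symmetric-key ratchet: (next_chain_key, message_key).

    One-way: neither output reveals the previous chain key, so deleting
    used keys gives forward secrecy inside an epoch.
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def run_epochs(root_key: bytes, dh_secrets: List[bytes],
               pq_secrets: List[Optional[bytes]]) -> List[bytes]:
    """Run one root step per epoch and return the chain key of each epoch."""
    chain_keys = []
    for dh, pq in zip(dh_secrets, pq_secrets):
        root_key, ck = root_step(root_key, dh, pq)
        chain_keys.append(ck)
    return chain_keys


if __name__ == "__main__":
    # Constructed secrets standing in for real ECDH and ML-KEM outputs.
    rk0 = bytes(32)
    dh = [bytes([1]) * 32, bytes([2]) * 32]
    pq = [bytes([9]) * 32, bytes([8]) * 32]
    honest = run_epochs(rk0, dh, pq)
    # Attacker model: ECDH broken (dh known), KEM secrets unknown.
    attacker = run_epochs(rk0, dh, [None, None])
    print("attacker follows chain:", honest == attacker)   # expected False
```

The point the test below pins down is the hybrid property: identical inputs reproduce the chain, but changing either the ECDH secret or the KEM secret changes every subsequent key, so the classical and post-quantum inputs each have to be recovered to follow the ratchet.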