Full Report
Signal has just rolled out its quantum-safe cryptographic implementation. Ars Technica has a really good article with details:

> Ultimately, the architects settled on a creative solution. Rather than bolt KEM onto the existing double ratchet, they allowed it to remain more or less the same as it had been. Then they used the new quantum-safe ratchet to implement a parallel secure messaging system. Now, when the protocol encrypts a message, it sources encryption keys from both the classic Double Ratchet and the new ratchet. It then mixes the two keys together (using a cryptographic key derivation function) to get a new encryption key that has all of the security of the classical Double Ratchet but now has quantum security, too...
Analysis Summary
# Research: Signal's Post-Quantum Cryptographic Implementation (Inferred from Technical Analysis)
## Metadata
- Authors: Signal Engineers collaborating with PQShield, AIST, and New York University (Inferred)
- Institution: Signal / Various Academic & Industry Partners (Inferred)
- Publication: Eurocrypt 2025 Conference Proceedings, Usenix Security 25 Proceedings, IACR ePrint (2025) (Inferred from context)
- Date: October 2025 (Inferred from blog post date)
## Abstract
This research details the engineering solution developed by Signal to integrate quantum-safe cryptography into its existing Double Ratchet protocol while maintaining core security properties like forward secrecy and post-compromise security. The solution, named the Sparse Post Quantum Ratchet (SPQR), avoids a direct, invasive modification to the classic Double Ratchet. Instead, it leverages a parallel, independent quantum-safe ratchet mechanism whose derived keys are cryptographically mixed with the keys from the classic ratchet via a KDF to produce the final message encryption keys. This "Triple Ratchet" design provides robust security against both classical and quantum adversaries by achieving redundancy through key diversification.
## Research Objective
The primary objective was to introduce robust quantum-safe key encapsulation mechanism (KEM) functionality—specifically integrating standardized post-quantum algorithms like ML-KEM—into the Signal Protocol to protect long-term confidentiality against future quantum computers, without sacrificing the proven security properties or operational stability of the existing protocol structure.
## Methodology
### Approach
The researchers utilized an **iterative comparative evaluation** combined with a **parallel architecture implementation**. They analyzed six distinct options for integrating quantum safety and selected the approach that best balanced security, performance, and architectural compatibility. The chosen methodology involved parallel execution rather than monolithic replacement.
### Dataset/Environment
The study environment involves the Signal Secure Messaging Protocol, specifically focusing on the key derivation and material exchange mechanisms central to the Double Ratchet.
### Tools & Technologies
- Double Ratchet Protocol (Existing Baseline)
- Post-quantum key encapsulation mechanisms (KEMs), including NIST-standardized algorithms (e.g., ML-KEM).
- Cryptographic Key Derivation Functions (KDFs) for key mixing.
- Sparse Post Quantum Ratchet (SPQR) - The newly developed quantum-safe ratchet.
- Erasure-code-based chunking (Mentioned as a related optimization).
## Key Findings
### Primary Results
1. **Parallel Ratchet Architecture:** A functional, parallel cryptographic system was successfully designed where the existing classical Double Ratchet operates independently from a new quantum-safe ratchet (SPQR).
2. **Key Mixing for Hybrid Security:** Message encryption keys are derived by combining (mixing via KDF) the outputs from both the classical and the SPQR ratchets.
3. **Redundant Security Guarantee:** The resulting encryption key inherits strong security from both systems. Crucially, if *one* ratchet (classical or quantum-safe) is broken (e.g., due to ECC compromise or ML-KEM failure), the message remains secured by the other intact ratchet.
### Supporting Evidence
- Formal presentation and discussion of the design trade-offs (six options considered) at major security conferences (Eurocrypt 2025, Usenix 25).
### Novel Contributions
- **Sparse Post Quantum Ratchet (SPQR):** Introduction of a novel, specifically designed quantum-safe ratchet mechanism.
- **Triple Ratchet Design:** Implementation of a secure, fault-tolerant hybridization scheme where security is derived from two independent ratchets whose outputs are deterministically mixed.
- **Integration Strategy:** Successfully integrating a new KEM-based ratchet without fundamentally altering the structure of the established, high-performance Double Ratchet.
## Technical Details
The core technical innovation is the **Triple Ratchet design**:
1. **Classic Ratchet ($\text{R}_{\text{Classic}}$):** Operates as the standard elliptic curve-based Double Ratchet.
2. **Quantum Ratchet ($\text{R}_{\text{PQ}}$/SPQR):** An independent ratchet leveraging KEMs (like ML-KEM) for quantum resistance.
3. **Key Derivation:** The final ephemeral session key ($\text{K}_{\text{Final}}$) is generated as:
$$\text{K}_{\text{Final}} = \text{KDF}(\text{Output}(\text{R}_{\text{Classic}}) \ \| \ \text{Output}(\text{R}_{\text{PQ}}))$$
This ensures that $\text{K}_{\text{Final}}$ remains secure as long as at least one of the two underlying key components remains secure: an adversary must break both ratchets, because the failure of one component still leaves the protection provided by the other. The architecture avoids "bolting on" KEM-based key exchanges directly into the existing ratchet state transitions.
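A toy model of the mixing step described above, added here as an illustration and not Signal's or libsignal's own code: the two ratchets are replaced by simple HMAC chains, and the combiner is HKDF-SHA256 over the concatenated outputs. All seeds, labels and function names are constructed for this example.

```python
"""Toy model of the Triple Ratchet key-mixing step (constructed example).
Two independent HMAC chains stand in for the classical Double Ratchet and
SPQR outputs (not Signal's real ratchets); mixing is HKDF-SHA256 over both."""
import hashlib
import hmac

HASH = hashlib.sha256

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, HASH).digest()
    okm, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]

def chain_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Advance one chain: returns (next chain key, output key), using
    domain-separated HMAC labels like the Double Ratchet's symmetric chain."""
    next_ck = hmac.new(chain_key, b"\x02", HASH).digest()
    output = hmac.new(chain_key, b"\x01", HASH).digest()
    return next_ck, output

def mix_keys(classic_out: bytes, pq_out: bytes) -> bytes:
    """K_Final = KDF(Output(R_Classic) || Output(R_PQ)). Inputs are fixed
    length, so plain concatenation is unambiguous."""
    assert len(classic_out) == 32 and len(pq_out) == 32
    return hkdf(classic_out + pq_out, salt=b"\x00" * 32,
                info=b"example-triple-ratchet-message-key")

def message_keys(classic_ck: bytes, pq_ck: bytes, count: int) -> list[bytes]:
    """Derive `count` hybrid message keys, advancing both chains in lockstep."""
    keys = []
    for _ in range(count):
        classic_ck, classic_out = chain_step(classic_ck)
        pq_ck, pq_out = chain_step(pq_ck)
        keys.append(mix_keys(classic_out, pq_out))
    return keys

# Constructed chain seeds; in Signal these come from the two live ratchets.
CLASSIC_SEED = hashlib.sha256(b"constructed classical chain seed").digest()
PQ_SEED = hashlib.sha256(b"constructed post-quantum chain seed").digest()

def keys_if_only_classic_known(count: int) -> list[bytes]:
    """What an adversary who recovered only CLASSIC_SEED can compute: the PQ
    chain is unknown, so any guess for it (here all zeros) yields wrong keys."""
    return message_keys(CLASSIC_SEED, b"\x00" * 32, count)
```

Both parties holding the same two seeds derive identical keys, while a party missing either seed derives none of them, which is the redundancy property the summary describes.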
## Practical Implications
### For Security Practitioners
This implementation provides a pragmatic, immediate upgrade path for high-assurance messaging systems to achieve quantum resilience while preserving existing forward/post-compromise security guarantees. It demonstrates how to achieve hybrid security strength in practice.
### For Defenders
Defenders benefit from "doubled" security, even against non-quantum threats. An adversary must simultaneously break two fundamentally different cryptographic primitives (Elliptic Curve DH and the chosen PQC KEM) to compromise the session key material.
### For Researchers
The SPQR design provides a concrete case study on secure protocol migration toward PQC, prioritizing architectural separation and key diversification over direct substitution.
## Limitations
Specific performance overheads associated with running two active ratchets and the KDF mixing step are not detailed in this summary but were critical factors in the evaluation process (leading to the selection of SPQR over other options). The reliance on the performance of the chosen PQC KEM (e.g., ML-KEM) remains a dependency.
## Comparison to Prior Work
Prior work might have explored end-to-end replacement of the key exchange or utilizing PQ methods only at session setup. Signal’s approach differs because it maintains the fully specified, stateful Double Ratchet for its established security properties (like post-compromise security) and uses the PQ ratchet merely to *feed* a component key into a final mixing function, ensuring cryptographic redundancy.
## Real-world Applications
- Secure messaging applications (e.g., Signal, WhatsApp) requiring long-term confidentiality against future cryptanalytic advances.
- Any real-time, ephemeral key exchange protocol where maintaining low latency and high security assurances is paramount.
## Future Work
- Detailed analysis of the latency and bandwidth implications of operating the parallel ratchet system.
- Further investigation into optimizing the erasure-code-based chunking mentioned in the associated research for efficient key/state synchronization.
## References
- Signal Blog Post announcing SPQR implementation (October 2025).
- Ars Technica technical deep dive on the implementation strategy.
- Eurocrypt 2025 paper detailing erasure-code-based chunking and Triple Ratchet design (IACR ePrint 2025/078).
- Usenix 25 paper discussing the six architectural options considered.