Signal Intros Quantum-Resistant Encryption for App

The developers of the Signal messaging app are strengthening the app’s central encryption capabilities for the upcoming post-quantum era.

Signal is upgrading the Signal Protocol – the cryptographic specifications behind the end-to-end encryption (E2EE) used in the private text and voice communications that run over the app – to ensure it can withstand cyberthreats as quantum computers mature and become more available, including to bad actors.

Signal CTO Ehren Kret noted in a blog post this week that quantum systems that exist today don’t have nearly enough qubits – the quantum equivalent of the classical bit – to threaten the public-key cryptography that Signal and other organizations use.

“However, if a sufficiently powerful quantum computer were built in the future, it could be used to compute a private key from a public key thereby breaking encrypted messages,” Kret wrote.

To address this, a growing number of tech companies are adopting encryption protocols that are designed to withstand the powerful compute capabilities of quantum systems.

From X3DH to PQXDH

For Signal, that means upgrading the current spec – X3DH, or Extended Triple Diffie-Hellman – with PQXDH (Post-Quantum Extended Diffie-Hellman). The CTO wrote that through the move, the company is “adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards.”

The effects of the shift will be felt beyond Signal users, given that the Signal Protocol is also used in other messaging apps like WhatsApp and Google Messages.

Quantum computers hold the promise of being able to quickly solve problems that would take even the most powerful supercomputers today months or years to sort through. That’s good for a broad range of industries, from pharmaceuticals to life sciences to energy.

However, in the hands of cybercriminals, it represents significant risks to current cryptography technologies, including elliptic curve cryptography, which Signal uses as the public key cryptosystem for many of its specifications.

Governments around the world are pushing for post-quantum standards. Addressing quantum is a key part of the White House’s larger cybersecurity initiatives, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) last year launched a post-quantum cryptography program.

The U.S. National Institute of Standards and Technology (NIST) has since selected four cryptographic algorithms for standardization as replacements for the current public-key algorithms that are vulnerable to quantum computing.

Something Old, Something New

Signal is taking a hybrid approach to its post-quantum strategy, combining one of those NIST algorithms – CRYSTALS-Kyber – with its current elliptic curve cryptography. This way, “an attacker must break both systems in order to compute the keys protecting people’s communications,” Kret wrote.

“The essence of our protocol upgrade … is to compute a shared secret, data known only to the parties involved in a private communication session, using both the elliptic curve key agreement protocol X25519 and the post-quantum key encapsulation mechanism CRYSTALS-Kyber,” he wrote.
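The hybrid key agreement Kret describes, written out as an added example (this is not Signal’s code, and the names PreKeyBundle, InitialMessage, Initiate and Respond are assumptions for illustration). It uses the Go 1.24 standard library, whose crypto/mlkem package implements ML-KEM-768, the FIPS 203 standardization of CRYSTALS-Kyber; PQXDH itself specifies the round-3 Kyber-1024 parameter set, and its bundle also carries identity keys and a prekey signature that are left out here. The point the example makes is in combine(): the session key is HKDF output over the concatenation of the X25519 shared secret and the KEM shared secret, so an attacker who breaks only one of the two learns nothing about it.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// hkdfSHA256 is a minimal HKDF (RFC 5869, extract then expand) over SHA-256,
// written inline so the example depends only on the Go 1.24 standard library.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	if len(salt) == 0 {
		salt = make([]byte, sha256.Size) // RFC 5869: no salt means HashLen zero bytes
	}
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	var okm, block []byte
	for counter := byte(1); len(okm) < n; counter++ {
		expand := hmac.New(sha256.New, prk)
		expand.Write(block)
		expand.Write(info)
		expand.Write([]byte{counter})
		block = expand.Sum(nil)
		okm = append(okm, block...)
	}
	return okm[:n]
}

// PreKeyBundle (assumed name) is what the responder publishes ahead of time:
// an X25519 public key and an ML-KEM-768 encapsulation key.
type PreKeyBundle struct {
	ECPub []byte // 32-byte X25519 public key
	PQPub []byte // 1184-byte ML-KEM-768 encapsulation key
}

// InitialMessage (assumed name) is the initiator's reply: an ephemeral X25519
// public key and the ML-KEM ciphertext encapsulated to the responder's PQ key.
type InitialMessage struct {
	ECPub        []byte
	PQCiphertext []byte
}

// Responder holds the private halves of the published bundle.
type Responder struct {
	ec *ecdh.PrivateKey
	pq *mlkem.DecapsulationKey768
}

func NewResponder() (*Responder, error) {
	ec, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	pq, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return &Responder{ec: ec, pq: pq}, nil
}

func (r *Responder) Bundle() PreKeyBundle {
	return PreKeyBundle{ECPub: r.ec.PublicKey().Bytes(), PQPub: r.pq.EncapsulationKey().Bytes()}
}

// combine derives the session key from BOTH shared secrets: the HKDF input is
// ssEC || ssPQ, so recovering the key requires breaking X25519 and ML-KEM. The
// public transcript goes into info so a tampered message cannot yield the honest key.
func combine(ssEC, ssPQ []byte, b PreKeyBundle, m InitialMessage) []byte {
	ikm := append(append([]byte{}, ssEC...), ssPQ...)
	info := bytes.Join([][]byte{[]byte("hybrid-x25519-mlkem768-example"),
		b.ECPub, b.PQPub, m.ECPub, m.PQCiphertext}, nil)
	return hkdfSHA256(ikm, nil, info, 32)
}

// Initiate runs the initiator's side against a published bundle and returns the
// 32-byte session key together with the message to send to the responder.
func Initiate(b PreKeyBundle) ([]byte, InitialMessage, error) {
	theirEC, err := ecdh.X25519().NewPublicKey(b.ECPub)
	if err != nil {
		return nil, InitialMessage{}, err
	}
	theirPQ, err := mlkem.NewEncapsulationKey768(b.PQPub)
	if err != nil {
		return nil, InitialMessage{}, err
	}
	myEC, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, InitialMessage{}, err
	}
	ssEC, err := myEC.ECDH(theirEC)
	if err != nil {
		return nil, InitialMessage{}, err
	}
	ssPQ, ct := theirPQ.Encapsulate()
	msg := InitialMessage{ECPub: myEC.PublicKey().Bytes(), PQCiphertext: ct}
	return combine(ssEC, ssPQ, b, msg), msg, nil
}

// Respond runs the responder's side. ML-KEM decapsulation of a corrupted
// ciphertext does not fail; it returns an unrelated key (implicit rejection),
// so a mismatch only surfaces when the session key is first used.
func (r *Responder) Respond(m InitialMessage) ([]byte, error) {
	theirEC, err := ecdh.X25519().NewPublicKey(m.ECPub)
	if err != nil {
		return nil, err
	}
	ssEC, err := r.ec.ECDH(theirEC)
	if err != nil {
		return nil, err
	}
	ssPQ, err := r.pq.Decapsulate(m.PQCiphertext)
	if err != nil {
		return nil, err
	}
	return combine(ssEC, ssPQ, r.Bundle(), m), nil
}

func main() {
	bob, _ := NewResponder()
	aliceKey, msg, _ := Initiate(bob.Bundle())
	bobKey, _ := bob.Respond(msg)
	fmt.Printf("keys match: %v (%d-byte session key)\n", bytes.Equal(aliceKey, bobKey), len(bobKey))
}
```

The ciphertext the initiator sends is 1088 bytes and the encapsulation key in the bundle is 1184 bytes, which is the bandwidth cost of the hybrid; after this one exchange both sides hold a symmetric key and no further public-key operations are needed for the session.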

Signal’s approach is similar to the hybrid strategy Google announced last month. The IT giant is combining the X25519 elliptic curve algorithm with Kyber-768 to protect TLS traffic in the Chrome browser starting with Chrome 116. Also in August, Google added a quantum-resilient FIDO2 security key implementation to OpenSK, its open-source, Rust-based security key firmware.

A writer on Reddit posted that they like that Signal is “using classical EC and Crystals-Kyber together, but I do wonder how often that asymmetric encryption executes in the background. There will be a performance + battery hit if it’s often. If they’re just using it in the classical session sense, it’s fine because you have one handshake (or I guess two now, with one nested inside of the other) and then you switch to some symmetrical like AES which is hardware accelerated on most devices and much lighter weight.”

Protecting Against HNDL

When quantum computing will become mainstream is still being debated, with estimates running from years to decades. It initially will likely be used in conjunction with classical systems, acting somewhat like an accelerator used to run workloads that the classical computers can’t.

However, a driver of the current push for quantum-resistant cryptography is concern about a threat known as Harvest Now, Decrypt Later (HNDL). Essentially, threat groups may be stealing encrypted data now that they can’t decrypt today but could decrypt later with quantum systems.

“We are not in a position to judge which timeline is most likely, but we do see a real and growing risk which means we need to take steps today to address the future possibility of a large enough quantum computer being created,” Kret wrote.

He added that the new protocol is supported in the latest versions of Signal’s client apps and is being used for chats initiated after both sides of the chat are using the latest Signal software. In the coming months, after all Signal users have had a chance to update the app, the company will disable X3DH for new chats and require PQXDH.

Software updates are coming to upgrade existing chats to the new protocol, the CTO wrote.

Jeffrey Burt

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He’s written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet, and Channel Insider.
