Quantum Resistance and the Signal Protocol

Today we are happy to announce the first step in advancing quantum resistance for the Signal Protocol: an upgrade to the X3DH specification which we are calling PQXDH. With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards.

…new post-quantum cryptosystems have been created to implement new one-way functions that cannot be advantageously reversed by a quantum computer. Thanks to innovation from cryptographic researchers and the NIST Standardization Process for Post-Quantum Cryptography we now have stable options that have been created and vetted by a large community of experts.

Our new protocol is already supported in the latest versions of Signal’s client applications and is in use for chats initiated after both sides of the chat are using the latest Signal software. In the coming months (after sufficient time has passed for everyone using Signal to update), we will disable X3DH for new chats and require PQXDH for all new chats. In parallel, we will roll out software updates to upgrade existing chats to this new protocol.

PQXDH protects messages exchanged on Signal against the threat of a future quantum computer. We will need to make further upgrades to address the threat of an attacker with a contemporaneous quantum computer. Further research in the area of post-quantum cryptography will be needed to fill in the remaining gaps. We recommend reading the security considerations section of our PQXDH whitepaper for more information on the areas of open research.


This is very welcome news. Glad to see Signal staying ahead of the curve.

Now we can have quantum resistant VPN connections like Mullvad offers, and chat with post-quantum encryption as well. Hopefully WhatsApp and the others downstream will receive this upgrade.


let’s goo group chat isn’t getting leaked

I hope Telegram will add at least E2EE by default on all chats.

Seems unlikely, unfortunately, since they have basically publicly argued against it to justify their client-side encryption by default.

This is why I recommend Signal to pretty much everyone. It’s a very secure and very reliable chat platform that just works and there’s no learning curve involved. As easy to use as it is, you don’t have to compromise on security.


pq safe is only an issue for public key cryptography. Symmetric key encryption (preferably with 256 bits or more entropy) is quantum safe from the get-go. Pre-shared symmetric keys (with enough entropy) is the trick WireGuard uses for its pq safety (I guess, the same for Mullvad?).

True. Btw, Signal didn’t get here first. Kyber, the pqkem Signal is proposing to use, is already being standardized since June by NIST for pq safe cryptography. Cloudflare and Chrome (v116) started supporting Kyber for kex in TLS (ref) barely a month later.

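The idea raised in the comments above, that a session key stays out of reach of a quantum attacker when a symmetric pre-shared key or a post-quantum KEM secret is mixed into its derivation, sketched as an added example that is not from the thread, Signal or WireGuard. The combiner, the `hybrid-example-v1` label and the sample secrets are constructed for illustration and are not either project's actual key schedule.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def frame(secret: bytes) -> bytes:
    """Length-prefix a secret so the concatenated input cannot be re-split."""
    return len(secret).to_bytes(4, "big") + secret


def hybrid_session_key(classical_secret: bytes, pq_secret: bytes) -> bytes:
    """Derive one key from a classical (EC)DH secret and a second secret
    (a pre-shared symmetric key or a post-quantum KEM output).
    Reproducing the key requires knowing BOTH inputs."""
    ikm = frame(classical_secret) + frame(pq_secret)
    return hkdf_sha256(ikm, salt=b"\x00" * 32, info=b"hybrid-example-v1")


if __name__ == "__main__":
    # Constructed sample secrets: random bytes standing in for an X25519
    # output and for a 256-bit pre-shared key (or KEM shared secret).
    dh_secret = os.urandom(32)
    psk = os.urandom(32)
    real_key = hybrid_session_key(dh_secret, psk)

    # Model of the "future quantum computer" case: the classical secret is
    # recovered from recorded traffic, but the second secret is still unknown.
    without_psk = hybrid_session_key(dh_secret, bytes(32))
    print("key recovered from classical secret alone:", without_psk == real_key)
```

The length prefix matters: without it, the inputs `(b"ab", b"c")` and `(b"a", b"bc")` would feed identical bytes to the KDF and derive the same key.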

Will all the previous information be vulnerable to quantum computers, or can the new type of encryption secure all the previous information too? Does it work for the companies which store all the information on their servers without even end-to-end encryption? Can they make their servers quantum resistant too?

Post-quantum cryptography isn’t going to solve any of those problems, unfortunately.


It will be vulnerable if it doesn’t get reencrypted according to pq safe standards.

Any information stored this way is as safe as its keeper. They can improve this safety beyond their own security by applying pq safe E2E encryption to all their data.
It all comes down to people actually applying these standards; their sole existence doesn’t matter if they don’t get implemented.

WhatsApp E2EE is backdoored anyway, so it doesn’t really matter if it claims to have Quantum-proof encryption. You should consider WhatsApp a malicious, privacy-hostile and practically unencrypted messaging service.

WhatsApp collects a lot of metadata and personal data, but the chat itself has the same Signal protocol. You can’t backdoor that without backdooring Signal.

Too bad. I’ve got you in my sights bucko

  • FBI Agent #117

Does anyone know if it will be possible to get PQXDH on gpg?

You mean pq safe cryptography for GPG? I’m sure there are proposals already to use Kyber and other NIST pq candidates.

pq-xdh is very specific to the Signal protocol and its implementations. It isn’t a framework or a standard.

WhatsApp claims to use the Signal protocol. But they use a proprietary fork of the protocol. Maybe the messages are actually encrypted, but the key is probably sent to Facebook’s servers. Or the messages are sent to Facebook servers unencrypted, before they get encrypted and sent to the actual recipient. You can’t trust Facebook to implement encryption properly. Actually, you shouldn’t trust Facebook with anything.
Last year an internal guide from the FBI was leaked, which explains how to get access to WhatsApp messages, without taking any of the devices used for the communication. That’s kinda sus, isn’t it?


Oh yeah, that sucks then. Can’t even trust them to implement Signal encryption properly. Gotta keep pushing friends and family towards Signal.

Yeah. That’s what I’ve been doing for over a year now. Most of my family now uses Signal, as well as all of my friends. And they don’t just use Signal to message me, they also message each other on Signal. I turned them into real Signal users, which is great!