Encrypted messaging app Signal has announced an update to the Signal Protocol to add support for quantum resistance by upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH).
"With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards," Signal's Ehren Kret said.
The development comes weeks after Google added support for quantum-resistant encryption algorithms in its Chrome web browser and announced a quantum-resilient FIDO2 security key implementation as part of its OpenSK security keys initiative last month.
The Signal Protocol is a set of cryptographic specifications that provides end-to-end encryption (E2EE) for private text and voice communications. It's used in various messaging apps like WhatsApp and Google's encrypted RCS messages for Android.
While quantum computers are unlikely to go mainstream anytime soon, existing cryptosystems are vulnerable to a threat known as Harvest Now, Decrypt Later (HNDL), in which the data that's encrypted today could be decrypted in the future using a quantum computer.
Put differently, a threat actor could steal scrambled sensitive data from targets of interest and stash it, thereby allowing the malicious party to harness the power of a quantum computer when it becomes available to compute a private key from a public key and break open the encrypted content.
To counter such threats, the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) chose CRYSTALS-Kyber as the post-quantum cryptographic algorithm for general encryption.
But instead of completely porting over to CRYSTALS-Kyber, Signal's PQXDH takes a hybrid approach like that of Google, combining the elliptic curve key agreement protocol X25519 with Kyber-1024, which aims for security roughly equivalent to AES-256.
"The essence of our protocol upgrade from X3DH to PQXDH is to compute a shared secret, data known only to the parties involved in a private communication session, using both the elliptic curve key agreement protocol X25519 and the post-quantum key encapsulation mechanism CRYSTALS-Kyber," Kret explained.
"We then combine these two shared secrets together so that any attacker must break both X25519 and CRYSTALS-Kyber to compute the same shared secret."
The non-profit said that the new protocol is already supported by the latest versions of the client applications, and that it plans to disable X3DH for new chats and require PQXDH for all new chats "after sufficient time has passed for everyone using Signal to update."
"PQXDH establishes a shared secret key between two parties who mutually authenticate each other based on public keys," Signal said. "PQXDH provides post-quantum forward secrecy and a form of cryptographic deniability but still relies on the hardness of the discrete log problem for mutual authentication in this revision of the protocol."