Why Signal's Post-Quantum Makeover Is An Amazing Engineering Achievement (arstechnica.com)

(Sunday October 19, 2025 @05:50PM (EditorDavid) from the key-insights dept.)


"Eleven days ago, the nonprofit entity that develops the protocol, Signal Messenger LLC, published a [1]5,900-word write-up describing its latest updates that bring Signal a significant step toward being fully quantum-resistant," [2]writes Ars Technica:

> The mechanism that has made this constant key evolution possible over the past decade is what protocol developers call a "[3]double ratchet." Just as a traditional ratchet allows a gear to rotate in one direction but not in the other, the Signal ratchets allow messaging parties to create new keys based on a combination of preceding and newly agreed-upon secrets. The ratchets work in a single direction, the sending and receiving of future messages. Even if an adversary compromises a newly created secret, messages encrypted using older secrets can't be decrypted... [Signal developers describe a "ping-pong" behavior as parties take turns replacing ratchet key pairs one at a time.] Even though the ping-ponging keys are vulnerable to future quantum attacks, they are broadly believed to be secure against today's attacks from classical computers.

>

> The Signal Protocol developers didn't want to remove them or the battle-tested code that produces them. That led to their decision to add quantum resistance by adding a third ratchet. This one uses a quantum-safe Key-Encapsulation Mechanism (KEM) to produce new secrets much like the Diffie-Hellman ratchet did before, ensuring quantum-safe, post-compromise security... The technical challenges were anything but easy. Elliptic curve keys generated in the X25519 implementation are about 32 bytes long, small enough to be added to each message without creating a burden on already constrained bandwidths or computing resources. An ML-KEM 768 key, by contrast, is 1,000 bytes. Additionally, Signal's design requires sending both an encryption key and a ciphertext, making the total size 2,272 bytes... To manage the asynchrony challenges, the developers turned to "erasure codes," a method of breaking up larger data into smaller pieces such that the original can be reconstructed using any sufficiently sized subset of chunks...

>

> The Signal engineers have given this third ratchet the formal name: Sparse Post Quantum Ratchet, or SPQR for short. The third ratchet was designed in collaboration with [4]PQShield, [5]AIST, and New York University. The developers [6]presented the erasure-code-based chunking and the high-level Triple Ratchet design at the Eurocrypt 2025 conference. Outside researchers are applauding the work. "If the normal encrypted messages we use are cats, then post-quantum ciphertexts are elephants," Matt Green, a cryptography expert at Johns Hopkins University, wrote in an interview. "So the problem here is to sneak an elephant through a tunnel designed for cats. And that's an amazing engineering achievement. But it also makes me wish we didn't have to deal with elephants."

Thanks to long-time Slashdot reader [7]mspohr for sharing the article.



[1] https://signal.org/blog/spqr/

[2] https://arstechnica.com/security/2025/10/why-signals-post-quantum-makeover-is-an-amazing-engineering-achievement/

[3] https://signal.org/docs/specifications/doubleratchet/

[4] https://pqshield.com/

[5] https://www.aist.go.jp/index_en.html

[6] https://eprint.iacr.org/2025/078

[7] https://www.slashdot.org/~mspohr
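The erasure-code chunking the quoted passage mentions, as an added illustration that is neither Signal's code nor the article's: a toy Reed-Solomon code over GF(2^8) splits a 2,272-byte payload (the size quoted above; the payload bytes are constructed) into n chunks of which any k rebuild it, so the receiver can tolerate lost or out-of-order pieces. Signal's real construction and parameters are not given here and are assumed only to follow this any-k-of-n shape.

```python
"""Toy any-k-of-n erasure code (Reed-Solomon over GF(2^8)); constructed example, not Signal's code."""

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8), reducing by x^8+x^4+x^3+x^2+1 (0x11d)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11d if a & 0x80 else 0), b >> 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse by search; fine for a 256-element field."""
    return next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def lagrange_coeffs(xs: list[int], x: int) -> list[int]:
    """Weights w_i with P(x) = XOR_i w_i * P(xs[i]) for any P of degree < len(xs)."""
    coeffs = []
    for i, xi in enumerate(xs):
        num = den = 1
        for j, xj in enumerate(xs):
            if j != i:
                num, den = gf_mul(num, x ^ xj), gf_mul(den, xi ^ xj)
        coeffs.append(gf_mul(num, gf_inv(den)))
    return coeffs

def combine(w: list[int], chunks: list[bytes]) -> bytes:
    """Apply the same weights at every byte position (one polynomial per position)."""
    out = bytearray(len(chunks[0]))
    for wi, c in zip(w, chunks):
        for pos, byte in enumerate(c):
            out[pos] ^= gf_mul(wi, byte)
    return bytes(out)

def encode(payload: bytes, k: int, n: int) -> list[bytes]:
    """Chunk i (1-based) holds P(i); the first k chunks are the payload itself."""
    size = -(-len(payload) // k)
    data = [payload[i * size:(i + 1) * size].ljust(size, b"\0") for i in range(k)]
    xs = list(range(1, k + 1))
    return data + [combine(lagrange_coeffs(xs, x), data) for x in range(k + 1, n + 1)]

def decode(received: dict[int, bytes], k: int, length: int) -> bytes:
    """Rebuild the payload from any k chunks; keys are 1-based chunk indices."""
    if len(received) < k:
        raise ValueError("need %d chunks, got %d" % (k, len(received)))
    xs = sorted(received)[:k]
    pts = [received[x] for x in xs]
    parts = [received[j] if j in received else combine(lagrange_coeffs(xs, j), pts)
             for j in range(1, k + 1)]
    return b"".join(parts)[:length]
```

With k=8 and n=12 a 2,272-byte payload becomes twelve 284-byte chunks, and any eight of them, in any order, give the payload back.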



An amazing accomplishment (Score:5, Interesting)

by mspohr ( 589790 )

I read this several times and don't pretend that I understand all of it but smart people who do understand the complexity of the problem and Signal's solution seem impressed.

This achievement puts Signal far ahead of any other encryption. They seem to have an encryption solution that is "quantum proof" as well as being capable of implementation in the real world.

Congratulations to them.

Re: (Score:1)

by PDXNerd ( 654900 )

The amazing accomplishment is it took so long for this to be a dupe article - [1]https://it.slashdot.org/story/25/10/03/234236/signal-braces-for-quantum-age-with-spqr-encryption-upgrade [slashdot.org], though I guess an Ars Technica write-up of the original that was covered here may be a fraternal dupe instead of an identical dupe.

[1] https://it.slashdot.org/story/25/10/03/234236/signal-braces-for-quantum-age-with-spqr-encryption-upgrade

Re:An amazing accomplishment (Score:4, Informative)

by mspohr ( 589790 )

The Nerds.xyz article is very brief.

The Ars article is a much longer and better explanation.

Re:An amazing accomplishment (Score:4, Insightful)

by Samuel Silverstein ( 10475946 )

Too bad nobody uses it. I'm always caught between Europeans insisting on WhatsApp and applepickers insisting on FaceTime. I always tell people to call and/or text me on Signal, and they never do.

Re: (Score:2)

by mspohr ( 589790 )

Unfortunately, many people don't know or care about security.

Keep promoting Signal as a superior security app. We do know that "they" are listening to everything all the time and it is only a matter of time until something you (even innocently) say will draw their attention.

Re:An amazing accomplishment (Score:4, Funny)

by fahrbot-bot ( 874524 )

> Too bad nobody uses it.

U.S. Secretary of Defense - I mean, War (sigh) - Pete Hegseth wants you to hold his third lunch-beer ... /s

Re: (Score:3)

by TechyImmigrant ( 175943 )

> Too bad nobody uses it. I'm always caught between Europeans insisting on WhatsApp and applepickers insisting on FaceTime. I always tell people to call and/or text me on Signal, and they never do.

All the technical people I know use Signal.

Those of us conversant in cryptography have studied the protocol and found it to be good.

The ratchet, oblivious RAMs, good algorithm choices and much more.

Re: An amazing accomplishment (Score:1)

by ChemE2IT ( 933755 )

My "About" on WhatsApp is "Signal is better". I still haven't used Signal since no one I know knew it existed before Hegseth made it famous. Now they are afraid to use it since it was clearly the problem.

Re: (Score:2)

by gweihir ( 88907 )

It actually puts them behind. The bombastic language is also quite telling. If anybody uses that in the crypto-space, it is a sure sign of incompetence. Has been that way for 50 years or so.

Uh Why? There is no quantum threat yet... (Score:2, Flamebait)

by cjmnews ( 672731 )

Quantum computers can't factor 15 without cheating (use classical computer to pre-calculate the problem, using the answer, into a physics problem that the quantum computer solves, less than 100% of the time). There is no possible way any RSA key (even the 1024 bit ones) are at all vulnerable to this mythical quantum computer that isn't even close to existing. The entire post-quantum encryption movement is a massive waste of time and money. Billions in the US alone.

[1]https://www.cs.auckland.ac.nz/... [auckland.ac.nz]

[1] https://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf

Re: (Score:3)

by ebcdic ( 39948 )

There is no quantum threat yet, but if someday there is there will be hoards of stolen pre-quantum data to decrypt, some of which will contain information that still matters. For example, the encrypted data of a well-known password manager was stolen last year; no-one can decrypt it now, but perhaps they will be able to in the future.

Re: (Score:3)

by gweihir ( 88907 )

Sure and if somebody discovers magic, the same thing happens. But is that (or a working, scaling QC) likely? No, not at all.

This whole "post quantum" thing is merely a sign of a complete risk management failure. Not impressive.

An amazingly stupid accomplishment (Score:2)

by gweihir ( 88907 )

QCs are not a threat to encryption and may never be. The current factorization record is 35. Not 35 bit, 35. And that was not with Shor's algorithm, but one specially crafted to factor 35. This is after 50 years of research. Think that tech is going anywhere? You may want to have your head examined.

Messing with established, known to be secure cryptography at this time is insane.

Oh, I am well aware some people recently used a D-Wave for an essentially analog computer factorization with more bits. But that one

Re: (Score:1)

by Anonymous Coward

If you read the post, you'd see that they conservatively don't mess with their known to be secure cryptography. Since they don't trust the newer algorithms enough to rely on their security entirely, they layer them, so you have to break both the old algorithm and the new post-quantum algorithm to break the encryption.

Re: (Score:2)

by alvinrod ( 889928 )

It may not be now, but it's not a bad idea to guard against that potential future. Would you prefer that someone 20 years from now not be able to snoop on your past messages because quantum computers suddenly became good in the same way that LLMs made major advancements even though AI research has been around for over 50 years as well?

Re: (Score:2)

by gweihir ( 88907 )

It is a liability to guard against stupid threats that will not materialize soon enough to matter. For QCs, "20 years" is simply ignorant and stupid. Nothing "suddenly" will happen with QCs.

Re: (Score:2)

by TechyImmigrant ( 175943 )

Keep on reading the papers.

The key thing to make QC work is the ability to do logic on error corrected qbits with scalable error correction.

We are not remotely close and there's no sign of a plan to get there.

The quantum surface codes and quantum LDPC stuff that claimed to solve the problem clearly do not. You just have to read the papers and find the bit where it gives the error correction capability vs the unreliability of the underlying non error corrected qbits. Compute the binomial error distribution f

Re: (Score:2)

by gweihir ( 88907 )

Indeed. And it is even worse: We do not know whether there even is a possible solution that would be practical. So far, it looks like that even for the numbers for raw, uncorrected qbits, effort scales exponentially in the number of qbits (!) and the length of the calculation (!). And that is the easy case that does not give you anything worthwhile. Effective qbits are far worse. For reference, the conventional computer revolution was driven by an inverse (!) exponentially scaling effort in the number of

Amazing Engineering Achievement? (Score:3)

by TechyImmigrant ( 175943 )

It reads more like they did the logical thing.

ML-KEM is the new NIST standard for transferring a key (ML=Modular Lattice, KEM=Key Encapsulation Method). It's the default choice for a post quantum KEM.

With the ratchet, the logical thing to do is to tack on a third cog using ML-KEM. That's what they did.

Also you need to accommodate the huge numbers that ML-KEM uses. That's what they did.

It's a fine design, done well and deserving of praise - especially deploying a hybrid scheme against the best efforts of the NSA to stop that, but I don't think it counts as an amazing engineering achievement.

Calling it SPQR is pretty funny for someone who grew up in a formerly Roman fortress town.