Signal has begun building post-quantum cryptography into its open-source encrypted messaging protocols so it can stay ahead of the possibility that one day a quantum computer will render existing cryptographic systems obsolete.
This week, the Signal Foundation – the non-profit behind the Signal messaging app – announced an upgrade to its Extended Triple Diffie-Hellman (X3DH) specification, the key-agreement protocol that lets two users establish a shared key asynchronously, via key material stored on a server, even when one of them is offline.
The post-quantum version of this protocol, called PQXDH, incorporates an algorithm that the US National Institute of Standards and Technology (NIST) published in its first set of possible quantum-resistant algorithms last year.
“Although quantum computers already exist, the systems known to exist today do not yet have enough qubits to pose a threat to the public-key cryptography that Signal currently uses,” Signal said.
“However, if a sufficiently powerful quantum computer were built in the future, it could be used to compute a private key from a public key thereby breaking encrypted messages.”
Signal is trying to defend against a strategy known as ‘harvest now, decrypt later’, in which an attacker steals and hangs onto encrypted data with the expectation that it will one day be crackable.
As the organisation explained, quantum computers aren’t expected to be better at general computing, but rather to perform certain types of computations in a way that classical computers never could.
This is the heart of debates around terms like ‘quantum supremacy’, and it remains unknown whether quantum engineering will ever overcome the physical limitations that stand between today’s devices and their theoretical potential.
But if they do, modern cryptography may be the first item on the chopping block thanks to Shor’s Algorithm, one of the earliest mathematical examples of quantum computing advantage and one that motivated the entire field.
Shor’s Algorithm offers a way to find the prime factors of extremely large numbers far faster than any known classical method, undoing the one-way function – a maths problem that is easy to compute in one direction but much, much harder to reverse – on which cryptographic systems like RSA rely.
And because the discrete logarithm problem underpinning Signal’s elliptic curve cryptography falls to the same quantum technique as factoring, the Signal protocol was in need of future-proofing.
“The essence of our protocol upgrade from X3DH to PQXDH is to compute a shared secret, data known only to the parties involved in a private communication session, using both the elliptic curve key agreement protocol X25519 and the post-quantum key encapsulation mechanism CRYSTALS-Kyber,” Signal said in a blog post.
CRYSTALS-Kyber was one of the algorithms NIST published last year.
“We then combine these two shared secrets together so that any attacker must break both X25519 and CRYSTALS-Kyber to compute the same shared secret.”
The reason Signal chose to incorporate two crypto systems, rather than relying entirely on the quantum-resistant one, is that one of the candidate standards NIST announced was subsequently found to be cracked by a classical computer.
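To make the hybrid construction concrete, here is an added Python example, not code from Signal or from the PQXDH specification. It implements X25519 as written in RFC 7748 and combines its output with a KEM shared secret through an HKDF, so that the session key can only be derived by a party who knows both secrets. Two assumptions are labelled in the code: CRYSTALS-Kyber is not in the Python standard library, so its slot is filled by a DH-based stand-in KEM with the same encaps/decaps shape (which has no post-quantum security), and the KDF salt and info labels are placeholders. The real protocol feeds several Diffie-Hellman outputs into the KDF alongside the Kyber secret; this example uses a single ephemeral-to-prekey DH to keep the combiner readable.

```python
import hashlib
import hmac
import os

# X25519 per RFC 7748 in plain Python (readable, not constant-time: demo only).
P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248                        # clear the low three bits (cofactor)
    k[31] = (k[31] & 127) | 64         # clear bit 255, set bit 254
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication k*u on Curve25519."""
    k_int = _clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # top bit is ignored
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def x25519_keypair() -> tuple:
    sk = os.urandom(32)
    return sk, x25519(sk, BASEPOINT)

# Stand-in KEM with Kyber's encaps/decaps shape. It is a DH-based KEM over
# X25519 (like HPKE's DHKEM), used only because the standard library ships no
# Kyber; it has NO post-quantum security. In PQXDH this slot is CRYSTALS-Kyber.
def kem_keygen() -> tuple:
    return x25519_keypair()

def kem_encaps(pk: bytes) -> tuple:
    esk, ct = x25519_keypair()         # ciphertext = ephemeral public key
    return ct, x25519(esk, pk)         # (ciphertext, shared secret)

def kem_decaps(sk: bytes, ct: bytes) -> bytes:
    return x25519(sk, ct)

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, i = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm, i = okm + block, i + 1
    return okm[:length]

def hybrid_shared_key(dh_secret: bytes, kem_secret: bytes) -> bytes:
    """Bind both secrets into one key, so both must be known to derive it.
    The 0xFF prefix follows the X3DH KDF convention; salt/info are example labels."""
    km = b"\xff" * 32 + dh_secret + kem_secret
    return hkdf_sha256(km, b"\x00" * 32, b"example-hybrid-x25519-plus-kem")

def initiator(bob_ec_pk: bytes, bob_kem_pk: bytes) -> tuple:
    """Alice's side: runs while Bob is offline, using only his published prekeys."""
    alice_esk, alice_epk = x25519_keypair()
    kem_ct, kem_ss = kem_encaps(bob_kem_pk)
    key = hybrid_shared_key(x25519(alice_esk, bob_ec_pk), kem_ss)
    return alice_epk, kem_ct, key      # (alice_epk, kem_ct) are sent to Bob

def responder(bob_ec_sk: bytes, bob_kem_sk: bytes, alice_epk: bytes, kem_ct: bytes) -> bytes:
    """Bob's side: recovers the same key from what Alice left on the server."""
    return hybrid_shared_key(x25519(bob_ec_sk, alice_epk), kem_decaps(bob_kem_sk, kem_ct))

def run_exchange() -> dict:
    bob_ec_sk, bob_ec_pk = x25519_keypair()    # Bob's published X25519 prekey
    bob_kem_sk, bob_kem_pk = kem_keygen()      # Bob's published KEM prekey
    alice_epk, kem_ct, alice_key = initiator(bob_ec_pk, bob_kem_pk)
    bob_key = responder(bob_ec_sk, bob_kem_sk, alice_epk, kem_ct)
    # Knowing only one half (the other modelled as unknown, i.e. zeroed) yields a different key.
    only_kem = hybrid_shared_key(b"\x00" * 32, kem_decaps(bob_kem_sk, kem_ct))
    only_dh = hybrid_shared_key(x25519(bob_ec_sk, alice_epk), b"\x00" * 32)
    return {"alice": alice_key, "bob": bob_key, "only_kem": only_kem, "only_dh": only_dh}

if __name__ == "__main__":
    r = run_exchange()
    print("both sides agree:", r["alice"] == r["bob"])
```

The asynchronous shape is the point: Bob's two prekeys sit on the server, Alice computes the key and leaves her ephemeral public key and the KEM ciphertext for him, and Bob derives the identical key whenever he comes online. Because the HKDF input concatenates both secrets, an adversary who later recovers only the elliptic-curve secret (the quantum case) or only the KEM secret (the case where the post-quantum scheme turns out to be weak) still cannot derive the session key.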
But there are still limits to the approach. As Signal mentions in its PQXDH documentation, the protocol “is not designed to provide protection against active quantum attackers”.
Rather, it’s designed specifically for the ‘harvest now, decrypt later’ scenario and won’t stop “a malicious server with access to such a quantum computer” from generating new key pairings and intercepting encrypted communications.
The new quantum-resistant protocol is already supported in Signal’s latest versions.