The Signal Foundation has unveiled a new cryptographic ratchet scheme called the Sparse Post-Quantum Ratchet (SPQR), a major step toward shielding its protocol suite from the future threat of quantum computing.
The Signal Protocol – long seen as the gold standard for end-to-end encrypted messaging across civilian, military and government use – currently relies on a “Double Ratchet” design, in which symmetric-key updates and elliptic-curve Diffie-Hellman (ECDH) exchanges secure message streams. While the hash functions it uses remain safe from quantum attacks, ECDH would be vulnerable to a powerful enough quantum computer.
To tackle that risk, Signal previously added PQXDH, a hybrid handshake that introduces quantum-resistant key exchange when a session begins, blocking “harvest now, decrypt later” tactics. SPQR takes that protection further by adding a post-quantum ratchet that runs continuously throughout a conversation, not just at setup.
The new design combines state machine logic, erasure-code chunking, and hybrid key derivation, ensuring that each message refreshes shared secrets in a manner that resists both backwards and forward compromise – even if an attacker later gains access to one side’s device. In effect, Signal now has a “Triple Ratchet”: the existing Double Ratchet runs alongside the SPQR ratchet, with both outputs combined through a key derivation function. An adversary would have to break both the classical and quantum-resistant layers to read any messages.
Balancing this new protection with performance has been a challenge. Quantum-safe key encapsulation mechanisms (KEMs) produce larger ciphertexts and require precise message ordering – a poor fit for the messy, asynchronous reality of internet messaging, where packets can be delayed or dropped. Signal’s solution uses erasure coding, which splits large cryptographic blobs into smaller chunks, only some of which need to arrive to reconstruct the data. This tolerates network hiccups and even limited interference, though an attacker blocking most chunks would cause a visible denial-of-service rather than a silent failure.
Signal’s engineers also explored different state-machine strategies for deciding which side should send key material at any moment. Their simulations showed that some faster, parallel key-generation methods created unacceptable exposure if one device were briefly compromised; therefore, the final design takes a more cautious, serial approach.
Because many users and devices won’t support SPQR immediately, Signal is deploying it with a fallback: sessions can temporarily “downgrade” to the older ratchet when necessary. But crucially, once a conversation starts in SPQR mode, an attacker can’t force it back to classical mode mid-session. Over time, as users upgrade, older sessions will be phased out.
The design is grounded in formal, peer-reviewed cryptography. Academic and industry partners, including PQShield, AIST, and NYU, used ProVerif models to validate its properties, and Signal’s Rust implementation is directly linked to those proofs. Code is also translated into F* using the “hax” toolchain for further verification, ensuring the implementation matches its mathematical design.
For defence, intelligence, and government users, SPQR has clear implications. It shows that mainstream secure-messaging platforms are already preparing for a post-quantum future, and legacy systems in military or diplomatic contexts will need to do the same. It also raises transitional questions for coalition networks or cross-domain messaging tools that interoperate with Signal, as well as for adversaries hoping to stockpile today’s encrypted traffic for future decryption.
SPQR and the broader Triple Ratchet architecture are not cure-alls. Their strength depends on flawless implementation, complete rollout, and the continuing resilience of the underlying KEMs. Quantum-safe cryptography is still evolving, and future advances could shift the landscape again. But Signal’s move demonstrates a serious, technically rigorous commitment to keeping communications secure under even the harshest future threat models.
In short, SPQR strengthens Signal without reinventing it. It’s a careful upgrade that brings post-quantum defences into one of the world’s most widely trusted encryption protocols – and a sign that the race to quantum-harden secure systems is already well underway.
