Signal Protocol and Post-Quantum Ratchets

Original Article ↗ Hacker News Discussion ↗

Understanding the post‑quantum ratchet

  • Commenters explain that Signal already had post‑quantum (PQ) key exchange for session setup, but not for the ongoing “ratchet” that provides forward secrecy (FS) and post‑compromise security (PCS).
  • Threat model: adversaries can (a) record ciphertext now and decrypt later with a future quantum computer, and (b) eventually compromise devices or code to extract keys.
  • To keep FS and PCS under this “harvest‑now, decrypt‑later + eventual compromise” model, the ratchet itself must be PQ-secure; otherwise attackers can target the ratchet keys instead of individual messages.
  • SPQR mixes classical ECDH and PQ KEMs with fresh randomness from both parties, so future keys can’t be derived from past key material.

Performance and symmetric crypto

  • Ratcheting and PQ key agreement are relatively infrequent, so users shouldn’t see noticeable latency.
  • Several replies clarify that quantum computers only quadratically speed up brute force on symmetric ciphers (Grover’s algorithm): AES‑128 becomes roughly 64‑bit strength, still impractically hard; AES‑256 is even safer.

Backups, disappearing messages, and FS/PCS

  • Heated debate around Signal’s optional cloud backups, which use a static symmetric key on the device:
    • Critics argue that if any participant backs up all messages (including disappearing ones in some configurations), group‑level FS/PCS is effectively lost, and PQ ratcheting becomes “theater.”
    • Others counter that backups don’t create fundamentally new risks beyond a compromised device or a recipient screenshotting/exporting chats; it’s more an opsec and UX/education issue than a cryptographic one.
    • There is some disagreement and ambiguity over exactly which messages (e.g., very short‑timer disappearing messages) are included in backups.

Quantum threat model and traffic harvesting

  • Several comments assume large actors (e.g., intelligence agencies) are already storing encrypted traffic for future decryption; PQ ratchets address this.
  • Some skepticism about optimistic quantum‑computing timelines; others note current systems are still far from large‑scale cryptanalysis.

Signal vs other protocols

  • Comparisons to iMessage PQ3: both add ML‑KEM ratcheting; Signal chunks PQ keys into normal messages to avoid conspicuous large rekey packets.
  • Comparisons to Matrix/MLS: Signal’s evolving “Signal Protocol” (Double Ratchet + PQ extensions) vs Matrix’s Olm/Megolm and MLS (more standardized, more centralized group sequencing, different metadata trade‑offs).
  • Email/PGP + self‑hosted servers are noted as not currently PQ‑secure; they also rely on trusting providers not to archive ciphertext.

Phone numbers, identity, and spam

  • Many see phone‑number identity as Signal’s main weakness: SIMs are often KYC‑linked and can be hijacked; some jurisdictions require ID for SIM purchase.
  • Others stress this is primarily a privacy issue, not a core cryptographic security failure:
    • SIM takeover doesn’t yield past messages; it creates a new device with new keys and safety‑number changes and can be gated by a registration PIN.
  • Discussion of usernames and “phone‑number privacy” features, and ideas for one‑time contact links and stricter whitelisting to reduce abuse.

Naming and culture

  • Long side‑thread on the SPQR acronym (Roman Republic motto), the “men thinking about the Roman Empire” meme, and pop‑culture references (films, comics).

Product and ecosystem critiques / requests

  • Several people praise the technical paper and formal verification.
  • Others complain Signal feels “crypto‑first, product‑second”: no public SDK, no stable APIs, hostility to third‑party clients and bots, no federation.
  • Defenders argue a tightly controlled, minimal surface is intentional to preserve security and reduce abuse; open extensibility is seen as a large risk.
  • Additional minor requests: better moderation tools in groups, more robust notification behavior, location‑sharing or “transport bus” use cases, and remote‑wipe / “nuke” features for high‑risk situations.