A Post-Quantum Ratchet for Signal Messenger (Talk 11 at CAW 2025)
Talk 11 at the Cryptographic Applications Workshop 2025 on the design of a hybrid ECDH- and MLWE-based ratchet for the Signal Protocol: why the textbook KEM-based Continuous Key Agreement is too large for Signal's messages, how erasure codes give fixed-size protocol messages, and how the internal structure of ML-KEM yields the more efficient "ML-KEM Braid" candidate.

Miro Haller
107 views • Jun 18, 2025

About this video
Talk 11 at the Cryptographic Applications Workshop (CAW) 2025 affiliated with Eurocrypt 2025.
Website: https://caw.cryptanalysis.fun/previous/2025.html
Presenter: Rolfe Schmidt
Slides: https://caw.cryptanalysis.fun/assets/pdf/2025/A_Post-Quantum_Ratchet_for_Signal.pdf
Talk abstract:
Signal is working on an update to the Double Ratchet protocol that will provide hybrid ECDH- and MLWE-based forward secrecy (FS) and post-compromise security (PCS). In this talk we present Signal's candidate protocol, the options we considered in its design, and how we compare these protocols.

After reviewing the Signal Protocol, we look at the natural KEM-based construction of Continuous Key Agreement (CKA) from [1] and note that, while it meets our security goals, it would increase the size of Signal messages dramatically. This motivates us to look at bandwidth-limited protocols, and we show how to use erasure codes, as described in [2], to convert any CKA-based secure messaging protocol into one with small, fixed-size protocol messages. This protocol meets Signal's security and bandwidth requirements, but it is clearly suboptimal: it has a larger attack surface than needed and it produces new shared secrets too slowly.

The design space of alternative protocols is large, though, and we introduce ways to make significant improvements. The most important observation is that the KEM is not the perfect abstraction for ratcheting protocols; by using the internal structure of lattice-based KEMs we can create much better protocols. One way to do this is with the Ratcheting KEM construction of [2]. Alternatively, we can use the internal structure of ML-KEM to create a protocol we call the ML-KEM Braid, which is less efficient than the Ratcheting KEM construction but can be implemented using standard ML-KEM. Signal has implemented this protocol in Rust using hax for formal verification [3] and is evaluating it for deployment to production.
[1] https://eprint.iacr.org/2018/1037
[2] https://eprint.iacr.org/2025/078
[3] https://github.com/signalapp/SparsePostQuantumRatchet
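The two ideas the abstract builds on, shown together as an added example that is not code from the talk, from [1]/[2], or from Signal's SparsePostQuantumRatchet repository: a KEM-based CKA in which every message carries a ciphertext for the peer's latest public key plus a fresh public key (the turn-alternating construction the abstract attributes to [1]), and fragmentation of the resulting large CKA message into fixed-size chunks with enough redundancy that the receiver can rebuild it after losing a chunk. Everything below is an assumption for illustration: the KEM is an insecure toy Diffie-Hellman KEM standing in for ML-KEM, the "erasure code" is a single XOR parity chunk (recovers any one lost chunk of n) standing in for a real erasure code, and the chunk size, message encoding and names are made up.

```python
"""Toy KEM-based CKA plus fixed-size chunking with a 1-erasure parity code.

Constructed illustration, NOT Signal's protocol or code. The KEM is an
insecure Diffie-Hellman KEM over a tiny group with no IND-CCA transform;
the parity chunk is a stand-in for the erasure codes the abstract refers to.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime; toy group only, NOT a secure parameter
G = 3                # any group element works for correctness of the demo
CHUNK = 8            # assumed fixed payload size per protocol message (toy)


def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def kem_encap(pk):
    r = secrets.randbelow(P - 2) + 1
    ct = pow(G, r, P)
    ss = hashlib.sha256(pow(pk, r, P).to_bytes(16, "big")).digest()
    return ct, ss


def kem_decap(sk, ct):
    return hashlib.sha256(pow(ct, sk, P).to_bytes(16, "big")).digest()


class CKA:
    """Turn-alternating CKA from a KEM: a message is (ct for peer's latest
    pk, our fresh pk). The encapsulated key is the epoch's CKA output."""

    def __init__(self, own_sk, peer_pk):
        self.sk = own_sk        # decapsulation key for the next received message
        self.peer_pk = peer_pk  # key the next sent message encapsulates to

    def send(self):
        ct, key = kem_encap(self.peer_pk)
        self.sk, new_pk = kem_keygen()          # ratchet our own key pair
        return ct.to_bytes(16, "big") + new_pk.to_bytes(16, "big"), key

    def receive(self, msg):
        ct = int.from_bytes(msg[:16], "big")
        self.peer_pk = int.from_bytes(msg[16:], "big")
        return kem_decap(self.sk, ct)


def cka_init():
    """Initial state (assumed set up out of band): A holds B's pk and sends first."""
    sk_a, pk_a = kem_keygen()
    sk_b, pk_b = kem_keygen()
    return CKA(sk_a, pk_b), CKA(sk_b, pk_a)


def fragment(msg):
    """Split msg into CHUNK-byte pieces plus one XOR parity piece.
    Any n-1 of the n pieces suffice to rebuild msg (a 1-erasure code)."""
    body = len(msg).to_bytes(2, "big") + msg      # length prefix for padding removal
    body += b"\0" * ((-len(body)) % CHUNK)
    data = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)]
    parity = bytearray(CHUNK)
    for piece in data:
        for i, b in enumerate(piece):
            parity[i] ^= b
    pieces = data + [bytes(parity)]
    return [(idx, len(pieces), piece) for idx, piece in enumerate(pieces)]


def reassemble(received):
    """received: list of (index, n, piece). Returns msg, or None if too few arrived."""
    if not received:
        return None
    n = received[0][1]
    got = {idx: piece for idx, _, piece in received}
    if len(got) < n - 1:
        return None                       # keep waiting for more chunks
    missing = [i for i in range(n) if i not in got]
    if missing:                           # exactly one lost piece: XOR the rest
        rec = bytearray(CHUNK)
        for piece in got.values():
            for i, b in enumerate(piece):
                rec[i] ^= b
        got[missing[0]] = bytes(rec)
    body = b"".join(got[i] for i in range(n - 1))   # drop the parity piece
    return body[2:2 + int.from_bytes(body[:2], "big")]


def demo(drop_index=None):
    """One A->B then B->A ratchet round over fixed-size chunks, optionally
    losing one chunk of A's message. Returns (all_chunks_fixed_size, keys_agree)."""
    alice, bob = cka_init()
    msg, key_a = alice.send()
    chunks = fragment(msg)
    delivered = [c for c in chunks if c[0] != drop_index]
    key_b = bob.receive(reassemble(delivered))
    reply, key_b2 = bob.send()
    key_a2 = alice.receive(reassemble(fragment(reply)))
    sizes = {len(piece) for _, _, piece in chunks}
    return sizes == {CHUNK}, key_a == key_b and key_b2 == key_a2


if __name__ == "__main__":
    print(demo(), demo(drop_index=2))
```

With a 32-byte toy CKA message this yields six 8-byte protocol messages; with real ML-KEM material (public key plus ciphertext in the low kilobytes) the same shape spreads one CKA step over many fixed-size messages, which is exactly why the abstract calls this construction slow at producing new shared secrets even though it meets the bandwidth requirement.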
Video Information
Views: 107
Likes: 2
Duration: 30:33
Published: Jun 18, 2025