Signal adopts new alphabet jumble to protect chats from quantum computers
X3DH readied for retirement as PQXDH is rolled out
Signal has adopted a new key agreement protocol in an effort to keep encrypted Signal chat messages protected from any future quantum computers.
Quantum computers – which every decade experts believe may be able to crack today's encryption schemes within the next decade or two – aren't particularly useful at the moment.
"Although quantum computers already exist, the systems known to exist today do not yet have enough qubits to pose a threat to the public-key cryptography that Signal currently uses," noted Ehren Kret, chief technology officer at Signal, in a write-up. "However, if a sufficiently powerful quantum computer were built in the future, it could be used to compute a private key from a public key thereby breaking encrypted messages."
Researchers around the world, many in nations the US considers adversaries, are working hard to do just that. For instance, a recent preprint paper from Oded Regev, a New York University computer science professor, has proposed a quantum factoring algorithm that is claimed to be more efficient than the one proposed by Peter Shor (Shor's algorithm). If Regev's method can be successfully implemented, it could allow the factoring of integers (and exposure of cryptographic keys) with fewer quantum gates – a machine easier to realize in the near term.
The risk that traffic intercepted today could be decrypted by such a future machine – an attack known as Harvest Now, Decrypt Later, because it involves grabbing as much encrypted data as possible today to crack in future – has been of sufficient concern that the US National Institute of Standards and Technology (NIST) in 2016 called for the development of quantum-resistant encryption algorithms.
With NIST's selection of CRYSTALS-Kyber and three other algorithms for its post-quantum cryptographic standard last year, private sector firms in the US now have some tested algorithms to work with and have started to roll out their own technology for keeping data secure after the anticipated quantum leap.
In August, for example, Google said Chrome 116 includes support for X25519Kyber768, a hybrid key encapsulation mechanism (KEM) to safeguard symmetric encryption secrets during secure TLS network connections.
And in May, it was Microsoft talking up the steps it has been taking to prepare for post-quantum cryptography.
Basically, we're in the midst of a speculative upgrade cycle based on compliance concerns. Those who have encrypted data, particularly government entities, want some assurance that their information and chatter will remain confidential for years to come.
Signal, consistently mentioned alongside WhatsApp as probably the best choice for secure chat messaging, is upgrading its X3DH ("Extended Triple Diffie-Hellman") specification to PQXDH ("Post-Quantum Extended Diffie-Hellman").
"With this upgrade, we are adding a layer of protection against the threat of a quantum computer being built in the future that is powerful enough to break current encryption standards," said Kret.
As described in the PQXDH paper, PQXDH is designed for asynchronous communication via a server where a shared secret key needs to be established between two parties (Alice and Bob) who can authenticate one another based on their respective public keys.
PQXDH uses both the elliptic curve key agreement protocol X25519 and CRYSTALS-Kyber and combines the two secrets, so that Signal does not have to toss its established elliptic curve foundation. This means the attacker must break both to calculate the shared secret key.
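As an added illustration (not code from Signal or from the PQXDH paper), the secret-combining step can be sketched with only the Python standard library: every Diffie-Hellman output and the Kyber KEM secret are concatenated and fed through HKDF, so the derived key cannot be computed unless all of the inputs are known. The 0xFF prefix, the zero salt, the info string and the sample secrets are assumptions constructed for this example; real X25519 and Kyber outputs would take the place of the constructed bytes.

```python
import hmac
import hashlib

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) built on HMAC-SHA256."""
    prk = hmac.new(salt, ikm, HASH).digest()                      # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                      # expand
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(dh_secrets: list, kem_secret: bytes) -> bytes:
    """Hybrid combiner in the PQXDH style (assumed layout, not Signal's code).

    The classical DH outputs and the post-quantum KEM secret are concatenated
    into a single HKDF input, so the result depends on every one of them.
    """
    ikm = b"\xff" * 32 + b"".join(dh_secrets) + kem_secret   # 0xFF prefix: assumption
    return hkdf(ikm, salt=b"\x00" * HASH_LEN, info=b"ExampleHybridKDF")


# Constructed stand-ins for the X25519 and Kyber shared secrets (32 bytes each).
DH_SECRETS = [bytes([i] * 32) for i in (1, 2, 3)]
KEM_SECRET = bytes(range(32))


def derive_all():
    """Return the real key and what an attacker holding only one half would get."""
    full = combine_secrets(DH_SECRETS, KEM_SECRET)
    # Quantum attacker: every DH secret recovered, KEM secret still unknown (guessed as zeros).
    dh_only = combine_secrets(DH_SECRETS, b"\x00" * 32)
    # Hypothetical Kyber break: KEM secret known, DH secrets still unknown (guessed as zeros).
    kem_only = combine_secrets([b"\x00" * 32] * 3, KEM_SECRET)
    return full, dh_only, kem_only


if __name__ == "__main__":
    full, dh_only, kem_only = derive_all()
    print("full key :", full.hex())
    print("DH only  :", dh_only.hex(), "(differs)" if dh_only != full else "")
    print("KEM only :", kem_only.hex(), "(differs)" if kem_only != full else "")
```

Any wrong guess for either half changes the HKDF input, so the derived key is only reachable by an attacker who breaks both the elliptic curve and the lattice problem.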
Kret says that Signal's client software already supports PQXDH and in a few months X3DH will be disabled. This should help defend present and past data against a future quantum computer. For scenarios in which a quantum computer is actively intercepting and eavesdropping chat comms, further mitigations are anticipated. ®