
Signal’s Post-Quantum Encryption: An Engineering Marvel

Summary

– The Signal Protocol updates secret keys for each message, typing indicator, and read receipt using a “double ratchet” mechanism to ensure confidentiality.
– The double ratchet allows one-directional key evolution, preventing decryption of past messages even if a new secret is compromised.
– A handshake establishes a shared “root key,” initially using X3DH and now PQXDH for quantum resistance.
– The Symmetric Ratchet generates a new AES key for every message, so compromising a device reveals no past keys, although future keys remain at risk.
– The Diffie-Hellman ratchet incorporates new keys in messages to update the root key, making old secrets useless and limiting eavesdroppers’ access to future keys.

Signal’s messaging protocol delivers robust confidentiality by continuously refreshing its secret keys. This happens not just when you send or receive a message, but also during other interactions like seeing a typing indicator or sending a read receipt. For the past ten years, this persistent key evolution has been powered by a mechanism developers call the “double ratchet.” Functioning much like a mechanical ratchet that permits movement in only one direction, this system lets participants generate new encryption keys by blending previous secrets with newly established ones. The process moves forward exclusively, securing all future communications. A critical benefit is that even if an attacker manages to obtain a newly created secret, they cannot decrypt any messages that were protected by older keys.

The entire sequence begins with an initial handshake. This handshake executes three or four Elliptic-Curve Diffie-Hellman (ECDH) agreements, which cleverly mix both long-term and short-term secrets to establish a single, shared secret. This becomes the foundational “root key” that kickstarts the Double Ratchet mechanism. Up until 2023, the protocol used the X3DH key agreement. It has now been upgraded to PQXDH, a crucial enhancement designed to make the initial handshake resistant to attacks from future quantum computers.

The first component of the Double Ratchet is the Symmetric Ratchet. This layer takes the root key and uses it to derive an AES encryption key. It then advances this key for every single message sent. This ensures every message is locked with a brand new secret key. A major security advantage here is that if a malicious actor compromises a user’s device, they cannot work backwards to uncover any of the keys that were used previously. However, at this stage, the attacker would still have the ability to calculate the keys that will be used for future messages. This potential vulnerability is precisely what the second layer, the Diffie-Hellman ratchet, is built to address.

The Diffie-Hellman ratchet introduces a fresh ECDH public key with every outgoing message. To illustrate, consider the classic example of Alice and Bob. When Alice sends a message to Bob, she generates a new ratchet key pair. She then performs an ECDH agreement between her new key and the most recent ratchet public key that Bob sent her. This calculation yields a new secret. Alice knows that once Bob receives her new public key, he will be able to independently compute this same secret. With this new secret in hand, Alice combines it with her existing root key to create an entirely new root key, effectively starting the process over. The outcome is that any attacker who had learned her old secrets will find her new ratchet keys indistinguishable from random data. This creates a “ping-pong” dynamic, where the participants in a conversation take turns replacing their ratchet key pairs one after the other. The powerful result is that an eavesdropper who compromises one device might steal a current private key, but it will soon be replaced by a new, uncompromised key in a manner that completely shields it from the attacker.
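A toy Python model of the two ratchets described above, added here as an example and not taken from Signal's code: the symmetric chain derives one message key per message, and a DH ratchet step folds a fresh DH secret into the root key. It assumes modular DH over a Mersenne prime as a stand-in for X25519, HMAC-SHA256 for both KDFs, and a single root-key update per turn (Signal performs two); every key and input value is constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman mod a Mersenne prime stands in for X25519 ECDH (constructed; far too weak for real use).
P, G = 2**127 - 1, 3

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh(priv, pub):
    return pow(pub, priv, P).to_bytes(16, "big")

def kdf_root(root_key, dh_out):
    """Root KDF: fold a fresh DH secret into the root key -> (new root key, new chain key)."""
    prk = hmac.new(root_key, dh_out, hashlib.sha256).digest()
    new_root = hmac.new(prk, b"root", hashlib.sha256).digest()
    return new_root, hmac.new(prk, b"chain", hashlib.sha256).digest()

def kdf_chain(chain_key):
    # Symmetric ratchet step: one-way derivation of (next chain key, message key).
    return (hmac.new(chain_key, b"\x01", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x02", hashlib.sha256).digest())

def symmetric_ratchet(chain_key, n):
    # Advance the chain n messages; return (final chain key, message keys in order).
    keys = []
    for _ in range(n):
        chain_key, mk = kdf_chain(chain_key)
        keys.append(mk)
    return chain_key, keys

def demo():
    root = hashlib.sha256(b"constructed handshake output").digest()  # stands in for the PQXDH result
    bob_priv, bob_pub = dh_keypair()            # Bob's current ratchet key pair
    alice_priv, alice_pub = dh_keypair()        # Alice's turn: fresh ratchet key pair
    root_a, ck_a = kdf_root(root, dh(alice_priv, bob_pub))
    root_b, ck_b = kdf_root(root, dh(bob_priv, alice_pub))  # Bob, once he sees alice_pub
    _, mks = symmetric_ratchet(ck_a, 4)         # message keys for Alice's four messages
    stolen_ck, _ = symmetric_ratchet(ck_a, 3)   # device compromise after message 3: chain key only
    predicted_mk4 = kdf_chain(stolen_ck)[1]     # attacker can still walk forward to message 4
    bob_priv2, bob_pub2 = dh_keypair()          # Bob's turn: new ratchet key pair
    _, ck_b2 = kdf_root(root_b, dh(bob_priv2, alice_pub))
    _, ck_a2 = kdf_root(root_a, dh(alice_priv, bob_pub2))
    _, attacker_path = symmetric_ratchet(stolen_ck, 20)  # everything the stolen chain key yields
    return {
        "chains_agree": ck_a == ck_b and ck_a2 == ck_b2,
        "future_key_predictable_before_dh_step": predicted_mk4 == mks[3],
        "post_dh_keys_off_attacker_path": kdf_chain(ck_b2)[1] not in attacker_path,
    }
```

The first flag shows both sides derive identical chains, the second shows the Symmetric Ratchet's weakness on its own, and the third shows the DH step moving the new chain off any path the stolen chain key can reach.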

(Source: Ars Technica)
