Signal Braces For Quantum Age With SPQR Encryption Upgrade

BrianFagioli shares a report from NERDS.xyz: Signal has introduced the Sparse Post Quantum Ratchet (SPQR), a new upgrade to its encryption protocol that mixes quantum safe cryptography into its existing Double Ratchet. The result, which Signal calls the Triple Ratchet, makes it much harder for even future quantum computers to break private chats. The change happens silently in the background, meaning users do not need to do anything, but once fully rolled out it will make harvested messages useless even to adversaries with quantum power.

The company worked with researchers and used formal verification tools to prove the new protocol's security. Signal says the upgrade preserves its guarantees of forward secrecy and post compromise security while adding protection against harvest now, decrypt later attacks. The move raises a bigger question: will this be enough when large scale quantum computers arrive, or will secure messaging need to evolve yet again?

SPQR?

[PDXNerd]

Ah, is that what those Romans were trying to use? https://en.wikipedia.org/wiki/SPQR [wikipedia.org] builds post-quantum bridges and triumphal arches!!
 
Seriously though, as a signal user, I'm happy they are thinking about increasing encryption safety but how can anyone take any 'post quantum' marketing seriously when we're still in pre-quantum, and a quantum computer hasn't even been able to break weak encryption? Will real quantum computing power actually be stronger than 'post quantum' cryptography? Or maybe we'll find out current EC based crypto is stronger than we thought. Who knows!

Re:

[alanw]

You beat me to it. Senatus Populusque Romanus was my immediate reaction.

Re:SPQR?

[Chris Mattern]

Caesar cipher [wikipedia.org] is best cipher!

Re:

[sveinki]

"Sono Pazzi Questi Romani" is a frequent phrase uttered by Obelix, translated to Italian.

Re:

[dargaud]

"Sono Porci Questi Romani: is the frequent phrase uttered by romans themselves...

Re:

[AntronArgaiv]

Yes, but what have the Romans ever done for us?
I mean, besides cryptography, roads, water...

Re:

[sabbede]

Peace?

Re:

[LainTouko]

If your system is protected from both conventional and quantum computers, but nobody can make capable quantum computers, then your system is still protected.

Re:

[PDXNerd]

If we can't make a capable quantum computer, then how do we know its protected?

Re:

[LeDopore]

Unless we know for sure that P != NP, we can never know for sure that any encryption is safe. (If verifying that a secret crypto key is correct is in P, and P = NP, then finding that crypto key has to also be in P.)

However, we currently know that there's a way for a big enough quantum computer to crack today's RSA encryption. It's generally supposed that several state-level agencies (and probably some other actors) are storing today's encrypted messages on the assumption that they will be decryptable in t

Re:

[eneville]

Ok but aside from sanitation and roads, what have the Romans ever done for us?

Theory vs practice

[Mostly a lurker]

It appears that a lot of effort has gone into designing a system that is theoretically secure (at least, against currently known attacks). However, it requires trust in the implementation which can never be completely transparent. State actors can insist on secret server-side backdoors that will store less secure copies of messages. These would not require code injection within clients (which would be detectable). There are many ways this could work, including such things as session key substitution.

Re:Theory vs practice

[bill_mcgonigle]

> secret server-side backdoors that will store less secure copies of messages

How do you do that with end-to-end cryptosystems?

Re:

[Slayer]

However, it requires trust in the implementation which can never be completely transparent. State actors can insist on secret server-side backdoors that will store less secure copies of messages.

A few months ago top US officials discussed secret stuff over Signal, and the outrage over this was heard world wide. So much for the trustworthiness of Signal. Pepperidge Farm remembers ...

Re:Theory vs practice

[maladroit]

You mean the conversation where they included a journalist because he was in someone's address list?

Yeah, nobody was worried about someone breaking Signal's encryption in that case - Hegseth was sending the classified details directly to the external parties.

The main reason the Trump admin uses Signal is to avoid keeping records of their conversations as required by law.

They are still using Signal, btw. Yesterday a Trump admin official was recorded having a classified Signal conversation in public.

The conversation was absolutely insane in many ways. Among other things, Hegseth wanted to send the 82nd Airborne to Portland, in response Trump's hallucinations about what was heppening there.

https://www.startribune.com/tr... [startribune.com]

Re:

[Slayer]

The main criticism was not directed at Signal's encryption standards, and the fact, that a journalist was carelessly added to the conversation was only a side act. The real criticism came about, because they hosted their app on private, i.e. insecure, phones. Signal can use whatever encryption they want, they have no control over the platforms their software is run on.

Re:

[buck-yar]

With OS level access, it'd be trivial to bypass Signal's encryption by simply keylogging. That's the case with any "secure" messaging system. Microsoft has been accused of sending events (keystrokes, mouse movements, etc) as telemetry. Android guessing probably does that too. They may claim to have to keylog just for the service to work, like Gboard or other screen keyboards. That's the whole point of avoiding telemetry etc, because keylogging is so easy and why wouldn't they with the ability?

Re:

[Slayer]

All these "revolutionaries", who'd like to "stick it to the man" and communicate their schemes through smart phone based means, are not going to be protected by any app's design or technology, and whether Signal changes encryption algo or not will not make much of a difference. Anyone decrying this as tinfoil hattery or conspiracy theory driven nuttery shall reread the serious reporting about the US gov't communicating over Signal.

Re:

[strikethree]

Among other things, Hegseth wanted to send the 82nd Airborne to Portland, in response Trump's hallucinations about what was heppening there.

Heh, using a nuclear bomb to kill a mosquito makes sense from a certain point of view. My only question is why are these delusional fuckers carrying ANY responsibility at all. Anyone who is sane can see what is going on and how it is wrong. Where are the rational people at?

Re:

[InterGuru]

Signal is secure, but the devices on either end can be hacked.

Re: Theory vs practice

[simlox]

As far as I learned in security class, back in 2003 or so, was that no encryption basic algorithm have been proved secure. TLS is proved securw given that the underlying encryption algorithms are secure, but nobody have proven that. Quantum algorithms just makes it more likely that some algorithms can be broken, given that RSA is vulnerable.

Re: Theory vs practice

[simlox]

Sorry, the algorithm used in quantum encryption is secure, being a one-time pad, exchanged via quantum pairs.

Re:

[phantomfive]

Sorry, the algorithm used in quantum encryption is secure,

Which algorithm are you talking about? Because it's certainly not the algorithm discussed in the story (SPQR encryption)

Re:

[Bumbul]

Which algorithm are you talking about? Because it's certainly not the algorithm discussed in the story (SPQR encryption)

The Fine Article describes traditional encryption method (not quantum), which is RESISTANT to ATTACKS that run on (sometime in the future) upcoming quantum computers. Quantum encryption itself is a completely different beast, not discussed in this story.

Re:

[Mostly a lurker]

Sorry, the algorithm used in quantum encryption is secure, being a one-time pad, exchanged via quantum pairs.

Any system that has a secure method for transmission of one-time pads between the parties in a conversation ought to be secure. However, there is no method of which I am aware that involves passing the one-time pads via a third party (in this case, Signal) where we can be confident the security will not be subverted by (especially) state actors. Would you be confident using one-time pads passed usin

Re:

[AvitarX]

Quantum encryption is 100% secure (barring new physics). It involves sending a one time pad that is known not to be intercepted.

Traditional encryption requires that P not equal NP, which is not proven. If someone can find a way to reduce no polynomial time algorithms to polynomial time than current encryption is broken. If someone can prove it's impossible than current encryption is secure against non quantum algorithms.

Post quantum cryptography is around the corner

[hmilz]

Excellent stuff, and a good read for people who studied PQC. Given that in the next few weeks or months, PQC-capable (ML-KEM and ML-DSA enabled) releases of OpenSSL and OpenSSH will be rolled out in most if not all Linux distros, likely in MacOS and hopefully in the mobile variants as well, and hoping that server admins will swiftly upgrade, quantum computing supported decryption may actually be over before it even starts. (No idea what Microsoft is doing but they cannot risk adversary triggered downgrades

Re:

[Zarhan]

Problem with PQC is that *none* have been really proven to be secure (not the algorithms themselves, and implementations of course have their issues). Then we get stuff like https://datatracker.ietf.org/d... [ietf.org] where idea is that you negotiate the keys with a ton of different PQC algorithms (and one classical) and hope that at least one of them works.

The whole FIPS algorithm evaluation process kinda proved that - and then we got headlines like this: https://thequantuminsider.com/... [thequantuminsider.com] - and that made it to the f

Re:

[LainTouko]

Conventional algorithms aren't proven secure either. They've just been around for a lot longer with no successful breakages, which increases confidence in them. In some cases you can use hash-based signature algorithms which rely only on the irreversibility of their hash functions. SLH-DSA produces long signatures and signing is very slow, but for firmware signatures in many cases neither of these will be problems.

Time to move to cascades?

[ctilsie242]

One thing TrueCrypt and VeraCrypt have as an option is to use multiple encryption algorithms. The point isn't 768 bits, but more of, if AES has a break that causes it to have a lot fewer bits that need to be guessed, Serpent and other algorithms are likely not to be broken by the same attack, so the data is protected.

Maybe we need to consider this. Have a good conventional algorithm coupled with a PQ algorithm. This way, if something causes RSA to be completely useless, broken in O(n) time, the PQ algori

Irrelevant

[Merkwuerdigliebe]

All of this is irrelevant as literally all of the hardware (everything from cpu to the last tiny chip controlling your keyboard, secure enclave, ...) and most of the software (bios-layer, operating system, anything lurking around hidden and equipped with root rights, ...) on all of the systems you use (PC, mobile phone, ...) is under control of the adversary. After the lessons of WW2 information warfare (Enigma and the like) you wouldn't think that any government allowed their potential enemies to equip th

What "quantum age"?

[gweihir]

Why are people falling for this nonsense? After half a century of research the quantum factorization record is currently 35. Not 35 bit, 35, i.e. 6 bit. That is utterly pathetic and not likely to change anytime soon. For all practical purposes, QCs do not exist.

Re:What "quantum age"?

[Entrope]

More specifically, digital quantum computers have factored 15, 21 and 35 -- but 15 is a near-trivial special case, and the circuits for the other two used shortcuts that were associated with knowledge of what the factors (of 21 and 35) are. The circuit for 35 can't factor 21.

Re:

[gweihir]

That bad? I though this were at least 6 bit general factorization implementations. So even worse than Shor's Algorithm implemented for 6 bits. Speaking of any "threats" from this tech or expecting it to matter anytime soon is insane.

Thanks for pointing this out.

Re:

[Entrope]

https://algassert.com/post/250... [algassert.com] addresses the case of 21.

https://arxiv.org/pdf/1903.007... [arxiv.org] seems to be the paper about 35, although it says that noise meant that "the algorithm fails to factor N = 35" (and didn't do a great job for 21 either).

Re:

[dargaud]

I tried to look at how to program quantum computers, and there are now toolsets for that although you can only run them on simulations, but it's so complex and unintuitive (that's quantum mechanics for you, ha!) that it's just impossible to grok what you have to do in order to do even the most simple tasks. Much less a loop with a printf !!!

Re:

[outsider007]

That half a century claim is dumb, the first quantum computer happened in the past decade and I'll bet you've never used or seen one.

Re:

[gweihir]

I have been following this tech for about 35 years now. Research into qbits and quantum gates was well established at that time. The 50 year claim is accurate and the dumb one here is you.

Re:

[ceoyoyo]

Richard Feynman famously proposed the theoretical possibility of quantum computing in a 1982 paper. That's closer to 40 years, but in a couple of years it will indeed round to 50.

What's the equivalent for the theoretical possibility of conventional computing? Something way back in antiquity. Anyway, Pascal was building rudimentry examples by the 17th century. Real practical codebreaking happened a couple centuries later.

Stuff happens faster today. If big quantum computers are possible or practical it's poss

Re:

[h33t l4x0r]

I'm sure it's been theoretical for 100 years, but how long have people been able to order one?

Re:

[ceoyoyo]

Probably best to work on reading comprehension first.

Re:

[h33t l4x0r]

You should probably google how timelines work.

Re:

[phantomfive]

It's not that hard, if you want to use a quantum computer you can literally do it today [ibm.com].

Re:

[gweihir]

Well, in that case, factorize something larger than 35. I dare you.

Re:

[Tony Isaac]

Researchers in China have claimed to crack a 50-bit key. https://www.sciencing.com/1765... [sciencing.com] If true, that's a lot better than 6 bits, but still far, far away from RSA's 2048 bits. Getting from 6 to 50 is an accomplishment, but orders of magnitude short of being able to attack real encryption.

Re:

[gweihir]

Researchers in China have claimed lots of things. And 50 bit would still be within other approaches than an actual general implementation of Shor's Algorithm. Oh, and look, they used a D-Wave. That is not a QC at all. It is a very restricted Quantum annealing device and it does NOT scale for factorization.

Re:

[Tony Isaac]

All of your observations are correct, in my opinion, and support the notion that we are far from needing to worry about quantum computing destroying the effectiveness of today's encryption algorithms.

The weakest link in encryption schemes, is the human, and this will remain true.

Re:

[gweihir]

All of your observations are correct, in my opinion, and support the notion that we are far from needing to worry about quantum computing destroying the effectiveness of today's encryption algorithms.

Thank you.

The weakest link in encryption schemes, is the human, and this will remain true.

That is certainly true. Humans are really good at sabotage all forms of IT security, both by incompetence and by intent.

Re:

[Anonymous Coward]

Was that a real factorization, or was it one that could be replicated "with an 8-bit home computer, an abacus, [or] a dog [iacr.org]"?

so they have quantum proof encryption

[Escogido]

and backdoors for law enforcement and intelligence and whatnot. teh irony

Re:

[jd]

What did you expect from an algorithm named after the Roman Empire?

Re:

[phantomfive]

SPQR means "the senate and the people"; the implication being that the government and the recipient can read the message (but no one else).

Peer to peer

[Skinkie]

And now a peer to peer upgrade, so that in ChatControl times there is no man in the middle.

Isn't Ratchet a DIY Mechanical Keyboard?

[kurt_cordial]

In triple-Russia keyboard hobby-kits you!

Wrong! per gewgle:

[Fly Swatter]

a device consisting of a bar or wheel with a set of angled teeth in which a cog or tooth engages, allowing motion in one direction only.

Signal embraces SPQR. Vini, Vidi, Vici!

[rocket rancher]

Signal invokes SPQR for post-quantum security. Marcus Aurelius reminds us: You have power over your keys, not over the quantum adversary. Realize this, and you will find strength.

Quantum computers have yet to factor 15

[cjmnews]

Or at least quantum computers haven't factored 15 (or any other number) without cheating (using a classic computer to pre-calculate the answer using the answer, then the quantum computer "solves" it), making the threat non-existent. Peter Gutmann wrote about this: https://www.cs.auckland.ac.nz/... [auckland.ac.nz] showing all the hype about quantum factoring of integers is all smoke and mirrors. Well, at least we have jobs implementing post-quantum cryptography for the next 20 years, and profit from the results.

SPQR encryption?

[XXongo]

SPQR? Ha.

Caesar used a simple substitution cipher. A modern codebreaker could decode this in a fraction of a second.

Gov'ts, FBI, CIA, etc will want a backdoor...

[bsdetector101]

What then ?