Signal Protocol · Post-Quantum Cryptography
From Double Ratchet to Triple Ratchet
Signal's messaging protocol derives a unique encryption key for every message using a system of interlocking "ratchets" — one-way key derivation chains that advance forward with each message or key exchange. The classical Double Ratchet has protected billions of messages since 2016. In October 2025, Signal deployed the Triple Ratchet to extend that protection against quantum computers.
2013–2025 · Classical
Double Ratchet
Two ratchets work in tandem. The DH ratchet performs a fresh X25519 Diffie-Hellman exchange each time the conversation direction changes, injecting new shared secrets into the root key chain. Between DH steps, the symmetric ratchet advances a hash chain (HMAC-SHA-256) to derive a unique message key for every send or receive.
- DH ratchet — X25519 exchange per round-trip → new root key. Provides post-compromise security: a leaked key heals once both parties ratchet.
- Symmetric ratchet — HMAC-SHA-256 chain between DH steps → unique message key. Provides forward secrecy: past keys are irrecoverable.
⚠ X25519 is vulnerable to Shor's algorithm — a sufficiently capable quantum computer breaks every DH ratchet step, exposing all message keys.
2025 · Post-Quantum Hybrid
Triple Ratchet
Adds a third ratchet — SPQR (Sparse Post-Quantum Ratchet) — running in parallel. It periodically exchanges ML-KEM-768 encapsulation keys alongside the classical DH ratchet. The outputs of all three ratchets are mixed together via HKDF to produce each message key, ensuring an attacker must break both X25519 and ML-KEM to compromise any message.
- DH ratchet — X25519 (same as before), providing classical post-compromise security.
- Symmetric ratchet — HMAC-SHA-256 chain, providing forward secrecy within each epoch.
- SPQR ratchet — ML-KEM-768 via the Braid protocol, erasure-coded across messages (~32–42 B overhead). Provides post-quantum forward secrecy and post-compromise security (PCS).
✓ Hybrid composition: MK = HKDF(K_classical ‖ K_pq) — proven secure in the quantum random oracle model (QROM) if either primitive holds. (Eurocrypt 2025)
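The composition above as an added Python example (not Signal's code and not part of the original page): two HMAC-SHA-256 chains advance once per message and their outputs are mixed with HKDF, so an attacker holding only the classical half reconstructs no message key. Assumptions: the `INFO` label, the function names, the constructed chain keys, and modelling the SPQR output as a second HMAC chain are illustrative; the 0x01/0x02 constants follow the Double Ratchet specification's recommendation.

```python
import hashlib
import hmac

INFO = b"example-hybrid-mk"  # assumed label, not Signal's actual info string

def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def chain_step(chain_key):
    """One symmetric-ratchet step: returns (next_chain_key, ratchet_output)."""
    output = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_ck = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, output

def hybrid_message_keys(ck_classical, ck_pq, n):
    """Advance both chains n times; MK_i = HKDF(K_classical_i || K_pq_i)."""
    keys = []
    for _ in range(n):
        ck_classical, k_classical = chain_step(ck_classical)
        ck_pq, k_pq = chain_step(ck_pq)  # assumption: PQ side modelled as a chain
        keys.append(hkdf_sha256(k_classical + k_pq, b"", INFO))
    return keys

def matches(guess_keys, real_keys):
    """Count message keys an attacker's reconstruction gets right."""
    return sum(hmac.compare_digest(g, r) for g, r in zip(guess_keys, real_keys))

if __name__ == "__main__":
    # Constructed chain keys standing in for root-KDF outputs of each ratchet.
    ck_c = hashlib.sha256(b"constructed classical chain key").digest()
    ck_q = hashlib.sha256(b"constructed post-quantum chain key").digest()
    real = hybrid_message_keys(ck_c, ck_q, 3)
    # Attacker recovered the classical chain (X25519 broken) but not the PQ one.
    guess = hybrid_message_keys(ck_c, bytes(32), 3)
    print("recovered with classical half only:", matches(guess, real), "of 3")
    print("recovered with both halves:", matches(real, real), "of 3")
```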
Key Derivation Flow · Double vs Triple