Signal PQXDH

PQXDH (Post-Quantum Extended Diffie-Hellman) is the Signal Protocol's initial key agreement, deployed by Signal in September 2023. It augments the earlier X3DH handshake with a Kyber-based key encapsulation so that session secrets resist harvest now, decrypt later attacks by future quantum computers, while authentication continues to rest on classical elliptic curve keys.

How it works

In X3DH, two parties who may never be online simultaneously agree on a shared secret through several X25519 Diffie-Hellman computations over identity keys, a signed prekey, and optional one-time prekeys fetched from Signal's servers. PQXDH keeps this structure and adds a post-quantum layer: clients also publish Kyber public keys (a signed last-resort key and one-time keys), the initiating party encapsulates against one of them, and the resulting KEM shared secret is mixed with the Diffie-Hellman outputs in the final key derivation. The published PQXDH specification uses Kyber-1024, the highest of Kyber's parameter sets; Kyber was later standardized with modifications as ML-KEM in FIPS 203.

The combination is a PQ/T hybrid: recovering the session secret requires breaking both X25519 and Kyber. A quantum attacker running Shor's algorithm against recorded traffic defeats the elliptic curve part but still faces the lattice-based encapsulation.

What it protects, and what it does not

PQXDH was designed against a specific threat: an adversary recording Signal traffic today in order to decrypt it once a cryptographically relevant quantum computer exists. With PQXDH, the initial shared secret, and everything derived from it, is protected against that adversary, as Signal explained in its announcement.

The server's role is unchanged: prekey bundles, including the Kyber public keys, are public values stored for offline delivery, so the post-quantum layer adds no new trust in Signal's infrastructure and does not alter what the service can observe.

Two limits are explicit in the design. First, authentication remains classical: identity keys are still elliptic curve keys, so a future quantum attacker could in principle impersonate a party in new conversations, but cannot retroactively decrypt old ones. Second, at launch the Double Ratchet that provides forward secrecy and post-compromise security within a session continued to use classical elliptic curve ratcheting, so its self-healing property did not yet hold against a quantum adversary.

Formal verification

Signal developed PQXDH alongside formal analysis rather than after the fact. Researchers from Inria and Cryspen analyzed the protocol in ProVerif (symbolic model) and CryptoVerif (computational model), confirming its core secrecy and authentication goals against both classical and harvest-style quantum adversaries. The analysis also surfaced subtleties, including the need to bind the Kyber public key into the key derivation to rule out re-encapsulation issues, and the revised specification incorporates the resulting strengthened bindings. This made PQXDH one of the first deployed post-quantum protocols shipped together with machine-checked analysis.

Deployment and follow-on work

PQXDH shipped in Signal's client applications in September 2023 and applies to newly established sessions between updated clients, making Signal the first large messaging platform to deploy post-quantum key agreement at scale. Apple's later iMessage PQ3 announcement classified messaging security in levels and placed PQXDH at level 2 (post-quantum initial establishment only), with its own protocol at level 3 by adding ongoing post-quantum rekeying.

Signal has since published work on closing the ratchet gap: a sparse post-quantum ratchet (SPQR) that combines with the existing Double Ratchet into a triple ratchet design, adding quantum-resistant self-healing to ongoing conversations, and Signal stated in 2025 that it had begun rolling this out. As of early 2026, PQXDH remains the initial key agreement, with the post-quantum ratchet work extending protection deeper into the session. Together with post-quantum TLS and Apple iMessage PQ3, PQXDH is one of the reference examples of hybrid post-quantum migration in widely used software.

Frequently asked questions

Does PQXDH make Signal fully post-quantum?

No. It protects the secrecy of session establishment against future quantum decryption; authentication and, at launch, the ongoing ratchet remained classical.

Sources

  1. Quantum Resistance and the Signal Protocol (Signal, 2023)
  2. The PQXDH Key Agreement Protocol (Signal, 2023)
  3. FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (NIST, 2024)
  4. iMessage with PQ3: The new state of the art in quantum-secure messaging at scale (Apple Security Engineering and Architecture, 2024)
Cite this entry
"Signal PQXDH." postquantum.wiki. Updated July 11, 2026. https://postquantum.wiki/signal-pqxdh@misc{pqwiki-signal-pqxdh, title = {Signal PQXDH}, howpublished = {\url{https://postquantum.wiki/signal-pqxdh}}, year = {2026}, note = {postquantum.wiki, updated 2026-07-11} }