Signal, the popular privacy-first messaging app, is making its biggest security upgrade in years by securing conversations against future quantum computer threats. The company announced it is introducing a new cryptographic system called the Sparse Post-Quantum Ratchet (SPQR), built to safeguard private conversations even if tomorrow’s machines outpace today’s encryption.
“We are excited to announce a significant advancement in the security of the Signal Protocol: the introduction of the Sparse Post Quantum Ratchet (SPQR). This new ratchet enhances the Signal Protocol’s resilience against future quantum computing threats while maintaining our existing security guarantees of forward secrecy and post-compromise security,” announced the company in a blog post on Thursday.
The change happens entirely in the background. Users won’t see new buttons or settings, but their chats will now be protected by a stronger foundation. For the average Signal user, nothing about the app experience will change. Messages and calls will still work as usual, and users won’t need to flip any switches.
Behind the scenes, however, the new SPQR system quietly boosts Signal’s already tough security model, making it more resilient against the threat of future quantum computers that could one day crack today’s encryption methods.
So how does it work?
Signal has relied on the well-known Double Ratchet, a system that constantly updates encryption keys and discards old ones to ensure that even if a hacker steals a key, they can’t unlock past or future messages. The new SPQR system adds a layer of advanced post-quantum algorithms, creating a stronger Triple Ratchet. This hybrid design blends today’s encryption with quantum-resistant safeguards, ensuring both old and future messages remain safe, even if attackers compromise current keys.
At the heart of this upgrade are two key components: Post-Quantum Extended Diffie-Hellman (PQXDH) and ML-KEM (Module Lattice-based Key Encapsulation Mechanism). PQXDH enhances how session keys are initially exchanged between users, while ML-KEM, a post-quantum algorithm recently standardized by NIST, helps generate “future-proof” keys resistant to quantum attacks. Together, these technologies ensure that even if a current key is compromised, Signal can quickly restore security and protect future chats.
The upgrade ensures two key things: Forward Secrecy (FS), which protects past messages against future compromise, and Post-Compromise Security (PCS), which protects future messages from past compromise if an attacker ever manages to grab a key. Even if today’s systems are broken in the future, SPQR ensures that future conversations quickly recover and stay secure.
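The hybrid ratchet idea and the FS/PCS properties described above can be made concrete with a small model. This is an added illustration, not Signal's code or the SPQR design: the `Chain` and `HybridSession` classes are hypothetical, HMAC-SHA256 stands in for the real KDF, and constructed byte strings stand in for Diffie-Hellman and ML-KEM outputs.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # stand-in one-way KDF

class Chain:
    """Hypothetical symmetric ratchet: every step overwrites the previous state."""
    def __init__(self, root: bytes):
        self.state = root

    def step(self) -> bytes:
        out = kdf(self.state, b"out")
        self.state = kdf(self.state, b"next")  # old state is gone: forward secrecy
        return out

    def reseed(self, fresh: bytes) -> None:
        # Mix in a new shared secret (DH output or KEM secret): post-compromise security
        self.state = kdf(self.state, b"reseed" + fresh)

class HybridSession:
    """Hypothetical pairing of a classical chain and a post-quantum chain."""
    def __init__(self, classical_root: bytes, pq_root: bytes):
        self.classical, self.pq = Chain(classical_root), Chain(pq_root)

    def next_message_key(self) -> bytes:
        # The message key depends on BOTH chains, so breaking one is not enough
        return kdf(self.classical.step() + self.pq.step(), b"msg")

def secret(tag: str) -> bytes:
    return hashlib.sha256(tag.encode()).digest()  # constructed sample secret

def demo() -> dict:
    alice = HybridSession(secret("c-root"), secret("pq-root"))
    bob = HybridSession(secret("c-root"), secret("pq-root"))
    k1 = alice.next_message_key()
    in_sync = k1 == bob.next_message_key()
    # Attacker copies Alice's full state after message 1 (k1 is not derivable from it)
    thief = HybridSession(alice.classical.state, alice.pq.state)
    k2 = alice.next_message_key()
    reads_k2 = thief.next_message_key() == k2
    # Fresh secrets arrive; the attacker later recovers only the classical one
    alice.classical.reseed(secret("fresh-dh"))
    alice.pq.reseed(secret("fresh-kem"))
    thief.classical.reseed(secret("fresh-dh"))
    k3 = alice.next_message_key()
    reads_k3 = thief.next_message_key() == k3
    return {"in_sync": in_sync, "reads_k2": reads_k2, "reads_k3": reads_k3, "keys": [k1, k2, k3]}
```

In this model the stolen state exposes the next key until fresh secrets are mixed in, and an attacker who recovers only the classical secret still cannot follow the session.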
The rollout is gradual and backward-compatible, meaning conversations will automatically upgrade once both parties are on the new system. If one person has SPQR enabled and the other doesn’t, conversations will temporarily fall back to the existing system until both sides are upgraded. Once fully deployed, Signal plans to enforce SPQR across all chats. Eventually, SPQR will become the default for all conversations.
Signal developed the new system in collaboration with cryptography researchers from PQShield, Japan’s AIST, and New York University, with the design being rigorously tested and formally verified for security.
With around 100 million active users worldwide, Signal is setting a precedent in the messaging world: encryption must evolve ahead of threats. While quantum computers may still be years away, Signal’s latest upgrade shows it isn’t waiting until the last minute to protect its users.