Migrating Protocols to the Post-Quantum Setting: The Case of Signal’s Double Ratchet — Thomas Prest
Date: 3 June 2026 at 14:45, 15 min.
Secure messaging apps are used by billions of people daily. However, because of the imminent threat of “Harvest Now, Decrypt Later” attacks, secure messaging providers must act now to make their protocols hybrid-secure: at least as secure as before, but now also post-quantum (PQ) secure. Since many of these apps are internally based on Signal’s well-known Double Ratchet (DR) protocol, making Signal hybrid-secure is of great importance.
In fact, Signal and Apple have already deployed Signal-based variants with varying levels of hybrid security: PQXDH (which protects only the initial handshake) and PQ3 (which protects the entire protocol by adding a PQ-ratchet to the DR protocol). Unfortunately, because of the large communication overhead of the Kyber scheme used by PQ3, real-world PQ3 performs this PQ-ratchet only approximately every 50 messages. As we observe, the effectiveness of this amortization, while reasonable in the best-case communication scenario, quickly deteriorates in other, still realistic, scenarios, causing many consecutive (rather than 1 in 50) re-transmissions of the same Kyber public keys and ciphertexts (of combined size 2272 bytes!). In this work, we present a new Signal-based, hybrid-secure messaging protocol with improved complexity compared to PQ3: the “Triple Ratchet” protocol.
– First, Triple Ratchet uses erasure codes to make the communication inside the PQ-ratchet provably balanced. This results in much better worst-case communication guarantees compared to PQ3.
– Second, we design a novel variant of Kyber, called Katana, with a significantly smaller combined length of ciphertext and public key (which is the relevant efficiency measure for “PQ-secure ratchets”). For 192 bits of security, Katana improves this key efficiency measure by over 37%: from 2272 to 1416 bytes. In doing so, we identify a critical security flaw in prior suggestions for optimizing the communication complexity of lattice-based PQ-ratchets, and fix this flaw using recent advances in lattice security proof techniques.
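To make the amortization argument above concrete, the following added example (not code from the paper or from Signal) models the PQ-ratchet overhead under constructed traffic patterns. It assumes a simplified "attach the KEM material to every message until the peer answers" rule, which is an assumption about PQ3's behaviour, and compares the result against the per-message cost of spreading the same 2272 bytes evenly over the 50-message period, the balanced target the erasure-coded PQ-ratchet aims for.

```python
from math import ceil

# Figures quoted in the abstract.
KEM_BYTES = 2272        # combined Kyber public key + ciphertext
RATCHET_PERIOD = 50     # PQ3 runs a PQ-ratchet step roughly every 50 messages

def pq3_kem_transmissions(traffic: str, period: int = RATCHET_PERIOD) -> int:
    """Count messages that carry KEM material under a simplified PQ3-style rule.

    Assumed rule (a simplification, not PQ3's exact logic): every `period`-th
    message starts a PQ-ratchet step for its sender, who then attaches the
    Kyber public key + ciphertext to *every* message until the peer answers.
    `traffic` is a string of 'A'/'B' giving the sender of each message in order.
    """
    pending = {"A": False, "B": False}   # does this party still owe KEM material?
    carried = 0
    for i, sender in enumerate(traffic):
        peer = "B" if sender == "A" else "A"
        pending[peer] = False            # this message acknowledges the peer's material
        if i % period == 0:
            pending[sender] = True       # start a new PQ-ratchet step
        if pending[sender]:
            carried += 1
    return carried

def avg_overhead_bytes(traffic: str) -> float:
    """Average PQ-ratchet bytes per message for the given traffic pattern."""
    return pq3_kem_transmissions(traffic) * KEM_BYTES / len(traffic)

# Per-message cost if the same material were spread evenly over the period
# (the balanced target that the erasure-coded PQ-ratchet aims for).
BALANCED_BYTES_PER_MESSAGE = ceil(KEM_BYTES / RATCHET_PERIOD)   # 46

if __name__ == "__main__":
    # Constructed traffic patterns of 100 to 110 messages each.
    patterns = {
        "strict alternation":  "AB" * 50,
        "one-sided burst":     "A" * 100,
        "10 from A, 1 from B": "AAAAAAAAAAB" * 10,
    }
    for name, traffic in patterns.items():
        n = pq3_kem_transmissions(traffic)
        print(f"{name:20s}: {n:3d}/{len(traffic)} messages carry KEM material, "
              f"{avg_overhead_bytes(traffic):7.1f} B/msg "
              f"(balanced target: {BALANCED_BYTES_PER_MESSAGE} B/msg)")
```

In strict alternation only 2 of 100 messages carry the 2272 bytes (the 1-in-50 best case), while a one-sided burst carries them on every message; the balanced target stays at 46 bytes per message regardless of who is talking.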
This protocol has been developed with the Signal team, and some ideas discussed in this work have been brought into production by Signal, as explained in their blog post: https://signal.org/blog/spqr/.
This submission is based on the following EUROCRYPT 2025 paper: https://eprint.iacr.org/2025/078. While the original paper was aimed at cryptographers, this presentation is geared towards an audience of security practitioners. We will first present the threat model and design rationale of the original Double Ratchet protocol. We will then highlight how this design breaks when one tries to port it naively to the post-quantum setting. Finally, we will present our improved protocol and explain how it is tailored to the quirks and unique properties of post-quantum cryptographic primitives. If accepted at SSTIC, our presentation will be in French.