Why Signal's Post-Quantum Update Is Good for The Entire Security Community

Daniel Curci
3 Oct 2023

Signal recently made an exciting announcement regarding the post-quantum enhancements to its implementation of the X3DH protocol. While Mode was already offering post-quantum security for communications like messaging and video calling, this development is a significant victory for the broader security community and, in many respects, everyone who uses public-key encryption.

For a long time, it felt like we were one of the few communication apps willing to make the early commitment to post-quantum encryption. Now we are joined by one of the leaders in secure and private communication, and that gives us at Mode a lot to reflect on.

Signal's update could have a domino effect, prompting other "privacy and security" focused apps that use public-key encryption to start adopting post-quantum protocols sooner rather than later.

Why do Mode and Signal offer post-quantum security in the first place?

Signal has long been celebrated by the privacy community for its efforts towards popularizing trusted and secure communication.

By developing and implementing the X3DH protocol, Signal enables two parties with public and private key pairs to establish a shared secret key over a (presumed) insecure network, with exceptional security characteristics, including forward secrecy for each conversation.

Ultimately, it's the foundation of how most end-to-end encrypted communication apps keep data secure and private.

However...

The protocol was developed to protect communication in a world where classical computation posed the greatest risk to data security.

Now, we are rapidly approaching a new era.

Quantum computers could, in theory, break several contemporary encryption algorithms (including the X3DH protocol used by Mode and Signal to facilitate key exchanges), leaving user communications exposed in the event of a quantum-enabled attack.

The concern stems from harvest and decrypt attacks.

In the context of quantum computing and encryption, "harvest and decrypt" represents a significant threat. Currently, an adversary might lack the computational power to crack a complex encryption algorithm like that used in the X3DH protocol. However, they could still 'harvest', that is, gather and store, encrypted data with the intention of decrypting it in the future.

Once quantum computers become sufficiently powerful, an adversary could then execute a 'decrypt' attack, decrypting the previously 'harvested' information. This means that sensitive data encrypted today could be at risk of exposure in the future. It's this concern that drives the need for post-quantum security measures now, ensuring our encrypted data remains secure not just today, but also in the future.

Luckily, we have the means to further improve on X3DH to start protecting our data from quantum-enabled attacks in the future. We'll get to how further below.

How do Mode and Signal implement post-quantum encryption?

The timing of Signal's protocol update is likely related to the National Institute of Standards and Technology's (NIST) selection of the CRYSTALS-Kyber post-quantum protocol for standardization.

The Signal upgrade combines X3DH with a post-quantum key encapsulation mechanism, CRYSTALS-Kyber, creating a shared secret that requires attackers to break both systems to compromise communication data security.

This is the same protocol and similar implementation used by Mode.

CRYSTALS-Kyber completed a rigorous and thorough evaluation process by NIST, involving several rounds of evaluation where the cryptographic community is invited to analyze and critique proposed algorithms. NIST launched the proactive initiative to evaluate and standardize post-quantum cryptographic algorithms.

The key to all of this is the multi-layered implementation of elliptic curve cryptography and post-quantum cryptography. By combining the two protocols, Mode and Signal offer users the best security available today with the best security available for tomorrow.
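
The combination described in this section, as an added sketch in Python that is not Mode's or Signal's code: every classical Diffie-Hellman output and the KEM shared secret are fed into one HKDF call, so recovering only one family of secrets does not yield the session key. The random byte strings stand in for real X3DH and CRYSTALS-Kyber outputs, and the HKDF-SHA256 choice, the `info` label and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_sha256(ikm, info, length=32):
    """HKDF (RFC 5869) with SHA-256 and an all-zero salt."""
    prk = hmac.new(b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(dh_outputs, kem_secret):
    """Derive one session key from every classical DH output plus the KEM secret."""
    if not dh_outputs or any(len(d) != 32 for d in dh_outputs):
        raise ValueError("expected one or more 32-byte DH outputs")
    if len(kem_secret) != 32:
        raise ValueError("expected a 32-byte KEM shared secret")
    # All secrets enter a single KDF call, so the output depends on each of them.
    ikm = b"".join(dh_outputs) + kem_secret
    return hkdf_sha256(ikm, info=b"example-hybrid-handshake")  # hypothetical label


def attacker_key(recovered_dh=None, recovered_kem=None):
    """Key derived from partial knowledge; unknown inputs are zero-filled guesses."""
    dh = recovered_dh if recovered_dh is not None else [bytes(32)] * 3
    kem = recovered_kem if recovered_kem is not None else bytes(32)
    return hybrid_session_key(dh, kem)


def demo():
    # Constructed stand-ins for real X3DH DH outputs and a Kyber shared secret.
    dh = [secrets.token_bytes(32) for _ in range(3)]
    kem = secrets.token_bytes(32)
    real = hybrid_session_key(dh, kem)
    return {
        "peer_derives_same_key": hybrid_session_key(list(dh), kem) == real,
        "classical_part_broken": attacker_key(recovered_dh=dh) == real,
        "kem_part_broken": attacker_key(recovered_kem=kem) == real,
        "both_parts_broken": attacker_key(dh, kem) == real,
    }
```

In `demo()`, only the peer and the attacker who has recovered both the classical and the post-quantum secrets arrive at the real session key.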

What does this mean for the security community?

The standardization of post-quantum security brings a breath of fresh air to the landscape of secure communication apps. By integrating post-quantum security now, communication apps can future-proof communication data against quantum threats.

Knowledge of this amongst secure app developers is widespread, but action on it has been sparse.

A promising signal from Signal

As a leading communication app for those seeking better privacy, Signal may not be a household name, but it's certainly finding its way into mainstream awareness. According to its Wikipedia page, Signal had over 40 million active users in 2022.

The decision for Signal to enhance its X3DH protocol to include post-quantum security is a signal (yes, pun intended) that the time is now to begin protecting data with the best post-quantum protocols we have today.

Our hope is that this could have a domino effect, prompting other "privacy and security" focused technology providers that use public-key encryption to start adopting post-quantum protocols.

Sometimes it takes a move like this to get others to give more serious consideration to the security of their own platforms.

Better for individuals and for businesses

With Signal, more people get access to post-quantum secure communication.

Although we are on a similar mission to protect our users' communication data, we want to help businesses address some of their unique communication challenges with the same level of trust users place in Signal.

The more apps that provide the best possible security, the better off we are collectively.

Validation for Mode

Mode has been offering post-quantum end-to-end encrypted communication for some time. We understood that we were ahead of the curve. But we also understood that it was the best decision for the security of our users' communication data.

The recent Signal announcement validates that we've been on the right track for a long time. Multi-layered implementations of post-quantum encryption are needed today, and the time is now to start trusting the best protocols we have available to us.

You can learn more about how Mode has implemented our protocols by requesting a copy of our whitepaper.

Conclusion

Let's hope to see more apps embracing post-quantum enhancements, as we continue to advocate for stronger security measures and embrace technological advancements to safeguard our data and communication. With Mode and Signal leading the way, we can feel more confident in the security of our digital interactions and, hopefully, in the adoption of post-quantum security.

-----------------------------------

Mode is a secure communication platform specifically designed for the workplace. Our goal is to provide organizations with a secure alternative to traditional communication platforms. With Signal now offering post-quantum security, a broader range of individuals worldwide can benefit from the same protection.
