up:: In the Protocols MOC

Signal PQXDH

Signal PQXDH, short for Post-Quantum Extended Diffie-Hellman, is the key-agreement protocol Signal deployed to make the initial handshake of a conversation resist a quantum computer. It works by running Signal’s existing classical X3DH agreement and a post-quantum key encapsulation mechanism together, then folding both results into one shared secret, so the session key holds as long as either half is unbroken. The post-quantum half is an IND-CCA-secure KEM, and the specification names CRYSTALS-Kyber-1024 as the concrete choice, the pre-standard sibling of ML-KEM-1024. PQXDH exists for one reason: to close the harvest-now-decrypt-later window on the very first key a Signal conversation establishes, which is the key an adversary would record today and decrypt years later.

Source: Signal, “The PQXDH Key Agreement Protocol,” Revision 3, 2023-05-24, last updated 2024-01-23, signal.org/docs/specifications/pqxdh.

The short version:

  • PQXDH runs Signal’s classical X3DH elliptic-curve handshake and a post-quantum Kyber-1024 key encapsulation in the same exchange, and combines both shared secrets so the initial session key survives if either component holds.
  • The post-quantum protection covers the initial key agreement only. Once the conversation is bootstrapped, Signal’s classical Double Ratchet takes over the ongoing message keys, which is why PQXDH is a Level-2-style protection in Apple’s ranking rather than end-to-end post-quantum.
  • The classical curve is Curve25519 (or Curve448), the same ECDH Signal always used. PQXDH adds the KEM alongside it, it doesn’t rip out the classical layer.
  • The motivation is HNDL. The spec says PQXDH is designed to prevent an adversary with a quantum computer from harvesting encrypted traffic now and decrypting it later.
  • PQXDH is a hybrid design against a passive quantum adversary. Its authentication is still classical, so an active quantum attacker who can forge the identity keys is out of scope, the same signature-migration gap every applied-PQC protocol carries.

Picture two people agreeing on a secret combination for a lock before they ever meet in person, by each mailing the other a sealed contribution and mixing them into one number. For years that mixing used only elliptic-curve math, which a quantum computer running Shor’s algorithm would eventually unwind from recorded copies of the mail. PQXDH mails a second, quantum-resistant contribution in the same envelope and mixes it in too, so unwinding the elliptic-curve half leaves the combination out of reach. The lock itself never changed. The recipe for the secret now depends on a number a quantum computer cannot reconstruct.

What is Signal PQXDH?

Signal PQXDH is a post-quantum upgrade to X3DH, the Extended Triple Diffie-Hellman protocol that Signal has used to establish the first shared secret between two users who may not be online at the same time. X3DH lets Alice send an encrypted first message to Bob by combining several ECDH operations against Bob’s published keys, so the session bootstraps asynchronously without a live round trip. That design is elegant and it is entirely classical, which means every one of those ECDH operations rests on the elliptic-curve discrete logarithm that Shor’s algorithm solves.

PQXDH keeps all of X3DH and adds one thing: a post-quantum key encapsulation mechanism run in parallel. Bob publishes a post-quantum encapsulation key alongside his classical prekeys, Alice encapsulates against it to produce a ciphertext and a post-quantum shared secret, and that secret is concatenated into the key-derivation input next to the X3DH output. The specification requires the KEM to have IND-CCA post-quantum security and gives Kyber-1024 as the worked example.

Source: Signal, “The PQXDH Key Agreement Protocol,” §2.1 and §3, signal.org/docs/specifications/pqxdh.

The result is a hybrid key agreement in the exact sense the whole transition relies on. The final secret is derived from both the classical and the post-quantum contribution, so an attacker has to break both to recover it. Break only the elliptic-curve half with a quantum computer and the post-quantum secret still stands between the attacker and the session key. PQXDH was developed by Ehren Kret and Rolfe Schmidt as an extension of the original X3DH by Moxie Marlinspike and Trevor Perrin.

How does PQXDH add ML-KEM on top of X3DH?

PQXDH runs the KEM as an added ingredient in the same handshake, and the ordering is straightforward once you separate the classical work from the post-quantum work. Walking the exchange end to end:

  1. Bob publishes a post-quantum prekey. Alongside his classical identity key, signed prekey, and one-time prekeys, Bob uploads a post-quantum KEM encapsulation key (a “last-resort” one plus one-time ones), each signed by his identity key so Alice can trust it came from Bob.
  2. Alice encapsulates. When Alice starts the conversation, she runs KEM encapsulation against Bob’s post-quantum encapsulation key, producing a ciphertext CT and a post-quantum shared secret SS. In parallel she performs the classical X3DH ECDH operations against Bob’s elliptic-curve prekeys.
  3. Alice derives the master secret. She concatenates the X3DH output and the post-quantum secret SS and feeds the combined value into the key-derivation function, producing the shared master key. She sends her ephemeral public key and the KEM ciphertext CT in the initial message.
  4. Bob reconstructs it. Bob decapsulates CT with his post-quantum private key to recover SS, performs the matching classical ECDH operations, concatenates the two the same way, and derives the identical master key. From there the classical Double Ratchet takes over per-message keys.

Source: Signal, “The PQXDH Key Agreement Protocol,” §3, signal.org/docs/specifications/pqxdh.

The load-bearing detail is that the post-quantum secret is mixed into the key schedule rather than replacing the classical secret. This is the same combiner logic that TLS hybrid key exchange uses with X25519MLKEM768, applied to Signal’s asynchronous messaging setup instead of a synchronous network handshake. Both derive the working key from a classical and a post-quantum contribution at once.

What does PQXDH protect, and what does it leave classical?

PQXDH protects the confidentiality of the initial shared secret against a quantum adversary, and it deliberately leaves authentication classical. That boundary is the single most important thing to understand about it, because it decides exactly which quantum attacks PQXDH stops and which it does not.

  1. Confidentiality of the first key: post-quantum. The shared secret that bootstraps the conversation is derived with the KEM contribution, so a passive attacker who records the handshake today cannot recover the key later with a quantum computer. This is the HNDL protection, and it is the whole point.
  2. Authentication: still classical. The identity keys that prove Alice is Alice and Bob is Bob are elliptic-curve keys, and the spec is explicit that authentication in PQXDH is not quantum-secure. In the specification’s words, “in the presence of an active quantum adversary, the parties receive no cryptographic guarantees” about authentication.

Source: Signal, “The PQXDH Key Agreement Protocol,” §4.1 and §4.7, signal.org/docs/specifications/pqxdh.

This split maps precisely onto the HNDL versus Non-HNDL distinction that governs applied PQC everywhere. Recorded ciphertext is a future liability the day a capable quantum computer exists, so confidentiality moves first. A forged identity requires a quantum computer live at the moment of the handshake, so authentication is a real but later problem, the same reason TLS migrated key exchange before certificate signatures. PQXDH addresses the harvestable half and leaves the authentication half for a future revision.

Why did Signal ship PQXDH before the quantum computer exists?

Because the threat PQXDH answers is already running, even though the machine that completes it is not built yet. The entire logic is harvest-now-decrypt-later: an adversary with the resources to record encrypted traffic can capture a Signal handshake today, store it indefinitely, and decrypt the session the day a cryptographically relevant quantum computer can run Shor’s algorithm against the elliptic-curve half. The recording is cheap and the storage is cheap, so a well-resourced attacker’s rational move is to harvest now and wait.

Any message whose confidentiality has to outlast the arrival of that machine is exposed from the moment it is sent, which is why the harvesting window is open now for long-lived secrets rather than at some future start date. Signal, whose product promise is confidentiality for exactly the kind of communication people need to stay private for years, had a direct interest in closing that window on its most sensitive step first. PQXDH shipped in 2023 for precisely this reason, well ahead of any working CRQC, because waiting for the machine means every conversation recorded in the interim is already lost.

Source: Signal, “The PQXDH Key Agreement Protocol,” §4.7 (PQXDH is designed to prevent harvest-now-decrypt-later attacks by adversaries with a quantum computer), signal.org/docs/specifications/pqxdh.

How does PQXDH compare to Apple’s PQ3?

PQXDH and PQ3 both add post-quantum protection to a secure messenger, and they draw the line in different places. PQXDH puts post-quantum cryptography into the initial key agreement, while PQ3 also applies it to the ongoing rekeying, which Apple’s own ranking calls the difference between Level 2 and Level 3.

Signal PQXDHApple PQ3
Post-quantum at initial key establishmentYes (Kyber-1024)Yes (Kyber-1024)
Post-quantum in ongoing rekeying / ratchetNo (classical Double Ratchet)Yes (Kyber-768, periodic)
Apple’s security-level labelLevel 2Level 3
AuthenticationClassicalClassical
Shipped20232024

Source: Signal, “The PQXDH Key Agreement Protocol,” signal.org/docs/specifications/pqxdh; Apple Security Research, “iMessage with PQ3,” February 21, 2024, security.apple.com/blog/imessage-pq3.

The practical read is that both protocols close the HNDL window on the conversation’s opening secret, which is the harvestable part, so both deliver the protection that matters most against a recording adversary. PQ3’s added post-quantum rekeying defends against a different scenario, where an attacker compromises key material mid-conversation and a quantum computer later, so the two protocols reflect a design choice about how far past the initial handshake to extend the post-quantum guarantee rather than a gap in the core HNDL defense. The full mechanics of the ongoing-rekeying half live in Apple iMessage PQ3.

Is PQXDH the same idea as TLS hybrid key exchange?

Yes, it is the same combiner pattern in a different protocol. Both run a classical elliptic-curve key agreement and a post-quantum ML-KEM operation together, and both derive the working key from the two secrets combined, so the session survives if either component holds. The difference is entirely in the setting and the wire format, not in the cryptographic idea.

  1. TLS is synchronous. Both endpoints are online and complete the handshake in a live round trip, negotiating the named group X25519MLKEM768 and exchanging key shares in the same flight.
  2. PQXDH is asynchronous. Bob may be offline when Alice starts the conversation, so Bob publishes prekeys to a server in advance and Alice bootstraps the session against those stored keys with no live round trip.

Source: Signal, “The PQXDH Key Agreement Protocol,” signal.org/docs/specifications/pqxdh.

Recognizing that both are the same hybrid combiner is what makes applied PQC legible across protocols. Once you see that TLS, SSH, IPsec, and Signal all mix a classical and a post-quantum secret into one working key, the differences reduce to how each protocol carries the extra kilobyte and when each endpoint gets the two contributions. The applied-PQC hub maps all of them onto that single shape.

Common misconceptions

  • “Signal is fully quantum-safe because it uses PQXDH.” PQXDH makes the initial key agreement quantum-resistant. The ongoing message keys run through the classical Double Ratchet, and the identity authentication is classical, so a complete post-quantum guarantee across a whole conversation is a further step, which is exactly the Level 2 versus Level 3 distinction.
  • “PQXDH replaced elliptic-curve cryptography in Signal.” It added a post-quantum KEM alongside the existing X3DH ECDH, and derives the key from both. The elliptic-curve layer is still there as the classical half of a hybrid, carried as a hedge in case the young lattice scheme has an undiscovered flaw.
  • “Kyber-1024 and ML-KEM-1024 are unrelated.” Kyber is the algorithm NIST standardized as ML-KEM in FIPS 203. The PQXDH spec names Kyber-1024 as its example KEM, and the standardized ML-KEM-1024 is the same design finalized, so PQXDH sits in the ML-KEM family.
  • “PQXDH protects messages I already sent.” It protects the confidentiality of sessions established after it was enabled. Any conversation bootstrapped with classical-only X3DH before the upgrade stays exposed to a future quantum computer, which is the whole harvest-now-decrypt-later argument for shipping it early.
  • “Because PQXDH exists, an active quantum attacker cannot touch Signal.” PQXDH defends against a passive quantum adversary recording traffic. Its authentication is still classical, so an active quantum adversary able to forge identity keys is outside its guarantees, the same certificate-and-signature gap the rest of applied PQC carries.

Questions people ask

Is Signal quantum-safe? Signal’s initial key agreement is post-quantum through PQXDH, which uses Kyber-1024 alongside classical Curve25519 to protect the first shared secret against a harvesting quantum adversary. The ongoing message ratchet and the identity authentication are still classical, so the confidentiality of the opening handshake is protected while a full end-to-end post-quantum guarantee is a later step.

What does PQXDH stand for? Post-Quantum Extended Diffie-Hellman. It is the post-quantum successor to X3DH, Signal’s Extended Triple Diffie-Hellman handshake, adding a post-quantum key encapsulation to the classical elliptic-curve agreement.

Which post-quantum algorithm does PQXDH use? An IND-CCA-secure key encapsulation mechanism, with the specification naming CRYSTALS-Kyber-1024 as the concrete choice, the pre-standard form of ML-KEM-1024.

Does PQXDH protect the whole conversation or just the start? Just the initial key agreement. After the session bootstraps, Signal’s classical Double Ratchet manages the ongoing message keys, which is why Apple ranks PQXDH-style protection as Level 2, in contrast to the Level 3 ongoing post-quantum rekeying in PQ3.

Why did Signal add post-quantum crypto before quantum computers can break anything? Because of harvest-now-decrypt-later. An adversary can record an encrypted handshake today and decrypt it once a quantum computer exists, so any message that must stay confidential for years is already exposed the moment it is captured. Closing the window early protects traffic sent in the meantime.

Does PQXDH make Signal’s authentication quantum-safe? No. The identity keys are classical elliptic-curve keys, and the spec states that against an active quantum adversary the parties receive no cryptographic authentication guarantees. PQXDH targets the harvestable confidentiality half; the authentication half is a separate, later migration.

How is PQXDH different from TLS hybrid key exchange? It is the same hybrid combiner, a classical ECDH mixed with an ML-KEM secret, applied to Signal’s asynchronous messaging rather than a live TLS handshake. TLS completes in a live round trip; PQXDH bootstraps against prekeys a user published in advance, so both sides need not be online at once.


Everything here is the map, given freely. When your team needs its own messaging, key-exchange, and authentication surfaces sorted into what already resists a harvesting quantum adversary and what still has to move, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.