In September 2023, Signal replaced the key agreement at the start of every new conversation. The old handshake, X3DH, built its shared secret entirely from elliptic-curve Diffie-Hellman operations. The new one, PQXDH, runs the same elliptic-curve exchange and adds a second secret produced by a post-quantum key encapsulation mechanism. Five months later, Apple shipped PQ3 for iMessage in iOS 17.4, built on the same idea with one significant addition. Both upgrades rolled out silently. No user saw a prompt, and no message looked different.
That silence is worth unpacking, because these two deployments moved post-quantum cryptography from conference papers into the default texting apps of a large fraction of the planet, and the design choices they made are a preview of how the rest of the industry will do it.
The Deadline Is Not the Quantum Computer
A cryptographically relevant quantum computer, one that can run Shor's algorithm against real key sizes, does not exist. Estimates of when one might range from a decade to never. If that were the whole story, upgrading in 2023 would have been early.
It is not the whole story, because encrypted traffic can be stored. An adversary that captures your TLS sessions or your messaging handshakes today can hold the ciphertext until decryption becomes possible, then read everything retroactively. The approach is usually called harvest now, decrypt later. For most people the risk is abstract. For a journalist's source list, a dissident's contact graph, or a company's negotiating position, a message that must stay confidential for fifteen years has to be encrypted, today, against the computer that might exist in fifteen years.
Quantum attacks split into two categories. Breaking confidentiality works retroactively on recorded ciphertext, so the key exchange had to move first. Forging signatures only helps an attacker at the moment of the handshake, so classical authentication can wait until post-quantum signatures mature. Both Signal and Apple made exactly this split.
What PQXDH Actually Does
PQXDH keeps the entire X3DH structure: long-term identity keys, signed prekeys, one-time prekeys uploaded to the server so that conversations can start while the recipient is offline. To this it adds a Kyber-1024 key encapsulation. Kyber, standardized by NIST in 2024 under the name ML-KEM, is a lattice-based scheme; its security rests on a different mathematical problem than elliptic curves, one with no known quantum shortcut.
The important design decision is that the two exchanges are combined, not substituted. The elliptic-curve secrets and the Kyber secret are all fed into the key derivation function together. An attacker has to break both to recover the session key. This hybrid construction is deliberate humility: lattice cryptography is newer than elliptic curves, and if a classical weakness turns up in Kyber, the conversation is still protected by X25519. The same belt-and-suspenders reasoning appears in post-quantum TLS.
The cost is size. An X25519 public key is 32 bytes. A Kyber-1024 public key is 1,568 bytes. Prekey bundles got bigger, servers store more, and handshakes carry more data. For a messenger this is noise on a modern connection, which is part of why the rollout could be silent.
PQ3 and the Rekeying Problem
Apple's PQ3 starts from the same playbook: hybrid initial key agreement, elliptic curves plus Kyber, secrets combined so both must fall. Then it addresses a problem PQXDH initially left open: what happens after the handshake.
Modern messengers do not use one key per conversation. The Double Ratchet continuously replaces keys, which is what gives you forward secrecy and self-healing after a compromise. In Signal's 2023 design, the ratchet's ongoing Diffie-Hellman steps remained classical, so the post-quantum guarantee applied to the conversation's starting secret. PQ3 built periodic post-quantum rekeying into the conversation itself: fresh Kyber material is woven in as the conversation progresses, so even a conversation that runs for years keeps re-anchoring itself to post-quantum secrets.
Signal closed the same gap from its own direction. In 2025 it published the Sparse Post-Quantum Ratchet, which adds a quantum-resistant component to the ongoing ratchet rather than only the handshake. The engineering challenge in both designs is the same: Kyber material is fifty times the size of the elliptic-curve equivalent, and a ratchet touches every message, so the schemes go to real lengths to amortize the large keys across many messages instead of paying the cost each time.
What Stays Classical, and Why That Is Fine For Now
Neither system uses post-quantum signatures for identity. Your long-term identity key, the thing your contacts verify, is still an elliptic-curve key. This is a considered choice, not an oversight. To exploit it, an attacker needs a working quantum computer at the time of the attack, because forging an identity only helps during a live handshake. Recorded traffic does not become forgeable in retrospect. When post-quantum signature schemes settle down (they are currently much larger and less battle-tested than ML-KEM), identity keys can migrate without invalidating the confidentiality work already shipped.
| Component | Signal (PQXDH + SPQR) | iMessage (PQ3) |
|---|---|---|
| Initial key agreement | Hybrid: X25519 + Kyber-1024 | Hybrid: elliptic curve + Kyber |
| Ongoing rekeying | Post-quantum ratchet added 2025 | Periodic post-quantum rekeying from launch |
| Identity / authentication | Classical elliptic curve | Classical elliptic curve |
| Fallback if Kyber breaks classically | Elliptic-curve layer still holds | Elliptic-curve layer still holds |
How to Read a Post-Quantum Claim
As more services advertise quantum resistance, the useful questions are specific ones. Is the post-quantum exchange hybrid, or did the classical layer get removed? Does the protection cover only the first handshake, or does rekeying stay quantum-resistant over the life of the conversation? Is the scheme a NIST-standardized one like ML-KEM, or something proprietary? And is there a published protocol description that outside cryptographers can check? Signal and Apple both published detailed designs and invited formal analysis; several academic verifications of PQ3 and PQXDH followed. A vendor that claims quantum safety without showing the construction is asking for trust it has not earned.
It is also worth keeping the threat in proportion. For most attackers, breaking the cryptography was never the plan. Compromising the endpoint is cheaper, today and in the quantum future: a phone infected with mercenary spyware reads your messages in plaintext regardless of which lattice problem protects the wire. Post-quantum migration protects one specific, real, long-horizon risk. It does not change the rest of your threat model.
The broader math behind lattice schemes is covered in our lattice cryptography explainer, and the general migration picture, including the signature problem, in the post-quantum overview. Group messaging is the next frontier: the MLS working group is standardizing post-quantum ciphersuites, and group protocols multiply the key-size problem by the member count, which makes the amortization tricks above matter even more.