We are delighted to share with you the second episode of our new Podcast Shielded: The Last Line of Cyber Defense.
Hosted by our Global Business Development Director Johannes Lintzen, we dive into the world of post-quantum cryptography, examining how businesses and industries can prepare for the upcoming quantum revolution. From practical steps to real-world case studies and expert interviews, Shielded is an essential guide to navigating the future of cybersecurity.
Episode 2: The Quantum-Safe Playbook: How Signal Protected Billions with a Lean Team
Quantum threats are no longer a distant concern. As adversaries engage in Harvest Now, Decrypt Later attacks—collecting encrypted data today with the intention of decrypting it once quantum computers mature—the urgency to act has become immediate. While many organizations are still debating when to begin their post-quantum journey, Signal Messenger didn’t wait. Despite being a nonprofit with a lean cryptography team, Signal deployed quantum-resistant encryption protocols in 2023, protecting billions of messages in real time.
In a recent episode of Shielded: The Last Line of Cyber Defense, Signal’s Research Engineer, Rolfe Schmidt, joined host Johannes Lintzen to share how one of the world’s most privacy-centric messaging platforms made the leap to post-quantum security—without a massive team or budget. The conversation offers not just a technical deep dive, but a pragmatic roadmap for organizations of any size to follow.
The threat landscape has already shifted. As Rolfe explains, adversaries are collecting encrypted network data—everything from messages and media to call contents—with the intent of decrypting it once quantum capabilities allow. “The entire Internet was subject to Harvest Now, Decrypt Later attacks,” he says. “We’re talking about all our users’ messages, media, call contents—everything.” This risk isn’t limited to tech companies or state agencies; it affects any organization handling sensitive contracts, customer data, intellectual property, or information with long-term confidentiality requirements. Waiting for compliance deadlines or finalized standards may seem practical, but it can leave companies exposed and scrambling.
Signal’s approach wasn’t driven by urgency alone—it was grounded in engineering pragmatism. Rather than creating a dedicated post-quantum team or running a separate migration track, the company integrated PQC into its existing product development workflows. “We don’t have a team dedicated to the post-quantum transition,” Rolfe notes. “The post-quantum transition is part of our regular product development workflow.” In early 2023, Signal deployed a hybrid encryption protocol that layered the classical Elliptic Curve Diffie-Hellman (ECDH) algorithm with ML-KEM (formerly Kyber), a lattice-based post-quantum algorithm. This hybrid model allowed the team to enhance security without abandoning existing protections or waiting for standards to be finalized.
“Did we feel like a major risk that [Kyber] was insecure or broken in some important way? No, we didn’t really see that,” Rolfe explains. “And we could prove that even if Kyber was completely broken, that this new protocol wouldn’t take away any security guarantees from our current users.” Hybrid cryptography, in this case, wasn’t a stepping stone—it was a deliberate long-term strategy. Signal plans to keep classical guarantees in place as long as they remain meaningful, while layering in post-quantum strength.
What’s notable is how seamlessly PQC became part of Signal’s normal engineering rhythm. Rolfe emphasizes that each improvement was pragmatic and incremental. One example involved updating secure hardware enclaves to use ML-KEM. Since the system was already being upgraded, the team simply added PQC support as part of that process. This kind of “opportunistic” migration—tackling post-quantum readiness in parallel with planned upgrades—is a key part of Signal’s approach.
Signal also tackled one of the biggest hesitations around PQC adoption: performance. Lattice-based algorithms like Kyber tend to come with larger keys and higher computational costs. But through engineering optimizations, Signal was able to maintain performance parity, even in bandwidth-constrained regions. As Rolfe puts it, the idea that PQC migration must come with steep tradeoffs simply isn’t true—especially for organizations willing to be strategic.
Looking ahead, Signal is exploring post-quantum zero-knowledge proofs (ZKPs) to address metadata privacy—ensuring not only that messages are protected, but that information about who is talking to whom remains private as well. “We don’t want to know. We can’t know who is in a group. So this has to be encrypted in a way that we can’t see—only group members can see it,” Rolfe says. As metadata becomes a higher-value target, these next-generation privacy techniques will be essential.
For other organizations wondering where to start, Rolfe’s advice is simple: “Just inventory your use of public key cryptography. Find out like what are you up against? Where do you use it and why?” Once you’ve identified your cryptographic dependencies, treat PQC as a core part of ongoing product development, not a future project. That mindset shift—from waiting for the right moment to integrating PQC into regular workflows—is what enabled Signal to move quickly and securely with limited resources.
The benefits of early action are both technical and strategic. Organizations that start now can spread costs over time, reduce compliance risk, and avoid being forced into hasty migrations. More importantly, they can earn customer trust, differentiate themselves as security leaders, and influence the direction of emerging standards. As Rolfe’s perspective throughout the conversation makes clear, the question isn’t whether to begin—it’s how to begin wisely.
Signal’s journey proves that organizations don’t need a large cryptography team or a full roadmap in place to start making progress. What’s needed is the conviction to act—and a commitment to building quantum resilience into the systems that matter most.
About Signal
Signal is an independent nonprofit organization dedicated to developing open-source privacy technology that protects free expression and enables secure global communication. Known for its end-to-end encrypted messaging and calling app, Signal has become a trusted platform for millions of users around the world—including journalists, activists, and everyday users seeking uncompromising privacy. The Signal Protocol is widely regarded as the gold standard for secure messaging and is used by major platforms across the tech industry.
…………………………………………………………………….
Want exclusive insights on post-quantum security? Stay ahead of the curve—subscribe to Shielded: The Last Line of Cyber Defense on…
✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.
Need help subscribing? Click here for step-by-step instructions.