Post-quantum cryptography

A common theoretical attack is “harvest now, decrypt later”, in which the attacker harvests a lot of encrypted messages and years later, once reliable large quantum computers are developed or a classical attack against a common encryption scheme is found, decrypt all of the messages which were harvested. Protecting against the future quantum computing attack is an important goal, since any algorithm relying on the fact that factoring large numbers is a very hard and time-consuming problem, but Shor’s algorithm, when run on a sufficiently large quantum computer, can factor a large number N in O(log N) time. This means that it’s important to use encryption algorithms that don’t rely on factoring large numbers being a hard problem.

There are many post-quantum encryption algorithms that have been proposed, but multiple flaws have already been found. Therefore, it’s important to use both a post-quantum encryption algorithm and a regular encryption algorithm to encrypt data, so that we don’t accidentally worsen our security. Proton is working on a standard to use post-quantum cryptography algorithms in combination with classical encryption in OpenPGP, which would be relevant to us. Meanwhile, iMessage PQ3 is a protocol that has been independently audited, and also uses post-quantum cryptography in combination with classical encryption. If any of you find any other post-quantum cryptographic protocols designed for messaging applications, please reply with info about them.

I think that it’s important to implement post-quantum cryptography in order to secure users’ data. Unfortunately, this field is still very underdeveloped, but Delta Chat could gain a major advantage if we manage to successfully implement post-quantum cryptography, securing our users’ messages better than even Signal. At this time, companies like Apple don’t think post-quantum authentication is necessary, but if “harvest now, decrypt later” attacks on our authentication protocols could reveal personally identifiable information or public keys which are attached to a chatmail account, implementing post-quantum authentication might be necessary to protect against those attacks.

1 Like

The current plan on this is to wait for the next OpenPGP version that aims to add post-quantum AFAIK.

Post-quantum and next version of OpenPGP are two different RFCs.
New OpenPGP v6 is at
Post-quantum is at


There is this article that I found on post-quantum cryptography integrated into Delta Chat: Quantum-resistant End-to-End Secure Messaging and Email Communication | Proceedings of the 18th International Conference on Availability, Reliability and Security

In fact, reading this article is how I became aware that Delta Chat exists, and now I use it as my daily driver for email (though I still have a traditional client for more “formal” style emails).


Thanks for the interesting link. Wasn’t aware of this paper! Funny that the author’s never contacted us.

Very interesting indeed!

I assume that Delta Chat will work off the same OpenPGP standard as Proton and therefore implement post-quantum cryptography around the same time as Proton.

While I wouldn’t recommend Signal in general, it has already implemented post-quantum cryptography.

I agree that post-quantum cryptography is necessary and I look forward to its integration in Delta Chat hopefully in the not too distant future!

That is interesting. Did they just implement post-quantum cryptography in Delta Chat (custom fork) and not tell anyone in the Delta Chat community?

The paper says they modified rpgp and simply linked that to Delta Chat. Evidently Delta Chat changes were minimal, but rpgp needed a bit more work.

The paper has email addresses. They say their implementation may be of interest to others, which suggests they may be open to contribute back to Delta Chat???

We’ll certainly mail the folks and their changes were already discussed among rpgp developers yesterday – it will not be too hard to add support even without any outside contribution.

The main issue at play here is the ongoing IETF OpenPGP discussion around draft-wussler-openpgp-pqc-04 - Post-Quantum Cryptography in OpenPGP – i.e. how the specification side plays out. We recently had good discussions and remain in close contact with Proton folks about it. The critical, not yet fully conceptualized issue, will be how to phase PQC keys into Delta Chat, both for existing and future users.

Thanks again for pointing to the paper which is helpful for this overall process!

1 Like