Paper 2024/702

Security Analysis of Signal's PQXDH Handshake

Rune Fiedler, Technische Universität Darmstadt
Felix Günther, IBM Research Europe – Zurich

Signal recently deployed a new handshake protocol named PQXDH to protect against "harvest-now-decrypt-later" attacks of a future quantum computer. To this end, PQXDH adds a post-quantum KEM to the Diffie-Hellman combinations of the prior X3DH handshake. In this work, we give a reductionist security analysis of Signal's PQXDH handshake in a game-based security model that captures the targeted "maximum-exposure" security, allowing fine-grained compromise of user's long-term, semi-static, and ephemeral key material. We augment prior such models to capture not only the added KEM component but also the signing of public keys, which prior analyses did not capture but which adds an additional flavor of post-quantum security in PQXDH. We then establish a fully parameterized, concrete security bound for the session key security of PQXDH, in particular shedding light on a KEM binding property we require for PQXDH's security, and how to avoid it. Our discussion of KEM binding complements the tool-based analysis of PQXDH by Bhargavan, Jacomme, Kiefer, and Schmidt, which pointed out a potential re-encapsulation attack if the KEM shared secret does not bind the public key. We show that both Kyber (used in PQXDH) and its current NIST draft standard ML-KEM (foreseen to replace Kyber once standardized) satisfy a novel binding notion we introduce and rely on for our PQXDH analysis, which may be of independent interest.

Available format(s)
Cryptographic protocols
Publication info
SignalPQXDHkey exchangeKEM bindingpost-quantumhybrid
Contact author(s)
rune fiedler @ cryptoplexity de
mail @ felixguenther info
2024-05-10: approved
2024-05-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Rune Fiedler and Felix Günther},
      title = {Security Analysis of Signal's {PQXDH} Handshake},
      howpublished = {Cryptology ePrint Archive, Paper 2024/702},
      year = {2024},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.