Which Messengers Are Already Quantum-Safe?

Signal and iMessage lead public post-quantum deployment; WhatsApp, Google Messages, Telegram, Threema, Viber, Wire, and Matrix require closer status checks

Type: Comparative Analysis
Published: July 2026
Keywords: PQXDH, PQ3, ML-KEM, Signal Protocol, Double Ratchet, Harvest-Now-Decrypt-Later, quantum-safe messaging, post-quantum cryptography

Abstract

Most people assume their messaging app is private. But encrypted is not the same as quantum-safe. The key exchange step — the handshake that establishes a shared secret before any message is sent — is vulnerable to Shor's algorithm unless it uses post-quantum protection. Signal and iMessage have publicly documented post-quantum protections at scale. WhatsApp, Google Messages, Telegram, Threema, Viber, Wire, and Matrix differ sharply in public evidence, deployment status, protocol scope, and roadmap maturity. This analysis explains what each major messenger appears to do under the hood, what remains uncertain, and how to read the landscape as a developer or decision-maker.

Key Points at a Glance

  • Signal and iMessage are the strongest public examples of post-quantum secure messaging at scale. Signal first introduced PQXDH for post-quantum session establishment and later announced SPQR / Triple Ratchet for ongoing post-quantum ratcheting. Apple iMessage uses PQ3 with post-quantum session establishment and periodic in-session post-quantum rekeying.
  • WhatsApp's post-quantum chat deployment lacks public technical documentation. WhatsApp is based on Signal Protocol concepts, but no primary WhatsApp or Meta technical source currently confirms the exact post-quantum parameters used for chat-session key exchange.
  • Google Messages has not publicly confirmed post-quantum key exchange in production. Google Messages provides end-to-end encrypted RCS for supported conversations, and post-quantum MLS work is relevant, but no primary Google source confirms production ML-KEM deployment for RCS chat sessions.
  • Telegram is not quantum-safe. Telegram cloud chats are not end-to-end encrypted against Telegram's servers, and Secret Chats use classical Diffie-Hellman rather than a published post-quantum upgrade.
  • The harvest-now, decrypt-later window is open today. Messages sent via non-PQ or classical-only protocols can be archived and targeted later if a cryptographically relevant quantum computer becomes available.

1. Why Key Exchange — Not Message Encryption — Is the Quantum Weak Point

Think of a messaging session as two parts: a vault and the locksmith visit that sets its combination. The vault is the symmetric layer — usually a high-strength symmetric cipher that encrypts your message content. The locksmith visit is the key exchange — the cryptographic handshake that establishes the shared secret before a single byte of message is sent. A cryptographically relevant quantum computer primarily threatens the public-key handshake, not modern high-security symmetric encryption such as AES-256.

Shor's algorithm, running on a sufficiently large quantum computer, can derive a private key from a public key in polynomial time. This directly collapses every asymmetric algorithm used in key exchange today: X25519 (Curve25519 ECDH), ECDH over other curves, and RSA. The moment a cryptographically relevant quantum computer (CRQC) exists, any session key negotiated with these primitives can be reconstructed after the fact.

AES-256 is a different story. Grover's algorithm provides a quadratic speedup against exhaustive key search, reducing the effective security of AES-256 to roughly 128-bit quantum security. That remains a conservative symmetric-security target for long-term protection.

Modern messengers like Signal use ratcheting protocols that generate fresh key material as a conversation progresses, providing forward secrecy: compromise of today's state should not expose the full past conversation. In the post-quantum setting, however, a classical elliptic-curve Diffie-Hellman ratchet is not enough by itself. If a ratchet step relies only on classical Diffie-Hellman and the relevant public transcript was harvested, a future quantum adversary could reconstruct that Diffie-Hellman contribution. Protocol state deletion and symmetric chaining still matter, but the classical Diffie-Hellman part no longer provides post-quantum protection.

The Two-Layer View

Symmetric layer (AES-256): Grover's reduces security to ~128-bit equivalent. Still safe — no replacement needed.

Asymmetric key exchange (X25519 / ECDH / RSA): Shor's derives private keys from public keys. Broken by a CRQC — must be replaced or augmented.

2. The Harvest-Now, Decrypt-Later Risk for Messaging

As we detail in our analysis of harvest-now, decrypt-later (HNDL) threats, sophisticated adversaries are already intercepting and storing encrypted traffic today, banking on their ability to decrypt it once quantum hardware matures. The question is not whether this is happening — signals intelligence agencies have the infrastructure and the motive — but whether the data collected today is worth decrypting in five to fifteen years.[6]

For messaging, this risk is distinctly higher than for most TLS web traffic. A typical HTTPS session fetches a web page that loses its value in minutes. A message thread, by contrast, can contain negotiation records, legal discussions, source relationships, and strategic plans that remain sensitive for decades. The "harvest window" for a journalist protecting a source, or a company discussing an acquisition, extends years into the future — well within the projected timeline for early CRQC capability.

Risk calibration matters here. For everyday personal conversations, the probability that a nation-state adversary is storing your traffic and waiting to decrypt it is vanishingly small. But for users operating in high-stakes environments, the threat is real and active today, with no warning before exploitation occurs.

⚠️ Who Is Actually at Risk Today

Users who should migrate to a quantum-safe messenger now — before a CRQC exists:

  • Journalists protecting confidential sources
  • Lawyers and legal teams discussing privileged matters
  • Corporate teams handling M&A, IP, or competitive intelligence
  • Government and diplomatic personnel
  • Activists and human rights workers in adversarial environments
  • Security researchers disclosing vulnerabilities before patches are released

3. What "Quantum-Safe Messaging" Actually Means

A hybrid key encapsulation mechanism (KEM) combines a classical key exchange such as X25519 with a post-quantum KEM such as ML-KEM in a single handshake. In a correctly designed hybrid key exchange, confidentiality is intended to remain secure if either the classical component or the post-quantum component remains secure. This depends on the combiner, authentication binding, downgrade resistance, key separation, and implementation details. Hybrid deployment adds PQ protection without betting everything on an algorithm family whose final NIST standard was published only in 2024.

ML-KEM is the standardized form of CRYSTALS-Kyber, a lattice-based key-encapsulation mechanism standardized in NIST FIPS 203 in August 2024.[5] It comes in three parameter sets: ML-KEM-512 (NIST Security Level 1), ML-KEM-768 (Level 3), and ML-KEM-1024 (Level 5). Levels 3 and 5 are commonly discussed for messaging deployments — the difference is a trade-off between key/ciphertext size and the security margin against future cryptanalytic improvements.

Forward secrecy in the post-quantum context adds a second dimension beyond just upgrading the initial key exchange. PQXDH protects the session-establishment handshake with ML-KEM. Apple PQ3 goes further by adding periodic post-quantum rekeying inside active sessions. Signal later announced SPQR, a sparse post-quantum ratchet mixed with the existing Double Ratchet as a Triple Ratchet, to add ongoing post-quantum key updates after session establishment.

PQXDH, PQ3, and SPQR: Different Levels of Post-Quantum Ratcheting

PQXDH: Hybrid ML-KEM + X25519 at session establishment. It protects the initial session setup, which is the most valuable target for many harvest-now, decrypt-later attacks.

PQ3 (Apple iMessage): Hybrid ML-KEM + Curve25519 at session establishment, plus periodic in-session PQ rekeying. Apple classifies this as "Level 3" — the highest tier in its taxonomy.

SPQR / Triple Ratchet (Signal): A later Signal design that mixes a sparse post-quantum ratchet into the existing ratcheting protocol so conversations receive ongoing post-quantum key updates, not only PQ session establishment.

4. Messenger-by-Messenger Quantum-Safety Analysis

Signal

Signal was the first major consumer messenger to publish and deploy post-quantum session establishment. In September 2023, the Signal Foundation published the PQXDH (Post-Quantum Extended Diffie-Hellman) specification and shipped it to production.[1] PQXDH replaces the classical X3DH (Extended Triple Diffie-Hellman) session-establishment step with a hybrid construction: an ML-KEM-1024 key encapsulation is layered alongside the existing X25519 Diffie-Hellman, with the shared secrets combined through a key-derivation function. This uses the highest ML-KEM parameter set.

Signal later announced SPQR (Sparse Post Quantum Ratchet), mixed with the existing Double Ratchet as a Triple Ratchet.[11] This is an important update: Signal should no longer be described only as "post-quantum at session establishment" if the article is being reviewed in 2026. The public claim is that conversations can receive ongoing post-quantum key updates after the initial PQXDH handshake.

Signal is fully open-source, including the libsignal library that implements these protocol components. Its public specifications make Signal one of the most transparent large-scale deployments of post-quantum secure messaging.

Apple iMessage

Apple launched PQ3 in February 2024, shipping with iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4.[2] PQ3 uses ML-KEM-768 combined with Curve25519 (the Edwards form of X25519) for session establishment. Apple's internal security taxonomy runs from Level 1 (no E2EE) to Level 3 (PQ at session start plus in-session rekeying); PQ3 is Level 3 — the highest.

The periodic rekeying is PQ3's defining feature relative to PQXDH. Roughly every 50 messages or 7 days (whichever comes first), iMessage performs a fresh post-quantum key exchange within the ongoing conversation. A HNDL adversary who captures weeks of ciphertext and later obtains a session key can only decrypt messages within the affected rekeying window, not the entire conversation history.

An important scope note: PQ3 protects iMessage — the protocol behind blue-bubble conversations between Apple devices. SMS fallback (green bubbles) and RCS are separate protocols and are not covered. Only device-to-device iMessage with E2EE active receives PQ3 protection.

WhatsApp

WhatsApp is built on Signal Protocol concepts and provides end-to-end encryption for personal messages by default. Public discussion often groups WhatsApp with Signal-style post-quantum messaging upgrades, but no primary WhatsApp or Meta technical source currently documents the exact post-quantum parameters deployed for chat-session key exchange. The only available Meta Engineering source concerns post-quantum security for encrypted backups — a different protocol surface from production chat-session establishment.

Until a technical disclosure clarifies WhatsApp's chat-session key exchange, its post-quantum status remains unconfirmed. The distinction matters: encrypted backups, session establishment, and in-session ratcheting are different protocol surfaces.

WhatsApp is closed-source. Even where high-level protocol claims are published, independent verification of production deployment details is more limited than for open-source implementations such as Signal.

Google Messages

Google Messages provides end-to-end encrypted RCS (Rich Communication Services) conversations when the required client and service conditions are met.[4] However, no primary Google technical source has confirmed production deployment of post-quantum key exchange (such as ML-KEM-768) for RCS chat sessions.

The standards direction is clear: MLS and post-quantum MLS work are important for future group and cross-platform messaging security. But end-to-end encrypted RCS and post-quantum key exchange are separate capabilities. Standard SMS is not end-to-end encrypted, and cross-platform RCS support depends on the deployed protocol and client stack.

Telegram

Telegram Is Not Quantum-Safe

Telegram's MTProto 2.0 protocol uses 2048-bit Diffie-Hellman for "Secret Chats" (device-to-device E2EE). No post-quantum upgrade has been announced or committed to.[8] DH-2048 is directly vulnerable to Shor's algorithm on a CRQC.

Regular Telegram chats — including ordinary group chats — are not end-to-end encrypted against Telegram's servers. Telegram's cloud-chat architecture is therefore a present-day trust and access-control issue, separate from the future quantum threat.

Threema

Threema uses NaCl/libsodium for its cryptographic primitives, with X25519 for key exchange. The classical security posture is strong — Threema has undergone independent third-party audits and does not require accounts to be linked to phone numbers or email addresses. In February 2026, Threema announced a collaboration with IBM Research to implement post-quantum cryptography.[12] This is a public roadmap signal, but not the same as confirmed production PQ deployment.

Viber

Viber adopted end-to-end encryption in 2016 using a custom protocol based on similar double-ratchet concepts to Signal rather than the Signal Protocol implementation itself. The underlying key exchange relies on classical elliptic-curve cryptography. No public post-quantum deployment or roadmap has been disclosed. The classical protocol provides strong security today but is vulnerable to a future CRQC if harvested session-establishment material is sufficient to reconstruct the relevant key exchange.

Wire

Wire has upgraded its standard messaging protocol from Proteus to Messaging Layer Security (MLS).[10] MLS is a modern standard for end-to-end encrypted group messaging, but a standard MLS deployment is not post-quantum-safe unless it uses a post-quantum MLS ciphersuite or hybrid ML-KEM integration. As of July 2026, no public evidence indicates that Wire's production messaging uses post-quantum key exchange.

Matrix / Element

Matrix is an open, federated messaging protocol; Element is the primary client. The encryption layer uses Olm (a Signal Protocol double-ratchet implementation) and MegOlm for group messaging. The Matrix.org foundation has published research on post-quantum integration — including PQ-MLS approaches — but nothing has reached production as of early 2026.

Matrix's federated and multi-client architecture adds a genuine complexity layer: clients, room versions, device management, cross-signing, key backup, and key-distribution behavior must interoperate across homeservers. This is more complex than a centralized messenger rollout, even though end-to-end encryption is primarily a client-side security property.

5. Head-to-Head: Quantum-Safety Status at a Glance

Figure 1: Quantum-Safety Tiers Across Major Messengers
DEPLOYED PQ + ONGOING PQ KEY UPDATES Apple iMessage PQ3 — ML-KEM-768 + Curve25519, periodic PQ rekeying Signal SPQR / Triple Ratchet — ongoing PQ updates DEPLOYED PQ SESSION ESTABLISHMENT Signal PQXDH — X25519 + ML-KEM-1024 at session setup E2EE OR ROADMAP, BUT PQ CHAT DEPLOYMENT NOT CONFIRMED HERE WhatsApp (primary-source-needed), Google Messages RCS, Threema, Wire MLS, Matrix / Element NO DEFAULT PQ PROTECTION / LIMITED E2EE SCOPE Telegram — cloud chats are not E2EE against Telegram servers; Secret Chats are classical DH only
Messenger Protocol / Scope PQ Status Algorithm(s) Evidence Level Open Source Notes
Signal PQXDH; SPQR / Triple Ratchet Deployed / announced rollout X25519 + ML-KEM-1024; SPQR for ongoing PQ updates Official technical specifications / official blog Yes Strongest public transparency among large messengers
Apple iMessage PQ3 for iMessage Deployed Curve25519 + ML-KEM-768 Official technical blog and security analysis Partial Periodic PQ rekeying; iMessage only, not SMS
WhatsApp Signal Protocol-derived E2EE chats Primary source needed Not publicly documented for chat sessions Backup-only source; no chat-session source available No Encrypted backups and chat-session key exchange are separate surfaces
Google Messages RCS E2EE for supported conversations Not confirmed here Not publicly confirmed for RCS Official E2EE documentation; no PQ chat confirmation No SMS excluded; RCS scope depends on client and service conditions
Telegram MTProto 2.0; Secret Chats only for E2EE No DH-2048 for Secret Chats Official protocol documentation Partial Cloud chats are not E2EE against Telegram servers
Threema NaCl / libsodium Roadmap announced X25519 today; PQ implementation collaboration announced Official roadmap announcement No Classical E2EE today; IBM Research collaboration announced Feb. 2026
Viber Custom double-ratchet-style E2EE No Classical elliptic-curve key exchange Public product documentation No No PQ roadmap disclosed
Wire MLS, formerly Proteus No confirmed PQ deployment Not publicly documented Official MLS migration documentation; no PQ evidence Yes MLS is not automatically post-quantum-safe
Matrix / Element Olm / MegOlm; MLS direction In progress / standards work X25519 today Standards and ecosystem work Yes Federated and multi-client deployment is complex

6. Developer Takeaways: Building or Selecting a Quantum-Safe Messenger

If you are building a new messaging application and need post-quantum key exchange today, do not write ML-KEM from scratch. libsignal, Signal Foundation's open-source library, includes PQXDH and related messaging protocol components. liboqs (Open Quantum Safe project) provides standalone ML-KEM implementations in C with language bindings for Python, Go, Java, and others. The correct engineering task is protocol integration, authentication, downgrade resistance, key storage, and deployment safety — not implementing lattice cryptography by hand.

Key exchange is not the only surface to audit. The key distribution server — the mechanism by which pre-keys are uploaded, stored, and fetched to initiate new sessions — must also be hardened. If an attacker can intercept or replace a pre-key bundle before a session begins, they can substitute a classical-only key regardless of what your protocol specifies. Identity key management (how long-term identity keys are generated, stored, and rotated) is a second vector that PQ-capable protocols must address.

Use the hybrid model during the transition period. Deploying ML-KEM alone, without a classical component, discards the classical security guarantee that users already rely on. Hybrid (PQ + classical) is the correct default until ML-KEM accumulates the same decades of real-world cryptanalytic scrutiny that X25519 has.

Recommended Libraries for PQ Messaging

  • libsignal (Signal Foundation) — includes PQXDH; production-tested; Apache 2.0 license
  • liboqs (Open Quantum Safe) — standalone ML-KEM + other NIST algorithms; MIT license; C with broad language bindings
  • wolfSSL — post-quantum TLS and KEM support; suitable for embedded / IoT messaging contexts
  • BouncyCastle (Java/C#) — FIPS 203 ML-KEM implementation in the PQC extensions package

Developer checklist:

7. End-User Guidance: Choosing a Quantum-Safe Messenger

For everyday personal communication — catching up with friends and family, making plans, sharing photos — any end-to-end encrypted messenger provides adequate security today. The quantum computer capable of retroactively breaking past messages does not yet exist, and when it does exist, it will initially be an extraordinarily expensive and scarce resource. Nation-states will not use it to read your dinner plans.

For users with a higher threat model — journalists protecting sources, lawyers discussing privileged matters, executives handling sensitive negotiations — the calculus is different. Prefer messengers with publicly documented post-quantum protections, especially Signal and iMessage. Both are widely available, user-friendly, and have published technical material describing post-quantum messaging protection. Avoid using Telegram cloud chats for sensitive communications regardless of the quantum threat: Telegram's ordinary and group chats are not end-to-end encrypted against Telegram's servers, which is a more immediate and concrete limitation than the future quantum risk.

⚠️ Telegram: Two Reasons to Be Cautious

  1. Regular and group chats are not end-to-end encrypted against Telegram's servers. Telegram cloud chats rely on Telegram's server-side architecture. This is a present-day trust and access-control issue, not a future quantum issue.
  2. Secret Chats use DH key exchange not protected against quantum computers. Even Telegram's opt-in E2EE mode uses DH-2048, which is directly broken by Shor's algorithm on a CRQC. Harvested Secret Chat ciphertext is a future quantum risk.

8. What Comes Next: The PQ Messaging Roadmap

The Messaging Layer Security (MLS) protocol — standardized as IETF RFC 9420 in July 2023 — is the next-generation architecture for group messaging at scale.[9] MLS defines a tree-based ratcheting scheme that scales end-to-end encryption to large groups efficiently. Post-quantum MLS work is underway in the IETF ecosystem, but implementers should distinguish standards work, draft cipher suites, and production deployment. A messenger should not be called quantum-safe merely because its future architecture may use MLS.

Regulatory pressure on messenger providers will increase. The NSA CNSA 2.0 suite mandates post-quantum algorithm adoption for high-value government and defense communications, with migration timelines beginning in 2025 and targeting completion by 2030.[13] While consumer messenger regulation has not yet followed, NIS2 (EU) and emerging national cybersecurity frameworks are expected to extend PQ requirements to commercial communications providers handling sensitive or regulated data. Messengers that have not begun PQ migration by 2027–2028 may face compliance pressure in regulated sectors.

Standards to Watch

  • NIST FIPS 203 — ML-KEM standard (final, August 2024): the reference for any compliant PQ key exchange implementation
  • IETF RFC 9420 — Messaging Layer Security Protocol: the foundation for next-generation group E2EE; PQ-MLS drafts extend it with ML-KEM
  • NSA CNSA 2.0 (2022) — mandates ML-KEM for key agreement in national security systems; sets the migration timeline benchmark
  • EU NIS2 Directive — requires "state of the art" cryptography for essential and important entities; PQ migration expectations are forming

Next Step

Understand why messages sent on non-PQ messengers today are a live interception target — even before any quantum computer exists.

Read: The Harvest-Now, Decrypt-Later Threat →

How to Cite This Article

APA

PostQuantumSecurity.org. (2026, February 1). Which Messengers Are Already Quantum-Safe? Signal, WhatsApp, iMessage and More. https://www.postquantumsecurity.org/publications/pqc_messengers.html

IEEE

PostQuantumSecurity.org, "Which Messengers Are Already Quantum-Safe? Signal, WhatsApp, iMessage and More," Feb. 1, 2026. [Online]. Available: https://www.postquantumsecurity.org/publications/pqc_messengers.html

BibTeX / LaTeX

@misc{pqcryptography_pqc_messengers,
  author       = {{PostQuantumSecurity.org}},
  title        = {Which Messengers Are Already Quantum-Safe? Signal, WhatsApp, iMessage and More},
  year         = {2026},
  month        = feb,
  day          = {1},
  url          = {https://www.postquantumsecurity.org/publications/pqc_messengers.html}
}

References

  1. Signal Foundation. (2023, September). PQXDH: Post-Quantum Extended Diffie-Hellman. https://signal.org/docs/specifications/pqxdh/
  2. Apple Security Engineering and Architecture. (2024, February). iMessage with PQ3: The new state of the art in quantum-secure messaging. https://security.apple.com/blog/imessage-pq3/
  3. Meta Engineering. (2024). Post-quantum security for end-to-end encrypted backups. Meta Engineering Blog. Note: this source concerns encrypted backups; it should not be used alone to prove WhatsApp chat-session PQXDH deployment.
  4. Google Messages Help. About end-to-end encryption in Google Messages. https://support.google.com/messages/answer/10262381
  5. National Institute of Standards and Technology. (2024, August). FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM). https://csrc.nist.gov/pubs/fips/203/final
  6. PostQuantumSecurity.org. (2025, June). The Quantum Clock Is Ticking: What is Harvest-Now, Decrypt-Later? https://www.postquantumsecurity.org/publications/harvest-now-decrypt-later.html
  7. Marlinspike, M., & Perrin, T. (2016, November). The Double Ratchet Algorithm. Signal Foundation. https://signal.org/docs/specifications/doubleratchet/
  8. Telegram. MTProto Mobile Protocol. https://core.telegram.org/mtproto
  9. Barnes, R., et al. (2023, July). RFC 9420: The Messaging Layer Security (MLS) Protocol. IETF. https://www.rfc-editor.org/rfc/rfc9420
  10. Wire. Messaging Layer Security (MLS). https://support.wire.com/hc/en-us/articles/12434725011485-Messaging-Layer-Security-MLS
  11. Signal Foundation. (2025, October). SPQR: A Sparse Post-Quantum Ratchet for Signal. https://signal.org/blog/spqr/
  12. Threema. (2026, February). Towards a Quantum-Secure Future: Threema and IBM Research Join Forces. https://threema.ch/en/blog/quantum-secure-future
  13. National Security Agency. (2022, September). Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) Advisory. NSA/CISA Advisory