The Quantum-Safe Playbook: How Signal Protected Billions with a Lean Team
Content provided by Cath Firmin. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Cath Firmin or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://ms.player.fm/legal.
Quantum risk is a business risk—and Signal Messenger isn’t waiting for quantum computers to arrive. In this episode of Shielded: The Last Line of Cyber Defense, Johannes Lintzen welcomes Rolfe Schmidt, Research Engineer at Signal Messenger, to explore how one of the world's most privacy-focused messaging platforms implemented post-quantum cryptography—even with a lean team.
What You'll Learn:
- How Signal’s lean team structure shaped their pragmatic, step-by-step approach to PQC migration
- Why hybrid cryptography serves as both a transition strategy and long-term security measure
- The strategic decision-making process behind prioritizing Harvest Now, Decrypt Later protection
- How to integrate post-quantum updates into regular product development workflows
- The challenges and potential solutions for implementing quantum-safe zero-knowledge proofs in metadata protection
- How Signal’s bandwidth optimization enables post-quantum security without compromising user experience
- Why inventorying cryptographic assets and understanding their purpose is crucial before starting PQC migration
- The importance of collaboration with the research community when facing unsolved cryptographic challenges
- How Signal’s evolving ratcheting protocol demonstrates the need for flexibility in early-stage PQC standardization
Rolfe Schmidt is a Research Engineer at Signal Messenger, where he spearheads the organization's post-quantum cryptography initiatives. As the cryptography engineering lead, he has been instrumental in implementing Signal's groundbreaking post-quantum secure messaging protocols, including the successful deployment of ML-KEM (formerly Kyber) for harvest-now-decrypt-later protection in 2023. Schmidt's expertise spans cryptographic protocol design, zero-knowledge proofs, and secure messaging systems, making him a key figure in Signal's transition to quantum-safe security. His work has directly impacted billions of users across platforms that implement the Signal protocol, including WhatsApp and Google Messages.
Here’s your step-by-step guide to how Signal made post-quantum readiness real—no massive team or budget required.
Your Roadmap to Post-Quantum Readiness:
[03:25] Integrating PQC into Regular Development Workflows –
Rolfe explains how Signal treats post-quantum cryptography (PQC) migration as an ongoing part of their product development lifecycle rather than a standalone initiative. By embedding PQC into regular workflows, they avoid treating quantum security as a distant or isolated challenge. Instead of waiting for a "perfect time" to act, Signal continuously assesses threats, evaluates trade-offs, and prioritizes based on resource availability and user risk. This pragmatic approach allows their small team to make incremental, meaningful progress toward quantum resilience while keeping up with day-to-day product demands. Key Question: Are we integrating PQC into our current workflows or waiting for a separate initiative to start?
[04:55] Prioritizing Harvest Now, Decrypt Later Protection –
In early 2023, Signal prioritized protection against Harvest Now, Decrypt Later (HNDL) attacks—where adversaries capture encrypted data now with the intent to decrypt it when quantum computers become available. Rolfe highlights how they made this decision before PQ standards were finalized, confident that ML-KEM (formerly Kyber) had reached sufficient maturity. By developing a hybrid encryption protocol, they added quantum resistance while maintaining their existing security guarantees. The lesson? Organizations can act today, even before the standards landscape is fully settled, by choosing well-supported, low-risk hybrid approaches. Key Question: Are we waiting for perfect standards, or are we mitigating immediate HNDL risks now?
[09:36] Taking a Modular Approach to PQC Migration –
Signal breaks down PQC migration into modular, manageable steps rather than attempting an all-at-once overhaul. Rolfe shares how they evaluate each system and service individually, applying post-quantum upgrades where it makes the most sense—such as updating hardware enclaves or secure channels—without waiting for a full platform redesign. This modular approach allows for gradual implementation, reduces operational risk, and helps teams build PQC familiarity over time. Key Question: Are we breaking PQC migration into smaller, actionable pieces or stuck planning a single massive shift?
[17:24] Planning for Authentication Migration: A Three-Bucket Approach –
Signal approaches authentication migration by categorizing it into three distinct areas: general signatures, user identity proofs, and metadata protection. Rolfe shares how they have clear plans to add quantum-safe digital signatures as hybrid solutions and integrate these changes into their standard product updates. Their method shows that organizations can prepare for authentication migration incrementally, building familiarity with PQ signature libraries now to ensure a smooth transition later. Key Question: Do we have a phased plan for migrating authentication and digital signatures, or are we postponing decisions until the threat is imminent?
[29:23] Practical First Steps for PQC Migration –
Rolfe emphasizes the importance of starting with a comprehensive cryptographic inventory—identifying where public key cryptography is used, why it’s used, and the consequences of quantum compromise. This analysis naturally prioritizes migration tasks and highlights areas where existing PQ solutions can be applied immediately. For challenges without clear answers, engaging the research community can uncover new pathways. Rolfe’s advice: Don’t wait for a mandate—take inventory, prioritize, and start small. Key Question: Have we completed a cryptographic inventory and risk assessment, or are we still mapping our exposure?
Episode Resources:
Want exclusive insights on post-quantum security? Stay ahead of the curve—subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.
✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.
Need help subscribing? Click here for step-by-step instructions.