
Autocrypt v2 Achieves Post-Quantum Cryptography and Reliable Deletion

Autocrypt v2 has been released. It combines post-quantum cryptography (ML-KEM-768) with reliable deletion (clock-time based), achieving forward secrecy without synchronization. Based on OpenPGP v6, the certificate is 2938 bytes.

4 min read Reviewed & edited by the SINGULISM Editorial Team


On June 29, 2026, the messaging encryption standard “Autocrypt v2” was released, led by Daniel Kahn Gillmor of the ACLU, Friedel Ziegelmayer of n0, and holger krekel of merlinux. This specification places post-quantum cryptography and “Reliable Deletion” at its core, and is designed for distributed, delay-tolerant messaging systems. Based on OpenPGP v6 (RFC 9580), it provides automatic and interoperable end-to-end encryption.

Design to Counter “Decrypt-Now, Decrypt-Later” Attacks

One of the greatest threats in modern messaging is the “decrypt later” attack. Attackers collect encrypted messages as they traverse the network, and later obtain the private key, or use a quantum computer, to decrypt past communications en masse. Autocrypt v2 counters this threat in two stages.

As the first stage, it adopts a hybrid cryptosystem in anticipation of the post-quantum era, which today's pre-quantum public-key cryptography cannot withstand. As the second stage, reliable deletion automatically destroys and invalidates keys after a fixed period, so a key obtained later cannot decrypt messages older than that period. The development team explains that this term is easier for users to understand than the conventional “forward secrecy,” and that the mechanism works reliably even in fragmented or partitioned network environments.

Technical Features

The Autocrypt v2 certificate is a fixed size of 2938 bytes and consists of six packets.

  1. Primary key (Ed25519): used for signatures and authentication
  2. Direct key signature: function definition, not revocable
  3. Fallback subkey (ML-KEM-768 + X25519): for long-term encryption
  4. Subkey binding: not revocable
  5. Rotating subkey (ML-KEM-768 + X25519): for short-term encryption
  6. Subkey binding: revocable (max_rd=10 days)

As post-quantum cryptography, it uses a hybrid of ML-KEM-768 and X25519. The rotating subkey has a default validity period of 10 days, and a new key is automatically generated before expiration. Key derivation uses a deterministic ratchet mechanism with HKDF (SHA2-512). This allows all devices to synchronize on a time-based schedule without requiring any network communication.

Changes from v1

Autocrypt v1 was specialized for email and used email addresses as the identity layer. v2 is transport-independent and adopts pure cryptographic identities. Messaging applications can freely choose the protocol. It achieves the same goal—automatic, standards-based, interoperable E2E encryption—in a more general form.

Reliable Deletion Schedule

The key rotation schedule is as follows.

  • Rotating subkey validity period: max_rd (default 10 days)
  • New key generation: before min_rd of expiration
  • Delivery delay: assumed 10 days
  • Automatic deletion: after max_rd + 10 days

This mechanism allows all participants to update their keys at the same time, even in environments where the network is unstable and messages take time to arrive. While conventional forward secrecy requires server synchronization and complex coordination across multiple devices, Autocrypt v2 is clock-time-based, works offline, and functions with zero configuration.
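The two passages above describe a time-driven ratchet (HKDF with SHA2-512, keyed by clock time rather than by message exchange) and a rotation schedule expressed in max_rd, min_rd and an assumed 10-day delivery delay. The following Python block is an added illustration of how those two ideas fit together; it is not code from the Autocrypt v2 specification, rPGP, or the project's own Python samples. It assumes a rotation epoch of 0, a 2-day min_rd (the article names min_rd but gives no default), a period index used as the HKDF salt, and a made-up HKDF info label; the real specification's derivation inputs and labels are not on this page. The HKDF implementation is the plain RFC 5869 extract-and-expand construction using only the standard library.

```python
import hashlib
import hmac
from dataclasses import dataclass

DAY = 24 * 60 * 60

# Values taken from the article: rotating subkey validity max_rd (default 10 days)
# and an assumed delivery delay of 10 days.
DEFAULT_MAX_RD = 10 * DAY
DELIVERY_DELAY = 10 * DAY
# The article names min_rd but gives no default; 2 days is an assumed value here.
ASSUMED_MIN_RD = 2 * DAY
# Hypothetical context label; the specification's real HKDF inputs are not on the page.
INFO_LABEL = b"example-rotating-subkey-seed"


def hkdf_sha512(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA-512: extract a PRK, then expand it to `length` bytes."""
    if length > 255 * hashlib.sha512().digest_size:
        raise ValueError("requested length too large for HKDF-SHA512")
    prk = hmac.new(salt, ikm, hashlib.sha512).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha512).digest()
        okm += block
        counter += 1
    return okm[:length]


def period_index(now: int, epoch: int = 0, max_rd: int = DEFAULT_MAX_RD) -> int:
    """Rotation period a clock reading falls in: pure integer division, no network needed."""
    if now < epoch:
        raise ValueError("clock reading precedes the rotation epoch")
    return (now - epoch) // max_rd


def rotating_seed(root_secret: bytes, index: int) -> bytes:
    """One deterministic ratchet step, driven by the period index rather than a message counter.

    Every device holding the same root secret derives the same 32-byte seed for the
    same period, which is what lets them rotate without synchronizing.
    """
    salt = index.to_bytes(8, "big")
    return hkdf_sha512(root_secret, salt, INFO_LABEL, 32)


@dataclass(frozen=True)
class RotationSchedule:
    index: int
    valid_from: int
    expires: int           # valid_from + max_rd
    generate_next_at: int  # expires - min_rd: create the successor before this key lapses
    delete_at: int         # expires + delivery delay: keep decrypting late mail, then destroy


def schedule_for(now: int, epoch: int = 0, max_rd: int = DEFAULT_MAX_RD,
                 min_rd: int = ASSUMED_MIN_RD, delay: int = DELIVERY_DELAY) -> RotationSchedule:
    """Compute the current period's boundaries from the clock alone."""
    idx = period_index(now, epoch, max_rd)
    valid_from = epoch + idx * max_rd
    expires = valid_from + max_rd
    return RotationSchedule(idx, valid_from, expires, expires - min_rd, expires + delay)


def needs_next_key(now: int, s: RotationSchedule) -> bool:
    """True once we are within min_rd of expiry and the successor key should exist."""
    return now >= s.generate_next_at


def should_delete(now: int, s: RotationSchedule) -> bool:
    """True once the key has expired and the delivery-delay grace period has also passed."""
    return now >= s.delete_at


def devices_agree(root_secret: bytes, clock_a: int, clock_b: int) -> bool:
    """Constructed check: two devices sharing a root secret derive identical seeds
    whenever their clocks fall in the same period, with no messages exchanged."""
    seed_a = rotating_seed(root_secret, period_index(clock_a))
    seed_b = rotating_seed(root_secret, period_index(clock_b))
    return hmac.compare_digest(seed_a, seed_b)


if __name__ == "__main__":
    root = hashlib.sha512(b"constructed demo root secret").digest()  # constructed sample input
    now = 25 * DAY
    s = schedule_for(now)
    print(s)
    print("seed for this period:", rotating_seed(root, s.index).hex())
    print("generate next key now?", needs_next_key(now, s))
    print("delete this key now?", should_delete(now, s))
```

Running the block with a clock reading of day 25 lands in period 2 (days 20 to 30): the successor key is due from day 28, and the key itself is destroyed on day 40, i.e. max_rd plus the 10-day delivery allowance. A device whose clock reads day 29 derives the same seed, while one reading day 31 is already in period 3; the agreement depends only on the clocks, which is the property the article highlights, and also why clock skew larger than min_rd is the failure mode an implementer has to budget for.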

Practical Implementation of Post-Quantum Cryptography

ML-KEM-768 is one of the post-quantum cryptographic algorithms standardized by the US National Institute of Standards and Technology (NIST) in 2024. By adopting a hybrid with X25519, it maintains compatibility with current elliptic curve cryptography while also preparing for the threat of quantum computers. Since the certificate size is fixed at 2938 bytes, it can be efficiently transferred even in bandwidth-limited environments.

As an implementation example of Autocrypt v2, a Rust-based rPGP implementation and Python sample code have been released. The committers are considering adoption in messaging applications such as Delta Chat and chatmail.

Editorial Opinion

In the short term, Autocrypt v2 becomes a significant option for distributed messaging applications. In particular, the server dependency and key management complexity that existing protocols like Signal and Matrix face could potentially be resolved through clock-based key rotation and post-quantum cryptography. However, integrating into real products will pose challenges in compatibility with existing key management infrastructure and user experience design. In the long term, it could serve as a catalyst for the widespread adoption of post-quantum cryptography standards across the messaging industry. The concept of “reliable deletion” proposed by Autocrypt v2 goes beyond cryptographic forward secrecy and may also influence legal regulations and data retention obligations. Furthermore, if the OpenPGP v6 ecosystem becomes more active, similar mechanisms might be adopted for applications beyond email. The editorial board appreciates that Autocrypt v2’s design philosophy balances “simplicity” and “quantum resistance.” However, whether the key rotation period setting (default 10 days) fits the actual use cases of real applications requires verification.


Frequently Asked Questions

What is the main innovation of Autocrypt v2?
It combines post-quantum cryptography (ML-KEM-768 + X25519) with time-based reliable deletion. All devices can update keys without network synchronization, and keys are automatically deleted every 10 days.

How is it different from conventional forward secrecy?
Conventional forward secrecy (such as a Diffie-Hellman ratchet) requires server synchronization and coordination across multiple devices. Autocrypt v2 derives and destroys keys using only clock time, so it works offline and is reliable even in fragmented network environments.

What kind of applications is it expected to be used in?
The main targets are distributed, delay-tolerant messaging applications like Delta Chat and chatmail. It can also support transports other than email.

Source: Lobsters
