
Signal launches Lean verification of its Rust Signal protocol implementation

Signal Shot aims to formally verify both Signal Protocol and the Rust code behind it, a rare bid to machine-check an app that secures billions of messages.

Sam Ortega

Signal has pushed its security story into rarer territory: not just stronger cryptography, but formal proof. With Beneficial AI Foundation and Lean FRO, the company launched Signal Shot, a public verification platform built to prove the Signal Protocol and its Rust implementation correct in Lean. That matters because Signal Protocol already protects end-to-end encrypted communications exchanged daily by billions of people, and Signal is now trying to raise confidence from “widely trusted” to “machine-checked.”

The pitch is unusually concrete for a security project of this scale. Signal Protocol was first published in 2013 and has long spread well beyond Signal’s own app. The official libsignal repository says the underlying implementations are written in Rust, and libsignal-protocol implements the Signal Protocol, including the Double Ratchet algorithm. In other words, Signal Shot is not starting from a paper spec in the abstract. It is targeting the code that already runs the protocol in production.

That makes the timing notable. Signal has continued hardening the protocol against future threats, including its 2023 PQXDH post-quantum key agreement upgrade and the October 2025 announcement of the Sparse Post Quantum Ratchet, or SPQR. Its documentation also now includes ML-KEM Braid, a sparse continuous key agreement protocol designed by Graeme Connell and Rolfe Schmidt and published with revision 1 on 2025-02-21. The new protocol uses NIST-standardized ML-KEM, showing that Signal’s security work is moving on several tracks at once: post-quantum resilience, forward secrecy, and verification.

Signal Shot’s technical bet is that AI plus Lean can help prove properties of the real implementation, not just the mathematics on paper. The workflow described in the pre-launch writeup runs Rust through Aeneas into Lean, then proves the translated code correct. Lean 4, a functional programming language and theorem prover with a dependent type system, gives the project a serious formal foundation. The distinction here is important: the point is to verify actual code paths, not to admire a neat specification while the implementation drifts away from it.

The broader context is a growing formal-verification ecosystem that already includes work like Aeneas, Microsoft’s SymCrypt verification, AWS’s Cedar, and the Veil project for distributed protocols. Cryspen has said it intends to contribute tools and expertise to Signal Shot in collaboration with the Aeneas team. That is the right kind of outside pressure for a project like this, because the real prize is not a demo. It is a credible path to proving that one of the world’s most recognizable secure-messaging stacks, built in Rust, behaves the way its designers say it does.
