in reply to Scott Francis

> The final thing interesting for the triple ratchet is that it nicely combines the best of both worlds. Between two users, you have a classical DH-based ratchet going on one side, and fully independently, a KEM-based ratchet is going on. Then, whenever you need to encrypt something, you get a key from both, and mix it up to get the actual encryption key. So, even if one ratchet is fully broken, be it because there is now a quantum computer, or because somebody manages to break either elliptic curves or ML-KEM, or because the implementation of one is flawed, or..., the Signal message will still be protected by the second ratchet. In a sense, this update can be seen, of course simplifying, as doubling the security of the ratchet part of Signal, and is a cool thing even for people that don't care about quantum computers.

As has been pointed out by DJB, nobody seems to be able to trust the new PQC crypto, which is why we have to do these hybrids. They're actively resisting an attempt by the NSA to have non-hybrid PQC standardized.

Which leaves me feeling like this isn't as amazing as they want you to believe. They did a lot of work because they can't trust the new crypto to fully replace the classical.
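The "get a key from both and mix it up" step from the quoted explanation, as an added example that is not part of this thread and is not Signal's own code: two independent KDF chains stand in for the outputs of the DH-based ratchet and the KEM-based ratchet (their root secrets are constructed at random here instead of coming from real X25519 or ML-KEM exchanges), and each message key is derived by feeding both chain outputs through HKDF. The function names, salt and labels are assumptions for illustration; the point shown is that a party holding only one of the two root secrets cannot reproduce any message key.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) over SHA-256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) over SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


class KdfChain:
    """Toy symmetric chain standing in for one ratchet's per-message output.

    Constructed for this example: a real DH or KEM ratchet would refresh the
    chain from new public-key material; here we only model the forward step.
    """

    def __init__(self, root: bytes):
        self.chain_key = root

    def step(self) -> bytes:
        # Derive this message's chain output, then advance so old outputs
        # cannot be recomputed from the new chain key.
        output = hmac.new(self.chain_key, b"\x01", HASH).digest()
        self.chain_key = hmac.new(self.chain_key, b"\x02", HASH).digest()
        return output


def combine_secrets(dh_out: bytes, kem_out: bytes, counter: int) -> bytes:
    """Hybrid combiner (assumed construction): mix both ratchet outputs with HKDF.

    Each input is length-prefixed so the concatenation has unambiguous
    boundaries, and the message counter is bound into the info string.
    """
    ikm = (len(dh_out).to_bytes(2, "big") + dh_out
           + len(kem_out).to_bytes(2, "big") + kem_out)
    prk = hkdf_extract(b"example-hybrid-ratchet-salt", ikm)
    return hkdf_expand(prk, b"message-key|" + counter.to_bytes(4, "big"), 32)


def derive_message_keys(dh_root: bytes, kem_root: bytes, count: int) -> list:
    """Run both ratchets side by side and produce `count` hybrid message keys."""
    dh_chain, kem_chain = KdfChain(dh_root), KdfChain(kem_root)
    return [combine_secrets(dh_chain.step(), kem_chain.step(), i)
            for i in range(count)]


def one_ratchet_suffices(dh_root: bytes, kem_root: bytes, count: int = 4) -> bool:
    """Check whether knowing only one root secret reproduces any real message key.

    Models the "one ratchet fully broken" case: the adversary holds kem_root
    but not dh_root (and vice versa) and substitutes a guess for the missing one.
    """
    real = set(derive_message_keys(dh_root, kem_root, count))
    guess = os.urandom(32)  # attacker's stand-in for the secret they lack
    only_kem = set(derive_message_keys(guess, kem_root, count))
    only_dh = set(derive_message_keys(dh_root, guess, count))
    return bool(real & only_kem) or bool(real & only_dh)


if __name__ == "__main__":
    dh_root, kem_root = os.urandom(32), os.urandom(32)
    keys = derive_message_keys(dh_root, kem_root, 3)
    for i, k in enumerate(keys):
        print(f"message {i}: {k.hex()}")
    print("one ratchet alone recovers a key:",
          one_ratchet_suffices(dh_root, kem_root))
```

Both parties holding the same two root secrets derive identical keys, so the combiner is deterministic; in the toy model the message keys differ from step to step because each chain advances independently, and swapping either root for a guess changes every derived key.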