by josephg 1003 days ago
This is coming from Signal, who are more than qualified to do this kind of work. You shouldn't roll your own crypto. But crypto experts can do what they want.

Yes, and moreover, they just add a shared secret in the computation of the initial root key; it cannot be worse in this case.
What could go wrong?
Is that good or bad?
It's good. Think of it like adding a different kind of lock that requires a different key (method) to open up first. At worst it's no less secure than before. If it works as intended it's a huge disincentive for anyone collecting encrypted data with the hopes that a quantum computer may break encryption the "old" method in the future.
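
The construction discussed in this thread, as an added sketch that is not part of the original comments and is not Signal's code: the initial root key is derived with HKDF from the concatenated Diffie-Hellman outputs plus one extra post-quantum shared secret. Random bytes stand in for the DH outputs and the KEM secret, and the zero salt, the `info` label and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

HASH_LEN = hashlib.sha256().digest_size


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF from RFC 5869: extract a PRK, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def root_key(dh_outputs: List[bytes], pq_secret: Optional[bytes] = None) -> bytes:
    """Derive the initial root key; pq_secret=None models the classical-only handshake."""
    ikm = b"".join(dh_outputs) + (pq_secret or b"")
    # Zero salt and this info label are assumptions for the sketch.
    return hkdf_sha256(ikm, salt=bytes(HASH_LEN), info=b"example-hybrid-root-key")


def demo() -> dict:
    # Constructed sample secrets: stand-ins for real DH outputs and a KEM secret.
    dh = [os.urandom(32) for _ in range(3)]
    pq = os.urandom(32)
    session = root_key(dh, pq)
    return {
        # Both honest parties hold the same inputs, so they agree on the key.
        "peers_agree": hmac.compare_digest(session, root_key(dh, pq)),
        # Knowing every DH output but not the extra secret does not yield the key.
        "dh_only_fails": root_key(dh) != session,
        # Knowing only the extra secret does not yield it either.
        "pq_only_fails": root_key([], pq) != session,
    }


if __name__ == "__main__":
    print(demo())
```

Because both kinds of secret feed one KDF call, recovering the root key requires all of them, which is the "no less secure than before" property the comments describe.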