At TikTok, we adhere to strict privacy principles that restrict the use of personal data solely to its consented purposes. For instance, user identifiers, such as phone numbers or email addresses—collected exclusively for authentication—are never reused to track behavior across apps or services.

We follow established industry standards and privacy control frameworks to prevent unauthorized data access and operate under a zero-trust infrastructure with strong cryptographic enforcement. Sensitive data is encrypted locally on the user's device and can only be decrypted by the specific service for which it was intended—ensuring that no other service, internal or external, can access plaintext. This approach complements Transport Layer Security (TLS), which protects all communication between user devices and TikTok servers.

To further strengthen our long-term security posture, we've deployed TikTok's first post-quantum cryptographic solution based on NIST standards—positioning us ahead of emerging threats.

A Scalable Authenticated and Encrypted Channel

Our goal is to build a solution that scales to over one billion users while remaining operationally manageable for service teams. In our architecture, user devices handle encryption, while a centralized service is responsible for decryption. Asymmetric encryption allows devices to encrypt using the service's public key, but decryption on the server side is computationally expensive and reduces throughput.

While symmetric encryption is more efficient, it requires a unique key per device—making it infeasible to cache billions of keys on each server and raising significant security concerns. Using an external key management service (KMS) introduces network latency and requires rigorous reliability under peak load conditions.

To address these challenges, we implemented envelope encryption. This service generates a unique data encryption key (DEK) for each device, encrypts it using a key encryption key (KEK), and stores only the KEK. User data is encrypted with the DEK, and the encrypted DEK is bundled with the payload. Only the service can decrypt the DEK using its KEK, ensuring secure and efficient access to data. We apply authenticated encryption with associated data (AEAD) for both the DEK and user data, establishing a stateless, high-throughput, cryptographically authenticated channel between each device and the service.

Dispatching Keys to User Devices

To enable this model, the DEK must be securely delivered to the user device. This requires transmitting the DEK and its encrypted form through an authenticated and encrypted channel. For efficiency, we use standardized key delivery protocols such as the Diffie-Hellman Integrated Encryption Scheme (IES) (standardized in IEEE 1363a, ISO/IEC 18033-2, SECG SEC 1, and ANSI X9.63) and the Hybrid Public Key Encryption (HPKE) protocol (IETF RFC 9180). These protocols are optimized for one-time key exchanges and avoid the complexity of full TLS handshakes by reducing communication rounds and eliminating redundant session state.

In brief, these protocols allow two parties to establish a shared secret using public-key cryptography, which then secures further communication. We assume that the device has authenticated the service over TLS and obtained the service's public key out of band. Before encrypting any data, the device generates an ephemeral key pair and sends its public key to the service. The service replies with an encrypted payload containing a newly generated DEK and its encryption. The device then uses its private key and the service's public key to decrypt the response and extract the DEK, enabling secure, stateless communication.

Post-Quantum Migration

While current protocols provide strong security, they rely on cryptographic algorithms that are vulnerable to quantum computing. Algorithms such as RSA and elliptic curve cryptography can be broken by future quantum computers using attacks like Shor's algorithm. Although quantum attacks are not feasible today, it's crucial to begin migrating now to post-quantum cryptography to defend against “harvest now, decrypt later” threats—where adversaries archive encrypted data with the intention to decrypt it once quantum capabilities mature.

To address this, NIST has standardized a post-quantum key encapsulation mechanism (FIPS 203) and provided guidance for transitioning to quantum-safe algorithms. A widely recommended approach is to use hybrid cryptography, where both classical and post-quantum algorithms are used during key exchange. For example, in hybrid TLS, both classical and post-quantum mechanisms contribute to the final shared secret, offering resilience against both classical and quantum attacks.

Unfortunately, hybrid versions of HPKE and IES are not yet fully standardized, and securely combining two key encapsulation mechanisms in HPKE introduces subtle design challenges. As a conservative choice, we implemented a hybrid post-quantum IES using NIST-standardized elliptic curve cryptography and the module-lattice-based key encapsulation mechanism (MLKEM). This approach balances performance with standard conformance.

We are actively monitoring emerging standards, such as post-quantum HPKE, and may adopt hybrid KEM-based implementations like X-Wing KEM as they mature. Because the DEK dispatch protocol is single-use and stateless, updating it in the future is simple and does not involve backward compatibility concerns.

This deployment marks TikTok's first production rollout of post-quantum cryptography. We've upgraded key infrastructure components, including our internal key management service, to support post-quantum key formats. The solution is already in use across several business-critical scenarios and is on track to rollout to all users. We remain committed to expanding adoption of our post-quantum HPKE-based solution to further strengthen the privacy and security of TikTok's global community.