X3DH — initial key agreement

Extended triple Diffie-Hellman. Uses long-term + one-time prekeys. Alice + Bob derive a shared secret asynchronously (Bob doesn't need to be online).

Ratchet 1: Diffie-Hellman

Each new message exchange advances the DH ratchet. New shared secret. Even if one key leaks, future keys are safe (post-compromise security).

Ratchet 2: KDF chain

Between DH steps, keys are derived through a one-way KDF chain. Even if one message key leaks, past keys can't be recovered (forward secrecy).

Out-of-order + skipped keys

Messages may arrive out of order. Signal stores skipped message keys temporarily. Complex but preserves security.
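
A receiving KDF chain with skipped-key storage, as an added sketch that is not taken from this page or from Signal's code. The names ReceivingChain, kdf_ck, sender_keys, and demo, and the MAX_SKIP value, are assumptions. The HMAC-SHA256 step with the constants 0x01 and 0x02 follows the recommendation in the Double Ratchet specification. Message encryption and the DH ratchet are left out.

```python
import hashlib
import hmac

MAX_SKIP = 1000  # assumed cap on stored skipped keys; bounds memory per chain

def kdf_ck(ck):
    """One one-way chain step: returns (next chain key, message key)."""
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    next_ck = hmac.new(ck, b"\x02", hashlib.sha256).digest()
    return next_ck, mk

class ReceivingChain:
    def __init__(self, chain_key):
        self.ck = chain_key   # current chain key; older ones are overwritten
        self.n = 0            # number of the next message key to derive
        self.skipped = {}     # message number -> stored message key

    def key_for(self, msg_no):
        """Return the message key for msg_no, whatever order messages arrive in."""
        if msg_no in self.skipped:
            return self.skipped.pop(msg_no)      # late message: use key once
        if msg_no < self.n:
            raise KeyError("message key already used")   # replay or duplicate
        if msg_no - self.n + len(self.skipped) > MAX_SKIP:
            raise ValueError("too many skipped messages")
        while self.n < msg_no:                   # store keys for the gap
            self.ck, self.skipped[self.n] = kdf_ck(self.ck)
            self.n += 1
        self.ck, mk = kdf_ck(self.ck)
        self.n += 1
        return mk

def sender_keys(chain_key, count):
    """Message keys the sender derives, in sending order."""
    keys = []
    for _ in range(count):
        chain_key, mk = kdf_ck(chain_key)
        keys.append(mk)
    return keys

def demo():
    # Constructed demo chain key; in the protocol it comes from the DH ratchet.
    start = hashlib.sha256(b"constructed demo chain key").digest()
    sent = sender_keys(start, 4)
    rx = ReceivingChain(start)
    got = {n: rx.key_for(n) for n in (2, 0, 3, 1)}   # out-of-order arrival
    return sent, got, rx

if __name__ == "__main__":
    sent, got, rx = demo()
    print(all(got[n] == sent[n] for n in range(4)), len(rx.skipped))
```

Stored skipped keys are the one place where old message keys outlive the chain step that produced them, which is why the sketch caps their number and deletes each one on use.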

Metadata still leaks

The server knows WHO messaged WHOM + WHEN. Content is opaque. Sealed sender + private groups reduce metadata leakage, but not fully.