X3DH — initial key agreement
Extended triple Diffie-Hellman. Uses long-term + one-time prekeys. Alice + Bob derive a shared secret asynchronously (Bob doesn't need to be online).
X3DH — initial key agreement
Extended triple Diffie-Hellman. Uses long-term + one-time prekeys. Alice + Bob derive a shared secret asynchronously (Bob doesn't need to be online).
Ratchet 1: Diffie-Hellman
Each new message exchange advances the DH ratchet. New shared secret. Even if one key leaks, future keys are safe (post-compromise security).
Ratchet 2: KDF chain
Between DH steps, keys are derived through a one-way KDF chain. Even if one message key leaks, past keys can't be recovered (forward secrecy).
Out-of-order + skipped keys
Messages may arrive out of order. Signal stores skipped message keys temporarily. Complex but preserves security.
Metadata still leaks
Server knows WHO messaged WHOM + WHEN. Content is opaque. Sealed sender + private groups reduce metadata but not fully.