Papers
Topics
Authors
Recent
Search
2000 character limit reached

Signal Protocol: Secure Asynchronous Messaging

Updated 5 July 2026
  • Signal Protocol is an end-to-end encrypted messaging standard that combines X3DH and the Double Ratchet for secure asynchronous communication.
  • It utilizes a prekey hierarchy with long-term, signed, and one-time keys to enable offline session setup and continuous key evolution.
  • Deployment analyses reveal that implementation choices affect security outcomes, influencing metadata exposure, key-change notifications, and overall trust.

Signal Protocol is an end-to-end encrypted messaging protocol suite for asynchronous instant messaging, presented in the literature as the main successor to Off-the-Record (OTR) for mobile settings and deployed as the cryptographic basis of systems such as Signal and WhatsApp. Across the surveyed and mechanized analyses, its core structure combines X3DH for asynchronous session establishment with the Double Ratchet for ongoing message protection, yielding confidentiality, integrity, forward secrecy, and, in later formal-comparison literature, post-compromise security, subject to the protocol’s verification and deployment assumptions (Johansen et al., 2018, Ginesin et al., 2024, Rastogi et al., 2017).

1. Origins and design objectives

The protocol is described as extending the OTR tradition into asynchronous messaging. In the comparative survey literature, OTR is treated as the baseline secure messaging protocol that popularized deniability, frequent key refresh, and forward secrecy, but remained limited by its synchronous design. Signal is then presented as the protocol family that incorporated asynchronous communication directly, thereby making OTR-like security properties suitable for mobile and offline messaging. In the WhatsApp-oriented exposition, Signal Protocol—formerly Axolotl—is further characterized as a “compact derivative” of OTR, especially in its repeated Diffie–Hellman exchanges and ratcheting (Johansen et al., 2018, Rastogi et al., 2017).

This design orientation explains why Signal is repeatedly associated with mobile messaging rather than merely with two-party authenticated key exchange. The survey literature summarizes its goals as end-to-end encryption plus “advanced security properties such as forward secrecy and future secrecy,” while the WhatsApp analysis emphasizes “plausible deniability and forward-secret asynchronous communications” on mobile devices. A plausible implication is that Signal’s defining contribution is not a single primitive but a composition: offline-capable session bootstrap together with continual key evolution during conversation (Johansen et al., 2018, Rastogi et al., 2017).

2. Cryptographic architecture

The protocol is commonly described through a prekey hierarchy and a ratcheting session state. In the WhatsApp exposition, Signal uses three kinds of keys: a long-term identity key pair, a medium-term signed prekey, and one-time prekeys; all are Curve25519 key pairs. The initiator retrieves the recipient’s public material from the server, verifies the signed prekey, generates a fresh ephemeral key, and derives a shared secret that initializes the session state.

Component Role Persistence
Identity key pair Long-term authentication anchor Long-term
Signed prekey Medium-term public material signed by the identity key Medium-term
One-time prekey Additional prekey material for asynchronous setup One-time

A standard exposition of the X3DH-style setup gives the four Diffie–Hellman terms as

DH1=DH(IKa(sec),SKb(pub))DH_1 = DH(IK_a(sec), SK_b(pub))

DH2=DH(EKa(sec),IKb(pub))DH_2 = DH(EK_a(sec), IK_b(pub))

DH3=DH(EKa(sec),SKb(pub))DH_3 = DH(EK_a(sec), SK_b(pub))

DH4=DH(EKa(sec),OTKb(pub))DH_4 = DH(EK_a(sec), OTK_b(pub))

followed by

K=KDF(DH1DH2DH3DH4).K = KDF(DH_1 \,\|\, DH_2 \,\|\, DH_3 \,\|\, DH_4).

The resulting secret initializes the Double Ratchet. In the WhatsApp account, HKDF derives a root key and chain keys from the combined ECDH output, and the session remains associated with the device until events such as reinstallation or device change. The same literature describes the Double Ratchet as maintaining three chains—a root chain, a sending chain, and a receiving chain—where Diffie–Hellman outputs feed the root chain and a symmetric-key ratchet advances per message. At the per-message level, the WhatsApp exposition gives

Message key=HMAC-SHA256(chain key,0x01)\text{Message key} = \operatorname{HMAC\text{-}SHA256}(\text{chain key}, 0\text{x}01)

Chain key=HMAC-SHA256(chain key,0x02),\text{Chain key} = \operatorname{HMAC\text{-}SHA256}(\text{chain key}, 0\text{x}02),

capturing the basic ratchet step in which each send consumes the current chain key, derives a message key, and advances the chain state (Rastogi et al., 2017, Johansen et al., 2018, Jefferys et al., 2020).

Curve25519 is consistently identified as the elliptic-curve basis for the public-key operations. The WhatsApp analysis describes it as suitable for ECDH key agreement, efficient, and resistant to timing attacks. Within this architecture, signed prekeys bind medium-term public keys to long-term identity keys, while one-time prekeys support asynchronous initiation without requiring the recipient to be online (Rastogi et al., 2017).

3. Security properties and authentication model

The literature attributes a broad security profile to Signal. In the WhatsApp analysis, the protocol protects the contents of text messages, calls, videos, audio, and files in transit; the same paper credits it with forward secrecy, plausible deniability, and substantial protection against man-in-the-middle attacks. The comparative survey presents Signal as inheriting and extending OTR’s deniability story, and summarizes the Double Ratchet using the three specification properties “Resilience,” “Forward security,” and “Break-in recovery.” The mechanized comparison literature treats Signal as the reference two-party protocol for confidentiality, integrity, forward secrecy, and post-compromise security, with the latter two especially attributed to the Double Ratchet (Rastogi et al., 2017, Johansen et al., 2018, Ginesin et al., 2024).

The authentication model is more conditional than simplified descriptions often imply. Signal’s signed prekeys provide an identity-bound medium-term key, but the surveyed papers repeatedly tie active-adversary resistance to out-of-band identity verification. WhatsApp exposes QR-code verification and comparison of a 60-digit number; the survey treats safety numbers, QR codes, and out-of-band comparison as necessary to resist man-in-the-middle attacks in the active-adversary model. The mechanized Matrix comparison makes the same point more sharply: Signal depends on off-band verification of identity keys, and without that verification the protocol is vulnerable to an unknown key-share attack. The later proposal for automated in-band MitM detection is explicitly motivated by the observation that user awareness is poor when it comes to authenticating keys in instant messaging applications (Johansen et al., 2018, Ginesin et al., 2024, Teng et al., 2024).

Deniability is also treated with nuance. The WhatsApp analysis explains plausible deniability by noting that both parties derive the shared secret and the resulting MAC keys, so a receiver can verify a message but can also later produce MACs, weakening cryptographic proof of authorship. At the same time, later server-assisted extensions explicitly exclude deniability from the set of preserved Signal guarantees, which suggests that deniability in deployed systems is sensitive to surrounding trust and logging assumptions rather than being an invariant of the ratchet alone (Rastogi et al., 2017, Teng et al., 2024).

4. Deployments and protocol family

The protocol’s deployment history is marked by extensive reuse and nontrivial divergence. The comparative survey examines six applications—Signal, WhatsApp, Wire, Viber, Riot, and Telegram—and treats Signal as the central protocol reference point. Signal and WhatsApp are described as direct Signal implementations; Wire implements the Proteus protocol, “heavily based on the Signal protocol, but re-implemented in-house”; Riot uses Matrix, whose Olm algorithm is said to be based on the Signal protocol for one-to-one conversations. The survey’s central finding is that sharing the Signal protocol does not guarantee identical security, privacy, or usability outcomes: implementation and product decisions around key changes, verification, device management, and defaults materially affect real security (Johansen et al., 2018).

The same survey gives concrete examples. In its 2017 experiments, Signal took the conservative stance after a key change: it marked messages as undelivered, notified the sender that the peer had “a new security number,” and blocked further sending until re-verification. WhatsApp made the opposite tradeoff: it notified about key changes but did not block by default in the observed version, and it was the only app that re-encrypted and resent an undelivered message after the recipient reinstalled and received new keys. Wire allowed multiple devices and exposed per-device fingerprints, but did not automatically notify peers about device-key changes. Riot inherited some Signal-style properties in one-to-one mode through Olm, but its group and multi-device behavior depended on Megolm and, in the survey snapshot, encryption was still “in beta form” and “not turned on by default” (Johansen et al., 2018).

A distinct line of reuse appears in Session. That system explicitly states that it “uses the Signal protocol” and “does not modify the fundamentals of the Signal protocol,” but changes the surrounding architecture: identities are X25519 public keys rather than phone numbers or email addresses, prekey bundles are distributed via friend requests rather than a centralized prekey server, and messages are transported and stored through onion requests and decentralized swarms. This suggests that Signal is often treated as a reusable cryptographic substrate rather than as a complete application architecture (Jefferys et al., 2020).

5. Metadata, trust surfaces, and ecosystem limits

A persistent theme in the literature is the distinction between content confidentiality and privacy more broadly. The WhatsApp security analysis argues that encrypting the end-to-end channel does not by itself preserve privacy, because metadata remains highly revealing. The paper lists phone numbers involved, timestamps or time of delivery, content size, connection duration, connection frequency, contact lists, social-graph information, group-membership patterns, and possibly user location as exposed or collectible metadata. It also distinguishes transport protection from endpoint and backup exposure, noting that messages may be secure in transit while resident data on smartphones, tablets, and computers is less well protected, and that cloud backups to services such as Google Drive or iCloud may undermine ideal end-to-end guarantees (Rastogi et al., 2017).

The survey literature formalizes some of this limitation at the protocol-comparison level. In its reproduction of the Unger et al. scoring rubric, Signal receives 0 for “Anonymity Preserving” and 0 for “No Additional Service.” The stated reasons are that X3DH uses long-term public keys during the initial key agreement and that Signal relies on a central server for prekeys and stored messages. The survey’s conclusion therefore stresses that even when message content is end-to-end encrypted, important metadata is still manipulated and stored on the server (Johansen et al., 2018).

Two later research directions address this gap without replacing Signal’s cryptographic core. Session seeks reduced metadata leakage through onion routing, decentralized storage, and pseudonymous public-key identity while keeping X3DH and the Double Ratchet for pairwise messaging. DenIM, by contrast, keeps ordinary Signal unchanged and low-latency, but adds a second mode for deniable traffic by piggybacking deniable Signal traffic inside regular Signal-shaped client/server traffic, with fixed-size padding, client and server deniable buffers, and server-side deterministic generation of deniable ephemeral keys so that key exhaustion does not leak metadata. In both cases, metadata privacy is treated as a systems property that must be engineered around Signal rather than derived from X3DH or the ratchet alone (Jefferys et al., 2020, Nelson et al., 2022).

6. Formal analyses, attacks, and extensions

Formal-comparison work increasingly treats Signal as the benchmark against which adjacent secure messaging designs are measured. A mechanized ProVerif analysis of Matrix’s cryptographic suite models Signal and Signal composed with Sender Keys as the comparison baseline for pairwise and group security. Its conclusion is precise: the composition of Olm and Megolm has security comparable to Signal and Sender Keys if Olm pre-keys are signed, and provably worse post-compromise security if Olm pre-keys are not signed. The same analysis reinforces two broader points: Signal’s X3DH and Double Ratchet remain the reference design for pairwise confidentiality, authentication, forward secrecy, and post-compromise security, but identity-key verification outside the protocol remains necessary, and Sender Keys-style group layers inherit structural caveats such as the lack of transcript equivalence and compromise-related message-injection issues (Ginesin et al., 2024).

Operational analyses show that the delivered guarantees of Signal-style handshakes depend heavily on server-side prekey management. The study “Prekey Pogo” investigates WhatsApp’s Signal-based handshake and demonstrates a targeted depletion attack against one-time prekeys. The paper reports little to no rate limiting on repeated prekey-bundle fetches, depletion of 812 prekeys in 40 seconds to 2 minutes with synchronous requests and about 10 seconds with asynchronous requests, refill when only 10 one-time prekeys remain, and notification when fewer than 11 remain. Its cryptographic conclusion is narrower than a total break: if no one-time prekey is available, the handshake still works, but the initial message or messages of a fresh session lose the stronger initial forward secrecy normally provided by X3DH until the responder replies and the asymmetric ratchet advances. At higher request rates, the authors also report availability failures in prekey retrieval itself (Gegenhuber et al., 9 Apr 2025).

Other recent work extends Signal without redefining its core ratchet. Cerberus is a moderation and accountability layer for Signal-like end-to-end encrypted messaging, not a redesign of X3DH or the Double Ratchet; it attaches moderator-issued tokens to messages and allows the sender’s identity to be revealed only if a threshold of moderators agree after a report. A separate proposal for in-band active MitM detection modifies registration and epoch-start messaging so that client and server track an evolving keychain

HAv+1=h(HAv,epkAt+1),H_A^{v+1} = h(H_A^v, epk_A^{t+1}),

with server signatures binding the server’s view of that evolution. The authors present it as a way to automate key confirmation without user involvement, reporting client-side overheads under 15 ms and server-side overheads under 20 ms, while explicitly excluding deniability from the preserved Signal guarantees because of the stronger server role (Pattison et al., 2023, Teng et al., 2024).

Taken together, these analyses present Signal Protocol as a mature and extensible cryptographic core whose principal abstractions—prekey-based asynchronous setup and ratcheted key evolution—have proven reusable across applications, formal models, and protocol overlays. They also show that the protocol’s strongest advertised properties are inseparable from deployment questions: identity verification, prekey-server behavior, endpoint security, metadata exposure, group-layer composition, and the trust placed in surrounding infrastructure.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Signal Protocol.