Most people who use Signal or WhatsApp know their messages are “end-to-end encrypted” and have a rough sense that this means only they and the recipient can read them. Few people know what actually happens in the fraction of a second between pressing send and the message arriving on the other end. The gap between those two things is worth closing, because the details reveal something genuinely elegant, and because misunderstanding them leads to real security mistakes.
The Key Exchange Problem
The foundational challenge in encrypted messaging is this: how do two people agree on a secret when they’re communicating over a channel that anyone can observe? This isn’t a new problem. It was unsolved for most of human history, which is why wartime encryption required physically couriering codebooks. The solution, published by Whitfield Diffie and Martin Hellman in 1976, is one of the most important insights in computer science.
The Diffie-Hellman key exchange works through a property of modular arithmetic: certain mathematical operations are easy to compute in one direction and computationally infeasible to reverse. You and a stranger can each contribute a public number to a shared calculation, combine them with your respective private numbers, and arrive at the same secret value, without either of you ever transmitting that secret value. An observer who intercepts every message you exchange still can’t derive the secret. The math simply doesn’t run backwards fast enough.
Modern messaging apps don’t use Diffie-Hellman directly. Signal uses a protocol called X3DH (Extended Triple Diffie-Hellman), which is more sophisticated because it has to solve an additional problem: what happens when your recipient is offline when you send the message?
The Handshake Before Hello
When you install Signal and register your phone number, your app generates several sets of cryptographic keys. Some are long-term identity keys. Some are one-time prekeys, a bundle of single-use keys that get uploaded to Signal’s servers. When you send someone a message for the first time, your app downloads one of their prekeys from the server and uses it to perform the key exchange without your recipient being online at all.
This is where the elegance really shows. Signal’s servers hold these prekeys but are mathematically incapable of using them to decrypt anything. The server is acting as a dead-drop for cryptographic material, not as a trusted intermediary. When you press send on that first message to a new contact, your app silently fetches a prekey, performs a multi-step Diffie-Hellman exchange across four different key pairs, and derives a shared secret that exists only on your device and (once they come online) your recipient’s device. Signal’s infrastructure never sees it.
Once that initial handshake is complete, the conversation shifts to what Signal calls the Double Ratchet algorithm. This is the mechanism that handles all subsequent messages, and it does something that seems almost paranoid until you understand why it matters.
Why Every Message Gets a New Key
The Double Ratchet doesn’t just encrypt your messages with the shared secret established during the handshake. It derives a new encryption key for every single message, using the previous state of the conversation as input. Send ten messages, and ten distinct keys get generated and immediately discarded after use.
This property is called forward secrecy, and it’s the reason a compromised key doesn’t unravel your entire conversation history. If an attacker somehow obtained your current encryption key, they could decrypt the current message. They could not decrypt anything you sent before it, because those keys were derived, used, and deleted. The conversation is a one-way ratchet: you can advance it but not wind it back.
The “double” in Double Ratchet refers to two interleaved mechanisms running simultaneously. One advances with every message (the symmetric ratchet). The other advances whenever messages change direction between sender and receiver (the Diffie-Hellman ratchet). The combined effect is that even an attacker who completely compromises one of your devices for a period of time and then loses access will find that the conversation self-heals. New messages become secure again as new DH ratchet steps execute.
This is materially different from older encrypted email schemes like PGP, which encrypt everything to a long-term public key. Compromise that private key, and every message ever sent to it becomes readable. PGP has no forward secrecy. This is not a minor footnote; it’s a fundamental architectural difference.
What the App Doesn’t Protect
Understanding what encryption does makes it easier to understand what it doesn’t do, and the limits matter.
Signal’s encryption protects the content of messages in transit and at rest on Signal’s servers (where they exist only briefly and in encrypted form). It does not protect metadata, at least not completely. Signal knows when you registered, roughly how often you use the app, and which phone numbers have accounts. They’ve worked to minimize this, but some metadata is structurally unavoidable when routing messages through a network. Knowing that two phone numbers communicated at a specific time can be significant even without message content, a fact that intelligence agencies have understood for decades.
Encryption also doesn’t protect what’s on your device. If someone has physical access to your unlocked phone, or if your device is compromised by malware, the messages can be read before they’re encrypted for transmission or after they’re decrypted for display. The cryptographic guarantees apply to the channel, not the endpoints. This is why endpoint security and encryption are complementary concerns, not substitutes for each other.
Finally, metadata around disappearing messages and sealed sender (a feature that hides sender identity even from Signal’s servers) reveals something about where the real vulnerabilities lie. The protocol is remarkably strong. The weak points are almost always at the edges: device security, backup practices, and the person on the other end of the conversation.
The Math You’re Trusting When You Press Send
When you hit send on a Signal message, your device performs a key derivation, encrypts your message with AES-256, and ships it to a server that cannot read it, all before the send animation finishes. The recipient’s device performs the corresponding decryption in the same moment they open the app. The whole thing is fast enough to feel instant and complex enough that it occupied some of the best cryptographers in the world for decades to develop.
The practical upshot is that Signal’s encryption is not the thing most likely to fail you. The protocol has been formally verified and audited repeatedly. What will fail you, if anything does, is the stuff around the edges: an unencrypted backup sitting in Google Drive, a device without a strong passcode, a notification that previews message content on your lock screen. The math is solid. The human factors almost always aren’t.
