Signal Protocol

The Signal Protocol (formerly known as the TextSecure Protocol) is a non-federated cryptographic protocol that provides end-to-end encryption for voice and instant messaging conversations. The protocol was developed by Open Whisper Systems in 2013 and was introduced in the open-source TextSecure app, which later became Signal. Several closed-source applications have implemented the protocol, such as WhatsApp, which is said to encrypt the conversations of "more than a billion people worldwide", and Google, which provides end-to-end encryption by default to all RCS-based one-to-one conversations between users of its Google Messages app. Facebook Messenger also says it offers the protocol for optional "Secret Conversations", as did Skype for its "Private Conversations". The protocol combines the Double Ratchet Algorithm, prekeys (i.e., one-time ephemeral public keys that have been uploaded in advance to a central server), and a triple elliptic-curve Diffie–Hellman (3-DH) handshake, and uses Curve25519, AES-256, and HMAC-SHA256 as primitives.
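The prekey handshake just described, as an added example that is not code from this page or from Signal's own libsignal: a pure-Python X25519 (the RFC 7748 Montgomery ladder, not constant-time) stands in for a real library, Bob's identity key, signed prekey and one-time prekey are the bundle a server would hold, and Alice derives a session key while Bob is offline. The four DH combinations follow Signal's published X3DH description; the function names, the HKDF info string and the omission of the prekey signature check are simplifications assumed for this example.

```python
import hashlib
import hmac
import os

P = 2**255 - 19          # field prime of Curve25519
A24 = 121665             # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    # RFC 7748 section 5 Montgomery ladder; pure Python, so NOT constant-time.
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64           # clamp the scalar
    scalar = int.from_bytes(kb, "little")
    ub = bytearray(u)
    ub[31] &= 127                          # ignore the top bit of u
    x1 = int.from_bytes(ub, "little")
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (scalar >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def kdf(dh_outputs: bytes) -> bytes:
    # HKDF-SHA256 (zero salt, one output block); the info string is made up here.
    prk = hmac.new(b"\x00" * 32, dh_outputs, hashlib.sha256).digest()
    return hmac.new(prk, b"x3dh-example\x01", hashlib.sha256).digest()

def x3dh_initiator(ik_a_priv, ik_b_pub, spk_b_pub, opk_b_pub):
    # Alice fetches Bob's bundle (IK_B, SPK_B, OPK_B) and needs no reply from him.
    ek_priv, ek_pub = keypair()                    # fresh ephemeral key
    dh1 = x25519(ik_a_priv, spk_b_pub)             # identity  x signed prekey
    dh2 = x25519(ek_priv, ik_b_pub)                # ephemeral x identity
    dh3 = x25519(ek_priv, spk_b_pub)               # ephemeral x signed prekey
    dh4 = x25519(ek_priv, opk_b_pub)               # ephemeral x one-time prekey
    return kdf(dh1 + dh2 + dh3 + dh4), ek_pub

def x3dh_responder(ik_b_priv, spk_b_priv, opk_b_priv, ik_a_pub, ek_a_pub):
    # Bob, coming online later, recomputes the same four DH values.
    dh1 = x25519(spk_b_priv, ik_a_pub)
    dh2 = x25519(ik_b_priv, ek_a_pub)
    dh3 = x25519(spk_b_priv, ek_a_pub)
    dh4 = x25519(opk_b_priv, ek_a_pub)
    return kdf(dh1 + dh2 + dh3 + dh4)

def run_handshake() -> bool:
    # Constructed session: both sides must end up with the same session key.
    ik_a, ik_a_pub = keypair()
    ik_b, ik_b_pub = keypair()
    spk_b, spk_b_pub = keypair()     # signed prekey (signature check omitted)
    opk_b, opk_b_pub = keypair()     # one-time prekey; Bob deletes it after use
    sk_a, ek_pub = x3dh_initiator(ik_a, ik_b_pub, spk_b_pub, opk_b_pub)
    sk_b = x3dh_responder(ik_b, spk_b, opk_b, ik_a_pub, ek_pub)
    return sk_a == sk_b
```

The DH1/DH2 pairing is what ties the session to both long-term identity keys, which is why fingerprint comparison of those keys (see Authentication below) is what defeats a man-in-the-middle.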


History

The development of the Signal Protocol was started by Trevor Perrin and Moxie Marlinspike (Open Whisper Systems) in 2013. The first version of the protocol, TextSecure v1, was based on Off-the-Record Messaging (OTR). On 24 February 2014, Open Whisper Systems introduced TextSecure v2, which migrated to the Axolotl Ratchet. The design of the Axolotl Ratchet is based on the ephemeral key exchange introduced by OTR and combines it with a symmetric-key ratchet modeled after the Silent Circle Instant Message Protocol (SCIMP). It brought support for asynchronous communication ("offline messages") as its major new feature, as well as better resilience to out-of-order messages and simpler support for conversations with multiple participants. The Axolotl Ratchet was named after the critically endangered aquatic salamander, the axolotl, which has extraordinary self-healing capabilities. The developers call the algorithm self-healing because it automatically denies an attacker who has compromised a session key access to the cleartext of later messages.

The third version of the protocol, TextSecure v3, made some changes to the cryptographic primitives and the wire protocol. In October 2014, researchers from Ruhr University Bochum published an analysis of TextSecure v3. Among other findings, they presented an unknown key-share attack on the protocol, but in general they found it to be secure. In March 2016, the developers renamed the protocol the Signal Protocol. They also renamed the Axolotl Ratchet the Double Ratchet algorithm to better differentiate between the ratchet and the full protocol, because some had used the name Axolotl when referring to the full protocol. The Signal Protocol remains based on TextSecure v3, with additional cryptographic changes. In October 2016, researchers from the UK's University of Oxford, Australia's Queensland University of Technology, and Canada's McMaster University published a formal analysis of the protocol, concluding that it was cryptographically sound. Another audit of the protocol was published in 2017.


Properties

The protocol provides confidentiality, integrity, authentication, participant consistency, destination validation, forward secrecy, post-compromise security (aka future secrecy), causality preservation, message unlinkability, message repudiation, participation repudiation, and asynchronicity. It does not provide anonymity preservation and requires servers for the relaying of messages and storing of public key material. The Signal Protocol also supports end-to-end encrypted group chats. The group chat protocol is a combination of a pairwise double ratchet and multicast encryption. In addition to the properties provided by the one-to-one protocol, the group chat protocol provides speaker consistency, out-of-order resilience, dropped message resilience, computational equality, trust equality, subgroup messaging, as well as contractible and expandable membership.


Authentication

For authentication, users can manually compare public key fingerprints through an outside channel. This makes it possible for users to verify each other's identities and avoid a man-in-the-middle attack. An implementation can also choose to employ a trust on first use (TOFU) mechanism in order to notify users if a correspondent's key changes.


Metadata

The Signal Protocol does not prevent a company from retaining information about when and with whom users communicate. There can therefore be differences in how messaging service providers choose to handle this information. Signal's privacy policy states that recipients' identifiers are only kept on the Signal servers as long as necessary in order to transmit each message. In June 2016, Moxie Marlinspike told ''The Intercept'': "the closest piece of information to metadata that the Signal server stores is the last time each user connected to the server, and the precision of this information is reduced to the day, rather than the hour, minute, and second."

In October 2018, Signal Messenger announced that they had implemented a "sealed sender" feature into Signal, which reduces the amount of metadata that the Signal servers have access to by concealing the sender's identifier. The sender's identity is conveyed to the recipient in each message, but is encrypted with a key that the server does not have. This is done automatically if the sender is in the recipient's contacts or has access to their Signal Profile. Users can also enable an option to receive "sealed sender" messages from non-contacts and people who do not have access to their Signal Profile. A contemporaneous wiretap of the user's device and/or the Signal servers may still reveal that the device's IP address accessed a Signal server to send or receive messages at certain times.


Usage

Open Whisper Systems first introduced the protocol in the ''TextSecure'' application. They later merged an encrypted voice call application named ''RedPhone'' into TextSecure and renamed it ''Signal''. In November 2014, Open Whisper Systems announced a partnership with WhatsApp to provide end-to-end encryption by incorporating the Signal Protocol into each WhatsApp client platform. Open Whisper Systems said that they had already incorporated the protocol into the latest WhatsApp client for Android and that support for other clients, group/media messages, and key verification would be coming soon after. On April 5, 2016, WhatsApp and Open Whisper Systems announced that they had finished adding end-to-end encryption to "every form of communication" on WhatsApp, and that users could now verify each other's keys. In February 2017, WhatsApp announced a new feature, WhatsApp Status, which uses the Signal Protocol to secure its contents. In October 2016, WhatsApp's parent company Facebook also deployed an optional mode called Secret Conversations in Facebook Messenger which provides end-to-end encryption using an implementation of the Signal Protocol. In September 2015, G Data Software launched a new messaging app called Secure Chat which used the Signal Protocol. G Data discontinued the service in May 2018. In September 2016, Google launched a new messaging app called Allo, which featured an optional "incognito mode" that used the Signal Protocol for end-to-end encryption. In March 2019, Google discontinued Allo in favor of their Google Messages app on Android. In November 2020, Google announced that they would be using the Signal Protocol to provide end-to-end encryption by default to all RCS-based conversations between users of their Google Messages app, starting with one-to-one conversations. In January 2018, Open Whisper Systems and Microsoft announced the addition of Signal Protocol support to an optional Skype mode called Private Conversations.


Influence

The Signal Protocol has had an influence on other cryptographic protocols. In May 2016, Viber said that their encryption protocol is a custom implementation that "uses the same concepts" as the Signal Protocol. Forsta's developers have said that their app uses a custom implementation of the Signal Protocol. The Double Ratchet Algorithm that was introduced as part of the Signal Protocol has also been adopted by other protocols. OMEMO is an XMPP Extension Protocol (XEP) that was introduced in the Conversations messaging app and approved by the XMPP Standards Foundation (XSF) in December 2016 as XEP-0384. Matrix is an open communications protocol that includes Olm, a library that provides optional end-to-end encryption on a room-by-room basis via a Double Ratchet Algorithm implementation. The developers of Wire have said that their app uses a custom implementation of the Double Ratchet Algorithm. Messaging Layer Security, an IETF proposal, uses ''asynchronous ratcheting trees'' to improve efficiently on the security guarantees of Signal's ''Double Ratchet''.


Implementations

Signal Messenger maintains a reference implementation of the Signal Protocol as a library written in Rust under the AGPLv3 license on GitHub. There are bindings to Swift, Java, TypeScript, C, and other languages that use the reference Rust implementation. Signal maintained the following deprecated libraries:

libsignal-protocol-c
A library written in C with additional licensing permissions for Apple's App Store.

libsignal-protocol-java
A library written in Java.

libsignal-protocol-javascript
A library written in JavaScript.

There also exist alternative libraries written by third parties in other languages, such as TypeScript.


See also

* Comparison of instant messaging protocols
* Comparison of cryptography libraries
* Post-Quantum Extended Diffie–Hellman



External links

* "TextSecure Protocol: Present and Future", talk by Trevor Perrin at NorthSec 2015 (video)