End-to-End Encryption
A deep dive into how Cipher protects your messages with state-of-the-art cryptography.
What is End-to-End Encryption?
End-to-end encryption (E2EE) means that only you and the person you're communicating with can read your messages. Not Cipher, not your internet provider, not anyone else—just the two of you.
Messages are encrypted on your device before they leave, travel through the network in encrypted form, and are only decrypted on your recipient's device using their private keys.
The Signal Protocol
Cipher uses a combination of well-established cryptographic protocols, often referred to collectively as the "Signal Protocol" since it was first implemented in the Signal messenger:
X3DH (Extended Triple Diffie-Hellman)
Establishes a shared secret between two parties who have never communicated before, using long-term identity keys, medium-term signed prekeys, and ephemeral one-time prekeys.
Double Ratchet Algorithm
Continuously generates new keys for each message, providing forward secrecy and post-compromise security. Even if one key is compromised, only a single message is exposed.
AES-256-GCM
The actual symmetric encryption algorithm used for message content. Provides both confidentiality (encryption) and integrity (authentication) in a single operation.
Forward Secrecy Explained
Forward secrecy is a property that ensures past communications remain secure even if long-term keys are compromised in the future. Here's how it works in Cipher:
Message 1: Key_A → Encrypt → Send → Decrypt → Delete Key_A Message 2: Key_B → Encrypt → Send → Decrypt → Delete Key_B Message 3: Key_C → Encrypt → Send → Decrypt → Delete Key_C ... If Key_C is compromised: ✗ Cannot decrypt Message 1 (Key_A deleted) ✗ Cannot decrypt Message 2 (Key_B deleted) ✓ Can only decrypt Message 3
Each message uses a unique key that is immediately deleted after use. An attacker who gains access to your current keys cannot decrypt messages from the past because those keys no longer exist.
Post-Compromise Security
But what about future messages? The Double Ratchet provides "self-healing" security through the Diffie-Hellman ratchet. When you and your contact exchange messages, new entropy is introduced that an attacker doesn't have access to.
After just a few message exchanges following a compromise, the attacker loses the ability to decrypt new messages. Security is automatically restored without any action required from users.
Encryption in Practice
Here's what happens when you send "Hello!" to Alice:
- Session check: Does a session with Alice exist? If not, perform X3DH key agreement.
- Key derivation: The Double Ratchet derives a unique message key from the current chain key.
- Encryption: "Hello!" is encrypted using AES-256-GCM with the message key.
- Ratchet advance: The sending chain ratchets forward, deleting the old key.
- Transmission: The encrypted message is sent to Alice via the P2P network.
- Decryption: Alice's device derives the same message key and decrypts.
- Key deletion: Both devices delete the message key immediately.
What's NOT Encrypted
While message content is always encrypted, some metadata is necessary for the system to function:
- Recipient public key: Necessary for routing (but we use techniques to minimize this)
- Timestamp: Needed for message ordering
- Message size: Encrypted messages have a size that could reveal information
Cipher minimizes metadata exposure through techniques like sealed sender (hiding the sender from relay nodes), padding messages to uniform sizes, and using mix networks for additional anonymity.
Cryptographic Specifications
All cryptographic implementations are well-audited libraries. We use libsodium for most operations and have undergone multiple independent security audits.