End-to-End Encryption and the Signal Protocol
Trevor Perrin’s presentation on the TextSecure protocol, what the world now knows as the Signal Protocol, is one of the most important talks in applied cryptography from the past decade. It is also, characteristically, understated.
The Signal Protocol and the Authentication Problem
Most discussion focuses on the Double Ratchet, which combines Diffie-Hellman and symmetric ratchets to provide forward and future secrecy. That matters. But the more interesting and underappreciated contribution is how the protocol approaches authentication, and the limits of what authentication can realistically achieve.
What Encryption Alone Cannot Provide
Signal provides strong end-to-end encryption. Messages are encrypted using keys derived from X3DH and the Double Ratchet. Even if long-term keys are compromised, past messages remain protected and future sessions recover once new ephemeral keys are introduced.
But encryption does not guarantee you are encrypting to the right person. If a server provides a malicious public key, you can send a perfectly encrypted message directly to an attacker. The encryption works. The identity assurance fails.
Authentication is a separate and harder problem.
Usable Security
PGP addressed authentication through manual key verification and webs of trust. It worked for experts, but it never reached mass adoption because the process was burdensome.
Signal made encryption invisible. Key generation, prekeys, rotation, and session setup happen automatically. You install the app and messages are encrypted.
Authentication cannot be made fully invisible. As Perrin notes, users must be involved somehow. The question becomes: what do you do when most users will not complete a formal verification ceremony?
Two Approaches
One approach is strict authentication before encryption. No verification, no secure channel. In practice, this means only a small subset of users get protection, and those users become identifiable as security-conscious targets.
Signal chooses the opposite model: encrypt everything by default and make verification optional. All users get encrypted transport. Some verify fingerprints or scan QR codes. Most do not. An outside observer cannot distinguish between them.
This design has a subtle property. Users who verify are protected by not being distinguishable from those who do not. Users who do not verify are protected by blending into a population where verification might have occurred. The crowd provides cover.
Trust on First Use
When you first fetch a contact’s key, you trust it and store it. If that key changes unexpectedly, you receive a warning.
TOFU is imperfect. Users often ignore warnings. But in this model, the initial key is silently recorded and only changes introduce friction. The realistic goal is not perfect fingerprint checking. It is detecting suspicious key changes at least sometimes.
For stronger guarantees, users can verify keys out of band by scanning QR codes. The option exists without being mandatory. Skipping verification does not weaken encryption itself. It means trusting the key directory, which is an acceptable tradeoff for many conversations.
Cryptographic Engineering
The primitives behind Signal are well understood. The innovation is in how they are composed into a system that works under real-world constraints: asynchronous messaging, key exhaustion, multi-device use, group chats, and potentially untrusted servers.
The authentication philosophy illustrates the difference between theoretical cryptography and cryptographic engineering. A purely rigorous solution might protect a small, disciplined minority. Signal instead encrypts everything, relies on ubiquity for cover, and offers stronger verification to those who want it.