Definition
X3DH, short for Extended Triple Diffie-Hellman, is the key-agreement protocol that lets two parties establish a shared secret even when one of them is offline. This asynchronous property is what makes encrypted messaging practical: you can send a first message to a contact who is asleep with their phone off, and they derive the same key when they wake up. It is the handshake that precedes the per-message ratcheting of a live session.
Prekeys and the offline bootstrap
The protocol works by having each user publish a bundle of public keys to a server in advance. That bundle contains a long-term identity key, a medium-term signed prekey (rotated periodically and signed by the identity key), and a batch of single-use one-time prekeys. A sender fetches a recipient's bundle, verifies the signature, generates an ephemeral key pair, and computes the shared secret immediately, without the recipient being present. The server merely stores and serves public key material.
Three (or four) Diffie-Hellman computations
X3DH performs three DH computations, or four when a one-time prekey is available, then feeds them through a KDF to produce the session secret. Two of the computations bind the parties' identity keys to provide mutual authentication; the others mix in ephemeral and prekey material to provide forward secrecy. Crucially, authentication is achieved through Diffie-Hellman rather than digital signatures over the transcript, which gives the protocol cryptographic deniability: neither party can later present a portable proof that the other participated in the conversation.
X3DH produces the shared secret consumed by the Double Ratchet Algorithm, and the pair form the cryptographic core of the Signal Protocol.
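The three (or four) DH computations described above, as an added example that is not taken from this page or from any Signal code base. It uses a pure-Python X25519 (RFC 7748) and HKDF-SHA256, with the KDF input laid out as in Signal's published X3DH specification. The function names and the info label are hypothetical, and verification of the signed prekey's signature is left out to keep the focus on the key agreement.

```python
import hashlib, hmac, os

P = 2**255 - 19
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 X25519 Montgomery ladder. Teaching code: not constant-time."""
    n = int.from_bytes(k, "little") & ~7 & (2**254 - 1) | 2**254  # clamp scalar
    x1 = int.from_bytes(u, "little") & (2**255 - 1)
    x2, z2, x3, z3 = 1, 0, x1, 1
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if bit: x2, z2, x3, z3 = x3, z3, x2, z2
        a, b, c, d = x2 + z2, x2 - z2, x3 + z3, x3 - z3
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = aa - bb
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
        if bit: x2, z2, x3, z3 = x3, z3, x2, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASE)  # (private, public)

def kdf(dhs: bytes, info: bytes = b"X3DH-example") -> bytes:
    """HKDF-SHA256, 32-byte output; 32 0xFF bytes prepended, zero salt. info is an assumed label."""
    prk = hmac.new(b"\x00" * 32, b"\xff" * 32 + dhs, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

# Lower-case names are private keys, upper-case names are public keys.
def initiator_sk(ik_a, ek_a, IK_B, SPK_B, OPK_B=None):
    # DH1 and DH2 bind the two identity keys; DH3 and DH4 add forward secrecy.
    dhs = x25519(ik_a, SPK_B) + x25519(ek_a, IK_B) + x25519(ek_a, SPK_B)
    if OPK_B is not None:
        dhs += x25519(ek_a, OPK_B)  # DH4, only when a one-time prekey was served
    return kdf(dhs)

def responder_sk(ik_b, spk_b, IK_A, EK_A, opk_b=None):
    dhs = x25519(spk_b, IK_A) + x25519(ik_b, EK_A) + x25519(spk_b, EK_A)
    if opk_b is not None:
        dhs += x25519(opk_b, EK_A)
    return kdf(dhs)

def demo():
    (ik_a, IK_A), (ek_a, EK_A) = keypair(), keypair()
    (ik_b, IK_B), (spk_b, SPK_B), (opk_b, OPK_B) = keypair(), keypair(), keypair()
    return (initiator_sk(ik_a, ek_a, IK_B, SPK_B, OPK_B), responder_sk(ik_b, spk_b, IK_A, EK_A, opk_b),
            initiator_sk(ik_a, ek_a, IK_B, SPK_B), responder_sk(ik_b, spk_b, IK_A, EK_A))
```

The responder runs its side later, from the initiator's identity and ephemeral public keys carried in the first message, and must delete the one-time prekey's private half after use.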
