Generic Signal Protocol: Specification and Implementation


The (original) Signal protocol is an open source secure messaging protocol that provides end-to-end authenticated encryption with forward security, post-compromise security, asynchronicity and many other appealing security advantages. The protocol is extensively deployed and secures the daily communication of billions of users via popular (mobile as well as desktop) messaging applications such as Signal (originally TextSecure), WhatsApp, Google Allo, Facebook Messenger, Skype, etc.

The Signal protocol (or strictly speaking its core component, the double ratchet algorithm) is formally analyzed and abstracted in the paper "The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol" by Joël Alwen, Sandro Coretti and Yevgeniy Dodis. The paper proposes a decomposition of the double ratchet algorithm into multiple generic cryptographic modules. The modularization enables customization of the algorithm using different instances of the modules, which naturally leads to post-quantum variants of the Signal protocol by employing quantum-safe module instances.

The implementation of the generic Signal protocol here follows the modularization and is provided as a C library.


In [1] it is described how the generic Signal protocol can be decomposed into continuous key agreement (CKA), PRF-PRNG (PRGF), authenticated encryption with associated data (AEAD) and PRG, as well as how to construct CKA from key encapsulation mechanism (KEM) and PRGF from HKDF.

[2] describes a standard construction of HKDF from HMAC.

[3] mentions the canonical "encrypt-then-MAC" construction of AEAD from SKE and HMAC.

By definition there exists a trivial construction of PRG from PRF, namely PRG(k) = PRF(k, 0) | PRF(k, 1) | PRF(k, 2) | ....


  1. Joël Alwen, Sandro Coretti and Yevgeniy Dodis, "The Double Ratchet: Security Notions, Proofs, and Modularization for the Signal Protocol".
  2. H. Krawczyk and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)" (RFC 5869).
  3. D. McGrew, "An Interface and Algorithms for Authenticated Encryption" (RFC 5116).


The C implementation follows the specification of the modularization.

Refer to in code archive for details about the usage as well as the functionality of the library.


Release Notes