up:: In the Protocols MOC

Double Ratchet

The Double Ratchet is the algorithm at the heart of the Signal messaging protocol, designed by Trevor Perrin and Moxie Marlinspike, that lets two parties exchange encrypted messages while deriving a fresh key for every single message. That per-message key derivation gives Signal two strong properties: forward secrecy, so a key compromised today cannot decrypt yesterday’s messages, and post-compromise security, so the conversation heals and future messages become private again after an attacker who stole a key loses their foothold. It gets its name from combining two ratchets: a symmetric-key ratchet built on KDF chains and a Diffie-Hellman ratchet that mixes in fresh key material as messages flow.

The Double Ratchet handles the ongoing session. Setting up the very first shared secret is a separate step, and in Signal that step is now the post-quantum Signal PQXDH handshake, so the two compose cleanly: PQXDH establishes the initial secret with quantum resistance, and the Double Ratchet drives the conversation from there.

Source: T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” Signal specification, revision 4, 2025, signal.org/docs/specifications/doubleratchet.

The short version:

  • The Double Ratchet derives a unique key for every message, so earlier keys cannot be computed from later ones and later keys cannot be computed from earlier ones.
  • It combines a symmetric-key ratchet, which turns KDF chains into a stream of per-message keys, with a Diffie-Hellman ratchet, which attaches fresh DH public values to messages and mixes the results into the chain.
  • The symmetric ratchet delivers forward secrecy: keys are deleted after use, so a later compromise cannot reach back to past messages.
  • The Diffie-Hellman ratchet delivers post-compromise security, sometimes called break-in recovery: once fresh DH material flows, an attacker who stole a key loses the ability to read future messages.
  • The Double Ratchet does not establish the first shared secret. A key-agreement handshake does that, and in Signal it is now the post-quantum Signal PQXDH protocol.
  • The Double Ratchet itself relies on symmetric primitives and Diffie-Hellman ratcheting, so the quantum question for a Signal session lives in the initial handshake, which is exactly what PQXDH hardens.

What is the Double Ratchet?

The Double Ratchet is a session algorithm for secure messaging: given a shared secret that two parties already hold, it manages the exchange of encrypted messages so that each message gets its own key and old keys are destroyed as the conversation moves forward. Trevor Perrin and Moxie Marlinspike designed it for Signal, where it was originally called the Axolotl Ratchet, and it is now the ratcheting core inside a long list of applications that adopted the Signal protocol. The current specification, edited by Trevor Perrin, with Moxie Marlinspike and Rolfe Schmidt as authors, describes the central guarantee directly: the parties derive new keys for every message so that earlier keys cannot be calculated from later ones, and later keys cannot be calculated from earlier ones.

The design solves a specific problem. Long-lived conversations create long-lived risk, because if a single key protects a whole session, then stealing that key exposes everything. The Double Ratchet breaks that link by constantly evolving the key material, so the value of any one stolen key is bounded to a tiny slice of the conversation. It is a session protocol, so it assumes a shared secret already exists and concerns itself only with what happens after. Where that first secret comes from is the job of a separate handshake, described below.

Source: T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” Signal specification, revision 4, 2025, signal.org/docs/specifications/doubleratchet.

How does the Double Ratchet work?

The Double Ratchet earns its name by running two ratchets at once, each turning in one direction only, so key material always advances and never reverses. The two mechanisms work together:

  1. The symmetric-key ratchet. Each party keeps KDF chains, one for sending and one for receiving. To produce the key for the next message, the current chain key is fed through a KDF, which outputs both a message key and the next chain key. The message key encrypts one message and is then deleted; the chain key advances by one step. Because a KDF runs in only one direction, an attacker who learns a later chain key cannot run it backward to recover the message keys that already came and went.
  2. The Diffie-Hellman ratchet. Alongside the messages, the parties attach fresh Diffie-Hellman public values. When a party receives a new DH public value from the other side, it performs a DH calculation and mixes the fresh shared result into its KDF chains, effectively reseeding them with new entropy that an old attacker never saw. This is the step that lets a conversation recover its privacy after a compromise.

The two ratchets divide the labor:

RatchetTurnsBuilt onProperty it delivers
Symmetric-keyOnce per messageKDF chainsForward secrecy for past messages
Diffie-HellmanWhen the conversation’s direction changesFresh DH public values mixed into the chainsPost-compromise security (break-in recovery) for future messages

The symmetric ratchet turns fast, once per message, and gives the fine-grained forward secrecy. The Diffie-Hellman ratchet turns more slowly, whenever the direction of the conversation changes and fresh DH values are exchanged, and gives the recovery property. Running both means a stolen key is useful for a shrinking window and then becomes worthless, which is the behavior secure messaging needs.

Source: T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” Signal specification, revision 4, 2025, signal.org/docs/specifications/doubleratchet.

What is forward secrecy in the Double Ratchet?

Forward secrecy is the guarantee that compromising a key today does not expose messages that were already sent and decrypted, and the Double Ratchet provides it through the symmetric-key ratchet. Every message key is derived from a chain key, used once to protect a single message, and then deleted, so the plaintext of a past message is protected by a key that has already been erased from memory.

Because the KDF that advances the chain runs in one direction only, knowing a chain key at some point in the conversation reveals nothing about the message keys that preceded it. An attacker who seizes a device mid-conversation and reads its current state cannot reconstruct the keys for earlier messages, because those keys were destroyed after use and cannot be recomputed from what remains. The specification states this precisely: earlier keys cannot be calculated from later ones. That is the property that makes a captured phone far less catastrophic than it would be if one long-lived key protected the whole history.

Source: T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” Signal specification, revision 4, 2025, signal.org/docs/specifications/doubleratchet.

What is post-compromise security in the Double Ratchet?

Post-compromise security, which the specification calls break-in recovery, is the guarantee that a conversation heals after a compromise: if an attacker steals key material at some moment, the parties regain privacy for future messages once fresh Diffie-Hellman values have been exchanged. It is the mirror image of forward secrecy. Forward secrecy protects the past; post-compromise security protects the future.

The Diffie-Hellman ratchet is what delivers it. Each time a new DH public value is sent and a fresh DH shared secret is mixed into the KDF chains, the key material is reseeded with entropy the attacker never possessed. An adversary who captured the old state cannot predict the new chains, because they never saw the new DH private keys. So after a compromise, the very next full turn of the DH ratchet locks the attacker out of everything that follows, and the conversation continues privately as if the compromise had ended. This self-healing behavior is one of the reasons the Signal protocol became the reference design for secure messaging.

Source: T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” Signal specification, revision 4, 2025, signal.org/docs/specifications/doubleratchet.

How does the Double Ratchet compose with PQXDH?

The Double Ratchet and Signal PQXDH handle two different jobs, and they compose cleanly: PQXDH sets up the first shared secret, and the Double Ratchet runs the session from there. A Signal conversation has two phases. The first is the initial key agreement, where two parties who may never have been online at the same time establish a shared secret. The second is the ongoing exchange of messages, which is what the Double Ratchet governs.

The quantum question lives almost entirely in the first phase. The original Signal key agreement, X3DH, was built on elliptic-curve Diffie-Hellman, which Shor’s algorithm would break, exposing that initial secret to a harvest-now-decrypt-later adversary who records the handshake and waits for a quantum computer. PQXDH addresses that by adding a post-quantum key encapsulation mechanism to the handshake, so the initial shared secret is protected by both classical and post-quantum key agreement.

Once PQXDH has produced that secret, it feeds into the Double Ratchet exactly as the old handshake did, and the ratchet’s forward secrecy and post-compromise security continue to operate over each message. The Double Ratchet stayed unchanged through the quantum transition, because the exposure was in setting up the first secret, which is the piece PQXDH replaced.

Source: T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” Signal specification, revision 4, 2025, signal.org/docs/specifications/doubleratchet.

Is the Double Ratchet quantum-safe on its own?

The Double Ratchet’s ongoing operation rests on symmetric primitives and repeated Diffie-Hellman ratcheting, so the honest answer is that the quantum risk of a Signal session concentrates in the initial handshake rather than in the ratchet itself. The symmetric-key ratchet uses KDF chains and symmetric encryption, which face only Grover’s algorithm and its square-root speedup, so at standard key sizes they keep a comfortable margin the same way AES-256 and SHA-256 do.

The Diffie-Hellman ratchet is the part that draws scrutiny, because a classical elliptic-curve DH ratchet would, in isolation, be a Shor target. In practice this matters far less than the initial handshake for one reason: the DH ratchet’s job is post-compromise recovery within a live session, not protecting a long-recorded secret, and the value protected by any single ratchet step is small and short-lived. The strategically important quantum exposure, the one a harvest-now-decrypt-later adversary targets, is the initial shared secret, and that is precisely what Signal PQXDH hardens. So the correct read is that securing a Signal conversation against quantum attack is mainly about the handshake, PQXDH does that, and the Double Ratchet continues to provide its forward secrecy and post-compromise security on top.

Source: T. Perrin and M. Marlinspike, “The Double Ratchet Algorithm,” Signal specification, revision 4, 2025, signal.org/docs/specifications/doubleratchet.

Common misconceptions

  1. “The Double Ratchet establishes the encrypted session from scratch.” It does not. It is a session algorithm that assumes a shared secret already exists. A separate handshake, X3DH originally and Signal PQXDH now, sets up that first secret.
  2. “Forward secrecy and post-compromise security are the same property.” They are opposites in time. Forward secrecy protects messages already sent; post-compromise security restores privacy for future messages after a compromise ends.
  3. “One ratchet does all the work.” There are two. The symmetric-key ratchet gives per-message forward secrecy, and the Diffie-Hellman ratchet gives post-compromise recovery. Both are needed for the full guarantee.
  4. “The Double Ratchet had to be replaced for post-quantum security.” It did not. The quantum exposure was in the initial key agreement, so PQXDH replaced the handshake and the Double Ratchet kept running unchanged.
  5. “Because it uses Diffie-Hellman, the Double Ratchet is wide open to quantum attack.” The strategically important secret is the one set up in the handshake, which PQXDH protects. The DH ratchet steps protect small, short-lived, in-session material, a far less valuable target.
  6. “Post-compromise security means an attacker who steals a key learns nothing.” They can read messages during the window they hold current key material. The guarantee is that once fresh Diffie-Hellman values flow, they lose access to everything after that.

Questions people ask

What does the Double Ratchet actually do? It manages an ongoing encrypted conversation by deriving a fresh key for every message and destroying old keys, which gives forward secrecy for past messages and post-compromise security for future ones.

Why is it called a double ratchet? Because it runs two one-way ratchets: a symmetric-key ratchet built on KDF chains that advances once per message, and a Diffie-Hellman ratchet that reseeds the chains with fresh key material as the conversation turns.

How does the Double Ratchet relate to PQXDH? They handle different phases. Signal PQXDH performs the initial key agreement that sets up the first shared secret with post-quantum protection, and the Double Ratchet drives every message after that. PQXDH feeds its secret into the ratchet.

Is the Double Ratchet quantum-safe? Its symmetric core faces only Grover and keeps a wide margin. The quantum risk of a Signal session sits in the initial handshake, which is why Signal added Signal PQXDH rather than changing the ratchet.

Who designed the Double Ratchet? Trevor Perrin and Moxie Marlinspike, for the Signal protocol, where it was first known as the Axolotl Ratchet. The current specification is edited by Trevor Perrin, with Moxie Marlinspike and Rolfe Schmidt as authors.

Does the Double Ratchet protect a captured phone’s message history? Forward secrecy means the keys for already-read messages are deleted and cannot be recomputed, so a device captured mid-conversation cannot reconstruct earlier message keys from its current state. Locally stored plaintext is a separate concern the app handles outside the ratchet.


Everything here is the map, given freely. When your team needs its own cryptography sorted into what survives the quantum transition and what has to move, that’s what an alignment briefing is for.

Last verified 2026-07-12 · Maintained by Addie LaMarr, LaMarr Labs.