Last week, with little fanfare, Google announced a change that could soon make its 2 billion Android users worldwide far harder to surveil: The tech giant says it’s rolling out a beta version of its Android messaging app that will now use end-to-end encryption by default. That level of encryption, while limited to one-on-one conversations, is designed to prevent anyone else from eavesdropping—not phone carriers, not intelligence agencies, not a hacker who has taken over the local Wi-Fi router, not even Google itself will have the keys to decrypt and read those billions of messages.
The news isn’t just a win for global privacy. It’s also a win for one particular encryption system: the Signal protocol, which is well on its way to accounting for a majority of the world’s real-time text conversations. As this protocol becomes the de facto standard for encrypted messaging in most major services, it’s worth understanding what sets it apart from other forms of end-to-end encrypted messaging.
You might already know Signal thanks to the popular end-to-end encrypted text messaging app by the same name, created by cypherpunk Moxie Marlinspike and in recent years hosted by the nonprofit Signal Foundation. Signal, the app, has an unparalleled reputation for security and privacy, with high-profile endorsements from NSA whistleblower Edward Snowden and WhatsApp founder Brian Acton, who left WhatsApp in 2018 to serve as the Signal Foundation’s executive director.
But the underlying crypto system that Marlinspike designed and on which Signal is built, known as the Signal protocol, has spread far beyond its eponymous app. WhatsApp first adopted the Signal protocol in 2014 to end-to-end encrypt all messages between Android phones, in what Marlinspike told WIRED was “the largest deployment of end-to-end encryption ever.” WhatsApp switched it on by default for all billion-plus users two years later. Shortly thereafter, Google rolled out end-to-end encryption via the Signal protocol as an opt-in feature for its now-defunct Allo messenger and in its Duo video chat service. Facebook followed by adding it as an opt-in “Secret Conversations” feature in Facebook Messenger a few months later. Google’s decision to integrate the Signal protocol into Android’s messaging app by default represents the biggest new collection of phones to adopt the standard in years, with hundreds of millions more devices.
So why have the tech giants of the world all chosen Signal as their go-to crypto protocol? Its standout feature, says Johns Hopkins computer science professor and cryptographer Matthew Green, is how it implements what’s known as “perfect forward secrecy.” With most encryption systems, when an app is installed on a phone, it creates a permanent key pair that is used to encrypt and decrypt messages: one “public” key that is sent to the messaging server and will be used to identify the user, and one “private” key that never leaves the user’s phone. If that private key is somehow compromised, however, like if someone hacks or seizes your phone, that potentially leaves all your messages vulnerable to decryption. Even if you’ve deleted messages from your phone, the key can decrypt any encrypted messages that eavesdroppers have managed to record when they originally traveled across the network.
The Signal protocol, however, uses a so-called “ratchet” system that changes the key after every message. It does this by generating a collection of temporary key pairs for each user, in addition to the permanent keys. When someone sends a message to a contact over an app using the Signal protocol, the app combines the temporary and permanent pairs of public and private keys for both users to create a shared secret key that’s used to encrypt and decrypt that message. Since generating this secret key requires access to the users’ private keys, it exists only on their two devices. And the Signal protocol’s system of temporary keys—which it constantly replenishes for each user—allows it to generate a new shared key after every message.