Double Ratchet
Also known as: ratchet algorithm, Signal Double Ratchet
The Double Ratchet is the algorithm that gives end-to-end encrypted chats a fresh key for every single message. It combines a Diffie-Hellman “ratchet” that turns over with each reply and a symmetric key-derivation “ratchet” that advances per message, so a stolen key exposes neither past nor future messages.
Originally designed by Trevor Perrin and Moxie Marlinspike for Signal, the Double Ratchet is now the backbone of nearly every serious messenger, including WhatsApp, Signal, and RVNT. Its job is to manage the per-message keys after two people have completed an initial handshake.
It is called double because it spins two ratchets at once. The symmetric-key ratchet runs a key-derivation function forward once per message, producing a unique message key and immediately discarding the old chaining key — this is what gives forward secrecy, the property that compromising your phone today cannot decrypt the messages you sent last week. The Diffie-Hellman ratchet mixes in a brand-new shared secret whenever the conversation changes direction (you reply to them), which gives post-compromise security (also called break-in recovery): even if an attacker steals your keys, the next back-and-forth heals the session and locks them out again.
The result is that the keys are constantly moving. There is no single long-lived key an adversary can grab to read a whole conversation; each message is sealed under a key that exists for an instant and is then deleted.
How it works
After an X3DH handshake establishes a shared root key, each message carries the sender’s current ratchet public key. Receiving a new ratchet key triggers a DH ratchet step: both sides derive a new root key and new sending/receiving chain keys. Within a chain, every message advances the symmetric ratchet via a KDF, deriving a one-time message key. Out-of-order messages are handled by caching skipped message keys up to a bounded limit, so a delayed message still decrypts without breaking the chain.
How RVNT uses Double Ratchet
RVNT implements the Double Ratchet in its Rust rvnt-crypto crate, with AES-256-GCM as the message cipher and the keys derived through HKDF. RVNT’s handshake is a hybrid post-quantum X3DH — classical X25519 combined with ML-KEM-768 — so the root key that seeds the ratchet is itself quantum-resistant. Large file transfers ride a separate content-encryption key rather than the message ratchet, which keeps a multi-gigabyte transfer from exhausting the skipped-key window and wedging your chat. See the Double Ratchet docs for the full design.
Frequently asked questions
Does the Double Ratchet protect old messages if my phone is stolen?
Yes, for messages whose keys have already been deleted. The symmetric ratchet discards each message key right after use, so an attacker who seizes your device cannot derive the keys for messages you already sent and received — that property is called forward secrecy.
What is the difference between forward secrecy and post-compromise security?
Forward secrecy protects the past: a key stolen today cannot decrypt yesterday’s messages. Post-compromise security (break-in recovery) protects the future: after a compromise, the next Diffie-Hellman ratchet step introduces fresh randomness the attacker never saw, healing the session and locking them back out.
Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.