X3DH
Also known as: Extended Triple Diffie-Hellman, X3DH key agreement, triple Diffie-Hellman handshake, X3DH handshake
X3DH (Extended Triple Diffie-Hellman) is an asynchronous key-agreement handshake that lets two people establish a shared secret even when one of them is offline. The initiator fetches a published bundle of the recipient's public keys and performs three or four Diffie-Hellman operations to derive one session key, which then seeds the Double Ratchet for ongoing messaging.
Designed by Trevor Perrin and Moxie Marlinspike for the Signal Protocol in 2016, X3DH solves a problem ordinary Diffie-Hellman cannot: how do you agree on a secret key with someone who is asleep with their phone in a drawer? Classic DH needs both parties online at the same time to swap ephemeral keys. X3DH removes that requirement by having each user publish a prekey bundle in advance.
The initiator (Alice) downloads the recipient's (Bob's) bundle and runs up to four DH computations, combining her identity key, a fresh ephemeral key, and Bob's identity key, signed prekey, and a one-time prekey. Each DH contributes a distinct property: mutual authentication, forward secrecy, and replay protection. The four outputs are concatenated and fed through HKDF to produce a single 32-byte session secret. Bob reconstructs the identical secret later when he comes online and receives Alice's initial message.
Because Alice's ephemeral private key is deleted right after the handshake, compromising either long-term identity key afterward cannot reconstruct the session secret. X3DH also gives offline deniability: either party could have produced the transcript alone, so it proves nothing to a third party.
How it works
Bob pre-publishes a bundle: identity key, a signed prekey, and a batch of one-time prekeys.
Alice fetches it and computes (with IK = identity, EK = ephemeral, SPK = signed prekey, OPK = one-time prekey):
DH1 = DH(IK_A, SPK_B) — authentication
DH2 = DH(EK_A, IK_B) — forward secrecy for Bob
DH3 = DH(EK_A, SPK_B) — forward secrecy for both
DH4 = DH(EK_A, OPK_B) — replay protection (skipped if no OPK is left)
SK = HKDF(DH1 || DH2 || DH3 || DH4)
Alice sends her identity key, ephemeral key, the consumed OPK id, and her first message encrypted under SK. Bob looks up and deletes that OPK, repeats the same four DH operations from his side, derives the identical SK, and both parties initialize the Double Ratchet from it.
How RVNT uses X3DH
RVNT runs a hybrid post-quantum X3DH. Alongside the classical X25519 operations it adds a fifth secret from ML-KEM-768 (FIPS 203): the initiator encapsulates against the recipient's lattice key and concatenates that shared secret before HKDF, so SK = HKDF(DH1..DH4 || PQ_SS). An attacker must break both elliptic-curve and lattice cryptography. See Key Exchange for the full construction.
Frequently asked questions
What is the difference between X3DH and the Double Ratchet?
X3DH is the one-time handshake that establishes the very first shared secret between two people. The Double Ratchet then takes that secret and continuously evolves it, deriving a fresh key for every message. X3DH sets up the conversation; the Double Ratchet runs it.
How can X3DH work if the other person is offline?
Each user uploads a bundle of public keys (a prekey bundle) to a server ahead of time. The sender downloads that bundle and derives the shared secret on their own. The recipient computes the matching secret whenever they next come online, so no live handshake is needed.
Is X3DH quantum-safe?
Classical X3DH is not — a quantum computer running Shor's algorithm could break the elliptic-curve Diffie-Hellman steps. RVNT and Signal's PQXDH both fix this by mixing in a lattice-based key from ML-KEM-768, so the session stays secure even against a future quantum attacker.
Every definition here describes something RVNT actually ships — a post-quantum, end-to-end-encrypted, peer-to-peer messenger with no phone number and no servers.