This document describes the “X3DH” (or “Extended Triple Diffie-Hellman”) key agreement protocol. X3DH establishes a shared secret key between two parties who mutually authenticate each other based on public keys. X3DH provides ==forward secrecy and cryptographic deniability==. X3DH is ==designed for asynchronous settings== where one user (“Bob”) is offline but has published some information to a server. Another user (“Alice”) wants to use that information to send encrypted data to Bob, and also establish a shared secret key for future communication.

Builds on Triple Diffie-Hellman

All keys have public and corresponding private part Alice and Bob both have long term identity keys $IK_A$, $IK_B$ Bob has a signed ‘prekey’ $SPK_B$ which he changes periodically He has a set of one-time ‘prekeys’ $OPK_B$ which are each used up in a single X3DH run (Prekeys are just keys provided in advance of the protocol run) During each run Alice generates a new ephemeral key pair $EK_A$

X3DH has three phases:

1. Bob publishes his identity key and prekeys to a server.
2. Alice fetches a “prekey bundle” from the server, and uses it to send an initial message to Bob.
3. Bob receives and processes Alice’s initial message

Bob publishes to the server:

• identity key $IK_B$
• signed prekey $SPK_B$
• prekey signature Sig($IK_B$, Encode($SPK_B$))
• Set of one-time prekeys $OPK_B$

Alice contacts the server and receives

• $IK_B$
• $SPK_B$
• Sig($IK_B$, Encode($SPK_B$))
• $OPK_B$ (if they aren’t all deleted already) Server deletes used one-time prekeys once they are sent

Alice verifies prekey signature, showing that the signed prekey is authentic to the identity key

Alice generates ephemeral key $EK_A$

If no

See also Leveraging Smart Contracts for Secure and Asynchronous Group Key Exchange Without Trusted Third Party