
The cryptography

End-to-end encryption, explained for humans

PrivaMesh uses the same proven cryptography that secures Signal - X3DH, Double Ratchet and AES-256-GCM - adapted for a serverless world. Here it is without the math.


“End-to-end encrypted” means only the two ends - your device and your contact’s - can read a message. Everything in between sees ciphertext. PrivaMesh takes that further: because there is no server in between at all, the only ends that exist are the two of you. Three well-understood pieces of cryptography make it work.

X3DH - agreeing on a secret without meeting

Before two people can encrypt to each other, they need a shared secret. The X3DH (Extended Triple Diffie-Hellman) handshake, built on Curve25519, lets your devices agree on one even when one of you is offline. It combines several key exchanges so that a first message can be sent immediately and securely. PrivaMesh publishes the needed prekeys as wallet-signed prekey bundles in an on-chain registry, so there is no trusted key server that could hand out a fake key - the signature proves the key belongs to the right wallet. That is the anti-MITM foundation of the whole system.

Double Ratchet - a new key for every message

Once a shared secret exists, the Double Ratchet takes over. Using HKDF and HMAC-SHA256, it derives a brand-new key for every single message and throws the old one away. Two ratchets turn together: one advances with each message, the other with each reply, mixing in fresh key material. This gives you two powerful guarantees:

  • Forward secrecy - if a key leaks today, yesterday’s messages stay locked, because those keys no longer exist.
  • Post-compromise security - if an attacker briefly gets in, the ratchet heals with the next exchange and locks them back out.

Read the full plain-English Double Ratchet explainer.

AES-256-GCM - sealing the payload

The per-message key from the ratchet is used with AES-256-GCM, an authenticated encryption scheme, to seal the actual content. GCM doesn’t just hide the message - it also detects tampering, so a modified ciphertext is rejected rather than silently decrypted wrong. Before encryption, PrivaMesh pads every message to a fixed-size bucket, so an observer can’t infer anything from length. A one-word reply and a long paragraph look identical on the wire.

Where the keys live

All of this depends on keys that only you hold. PrivaMesh stores them in the iOS Keychain - device-only and biometric-lockable. They never sync, never upload, and never touch a server, because there isn’t one. See how your seed phrase and keys work.

The honest trade-off

Forward secrecy has a real cost: deleted keys can’t decrypt old messages, so your chat history cannot be restored from your seed phrase alone. Your seed brings back your funds and identity, not your conversations. That’s the price of true forward secrecy, and we think it’s the right default for a privacy-first messenger.
