Core Concepts

Forward secrecy

Even if an attacker records every encrypted message you send today and later compromises your device, they cannot read your past messages. The keys that encrypted them have already been deleted β€” permanently.

πŸ’‘ One sentence definition

Forward secrecy means that the compromise of a long-term key does not compromise past session keys. Each message is encrypted with a unique, ephemeral key that is deleted the moment it is used.

Without forward secrecy

Systems without forward secrecy use a single long-term secret for an entire session or conversation. This is efficient, but catastrophic once that key is stolen: an attacker who has been recording ciphertext since day one can decrypt the entire conversation history retroactively.

Without forward secrecy: one long-lived key
static_key   same key used for all messages, never rotated
Msg 1   encrypt(plaintext, static_key)
Msg 2   encrypt(plaintext, static_key)
Msg 3   encrypt(plaintext, static_key)
Msg 4   encrypt(plaintext, static_key)   ← key stolen here
Msg 5   encrypt(plaintext, static_key)
Attacker has static_key → can decrypt all 5 messages, including ones sent years ago that were recorded in transit.

With forward secrecy

Encra generates a unique message key for every single message. Each key is derived from the current chain key, used to encrypt exactly one message, then zeroed from memory. Even if an attacker obtains the current chain key, every past message key is gone: each was zeroed after its single use and was never written anywhere. (The current chain key does yield future keys in the same chain; that is what the DH ratchet in the Break-in recovery section addresses.)

With forward secrecy: unique key per message, deleted after use
Msg 1   encrypt(plaintext, MK₁)   key deleted ✓
Msg 2   encrypt(plaintext, MK₂)   key deleted ✓
Msg 3   encrypt(plaintext, MK₃)   key deleted ✓
Msg 4   encrypt(plaintext, MK₄)   ← key stolen here
Msg 5   encrypt(plaintext, MK₅)   future
Attacker has MK₄ → can only decrypt Msg 4. MK₁–MK₃ are gone forever, so past messages stay private.

The recorded-traffic attack

The most realistic threat model for forward secrecy is the harvest-now, decrypt-later attack: a passive adversary records all encrypted traffic today, then waits for an opportunity to steal the keys. This is not hypothetical β€” intelligence agencies and sophisticated attackers routinely store encrypted traffic for future decryption.

The recorded-traffic attack: forward secrecy vs none
2024 Jan    Alice and Bob start chatting
2024 Apr    Attacker begins recording ciphertext
2024–2025   Thousands of messages exchanged
2025 Mar    Attacker obtains Alice's device
2025 Mar    Attacker reads Alice's current ratchet state
Result      Without FS: all recorded messages decryptable
Result      With FS: only future messages at risk; past keys gone

How Encra implements it

The Double Ratchet provides forward secrecy through the symmetric KDF chain. For every message:

  1. A message key is derived: MK = BLAKE2b(chain_key, 0x01)
  2. The chain key advances: CK_next = BLAKE2b(chain_key, 0x02)
  3. The message is encrypted with MK using XSalsa20-Poly1305.
  4. MK is zeroed from memory β€” it is never stored to disk, never logged, never persisted.
```typescript
// Inside DoubleRatchet.encrypt(), simplified
encrypt(plaintext: string): EncryptedMessage {
  // Step the symmetric chain: one-way, cannot be reversed.
  // kdfChain returns the next chain key and this message's key.
  const [newChainKey, messageKey] = kdfChain(this.sendingChainKey)
  this.sendingChainKey = newChainKey   // advance; the previous CK is no longer referenced
  this.sendingN++                      // message index within this sending chain

  // Encrypt with the ephemeral message key (XSalsa20-Poly1305, fresh nonce per message)
  const { ciphertext, nonce } = encrypt(plaintext, messageKey)

  // Zero the message key. This clears the Uint8Array in place; in a garbage-collected
  // runtime it is best effort, since transient copies inside the KDF or AEAD are not under our control.
  messageKey.fill(0)

  // The header carries our current DH public key, this message's index n and the
  // previous chain length pn, so the receiver can derive the same message key.
  return {
    header: { publicKey: this.dhSendPair.publicKey, n: this.sendingN - 1, pn: this.pn },
    ciphertext,
    nonce,
  }
}
```

β„Ή One-way KDF

The KDF (BLAKE2b-256) is a one-way function: you can compute CK_{n+1} from CK_n, but you cannot reverse the step to recover CK_{n-1} (or MK_{n-1}) from CK_n. This is what makes the chain one-directional: the ratchet only clicks forward. The flip side is that CK_n does yield every later key in the same chain, which is why the DH ratchet described under Break-in recovery is also needed.

Break-in recovery

Forward secrecy protects past messages. But what about future messages after a breach? The KDF chain alone cannot help here β€” if the attacker has the current chain key, they can derive all future message keys in that chain.

The DH ratchet solves this. Every time the conversation changes direction (Alice sends, then Bob replies), the replying side generates a fresh ephemeral DH key pair and sends its public half in the message header; both sides run a DH agreement and mix the new shared secret into the root key, from which a fresh chain key is derived. Over one round trip both sides have contributed fresh key material, and the old chain key becomes useless for deriving any later message, even if the attacker had it.

Break-in recovery: automatic healing after compromise
✗   Breach: session compromised, attacker has the chain key
⟳   DH ratchet step: a fresh ephemeral key pair is generated and its public half exchanged
✓   After the step: the stolen chain key is useless; the new chain is derived from a fresh DH secret the attacker never had

This happens automatically on every direction change in the conversation. No user action needed. No re-handshake. No perceptible delay.

πŸ’‘ Why this matters in practice

Malware that briefly reads a device's memory captures a snapshot of the current ratchet state, including the current DH private key. That snapshot keeps working for exactly one ratchet step: when the peer's next fresh public key arrives, the attacker can run the same DH agreement with the stolen private key. It stops working as soon as the compromised side generates its own fresh key pair (which it does on its next send after receiving that key), because the following root-key step depends on a private key the attacker never saw. They don't need to be evicted from the device; the protocol evicts them mathematically, provided their access ended before that fresh key pair was generated.
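The healing sequence just described, traced at the level of root and chain keys. This is an added example written for this page, not Encra's code: it uses Node's X25519 for the DH agreement and a BLAKE2b-512 split as a stand-in root KDF (the page does not specify Encra's root KDF), and the names `dh`, `kdfRoot` and `demoBreakInRecovery` are assumptions. An attacker snapshots Alice's state (root key plus her current DH private key a1), Bob replies with a fresh pair b2, and then Alice replies with a fresh pair a2. The example shows that the attacker can follow the first step but not the second.

```typescript
import { createHash, diffieHellman, generateKeyPairSync, randomBytes } from 'node:crypto'
import type { KeyObject } from 'node:crypto'

type Key = Buffer
interface DhPair { publicKey: KeyObject; privateKey: KeyObject }

// X25519 agreement between my private key and their public key.
function dh(mine: DhPair, theirPublic: KeyObject): Buffer {
  return diffieHellman({ privateKey: mine.privateKey, publicKey: theirPublic })
}

// Root KDF stand-in (assumption): BLAKE2b-512(root_key || dh_output) split into
// (new root key, new chain key). Any sound KDF gives the same healing property.
function kdfRoot(rootKey: Key, dhOut: Buffer): [Key, Key] {
  const out = createHash('blake2b512').update(rootKey).update(dhOut).digest()
  return [Buffer.from(out.subarray(0, 32)), Buffer.from(out.subarray(32, 64))]
}

function demoBreakInRecovery(): { step1Exposed: boolean; step2Healed: boolean; partiesAgree: boolean } {
  // Constructed session state: both sides hold root key rk0; Alice's current DH pair is a1
  // and Bob already knows a1's public half (Bob's own previous pair plays no further role).
  const rk0 = randomBytes(32)
  const a1 = generateKeyPairSync('x25519')

  // Compromise: malware snapshots Alice's memory and leaves. It holds rk0 and a1's private key.
  const stolen = { rootKey: Buffer.from(rk0), dhPair: a1 as DhPair }

  // Direction change 1: Bob replies with a fresh pair b2. Both sides ratchet the root key.
  const b2 = generateKeyPairSync('x25519')
  const [bobRK1, bobCK1] = kdfRoot(rk0, dh(b2, a1.publicKey))       // Bob's new sending chain
  const [aliceRK1, aliceCK1] = kdfRoot(rk0, dh(a1, b2.publicKey))   // Alice's receiving chain
  // The attacker sees b2's public key in the header and still holds a1: this step is NOT healed.
  const [attRK1, attCK1] = kdfRoot(stolen.rootKey, dh(stolen.dhPair, b2.publicKey))

  // Direction change 2: Alice replies with a fresh pair a2, generated after the malware left.
  const a2 = generateKeyPairSync('x25519')
  const [aliceRK2, aliceCK2] = kdfRoot(aliceRK1, dh(a2, b2.publicKey))   // Alice's sending chain
  const [bobRK2, bobCK2] = kdfRoot(bobRK1, dh(b2, a2.publicKey))         // Bob's receiving chain
  // The attacker sees a2's public key but holds neither a2's nor b2's private key.
  // The stale a1 is the best input they have, and it produces the wrong chain.
  const [, attCK2] = kdfRoot(attRK1, dh(stolen.dhPair, b2.publicKey))

  return {
    step1Exposed: attCK1.equals(aliceCK1) && attCK1.equals(bobCK1),   // attacker follows along
    step2Healed: !attCK2.equals(aliceCK2),                             // snapshot is now useless
    partiesAgree: aliceRK2.equals(bobRK2) && aliceCK2.equals(bobCK2),  // protocol still in sync
  }
}
```

The practical reading: the window of exposure after a memory snapshot is the remainder of the current chains plus one incoming DH step, and it closes the moment the compromised side's next send carries a key pair the attacker never held.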

Guarantees & limits

| Threat | Protection | Notes |
|---|---|---|
| Long-term key theft | ✓ Past messages safe | Message keys already deleted; the long-term key only affects key registration. |
| Current chain key stolen | ✓ Past messages safe | Only future messages in that chain are at risk, until the next DH ratchet step. |
| Full device compromise | ✓ Past messages safe (as recorded in transit) | Current and future messages are at risk until the ratchet heals. If the client keeps a message history on the device, that history is plaintext on the device and outside what forward secrecy covers. |
| Recorded traffic + future key theft | ✓ Past messages safe | KDF chain is one-way; past message keys cannot be derived. |
| Real-time device access | ✗ Active session at risk | If the attacker can read plaintext from the screen or memory as you type, no protocol helps. |
| Server compromise | ✓ All messages safe | The server stores only public keys and encrypted blobs it cannot read. |

🚨 What forward secrecy cannot protect

Forward secrecy is a property of key material: it guarantees that ciphertext captured in transit stays unreadable after a later key compromise, and it says nothing about the plaintext itself. If Alice's screen or clipboard is compromised while she is reading a message, the attacker sees the plaintext directly, and any message history the client keeps on the device is likewise plaintext as far as forward secrecy is concerned. Encryption protects data in transit and at rest; it cannot protect data in use on a compromised endpoint.
