
Root Key

Derived via X3DH handshake

Input to KDF chain for new keys

Symmetric Ratchet - Sending Chain


Each message derives a new Message Key (MK) from the Chain Key (CK):

CK_{n+1}, MK_n = KDF(CK_n)

MK_n used to encrypt message with AES-256-GCM

Ensures every message has a unique key

Symmetric Ratchet - Receiving Chain

Receiver derives same MK sequence using KDF(CK)

Decrypts messages symmetrically

Deletes used keys immediately for forward secrecy

Diffie-Hellman (DH) Ratchet


Triggered when a new DH public key is received

Computes DH(private, public) → new shared secret

New Root Key and fresh Chain Keys via KDF:

RootKey', CKs', CKr' = KDF(RootKey, DH output)

Injects fresh entropy → Post-compromise security

Encryption (Sender)

AES-256-GCM encrypts plaintext with MK_n

Ciphertext and new DH public key sent to recipient

Decryption (Receiver)

Uses same MK_n from KDF(CK_n) to decrypt ciphertext

Updates DH Ratchet when new public key is received

Legend & Notes


• Blue: Root and KDF chains

• Green: Symmetric Ratchets

• Yellow: DH Ratchet (key updates)

• Orange: Encryption/Decryption

• Provides forward secrecy (keys change per message) and post-compromise security (new DH exchanges refresh secrets).
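
The chain and root KDF steps from the diagram, as an added example that is not part of the original diagram or any project's code. Assumptions: the page only says "KDF", so HMAC-SHA256 with the constants 0x01/0x02 is used for the chain step and HKDF-SHA256 for the root step; the X3DH and DH outputs are constructed byte strings rather than real key agreements, and the AES-256-GCM step is left out.

```python
import hashlib
import hmac

def kdf_ck(ck):
    """Symmetric ratchet step: returns (CK_{n+1}, MK_n) from CK_n."""
    mk = hmac.new(ck, b"\x01", hashlib.sha256).digest()       # assumed constant
    next_ck = hmac.new(ck, b"\x02", hashlib.sha256).digest()  # assumed constant
    return next_ck, mk

def hkdf_sha256(salt, ikm, info, length):
    """HKDF (RFC 5869): extract with salt, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def kdf_rk(root_key, dh_output):
    """DH ratchet step: returns (RootKey', CKs', CKr') as on the diagram."""
    okm = hkdf_sha256(root_key, dh_output, b"example-double-ratchet", 96)
    return okm[:32], okm[32:64], okm[64:]

class Chain:
    """One sending or receiving chain; holds only the current chain key."""
    def __init__(self, ck):
        self.ck = ck

    def next_message_key(self):
        self.ck, mk = kdf_ck(self.ck)  # CK_n is overwritten, not kept
        return mk

def demo():
    # Constructed inputs standing in for the X3DH and DH results.
    root = hashlib.sha256(b"constructed X3DH output").digest()
    dh1 = hashlib.sha256(b"constructed DH output 1").digest()
    dh2 = hashlib.sha256(b"constructed DH output 2").digest()
    root, ck_s, _ = kdf_rk(root, dh1)
    sender, receiver = Chain(ck_s), Chain(ck_s)  # peer's receiving chain
    sent = [sender.next_message_key() for _ in range(3)]
    received = [receiver.next_message_key() for _ in range(3)]
    exposed = Chain(sender.ck)  # copy of chain state after message 3
    same_chain = exposed.next_message_key() == sender.next_message_key()
    root, ck_s2, _ = kdf_rk(root, dh2)  # DH ratchet mixes in a fresh DH output
    healed = Chain(ck_s2).next_message_key() != exposed.next_message_key()
    return sent, received, same_chain, healed

if __name__ == "__main__":
    print(demo())
```

`same_chain` is True because an exposed chain key still yields the next message keys of that chain; `healed` is True because the chain keys produced after the DH ratchet step cannot be derived from it.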

part c advanced cyber

by Damil
