Why E2EE Without Forward Secrecy Lies to You
"End-to-end encrypted" is a marketing phrase. The honest version of the question is: if my private key is stolen tomorrow, can the attacker decrypt last month's messages? If the answer is yes, the encryption is doing far less than its label implies. The property that says "no" is forward secrecy — and it's not optional.
The threat that matters
The classic encryption threat model imagines a passive observer trying to decrypt messages in real time. That's the easy case. The harder case, and the one nation-state services and large platforms actually face, is store now, decrypt later: an adversary records every encrypted message it can, indefinitely, on the assumption that a key will eventually be compromised — through legal compulsion, server breach, endpoint malware, or future quantum capability.
If your encryption uses a long-lived key directly to encrypt every message, then the day that key falls, your entire archived history falls with it. Forward secrecy (sometimes called perfect forward secrecy, PFS) is the design property that prevents this. It guarantees that compromise of the long-term private key does not enable decryption of any prior session.
How forward secrecy works
The mechanism is conceptually simple: don't use the long-term key to encrypt messages. Use it to authenticate a fresh, short-lived key generated by ephemeral Diffie-Hellman. The session key is computed and then immediately destroyed. Without that exact key, the captured ciphertext is uncrackable even if the attacker later steals every long-term secret on both endpoints.
// Sketch of an ephemeral DH handshake
1. Alice generates ephemeral keypair (a, A=g^a)
2. Bob generates ephemeral keypair (b, B=g^b)
3. Both sign their ephemeral public key with their LONG-TERM identity key
4. Both compute shared secret K = g^(ab)
5. Both ZEROIZE a and b in memory
6. K is used to derive the session encryption key
7. When the session ends, K is also destroyedThe signature in step 3 is what authenticates the handshake — it proves you're really talking to Bob's identity key. But the identity key never directly encrypts anything. Compromising it later lets the attacker impersonate Bob in a future handshake, but it cannot decrypt any past K because a and b are gone.
The Signal protocol's double upgrade
Signal goes a step further. The Double Ratchet derives a new key for every individual message, not just every session. The "ratchet" combines a Diffie-Hellman ratchet (new ephemeral keys when a reply arrives) with a symmetric ratchet (a one-way hash chain advancing with each message). The result has two properties that go beyond classical PFS:
- Forward secrecy: compromise today does not break yesterday.
- Post-compromise security (PCS): compromise today is healed by tomorrow's next ratchet step. After the next round-trip, the attacker is locked back out.
This is the single most important property to look for in a modern messenger. The TLS 1.3 handshake also has forward secrecy by default — but it doesn't have PCS, because TLS sessions don't ratchet through messages the way Signal does.
The messenger scoreboard
| Messenger | E2EE by default? | Forward secrecy? | Post-compromise security? |
|---|---|---|---|
| Signal | Yes | Yes (Double Ratchet) | Yes |
| Yes (Signal protocol) | Yes | Yes — but cloud backups break it (see below) | |
| iMessage (pre-Contact Key Verification) | Yes | No (long-lived RSA keys per device) | No |
| iMessage (PQ3, 2024+) | Yes | Yes (rachet + PQ KEM) | Yes |
| Telegram default chats | No (server-side stored) | N/A | N/A |
| Telegram Secret Chats | Yes | Yes (MTProto 2.0) | No |
| Matrix / Element | Optional, default-on for DMs | Yes (Olm/Megolm) | Partial (Megolm rotates per session) |
| PGP email | Yes (when used) | No | No |
| Discord | No | N/A | N/A |
Two entries deserve particular attention.
PGP: the cautionary tale
PGP is the canonical example of E2EE without forward secrecy. Your private key is the same for every email you receive over years or decades. Subpoena it, steal it, brute-force a weak passphrase — and a fifteen-year archive of "encrypted" mail decrypts in a single batch. PGP is not a bad protocol; it is a 1991 protocol, and the threats have changed. For long-form encrypted communication today, the modern advice is "use Signal" or "use age + ephemeral keys," not "use PGP."
iMessage's quiet upgrade
For most of its history, iMessage authenticated with long-lived RSA-1280 keys per device. Apple shipped PQ3 in early 2024, replacing this with a Signal-style ratchet plus post-quantum KEM (Kyber-1024). It's now arguably the strongest deployed messaging protocol on the planet. The upgrade was nearly invisible to users — which is exactly how cryptography upgrades should happen.
The cloud backup problem
WhatsApp now offers end-to-end encrypted backups (off by default). Signal's backups stay on-device. iMessage backups via iCloud are E2EE only if Advanced Data Protection is enabled — which most users have not turned on. The lesson: forward secrecy is a property of the entire system, not just the protocol. A backup that defeats it defeats it completely.
How to actually verify the property
You can't visually inspect a chat to know if forward secrecy is in play. You can:
- Read the protocol documentation. Real implementations document their handshake. If a service uses generic phrases like "military-grade encryption" without naming the protocol or a peer-reviewed paper, that is the answer.
- Check for ratcheting language. "Per-message keys," "Double Ratchet," "TreeKEM" (the MLS group construction), "ephemeral DH" — these are the markers.
- Check for backup behavior. If the messenger stores messages off-device in any unencrypted form, FS is meaningless against any attacker who reaches the backup.
- Check for safety numbers / verification. Without out-of-band identity verification, you can have all the FS in the world and still be talking to a man-in-the-middle.
The post-quantum shoe drop
Forward secrecy in the classical sense protects against future key theft. It does not, on its own, protect against a future quantum computer breaking the underlying Diffie-Hellman exchange itself. If an adversary records ECDH handshakes today and quantum-breaks them in 2035, those past sessions decrypt — even with classical PFS.
This is why 2024 was the year hybrid post-quantum key exchange went mainstream. Signal's PQXDH, iMessage's PQ3, and TLS 1.3's X25519+Kyber768 hybrid all add a quantum-resistant KEM next to the classical ECDH. Either one breaking is fine; both breaking is required to compromise the session. For "store now, decrypt later" threats with a 10–15 year horizon, this is the only credible defense.
The takeaway
End-to-end encryption is not a binary. The cryptographic difference between Signal's ratchet and a generic "we encrypt your messages" service is the difference between a sealed envelope and a sealed envelope you also burn after reading. They look similar from the outside. Only one of them survives the day someone gets the keys.