Tessera vs Signal Protocol
Signal set the bar for end-to-end content encryption in consumer messaging. Tessera targets a different layer: hiding the metadata that Signal's server still sees. This page compares the two on content, authentication, metadata privacy, architecture, and when each is the right tool.
TL;DR
| Feature | Tessera | Signal |
|---|---|---|
| Content encryption | AES-GCM (symmetric) | Double Ratchet + AES-GCM |
| Sender authentication | ZK Schnorr / Fiat–Shamir proof | Implicit via key exchange (no protocol-level proof) |
| Metadata privacy | (ε,δ)-DP cover traffic + blinded pseudonyms | None — server sees full social graph |
| Central authority | None (P2P, pairwise enrolment) | Required (Signal's server / sealed sender relay) |
| DP cover traffic | Yes, calibrated (ε,δ) | No |
| Blinded pseudonyms | Y′ = Y + t·G per recipient per delivery | No (static identity keys) |
| Decentralized routing | Bucketed broadcast over P2P gossip | Central relay service |
| License | MIT | AGPLv3 (server), GPLv3 (client) |
| Language | Python | Java, Rust, TypeScript |
What Signal does well
Signal's content encryption is the industry reference. The Double Ratchet provides forward secrecy and post-compromise security for message bodies; X3DH handles asynchronous key agreement so a sender can message a recipient who is offline. The protocol has been audited repeatedly, ships in production clients used by hundreds of millions of people, and has a mature ecosystem of libraries across Java, Rust, and TypeScript.
As a product, Signal is polished: it has a large user base, mobile and desktop clients, group messaging, voice/video, and a non-profit steward that has resisted pressure to weaken the design. For consumer messaging where the goal is "encrypt the content well," Signal is hard to beat.
Where Signal falls short
Signal encrypts the content of messages but not themetadata. The Signal server — and any adversary that compromises it or compels it — sees:
- Who messages whom (the full social graph of every user).
- When each message is sent and its size.
- How often two parties communicate and the frequency pattern.
- Which users are online at overlapping times.
Sealed Sender removes the sender's identity from the packet envelope but does not hide the recipient or the timing — a global observer (or the server itself) can still reconstruct the graph. Signal the organization necessarily operates the central server, which is a metadata concentration point by construction.
Signal also has no protocol-level sender authentication. Anyone who holds a session key can send a message; there is no zero-knowledge proof that ties a message to a long-term identity without revealing that identity. Authentication is implicit in the key agreement, not an explicit, verifiable claim.
How Tessera differs
Tessera treats metadata as a first-class secret. Four mechanisms combine to hide the social graph:
- Differentially-private cover traffic. Each node emits calibrated noise so a global observer cannot distinguish a real delivery from a cover message beyond an (ε,δ) bound.
- Per-recipient blinded pseudonyms. A sender appears under Y′ = Y + t·G, where t = H(seed ‖ session_id) mod q. Different recipients see different, unlinkable pseudonyms for the same sender.
- ZK sender authentication. A Schnorr / Fiat–Shamir proof lets a sender prove knowledge of their secret key to a recipient without revealing the key or the long-term identity behind the blind.
- Decentralized bucketed broadcast. Messages are routed by bucket and Bloom fingerprint over a P2P gossip network; no single node observes the full routing graph.
The result is a protocol where no central authority, no homeserver, and no relay sees who is talking to whom. Privacy is a formal property with a tunable (ε,δ) parameter, not an aspiration.
Detailed feature comparison
| Capability | Tessera | Signal |
|---|---|---|
| Content encryption algorithm | AES-GCM | AES-GCM (under Double Ratchet) |
| Forward secrecy (content) | No (per-delivery keys, no ratchet) | Yes (Double Ratchet) |
| Sender authentication | Explicit ZK proof | Implicit (session key possession) |
| Recipient anonymity from server | Yes (bucketed broadcast) | No (server routes to recipient) |
| Sender anonymity from server | Yes (DP cover + blinding) | Partial (Sealed Sender only) |
| Cross-recipient unlinkability | Yes (per-recipient blinding) | No (single identity key) |
| Formal privacy guarantee | (ε,δ)-DP on delivery counts | None for metadata |
| Topology | P2P gossip (mesh or ring) | Central server |
| Enrolment | Pairwise, local | Phone-number based, central |
| License | MIT | AGPLv3 / GPLv3 |
| Primary language | Python | Java, Rust, TypeScript |
When to choose which
Choose Signal when
- You need a complete, ready-to-use consumer messaging app.
- Content encryption is sufficient and metadata exposure is an accepted risk.
- You want forward secrecy and a mature, audited ratcheting protocol.
- You need voice/video, group chat, and a large existing user base.
Choose Tessera when
- You need metadata privacy — no server may see the social graph.
- You need explicit, verifiable sender authentication (ZK proof).
- You cannot deploy or trust a central server.
- You are building a custom application and want a protocol primitive, not an app.
- You want a formal (ε,δ)-differential-privacy bound on traffic analysis.
Frequently asked questions
Does Tessera replace Signal for consumer messaging?
No. Signal is a complete, polished messaging app with a large user base; Tessera is a protocol primitive for builders who need metadata privacy and sender authentication inside their own application. They serve different audiences.
Why does metadata matter if content is end-to-end encrypted?
Metadata — who messages whom, when, and how often — reveals the social graph. A server that sees metadata can infer relationships, group membership, and patterns of life even when it cannot read a single message body.
Does Tessera use the Double Ratchet or X3DH like Signal?
No. Tessera uses AES-GCM for content encryption, Schnorr / Fiat–Shamir zero-knowledge proofs for sender authentication, and per-recipient blinded pseudonyms. It does not implement forward-secrecy ratcheting in the Signal sense; it targets a different threat surface (metadata) rather than content forward secrecy.