End-to-end Encryption

“Trust your application, not the network”


End-to-end encryption (E2EE) is the most secure way to communicate privately online. By encrypting information at the sender and decrypting it only at the receiver, end-to-end encryption prevents anyone in the middle from reading that information.

E2EE vs network security

With End-to-End Encryption (E2EE) there is no need for a secure channel. Instead of relying on a communication protocol lower in the stack to handle the encryption, the application that created the message will handle encryption and decryption of its own communication.

The key difference between traditional channel (“session”, “tunnel”) security and object security, which is based on payload encryption, is that with object security the application does not need to trust the channel or the relaying nodes between sender and receiver.


Consider the case of an email message. When it’s carried over an IPsec or TLS secured connection, the message is protected during transmission. However, it is unprotected in the receiver’s mailbox, and in intermediate servers, hubs, etc., along the way.

By contrast, with object security, the entire message is encrypted and integrity protected until it is examined and decrypted by the recipient.  It also provides strong authentication of the actual sending device.
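An added example (not HYKER, PGP or Signal code) of object security for a single message, using the hybrid construction this page mentions (encrypt the payload symmetrically, then encrypt the key asymmetrically) plus a sender signature. The algorithm choices (AES-256-GCM, RSA-OAEP, Ed25519), the function names, the keys and the message are assumptions constructed for illustration.

```javascript
// Added example; constructed keys and message, not HYKER, PGP or Signal code.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const der = (publicKey) => publicKey.export({ type: 'spki', format: 'der' });

// Constructed identities: recipient RSA key pair (key wrapping) and
// sender Ed25519 key pair (authenticates the sending device).
const recipient = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sender = nodeCrypto.generateKeyPairSync('ed25519');

// Sender: encrypt the payload symmetrically, wrap the key asymmetrically, sign the object.
function seal(plaintext, recipientPublicKey, senderPrivateKey) {
  const key = nodeCrypto.randomBytes(32);   // one-time AES-256 content key
  const iv = nodeCrypto.randomBytes(12);    // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  // Bind the ciphertext to the sender identity via the AEAD associated data.
  cipher.setAAD(der(nodeCrypto.createPublicKey(senderPrivateKey)));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const wrappedKey = nodeCrypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, key);
  // Every signed field except the ciphertext has a fixed length, so concatenation is unambiguous.
  const signed = Buffer.concat([wrappedKey, iv, tag, ciphertext]);
  const signature = nodeCrypto.sign(null, signed, senderPrivateKey);
  return { wrappedKey, iv, tag, ciphertext, signature };
}

// Recipient: check the sender's signature, then unwrap the key and decrypt.
function unseal(envelope, recipientPrivateKey, senderPublicKey) {
  const { wrappedKey, iv, tag, ciphertext, signature } = envelope;
  const signed = Buffer.concat([wrappedKey, iv, tag, ciphertext]);
  if (!nodeCrypto.verify(null, signed, senderPublicKey, signature)) {
    throw new Error('envelope was modified or not signed by the expected sender');
  }
  const key = nodeCrypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, wrappedKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(der(senderPublicKey));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Untrusted relay (mail server, hub, broker): holds the envelope but no keys.
// With modify=true it flips one ciphertext bit to model corruption in transit or at rest.
function relay(envelope, modify = false) {
  const stored = { ...envelope, ciphertext: Buffer.from(envelope.ciphertext) };
  if (modify) stored.ciphertext[0] ^= 0x01;
  return stored;
}

const envelope = seal('constructed sample message', recipient.publicKey, sender.privateKey);
console.log(unseal(relay(envelope), recipient.privateKey, sender.publicKey));
```

The relay only ever handles `wrappedKey`, `iv`, `tag`, `ciphertext` and `signature`, so the message stays protected at rest on intermediate nodes, which is the property channel encryption alone does not give.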

Different End-to-End Encryption models

E2EE comes in different flavors depending on the purpose the model has been developed for.


  • Designed for e2e secure email.
  • Simple in construction (encrypt email symmetrically, then encrypt key asymmetrically)
  • Identity tied to email
  • Decentralised authentication (Web of Trust)
  • GPLv3


  • Designed for Perfect Forward Secrecy (Throw everything away)
  • Complex in construction (X3DH, double ratchet)
  • Identity tied to phone number
  • Access control decided by device at send time
  • GPLv3 for clients & AGPLv3 for servers
  • Operates between recipients known and registered at send time

Read more about HYKER vs Signal here


  • Designed for retroactive access and dynamic trust
  • Key sharing at decryption, not encryption
  • Simple in construction
  • Bring your own identity
  • Dynamic recipient set
  • Grant access to messages retroactively
  • Access control delegation possible
  • Commercial Software License


End-to-end x x x
Multiple devices x x
Any Identity x
Perfect Forward Secrecy x
Access Control Delegation x
Dynamic Groups x


HYKER End-to-End Security provides all necessary functionality, including encryption key distribution, for simplified development of fully asynchronous end-to-end secure applications.

