Use Noise Protocol for synchronous peer-to-peer agent sessions, Signal Protocol (X3DH + Double Ratchet) for asynchronous messaging where agents may be offline, and MLS (RFC 9750) for encrypted group communication across agent fleets. TLS 1.3 remains the right choice when interoperability with existing HTTP infrastructure is required. Each protocol was designed for a different communication shape — using the wrong one adds complexity without adding security.
Why standard TLS is not enough for agent-to-agent communication
TLS was designed for the client-server model: a browser connects to a server, the server proves its identity with a certificate, and the session ends when the response is delivered. Agent-to-agent communication breaks every one of these assumptions.
Agents are peers, not clients and servers. Both sides need to prove identity simultaneously. TLS supports mutual authentication via client certificates, but it treats that as an add-on rather than a first-class primitive. The handshake is asymmetric by design — one side is always the "server" — which maps poorly onto two agents that may each initiate contact with the other at any time.
More fundamentally, TLS 1.3 (RFC 8446) does not provide forward secrecy for session resumption tickets, and it has no native mechanism for the kind of ratcheting encryption that protects long-running agent relationships if a session key is ever compromised.
What is the Noise Protocol Framework and when should agents use it
Noise Protocol is a framework for building cryptographic handshake protocols. It is the foundation underneath WireGuard and was designed specifically for the mutual-authentication, peer-to-peer use case that TLS handles awkwardly.
A Noise handshake is defined by a pattern — a short string like XX or IK that specifies the exact sequence of key exchanges between the two parties. The XX pattern (transmit, transmit) means both sides send their static public keys during the handshake, both sides verify each other's identity, and the session key is derived from an X25519 Diffie-Hellman exchange. The resulting session is encrypted with ChaCha20-Poly1305 (RFC 8439).
Use Noise when:
- Both agents are online simultaneously and need a live encrypted session
- You control both sides of the connection and do not need interoperability with external HTTP infrastructure
- You want minimal handshake overhead — Noise
XXcompletes in one round trip - You are building on UDP or a custom transport (Noise runs on any byte stream)
The Noise specification is 42 pages and formally verifiable. The security properties are well-understood, unlike ad-hoc TLS configurations.
How Signal Protocol handles asynchronous agent messaging with forward secrecy
Signal Protocol solves a different problem: what happens when the receiving agent is offline when the message is sent?
The protocol has two parts. X3DH (Extended Triple Diffie-Hellman) establishes a shared secret between two parties who have never communicated before, even if one party is offline at the time. The sender uses a bundle of prekeys published by the recipient — including a signed prekey and a set of one-time prekeys — to derive the initial session key without requiring the recipient to be present.
The Double Ratchet algorithm then encrypts each message with a fresh key derived by advancing a cryptographic ratchet. This gives two properties that matter for agent communication:
- Forward secrecy: if a session key is compromised, past messages cannot be decrypted
- Break-in recovery: if a key is compromised, the ratchet recovers automatically after a few message exchanges
Use Signal Protocol when:
- Agents communicate asynchronously and cannot be guaranteed to be online simultaneously
- Messages may be stored in transit and you need past messages protected even if future keys leak
- You are building an agent messaging layer analogous to a secure inbox
When to use MLS for group agent communication
Messaging Layer Security (RFC 9750) is the IETF standard for end-to-end encrypted group messaging. It was designed to solve the scaling problem that Signal Protocol has in groups: in a naive implementation, sending one message to N agents requires N separate encrypted copies.
MLS uses a binary tree of X25519 key agreements where updating one member's key requires O(log N) operations rather than O(N). A group of 1,000 agents handles a single member key rotation with roughly 10 cryptographic operations instead of 1,000.
MLS also handles membership changes — adding or removing agents from a group — as first-class protocol operations, each of which produces a new group epoch with fresh key material. An agent removed from the group cannot decrypt messages from later epochs, even if it retains messages it observed while it was a member.
Use MLS when:
- Multiple agents need to participate in a shared encrypted channel
- Membership changes (agents joining, leaving, being revoked) happen regularly
- You need post-compromise security: new group members cannot read historical messages
For an overview of how these properties apply to multi-agent deployments, Pilot Protocol's agent communication security guide covers the practical tradeoffs in production environments.
How to decide: a protocol decision framework
| Scenario | Protocol | Why |
|---|---|---|
| Two agents, both online, need a live session | Noise (XX pattern) |
Symmetric handshake, minimal overhead, no cert infrastructure |
| Agent sends message to offline peer | Signal (X3DH + Double Ratchet) | Async key agreement, per-message forward secrecy |
| Fleet of agents sharing an encrypted channel | MLS (RFC 9750) | Scales to thousands of members, handles membership changes |
| Calling an external HTTP API or human-facing service | TLS 1.3 | Interoperability; the external endpoint requires it |
| Agents communicating over UDP at high frequency | Noise over UDP or DTLS (RFC 9147) | TLS requires TCP; Noise and DTLS work on datagram transports |
| Agents requiring HTTP/3 transport | QUIC (RFC 9000) | QUIC embeds TLS 1.3, eliminates TCP head-of-line blocking |
The common mistake is reaching for TLS because it is familiar, then layering API keys on top for agent identity, and separately solving the group communication problem with a message broker. Each of those layers adds a dependency. The protocols above address identity, encryption, and group membership as integrated properties of the channel — not as separate systems that have to agree with each other.
Frequently asked questions
What algorithm should agent keypairs use?
Ed25519 (RFC 8032) for signing, X25519 (RFC 7748) for key agreement. Both are NIST-recommended and standardised across TLS 1.3, Noise, Signal, and MLS. For regulated environments evaluating post-quantum migration, ML-KEM (FIPS 203) replaces X25519 for key agreement and ML-DSA (FIPS 204) replaces Ed25519 for signatures.
Can Noise and Signal Protocol be combined?
Yes. Signal Protocol itself uses a Noise-derived handshake structure for session establishment. A common architecture uses Noise for the transport session and implements the Double Ratchet on top for per-message forward secrecy. WireGuard does something similar: Noise for the tunnel, with rekeying at configurable intervals.
Does MLS require a central server?
MLS requires a delivery service to distribute group messages and a authentication service to verify member credentials, but neither has to be a single server. The spec explicitly allows federated and decentralised delivery services. Group message confidentiality is end-to-end — the delivery service sees ciphertext only.
What happens to in-flight messages when an agent restarts?
With Signal Protocol, the Double Ratchet state must be persisted to survive restarts. If the ratchet state is lost, messages encrypted to future ratchet positions cannot be decrypted. Store ratchet state in the same secrets manager you use for the agent keypair — AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault — so it survives host replacement.
Is the A2A protocol relevant to this choice?
A2A (Agent-to-Agent, now under the Linux Foundation) is an application-layer protocol that defines how agents exchange tasks, artifacts, and status. It does not specify the transport security layer — that is left to the implementation. A2A messages can be carried over TLS 1.3 for HTTP-based deployments or over Noise/Signal for peer-to-peer deployments. The protocol choice above is orthogonal to A2A adoption.
Top comments (0)