Cryptography
How a message is encrypted
Three layers turn your plaintext into a sealed envelope: a quantum-safe handshake, a per-message ratchet, and a wrapper that hides who sent it.
Setting up a chat is a secret handshake that even a future super-computer can’t crack. After that, every single message is locked with a brand-new key, so cracking one message never helps with the next. And the whole thing is put in an envelope that shows only “deliver to” — your name is sealed inside.
Session setup is PQXDH (X3DH over X25519 + ML-KEM-1024 → HKDF root). Messages use the Double Ratchet — per-message AES-256-GCM keys with forward secrecy and post-compromise recovery, plaintext padded to 1024 bytes. The result is wrapped in Sealed Sender: the sender certificate is encrypted to the recipient via ephemeral X25519 → HKDF → XChaCha20-Poly1305.
What each layer buys you
PQXDH
confidentialityA handshake safe even against tomorrow’s quantum computers — set up while your friend is offline.
Classical X25519 + ML-KEM-1024, both through HKDF. Post-quantum forward secrecy; asynchronous.
Double Ratchet
forward secrecyA new lock for every message, so cracking one never unlocks the others — past or future.
Per-message AES-256-GCM keys via ratcheting KDF + DH steps; forward secrecy + post-compromise recovery.
Sealed Sender
metadataThe doorman reads only “deliver to.” Your name is folded up inside the sealed note.
Sender cert encrypted to the recipient; the wire envelope carries recipient + ciphertext only.
1024-byte padding
traffic shapeEvery message is the same size, so a watcher can’t guess “short chat” vs “long document” from the shape.
Plaintext padded to a 1024-byte boundary before encryption; identical to cover-traffic decoys.