Cryptography

How a message is encrypted

Three layers turn your plaintext into a sealed envelope: a quantum-safe handshake, a per-message ratchet, and a wrapper that hides who sent it.

Setting up a chat is a secret handshake that even a future super-computer can’t crack. After that, every single message is locked with a brand-new key, so cracking one message never helps with the next. And the whole thing is put in an envelope that shows only “deliver to” — your name is sealed inside.

Session setup is PQXDH (X3DH over X25519 + ML-KEM-1024 → HKDF root). Messages use the Double Ratchet — per-message AES-256-GCM keys with forward secrecy and post-compromise recovery, plaintext padded to 1024 bytes. The result is wrapped in Sealed Sender: the sender certificate is encrypted to the recipient via ephemeral X25519 → HKDF → XChaCha20-Poly1305.

Plaintext → sealed envelope
the three encryption layers, in order
handshake ratchet sealed sender
Figure. Content is fully encrypted before a single byte reaches the network — the server has no plaintext, no key, and no sender to leak.

What each layer buys you

PQXDH

confidentiality

A handshake safe even against tomorrow’s quantum computers — set up while your friend is offline.

Classical X25519 + ML-KEM-1024, both through HKDF. Post-quantum forward secrecy; asynchronous.

Double Ratchet

forward secrecy

A new lock for every message, so cracking one never unlocks the others — past or future.

Per-message AES-256-GCM keys via ratcheting KDF + DH steps; forward secrecy + post-compromise recovery.

Sealed Sender

metadata

The doorman reads only “deliver to.” Your name is folded up inside the sealed note.

Sender cert encrypted to the recipient; the wire envelope carries recipient + ciphertext only.

1024-byte padding

traffic shape

Every message is the same size, so a watcher can’t guess “short chat” vs “long document” from the shape.

Plaintext padded to a 1024-byte boundary before encryption; identical to cover-traffic decoys.