System

The master map

Everything in one picture. A message flows top to bottom; each layer states the feature it provides and the protection it contributes. Hit to explore it full-screen with pan & zoom.

Read it like a building. Your device is the top floor where all the locking happens. Below it, each layer adds one job and one protection, and only sealed, unreadable material ever travels down to the vault at the bottom. Three pillars run the full height: quantum-safe crypto, the public key receipt book, and recovery.

The trust boundary is the client. Sealed Sender ciphertext crosses a metadata layer to an oblivious server, then to storage that holds only ciphertext + public keys. Cross-cutting pillars — hybrid PQC, Key Transparency, and recovery — span every layer.

Privex — every layer connected
feature provided · protection contributed
device transport edge server storage
Figure. The further down, the less trusted — and the less each layer is given. By the storage floor, all that remains is ciphertext and public keys.

What each layer provides & protects

Device / client

root of trust

Provides: all crypto, key custody, cover traffic.

Protects: content confidentiality and at-rest data. Plaintext and private keys never leave here.

Metadata / transport

Phase 2 target

Provides: Sealed Sender, padding, jittered receipts, Nym (planned).

Protects: who you talk to and whether you use Privex (Laws 3 & 4).

Edge

config

Provides: TLS, CSP, header hardening, no-log.

Protects: against MITM, injection, DDoS.

Server

blind router

Provides: routing, PoW anti-Sybil, Key Transparency, WS delivery.

Protects: Laws 1 & 2; detects MITM.

Storage

untrusted

Provides: a public-key directory and ephemeral queues.

Protects: via minimal retention & seizure resistance.

Pillars

cross-cutting

PQC: quantum resistance everywhere. KT: MITM detection. Recovery: no key loss, still zero-knowledge.