System
The master map
Everything in one picture. A message flows top to bottom; each layer states the feature it provides and the protection it contributes. Hit ⤢ to explore it full-screen with pan & zoom.
Read it like a building. Your device is the top floor where all the locking happens. Below it, each layer adds one job and one protection, and only sealed, unreadable material ever travels down to the vault at the bottom. Three pillars run the full height: quantum-safe crypto, the public key receipt book, and recovery.
The trust boundary is the client. Sealed Sender ciphertext crosses a metadata layer to an oblivious server, then to storage that holds only ciphertext + public keys. Cross-cutting pillars — hybrid PQC, Key Transparency, and recovery — span every layer.
What each layer provides & protects
Device / client
root of trustProvides: all crypto, key custody, cover traffic.
Protects: content confidentiality and at-rest data. Plaintext and private keys never leave here.
Metadata / transport
Phase 2 targetProvides: Sealed Sender, padding, jittered receipts, Nym (planned).
Protects: who you talk to and whether you use Privex (Laws 3 & 4).
Edge
configProvides: TLS, CSP, header hardening, no-log.
Protects: against MITM, injection, DDoS.
Server
blind routerProvides: routing, PoW anti-Sybil, Key Transparency, WS delivery.
Protects: Laws 1 & 2; detects MITM.
Storage
untrustedProvides: a public-key directory and ephemeral queues.
Protects: via minimal retention & seizure resistance.
Pillars
cross-cuttingPQC: quantum resistance everywhere. KT: MITM detection. Recovery: no key loss, still zero-knowledge.