# Cryptography Overview

quicprochat layers multiple cryptographic protocols to provide confidentiality, integrity, authentication, forward secrecy, and post-compromise security. This page catalogues every algorithm in the system, the crate that supplies it, and the security margin it provides.

## Algorithm Inventory

| Algorithm | Purpose | Crate | Security Level |
|-----------|---------|-------|----------------|
| Ed25519 | Identity signing, MLS credentials | `ed25519-dalek 2` | 128-bit classical |
| X25519 | MLS HPKE key exchange, Hybrid KEM | `x25519-dalek 2` | 128-bit classical |
| AES-128-GCM | MLS AEAD | `openmls` (via RustCrypto) | 128-bit |
| SHA-256 | Key fingerprints, HKDF | `sha2 0.10` | 128-bit collision resistance |
| ML-KEM-768 | Post-quantum KEM | `ml-kem 0.2` | NIST Level 3 (~192-bit PQ) |
| HKDF-SHA256 | Key derivation | `hkdf 0.12` | Depends on input entropy |

> **Note:** The system provides 128-bit classical security throughout. When the
> hybrid KEM is active (M5 onward), content encryption gains 192-bit
> post-quantum security via ML-KEM-768.

## Where Each Algorithm Appears

### Transport Layer

**QUIC/TLS 1.3** (via `quinn 0.11` + `rustls 0.23`): Provides the encrypted transport tunnel. The TLS 1.3 handshake negotiates an ephemeral ECDHE key exchange (X25519 or P-256, depending on the peer) and an AEAD cipher (AES-128-GCM or ChaCha20-Poly1305). This layer protects connection metadata from passive network observers.

### Application Layer

1. **MLS (RFC 9420)** (via `openmls 0.5`): Provides end-to-end encrypted group messaging. The ciphersuite is `MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519`, which uses:
   - X25519 for DHKEM (HPKE key exchange)
   - AES-128-GCM for content encryption
   - SHA-256 for the KDF and transcript hashing
   - Ed25519 for signing Commits, Proposals, and credentials

2. **Hybrid KEM** (via `ml-kem 0.2` + `x25519-dalek 2` + `hkdf 0.12`): An outer encryption layer combining X25519 and ML-KEM-768.
   The combined shared secret is derived through HKDF-SHA256 and used with ChaCha20-Poly1305 for AEAD. See [Post-Quantum Readiness](post-quantum-readiness.md) for integration plans.

### Identity Layer

- **Ed25519** provides long-term identity signing. Each client generates a single Ed25519 keypair that serves as the MLS `BasicCredential`, the Authentication Service registration key, and the delivery queue index. See [Ed25519 Identity Keys](identity-keys.md).
- **SHA-256** computes key fingerprints -- a 32-byte digest of the Ed25519 public key bytes used for compact, collision-resistant identification in logs and protocol messages.

## Security Level Summary

All classical algorithms in the system target at least 128-bit security. The post-quantum component (ML-KEM-768) targets NIST Level 3, which corresponds to roughly 192-bit security against quantum adversaries.

The weakest classical link is the 128-bit security level of AES-128-GCM in the MLS ciphersuite. This is consistent with the IETF's recommended MLS ciphersuite and is considered adequate for the foreseeable future.

```text
Layer               Classical Security        Post-Quantum Security
--------------------------------------------------------------------
QUIC/TLS 1.3        128-bit (ECDHE)           None (classical only)
MLS (content)       128-bit (AES-128-GCM)     None (classical only)
Hybrid KEM (M5+)    128-bit (X25519)          ~192-bit (ML-KEM-768)
```

See the [Threat Model](threat-model.md) for a discussion of what is and is not protected, and [Forward Secrecy](forward-secrecy.md) and [Post-Compromise Security](post-compromise-security.md) for the advanced security properties these algorithms enable.
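The two derivation steps this page only names, the HKDF-SHA256 combiner behind the hybrid KEM (Application Layer, item 2) and the SHA-256 key fingerprint (Identity Layer), are shown below as an added, stand-alone example; it is not quicprochat's code and does not use the `hkdf`, `x25519-dalek` or `ml-kem` crates. HKDF is implemented from RFC 5869 on top of the Python standard library so it can be checked against the RFC test vectors. The domain-separation label `HYBRID_INFO`, the concatenation order `x25519 || ml-kem`, and the transcript binding are assumptions for illustration, not the project's actual wire format, and the two 32-byte shared secrets are constructed stand-ins for what X25519 and ML-KEM-768 decapsulation would return.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2): PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC 5869: an absent salt means HashLen zero bytes
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3): T(i) = HMAC-SHA256(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 cannot derive more than 8160 bytes")
    okm = b""
    block = b""  # T(0) is the empty string
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF-SHA256: Extract then Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


# Hypothetical domain-separation label: the page does not state the label or the
# concatenation order the project actually uses.
HYBRID_INFO = b"quicprochat hybrid kem v1 (example label)"


def combine_hybrid_secrets(x25519_ss: bytes, mlkem_ss: bytes, *, transcript: bytes = b"") -> bytes:
    """Derive a 32-byte ChaCha20-Poly1305 key from the X25519 and ML-KEM-768 shared secrets.

    Both secrets feed the IKM, so recovering the key requires breaking BOTH X25519
    and ML-KEM-768. The transcript (public keys / ciphertexts of this exchange) is
    mixed into the info field so the derived key is bound to this exchange only.
    """
    if len(x25519_ss) != 32 or len(mlkem_ss) != 32:
        raise ValueError("expected 32-byte shared secrets")
    if x25519_ss == bytes(32):
        # An all-zero X25519 output means the peer sent a low-order point;
        # a non-contributory exchange must be rejected, not fed into the KDF.
        raise ValueError("non-contributory X25519 shared secret")
    ikm = x25519_ss + mlkem_ss  # assumed order: classical secret first
    return hkdf_sha256(salt=b"", ikm=ikm, info=HYBRID_INFO + transcript, length=32)


def fingerprint(ed25519_public_key: bytes) -> bytes:
    """Key fingerprint: SHA-256 over the raw 32-byte Ed25519 public key."""
    if len(ed25519_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return hashlib.sha256(ed25519_public_key).digest()


# Constructed sample values standing in for real x25519-dalek / ml-kem outputs.
SAMPLE_X25519_SS = bytes(range(32))
SAMPLE_MLKEM_SS = bytes(range(32, 64))
SAMPLE_PUBKEY = b"\x11" * 32


def demo() -> tuple[str, str]:
    """Derive an AEAD key from the sample secrets and fingerprint the sample key."""
    key = combine_hybrid_secrets(SAMPLE_X25519_SS, SAMPLE_MLKEM_SS, transcript=b"constructed-transcript")
    return key.hex(), fingerprint(SAMPLE_PUBKEY).hex()


if __name__ == "__main__":
    key_hex, fp_hex = demo()
    print("derived AEAD key:", key_hex)
    print("fingerprint:     ", fp_hex)
```

The low-order-point check is the caveat worth keeping: X25519 yields an all-zero shared secret when the peer supplies a small-subgroup point, and an HKDF over that value would silently produce a key the attacker can also compute, so a combiner should refuse it before derivation (the `x25519-dalek` crate exposes this condition on its `SharedSecret`).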
## Related Pages

- [Ed25519 Identity Keys](identity-keys.md) -- long-term signing keypair
- [Key Lifecycle and Zeroization](key-lifecycle.md) -- creation through destruction
- [Forward Secrecy](forward-secrecy.md) -- past message protection
- [Post-Compromise Security](post-compromise-security.md) -- future message recovery
- [Post-Quantum Readiness](post-quantum-readiness.md) -- ML-KEM-768 hybrid KEM
- [Threat Model](threat-model.md) -- attacker models and known gaps