c/quicproquo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
501f5a577c54d56be069fdb2f75d61124fd6c65b
quicproquo/docs/src/cryptography/overview.md
Chris Nennemann 853ca4fec0 chore: rename project quicnprotochat -> quicproquo (binaries: qpq) 
Rename the entire workspace:
- Crate packages: quicnprotochat-{core,proto,server,client,gui,p2p,mobile} -> quicproquo-*
- Binary names: quicnprotochat -> qpq, quicnprotochat-server -> qpq-server,
  quicnprotochat-gui -> qpq-gui
- Default files: *-state.bin -> qpq-state.bin, *-server.toml -> qpq-server.toml,
  *.db -> qpq.db
- Environment variable prefix: QUICNPROTOCHAT_* -> QPQ_*
- App identifier: chat.quicnproto.gui -> chat.quicproquo.gui
- Proto package: quicnprotochat.bench -> quicproquo.bench
- All documentation, Docker, CI, and script references updated

HKDF domain-separation strings and P2P ALPN remain unchanged for
backward compatibility with existing encrypted state and wire protocol.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-01 20:11:51 +01:00

91 lines
4.1 KiB
Markdown
Raw Blame History

# Cryptography Overview
quicproquo layers multiple cryptographic protocols to provide confidentiality,
integrity, authentication, forward secrecy, and post-compromise security. This
page catalogues every algorithm in the system, the crate that supplies it, and
the security margin it provides.
## Algorithm Inventory
| Algorithm | Purpose | Crate | Security Level |
|-----------|---------|-------|----------------|
| Ed25519 | Identity signing, MLS credentials | `ed25519-dalek 2` | 128-bit classical |
| X25519 | MLS HPKE key exchange, Hybrid KEM | `x25519-dalek 2` | 128-bit classical |
| AES-128-GCM | MLS AEAD | `openmls` (via RustCrypto) | 128-bit |
| SHA-256 | Key fingerprints, HKDF | `sha2 0.10` | 128-bit collision resistance |
| ML-KEM-768 | Post-quantum KEM | `ml-kem 0.2` | NIST Level 3 (~192-bit PQ) |
| HKDF-SHA256 | Key derivation | `hkdf 0.12` | Depends on input entropy |
> **Note:** The system provides 128-bit classical security throughout. When the
> hybrid KEM is active (M5 onward), content encryption gains 192-bit
> post-quantum security via ML-KEM-768.
## Where Each Algorithm Appears
### Transport Layer
**QUIC/TLS 1.3** (via `quinn 0.11` + `rustls 0.23`): Provides the encrypted
transport tunnel. The TLS 1.3 handshake negotiates an ephemeral ECDHE key
exchange (X25519 or P-256, depending on the peer) and an AEAD cipher
(AES-128-GCM or ChaCha20-Poly1305). This layer protects connection metadata
from passive network observers.
### Application Layer
1. **MLS (RFC 9420)** (via `openmls 0.5`): Provides end-to-end encrypted
group messaging. The ciphersuite is
`MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519`, which uses:
- X25519 for DHKEM (HPKE key exchange)
- AES-128-GCM for content encryption
- SHA-256 for the KDF and transcript hashing
- Ed25519 for signing Commits, Proposals, and credentials
2. **Hybrid KEM** (via `ml-kem 0.2` + `x25519-dalek 2` + `hkdf 0.12`):
An outer encryption layer combining X25519 and ML-KEM-768. The combined
shared secret is derived through HKDF-SHA256 and used with
ChaCha20-Poly1305 for AEAD. See
[Post-Quantum Readiness](post-quantum-readiness.md) for integration plans.
### Identity Layer
- **Ed25519** provides long-term identity signing. Each client generates a
single Ed25519 keypair that serves as the MLS `BasicCredential`, the
Authentication Service registration key, and the delivery queue index. See
[Ed25519 Identity Keys](identity-keys.md).
- **SHA-256** computes key fingerprints -- a 32-byte digest of the Ed25519
public key bytes used for compact, collision-resistant identification in logs
and protocol messages.
## Security Level Summary
All classical algorithms in the system target at least 128-bit security. The
post-quantum component (ML-KEM-768) targets NIST Level 3, which corresponds to
roughly 192-bit security against quantum adversaries.
The weakest classical link is the 128-bit security level of AES-128-GCM in the
MLS ciphersuite. This is consistent with the IETF's recommended MLS ciphersuite
and is considered adequate for the foreseeable future.
```text
Layer Classical Security Post-Quantum Security
--------------------------------------------------------------------
QUIC/TLS 1.3 128-bit (ECDHE) None (classical only)
MLS (content) 128-bit (AES-128-GCM) None (classical only)
Hybrid KEM (M5+) 128-bit (X25519) ~192-bit (ML-KEM-768)
```
See the [Threat Model](threat-model.md) for a discussion of what is and is not
protected, and [Forward Secrecy](forward-secrecy.md) and
[Post-Compromise Security](post-compromise-security.md) for the advanced
security properties these algorithms enable.
## Related Pages
- [Ed25519 Identity Keys](identity-keys.md) -- long-term signing keypair
- [Key Lifecycle and Zeroization](key-lifecycle.md) -- creation through destruction
- [Forward Secrecy](forward-secrecy.md) -- past message protection
- [Post-Compromise Security](post-compromise-security.md) -- future message recovery
- [Post-Quantum Readiness](post-quantum-readiness.md) -- ML-KEM-768 hybrid KEM
- [Threat Model](threat-model.md) -- attacker models and known gaps
Reference in New Issue View Git Blame Copy Permalink