quicproquo/docs/src/cryptography/overview.md
Christian Nennemann 2e081ead8e chore: rename quicproquo → quicprochat in docs, Docker, CI, and packaging
Rename all project references from quicproquo/qpq to quicprochat/qpc
across documentation, Docker configuration, CI workflows, packaging
scripts, operational configs, and build tooling.

- Docker: crate paths, binary names, user/group, data dirs, env vars
- CI: workflow crate references, binary names, artifact names
- Docs: all markdown files under docs/, SDK READMEs, book.toml
- Packaging: OpenWrt Makefile, init script, UCI config (file renames)
- Scripts: justfile, dev-shell, screenshot, cross-compile, ai_team
- Operations: Prometheus config, alert rules, Grafana dashboard
- Config: .env.example (QPQ_* → QPC_*), CODEOWNERS paths
- Top-level: README, CONTRIBUTING, ROADMAP, CLAUDE.md
2026-03-21 19:14:06 +01:00


Cryptography Overview

quicprochat layers multiple cryptographic protocols to provide confidentiality, integrity, authentication, forward secrecy, and post-compromise security. This page catalogues every algorithm in the system, the crate that supplies it, and the security margin it provides.

Algorithm Inventory

Algorithm     Purpose                             Crate                     Security Level
---------------------------------------------------------------------------------------------------
Ed25519       Identity signing, MLS credentials   ed25519-dalek 2           128-bit classical
X25519        MLS HPKE key exchange, Hybrid KEM   x25519-dalek 2            128-bit classical
AES-128-GCM   MLS AEAD                            openmls (via RustCrypto)  128-bit
SHA-256       Key fingerprints, HKDF              sha2 0.10                 128-bit collision resistance
ML-KEM-768    Post-quantum KEM                    ml-kem 0.2                NIST Level 3 (~192-bit PQ)
HKDF-SHA256   Key derivation                      hkdf 0.12                 Depends on input entropy

Note: The system provides 128-bit classical security throughout. When the hybrid KEM is active (M5 onward), content encryption gains 192-bit post-quantum security via ML-KEM-768.

Where Each Algorithm Appears

Transport Layer

QUIC/TLS 1.3 (via quinn 0.11 + rustls 0.23): Provides the encrypted transport tunnel. The TLS 1.3 handshake negotiates an ephemeral ECDHE key exchange (X25519 or P-256, depending on the peer) and an AEAD cipher (AES-128-GCM or ChaCha20-Poly1305). This layer protects connection metadata from passive network observers.

Application Layer

  1. MLS (RFC 9420, via openmls 0.5): Provides end-to-end encrypted group messaging. The ciphersuite is MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519, which uses:

    • X25519 for DHKEM (HPKE key exchange)
    • AES-128-GCM for content encryption
    • SHA-256 for the KDF and transcript hashing
    • Ed25519 for signing Commits, Proposals, and credentials
  2. Hybrid KEM (via ml-kem 0.2 + x25519-dalek 2 + hkdf 0.12): An outer encryption layer combining X25519 and ML-KEM-768. The combined shared secret is derived through HKDF-SHA256 and used with ChaCha20-Poly1305 for AEAD. See Post-Quantum Readiness for integration plans.
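As an added illustration (not quicprochat's own code), the hybrid key schedule described in item 2, written in standard-library Python: RFC 5869 HKDF-SHA256 combines a 32-byte X25519 shared secret and a 32-byte ML-KEM-768 shared secret into one 32-byte ChaCha20-Poly1305 key. The two shared secrets are constructed sample bytes, and the concatenation order, empty salt and `HYBRID_LABEL` are assumptions for this example, not the project's actual schedule.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output length
# Assumed domain-separation label; quicprochat's real label is not on this page.
HYBRID_LABEL = b"example hybrid kem v1"

# Constructed sample shared secrets standing in for real KEM outputs.
SAMPLE_SS_X25519 = bytes(range(0, 32))
SAMPLE_SS_MLKEM = bytes(range(32, 64))


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH_LEN  # RFC default when no salt is given
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds HKDF limit")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_hybrid_key(ss_x25519: bytes, ss_mlkem: bytes, context: bytes = b"") -> bytes:
    """Combine both KEM shared secrets into a 32-byte AEAD key.

    Because both secrets enter HKDF-Extract, an adversary who recovers only
    the X25519 secret (e.g. with a quantum computer) still lacks the key.
    """
    if len(ss_x25519) != 32 or len(ss_mlkem) != 32:
        raise ValueError("both shared secrets must be 32 bytes")
    prk = hkdf_extract(b"", ss_x25519 + ss_mlkem)
    return hkdf_expand(prk, HYBRID_LABEL + context, 32)


if __name__ == "__main__":
    print(derive_hybrid_key(SAMPLE_SS_X25519, SAMPLE_SS_MLKEM, b"session-1").hex())
```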

Identity Layer

  • Ed25519 provides long-term identity signing. Each client generates a single Ed25519 keypair that serves as the MLS BasicCredential, the Authentication Service registration key, and the delivery queue index. See Ed25519 Identity Keys.

  • SHA-256 computes key fingerprints -- a 32-byte digest of the Ed25519 public key bytes used for compact, collision-resistant identification in logs and protocol messages.

Security Level Summary

All classical algorithms in the system target at least 128-bit security. The post-quantum component (ML-KEM-768) targets NIST Level 3, which corresponds to roughly 192-bit security against quantum adversaries.

The weakest classical link is the 128-bit security level of AES-128-GCM in the MLS ciphersuite. This is consistent with the IETF's recommended MLS ciphersuite and is considered adequate for the foreseeable future.

Layer                  Classical Security    Post-Quantum Security
--------------------------------------------------------------------
QUIC/TLS 1.3           128-bit (ECDHE)       None (classical only)
MLS (content)          128-bit (AES-128-GCM) None (classical only)
Hybrid KEM (M5+)       128-bit (X25519)      ~192-bit (ML-KEM-768)

See the Threat Model for a discussion of what is and is not protected, and Forward Secrecy and Post-Compromise Security for the advanced security properties these algorithms enable.