Cryptography Deep Dive

Security,
by design.

End-to-end encryption is the baseline, not the feature. Here's exactly how we protect your conversations — no hand-waving, no marketing fluff. Read the code, read the math, verify for yourself.

Signal Protocol
Battle-tested
ML-KEM-768
Post-quantum ready
Zero-knowledge
Server reads: 0
Threat Model

What we protect against

We designed GhostCrypt assuming the worst: that servers will be seized, that networks will be tapped, and that some devices will be stolen. Here's how each threat is neutralized.

Threat

Server compromise

An attacker gains full access to our servers and all stored data.

Defense

Server only stores ciphertext. Keys never leave devices. Zero plaintext ever reaches the server.

Threat

Network eavesdropping

A nation-state or ISP monitors all traffic between devices.

Defense

TLS 1.3 + E2E encryption. Even metadata is minimized. Traffic looks like random bytes.

Threat

Device theft

A device is lost, stolen, or seized at a border crossing.

Defense

Biometric lock + Vault Mode. Messages encrypted at rest with SQLCipher. Ghost Mode wipes on demand.

Threat

Future decryption

An attacker records encrypted traffic today to decrypt later with a quantum computer.

Defense

ML-KEM-768 hybrid KEM — NIST-standardized post-quantum. Harvest-now-decrypt-later mitigated.

Threat

Key compromise

A device's private keys are extracted by malware or an adversary.

Defense

Double Ratchet — every message uses a fresh key. Past and future messages stay safe (PFS + PCS).

Threat

Insider threat

A GhostCrypt employee attempts to read user messages.

Defense

Even with root access to production, plaintext is mathematically impossible to recover. We cannot read your messages.

Cryptographic Primitives

The stack, layer by layer

Four primitives form our cryptographic core. Each is battle-tested, peer-reviewed, and deployed at scale. Here's what they do and why we chose them.

01

X3DH

Initial Key Agreement

X3DH establishes a shared secret between two parties who have never met before, using a bundle of pre-published public keys. It's asynchronous — you can send the first message to someone who's offline. This is how the very first message in a new conversation is encrypted.

x3dh.rs
// Extended Triple Diffie-Hellman
// Four elliptic curve operations produce SK

pub fn x3dh_initiate(
    ika: &IdentityKey,
    bob_bundle: &PreKeyBundle,
) -> Result<SharedSecret> {
    let ek_a = EphemeralKey::generate();
    
    let dh1 = DH(ika, bob_bundle.spk);
    let dh2 = DH(ek_a, bob_bundle.ik);
    let dh3 = DH(ek_a, bob_bundle.spk);
    let dh4 = DH(ek_a, bob_bundle.opk?);
    
    let sk = KDF(dh1 || dh2 || dh3 || dh4);
    Ok(SharedSecret(sk))
}
02

Double Ratchet

Forward Secrecy + Post-Compromise Security

After the initial handshake, every message uses a fresh encryption key derived from a ratcheting chain. If a key is compromised, past messages stay safe (forward secrecy). New messages recover automatically (post-compromise security). This is the same protocol Signal and WhatsApp use.

double_ratchet.rs
// Double Ratchet — derive fresh key per message
impl RatchetState {
    pub fn encrypt(&mut self, pt: &[u8]) -> Ciphertext {
        // Symmetric-key ratchet
        let (ck_next, mk) = kdf_ck(self.chain_key);
        self.chain_key = ck_next;
        self.n += 1;
        
        // AEAD encryption with fresh key
        let ct = aes_256_gcm_encrypt(mk, pt, self.ad());
        
        // Burn the message key after use
        drop(mk);
        
        Ciphertext { n: self.n, ct }
    }
}
03

AES-256-GCM

Authenticated Encryption

The actual message bytes are encrypted with AES-256 in Galois/Counter Mode — a widely deployed AEAD (Authenticated Encryption with Associated Data) cipher. It provides both confidentiality and integrity in a single operation. Hardware-accelerated on every modern CPU.

aead.rs
// AES-256-GCM — AEAD cipher
use aes_gcm::{Aes256Gcm, Nonce, KeyInit};

pub fn encrypt(
    key: &[u8; 32],
    nonce: &[u8; 12],
    pt: &[u8],
    ad: &[u8],
) -> Vec<u8> {
    let cipher = Aes256Gcm::new(key.into());
    cipher
        .encrypt(Nonce::from_slice(nonce), Payload {
            msg: pt,
            aad: ad,
        })
        .expect("encryption never fails")
}
04

ML-KEM-768 (Kyber)

Post-Quantum Key Encapsulation

A classical Diffie-Hellman handshake can be broken by a sufficiently powerful quantum computer. ML-KEM-768 (formerly Kyber) is the NIST-standardized post-quantum KEM that we combine with X25519 in a hybrid construction. If quantum computers break ECC tomorrow, your messages stay safe.

hybrid_kem.rs
// Hybrid KEM — X25519 + ML-KEM-768
use ml_kem::{MlKem768, EncodedSizeUser};

pub fn hybrid_encapsulate(
    recipient: &HybridPublicKey,
) -> (SharedSecret, HybridCiphertext) {
    // Classical part
    let (ss_classic, ct_classic) = 
        x25519_encap(&recipient.x25519);
    
    // Post-quantum part
    let (ss_pq, ct_pq) = 
        MlKem768::encapsulate(&recipient.kyber);
    
    // Combine — safe if EITHER is secure
    let ss = KDF(ss_classic || ss_pq);
    (ss, HybridCiphertext { ct_classic, ct_pq })
}
Zero-Knowledge Server

What we can and cannot see

Privacy isn't a promise — it's a mathematical constraint. Here's a complete list of what our servers have access to.

What our servers CAN see

  • Encrypted message blobs (ciphertext only, never plaintext)
  • Your username and account creation date
  • Public keys (to facilitate handshakes)
  • Message timestamps (for delivery ordering)
  • Device registration metadata
  • IP addresses during active sessions (TLS-terminated, minimal logging)
  • Push notification tokens (to wake your device)

What our servers CANNOT see

  • Message content (text, photos, videos, files)
  • Voice and video call audio/video
  • Your contact list (stored encrypted on-device)
  • Group member lists and group metadata
  • Typing indicators, read receipts, and delivery status
  • Your private keys (they never leave your device)
  • Profile data (avatars, bios, status messages)
  • Which devices are paired to your account
Defense in Depth

11 layers of security

We don't rely on a single security mechanism. Every layer below is independently secure — and we use all of them at once.

01

TLS 1.3

Network transport

Modern TLS with forward secrecy protects connections

02

Certificate Pinning

MITM prevention

Apps only trust our exact cert public key

03

X3DH Key Agreement

Session establishment

Four-DH handshake for initial secret

04

Double Ratchet

Per-message keys

Fresh key for every single message

05

AES-256-GCM

Message encryption

AEAD cipher for confidentiality + integrity

06

ML-KEM-768

Post-quantum

NIST-approved KEM for quantum resistance

07

HKDF-SHA256

Key derivation

Safe extraction and expansion of keys

08

Ed25519

Identity signatures

Fast, safe signatures for identity

09

MLS Protocol

Group messaging

IETF RFC 9420 for scalable groups

10

SQLCipher

At-rest storage

Local database encryption on every device

11

Biometric Lock

Access control

Face ID, Touch ID, PIN for device access

Open Source

Engineered by one.
Trusted by many.

GhostCrypt is designed and built by Mohsin Manzoor Bhat — an independent privacy engineer applying the same primitives used by Signal, WhatsApp, and Matrix. Real cryptography, real engineering, no marketing fluff.

1000+
lines Rust
0
unsafe blocks
54
crypto tests
Download GhostCryptMeet the Engineer