Hybrid post-quantum protocol: Double Ratchet + X3DH + ML-KEM (Kyber-768). End-to-end encryption with quantum resilience.
A cryptographic communication protection protocol implementing hybrid post-quantum end-to-end encryption. The architecture is based on the Double Ratchet algorithm with X3DH (Extended Triple Diffie-Hellman) extension, augmented by NIST-standardized ML-KEM (Kyber-768) key encapsulation mechanism to ensure cryptographic resilience against HNDL (Harvest Now, Decrypt Later) attacks in the era of quantum computing.
HNDL attack mitigation through hybrid X25519 + ML-KEM (Kyber-768) protocol with dual key derivation
Automatic cryptographic material rotation via asymmetric ratchet operation with adaptive interval
Deterministic ephemeral key derivation through symmetric ratchet with immediate destruction of predecessors
Bilateral verification through cryptographic binding of identifiers to session context with SHA-256 hashing
Key material protection through page-locked memory with deterministic zeroing upon deallocation
Ecliptix Protection Protocol provides comprehensive communication protection at every level
Compromise of current keys cannot decrypt past messages. Old keys are automatically destroyed.
Fresh keys on every direction change. 1-step classical PCS, 2-step hybrid PCS. Automatic security restoration.
X25519 + Kyber-768 hybrid construction. Secure if either classical OR post-quantum crypto is unbroken.
Messages cryptographically bound to both parties' identities. Prevents identity substitution attacks.
Messages can arrive out of sequence. Skipped key cache handles network reordering gracefully.
All secrets in guarded memory. RAM-locked, automatically zeroed on destruction. No memory fragmentation.
Four-level key hierarchy with hybrid post-quantum protection. From long-term identity keys based on elliptic curves and lattices to short-lived symmetric message keys — each level ensures protection for its communication stage.
Long-term identity cryptographic keys for asymmetric authentication and trust establishment between participants. Combination of classical elliptic curve cryptography (Ed25519/X25519) and post-quantum lattice-based cryptography (Kyber-768).
Medium-term session establishment keys with limited lifetime. Signed pre-keys and one-time ephemeral keys for secure channel initialization with forward secrecy.
Short-lived symmetric encryption keys with automatic rotation. Root/Chain/Message keys for Double Ratchet algorithm with per-message forward secrecy and post-compromise security.
Integration of OPAQUE and Protection Protocol ensures protection from authentication to message delivery
User initiates access — system verifies identity without collecting or storing password in any form
OPAQUE protocol performs an asymmetric password-authenticated key exchange (aPAKE) — server never receives or stores the password, eliminating database breach risk
SecureEnvelope format for encrypted message transport
AES-256-GCM-SIV 12-byte nonce format ensuring uniqueness
Hybrid X3DH + Kyber-768
4× ECDH + post-quantum KEM
AAD binds ciphertext to session context, preventing cross-session attacks
From session initialization to message encryption
Formal security properties proven by the protocol
Each message uses a unique encryption key derived from the ratchet. Past messages remain secure even if long-term keys are compromised.
Break-in recovery on every direction change via hybrid ratchet. 1-step classical PCS (fresh X25519 DH), 2-step hybrid PCS (+ fresh Kyber-768 KEM).
Hybrid construction with Kyber-768 ensures security against both classical and quantum attackers. NIST-standardized algorithms.
SHA-256 hash of all identity keys binds every message to both parties. Prevents identity misbinding attacks.
Technical comparison with Signal protocol variants — the industry baseline for secure messaging
| Feature | Ecliptix | Signal PQXDH | Signal X3DH |
|---|---|---|---|
| Per-Ratchet PQ Protection | ✓ | ✗ | ✗ |
| Handshake PQ (Kyber-768) | ✓ | ✓ | ✗ |
| Metadata Encryption | Per-epoch rotating key | Sealed Sender | Sealed Sender |
| AEAD Cipher | AES-256-GCM-SIV | AES-256-CBC + HMAC | AES-256-CBC + HMAC |
| Nonce-Misuse Resistance | ✓ | ✗ | ✗ |
| Post-Compromise Recovery | 1-step DH / 2-step hybrid | 1-step DH only | 1-step DH only |
| Perfect Forward Secrecy | ✓ | ✓ | ✓ |
| Formal Proofs | 6 theorems + 10 Tamarin lemmas | High-level analysis | eCK sketch |
| Cryptographic Identity Binding | ✓ | ✓ | ✓ |
All security properties verified by three independent methods: symbolic provers (Tamarin, ProVerif) and game-based reductions under a Dolev-Yao adversary with quantum oracle
Tamarin: 10 / 10 lemmas verified (handshake 6 + ratchet 4)
ProVerif: 4 / 6 queries verified (Q5/Q6: known DH overapproximation)
Game-based reductions: 6 theorems + 8 lemmas with concrete security bounds
The hybrid root secret remains computationally indistinguishable from random for any PPT adversary, provided neither party's long-term key is compromised during the handshake.
SKC(A,B,sk) ∧ ¬Corrupt(A) ∧ ¬Corrupt(B) ⟹ ¬K(sk)
Bilateral HMAC-SHA256 key confirmation prevents Unknown Key Share (UKS) attacks. Both parties derive identical session keys and confirm via MAC exchange.
Confirm(A,B,mac) ⟹ ∃ Session(A,B,sk) ∧ Session(B,A,sk)
Compromise of long-term X25519 keys after session completion does not break past sessions. Ephemeral keys are zeroized; the Kyber-768 KEM provides quantum-resilient forward secrecy.
SKC(A,B,sk)@i ∧ Corrupt(A)@j ∧ i < j ⟹ ¬K(sk)
Both initiator and responder derive identical root keys from the same X3DH + KEM inputs. HMAC confirmation ensures key agreement before any message encryption.
Confirm(A→B) ∧ Confirm(B→A) ⟹ RK_A = RK_B
After full state compromise, security recovers in 1 step for classical (fresh X25519 DH) and 2 steps for hybrid (fresh DH + fresh Kyber-768 KEM). Each direction change triggers a ratchet.
Compromise(A)@i ∧ Ratchet(A)@j ∧ i < j ⟹ ¬K(mk_j)
Each ratchet step derives a fresh root key via HKDF over new DH + KEM secrets. The ratchet key remains secret unless both parties' states are simultaneously compromised.
RatchetKey(A,B,rk) ∧ ¬(Corrupt(A) ∧ Corrupt(B)) ⟹ ¬K(rk)
Both parties derive the same root key from the hybrid X3DH output. Session ID binding and identity hashes prevent cross-session and misbinding attacks.
Session(A,B,sid) ⟹ RK_A(sid) = RK_B(sid)
Per-message keys derived via the symmetric ratchet (HKDF-SHA256) provide IND-CPA+ security under AES-256-GCM-SIV (MRAE). Keys are destroyed immediately after use.
Adv^{IND-CPA+} ≤ Adv^{eCK} + q·Adv^{PRF} + Adv^{MRAE}
Bounded nonce cache (2048 entries) with monotonic counters prevents message replay. INT-CTXT of AES-256-GCM-SIV ensures ciphertext integrity.
Adv^{Replay} ≤ Adv^{INT-CTXT} + 2^{-n_cache}
AES-256-GCM-SIV (RFC 8452) degrades gracefully on nonce reuse — it leaks only whether two plaintexts are equal, not their content. The SIV construction provides MRAE security.
NonceMisuse(n) ⟹ Leak ≤ EqualityOracle(m₁,m₂)
Dolev-Yao adversary with full network control, adaptive long-term key corruption, and a quantum oracle breaking classical Diffie-Hellman. The hybrid combiner follows the OR-model: security holds if EITHER X25519 (Gap-CDH) OR Kyber-768 (IND-CCA2) remains unbroken.
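The hybrid ratchet step, the symmetric chain ratchet with its bounded skipped-key cache, and the identity-binding hash described above, sketched in Python as an added example (not the project's own code; the page does not state its implementation language). HKDF-SHA256 is built from the standard library; the HKDF info label, the chain-step domain bytes, the initiator-first key order in the binding hash, and the DH/KEM outputs passed in as constructed byte strings are all assumptions.

```python
import hashlib
import hmac

MAX_SKIP = 32  # skipped-key bound per sender (page: 32 by default, 4 in Shield mode)

# Minimal HKDF-SHA256 (RFC 5869) from the standard library.
def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def hybrid_ratchet_step(root_key, dh_secret, kem_secret):
    """Asymmetric (hybrid) ratchet step. The X25519 DH output and the Kyber-768
    shared secret are concatenated into one IKM keyed by the old root key, so the
    new root key stays unpredictable while EITHER input is unknown (OR-combiner)."""
    prk = hkdf_extract(root_key, dh_secret + kem_secret)
    okm = hkdf_expand(prk, b"hybrid-ratchet", 64)  # info label is an assumption
    return okm[:32], okm[32:]                       # new root key, new chain key

def chain_step(chain_key):
    """Symmetric ratchet: next chain key and a one-time message key (constants assumed)."""
    return (hmac.new(chain_key, b"\x02", hashlib.sha256).digest(),
            hmac.new(chain_key, b"\x01", hashlib.sha256).digest())

def identity_binding(initiator_ik, responder_ik):
    """SHA-256 over both identity keys; carried in every message's AEAD AAD."""
    return hashlib.sha256(initiator_ik + responder_ik).digest()

def message_key_for(chain_key, next_n, skipped, n):
    """Return (message key, chain key, next index) for message n, advancing the chain.
    Keys for skipped indices are cached in `skipped` and deleted once used; the gap
    is bounded by MAX_SKIP so a flood of missing messages cannot exhaust memory."""
    if n in skipped:
        return skipped.pop(n), chain_key, next_n
    if n < next_n:
        raise ValueError("message key already consumed or evicted")
    if n - next_n > MAX_SKIP:
        raise ValueError("gap exceeds MAX_SKIP")
    while next_n < n:
        chain_key, skipped[next_n] = chain_step(chain_key)
        next_n += 1
    chain_key, message_key = chain_step(chain_key)
    return message_key, chain_key, next_n + 1
```

In a real session the DH and KEM secrets come from X25519 and ML-KEM decapsulation, and a consumed message key is zeroized rather than merely dropped from the dictionary.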
MLS-inspired group messaging with hybrid PQ TreeKEM — X25519 + Kyber-768 per node
Left-balanced binary tree with X25519 + Kyber-768 per node. parent_hash chain verification on every UpdatePath.
Per-member symmetric hash ratchet for O(1) encrypt/decrypt. Each member maintains independent key chain.
Commit + Welcome messages drive epoch transitions. External Join and PSK injection supported.
Add, Remove, Update, ExternalInit proposals. Full proposal validation and application pipeline.
Epoch advancement via Commit; old epoch keys erased
TreeKEM UpdatePath re-encrypts with fresh X25519 + Kyber-768
Sender keys bound to leaf index; per-member symmetric ratchet
parent_hash chain from root to leaf verified on each UpdatePath
Enhanced security policy cryptographically bound to group context hash — not configuration, but enforcement at key schedule level
Two HKDF-Expand passes with different info strings. Compromising one pass is insufficient.
Every message carries HMAC commitment for abuse reporting. E2E-compatible moderation.
Prevents uninvited members from joining via external commits.
Max skipped keys per sender reduced from 32 to 4, limiting flood attacks.
| Parameter | Default | Shield |
|---|---|---|
| Enhanced key schedule (2-pass KDF) | Off | On |
| Mandatory franking | Off | On |
| Block external join | Off | On |
| Max messages per epoch | 100,000 | 1,000 |
| Max skipped keys per sender | 32 | 4 |
38 attack proof-of-concept tests + 307 integration tests + 46 API tests
| Attack Vector | Protection | Status |
|---|---|---|
| Harvest-Now-Decrypt-Later | Kyber-768 on every ratchet step | All epochs protected |
| Real-time Quantum Adversary | Per-ratchet Kyber-768 KEM | Per-ratchet protection |
| Compromised Session State | Hybrid ratchet (DH + KEM) | 1-step classical / 2-step hybrid PCS |
| Nonce Reuse (implementation bug) | AES-256-GCM-SIV nonce-misuse resistance | Safe — leaks only equality |
| State Rollback | HMAC-SHA256 anti-rollback on serialized state | Detected |
| Metadata Traffic Analysis | Per-epoch encrypted metadata + key rotation | Protected |
| Replay Attack | Bounded nonce cache (2,048) + monotonic counters | Prevented |
| Identity Substitution | SHA-256 identity binding hash in every message AAD | Prevented |
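The replay cache and the anti-rollback check from the table above, as an added Python example that is not Ecliptix's code. The 2,048-entry bound comes from the page; the oldest-first eviction, the per-sender counter window, and the epoch comparison that turns the HMAC tag into rollback detection are assumptions.

```python
import hashlib
import hmac
import json
from collections import OrderedDict

NONCE_CACHE_SIZE = 2048  # cache bound stated on the page


class ReplayGuard:
    """Bounded nonce cache plus per-sender monotonic counters.
    A nonce still in the cache is a replay; a counter older than the cache window
    is refused outright, because its nonce may already have been evicted."""

    def __init__(self, capacity=NONCE_CACHE_SIZE):
        self.capacity = capacity
        self.seen = OrderedDict()  # nonce -> None, oldest first
        self.highest = {}          # sender -> highest accepted counter

    def accept(self, sender, counter, nonce):
        """Return True and record the message if (counter, nonce) is fresh."""
        if nonce in self.seen:
            return False
        if counter <= self.highest.get(sender, -1) - self.capacity:
            return False
        self.seen[nonce] = None
        if len(self.seen) > self.capacity:
            self.seen.popitem(last=False)  # evict the oldest nonce
        self.highest[sender] = max(self.highest.get(sender, -1), counter)
        return True


def export_state(state, mac_key):
    """Serialize session state and append an HMAC-SHA256 tag over the bytes."""
    body = json.dumps(state, sort_keys=True).encode()
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def import_state(blob, mac_key, last_seen_epoch):
    """Return the state dict, or None if the tag is wrong or the blob is older
    than the newest epoch this device already reached (a rolled-back snapshot)."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    state = json.loads(body)
    if state.get("epoch", -1) < last_seen_epoch:
        return None
    return state
```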
Technical comparison with Signal protocol variants — the industry baseline
| Feature | Ecliptix | Signal PQXDH | Signal X3DH |
|---|---|---|---|
| PQ-protected handshake | ✓ | ✓ | ✗ |
| PQ-protected ratchet | ✓ | ✗ | ✗ |
| HNDL defense scope | Handshake + all epochs | Handshake only | None |
| PQ forward secrecy | Per-epoch | Initial session only | None |
| PQ post-compromise security | ✓ | ✗ | ✗ |
| AEAD cipher | AES-256-GCM-SIV | AES-256-CBC + HMAC | AES-256-CBC + HMAC |
| Nonce-misuse resistance | ✓ | ✗ | ✗ |
| Metadata privacy | Per-epoch rotating key | Sealed Sender | Sealed Sender |
| State anti-rollback HMAC | ✓ | ✗ | ✗ |
| Session teardown ceremony | 9-step key wipe | No | No |
| Secure memory (mlock) | ✓ | ✗ | ✗ |
| Shamir secret sharing | ✓ | ✗ | ✗ |
| Replay nonce cache (bounded) | ✓ | ✗ | ✗ |
| Group messaging protocol | Hybrid PQ TreeKEM | N/A | N/A |
| Shield mode | ✓ | ✗ | ✗ |
| Sealed / Disappearing / Frankable | ✓ | ✗ | ✗ |
| Formal proofs | 6 theorems + 10 Tamarin | High-level analysis | eCK sketch |
| Cryptographic identity binding | ✓ | ✗ | ✗ |
| Multi-device support | ✗ | ✓ | ✓ |
| Production deployment | Research protocol | Billions of users | Billions of users |
Criterion benchmarks on Apple M-series
| Operation | Time |
|---|---|
| Full handshake (keygen + X3DH + Kyber + confirm) | ~1.1 ms |
| Hybrid ratchet step (X25519 + Kyber-768) | ~259 µs |
| Encrypt 256 bytes | ~17 µs |
| Decrypt 256 bytes | ~21 µs |
| Burst throughput (no ratchet) | ~15 µs/msg |
| Alternating throughput (256B) | ~524 µs |
| Out-of-order decrypt (20 msgs) | ~292 µs |
| Session export (sealed) | ~105 µs |
| Session import (sealed) | ~185 µs |
Message sizes and bandwidth trade-offs for hybrid PQ protection
| Metric | Size | Notes |
|---|---|---|
| Handshake init | ~1,170 bytes | +Kyber-768 ciphertext |
| Pre-key bundle | ~1,400 bytes | +Kyber-768 public key |
| Message overhead | ~80 bytes | Key + metadata AEAD + nonce |
| Ratchet message (with PQ) | ~1,300 bytes | +Kyber PK + ciphertext |
| Max envelope size | 1 MiB | Enforced limit |
| Max handshake size | 16 KiB | Enforced limit |
Security posture against classical and quantum adversaries
| Threat | Ecliptix | Signal PQXDH | Signal X3DH |
|---|---|---|---|
| Passive eavesdropper (classical) | ✓ | ✓ | ✓ |
| Active MITM (classical) | ✓ | ✓ | ✓ |
| Harvest-now-decrypt-later (quantum) | All epochs | Handshake only | Vulnerable |
| Quantum adversary (real-time) | Per-ratchet | Handshake only | Vulnerable |
| Compromised session state | Hybrid ratchet | Classical only | Classical only |
| Nonce reuse | GCM-SIV safe | CBC leaks | CBC leaks |
| State rollback | HMAC anti-rollback | No detection | No detection |
| Metadata traffic analysis | Encrypted + rotation | Sealed Sender | Sealed Sender |
421 tests covering crypto primitives, protocol correctness, adversarial inputs, and attack PoCs
32 libfuzzer targets covering all protocol layers
The Ecliptix protocol is ideal for industries with the highest privacy requirements
Implement next-generation cryptography into your messaging infrastructure