City of Hats – Secure messenger with no phone number or email required (crypto spec published)

[thebluedrg]

Hi — we've published the full cryptographic architecture and production source code for City of Hats, a secure messaging platform designed around identity abstraction.

What makes it different from Signal, Session, etc.:

• No phone number, no email — users communicate via cryptographic "Hat IDs"
• Multiple context-specific identities per user (work, personal, temporary) with no correlation between them
• Nothing to subpoena that links a Hat to a real person

Crypto stack (open-source, MIT licensed):

• Hybrid X25519 + ML-KEM-768 (post-quantum) key exchange
• Double Ratchet with encrypted headers (metadata protection)
• Sender Keys for groups with ECDSA verification
• Metadata padding, sealed sender, tamper-evident audit logs

Published:

• Full protocol specification
• Production TypeScript source
• Threat model with honest limitations

→ https://github.com/City-of-Hats/coh-crypto-spec

We're preparing for a third-party security audit and would value feedback from the privacy community — especially on the identity model and whether it addresses gaps you see in current secure messengers.

[psam21]

The sign up on cityofhats.com itself requires google or apple id?

[thebluedrg]

Good question.

The platform does not require Google or Apple sign-in. Users can create a Hat ID directly using a passphrase-based identity model (no phone number or email required).

Google/Apple login is optional and only provided for convenience — it is not required and not tied to the core messaging identity.

The cryptographic identity (Hat ID) is separate from any login method.

[psam21]

so I go to cityofhats.com/
dont want to install the app so goto web version link which was https://hats.cityofhats.com/
then click sign up
and am asked for email

[thebluedrg]

Correct, email or passphrase

[brentspine]

Yea, valid. I was even able to start without signup, but it's confusing and seems mostly vibe coded. Why does the login page allow Google but the signup has no mention?

[thebluedrg]

Fair criticism.

What you’re seeing is two separate concepts that probably need to be explained better in the UI:

1. Account access
   – Optional Google/Apple login for convenience and recovery

2. Messaging identity
   – Hat IDs, which can be created and used without phone number or email

So yes, someone can start without a traditional signup, but the current UX doesn’t make that distinction clear enough yet.

That’s a product/UI issue on our side, not the intended trust model.