huddle 1.3.0 — post-quantum hybrid DM encryption (X25519 + ML-KEM-768)

@richer-richard richer-richard released this 07 Jun 10:05
· 52 commits to main since this release
v1.3.0
e090ca7

Direct-message key agreement is now hybrid post-quantum. A DM's wrap key is
derived from both a classical X25519 ECDH secret and a post-quantum
ML-KEM-768 (FIPS 203) encapsulated secret, combined through HKDF-SHA256. The
key is secure as long as either primitive holds — so a future quantum computer
that breaks X25519 no longer threatens recorded DMs. This closes the
"harvest now, decrypt later" gap (an adversary storing ciphertext today to
decrypt once quantum hardware exists). It's the same approach Signal standardized
as PQXDH, scoped to huddle's static DM model.

Highlights

  • No new key to manage, no migration. Each identity's ML-KEM keypair is
    derived deterministically from the existing Ed25519 seed, so every current
    identity gains a post-quantum key for free; nothing changes on disk.
  • Backward compatible. The ML-KEM public key and ciphertext ride in new,
    optional MemberAnnounce fields. A 1.3 peer talking to a pre-1.3 peer falls
    back automatically to the classical X25519 DM key — DMs keep working. A DM goes
    hybrid only when both peers are on 1.3+.
  • Downgrade-resistant. The new fields live inside the signed announce
    envelope, so a malicious relay can't strip them to force a classical downgrade
    without breaking the signature.

Unchanged by design (and honest about it)

  • Message contents are still encrypted with Megolm (already quantum-
    resistant — symmetric AES-256 + HMAC-SHA-256); file bytes with
    ChaCha20-Poly1305.
  • Identities and message authenticity still use Ed25519 signatures
    (classical). Forging a signature needs a quantum computer operating live, not
    "harvest now", and replacing it would break the relay auth, fingerprints, TOFU
    pinning, and connect codes. Post-quantum signatures (ML-DSA / SLH-DSA) are a
    possible future step. See SECURITY.md for the full posture.

Notes

  • The relay (huddle-server) runtime is unchanged — the post-quantum work is
    entirely client-side, so existing relays serve 1.3 clients with no redeploy.
  • A multi-agent adversarial crypto review found no critical/high issues; the full
    workspace test suite (incl. two-node gossipsub DMs over the hybrid path) passes.