Your words never leave your hands.
The MyOnne server routes encrypted packets. It cannot read your messages, hear your calls, or see your photos. Not because we promise not to - because the protocol makes it impossible.
A handshake that resists the future.
When two MyOnne devices meet for the first time, they perform a Post-Quantum Extended Diffie-Hellman handshake. Four classical key exchanges and one ML-KEM-768 encapsulation produce a shared secret that cannot be broken - even by a future quantum computer running Shor's algorithm.
Alice
Shared Secret
Bob
Key Agreement Steps
IKM = F ‖ DH1 ‖ DH2 ‖ DH3 ‖ DH4 ‖ PQ_SS
SK = HKDF-SHA256(0x00, IKM, "myonne-PQXDH-v1", 32)
Cryptographic Primitives
ML-KEM-768
NIST FIPS 203 · Post-quantum lattice KEM
X25519
Constant-time elliptic curve Diffie-Hellman
Ed25519
Constant-time device identity signatures
AES-256-GCM
Authenticated encryption per message
HKDF-SHA256
Domain-separated key derivation (RFC 5869)
~800µs - total session establishment time. Four DH computations, one ML-KEM encapsulation, two HKDF derivations. Faster than a blink.
Every message gets its own key. Every key is destroyed after use.
Three interleaved ratchets operate simultaneously. A key compromised tomorrow cannot read yesterday. A quantum computer built next decade cannot break today's messages.
Key Chain Visualization
Symmetric Chain
Each message advances the chain key. Message key N cannot derive key N-1. After use, the key is deleted.
DH Ratchet
When conversation roles swap, a fresh X25519 keypair is generated. The old root key is replaced. A compromised key cannot decrypt past messages.
SPQR Ratchet
Periodically injects ML-KEM-768 post-quantum entropy into the key chain. Even if classical DH is broken by a future quantum adversary, forward secrecy holds.
Destroyed on Drop. When a key is no longer needed, it isn't just marked as deleted - it's actively overwritten and destroyed in memory so it can never be recovered.
Even we can't read your phone.
Two independent encryption layers protect everything stored on your device. If one is compromised, the other still holds. Physical extraction of the storage yields only noise.
SQLCipher · Page-Level
The entire SQLite database is encrypted at the page level using AES-256. Without the encryption key, the database file is indistinguishable from random noise. Every read and write operation transparently decrypts/encrypts in place.
Application · Row-Level
Every row containing key material is individually encrypted with a unique wrapping key derived via HKDF-SHA256 with a domain-specific info label. Different data categories - device identities, ratchet sessions, ritual state - get cryptographically separated keys. Cross-domain reuse is impossible.
Defense in depth. If the SQLCipher key is compromised, the application-level encryption still protects individual rows. If a row key leaks, it cannot decrypt rows from a different domain. Two walls. One vault.
Hide the needle in a stack of needles.
Message content is encrypted, but message size leaks intent. A 2-byte "ok" looks different from a 150-byte paragraph on the wire. MyOnne actively defends against traffic analysis through constant-size padding.
Message Padding
Every plaintext is padded to a 256-byte boundary before encryption. A two-letter "hi" and a long paragraph produce identical ciphertext sizes on the wire.
"Hi" (2 bytes)
Paragraph (180 bytes)
Replay Detection
The protocol maintains a sliding window of the last 4,096 processed message IDs (DH public + counter). If an attacker captures an encrypted message and attempts to resend it later to gauge reaction, the protocol silently drops it.
Context Binding (AEAD)
Every ciphertext is cryptographically bound to its exact position in the conversation. The AES-GCM Associated Data (AD) includes the sender's public key, the recipient's public key, the current chain, and the message counter. Messages cannot be spliced, swapped, or reordered without failing decryption.
Your devices trust each other, not us.
Adding a new device requires physical proximity or out-of-band verification. The server cannot inject a rogue device into your account because the server does not control the trust root.
Hardware-Bound Generation
Ed25519 identity keys and X25519 prekeys are generated locally on the device. The private keys never leave the silicon.
The OTP Ceremony
To link a new device, you must enter a time-limited OTP displayed on an already-trusted device. No SMS resets. No email links. Physical control is required.
Cryptographic Signatures
The existing device signs the new device's public descriptor with its root Ed25519 key. The server merely relays this signature. If the server tries to fake a device, the signature validation fails.
Trusted
Code
New Device
Enter Code
Exactly what we can see.
We designed the protocol to minimize what we know. What remains is what routing physically requires. Nothing more.
