MyOnne Protocol

Your words never leave your hands.

The MyOnne server routes encrypted packets. It cannot read your messages, hear your calls, or see your photos. Not because we promise not to - because the protocol makes it impossible.

Your deviceEncrypts
Routes only
Their deviceDecrypts
Post-Quantum Key Exchange

A handshake that resists the future.

When two MyOnne devices meet for the first time, they perform a Post-Quantum Extended Diffie-Hellman handshake. Four classical key exchanges and one ML-KEM-768 encapsulation produce a shared secret that cannot be broken - even by a future quantum computer running Shor's algorithm.

Alice

Shared Secret

Bob

Key Agreement Steps

DH1
Identity×Signed Prekey
DH2
Ephemeral×Identity
DH3
Ephemeral×Signed Prekey
DH4
Ephemeral×One-Time Prekey
PQ_SS
ML-KEM-768×Encapsulation
Final derivation

IKM = F ‖ DH1 ‖ DH2 ‖ DH3 ‖ DH4 ‖ PQ_SS
SK = HKDF-SHA256(0x00, IKM, "myonne-PQXDH-v1", 32)

Cryptographic Primitives

ML-KEM-768

NIST FIPS 203 · Post-quantum lattice KEM

~178-bit PQ security

X25519

Constant-time elliptic curve Diffie-Hellman

~128-bit classical

Ed25519

Constant-time device identity signatures

64-byte signatures

AES-256-GCM

Authenticated encryption per message

Hardware accelerated

HKDF-SHA256

Domain-separated key derivation (RFC 5869)

15 unique info labels

~800µs - total session establishment time. Four DH computations, one ML-KEM encapsulation, two HKDF derivations. Faster than a blink.

Triple Ratchet · Forward Secrecy

Every message gets its own key. Every key is destroyed after use.

Three interleaved ratchets operate simultaneously. A key compromised tomorrow cannot read yesterday. A quantum computer built next decade cannot break today's messages.

Key Chain Visualization

msg_0
destroyed
msg_1
destroyed
msg_2
destroyed
msg_3
PQ step
msg_4
msg_5
DH ratchet
msg_6
msg_7
PQ step
Symmetric
DH advance
PQ injection

Symmetric Chain

Each message advances the chain key. Message key N cannot derive key N-1. After use, the key is deleted.

Per-message forward secrecyHKDF-SHA256 per message

DH Ratchet

When conversation roles swap, a fresh X25519 keypair is generated. The old root key is replaced. A compromised key cannot decrypt past messages.

Break-in recoveryFresh X25519 on every turn

SPQR Ratchet

Periodically injects ML-KEM-768 post-quantum entropy into the key chain. Even if classical DH is broken by a future quantum adversary, forward secrecy holds.

Post-quantum forward secrecySparse PQ ratchet steps

Destroyed on Drop. When a key is no longer needed, it isn't just marked as deleted - it's actively overwritten and destroyed in memory so it can never be recovered.

At-Rest Encryption

Even we can't read your phone.

Two independent encryption layers protect everything stored on your device. If one is compromised, the other still holds. Physical extraction of the storage yields only noise.

Layer 1 · SQLCipher
Layer 2 · App Encryption
b"device-identity"
b"ratchet-session"
b"ritual-state"
b"media-file"
1

SQLCipher · Page-Level

The entire SQLite database is encrypted at the page level using AES-256. Without the encryption key, the database file is indistinguishable from random noise. Every read and write operation transparently decrypts/encrypts in place.

2

Application · Row-Level

Every row containing key material is individually encrypted with a unique wrapping key derived via HKDF-SHA256 with a domain-specific info label. Different data categories - device identities, ratchet sessions, ritual state - get cryptographically separated keys. Cross-domain reuse is impossible.

Defense in depth. If the SQLCipher key is compromised, the application-level encryption still protects individual rows. If a row key leaks, it cannot decrypt rows from a different domain. Two walls. One vault.

Traffic Analysis Defense

Hide the needle in a stack of needles.

Message content is encrypted, but message size leaks intent. A 2-byte "ok" looks different from a 150-byte paragraph on the wire. MyOnne actively defends against traffic analysis through constant-size padding.

Message Padding

Every plaintext is padded to a 256-byte boundary before encryption. A two-letter "hi" and a long paragraph produce identical ciphertext sizes on the wire.

"Hi" (2 bytes)

256 B

Paragraph (180 bytes)

256 B

Replay Detection

The protocol maintains a sliding window of the last 4,096 processed message IDs (DH public + counter). If an attacker captures an encrypted message and attempts to resend it later to gauge reaction, the protocol silently drops it.

Context Binding (AEAD)

Every ciphertext is cryptographically bound to its exact position in the conversation. The AES-GCM Associated Data (AD) includes the sender's public key, the recipient's public key, the current chain, and the message counter. Messages cannot be spliced, swapped, or reordered without failing decryption.

Multi-Device Trust

Your devices trust each other, not us.

Adding a new device requires physical proximity or out-of-band verification. The server cannot inject a rogue device into your account because the server does not control the trust root.

1

Hardware-Bound Generation

Ed25519 identity keys and X25519 prekeys are generated locally on the device. The private keys never leave the silicon.

2

The OTP Ceremony

To link a new device, you must enter a time-limited OTP displayed on an already-trusted device. No SMS resets. No email links. Physical control is required.

3

Cryptographic Signatures

The existing device signs the new device's public descriptor with its root Ed25519 key. The server merely relays this signature. If the server tries to fake a device, the signature validation fails.

Trusted

Code

482915

New Device

Enter Code

Radical Transparency

Exactly what we can see.

Message content (text, media, files)
Never
Voice and video calls (SRTP media)
Never
Who your partner is
Never
User profiles or real identities
Never
Address book uploadsWe do not sync or scrape your phone's contact list
Never
Private keys (Identity, Prekeys)
Never
Backup archive contents
Never
Prekey bundles (public keys only)Required for session setup
Yes
Device registry (public fingerprints)Required for multi-device
Yes
Account creation & last active datesTied to an irreversible unique ID, without granular timestamps, for DAU metrics
Yes

We designed the protocol to minimize what we know. What remains is what routing physically requires. Nothing more.