Skip to content

vanessamadison/cryptiq

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

32 Commits
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

๐˜Š๐˜ณ๐˜บ๐˜ฑ๐˜ต๐˜ช๐˜˜

Version Python Flask Next.js Quantum Safe NIST Approved License Author


๐˜–๐˜ท๐˜ฆ๐˜ณ๐˜ท๐˜ช๐˜ฆ๐˜ธ

CryptiQ 2.0 is a post-quantum-ready secure messaging platform and reference implementation that pairs a Flask API with a sleek dark-mode client designed for practical demos.


๐˜๐˜ช๐˜ด๐˜ถ๐˜ข๐˜ญ ๐˜—๐˜ณ๐˜ฆ๐˜ท๐˜ช๐˜ฆ๐˜ธ

1. Initial Room State
Initial State

2. Encryption Modes & PQC Registration
Encryption Modes

3. Room Key Vault & Secure Unlocking
Room Unlocked

4. End-to-End Encrypted Chat
Encrypted Chat


๐˜š๐˜บ๐˜ด๐˜ต๐˜ฆ๐˜ฎ ๐˜ž๐˜ฐ๐˜ณ๐˜ฌ๐˜ง๐˜ญ๐˜ฐ๐˜ธ

flowchart TB
    Start((Start)) --> Create[Create Room]
    Create --> Gen[Generate Room Key]
    
    Gen --> PathA{Manual Path}
    Gen --> PathB{PQC Path}

    subgraph Manual [Tier 1: Manual Share]
        PathA --> Link[Copy Secure Link]
        Link -.->|Secure Channel| Join[Open Link & Save Key]
    end

    subgraph PQC [Tier 2: PQC Demo]
        PathB --> Reg[Register PQC Public Keys]
        Reg --> Wrap[Share via ML-KEM Envelope]
        Wrap --> Server[(Server Storage)]
        Server --> Unwrap[Accept & Decrypt Envelope]
    end

    Join --> Ready[Room Unlocked]
    Unwrap --> Ready

    Ready --> Msg[Send Encrypted Message]
    Msg --> AES[AES-GCM Encryption]
    AES --> Post[POST Ciphertext to Server]
    Post --> Broadcast[SSE / Polling Broadcast]
    Broadcast --> Recv[Receive & Decrypt on Peer]
Loading

๐˜œ๐˜ด๐˜ฆ๐˜ณ ๐˜š๐˜ต๐˜ฐ๐˜ณ๐˜ช๐˜ฆ๐˜ด & ๐˜‹๐˜ฆ๐˜ฎ๐˜ฐ ๐˜๐˜ญ๐˜ฐ๐˜ธ

Story A: The Secure Standard (Manual Share)

The primary production-style flow that works across all modern browsers.

  1. Host: Create a room and click Generate Key in the Room Key Vault.
  2. Host: Click Copy Secure Link (this includes the room ID and the secret key).
  3. Guest: Open the secure link. The room ID and key are automatically populated.
  4. Guest: Click Save Key. The UI will confirm: "Room key saved to this device."
  5. Chat: Both sides can now send messages. Encryption and decryption happen automatically.

Story B: The Post-Quantum Demo (PQC Mode)

An advanced demo path using ML-KEM envelopes, optimized for Chromium browsers.

  1. Setup: Both users click Enable PQC Demo on their respective devices (Chrome/Edge/Brave).
  2. Sender: Click Share via PQC. This wraps the room key in a quantum-resistant envelope.
  3. Recipient: Click Accept PQC Envelope. The device unwraps the key using its local PQC private key.
  4. Result: The room is unlocked without the secret ever being shared manually or in plaintext.

๐˜ž๐˜ฉ๐˜ข๐˜ตโ€™๐˜ด ๐˜•๐˜ฆ๐˜ธ ๐˜ช๐˜ฏ 2.0

CryptiQ 2.0 is substantially more usable and coherent as a PQC portfolio project:

  • Deterministic Key Derivation Fixed a bug where different devices derived different AES keys from the same room secret. Now, shared secrets result in perfect decryption across all clients.

  • Enhanced PQC Reliability Resolved X25519 private key handling errors in Chromium. PQC envelopes now reliably transport room secrets between modern browsers.

  • Live Room Experience

    • Auto-Refresh: New messages appear automatically via event streams with a robust polling fallback.
    • Intuitive Sending: Press Enter in the message box to send immediately.
    • Clear Feedback: Visual indicators confirm when a room key is successfully saved or unlocked.
  • Professional Interface Redesigned with a darker enterprise palette, SF-like typography, and better mobile responsiveness.


๐˜’๐˜ฆ๐˜บ ๐˜Š๐˜ข๐˜ฑ๐˜ข๐˜ฃ๐˜ช๐˜ญ๐˜ช๐˜ต๐˜ช๐˜ฆ๐˜ด

  • Post-quantum alignment Uses modern NIST-aligned terminology such as ML-KEM and ML-DSA.

  • Room-key encryption Room secrets are created and retained on the client. The server stores only ciphertext and metadata.

  • Tiered key exchange Manual out-of-band distribution is the reliable default; PQC sharing is the cutting-edge alternative.

  • Browser support

    • Manual: Safari, Chrome, Edge, Brave.
    • PQC: Chromium-based (Chrome, Brave, Edge). Safari is currently limited to manual sharing.

๐˜๐˜ช๐˜จ๐˜ฉ ๐˜“๐˜ฆ๐˜ท๐˜ฆ๐˜ญ ๐˜ˆ๐˜ณ๐˜ค๐˜ฉ๐˜ช๐˜ต๐˜ฆ๐˜ค๐˜ต๐˜ถ๐˜ณ๐˜ฆ

cryptiq/
โ”œโ”€โ”€ backend/              Flask API and auth layer
โ”‚   โ”œโ”€โ”€ app.py            REST API + JWT auth + room streams
โ”‚   โ”œโ”€โ”€ db.py             SQLite models and schema
โ”‚   โ””โ”€โ”€ requirements.txt  Python dependencies
โ”œโ”€โ”€ frontend/             Next.js client application
โ”‚   โ”œโ”€โ”€ app/              App Router UI
โ”‚   โ”œโ”€โ”€ public/           Static assets + PQC wasm
โ”‚   โ”œโ”€โ”€ scripts/          Build helpers
โ”‚   โ””โ”€โ”€ package.json      Frontend dependencies
โ””โ”€โ”€ README.md             Overview, flows, deployment, and setup

Core concepts:

  • Backend Flask service for auth, rooms, room membership, device key registration, PQC envelopes, and encrypted message storage
  • Client-side AES-GCM message encryption with a per-room secret
  • Optional ML-KEM envelope exchange for demonstration purposes
  • Shared room model designed for a concrete portfolio demo rather than a vague crypto showcase

๐˜›๐˜ฆ๐˜ค๐˜ฉ ๐˜š๐˜ต๐˜ข๐˜ค๐˜ฌ

Backend

  • Python + Flask
  • SQLite for lightweight state
  • JWT auth with room membership checks
  • SSE stream endpoint for near-real-time message delivery

Frontend

  • Next.js + React
  • Web Crypto API with AES-GCM
  • PBKDF2-derived room encryption keys
  • Optional browser-side PQC WebAssembly with ML-KEM

๐˜˜๐˜ถ๐˜ช๐˜ค๐˜ฌ ๐˜š๐˜ต๐˜ข๐˜ณ๐˜ต

Requirements

  • Python 3.9 or newer
  • Node.js 18 or newer
# Backend
cd backend
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python app.py   # Flask on :5000

# Frontend (new terminal)
cd frontend
npm install
npm run dev     # Next.js on :3000

Access:

Frontend: http://localhost:3000
Backend:  http://localhost:5000

๐˜“๐˜ฐ๐˜ค๐˜ข๐˜ญ ๐˜‹๐˜ฆ๐˜ท ๐˜•๐˜ฐ๐˜ต๐˜ฆ๐˜ด

  • Room keys are device-local and should be shared intentionally during testing
  • Older messages created before the deterministic room-key fix may not decrypt correctly in previously used rooms
  • For the cleanest demo, create a fresh room after pulling the latest changes
  • If PQC demo mode was tested before the latest key-handling fix, use Reset PQC Keys before re-enabling it

๐˜š๐˜ฆ๐˜ค๐˜ถ๐˜ณ๐˜ช๐˜ต๐˜บ ๐˜”๐˜ฐ๐˜ฅ๐˜ฆ๐˜ญ

CryptiQ 2.0 currently focuses on these security properties:

  • Client-held room keys
  • AES-GCM encryption for message payloads
  • JWT-secured API access and room membership enforcement
  • Server stores only ciphertext, nonces, and room metadata
  • Manual out-of-band key delivery as the primary usable model
  • Optional PQC envelope exchange as a separate demonstration path

Important limitation:

  • The current PQC mode is a browser-side demonstration layer, not a full audited end-to-end production PQC system

๐˜™๐˜ฐ๐˜ข๐˜ฅ๐˜ฎ๐˜ข๐˜ฑ

  • QR code room sharing for mobile demos
  • Cleaner advanced-mode separation for PQC controls
  • Full backend liboqs integration where available
  • Better persistence and multi-device identity handling
  • Optional hardware-backed local key storage

๐˜“๐˜ช๐˜ค๐˜ฆ๐˜ฏ๐˜ด๐˜ฆ ๐˜ข๐˜ฏ๐˜ฅ ๐˜Š๐˜ฐ๐˜ฏ๐˜ต๐˜ข๐˜ค๐˜ต

CryptiQ is released under the MIT License. See the LICENSE file for details.

Author: Vanessa Madison Site: vanessamadison.com

For research collaboration or security review discussions, open an issue or reach out through the contact details on the site.

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

 
 
 

Contributors