CryptiQ 2.0 is a post-quantum-ready secure messaging platform and reference implementation that pairs a Flask API with a sleek dark-mode client designed for practical demos.
2. Encryption Modes & PQC Registration
3. Room Key Vault & Secure Unlocking
flowchart TB
Start((Start)) --> Create[Create Room]
Create --> Gen[Generate Room Key]
Gen --> PathA{Manual Path}
Gen --> PathB{PQC Path}
subgraph Manual [Tier 1: Manual Share]
PathA --> Link[Copy Secure Link]
Link -.->|Secure Channel| Join[Open Link & Save Key]
end
subgraph PQC [Tier 2: PQC Demo]
PathB --> Reg[Register PQC Public Keys]
Reg --> Wrap[Share via ML-KEM Envelope]
Wrap --> Server[(Server Storage)]
Server --> Unwrap[Accept & Decrypt Envelope]
end
Join --> Ready[Room Unlocked]
Unwrap --> Ready
Ready --> Msg[Send Encrypted Message]
Msg --> AES[AES-GCM Encryption]
AES --> Post[POST Ciphertext to Server]
Post --> Broadcast[SSE / Polling Broadcast]
Broadcast --> Recv[Receive & Decrypt on Peer]
The primary production-style flow that works across all modern browsers.
- Host: Create a room and click Generate Key in the Room Key Vault.
- Host: Click Copy Secure Link (this includes the room ID and the secret key).
- Guest: Open the secure link. The room ID and key are automatically populated.
- Guest: Click Save Key. The UI will confirm: "Room key saved to this device."
- Chat: Both sides can now send messages. Encryption and decryption happen automatically.
An advanced demo path using ML-KEM envelopes, optimized for Chromium browsers.
- Setup: Both users click Enable PQC Demo on their respective devices (Chrome/Edge/Brave).
- Sender: Click Share via PQC. This wraps the room key in a quantum-resistant envelope.
- Recipient: Click Accept PQC Envelope. The device unwraps the key using its local PQC private key.
- Result: The room is unlocked without the secret ever being shared manually or in plaintext.
CryptiQ 2.0 is substantially more usable and coherent as a PQC portfolio project:
-
Deterministic Key Derivation Fixed a bug where different devices derived different AES keys from the same room secret. Now, shared secrets result in perfect decryption across all clients.
-
Enhanced PQC Reliability Resolved X25519 private key handling errors in Chromium. PQC envelopes now reliably transport room secrets between modern browsers.
-
Live Room Experience
- Auto-Refresh: New messages appear automatically via event streams with a robust polling fallback.
- Intuitive Sending: Press Enter in the message box to send immediately.
- Clear Feedback: Visual indicators confirm when a room key is successfully saved or unlocked.
-
Professional Interface Redesigned with a darker enterprise palette, SF-like typography, and better mobile responsiveness.
-
Post-quantum alignment Uses modern NIST-aligned terminology such as ML-KEM and ML-DSA.
-
Room-key encryption Room secrets are created and retained on the client. The server stores only ciphertext and metadata.
-
Tiered key exchange Manual out-of-band distribution is the reliable default; PQC sharing is the cutting-edge alternative.
-
Browser support
- Manual: Safari, Chrome, Edge, Brave.
- PQC: Chromium-based (Chrome, Brave, Edge). Safari is currently limited to manual sharing.
cryptiq/
โโโ backend/ Flask API and auth layer
โ โโโ app.py REST API + JWT auth + room streams
โ โโโ db.py SQLite models and schema
โ โโโ requirements.txt Python dependencies
โโโ frontend/ Next.js client application
โ โโโ app/ App Router UI
โ โโโ public/ Static assets + PQC wasm
โ โโโ scripts/ Build helpers
โ โโโ package.json Frontend dependencies
โโโ README.md Overview, flows, deployment, and setup
Core concepts:
- Backend Flask service for auth, rooms, room membership, device key registration, PQC envelopes, and encrypted message storage
- Client-side AES-GCM message encryption with a per-room secret
- Optional ML-KEM envelope exchange for demonstration purposes
- Shared room model designed for a concrete portfolio demo rather than a vague crypto showcase
Backend
- Python + Flask
- SQLite for lightweight state
- JWT auth with room membership checks
- SSE stream endpoint for near-real-time message delivery
Frontend
- Next.js + React
- Web Crypto API with AES-GCM
- PBKDF2-derived room encryption keys
- Optional browser-side PQC WebAssembly with ML-KEM
Requirements
- Python 3.9 or newer
- Node.js 18 or newer
# Backend
cd backend
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python app.py # Flask on :5000
# Frontend (new terminal)
cd frontend
npm install
npm run dev # Next.js on :3000Access:
Frontend: http://localhost:3000
Backend: http://localhost:5000
- Room keys are device-local and should be shared intentionally during testing
- Older messages created before the deterministic room-key fix may not decrypt correctly in previously used rooms
- For the cleanest demo, create a fresh room after pulling the latest changes
- If PQC demo mode was tested before the latest key-handling fix, use Reset PQC Keys before re-enabling it
CryptiQ 2.0 currently focuses on these security properties:
- Client-held room keys
- AES-GCM encryption for message payloads
- JWT-secured API access and room membership enforcement
- Server stores only ciphertext, nonces, and room metadata
- Manual out-of-band key delivery as the primary usable model
- Optional PQC envelope exchange as a separate demonstration path
Important limitation:
- The current PQC mode is a browser-side demonstration layer, not a full audited end-to-end production PQC system
- QR code room sharing for mobile demos
- Cleaner advanced-mode separation for PQC controls
- Full backend liboqs integration where available
- Better persistence and multi-device identity handling
- Optional hardware-backed local key storage
CryptiQ is released under the MIT License. See the LICENSE file for details.
Author: Vanessa Madison Site: vanessamadison.com
For research collaboration or security review discussions, open an issue or reach out through the contact details on the site.

