Coming Soon
Jawbone is the state-of-the-art messaging protocol for a post-quantum world.
Jawbone pairs modern cryptography with a clean, focused messaging experience. The security framework below outlines the hybrid design that protects messages and metadata today while preparing for tomorrow.
Jawbone Security Framework for Messaging
Jawbone implements a hybrid cryptographic system combining classical elliptic curve cryptography with post-quantum algorithms to ensure security against both current and future quantum computing threats, with an optional onion networking layer for additional traffic analysis resistance.
Security Layers
+-----------------------------------------------------------------+
| JAWBONE SECURITY LAYERS |
+-----------------------------------------------------------------+
| Layer 1: Identity and Authentication |
| Ed25519 signatures + X25519/ML-KEM key pairs |
| Layer 2: Session Establishment (Extended X3DH) |
| X25519 + ML-KEM-1024 hybrid key exchange |
| Layer 3: Triple Ratchet Protocol |
| DH Ratchet (X25519) + PQ Ratchet (ML-KEM-1024) |
| + Symmetric Chain Ratchet (HKDF) |
| Layer 4: Sealed Sender (Metadata Protection) |
| X25519 ephemeral + XChaCha20-Poly1305 |
| Layer 5: Optional Onion Networking |
| Multi-hop relays + traffic analysis resistance |
+-----------------------------------------------------------------+Cryptographic Algorithms
Key Exchange
| Algorithm | Type | Key Sizes | Security Level | Purpose |
|---|---|---|---|---|
| X25519 | Classical ECDH | 32 bytes | Approx 128-bit | DH ratchet, X3DH, ephemeral keys |
| ML-KEM-1024 | Post-Quantum KEM | Public 1568 bytes, Private 3168 bytes | NIST Level 5 (Approx 256-bit) | PQ ratchet, hybrid X3DH |
Digital Signatures
| Algorithm | Signature Size | Purpose |
|---|---|---|
| Ed25519 | 64 bytes | Identity verification, PreKey signing, message authentication |
Symmetric Encryption
| Algorithm | Key Size | Nonce Size | Tag Size | Purpose |
|---|---|---|---|---|
| XChaCha20-Poly1305 | 256-bit | 192-bit (24 bytes) | 128-bit (16 bytes) | Message encryption, sealed sender |
Key Derivation
| Algorithm | Purpose |
|---|---|
| HKDF-SHA256 | Session keys, chain keys, message keys |
| HKDF-SHA512 | Extended key material derivation |
| Argon2id | Password-based key derivation for storage encryption |
Layer 1: Identity and Authentication
Each user generates the following identity keys:
LocalIdentity
|-- Identity Key Pair (X25519) - Long-term identity
|-- Signing Key Pair (Ed25519) - For digital signatures
|-- Signed PreKey Pair (X25519) - Medium-term, signed by identity
|-- Kyber Key Pair (ML-KEM-1024) - Post-quantum identity
|-- One-Time PreKeys (X25519[]) - Single-use keysPreKey Bundle (published to server):
PreKeyBundleDto
|-- IdentityKey // X25519 public key
|-- SigningKey // Ed25519 public key
|-- SignedPreKey // X25519 public key (signed)
|-- SignedPreKeySignature // Ed25519 signature
|-- KyberPublicKey // ML-KEM-1024 public key
|-- OneTimePreKey // X25519 public key (optional)Layer 2: Session Establishment (Extended X3DH)
Jawbone extends the Signal X3DH protocol with post-quantum key encapsulation.
+-----------------------------------------------------------------+
| EXTENDED X3DH KEY AGREEMENT |
+-----------------------------------------------------------------+
| DH1 = X25519(Alice_Identity_Private, Bob_SignedPreKey) |
| DH2 = X25519(Alice_Ephemeral_Private, Bob_Identity) |
| DH3 = X25519(Alice_Ephemeral_Private, Bob_SignedPreKey) |
| DH4 = X25519(Alice_Ephemeral_Private, Bob_OneTimePreKey)* |
| |
| (KEM_Ciphertext, KEM_Secret) = KyberEncapsulate(Bob_KyberPub) |
| |
| SharedSecret = HKDF(DH1 || DH2 || DH3 || DH4 || KEM_Secret, |
| salt=0x00[32], info="JawboneX3DH", 64) |
| |
| RootKey = SharedSecret[0..32] |
| ChainKey = SharedSecret[32..64] |
+-----------------------------------------------------------------+
* DH4 included only if OneTimePreKey availableInitial message contains:
- Alice ephemeral public key
- Kyber ciphertext for Bob to decapsulate
- First encrypted message
Layer 3: Triple Ratchet Protocol
The Triple Ratchet combines three ratcheting mechanisms for optimal security.
+-----------------------------------------------------------------+
| TRIPLE RATCHET STATE |
+-----------------------------------------------------------------+
| +-----------------+ +-----------------+ +------------------+ |
| | DH RATCHET | | PQ RATCHET | | SYMMETRIC CHAIN | |
| | (X25519) | | (ML-KEM-1024) | | (HKDF) | |
| +-----------------+ +-----------------+ +------------------+ |
| | PrivateKey | | PrivateKey | | SendingChainKey | |
| | PublicKey | | PublicKey | | ReceivingChainKey| |
| | RemotePublicKey | | RemotePublicKey | | MessageNumber | |
| | DhRootKey | | PqRootKey | | | |
| +--------+--------+ +--------+--------+ +--------+---------+ |
| | | | |
| +---------+----------+ | |
| v | |
| +---------------------+ | |
| | Combined Root Key |<-----------------+ |
| | (DH xor PQ secret) | |
| +---------------------+ |
+-----------------------------------------------------------------+Ratchet Steps
1. DH Ratchet (every message exchange)
DH_Output = X25519(Local_Ratchet_Private, Remote_Ratchet_Public)
(New_RootKey, New_ChainKey) = HKDF(RootKey, DH_Output, "JawboneTripleRatchet-DH")2. PQ Ratchet (periodic)
(KEM_Ciphertext, KEM_Secret) = KyberEncapsulate(Remote_Kyber_Public)
New_PQ_RootKey = HKDF(PQ_RootKey, KEM_Secret, "JawboneTripleRatchet-PQ")3. Symmetric Chain Ratchet (every message)
New_ChainKey = HMAC-SHA256(ChainKey, 0x02)
MessageKey = HMAC-SHA256(ChainKey, 0x01)Message Key Derivation
CombinedRootKey = DeriveTripleRatchetRootKey(DH_RootKey, PQ_RootKey, Salt)
(SendChainKey, RecvChainKey) = DeriveChainKeys(CombinedRootKey, RatchetPublicKey)
MessageKey = HKDF(ChainKey, "MessageKey", MessageNumber)Layer 4: Sealed Sender (Metadata Protection)
Sealed sender hides the identity of the message sender from the server.
+-----------------------------------------------------------------+
| SEALED SENDER ENVELOPE |
+-----------------------------------------------------------------+
| 1. Create ephemeral key pair for sealing |
| SealEphemeral = GenerateX25519KeyPair() |
| |
| 2. Derive sealing key |
| SealSecret = X25519(SealEphemeral.Private, Recipient.Pub) |
| SealKey = HKDF(SealSecret, salt, "SealedSender", 32) |
| |
| 3. Encrypt the message envelope |
| (Ciphertext, Tag) = XChaCha20Poly1305( |
| SealKey, Nonce, SerializedEnvelope) |
| |
| 4. Combine into sealed message |
| SealedMessage = SealEphemeral.Public (32 bytes) |
| || Nonce (24 bytes) |
| || Tag (16 bytes) |
| || Ciphertext (variable) |
+-----------------------------------------------------------------+Unsealing process (recipient only):
EphemeralKey = SealedMessage[0..32]
Nonce = SealedMessage[32..56]
Tag = SealedMessage[56..72]
Ciphertext = SealedMessage[72..]
UnsealSecret = X25519(Recipient.Private, EphemeralKey)
UnsealKey = HKDF(UnsealSecret, salt, "SealedSender", 32)
Envelope = XChaCha20Poly1305Decrypt(UnsealKey, Nonce, Ciphertext, Tag)Layer 5: Optional Onion Networking
Onion networking routes messages through multiple relays, wrapping each hop in its own encryption layer. It is an opt-in mode for teams that require maximum anonymity against traffic analysis.
+-----------------------------------------------------------------+
| ONION ROUTING OVERVIEW |
-----------------------------------------------------------------+
| Client -> Relay A -> Relay B -> Relay C -> Recipient |
| Each hop decrypts one layer and learns only the next hop. |
| Payload remains end-to-end encrypted by Jawbone. |
-----------------------------------------------------------------+Message Envelope Structure
MessageEnvelope
|-- RatchetPublicKey // Current DH ratchet public key (32 bytes)
|-- MessageNumber // Message number in current chain
|-- PreviousChainLength // Previous chain length (for out-of-order)
|-- Epoch // Combined ratchet epoch
|-- Ciphertext // Encrypted message content
|-- Tag // Poly1305 authentication tag (16 bytes)
|-- Nonce // XChaCha20 nonce (24 bytes)
|-- ProtocolVersion // 1=Double Ratchet, 2=Triple Ratchet
|
| // Triple Ratchet Extensions
|-- PqPublicKey // New ML-KEM public key (if PQ ratchet)
|-- KemCiphertext // KEM ciphertext (1568 bytes, if PQ ratchet)
|-- PqEpoch // PQ ratchet epoch
|-- IncludesPqRatchet // Whether message includes PQ ratchet step
|-- AcknowledgedPqEpoch // Acknowledged PQ epoch from remoteSecurity Properties
- Forward secrecy: DH ratchet prevents past message disclosure after compromise.
- PQ forward secrecy: PQ ratchet protects against future quantum attacks.
- Post-compromise security: Security is restored after one round-trip.
- Quantum resistance: ML-KEM-1024 delivers NIST Level 5 strength.
- Metadata protection: Sealed sender hides origin from the server.
- Traffic analysis resistance: Optional onion routing obscures network paths.
Key Domain Separation
| Context | Info String |
|---|---|
| X3DH Key Agreement | JawboneX3DH |
| Triple Ratchet Initialization | JawboneTripleRatchet-Init |
| DH Ratchet | JawboneTripleRatchet-DH |
| PQ Ratchet | JawboneTripleRatchet-PQ |
| Combined Root Key | JawboneTripleRatchet-Combined |
| PQ Root Key | JawboneTripleRatchet-PQ-Root |
| Chain Key Derivation | JawboneTripleRatchet-Chain-v1 |
| Root Key Derivation | JawboneTripleRatchet-Root-v1 |
| Message Key | MessageKey |
| Sealed Sender | SealedSender |
| Master Identity Encryption | Jawbone-MasterIdentity-Encryption-v1 |
Secure Memory Handling
CryptoProvider.Instance.SecureZero(sharedSecret);
CryptoProvider.Instance.SecureZero(encryptionKey);
CryptoProvider.Instance.SecureZero(plaintext);