Labs · Live in your browser

QS3 — Forward-Secret Post-Quantum Ratchet

Every message below is encrypted with its own single-use key. Each conversation turn runs a fresh ML-KEM-768encapsulation that evolves the session's root key, after a hybrid X25519 + ML-KEM-768 handshake. Steal a device's entire secret state mid-conversation and watch the protocol lock the thief out after one round trip.

Read the full protocol guide →

📱 Alice
Running hybrid PQC handshake…
💻 Bob
Running hybrid PQC handshake…
🕵️ Eavesdropper

Press Steal state on either device to hand an attacker a complete copy of its secrets — root key, chain keys, and current ratchet private key. The attacker then attempts to decrypt every packet that follows.

Under the hood
HandshakeX25519 + ML-KEM-768 → HKDF
RatchetML-KEM-768 per turn
Message keysHKDF chain, single-use
AEADAES-256-GCM (header = AAD)
SignaturesML-DSA-65 per packet
🔑
One key per message
Message keys come off a one-way HKDF chain and are erased after use. A leaked key opens exactly one message.
Forward secrecy
Chains only run forward — today’s state cannot re-derive yesterday’s keys, so recorded traffic stays sealed even after a device compromise.
🩹
Self-healing
Every turn injects fresh ML-KEM-768 entropy. One round trip after a compromise, the attacker’s stolen state is useless.
⚛️
Hybrid by construction
Breaking the session requires beating BOTH X25519 and ML-KEM-768 — classical and post-quantum, belt and braces.