Onera Docs
E2EE Architecture

Cryptographic Primitives

Symmetric encryption, asymmetric encryption, and key derivation algorithms

Cryptographic Primitives

All cryptographic operations use libsodium (v0.7.16), a modern, audited cryptographic library.

Symmetric Encryption

Algorithm: XSalsa20-Poly1305 (crypto_secretbox)

ParameterValue
CipherXSalsa20 (stream cipher)
AuthenticationPoly1305 MAC
Key Size256 bits
Nonce Size192 bits
MAC Size128 bits

Selection Rationale

  • Nonce-misuse resistance: 192-bit nonces make collisions astronomically unlikely
  • Authenticated encryption: Prevents tampering
  • Constant-time implementation: Prevents timing attacks
  • Well-audited: Widely deployed in Signal, WireGuard, etc.

Asymmetric Encryption

Algorithm: X25519 + XSalsa20-Poly1305 (crypto_box_seal)

ParameterValue
Key ExchangeX25519 (Curve25519 ECDH)
EncryptionXSalsa20-Poly1305
Public Key Size256 bits
Private Key Size256 bits

Selection Rationale

  • Ephemeral key in sealed box: Provides forward secrecy
  • No sender identity leakage: Anonymous encryption
  • Industry standard: Used in modern E2EE systems

Password-Based Key Derivation

Algorithm: Argon2id

ParameterDefault Value
AlgorithmArgon2id (hybrid)
Memory256 MB
Iterations3 (MODERATE)
Parallelism1
Salt Size128 bits
Output Size256 bits

Fallback Chain

For low-memory devices, Onera uses a fallback chain:

Selection Rationale

  • Memory-hard: Resists GPU/ASIC brute-force attacks
  • Hybrid mode: Combines data-dependent and data-independent passes
  • Winner: Password Hashing Competition (2015)
  • Adaptive fallback: Maintains security on constrained devices

Hashing and Key Derivation

FunctionAlgorithmUse Case
General HashingBLAKE2bDevice key derivation, verification IDs
KDFlibsodium crypto_kdfDeriving subkeys from master key
PRF KDFHKDF-SHA256WebAuthn PRF to KEK derivation

Random Number Generation

All randomness uses libsodium's randombytes_buf(), which:

  • Uses OS-provided CSPRNG (/dev/urandom, CryptGenRandom)
  • Is seeded from hardware entropy sources
  • Passes all standard randomness tests

Threat Model

Adversary capabilities, security goals, and trust boundaries

Key Hierarchy

Master key, private keys, chat keys, and session keys

On this page

Cryptographic PrimitivesSymmetric EncryptionSelection RationaleAsymmetric EncryptionSelection RationalePassword-Based Key DerivationFallback ChainSelection RationaleHashing and Key DerivationRandom Number Generation