Open-Source E2EE Messenger

Messages that only you can read

End-to-end encrypted chat built on the Signal Protocol with post-quantum protection, a zero-knowledge relay server, and 156 automated security tests. Fully open source.

Pre-production prototype — independent security audit recommended before high-risk use.

Production Readiness

78%

  • Signal Protocol (X3DH + Double Ratchet)
  • Post-Quantum Hybrid KEM
  • TreeKEM Group Protocol
  • TLS Enforcement & Server Hardening
  • 156 Tests (Unit, Fuzz, Adversarial)
  • Audit Documentation Pack
  • Dependency Hygiene (Dependabot + SBOM)
  • Multi-Device Support (designed)
  • Independent Security Audit

  • 156 Security Tests: Unit, property, fuzz, adversarial
  • 34 Verified Claims: Mapped to code & tests
  • 100% Open Source: MIT License · Full transparency
  • Feb 2026 Last Security Review: v3 production hardening

What CipherLink Protects

True End-to-End Encryption

Messages are encrypted on your device before sending. Not even the server can read them.

Anonymous Messaging

Sealed Sender hides who sent each message. The server only knows where to deliver.

Quantum-Resistant

Hybrid encryption protects your messages even against future quantum computers.

Secure Groups

TreeKEM-based group chat with forward secrecy. Adding or removing members rotates all keys.

Encrypted Backups

Passphrase-protected backups with Shamir key splitting. No single point of failure.

Verify Contacts

Safety numbers let you verify contacts in person via QR code. Detects MITM attacks.

[Animated demo: a chat between Alice (Alice's iPhone) and Bob (Bob's Android), end-to-end encrypted with XChaCha20-Poly1305 and routed through the zero-knowledge relay server ("Route & Forget"). The server sees only ciphertext: no plaintext, no keys, no sender ID.]

Architecture

Alice (Expo RN + libsodium; encrypts before sending) → ciphertext only → Relay Server (Node.js + ws + TLS; zero knowledge) → ciphertext only → Bob (Expo RN + libsodium; decrypts on receive)

Tech Stack

  • libsodium: Cryptography
  • Expo: React Native
  • TypeScript: Strict Mode
  • Node.js: Server
  • ws: WebSocket
  • Zod: Validation
  • Vitest: Testing
  • fast-check: Property Tests
  • pnpm: Monorepo
  • GitHub Actions: CI/CD

Quick Start

    # Clone & install
    $ git clone https://github.com/BEKO2210/cipherlink.git && cd cipherlink
    $ pnpm install

    # Start server + mobile app
    $ pnpm dev:server
    $ pnpm dev:mobile

    # Run all 156 tests
    $ pnpm test

Protocol Deep Dive

X3DH Key Agreement
Extended Triple Diffie-Hellman with Ed25519 identity keys, signed prekeys, and one-time prekeys. Asynchronous session setup allows messaging offline contacts. The protocol performs 3 DH computations (identity-signed, identity-onetime, ephemeral-signed) plus an optional 4th (ephemeral-onetime) to derive the initial shared secret via HKDF-SHA256.
Double Ratchet Protocol
Continuous key rotation combining a DH ratchet (new keypair per exchange) with symmetric KDF chains. Provides forward secrecy (past keys irrecoverable) and post-compromise security (heals after temporary key compromise). Each message uses a unique message key derived from the chain, then immediately discarded.
Post-Quantum Hybrid KEM (X25519 + ML-KEM-768)
Combines classical X25519 with ML-KEM-768 (Kyber) in a hybrid construction. If either component remains secure, the combined secret is secure, which defends against harvest-now-decrypt-later attacks. The combined shared secrets are mixed via HKDF-SHA256. The implementation currently uses a Kyber wire-format placeholder, ready for a native drop-in when standardized.
TreeKEM Group Key Agreement
MLS-inspired binary tree structure for group key management. Each member holds a leaf node with a keypair. Updates propagate O(log n) path secrets to the root, deriving per-epoch group secrets. All updates are Ed25519-signed. Member additions and removals trigger immediate key rotation, ensuring forward secrecy for group messages.
Metadata Resistance
All messages are padded to uniform 4096-byte envelopes, making them indistinguishable by size. Cover traffic generates dummy envelopes at random intervals. Message batching with timing jitter prevents timing correlation. Combined with Sealed Sender (encrypted sender identity), this defeats most traffic analysis.
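
The uniform-envelope idea above, as an added example (not CipherLink's own code). The 2-byte length prefix, the zero fill and all function names are assumptions; only the 4096-byte size comes from the page.

```javascript
// Assumed layout (not from the CipherLink source): 2-byte big-endian length,
// then the payload, then zero fill up to ENVELOPE_SIZE. Padding is applied to
// the plaintext before AEAD encryption, so the fill bytes are authenticated.
const ENVELOPE_SIZE = 4096;                     // uniform size stated on the page
const HEADER_SIZE = 2;                          // assumed length prefix
const MAX_PAYLOAD = ENVELOPE_SIZE - HEADER_SIZE;

// payload: Uint8Array. Returns a Uint8Array of exactly ENVELOPE_SIZE bytes.
function padEnvelope(payload) {
  if (payload.length > MAX_PAYLOAD) {
    throw new RangeError(`payload ${payload.length} > ${MAX_PAYLOAD}; split it first`);
  }
  const env = new Uint8Array(ENVELOPE_SIZE);    // zero-filled by default
  env[0] = payload.length >> 8;
  env[1] = payload.length & 0xff;
  env.set(payload, HEADER_SIZE);
  return env;
}

function unpadEnvelope(env) {
  if (env.length !== ENVELOPE_SIZE) throw new RangeError("wrong envelope size");
  const len = (env[0] << 8) | env[1];
  if (len > MAX_PAYLOAD) throw new RangeError("length prefix out of range");
  // Reject non-zero fill so a malformed tail is never silently accepted.
  for (let i = HEADER_SIZE + len; i < ENVELOPE_SIZE; i++) {
    if (env[i] !== 0) throw new Error("non-zero padding");
  }
  return env.slice(HEADER_SIZE, HEADER_SIZE + len);
}

// Long messages are split so every chunk still travels in a full-size envelope.
// An empty payload still produces one envelope.
function toEnvelopes(payload) {
  const out = [];
  for (let off = 0; off === 0 || off < payload.length; off += MAX_PAYLOAD) {
    out.push(padEnvelope(payload.subarray(off, off + MAX_PAYLOAD)));
  }
  return out;
}
```

A message that needs several envelopes still reveals its envelope count, so padding bounds the length signal rather than removing it for large payloads.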
Sealed Sender
Sender identity encrypted inside the message envelope using an ephemeral DH keypair against the recipient's identity key. The relay server routes messages using only the recipient's public key — it never learns who sent a message. Authentication happens inside the encrypted payload.
Key Transparency (Merkle Tree)
Verifiable key directory using a Merkle tree. The server publishes signed tree heads. Clients can request inclusion proofs to verify their keys haven't been silently substituted. Prevents the server from serving different keys to different clients (a key-substitution attack).
Protocol State Machine
Formal 5-state lifecycle: UNINITIALIZED → PREKEY_PUBLISHED → KEY_AGREEMENT → RATCHETING → CLOSED. Each transition has enforced invariants. Invalid state transitions throw errors, preventing protocol misuse. Epoch counters track key rotation cycles.
SecureBuffer & Key Management
Misuse-resistant key wrapper with: use-after-wipe detection (throws on access after .wipe()), RAII auto-cleanup scopes, JSON.stringify and toString leak prevention (returns [REDACTED]). Zero raw key material exposure in logs or serialization.
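
A sketch of the wrapper behaviours listed above, as an added example (not CipherLink's own SecureBuffer). Only `.wipe()` and the `[REDACTED]` output are taken from the page; `expose`, `isWiped` and `withSecret` are hypothetical names.

```javascript
// Hypothetical sketch: only .wipe() and "[REDACTED]" come from the page.
class SecureBuffer {
  #bytes;            // private field: not reachable via property enumeration
  #wiped = false;

  constructor(bytes) {
    this.#bytes = Uint8Array.from(bytes);   // own copy; caller wipes the original
  }

  // Single access point, so the use-after-wipe check cannot be bypassed.
  expose() {
    if (this.#wiped) throw new Error("SecureBuffer: use after wipe");
    return this.#bytes;
  }

  wipe() {
    this.#bytes.fill(0);
    this.#wiped = true;
  }

  get isWiped() { return this.#wiped; }

  // JSON.stringify, string coercion and template literals all land here.
  toJSON() { return "[REDACTED]"; }
  toString() { return "[REDACTED]"; }
  // Node's console.log / util.inspect look up this well-known symbol.
  [Symbol.for("nodejs.util.inspect.custom")]() { return "[REDACTED]"; }
}

// Scope helper standing in for RAII: the key is wiped even if fn throws.
function withSecret(bytes, fn) {
  const buf = new SecureBuffer(bytes);
  try {
    return fn(buf);
  } finally {
    buf.wipe();
  }
}
```

Wiping in JavaScript is best-effort: the runtime may have copied the bytes during garbage collection or conversions, so the wrapper limits accidental exposure rather than guaranteeing erasure.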
Server Hardening (v3)
Production TLS enforcement (blocks ws://), IP-based connection limiting with token bucket rate limiter (30 burst, 5/sec), WebSocket ping/pong keepalive, structured logging with sanitized output (no keys/ciphertext in logs), group fan-out cap (256 members), Dependabot + lockfile integrity + SBOM generation.
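
The per-IP token bucket with the parameters quoted above (30 burst, 5/sec), as an added example (not the project's server code). The class and method names and the idle-sweep interval are assumptions; the clock is passed in so the behaviour is deterministic.

```javascript
// Per-IP token bucket using the page's parameters: 30 burst, refill 5 tokens/sec.
// Names and the idle timeout are hypothetical; nowMs is supplied by the caller.
class IpRateLimiter {
  constructor({ burst = 30, perSecond = 5, idleMs = 60000 } = {}) {
    this.burst = burst;
    this.perSecond = perSecond;
    this.idleMs = idleMs;          // must exceed burst / perSecond (time to refill)
    this.buckets = new Map();      // ip -> { tokens, last }
  }

  // Returns true if the connection or message from `ip` may proceed.
  allow(ip, nowMs) {
    let b = this.buckets.get(ip);
    if (!b) {
      b = { tokens: this.burst, last: nowMs };
      this.buckets.set(ip, b);
    }
    // Refill for elapsed time, capped at the burst size.
    const elapsed = Math.max(0, nowMs - b.last);   // ignore a clock stepping back
    b.tokens = Math.min(this.burst, b.tokens + (elapsed / 1000) * this.perSecond);
    b.last = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }

  // Drop buckets idle long enough to be full again, so the map itself cannot
  // be grown without bound by many source addresses. Returns remaining count.
  sweep(nowMs) {
    for (const [ip, b] of this.buckets) {
      if (nowMs - b.last >= this.idleMs) this.buckets.delete(ip);
    }
    return this.buckets.size;
  }
}
```

Behind a reverse proxy the limiter must key on the proxy-supplied client address from a trusted header, otherwise every client shares one bucket.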

Protected Against

  • Server reading messages (E2EE)
  • Past message exposure (forward secrecy)
  • Key compromise persistence (post-compromise security)
  • Sender identity leakage (sealed sender)
  • MITM attacks (safety number verification)
  • Replay attacks (dedup + 50K server cache)
  • Message length analysis (4096-byte envelopes)
  • Quantum computing (hybrid PQ KEM)
  • Traffic analysis (cover traffic + jitter)
  • Key directory tampering (Merkle transparency)
  • Backup SPOF (Shamir 2-of-3 splitting)
  • Key material misuse (SecureBuffer)
  • Insecure transport (TLS enforcement)
  • Connection flooding (IP rate limiting)
  • Log data leaks (sanitized logging)
  • Supply chain attacks (Dependabot + SBOM)

Open Items

  • Multi-device: design complete, implementation pending
  • PQ KEM: wire format placeholder (native drop-in ready)
  • No disappearing messages yet
  • No server integration tests
  • Independent audit required for production

Encryption in Action

Watch a message travel from Alice to Bob. The server sees only ciphertext.

  • Step 1, Compose (Alice's Device): Message
  • Step 2, X25519 DH (Alice's Keys): Shared Secret
  • Step 3, Derive Key (HKDF-SHA256): Message Key (256-bit)
  • Step 4, Encrypt (XChaCha20-Poly1305): Ciphertext + Auth Tag
  • Step 5, Forward (Relay Server, TLS): Server Knowledge
  • Step 6, Decrypt (Bob's Device): Plaintext Recovered

What's Next

Concrete milestones for CipherLink's path to production.

  • Q4 2025: v1 — Core Signal Protocol. X3DH, Double Ratchet, Sealed Sender, Sender Keys, safety numbers, encrypted backups, replay protection.
  • Q1 2026: v2 — Security Hardening. Hybrid PQ KEM, TreeKEM groups, metadata resistance, key transparency, Shamir key splitting, SecureBuffer, protocol state machine.
  • Feb 2026: v3 — Production Hardening. TLS enforcement, server hardening, 156 tests (incl. fuzz & adversarial), audit documentation pack, dependency hygiene.
  • Q2 2026: v4 — Multi-Device & Native Kyber. Per-device keypairs, QR/passphrase linking, device revocation. Replace Kyber wire format with native ML-KEM-768.
  • Q3 2026: Independent Security Audit. Engage external auditors for comprehensive review of cryptographic implementation and protocol correctness.
  • Q4 2026: Public Beta. App store releases (iOS, Android, F-Droid), disappearing messages, remote wipe, server integration tests.

Get CipherLink

Currently in development. Source code available now.

  • Source Code: Clone the repo and build locally.
  • iOS (TestFlight): Planned for Q4 2026.
  • Android (APK): v1.0.0 — requires Android 7.0+
  • F-Droid: Planned for Q4 2026.

Security Hall of Fame

We recognize security researchers who responsibly disclose vulnerabilities.

No submissions yet. Be the first!

Based on: Signal Protocol (Marlinspike & Perrin, 2016) · MLS / RFC 9420 · NIST FIPS 203 (ML-KEM)