Castle is the encrypted messaging protocol that powers Cyph. It provides confidentiality, deniability, asynchronous messaging, automatic mutual authentication, and quantum computing resistance.

The last two points bear some emphasis:

1. Authentication is a major problem with secure communication. Without it, using encryption is pointless.
   • This is typically a cumbersome process requiring users to meet up IRL.
   • Castle handles this invisibly with no user intervention.
2. Alternatives are universally vulnerable to quantum computing attacks, meaning it’s only a matter of time before all of their users’ data is exposed.
   • See: IBM warns of instant breaking of encryption by quantum computers: ‘Move your data today’
   • Castle mitigates this looming threat right now.

Technical Detail

Castle is broadly similar to Signal Protocol, which is an open standard that has seen heavy scrutiny and is considered to be highly secure. Details of Signal Protocol can be found here. The differences in Castle are as follows:

Public Key Authentication

Signal

• Signal is unauthenticated by default, relying on users to meet and scan QR codes. This is not a one-time process, but rather must be performed every time you or your chat partner activate a new client/device.

Cyph

• Cyph Accounts: Upon signup, a long-lived key pair is generated and authenticated via a one-time AGSE-PKI certificate issuance. This provides always-on authentication for that user seamlessly and indefinitely.
• Cyph Burner: The cyph link URL fragment includes a shared secret that is used during the handshake to provide authenticity. This is less secure than Cyph Accounts for repeat conversations over time, but is safe from man-in-the-middle as long as an attacker fails to compromise both the Cyph servers and the channel used to transmit the link within the window of time before the link is opened.

Quantum Computing Resistance

Signal

• Signal Protocol presently offers no mitigation for quantum computing.

Castle

• Castle integrates various proposed “post-quantum” cryptographic primitives. Post-quantum cryptography has been a very active area of research in recent decades with much uncertainty as to what will hold up against future cryptanalysis. Castle maximizes its chances of long-term success by hedging its bets on at least one of these algorithms standing the test of time.
  • Public key cyphers used in initial handshake: Kyber, HQC
  • Key exchange cyphers used in Double Ratchet: Kyber
  • Signing schemes used in AGSE-PKI certificates: Dilithium
  • Signing schemes used in WebSign code signing: SPHINCS+

Initial Handshake

Signal

• Signal Protocol’s X3DH key agreement protocol involves each client having uploaded a large number of signed ephemeral “prekeys” and using those to perform key exchanges.

Castle

• Castle’s handshake is entirely different. As noted, each user has one single public key pair; Alice simply generates a random symmetric key and encrypts it for Bob.

Cryptographic Primitives

Signal

• Signal uses X25519, AES-CBC-256, and HMAC-SHA-256.

Castle

• Castle uses X25519, XChaCha20, and Poly1305 (combined with the aforementioned quantum-resistant primitives).
• Additionally, Ed25519 is used for signing, Argon2id is used for password hashing, and SHA-512 is used for general hashing.

Forward Secrecy

Signal

• Signal’s Double Ratchet ensures strong forward secrecy though a combined symmetric key ratchet (for consistent forward secrecy) and asymmetric key ratchet (for intermittent “self-healing” or “future secret” forward secrecy).

Castle

• Cyph Burner: Castle uses the same Double Ratchet technique.
• Cyph Accounts: All message history is by default encrypted with the user’s key and synced to cloud storage, making forward secrecy impossible. However, ephemeral “burner” chats are also supported from Cyph Accounts.