Security Architecture
Cryptographic Primitives
Primitives and Their Roles
| Primitive | Algorithm | Role in Semafore |
|---|---|---|
| Curve25519 | ECDH (Elliptic Curve Diffie-Hellman) | Key agreement in X3DH and Double Ratchet DH ratchet steps; generates shared secrets |
| Ed25519 | EdDSA (Edwards-Curve Digital Signature Algorithm) | Signing and verifying Signed Pre-Keys; used only for signature verification during session establishment |
| AES-256-GCM | Authenticated Encryption with Associated Data | Symmetric encryption of message content; provides both confidentiality and authentication |
| HKDF-SHA256 | HMAC-based Key Derivation Function | Derives session keys from X3DH shared secrets and from DH ratchet steps in the Double Ratchet |
| HMAC-SHA256 | Hash-based Message Authentication Code | Advances the symmetric ratchet chain key in the Double Ratchet protocol |
| SHA-512 | Cryptographic Hash Function | General-purpose hashing where needed; not used in active encryption/decryption paths |
Implementation Notes
Curve25519 vs. Ed25519: Semafore uses both forms of 25519. Curve25519 (Montgomery form) is used for ECDH key agreement in all DH operations. Ed25519 (Edwards form) is used for signing and verifying the Signed Pre-Key. These are mathematically related but require different public-key representations; the protocol explicitly includes both in the key bundle contract to avoid conversion errors.
GCM mode: All symmetric encryption uses AES-256-GCM, which provides authenticated encryption. Each encryption operation generates a fresh random nonce; static IVs are never used. GCM ensures that an attacker cannot modify ciphertext without detection.
HKDF-SHA256: The key derivation steps in X3DH and the Double Ratchet use HKDF-SHA256 to extract and expand entropy from raw DH shared secrets. A raw DH output is not uniformly distributed, so the extract step condenses it into a uniform pseudorandom key before any key material is taken from it. The expand step then provides domain separation between different uses of the shared secret (session key material, chain keys, etc.).
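The following is an added example, not Semafore's own code: it implements HKDF-SHA256 as specified in RFC 5869, derives two domain-separated keys from one shared secret, and then advances a symmetric chain with HMAC-SHA256 as the primitives table describes. The `info` labels, the 0x01/0x02 chain constants, the function names and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: condense non-uniform input (a raw DH output) into a PRK."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: `info` is the domain-separation label."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output too long for HKDF-SHA256")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_keys(dh_secret: bytes, salt: bytes = b"") -> tuple[bytes, bytes]:
    """One extract, two expands with distinct labels: independent keys."""
    prk = hkdf_extract(salt, dh_secret)
    root_key = hkdf_expand(prk, b"example/root-key", 32)    # hypothetical label
    chain_key = hkdf_expand(prk, b"example/chain-key", 32)  # hypothetical label
    return root_key, chain_key


def advance_chain(chain_key: bytes) -> tuple[bytes, bytes]:
    """Symmetric ratchet step: HMAC-SHA256 keyed by the current chain key.

    The 0x01/0x02 input constants are assumed, not taken from the page.
    Returns (message_key, next_chain_key).
    """
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return message_key, next_chain_key


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed stand-in for a Curve25519 DH output
    root, chain = derive_session_keys(secret)
    for i in range(3):
        mk, chain = advance_chain(chain)  # old chain key is overwritten each step
        print(i, mk.hex())
```

Because each step replaces the chain key with a one-way HMAC output, a message key recovered from one step does not reveal earlier chain keys or the root key.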