Technical specifications for each cryptographic primitive used in QSafe Vault, with context on the security model and design rationale.
Today's public-key encryption rests on mathematical problems that are easy to check but hard to solve, such as factoring enormous numbers: a classical computer would need billions of years. Quantum computers take a fundamentally different approach. Superposition and entanglement let them explore exponentially many candidate solutions at once, and Shor's algorithm (1994) showed that a quantum computer can factor large numbers and solve the elliptic-curve discrete-logarithm problem in polynomial time, directly breaking RSA and ECDH, the pillars of today's internet security. The solution is to build on different mathematics that quantum computers also cannot solve efficiently.
Shor's algorithm breaks RSA and ECDH by factoring large integers and solving discrete logarithms exponentially faster than any known classical algorithm. Every classical TLS/HTTPS key exchange in use today is therefore vulnerable.
Grover's algorithm provides a quadratic speedup for unstructured search, which halves the effective key length of symmetric ciphers. That is why AES-256 remains secure (256-bit key, 128-bit effective security) while AES-128 would be marginal.
In a harvest-now, decrypt-later attack, adversaries collect encrypted traffic today and store it, waiting for quantum computers to arrive. Any data encrypted now with classical algorithms will eventually be readable, so it has to be protected now.
ML-KEM (formerly CRYSTALS-Kyber) is used to securely exchange the per-file encryption key. It performs key encapsulation: using your public key, the sender generates a random shared secret together with a ciphertext, and only your secret key can recover that shared secret from the ciphertext. This replaces ECDH, the current standard for key exchange, which quantum computers break.
Its security rests on the Module Learning With Errors (MLWE) problem: recovering a secret vector from noisy linear equations over a polynomial ring. MLWE is believed to be hard for both classical and quantum computers; no polynomial-time quantum algorithm for it is known.
ML-DSA (formerly CRYSTALS-Dilithium) produces a digital signature over the entire QSAFE container: the ciphertext, the encapsulated key, the policy fields and the header. The signature proves two things: (1) the container was created by the holder of this secret key, and (2) not a single byte has changed since it was signed. Verification runs before decryption, so any tampered file is rejected immediately.
Its security rests on the Module Short Integer Solution (MSIS) and MLWE problems. Signing samples random polynomials and computes commitment/response pairs that reveal nothing about the secret key.
AES-256-GCM is the world's most widely deployed symmetric cipher, used by governments, militaries and HTTPS connections worldwide. In GCM mode it provides both confidentiality (encryption) and authenticity (a 128-bit authentication tag), so if anyone tampers with the ciphertext, decryption fails with an authentication error even without the signature check.
The AES key is derived fresh for each file with HKDF-SHA-256, keyed by the ML-KEM shared secret and a random per-file salt. Even if one file's AES key were somehow compromised, it would reveal nothing about any other file's key.
Argon2id converts your human-readable password into a cryptographic key. It is deliberately slow and memory-hard: each attempt needs significant RAM and time, which makes brute-force password guessing extremely expensive. QSafe uses time cost 3, memory cost 64MB and parallelism 1, so each password attempt takes about 0.5 seconds and 64MB of RAM on modern hardware. An attacker who could otherwise try a billion passwords per second is reduced to about one attempt per 0.5 seconds.