Architecture | Atlas Associates

ARCHITECTURE

Technical Architecture

Flutter cross-platform client, Firebase backend, and Signal Protocol E2EE with post-quantum cryptography.

Technology Stack

Layer	Technology
Client	Flutter 3.x + Dart
State Management	Riverpod 3.0 (AsyncNotifier / Generator)
Backend	Firebase (Firestore / Auth / Storage / FCM) + GCP
Mesh Network	Bridgefy BLE SDK
Cryptography	Arc Protocol (Signal Protocol, libsignal-client Rust): PQXDH (X25519 + ML-KEM-1024) + Ed25519 (AEGIS)
Local Database	Hive (NoSQL, type-safe)
Key Storage	FlutterSecureStorage (Keychain / Keystore / Web Crypto API)
Image Cache	CachedNetworkImage

E2EE Encryption Pipeline

Phase 1: PQXDH (Post-Quantum Extended Diffie-Hellman)
  IKa(X25519) × SPKb(X25519) → DH1
  EKa(X25519) × IKb(X25519) → DH2
  EKa(X25519) × SPKb(X25519) → DH3
  EKa(X25519) × OPKb(X25519) → DH4
  EKa(ML-KEM-1024) → PQ encapsulate → ss_pq
  HKDF(DH1 ‖ DH2 ‖ DH3 ‖ DH4 ‖ ss_pq) → Root Key

Phase 2: Double Ratchet
  Root Key → Chain Key → Message Key (per message)
  DH Ratchet: New X25519 key pair per exchange
  Symmetric Ratchet: KDF chain for sequential messages

Phase 3: AES-256-GCM
  Message Key → AES-256-GCM encrypt(plaintext)
  12-byte random IV per message
  Authentication tag for integrity

Phase 4: AEGIS (Ed25519 Signature)
  Sign(senderId ‖ timestamp ‖ content) → signature
  90-day key rotation + grace period verification

Phase 5: Sealed Sender
  Generate ephemeral X25519 key pair
  ECDH with recipient → HKDF-SHA256 → AES key
  Encrypt(senderId ‖ ciphertext) → sealed message

Group Encryption (ECIES + AES-256-GCM)

Key Distribution (per member):
  GroupKey(AES-256) → ECIES encrypt(member.publicKey) → Firestore

Message Encryption:
  AES-256-GCM(groupKey, plaintext, AAD = senderId ‖ groupId ‖ timestamp)

Key Retrieval (fast path):
  Memory Cache → SecureStorage → Firestore ECIES decrypt

O(N) key distribution, O(1) message encryption. Each member receives the group key encrypted with their public key via ECIES. Messages are encrypted once with AES-256-GCM using Additional Authenticated Data (AAD) for integrity.

E2EE Protection Across All App States

Messages are decrypted immediately upon receipt and cached in persistent storage, ensuring E2EE protection regardless of app state — foreground, background, or terminated.

App State	1:1 Chat	Group Chat	Mechanism
Chat screen active	✅	✅	StreamBuilder decrypt → LRU + SentMessageCache
Foreground (other screen)	✅	✅	FCM pre-decrypt → SentMessageCache
Pre-session reset	✅	N/A	Pre-decrypt before ratchet reset
Background / Terminated	✅	✅	SharedPreferences queue → bulk decrypt on resume

Multi-Device Architecture

Device 1 (e.g., iPhone)

[X25519] Identity Key
[Ed25519] Signing Key
[X25519] Signed PreKey
[X25519] OTPKs x 100
[ML-KEM-1024] PQ PreKey
Independent Double Ratchet sessions

Device 2 (e.g., macOS)

[X25519] Identity Key
[Ed25519] Signing Key
[X25519] Signed PreKey
[X25519] OTPKs x 100
[ML-KEM-1024] PQ PreKey
Independent Double Ratchet sessions

Device List Signing: Ed25519 signature on deviceListV1:{sorted_ids}:{timestamp} for tamper detection. No session sharing between devices.

1/100 Ultra Compression Pipeline

Arc compresses images and videos by up to 100x before encryption, dramatically reducing payload size while maintaining visual quality. This enables faster E2EE encryption, instant previews, and efficient transmission over low-bandwidth networks including BLE Mesh.

6MB

Original (HEIC/JPEG)

→1/100

~50KB

WebP

Image Compression Pipeline:
  1. User selects image (HEIC/JPEG/PNG, avg 3-8MB)
  2. flutter_image_compress → WebP (quality: 70, max 1920px)
  3. Result: ~50KB (1/100 compression ratio)
  4. Thumbnail: 200px WebP (~5KB) for instant preview
  5. Upload: thumbnail first → full image in background
  6. E2EE: AES-256-GCM encrypt(compressed_image)

Video Compression Pipeline:
  1. User records/selects video (MOV/MP4)
  2. ffmpeg_kit → H.264 MP4 (CRF 28, 720p max)
  3. Thumbnail: first frame extract → WebP (~5KB)
  4. Upload: thumbnail → chunked video upload
  5. E2EE: per-chunk AES-256-GCM encryption

Key Benefits:
  ✦ 1/100 size reduction → faster E2EE encryption
  ✦ Instant thumbnail → zero perceived latency
  ✦ Background upload → UI never blocks
  ✦ Smaller payloads → lower bandwidth for Mesh/BLE

1/100

Compression Ratio

~50KB

Avg Image Size

< 200ms

Processing Time

WebP + H.264

Output Formats

Compression runs entirely on-device before encryption. No uncompressed data leaves the device. Thumbnails are generated locally for instant preview, and full-resolution images are uploaded in the background without blocking the UI.

Mesh Network (BLE Offline E2EE)

[Device A] ──BLE── [Device B] ──BLE── [Device C] ──Multi-hop── [Device D]
   100m radius         100m radius         100m radius

Parameter	Value
Direct P2P	BLE 100m radius
Multi-hop	N relay x 100m
Protocol	Bridgefy SDK
Encryption	X3DH + Double Ratchet + AES-256-GCM
Offline	Store & Forward queue
Use Case	Disaster, winery fields, remote areas

architecture.ondeviceTitle

architecture.ondeviceDesc

🌐

Rosetta

Offline

architecture.rosettaDesc

Model: Gemma 3n (TranslateGemma)
Languages: 55
Processing: 100% on-device
Data leakage: zero

🐾

Pet Companion

Offline

architecture.petDesc

Model: Gemma 3n (4B parameters)
Storage: Hive (TypeID 96-97)
Processing: 100% on-device
Server communication: none

4-Pillar Vision:
  🛡️ DefenseTech     ─── Online: E2EE (PQXDH + ML-KEM-1024) + AEGIS + Sealed Sender
  📡 DisasterTech    ─── Offline: BLE Mesh + additional encryption layers
  🌍 Language Bridge ─── Offline: Gemma 3n (TranslateGemma) on-device translation
  🐾 AI Pet         ─── Offline: Gemma 3n companion, zero server communication

Model Pipeline:
  Firestore config → Download check → Ad gate → Model download → Hive cache
  User input → On-device inference (Gemma 3n) → Result → No data leaves device

Key Lifecycle & Rotation

Key Type	Rotation	Purpose
Identity Key (X25519)	Account lifetime	Core identity
Signing Key (Ed25519)	90 days + grace period	AEGIS message signatures
Signed PreKey (X25519)	7-30 days	X3DH handshake
One-Time PreKeys (X25519)	Single use	Forward secrecy per session
PQ PreKey (ML-KEM-1024)	Account lifetime	Post-quantum key encapsulation
Double Ratchet Keys	Per message exchange	Per-message forward secrecy