Atlas Associates
ARCHITECTURE

技術アーキテクチャ

Flutterクロスプラットフォームクライアント、Elixir PreKeyサーバー、Firebaseバックエンド、Arc Protocol(Signal Protocol E2EE + PQXDH ML-KEM-1024)。

02 / 06
Mesh Network · BLE Offline

圏外でも、つながる。

BLE オフライン P2P 通信で、インターネットや携帯回線が断絶しても近隣ユーザー同士で E2EE 通信を継続。災害・検閲・通信逼迫下の代替手段に。

NO INTERNET. NO PROBLEM.

📡 NO INTERNET
🔋 BLE ACTIVE
🔒 E2EE
あなた
A
M
K
S

技術スタック

LayerTechnology
ClientFlutter 3.44 + Dart
State ManagementRiverpod 3.0 (AsyncNotifier / Generator)
BackendFirebase (Firestore / Auth / Storage / FCM) + GCP
PreKey ServerElixir/Phoenix (Cloud Run, europe-west1) — Firestore transaction-based atomic PreKey consumption
Mesh NetworkBridgefy BLE SDK
CryptographyArc Protocol (libsignal-client Rust FFI): PQXDH (X25519 + ML-KEM-1024), XEdDSA signatures, Sender Key (Group)
Local DatabaseHive (NoSQL, type-safe)
Key StorageFlutterSecureStorage (Keychain / Keystore / Web Crypto API)
Image CacheCachedNetworkImage

PreKey Server — Elixir/Phoenix

Dedicated server for atomic PreKey consumption during Signal Protocol session establishment. Built with Elixir/Phoenix on Cloud Run (europe-west1), optimized for EMEA users.

Elixir 1.19
Elixir 1.19
Erlang/OTP 28 · BEAM VM
Phoenix 1.8
Phoenix 1.8
API only · Bandit HTTP
Cloud Run
Cloud Run
europe-west1 · EMEA
Firestore
Firestore
REST API · eur3 multi-region
Rust (libsignal)
Rust (libsignal)
PQXDH · XEdDSA · Sender Key
Flutter 3.44
Flutter 3.44
iOS · Android · macOS · Web

E2EE暗号化パイプライン

Phase 1: PQXDH (Post-Quantum Extended Diffie-Hellman)
  IKa(X25519) × SPKb(X25519) → DH1
  EKa(X25519) × IKb(X25519) → DH2
  EKa(X25519) × SPKb(X25519) → DH3
  EKa(X25519) × OPKb(X25519) → DH4
  EKa(ML-KEM-1024) → PQ encapsulate → ss_pq
  HKDF(DH1 ‖ DH2 ‖ DH3 ‖ DH4 ‖ ss_pq) → Root Key

Phase 2: Double Ratchet
  Root Key → Chain Key → Message Key (per message)
  DH Ratchet: New X25519 key pair per exchange
  Symmetric Ratchet: KDF chain for sequential messages

Phase 3: AES-256-GCM
  Message Key → AES-256-GCM encrypt(plaintext)
  12-byte random IV per message
  Authentication tag for integrity

Phase 4: AEGIS (XEdDSA Signature via libsignal)
  Sign(senderId ‖ timestamp ‖ content) → signature
  XEdDSA: Identity Key (X25519) doubles as signing key

Phase 5: Sealed Sender
  Generate ephemeral X25519 key pair
  ECDH with recipient → HKDF-SHA256 → AES key
  Encrypt(senderId ‖ ciphertext) → sealed message

グループ暗号化(ECIES + AES-256-GCM)

Key Distribution (per member):
  GroupKey(AES-256) → ECIES encrypt(member.publicKey) → Firestore

Message Encryption:
  AES-256-GCM(groupKey, plaintext, AAD = senderId ‖ groupId ‖ timestamp)

Key Retrieval (fast path):
  Memory Cache → SecureStorage → Firestore ECIES decrypt

O(N) key distribution, O(1) message encryption. Each member receives the group key encrypted with their public key via ECIES. Messages are encrypted once with AES-256-GCM using Additional Authenticated Data (AAD) for integrity.

全アプリ状態でのE2EE保護

メッセージは受信時に即座に復号され、永続ストレージにキャッシュされます。フォアグラウンド・バックグラウンド・終了状態を問わず、E2EE保護を保証します。

App State1:1 ChatGroup ChatMechanism
Chat screen activeStreamBuilder decrypt → LRU + SentMessageCache
Foreground (other screen)FCM pre-decrypt → SentMessageCache
Pre-session resetN/APre-decrypt before ratchet reset
Background / TerminatedSharedPreferences queue → bulk decrypt on resume

マルチデバイスアーキテクチャ

Device 1 (e.g., iPhone)

  • [X25519] Identity Key
  • [Ed25519] Signing Key
  • [X25519] Signed PreKey
  • [X25519] OTPKs x 100
  • [ML-KEM-1024] PQ PreKey
  • Independent Double Ratchet sessions

Device 2 (e.g., macOS)

  • [X25519] Identity Key
  • [Ed25519] Signing Key
  • [X25519] Signed PreKey
  • [X25519] OTPKs x 100
  • [ML-KEM-1024] PQ PreKey
  • Independent Double Ratchet sessions

Device List Signing: Ed25519 signature on deviceListV1:{sorted_ids}:{timestamp} for tamper detection. No session sharing between devices.

Mesh Network(BLEオフラインE2EE)

[Device A] ──BLE── [Device B] ──BLE── [Device C] ──Multi-hop── [Device D]
   100m radius         100m radius         100m radius
ParameterValue
Direct P2PBLE 100m radius
Multi-hopN relay x 100m
ProtocolBridgefy SDK
EncryptionX3DH + Double Ratchet + AES-256-GCM
OfflineStore & Forward queue
Use CaseDisaster, winery fields, remote areas

architecture.ondeviceTitle

architecture.ondeviceDesc

Rosetta

Offline近日公開

architecture.rosettaDesc

  • Model: Gemma 4 (TranslateGemma)
  • Languages: 55
  • Processing: 100% on-device
  • Data leakage: zero

Pet Companion

Offline近日公開

architecture.petDesc

  • Model: Gemma 4 (4B parameters)
  • Storage: Hive (TypeID 96-97)
  • Processing: 100% on-device
  • Server communication: none

SUM

Offline近日公開

PDF・スライド・文書をアップロードすると、要約・深層洞察・視座をオンデバイスで生成。URLのAI要約(Gemini)も対応。Intelligenceプランの機能。

  • Model: Gemma 4 (planned)
  • Input: PDF / DOCX / PPTX
  • Processing: 100% on-device
  • Plan: Intelligence
4-Pillar Vision:
  🛡️ DefenseTech     ─── Online: E2EE (PQXDH + ML-KEM-1024) + AEGIS + Sealed Sender
  📡 DisasterTech    ─── Offline: BLE Mesh + additional encryption layers
  🌍 Language Bridge ─── Offline: Gemma 4 (TranslateGemma) on-device translation
  🐾 AI Pet         ─── Offline: Gemma 4 companion, zero server communication

Model Pipeline:
  Firestore config → Download check → Ad gate → Model download → Hive cache
  User input → On-device inference (Gemma 4) → Result → No data leaves device

鍵ライフサイクル & ローテーション

Key TypeRotationPurpose
Identity Key (X25519)Account lifetimeCore identity
Signing Key (Ed25519)90 days + grace periodAEGIS message signatures
Signed PreKey (X25519)7-30 daysX3DH handshake
One-Time PreKeys (X25519)Single useForward secrecy per session
PQ PreKey (ML-KEM-1024)Account lifetimePost-quantum key encapsulation
Double Ratchet KeysPer message exchangePer-message forward secrecy