Atlas Associates
ARCHITECTURE

기술 아키텍처

Flutter 크로스 플랫폼 클라이언트, Firebase 백엔드, 양자 내성 암호 적용 Signal Protocol E2EE.

02 / 06
Mesh Network · BLE Offline

오프 그리드? 여전히 연결됩니다.

BLE 오프라인 P2P가 인터넷과 모바일 네트워크가 끊어져도 E2EE 대화를 유지합니다. 재해, 검열, 인프라 과부하에 대한 진정한 폴백입니다.

NO INTERNET. NO PROBLEM.

📡 인터넷 없음
🔋 BLE ACTIVE
🔒 E2EE
A
M
K
S

기술 스택

LayerTechnology
ClientFlutter 3.44 + Dart
State ManagementRiverpod 3.0 (AsyncNotifier / Generator)
BackendFirebase (Firestore / Auth / Storage / FCM) + GCP
PreKey ServerElixir/Phoenix (Cloud Run, europe-west1) — Firestore transaction-based atomic PreKey consumption
Mesh NetworkBridgefy BLE SDK
CryptographyArc Protocol (libsignal-client Rust FFI): PQXDH (X25519 + ML-KEM-1024), XEdDSA signatures, Sender Key (Group)
Local DatabaseHive (NoSQL, type-safe)
Key StorageFlutterSecureStorage (Keychain / Keystore / Web Crypto API)
Image CacheCachedNetworkImage

PreKey Server — Elixir/Phoenix

Dedicated server for atomic PreKey consumption during Signal Protocol session establishment. Built with Elixir/Phoenix on Cloud Run (europe-west1), optimized for EMEA users.

Elixir 1.19
Elixir 1.19
Erlang/OTP 28 · BEAM VM
Phoenix 1.8
Phoenix 1.8
API only · Bandit HTTP
Cloud Run
Cloud Run
europe-west1 · EMEA
Firestore
Firestore
REST API · eur3 multi-region
Rust (libsignal)
Rust (libsignal)
PQXDH · XEdDSA · Sender Key
Flutter 3.44
Flutter 3.44
iOS · Android · macOS · Web

E2EE 암호화 파이프라인

Phase 1: PQXDH (Post-Quantum Extended Diffie-Hellman)
  IKa(X25519) × SPKb(X25519) → DH1
  EKa(X25519) × IKb(X25519) → DH2
  EKa(X25519) × SPKb(X25519) → DH3
  EKa(X25519) × OPKb(X25519) → DH4
  EKa(ML-KEM-1024) → PQ encapsulate → ss_pq
  HKDF(DH1 ‖ DH2 ‖ DH3 ‖ DH4 ‖ ss_pq) → Root Key

Phase 2: Double Ratchet
  Root Key → Chain Key → Message Key (per message)
  DH Ratchet: New X25519 key pair per exchange
  Symmetric Ratchet: KDF chain for sequential messages

Phase 3: AES-256-GCM
  Message Key → AES-256-GCM encrypt(plaintext)
  12-byte random IV per message
  Authentication tag for integrity

Phase 4: AEGIS (XEdDSA Signature via libsignal)
  Sign(senderId ‖ timestamp ‖ content) → signature
  XEdDSA: Identity Key (X25519) doubles as signing key

Phase 5: Sealed Sender
  Generate ephemeral X25519 key pair
  ECDH with recipient → HKDF-SHA256 → AES key
  Encrypt(senderId ‖ ciphertext) → sealed message

Group Encryption (ECIES + AES-256-GCM)

Key Distribution (per member):
  GroupKey(AES-256) → ECIES encrypt(member.publicKey) → Firestore

Message Encryption:
  AES-256-GCM(groupKey, plaintext, AAD = senderId ‖ groupId ‖ timestamp)

Key Retrieval (fast path):
  Memory Cache → SecureStorage → Firestore ECIES decrypt

O(N) key distribution, O(1) message encryption. Each member receives the group key encrypted with their public key via ECIES. Messages are encrypted once with AES-256-GCM using Additional Authenticated Data (AAD) for integrity.

E2EE Protection Across All App States

Messages are decrypted immediately upon receipt and cached in persistent storage, ensuring E2EE protection regardless of app state — foreground, background, or terminated.

App State1:1 ChatGroup ChatMechanism
Chat screen activeStreamBuilder decrypt → LRU + SentMessageCache
Foreground (other screen)FCM pre-decrypt → SentMessageCache
Pre-session resetN/APre-decrypt before ratchet reset
Background / TerminatedSharedPreferences queue → bulk decrypt on resume

멀티 디바이스 아키텍처

Device 1 (e.g., iPhone)

  • [X25519] Identity Key
  • [Ed25519] Signing Key
  • [X25519] Signed PreKey
  • [X25519] OTPKs x 100
  • [ML-KEM-1024] PQ PreKey
  • Independent Double Ratchet sessions

Device 2 (e.g., macOS)

  • [X25519] Identity Key
  • [Ed25519] Signing Key
  • [X25519] Signed PreKey
  • [X25519] OTPKs x 100
  • [ML-KEM-1024] PQ PreKey
  • Independent Double Ratchet sessions

Device List Signing: Ed25519 signature on deviceListV1:{sorted_ids}:{timestamp} for tamper detection. No session sharing between devices.

Mesh Network (BLE 오프라인 E2EE)

[Device A] ──BLE── [Device B] ──BLE── [Device C] ──Multi-hop── [Device D]
   100m radius         100m radius         100m radius
ParameterValue
Direct P2PBLE 100m radius
Multi-hopN relay x 100m
ProtocolBridgefy SDK
EncryptionX3DH + Double Ratchet + AES-256-GCM
OfflineStore & Forward queue
Use CaseDisaster, winery fields, remote areas

architecture.ondeviceTitle

architecture.ondeviceDesc

Rosetta

Offline출시 예정

architecture.rosettaDesc

  • Model: Gemma 4 (TranslateGemma)
  • Languages: 55
  • Processing: 100% on-device
  • Data leakage: zero

Pet Companion

Offline출시 예정

architecture.petDesc

  • Model: Gemma 4 (4B parameters)
  • Storage: Hive (TypeID 96-97)
  • Processing: 100% on-device
  • Server communication: none

SUM

Offline출시 예정

PDF, 프레젠테이션, 문서를 업로드하면 AI 기반 요약, 심층 통찰, 다양한 관점을 얻을 수 있습니다 — 전부 온디바이스로 처리됩니다. 또한 Gemini를 통한 URL 즉시 AI 요약. Intelligence 플랜 기능.

  • Model: Gemma 4 (planned)
  • Input: PDF / DOCX / PPTX
  • Processing: 100% on-device
  • Plan: Intelligence
4-Pillar Vision:
  🛡️ DefenseTech     ─── Online: E2EE (PQXDH + ML-KEM-1024) + AEGIS + Sealed Sender
  📡 DisasterTech    ─── Offline: BLE Mesh + additional encryption layers
  🌍 Language Bridge ─── Offline: Gemma 4 (TranslateGemma) on-device translation
  🐾 AI Pet         ─── Offline: Gemma 4 companion, zero server communication

Model Pipeline:
  Firestore config → Download check → Ad gate → Model download → Hive cache
  User input → On-device inference (Gemma 4) → Result → No data leaves device

키 라이프사이클 & 교체

Key TypeRotationPurpose
Identity Key (X25519)Account lifetimeCore identity
Signing Key (Ed25519)90 days + grace periodAEGIS message signatures
Signed PreKey (X25519)7-30 daysX3DH handshake
One-Time PreKeys (X25519)Single useForward secrecy per session
PQ PreKey (ML-KEM-1024)Account lifetimePost-quantum key encapsulation
Double Ratchet KeysPer message exchangePer-message forward secrecy