Arc Protocol v2.0 — Powered by libsignal
Arc Protocol
Security Whitepaper
Version 2.0 — April 2026 · Atlas Associates Inc. · Public
Abstract
Arc is a privacy-first messenger built on the Signal Protocol (libsignal-client v0.65.2), enhanced with per-message Ed25519 digital signatures (AEGIS), client-side sender anonymization (Sealed Sender), and BLE Mesh offline E2EE.
Arc provides end-to-end encryption (E2EE) on every plan, free of charge. Security is never behind a paywall.
1. Design Principles
E2EE for everyone
Full encryption on every plan. No premium paywall for security.
Post-quantum readiness
Hybrid classical + PQC to protect against future quantum computers.
Zero trust architecture
The server never sees plaintext content. Metadata exposure is minimized.
No backdoors
No government or internal request can compromise encryption. Enforced by cryptographic design.
2. Cryptographic Foundation
| Component | Algorithm | Standard | Key Size |
|---|---|---|---|
| Key Exchange (Classical) | X25519 ECDH | RFC 7748 | 256-bit |
| Key Exchange (Post-Quantum) | ML-KEM-1024 (via libsignal) | FIPS 203 | Level 3 |
| Message Encryption | AES-256-GCM | NIST SP 800-38D | 256-bit |
| Message Authentication | XEdDSA (libsignal) | Signal XEdDSA spec | 256-bit |
| Key Derivation | HKDF-SHA256 | RFC 5869 | 256-bit output |
| Chain Key Derivation | HMAC-SHA256 | RFC 2104 | 256-bit |
| Protocol Base | Signal Protocol | Open specification | — |
Arc uses libsignal-client v0.65.2 (Rust, via FFI) — the same library used by Signal Messenger — for core protocol operations.
3. PQXDH: Hybrid Key Exchange
Quantum computers capable of breaking X25519 may exist within 10-15 years. "Harvest now, decrypt later" attacks mean encrypted data captured today could be decrypted in the future. Arc addresses this by combining classical X25519 with post-quantum ML-KEM-1024, the same approach pioneered by Signal in September 2023.
Alice → Bob: 1. Fetch Bob's PreKey Bundle (Identity + Signed PreKey + One-Time PreKey + PQ PreKey) 2. 4× X25519 DH computations 3. ML-KEM-1024.Encaps(Bob's PQ Public Key) → (pq_ciphertext, pq_shared_secret) 4. Root Key = HKDF-SHA256(DH1‖DH2‖DH3‖DH4‖pq_shared_secret) 5. Send: Alice's keys + PQ ciphertext (1,088 bytes) + encrypted message
An attacker must break both X25519 and ML-KEM-1024 to compromise the key exchange.
| Parameter | Value |
|---|---|
| Public Key | 1,184 bytes |
| Secret Key | 2,400 bytes |
| Ciphertext | 1,088 bytes |
| Shared Secret | 32 bytes |
| NIST Security Level | Level 3 (AES-192 equivalent) |
| NIST Standard | FIPS 203 (August 2024) |
4. Double Ratchet: Forward Secrecy
After session establishment via PQXDH, all subsequent messages use the Double Ratchet algorithm, providing forward secrecy (compromise of a current key cannot decrypt past messages) and break-in recovery (compromise is automatically healed after a few messages).
DH Ratchet (direction change): New Root Key = HKDF-SHA256(current_root_key, X25519_DH_output) Symmetric Ratchet (per-message): Message Key = HMAC-SHA256(chain_key, 0x01) Next Chain = HMAC-SHA256(chain_key, 0x02)
Every message uses a unique, independently derived key. Chain keys are immediately deleted after deriving the next key. Maximum 1,000 skipped message keys cached per session.
5. AES-256-GCM: Message Encryption
Each message is encrypted with a unique Message Key from the Double Ratchet using AES-256-GCM authenticated encryption.
Ciphertext = AES-256-GCM.Encrypt( key: message_key (32 bytes), nonce: random (12 bytes, never reused), aad: ratchet_public_key ‖ prev_chain_length ‖ message_number, plaintext: message content ) Per-message overhead: nonce (12B) + auth tag (16B) = 28 bytes
6. AEGIS: Message Authentication
AEGIS (Arc Enhanced Guard & Integrity System) provides per-message Ed25519 digital signatures. Neither Signal nor WhatsApp sign individual messages.
| Property | Description |
|---|---|
| Sender Authentication | Cryptographic proof that a specific user sent the message |
| Tamper Detection | Any modification after signing is detected |
| Non-Repudiation | Sender cannot deny having sent the message |
XEdDSA Signing (via libsignal): payload = senderId ‖ "|" ‖ timestamp ‖ "|" ‖ content signature = XEdDSA.Sign(payload, X25519_private_key) → 64 bytes attached to message (Converts X25519 key to Ed25519 internally — no separate Ed25519 key needed) Verification: XEdDSA.Verify(payload, signature, sender_X25519_public_key) → verified | failed | noSignature
7. Sealed Sender: Sender Anonymity
Sealed Sender prevents the server from knowing who sent a message. Signal's implementation uses a sender certificate and delivery token system. Arc uses a simpler ephemeral X25519 ECDH envelope without server-side token validation.
Sender: 1. Generate ephemeral X25519 keypair 2. DH = X25519(ephemeral_private, recipient_identity_public) 3. AES_Key = HKDF-SHA256(DH, info="Arc Sealed Sender v1") 4. Envelope = AES-256-GCM(senderId + "\0" + payload, AES_Key) → Sealed Message = ephemeral_pub(32B) ‖ nonce(12B) ‖ ciphertext ‖ mac(16B)
Available for 1:1 chats where both participants have the Intelligence plan.
Read-or-Lose 암호화
읽거나, 영원히 잃거나. 24시간 동안 읽지 않은 메시지는 수학적으로 복호화가 불가능해집니다. 삭제되는 것이 아니라 — 복호화 키 자체가 파괴됩니다. 법원 명령, 서버 소환장, 기기 압수 그 어떤 수단으로도 내용을 복원할 수 없습니다.
| 기능 | Signal / WhatsApp / Telegram | Arc |
|---|---|---|
| 파괴되는 대상 | 평문 | 복호화 키 자체 |
| 트리거 | 읽은 후 경과 시간 | 읽지 않은 상태로 24시간 경과 |
| 복구 가능성 | 백업으로 가능할 수 있음 | 수학적으로 불가능 |
| 읽음/미읽음 연동 | 없음 | UI에서 완전한 가시성 |
t=0h : Alice sends E(m) with KeyPair_v1.
Firestore stores m_encrypted and decryptionExpiresAt = t+24h.
t=1h : KeyPair_v1 rotates to KeyPair_v2.
Private_v1 retained in 24h grace window.
...
t=24h+1 : pruneExpiredOldEncKeysV2() destroys Private_v1.
Any ciphertext encrypted to Public_v1 is now undecryptable forever.받지 않은 전화 통화를 상상해 보세요. 기록은 남습니다 — 누군가 전화를 걸었다는 것을 압니다. 하지만 목소리는? 사라졌습니다. Arc의 읽지 않은 메시지도 똑같이 작동합니다: 메시지가 도착했다는 것은 볼 수 있지만, 그 내용은 되돌릴 수 없이 사라졌습니다.
8. Group Encryption: Sender Keys
Arc uses Signal Protocol's Sender Key mechanism for efficient group encryption. Each member generates a personal Sender Key, distributed via encrypted 1:1 channels. Messages are encrypted once (not N times for N members).
Encryption (libsignal group_encrypt): Chain Key → Message Key → AES-256-GCM (libsignal internal) HMAC signature (libsignal internal) → Output: SenderKeyMessage bytes Decryption (libsignal group_decrypt): Signature verify → Replay detect → Decrypt (libsignal internal) All crypto operations delegated to libsignal — no custom primitives.
9. Key Management
| Key | Algorithm | Lifetime | Storage |
|---|---|---|---|
| Identity Key | X25519 | Account lifetime | Platform Secure Storage |
| Signing Key | XEdDSA (libsignal) | 90-day rotation | Platform Secure Storage |
| Signed PreKey | X25519 | Weekly rotation | Platform Secure Storage |
| One-Time PreKey | X25519 | Single use | Platform Secure Storage |
| PQ PreKey | ML-KEM-1024 | Single use | Platform Secure Storage (via libsignal) |
Private keys are stored in iOS Keychain / Android EncryptedSharedPreferences. Never in Hive, SharedPreferences, plain files, or cloud storage.
Elixir PreKey Server
PreKey bundles (Signed PreKey, One-Time PreKeys, PQ PreKeys) are managed by an Elixir-based PreKey server that handles bundle distribution, one-time key depletion tracking, and automatic replenishment signaling to clients.
10. Key Sync: Multi-Device
Arc uses independent key sets per device (no primary/linked hierarchy). To decrypt messages from the original device on a new device, users scan a QR code containing an ephemeral X25519 public key. Both devices perform ECDH, derive an AES-256-GCM key via HKDF, and securely transfer identity keys. Session TTL: 5 minutes.
11. BLE Mesh: Offline E2EE
Arc's BLE Mesh Network enables E2EE communication without internet — unique among major messengers. Messages use the same PQXDH + Double Ratchet protocol over Bluetooth Low Energy. Ideal for natural disasters, remote areas, and privacy-critical environments.
12. Threat Model
| Adversary | Capability | Mitigation |
|---|---|---|
| Passive Observer | Intercepts all traffic | E2EE: all content encrypted |
| Active MITM | Modifies traffic | AES-GCM auth + XEdDSA signatures |
| Server Compromise | Full Firestore access | No plaintext stored; keys client-only |
| Quantum Computer | Breaks X25519 | Hybrid PQXDH with ML-KEM-1024 |
| Key Compromise | Obtains session key | Double Ratchet forward secrecy |
| Replay Attack | Resends messages | Iteration tracking + unique nonces |
What Arc Cannot Protect Against
- • Compromised/rooted device with malware
- • Screenshots by recipient
- • Server-side metadata analysis (mitigated by Sealed Sender)
- • Social engineering
13. Standards Compliance
| Standard | Status |
|---|---|
| NIST FIPS 203 (ML-KEM) | Implemented via libsignal-client |
| RFC 7748 (X25519) | Implemented |
| XEdDSA (Signal spec) | Implemented via libsignal-client |
| RFC 5869 (HKDF) | Implemented |
| NIST SP 800-38D (AES-GCM) | Implemented |
14. Comparison with Signal & WhatsApp
| Feature | Signal | Arc | |
|---|---|---|---|
| Protocol Base | Signal Protocol | Signal Protocol (licensed) | Signal Protocol (libsignal) |
| Post-Quantum Key Exchange | PQXDH (ML-KEM-1024, 2023) | PQXDH (via Signal Protocol) | PQXDH (ML-KEM-1024, via libsignal) |
| Post-Quantum Ratchet | SPQR Triple Ratchet (Oct 2025) | Not confirmed | Planned |
| Per-Message Signatures | DH authentication only | DH authentication only | XEdDSA (libsignal) ✦ |
| Sealed Sender | Cert + delivery token | Not implemented | Ephemeral ECDH envelope ✦ |
| Offline E2EE | Not supported | Not supported | BLE Mesh (Bridgefy SDK) ✦ |
| Multi-Device | Primary + Linked | Primary + Linked | Independent keys + Key Sync ✦ |
| Key Separation | XEdDSA conversion | XEdDSA conversion | XEdDSA (same as Signal) — unified key pair ✦ |
| Open Source | Fully open source | Partial | Whitepaper published |
Transparency note: Signal pioneered PQXDH in September 2023 and advanced to SPQR Triple Ratchet in October 2025. Arc's PQC capability is inherited from Signal's open-source libsignal library. Arc's genuine differentiators are marked with ✦.
15. Conclusion
Arc Protocol builds on the proven Signal Protocol foundation and extends it with three proprietary security layers:
XEdDSA (libsignal)
Per-message Ed25519 signatures provide explicit sender authentication, tamper detection, and non-repudiation — absent from Signal and WhatsApp.
Client-Side Sealed Sender
Sender anonymity via ephemeral ECDH envelope, entirely on the client.
BLE Mesh (Bridgefy SDK Transport Encryption)
E2EE via Bluetooth without internet — unique among major messengers.
We welcome security research and responsible disclosure from the community.
Download PDF
Enter your details to download the Arc Protocol Whitepaper.
Version 2.0 — April 2026 · Atlas Associates Inc.