# Crypto Quick Reference

The post-quantum E2EE layer. Full detail: `DESIGN.md` §3.2; threat boundary: `THREAT_MODEL.md`.

## Architecture
- **Handshake**: hybrid `X25519 + ML-KEM-768` (PQXDH-style) — harvest-now-decrypt-later defence.
- **Session**: Double Ratchet → per-message keys, forward secrecy, post-compromise security.
- **Identity signatures**: `Ed25519 + ML-DSA-65` — identity/prekey signing ONLY (not in the per-message ratchet; preserves deniability).
- **AEAD**: ChaCha20-Poly1305 (XChaCha20 for async nonce-misuse resilience).
- **PQ ongoing ratchet**: deferred to v2 (version-gated).

## Key crates
- `x25519-dalek`, `ed25519-dalek`: classical handshake and identity signatures
- `ml-kem`, `ml-dsa`: post-quantum KEM and signatures
- `chacha20poly1305`, `hkdf`, `blake3`: AEAD, key derivation, hashing
- `zeroize`, `secrecy`, `subtle`: key hygiene and constant-time comparison

## Common Mistakes
- Rolling your own primitive/protocol (forbidden — use audited crates; change needs an ADR).
- Leaving key material un-zeroized in memory.
- Putting ML-DSA signatures inside the ratchet (breaks deniability, bloats messages).
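The two properties the architecture leans on most, the hybrid root-key derivation from the handshake and the per-message symmetric ratchet with wiped chain keys, as an added illustration that is not the project's code. It is written in stdlib Python so it runs without the Rust crates above: HKDF-SHA256 stands in for the `hkdf` crate, in-place overwriting stands in for `zeroize`, and the two handshake secrets are constructed random stand-ins because the standard library has no X25519 or ML-KEM. The KDF labels, the use of the transcript hash as HKDF salt, and the 0x01/0x02 chain constants are assumptions (the last two follow the Double Ratchet specification's recommendation).

```python
"""Hybrid root-key combiner and symmetric ratchet step (added example, not project code)."""
import hashlib
import hmac
import os

HASH_LEN = 32  # SHA-256 output size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract: PRK = HMAC(salt, IKM); empty salt means HashLen zero bytes."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def wipe(buf: bytearray) -> None:
    """Overwrite secret bytes in place (stand-in for the `zeroize` crate; Python
    cannot guarantee no copies exist, which is one reason the real code is Rust)."""
    for i in range(len(buf)):
        buf[i] = 0


def combine_hybrid(x25519_ss: bytes, mlkem_ss: bytes, transcript: bytes) -> bytes:
    """Root key from BOTH handshake secrets through one KDF.

    An attacker must break X25519 AND ML-KEM-768 to learn the output: knowing
    one component alone gives no information about it. The transcript hash
    (assumed to cover both parties' public keys and ciphertext) is bound in
    as the HKDF salt, so a substituted public value yields a different root key.
    Label string is an assumption, not the project's.
    """
    return hkdf(salt=transcript, ikm=x25519_ss + mlkem_ss,
                info=b"pqxdh-hybrid-root-v1", length=HASH_LEN)


def derive_root_key(x25519_ss: bytearray, mlkem_ss: bytearray, transcript: bytes) -> bytes:
    """Combine, then wipe both input secrets so they do not outlive the handshake."""
    root = combine_hybrid(bytes(x25519_ss), bytes(mlkem_ss), transcript)
    wipe(x25519_ss)
    wipe(mlkem_ss)
    return root


def symmetric_ratchet_step(chain_key: bytearray) -> bytes:
    """One Double Ratchet symmetric step: CK -> (CK', MK), overwriting CK in place.

    MK = HMAC(CK, 0x01), CK' = HMAC(CK, 0x02). Because HMAC is one-way and the old
    CK is overwritten, a later compromise of the chain cannot recover earlier MKs:
    that is the forward secrecy listed under "Session", and it depends on the wipe.
    """
    ck = bytes(chain_key)
    message_key = hmac.new(ck, b"\x01", hashlib.sha256).digest()
    chain_key[:] = hmac.new(ck, b"\x02", hashlib.sha256).digest()
    return message_key


if __name__ == "__main__":
    # Constructed stand-ins for the two handshake outputs; real code gets these
    # from x25519-dalek / ml-kem decapsulation.
    dh_secret = bytearray(os.urandom(32))
    kem_secret = bytearray(os.urandom(32))
    transcript = hashlib.sha256(b"constructed transcript").digest()
    root = derive_root_key(dh_secret, kem_secret, transcript)
    assert bytes(dh_secret) == b"\x00" * 32 and bytes(kem_secret) == b"\x00" * 32
    chain = bytearray(root)
    mk1, mk2 = symmetric_ratchet_step(chain), symmetric_ratchet_step(chain)
    print("root", root.hex()[:16], "mk1", mk1.hex()[:16], "mk2", mk2.hex()[:16])
```

The ratchet's forward secrecy is only as good as the overwrite: in the Rust implementation the chain key should live in a `Zeroize`-wrapped buffer so the old value is gone when the step returns, which is the second item under Common Mistakes.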

## Full Patterns
→ `docs/patterns/core.md`.
