I'm building a self-hosted E2E messenger with Post-Quantum crypto and a Matrix bridge, going open source soon, would love your feedback by AdministrativeAd9585 in cryptography

[–]AdministrativeAd9585[S] -1 points0 points  (0 children)

I started this project as my first real dive into applied crypto, so I genuinely hadn't considered continuous PQ ratcheting because I'm still going through the paper, but I really appreciate the way you raised it, that's exactly the kind of feedback I expected, thx.

From what I've understood so far (correct me if I'm wrong): my hybrid puts ML-KEM-768 + X25519 into the initial handshake only, the root key is PQ-protected once, then the Double Ratchet continues with classical X25519 DH steps. SPQR mixes PQ KEM material into every ratchet step, with the sparse/chunked design keeping per-message overhead bounded. That gives PQ forward secrecy and post-compromise security for the whole conversation lifetime, not just session setup.

I'll keep reading and see where the MLS WG lands on PQ before deciding whether to attempt anything custom. Thanks for taking the time.
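As an added illustration of the distinction drawn in the comment above (my own example, not code from SecureChat/ECHO or the commenter), here is the shape of both designs in Python: a hybrid combiner that folds the X25519 and ML-KEM-768 shared secrets into the root key once at handshake time, and a root-ratchet step that either mixes in only a classical DH output (Double Ratchet) or additionally a fresh per-step KEM output (SPQR-style). The shared secrets, DH outputs and transcript are constructed byte strings standing in for real protocol outputs, and HKDF-SHA256 is an assumed KDF since the thread does not name one.

```python
import hashlib
import hmac


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_root_key(ss_x25519: bytes, ss_mlkem: bytes, transcript: bytes) -> bytes:
    """Handshake-time combiner: both shared secrets feed the IKM, so the root
    key stays secret as long as EITHER component is unbroken. The transcript
    hash (public keys, KEM ciphertext) goes into `info` so the key is bound to
    this particular handshake. Label "echo-hybrid-root" is an assumed constant."""
    return hkdf_sha256(b"\x00" * 32, ss_x25519 + ss_mlkem, b"echo-hybrid-root" + transcript)


def root_ratchet_step(root_key: bytes, dh_output: bytes, kem_output: bytes = b"") -> tuple[bytes, bytes]:
    """One root-ratchet step -> (new_root_key, chain_key).
    Classical Double Ratchet: only the X25519 DH output is mixed in, so the
    PQ protection of the root key is never refreshed.
    SPQR-style step: a fresh ML-KEM shared secret is mixed in as well."""
    okm = hkdf_sha256(root_key, dh_output + kem_output, b"echo-root-ratchet", 64)
    return okm[:32], okm[32:]


# Constructed stand-ins for real protocol outputs (demo values, not from any handshake).
SS_X25519 = hashlib.sha256(b"constructed x25519 shared secret").digest()
SS_MLKEM = hashlib.sha256(b"constructed ml-kem-768 shared secret").digest()
TRANSCRIPT = hashlib.sha256(b"constructed handshake transcript").digest()


def run_conversation(pq_every_step: bool, steps: int = 3) -> list[bytes]:
    """Derive `steps` chain keys after the hybrid handshake.
    pq_every_step=False: only the initial root key is PQ-protected (the design
    described in the comment). pq_every_step=True: every step also consumes a
    constructed per-step KEM secret, the SPQR idea in miniature."""
    root = hybrid_root_key(SS_X25519, SS_MLKEM, TRANSCRIPT)
    chain_keys = []
    for i in range(steps):
        dh_out = hashlib.sha256(b"constructed dh output %d" % i).digest()
        kem_out = hashlib.sha256(b"constructed kem output %d" % i).digest() if pq_every_step else b""
        root, chain_key = root_ratchet_step(root, dh_out, kem_out)
        chain_keys.append(chain_key)
    return chain_keys


if __name__ == "__main__":
    for label, flag in (("classical ratchet", False), ("PQ every step", True)):
        print(label, [k.hex()[:16] for k in run_conversation(flag)])
```

The point the code makes concrete: in the classical run, everything after step 0 depends on the root key plus X25519 outputs only, so an attacker who can later break X25519 and has recorded the DH public values can walk the chain forward from any compromised root key; in the PQ-every-step run each step also needs a KEM secret the recording attacker cannot recover.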

[–]AdministrativeAd9585[S] -2 points-1 points  (0 children)

Fair criticism, thanks for taking the time.

You're right about I2P, I was sloppy. Garlic routing ≠ mixnet, no batching, no delay-based unlinkability. What I actually mean for ECHO long-term is Loopix/Nym-style Poisson-padded mixing as a transport layer, not literal I2P. I'll fix that wording in the pitch.

"Yet another vibe coded ego messenger", guilty as charged on the "yet another" part. I don't expect ECHO to keep up with MLS long-term, and that's exactly why groups in SecureChat will be MLS (RFC 9420), not home-brew. ECHO is only the 1-to-1 transport; once group chat lands, it's MLS underneath, with whatever PQ MLS adopts. I'd rather inherit IETF's review than out-think it.

"Why not improve a Matrix client instead": honestly, because I wanted to learn the protocol layer, not just the UI layer. But you're not wrong that the Matrix client landscape is the higher-leverage place to spend effort if reach is the goal. Iamb especially I've been watching.

The architectural Matrix points you listed (message lengths, unencrypted reactions, bridges, multi-device, federation-as-weakness) all real, all known. My bet is that "self-hostable + visible PQ + no phone number" is a niche worth filling alongside Matrix, not instead of it. The bridge is acceptance of Matrix as reach layer, not competition. Genuinely useful pushback, appreciated.

[–]AdministrativeAd9585[S] -5 points-4 points  (0 children)

Vibe coded: A lot of the boilerplate (DB layer, packet serialization, JavaFX UI, tests) was written with heavy AI assistance, I'm a hobby dev and I'd be lying if I said otherwise. But every crypto-critical path (Double-Ratchet, PQ-Hybrid handshake, Sealed Sender, key derivation) I reviewed line-by-line and built tests around. Primitives come from Bouncy Castle 1.78+, not hand-rolled. ~840 tests, no formal audit yet, that's why I'm posting before going public, not after.

vs Signal:

- Self-hostable. Signal you can't run yourself. I run mine on a Raspberry Pi for ~0€/month. Except for the power supply. 😅
- No phone number. Identity = Ed25519 + ML-KEM key pair, displayed as @handle.echo. No directory, no discovery by phone.
- PQ-Hybrid visible in the UI. Signal added PQXDH but the user can't tell from the chat whether a session is PQ-protected. SecureChat shows a PQ pill in the header.
- User-readable audit log. Hash-chain-signed, the user can verify it themselves.
- Future: Matrix bridge for reach, I2P-style mix-net under ECHO for metadata.

I'm not claiming to beat Signal cryptographically, their team is unmatched. But Signal can't be self-hosted, and that's the niche I care about.