The Zero-Knowledge Pipeline
We don't trust the network. We don't trust the cloud. We barely trust the OS.
Everything is encrypted on your device before it leaves your hands.
Poly 1305
XSalsa20
Blind Relay
Identity Key
Verification
Client-Side Only
Encryption occurs on your device using WebAssembly (libsodium) before data ever touches the network.
Zero Knowledge
Our servers act as a blind relay. We cannot see your files, messages, or keys, even if subpoenaed.
Forward Secrecy
Keys are rotated for every file chunk. Compromising one key does not compromise the entire session.
Cryptographic Primitives
We rely on the Sodium crypto library (a port of NaCl), which offers high-speed, constant-time primitives. We deliberately avoid "rolling our own crypto" in favor of industry standards.
XChaCha20-Poly1305
Authenticated Encryption with Associated Data (AEAD). Used for all file transfers and real-time media streams.
X25519 & Ed25519
Elliptic Curve Diffie-Hellman key exchange and signatures. Used for establishing shared secrets and verifying identity.
Argon2id
Memory-hard password hashing. Used to derive your Identity Key from your password/biometric input, making brute-force attacks prohibitively expensive.
Transport Architecture
NTK adapts its transport layer based on your security profile and network conditions.
Mode A: Peer-to-Peer (WebRTC)
Direct browser-to-browser connection. Data flows directly between participants without touching our servers (except for signaling).
Maximum Privacy • Lowest Latency
Mode B: SFU Mesh (LiveKit)
Uses a selective forwarding unit to scale to larger groups. To maintain security, we use Insertable Streams to encrypt media frames before sending effectively creating an E2EE tunnel through the server.
High Scale • Bandwidth Efficient