Post-quantum Signal protocol implementation in Dart/Flutter.
Implements the SC-AKE and SC-DAKE handshake protocols from "An Efficient and Generic Construction for Signal's Handshake (X3DH): Post-Quantum, State Leakage Secure, and Deniable" (Hashimoto et al., PQC 2022).
Lattice replaces Signal's X3DH key agreement with a post-quantum construction based on:
- ML-KEM (Kyber) for key encapsulation (NIST FIPS 203)
- ML-DSA (Dilithium) for digital signatures (NIST FIPS 204)
- HMAC-SHA256 for PRF and randomness extraction
| Level | KEM | SIG | Security |
|---|---|---|---|
| L128 | ML-KEM-512 | ML-DSA-44 | 128-bit post-quantum |
| L192 | ML-KEM-768 | ML-DSA-65 | 192-bit post-quantum |
| L256 | ML-KEM-1024 | ML-DSA-87 | 256-bit post-quantum |
| Package | Description |
|---|---|
| lattice_crypto | Cryptographic primitives (KEM, SIG, PRF, Ext) |
| lattice_protocol | SC-AKE + SC-DAKE protocol logic |
| lattice_server | Key distribution server (Shelf) |
| lattice_client | Flutter/Dart client SDK |
| Package | Description |
|---|---|
| lattice_server_firebase | Firebase Cloud Run + Firestore storage |
| lattice_server_serverpod | Serverpod endpoints + PostgreSQL storage |
| lattice_server_supabase | Supabase PostgreSQL storage adapter |
| Tool | Description |
|---|---|
| deploy | Interactive deployment CLI (Docker/AWS/Azure/GCP/Firebase) |
| monitor | Server health monitoring and alerting |
# Clone and install
git clone https://github.com/flutterplaza/lattice.git
cd lattice
dart pub get
# Run all tests
dart test
# Start the server
dart run packages/lattice_server/bin/server.dartimport 'package:lattice_client/lattice_client.dart';
final alice = LatticeClient(
userId: 'alice',
connection: Connection(baseUrl: 'http://localhost:8080'),
);
final bob = LatticeClient(
userId: 'bob',
connection: Connection(baseUrl: 'http://localhost:8080'),
);
await alice.register();
await bob.register();
await alice.uploadPreKey();
final bobSession = await bob.initiateSession('alice');
final aliceSessions = await alice.respondToSessions();
// Both share the same post-quantum session key| Platform | Method | Storage Backend |
|---|---|---|
| Local | Docker | In-memory / File |
| AWS ECS | Docker + ECR | File / External DB |
| Azure Container Apps | Docker + ACR | File / External DB |
| GCP Cloud Run | Docker + GCR | File / External DB |
| Firebase | Cloud Run + Hosting | Firestore |
| Serverpod | Native Dart server | PostgreSQL |
| Supabase | External server | Supabase PostgreSQL |
# Deploy locally with Docker
dart run tools/deploy/bin/deploy.dart deploy --target local
# Deploy to Firebase Cloud Run
dart run tools/deploy/bin/deploy.dart deploy --target firebase
# Deploy to GCP Cloud Run
dart run tools/deploy/bin/deploy.dart deploy --target gcpFull documentation is available at the documentation website or in the docs/ directory.
- Getting Started
- Protocol Specification
- Server Setup
- Deployment Guide
- Platform Integrations
- Security Model
- API Reference
Packages are published to pub.dev via tag-triggered CI:
git tag v0.1.0
git push origin v0.1.0This triggers the publish.yml workflow which publishes lattice_crypto to pub.dev using OIDC authentication.
This implementation targets post-quantum security against both passive and active adversaries:
- SC-AKE: Authenticated key exchange with state leakage security
- SC-DAKE: Deniable authenticated key exchange using ring signatures
- No cryptographic material is ever logged
- Constant-time comparisons for security-critical operations
- TLS enforcement for production deployments
BSD 3-Clause License. See LICENSE.
@inproceedings{hashimoto2022efficient,
title={An Efficient and Generic Construction for Signal's Handshake (X3DH): Post-Quantum, State Leakage Secure, and Deniable},
author={Hashimoto, Keitaro and Katsumata, Shuichi and Kwiatkowski, Kris and Prest, Thomas},
booktitle={Post-Quantum Cryptography},
year={2022},
publisher={Springer}
}See CONTRIBUTORS.md for paper authors and project contributors.