Cryptographic Reference
This page is a quick-reference table of every cryptographic algorithm, key size, and library used in Relay. It is intended for security auditors, contributors, and anyone who wants to verify the crypto stack at a glance.
Algorithm Table
| Operation | Algorithm | Key / Output Size | Library | Notes |
|---|---|---|---|---|
| Seed generation | BIP39 | 128-bit entropy, 12 words | @scure/bip39 | English wordlist, PBKDF2-SHA512 to seed |
| HD key derivation | SLIP-0010 (Ed25519) | 256-bit keys | @noble/hashes (HMAC-SHA512) | Hardened derivation only |
| Auth signing | Ed25519 | 256-bit private, 256-bit public | tweetnacl (server), @noble/curves (client) | Challenge-response login |
| Transaction signing | Ed25519 | 256-bit private, 256-bit public | tweetnacl (via @solana/web3.js) | Solana transactions |
| DH key agreement | X25519 | 256-bit shared secret | @noble/curves | Signal Protocol X3DH |
| Identity signing | Ed25519 | 256-bit keys | @noble/curves | Signal Protocol identity + pre-key signing |
| Ed25519 to X25519 | Birational map | 256-bit | @noble/curves | edwardsToMontgomery / toMontgomerySecret |
| Key derivation (Signal) | HKDF-SHA256 | Variable output | @noble/hashes | Root key, chain key, message key derivation |
| Message encryption | AES-256-CBC + HMAC-SHA256 | 256-bit AES, 256-bit HMAC | @noble/ciphers + @noble/hashes | Signal Protocol messages |
| Storage encryption | AES-256-GCM | 256-bit key, 96-bit IV | @noble/ciphers | EncryptedStorage wrapper |
| Backup encryption | AES-256-GCM | 256-bit key, 96-bit IV | @noble/ciphers | Relay backup files |
| Backup KDF | Argon2id | 256-bit output | hash-wasm | 3 iterations, 64 MB memory, parallelism 1 |
| PIN hashing | PBKDF2-SHA256 | 256-bit output | @noble/hashes (HMAC-SHA256) | 10,000 iterations, 128-bit random salt |
| Password hashing (legacy) | PBKDF2-SHA256 | 256-bit output | @noble/hashes | 600,000 iterations (v1, auto-migrated) |
| Random bytes | CSPRNG | Variable | @noble/ciphers (randomBytes) | OS-provided entropy |
Library Versions
The primary cryptographic libraries are from the @noble and @scure families by Paul Miller (tweetnacl and hash-wasm, listed in the table below, are the exceptions). The @noble and @scure libraries are:
- Pure JavaScript — no native C/Rust bindings, fully compatible with React Native and Hermes.
- Audited — independently security-audited.
- Widely used — trusted by Ethereum, Solana, and other blockchain ecosystems.
| Library | Purpose |
|---|---|
| @noble/curves | Ed25519, X25519, birational map |
| @noble/hashes | SHA-256, SHA-512, HMAC, HKDF, PBKDF2 |
| @noble/ciphers | AES-256-CBC, AES-256-GCM, randomBytes |
| @scure/bip39 | BIP39 mnemonic generation and validation |
| tweetnacl | Ed25519 signing (server-side) |
| hash-wasm | Argon2id (backup encryption) |
Key Sizes and Formats
| Key Type | Size | Encoding | Storage |
|---|---|---|---|
| BIP39 mnemonic | 12 words (128-bit entropy + 4-bit checksum) | English words | Keychain (biometric-gated) |
| Ed25519 private key | 32 bytes (256 bits) | Base58 (Solana format) | Keychain (biometric-gated) |
| Ed25519 public key | 32 bytes (256 bits) | Base58 (Solana format) | Keychain (no biometric) |
| X25519 private key | 32 bytes (256 bits) | Base64 | EncryptedStorage |
| X25519 public key | 32 bytes (256 bits) | Base64 | Server (pre-key bundles) |
| AES-256 key | 32 bytes (256 bits) | Raw bytes | Derived (HKDF), never stored directly |
| HMAC-SHA256 key | 32 bytes (256 bits) | Raw bytes | Derived (HKDF), never stored directly |
| AES-GCM IV | 12 bytes (96 bits) | Raw bytes | Prepended to ciphertext |
| AES-CBC IV | 16 bytes (128 bits) | Raw bytes | Derived from message key via HKDF |
| Argon2id salt | 16 bytes (128 bits) | Raw bytes | Stored in backup file header |
| PBKDF2 salt | 16 bytes (128 bits) | Hex | Stored in PIN hash string |
Security Properties
| Property | How Relay Achieves It |
|---|---|
| Forward secrecy | Double Ratchet generates a new DH key pair per conversation turn. Compromise of a current key does not reveal past messages. |
| Post-compromise security | New DH ratchet steps re-establish security after a key compromise. |
| Replay protection | Message counters in ratchet headers prevent replay. |
| Tampering detection | HMAC-SHA256 (Signal messages) and GCM auth tags (storage/backups) detect any modification. |
| Timing attack resistance | Constant-time comparison for PIN verification and HMAC verification. |
| Key separation | Wallet and auth keys derived from the same seed but at different SLIP-0010 paths — cryptographically independent. |
| Key erasure | Private key bytes zeroed in memory immediately after use. |
| Brute-force resistance | Argon2id (backups) and PBKDF2 (PIN) impose computational cost on each guess. |
Standards and Specifications
| Standard | Where Used | Reference | Notes |
|---|---|---|---|
| BIP-39 | Mnemonic seed generation | BIP-0039 | Industry-wide standard (not Bitcoin-specific) |
| BIP-44 | Derivation path format | BIP-0044 | Path convention adopted by all chains |
| SLIP-0010 | Ed25519 HD key derivation | SLIP-0010 | Replaces BIP-32 for Ed25519 curves (Solana) |
| SLIP-0044 | Coin type 501 (Solana) | SLIP-0044 | Chain identifier registry |
| X3DH | Key agreement protocol | Signal X3DH Spec | |
| Double Ratchet | Message encryption protocol | Signal Double Ratchet Spec | |
| RFC 5869 | HKDF key derivation | RFC 5869 | |
| RFC 8439 | ChaCha20-Poly1305 / AES-GCM | RFC 8439 | |
| RFC 9106 | Argon2 password hashing | RFC 9106 | |
| NIST SP 800-132 | PBKDF2 | NIST SP 800-132 | |