How It Works
Canium uses MLS (Message Layer Security, RFC 9420) — the IETF standard for next-generation secure group messaging — as the single encryption stack across all communications: channels and direct messages.
Your Password Never Leaves Your Device
Canium uses OPAQUE (RFC 9807), a password authentication protocol in which the server never receives your password — not even in hashed form. The server holds a cryptographic record that is useless without the password, and a blob of encrypted key material that is useless without the OPAQUE session key your password produces. The two halves are worthless in isolation.
A breach of the server database reveals nothing about any user's password or derived keys.
Encryption Keys Derived on Your Device
When you log in, your device derives a root secret entirely locally. Every encryption key in the system descends from this secret. The server never sees this secret.
Because derivation is deterministic and user-scoped, every device you log in on produces the same keys from the same root secret. There is no per-device key registration, no synchronization ceremony.
MLS Group Encryption
Every Canium channel — including direct messages — is an MLS group. MLS is a cryptographic protocol for secure group messaging at scale, standardized by the IETF in 2023. It provides:
- End-to-end encryption — messages are encrypted on the sender's device and decrypted only on recipients' devices. The server stores ciphertext only.
- Forward secrecy — compromise of current keys does not expose past messages.
- Post-compromise security — after a device is compromised and removed from a group, future messages are cryptographically inaccessible to that device.
- Post-quantum encryption — all MLS group key establishment uses a hybrid post-quantum key encapsulation mechanism: the X-Wing combiner, pairing classical X25519 with ML-KEM-768, the NIST-standardized post-quantum KEM. An attacker recording Canium traffic today cannot retroactively decrypt it with a future quantum computer — the "harvest now, decrypt later" attack is closed. Disclosure and recovery (DRA) envelopes use the same hybrid construction. We adopted this ahead of final IETF post-quantum ciphersuite standardization, deliberately — the KEM components themselves are standardized, and waiting would have left recorded traffic exposed.
Direct Messages — Same Stack, No Exceptions
Direct messages in Canium are 2-person MLS groups. They use the identical cryptographic machinery as channels — same key derivation, same encryption scheme, same recovery paths, same server blindness. There is no separate DM cryptosystem with its own threat model. One encryption stack, consistently applied.
What the Server Never Sees
| Item | Server access |
|---|---|
| User passwords | Never — OPAQUE protocol |
| Root secret (master key) | Never — derived client-side only |
| OPAQUE session key | Never — ephemeral, client-only |
| MLS channel keys | Never — derived client-side via MLS export |
| MLS private key material | Never — server holds public portions only |
Multi-Device — Zero Friction
Because all keys derive deterministically from the root secret, adding a new device is simply logging in. No cryptographic re-enrollment of existing channels, no epoch churn. Your encryption state is fully portable via your credentials alone.