Moneta Eight FZE LLC
Ajman Free Zone · United Arab Emirates
Moneta Eight
Technical Specification

OpenBook Zero Protocol

The end-to-end encryption protocol powering OpenBook Chat. A formal specification of its cryptographic design, threat model, and security properties.

v1.0 Active · June 2026 OpenBook Chat iOS Built in the UAE
Version v1.0
Published June 2026
Status Active
Platform iOS
Author Moneta Eight FZE
01

Abstract

OpenBook Zero is the end-to-end encryption protocol designed and implemented by Moneta Eight FZE for OpenBook Chat. It provides per-message ephemeral key agreement (the ECIES pattern) with sender-side forward secrecy, authenticated encryption, and a Shamir-sharded (2-of-3) identity key system designed for recoverable custody (§07, L5) — without requiring users to manage cryptographic material directly.

The protocol is built entirely from standard, well-vetted cryptographic primitives: X25519 for key agreement, HKDF-SHA256 for key derivation, and AES-256-GCM for authenticated encryption. The identity key backup system uses Shamir's Secret Sharing over GF(2⁸), implemented from scratch in Dart.

OpenBook Zero is designed to be auditable and transparent. This document specifies the protocol as implemented. Where the two diverge, the implementation is authoritative and this document will be corrected.
02

Threat Model

What OpenBook Zero protects against

  • Network interception — All message content is encrypted before leaving the sender's device. An adversary with full network visibility sees only ciphertext.
  • Server-side breach — Firebase stores only ciphertext. A full server compromise does not expose message content. Keys never touch the server.
  • Sender-side retrospective decryption — Every ephemeral private key is destroyed at send time. Compromising a sender’s identity key exposes nothing about previously sent messages.
  • Message tampering — AES-256-GCM authenticated encryption detects any modification — even a single bit — causing decryption to fail loudly.

What it does not claim to protect against

  • Compromised endpoint — If a device is seized and unlocked, locally stored messages are accessible. This is outside the scope of any messaging protocol.
  • Metadata analysis — OpenBook Zero encrypts content. Who communicates with whom, and when, is visible to the server — a deliberate tradeoff enabling message history.
  • Recipient key compromise — An adversary holding a recipient’s long-term private key can decrypt that user’s stored message history, since the ephemeral public key stored with each message allows the shared secret to be recomputed. This is the explicit tradeoff that enables recoverable history (§07, L1, L4).
  • Nation-state adversaries — Zero-day exploits, hardware attacks, and state-level device compromise are out of scope.
  • Break-in recovery — No symmetric ratchet is currently implemented. Addressed in v1.1.
03

Cryptographic Primitives

All primitives are standard, publicly specified algorithms. No proprietary or novel cryptography is used. X25519, HKDF-SHA256, and AES-256-GCM are provided by the cryptography Dart package (v2.7) — a vetted, widely-deployed implementation. Key material at rest is held via flutter_secure_storage (iOS Keychain, hardware-backed). Only the Shamir Secret Sharing layer is first-party code.

Algorithm Role Parameters / Standard
X25519 Elliptic-curve Diffie-Hellman key agreement RFC 7748 · 32-byte keypairs · Identity and ephemeral key agreement
HKDF-SHA256 Key derivation from shared secret RFC 5869 · 32-byte output · Salt = ephemeral pubkey · Info = openbook_zero_v3_message
AES-256-GCM Authenticated symmetric encryption NIST SP 800-38D · 256-bit key · 96-bit random nonce · 128-bit auth tag
SHA-256 Key fingerprint generation FIPS 180-4 · Verifiable identity fingerprints for out-of-band verification
Shamir SS / GF(2⁸) Identity key backup AES polynomial 0x11b · 2-of-3 threshold · Implemented in Dart
BIP-39 Recovery phrase encoding 2048-word wordlist · 12 words · 128 bits entropy
04

Identity Layer

Every OpenBook user has a long-term X25519 identity keypair. The public key is published to the server so contacts can encrypt messages to them. The private key never leaves the device unencrypted and is never transmitted to the server in any form.

Key generation

On first setup, the app generates a 32-byte X25519 keypair using a cryptographically secure random source. The public key is stored locally and published to Firestore under the user's UID. The private key is immediately split into Shamir shards and never stored whole after that point.

Key distribution

Before sending a message, the sender fetches the recipient's X25519 public key from their Firestore user document (obZeroPublicKey field, base64-encoded). This fetch is cached in memory with a 10-minute TTL to minimise Firestore reads without staleness risk.

Trust assumption: OpenBook Zero currently trusts the server for public key distribution. A future version will add key transparency and out-of-band fingerprint verification to protect against a malicious server substituting a different public key.
05

Message Encryption

Every message is encrypted independently with no shared session state (the ECIES pattern). The sender’s ephemeral private key is destroyed immediately after use — nothing on the sender’s side can re-derive a message key. The recipient decrypts using their long-term private key together with the ephemeral public key stored alongside the ciphertext. The properties this does and does not provide are stated precisely in §02 and §10 (L1).

Encryption flow

1
Generate ephemeral keypair

Fresh X25519 keypair unique to this message, used nowhere else.

2
ECDH key agreement

ephemeralPrivKey × recipientPubKey → 32-byte shared secret

3
HKDF-SHA256 key derivation

HKDF(sharedSecret, salt=ephemeralPubKey, info="openbook_zero_v3_message") → 32-byte AES key

4
AES-256-GCM encrypt

messageKey + random 96-bit nonce → ciphertext + 128-bit authentication tag

5
Store + discard

ciphertext + ephemeralPubKey stored to Firestore · ephemeral private key immediately discarded

Ciphertext format

// Packed binary layout — base64-encoded for Firestore storage [ 12 bytes ] nonce — random per message, never reused [ 16 bytes ] MAC tag — AES-GCM authentication tag [ N bytes ] ciphertext — encrypted message content // Stored alongside on Firestore message document ephemeralPubKey — base64 X25519 public key (32 bytes) encryptionVersion — 3 // wire-format v3 corresponds to spec v1.0; v1–v2 were unreleased internal iterations
06

Encrypt-for-Self Pattern

Because OpenBook Zero uses asymmetric key agreement, a message encrypted to the recipient's public key cannot be decrypted by the sender — the sender does not hold the recipient's private key. Every outgoing message is encrypted twice using independent ephemeral keypairs:

For the recipient

Stored in text + ephemeralPubKey

For the sender (self)

Stored in textForSender + ephemeralPubKeyForSender

The two encryptions are cryptographically independent — each uses its own ephemeral keypair. A compromise of one does not affect the other. The app selects which ciphertext to decrypt based on whether the current user is sender or recipient.

07

Key Recovery (Shamir Secret Sharing)

The long-term X25519 private key is the root of a user's cryptographic identity. Losing it means losing the ability to decrypt past messages and prove identity on a new device. OpenBook Zero protects against this using Shamir's Secret Sharing.

At setup, the 32-byte private key is split into three shards using a 2-of-3 Shamir scheme over GF(2⁸). Any two shards reconstruct the key. One shard alone reveals nothing — this is information-theoretically proven, not assumed.

Shard Location Protection
Shard 1 Device — iOS Keychain flutter_secure_storage · encrypted at rest with hardware-protected keys
Shard 2 Firebase Firestore A single shard reveals nothing about the key — Shamir’s information-theoretic guarantee · at-rest encryption under a recovery-phrase-derived key ships in v1.1
Shard 3 Device — secure storage (transitional) Moves to sole user custody as a 12-word BIP-39 phrase in v1.1 · never stored on the server

Normal operation

The app silently reconstructs the private key from Shard 1 (device) and Shard 2 (server) each session. The reconstructed key exists in memory only, is never written to disk, and is discarded when the session ends. Shard 3 is used only as an offline fallback when the server shard is unreachable.

Recovery flow (v1.1 — in development)

Once user-custody recovery ships, the user will enter their 12-word recovery phrase on a new device. Combined with Shard 2 retrieved from the server, the app reconstructs the private key and restores full access to message history; Shard 1 is then regenerated on the new device.

In v1.0, all shards are managed by OpenBook systems (two on-device, one on the server) and cross-device recovery is not yet available — see L6.

Important (v1.0): Until the user-custody phrase ships in v1.1, loss of the device means permanent loss of message history — the server shard alone cannot reconstruct the key, by design. Once v1.1 ships, the 12-word phrase becomes the user’s single point of custody.
08

Verification

◉ Server View Toggle

In chat settings, users can toggle to view raw base64 ciphertext as stored on Firebase — confirming that servers only ever see opaque encrypted data, never plaintext. The toggle is a UI mode switch; it does not modify any stored data.

⬡ Key Fingerprint

SHA-256 hash of both parties' X25519 public keys, ordered canonically by user ID so both sides produce the same value. Users can compare fingerprints out-of-band — over a call or in person — to detect any MITM substitution of public keys.

Example — illustrative only
a3f2 b8c1 9e4d 7f20 c15a 83d6 4b9e 2f71 d8a0 3c5b 1e92 7d64 f0a3 b2c8 9e15 4d70
09

UAE Regulatory Alignment & PDPL

OpenBook Zero's architecture was designed with strong alignment to the UAE Federal Personal Data Protection Law (PDPL — Federal Decree-Law No. 45 of 2021) and the UAE's broader digital trust and data sovereignty objectives.
Security by Design

All encryption (X25519 + AES-256-GCM) happens on-device before any data leaves the user's phone. Servers never see plaintext or keys.

Data Minimisation

Only ciphertext and minimal metadata are stored on Firebase. No message content, no keys, and no unnecessary personal data ever reaches our infrastructure.

User Control & Transparency

Users can independently verify encryption state (Server View) and confirm conversation integrity (key fingerprints). Full recovery control via 12-word phrase.

Moneta Eight FZE LLC is committed to full PDPL compliance as the company scales — including documented technical & organisational measures, data subject rights processes, cross-border transfer safeguards, and incident response procedures. This public specification is part of our commitment to transparency and auditability.

Future roadmap items include enhanced data residency options and formal PDPL-aligned privacy documentation.

10

Known Limitations

We publish known limitations because transparency about what a protocol does not do is as important as describing what it does.

L1 — Forward secrecy is sender-side only (no ratchet)
Each message uses an independent ephemeral keypair, so compromise of a sender's identity key exposes nothing about previously sent messages. However, compromise of a recipient's long-term private key exposes their stored message history: the ephemeral public key stored with each message allows the shared secret to be recomputed. This is inherent to recoverable message history (see L4) and is a deliberate design tradeoff. Signal's Double Ratchet provides stronger post-compromise properties at the cost of history recovery.
→ v1.1 KDF chain narrows exposure · retention controls (L4) reduce the window
L2 — No prekey bundles
Requires recipient to have an active public key on the server before a message can be sent. No mechanism currently exists for one-time prekeys enabling forward-secret offline message delivery.
→ Addressed in v1.1
L3 — Server-trusted key distribution
Public keys are distributed via Firebase. A malicious or compromised server could substitute a different public key, enabling a MITM attack on new conversations. The key fingerprint feature partially mitigates this via out-of-band verification.
→ Key transparency planned for v1.2
L4 — Persistent encrypted storage
Unlike Signal, which deletes messages upon delivery, OpenBook stores encrypted ciphertext on Firebase indefinitely to support message history and recovery. Content is protected by E2EE; metadata is visible to the server. Users requiring ephemeral messaging should use Void mode.
→ Per-conversation retention controls planned
L5 — User-custody recovery not yet shipped
In v1.0 all three shards are held by OpenBook systems: Shards 1 and 3 on the user’s device (Keychain-backed secure storage) and Shard 2 on the server. The 12-word BIP-39 phrase that places Shard 3 solely in the user’s hands — enabling cross-device recovery — is in development. Until then, device loss means history loss.
→ BIP-39 phrase + QR custody flow ships in v1.1
L6 — No independent security audit yet
OpenBook Zero has not yet been independently audited by a third-party security firm. This specification is published to invite community review. Formal audit planned post-seed-round funding.
→ Community review welcomed at info@moneta8.com
11

Version Roadmap

v1.0 — Current (June 2026)
Live
X25519 + HKDF-SHA256 + AES-256-GCM · Per-message ephemeral keypairs · Encrypt-for-self · GF(2⁸) Shamir key sharding (2-of-3) · Server View · Key fingerprint
12

Version History

v1.0 — June 2026
Initial public specification. Protocol designed and implemented entirely by Moneta Eight FZE LLC in the United Arab Emirates. Community review welcomed.
Security disclosures
info@moneta8.com

This document will be updated as the protocol evolves. The version number in the header is the authoritative reference.