Secretus logoSecretus

About Secretus

Rethinking secret sharing from first principles — for a world where quantum computers are no longer science fiction.

🌐 The Problem with Secret Sharing Today

Most "secure" secret sharing tools store your plaintext — or at best a weakly encrypted version of it — on their servers. When you paste a password into those tools, the company can read it. When their database leaks, your secrets leak with it.

The more forward-thinking tools use end-to-end encryption, but almost all of them rely on classical cryptography — specifically elliptic-curve Diffie-Hellman (ECDH). That's perfectly safe today. The problem is tomorrow.

Nation-state actors and well-resourced attackers already run "harvest now, decrypt later" campaigns: they record encrypted traffic today and archive it until quantum computers powerful enough to break ECDH become available. Estimates range from 5 to 15 years. Anything sensitive you share today with classical encryption could be decrypted in the future.

🔬 What Secretus Does Differently

Secretus is built around two fundamental design principles:

  1. 1.Your server never sees your plaintext. All encryption and decryption happens inside your browser, using the Web Crypto API. We are architecturally incapable of reading your secrets — not by policy, but by design.
  2. 2.Reduce future quantum exposure in P2P mode. Secretus combines authenticated X3DH-style setup with ML-KEM-768 (NIST FIPS 203), a standardized post-quantum key encapsulation mechanism, to reduce harvest-now-decrypt-later risk without claiming blanket quantum-proof guarantees.

⚖️ Two Modes, One Platform

Different secrets require different threat models. Secretus gives you two distinct modes, and you choose which one fits the moment.

Standard Mode

AES-256-GCM · Quantum-Resistant · Async

The sender encrypts the secret in the browser with a random AES-256-GCM key. The ciphertext is stored on our server. The decryption key is placed in the URL #fragment — a part of the URL that browsers never send to servers, making it invisible to us.

The recipient opens the link at their own pace — from 15 minutes up to 30 days later (or a custom date). Their browser extracts the key from the fragment, fetches the ciphertext, and decrypts it locally. After first access, the link is invalidated immediately and the ciphertext object is deleted shortly after on a best-effort basis, backstopped by a storage lifecycle rule.

No simultaneous presence required
AES-256 is quantum-resistant (Grover's algorithm only halves effective key length, still 128-bit equivalent)
One-time link — ciphertext deleted after first successful view
Supports text, files (Business), and voice messages (Business)
🔒

Maximum Security

X3DH-style P2P · ML-KEM-768 hybrid · No secret-payload storage in this mode

Both parties connect directly, browser-to-browser, over WebRTC. The secret is transmitted through an authenticated X3DH-style session with ML-KEM-768 hybrid key agreement, and the secret payload is not stored on our servers in this mode.

The key exchange combines classical ECDH (P-256) with ML-KEM-768 post-quantum encapsulation. Both shared secrets are combined via HKDF into a single session root key. Breaking one layer doesn't help an attacker — they need to break both simultaneously.

No secret-payload storage on the server in P2P mode
ML-KEM-768 hybrid layer reduces harvest-now-decrypt-later exposure
Per-message symmetric ratchet with unique AES-GCM keys
Requires sender and recipient online simultaneously

⚛️ ML-KEM-768 — Post-Quantum Encryption Explained

Why does this matter right now?

In 2024, NIST finalized three post-quantum cryptography standards. ML-KEM (previously called CRYSTALS-Kyber) is the only approved Key Encapsulation Mechanism — designed specifically to replace ECDH in a world with quantum computers. Secretus adopted it immediately.

How classical ECDH works (and why it breaks)

Classical key exchange like ECDH relies on the hardness of the discrete logarithm problem on elliptic curves. A classical computer would need billions of years to break it. Shor's algorithm, running on a sufficiently large quantum computer, reduces that to hours. The encryption doesn't break today — it breaks the moment quantum hardware matures.

How ML-KEM-768 works

ML-KEM is based on the Module Learning With Errors (MLWE) problem — a lattice-based mathematical problem that is believed to be hard for both classical and quantum computers. There is no known quantum algorithm that offers a meaningful speedup against MLWE.

In Secretus Maximum Security mode, here's what happens at the cryptographic level:

  1. 1
    Receiver generates an ML-KEM-768 keypair (1184-byte public key, 2400-byte secret key) entirely in the browser. The public key is included in the prekey bundle sent to the sender.
  2. 2
    Sender encapsulates against the receiver's public key — producing a 1088-byte ciphertext and a 32-byte ML-KEM shared secret. The ciphertext is sent via the signaling channel; the shared secret stays local.
  3. 3
    Receiver decapsulates the ciphertext with their secret key, recovering the same 32-byte shared secret independently.
  4. 4
    Hybrid combination via HKDF-SHA256: The ECDH 4-DH output (from X3DH) and the ML-KEM shared secret are concatenated and fed into HKDF with info string "Secretus-Hybrid-X3DH-v1". The output becomes the session root key for the browser-side ratchet state.

🔬 Library: @noble/post-quantum

Secretus uses @noble/post-quantum by Paul Miller — independently audited by Cure53, pure TypeScript, zero dependencies, tree-shakeable. The same author behind @noble/curves, the de facto standard for elliptic curve cryptography in the JavaScript ecosystem.

Maximum Security Protocol Scope

🔒 All encryption happens entirely in your browser

Secretus currently implements browser-native authenticated X3DH session setup, ML-KEM-768 hybrid key agreement, and a per-direction symmetric ratchet for short-lived P2P transfers. It is not presented here as an audited full Signal Protocol or as demonstrated post-compromise recovery.

Current implementation scope

  • • Authenticated X3DH-style handshake establishes the classical shared secret.
  • • ML-KEM-768 adds a post-quantum shared secret, combined via HKDF.
  • • Separate sending and receiving chain keys derive a fresh AES-256-GCM key for each message.
  • • Each side proactively rotates its own DH ratchet key on a fixed message schedule, gated on already having a ratchet public key from the peer to combine with.
  • • Formal post-compromise recovery is not claimed until the ratchet has an external cryptographic audit.

X3DH Key Agreement

X3DH (Extended Triple Diffie-Hellman) allows two parties who have never spoken before to establish a shared secret securely, without any pre-shared passwords. In Maximum Security mode, Secretus extends X3DH with an ML-KEM-768 layer:

  • Identity Keys (IK): Long-term ECDH P-256 keypairs that identify each party.
  • Signed Prekey (SPK): A medium-term key signed by the identity key, preventing man-in-the-middle attacks.
  • One-Time Prekey (OPK): A single-use key that ensures forward secrecy even if all other keys are compromised.
  • 4-DH + ML-KEM hybrid: The four ECDH outputs are combined with the ML-KEM shared secret via HKDF into a single session root key that is resistant to both classical and quantum attacks.

Current Ratchet Behavior

Once the hybrid session root key is established, every message uses a unique key derived from the current chain key and message number:

  • Chain Keys: Sender and receiver maintain separate chain keys that ratchet forward with each message.
  • Message Keys: Each message gets a unique AES-256-GCM key derived from the current chain key plus the message number. After use, it is immediately discarded.
  • Forward secrecy for past messages: Compromising a message key does not reveal earlier message keys or plaintexts.
  • DH ratchet trigger: Each side proactively rotates its own DH ratchet key on a fixed message schedule (not only in reaction to a message from the peer), as long as it already has a ratchet public key from the peer to pair with.

✅ Security Guarantees (Maximum Security Mode)

  • No server storage in P2P mode: Secret transmitted browser-to-browser via WebRTC — not stored server-side
  • Quantum-resistant key exchange: ML-KEM-768 layer is designed to resist Shor's algorithm
  • Past-message forward secrecy: Compromising one message key does not reveal earlier message keys
  • Zero-knowledge: We are architecturally unable to decrypt your secrets
  • No passwords: Keys generated and exchanged automatically in browser
  • Crypto libraries: Web Crypto API for symmetric/classical operations; the ML-KEM-768 layer uses the independently-audited @noble/post-quantum library

Standard Mode — Async AES-256-GCM

The Maximum Security mode requires both parties to be online at the same time — a real constraint in business contexts where people are in different time zones or simply check messages at different hours. Standard Mode solves this with a different, equally sound cryptographic approach.

The #fragment trick — why the server never sees your key

The URL for a Standard Mode secret looks like: secretus.app/s/{id}#async_{key}

The part after # is the URL fragment. By HTTP specification, browsers never include the fragment in requests to the server. When a recipient opens the link, their browser fetches the ciphertext from our server — but our server only sees secretus.app/s/{id}, never the key. The decryption happens entirely client-side. This is not a trust-based privacy guarantee — it is architecturally enforced.

Storage: DynamoDB + S3, claim-and-consume one-time read

The encrypted payload is stored in Amazon S3 (eu-central-1). Metadata (expiry, s3 key) is in DynamoDB. When the recipient reads the secret, the server first acquires a conditional DynamoDB claim with a short, renewable lease — this is what makes concurrent reads mutually exclusive, not a single atomic delete. While holding the claim it reads the ciphertext from S3, then deletes the DynamoDB metadata with the claim's ownership checked, and only returns the payload to the recipient once that deletion succeeds. The link is invalid from that point on. Deleting the underlying S3 object is a separate, best-effort step that happens asynchronously after the response — a 37-day S3 lifecycle rule is the physical cleanup backstop if that best-effort delete is ever missed, not the primary mechanism.

✅ Security Guarantees (Standard Mode)

  • AES-256-GCM: 256-bit key length — quantum computers with Grover's algorithm reduce effective security to 128 bits, still considered an impractical attack for any foreseeable future
  • Key isolation: Decryption key lives only in the URL fragment — we never see it, it is never logged
  • One-time read: A conditional claim-and-consume flow makes the link unusable after the first successful read; the DynamoDB metadata deletion is what's guaranteed synchronously, not the S3 object's physical removal
  • TTL enforcement: DynamoDB native TTL auto-expires metadata; a 37-day S3 lifecycle rule is the backstop for the ciphertext object if the best-effort delete is ever missed
  • Async: No simultaneous presence required — recipient opens within 15 min up to 30 days (custom expiry)

🔑 Team Split — Shamir's Secret Sharing

Some secrets shouldn't rest in the hands of a single person. API keys for critical infrastructure, recovery codes for shared accounts, encryption passphrases for company data — these deserve threshold access control: split the secret so that no one individual can access it alone, but a quorum of trusted holders can reconstruct it when needed.

What is Shamir's Secret Sharing?

Shamir's Secret Sharing (1979, Adi Shamir) is an information-theoretically secure cryptographic scheme. A secret is split into N shares. Any K shares (the threshold) reconstruct the secret exactly. Any K−1 or fewer shares reveal mathematically nothing about the secret — not even a single bit. This is a stronger guarantee than computational security: no amount of computing power can break it.

Under the hood, the secret becomes a polynomial of degree K−1 over a finite field. Each share is a point on that polynomial. Lagrange interpolation with K points recovers the polynomial and thus the secret. With K−1 points, the polynomial is completely undetermined.

How Team Split Works in Secretus

1

Create & Configure

Write your secret, choose a threshold preset (2-of-3, 3-of-5, 3-of-7) and optionally name each holder. All splitting happens in your browser — nothing is uploaded.

2

N Share Links Generated

One unique link per holder. The share data lives in the URL #fragment — browsers never send fragments to servers, so Secretus never sees any share. Send each link to the corresponding holder over any channel.

3

Holder Opens Their Link

Each holder sees their share code and a clear explanation. When reconstruction is needed, they copy their code and send it to whoever holds the reconstruction link.

4

Reconstruct With Threshold

The reconstruction link owner pastes K codes into the reconstruction page. Once the threshold is met, the secret is rebuilt locally in their browser via Lagrange interpolation. No server is involved at any step.

🏢

Corporate Access

Root AWS credentials split 3-of-5 across CTO + 4 leads

🔐

Wallet Recovery

Seed phrase split 2-of-3 across trusted family members

🤝

Multi-Party Approval

API key released only when 2 of 3 co-founders agree

Library: shamir-secret-sharing — independently audited, zero-dependency TypeScript, published by the Privy team. Runs entirely in your browser via the same environment as the rest of Secretus. No WebAssembly, no native binaries.

🌍 Infrastructure & Privacy

EU-Only Infrastructure

Signaling server, DynamoDB, and S3 all reside in eu-central-1 (Frankfurt). Romanian operator. No US data residency.

WebRTC P2P

Maximum Security mode transmits secrets directly browser-to-browser using WebRTC with DTLS/SRTP. Our signaling server facilitates the connection, then steps out.

Consent-Based Analytics

No analytics without explicit consent. Cookiebot-managed, GDPR-compliant.

Multi-Format Support

Text, files (up to 5MB), and voice messages — all encrypted before leaving your device.

GDPR-Aware Design

View, export, or delete your account data at any time from your profile. We minimize what we store to what's operationally necessary.

Open Audit Trail

The cryptographic design is documented on this page. We believe security through transparency is stronger than security through obscurity.

Three Modes. One Platform. Zero Compromise.

Quantum computers will not arrive with an announcement. Secretus combines async AES-256-GCM for convenient one-time secrets, authenticated X3DH-style + ML-KEM-768 for browser-to-browser P2P sharing, and Shamir's Secret Sharing for threshold access control that no single person can bypass.

⚡ Standard · AES-256-GCM🔒 Maximum Security · ML-KEM-768🔑 Team Split · Shamir SSS
Start Sharing Securely