Zero-Knowledge Fortress

NYX Security Architecture operates on a Trust No One (TNO) model. Features include Blind Indexing via Argon2id, Signal Protocol Double Ratchet encryption for messages, local-first IndexedDB storage for chat histories, and direct WebRTC P2P tunnels bypassing servers for calls.

Privacy is not a feature. It's our architecture. Explore the mathematical guarantees that keep your messages strictly yours.

01 / THREAT MODEL

We Assume Our Servers Are Compromised.

Traditional messaging apps focus on protecting their server walls. NYX takes a more radical approach: Trust No One (TNO).

We designed this architecture assuming hackers are already inside our servers. However, since there are no decryption keys on the server, a data breach yields nothing but cryptographically useless random characters.

NYX_SERVER_DB // POSTGRES BREACHED
ROW_1e2a9f8b3... UNREADABLE
ROW_27c4d11a9... UNREADABLE
ROW_3ff20x91p... UNREADABLE
Data Secured
Zero-Knowledge Kept Intact
Device
@h4nzs
Argon2id KDF
NYX Server
Hash: 9a3b...
02 / BLIND INDEXING

Absolute Server Blindness.

If we don't ask for your phone number or email, how can your friends find you?

NYX uses a cryptographic technique called Blind Indexing. When you register, your username is heavily hashed using the Argon2id algorithm directly on your device.

The server only receives a random string of code (a hash). We literally don't know who you are, and there is no mathematical formula in the universe to reverse that hash back into your real name.

03 / THE DOUBLE RATCHET

Every Message, A New Key.

NYX is built upon the world's most respected encryption protocol: The Signal Protocol. But we don't just encrypt the connection, we encrypt every single message individually.

  • Perfect Forward Secrecy (PFS): If your device is compromised tomorrow, your messages sent yesterday remain unreadable because the old keys have already been destroyed.
  • Post-Compromise Security (PCS): If your key leaks today, you only need to send one new message. The system will automatically "ratchet" a new key and restore your security.
KDF
MSG #1 KEY_A
MSG #2 KEY_B
MSG #3 KEY_C
Plaintext → v2_28a9b1...c4
IndexedDB Vault
Cloud DB
04 / LOCAL VAULT & PROFILES

Your Data, On Your Device.

Most chat apps sync your entire history to their cloud. We don't. Your entire NYX chat history lives exclusively inside your device's IndexedDB.

Even your profile picture and display name are encrypted locally. The key to unlock them is only sent to your approved contacts. To our servers, you have no face and no name—just an encrypted blob of data.

05 / WEBRTC TUNNELS

Wiretap-Proof Calls.

When you make a voice or video call, our architecture shifts from Client-Server to a true Peer-to-Peer (P2P) network.

The NYX server only acts as a signaling pathfinder. But even the connection signals (SDP/ICE) are wrapped in E2EE encryption. Once connected, voice and video packets flow directly between devices. The server is completely bypassed.

Peer A
Server Bypassed
Peer B
DIRECT P2P TUNNEL

Are you a Security Researcher?

We welcome independent audits. Read our Coordinated Disclosure Protocol and earn your place in the NYX Hall of Fame.

View Bug Bounty Protocol
ce, obfuscation is the only true freedom."