Encryption
BothL2PSMessagingPeer and the legacy MessagingPeer use the same end-to-end encryption layer. Only the persistence and transport layer differs between the two — the cryptography is identical.
The protocol uses ml-kem-aes for secure communication:
- Key generation. Each peer generates a public/private key pair (post-quantum ML-KEM, ML-KEM-768 in the Demos default).
- Public key exchange. Peers exchange public keys through their respective server (the L2PS messaging server for
L2PSMessagingPeer, the legacy signaling server forMessagingPeer). - Signatures. Peers sign their ML-KEM public key with an ML-DSA signing key from the same
unifiedCryptoinstance to bind the encryption key to the signing identity. - Message encryption. Messages are encrypted using the recipient’s public key by encapsulating a fresh shared secret per message (this is what gives the protocol its forward-secrecy property).
- Message decryption. Recipients use their private key to decapsulate the shared secret and AES-decrypt the payload.
L2PSMessagingPeer, the encrypted payload is serialized to the wire as SerializedEncryptedMessage:
MessagingPeer, the same plaintext is serialized using SerializedEncryptedObject from the SDK’s unifiedCrypto (algorithm, serializedCipherText, serializedEncryptedData).