Protocol Documentation
How ZelEn Works
A complete walkthrough of the ZelEn v1 encryption protocol — key generation, the binary container format, the encryption and decryption pipelines, and formal security.
0 — FOUNDATIONS
How Public & Private Keys Are Derived
Classical cryptography relies on number-theoretic hardness — problems easy to construct but hard to reverse. Post-quantum cryptography replaces these with lattice problems that remain hard even for quantum computers running Shor's algorithm.
Classical · 1977
RSA
Integer Factorisation Problem
- Choose two large random primes
pandq - Compute public modulus
n = p × q - Compute
φ(n) = (p−1)(q−1) - Pick exponent
e; derived = e⁻¹ mod φ(n)
Public
(n, e)Private
dKey size256 bytes (2048-bit)
Quantum✗ Broken by Shor
Hard problemFactor large n
Classical · 1985
ECC
Elliptic Curve Discrete Log Problem
- Pick a standard curve (P-256, Curve25519) with generator
G - Choose random integer
kas the private key - Compute public key
Q = k × G(point multiplication) - Recovering
kfromQandGis the ECDLP
Public
Q = kGPrivate
kKey size32–64 bytes (256-bit)
Quantum✗ Broken by Shor
Hard problemFind k from kG
Post-Quantum · NIST FIPS 203
ML-KEM
Module Learning With Errors (MLWE)
- Sample random matrix
A ∈ R_q^(k×k)from a public seed - Sample short secret vectors
s, efrom a narrow distribution - Compute
b = A·s + e mod q - Given
(A, b), recoveringsis the MLWE problem
Public
(A, b) 1568 BPrivate
s 3168 BKey size1568 / 3168 bytes
Quantum✓ Quantum safe
Hard problemSolve MLWE
| Property | RSA-2048 | ECC P-256 | ML-KEM-1024 (ZelEn) |
|---|---|---|---|
| Hard Problem | Integer factorisation | Elliptic curve discrete log | Module Learning With Errors |
| Public Key Size | 256 bytes | 32–64 bytes | 1,568 bytes |
| Private Key Size | 1,192 bytes | 32 bytes | 3,168 bytes |
| Classical Security | ~112 bits | ~128 bits | ~256 bits |
| Quantum Security | ✗ ~0 bits (Shor) | ✗ ~0 bits (Shor) | ✓ ~128 bits |
| NIST Standard | PKCS#1 / RFC 8017 | FIPS 186-5 | FIPS 203 |
| Key Operation | Modular exponentiation | Point multiplication | Polynomial ring arithmetic |
A — KEY GENERATION
Key Bundle Generation
Every identity in ZelEn has two keypairs: one for encryption (KEM) and one for signatures.
User Identity
subject@domain
subject@domain
Identity Input
→
ML-KEM KeyGen
FIPS 203
FIPS 203
KEM Keypair
→
ML-DSA KeyGen
FIPS 204
FIPS 204
Signature Keypair
→
SHA3-256
Identity FP
Identity FP
Fingerprint
→
Argon2id
Passphrase KDF
Passphrase KDF
Key Protection
→
.zkey
.zpub
.zcert
.zpub
.zcert
Output Files
Key File Formats
| File | Contents | Visibility | Usage |
|---|---|---|---|
| .zkey | KEM sk + Sig sk, encrypted with Argon2id | Private — never share | Decryption, Signing |
| .zpub | KEM pk + Sig pk, unencrypted JSON | Public — share freely | Encryption target, Verify |
| .zcert | zpub + ML-DSA signature + metadata | Public — shareable | Identity binding |
D — BINARY FORMAT
.zelen Binary Header — ZELC @ 0x7D
The .zelen container starts with a 145-byte fixed header followed by the variable-length KEM ciphertext.
The ZELC brand marker at exact offset 0x7D serves as an
integrity anchor — any container that does not present ZELC at 0x7D is immediately rejected.
Header Byte Map — ZELC glows orange at 0x7D
0x00Z
0x01E
0x02L
0x03E
0x04N
0x11SFP
…SFP
…SFP
0x30SFP
0x31RFP
…RFP
…RFP
0x50RFP
0x51KDG
…KDG
…KDG
0x70KDG
0x71NON
…NON
…NON
0x7CNON
0x7DZ
0x7EE
0x7FL
0x80C
0x81TAG
…TAG
…TAG
0x90TAG
0x91CTL
0x92CTL
0x93CTL
0x94CTL
0x95KCT
…KCT
…KCT
……
MAGIC
METADATA
FINGERPRINTS
NONCE
ZELC @ 0x7D ★
AUTH TAG
KEM CT
Full Offset Table
OFFSET
SIZE
FIELD
DESCRIPTION
0x00
5
Magic
"ZELEN" ASCII (5A 45 4C 45 4E)
0x05
1
Version
Format version (0x01)
0x06
1
Flags
Bit 0=SIGNED, Bit 1=CERT, Bit 7=MOCK
0x07
1
Security Tier
3 = NIST Level 3, 5 = NIST Level 5
0x08
1
Header Profile
Profile marker (0x01 = standard)
0x09
2
Suite ID
Big-endian uint16: 0x0100=PQ3, 0x0101=PQ5
0x0B
2
Cert Type
0x0000=None, 0x0001=ZCert, 0x0002=X509
0x0D
4
Payload Length
Big-endian uint32 plaintext size
0x11
32
Sender FP
SHA3-256 identity fingerprint (sender)
0x31
32
Recipient FP
SHA3-256 identity fingerprint (recipient)
0x51
32
KEM CT Digest
SHA3-256(KEM ciphertext)
0x71
12
AES-GCM Nonce
96-bit random nonce (never reused)
0x7D
4
ZELC Brand
"ZELC" (5A 45 4C 43) — integrity anchor @ 0x7D
0x81
16
Header Auth Tag
Trunc128(KDF(k_hdr, H_0)) — MAC over header
0x91
4
KEM CT Length
Big-endian uint32 length of KEM ciphertext
0x95
var
KEM Ciphertext
ML-KEM encapsulation ciphertext (variable length)
B — ENCRYPTION
Encryption Pipeline
1
ML-KEM.Encaps(ek_R)
(K, c_kem) ← encapsulate with recipient public key
2
Build Header H_0
Fixed header with ZELC@0x7D, zeroed auth tag
3
n ← random_bytes(12)
Fresh AES-GCM nonce — never reused
4
PRK = KDF(K, CE(H_0,H(c_kem),fp_S,fp_R,suite,policy))
"ZELEN v1 key schedule" — domain separated
5
k_enc = KDF(PRK, "payload encryption")
32-byte AES-256 payload key
6
k_hdr = KDF(PRK, "header authentication")
32-byte header MAC key
7
k_sigctx = KDF(PRK, "signature transcript binding")
Signature transcript key
8
t_H = Trunc128(KDF(k_hdr, H_0))
Header auth tag → inserted at 0x81
9
(C,T) ← AES-256-GCM(k_enc,n,M,AAD=H)
AAD = full header with ZELC@0x7D and auth tag
10
SIG_INPUT = CE("ZELEN-SIG-v1",H(H),H(c_kem),H(C),T,...)
Canonical sign input
11
Σ ← ML-DSA.Sign(sk_S, SIG_INPUT)
Optional — if sender .zkey provided
12
H ∥ c_kem ∥ C ∥ T ∥ cert ∥ Σ
.zelen output container
C — DECRYPTION
Decryption Pipeline
Fail-closed at every step. No plaintext is released unless all authentication checks pass.
✓
Parse header (single-pass, allocation-capped)
Reject malformed headers, oversized fields, trailing bytes
✓
Verify ZELEN magic @ 0x00
5 bytes "ZELEN" — fail if wrong
✓
Verify ZELC brand @ 0x7D
4 bytes "ZELC" at exact offset — fail if wrong
✓
Validate suite ID
Reject unknown or disabled suites
✓
Verify H(c_kem) matches header digest
KEM ciphertext integrity before decapsulation
✓
K ← ML-KEM.Decaps(dk_R, c_kem)
Recover shared secret
✓
Recompute PRK, k_enc, k_hdr
Same KDF as encryption
✓
Verify header auth tag (constant-time)
hash_equals() — no timing oracle
✓
Verify cert / signature if present
ML-DSA verify — reject if invalid
✓
M ← AES-256-GCM.Dec(k_enc,n,C,AAD=H,T)
Fail closed on tag mismatch — generic error only
✓
Release plaintext
Only on complete authentication success
E — FORMAL SECURITY
Security Reduction
AdvZelEnobj-sec(A)
≤
AdvML-KEMIND-CCA(B)
+
AdvGCMAEAD(C)
+
AdvKDFPRF(D)
+
AdvML-DSAEUF-CMA(E)
+
εCE
+
εparse
Where B, C, D, E are PPT adversaries against the respective primitives,
ε_CE is the collision probability of the canonical encoder,
and ε_parse is the probability of a parser confusion attack.
All terms are negligible in the security parameter λ for NIST Level 3/5 parameters.
| Component | Primitive | Security Property | NIST Standard |
|---|---|---|---|
| Key Encapsulation | ML-KEM-768/1024 | IND-CCA2 vs. quantum | FIPS 203 |
| Symmetric Encryption | AES-256-GCM | IND-CPA + AUTH | NIST SP 800-38D |
| Key Derivation | HKDF-SHA256 | PRF security | RFC 5869 |
| Digital Signatures | ML-DSA-65/87 | EUF-CMA vs. quantum | FIPS 204 |
| Hash Functions | SHA3-256 / SHA-256 | Collision resistance | FIPS 202 |
| Canonical Encoding | Length-prefix CE | No concatenation ambiguity | ZelEn Spec v1 |
F — OPTIONAL LAYER
MTE Optional Layer
Hybrid classical-quantum security for transition periods.
Hybrid KEM (MTE Mode)
In MTE (Multi-Transposition Encapsulation) mode, the ZelEn container can embed a classical X25519 shared secret alongside the ML-KEM shared secret, combined via XOR or HKDF. This ensures security even if ML-KEM is broken (classical adversary) or X25519 is broken (quantum adversary).
ML-KEM
K_pq
K_pq
Post-Quantum
⊕
X25519
K_ec
K_ec
Classical
→
HKDF
K_combined
K_combined
Hybrid Key
→
AES-256-GCM
Encrypt
Suite 0x0200+ reserved for MTE mode