post-quantum e2e messenger // aes512-sc-v3

outlast
the end
of the world

Every message is sealed in your browser — hybrid X25519 + ML-KEM-1024 handshake, post-quantum AES512 transport, keys that rotate on every message. The relay in the middle carries ciphertext. Nothing else. No one else.

one file · 5.7 mb · sha-256 verifiable · runs from disk
faq — six questions

before you ask.

01 what is aes512?

A 512-bit-key, 512-bit-block cipher built on the wide-trail design behind AES — then hardened: 18 rounds, a SHAKE-256 key schedule with no related-key structure to attack, and a fully constant-time core immune to cache-timing. Wrapped in an encrypt-then-MAC AEAD that commits to its key. Bigger margins than AES-256 on every axis we can measure.

02 can anyone read my messages?

No. Every message is encrypted and decrypted inside your browser. The relay between you is an untrusted pipe — it pairs two peers and forwards ciphertext. No keys, no plaintext, no storage, no accounts. There is nothing in the middle to read, and nothing to hand over.

03 what makes it post-quantum?

Every conversation opens with a hybrid X25519 + ML-KEM-1024 handshake, and both sides authenticate with static ML-KEM keys alongside Ed25519 signatures. Breaking a recorded session means breaking the curve and the lattice. Record-now, decrypt-later dies here.

04 what if a key is stolen?

Keys rotate on every single message, and the chain only moves forward — a compromised key recovers nothing already sent. Every connection starts with a fresh handshake, and your identity key rests encrypted under your passphrase. It never touches disk in plaintext.

05 do i have to trust your servers?

You don’t — and you don’t have to use them. The relay is one stateless ~16 MB binary with this whole site inside: run it on your own box, behind your own proxy, or as a Tor onion service. Anyone can host the end of the world.

06 has it been audited?

Not yet — and we won't pretend otherwise. The protocol stands on standardized primitives (ML-KEM-1024, Ed25519, SHA-512), and the AES512 core is specified byte for byte, with pinned test vectors, reproducible builds, and a full published analysis. But today it sits at specified and self-analysed, not independently reviewed — so we do not call it secure, and we won't until cryptographers outside the project have attacked it in the open. The roadmap tracks exactly what that takes and where we stand on the ladder; the open problems and any breaks live as public issues. Confidence is earned in the open, and we stand where you can see us.

self-host — the relay

host the end of the world.

The relay is one static binary with everything inside — this page, the app, the offline file. Run it and you are the infrastructure: it pairs two peers by a room code, forwards their ciphertext, and that is all it ever touches. Put it behind your own proxy, on a spare box, or behind a Tor onion address.

SHA256SUMS.txt · verify: shasum -a 256 -c SHA256SUMS.txt · then: ./ragnarok-relay_<platform> and open port 8080
manifesto
no provider to compel.
no store to filter.
no update to poison.
nothing to seize.

Ragnarok is one file you can hold — verify it byte for byte, run it from disk, point it at any relay on earth. No accounts. No code that changes without your consent. Nothing worth taking in the middle. When the networks you trusted burn down, this still works.

outlast the end of the world.
ragnarok © 2026
app sha-256 8e43bc32264b… · research artifact — unaudited