Both parties generate Ed25519 keypairs independently. Public keys are exchanged over an authenticated channel. No private key material leaves either system at any point in the protocol.
Ed25519 · RFC 8032HKDF-SHA256 derives a symmetric session key from the shared secret and a freshly generated nonce. The derived key is scoped to this session only — it cannot be reused across sessions or parties.
HKDF-SHA256 · RFC 5869The sending party applies SHA-256 to each raw identifier (phone, email, or similar) using a salt derived from the session key. The original PII never enters the transport layer — only the hash does.
SHA-256 · FIPS 180-4The hashed payload is encrypted with AES-256-GCM using the session key. GCM provides authenticated encryption — the recipient can verify ciphertext integrity before decryption, preventing tampering in transit.
AES-256-GCM · FIPS 197The sender signs the ciphertext envelope with their Ed25519 private key. The signature is appended to the transmission. The recipient can verify provenance before decrypting — a spoofed packet fails signature verification immediately.
Ed25519 Signing · RFC 8032The recipient verifies the Ed25519 signature against the sender's public key. Only upon successful verification does AES-256-GCM decryption proceed. Any modification to the ciphertext fails the GCM authentication tag.
Verify → DecryptThe recipient applies the same HKDF-derived salt to their own identifier pool, producing SHA-256 hashes locally. Matches are resolved by hash comparison — the recipient's raw identifiers never leave their system either.
Bilateral Zero-DisclosureEvery exchange event is appended to a tamper-evident audit log with HMAC integrity. Session keys are single-use and destroyed post-exchange. Key rotation schedules are enforced at the protocol layer — not by policy alone.
HMAC-SHA256 · Append-Only