crypto

> -   **There’s no forward secrecy.** Unlike Signal protocol, which uses a [double-ratchet](https://signal.org/docs/specifications/doubleratchet/) to continuously update the user’s secret keys, the XChat cryptography just encrypts each message under a recipient’s long-term public key. The actual encryption mechanism is based on an encryption scheme from [libsodium](https://doc.libsodium.org/).
> -   **User private keys are stored at X.** XChat stores user _private key_s at its own servers. To obtain your private keys, you first log into X’s key-storage system using a password such as PIN. This is needed to support stateless clients like web browsers, and in fairness it’s not dissimilar to what Meta has done with its encryption for [Facebook Messenger and Instagram](https://about.fb.com/news/2023/12/default-end-to-end-encryption-on-messenger/). Of course, those services use Hardware Security Modules (HSMs), and critically, X does not appear to.
> -   **X’s key storage is based on “Juicebox.”** To implement their secret-storage system, XChat uses a protocol called [Juicebox](https://juicebox.xyz/). Juicebox “shards” your key material across three servers, so that in principle the loss or compromise of one server won’t hurt you.