ThermoCrypt Flowchart

Hybrid Post-Quantum Architecture Explorer (ML-KEM-768 + X25519)

%%{init: {'flowchart': {'curve': 'linear'}}}%%
flowchart TD
    GenA["Start: generate_identity_v4"]:::start
    GenSec["Init Secure Memory:
    • mlock (No Swap)
    • sodium_init"]:::memsec
    GenB["Enter Password"]:::input
    GenC["Generate Keypair:
    • ML-KEM-768 (PQ)
    • X25519 (Classic)
    • ML-DSA-65 (Signing)"]:::process
    GenD["Composite Public Key Blob
    (PQ pk + X pk + Sig pk)"]:::data
    GenE["Sign Public Blob with ML-DSA-65"]:::process
    GenF["Generate Random DEK (32 bytes)"]:::process
    GenG{"TPM Mode Enabled?"}:::decision
    GenH["TPM: Create RSA Key in TPM
    Encrypt DEK via TPM (OAEP)"]:::tpm
    GenI["Argon2id -> KEK from pass + salt
    Encrypt DEK via XChaCha20"]:::disk
    GenJ["Save sealed DEK to resonance.vault"]:::storage
    GenK["Encrypt Private Keys (priv_blob)
    using DEK -> enc_priv"]:::process
    GenL["Save to vault: sealed_dek || nonce || enc_priv"]:::storage
    GenM["Create Header with HMAC (from pass)
    and Public Blob Fingerprint"]:::process
    GenN["Write .thermoid file:
    Header || pub_keys || signature"]:::output
    GenWipe["RAII Destructors:
    Wipe Plaintext Keys (sodium_memzero)"]:::memsec
    GenO["Done: Identity Ready"]:::finish

    GenA --> GenSec
    GenSec --> GenB
    GenB --> GenC
    GenC --> GenD
    GenD --> GenE
    GenE --> GenF
    GenF --> GenG
    GenG -- "Yes" --> GenH
    GenG -- "No (Disk)" --> GenI
    GenH --> GenJ
    GenI --> GenJ
    GenJ --> GenK
    GenK --> GenL
    GenL --> GenM
    GenM --> GenN
    GenN --> GenWipe
    GenWipe --> GenO

    classDef start fill:#ecf0f1,stroke:#2c3e50,stroke-width:2px;
    classDef finish fill:#27ae60,stroke:#2ecc71,color:white;
    classDef process fill:#fff,stroke:#3498db,stroke-width:2px;
    classDef decision fill:#fff,stroke:#f1c40f,stroke-width:2px;
    classDef tpm fill:#e8f8f5,stroke:#16a085,stroke-dasharray: 5 5;
    classDef disk fill:#fdfefe,stroke:#95a5a6,stroke-dasharray: 5 5;
    classDef data fill:#ebf5fb,stroke:#3498db;
    classDef output fill:#f9ebea,stroke:#e74c3c;
    classDef memsec fill:#2c3e50,stroke:#e74c3c,color:#ecf0f1,stroke-width:2px,stroke-dasharray: 5 5;

%%{init: {'flowchart': {'curve': 'linear'}}}%%
flowchart TD
    EncA["Start: encrypt_stream_v3"]:::start
    EncB["Read Recipient .thermoid"]:::input
    EncC["Verify Public Key Blob Signature
    (ML-DSA-65)"]:::security
    EncD["Encapsulate with ML-KEM-768
    -> PQ shared secret + ciphertext"]:::process
    EncE["Generate Ephemeral X25519 Keypair"]:::process
    EncF["X25519 (Ephemeral sk + Static pk)
    -> Classic shared secret"]:::process
    EncG["Blake2b Hash (PQ ss + X ss) -> Master Key"]:::hybrid
    EncWipe["RAII: Wipe Ephemeral Secrets
    (PQ ss, X ss, Eph sk)"]:::memsec
    EncH["Init XChaCha20-Poly1305 Stream
    with Master Key"]:::process
    EncI["Write File Header:
    THERMO_V1 || ML-KEM ct || eph X pk"]:::output
    EncJ{"Read Input Chunks"}:::decision
    EncK["Encrypt Chunk (Push) + Tag"]:::process
    EncL["Finished Encrypted File (.thermo)"]:::finish

    EncA --> EncB
    EncB --> EncC
    EncC --> EncD
    EncD --> EncE
    EncE --> EncF
    EncF --> EncG
    EncG --> EncWipe
    EncWipe --> EncH
    EncH --> EncI
    EncI --> EncJ
    EncJ --> EncK
    EncK --> EncJ
    EncJ -- "FINAL Tag" --> EncL

    classDef start fill:#ecf0f1,stroke:#2c3e50;
    classDef finish fill:#27ae60,stroke:#2ecc71,color:white;
    classDef process fill:#fff,stroke:#3498db;
    classDef hybrid fill:#8e44ad,stroke:#9b59b6,color:white;
    classDef security fill:#f39c12,stroke:#d35400,color:white;
    classDef memsec fill:#2c3e50,stroke:#e74c3c,color:#ecf0f1,stroke-width:2px,stroke-dasharray: 5 5;

%%{init: {'flowchart': {'curve': 'linear'}}}%%
flowchart TD
    DecA["Start: decrypt_logic_v4"]:::start
    DecAnti["Anti-Forensics:
    • Debugger Check (ptrace)"]:::memsec
    DecB["Enter Password"]:::input
    DecC["Read Own .thermoid -> Header"]:::input
    DecD["Verify Header HMAC with Password"]:::security
    DecE{"Read resonance.vault"}:::storage
    DecF{"Binding Type?"}:::decision
    DecG["TPM: Decrypt Sealed DEK (RSA)"]:::tpm
    DecH["Disk: Argon2id -> KEK
    Decrypt Sealed DEK"]:::disk
    DecI["Retrieve DEK (32 bytes)"]:::process
    DecJ["Decrypt priv_blob with DEK
    -> PQ sk + X sk"]:::security
    DecK["Read File: THERMO_V1 + Keys + Header"]:::input
    DecL["Decapsulate ML-KEM ct (PQ sk)
    -> PQ shared secret"]:::process
    DecM["X25519 (Eph pk + Own sk)
    -> Classic shared secret"]:::process
    DecN["Blake2b Hash (PQ ss + X ss) -> Master Key"]:::hybrid
    DecO["Init Secretstream Pull"]:::process
    DecP{"Read Chunks"}:::decision
    DecQ["Decrypt Chunk (Pull)"]:::process
    DecWipe["RAII: Wipe Master Key &
    Priv Keys immediately"]:::memsec
    DecR["Decryption Successful"]:::finish

    DecA --> DecAnti
    DecAnti --> DecB
    DecB --> DecC
    DecC --> DecD
    DecD --> DecE
    DecE --> DecF
    DecF -- "TPM" --> DecG
    DecF -- "Disk" --> DecH
    DecG --> DecI
    DecH --> DecI
    DecI --> DecJ
    DecJ --> DecK
    DecK --> DecL
    DecL --> DecM
    DecM --> DecN
    DecN --> DecO
    DecO --> DecP
    DecP --> DecQ
    DecQ --> DecP
    DecP -- "FINAL Tag OK" --> DecWipe
    DecWipe --> DecR

    classDef start fill:#ecf0f1,stroke:#2c3e50;
    classDef finish fill:#27ae60,stroke:#2ecc71,color:white;
    classDef hybrid fill:#8e44ad,stroke:#9b59b6,color:white;
    classDef security fill:#c0392b,stroke:#e74c3c,color:white;
    classDef memsec fill:#2c3e50,stroke:#e74c3c,color:#ecf0f1,stroke-width:2px,stroke-dasharray: 5 5;
