Social Encryption™ ("SE") is a quantum-resistant technology that allows 1:n people to communicate with end-to-end encryption (E2EE) across a network without manually exchanging keys. It does this by replacing network key exchanges with a symmetric key exchange from already known sources of entropy that can be acquired from anything, including passphrases, contents of files/images, or any offline/online source of data. By using shared experiences and knowledge, there is no need to perform traditional network handshakes to exchange shared keys. This symmetric key exchange leaves no network trace, i.e., the network does not know that any data has been exchanged when multiple parties communicate securely in an E2EE fashion.
SE is a "rolling cipher" algorithm, meaning that each entropy line is derived from a separate source and is compounded into the final result, an AES-256 shared key. This final AES-256-bit key is used for E2EE, encrypting all content between parties using AES-256-bit GCM mode. SE keys are identified across the network using a SHA-512 hash derived from an HMAC (hash-based message authentication code). This hash allows parties involved to know which SE key to use for the decryption of content without revealing any of the entropic data and other secrets used to derive the SE keys.
For example, Alice asks Bob if he still has that picture they took last year on holiday. Bob says he does. Then Alice asks if Bob remembers the name of her favorite restaurant. Fortunately for Bob, he does. They both add these items they have/know to Polynom's Social Encryption engine and now they can share fully encrypted messages unique to them alone.
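The Alice and Bob exchange above, as an added example that is not Polynom's own code: the page does not publish the SE construction, so the folding scheme, the `DOMAIN` label, the work factor and all function names here are assumptions. It shows each entropy source being compounded into one AES-256 key, and a SHA-512 HMAC identifier that lets a recipient pick the right key without exposing the key or its sources.

```python
import hashlib
import hmac

# Constructed label for domain separation; not a Polynom constant.
DOMAIN = b"se-example-v1"
STRETCH_ROUNDS = 50_000  # assumed work factor to slow guessing of weak inputs

def roll_key(sources):
    """Fold each entropy source, in order, into one 32-byte (AES-256) key."""
    if not sources:
        raise ValueError("at least one entropy source is required")
    state = hashlib.sha512(DOMAIN).digest()
    for index, source in enumerate(sources):
        # Hash the source first so a large image and a short phrase
        # both enter the chain as a fixed 64-byte value.
        digest = hashlib.sha512(source).digest()
        # The previous state keys the HMAC, so each line compounds the last.
        state = hmac.new(state, index.to_bytes(4, "big") + digest,
                         hashlib.sha512).digest()
    return hashlib.pbkdf2_hmac("sha512", state, DOMAIN + b"/key",
                               STRETCH_ROUNDS, dklen=32)

def key_id(key):
    """SHA-512 HMAC tag that names a key without revealing it or its sources."""
    return hmac.new(key, DOMAIN + b"/key-id", hashlib.sha512).hexdigest()

def select_key(keyring, announced_id):
    """Return the local key whose identifier matches the one on the wire."""
    for key in keyring:
        if hmac.compare_digest(key_id(key), announced_id):
            return key
    return None

# Constructed sample inputs standing in for the holiday picture and restaurant.
PHOTO = bytes(range(256)) * 8
ALICE = roll_key([PHOTO, b"Chez Example"])
BOB = roll_key([PHOTO, b"Chez Example"])
OTHER = roll_key([PHOTO, b"chez example"])  # one character differs

if __name__ == "__main__":
    print("shared id:", key_id(ALICE)[:16], "...")
    print("Bob finds key:", select_key([OTHER, BOB], key_id(ALICE)) == ALICE)
```

Both parties must supply byte-identical sources in the same order; a re-encoded image or a differently capitalised phrase yields an unrelated key and identifier.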
Post-quantum cryptography is a subset of cryptography designed to be secure against quantum computers. Some currently used cryptography is quantum-safe, meaning it is secure even if adversaries can use quantum computers. However, new post-quantum algorithms (especially lattice-based cryptography) are designed to be quantum-safe or quantum-proof.
Most symmetric encryption schemes are considered quantum-safe if they use sufficiently large key sizes. The same is said for most hash functions. However, it is essential to note that no cryptography can ever be guaranteed to be secure forever. Cryptography is constantly being tested and analyzed to make reliable assumptions about its security.
Code Siren implements the post-quantum algorithms submitted and accepted by the National Institute of Standards and Technology (NIST) standardization process. We believe they are promising long-term candidates for post-quantum cryptography standards.
Quantum Rooms™ are rooms only for individuals who share a common SE key. Just like the principles of Quantum Entanglement, the content within Quantum Rooms only exists as long as 1:n individuals view it. For this reason, Quantum Rooms are both temporal and ephemeral. The moment the last user leaves the Quantum Room, the content is permanently deleted, and the room ceases to exist. Quantum Rooms merge disappearing content and private rooms without manually inviting users and managing authorization.
Quantum Rooms are unique in that they are never created, nor are users ever invited to join the rooms. A Quantum Room only exists if 1:n users possess an SE key and happen to have entered the room. Users who have the same SE key(s) will be able to communicate securely with each other via E2EE encryption. Since Quantum Rooms are temporal, individuals can discuss matters of sensitivity and confidentiality without worrying about content management, such as manually setting message expiration rules as required in apps like Signal.
The content in a Quantum Room can be kept alive, i.e., prevented from auto-deletion, by having at least one person remain in the room. This feature allows the users to manually control the expiration of content by choosing to remain in the Quantum Room. The content will persist forever as long as at least one person remains in a Quantum Room.
Since a given Quantum Room is only visible to individuals with a specific SE key, deleting an SE key will make entrance into a previously accessible room impossible. They also allow individuals with the same SE keys to revisit the same rooms at a time without configuring anything within the server. Users who do not have a given SE key will have no way of knowing if any Quantum Rooms even exist on the server. This feature allows someone to host a server without channels or rooms (i.e., an “Empty Server”). The benefit of an empty server is that nobody can create channels or rooms, but only those with SE keys will see which Quantum Rooms are available to them.
Hiding-in-Plain Sight™ technology allows Polynom to operate securely (i.e., equivalent to a Type 1 Cryptographic device) on compromised networks, servers, and/or in hostile countries. Polynom achieves this by using various techniques to disguise its traffic and make it difficult to block or intercept.
For example, Polynom disguises its traffic by adding random noise to the lengths of requests and responses. This makes it difficult to write firewall rules based on the fixed lengths of different messages. Polynom also uses varying techniques for masquerading traffic as different Internet-standard byte patterns. This makes it even more difficult for inspection techniques (e.g., deep packet inspection) to identify and block Polynom traffic.
The only non-encrypted packets that Polynom uses are called control messages. These messages use random bytes and modulus math to transfer understanding across the network. This ensures that even if a control message is intercepted, it will be difficult to understand its meaning.
In addition to the techniques described above, Polynom uses various other techniques to protect its traffic, including PQC CRYSTALS Kyber-1024 exchanges resulting in AES 256-bit keys. These techniques make Polynom one of the most secure communications platforms available.
For further information, see: How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic.
From the Windows desktop application, click the settings (gear) icon in the toolbar. When the 3rd pane opens, click your Graphatar to reveal Manage Identities. This will list all your identities. Right-click the Graphatar you want to export, and choose Export. Please use a secure password. This export file contains the private keys for your identity.
In Android, tap your Graphatar's image from the main navigation page. This will open the Edit User page. From there, tap the 3-dot menu on the top right corner. There is an Export option in the bottom-up popup menu. Please use a secure password. This export file contains the private keys for your identity.
This assumes you have exported your Graphatar previously, and it has been saved in a password-protected file such as User.nom.
From the Windows desktop application, click the settings (gear) icon in the toolbar. When the 3rd pane opens, click Import Identity.
From the Android application, click the settings (gear) icon in the toolbar. Then click Identities. From there, tap the 3-dot menu on the top right corner. There is an Import option in the bottom-up popup menu.
Many Linux distros do not have appindicators enabled by default.
Install the appindicator extension:
sudo apt install gnome-shell-extension-appindicator
Reboot or log out/in, then run the following command:
gnome-extensions enable [email protected]
Install and then run the Extension Manager:
flatpak install flathub com.mattjakeman.ExtensionManager
flatpak run com.mattjakeman.ExtensionManager
Enable the Appindicator & KStatusNotifierItem Support extension.
The Polynom icon and menu should now appear on the system tray.
There are over 15 decillion possible Graphatars. That's 15,576,890,575,604,480,000,000,000,000,000,000 for those who like things spelled out. This is why sometimes it takes a while to scroll past a lot of not-so-interesting Graphatars until you find one that you love.
Polynom is Beta software. Until Polynom 1.0 is released, it is almost guaranteed that your Graphatar image will change as we update the Graphatar engine with improvements. Sorry about that! These updates can in no way alter the private encryption key that your Graphatar represents - your data is still secure.
VBR makes VoIP calls more efficient, because your client will broadcast smaller packets when you are making quieter sounds in a call. This is the default setting. If you have reason to believe that your encrypted calls are likely to be sniffed, turn VBR off in your client and it will always transmit the same size VoIP packets, making it impossible to sniff when you're speaking out loud or just breathing on the call.
In short, yes. Every single call on Polynom is end-to-end encrypted. This is facilitated by the server. But what if the server is compromised? The answer is simple. Use Social Encryption as another layer of security, and even the server will have no knowledge of the call's content. With Social Encryption in your VoIP call, you have a user-owned and user-controlled layer of end-to-end encryption wrapped inside the server-controlled end-to-end encryption. The call is still crystal clear. Our cryptography is future proof, DPI resistant, and quantum proof.
Polynom Server uses port 1337 by default. That can be changed on startup using -p xxxx at the command prompt. It is important to make sure that port 1337 is open in your host firewall and forwards from your router.
A private server is only accessible to a specific group of people, while a public server is accessible to anyone. Polynom Server allows server owners to restrict access by "whitelisting" users. Whitelisting can be used to restrict access to the server to members of a specific organization or enterprise. This can help to protect the server's resources and data from unauthorized access or to conserve resources (i.e., bandwidth).
Server owners in high security environments should mark their server as "Untrusted" and then provide the server's public key to all their users for manual input. This forces the user's clients to verify they are on the right server before connecting. This prevents Man-In-The-Middle (MITM) attacks.
When a server is listed as "Trusted" it means that the client will accept the server's public key (and any changes to it) at face value, and continue to communicate. For most public facing communities this setting is fine, as it would be very resource intensive to try and spoof a server instance.
Server Admins and users with the manage_server permission can add or remove an ID hash from both the whitelist and the blacklist. This change takes place immediately. No restart of servers or clients is required. A user must be whitelisted in order to join a private server. If an ID is blacklisted, they will never be able to access the server again.
If I am a Server Admin or have the manage_roles permission, I can see all the invisible roles. I will always be able to see an invisible role if it has been assigned to me. If I am not a Server Admin or do not have manage_roles, I will see the highest visible role that others have, but I will not see any invisible roles.
Polynom uses the very latest and strongest encryption recommended by NIST and the US NSA's Commercial National Security Algorithm (CNSA) Suite.
For further information, see: The Commercial National Security Algorithm Suite 2.0 FAQ.
Polynom deploys:
A Graphatar is a quick and easy visual representation of a user's cryptographic identity. Graphatars are rendered as layered images that allow users to quickly determine if the person they are speaking to is who they think it is. This makes Graphatars the first line of defense against phishing and identity theft by minimizing the likelihood that a user can pretend to be another user, a vulnerability commonly found on other platforms, such as Discord and Telegram. Because there are billions upon billions of unique combinations, Graphatars make it mathematically very difficult to trick users into believing they are somebody else. If a Graphatar doesn't seem right, for example because the colors or image composition don't appear as expected, further analysis can be done by examining the Graphatar's hash and/or the identifier. The Graphatar hash is a 64-byte SHA-512 hash of the Graphatar public keys. The Graphatar identifier is an 8-byte checksum of the 64-byte hash. These values help analyze possible threat actors, especially when a malicious individual attempts to impersonate a legitimate user.
Since identity is owned by the individual (and not a centralized store), every Polynom server a user connects to will render the Graphatar the same. This allows for an identity federation across disparate servers since the same public key(s) will verify all messages sent to those servers. This provides for authentication and non-repudiation. Not only does this allow all users across different servers to perceive a Graphatar identically, but it also allows messages sent to different servers to be trusted to have originated from the same place, i.e., the person with access to the Graphatar's private keys.
Self-hosting is running and maintaining a private server instead of using a cloud or service outside your control. This means you are responsible for your server's hardware, software, and security. Self-hosting is the foundation of data sovereignty and self-governance because it gives you control over your data.
Personal and enterprise data sovereignty is the right of individuals and businesses to control their private data, including where it is stored, how it is used, and who has access to it. Self-hosting provides several technical benefits, including data sovereignty, security, and compliance. Enterprises that self-host Polynom have full control over their work product, including where it is stored and how it is managed. Self-hosting can also help to increase security, as users can control the underlying infrastructure and security measures. Additionally, self-hosting can help teams to comply with regulations, such as those related to data privacy and legally mandated security.
Polynom offers self-hosting as an option for teams that require administrative control over their data and infrastructure. Self-hosted Polynom will be able to be installed on various operating systems, including Windows, Linux, and iOS. Currently Polynom-CE is Linux only.
Polynom also offers several resources to help teams self-host, including documentation, tutorials, and an FAQ.