e2hat — end-to-end encryption in the browser

e2hat is an end-to-end encrypted web chat built on the ecutils elliptic-curve code: encryption runs in the browser, so the server only ever relays ciphertext. The initial release got messages moving; the days after were about authentication, forward secrecy, and replay protection.

Keys that don't outlive the conversation. The first version reused a static Diffie–Hellman key. That was replaced with ephemeral DH renegotiation, so each session derives fresh keys and a compromised key does not retroactively expose past messages — forward secrecy. Per-message scalars come from HKDF, with a fix to a sampling bias in how they were derived.

Assuming the channel is hostile. A server that relays ciphertext can still reorder, replay, or drop it. This added challenge–response authentication, ECDSA signatures, domain-separated authentication so a value signed for one purpose can't be reused for another, anti-replay state that survives a reload, and a pre-send probe that checks both sides agree on the ephemeral keys before a message goes out. Keys at rest are stored with AES-GCM in IndexedDB.

Messages as curve points. Because the transport is elliptic-curve, text has to become points on the curve (Koblitz encoding), which caps how much fits in one point. Long messages are split at word boundaries and reassembled into a single bubble on the other side.

e2hat runs at e2hat.com.