Sryptos
Back to Blog

DEEP DIVE

Behind the Scenes: How We Built Sryptos’ Encryption Engine

Sryptos Engineering
Sryptos Engineering
October 22, 2025

The promise of "end-to-end encryption" is foundational to Sryptos. But what does it actually mean, and how did we implement it in a modern web application? This post is a technical deep dive into our encryption engine, built on the robust and native Web Crypto API.

Abstract visualization of glowing code

The Core Technology: Web Crypto API

Instead of relying on third-party libraries that could be compromised, we built our encryption directly on the Web Crypto API, a low-level interface available in all modern browsers. This gives us granular control and ensures our cryptography is performed by the browser's own battle-tested and highly optimized implementation. This approach is a core principle at our parent company, BHK Vision Labs.

The E2EE Handshake: ECDH Key Exchange

For every new conversation, a secure channel must be established. We use the Elliptic-curve Diffie-Hellman (ECDH) key exchange protocol. Here’s how our backend code facilitates this:

  1. Key Generation: When you start a chat, your device generates a unique public/private key pair (using the P-256 curve).
  2. Key Storage: Your private key is stored securely in your browser's local storage. It NEVER leaves your device.
  3. Key Exchange: Your public key is published to a shared Firestore document for the chat. You retrieve your contact's public key from the same document.
  4. Key Derivation: Using your private key and your contact's public key, both devices independently derive the exact same shared secret key. This is the magic of ECDH. This shared secret is a symmetric AES-256 key.

Because the private keys are never transmitted, an eavesdropper intercepting the public keys on our Firestore backend cannot derive the shared secret.

Message Encryption: AES-GCM

Once the shared AES key is derived, we use it to encrypt and decrypt messages with the AES-GCM (Galois/Counter Mode) algorithm. We chose AES-GCM for several key reasons:

  • Authenticated Encryption: It provides both confidentiality (encryption) and authenticity (integrity). This means we can be sure a message hasn't been tampered with in transit.
  • Performance: It is extremely fast and efficient, making it ideal for real-time chat applications.
  • Security: It is the industry standard for high-performance, authenticated symmetric encryption.

For each message, we generate a random 12-byte Initialization Vector (IV), encrypt the message, and send the resulting ciphertext and the IV to our server. The recipient's device uses the shared AES key and the IV to decrypt the message.

The Convenience Option: Synced AES

For users who need multi-device support, our Synced AES mode uses a similar principle but with a different key management strategy. This is part of a suite of professional tools offered by BHK Vision Labs to balance security and usability. A single master AES key is created and securely wrapped (encrypted) for each of the user's registered devices. When a new device logs in, it can unwrap the master key, giving it access to the entire encrypted chat history. While theoretically less secure than pure E2EE (as it relies on a shared master key), the encryption itself remains just as strong.