Autocrypt v2

Post-Quantum Cryptography & Reliable Deletion

Daniel Kahn Gillmor (ACLU)
IETF OpenPGP designated expert

Friedel Ziegelmayer (n0)
rPGP Rust maintainer

holger krekel (merlinux)
chatmail and Delta Chat

What is Autocrypt v2?

🔒 Modern OpenPGP v6 certificate for messaging

🛡️ Post-quantum resistant encryption

🗑️ Reliable deletion (“forward secrecy”)

🌐 Designed for decentralized delay-tolerant messaging systems

Protection against “decrypt later” attacks

📡 Today: Adversaries collect in-transit encrypted messages

↓ months to years

🔓📱 Later: Obtain secret keys → decrypt deleted/collected messages

↓ years to decades

🖥️⚛️ Much later: Quantum computers → decrypt all collected messages

Autocrypt v2 protects against both decrypt-later attack scenarios

Reliable Deletion: what matters for users

🛡️ Deletion works against decrypt-later attacks

🌐 Reliable in fragmented/splintering networks

📝 “Reliable Deletion” > “Forward Secrecy” (clearer term)

Autocrypt v2: A Simpler Path

Traditional Reliable Deletion

Network sync required 🤯

Central servers needed 😭

Multi-device complexity 😵

Autocrypt v2 solution

⌛ Clock-time based

🌿 Works offline

🕊️ Zero coordination

Autocrypt v1 → v2: What Changed?

v1 (Email-focused)

📧 Bound to email address

🏷️ Email as identity layer

→

v2 (Universal)

🌐 Transport agnostic

🔐 Pure cryptographic identity

Same goal: Automatic, standards-based, interoperable E2E encryption

Autocrypt v2 Key Technical Features

Post-Quantum: Hybrid ML-KEM-768 + X25519
Reliable Deletion: Automatic key expiration & destruction
Compact: Fixed 2938-byte certificates
Interoperable: Standard OpenPGP v6 (RFC 9580)
Easy: See rPGP and Python examples

Autocrypt v2 Certificate (6 Packets)

🔑 A. Primary Key (Ed25519) • Signing & Certification

B. Direct Key Signature (defines features, no expiry)

C. Fallback Subkey (ML-KEM-768 + X25519) • Long-term encryption

D. Subkey Binding (no expiry)

E. Rotating Subkey (ML-KEM-768 + X25519) • Short-term encryption

F. Subkey Binding (expires: max_rd=10d)

📦 Fixed Size: 2938 bytes

Key Rotation Schedule

⏱️ Rotating subkey: Valid for max_rd (default: 10 days)

🔄 New generation: At min_rd before expiry

📬 Delivery delay: 10 days assumed

🗑️ Auto-delete: After max_rd + 10 days

Autocrypt v2 Key Ratcheting Algorithm

🔄 Deterministic key derivation from previous subkey

🔐 Uses HKDF with SHA2-512 for cryptographic ratcheting

⏱️ Time-based rotation synchronized across all devices

🎯 No network coordination needed

Key Ratcheting

        
        prior rotating          
        subkey secret   ───> normalize_x25519
             |                     |
         (inputs)                  |
    info     |     salt            | IKM
      |      |       |             |
      v      v       v             v
    ┌─────────────────────────────────┐
    │                                 │
    │   HKDF (SHA2-512, L=160)        │
    │                                 │
    └──────────────┬──────────────────┘
                   |
                   |
         ┌─────────┴─────────┐
         v                   v
     64 bytes            96 bytes
         |                   |
         |                   |
         v                   v
    SHA2-512          normalize_x25519
         |                   |
         |                   |
         v                   v
   16-byte salt      next rotating
   (for binding)     subkey secret

Two Encryption Subkeys: Fallback vs Rotating

Fallback Subkey: Long-term hybrid encryption key
- Used when no rotating subkey valid
- ⚠️ NOT reliably deletable
Rotating Subkey: Short-term hybrid encryption key
- Must be used if valid
- Rotates every 5 days (see min_rd in spec)
- Auto-destroyed after expiry
- ✅ Reliably deletable messages

Peer Certificate Management

📥 Incoming certs merged into local cache

🧹 Pruning: Remove expired keys

🔐 Encryption priority:

Valid rotating subkey? → Use it
Pick earliest expiry (faster deletion)
Never use fallback if rotating available

Beware of coordinated deletion

🔄 Need to delete all copies on all devices

💾 What about backups & offline devices?

⚠️ Out of scope for Autocrypt v2

Delta Chat, Signal and other apps offer coordinated deletion.

Hybrid Cryptography Explained

ML-KEM-768: Post-quantum algorithm (NIST standard)
X25519: Classical elliptic curve
Hybrid approach: Security if either algorithm is secure
Protection against both classical and quantum attacks
Future-proof encryption

🔐 Autocrypt v2 = ML-KEM-768 ⊕ X25519

Autocrypt v2 Practical Benefits

🗑️ Deleted messages = gone forever

🤖 Fully automatic (no user action)

🌐 Works with existing Internet messaging infrastructure

📡 No network sync required (fewer failures)

Comparisons with other E2EE efforts

Feature	Autocrypt v2	Signal	Matrix	MLS
Post-Quantum	✅	✅	🔄 In-dev	✅
Reliable Deletion	✅	✅	✅ + UTD	✅
Minimal metadata	✅	⚠️ Binding	⚠️ servers	⚠️ Binding
Decentralized	✅	❌	✅	🔄 in-dev
Formal specification	✅	❌	✅	✅
Simple implementation	✅	❌	❌	❌

Autocrypt v2 status and roadmap

📝

Q1 2026
Draft Spec

🛠️

Q2 2026
Implementation

✅

Q3 2026
Testing & Polish

🚀

Q4 2026
App Releases

See chatmail.at/clients for clients and bots that will seamlessly upgrade

Get involved: other implementers welcome!

Scan to chat with holger

chatmail Logo Delta Chat Logo Arcanechat Logo DeltaTouch Logo

Experienced Rust developer?
Interested in chatmail and Delta Chat?
Talk to us :)

Autocrypt v2 Specifications & Resources

Fosdem 2026 Autocrypt v2 talk