# CQRIT Architecture

## Overview

CQRIT is a client-side post-quantum encryption system with zero server-side key storage.

**Technology Stack:**
- **Frontend:** React (TypeScript)
- **Crypto Engine:** Rust → WebAssembly (primary), JavaScript (fallback)
- **Runtime:** Browser (client-side only)
- **Platform:** Web application + Browser extensions

## System Architecture

```
┌─────────────────────────────────────────────┐
│           User's Browser (Client)            │
│                                              │
│  ┌────────────────────────────────────┐     │
│  │  Memory Inputs (User Knowledge)    │     │
│  └──────────────┬─────────────────────┘     │
│                 │                            │
│                 ▼                            │
│  ┌────────────────────────────────────┐     │
│  │  Key Derivation Function (KDF)     │     │
│  │  (Rust or JavaScript)         │     │
│  └──────────────┬─────────────────────┘     │
│                 │                            │
│                 ▼                            │
│  ┌────────────────────────────────────┐     │
│  │  Private Key (In Memory Only)      │     │
│  └──────────────┬─────────────────────┘     │
│                 │                            │
│                 ▼                            │
│  ┌────────────────────────────────────┐     │
│  │  Encryption Engine                 │     │
│  │  (CRYSTALS-Kyber + Symmetric)      │     │
│  └──────────────┬─────────────────────┘     │
│                 │                            │
│                 ▼                            │
│  ┌────────────────────────────────────┐     │
│  │  Encrypted Data                    │     │
│  └──────────────┬─────────────────────┘     │
│                 │                            │
└─────────────────┼──────────────────────────┘
                  │
                  ▼
        ┌─────────────────┐
        │  Storage Layer  │
        │  - Local (free) │
        │  - Cloud (paid) │
        └─────────────────┘
```

## Data Flow

### Encryption Flow

1. **User Input**
   - User provides memory-based inputs
   - No validation (intentionally - privacy)

2. **Key Derivation**
   - Inputs processed through KDF
   - Deterministic output (same inputs = same key)
   - High computational cost (defense against brute force)

3. **Encryption**
   - Data encrypted with post-quantum algorithms
   - Symmetric encryption for data
   - Post-quantum layer (CRYSTALS-Kyber)

4. **Storage**
   - Encrypted data saved locally or cloud
   - Keys NEVER leave memory
   - Keys NEVER transmitted over network

### Decryption Flow

1. **User Input**
   - User provides same memory inputs

2. **Key Regeneration**
   - KDF regenerates identical key
   - No key lookup required

3. **Decryption**
   - Encrypted data retrieved from storage
   - Key applied to decrypt
   - Plaintext returned to user

4. **Key Disposal**
   - Key cleared from memory after use
   - Never persisted

## Component Architecture

### Frontend Layer (React/TypeScript)

**Responsibilities:**
- User interface
- Input collection
- Storage management
- Call crypto engine

**Does NOT:**
- Store keys
- Implement cryptography
- Access plaintext on server

### Crypto Engine (Rust/WebAssembly)

**Responsibilities:**
- Key derivation
- Encryption/decryption
- Post-quantum operations
- Memory management

**Properties:**
- Sandboxed execution
- No network access
- Fast performance
- Memory safety (Rust)

### Storage Layer

**Local Storage (Browser):**
- IndexedDB for encrypted items
- Unlimited capacity
- Offline-capable
- No key material

**Cloud Storage (Optional):**
- Encrypted items only
- No plaintext
- No key material
- Pricing based on item count

## Execution Model

### Client-Side Only

All cryptographic operations execute in the browser:

```
User Device → Browser → WASM/JS Engine → Encryption → Output
```

**Network Interaction:**
- Encrypted data sync (optional)
- No key transmission
- No plaintext transmission
- No cryptographic operations on server

### Offline Capability

CQRIT works completely offline:

1. Load app once (caching)
2. Generate keys (local computation)
3. Encrypt/decrypt (local operations)
4. Store locally (browser storage)

Internet only needed for:
- Cloud sync (optional)
- Sharing with others (optional)

## Security Properties

### No Server-Side Key Handling

- Keys generated in browser
- Keys used in browser
- Keys destroyed in browser
- Server never sees keys

### Deterministic Key Generation

- Same inputs → same key
- Multi-device support
- No key synchronization needed

### Zero Trust Architecture

- Don't trust servers
- Don't trust network
- Don't trust cloud providers
- Trust only client-side execution + cryptographic algorithms

## Scalability

### Client-Side Scaling

- Each user's encryption independent
- No server load for crypto operations
- Scales infinitely (client does the work)

### Storage Scaling

- Local: Limited by user's device
- Cloud: Pricing tiers (20 to 10,000 items)
- Automatic billing on tier upgrade

## Browser Compatibility

**Supported:**
- Chrome/Edge (Chromium)
- Firefox
- Safari
- Mobile browsers

**Requirements:**
- WebAssembly support
- Modern JavaScript (ES6+)
- LocalStorage/IndexedDB

## Performance Characteristics

**Key Generation:**
- First time: ~100-500ms
- Subsequent: Cached in session

**Encryption:**
- Small items (<1KB): ~1-10ms
- Large files (>1MB): ~100-1000ms

**Decryption:**
- Similar to encryption

**Network:**
- No dependency for crypto operations
- Cloud sync: depends on connection

## Deployment Architecture

**Web App:**
- Static hosting (Vercel/Netlify)
- CDN distribution
- No backend servers for crypto

**Browser Extension:**
- Same crypto engine
- Integration with web pages
- Local execution

---

**Next:** Read [Cryptography](crypto.md) for implementation details