LumaChat Whitepaper

Secure, Privacy-First Messaging Platform with End-to-End Encryption

Version 2.9.11 · December 2025 · Build 157

Executive Summary

"The LumaChat server cannot read your messages. Encrypted data can only be opened by you and the recipient."

LumaChat is a next-generation messaging platform that combines enterprise-grade encryption, real-time communication, and a cultural aesthetic inspired by Indonesian batik.

Key Highlights

  • Signal Protocol (X3DH + Double Ratchet)
  • LINK ID System
  • Zero-Knowledge Server
  • 100MB+ File Upload
  • Per-Chat Privacy
  • WebRTC Calls
  • Flutter Cross-Platform

Vision & Mission

Vision

LumaChat envisions a world where secure communication is accessible to everyone without sacrificing privacy, usability, or cultural identity.

Mission

To provide a messaging platform that:

  • Implements industry-standard end-to-end encryption
  • Requires no phone number (LINK ID)
  • Gives users full control over their privacy
  • Incorporates Indonesian cultural design

Core Values

| Value | Description |
|---|---|
| Privacy First | Privacy is not a feature, it is the foundation |
| Zero Knowledge | The server cannot read messages |
| User Control | Users have full control |
| Transparency | The architecture is documented |

Technology Stack

Frontend (Mobile)

| Technology | Version | Purpose |
|---|---|---|
| Flutter | 3.x | Cross-platform framework |
| Riverpod | 2.6.1 | State management |
| Isar | 3.1.0 | Local database |
| cryptography | 2.7.0 | Signal Protocol |
| flutter_webrtc | 0.12.4 | Voice/Video calls |

Backend

| Technology | Version | Purpose |
|---|---|---|
| Node.js | 18+ | Runtime |
| Express | 4.18.2 | REST API |
| WebSocket (ws) | 8.16.0 | Real-time messaging |
| SQLite | better-sqlite3 | Metadata storage |
| MinIO | 7.1.3 | Encrypted media storage |

Security & Encryption

Signal Protocol

LumaChat implements the Signal Protocol with the following components:

  • X3DH (Extended Triple Diffie-Hellman) - Key exchange
  • Double Ratchet - Forward secrecy per message
  • AES-256-GCM - Symmetric encryption
  • X25519 - Elliptic curve key pairs

E2EE Scope

| Data Type | E2EE | Notes |
|---|---|---|
| Text Messages | ✅ Yes | Encrypted on device |
| Media Files | ✅ Yes | AES-GCM before upload |
| Voice/Video Calls | ✅ Yes | WebRTC DTLS-SRTP |
| Metadata | TLS only | Sender/recipient IDs |

Key Management

| Key Type | Rotation | Storage |
|---|---|---|
| Identity Key | Never (unless compromised) | Secure storage |
| Signed PreKey | Every 7 days | Server (public only) |
| One-Time PreKey | Single use | Server (public only) |
| Session Key | Per message (ratchet) | Device memory |
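
The handshake named in the Signal Protocol list and the key types in the Key Management table fit together as sketched here. This is an added Node.js example, not LumaChat's code: the function names, the HKDF info string, and the separate Ed25519 signing key (standing in for Signal's XEdDSA signature made with the identity key) are assumptions.

```javascript
const crypto = require('node:crypto');

const x25519 = () => crypto.generateKeyPairSync('x25519');
const dh = (priv, pub) => crypto.diffieHellman({ privateKey: priv, publicKey: pub });
const der = (pub) => pub.export({ type: 'spki', format: 'der' });

// X3DH KDF for X25519: HKDF(32 bytes of 0xFF || DH1 || DH2 || DH3 [|| DH4]), zero salt.
function kdf(dhOutputs) {
  const ikm = Buffer.concat([Buffer.alloc(32, 0xff), ...dhOutputs]);
  return Buffer.from(crypto.hkdfSync('sha256', ikm, Buffer.alloc(32), 'x3dh-example', 32));
}

// Recipient: private keys stay on the device, only the public bundle goes to the server.
function makeBundle() {
  const signer = crypto.generateKeyPairSync('ed25519'); // assumption: stands in for XEdDSA
  const ik = x25519(), spk = x25519(), opk = x25519();
  const spkSig = crypto.sign(null, der(spk.publicKey), signer.privateKey);
  return {
    secret: { ik, spk, opk },
    bundle: { signPub: signer.publicKey, ik: ik.publicKey, spk: spk.publicKey,
              spkSig, opk: opk.publicKey },
  };
}

// Initiator: verify the signed prekey before any DH, then derive the shared secret SK.
function initiate(myIk, bundle) {
  if (!crypto.verify(null, der(bundle.spk), bundle.signPub, bundle.spkSig)) {
    throw new Error('signed prekey signature invalid');
  }
  const ek = x25519(); // ephemeral key, used for this handshake only
  const dhs = [
    dh(myIk.privateKey, bundle.spk), // DH1 = DH(IK_A, SPK_B)
    dh(ek.privateKey, bundle.ik),    // DH2 = DH(EK_A, IK_B)
    dh(ek.privateKey, bundle.spk),   // DH3 = DH(EK_A, SPK_B)
  ];
  if (bundle.opk) dhs.push(dh(ek.privateKey, bundle.opk)); // DH4 = DH(EK_A, OPK_B)
  return { sk: kdf(dhs), ekPub: ek.publicKey };
}

// Recipient: mirror the same DH operations with its own private keys.
function respond(secret, peerIkPub, ekPub, usedOpk) {
  const dhs = [
    dh(secret.spk.privateKey, peerIkPub),
    dh(secret.ik.privateKey, ekPub),
    dh(secret.spk.privateKey, ekPub),
  ];
  if (usedOpk) dhs.push(dh(secret.opk.privateKey, ekPub));
  return kdf(dhs);
}
```

The server only ever relays `bundle` and `ekPub`, so it never holds an input from which SK can be computed; SK then seeds the Double Ratchet.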

Feature Set

Core Features

  • LINK ID System - Unique identifier (LX-XXXX-XXXX), no phone required
  • E2E Encrypted Messaging - Text, media, documents
  • Voice & Video Calls - WebRTC with LiveKit SFU
  • Group Chat - Multi-participant conversations
  • Diary (Stories) - 24-hour ephemeral content

Privacy Features (v2.8.7+)

  • Per-Chat Privacy Controls - Disappearing messages, media cache per chat
  • Encryption Transparency - Privacy Badge, session fingerprint
  • Privacy Presets - Default, High Privacy, Maximum Privacy
  • Email Recovery - Optional account recovery

Technical Features

  • Chunked Media Upload - 100MB+ files with 256KB chunks
  • Data-Only FCM - Privacy-preserving push notifications
  • WebSocket Real-time - Sub-second message delivery
  • Offline-First - Local database with sync
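
One way to encrypt media in 256KB chunks with AES-256-GCM before upload so that the storage server cannot reorder or truncate chunks undetected. This is an added Node.js example, not LumaChat's code: the nonce layout (random prefix, chunk index, final-chunk flag) and the function names are assumptions, and the key is assumed to be a fresh random 32-byte key per file.

```javascript
const crypto = require('node:crypto');

const CHUNK_SIZE = 256 * 1024; // chunk size stated on the page
const TAG_LEN = 16;            // GCM authentication tag length in bytes

// Assumed nonce layout: 7-byte random file prefix || 4-byte chunk index || 1-byte final flag.
// Binding index and final flag into the nonce makes a moved or dropped chunk fail its tag.
function nonceFor(prefix, index, isLast) {
  const n = Buffer.alloc(12);
  prefix.copy(n, 0);
  n.writeUInt32BE(index, 7);
  n[11] = isLast ? 1 : 0;
  return n;
}

// Runs on the sender's device; only { prefix, chunks } is uploaded.
function encryptFile(plain, key) {
  const prefix = crypto.randomBytes(7);
  const total = Math.max(1, Math.ceil(plain.length / CHUNK_SIZE));
  const chunks = [];
  for (let i = 0; i < total; i++) {
    const nonce = nonceFor(prefix, i, i === total - 1);
    const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
    const part = plain.subarray(i * CHUNK_SIZE, (i + 1) * CHUNK_SIZE);
    chunks.push(Buffer.concat([c.update(part), c.final(), c.getAuthTag()]));
  }
  return { prefix, chunks };
}

// Runs on the recipient's device; throws if any chunk was altered, moved or removed.
function decryptFile({ prefix, chunks }, key) {
  const parts = chunks.map((chunk, i) => {
    const nonce = nonceFor(prefix, i, i === chunks.length - 1);
    const d = crypto.createDecipheriv('aes-256-gcm', key, nonce);
    d.setAuthTag(chunk.subarray(chunk.length - TAG_LEN));
    return Buffer.concat([d.update(chunk.subarray(0, chunk.length - TAG_LEN)), d.final()]);
  });
  return Buffer.concat(parts);
}
```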

Architecture Overview

┌─────────────────────────────────────────────────────────────┐
│                     CLIENT (Flutter)                         │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐          │
│  │   UI Layer  │  │   Riverpod  │  │    Isar     │          │
│  │  (Widgets)  │  │   (State)   │  │  (Local DB) │          │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘          │
│         └────────────────┼────────────────┘                  │
│                          ▼                                   │
│  ┌─────────────────────────────────────────────────────┐    │
│  │              Services Layer (Encryption)             │    │
│  │   Signal Protocol │ WebSocket │ WebRTC │ FCM        │    │
│  └─────────────────────────────────────────────────────┘    │
└─────────────────────────────┬───────────────────────────────┘
                              │ HTTPS/WSS (TLS 1.2+)
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                     SERVER (Node.js)                         │
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐          │
│  │   Express   │  │  WebSocket  │  │   SQLite    │          │
│  │  (REST API) │  │  (Real-time)│  │ (Metadata)  │          │
│  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘          │
│         └────────────────┼────────────────┘                  │
│                          ▼                                   │
│  ┌─────────────────────────────────────────────────────┐    │
│  │                 MinIO (Encrypted Blobs)              │    │
│  │         Server has NO decryption keys                │    │
│  └─────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────┘

Roadmap

✅ Completed (v2.8.7 - v2.9.x)

  • Conversation Transparency Mode
  • Per-Chat Privacy Profile
  • Proof-of-Privacy Badge
  • Chunked Media Upload (100MB+)
  • Data-Only FCM

🔜 Phase 2 (v3.0.x)

  • Offline-First Superpower - Seamless offline queue
  • Message Integrity Receipt - Cryptographic verification
  • Ephemeral Media Firewall - View-once media

📅 Phase 3 (v3.2.x+)

  • Desktop apps (Windows, macOS, Linux)
  • E2E encrypted backups
  • Multi-account support

Full Technical Whitepaper

For complete technical documentation, including the API reference, database schema, and implementation details, contact the development team.

dev@lumachat.xyz