PhantomChat v3.0.0: PQXDH (ML-KEM-1024 + X25519) + MLS RFC 9420 + Monero stealth addresses in Rust — pre-audit, looking for crypto review

Cryptography news and discussions·/u/RepulsiveRepublic463·about 1 month ago

Built and shipped a desktop messenger that stacks several privacy primitives in one wire format:

**Envelope (Monero stealth model)**

- Recipient publishes (view_pub, spend_pub) as `phantom:<view>:<spend>`
- Sender's ephemeral r:
  - tag = HMAC(HKDF(r × view_pub, "ViewTag"), epk)
  - enc_key = HKDF(r × spend_pub, "Envelope")
  - ciphertext = XChaCha20-Poly1305(enc_key, payload, aad=tag)
- Receiver scans every envelope on the relay with view_secret (O(1) ECDH+HMAC per envelope), opens matching ones with spend_secret
- Relay structurally cannot link sender↔receiver because every envelope on the wire looks identical

**PQXDH hybrid envelope (v2)**

- When recipient address carries ML-KEM-1024 pub (`phantomx:` prefix):
  - enc_key = HKDF(spend_shared || mlkem_shared, "PhantomChat-v2-HybridEnvelope")
  - Both X25519 and ML-KEM must break to recover
- Wire-version-byte distinguishes v1 (classic) from v2 (hybrid) — fully backward compatible

**Ratchet bootstrap via ECDH…
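The view-tag check and the v1/v2 key derivation listed in the post, as an added Python sketch that is not part of the original post and not the project's Rust code. It assumes HKDF-SHA256 with an empty salt, the quoted strings used as the HKDF `info` label, 32-byte outputs, and constructed byte strings standing in for the X25519 and ML-KEM-1024 shared secrets; the length and all-zero checks are additions here, not something the post describes.

```python
import hashlib
import hmac
from typing import Optional

KEY_LEN = 32  # X25519 output and ML-KEM-1024 shared secret are both 32 bytes


def hkdf_sha256(ikm: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF with SHA-256 and an empty salt (both are assumptions)."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _check_secret(secret: bytes) -> bytes:
    # Fixed lengths keep `a || b` unambiguous; an all-zero X25519 result
    # means the peer sent a low-order point (RFC 7748, section 6.1).
    if len(secret) != KEY_LEN or secret == bytes(KEY_LEN):
        raise ValueError("shared secret has wrong length or is all zero")
    return secret


def view_tag(view_shared: bytes, epk: bytes) -> bytes:
    """tag = HMAC(HKDF(r x view_pub, "ViewTag"), epk)"""
    tag_key = hkdf_sha256(_check_secret(view_shared), b"ViewTag")
    return hmac.new(tag_key, epk, hashlib.sha256).digest()


def is_for_me(view_shared: bytes, epk: bytes, wire_tag: bytes) -> bool:
    """Receiver-side scan check, compared in constant time."""
    return hmac.compare_digest(view_tag(view_shared, epk), wire_tag)


def envelope_key(spend_shared: bytes, mlkem_shared: Optional[bytes] = None) -> bytes:
    """v1 key from X25519 alone, or v2 hybrid key when an ML-KEM secret is given."""
    if mlkem_shared is None:
        return hkdf_sha256(_check_secret(spend_shared), b"Envelope")
    ikm = _check_secret(spend_shared) + _check_secret(mlkem_shared)
    return hkdf_sha256(ikm, b"PhantomChat-v2-HybridEnvelope")


# Constructed sample values standing in for real ECDH / ML-KEM outputs.
EPK = bytes(range(32))
VIEW_SHARED = hashlib.sha256(b"constructed view secret").digest()
SPEND_SHARED = hashlib.sha256(b"constructed spend secret").digest()
MLKEM_SHARED = hashlib.sha256(b"constructed ml-kem secret").digest()
```

Because the two labels differ, a v1 key and a v2 key derived from the same X25519 secret never collide, and changing either input to the hybrid derivation yields an unrelated key.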
