bluebells / sealed-state
PRIVATE BETA · INVITED ACCESS
(BETA) INVITED ACCESS BUILD --------

PROVE you were invited.

Bluebells is in closed beta. If someone gave you an access key, paste it below. The key is verified server-side and never stored on this device in cleartext.

ACCESS KEY
Your key is checked over TLS against the relay's allowlist. Each tester gets a unique, revocable code.
UNIQUE PER TESTER Each beta key is unique. Revoking one key doesn't affect anyone else.
SERVER-VERIFIED Your key is checked by the relay over TLS. We don't ship a hash list to your browser.
EXPIRES The access token expires after 7 days. You'll re-enter the key after that.
bluebells · 2026 · PRIVATE BETA · NO ACCOUNTS · NO TRACKING ● RELAY OK
BLUEBELLS
Rooms opened 1,277
HOW CAPSULE INVISIBLE SEAL AUDIT OPEN A ROOM →
HOW CAPSULE INVISIBLE THE SEAL WHAT WE CAN'T DO AUDIT OPEN A ROOM →
ZERO-ACCOUNT MESSENGER + BURNER EMAIL OPEN PROTOCOL · v1.0 01 / 08

CONVERSATIONS no one CAN KEEP

Not another messenger. A different architecture. No phone number, no contacts upload, no account graph. Messages are sealed on your device with hybrid X25519 + ML-KEM-768; relays hold short-lived encrypted transit data and forget it on a 60-second TTL. LWE-based PIR makes which conversation you query cryptographically indistinguishable from the relay's view. Open spec, signed reproducible build, run your own relay.

OPEN A ROOM →
  • CostFree, forever
  • SignupNone
  • InstallNone | browser
  • SourceVerify the build ↗
PCR00c4f7a9b1d…2b91 ▮ STH·NYCa8f3e2c1… ▮ LEAVES1,284,402 ▮ BUILDa8f3e2c1 ▮ FILES217 ▮ ED25519d4b59f07… ▮ X255197e2c1d4b… ▮ STH·FRA6f0a2e91… ▮ LEAVES982,117 ▮ RELAYOK · 60s TTL ▮ UTC--:--:-- ▮
02 HOW IT WORKS FOUR STEPS · NO SIGNUP 02 / 08

OPEN. SEAL. SEND. burn.

01 OPEN · STEP ONE 01 / 04

A fresh room, in a click.

Your browser mints a hybrid X25519 + ML-KEM-768 keypair and a fresh room ID. No account, no email, no install. The room exists the moment you make it. The page is the app.

KEYGEN < 40 ms · client-side FORMAT capsule v01
02 INVITE · STEP TWO 02 / 04

People by seed, email by address.

Invite with a one-use seed URL (works once, expires in 15 min). Send it through any channel | Signal, AirDrop, a piece of paper. Or mint a bb-…@inbox address and hand it to a vendor; mail arrives sealed in the same library.

SEED TTL 15 min · single-use INBOX bb-…@inbox.bluebells.com
03 TALK · STEP THREE 03 / 04

Sealed on your device.

Every message is XChaCha20-Poly1305 sealed under a room key only your devices hold. Polls wrap in LWE-PIR so even which conversation you're checking is opaque to the relay.

SYMMETRIC XChaCha20-Poly1305 POLL CADENCE 30 s · constant · PIR-wrapped
04 BURN · STEP FOUR 04 / 04

One tap, gone forever.

Rotate the key and every prior message becomes literally unreadable, even to you. Burn the room outright and every device wipes simultaneously. Burn the bb-…@inbox address and it's tombstoned globally; nobody can re-issue it. Not even us.

ROTATE drand beacon · forward-secure BURN global tombstone · permanent
HYBRID KEX▮ X25519▮ ML-KEM-768▮ XCHACHA20-POLY1305▮ BLAKE3▮ ED25519▮ ML-DSA-65▮ ARGON2ID▮ LWE-PIR▮ 60s TTL▮ NO ACCOUNTS▮ ZERO LOGS▮ OPEN SPEC▮
03 THE CAPSULE A URL IS A CIPHERTEXT 03 / 08

THE LINK is THE CONVERSATION.

Every Bluebells room is a self-contained capsule encoded in its URL. The fragment carries a sealed payload — your device decrypts it, nothing else can. Strip the URL and the conversation is gone. There is nothing else to delete.

LIVE CAPSULE · INTERACTIVE
https://bluebells.com/r/#01.a8f3e2c1d4b59f07e2c1d4b5.
DRAG TO DECRYPT →
KEY 0%
PLAINTEXT MESSAGE

sealed · drag the key →

SIGNED · Ed25519 + ML-DSA-65 · a-keypair
CIPHER STACK Six layers sealed in order | break any one, the rest still hold.
  1. 01 · KEXX25519
  2. 02 · KEMML-KEM-768
  3. 03 · AEADXChaCha20-Poly1305
  4. 04 · HASHBLAKE3
  5. 05 · SIGEd25519 · ML-DSA-65
  6. 06 · KDFArgon2id

The URL holds the ciphertext. Your device holds the key. The capsule is the entire record.

FIG. 02 · CAPSULE ENCODING
01 / 04
04 INVISIBLE FOUR LAYERS · SCROLL → 04 / 08

YOU CHECKED
A ROOM AT
11:48.
NOBODY
SHOULD KNOW.

Encryption hides what you said. Bluebells also reduces what can be inferred about when you send, which room you check, and whether a room is active. Four independent layers run continuously in this tab | each one has a verification surface on the live audit page.

Scroll for layers
01 TRANSPORT TLS 1.3 + ECH · DEFAULT

ENCRYPTED
CLIENT hello.
NO SNI
ON THE WIRE.

Every byte rides TLS 1.3 with Encrypted Client Hello. The CDN sees an outbound TLS connection | not the SNI, not the destination host, not which page you loaded. ECH grease is always on, even on idle tabs. Tor Browser users auto-swap to our v3 hidden services on boot, with no exit node in path.

HANDSHAKE < 80ms ECH GREASE · ALWAYS
FIG. 03A
02 COVER TRAFFIC 30 s ± 8 s

EVERY DEVICE
pulses.
ACTIVE ROOMS
LOOK IDLE.

Every connected device publishes an empty OPERATION_BATCH frame every ~30 seconds with ±8 s jitter. Same envelope, same encryption, same payload size. That uniform pulse makes active and idle rooms materially harder to distinguish from timing alone.

FRAME SIZE 1.2kb ± 8 S JITTER
FIG. 03B
03 SLOT ROTATION EVERY 15 MIN

ROOM IDS
ROTATE every
FIFTEEN MIN.

Rendezvous IDs derive from the room key × a 15-minute slot index. The relay sees a fresh opaque ID every slot | no stable identifier for any observer to log or correlate over time.

SLOT WINDOW 15min HKDF · BLAKE3
FIG. 03C
04 PIR POLLS LWE-BASED

CHECKING
IS opaque.
EVEN TO US.

Catch-up polls run on a constant 30-second cadence wrapped in LWE-based private information retrieval. The relay answers your query but cryptographically cannot determine which rendezvous you requested. Bluebells ships this PIR path as a default protocol surface, not an add-on mode.

POLL CADENCE 30s LWE · CONSTANT
FIG. 03D
05 ANTI-FEATURES ARCHITECTURAL IMPOSSIBILITIES 05 / 08

EIGHT GUARANTEES
WE can can't
see.

01WE CAN READ YOUR MESSAGES.END-TO-END · DEVICE-ONLY KEYS
02WE CAN IDENTIFY YOU.NO ACCOUNTS · NO IDENTIFIERS
03WE CAN SEE WHO YOU TALK TO.ROTATING RENDEZVOUS IDS
04WE CAN RETAIN YOUR DATA.60-SECOND TTL · NO LOGS
05WE CAN HAND OVER YOUR CONVERSATIONS.WHEN ASKED, WE CAN SHARE ONLY THE SMALL AMOUNT WE KEEP
06WE CAN ADD A BACKDOOR.OPEN SPEC · RUN YOUR OWN RELAY
07WE CAN CAP YOUR FILE SIZES.ATTACHMENTS STREAM CHUNK-BY-CHUNK BETWEEN DEVICES · UPLOAD A 200 GB VIDEO THE SAME WAY YOU SEND A JPEG
08WE CAN CHARGE YOU.ALWAYS FREE · NO PLAN TIERS · NO QUOTA TAX ON PRIVATE CONVERSATION
01 / 05
01CAN'TEND-TO-END

WE CAN
READ YOUR
MESSAGES.

Every message is XChaCha20-Poly1305 sealed under a room key only your devices hold. The relay sees ciphertext or nothing.

KEY256bitDEVICE-ONLY
FIG. 03C · 01
02CAN'TNO ACCOUNTS

WE CAN
IDENTIFY you.

No phone number. No email. No account graph. There is nothing to register, nothing to leak, nothing to hand over.

IDENTIFIERS0NONE STORED
FIG. 03C · 02
03CAN'TPIR POLLS

WE CAN
SEE WHO YOU
TALK TO.

Rendezvous IDs rotate every fifteen minutes. Catch-up polls wrap in LWE-based PIR so the relay cannot determine which room you queried.

ROTATION5minPIR · CONSTANT
FIG. 03C · 03
04CAN'T60S TTL

WE CAN
RETAIN YOUR
DATA.

Encrypted bytes pass through the relay for at most sixty seconds, then they are gone. No database. No archive. No backup.

RELAY TTL60sZERO LOGS
FIG. 03C · 04
05CAN'TOPEN SPEC

WE CAN
ADD A
BACKDOOR.

The protocol is open, the build is signed reproducibly, and you can run your own relay. If the math is right, you don't need to trust us.

RELAYS∞RUN YOUR OWN
FIG. 03C · 05
06 THE PREMISE WHO THIS IS FOR · WHY IT EXISTS 06 / 08

THE MOST private COMMUNICATION PLATFORM EVER.

  1. 01

    For people in hostile environments.

    Activists, dissidents, anyone where being seen to talk is the threat. The relay can't tell which room you check, whether a room is active, or a real publish from a cover-traffic pulse. The wire pattern is uniform across every device on the network.Where being seen to talk is the threat. The relay can't tell which room you check, or whether it's even active.

    PIR UNIFORM WIRE NO IDENTITY
  2. 02

    For journalists protecting sources.

    Every message can carry an enclave-signed receipt that proves authorship and timestamp. Anyone, anywhere, can verify it offline. No subscription, no legal hold, no service to subpoena. The math is the credential.Every message carries an enclave-signed receipt, verifiable offline forever. Nothing to subpoena.

    SIGNED RECEIPTS OFFLINE VERIFY NO SUBPOENA
  3. 03

    For anyone who would rather verify than trust.

    Open protocol, public primitives, signed reproducible build. Pin our PCR0, pin our STH, run your own relay. If the math is right, you don't need to trust us.Open spec, signed reproducible build. Pin our PCR0, run your own relay. Verify, don't trust.

    OPEN SPEC PCR0 PINNED RUN YOUR OWN
¶

Free. Always. No accounts, no phone numbers, no keys we hold, no payment surface. Run your own relay if you don't trust ours. Receipts verify offline forever; they survive Bluebells, AWS, even the internet.

07 AUDIT · LIVE FETCHED FROM THE ENCLAVE + RELAYS 07 / 08

NOT A promise. A MEASUREMENT.

AWS NITRO ENCLAVE · /attest

The signing key, measured.

PCR0 fetching… Ed25519 fetching… X25519 fetching…
awaiting /attest ↗
TRANSPARENCY LOG · /log/sth

Every message, signed by every relay.

NYC fetching… Frankfurt fetching…
awaiting prove inclusion →
BUILD MANIFEST · SHA-384 + Ed25519

Every JS byte you loaded, signed.

Files fetching… Signed fetching… Built fetching…
awaiting manifest ↗

Verify any message yourself. Paste a receipt at /audit and your browser runs the math, PCR0 chains to AWS, STH inclusion proof recomputes locally, no server round-trip required.

OPEN /AUDIT →
08 OPEN A ROOM FREE FOREVER · ONE CLICK 08 / 08

DISAPPEAR into MATH.

One click and your browser mints a fresh hybrid keypair, derives a room ID, and prints a URL. Send it to anyone, on any channel, and the conversation begins. The relay holds short-lived encrypted transit data only - not the message, not which room you queried, not which device asked. Everything material is verifiable from the page you loaded.

OPEN A ROOM → VERIFY THE BUILD ↗
BLUEBELLS 2026

NO COOKIES · NO TRACKERS · NO TELEMETRY

PROTOCOL

Specification Threat Model

VERIFY

Audit the Relay

POLICY

Privacy & Compliance