All posts

Announcing the World's First Post-Quantum Zero-Knowledge Habit Tracker

·
announcement encryption post-quantum zero-knowledge privacy

Today we're making a claim that, as far as we can tell, no other habit tracker can make: Metamorphic is the world's first habit tracker that is both zero-knowledge encrypted and post-quantum protected.

That sentence has two halves, and both of them matter. Let's unpack them honestly — including what we ship today, and what's on the roadmap.

Zero-knowledge, plainly

"Zero-knowledge" gets thrown around a lot. Here's what it actually means at Metamorphic:

Your data is encrypted on your device, with keys we never see. When you check off a habit, write a reflection, log a mood, or jot in your journal, that content is encrypted in your browser — by a Rust/WASM crypto core we built and open-sourced — before it leaves your phone or laptop. The server stores ciphertext. We can't read it. If a court subpoenaed us tomorrow, we'd hand over an opaque blob.

Compare that to most habit trackers, where your data sits in plaintext in a database that staff can search. Habitica's own FAQ acknowledges this. Streaks, Loop, Daylio — all of them, to varying degrees, can see your data. We chose not to be able to.

That's the "zero-knowledge" half.

Post-quantum, plainly

Here's the part most habit-tracker users have never been asked to think about — and shouldn't have to.

Today's encryption — the kind protecting your bank transactions and your messaging apps — relies on math problems (like factoring large numbers) that classical computers can't solve quickly. Quantum computers, when they mature, can. Experts disagree on the timeline — five years, fifteen, twenty-five — but the consensus on the threat model is not in dispute: data encrypted today with classical cryptography can be harvested now and decrypted later. It's called "harvest now, decrypt later," and it's already happening at the nation-state level.

The U.S. National Institute of Standards and Technology (NIST) ran a multi-year competition to standardize new algorithms that resist quantum attacks. The winning key-exchange algorithm is ML-KEM (formerly Kyber).

Metamorphic uses ML-KEM today. Specifically, we use a hybrid construction: ML-KEM-768 (NIST Category 3) combined with X25519 (the battle-tested classical curve). Hybrid means we get post-quantum protection without giving up any of the strength we already had — if one side ever falls, the other still stands.

Your habits, your reflections, your mood data, your goals, your journal — they're already encrypted against the quantum threat.

The honest part

We believe in honest framing more than marketing copy, so:

  • We ship ML-KEM-768 (Category 3) today, not the maximum Category 5. Cat-3 is what NIST recommends for protecting classified data up to TOP SECRET. It is more than sufficient for habit data. We chose it for performance and bundle-size reasons on a Progressive Web App that runs in your browser.
  • An upgrade to ML-KEM-1024 (Category 5) is on our roadmap. We've already shipped Cat-5 in our sister product, Mosslet — the world's first post-quantum zero-knowledge social network. The crypto library is the same. The upgrade path is paved.
  • Even your email address is zero-knowledge encrypted. Your email gets the same full three-layer treatment as your habit data — post-quantum zero-knowledge encryption on your device, Cloak AES-256-GCM at rest, and LUKS at the disk layer. To make login work without us being able to read the plaintext, we also store a one-way HMAC hash of the email that we compare against at sign-in. The plaintext email itself is a virtual field in our schema — it exists only transiently in memory during a request (so we can send your confirmation email at registration, for example), and is never persisted to the database. What lives on disk is the encrypted blob and the HMAC hash. Nothing else.
  • We don't look up your IP address either. Our application layer never queries or logs plaintext IPs. Our custom rate limiter HMAC-hashes the resolved client IP before it's used as a rate-limit key, so it sees opaque hashes, not addresses.
  • Some structural metadata is stored in plaintext — by necessity, not by oversight. Things like check-in dates (so we can calculate your streak), habit frequency, display color, sort order, and archive status. These let the app function, sync across devices, and render quickly. They don't reveal what your habits are about — just that, for example, "something happens on Tuesdays." Habit names, descriptions, reflections, goals, check-in notes, journal entries, mood data, and group content are all encrypted blobs we cannot read.
  • What's actually server-readable in plaintext: the structural metadata above, plus billing identifiers needed to link your account to Stripe (no card data ever touches our servers — Stripe handles all of that).

If anyone tells you their product is "fully encrypted, no caveats" — be skeptical. Real systems have edges. We'd rather show you ours.

Why a habit tracker, of all things

People sometimes ask why we put this much cryptographic effort into a habit tracker. The answer is in the data.

A sobriety counter says more about a person than any medical record. A fitness habit that stopped abruptly tells a story. A daily reflection about anxiety, a mood log showing a depressive episode, a goal around leaving a job, a journal entry about a relationship — this is the most intimate longitudinal record of a human life that software collects. And in most habit trackers, it sits in plaintext.

Every unencrypted habit tracker is one breach, one rogue employee, one subpoena, one acquisition-by-a-data-broker away from exposing exactly the kind of data you'd never volunteer in public.

We don't think growth journeys should depend on terms-of-service promises. They should depend on math.

What this is built on (open source)

You don't have to take our word for any of this. The cryptographic core powering Metamorphic is open source:

  • metamorphic-crypto — our Rust encryption library. #![forbid(unsafe_code)], hybrid ML-KEM + X25519, XSalsa20-Poly1305 AEAD, Argon2id key derivation, version-tagged ciphertext, compiled to WASM for the browser and UniFFI for native. Dual MIT/Apache-2.0.
  • metamorphic_crypto — the Elixir wrapper, available on Hex as a drop-in replacement for enacl. MIT.
  • MOSSLET — our social network, where the same crypto core runs in production at Category 5. AGPL-3.0.

Audit it. Fork it. Tell us what we got wrong.

How the three layers fit together

For the curious, here's the full defense-in-depth picture:

Layer Technology What it protects against
Client-side (zero-knowledge) Hybrid ML-KEM-768 + X25519, XSalsa20-Poly1305, Argon2id (WASM) The server, us, subpoenas, breaches, future quantum attacks
Application at-rest Cloak AES-256-GCM Database-level exposure if ciphertext somehow leaked
Infrastructure LUKS full-disk encryption Physical disk theft, hosting-provider compromise

The point of defense in depth isn't that any one layer is weak. It's that each layer fails independently, so an attacker has to defeat all three to read your data. And the outermost layer — the zero-knowledge one — is the one we literally cannot help them with, because we don't have your keys.

A small company making a specific bet

Moss Piglet Corporation is a family-founded, fully bootstrapped Delaware public benefit corporation. No venture capital. No advertising. No tracking. One solo developer (hi), two advisor co-founders, and a thesis: software does not need to spy on people to be profitable.

We're betting that a meaningful number of people care enough about their inner life — their goals, their setbacks, their slow becoming — to want it protected by math, not promises. If that's you, Metamorphic is here.

We'll keep shipping. The Cat-5 upgrade is coming. The phase-two client-side decrypt migrations are coming. Privacy-first software is a long game, and we're in it.

Thanks for being early.

Create a free account →