
Zeq Mail

Every envelope is encrypted, signed, and bound to the exact Zeqond at which it was sealed. Replay is observable.

  • Live app: /apps/mail/
  • Source: apps/mail/index.html + apps/mail/envelope.js (≈ 720 lines)
  • Operators: KO42 · CS87 · CS47
  • Error budget → 0.000% (bit-exact vs RFC 8439 ChaCha20-Poly1305 test vectors)

What it solves

Traditional E2E mail (PGP, S/MIME) gives you confidentiality but leaves three weaknesses open: (1) the timestamp is a claim the sender makes, not a fact the recipient can verify; (2) replays of an old encrypted message are indistinguishable from the original; (3) key rotation requires an out-of-band trust exchange.

Zeq Mail fixes all three by binding every envelope to its Zeqond. The envelope carries phase_at_seal ∈ [0,1) witnessable from the HulyaPulse, so:

  • Recipients can verify when the envelope was sealed, to sub-Zeqond precision, offline.
  • Replayed envelopes fail verification unless the attacker controls the 1.287 Hz heartbeat.
  • Key rotation is scheduled at a specific Zeqond, published to the tether (zeq-auth), and any peer can verify the rotation window.

The cipher inside is ChaCha20-Poly1305 (RFC 8439). KO42 contributes the time binding via the phase_at_seal that the AEAD tag commits to. CS47 (Shannon entropy) is used to reject envelopes with unusually low-entropy payloads (an indicator of padding-oracle attempts).

The math — 7-step Wizard applied

Step | Decision
1. Prime | KO42 mandatory (the time binding)
2. Limit | CS87 (key generation — Kolmogorov-complexity floor) + CS47 (entropy policing) + KO42 = 3
3. Scale | Bit-exact (AEAD)
4. Precision | Hamming = 0 against RFC 8439 test vectors
5. Compile | Master Equation with ϕ₄₂ ∑C_k(ϕ) committing phase_at_seal
6. Execute | Functional Equation outputs sealed envelope
7. Verify | Recipient AEAD-verifies, then checks phase_at_seal is inside the rotation window

Verbatim formulas:

  • KO42.1: ds² = g_μν dx^μ dx^ν + α sin(2π · 1.287 t) dt²
  • CS87: Ω(x) = min{|p| : U(p) = x}
  • CS47: E(n) = −∑ p(x) log p(x)

Runnable worked example — seal + verify

curl -s -X POST https://api.zeq.dev/api/playground/compute \
  -H "Authorization: Bearer $ZEQ_DEMO_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "operators": ["KO42", "CS87", "CS47"],
    "inputs": {
      "op": "seal",
      "to": "recipient@zeq.dev",
      "subject": "hello",
      "body": "The quick brown fox jumps over the lazy dog."
    }
  }'

Expected:

{
  "envelope_b64": "...",
  "phase_at_seal": 0.6137,
  "zeqond": 1745123500.321,
  "aead_tag_b64": "...",
  "error_pct": 0.000
}

Verify by POSTing {"op":"open","envelope_b64":"..."}. The output confirms that phase_at_seal matches and that the body is recovered bit-exact.
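
What the tag commitment and the step 7 check look like on the recipient side, as an added sketch using Node's built-in crypto; it is not the code in apps/mail/envelope.js. The envelope field layout, the JSON-encoded associated data, the [from, until) rotation window and the sample values are assumptions made for the example.

```javascript
// Added illustration; not code from apps/mail/envelope.js.
// Assumed: envelope fields, JSON-encoded AAD, rotation window as a [from, until) Zeqond range.
const nodeCrypto = require('crypto');

// Bytes of the time binding that the Poly1305 tag covers as associated data.
function timeBinding(zeqond, phaseAtSeal) {
  return Buffer.from(JSON.stringify({ zeqond, phase_at_seal: phaseAtSeal }));
}

function seal(key, body, zeqond, phaseAtSeal) {
  const nonce = nodeCrypto.randomBytes(12); // RFC 8439 96-bit nonce, never reused under one key
  const c = nodeCrypto.createCipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  c.setAAD(timeBinding(zeqond, phaseAtSeal));
  const ct = Buffer.concat([c.update(body, 'utf8'), c.final()]);
  return { nonce, ct, tag: c.getAuthTag(), zeqond, phase_at_seal: phaseAtSeal };
}

// Step 7 order: AEAD-verify first, then compare the seal time with the rotation window.
function open(key, env, rotation) {
  const d = nodeCrypto.createDecipheriv('chacha20-poly1305', key, env.nonce, { authTagLength: 16 });
  d.setAAD(timeBinding(env.zeqond, env.phase_at_seal));
  d.setAuthTag(env.tag);
  let body;
  try {
    body = Buffer.concat([d.update(env.ct), d.final()]).toString('utf8');
  } catch {
    return { ok: false, reason: 'aead' }; // ciphertext, tag or time binding was altered
  }
  if (!(env.zeqond >= rotation.from && env.zeqond < rotation.until)) {
    return { ok: false, reason: 'window' }; // authentic, but sealed outside this key's window
  }
  return { ok: true, body };
}

// Constructed sample values, not real Zeq data.
function demo() {
  const key = nodeCrypto.randomBytes(32);
  const rotation = { from: 1745123000, until: 1745124000 };
  const env = seal(key, 'The quick brown fox jumps over the lazy dog.', 1745123500.321, 0.6137);
  return {
    genuine: open(key, env, rotation),
    edited: open(key, { ...env, phase_at_seal: 0.9 }, rotation), // claimed phase changed
    stale: open(key, env, { from: 1745124000, until: 1745125000 }), // later window
  };
}
```

In this sketch an unmodified old envelope still passes the tag check, so the window comparison is what rejects it.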

Extend it

  • Signed attachments: add ZEQ-TETHER-003 to bind the attachment to the sender's multi-device identity.
  • Time-locked send: pair with HITE Encryption to defer decryption until a target Zeqond.
  • Forensic re-verification: save the phase_at_seal + heartbeat log; anyone can then re-verify months later.

Seeds

  • Post-quantum envelope: swap the key agreement for Kyber; the Zeqond binding is orthogonal to the KEM choice.
  • Mesh delivery: pair with zeqMesh for peer-to-peer routing without a centralised SMTP.
  • Cryptographic ritual — because phase_at_seal is public-verifiable, Zeq Mail is a primitive for any ritualised-time protocol (proof-of-delay, proof-of-sequence).
