Qeltrix V4: The AES256-GCM Evolution and Breaking Changes

A Major Cryptographic Upgrade for Modern Security Standards

Posted by Muhammed Shafin P (HejHdiss) | Qeltrix Project Lead


I'm excited to announce Qeltrix V4, a focused cryptographic upgrade that marks a significant milestone in the Qeltrix ecosystem. This release represents a deliberate break from backward compatibility in favor of adopting industry-standard, hardware-accelerated encryption that meets modern security requirements.

What's New in V4?

1. AES256-GCM as the Core Cipher

V4 makes a fundamental shift from ChaCha20-Poly1305 to AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode) as the sole bulk encryption algorithm.

Why AES256-GCM?

  • Industry Standard: Widely vetted, NIST-approved, and certified for government use
  • Hardware Acceleration: Native CPU support via AES-NI on modern processors delivers exceptional performance
  • Proven Security: Decades of cryptanalysis with no practical attacks on properly implemented AES-GCM
  • Compliance Ready: Meets regulatory requirements (FIPS 140-2, PCI DSS, HIPAA)

# V4 uses AES256-GCM by default - no algorithm flag needed
python3 qltx.py -v 4 pack sensitive_data.db encrypted.qltx

2. No Cross-Version Compatibility

Like V3 before it, V4 is not backward compatible with earlier versions.

What This Means:

  • qeltrix-4.py can only pack and unpack V4 format files
  • qeltrix-3.py can only pack and unpack V3 format files
  • V4 containers cannot be opened by V1/V2/V3 scripts
  • V3 containers cannot be opened by V1/V2/V4 scripts
  • The universal dispatcher (qltx.py) handles version routing automatically

Why No Backward Compatibility?

  • Clean Implementation: Each version focuses on its specific cryptographic approach
  • Security First: Ensures each version uses its intended encryption without legacy compromises
  • Simplified Codebase: Version-specific scripts are easier to audit and maintain

Migration Strategy:

The qltx.py dispatcher ensures smooth coexistence of all versions:

# Each version's files are handled by their respective backends
python3 qltx.py unpack old_v1_file.qltx output.dat    # Uses V1 backend
python3 qltx.py unpack old_v2_file.qltx output.dat    # Uses V2 backend
python3 qltx.py unpack old_v3_file.qltx output.dat    # Uses V3 backend

# New V4 files require explicit version flag
python3 qltx.py -v 4 pack newfile.dat v4_archive.qltx # Uses V4 backend
python3 qltx.py unpack v4_archive.qltx newfile.dat    # Auto-detects V4

3. Retained V2 Performance Features

V4 maintains all the high-performance capabilities introduced in V2:

| Feature | Status | Benefit |
|---|---|---|
| Parallel Unpacking | ✓ Retained | Multi-core decryption for fast extraction |
| Random Access (seek) | ✓ Retained | Read specific byte ranges without full decryption |
| Zstd Compression | ✓ Retained | Choose between LZ4 (speed) and Zstd (ratio) |
| Two-Pass & Single-Pass | ✓ Retained | Flexible key derivation modes |

# V4 with all performance features
python3 qltx.py -v 4 pack large_backup.iso archive.qltx \
  --compression zstd \
  --block-size 4194304 \
  --workers 16

# Fast random access in V4 files
python3 qltx.py seek archive.qltx 104857600 8192 --output section.bin

4. Mandatory Explicit Version Selection

The dispatcher now requires the -v flag for packing operations to prevent accidental version mismatches:

# ❌ This will fail - no implicit version selection
python3 qltx.py pack file.dat output.qltx

# ✓ Correct - explicit version required
python3 qltx.py -v 4 pack file.dat output.qltx
python3 qltx.py -v 3 pack file.dat output.qltx --recipient-pub-key key.pem
python3 qltx.py -v 2 pack file.dat output.qltx --compression zstd

Unpacking and seeking remain automatic:

# Dispatcher reads file header and routes to correct version
python3 qltx.py unpack any_version.qltx output.dat
python3 qltx.py seek any_version.qltx 1024 512

What Was Removed in V4?

1. ChaCha20-Poly1305 Support

V4 does not support ChaCha20-Poly1305. If you need this cipher:

  • Use V3 with --algo chacha20
  • Consider migrating to V4 for hardware-accelerated performance

2. Multi-Algorithm Flag

The --algo argument is removed in V4 since there's only one cipher option.

3. Asymmetric Key Transport (V3-A Features)

V4 currently focuses on content-derived encryption only. Asymmetric features from V3 are not included:

  • No --recipient-pub-key support
  • No --signer-priv-key or metadata signing
  • No RSA-OAEP key transport

For asymmetric encryption, continue using V3:

# Still use V3 for asymmetric workflows
python3 qltx.py -v 3 pack secret.pdf encrypted.qltx \
  --recipient-pub-key recipient.pem \
  --signer-priv-key my_private.pem

Note: Future versions may reintroduce asymmetric features with AES256-GCM. V4 establishes the cryptographic foundation first.

Complete V4 Usage Guide

Installation

Dependencies remain unchanged:

pip install lz4 cryptography zstandard

Packing with V4

# Basic V4 packing
python3 qltx.py -v 4 pack myfile.dat secure.qltx

# High-performance configuration
python3 qltx.py -v 4 pack database.sql backup.qltx \
  --compression zstd \
  --block-size 4194304 \
  --workers 12

# Fast single-pass mode (useful for large files where speed matters)
python3 qltx.py -v 4 pack bigvideo.mp4 video.qltx \
  --mode single_pass_firstN \
  --head-bytes 2097152

Unpacking V4 Files

# Basic unpacking (auto-detects V4)
python3 qltx.py unpack secure.qltx myfile.dat

# Parallel unpacking with integrity verification
python3 qltx.py unpack backup.qltx database.sql --workers 16

# Fast unpacking (skip checksum verification)
python3 qltx.py unpack video.qltx bigvideo.mp4 --no-verify

Random Access (Seek)

# Extract 1MB starting at 50MB offset
python3 qltx.py seek archive.qltx 52428800 1048576 --output extract.bin

# Parallel seek for faster decompression
python3 qltx.py seek backup.qltx 10485760 4096 --workers 8

Version Compatibility Matrix

Feature V1 V2 V3 V4
ChaCha20-Poly1305
AES256-GCM
Content-Derived Keys
Parallel Pack/Unpack
Random Access (seek)
Zstd Compression
Asymmetric Keys (RSA)
Metadata Signing
Backward Compatible N/A

Performance: V3 vs V4

Benchmark on an 8-core Intel i7 with AES-NI (1GB test file, Zstd compression):

| Operation | V3 (ChaCha20) | V3 (AES256) | V4 (AES256) |
|---|---|---|---|
| Pack | ~45s | ~42s | ~41s |
| Unpack | ~18s | ~16s | ~15s |
| Seek (4KB) | ~0.2s | ~0.18s | ~0.17s |

Results are illustrative. Performance varies with hardware and file characteristics.

Key Takeaway: V4 delivers the best performance on modern hardware with AES-NI support, while maintaining V2's parallel processing advantages.

Security Considerations

V4 Cryptographic Stack

┌─────────────────────────────────────────┐
│  Key Derivation: HKDF-SHA256            │
│  └─ Info: KEY_INFO_V4 (version-specific)│
├─────────────────────────────────────────┤
│  Bulk Encryption: AES-256-GCM           │
│  └─ 256-bit keys, 96-bit nonces         │
├─────────────────────────────────────────┤
│  Per-Block Authentication: GCM Tags     │
│  └─ 128-bit authentication tags         │
├─────────────────────────────────────────┤
│  Global Integrity: SHA256 checksum      │
│  └─ Full ciphertext verification        │
└─────────────────────────────────────────┘

Content-Derived Key Modes

Two-Pass (Default - Highest Security):

  • Derives key from SHA256 hash of entire compressed stream
  • Requires two passes over data and temporary storage
  • Best for: Maximum security, archival use

Single-Pass-FirstN (Speed-Optimized):

  • Derives key from hash of first N raw bytes
  • Single pass, bounded memory usage
  • Best for: Large files where beginning is unique, performance-critical scenarios
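
The two key-derivation modes above, as an added sketch that is not Qeltrix's own code: it derives a 256-bit key with HKDF-SHA256 in each mode and compares the keys two files end up with. Assumptions: KEY_INFO is a placeholder for the real KEY_INFO_V4 value, zlib stands in for LZ4/Zstd, no per-file random salt is mixed in, and the two sample files are constructed.

```python
import hashlib
import hmac
import zlib

# Assumption: placeholder label; the real KEY_INFO_V4 value is not given on the page.
KEY_INFO = b"example-key-info-v4"

def hkdf_sha256(ikm, info, length=32, salt=b""):
    """HKDF-SHA256 per RFC 5869 (extract, then expand), standard library only."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def key_two_pass(raw):
    """Two-pass: key material is SHA-256 over the entire compressed stream."""
    compressed = zlib.compress(raw)  # stand-in compressor (assumption)
    return hkdf_sha256(hashlib.sha256(compressed).digest(), KEY_INFO)

def key_single_pass_first_n(raw, head_bytes):
    """Single-pass-firstN: key material is SHA-256 over the first N raw bytes."""
    return hkdf_sha256(hashlib.sha256(raw[:head_bytes]).digest(), KEY_INFO)

def compare_modes(file_a, file_b, head_bytes):
    """Report whether two inputs end up with the same key in each mode."""
    return {
        "two_pass_keys_equal": key_two_pass(file_a) == key_two_pass(file_b),
        "first_n_keys_equal": key_single_pass_first_n(file_a, head_bytes)
        == key_single_pass_first_n(file_b, head_bytes),
    }

# Constructed sample data: two files sharing a 64-byte header, different bodies.
HEADER = b"FMT1" + b"\x00" * 60
FILE_A = HEADER + b"payload of the first file"
FILE_B = HEADER + b"payload of the second file"

if __name__ == "__main__":
    # N covers only the shared header: single-pass keys are identical.
    print(compare_modes(FILE_A, FILE_B, head_bytes=64))
    # N reaches into the differing bodies: single-pass keys diverge.
    print(compare_modes(FILE_A, FILE_B, head_bytes=80))
```

Under these assumptions, files that share their first N bytes receive the same key in single-pass mode, so --head-bytes should cover a region that is unique per file.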

Proof-of-Concept Disclaimer

Qeltrix V4 remains a Proof-of-Concept:

  • Built on industry-standard cryptography via the cryptography library
  • No formal security audit has been conducted
  • You are responsible for key management and secure usage
  • Evaluate whether Qeltrix meets your specific threat model

Migration Guide

From V1/V2 to V4

# 1. Unpack existing file (dispatcher handles V1/V2 automatically)
python3 qltx.py unpack old_v2_file.qltx original_data.bin

# 2. Repack with V4
python3 qltx.py -v 4 pack original_data.bin new_v4_file.qltx

From V3 to V4

If using content-derived keys (non-asymmetric V3):

# Similar process as V1/V2
python3 qltx.py unpack v3_content_derived.qltx data.bin
python3 qltx.py -v 4 pack data.bin v4_version.qltx

If using asymmetric V3-A:

V4 does not support asymmetric features. Continue using V3 for these workflows, or implement external key management:

# Option 1: Keep V3 for asymmetric needs
python3 qltx.py -v 3 pack sensitive.doc encrypted.qltx \
  --recipient-pub-key recipient.pem

# Option 2: Use V4 with external key exchange
# (Manage key sharing through separate channels)
python3 qltx.py -v 4 pack sensitive.doc encrypted.qltx

Real-World Use Cases for V4

1. Compliance-Required Archival

Organizations needing FIPS 140-2 compliant encryption:

# AES-256 meets regulatory requirements
python3 qltx.py -v 4 pack patient_records.db hipaa_archive.qltx \
  --compression zstd \
  --block-size 2097152

2. High-Performance Backup Systems

Data centers with AES-NI capable hardware:

# Hardware-accelerated encryption for fast backups
python3 qltx.py -v 4 pack /data/production.tar daily_backup.qltx \
  --workers 32 \
  --compression zstd

3. Selective Data Extraction

Quickly retrieve specific sections from large encrypted archives:

# Extract log segment without unpacking entire 10GB file
python3 qltx.py seek large_logs.qltx 5368709120 1048576 \
  --output critical_period.log

Testing V4

Run the comprehensive V4 test suite:

python3 test-4.py

The test suite verifies:

  • AES256-GCM encryption/decryption
  • Two-pass and single-pass key derivation
  • Parallel unpacking performance
  • Random access (seek) functionality
  • Compression algorithms (LZ4, Zstd)
  • Integrity verification

Community-Driven Development

Qeltrix is an open-source, community-driven project. The original author does not guarantee regular updates or maintenance. Future development depends entirely on community interest and contributions.

This is where YOU come in:

If Qeltrix solves a problem for you or inspires new ideas, consider:

  • Forking and Extending: Add features that fit your use case
  • Contributing Back: Submit pull requests for improvements
  • Building Tools: Create GUI applications, language bindings, or integration libraries
  • Sharing Knowledge: Write tutorials, security analyses, or implementation guides
  • Taking Ownership: If you're passionate about this project, you can become a maintainer

The concept and codebase are openly licensed (CC BY-SA 4.0 for concept, GPLv3 for code) specifically to enable the community to take Qeltrix in new directions. Whether that's adding asymmetric features to V4, creating specialized versions for specific industries, or building entirely new architectures—the foundation is here for you to build upon.

Qeltrix's future is in your hands.

Common Questions and Clarifications

Q: Why remove ChaCha20-Poly1305?
A: V4 focuses on a single, standards-compliant cipher to simplify the codebase and ensure consistent security properties. ChaCha20 remains available in V3.

Q: Can I still use V3 for asymmetric encryption?
A: Yes! The dispatcher ensures V3 continues to work perfectly. Use python3 qltx.py -v 3 pack ... for asymmetric workflows.

Q: Will my old files stop working?
A: No. The dispatcher automatically handles V1/V2/V3 files. Only new V4 files require V4-compatible tools.

Q: Is V4 production-ready?
A: V4 uses battle-tested cryptography, but Qeltrix remains a PoC without formal audit. Evaluate based on your security requirements.

Q: How do I choose between versions?

  • V1: Basic use, simplest implementation
  • V2: Need speed (parallel ops, seek) with content-derived keys
  • V3: Require asymmetric encryption, signing, or algorithm choice
  • V4: Want modern standards (AES256), compliance, best hardware performance

Get Qeltrix V4

GitHub Repository: https://github.com/hejhdiss/Qeltrix

The repository includes:

  • qeltrix.py - V1 implementation
  • qeltrix-2.py - V2 implementation
  • qeltrix-3.py - V3 implementation
  • qeltrix-4.py - V4 implementation (NEW)
  • qltx.py - Universal dispatcher with mandatory -v flag
  • Complete documentation and test suites
  • qeltrix-pypi folder with package documentation

Licensing

Dual License Model:

  • Code (GPLv3): All Python implementations are free to use, modify, and distribute under GNU General Public License v3
  • Concept (CC BY-SA 4.0): The underlying cryptographic approach and file format design require attribution for derivative works

Final Thoughts

Qeltrix V4 is a Proof-of-Concept demonstrating content-derived encryption with modern cryptographic standards. While built on robust primitives from the cryptography library (AES-256-GCM, HKDF-SHA256), this project:

  • Has not undergone professional security auditing
  • Requires your own security evaluation for production use
  • Depends on proper key management practices by the user
  • Is provided as-is without warranty or guaranteed maintenance

Development Status:
The author does not commit to regular updates. This is an open-source project meant to inspire and serve as a foundation. If you find value in Qeltrix, the code and concept are yours to maintain, extend, and improve.

Use Responsibly:
Evaluate whether Qeltrix meets your specific threat model and compliance requirements. Consider consulting security professionals before deploying in critical environments.

The universal dispatcher ensures existing workflows continue uninterrupted while V4 provides a modern cryptographic option for those who need it.

Qeltrix is yours to build upon. Fork it. Extend it. Make it fit your needs.


Qeltrix (.qltx) - Content-Derived Encryption, Evolved Again
Copyright © 2025 HejHdiss (Muhammed Shafin P)
Code: GPLv3 | Concept: CC BY-SA 4.0 International

For questions, contributions, or feedback:
GitHub: https://github.com/hejhdiss/Qeltrix


Special thanks to the cryptography and security communities for their continued guidance and the contributors (supporters) who make Qeltrix possible.
