[CRITICAL] Fallback encryption sends AES key in message payload

## Description
When ML-KEM encryption fails, `encryptWithFallbackMethod()` falls back to AES-GCM but **includes the raw encryption key in the message payload**.

## Location
`src/lib/crypto/post-quantum-encryption.js` line ~417

```js
const encryptedMessage = {
    v: 3,
    alg: 'FALLBACK-AES-GCM',
    key: Base64.encode(keyBytes), // <-- AES key sent in cleartext
    iv: Base64.encode(iv),
    c: Base64.encode(new Uint8Array(ciphertext)),
};
```

## Impact
Anyone who intercepts or reads the stored message (server operator, DB breach, MITM) can trivially decrypt it. This completely defeats E2E encryption.

## Reproduction
1. Trigger ML-KEM failure (corrupted public key, key size mismatch)
2. Fallback fires and produces JSON with `key` field containing the raw AES key
3. Extract `key` + `iv`, decrypt `c` with AES-GCM — message fully recovered

## Recommended Fix
Remove fallback encryption entirely. If ML-KEM fails, the message should fail to send with a clear error, not silently degrade to zero security.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CRITICAL] Fallback encryption sends AES key in message payload #47

Description

Location

Impact

Reproduction

Recommended Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[CRITICAL] Fallback encryption sends AES key in message payload #47

Description

Description

Location

Impact

Reproduction

Recommended Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions