Something I can't figure out from Mastodon's website is where and how it uses cryptography.

I fear it might all be plaintext, despite the insanity of doing that in the present post-Snowden world, rather than the appropriate end-to-end combined with point-per-point encryption.

They are not encrypted but signed with an elaborate algorithm (I worked on an ActivityPub server implementation).

Twtxt is minimalist but functional: https://github.com/buckket/twtxt