Build v0.9.4-rc · keyset 0x0e2a · 12 layers · dual-signed pq

Communicationbeyondcompromise

Lumes is an end-to-end encrypted messenger built for an adversarial threat model — forensic extraction, active MITM, compromised peers, memory dumps. Twelve independent layers. Post-quantum dual signing. No telemetry. Built for users who need real security, not marketing.

Read the threat model
12
Encryption layers
20+
Anti-forensic checks
0
Zero knowledge
512b
Realm key
01who needs this

Built for users that need real security,
not marketing.

01 / 03

Journalists & investigative reporters

Source protection at the device level. If a phone is seized, Keychain extraction yields opaque envelopes — useless without the PIN.

Threat model
UFEDBorder seizureSource burn
02 / 03

Activists & human rights defenders

Coordination in surveillance-heavy environments. Duress PIN silently wipes state; disappearing messages erase the symmetric ratchet, not just the plaintext.

Threat model
CoercionMITMCustody
03 / 03

Security researchers & high-risk individuals

Verifiable primitives. 12 independent layers — break one, the others hold. SecureString in memory; signed WebRTC with anti-replay 30 s.

Threat model
RAM dumpPeer compromiseReplay
02what makes it different

Three things no
mainstream messenger does.

001 · Post-quantum

Dual signing with
ML-KEM-768 +
ML-DSA-65.

Classical X25519 + Ed25519 stay. Post-quantum lattices ride alongside — break one family, the other holds. The first messenger to ship FIPS 203 / 204 in production.

// handshake.ts
const classical = x25519.scalarMult(ourSecret, theirPub);
const pq        = mlKem768.encap(theirPQPub);     // FIPS 203
const root      = hkdfSha512("lumes-v1-rk",
                          concat(classical, pq.shared));

const sigC      = ed25519.sign(transcript, ourEdSk);
const sigPQ     = mlDsa65.sign(transcript, ourDsaSk); // FIPS 204

// both signatures verified — break one family, the other holds.
002 · Anti-forensic

Keychain extraction without the PIN yields noise.

Argon2id envelopes wrap every long-term secret. UFED can read the Keychain — it cannot unwrap it. The PIN never leaves the device.

Device
iOS Keychain
argon2id
m=64MiB · t=3
Envelope
PIN-bound
Extracted without PIN
7f 3a c1 88 e2 04 9b 14 …  d6 71 0a fe c9 22 b3 5c
b8 0c d3 41 27 ee a9 6d …  4e 80 1b 97 22 c4 31 ff
→ indistinguishable from random; ≥ 2^96 work to brute-force
003 · Forward-secure

Disappearing messages that actually disappear.

Most apps delete the plaintext. Lumes zeroes the message key, the prekey, and the group symmetric key. Past sessions can't be reconstructed even if the device is later seized.

Plaintext
"meet at 21:00"
zeroed ✕
Message key (mk)
0xA1F4…
zeroed ✕
PreKey
spk_07
zeroed ✕
Group sym key
gsk_3a2
zeroed ✕
After 60 s · forward-secrecy guarantee restoredsession reset · keyset_rev++
03defense in depth

Twelve independent layers.
Break one — the others hold.

Each layer assumes the one above it has failed. The full chain is verifiable from the open primitives down.

#
Layer
Defeats
Status
01
PIN-bound envelope
UFED extraction
shipped
02
Realm DB encryption
Cold storage read
shipped
03
X25519 handshake
Eavesdropping
shipped
04
ML-KEM-768
Quantum CRQC
shipped
05
Ed25519 signing
Identity spoof
shipped
06
ML-DSA-65 signing
Quantum forgery
shipped
07
Double Ratchet
Past-key compromise
shipped
08
ChaCha20-Poly1305
Tampering
shipped
09
SecureString in RAM
Memory dump
shipped
10
WebRTC ICE signing
Call MITM / replay
shipped
11
Duress PIN · silent wipe
Coercion / custody
shipped
12
Forward-secure delete
Forensic recovery
shipped
Read the full cryptographic spec·Last spec review: 2026-05-27 · keyset rev 0x0e2a
04threat detail

Pick an attack.
See what Lumes does about it.

Every line below is in the production code. No "future work", no hand-waving. If a vendor claims a defense, we expect the same level of detail.

attack profile

Cellebrite UFED, GrayKey, physical seizure.

Forensic tools dump the iOS Keychain and Realm DB byte-for-byte. With most messengers, that's a full extract. With Lumes, what they get is unwrappable opaque ciphertext.

  • Every long-term secret wrapped in Argon2id envelope (m=64 MiB, t=3)
  • PIN-bound; PIN never written to disk, never leaves device
  • 4 independent PIN-enforcement layers on every unwrap
  • Brute-force cost ≥ 2^96 with current Argon params
$ ufed-extract --device iPhone15 --output dump.bin live
extracting keychain.................... ok
extracting realm.db.................... ok
parsing lumes.identity.................. opaque
parsing lumes.prekey.bundle............. opaque
parsing lumes.session.ratchet........... opaque

// raw bytes of lumes.identity
00000000  7f 3a c1 88 e2 04 9b 14  d6 71 0a fe c9 22 b3 5c
00000010  b8 0c d3 41 27 ee a9 6d  4e 80 1b 97 22 c4 31 ff
00000020  2a 9f 67 03 11 d8 50 ee  63 a4 7c 8b 19 f2 06 c1
...
                                            entropy = 7.998 bits/byte
→ argon2id-wrapped · indistinguishable from random
→ recovery requires PIN; PIN not in dump
05message lifecycle

Send a message.
Here's what happens.

end-to-end · < 80 ms typical
  1. 01
    Handshake

    X25519 + ML-KEM-768 encapsulation. Both shared secrets feed HKDF → root key.

    ~12 ms
  2. 02
    Sign & verify

    Ed25519 + ML-DSA-65 dual signature over the transcript. Both must verify.

    ~8 ms
  3. 03
    Ratchet step

    Full Signal-style Double Ratchet, 3-step: DH out, chain advance, message key derive.

    ~3 ms
  4. 04
    Encrypt & seal

    ChaCha20-Poly1305 AEAD. Sealed envelope; sender identity hidden from relay.

    ~1 ms
  5. 05
    Send

    TLS 1.3 with cert pinning. Server sees ciphertext + recipient hash; nothing else.

    net
9:41 lumes
M
M.
e2ee · pq verified
60s ↻
are we still on for tonight?
yes — same place, 21:00
copy. burning my prekey now.
Message…

Mockup — actual UI pending public release

06how it compares

What other messengers
don't ship — yet.

We compare against the strongest, not the weakest. If we can be honestly outperformed on a row, we mark it.

CapabilityLumesSignalWhatsAppThreemaTelegram
Post-quantum dual signing
ml-kem-768 + ml-dsa-65
PQXDH only
Anti-UFED envelopes
argon2id PIN-bound
Anti-memory-dump (SecureString)
heap-zeroing on use
Disappearing — FS key wipe
mk + prekey + gsk
Duress PIN · silent wipe
bypass USB/custody
WebRTC ICE signed + anti-replay
ed25519 · 30 s window
Double Ratchet — full Signal 3-step
dh + chain + mk
Independent external audit
third-party review
pendingpartial● ISOpartial
shipped partial not implementedpending awaiting external review
Read the full comparison
07get notified

Launch happens once.Be there.

We'll only email you about the public release and the external audit results. No marketing. Unsubscribe is a single click.

Launch waiting list

Security verification required.