Four audiences · concrete use cases

For the people who can't be wrong.

Lumes's threat model was written with four specific audiences in front of us. Pick yours below — every scenario maps to a real cryptographic layer that handles it.

01 · Journalists

Journalists & investigative reporters.

Source protection is the difference between a story published and a source prosecuted. Every cryptographic decision in Lumes was made with that calculus.

The leak survived the publication. The source did not. — what we built Lumes to prevent
01
Your phone is searched at a border crossing.
Customs forensic tools (UFED, GrayKey) dump the iOS Keychain and Realm DB byte-for-byte. With most messengers, that is your source list.
Lumes → Every long-term secret is Argon2id-wrapped in a PIN-bound envelope. The dump yields opaque ciphertext indistinguishable from random. (layer 01)
02
You're detained and ordered to unlock the device.
An officer demands the PIN. You can refuse and face consequences, or comply and burn the source.
Lumes → Enter the duress PIN. It looks identical to the primary at the lock screen, but silently zeroes the identity material, prekeys, and ratchet state — bypassing USB / MDM / custody hooks. (layer 11)
03
A previously trusted source's device is later seized.
Even if the source's device is compromised tomorrow, you don't want yesterday's messages to be reconstructable.
Lumes → Forward-secure delete zeroes the message key, the prekey, and the group symmetric key — not just the plaintext. Past sessions cannot be replayed even with future device access. (layer 12)
04
A government adversary records your encrypted traffic today.
The harvest-now-decrypt-later attack assumes a quantum computer will exist within 10 years. X25519 alone is not safe under that bet.
Lumes → Every handshake is signed twice (Ed25519 + ML-DSA-65) and uses a hybrid KEM (X25519 + ML-KEM-768). Breaking one family does not break the other. (layers 03–06)
05
A relay-side adversary tries to correlate “who talks to whom”.
Content encryption alone leaks metadata. For some stories, the metadata is the story.
Lumes → Sealed-sender envelopes; recipient identity is a rotating HKDF hash, not a phone number. Optional Tor / SOCKS5 transport. (layer 10 + transport)
02 · Activists

Activists & human rights defenders.

Coordination in a surveillance state is high-stakes by definition. The cost of a leak is not embarrassment — it is a years-long detention, or worse, for the people you are coordinating with.

The encryption was strong. The disappearing-message implementation wasn't. — a real post-mortem we won't repeat
01
A group member's device is compromised mid-action.
In most apps, compromise of one device exposes the full group history. The “expired” disappearing messages are still recoverable from key material.
Lumes → Group symmetric keys rotate on every membership change and every N messages. Forward-secure delete zeroes the full key triple (mk + spk + gsk). Compromise of one device today reveals only what fits in the current window. (layers 07 + 12)
02
A man-in-the-middle attempts to hijack a call mid-coordination.
WebRTC signaling is the soft underbelly of most messengers — ICE candidates flow unauthenticated, opening the door to downgrade and hijack.
Lumes → Every signaling message and every ICE candidate is individually Ed25519-signed and timestamped. A sliding 30 s anti-replay window rejects duplicate sequences. Short Authentication Strings (SAS) verify out-of-band. (layer 10)
03
A team member is held in custody and pressured.
The threat model includes coercion. No amount of cryptography helps against rubber-hose attacks if the answer is “yes, I'll unlock it”.
Lumes → Duress PIN — entering the secondary PIN unlocks an empty-shell session while silently wiping everything actionable. Four independent enforcement layers prevent any single bypass from leaking plaintext. (layer 11)
04
Network traffic is being analysed in bulk.
A national-level adversary doesn't need to break encryption — they need to build a graph of who-talks-to-whom-and-when.
Lumes → Sealed sender; ±5 min timestamp jitter; ciphertext padded to fixed 4 KiB boundary; optional Tor transport. The relay sees a blob and a hash. (network privacy)
05
A captured device is being analysed in a forensic lab.
Cellebrite, MSAB XRY, GrayKey — these are tools in operational use, not theoretical ones.
Lumes → PIN-bound envelope (Argon2id m=64MiB, t=3) makes Keychain extraction useless without the PIN, with a brute-force floor of ~6 weeks per device under enclave throttling. (layer 01)
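
Scenario 02 in this section describes signaling messages that are individually Ed25519-signed, timestamped, and checked against a 30 s anti-replay window. The sketch below is an added illustration of that check, not Lumes code; the message fields (seq, ts, body), the SignalVerifier class and the sample candidate are assumptions.

```javascript
// Added illustration, not Lumes code. Field names seq/ts/body are assumptions.
const { generateKeyPairSync, sign, verify } = require("node:crypto");

const WINDOW_MS = 30_000; // the 30 s window quoted above

// Bytes covered by the signature: sequence, timestamp and payload together,
// so none of them can be swapped without invalidating it.
const signedBytes = (m) => Buffer.from(JSON.stringify([m.seq, m.ts, m.body]));

function signSignal(privateKey, seq, ts, body) {
  const msg = { seq, ts, body };
  return { ...msg, sig: sign(null, signedBytes(msg), privateKey) };
}

class SignalVerifier {
  constructor(peerPublicKey) {
    this.peerPublicKey = peerPublicKey;
    this.seen = new Map(); // seq -> ts for accepted messages still in the window
  }
  accept(msg, now) {
    // 1. Signature first, so unauthenticated input never touches replay state.
    if (!verify(null, signedBytes(msg), this.peerPublicKey, msg.sig)) return "bad-signature";
    // 2. Freshness: the signed timestamp must be within the window of our clock.
    if (Math.abs(now - msg.ts) > WINDOW_MS) return "stale";
    // 3. Forget entries that would now fail step 2 anyway, then reject duplicates.
    for (const [seq, ts] of this.seen) if (now - ts > WINDOW_MS) this.seen.delete(seq);
    if (this.seen.has(msg.seq)) return "replay";
    this.seen.set(msg.seq, msg.ts);
    return "ok";
  }
}

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const v = new SignalVerifier(publicKey);
  const t0 = 1_700_000_000_000; // constructed clock value (ms)
  // Constructed ICE candidate using a documentation address (RFC 5737).
  const cand = signSignal(privateKey, 1, t0, "candidate:1 1 udp 2122260223 192.0.2.10 54321 typ host");
  const altered = { ...cand, body: cand.body.replace("192.0.2.10", "203.0.113.7") };
  return [
    v.accept(cand, t0 + 200),                                     // first delivery
    v.accept(cand, t0 + 900),                                     // same message again
    v.accept(altered, t0 + 900),                                  // body changed in transit
    v.accept(signSignal(privateKey, 2, t0, "late"), t0 + 31_000), // outside the window
  ];
}

console.log(demo());
```

Because eviction uses the same threshold as the freshness check, any message whose sequence number has been forgotten would already be rejected as stale, so the seen-set stays bounded without reopening a replay gap.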
03 · Researchers

Security researchers & high-risk individuals.

You trust what you can verify. Lumes composes only standard, published primitives with documented parameters — no homemade crypto — and commits to a 90-day disclosure SLA in writing.

Honest pending is more useful than dishonest verified. — our default answer when audits are not yet shipped
01
You want assurance the crypto isn't homemade or quietly weakened.
Proprietary, unpublished cryptography is where backdoors hide. “Trust us” is not a threat model.
Lumes → No homemade primitives. Lumes composes only standard, independently-specified algorithms — X25519, Ed25519, ChaCha20-Poly1305, Argon2id, HKDF, plus the NIST PQC standards ML-KEM-768 (FIPS 203) and ML-DSA-65 (FIPS 204) — every parameter documented. The full composition is going to independent external audit (Q3 2026). (independent audit)
02
You want to audit the cryptographic primitives without trusting our wrappers.
Hand-rolled crypto is a red flag. So is opaque integration.
Lumes → Every primitive sourced from audited libraries: libsodium (X25519, Ed25519, ChaCha20, Argon2id, HKDF), liboqs (ML-KEM-768, ML-DSA-65 via NIST reference). Wrapper code is < 1 200 LoC and fully covered by the spec. (all 12 layers)
03
You want to test the runtime for memory safety violations.
An app that handles secrets in raw JavaScript memory will leak.
Lumes → SecureString wraps every sensitive buffer, zeroed via sodium.memzero in a finally block on every use. Use-after-zero throws synchronously. Runtime counters published per build. (layer 09)
04
You find a vulnerability.
Disclosure SLA, safe harbour, and bounty terms should be in writing before you start.
Lumes → 48-hour acknowledgement; 14-day patch SLA for critical; 90-day public disclosure with CVE. Bounty tier up to $25k for confirmed critical findings.
05
You want a vendor that admits limitations.
A messenger that claims to have solved the threat model has not understood it.
Lumes → External audit is pending. We say so on the front page. When we ship the audit report, you will see every finding — critical or not. (Manifesto)
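
Scenario 03 in this section describes a SecureString wrapper that is zeroed in a finally block on every use and throws synchronously on use-after-zero. The sketch below is an added illustration of that pattern, not Lumes code; the class body, the counter names, and the use of Buffer.fill(0) as a stand-in for sodium.memzero are assumptions.

```javascript
// Added illustration, not Lumes code. Buffer.fill(0) stands in for sodium.memzero.
const counters = { created: 0, zeroed: 0, useAfterZero: 0 };

class SecureString {
  #buf;
  #zeroed = false;

  constructor(bytes) {
    this.#buf = Buffer.from(bytes); // private copy; the caller wipes its own
    counters.created++;
  }

  // Hand the secret to fn exactly once; wipe it whatever fn does.
  use(fn) {
    if (this.#zeroed) {
      counters.useAfterZero++;
      throw new Error("SecureString: use after zero");
    }
    try {
      const out = fn(this.#buf);
      // An async callback would still hold the buffer after the wipe below.
      if (out && typeof out.then === "function") {
        throw new TypeError("SecureString: callback must be synchronous");
      }
      return out;
    } finally {
      this.#buf.fill(0);
      this.#zeroed = true;
      counters.zeroed++;
    }
  }

  // Keep the secret out of logs and serialisers.
  toString() { return "[SecureString]"; }
  toJSON() { return "[SecureString]"; }
}

function demo() {
  const s = new SecureString(Buffer.from("constructed-sample-secret")); // constructed value
  let leaked; // a reference that escapes the callback, to show it ends up zeroed
  const length = s.use((buf) => { leaked = buf; return buf.length; });
  let threw = false;
  try { s.use((buf) => buf.length); } catch { threw = true; }
  return { length, wiped: leaked.every((b) => b === 0), threw, counters };
}

console.log(demo());
```

A created count that exceeds the zeroed count at the end of a test run points to a secret that was wrapped but never consumed, which is the kind of signal a per-build counter report can surface.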
04 · Defense

Armed forces & security services.

Operational communications either fail closed or fail catastrophically. Lumes treats the captured handset, the interrogated operator, and the state-level interceptor as the default case — not the exception.

The radio was encrypted. The handset, once captured, was not. — the failure mode Lumes is built around
01
A handset is captured in hostile territory.
Once a device leaves friendly control, forensic extraction is a matter of time, not capability. Standard storage encryption falls the moment it is unlocked.
Lumes → Every long-term secret sits inside an Argon2id PIN-bound envelope. A full storage dump yields ciphertext indistinguishable from random — the capture buys the adversary nothing without the PIN. (layer 01)
02
An operator is captured and interrogated.
Coercion is part of the threat model. Cryptography is useless if the only options are silence or full disclosure.
Lumes → The duress PIN unlocks an empty-shell session while silently zeroing identity material, prekeys, and mission keys across four independent enforcement layers — indistinguishable from a normal unlock. (layer 11)
03
A tactical group changes composition mid-operation.
Units rotate, members are added and removed, and a single compromised handset must never expose the whole channel's history.
Lumes → Group symmetric keys rotate on every membership change and every N messages; forward-secure delete zeroes the full key triple. A compromise reveals only the current window, never the archive. (layers 07 + 12)
04
A state-level adversary records the encrypted channel for later.
Signals intelligence stores today's traffic against tomorrow's quantum computer. Classical key exchange alone does not survive that bet.
Lumes → Every handshake is doubly signed (Ed25519 + ML-DSA-65) over a hybrid KEM (X25519 + ML-KEM-768). Breaking one algorithm family leaves the other intact — harvest-now-decrypt-later fails. (layers 03–06)
05
Procurement demands verifiable, backdoor-free cryptography.
Defense acquisition cannot rest on “trust us”. Proprietary, unpublished crypto is a non-starter for an auditable supply chain.
Lumes → No homemade primitives — only standard, independently specified algorithms (X25519, Ed25519, ChaCha20-Poly1305, Argon2id, HKDF, ML-KEM-768, ML-DSA-65) from audited libraries, every parameter documented and headed to independent external audit. (independent audit)

Read the technical spec.

Every scenario above maps to one or more of the 12 cryptographic layers. The spec describes each layer's primitives, parameters, and the threat it is meant to handle.