Most encrypted messengers are designed for the typical user — someone who values privacy but won't lose their life over it. Signal protects that user excellently. So does Threema. We don't try to compete with them.
Lumes is built for the user whose threat model is different. The journalist whose phone is seized at the border. The activist coordinating in a surveillance state. The researcher whose source must never be identified. For them, “good enough” is not good enough. The cost of an encryption failure is not embarrassment — it is years of prison, or worse.
That user is roughly 1% of the people who download an encrypted messenger. The other 99% are well served by Signal. We built Lumes so the 1% can have the same depth of protection at the cryptographic layer that they put into their operational security.
01 — the threat
What “adversarial” actually means.
“Encrypted” is a word that hides a wide range of guarantees. End-to-end encryption alone is necessary but not sufficient when the attacker can:
Seize the device. A Cellebrite UFED or GrayKey unit, sold to police departments and intelligence services, dumps the iOS Keychain and Realm database byte-for-byte. With most messengers, that is a full extract of every conversation. With Lumes, the extract is ciphertext wrapped under a key derived from the user's PIN; without the PIN it cannot be unwrapped. That guarantee is for a device seized locked; a device seized with the app open is the fourth case below.
Run a future quantum computer. The harvest-now-decrypt-later attack is already happening: adversaries record encrypted traffic today, betting that the keys will fall to a cryptographically relevant quantum computer (CRQC) within ten years. X25519 key agreement alone is not safe under that bet; Ed25519 signatures fall to the same attack, though forging them only compromises future sessions, not recorded ones. Lumes runs every handshake as a hybrid: an X25519 exchange and a lattice-based KEM, with the session key derived from both shared secrets, so recorded traffic stays protected unless both are broken.
Coerce the user. No amount of cryptography helps when the threat is a wrench, a customs officer, or a holding cell. Lumes's answer is a duress PIN: a second password, indistinguishable from the primary, that silently zeroes everything. Indistinguishable has to hold all the way down: the same key-derivation cost, the same screen, the same delay, or the coercer learns which PIN was typed.
Dump RAM while the app is running. A running app holds plaintext keys somewhere. Lumes keeps that window measured in microseconds: every sensitive buffer is wrapped in SecureString and zeroed with sodium.memzero the instant it is no longer needed. A RAM dump then yields only what is live at that instant, not the keys that were used a moment before.
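The duress PIN and the zeroing discipline described above, as an added example that is not Lumes code. It assumes a PIN-bound envelope with two slots stored in random order; each slot holds a verifier, the data key wrapped under a PIN-derived pad, and a role bit masked by a PIN-derived byte, so an image of the storage cannot tell which slot is the duress one. Python's standard library has no Argon2id, so hashlib.scrypt stands in with an assumed cost; the structure is the same. Both slots are always evaluated with a constant-time comparison, the duress path wipes the vault and still returns a 32-byte key so the app opens on an empty account, and every derived buffer is a bytearray that is zeroed after use (the transient bytes object scrypt returns cannot be zeroed from Python, a limit of the language the comment notes).

```python
import hashlib
import hmac
import os

# Assumed KDF cost for the example; the real app uses Argon2id.
KDF_COST = dict(n=2**14, r=8, p=1)
KEY_LEN = 32
DERIVED_LEN = 2 * KEY_LEN + 1        # verifier | wrap pad | role-mask byte
PRIMARY, DURESS = 0, 1


def memzero(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place (the sodium.memzero discipline)."""
    buf[:] = bytes(len(buf))


def kdf(pin: str, salt: bytes) -> bytearray:
    # Returned as a bytearray so the caller can zero it; the bytes object
    # scrypt produces internally cannot be zeroed from Python.
    return bytearray(hashlib.scrypt(pin.encode(), salt=salt, dklen=DERIVED_LEN, **KDF_COST))


def xor(a: bytes, b: bytes) -> bytearray:
    return bytearray(x ^ y for x, y in zip(a, b))


class Slot:
    """One PIN-bound envelope. At rest every field is uniform random bytes."""

    def __init__(self, pin: str, role: int, data_key: bytes):
        self.salt = os.urandom(16)
        k = kdf(pin, self.salt)
        self.verifier = bytearray(k[:KEY_LEN])
        # Data key wrapped under a PIN-derived one-time pad (fresh salt per slot).
        self.wrapped = xor(data_key, k[KEY_LEN:2 * KEY_LEN])
        # Role bit masked by a PIN-derived byte: without the PIN this byte is
        # indistinguishable from random, so the image does not reveal the role.
        self.role_enc = k[2 * KEY_LEN] ^ role
        memzero(k)

    def wipe(self) -> None:
        memzero(self.verifier)
        memzero(self.wrapped)
        self.role_enc = 0


class Vault:
    def __init__(self, primary_pin: str, duress_pin: str, data_key: bytes):
        # The duress slot wraps random junk of the same size as the real key.
        slots = [Slot(primary_pin, PRIMARY, data_key),
                 Slot(duress_pin, DURESS, os.urandom(KEY_LEN))]
        if os.urandom(1)[0] & 1:          # storage position must not reveal the role
            slots.reverse()
        self.slots = slots

    def unlock(self, pin: str):
        """Return a 32-byte data key, or None for a wrong PIN.

        Every slot is evaluated on every attempt and compared in constant
        time, so the duress PIN costs exactly what the primary PIN costs.
        """
        found_key, found_role = None, None
        for slot in self.slots:
            k = kdf(pin, slot.salt)
            if hmac.compare_digest(k[:KEY_LEN], slot.verifier):
                found_key = bytes(xor(slot.wrapped, k[KEY_LEN:2 * KEY_LEN]))
                found_role = (slot.role_enc ^ k[2 * KEY_LEN]) & 1
            memzero(k)
        if found_role == DURESS:
            self.wipe()                   # silently zero everything ...
            return os.urandom(KEY_LEN)    # ... and open a fresh, empty account
        return found_key

    def wipe(self) -> None:
        for slot in self.slots:
            slot.wipe()

    def is_wiped(self) -> bool:
        return all(b == 0 for s in self.slots for b in s.verifier + s.wrapped)


def create_vault(primary_pin: str, duress_pin: str):
    """Build a vault around a fresh data key; returns (vault, data_key)."""
    data_key = os.urandom(KEY_LEN)
    return Vault(primary_pin, duress_pin, data_key), data_key


if __name__ == "__main__":
    vault, key = create_vault("2468", "1357")   # constructed sample PINs
    assert vault.unlock("2468") == key           # primary PIN opens the real account
    vault.unlock("1357")                         # duress PIN: same call, vault is now zeroed
    print("wiped:", vault.is_wiped(), "primary still works:", vault.unlock("2468") is not None)
```

Once the duress PIN has been entered, neither PIN opens anything: the verifiers are zeros, so no derived key can match, and the only trace is a vault full of zeros.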
02 — who Lumes is for
The 1%, named.
We don't think of “the 1%” abstractly. We built Lumes for three concrete groups of people:
Source protection is the difference between a published story and a prosecuted source. When a reporter's phone crosses a border, the assumption should be that it will be searched. Argon2id-bound envelopes mean a customs forensic dump yields nothing without the reporter's PIN, and the duress PIN gives the reporter a second answer to hand over when refusing is not an option.
Coordination in a surveillance state is high-stakes by definition. Disappearing messages in most apps delete the plaintext but leave the keys that encrypted it; Lumes zeroes the message key, the prekey, and the group symmetric key, so a device compromised tomorrow cannot reconstruct yesterday's conversation from captured ciphertext.
People whose threat model is verifiable, not generic. They want primitives they can audit, code they can read, and a vendor that will tell them when something is wrong. Twelve independent layers; verifiable build hashes; a 90-day disclosure SLA in writing.
03 — pledges
What we will, and will not, do.
A messenger's threat model is only as honest as the company behind it. The cryptography we ship matters less than the choices we are willing to commit to in writing.
We will not:
- Run telemetry or analytics of any kind
- Sell any user-level data, ever
- Compromise the threat model for adoption
- Add growth-hack features (read receipts off by default; no online status)
- Claim what we cannot prove
- Negotiate with backdoor requests
We will:
- Publish every external audit in full
- Disclose vulnerabilities within 90 days of patching
- Keep the comparison honest about where others beat us
- Ship security fixes before features
- Pay bounties on confirmed findings
- Tell you when we are wrong
04 — where we are
Pre-audit. Honestly.
Lumes is not yet externally audited. The current build is internal-review-complete: 24 CRITICAL and 38 HIGH findings closed across nine sprints, written up in our internal advisory log. That is not the same as an external audit. We will not pretend it is.
External audit is scoped for Q3 2026. The auditor, the scope, and the final report will be public the day the engagement closes. If the audit surfaces a critical issue, that issue will be on the front page of this site until it is closed.
05 — what we don't claim
Where Signal still wins.
We are precise about the comparison because the people we built this for read the fine print.
Signal has a deeper trust history. The Signal protocol has been peer-reviewed for a decade and externally audited multiple times. Until we ship the same evidence, we do not claim the same standing.
Threema has Swiss jurisdiction. If your threat model includes lawful-intercept warrants under specific national regimes, Threema's GDPR-and-FADP combination is currently the strongest answer on the market.
Both have larger user bases. A messenger is only as useful as the network of people on it. If the colleagues you need to talk to are on Signal today, the right move today is Signal. We expect that to change for the 1% over time; we do not expect it for everyone.
06 — the bet
Why we are doing this anyway.
We believe the threat model is changing. State-level surveillance budgets are rising. Forensic extraction is no longer rare. Quantum cryptanalysis is a question of when, not if. The slow consolidation of metadata at every tier of the network is happening whether or not the typical user notices.
For most people, the existing tools will continue to be enough. For the 1%, they will not. Lumes is the messenger built for the user who cannot afford to be wrong.
Built for users who need real security, not marketing.