Security.

A short page summarising what Lattice defends against and what it doesn't, with links to the full threat model, audit reports, and disclosure policy. The detail lives in the white papers and the technical specifications; this page is the index.

The 60-second summary.

   What is protected:
   ──────────────────
     ✓ Message contents in transit  (ChaCha20-Poly1305 AEAD)
     ✓ Message contents at rest     (per-cell AEAD in the local DB)
     ✓ Identity authenticity        (Ed25519 signatures, hybrid PQ session)
     ✓ Forward secrecy              (Noise XX ratchet + per-message nonce)
     ✓ Post-compromise security     (MLS for groups, double ratchet 1:1)
     ✓ Quantum-resistance           (ML-KEM-768 mixed into every session)
     ✓ Sender / recipient unlinking (sealed-sender tags, padding buckets)
     ✓ Recipient privacy from relays(onion-wrapping for high-threat sends)

   What is not protected:
   ──────────────────────
     ✗ Endpoint compromise          (rooted phone wins; out of scope)
     ✗ User error                   (lost seed = lost identity, by design)
     ✗ Radio-presence detection     (BLE adverts are visible to anyone in
                                     range — your *presence* on the mesh
                                     is detectable, your *content* is not)
     ✗ Global passive observer
       with traffic confirmation    (Tor doesn't either)
     ✗ Denial-of-service jamming    (no consumer app can defend against
                                     deliberate radio jamming)
  

Threat model — three tiers.

T1 — Local passive radio observer.

An adversary in BLE / Wi-Fi range capturing every byte you transmit. Defences: ChaCha20-Poly1305 AEAD per packet (RFC 8439), padding to 256/512/1024/2048 bucket sizes (defeats length-correlation attacks), sealed-sender recipient tags (relays can't tell who packets are for), optional Poisson cover-traffic emission (uncorrelates user activity from wire activity). Limit: your presence as a Lattice user is detectable from the BLE service UUID we advertise. We do not pretend otherwise; that's the cost of working without a server.

T2 — Local active radio adversary.

Same range as T1 plus the ability to inject and modify packets. Defences: AEAD authentication tags reject any modification, time-windowed Bloom dedupe rejects replays, sliding-window nonce protection at the session layer rejects out-of-order replays inside a session, Ed25519 signatures on every introduction / vote / burn command. Limit: an active adversary in your local airwave can deny service by jamming. No application can prevent radio jamming on consumer phones.

T3 — Network-level adversary (state-level resources, traffic confirmation).

An adversary with access to multiple physical observation points, doing classical traffic-confirmation analysis (timing, volume, correlation). Defences: cover traffic in high-threat mode, optional 3-layer onion wrapping with X25519 per layer, optional Tor v3 bridge for the bridged-internet path. Limit: a sufficiently capable adversary can do traffic confirmation against any messenger. Tor admits this. We admit it. The defence against this class is not running the app, or running it inside a much larger anonymity set than we currently provide.

What is explicitly out of scope.

• Rooted / jailbroken devices. If the OS is compromised, the OS sees what the user sees, including unlocked Lattice. We do not promise to defend against this and never will.
• Supply-chain attacks against our dependencies. We pin Cargo.lock, run cargo audit + cargo deny on every PR, and publish dependency hashes in our BUILD-MANIFEST. But ultimately, if RustSec misses a backdoor in a transitive dep, we miss it too.
• Physical coercion. Our duress-PIN feature wipes the device on a duress credential, but a sufficiently determined adversary with physical control of the phone and the user can extract whatever the user knows. No software can fix this.
• Loss of seed. By design — there is no recovery path. The trade-off is real and permanent.

The full threat model with every defence cited to a specific source file: WP-01 — Threat Model.

Cryptography.

Standards we conform to or use, in alphabetical order:

• BIP-39 mnemonic generation + PBKDF2-HMAC-SHA512 seed derivation.
• FIPS 180-4 SHA-256 / SHA-512.
• FIPS 197 / NIST SP 800-38D AES-256-GCM (Android Keystore wrap only).
• FIPS 198-1 HMAC.
• FIPS 203 ML-KEM-768 (post-quantum key encapsulation).
• RFC 5869 HKDF.
• RFC 7748 X25519 / Curve25519.
• RFC 8032 Ed25519 / EdDSA.
• RFC 8439 ChaCha20-Poly1305 AEAD (IETF profile).
• RFC 8949 CBOR (canonical encoding).
• RFC 9420 MLS (group security).
• Noise Protocol Framework rev 34, XX pattern with Hybrid Forward Secrecy extension.

Full mapping with citations and implementation crate names: Specifications.

Audit history.

Pre-v1.0 audit is being commissioned with one of Trail of Bits, Cure53, or Latacora. Scope: cryptography, identity layer, Lattice Invite protocol, MLS integration. Timeline: completes before v1.0.0.

Post-launch audit cadence:

• 6 months in production — implementation drift since v1.0.
• Annually thereafter.

Reports will be published in full unless they contain unfixed critical issues, in which case publication is delayed until fix. Public advisory log will live at lattice.fyi/advisories.

Reporting a vulnerability.

Please drop a note in our Matrix room, encrypted to our PGP key (public key, key fingerprint posted on this page once it's generated). We acknowledge receipt within 72 hours and commit to a fix or documented mitigation within 90 days for critical issues. Researchers who follow the policy are publicly credited (or remain anonymous by request) and are explicitly safe-harboured against legal action by us for good-faith research.

Full policy: /security-disclosure.

What you can do as a researcher.

• Read the white papers and specifications — these document the protocol fully ahead of the source release.
• Reverse-engineer the signed binary — the wire format, packet layout, padding buckets, and key-derivation labels in the papers are byte-precise, so you can verify that what's on the wire matches what's claimed.
• When v1.0 ships and the source is public, you'll also be able to: run our release checks (fmt, clippy, full test suite, 1000-case property-test soak, fuzz smoke, audit, deny), run our fuzzers across lattice-packet, lattice-mls, lattice-intro, lattice-location, lattice-mesh, and run our 10,000-node Glastonbury-density mesh simulator from a fixed seed.
• If you can break a documented defence at any stage, please tell us. We'll publish your finding and the fix.