Risk Model Assumptions

Cipher Threat Model

Cipher’s threat model is based on a hostile and surveilled environment where:

  • No external system or server can be trusted

  • All communication layers may be compromised

  • Attackers may obtain device-level metadata, network traffic, and physical access to devices

  • Users might be targeted with phishing, interception, or device-level intrusions

To remain resilient, Cipher adopts the following defensive posture:

1. Trust No Server

Cipher assumes:

  • Any server or cloud dependency is a liability

  • Centralized key storage or transmission is a structural flaw

  • Only fully client-side computation ensures true privacy

Cipher performs all cryptographic operations locally, without sending data to or receiving data from any server.

2. Communication Channels Are Untrusted

Cipher considers:

  • All transport layers (email, chat apps, etc.) as exposed and non-confidential

  • Metadata (who, when, how often) as potentially revealing

  • Visibility of message content as its only protection scope

Cipher encrypts all messages into opaque ciphertext that cannot be correlated with the original data.

3. Endpoints Are Vulnerable

Cipher acknowledges:

  • Devices may be physically compromised

  • User sessions may be tampered with

  • Malicious apps may attempt to read local storage or screen content

Cipher encourages:

  • Minimal on-device persistence

  • No message logs

  • Stateless operation to reduce attack surface

4. Cryptographic Strength Alone Is Insufficient

Cipher operates under the principle that:

  • Secure channels must combine entropy, structure, and polymorphism

  • Layered encryption adds nonlinear complexity

  • Brute-force resistance is probabilistic, not deterministic

Cipher is designed to exponentially increase uncertainty per layer, making targeted decryption computationally infeasible.
