Security Model

UNDERWORLD is a restricted-security encrypted messenger designed for high-risk communication, hostile networks, metadata-sensitive environments, and situations where ordinary consumer privacy is not enough.

The security model is built around local encryption, device-bound identity, anonymity-network routing, fail-closed delivery, relay distrust, metadata minimization, attachment sanitization, active attack detection, and hardened release controls.

UNDERWORLD does not treat the server as trusted. It does not treat the network as trusted. It does not treat cloud recovery as safe. It does not treat convenience features as harmless.

Every layer is designed to reduce exposure before a message leaves the device.

RESTRICTED SECURITY ONLY

UNDERWORLD does not include a weak mode, standard mode, convenience mode, or insecure fallback mode.

The app is designed around one security posture:

Encrypted locally.
Routed through protected anonymity networks.
Delivered as ciphertext only.
Stored locally.
Failed closed when secure routing is unavailable.

No plaintext relay.
No direct fallback.
No contact upload.
No cloud backups.
No notification previews.
No server-side recovery.
No exposed social presence.
No sensitive release logs.

Features that commonly create exposure in consumer messengers are removed, blocked, or redesigned.

DEVICE-BOUND CRYPTOGRAPHIC IDENTITY

UNDERWORLD identity material is generated and stored locally on the user’s device.

The user’s cryptographic identity is not recovered from the cloud, synchronized through a central account, or rebuilt from a server-side backup.

This creates a harder security boundary:

The server cannot restore the identity.
The relay cannot reconstruct the identity.
The cloud cannot recover private keys.
A third party cannot request server-side key recovery.

If the device and its cryptographic identity material are lost, the identity is gone with it.

This is a deliberate security decision. It removes the recovery channel because recovery channels can become breach channels, seizure channels, coercion channels, or unauthorized access channels.

END-TO-END ENCRYPTION LAYER

UNDERWORLD encrypts message content before transport begins.

The message is sealed locally on the sender’s device and decrypted locally on the recipient’s device. The relay handles encrypted payloads only.

The encryption layer is designed around modern secure-messaging principles:

X3DH-style session establishment.
Double Ratchet message evolution.
Message-key isolation.
Forward secrecy.
Post-compromise recovery behavior.
Authenticated encryption.
Local identity binding.
Per-conversation cryptographic state.

The relay is never part of the trust boundary for plaintext.

X3DH-STYLE SESSION ESTABLISHMENT

UNDERWORLD uses an X3DH-style key agreement model for establishing secure sessions between contacts.

The purpose of this layer is to let two users establish shared cryptographic material without exposing plaintext secrets to the relay.

The model is designed around:

Long-term identity keys.
Ephemeral key agreement.
Pre-key style session initialization.
Contact identity binding.
Session material derived locally.
Relay transport without plaintext trust.

The relay may help move encrypted handshake material, but it does not receive the final plaintext session state.

DOUBLE RATCHET MESSAGING

UNDERWORLD uses a Double Ratchet-style messaging model so conversation keys evolve over time.

Instead of relying on one static conversation secret, the cryptographic state advances as messages are exchanged.

This provides important security properties:

Forward secrecy.
Limited damage from key compromise.
Fresh message keys over time.
Isolation between message states.
Reduced exposure from captured historical traffic.
Recovery of security after state advancement when possible.

If one message key is exposed, the design should not automatically expose the entire conversation.

The conversation keeps moving cryptographically.

MESSAGE-KEY ISOLATION

UNDERWORLD isolates message encryption material so each message has its own derived protection.

This reduces blast radius.

A compromised message should not unnecessarily expose unrelated messages. A malformed message should not poison the entire session. A replayed message should not be accepted as fresh communication.

Message-key isolation supports the active alarm model, replay resistance, duplicate-message detection, and tamper detection.

AUTHENTICATED ENCRYPTION

UNDERWORLD uses authenticated encryption to protect both confidentiality and integrity.

Encrypted messages must not only be unreadable. They must also be protected against modification.

Authentication-tag failure is treated as a security event, not as a normal parsing failure.

If ciphertext is modified, forged, corrupted, replayed, or injected, the app can detect that the encrypted payload can no longer be trusted.

This supports protection against:

Message tampering.
Packet injection.
Relay forgery.
Malformed ciphertext.
Authentication-tag failure.
Modified attachment payloads.
Manipulated encrypted capsules.

POST-QUANTUM HYBRID DEFENSE

UNDERWORLD implements a post-quantum hybrid defense model designed to reduce long-term interception risk and store-now-crack-later exposure.

The model combines classical cryptographic protection with quantum-resistant key-establishment direction.

This is aligned with the cryptographic direction published by the U.S. National Security Agency through CNSA 2.0 for future quantum-resistant protection of National Security Systems.

The purpose is not to claim government certification.

The purpose is to harden UNDERWORLD against the possibility that encrypted traffic captured today could be attacked later using more powerful future capabilities.

UNDERWORLD’s post-quantum hybrid model is designed for:

Long-term confidentiality.
Quantum-risk reduction.
Hybrid key agreement.
Classical plus post-quantum protection.
Store-now-crack-later resistance.
High-risk communication longevity.

UNDERWORLD does not claim NSA approval, military certification, or government endorsement.

It is CNSA 2.0-aligned in cryptographic direction, not government-certified.

CNSA 2.0-ALIGNED CRYPTOGRAPHIC DIRECTION

CNSA 2.0 is the NSA-published direction for quantum-resistant cryptographic protection of U.S. National Security Systems.

UNDERWORLD references this direction because high-risk communication should not only defend against today’s interception. It should also consider future decryption risk.

In UNDERWORLD, this means the cryptographic architecture is designed around:

Post-quantum hybrid defense.
Strong authenticated encryption.
Modern key-agreement direction.
Future-resistant security planning.
Avoidance of obsolete cryptographic assumptions.
Protection against long-term captured traffic.

This gives the system a stronger security direction than ordinary consumer messaging designs that only focus on current confidentiality.

ZERO CLOUD TRUST

UNDERWORLD does not trust the cloud with private communication material.

There is no remote message storage.
No cloud backups.
No contact upload.
No recovery backdoor.
No hidden server-side copy waiting to be restored, seized, or exposed.

Private identity material remains local.
Private conversation data remains local.
Message plaintext remains local.
Recovery is not delegated to a cloud service.

This architecture removes an entire class of attacks created by centralized recovery systems, account restoration systems, cloud sync, contact discovery databases, and backup extraction.

Privacy is enforced by architecture, not by promise.

NO CONTACT UPLOAD

UNDERWORLD does not upload the user’s address book.

Contact discovery is one of the most dangerous convenience features in ordinary messaging apps because it can expose relationship graphs.

In high-risk communication, the relationship between two people may be as sensitive as the content of the message.

UNDERWORLD avoids centralized social graph construction.

The server should not learn who is in the user’s contact list.
The relay should not build contact relationships.
The app should not leak address books for convenience.
Private relationships remain local.

ANONYMITY-NETWORK ROUTING

UNDERWORLD reduces direct network exposure by routing communication through hardened anonymity networks such as Tor and I2P.

The routing layer is separate from the encryption layer.

Encryption protects the message.
Tor or I2P protects the route.
The relay moves ciphertext.
The recipient decrypts locally.

This separation is important.

Even if a transport layer is observed, the message remains encrypted.
Even if the relay receives traffic, it should receive ciphertext only.
Even if the network is hostile, direct exposure is reduced by protected routing.

TOR-ONLY FAIL-CLOSED RELEASE ROUTING

UNDERWORLD release behavior is designed to fail closed.

If Tor routing cannot be established in release mode, message transmission must not silently fall back to ordinary internet routing.

No direct path.
No plaintext route.
No insecure relay fallback.
No silent downgrade.
No convenience bypass.

If secure routing fails, delivery stops.

This prevents hostile networks from forcing the app into a weaker communication mode.

I2P ISOLATION MODULE

UNDERWORLD also supports an I2P isolation direction for routing diversity and future hardened anonymity-network support.

I2P is treated as a protected routing layer, not as a replacement for end-to-end encryption.

The same security principle applies:

The message is encrypted locally before routing.
The routing layer must not receive plaintext.
The relay must not become trusted.
Fallback must not create direct exposure.

I2P support strengthens UNDERWORLD’s long-term architecture by avoiding dependence on a single anonymity network model.

ZERO-KNOWLEDGE RELAY DESIGN

UNDERWORLD’s relay is designed as a ciphertext transport component.

The relay should not know message plaintext.
The relay should not hold user private keys.
The relay should not recover conversations.
The relay should not provide cloud identity recovery.
The relay should not expose direct plaintext delivery.

Its job is to move encrypted payloads between users.

This creates a relay-distrust model: the relay may be available, unavailable, observed, attacked, or hostile, but it should not become a plaintext compromise point.

RELAY PURGE AND MINIMUM STORAGE PRINCIPLE

UNDERWORLD is designed to avoid long-term server-side retention of private communication material.

The relay should hold only what is necessary for delivery and should avoid becoming a permanent message archive.

This reduces exposure from:

Relay seizure.
Relay compromise.
Infrastructure provider access.
Storage leakage.
Operational mistakes.
Long-term metadata accumulation.

The relay is transport, not memory.

RELIABLE DELIVERY WITHOUT TRUSTING THE RELAY

UNDERWORLD includes reliability logic for message delivery while preserving the relay-distrust model.

The system can queue, retry, and drain pending encrypted messages without converting the relay into a trusted plaintext storage service.

Reliability is handled around ciphertext movement, not cloud message recovery.

The goal is to improve delivery without weakening the security model.

METADATA DEFENSE

UNDERWORLD treats metadata as sensitive.

In hostile environments, the metadata around a message can be as dangerous as the message content.

UNDERWORLD reduces metadata exposure through:

No contact upload.
No online status.
No last-seen markers.
No typing indicators.
No notification previews.
No cloud backups.
No social discovery.
No public profile dependency.
No ordinary direct relay path.
Anonymity-network routing.
Decoy relay traffic.
Attachment sanitization.
Local identity storage.

The objective is to reduce what the app reveals about who communicates, when they communicate, how they communicate, and what files they carry.

NO SOCIAL PRESENCE LEAKS

UNDERWORLD avoids common messenger features that expose behavior.

No typing indicators.
No online status.
No last seen.
No public availability signal.

These features may seem harmless in consumer apps, but in hostile environments they can reveal that a person is awake, active, communicating, or under pressure.

UNDERWORLD removes these signals by design.

NOTIFICATION PRIVACY

UNDERWORLD keeps notifications generic by default.

A locked screen should not expose message content, sender names, sensitive filenames, or communication context.

Notification previews are treated as an external leak surface.

The protected app screen is the correct place to see sensitive content. The operating-system notification surface is not.

DECOY RELAY TRAFFIC

UNDERWORLD supports encrypted decoy relay traffic.

Decoy payloads are designed to look like normal encrypted relay traffic while carrying no real conversation content.

The purpose is to reduce traffic-analysis clarity.

Even when message content is unreadable, observers may still analyze timing, volume, activity bursts, and communication patterns. Decoy traffic adds background encrypted motion to make real communication harder to isolate.

Decoy traffic is not a promise of invisibility.

It is a metadata-defense layer that reduces signal quality for observers.

CIPHERTEXT PADDING AND TRAFFIC SHAPING DIRECTION

UNDERWORLD’s security model includes ciphertext-shaping principles to reduce unnecessary information leakage from message size and traffic pattern behavior.

The goal is to avoid making encrypted payloads too easy to classify by size, timing, or structure.

Where implemented, padding and decoy traffic work together:

Padding reduces payload-shape leakage.
Decoys reduce activity-pattern clarity.
Tor and I2P reduce direct network traceability.
Fail-closed routing prevents downgrade exposure.

ATTACHMENT SANITIZATION

UNDERWORLD treats attachments as a major attack surface.

Files can expose:

EXIF metadata.
Device identifiers.
File paths.
Author names.
Application metadata.
GPS coordinates.
Embedded thumbnails.
Misleading extensions.
Risky MIME mismatches.
Oversized payload abuse.
Path-traversal attempts.
Dangerous content types.

UNDERWORLD includes an attachment sanitization layer designed to reduce metadata exposure before files are shared.

Attachments are not treated as neutral content.

They are inspected, constrained, and sanitized.

DANGEROUS ATTACHMENT HARDENING

UNDERWORLD’s attachment-defense model includes checks against risky file behavior and metadata deception.

The app is designed to detect or block conditions such as:

Attachment path traversal.
Dangerous attachment type.
Risky MIME mismatch.
Oversized attachment abuse.
Attachment metadata deception.
Malformed attachment packets.
Suspicious file identity mismatch.

This reduces the chance that files become a side channel for tracking, exploitation, or identity exposure.
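
The checks listed above can be expressed as one inspection pass that returns every finding for an incoming attachment. This is an added example, not UNDERWORLD's own code; the size limit, the extension block list, and the small magic-byte table are assumptions chosen for illustration.

```python
import os
from pathlib import PurePosixPath, PureWindowsPath

MAX_BYTES = 8 * 1024 * 1024  # assumed limit, not a value from the page

# Leading "magic" bytes for a few formats (illustrative subset).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\x7fELF", "application/x-elf"),
    (b"MZ", "application/x-msdownload"),
]
# Allow list: only these extensions are accepted, each with one MIME type.
EXT_TO_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".png": "image/png", ".pdf": "application/pdf"}
DANGEROUS_EXT = {".apk", ".exe", ".bat", ".cmd", ".sh", ".js", ".jar", ".lnk"}
DANGEROUS_MIME = {"application/x-elf", "application/x-msdownload"}


def sniff(data):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def inspect_attachment(name, declared_mime, data, max_bytes=MAX_BYTES):
    """Return a list of findings; an empty list means the file may proceed."""
    findings = []
    # The name must be a bare file name under both POSIX and Windows rules,
    # so "../x", "..\\x", "C:x" and "dir/x" are all rejected.
    if ("\x00" in name or name in ("", ".", "..")
            or PurePosixPath(name).name != name
            or PureWindowsPath(name).name != name):
        findings.append("path-traversal")
    ext = os.path.splitext(name.lower())[1]   # last extension wins: a.jpg.exe -> .exe
    sniffed = sniff(data)
    if ext in DANGEROUS_EXT or sniffed in DANGEROUS_MIME:
        findings.append("dangerous-type")
    # Extension, declared type and file content must all agree.
    if EXT_TO_MIME.get(ext) != declared_mime or sniffed != declared_mime:
        findings.append("mime-mismatch")
    if len(data) > max_bytes:
        findings.append("oversized")
    return findings
```

Unknown extensions and unrecognised content are reported as a mismatch rather than passed through, which matches the block-first posture described on this page.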

ACTIVE INCOMING ATTACK ALARMS

UNDERWORLD includes active alarm logic for suspicious attack conditions.

The app is designed to warn when the communication environment shows signs of interference, manipulation, downgrade attempts, or breach risk.

UNDERWORLD can raise warnings for conditions such as:

Packet injection attempt.
Replay attack.
Message tampering.
Authentication-tag failure.
Malformed packet attack.
Duplicate message-ID attack.
Duplicate encrypted-message attack.
Sender-binding attack.
Contact identity substitution attack.
Ratchet-state attack.
Skipped-key abuse attack.
Relay message-forgery attempt.
Attachment path-traversal attack.
Dangerous attachment attack.
Risky MIME mismatch attack.
Oversized attachment abuse.
Attachment metadata deception.
Tapjacking or obscured-touch attack.
Screen overlay attack.
Insecure routing downgrade attempt.

The principle is simple:

Block first.
Warn fast.
Escalate when trust breaks.

AUTHENTICATION AND IDENTITY-SUBSTITUTION DEFENSE

UNDERWORLD protects against attempts to confuse or replace contact identity.

Contact identity substitution is treated as a serious security event because a successful substitution can redirect communication toward an attacker.

The security model includes sender binding, identity verification direction, contact-specific cryptographic state, and alarm behavior when identity assumptions no longer match.

A secure messenger must not only encrypt messages.

It must protect who the message is encrypted to.

REPLAY AND DUPLICATE-MESSAGE DEFENSE

UNDERWORLD detects replay and duplicate-message conditions.

A replayed encrypted message should not be accepted as fresh communication.

Duplicate message IDs, duplicate encrypted payloads, and suspicious replay behavior can indicate relay manipulation, network interference, or attack attempts.

These events are handled as security conditions, not harmless delivery noise.

RATCHET-STATE HARDENING

UNDERWORLD’s Double Ratchet-style model requires careful state handling.

Ratchet-state attacks, skipped-key abuse, and invalid message ordering can create security risk if not handled correctly.

UNDERWORLD treats suspicious ratchet behavior as part of the active alarm model.

The app is designed to protect against unsafe state manipulation and to avoid silently accepting cryptographic inconsistencies.
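
The receive-side behaviour described under message-key isolation, replay defense and ratchet-state hardening can be shown with a single symmetric chain. This is an added example, not UNDERWORLD's code: the chain step follows the HMAC-SHA256 construction recommended in the Signal Double Ratchet specification, an HMAC tag stands in for the AEAD tag (no encryption is performed), and `MAX_SKIP`, the packet layout and the event names are assumptions.

```python
import hashlib
import hmac

MAX_SKIP = 32   # assumed cap on stored skipped keys (not a value from the page)
TAG_LEN = 32


class SecurityEvent(Exception):
    """Raised for conditions the caller should surface as an alarm."""


def kdf_ck(chain_key):
    """One chain step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key


def _tag(message_key, data):
    return hmac.new(message_key, data, hashlib.sha256).digest()


class SendChain:
    def __init__(self, chain_key):
        self.ck, self.n = chain_key, 0

    def send(self, body):
        """Packet layout (constructed): 4-byte counter | body | 32-byte tag."""
        self.ck, mk = kdf_ck(self.ck)
        data = self.n.to_bytes(4, "big") + body
        self.n += 1
        return data + _tag(mk, data)


class ReceiveChain:
    def __init__(self, chain_key):
        self.ck, self.next_n, self.skipped = chain_key, 0, {}

    def receive(self, packet):
        if len(packet) < 4 + TAG_LEN:
            raise SecurityEvent("malformed-packet")
        data, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        n = int.from_bytes(data[:4], "big")
        if n < self.next_n:
            # Older counter: valid only if its key was skipped and never used.
            mk = self.skipped.get(n)
            if mk is None:
                raise SecurityEvent("replay")
            self._check(mk, data, tag)
            del self.skipped[n]          # one key, one message
            return data[4:]
        gap = n - self.next_n
        if len(self.skipped) + gap > MAX_SKIP:
            raise SecurityEvent("skipped-key-abuse")
        # Derive on local copies; state is committed only after the tag verifies,
        # so a forged packet cannot advance or poison the chain.
        ck, pending = self.ck, {}
        for i in range(self.next_n, n):
            ck, pending[i] = kdf_ck(ck)
        ck, mk = kdf_ck(ck)
        self._check(mk, data, tag)
        self.ck, self.next_n = ck, n + 1
        self.skipped.update(pending)
        return data[4:]

    @staticmethod
    def _check(mk, data, tag):
        if not hmac.compare_digest(_tag(mk, data), tag):
            raise SecurityEvent("authentication-tag-failure")
```

Because each message key is a one-way output of the chain key, learning one message key reveals neither the chain key nor any other message key.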

BLACKOUT MODE

Blackout Mode is UNDERWORLD’s emergency offline capsule system.

It is designed for situations where the internet is blocked, unavailable, unsafe, or too exposed to trust.

In Blackout Mode, the user can prepare encrypted offline message capsules.

Those capsules can later be moved through local carriers such as:

QR transfer.
File transfer.
Wi-Fi transfer.
Bluetooth transfer.
Physical handoff.
Other controlled local channels.

The carrier does not receive plaintext.

Blackout Mode does not activate automatically.
It does not perform blind fallback.
It does not downgrade into plaintext transfer.

The user enters manually and stays in control.

SILENT WITNESS SECURITY MODEL

Silent Witness is designed for high-risk source-side communication and sensitive evidence preparation.

It is not a social network.
It is not a leak marketplace.
It is not a publishing platform.
It is not a casual sharing feature.

Silent Witness focuses on:

Local preparation.
Evidence control.
Encrypted packaging.
Destination verification.
Endpoint checks.
Fingerprint checks.
Tor-routed transmission.
Hostile-environment protection.
Reduced phishing and wrong-destination risk.

It can guide users toward trusted public-interest reporting destinations while keeping the user-side process protected.

UNDERWORLD does not decide what truth is.
UNDERWORLD does not publish.
UNDERWORLD does not investigate.
UNDERWORLD does not edit evidence.
UNDERWORLD does not act as a media organization.

It protects the source-side process before exposure occurs.

APP LOCK

UNDERWORLD includes local app-lock protection to reduce casual and opportunistic access to the app.

The app-lock layer protects the user interface and local access path, especially when the device is handled by someone else.

App Lock is not a replacement for device security, full-disk encryption, or a strong operating-system lock.

It is an additional local barrier inside the application.

DURESS PIN AND LAST-RESORT PROTECTION

UNDERWORLD supports a secondary duress PIN for forced-access scenarios.

If the user is forced to unlock the app, the duress PIN can trigger an irreversible local security response that destroys sensitive local data before it can be exposed.

This feature is designed for extreme pressure situations.

No warning.
No recovery prompt.
No cloud restore.
No second chance.

The normal PIN opens the app.
The duress PIN protects the last line.

ANDROID HARDENING

UNDERWORLD is hardened for Android release behavior.

The Android security model includes:

No cloud backups.
No notification previews.
No sensitive logs.
No contact upload.
No plaintext relay.
Restricted routing policy.
Release fail-closed behavior.
Secure local identity storage.
App lock protection.
Duress PIN path.
Attachment sanitization.
Overlay and tapjacking detection.
Obscured-touch defense.
Debug-only tools blocked from release.
Release signing enforcement.

Android convenience behaviors that increase exposure are disabled or restricted.

TAPJACKING AND SCREEN OVERLAY DEFENSE

UNDERWORLD includes protection against obscured-touch and screen overlay attacks.

These attacks attempt to trick users into tapping sensitive controls while another app overlays or manipulates the screen.

UNDERWORLD treats overlay and obscured-touch conditions as security-relevant.

This protects sensitive actions such as unlocking, sending, confirming, deleting, or handling protected content.

SECURE LOGGING FACADE

UNDERWORLD avoids sensitive production logging.

Security-sensitive applications must not leak secrets through logs.

UNDERWORLD uses a secure logging approach to prevent direct sensitive logs from surviving into release builds.

The release hardening model blocks direct unsafe logging patterns and prevents debug-style internal state exposure.

Logs must not contain:

Message plaintext.
Private keys.
Identity secrets.
Sensitive routing details.
Attachment contents.
Security tokens.
Contact secrets.
Relay secrets.
Duress events.
User private content.

RELEASE LOCKDOWN

UNDERWORLD includes release lockdown checks to prevent debug-only behavior from entering production.

Release hardening includes checks for:

No debug receivers in release.
No insecure local debug relay fallback.
No plaintext relay in release.
No sensitive logs.
No backup exposure.
No notification previews.
No direct routing fallback.
Onion-only release policy.
Release signing enforcement.
Anti-leak validation.
Final release validation.

The release build must preserve the security model, not bypass it.

TOR AND I2P ONLY RELEASE LOCK

UNDERWORLD includes a production onion-only release lock.

This ensures release builds remain aligned with protected routing requirements.

The release build must not silently use a direct endpoint when Tor/onion routing is required.

If the protected route is not available, the release posture is to fail closed.

This prevents hostile networks from triggering downgrade behavior.
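
The fail-closed rule from the Tor-only routing section and the onion-only release lock above can be enforced as a route-selection check that either returns an onion endpoint or raises. This is an added example, not UNDERWORLD's code: `select_route`, `RouteBlocked` and the endpoint tuples are hypothetical names, the address check follows the Tor v3 onion-service address format, and I2P destinations are not covered.

```python
import base64
import binascii
import hashlib


class RouteBlocked(Exception):
    """Delivery must stop; the caller never retries over a direct path."""


def onion_checksum(pubkey, version=b"\x03"):
    # v3 address checksum: first 2 bytes of SHA3-256(".onion checksum" | key | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def make_onion(pubkey):
    """Build a v3 onion name from 32 bytes (used here for constructed samples)."""
    raw = pubkey + onion_checksum(pubkey) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_v3_onion(host):
    """True only for a well-formed v3 onion name with a correct checksum."""
    label, _, tld = host.lower().rpartition(".")
    if tld != "onion" or len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except (binascii.Error, ValueError):
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == b"\x03" and checksum == onion_checksum(pubkey)


def select_route(endpoints, tor_ready):
    """Return the (host, port) to dial through Tor, or raise RouteBlocked.

    endpoints: list of (host, port) tuples from the release configuration.
    tor_ready: whether the local Tor client reports a usable route.
    """
    if not endpoints:
        raise RouteBlocked("no relay endpoint configured")
    # A single clearnet or mistyped endpoint invalidates the whole config,
    # so there is nothing left to fall back to.
    for host, _port in endpoints:
        if not is_v3_onion(host):
            raise RouteBlocked(f"non-onion endpoint in release config: {host}")
    if not tor_ready:
        raise RouteBlocked("Tor route unavailable")
    return endpoints[0]
```

The checksum test catches mistyped or truncated onion names at configuration time instead of at connect time.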

RELAY OPERATIONAL HARDENING

UNDERWORLD’s relay is designed as a restricted ciphertext relay, not a cloud messaging backend.

The relay model is hardened around:

Ciphertext-only transport.
No plaintext access.
No private key custody.
No cloud identity recovery.
Mailbox-style delivery.
Relay purge controls.
Health checks.
Operational monitoring.
No sensitive logging.
No direct release fallback.
Tor/onion production routing.

The relay must support delivery without becoming the security authority.

SECURE ROOMS MODEL

UNDERWORLD includes secure room communication while preserving restricted-security principles.

Rooms must not weaken the core model.

Room communication must remain encrypted, routed through the protected relay model, and aligned with local identity and metadata-minimization rules.

Rooms are not public social groups.
Rooms are not discovery spaces.
Rooms are not metadata-exposing communities.

They are restricted communication spaces designed under the same security constraints as one-to-one messaging.

VOICE MESSAGE SECURITY

UNDERWORLD supports secure voice notes while keeping the restricted-security posture.

Voice messages are treated as encrypted attachments, not ordinary media uploads.

They follow the same security expectations:

Local preparation.
Encrypted transmission.
No plaintext relay.
No cloud backup.
No notification preview.
No public media exposure.
Protected routing.

Voice convenience must not bypass the cryptographic or routing model.

SECURITY STATUS PANEL

UNDERWORLD includes visible security state indicators so the user can understand the current trust condition.

Status indicators can include:

Tor Routing: Connecting, Connected, or Disconnected.
Relay: Waiting, Connected, or Disconnected.
Encryption: Active with the current encryption state.
App Lock: Active or inactive.
Alarm level: Normal, warning, or critical.

The goal is to avoid silent failure.

A secure app should tell the user when the route is unsafe, the relay is unavailable, or the communication state cannot be trusted.

FAILURE AS PROTECTION

UNDERWORLD treats some failures as successful defense.

If Tor fails, the app should not downgrade.
If authentication fails, the message should not open.
If identity binding fails, the session should not be trusted.
If an attachment is dangerous, it should not be accepted.
If a relay packet is malformed, it should be blocked.
If secure routing is unavailable, the message should not move.

Failure is not always a bug.

In high-risk communication, failure can be the correct security outcome.

ASSURANCE ROADMAP

UNDERWORLD is designed toward high-assurance security practices.

The architecture is compatible with future assurance directions such as:

CNSA 2.0-aligned post-quantum cryptographic direction.
FIPS 140-3-ready cryptographic module boundaries.
Common Criteria / EUCC-style evaluation paths.
Independent security audit.
Responsible disclosure process.
Reproducible release discipline.
Formal threat model documentation.
Protocol documentation.
Relay operation documentation.

These references describe design direction and assurance goals.

They do not imply government certification, military approval, NSA endorsement, NATO approval, FIPS validation, or Common Criteria certification unless explicitly stated.

SECURITY LIMITATIONS

UNDERWORLD is hardened, but no messenger can eliminate every risk.

UNDERWORLD cannot fully protect against:

A device already compromised by advanced malware.
A hostile operating system.
Physical surveillance of the screen.
A recipient who exposes messages.
Screenshots taken with another device.
Coerced disclosure outside the app.
Unsafe destination handling.
Social engineering.
Weak device lock settings.
Compromised keyboards.
Hostile accessibility services.
Malicious firmware.
Direct human betrayal.

UNDERWORLD reduces exposure across encryption, routing, metadata, storage, attachments, and forced-access scenarios.

It does not make unsafe behavior safe.

High-risk users must still use operational discipline.

FINAL SECURITY POSITION

UNDERWORLD is built on a layered security model:

Local cryptographic identity.
X3DH-style session establishment.
Double Ratchet message evolution.
Authenticated encryption.
Post-quantum hybrid defense.
CNSA 2.0-aligned cryptographic direction.
Tor and I2P anonymity-network routing.
Fail-closed delivery.
Zero-knowledge relay design.
No cloud recovery.
No contact upload.
No notification previews.
No social presence leaks.
Decoy relay traffic.
Attachment sanitization.
Active attack alarms.
App lock.
Duress PIN.
Blackout Mode.
Silent Witness.
Release lockdown.
Anti-leak validation.
Onion-only production enforcement.

The security model is not based on asking users to trust the server.

It is based on reducing what the server can know, reducing what the network can see, reducing what the cloud can recover, reducing what metadata can reveal, and blocking communication when the route is no longer safe.

UNDERWORLD follows one rule:

If trust breaks, protection comes first.