Every security system is defined by two lists: what it protects against, and what it does not. A system that publishes only the first list is marketing. A system that publishes both is engineering. The difference is the difference between a promise a vendor expects the user not to test, and a design the user is invited to evaluate against a real threat model.
This article is Zentamesh's second list. Not the capabilities. The limits. What the network protects, what it cannot, and why the honesty about the second category is itself part of the security property.
Message content
End-to-end encryption with per-message forward secrecy and a post-quantum hybrid layer. Content of messages is cryptographically inaccessible to anyone except the intended sender and recipient, during transit and beyond. This guarantee holds against a passive adversary recording the wire, against a compromised validator, against a future adversary with quantum hardware, and against a forced disclosure targeting the network operator — which does not exist in a form that could comply.
Contact graph
Sender identities are sealed, routing addresses are hashes of public keys, and no central directory maps identifiers to humans. A validator cannot reconstruct who is messaging whom from the traffic passing through it. An external observer cannot reconstruct the contact graph by asking the network, because the network does not possess it.
Sealed Sender:
Sender identity is encrypted inside the payload, not written into the routing envelope. Even a fully compromised validator cannot determine who originated a message it forwarded.
Session integrity
Per-message forward secrecy ensures that the compromise of a device at time T does not expose messages sent before T. The Double Ratchet's key erasure is structural, not policy-based: the keys are gone because the code deletes them, and no amount of investigation of the device recovers what does not exist on the device anymore.
Availability
Erasure-coded message storage survives the loss of up to K validators per message. The routing adapts around failed or malicious validators via Q-learning. The LoRa mesh provides fallback connectivity when the internet path is unavailable. Decentralization means no single operator can be compelled to deny service, because the network continues through the other operators.
Identity
Wallet-based identity closes the SIM-swap, support-line social engineering, and directory enumeration attacks that have compromised mainstream messenger accounts at scale. There is no phone number to reassign and no registrar to deceive.
What the network does not protect
Compromised endpoint
If your device is compromised — malware, physical access, a screen recorder, a keylogger — the network cannot protect content that the device itself renders in plaintext. End-to-end encryption ends at the ends. An adversary with full access to either endpoint sees messages as the user sees them. This is not a Zentamesh limit; it is an inherent limit of every encrypted messenger.
Coerced counterpart
The person you are messaging can be pressured, physically or legally, to share the conversation. Their device holds the decrypted messages. Their willingness to keep them private is not a cryptographic property.
Traffic existence
An adversary monitoring your internet connection can observe that you are sending traffic to Zentamesh. The destinations and contents are opaque. The fact of usage is not. For users whose threat model includes mere Zentamesh usage being sensitive, additional layers — a VPN, Tor entry point, or routing through LoRa rather than internet — are recommended.
Traffic Existence vs. Traffic Content:
Zentamesh hides what you say and who you say it to. It does not hide that you are using Zentamesh. No network of any size can make its users indistinguishable from non-users on the wire.
Long-term correlation
A determined adversary observing traffic entering and leaving the network over long periods, with substantial computational resources, may be able to perform traffic-correlation attacks that link pseudonymous identities to real-world identities in edge cases. Onion routing, cover traffic, and padding raise the cost of this attack substantially, but do not reduce it to zero.
Lost keys
If a user loses both their device and their backup passphrase, their identity is unrecoverable. This is not a policy; it is a structural property of self-sovereign identity. The alternative — a recovery mechanism usable by the network operator — would reintroduce the central-authority trust assumption the design exists to eliminate.
OS and hardware attacks
Zentamesh is a network protocol and an application. It does not harden the operating system, the hardware, or the network stack the device runs on. Attacks that subvert the OS — exploited kernels, compromised firmware, malicious hardware implants — are outside the protocol's protective scope.
Underlying assumptions
Every cryptographic guarantee rests on assumptions that deserve explicit statement.
- That the underlying cryptographic primitives — X25519, Kyber-768, Dilithium-3, AES-256-GCM — have no catastrophic breaks beyond currently published cryptanalysis
- That the random number generators on user devices are actually random. A subverted RNG undermines every key generated on that device
- That a majority of the validator set behaves honestly. Consensus-level attacks require controlling more than one-third of stake
- That the open-source code the user is running actually matches the published source. Supply-chain attacks against the distribution channel are a real threat that protocol design alone cannot address
If any of these assumptions fails, the corresponding guarantee weakens. Zentamesh publishes them specifically so users and auditors can evaluate whether the assumptions are warranted in their particular threat context.
Calibrated Trust:
A user who knows exactly what a security system does and does not protect can make accurate decisions. A user who trusts marketing has no calibration at all. Publishing the limits is the only way to produce calibrated users — and calibrated users are the only users who are actually secure.
Why honesty matters
A security system whose marketing describes an infinite set of protections is, in practice, protecting nothing, because the user cannot calibrate what they are trusting. A system that lists its limits lets the user make real decisions: "I am protected against the adversaries I am worried about, and I accept the residual risks I cannot address through this tool alone."
Zentamesh is not a silver bullet against all possible adversaries. It is a carefully constructed defense against the adversaries it was designed for. The honest statement of its scope is the condition under which the defense is credible. Everything else is a story.
Thanks & Best Regards Zentachain Team!
