Ping Under Adversarial Pressure

What Ping defends against, what it does not, and where it stands relative to the field. No overclaims. No marketing.

Adversary Tiers

Every threat model begins with the adversary. Not all attackers are equal.
Ping's defenses are designed to escalate with the threat.

Tier 1 Passive Observer

A curious roommate, a café sniffer, an ISP logging DNS queries, or a relay operator inspecting traffic. They can observe encrypted traffic but cannot compel cooperation from endpoints or infrastructure.

Ping: fully defended

Tier 2 Infrastructure-Level

A compromised relay operator, a hostile CDN, a man-in-the-middle on the network path, or a Telegram infrastructure breach. They control parts of the delivery chain and can modify, delay, or drop traffic. They may attempt to correlate metadata across sessions.

Ping: structurally defended

Tier 3 State-Level / Endpoint Compromise

A nation-state with legal authority to compel cooperation, conduct targeted device exploitation, deploy zero-day attacks against endpoints, or perform global traffic analysis. They can seize hardware, install spyware, or operate at the OS level below the application layer.

Ping: partially defended

Why Tier 3 is partial

No messenger defends against a fully compromised endpoint. If an adversary owns your device, they read what you read. Any product claiming otherwise is lying. Ping's defense at Tier 3 is structural: there is no server to subpoena, no message archive to seize, no metadata store to mine. The attack surface is limited to the endpoints themselves.

What Ping Defends

These are the attack surfaces Ping was explicitly built to neutralize.

Passive Surveillance

All traffic is end-to-end encrypted with ChaCha20-Poly1305. Key exchange via X25519. An observer on the network sees only encrypted Nostr events with no readable content, no participant names, no conversation structure.

Traffic Analysis

Messages are padded to power-of-two bucket sizes (256B → 512KB) before encryption. Sensitive operations are wrapped in privacy envelopes, a second encryption layer that hides both content and operation type. Message length reveals nothing.
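
The bucket padding described above, as an added example that is not Ping's own code. The 4-byte length prefix, the zero-byte fill and the function names are assumptions; only the 256 B to 512 KB power-of-two range comes from the page.

```python
import struct

MIN_BUCKET = 256           # smallest bucket named on the page (256 B)
MAX_BUCKET = 512 * 1024    # largest bucket named on the page (512 KB)
PREFIX = 4                 # assumed framing: 4-byte big-endian length


def bucket_size(payload_len: int) -> int:
    """Smallest power-of-two bucket that holds prefix + payload."""
    needed = payload_len + PREFIX
    if needed > MAX_BUCKET:
        raise ValueError("payload exceeds largest bucket; split it first")
    size = MIN_BUCKET
    while size < needed:
        size *= 2
    return size


def pad(payload: bytes) -> bytes:
    """Frame and zero-pad the plaintext; this runs before encryption."""
    framed = struct.pack(">I", len(payload)) + payload
    return framed.ljust(bucket_size(len(payload)), b"\x00")


def unpad(padded: bytes) -> bytes:
    """Recover the payload after decryption, rejecting malformed padding."""
    if len(padded) < PREFIX:
        raise ValueError("truncated frame")
    (n,) = struct.unpack(">I", padded[:PREFIX])
    if n > MAX_BUCKET - PREFIX or bucket_size(n) != len(padded):
        raise ValueError("length prefix does not match bucket size")
    if any(padded[PREFIX + n:]):
        raise ValueError("non-zero padding bytes")
    return padded[PREFIX:PREFIX + n]


def observed_lengths(messages):
    """Padded plaintext lengths; constant AEAD overhead does not change the buckets."""
    return [len(pad(m)) for m in messages]
```

With this range there are 12 possible sizes on the wire, so an observer learns which bucket a message fell into and nothing finer.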

Metadata Collection

No accounts. No phone numbers. No email. No registration. Identity is a locally-generated secp256k1 keypair. Relays see encrypted blobs with Nostr event metadata but cannot map events to real-world identities or reconstruct conversation graphs.

Server Compromise

There is no server. Ping uses a decentralized multi-relay Nostr architecture. Compromising a relay yields only encrypted events that the relay was never able to read. No message logs. No user database. No keys. Nothing to take.

Forward Secrecy

Sender keys ratchet forward after each message via HMAC-SHA256 chain derivation. Keys rotate every 100 messages or on any membership change. Compromising a current key does not decrypt past messages.
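
A sketch of an HMAC-SHA256 chain ratchet with the 100-message rotation described above, added here as an illustration and not Ping's own code. The derivation labels 0x01 and 0x02, the 32-byte random seed and the names `SenderChain` and `keys_from_state` are assumptions.

```python
import hashlib
import hmac
import os

ROTATE_EVERY = 100  # from the page: keys rotate every 100 messages


def _kdf(chain_key: bytes, label: bytes) -> bytes:
    """One-way step: HMAC-SHA256 keyed with the current chain key."""
    return hmac.new(chain_key, label, hashlib.sha256).digest()


class SenderChain:
    def __init__(self, seed=None):
        self.chain_key = seed or os.urandom(32)  # assumed 32-byte seed
        self.counter = 0   # messages sent in this epoch
        self.epoch = 0     # incremented on every rotation

    def next_message_key(self) -> bytes:
        if self.counter == ROTATE_EVERY:
            self.rotate()
        message_key = _kdf(self.chain_key, b"\x01")     # assumed label
        self.chain_key = _kdf(self.chain_key, b"\x02")  # old key overwritten
        self.counter += 1
        return message_key

    def rotate(self, seed=None):
        """Start an unrelated chain: scheduled rotation or membership change."""
        self.chain_key = seed or os.urandom(32)
        self.counter = 0
        self.epoch += 1


def keys_from_state(chain_key: bytes, count: int):
    """Message keys derivable from a captured chain key: forward only."""
    keys = []
    for _ in range(count):
        keys.append(_kdf(chain_key, b"\x01"))
        chain_key = _kdf(chain_key, b"\x02")
    return keys
```

`keys_from_state` shows the scope of a key compromise: a captured chain key yields the remaining keys of the current epoch, never earlier ones, and nothing after the next rotation.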

Legal Compulsion

A subpoena to Ping returns nothing. There is no message store, no user directory, no metadata log. The architecture is not resistant to legal requests by policy, it is resistant by the absence of data. You cannot hand over what does not exist.

Honest Limitations

No system is invulnerable. Acknowledging limitations is not weakness, it is precision.
These are the attack surfaces Ping does not fully address.

Out of Scope

  • If malware or spyware controls the device, it reads what the user reads. This is true of every messenger, including Signal. Ping cannot defend below the OS layer.
  • Once a message is decrypted and rendered on screen, a camera or screenshot captures it. Ping includes ephemeral messaging to reduce exposure but cannot prevent physical observation.
  • Physical coercion to extract PINs or biometric access is outside the scope of software.
  • A state-level adversary observing all Nostr relays simultaneously could theoretically correlate timing patterns. Ping's multi-relay broadcast and padding make this harder but not impossible against a sufficiently resourced attacker.
  • Sharing room codes on public channels, screenshots posted to social media, or running Ping on a rooted device with debug access. No architecture survives its operator.

The Landscape

Compared through threat categories, not feature checklists. This is not a sales pitch.
Every product in this table has made meaningful contributions to private communication.

| Threat Category | Signal | Session | Briar | Ping |
|---|---|---|---|---|
| End-to-end encryption | Yes | Yes | Yes | Yes |
| No phone / email required | No | Yes | Yes | Yes |
| Decentralized infrastructure | No | Partial | Yes | Yes |
| No server-side message store | Queued | Swarm TTL | Yes | Yes |
| Metadata resistance | Sealed sender | Onion routing | Tor-based | Multi-relay, padded |
| Traffic analysis resistance | Block padding | Partial | Tor timing | Bucket padding |
| Forward secrecy | Double Ratchet | Session protocol | Bramble | Chain ratchet |
| Survives server seizure | Centralized | Swarm nodes | No server | No server |
| Subpoena yields data | Limited metadata | Minimal | Nothing | Nothing |
| Cross-platform | Yes | Yes | Android only | Yes |

Data at Rest

Where messages live, who can access them, and what a breach actually yields.

| Data at Rest | Signal | Session | Briar | Ping |
|---|---|---|---|---|
| Messages stored on server | Never. Store-and-forward, deletes after delivery | Never. Decentralized swarm, deleted after retrieval | Never. P2P, no server | Never. Relays see only encrypted blobs, no storage by design |
| Messages stored on device | Yes. Full history persisted | Yes. Persisted on device | Yes. Persisted on device | No. Ephemeral by default |
| Cloud backup exposure | Optional. Encrypted backup to Signal servers or local file | None | None | None |
| Data available to compromise | High. Full conversation archive on device | Moderate. Device archive exists | Moderate. Device archive exists | Near zero. Messages exist only in memory during active session |
| Forward secrecy relevance | Critical. Archive must be protected against key compromise | Relevant. Device seizure is the threat | Relevant | Low. Nothing to retroactively decrypt |

Signal's approach to the archive problem is: build a more sophisticated lock. Double Ratchet. Per-message key derivation. Cryptographic machinery of extraordinary elegance. It works. It's brilliant engineering. And it's necessary because Signal chose to persist messages.

Ping's approach to the archive problem is: don't build the room the lock would go on.

This is KISS applied to the deepest layer of the security model. The simplest defense against retroactive decryption is the nonexistence of the ciphertext. The simplest defense against archive compromise is the nonexistence of the archive. The simplest defense against backup subpoena is the nonexistence of the backup.

Every other messenger, including the privacy-focused ones, creates data and then builds defenses around it. Ping's primary defense is the absence of the data itself. The encryption (ChaCha20-Poly1305, X25519, HKDF) protects messages in transit. The ephemeral design ensures there's nothing to protect at rest.

This isn't a compromise. It's a fundamentally different security model. And it's arguably more robust against real-world attack patterns than forward secrecy, because real-world attacks don't target key derivation chains. They target cloud backups, device databases, server archives, and legal compulsion. Ping has zero exposure on all four vectors.

The Ping Position

Ping does not claim to be the most secure messenger ever built.
It claims to be honest about its architecture and uncompromising in its defaults.

🔒 Architectural Guarantees

  • No server to subpoena, compromise, or seize
  • No user database to breach or correlate
  • No message archive to mine, decrypt, or hand over
  • No registration data linking identity to a person
  • No unencrypted data leaves the device, ever
  • No metadata log that reconstructs who talked to whom
  • Largest anonymity set (950M Telegram users)
  • Zero behavioral fingerprint
  • Decentralized transport, no single point of shutdown or surveillance
  • Message padding to uniform size
  • No phone number required, no contact upload, no social graph exposure
  • Zero-knowledge architecture

For a deeper look at the encryption architecture, see the Overview. For the philosophy behind Ping's entropy model, read the Entropy Thesis.

Complexity is not a feature.
It is a fingerprint waiting to be read.
