the trust problem

Your messages are encrypted.
Everything else isn’t.

End-to-end encryption protects what you say. It doesn’t protect who you say it to, when, how often, or how long the conversation lasted. The rest of the picture stays in plain sight on a server.

even with end-to-end encryption

They can’t read the messages.
They don’t need to.

Encryption hides bodies. The routing log records who, when, how often, and how long. That log is enough to reconstruct most of a life.

the operator’s view

The server can end your account.

The company that runs the server can disable your account at will. Your conversations — every one — stop being yours. There is no appeal you can file from inside the app.

what runs on the server

You trust the binaries the server runs. You can’t see them.

Whatever runs on the server, runs on you. The source isn’t bound to the runtime; the audits aren’t reproducible. Each deploy is a renewed act of faith.

trust required, today

You already trust this many parties. By default.

the messenger’s company
the messenger’s CEO and counsel
every engineer with deploy access
the messenger’s hosting provider
every admin of every group you’re in
the certificate authorities pinned in your phone
the operating-system vendor
whatever subpoena lands in any of the above

Encryption was supposed to remove some of these. It didn’t.

the bridge

How the math actually replaces the trust.

Three engineering choices do the work. None of them are exotic. All of them are running in production cryptography somewhere already.

01 · Zero-knowledge group membership

A public registry without public identities.

A sender proves “I am a member of this group” on chain without revealing which member. The Soroban contract verifies the proof; everyone else — relayer, validators, passive observers — only sees that some member acted.

It does not hide that an action happened, or which group it happened in.

02 · Relayer-pays transactions

You transact without a funded account.

A relayer submits your signed Stellar transaction and pays the fee. There is no bank, no on-ramp, no funded account tying you to a real-world identity.

The relayer sees ciphertext and connection metadata. It cannot read messages, impersonate you, or rewrite group state — and you can switch it.

03 · On-device identity

No account anyone can disable.

Twelve BIP-39 words generated on your phone. Keys, contacts, and history live there. There is no “Onym account” for anyone to suspend, hand over, or delete.

If your phone is compromised, none of this helps. Endpoints are still endpoints.

onym’s answer

Remove the operator.
Make the shared state public.

No company in the loop. No operator console with kill-switch authority. Every layer open source and reproducible from source — no opaque server-side logic in the trust path. Group state lives on a public smart contract; messages travel over relays you can swap; identity stays on your device.

Onym defends against an operator who would disable your account, a passive on-chain observer, and a malicious group member exceeding their role. It does not defend against a global passive surveiller, a compromised device, or a screenshot. The full list is the threat model.