Ping-Pong Wake Protocol

Core Delivery Mode for High-Security Profile

Secure Legion's stateless, serverless delivery handshake that ensures messages are only delivered when you are physically present and have unlocked your device.

1. Purpose

The Ping-Pong Wake Protocol is Secure Legion's stateless, serverless delivery handshake.

It solves one brutal requirement:

"Do not deliver a message to my device unless I am physically present and have unlocked it."

This guarantees:

No centralized queue.
No metadata about communication partners.
No auto-delivery to seized/compromised devices.

Ping-Pong is the high-security mode of Secure Legion. Other users can still use the asynchronous encrypted relay mode for convenience.

2. Roles

Sender (S): Creates and encrypts the message.
Receiver (R): Authenticates and retrieves the message.

No permanent servers or relays are required. Relays can act only as optional transport layers for wake tokens, never as message custodians.

3. Cryptographic Material

Each Secure Legion identity includes:

Identity Key (Ed25519): Long-term signing key for authenticity.
Wake Key (Ed25519/X25519): Used for ping/pong wake encryption.
Session/Chat Keys: Ephemeral keys for message encryption (Double Ratchet-style).
Queue Encryption Key: Protects locally queued messages.

All private keys are stored in hardware security modules (StrongBox / Secure Enclave).

4. Lifecycle Overview

Sender creates message M.
M is encrypted → ciphertext C.
C stored locally (encrypted queue).
Sender emits encrypted Ping Token to Receiver.
Receiver wakes, authenticates, sends Pong.
Sender transmits ciphertext C → Receiver.
Receiver decrypts and displays; C is deleted.

5. Sender Behavior

Message Preparation

Encrypt plaintext M → ciphertext C.
Store C locally (per-contact encrypted queue).

Ping Creation

Create token: {nonce, message_ref, timestamp}
Encrypt with Receiver's Wake Key → PingEnc.
Sign with Identity Key.

Ping Transport

Ping can be transmitted through:

Direct socket (online peer)
Tor onion route
Encrypted UnifiedPush / ntfy channel

Relays only move opaque encrypted tokens, not metadata.

6. Receiver Behavior

Wake & Authentication

Receiver decrypts PingEnc via Wake Key.
User authentication (PIN, biometric) required before generating Pong.
Prevents message delivery to seized/locked device.

Pong Response

Receiver constructs Pong:

Includes original nonce, signature, ephemeral address.
Sends encrypted Pong back to Sender.

7. Secure Transfer After Pong

Sender verifies Pong and matches to queued message ID.
Sender transmits ciphertext C over secure channel.
Sender deletes C.
Receiver decrypts in memory.
For view-once messages, keys and plaintext are erased instantly.

8. Key Advantages

Device-Gated Delivery

Messages can't arrive without verified user presence.

Zero Metadata Exposure

Relays only see opaque, fixed-length encrypted blobs.

Configurable Privacy Profiles

Users can choose Ping-Pong (real-time, high-security) or Async Relay (convenience mode with encrypted time-limited storage).

9. Storage Model

Component	Stored Where	Notes
Ciphertext	Sender Device	Encrypted, TTL-based
Wake Tokens	Transport	Opaque, fixed-size
Private Keys	Hardware Enclave	Non-exportable

10. Failures & Timeouts

Each queued message has:

TTL: 7 days (example)
Retry Limit: 5–10 attempts
Auto-cleanup: Deletes expired undelivered ciphertexts.

11. Duress PIN Integration

When a duress PIN is entered:

Device wipes local private keys.
Broadcasts signed revocation event.
Senders delete queued messages for that identity.

12. Patentable Novelty

Two-phase authenticated wake handshake (Ping → Pong).

Biometric/PIN-gated message release.

Serverless metadata-free wake transport.

Duress-triggered cryptographic revocation.

Summary

The Ping-Pong Wake Protocol gives users direct control over when and how encrypted messages are delivered.

No central servers, no metadata leaks, and no unintended deliveries — fulfilling Secure Legion's promise:

No servers. No metadata. No compromises.