We assume attackers:

• can access server memory
• can steal backups
• can intercept network traffic
• can compromise a device
• can observe user behavior partially
• cannot break modern cryptography
• cannot simultaneously compromise:
  • Control Key
  • Master Key
  • Recovery Scheme participants

We protect against:

• plaintext exposure
• unauthorized reading
• unauthorized writes
• identity hijacking
• key cloning
• rollback attacks
• data/linkability leaks