System

Threat model & defenses

Who Privex is built to defeat — honestly. Green is blocked by the architecture; amber is degraded with a documented residual risk. No over-claiming.

Every attack below hits a wall, not a single guard. To break Privex you’d have to defeat several independent defenses at once — and breaking one leaves the others standing. Some threats (like malware already on your unlocked phone) can’t be fully solved by any app; those are marked honestly.

Defense-in-depth validated against the codebase. The model assumes each layer can fail independently and relies on overlap rather than perfection. Content confidentiality is the strongest guarantee; timing/metadata is degraded, not eliminated, until the Phase-2 Nym layer lands.

The seven adversaries

#AdversaryOutcome
1ISP / DNS / Wi-Fi eavesdropper degraded Sees encrypted traffic; today can tell you connect to Privex (Nym hides this in Phase 2).DoH + cover traffic; Phase 1 exposes connection to the API. Phase 2: Nym mixnet route.
2Active network MITM blocked Can’t read, change, or replay a message undetected.TLS 1.3 + HKDF auth tags + KT log detect tampering.
3Compromised server (hack / insider / coercion) blocked Full database access yields nothing usable.Client-side encryption + Sealed Sender + no PII + UNLOGGED tables.
4Nation-state legal order (Iceland) blocked Even a valid court order gets nothing, because nothing exists to hand over.No identities, content, social graph, or IPs on the server; warrant canary.
5VPS host — physical access, RAM dump blocked Sees relay IPs, encrypted blobs, and code-names only.dm-crypt at rest · UNLOGGED · RAM-only Redis · traffic arrives from relays.
6Future quantum computer blocked Can’t retroactively decrypt captured traffic.Hybrid Kyber1024 + Dilithium3 on every session from day one.
7Root malware on your device partial Keys stay non-exportable, but on-screen text is readable — no app can fully fix this.SE/Keystore non-exportable keys; in-memory plaintext is out of scope.

Attack ↔ defense matrix

Each attack collides with defenses covered elsewhere in this wiki. No single bypass breaks more than one shield.

Sybil flood

Register millions of fake accounts.

→ Proof of Work

Every account costs a puzzle that hardens with the crowd.

Hybrid PoW (SHA + Argon2id), difficulty from aggregate pressure, no per-IP state.

User enumeration

Probe ids to map the userbase.

→ PoW-gated fetch

Every lookup costs a puzzle too.

Bundle / KT / OPAQUE-init are PoW-gated + 30/60s per-target cap.

Offline password crack

Steal the DB and guess passwords forever.

→ OPAQUE

The server never saw the password — there’s nothing to guess against.

OPRF record only; no password-derived value; opt-in, hard-deleted on disable.

Key substitution

Swap a friend’s public key.

→ Key Transparency

Every key is in a public receipt book; a swap is caught or refused.

Client-verified Merkle inclusion against a pinned, signed root.

Sender spoofing

Forge a message from someone else.

→ Dual signatures

Every sender note carries two unforgeable signatures.

Sender cert is Ed25519 + Dilithium3 dual-signed; recipient verifies both.

Legal compulsion

Demand logs, history, or identities.

→ Nothing to give

There are no logs, no history, and no identities to produce.

No PII, no IP logs, UNLOGGED transient state, Iceland jurisdiction, warrant canary.

Traffic analysis

Watch the wire to infer who talks to whom.

→ Sealed + cover traffic

Real notes are mixed with identical fakes; the sender is sealed inside.

Sealed Sender + 1024-byte padding + Poisson cover traffic; Nym mixnet in Phase 2.

Server seizure

Walk off with the hardware.

→ Minimal retention

The drawers hold sealed envelopes and a public phone book — nothing else.

UNLOGGED + RAM-only Redis + no PII; encrypted at rest; see the Seizure model.

Harvest-now, decrypt-later

Record traffic for a future quantum computer.

→ Hybrid PQC

The recorded traffic is already quantum-safe.

Kyber1024 + Dilithium3 on every session; recording buys nothing.

Not goals Privex does not protect against voluntary sharing, physical coercion of the user, or a malicious recipient who already holds the decrypted messages.