System
Threat model & defenses
Who Privex is built to defeat — honestly. Green is blocked by the architecture; amber is degraded with a documented residual risk. No over-claiming.
Every attack below hits a wall, not a single guard. To break Privex you’d have to defeat several independent defenses at once — and breaking one leaves the others standing. Some threats (like malware already on your unlocked phone) can’t be fully solved by any app; those are marked honestly.
Defense-in-depth validated against the codebase. The model assumes each layer can fail independently and relies on overlap rather than perfection. Content confidentiality is the strongest guarantee; timing/metadata is degraded, not eliminated, until the Phase-2 Nym layer lands.
The seven adversaries
| # | Adversary | Outcome |
|---|---|---|
| 1 | ISP / DNS / Wi-Fi eavesdropper | degraded Sees encrypted traffic; today can tell you connect to Privex (Nym hides this in Phase 2).DoH + cover traffic; Phase 1 exposes connection to the API. Phase 2: Nym mixnet route. |
| 2 | Active network MITM | blocked Can’t read, change, or replay a message undetected.TLS 1.3 + HKDF auth tags + KT log detect tampering. |
| 3 | Compromised server (hack / insider / coercion) | blocked Full database access yields nothing usable.Client-side encryption + Sealed Sender + no PII + UNLOGGED tables. |
| 4 | Nation-state legal order (Iceland) | blocked Even a valid court order gets nothing, because nothing exists to hand over.No identities, content, social graph, or IPs on the server; warrant canary. |
| 5 | VPS host — physical access, RAM dump | blocked Sees relay IPs, encrypted blobs, and code-names only.dm-crypt at rest · UNLOGGED · RAM-only Redis · traffic arrives from relays. |
| 6 | Future quantum computer | blocked Can’t retroactively decrypt captured traffic.Hybrid Kyber1024 + Dilithium3 on every session from day one. |
| 7 | Root malware on your device | partial Keys stay non-exportable, but on-screen text is readable — no app can fully fix this.SE/Keystore non-exportable keys; in-memory plaintext is out of scope. |
Attack ↔ defense matrix
Each attack collides with defenses covered elsewhere in this wiki. No single bypass breaks more than one shield.
Register millions of fake accounts.
Every account costs a puzzle that hardens with the crowd.
Hybrid PoW (SHA + Argon2id), difficulty from aggregate pressure, no per-IP state.
Probe ids to map the userbase.
Every lookup costs a puzzle too.
Bundle / KT / OPAQUE-init are PoW-gated + 30/60s per-target cap.
Steal the DB and guess passwords forever.
The server never saw the password — there’s nothing to guess against.
OPRF record only; no password-derived value; opt-in, hard-deleted on disable.
Swap a friend’s public key.
Every key is in a public receipt book; a swap is caught or refused.
Client-verified Merkle inclusion against a pinned, signed root.
Forge a message from someone else.
Every sender note carries two unforgeable signatures.
Sender cert is Ed25519 + Dilithium3 dual-signed; recipient verifies both.
Demand logs, history, or identities.
There are no logs, no history, and no identities to produce.
No PII, no IP logs, UNLOGGED transient state, Iceland jurisdiction, warrant canary.
Watch the wire to infer who talks to whom.
Real notes are mixed with identical fakes; the sender is sealed inside.
Sealed Sender + 1024-byte padding + Poisson cover traffic; Nym mixnet in Phase 2.
Walk off with the hardware.
The drawers hold sealed envelopes and a public phone book — nothing else.
UNLOGGED + RAM-only Redis + no PII; encrypted at rest; see the Seizure model.
Record traffic for a future quantum computer.
The recorded traffic is already quantum-safe.
Kyber1024 + Dilithium3 on every session; recording buys nothing.