Decision
Privacy is treated as an accountability-first design: probes are public, on-chain channels enable disputes, gossip enables discovery. Most privacy surfaces are accepted as inherent. Five concrete mitigations are specified below; deeper techniques (dummy probes, channel mixing) are future work.
Adversary model (four tiers)
| Tier | Example adversary | What they can observe |
|---|---|---|
| Passive observer | On-path network middlebox | QUIC metadata (IPs, SNI unless ECH is deployed), timing, volume |
| Active participant | Malicious node or client | Probes, gossip, NodeAnnounce frequency, payment channel open/close |
| Infrastructure operator | L2 RPC provider, relay host | On-chain events at read time; relay endpoints see encrypted QUIC flows |
| Compromised endpoint | Malicious app server or backend | Plaintext bytes, client subscription identity |
Privacy surfaces (23 catalogued)
The full ADR inventories 23 distinct surfaces with explicit dispositions (accept or mitigate). Highlights:
- P-22 — on-chain settlement volume leakage. Anyone can read channel open/close amounts on-chain. Accepted: disputes require public channel state.
- P-23 — `slash_sig` as non-repudiable content inventory proof. A node that signed `slash_sig` on a `ProbeResponse` has provably committed to serving that hash. Accepted: the same signature is what enables on-chain accountability.
- Probe traffic. Who probes what is visible to the probed node. Accepted: selection depends on probing; fully private probing would require PIR at O(log N) blow-up.
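P-23 rests on one property: anyone holding the node's public key can verify the signature, so the node cannot later deny the commitment, and the same check is what an on-chain dispute would run. The Go program below is an added example, not code from the ADR or the project. Ed25519 from the standard library stands in for the nodes' actual signature scheme (the page names Ethereum keys for clients but does not fix the node key type); the `ProbeResponse` field layout, the domain tag and the derivation of `NodeID` from the public key are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ProbeResponse is a constructed stand-in for the wire message; the page does
// not give the real field layout. SlashSig covers every other field.
type ProbeResponse struct {
	NodeID      [32]byte // identity of the responding node
	ContentHash [32]byte // hash the node claims to serve
	Epoch       uint64   // when the claim was made
	SlashSig    []byte
}

// NewNodeKey generates a node signing key. Ed25519 is an assumed stand-in for
// whatever key type nodes really use.
func NewNodeKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// slashDigest canonicalises the committed fields: an assumed domain tag plus
// fixed-width encodings, so no two field layouts share a digest.
func slashDigest(r *ProbeResponse) []byte {
	h := sha256.New()
	h.Write([]byte("ProbeResponse/slash_sig/v0"))
	h.Write(r.NodeID[:])
	h.Write(r.ContentHash[:])
	var e [8]byte
	binary.BigEndian.PutUint64(e[:], r.Epoch)
	h.Write(e[:])
	return h.Sum(nil)
}

// SignProbeResponse runs on the probed node and is the irreversible step: once
// the signature leaves the node, anyone can prove what it committed to.
func SignProbeResponse(priv ed25519.PrivateKey, r *ProbeResponse) {
	r.SlashSig = ed25519.Sign(priv, slashDigest(r))
}

// VerifySlashSig runs on the prober, in a dispute, or in a contract. It needs
// only the public key, which is what makes the commitment non-repudiable and
// also what makes it an inventory leak: the two are the same fact.
func VerifySlashSig(pub ed25519.PublicKey, r *ProbeResponse) bool {
	return len(pub) == ed25519.PublicKeySize &&
		len(r.SlashSig) == ed25519.SignatureSize &&
		ed25519.Verify(pub, slashDigest(r), r.SlashSig)
}

func main() {
	pub, priv, err := NewNodeKey()
	if err != nil {
		panic(err)
	}
	// Constructed response: a node claiming to serve the hash of "some blob".
	r := &ProbeResponse{ContentHash: sha256.Sum256([]byte("some blob")), Epoch: 42}
	copy(r.NodeID[:], pub) // assumed: NodeID is derived from the public key
	SignProbeResponse(priv, r)
	fmt.Println("genuine:", VerifySlashSig(pub, r))
	forged := *r
	forged.ContentHash[0] ^= 1 // reuse the signature to claim a different hash
	fmt.Println("altered hash:", VerifySlashSig(pub, &forged))
}
```

The altered copy still carries the original `SlashSig`; it fails because the digest no longer matches, which is exactly why the signature cannot be repurposed for another hash and why a third party needs no cooperation from the node to prove the original claim.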
Mitigations
- Client NodeId rotation. Clients rotate NodeIds on session boundaries to break linkability across subscription sessions.
- `popular_hashes` capped at 5. Advertising at most five hashes per node lowers the precision of per-node content fingerprinting.
- Client key encryption via platform keychain. Clients store Ethereum keys in macOS Keychain, Windows Credential Manager, or GNOME Keyring — not plaintext files.
- Multi-source RPC. Clients and nodes use multiple independent RPC providers to reduce single-vendor deanonymization surface.
- Epoch key forward secrecy. Epoch keys are ephemeral and rotate every 5 minutes, so a compromised epoch key cannot decrypt envelopes from past epochs. The property holds only because expired keys are discarded at rotation; a node that retained old keys would void it.
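The epoch-key mitigation delivers forward secrecy only if the expired key is actually gone. The Go program below is an added example, not the project's code: a keyring that holds a single epoch key, rotates on the 5-minute boundary, overwrites the previous key, and refuses envelopes from earlier epochs, so that even a copy of the current key taken from memory opens nothing sealed before the last rotation. AES-256-GCM, the envelope layout and the epoch numbering are assumptions, and how peers agree on the epoch key is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

const EpochLen = 5 * time.Minute // rotation interval given on the page
var ErrExpiredEpoch = errors.New("epoch key no longer held")

// EpochOf maps a wall-clock time to its epoch number.
func EpochOf(t time.Time) uint64 { return uint64(t.Unix()) / uint64(EpochLen/time.Second) }

// Envelope is a constructed wire format: epoch number, GCM nonce, ciphertext.
type Envelope struct {
	Epoch      uint64
	Nonce      []byte
	Ciphertext []byte
}

// EpochKeyring holds exactly one key, the current epoch's; not retaining earlier keys is what forward secrecy rests on.
type EpochKeyring struct {
	epoch uint64
	key   []byte // 32-byte AES-256-GCM key (assumed cipher)
}

// NewEpochKeyring starts from an impossible epoch so the first Rotate issues a key.
func NewEpochKeyring(now time.Time) (*EpochKeyring, error) {
	r := &EpochKeyring{epoch: EpochOf(now) - 1}
	return r, r.Rotate(now)
}

// Rotate installs a fresh random key once the epoch advances and overwrites the old one (best effort; Go gives no zeroisation guarantee).
func (r *EpochKeyring) Rotate(now time.Time) error {
	e := EpochOf(now)
	if e == r.epoch {
		return nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	for i := range r.key {
		r.key[i] = 0
	}
	r.key, r.epoch = k, e
	return nil
}

// epochAD binds the epoch number as GCM additional data so an envelope cannot be relabelled into another epoch.
func epochAD(e uint64) []byte { return binary.BigEndian.AppendUint64(nil, e) }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal rotates if the epoch has advanced, then encrypts under the current key.
func (r *EpochKeyring) Seal(now time.Time, plaintext []byte) (*Envelope, error) {
	if err := r.Rotate(now); err != nil {
		return nil, err
	}
	g, err := gcm(r.key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, nonce, plaintext, epochAD(r.epoch))
	return &Envelope{Epoch: r.epoch, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts only current-epoch envelopes; older ones are unrecoverable by design, even for the legitimate holder.
func (r *EpochKeyring) Open(env *Envelope) ([]byte, error) {
	if env.Epoch != r.epoch {
		return nil, ErrExpiredEpoch
	}
	return OpenWithKey(r.key, env)
}

// CurrentKey models what a memory compromise yields: the one key held right now.
func (r *EpochKeyring) CurrentKey() []byte { return append([]byte(nil), r.key...) }

// OpenWithKey is raw AES-GCM with an arbitrary key: the attacker's path with a stolen key.
func OpenWithKey(key []byte, env *Envelope) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Ciphertext, epochAD(env.Epoch))
}
```

Because `Open` consults only the key currently held, the legitimate holder loses access to past envelopes at the same moment an attacker would; that is the cost "ephemeral" implies. Anything that must survive a rotation has to be re-sealed under the new key before the old one is overwritten.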
Future work
- Dummy probes. Inject cover-traffic probes to obscure real content interest. Unresolved cost/benefit.
- Payment channel mixing. Route settlements through a mixing contract. Regulatory complexity.
Scope clarifications
- Content plaintext is a content-provider concern. If sensitivity requires it, use end-to-end encryption.
- Client IP addresses are visible to peers. Tor-style relaying is out of scope — adding a layer of indirection conflicts with the pay-per-byte accountability model.