Oxen Privacy Model

I’m kinda interested in your take on Session (which is currently using Oxen) and their privacy model and it’s trade-offs with things like Lokinet. Is it like you mentioned in your recent interview with BlockChat that while it has relative “decentralization” with it’s contracts but actually just stores most of it’s data in an S3 bucket?

They seem to have been attempting a similar model to Q with their Lokinet sites and whatnot, but from what I can determine they seem to have issues with funding/running their own network given their switch to trying to rebuild on Arbitrum. A case of investors selling them out?

I’m not fully familiar with how Oxen stores the data, a brief glance shows it appears to be retained on network for a given TTL value, unless both parties are online in which case the data is transient. This approach isn’t unlike Q – we too follow an approach with transient data, TTL-defined data, and permanent data, but the distinction, and very important ones are that:

• it inherits a lot of Monero’s technical debts in architecture (notably, comparing the codebases shows where they’ve explicitly had to begrudgingly work around some of that)
• employs onion routing directly in the network permissionlessly (sort of) via nodes that have staked via PoS, which is highly vulnerable to analytic attacks by state actors (this is why Tor finds themselves kicking out large chunks of the network on occasion when they’re uncovered), but does not appear to (I could be wrong, please correct me if so!) have a defense-in-depth approach to compose this routing with a mixnet that at least preserves k-anonymity of the mixed set.

Going to take a guess since I don’t have time to deep dive, but it appears Session splits group chats into two categories: public (anyone can read) and private (but only up to 100 members). This limit is usually a sign that a n-1 (i.e. pairwise) message encryption technique like Double-Ratchet is being used because the overhead becomes too high for both clients and servers.

Completely out of the loop on their rebuilding on Arbitrum. Do you have more info on this? I don’t like to make judgment calls about bootstrapping off of other protocols like “selling out” because there may be a valid reason they chose to do something, and I know nothing of their corporate structure (if any) or investors.

Per their FAQ on their site:

Why are they using Arbitrum

The Session Token is launching on Arbitrum One, a leading Ethereum Layer 2 scaling solution, for its proven performance, reliability, and security. Creating the cryptographic-ally secure Session Node registration and reward system directly on the Ethereum network would be prohibitively expensive. Arbitrum’s drastically reduced gas fees allow the implementation of the Session Network’s staking logic on an Ethereum-backed blockchain with much lower costs. Supported by a grant from the Arbitrum Foundation, Session should contribute significantly to Arbirum’s success in the future as one of the largest decentralised applications on its network.

How they explain their network

The Session Network is a decentralized physical infrastructure network (DePIN) made up of community-operated nodes, called Session Nodes). This DePIN infrastructure enables application functionality and scalability through the routing and storage of data (like messages). Currently, there are approximately 2,000 nodes providing services to Session via the Oxen Network. These nodes will undergo a migration from the Oxen Network to the new Session Network.

Session Protocol Details

Peer-to-Peer (from their white paper)

This description covers the functions of the Session Protocol required for one-on-one chats. The function of the protocol for groups and communities is covered in sections 5.4.1 and 5.4.2 respectively.

To construct and send a valid message in a one-on-one chat using the Session Protocol, the sender first creates a message M containing a number of data fields, including the plaintext message, and the senders Ed25519 public key. M is then serialised and padded to the next 160 byte multiple to prevent extraction of the exact message size. M can now be signed given the sender’s Ed25519 private key using the Ed25519 signature scheme. Once signed, the sender’s Ed25519 public key and the signature are then appended to M.

After signing the message M, the sender generates an ephemeral X25519 key pair. This key pair, alongside the recipient’s X25519 key pair, is used to generate a shared symmetric encryption key. The message M is then encrypted with this shared symmetric key using the XSalsa20-Poly1305 algorithm. This encrypted blob can now be packed into a message, which contains necessary metadata specifying the recipients X25519 public key and the ephemeral X25519 public key. Though both Ed25519 and X25519 keys are used, only one private key is required; the X25519 keys are derived from the recipient’s Ed25519 keys.

The usage of both Ed25519 and X25519 keys in this process may create some confusion. The public X25519 key is derived from the sender’s Ed25519 key pair; this public X25519 key represents the user’s Account ID. Historically this was done to maintain compatibility with the Signal Protocol which also uses X25519 keys in this way.

Once a message has been generated and packed it will be sent to the recipient’s swarm via an onion request specifying the expiry time and timestamp of the message. The recipient will authenticate retrieval of the message and reverse the process, decrypting, determining, and authenticating the sender of the message as it does so.

Groups & Communities

One way to improve scalability in group chats is to adopt a shared encryption key for all group members. This key would be shared in a pairwise message to members joining the group. When a
member leaves or is expelled, the administrator creates a new shared encryption key, re-encrypts it, and sends it to the remaining N − 1 members, effectively rotating the key to prevent former members from accessing new messages. In this system, messages only need to be encrypted once
for the group in most scenarios.

This scheme is effective in small to medium-sized group chats where the membership set changes infrequently. However, it can be impractical in larger groups where users frequently leave (or are otherwise removed from) the chat.

With the above considerations in mind, the Session Protocol defines two different designs for the encryption and scaling of group chats. Which design is appropriate depends on the intended size and use of the group and is chosen when the group is created. ‘Groups’ support communication among 3 to 100 participants. Participant sizes beyond 100 require the use of ‘communities’. However, it should be noted that ‘communities’ can also accommodate participant sizes fewer than 100.

Groups (3-100)

Users encrypt and decrypt messages for the group using the established group encryption symmetric key, messages are encrypted using the XChaCha20-Poly1305 algorithm.

Community

Authentication to the Session Community Server is similar to authentication in one-on-one conversations, with one main difference. Instead of each user using their long-term Session private key pair to sign messages, they use a deterministic derived key. This ensures users do not leak their real Account ID to large communities, as this could be a vector for spammers to collect users’ Account IDs.

Not sure about their investors, just read a rant about people not liking the switch to Arb (yet another migration from one network to the next) the other day.

Oxen → Arbitrum
I see. This makes some sense – raw UTXO style models don’t really directly enable much in the way of DePIN without some performance pains or essentially L2’ing off of it, so I can understand why they made the move given they want to focus singularly on Session and not the broader DePIN eco. They also stated they got an Arbitrum grant, I’ll leave that fact alone without stated observation.

Notes on their use of Encryption

• No repudiability – Their message design utilizes signatures of known identities, which may be a desired condition, but consequentially is far more binding in nature than messages in Signal – the Double-Ratchet protocol was designed explicitly with the idea in mind that either party could forge messages on behalf of the other (or if an attacker obtained control of a device), essentially increasing room for reasonable doubt of the provenance of messages, while in realtime leaving both parties assured of authenticity by temporal awareness.
• Message Ordering – I’d have to see more about how the actual message structure works here, because it seems there is no assurance of ordering of messages, and messages may drop. Not necessarily a serious problem, but one that can annoy users and can be a problem for users that wish to extend further from it.
• Linkability – the onion routing structure alone (and especially given its permissionless state and no mixnet involvement) is insufficient to safeguard the links of individual senders. Given either broad surveillance of all nodes (passive) or even participating as nodes (also passive, but directly in the middle), timing analysis could very easily link pairs of identities conversing.
• Group Encryption – this is just a simple singular encryption key. It appears the key is rotated on addition/removal of members, but could lead to interesting conditions if they are not accounting for the possibility that the rotation could give some users different key material and bifurcate the conversation, not sure how they’re jointly establishing a key here.
• No PFS – from the above information alone (there may be more details that contest this), it does not appear this provides perfect forward secrecy – a compromised key can allow a passive adversary the ability to decrypt historic and future messages.

In Comparison

Triple-Ratchet was designed to solve the room size (N-1 broadcast key rotation) problem, retain PFS and repudiability properties of Double-Ratchet (with optional sender authentication). The linkability of identities is obfuscated by onion routing in the same way, but is safeguarded against passive and active adversaries with RPM to provide unforgeable permutations of outbound sets under k-anonymity.

I intentionally split out those two particular implementations as MIT licensed libraries so other projects that may need them can use them for their own purposes. It may be helpful for them.