Tessera Threat Model

A threat model says what you are protecting, from whom, and under what assumptions. This page enumerates the adversaries Tessera considers, the security property each is defended by, the formal basis for that defence, the cryptographic assumptions the whole edifice rests on, and — just as importantly — what Tessera does not protect.

What a threat model is, and why it matters

Security is not a scalar; it is a set of guarantees against a set of adversaries under a set of assumptions. A protocol that is “secure” without naming its threat model is underspecified. For architects evaluating Tessera, the relevant questions are: which adversaries does it defend against, which does it not, and what must be true about the deployment environment for the guarantees to hold? This page answers each in turn.

Adversaries

| Adversary | What they see | Defence | Scope |
|---|---|---|---|
| Malicious sender (impersonation) | Public parameters, recipient’s Y | Schnorr EUF-CMA ⇐ DLog (forking lemma) | In scope |
| Honest-but-curious recipient | Its own deliveries, all public traffic | ZK — learns nothing beyond identity of sender | In scope |
| Colluding recipients | Their combined deliveries | Distinct shared_seed → distinct Y′ distributions | In scope |
| Global passive network observer | All per-bucket counts over time | (ε,δ)-DP cover traffic | In scope |
| Coalition of compromised relays | All proofs + Bloom filters | Same DP bound (counts only) + blinding | In scope |
| Replay attacker | Recorded proofs | Per-delivery commitment freshness + dedup | In scope |
| Compromised endpoint (OS/keys) | Secret key, all state | (assumed secret key intact) | OUT OF SCOPE |

The model is deliberately conservative: a coalition of compromised relays is considered in-scope and defended by the same (ε,δ)-DP bound that defends a single global observer, because the relays see only counts and blinded commitments. Endpoint compromise is out of scope — Tessera assumes the secret key is intact on the sender’s device.

Security properties

Each property maps to a mechanism and a formal result:

| Property | Mechanism | Formal basis |
|---|---|---|
| Unforgeability | Schnorr binds (R, s, Y, m) | EUF-CMA ⇐ DLog (forking lemma) |
| HVZK / NIZK | Fiat–Shamir transform in ROM | Standard Schnorr ZK |
| Cross-recipient unlinkability | Per-recipient blinded pseudonym Y′ | Blinding lemma |
| Replay resistance | Commitment freshness + dedup | Freshness theorem |
| Metadata privacy | (ε,δ)-DP cover traffic, load-independent | Laplace mechanism (Dwork et al.) |

Assumptions

Tessera’s guarantees rest on four assumptions:

  • SECP256k1 discrete-logarithm hardness. No efficient adversary can compute x from Y = x·G. This underpins unforgeability and the blinding lemma.
  • Random oracle model (ROM). The hash H used for the Fiat–Shamir challenge and the blinding scalar is modeled as a random oracle. This is the standard assumption for NIZK soundness and zero-knowledge of FS-transformed Schnorr.
  • Honest verifier. The recipient (verifier) follows the protocol. Tessera does not defend against a malicious verifier who deviates from the verification algorithm — but such deviation only affects whether the recipient accepts the proof, not the sender’s secrets.
  • Secret-key integrity. The sender’s long-term secret key x is not compromised. If x leaks, the adversary can impersonate the sender — out of scope, same as every other public-key authentication system.

What Tessera does NOT protect

A clear threat model says what is out of scope as loudly as what is in. Tessera does not protect:

  • Message content. Tessera authenticates the sender and routes privately; it does not encrypt the payload. Use a content-encryption layer (Tessera ships AES-GCM for the proof envelope; end-to-end content encryption is the application’s responsibility).
  • Endpoint compromise. If the sender’s device is compromised and x is extracted, all guarantees fail. Tessera assumes key integrity, like every public-key system.
  • Traffic-confirmation attacks beyond the (ε,δ)-DP bound. An adversary that can correlate timing, size, or content of messages across the network boundary in ways not captured by the per-bucket count model may gain additional information up to the DP budget. The bound is statistical and holds compositionally across rounds, but exotic side channels (e.g. traffic analysis of the TCP layer, power analysis of the device) are not covered.

Comparison: Tessera vs Signal vs Tor

| Scheme | Assumes | Protects | Does not protect |
|---|---|---|---|
| Tessera | DLog, ROM, honest verifier, key integrity | Sender, recipient, timing, graph | Content (use AES-GCM), endpoint |
| Signal | Honest server, E2EE key exchange | Content | Social graph (server sees it) |
| Tor | ≥1 honest hop in circuit | Source IP of TCP stream | Exit traffic, timing correlation |

Tessera’s threat model is narrower than Signal’s on content (Tessera does not provide the content layer) but strictly stronger on metadata (Signal’s server reconstructs the social graph). Compared with Tor, Tessera provides authenticated one-to-one delivery rather than anonymous source-of-TCP-stream, and defends against a global passive observer via DP cover traffic rather than relying on hop diversity.

Frequently asked questions

Why is endpoint compromise out of scope?

Every public-key authentication system assumes the secret key is intact on the prover's device. If the device is compromised and x is extracted, the adversary can impersonate the sender indefinitely. Defending against endpoint compromise requires OS-level isolation (secure enclaves, hardware keys), which is orthogonal to the protocol layer Tessera operates at. Tessera integrates with standard key stores (EncryptedKeyStore, PBKDF2) to make extraction harder, but does not claim to prevent it.

Does Tessera defend against a coalition of all relays?

Yes, within the (ε,δ)-DP bound. A coalition of all relays sees every proof and every Bloom subscription, but it still sees only counts (padded by DP cover traffic) and blinded commitments (uniform per delivery). The blinding lemma and the DP guarantee both hold against a coalition because they are information-theoretic/statistical and do not depend on trust assumptions about relays. The only thing a full coalition gains over a single relay is more proof copies, which it already had via gossip.

What is the difference between the (ε,δ) bound and perfect privacy?

Perfect privacy (ε=0, δ=0) would require the per-bucket count to be statistically independent of the real load — achievable only with infinite dummy bandwidth. Tessera's (ε,δ)-DP bound is the standard relaxation: an adversary's ability to distinguish 'delivery happened' from 'delivery did not happen' is bounded by ε, with a δ probability of failure. At ε=0.1 the empirical linking AUC is 0.526, essentially at the information-theoretic ceiling of 0.548 — the residual information is negligible for practical purposes.
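The bandwidth trade-off behind that answer, as an added illustration (not Tessera's code): a shifted, clamped Laplace mechanism for per-bucket dummy counts. The sensitivity of one message per delivery, the shift rule and the function names are assumptions, since the page does not give Tessera's parameters.

```python
import math, random

def laplace_scale(eps, sensitivity=1.0):
    # Assumption: one delivery changes one bucket count by `sensitivity`.
    return sensitivity / eps

def cover_shift(eps, delta, sensitivity=1.0):
    """Mean dummy count mu such that P[Laplace(mu, b) < 0] = delta."""
    return laplace_scale(eps, sensitivity) * math.log(1.0 / (2.0 * delta))

def truncation_prob(mu, b):
    """Probability the noise is negative and gets clamped to 0 dummies (the delta term)."""
    return 0.5 * math.exp(-mu / b)

def padded_count(real, eps, delta, rng):
    """What an observer sees for one bucket in one round: real + dummy messages."""
    b = laplace_scale(eps)
    # Difference of two exponentials is Laplace(0, b); noise does not depend on `real`.
    noise = cover_shift(eps, delta) + rng.expovariate(1 / b) - rng.expovariate(1 / b)
    return real + max(0, round(noise))

def max_privacy_loss(eps, delta, span=2000):
    """Largest |log-likelihood ratio| between loads r and r+1 over observed counts."""
    b, mu = laplace_scale(eps), cover_shift(eps, delta)
    return max(abs(abs(z - mu) - abs(z - 1 - mu)) / b for z in range(span))

def report(delta=1e-6):
    """(eps, mean dummies per bucket per round, worst-case loss) for three budgets."""
    return [(eps, round(cover_shift(eps, delta), 1), max_privacy_loss(eps, delta))
            for eps in (1.0, 0.1, 0.01)]

if __name__ == "__main__":
    for eps, mean_dummies, loss in report():
        print(f"eps={eps}: ~{mean_dummies} dummies/bucket/round, worst-case loss {loss:.3f}")
    rng = random.Random(7)  # constructed sample load: 3 real messages in the bucket
    print([padded_count(3, 0.1, 1e-6, rng) for _ in range(5)])
```

The mean dummy count scales as 1/ε, which is why ε=0 would need unbounded cover traffic.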

Read the full security analysis

The formal proofs, benchmark harnesses, and comparative leakage matrix are in the Tessera repo under scripts/ and the research notes.

pip install tessera