Security
Tessera is an open-source privacy protocol for authenticated, metadata-private, one-to-one delivery. This page summarises the threat model, security properties, formal guarantees, assumptions, scope, and responsible disclosure policy. For the full threat-model write-up, see Threat Model.
Threat model
Tessera assumes a global passive network observer that can see every packet on every link, plus an honest-but-curious recipient, plus the possibility of colluding recipients. The following table lists the adversaries the protocol is designed to resist and the mechanism that defeats each.
| Adversary | Defence |
|---|---|
| Malicious sender (impersonation) | Unforgeability ⇐ Discrete Logarithm + forking lemma |
| Honest-but-curious recipient | Per-recipient blinding — Y' uniform per delivery |
| Colluding recipients | Distinct shared_seed → independent Y' distributions |
| Global passive network observer | (ε,δ)-differentially-private cover traffic |
| Replay attacker | Per-delivery commitment freshness + dedup |
| Tagging / malleability attacker | AES-GCM authenticated encryption + commitment binding |
Security properties
Each property below is backed by a named mechanism and a formal reduction or empirical benchmark. The benchmark harnesses (experiments E1–E7) are reproducible; see the research page for the harness table.
| Property | Mechanism | Formal basis |
|---|---|---|
| Unforgeability | Schnorr binds (R, s, Y, m) | EUF-CMA ⇐ DLog (forking lemma) |
| HVZK / NIZK | Fiat–Shamir transform in the ROM | Standard Schnorr ZK |
| Cross-recipient unlinkability | Per-recipient blinded pseudonym Y' | Blinding lemma |
| Replay resistance | Per-delivery commitment + dedup | Freshness theorem |
| Metadata privacy | (ε,δ)-DP cover traffic, load-independent | Shifted-Laplace mechanism |
| Content confidentiality | AES-GCM (256-bit) | IND-CCA2 AE |
Empirical security validation
The bench_security.py harness (experiment E6) runs the verifier against four attack classes — tamper, swap-key, forge, and replay — with 5000 trials each. The result: false-accept rate (FAR) and false-reject rate (FRR) both 0 / 0 across all classes. The adversary linking AUC under (ε,δ)-DP cover traffic at ε=0.1 (experiment E3, linkability_sim.py) is 0.526 — statistically indistinguishable from random guessing.
Assumptions and scope
What Tessera protects:
| Protected | How |
|---|---|
| Sender identity (on the wire) | Blinded pseudonyms — observer sees uniform random Y' |
| Sender–recipient linking (routing) | Bucketed broadcast + Bloom fingerprints |
| Per-bucket delivery counts | (ε,δ)-DP cover traffic, load-independent Laplace noise |
| Message content | AES-GCM authenticated encryption |
| Sender authentication | Schnorr / Fiat–Shamir NIZK, EUF-CMA |
Out of scope:
- Compromised endpoint — assumes the sender's secret key is intact on the device.
- Recipient running a malicious verifier — the verifier is assumed honest.
- Traffic analysis beyond per-bucket counts (e.g. global timing correlation across long horizons).
- Denial-of-service — Tessera is not designed to resist flooding; bucket limits mitigate but do not prevent.
- Metadata introduced by the application layer above Tessera (e.g. client UI behaviour).
Responsible disclosure
If you find a security issue in Tessera, please report it responsibly. Email security issues to contact@skelfresearch.com with "Tessera Security" in the subject. Please do not open a public GitHub issue for security vulnerabilities. We will acknowledge receipt within 72 hours and aim to publish a fix and advisory within 90 days.
Cryptographic primitives
- Curve: secp256k1 (ECDLP hard group).
- Proof: Schnorr identification, Fiat–Shamir transform in the random oracle model.
- Hash: SHA-256 modelled as a random oracle.
- Symmetric: AES-256-GCM (IND-CCA2 authenticated encryption).
- Keystore: PBKDF2 with 100,000 iterations; configurable key rotation.