Security: ASlava12/overlay
Security

| Attack | Mitigation | Epic | Status |
| --- | --- | --- | --- |
| Sybil | PoW difficulty 24+ bits (adaptive, epoch-based); MAX_POW_DIFFICULTY=24 | 172.A, 304 | Implemented |
| Eclipse (DHT) | Subnet /24 diversity in k-buckets (K/4=5 max per subnet) | 172.C | Implemented |
| Mailbox Flood | Reject when full (no eviction); per-sender quota; global 100K cap | 172.B, 173, 313.5 | Implemented |
| Replay (routing) | Two-layer dedup: per-(origin,via,seq) + per-(origin,seq); MAX_ROUTE_ANNOUNCE_AGE_SECS=300 | 172.D, 449.2 | Implemented |
| DHT Poisoning | expires_at validation; signed STORE announcements | 172.E, 181.A2 | Implemented |
| DHT Delete abuse | DeletePayload requires (algo, pubkey, signature); BLAKE3(pubkey)==key (self-owned only) | 449.1 | Implemented |
| DHT seed exhaustion | HashSet-based O(1) dedup in iterative lookups | 449.12 | Implemented |
| Gateway Spoofing | peer_roles cache verified against handshake capabilities | 172.F | Implemented |
| Rate flood | Per-peer token bucket → violation tracker (5 strikes / 5 min) → ban list | Multiple | Implemented |
| Connection flood | MAX_SESSIONS_PER_IP=32; optional PoW challenge at handshake | — | Implemented |
| Congestion | Backpressure at >78% load; adaptive fan-out halved at >50% | 321 | Implemented |
| Transit abuse | Reputation gate: MIN_REPUTATION_FOR_TRANSIT=200 | 322 | Implemented |
| Cross-algo substitution | All signatures verified via crypto::verify_message(algo, ...); algo byte travels on the wire | 444.3, 449.1 | Implemented |
| Traffic analysis | Optional SessionMsg::Padding frames aligned to MTU (Epic 409.7) | 409 | Implemented |

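
The "Rate flood" row describes a three-stage chain: per-peer token bucket, then a violation tracker (5 strikes / 5 min), then a ban list. The sketch below is an added example, not code from the overlay repository; `RateGuard`, `Verdict`, the `u64` peer id, the bucket capacity and refill rate, and the rule that every throttled message counts as one strike are all assumptions.

```rust
use std::collections::{HashMap, HashSet, VecDeque};

// From the page: 5 strikes within 5 minutes puts the peer on the ban list.
const MAX_STRIKES: usize = 5;
const STRIKE_WINDOW_SECS: u64 = 300;
// Assumed values; the page gives no bucket parameters.
const BUCKET_CAPACITY: f64 = 10.0;
const REFILL_PER_SEC: f64 = 5.0;

#[derive(Debug, PartialEq)]
pub enum Verdict { Allow, Throttled, Banned }

struct PeerState { tokens: f64, last_seen: u64, strikes: VecDeque<u64> }

// Hypothetical type names; peers are keyed by an illustrative u64 id.
#[derive(Default)]
pub struct RateGuard { peers: HashMap<u64, PeerState>, banned: HashSet<u64> }

impl RateGuard {
    /// Account for one message from `peer` at monotonic time `now` (seconds).
    pub fn on_message(&mut self, peer: u64, now: u64) -> Verdict {
        if self.banned.contains(&peer) { return Verdict::Banned; }
        let st = self.peers.entry(peer).or_insert(PeerState {
            tokens: BUCKET_CAPACITY, last_seen: now, strikes: VecDeque::new() });
        // Stage 1: token bucket, refilled lazily from the elapsed time.
        let elapsed = now.saturating_sub(st.last_seen) as f64;
        st.tokens = (st.tokens + elapsed * REFILL_PER_SEC).min(BUCKET_CAPACITY);
        st.last_seen = now;
        if st.tokens >= 1.0 { st.tokens -= 1.0; return Verdict::Allow; }
        // Stage 2: violation tracker; strikes older than the window expire.
        while st.strikes.front().map_or(false, |&t| now.saturating_sub(t) >= STRIKE_WINDOW_SECS) {
            st.strikes.pop_front();
        }
        st.strikes.push_back(now);
        if st.strikes.len() < MAX_STRIKES { return Verdict::Throttled; }
        // Stage 3: ban list; per-peer state is dropped so it cannot grow.
        self.peers.remove(&peer);
        self.banned.insert(peer);
        Verdict::Banned
    }
}

fn main() {
    let mut guard = RateGuard::default();
    // Constructed traffic: peer 7 sends 15 messages within the same second.
    for i in 0..15 { println!("msg {}: {:?}", i, guard.on_message(7, 0)); }
}
```

Passing the timestamp in as an argument keeps the strike-window expiry deterministic to test; the sketch has no ban expiry because the page does not state one.
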

| Purpose | Algorithm | Notes |
| --- | --- | --- |
| Identity | Ed25519 or Falcon-512 | Configurable per-node; node_id = BLAKE3(pubkey) identical for both |
| Session key exchange | X25519 ephemeral DH | HKDF-SHA256 (salt = local_id XOR remote_id, info = "ovl1-session-v1") yields tx_key/rx_key/session_id; lex-order swap of tx/rx keys gives both sides mirrored assignments |
| Session encryption | ChaCha20-Poly1305 | Per-frame AEAD; 12-byte counter nonce; rekey at 128 GiB / 32 days / counter wrap (configurable via [session] rekey_bytes_threshold + rekey_time_threshold_secs) |
| E2E encryption | ML-KEM-768 encapsulation + ChaCha20-Poly1305 | Markers 0xE2 (E2E) / 0xE3 (meta-E2E, hides sender) |
| Hashing | BLAKE3 | Node IDs, DHT keys, PoW, content hashing, HMAC (keyed) |
| PoW | BLAKE3(pubkey ‖ nonce ‖ sign(pubkey, nonce)) with ≥24 leading-zero bits | Sequential; adaptive 24 + ⌈log2(N/100K)⌉ |
| Mailbox replica encryption | HKDF(primary_mlkem_dk) + ChaCha20-Poly1305 | Replicas store opaque blobs (Epic 249.5/407.6) |

- PowParams, Base64PrivateKey, Base64PublicKey: Debug output redacted (Epic 306)
- SessionKeys: custom Debug impl with redaction
- Session keys derived via HKDF-SHA256; tx/rx assignment is mirrored by lex-ordering both peers' node_ids
- Nonce counter overflow detected and session rekeyed

| Risk | Description | Mitigation Plan |
| --- | --- | --- |
| Shard filtering bypass | shard_filtering is opt-in (default false) | Enable by default when network > 1M nodes |
| Reputation cold start | New nodes start at score 0 → can't transit immediately | Mitigation TBD (peer vouches via ReputationAttestation provide some acceleration) |
| Key material in memory | Private keys in heap; not page-locked | Future: mlock + madvise(DONTDUMP) |
| Protocol version gap | OVL1_MINOR_VERSION = 1 but features gate at >=5 | Bump version with full test coverage |

There aren't any published security advisories