A Privacy Protocol Using Ephemeral Intermediaries and a Rank-Deficient Matrix Power Function (RDMPF)
Abstract
This paper presents a private transfer architecture for the Internet Computer (ICP) that decouples deposit and retrieval through two short-lived intermediaries, with sealed storage and attested teardown by an ephemeral witness. The protocol uses a non-interactive RDMPF-based encapsulation to derive per-transfer transport keys. A public notice hint is computed from the capsule to enable discovery without fingerprinting the recipient's key. Retrieval is authorized by a short proof of decapsulation that reveals no identities. All transaction intermediaries are ephemeral and issue certified destruction intents and proofs, allowing a noticeboard to publish auditable finalization records. The design provides sender identity privacy with respect to the recipient, content confidentiality against intermediaries, forward secrecy for transport keys after staged destruction, and verifiable liveness and finality. We formalize the basic interfaces and provide the security arguments for encapsulation correctness, hint privacy, authorization soundness and timeout reclaim. In terms of implementation, the protocol has recently been brought into production on the ICP under the name ICPP. It has been subject to exhaustive testing and incorporates a few enhancements that focus on the operational possibilities offered by ICP's technology. This work hence serves as a broad reference for the protocol that is now publicly accessible.
Summary
This paper introduces ICPP, a novel protocol for private data transfer on the Internet Computer (ICP). ICPP decouples the deposit and retrieval phases using short-lived intermediaries and a Rank-Deficient Matrix Power Function (RDMPF) based encapsulation scheme, providing sender identity privacy, content confidentiality, and forward secrecy.
Key Insights
- ICPP utilizes ephemeral intermediaries and storage units that are created and destroyed for each transfer, enhancing security and privacy by limiting the exposure of data to any single entity.
- The protocol employs a non-interactive encapsulation scheme based on RDMPF to derive per-transfer transport keys, ensuring that the keys are unique and the data is protected during transit.
- A public notice hint, derived from the capsule, enables recipients to discover the transfer without revealing their identity, preserving receiver privacy.
- The design incorporates verifiable destruction intents and proofs, allowing for auditable finalization records and ensuring that ephemeral state is properly discarded, contributing to forward secrecy.
- The paper formally proves several security theorems, including path unlinkability, content confidentiality, unpredictability of the witness, and auditable staged destruction.
Practical Implications
- ICPP offers a practical solution for enhancing privacy in blockchain environments like the Internet Computer, where data is typically public, opening up possibilities for new applications requiring private data transfer.
- The use of RDMPF and other cryptographic primitives highlights the importance of strong cryptographic foundations for building secure and private blockchain applications.
- Future research could focus on mitigating the residual co-location risk and exploring alternative threat models, such as collusion between intermediaries, to further strengthen the protocol's security.
- The ICPP architecture can serve as a blueprint for designing privacy-preserving protocols in other decentralized systems and platforms.
Cite This Paper
Salazar, E. (2025). A Privacy Protocol Using Ephemeral Intermediaries and a Rank-Deficient Matrix Power Function (RDMPF). arXiv preprint arXiv:2512.23535.
Eduardo Salazar. "A Privacy Protocol Using Ephemeral Intermediaries and a Rank-Deficient Matrix Power Function (RDMPF)." arXiv preprint arXiv:2512.23535 (2025).