every-channel/every.channel
1
0
Fork 0
Code Releases Activity Actions 2
every.channel/evolution/proposals/ECP-0011-stream-encryption.md
every.channel 897e556bea
every.channel: sanitized baseline
2026-02-15 16:17:27 -05:00

1.2 KiB
Raw Blame History

ECP-0011: stream encryption keys

Status: Draft

Problem

We need a consistent encryption model so streams can be protected in transit while remaining discoverable by stream id.

Decision

Derive a symmetric stream key deterministically from the stream id, with an optional network secret:

  • stream_key = BLAKE3-derive("every.channel stream key v1", network_secret || 0x00 || stream_id)
  • If network_secret is absent, the key is public and provides obfuscation only.
  • If network_secret is present, the stream is private to holders of the secret.

Encryption will be applied at the object layer (MoQ objects), not at the transport layer. This allows relays to store and forward encrypted objects without visibility.

Consequences

  • Streams can be encrypted deterministically without coordination.
  • Private swarms can be created by sharing a network secret.

Alternatives considered

  • Per-session negotiated keys: rejected because it prevents deterministic convergence.
  • PKI per stream: deferred due to operational complexity.

Rollout / teardown

  • Add key derivation helper in ec-crypto.
  • Implement object-layer encryption in the MoQ publisher.
  • Add configuration for network secret.