Documentation
Security model
At VIGIL-MESH, there is only one encryption layer: the session between two machines IS an end-to-end QUIC connection — not a tunnel stacked on top of another tunnel. The vigies that relay traffic are structurally blind: they only ever see opaque metadata, never the content nor the keys. Revoking a member is immediate, and the key exchange is post-quantum from the design stage to resist future decryption.
A single encryption layer
The session linking two machines is not encrypted "on top of" a transport: it IS an end-to-end QUIC connection. Encryption comes from TLS 1.3, peer authentication relies on raw Ed25519 public keys (raw public keys, RFC 7250) — no certificate chain to manage — and key establishment uses a hybrid post-quantum X25519 + ML-KEM768 exchange.
Classic mesh VPNs do it differently: they stack an encrypted tunnel inside a fallback channel, which ends up double-encrypting the relayed path — more surface, more cost, two layers to age together. VIGIL has only one layer to secure, and it is the right one: the one that truly goes end to end.
The blind relay, by construction
The relay's blindness is not a promise of good conduct, it is a structural property: the vigie never holds the keys that decrypt your flows. Here is precisely what each actor sees — and never sees.
| Actor | Sees | Never sees |
|---|---|---|
| The vigie | Opaque flow and group identifiers, packet sizes, timing, transport IP addresses | The content, the keys, the cleartext network map (netmap) |
| The controller | Identities, policy, the directory of members and networks | The content of your end-to-end flows |
The consequence is direct: the complete compromise of a vigie yields only metadata. An attacker who takes a vigie can neither forge a node identity (they don't have the private keys, which never leave their machine), nor read end-to-end traffic (they don't have the session keys). They observe sizes and timing, nothing more.
Broadcast is encrypted too
Multicast is no exception to the rule. Each sender broadcasts under a sender key that rotates when a member is revoked, when it reconnects or restarts, and at the latest every 24 hours. The vigie replicates the packets to the receivers without ever being able to read them.
The trust model is stated honestly: the guarantee bears on authenticity at the group level. Any authorized member can send and decrypt the group's broadcasts — exactly the model of a physical LAN, where anyone plugged into the switch shares the same broadcast domain.
Immediate revocation
Removing a member is not about waiting for a token to expire. Revocation combines two immediate gestures: removing the member from the signed network map (netmap) distributed by the controller, and immediately rotating the group keys still in use.
The result: a revoked member can no longer establish a new session, and it decrypts nothing from broadcasts issued after its revocation. The cut-off takes effect at the moment of the decision, not at the next cycle.
Post-quantum from the design stage
The key exchange of QUIC sessions is hybrid X25519 + ML-KEM768. "Hybrid" means that the session key depends on both mechanisms at once: it remains secure as long as either of the two holds. It is a defence against the "harvest now, decrypt later" scenario — an adversary recording encrypted traffic today in the hope of breaking it tomorrow with a quantum computer.
The ML-KEM implementation used is a proven library, integrated as-is — never an in-house rewrite of the cryptographic primitive.