Threat model

audience: contributors

This chapter restates the per-organism trust assumptions named in Organisms and describes how they compose across a lattice. It is scoped to one lattice; cross-lattice threats live in Cross-lattice coordination.

Mosaik’s own security posture — crash-fault-tolerant Raft, QUIC peer authentication via iroh, ticket-gated bonding — is assumed and not re-derived. Where a claim depends on mosaik, the mosaik book is linked.

Goals and non-goals

Goals.

  • Sender-to-transaction unlinkability at the submission and auction layers, up to the trust boundary of zipnet + unseal + offer.
  • Non-equivocating candidate blocks: atelier commits one body per slot, signed under a TDX-attested collective, so no committee minority can smuggle an alternate block past the other members.
  • Auditable attribution: tally’s Refunds commit is a deterministic function of the upstream commits and on-chain inclusion, and its Attestations are presentable to an on-chain settlement contract for independent verification.

Non-goals.

  • Byzantine fault tolerance of Raft. mosaik’s variant is crash-fault tolerant. A deliberately compromised committee member within an organism can DoS liveness but cannot forge a commit that does not pass the state machine’s own validation. Each organism spells out what “validation” means in its own crate docs.
  • Confidentiality of on-chain effects. Once a Candidates[S] block is executed on-chain, the chain reveals whatever that execution reveals. The lattice does not try to hide the economic outcome; it hides the sender-to-transaction linkage up to the moment the chain reveals it.
  • Resistance to message-length side channels beyond what zipnet already enforces. Integrators that encode variable-size payloads directly into zipnet’s fixed-size slots leak size metadata at the application layer. This is the integrator’s problem; see zipnet’s security checklist.
  • Cross-lattice guarantees. See cross-chain.md.

Per-organism trust shapes

Short recap of the assumption each organism operates under. Each organism’s own docs carry the full derivation; this page ties them together.

zipnet

Assumption. Any-trust — anonymity holds as long as at least one committee server is honest. Liveness in v1 requires all servers honest (the zipnet roadmap’s v2 item relaxes this).

Attacker power ceiling. The adversary can control the TEE of every client except one; the aggregator; the network; all but one committee server. Under that ceiling, sender-to-envelope linkability is PRF-indistinguishable.

Breaks when. Every committee server colludes. Every client TEE is compromised (then attestation — the v2 TDX path — no longer admits any client).

See zipnet threat model for the full argument.

unseal

Assumption. t-of-n threshold. Fewer than t committee members colluding learn nothing about the cleartext of any zipnet round; t or more colluding members can decrypt at will.

Attacker power ceiling. Control the TEE of up to t - 1 committee members.

Breaks when. An adversary obtains t share secrets. The TDX attestation on every committee member raises the bar from “I compromised t operator hosts” to “I compromised t TDX images and their attestation chains”.

Composition note. Because unseal feeds offer and atelier, compromising unseal beyond threshold also breaks the anonymity of order flow to those two organisms. A lattice operator picking t for unseal is picking the anonymity budget for the whole lattice.

offer

Assumption. Majority-honest committee. A majority can commit an AuctionOutcome[S] whose winner is not the highest bid.

Attacker power ceiling. Up to floor(n/2) committee members compromised. Searchers’ bid anonymity is additionally protected by the auction’s threshold encryption: a minority of compromised committee members cannot decrypt losing bids.

Breaks when. A majority of the offer committee colludes against the searcher set. The fallback is that the on-chain settlement contract can reject an AuctionOutcome whose evidence set does not verify.

atelier

Assumption. TDX attestation (hardware root of trust) plus majority-honest committee. A committee member without a valid TDX quote on their PeerEntry is not admitted; a minority of compromised TDX images cannot commit a block body the majority rejects; a majority can commit an arbitrary block body.

Attacker power ceiling. Compromise fewer than floor(n/2) + 1 TDX images and their attestation chain (including Azure / cloud provider attestation services for rented TDX hosts).

Breaks when. A majority of the atelier committee’s TDX images are compromised. At that point the adversary can choose blocks; downstream relay still surfaces the block body to the proposer, but the proposer (or the chain) is the last line of defense.

Composition note. A malicious atelier majority cannot retroactively change offer’s outcome or zipnet’s broadcast; those logs are authoritative in their own Groups. A malicious majority can simply choose to exclude a winning bid or include transactions outside the unsealed pool. Downstream tally attribution will then reflect the misbehavior — a malicious atelier cannot hide its actions from the audit log, only choose what to commit.

relay

Assumption. Any-trust on liveness; majority-honest on the integrity of AcceptedHeaders. A single honest relay committee member suffices to ship a header; a majority of dishonest members can commit an AcceptedHeaders[S] that lies about the proposer’s acknowledgement.

Breaks when. A majority of the relay committee conspires to forge a proposer-ack record. The on-chain inclusion watcher in tally is the ground truth — an AcceptedHeaders[S] that does not correspond to an included block is a visible discrepancy and is not used for attribution.

tally

Assumption. Majority-honest committee. A majority can misattribute a refund.

Breaks when. A majority of the tally committee conspires. The on-chain settlement contract can reject attestations whose evidence does not verify, which bounds the attack to “a majority commits a refund attestation the contract later rejects”, not “the refund is paid out”.
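The ground-truth check that relay’s and tally’s “breaks when” paragraphs lean on, as an added example rather than code from the project: relay’s AcceptedHeaders[S] claims are reconciled against what the on-chain inclusion watcher actually observed, any slot where the two disagree is surfaced as a discrepancy and excluded from attribution, and the attributable slot set is committed to with a deterministic digest so that independent replays of the same logs agree. The record layouts (a slot number and a block hash per record), the field names and the sample values are assumptions constructed for this example; the real commits carry whatever the relay and tally crates define.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AcceptedHeader:
    """One AcceptedHeaders[S] record as relay commits it (fields are assumed)."""
    slot: int
    block_hash: str  # header the relay committee claims the proposer acknowledged


@dataclass(frozen=True)
class IncludedBlock:
    """One observation from tally's on-chain inclusion watcher (fields are assumed)."""
    slot: int
    block_hash: str  # block the chain actually executed at that slot


Discrepancy = Tuple[int, str, Optional[str]]  # (slot, claimed hash, observed hash or None)


def reconcile(accepted: List[AcceptedHeader],
              included: List[IncludedBlock]) -> Tuple[List[int], List[Discrepancy]]:
    """Split relay's claims into slots usable for attribution and visible discrepancies.

    On-chain inclusion is the ground truth: a claimed header with no matching
    included block is flagged and never feeds attribution, whatever relay committed.
    """
    onchain: Dict[int, str] = {b.slot: b.block_hash for b in included}
    eligible: List[int] = []
    discrepancies: List[Discrepancy] = []
    for h in accepted:
        observed = onchain.get(h.slot)
        if observed == h.block_hash:
            eligible.append(h.slot)
        else:
            discrepancies.append((h.slot, h.block_hash, observed))
    return sorted(eligible), sorted(discrepancies, key=lambda d: d[0])


def attribution_digest(eligible_slots: List[int]) -> str:
    """Deterministic commitment over the attributable slot set.

    Two integrators replaying the same logs must derive the same digest, which is
    what makes a post-hoc rewrite of the attribution input detectable.
    """
    canonical = json.dumps(sorted(set(eligible_slots)), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


# Constructed sample: relay claims three slots; the chain agrees on one,
# executed a different body on another, and never included the third.
SAMPLE_ACCEPTED = [
    AcceptedHeader(10, "0xaaa"),
    AcceptedHeader(11, "0xbbb"),
    AcceptedHeader(12, "0xccc"),
]
SAMPLE_INCLUDED = [
    IncludedBlock(10, "0xaaa"),
    IncludedBlock(11, "0xb0b"),  # a different candidate won slot 11
]


if __name__ == "__main__":
    eligible, discrepancies = reconcile(SAMPLE_ACCEPTED, SAMPLE_INCLUDED)
    print("attributable slots:", eligible)
    for slot, claimed, observed in discrepancies:
        print(f"slot {slot}: relay claimed {claimed}, chain shows {observed}")
    print("attribution digest:", attribution_digest(eligible))
```

Run as a script it reports slot 10 as attributable, flags slots 11 and 12, and prints the digest; a monitoring integrator would alert on any non-empty discrepancy list, since a forged proposer-ack record shows up exactly there.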

How the assumptions compose

The lattice does not require every organism’s trust assumption to hold simultaneously for every property. Different properties depend on different subsets:

| Property | Depends on |
| --- | --- |
| Sender-to-tx unlinkability | zipnet any-trust AND unseal t-of-n |
| Bid confidentiality until auction ends | offer threshold crypto |
| Winning-bid integrity per slot | offer majority-honest |
| Block-body non-equivocation | atelier TDX + majority-honest |
| Header delivery to proposer | relay any-trust liveness |
| Faithful refund attestation | tally majority-honest AND on-chain inclusion |
| Lattice liveness | Every organism’s liveness condition |

Concretely:

  • If zipnet is fully honest but unseal crosses threshold, order flow is deanonymized to the unseal adversary. offer bidding is still confidential to competing searchers.
  • If offer goes majority-malicious, wrong bundles win, but atelier still builds legally and tally can attribute from the committed (wrong) AuctionOutcome. The integrator can tell from the public logs that offer misbehaved.
  • If atelier goes TDX-compromised, the lattice commits bad blocks but cannot hide the fact of doing so. Proposers can choose a different builder for the next slot; operators retire the atelier deployment.
  • If tally goes majority-malicious, attestations are refused by on-chain settlement contracts; refunds simply do not flow.

This decomposition is the point. A monolithic pipeline forces every user to trust every component’s worst-case failure mode; the lattice lets each property depend only on the organisms that actually produce it.
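The per-organism trust shapes and the property table above, written out as a small model; this is an added example for this chapter, not code from the lattice or from mosaik. Each committee is described by its size and the number of members the adversary controls (hosts, or TDX images plus their attestation chains where admission is attestation-gated), the three trust shapes become predicates, and each row of the table becomes a boolean over those predicates. Lattice liveness is modelled on the page’s own statement that a deliberately compromised member can DoS its organism, so it holds only when no committee has a compromised member. Committee sizes, the unseal threshold and the compromise counts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Committee:
    """Constructed description of one organism's committee.

    n   : committee size
    bad : members the adversary controls (operator hosts, or TDX images plus
          their attestation chains where admission is attestation-gated)
    t   : reconstruction threshold, only meaningful for unseal
    """
    n: int
    bad: int
    t: Optional[int] = None


# The trust shapes named in the chapter, as predicates on a committee.
def any_trust(c: Committee) -> bool:
    """Holds while at least one member is honest."""
    return 0 <= c.bad < c.n


def threshold(c: Committee) -> bool:
    """Fewer than t colluding members learn nothing."""
    if c.t is None:
        raise ValueError("threshold() needs a t-of-n committee")
    return c.bad < c.t


def majority_honest(c: Committee) -> bool:
    """Up to floor(n/2) compromised members are tolerated."""
    return c.bad <= c.n // 2


ORGANISMS = ("zipnet", "unseal", "offer", "atelier", "relay", "tally")


def lattice_properties(lattice: Dict[str, Committee],
                       inclusion_consistent: bool = True) -> Dict[str, bool]:
    """Evaluate the property table for a given compromise pattern."""
    z, u, o, a, r, t = (lattice[name] for name in ORGANISMS)
    return {
        # zipnet any-trust AND unseal t-of-n
        "sender_to_tx_unlinkability": any_trust(z) and threshold(u),
        # offer's threshold encryption: a minority cannot decrypt losing bids
        "bid_confidentiality": majority_honest(o),
        "winning_bid_integrity": majority_honest(o),
        # atelier: 'bad' counts compromised TDX images; a majority can commit anything
        "block_body_non_equivocation": majority_honest(a),
        "header_delivery": any_trust(r),
        # tally majority-honest AND on-chain inclusion agreeing with the logs
        "faithful_refund_attestation": majority_honest(t) and inclusion_consistent,
        # Raft here is crash-fault tolerant only: one deliberately bad member can DoS
        "lattice_liveness": all(c.bad == 0 for c in lattice.values()),
    }


def unlinkability_budget(lattice: Dict[str, Committee]) -> int:
    """Fewest parties whose compromise deanonymises order flow: the cheaper of
    'every zipnet server' and 't unseal members' (unseal's composition note)."""
    return min(lattice["zipnet"].n, lattice["unseal"].t)


def baseline_lattice() -> Dict[str, Committee]:
    """Constructed, fully honest lattice; committee sizes are illustrative."""
    return {
        "zipnet": Committee(n=3, bad=0),
        "unseal": Committee(n=5, bad=0, t=3),
        "offer": Committee(n=5, bad=0),
        "atelier": Committee(n=5, bad=0),
        "relay": Committee(n=3, bad=0),
        "tally": Committee(n=5, bad=0),
    }


def scenario(**bad_counts: int) -> Dict[str, bool]:
    """Baseline lattice with the given organisms' compromise counts overridden."""
    lattice = baseline_lattice()
    for name, bad in bad_counts.items():
        c = lattice[name]
        lattice[name] = Committee(n=c.n, bad=bad, t=c.t)
    return lattice_properties(lattice)


if __name__ == "__main__":
    cases = [("honest", {}), ("unseal crosses t", {"unseal": 3}),
             ("offer majority-malicious", {"offer": 3}),
             ("atelier TDX-compromised", {"atelier": 3}),
             ("tally majority-malicious", {"tally": 3})]
    print("unlinkability budget:", unlinkability_budget(baseline_lattice()))
    for label, kwargs in cases:
        lost = [p for p, ok in scenario(**kwargs).items() if not ok]
        print(f"{label:26s} lost: {lost or 'nothing'}")
```

Each scenario in the script corresponds to one bullet of the list above: crossing unseal’s threshold loses only unlinkability while bid confidentiality survives, an offer majority loses bid integrity while atelier and tally keep their properties, and so on. The budget line makes unseal’s composition note concrete: with three zipnet servers and t = 3, three compromised parties suffice either way, and raising t above the zipnet committee size buys nothing for unlinkability.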

What a compromised lattice cannot do

Regardless of how many organisms go bad (short of all of them):

  • Cannot change the chain’s head. The lattice produces candidate blocks; the chain’s proposer accepts them or not. Compromising the lattice does not override chain-level validity.
  • Cannot mint money. tally’s attestations only route MEV that was actually captured on a block; they cannot manufacture payouts. On-chain settlement contracts enforce this.
  • Cannot forge an organism’s commit log. Mosaik-native collections are append-only and signed by their Group members. A post-hoc rewrite is detectable by any integrator replaying the log.

What a compromised lattice can do

Conservatively:

  • Deny service. Every organism’s liveness is a failure mode. A lattice that DoSes itself is possible.
  • Bias block content within the atelier trust boundary. A majority-compromised atelier + majority-compromised offer can commit a block whose bundle ordering favours the adversary. The public commit logs record this and it is visible to any integrator; the chain executes it.
  • Refuse to refund. A majority-compromised tally can withhold attestations. Searchers with no on-chain recourse get no refund for that slot.

The observability is load-bearing. Integrators — and chain explorers — can monitor the lattice’s public logs and raise objections, switch lattices, or escalate through on-chain governance. A lattice that misbehaves is a lattice whose integrators stop using it.

Operator responsibilities

The trust assumptions above are protocol-level; they hold only if operators run the software the assumptions describe. Every operator running a committee member in any organism is responsible for:

  • Running the attested image for organisms with TDX admission (unseal, atelier, optionally relay).
  • Protecting committee-admission secrets — the GroupKey-equivalent for each organism. Loss of this secret means an adversary can join the committee.
  • Rotating on schedule per Rotations and upgrades.
  • Reporting anomalies — divergences between organism logs and on-chain reality — via whatever channel the lattice operator has established.

See operators/security-posture.md when that page lands.

Cross-references

  • Organisms — per-organism trust sketch.
  • Composition — subscription graph used above.
  • Roadmap — items that tighten the assumptions (BFT liveness, post-quantum unseal, etc.).