Most conventional instant messenger systems (IMS) are built on a centralized authentication and authorization regime. Unfortunately, any centralized system is inherently susceptible to data breach. (More info here.) In contrast, an IMS built on top of Citium, which is paved by a network of decentralized nodes, is not exposed to that risk. For example, suppose that two users are trying to communicate with each other on Citium. The sender is Alice and the intended recipient is Bob. No third party can know for sure whether he or she has correctly deciphered a message from Alice to Bob, because Citium uses the following security mechanisms: 1. Pretty Good Privacy (PGP) encryption; 2. the indiscriminate mesh-tree multicast (IMTM) threshold cryptosystem; and 3. key/message equivocation. PGP is too popular to need further explanation. But since the IMTM threshold cryptosystem is unique to Citium and key/message equivocation is less well known, we are going to spend more time explaining their InfoSec advantages.
Figure 1.1: Alice holds the two public keys given by Bob, i.e. KA & KB, because Alice and Bob have performed out-of-band authentication. Note that both of their devices manage their own cryptographic keys. In fact, all keys in Citium are generated or derived on-device. Private keys are never sent to anyone else, not even to the service nodes. Both public keys are used in the Hybrid Encryption module, which combines the deniability of a public-key cryptosystem, the efficiency of a symmetric-key cryptosystem, and the additional protection of threshold cryptosystem.
Figure 1.2: Citium Instant Messenger (CIM) is an Off-the-Record Messaging (OTR) system. CIM user Alice posts* a message to another Citium user Bob. Here, Alice’s message is converted into a plaintext (M). M and Random Session Key (KR) are going to be processed through the Hybrid Encryption module as follows:
Plaintext (M) is first encrypted by the XXTEA and Blowfish algorithms with the Random Session Key (KR), resulting in a ciphertext (β). β is then sliced into n ciphertexts; supposing n = 3, we have β1, β2 and β3:
BLOWFISH_KR(XXTEA_KR(M)) ⇒ β
β (n = 3) ⇒ β1, β2, β3
In order to create θ, one slice is randomly picked among the βn. Suppose β1 is picked. KR is encrypted by the ECDSA algorithm with KA; the result is combined with β1 and encrypted again by the ECDSA algorithm with KB, resulting in a ciphertext (θ):
ECDSA_KB(β1 + ECDSA_KA(KR)) ⇒ θ
Finally, the ciphertexts β2, β3 and θ (i.e. βn-1 & θ) are ready for IMTM. Note that β1 is not needed here because it has already been encapsulated in θ.
* We use the word “post” instead of “send” because it makes more sense in the communication network of Citium, which combines the beauty of both cryptography and steganography. But what is steganography? Imagine the word “post” in the sense of Alice posting many anonymous and randomly placed classified ads in multiple newspapers around the world, so that everyone can see them but only the intended recipient Bob knows how to locate them all and make sense of the underlying message. This practice, called steganography, is the flip side of cryptography. In cryptography, everyone involved knows a message has been sent. What’s not known — except to the decoder — is the content of the message. Steganography hides the fact that a message was even sent, usually by hiding it in plain sight. (In the movie “A Beautiful Mind,” the main character, played by Russell Crowe, becomes convinced that the Communists are hiding messages inside news stories and loses his mind trying to decipher them.)
Figure 1.3: Most instant messenger systems are designed so that messages are pushed directly onto the client apps of the intended recipients. In the Citium Instant Messenger system, however, push notifications are limited to a generic text reminder (i.e. “You have a new message.”) (G) being sent to the intended recipients. The intended recipients are required to fetch the messages on their own, which will be explained later in the data flow cycle. For now, Alice sends two pieces of information to Bob’s service node, IMSP Bolivia, in case Bob is not currently online. One is the generic text reminder (i.e. “You have a new message.”) (G), and the other is the ciphertext (θ) that encapsulates the Random Session Key (KR) and one randomly chosen ciphertext slice (β1).
Figure 1.4: The ciphertexts β2, β3 (i.e. βn-1) are sent to the Citium network by indiscriminate mesh-tree multicast (IMTM), which distributes them indiscriminately to as many Citium nodes (i.e. service nodes and user nodes) as possible by mesh-tree multicasting, effectively preempting link analysis and eliminating data breach due to failure at any single point.
Figure 1.5: If the plaintext (M) is larger than 1024 bytes, anything beyond that is separated into a single slice, the excess ciphertext (βE), which is uploaded onto Alice’s service node (i.e. IMSP Australia). IMSP Australia keeps βE for 24 hours before permanently deleting it. This not only prevents running out of disk space but also further strengthens the deniability of Citium.
Figure 1.6: The service node of the intended recipient Bob (i.e. IMSP Bolivia) pushes the generic notification (“You have a new message.”) (G) and the ciphertext (θ) that encapsulates the Random Session Key (KR) and one randomly chosen ciphertext slice (β1) to Bob’s node.
Figure 1.7: At this point, Bob is fully aware that someone has tried to post a message onto the Citium network with him as the intended recipient. Bob pings the whole Citium network with IMTM to fetch the ciphertexts β2, β3 (i.e. βn-1).
Figure 1.8: Now the ciphertexts β2, β3 and θ are ready for the Hybrid Decryption module.
Figure 1.9: Bob’s Private Key A (KA⁻¹) is the private key corresponding to Bob’s Public Key A (KA). Bob’s Private Key B (KB⁻¹) is the private key corresponding to Bob’s Public Key B (KB). Both are ready for the Hybrid Decryption module.
Figure 1.10: The Excess Ciphertext (βE) is fetched from the service node of sender Alice (i.e. IMSP Australia) and is ready for the Hybrid Decryption module.
Figure 1.11: Before the deciphering process happens in the Hybrid Decryption module, all the ciphertext slices have to be in place. Assuming all of them from Figures 1.8 to 1.10 are already in place, θ is deciphered first by the ECDSA algorithm, yielding β1 and KR:
ECDSA_KA⁻¹(ECDSA_KB⁻¹(θ)) ⇒ β1, KR
Combining β1 with the rest of its siblings (i.e. β2, β3) that were sliced at Alice’s side, Bob can now decrypt everything back to the plaintext as follows:
XXTEA_KR⁻¹(BLOWFISH_KR⁻¹(β1 + β2 + β3)) ⇒ M
Finally, the correct plaintext (M) is revealed and delivered to Bob.
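The encrypt, slice, encapsulate, distribute, fetch and reassemble cycle of Figures 1.2 to 1.11 can be traced end to end in a small model. The following is an added example written for this page; it is not Citium's own code. It makes three assumptions the page does not state: XXTEA and Blowfish are replaced by an HMAC-SHA256 counter-mode keystream so the example runs on the Python standard library alone (the slicing and reassembly logic does not depend on which symmetric cipher produced β); each slice is tagged with its index so Bob can restore Alice's order; and θ is modelled as a record that only Bob reads, carrying KR, the chosen slice and n, rather than as a real ECDSA encapsulation.

```python
"""Added example, not Citium's own code: a minimal model of the
encrypt -> slice -> encapsulate -> IMTM-distribute -> fetch -> reassemble cycle.

Assumptions (this example's choices, not stated by the page):
  * XXTEA/Blowfish replaced by an HMAC-SHA256 counter-mode keystream.
  * Each slice is tagged with its index so Bob can restore the order.
  * theta is a plain record (KR, chosen slice, n) that only Bob reads;
    in the design it is sealed to Bob's two public keys KA and KB.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Set, Tuple

Slice = Tuple[int, bytes]  # (index, bytes): beta_i together with its position


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256 over an 8-byte block counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; encryption and decryption are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def slice_ciphertext(beta: bytes, n: int) -> List[Slice]:
    """Split beta into n contiguous, index-tagged slices of near-equal size."""
    if not 1 <= n <= len(beta):
        raise ValueError("n must be between 1 and len(beta)")
    base, extra = divmod(len(beta), n)
    slices, pos = [], 0
    for i in range(n):
        size = base + (1 if i < extra else 0)
        slices.append((i, beta[pos:pos + size]))
        pos += size
    return slices


def reassemble(slices: List[Slice], n: int) -> bytes:
    """Restore Alice's order; fail loudly if any of the n slices is missing."""
    by_index = {i: data for i, data in slices}
    if sorted(by_index) != list(range(n)):
        missing = sorted(set(range(n)) - set(by_index))
        raise ValueError(f"missing slices: {missing}")
    return b"".join(by_index[i] for i in range(n))


def alice_post(message: bytes, n: int, pick: int) -> Tuple[dict, List[Slice]]:
    """Alice's side: theta goes to Bob's service node, the other n-1 slices go to IMTM."""
    kr = os.urandom(32)                 # Random Session Key KR
    beta = sym_crypt(kr, message)       # beta = E_KR(M)
    slices = slice_ciphertext(beta, n)
    theta = {"kr": kr, "slice": slices[pick], "n": n}  # assumption: theta also carries n
    others = [s for s in slices if s[0] != pick]
    return theta, others


def imtm_distribute(nodes: Dict[str, List[Slice]], slices: List[Slice]) -> None:
    """Indiscriminate multicast: every node stores every slice it is given."""
    for held in nodes.values():
        held.extend(slices)


def imtm_fetch(nodes: Dict[str, List[Slice]], failed: Set[str]) -> List[Slice]:
    """Bob pings every node; failed nodes do not answer. Duplicates collapse by index."""
    seen: Dict[int, bytes] = {}
    for name, held in nodes.items():
        if name in failed:
            continue
        for idx, data in held:
            seen.setdefault(idx, data)
    return list(seen.items())


def bob_receive(theta: dict, fetched: List[Slice]) -> bytes:
    """Bob opens theta for KR and beta_pick, adds the fetched slices and decrypts."""
    beta = reassemble(fetched + [theta["slice"]], theta["n"])
    return sym_crypt(theta["kr"], beta)


NODES = ("IMSP Australia", "IMSP Bolivia", "user node 1", "user node 2")  # constructed


def run_cycle(message: bytes, n: int = 3, pick: int = 0, failed: Iterable[str] = ()) -> bytes:
    """Whole cycle; `failed` names nodes that are down when Bob fetches."""
    theta, others = alice_post(message, n, pick)
    nodes: Dict[str, List[Slice]] = {name: [] for name in NODES}
    imtm_distribute(nodes, others)
    return bob_receive(theta, imtm_fetch(nodes, set(failed)))


def node_can_reassemble(message: bytes, n: int = 3, pick: int = 0) -> bool:
    """What an IMTM node holds without theta: n-1 slices and no KR. Reassembly fails."""
    _, others = alice_post(message, n, pick)
    try:
        reassemble(others, n)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(run_cycle(b"Hi Bob, this is Alice.", n=3, pick=1, failed={"user node 1"}))
```

Two behaviours are worth noticing when running it: the cycle still completes when some nodes are down, because every slice was multicast to every node, and any node that only holds the IMTM slices cannot even reconstruct β, let alone M, because the missing slice and KR live only in θ.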
IMTM Threshold Cryptosystem
The indiscriminate mesh-tree multicast (IMTM) threshold cryptosystem means that a ciphertext is cryptographically split into multiple slices, which in turn are distributed indiscriminately to as many nodes as possible by mesh-tree multicasting, effectively preempting link analysis and eliminating data breach due to failure at any single point.
In order for the intended recipient (Bob) to correctly decrypt the message from the sender (Alice), Bob has to obtain all slices of the ciphertext and decrypt them with the right private key. Bob has to send requests to as many nodes as he can through indiscriminate mesh-tree multicast (IMTM) until he has collected all the slices. Only the intended recipient (Bob) can correctly reunite and decrypt all slices of the ciphertext.
Cryptanalytically Unbreakable: Unless some hackers can hijack all nodes that hold the pertaining ciphertext slices and decipher them all with a quantum computer that only exists in theory, nothing during transit of the ciphertext slices can threaten the confidentiality of the message.
In the Citium cryptosystem, an enemy hacker or cryptanalyst might be able to intercept a ciphertext (C). Two critical concepts, key equivocation and message equivocation, are shown in the diagram below:
Key equivocation and message equivocation measure the strength of a cipher system under a ciphertext-only attack with respect to the key and the message respectively: how much uncertainty about the key (or the plaintext) remains once the cryptanalyst has seen the ciphertext. The longer the intercepted ciphertext, the less equivocation remains, so the probability that the cryptanalyst discovers the secret key or the plaintext generally increases with the length of the ciphertext. In Citium, slicing minimizes the size of each individual ciphertext so that the strength of the cipher is maximized.
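The relationship between ciphertext length and equivocation can be made concrete with Shannon's definitions: key equivocation is H(K|C), message equivocation is H(M|C), and for a cipher where (K, M) and (K, C) determine each other, H(K|C) = H(K) + H(M) − H(C). The following is an added example, not taken from the page or from Citium, that computes both quantities exactly for a toy shift cipher over a small alphabet. Its assumptions are this example's own: an alphabet of size A, a single uniformly random shift key, i.i.d. plaintext letters drawn from a chosen distribution, and c_i = (m_i + k) mod A. It uses only the Python standard library.

```python
"""Added example, not from the page: Shannon's key and message equivocation,
H(K|C) and H(M|C), computed exactly for a toy shift cipher.

Assumptions (this example's, not Citium's): alphabet size A = len(letter_probs),
one uniformly random shift key k, i.i.d. plaintext letters from letter_probs,
and ciphertext letters c_i = (m_i + k) mod A.
"""
import itertools
import math
from typing import Dict, Iterable, List, Sequence, Tuple


def entropy(probs: Iterable[float]) -> float:
    """Shannon entropy in bits, ignoring zero-probability outcomes."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def _joint_tables(letter_probs: Sequence[float], length: int):
    """Exhaustive P(K, C) and P(M, C) over all keys and all plaintexts of `length` letters."""
    a = len(letter_probs)
    p_key = 1.0 / a
    kc: Dict[Tuple[int, tuple], float] = {}
    mc: Dict[Tuple[tuple, tuple], float] = {}
    for m in itertools.product(range(a), repeat=length):
        p_m = math.prod(letter_probs[x] for x in m)
        for k in range(a):
            c = tuple((x + k) % a for x in m)
            kc[(k, c)] = kc.get((k, c), 0.0) + p_key * p_m
            mc[(m, c)] = mc.get((m, c), 0.0) + p_key * p_m
    return kc, mc


def _conditional_entropy(joint: Dict[tuple, float]) -> float:
    """H(X|C) = sum_c P(c) H(X | C=c), from a table of P(X, C) keyed by (x, c)."""
    groups: Dict[tuple, List[float]] = {}
    for (_, c), p in joint.items():
        groups.setdefault(c, []).append(p)
    total = 0.0
    for probs in groups.values():
        p_c = sum(probs)
        total += p_c * entropy(p / p_c for p in probs)
    return total


def key_equivocation(letter_probs: Sequence[float], length: int) -> float:
    """H(K|C): bits of uncertainty about the key after seeing `length` ciphertext letters."""
    kc, _ = _joint_tables(letter_probs, length)
    return _conditional_entropy(kc)


def message_equivocation(letter_probs: Sequence[float], length: int) -> float:
    """H(M|C): bits of uncertainty about the plaintext after seeing the ciphertext."""
    _, mc = _joint_tables(letter_probs, length)
    return _conditional_entropy(mc)


def key_equivocation_closed_form(letter_probs: Sequence[float], length: int) -> float:
    """Shannon's identity H(K|C) = H(K) + H(M) - H(C); (K, M) <-> (K, C) is a bijection here."""
    a = len(letter_probs)
    kc, _ = _joint_tables(letter_probs, length)
    p_c: Dict[tuple, float] = {}
    for (_, c), p in kc.items():
        p_c[c] = p_c.get(c, 0.0) + p
    return math.log2(a) + length * entropy(letter_probs) - entropy(p_c.values())


def equivocation_profile(letter_probs: Sequence[float], max_length: int) -> List[float]:
    """H(K|C) for ciphertext lengths 1..max_length; shrinks as the attacker sees more."""
    return [key_equivocation(letter_probs, n) for n in range(1, max_length + 1)]


# Constructed letter distributions over a 4-symbol alphabet.
SKEWED = (0.5, 0.25, 0.15, 0.10)   # non-uniform, like natural language
UNIFORM = (0.25, 0.25, 0.25, 0.25)  # every letter equally likely


if __name__ == "__main__":
    for n, h in enumerate(equivocation_profile(SKEWED, 5), start=1):
        print(f"{n} ciphertext letters: H(K|C) = {h:.3f} bits")
```

For the skewed distribution the profile falls with every additional ciphertext letter, which is the quantitative form of the claim above that a longer intercepted ciphertext leaves less uncertainty for the cryptanalyst; for the uniform distribution it stays at log2(A) regardless of length, because a uniformly distributed plaintext leaks nothing about the key through a shift cipher.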
Integrity ✓
In information security, data integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. InfoSec integrity means that data cannot be modified in an unauthorized or undetected manner, and its definition is not to be confused with referential integrity in databases. A ciphertext slice cannot be changed during transit on Citium because it is encrypted by ECDSA (Elliptic Curve Digital Signature Algorithm). ECDSA is not only computationally intractable but has also enjoyed almost two decades of usage in open-source projects such as Bitcoin. A successful hack (deciphering it without the private key) would allow any would-be attacker to make a tremendous amount of profit. The fact that this appears never to have happened is very good empirical evidence for its security.
No single point of failure (SPOF) can impact the spread of ciphertext slices, or their collection, through indiscriminate mesh-tree multicast (IMTM).
Full Decentralization: The majority of contemporary online application service providers use some form of centralized method (e.g. servers hosted in a datacenter) to structure their user management systems. This implies a monitoring capability: no matter how vigorously the service providers assert that they effectively guard user information (e.g. email, IPs, username & password) against maladministration or hacks, they theoretically hold the power to modify or delete that information. Therefore, decentralization is absolutely necessary to achieve a level of confidence that rules out even theoretical mishaps.