Lesson 6

Encryption

Every FIPS packet passes through two independent encryption layers. This is not optional. There is no plaintext mode. Both layers use the Noise Protocol Framework with ChaCha20-Poly1305 as the AEAD cipher.

The two layers

FMP: Hop-by-hop (Noise IK)

Encrypts traffic between adjacent peers. Each link has its own Noise IK session. When B forwards a packet from A toward D, it decrypts A's link encryption and re-encrypts under its own link encryption for the next hop.

Pattern: Noise IK

Key exchange: Single round-trip

Identity: Initiator sends npub in first message

Purpose: Authentication, link confidentiality

FSP: End-to-end (Noise XK)

Encrypts traffic between the original sender and the final recipient. Transit routers cannot read this layer. It survives all intermediate link decryptions and re-encryptions intact.

Pattern: Noise XK

Key exchange: Three messages

Identity: Initiator's npub hidden until msg3

Purpose: End-to-end confidentiality, forward secrecy

Why two layers?

Consider what a single layer gives you. If you only had end-to-end encryption, transit routers would need to see routing headers in plaintext, exposing traffic patterns. If you only had link encryption, each transit router could read the payload before re-encrypting for the next hop.

The two-layer design solves both problems. FMP handles authentication between peers and protects the routing envelope. FSP protects the application payload from everyone except the intended recipient. Transit routers decrypt the FMP layer to make forwarding decisions, but the FSP layer inside is opaque to them.

Why IK for links, XK for sessions?

FMP uses Noise IK because when you configure a peer, you already know its public key. IK lets the initiator transmit their static key immediately, completing mutual authentication in a single round-trip. This is fast, which matters for link setup.

FSP uses Noise XK because session traffic crosses untrusted intermediate nodes. XK withholds the initiator's static key until the third message, where it is encrypted under the full shared secret. This means transit routers (and even the responder until msg3) cannot correlate the initiator's identity from the handshake alone.
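The difference between the two patterns can be read off their token sequences in the Noise Protocol Framework specification. The following added example (not FIPS project code; the helper names are hypothetical) walks the IK and XK patterns and reports in which message the initiator's static key is sent and which DH results already protect it at that point.

```python
# Added example: token-level walk of the Noise IK and XK message patterns.
# The token sequences come from the Noise spec; the helper names below are
# hypothetical and are not part of FIPS.

PATTERNS = {
    # Both patterns assume the responder's static key is known ("<- s").
    "IK": [("->", ["e", "es", "s", "ss"]),
           ("<-", ["e", "ee", "se"])],
    "XK": [("->", ["e", "es"]),
           ("<-", ["e", "ee"]),
           ("->", ["s", "se"])],
}
DH_TOKENS = {"ee", "es", "se", "ss"}


def static_key_exposure(name):
    """Return (message number, DH results mixed in) for the initiator's 's'."""
    mixed = []
    for number, (direction, tokens) in enumerate(PATTERNS[name], start=1):
        for token in tokens:
            if token == "s" and direction == "->":
                return number, list(mixed)
            if token in DH_TOKENS:
                mixed.append(token)
    raise ValueError(f"{name}: initiator never sends a static key")


def identity_protection(name):
    """Classify how the initiator's static key is protected in transit."""
    _, mixed = static_key_exposure(name)
    if "ee" in mixed:
        # Key depends on both ephemerals: a later leak of the responder's
        # static private key does not decrypt a captured handshake.
        return "forward-secret"
    if "es" in mixed:
        # Key depends on the responder's static key only: whoever later
        # obtains that private key can recover the identity from a capture.
        return "responder-static-only"
    return "cleartext"


if __name__ == "__main__":
    for name in PATTERNS:
        msg, mixed = static_key_exposure(name)
        print(f"{name}: 's' in msg{msg} after {mixed}: {identity_protection(name)}")
```

The message counts also match the lesson: IK completes in two messages (one round-trip), XK needs three.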

Watch a packet cross the mesh

The animation below tracks a packet from node A to node D across three hops, over three different transports. Step through it or hit play. Watch how the green FMP layer gets stripped and reapplied at each hop, while the blue FSP layer stays untouched until the final destination.

Packet Journey: A → D

Nodes: A (source), B (transit), C (transit), D (destination)
Transports: WiFi, Ethernet, UDP
Layers: Payload, FSP (end-to-end), FMP (hop-by-hop)

Step 1/7: Application sends payload

App on node A sends data to node D. Raw payload is handed to FSP.

Who can see what (revisited)

With both encryption layers active, here is what different observers can learn:

| Observer | Sees | Cannot see |
| --- | --- | --- |
| Transport-level observer | Encrypted blobs, timing, sizes | Any FIPS-level information |
| Transit router (B, C) | Source/dest node_addrs, packet size, coordinates | Payload, npubs of endpoints, session content |
| Destination (D) | Sender's npub, payload, session metadata | Route the packet took, intermediate node identities |

Encryption

1. Which Noise pattern does FMP (link layer) use?

2. Why does FSP use Noise XK instead of IK?

3. What can an intermediate router see when forwarding a packet?