Z00Z logo

Z00ZBlockchain

OnionNet

Privacy-ingress guide for Z00Z route ownership, transport roles, replay discipline, low-load privacy, and transport-layer non-claims.

OnionNet is Z00Z’s target anonymous-ingress fabric. Its role is transport and runtime ingress privacy, not settlement authority. It aims to move live topology authority out of discretionary committees, let clients own route construction, keep membership auditable, preserve replay discipline, and prevent transport operators from learning canonical payload meaning where the double-envelope contract can be frozen safely.

This repository does not ship OnionNet. The OnionNet whitepaper itself says the design remains implementation-blocked until several contracts are precise: public-state derivation, witness distribution, replay binding, ingress-recipient confidentiality, challenge evidence, anti-griefing, low-load privacy, and any break-glass authority. This page therefore describes bounded target behavior, not a deployable anonymity claim.

Route Ownership and Boundary

flowchart TD A[Client wallet] --> B[Fetch public epoch inputs] B --> C[Derive active view] C --> D[Build route locally] D --> E[Outer transport envelope] E --> F[Bridge / edge / relay hops] F --> G[Exit removes transport wrapper] G --> H[Runtime ingress decryptor target] H --> I[Normalized WorkItem target] I --> J[Publication pipeline] style A fill:#E3F2FD,stroke:#1E88E5,stroke-width:1px,color:#0D47A1 style B fill:#ECEFF1,stroke:#546E7A,stroke-width:1px,color:#263238 style C fill:#ECEFF1,stroke:#546E7A,stroke-width:1px,color:#263238 style D fill:#FFF3E0,stroke:#FB8C00,stroke-width:1px,color:#E65100 style E fill:#ECEFF1,stroke:#546E7A,stroke-width:1px,color:#263238 style F fill:#E8F5E9,stroke:#43A047,stroke-width:1px,color:#1B5E20 style G fill:#ECEFF1,stroke:#546E7A,stroke-width:1px,color:#263238 style H fill:#FFF3E0,stroke:#FB8C00,stroke-width:1px,color:#E65100 style I fill:#ECEFF1,stroke:#546E7A,stroke-width:1px,color:#263238 style J fill:#FFF3E0,stroke:#FB8C00,stroke-width:1px,color:#E65100

The important move is that the client constructs and validates the route. A bridge or resolver should not hand the client an unverifiable end-to-end path. Public membership is visible enough for auditability, while live adjacency and route intent remain bounded.

Double-Envelope Flow

sequenceDiagram box rgb(227,242,253) Public API / User participant C as Client end box rgb(232,245,233) External / Cross-system participant B as Bridge end box rgb(255,243,224) Infrastructure / Runtime participant R as Relay Path end box rgb(236,239,241) Neutral / Support participant X as Exit end box rgb(255,243,224) Infrastructure / Runtime participant I as Runtime Ingress end C->>C: Build inner runtime-bound envelope C->>C: Wrap with OnionNet transport envelope C->>B: Submit packet B->>R: Forward hop-local packet R->>X: Deliver transport wrapper X->>I: Remove outer wrapper only I->>I: Check replay and ingress binding I->>I: Form normalized runtime work item

The double-envelope model matters because generic onion routing often makes the exit the place where transport privacy ends and semantic visibility begins. OnionNet’s target pushes semantic visibility closer to a runtime ingress seam.

Membership and Route Construction

OnionNet separates membership from activation. A node can be registered, probationary, eligible, active, demoted, revoked, or slashed. Activation should be derived deterministically from public inputs such as finalized randomness, eligible membership roots, and policy commitments. That removes hidden topology selection from ordinary operator discretion.

Route construction depends on witness distribution. The client needs enough authenticated public structure to build a route without revealing route intent. If witness lookup is too narrow, lookup patterns can leak. If public topology is too broad, endpoint privacy collapses. The whitepaper therefore treats witness distribution as a central contract, not an optimization.

Transport Roles

OnionNet transport roles include bridge ingress, edge transition, relay strata, exits, and runtime-adjacent decryptors. Each role should learn only what it needs. Bridges bootstrap access. Relays forward hop-local packets. Exits remove the transport wrapper. Runtime ingress handles the narrow approved handoff. Ordering, DA, settlement, business logic, and validator truth stay outside OnionNet.

The Tor specifications are useful external references because they document real onion-routing protocol behavior and hidden-service/rendezvous concepts. They are not Z00Z specifications. The Tor spec site notes that the documents describe how Tor works and are maintained as living protocol specifications. The Tor protocol specification says it aims to specify current Tor behavior, while the rendezvous specification describes hidden service version 3. Z00Z should cite those pages as comparative transport references, not as evidence that OnionNet is implemented here.

Replay Discipline

Replay discipline is a core OnionNet requirement. The inner envelope should be bound to transport context: version, epoch, compatibility generation, traffic class, ingress-recipient key identifier, ciphertext size class, expiry, and canonical replay tag. Without that binding, a payload can escape the route context it was meant to inhabit.

Packet classes also matter. The whitepaper keeps a taxonomy such as data, cover, loop, and control. Packet geometry, padding, queue behavior, and replay state are part of the anonymity contract. They are not merely performance details.

Low-Load Privacy

Sparse traffic is a privacy problem. OnionNet should not pretend anonymity holds when route diversity collapses. The target behavior is fail-closed or contracted operation: fewer live lanes, thicker anonymity sets, larger batching windows where safe, cover floors, loop traffic, or explicit delay. A status page should not say “private” when the privacy floor is not met.

This is a direct non-claim. OnionNet does not promise perfect anonymity against a fully global observer. It does not promise zero public membership metadata. It does not promise unconditional permissionless admission without Sybil cost. It does not promise zero-latency behavior under sparse load.

Safety Gates

Safety gates include public-state contract validation, witness freshness, route diversity, replay binding, ingress-recipient confidentiality, challenge evidence, anti-griefing, and low-load privacy floors. If any gate cannot be validated, OnionNet should refuse, contract, re-probe, or delay rather than forwarding best-effort traffic that weakens privacy.

Transport-Layer Non-Claims

Transport privacy is not settlement privacy by itself. OnionNet can hide route origin and reduce exit-visible payload meaning, but settlement privacy also depends on wallet-local possession, selective disclosure, commitment design, telemetry, support behavior, and public status display. A privacy ingress layer does not make every downstream claim private.

Comparison Discipline

Tor references should be used carefully. Tor’s specification corpus documents the Tor protocol and onion service behavior; it does not define OnionNet. The useful comparison is architectural: onion routing, relay roles, hidden-service style rendezvous concepts, and the need for precise protocol documents. Z00Z should not imply that inheriting Tor vocabulary automatically gives OnionNet Tor’s properties, implementation maturity, or threat model.

The safe way to compare is to state the boundary. Tor is an implemented network with its own specifications and compatibility history. OnionNet is a Z00Z target design for runtime-bound ingress whose contracts remain unfrozen. A future implementation may use Sphinx-compatible ideas, QUIC, TLS or WebSocket bridge ingress, Tor-based ingress, or other carriers, but all carriers must terminate into the same normalized packet and replay discipline.

Implementation Blockers

Before OnionNet can be presented as deployable, several blockers need source and tests: deterministic active-set derivation, witness bundle distribution, route diversity validation, replay-state storage, inner-envelope AAD schema, key separation, challenge proofs, anti-griefing, low-load privacy simulation, and break-glass governance. If any of those are missing, docs should say target architecture.

These blockers are not administrative. They decide whether route ownership, control-plane trust reduction, and exit-visible payload reduction are real. Until then, a docs page can teach the design but must not sell a guarantee.

Privacy Floor Review

A future OnionNet status surface should expose privacy-floor state without leaking route intent. The user needs to know whether the network is operating normally, contracted, delayed, or refusing because diversity is too low. The public should not see enough detail to reconstruct active routes. This is a hard product boundary and should be tested with simulation before launch.

Operational Signals

OnionNet operators need signals that do not reveal routes. Useful aggregate signals include eligible membership size, active-set health, lane contraction state, replay rejection counts, queue pressure, cover budget, and challenge status. Risky signals include exact route paths, live next-hop coordinates, route-specific contact material, and user session timing. The public layer should expose the former only at safe granularity and keep the latter out of ordinary status.

Documentation Readiness

OnionNet docs should remain explicit about blockers until implementation contracts are frozen. The page can teach route ownership, double envelopes, replay binding, and low-load privacy now. It should not provide operator commands, public uptime claims, or anonymity guarantees until source, tests, simulation, and audit evidence exist.

Release Gate

OnionNet release readiness requires simulation evidence for sparse-load privacy, tests for replay binding, tests for route construction, tests for witness freshness, and audit evidence for the confidentiality boundary. Until those exist, the only honest public status is architectural target work.

That status should be visible in examples, diagrams, and operator text.

Reader safety note: OnionNet can reduce ingress and route risks only inside its validated assumptions. It should never be used as shorthand for total privacy or final settlement.

Evidence and Further Reading

Use the source bullets below as an audit checklist, not decoration: when reusing this page, preserve the named section scope, the responsible actor, and the split between live repository evidence, target architecture, and open design work.

  • OnionNet Whitepaper sections 2-12 for thesis, boundary, route construction, transport, replay, low-load privacy, threat model, crypto direction, rollout, blockers, and glossary.
  • Privacy Threat Model And Metrics section 8 for service and disclosure privacy boundaries.
  • Tor Specifications: https://spec.torproject.org/.
  • Tor Protocol Specification: https://spec.torproject.org/tor-spec/.
  • Tor Rendezvous Specification v3: https://spec.torproject.org/rend-spec/.