MESSAGE-ENCAPSULATION-MECHANISM

Field	Value
Name	Message Encapsulation Mechanism
Slug	91
Status	raw
Category	Standards Track
Editor	Marcin Pawlowski
Contributors	Youngjoon Lee [email protected], Alexander Mozeika [email protected], Mehmet Gonen [email protected], Álvaro Castro-Castilla [email protected], Daniel Kashepava [email protected], Daniel Sanchez Quiros [email protected], Filip Dimitrijevic [email protected]

Timeline

2026-05-29 — 67e498e — chore: fix math issues (#350)
2026-05-28 — d45eed2 — Chore: mirror blochain specs into github/mdbook (#347)

Revision History

Version	Changes	Date
1.0.0	Initial revision.	2026-04-09

Introduction

The message encapsulation mechanism is part of the Blend Protocol and it describes the cryptographic operations necessary for building and processing messages by a Blend node.

This document is part of the Formatting section. Please read through that document to better understand the context of the encapsulation mechanism and constructions used here.

Overview

The Message Encapsulation Mechanism is a core component of the Blend Protocol that ensures privacy and security during node-to-node message transmission. By implementing multiple encryption layers and cryptographic operations, this mechanism keeps messages confidential while concealing their origins.

The encapsulation process includes:

Building a multi-layered structure with public headers, private headers, and encrypted payloads
Using cryptographic keys and proofs for layer security and authentication
Applying verifiable random node selection for message routing
Using shared key derivation for secure inter-node communication

This document outlines the cryptographic notation, data structures, and algorithms essential to the encapsulation process, providing a complete specification for implementing this mechanism within the Blend Protocol.

Notation

$\mathbf K^{n}_h = \{(K^{n}_{0}, k^{n}_{0}, \pi_{Q}^{K_{0}^{n}}),...,(K^{n}_{h-1}, k^{n}_{h-1}, \pi_{Q}^{K_{h-1}^{n}}) \}$ is a collection of $h$ key pairs for a node $n$ with proofs of quota, where $K_{i}^{n}$ is the $i$ -th public key and $k_{i}^{n}$ is its corresponding private key, and $\pi_{Q}^{K_{i}^{n}}$ is its proof of quota.

Ed25519PublicKey = bytes
Ed25519PrivateKey = bytes
KEY_SIZE = 32
ProofOfQuota = bytes
PROOF_OF_QUOTA_SIZE = 160

KeyCollection = List[KeyPair]

class KeyPair:
    signing_public_key: Ed25519PublicKey
    signing_private_key: Ed25519PrivateKey
    proof_of_quota: ProofOfQuota

class ProofOfQuota:
  key_nullifier: zkhash # 32 bytes
  proof: bytes # 128 bytes

For more information about key generation mechanism please refer to [1.0.0] Key Types and Generation.

For more information about proof of quota please refer to Proof of Quota.

$P^n$ is a public key of the node $n$ , which is globally accessible using the Service Declaration Protocol (SDP). We are using this notation to distinguish the origin of the key, hence the following simplified notation. For more information about Service Declaration Protocol please refer to [1.0.0] Service Declaration Protocol.
$\mathcal{N} = \text{SDP}(s)$ is the set of nodes globally accessible using the SDP.

Nodes = set[Ed25519PublicKey]  # set of signing public keys

$N =|\mathcal{N}|$ is the number of nodes globally accessible using the SDP.
$\kappa^{n,m}_{i} = k^{n}_{i} \cdot P^{m} = p^{m} \cdot K^{n}_{i}$ , is a shared key calculated between node $n$ and node $m$ using the $i$ -th key of the node $n$ , $P^{m}$ is the public key of the node $m$ retrieved from the SDP protocol and $p^m$ is its corresponding private key.

SharedKey = bytes  # KEY_SIZE

$\pi^{K^{n}_{l},m}_{S}$ is the proof of selection of the public key $K^{n}_l$ to the node index $m$ from a set of all nodes $\mathcal N$ .

ProofOfSelection = bytes
PROOF_OF_SELECTION_SIZE = 32

For more information about the proof of selection, please refer to Proof of Selection.

$H_{\mathbf N}()$ is a domain-separated hash function dedicated to the node index selection (the implementation of the hash function is blake2b).

def hashds(domain=b"BlendNode", data: bytes) -> bytes:
    return Blake2B.hash512(domain + data)

$H_\mathbf{I}()$ is a domain-separated hash function dedicated to the initialization of the blend header (the implementation of the hash function is blake2b).

def hashds(domain=b"BlendInitialization", data: bytes) -> bytes:
    return Blake2b.hash512(domain + data)

$H_\mathbf{b}()$ is a domain-separated hash function dedicated to the blend header encryption operations (the implementation of the hash function is blake2b).

def hashds(domain=b"BlendHeader", data: bytes) -> bytes:
    return Blake2b.hash512(domain + data)

$H_\mathbf{P}()$ is a domain-separated hash function dedicated to the payload encryption operations (the implementation of the hash function is blake2b).

def hashds(domain=b"BlendPayload", data: bytes) -> bytes:
    return Blake2b.hash512(domain + data)

$\beta_{max}$ is the maximal number of blending headers in the private header.

ENCAPSULATION_COUNT: int

$\text {CSPRBG}()$ is a generalized cryptographically secure pseudo-random bytes generator, it is implemented as BLAKE2b-Based PRNG Construction.
$\text {CSPRBG}()_{x}$ is a cryptographically secure pseudo-random bytes generator whose output is restricted to $x$ bytes, it is implemented as BLAKE2b-Based PRNG Construction.

def pseudo_random(domain: bytes, key: bytes, size: int) -> bytes:
    rand = BlakeRng.from_seed(hashds(domain, key)).generate(size)
    assert len(rand) == size
    return rand

$|t|$ returns the length of the $t$ expressed in bytes.
$\oplus$ is a XOR operation.

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

$E_{k}(x)=\text{CSPRBG}(k) \oplus x$ is an encryption that uses a cryptographically secure pseudo-random bytes generator with a secret $k$ and payload $x$ .

def encrypt(data: bytes, key: bytes -> bytes:
    return xor(data, pseudo_random(b"BlendEncapsulation", key, len(data))))

$D_{k}(x)=\text{CSPRBG}(k) \oplus x$ is a decryption that uses using cryptographically secure pseudo-random bytes generator with a secret $k$ and payload $x$ .

def decrypt(data: bytes, key: bytes) -> bytes:
    return xor(data, pseudo_random(b"BlendEncapsulation", key, len(data))))

Construction

Message Structure

We start with a definition of the message structure that must be used to provide the protocol with the envisioned capabilities.

A node $n$ constructs a message $\mathbf M = (\mathbf H, \mathbf h, \mathbf P)$ according to the format presented below.

Diagram

class Message:
    public_header: PublicHeader
    private_header: PrivateHeader
    payload: EncryptedPayload

$\mathbf H$ is a public header:
$V$ , version of the header, it is set to $1$ .
$K^{n}_i$ , a public key from the set $\mathbf K^n_h$ .
$\pi^{K^{n}_i}_{Q}$ , a corresponding proof of quota for the key $K^{n}_i$ from the set $\mathbf K^n_h$ and contains its proof nullifier.
$\sigma_{K^{n}_{i}}(\mathbf {h|P}_i)$ , a signature of the concatenation of the $i$ -th encapsulation of the payload $\mathbf P$ and the private header $\mathbf h$ , that can be verified by the public key $K^{n}_{i}$ .

Signature = bytes
SIGNATURE_SIZE = 64

class PublicHeader:
    version: int = 1  # u8
    signing_public_key: Ed25519PublicKey
    proof_of_quota: ProofOfQuota
    signature: Signature

$\mathbf h = (\mathbf b_1,...,\mathbf b_{\beta_{max}})$ is an encrypted private header:
is a blending header:
1. $K^{n}_{l}$ , a public key from the set $\mathbf K^n_h$ .
2. $\pi^{K^{n}_{l}}_{Q}$ , a corresponding proof of quota for the key $K^{n}_l$ from the $\mathbf K^n_h$ and contains its proof nullifier.
3. $\sigma_{K^{n}_{l}}(\mathbf {h|P}_l)$ , a signature of the concatenation of the $l$ -th encapsulation of the payload $\mathbf P$ and the private header $\mathbf h$ , that can be verified by public key $K^{n}_{l}$ .
4. $\pi^{K^{n}_{l+1},m_{l+1}}_{S}$ , a proof of selection of the node index $m_{l+1}$ assuming public key $K^{n}_{l+1}$ .
5. $\Omega$ , a flag that indicates that this is the last blending header.

PrivateHeader = List[EncryptedBlendingHeader]  # length: ENCAPSULATION_COUNT
EncryptedBlendingHeader = bytes

class BlendingHeader:
    signing_public_key: Ed25519PublicKey
    proof_of_quota: ProofOfQuota
    signature: Signature
    proof_of_selection: ProofOfSelection
    is_last: bool  # 1 byte

$\mathbf P$ is a payload.

EncryptedPayload = bytes

PAYLOAD_BODY_SIZE = 34 * 1024

class Payload:
    header: PayloadHeader
    body: bytes  # PAYLOAD_BODY_SIZE

class PayloadHeader:
    payload_type: PayloadType  # 1 byte
    body_len: int  # u16

class PayloadType(Enum):
    COVER = 0x00
    DATA = 0x01

Keys and Proof Generation

For simplicity of the presentation, we do not distinguish between signing and encryption keys. However, in practice, such a distinction is necessary, that is:

The $\mathbf K^n_h$ contains Ephemeral Signing Keys (ESK) that are part of the PoQ generation and are used for message signing; these are included in the public and private headers.
Shared secret keys used for encryption of messages are generated from an Ephemeral Encryption Key (sender), which is derived from the ESK, and from a Non-ephemeral Encryption Key (NEK) (receiver), which is derived from a Non-ephemeral Signing Key (NSK) retrieved from the SDP protocol.

For more information, look at [1.0.0] Key Types and Generation.

The first step is to generate a set of keys alongside all necessary proofs that will be used in the next steps of the algorithm.

Generate the collection $\mathbf K^n_h$ , where $h$ defines the number of encapsulation layers such that $h \le \beta_{max}$ .

def generate_key_collection(num_layers: int) -> List[KeyPair]:
    assert num_layers <= ENCAPSULATION_COUNT
    # Generate `num_layers` random KeyPairs non-deterministically.
    return [KeyPair.random() for _ in range(num_layers)]

The key collection generation requires generation of Proof of Quota ([1.0.1] Proof of Quota) for each key, as defined in the following steps.

The ProofOfQuotaPublic (Public values) structure must be filled with public information:
1. session, core_quota, leader_quota, core_root, pol_epoch_nonce, pol_t0, pol_t1, pol_ledger_aged are retrieved from the blockchain.
2. K_part_one and K_part_two are first and second part of the signature key (KeyPair) generated by the above generate_key_collection.

class ProofOfQuotaPublic:
        session: int          # Session number (uint64)
        core_quota: int       # Allowed messages per session for core nodes
        leader_quota: int     # Allowed messages per session for potential leaders
        core_root: zkhash     # Merkle root of zk_id of the core nodes
        K_part_one: int       # First part of the signature public key (16 bytes)
        K_part_two: int       # Second part of the signature public key (16 bytes)
        pol_epoch_nonce: int  # PoL Epoch nonce
        pol_t0: int           # PoL constant t0
        pol_t1: int           # PoL constant t1
        pol_ledger_aged: zkhash # Merkle root of the PoL eligible notes
        # Outputs:
        key_nullifier: zkhash   # derived from session, private index and private sk

The ProofOfQuotaWitness (Witness) structure must be filled as follows:
1. If the message contains cover traffic then:
  1. We assume that the core quota is used and the selector=0 value must be specified.
  2. The index counts the number of cover messages and must be below core_quota.
  3. The core_sk, core_path, core_path_selector are filled by the node to prove that the node is the core node.
  4. The rest of the ProofOfQuotaWitness, is filled with arbitrary data.
2. If the message contains data then:
  1. We assume that the leader quota is used and the selector=1 value must be specified.
  2. The index counts the number of data messages and must be below leader_quota.
  3. The core_sk, core_path, core_path_selector are filled with arbitrary data.
  4. The rest is filled with Proof of Leadership (PoL — [1.1.0] Proof of Leadership) related data.

class ProofOfQuotaWitness:
        index: int                            # This is the index of the generated key. Limiting this index limits the maximum number of key generated. (20 bits)
        selector: int                         # Indicates if it's a leader (=1) or a core node (=0)
        # This part is filled randomly by potential leaders
        core_sk: zkhash                       # sk corresponding to the zk_id of the core node
        core_path: list[zkhash]               # Merkle path proving zk_id membership (len = 20)
        core_path_selectors: list[bool]       # Indicates how to read the core_path (if Merkle nodes are left or right in the path)
        # This part is filled randomly by core nodes
        pol_sl: int                           # PoL slot
        pol_sk_starting_slot: int             # PoL starting slot of the slot secrets
        pol_note_value: int                   # PoL note value
        pol_note_tx_hash: zkhash              # PoL note transaction
        pol_note_output_number: int           # PoL note transaction output number
        pol_noteid_path: list[zkhash]         # PoL Merkle path proving noteID membership in ledger aged (len = 32)
        pol_noteid_path_selectors: list[bool] # Indicates how to read the note_path (if Merkle nodes are left or right in the path)
        pol_slot_secret: int                  # PoL slot secret corresponding to sl
        pol_slot_secret_path: list[zkhash]    # PoL slot secret Merkle path to sk_secrets_root (len = 25)

The ProofOfQuotaPublic and ProofOfQuotaWitness are passed to the zero-knowledge circuits that generate the proof $\pi^{K^{n}_{l}}_{Q}$ which derives the key_nullifier ( $\nu_s$ ) from session, private index, private secret key during proof generation.

Select $h$ nodes from the set of nodes $\mathcal{N}$ in a random and verifiable manner. For $i \in \{1,…,h\}$ , select $l_i = \text{CSPRBG}(H_{\mathbf N}(\rho))_{8} \mod N$ , where $\rho$ is a selection randomness (using little-endian encoding), a shared secret derived during Proof of Quota generation, the output of the $\text{CSPRBG}()_8$ is returns 8 bytes (little-endian).

def select_nodes(key_collection: List[KeyPair], nodes: List[Node]) -> List[Node]:
    selected_nodes = []
    for keypair in key_collection:
        rand = pseudo_random(
          b"BlendNode",
            selection_randomness,
            8
        )
        index = modular_bytes(rand, NUM_NODES)
        selected_nodes.append(nodes[index])
    return selected_nodes

def modular_bytes(data: bytes, modulus: int) -> int:
    # Convert data into an unsigned big integer using little-endian.
    return int.from_bytes(data, byteorder='little') % modulus

Generate proofs of selection $\pi^{K^{n}_i,l_i}_{S}$ for $i \in \{1,…,h\}$ , which proves that the public key $K^{n}_i$ correctly maps to the index $l_i$ from the set of nodes $\mathcal{N}$ .
For $i \in \{1,…,h\}$ , retrieve public keys $\mathcal P = \{ {P^{l_1},..., P^{l_h}} \}$ for all $h$ selected nodes using the SDP protocol (defined as provider_id in Identifiers).

def blend_node_signing_public_keys(selected_nodes: List[Node]) -> List[Ed25519PublicKey]:
    return [node.signing_public_key for node in selected_nodes]

For $i \in \{1,…,h\}$ , calculate shared keys from a set of public keys of selected nodes $\kappa^{n,i}_{i} = k^{n}_{i} \cdot P^{l_i}$ .

def derive_shared_keys(key_collection: List[KeyPair], blend_node_signing_public_keys: List[Ed25519PublicKey]) -> List[SharedKey]:
    assert len(key_collection) == len(blend_node_signing_public_keys)
    assert len(key_collection) <= ENCAPSULATION_COUNT

    shared_keys = []
    for (keypair, blend_node_signing_public_key) in zip(key_collection, blend_node_signing_public_keys):
        encryption_private_key = signing_private_key.derive_x25519()
        blend_node_encryption_public_key = blend_node_signing_public_key
        shared_key = diffie_hellman(encryption_private_key, blend_node_encryption_public_key)
        shared_keys.append(shared_key)
    return shared_keys

In step 2 of the algorithm above, the sender constructs a blending path from nodes sampled at random but in a verifiable manner. The nodes are selected deterministically (and randomly) by the key value. The key to node mapping is proven in step 3.

The node selection proof $\pi^{K^n_i,l_i}_{S}$ is constructed in such a way that it proves only the fact that the key $K^n_i$ used for the encryption maps correctly to the node index $l_i$ from the stable set of nodes $\mathcal{N}$ . This proof should be considered a private proof intended only for the recipient blend node.

This mechanism intends to limit the possibility of “double spending” the emission token. This restricts the sender's ability to use the same emission token twice, first for constructing and emitting a message and then for claiming a reward for it.

For more information about proof of selection please refer to Proof of Selection.

Message Initialization

The second step is to create an empty message $\mathbf M$ and fill the private header with random values.

Create an empty message $\mathbf M$ (filled with zeros).
Randomize the private header: For $\mathbf b_i \in \mathbf h = (\mathbf b_{1},...,\mathbf b_{\beta_{max}})$ , set $\mathbf b_{i} = \text {CSPRBG}( \rho_{i})_{|\mathbf b|}$ , where $\rho_i$ is some random value.

def randomize_private_header() -> PrivateHeader:
    blending_headers = []
    for _ in range(ENCAPSULATION_COUNT):
        blending_header = pseudo_random(b"BlendRandom", entropy(), BlendingHeader.SIZE)
        blending_headers.append(blending_header)
    return blending_headers

Fill the last $h$ blend headers with reconstructable payloads: For $i = \{ 1+\beta_{max}-h,...,\beta_{max})$ , do the following:
$t=\beta_{max} - i + 1$
$r_{t,1} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,t}_t|1))_{|K|}$
$r_{t,2} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,t}_t|2))_{|\pi^{K}_{Q}|}$
$r_{t,3}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,t}_t|3))_{|\sigma_{K}(\mathbf P)|}$
$r_{t,4}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,t}_t|4))_{|\pi^{K,k}_{S}|}$
$\Omega=0$
$\mathbf{b}_i = \{ r_{t,1}, r_{t,2}, r_{t,3}, r_{t,4}, \Omega\}$ .

def fill_last_blending_headers(private_header: PrivateHeader, shared_keys: List[SharedKeys]) -> PrivateHeader:
    assert len(private_header) == ENCAPSULATION_COUNT
    assert len(shared_keys) <= ENCAPSULATION_COUNT

    pseudo_random_blending_headers = []
    for shared_key in shared_keys:
        r1 = pseudo_random(b"BlendInitialization", shared_key + b"\x01", KEY_SIZE)
        r2 = pseudo_random(b"BlendInitialization", shared_key + b"\x02", PROOF_OF_QUOTA_SIZE)
        r3 = pseudo_random(b"BlendInitialization", shared_key + b"\x03", SIGNATURE_SIZE)
        r4 = pseudo_random(b"BlendInitialization", shared_key + b"\x04", PROOF_OF_SELECTION_SIZE)
        is_last = False
        pseudo_random_blending_headers.append(r1 + r2 + r3 + r4 + is_last)

    # Replace the last `len(shared_keys)` blending headers.
    private_header[-num_layers:] = pseudo_random_blending_headers
    return private_header

Encrypt the last $h$ blend headers in a reconstructable manner: For $i=\{ 1,...,h \}$ , for $j=\{1, ..., i \}$ , encrypt blend header $\mathbf{b}_{\beta_{max}-i+1}=E_{H_{\mathbf{b}}(\kappa^{n,l_j}_{j})}(\mathbf{b}_{\beta_{max}-i+1})$ .

def encrypt_last_blending_headers(private_header: PrivateHeader, shared_keys: List[SharedKeys]) -> PrivateHeader:
    assert len(private_header) == ENCAPSULATION_COUNT
    assert len(shared_keys) <= ENCAPSULATION_COUNT

    for i, _ in enumerate(shared_keys):
        index = len(private_header) - i - 1
        for shared_key in shared_keys[:i + 1]:
            private_header[index] = encrypt(private_header[index], shared_key)

    return private_header

This prevents leakage of the encryption sequence when a message is encapsulated less than $\beta_{max}$ times, and enables us to encode the header in a way that it can be reconstructed during the decapsulation.

Message Encapsulation

The final part of the algorithm is the true encapsulation o f the payload. That is, given the payload $\mathbf P_0$ and number of encapsulations $h \le \beta_{max}$ we do the following.

For $i \in \{ 1,…,h \}$ do the following:

If $i=1$ then generate a new ephemeral key pair: $(K^n_0, k^n_0) \notin \mathbf K^n_h$ .
Calculate the signature of the concatenation of the current header and payload: $\sigma_{K^{n}_{i-1}}(\mathbf h_{i-1}| \mathbf P_{i-1})$ .
Using the shared key $\kappa^{n,l_i}_i$ , encrypt the payload: $\mathbf{P}_i = E_{H_\mathbf{P}( \kappa^{n,l_i}_i)}(\mathbf P_{i-1})=\mathbf{P}_{i-1} \oplus \text {CSPRBG}(H_\mathbf{P}(\kappa^{n,l_i}_i))$ Note that the uniqueness of the key stream is preserved as the encryption is done on a domain separated checksum of the shared key, which is renders a different key stream than the encryption of the header.
Shift blending headers by one downward: $\mathbf b_z \rightarrow \mathbf b_{z+1}$ for $z \in \{ 1,…,\beta_{max} \}$ . The first blending header is now empty, and the last blending header is truncated.
Fill the blending header $\mathbf b_1$ , where $1$ refers to the top position:
If $i=1$ then:
1. Fill the proof of quota with random data: $\pi^{K^{n}_0}_{Q}= \text {CSPRBG}(H_\mathbf{I}(k^{n}_0))_{|\pi^{K}_{Q}|}$
2. Set the last flag to 1: $\Omega=1$
Else set the last flag to 0: $\Omega = 0$
$\mathbf{b}_1 = \{ K^n_{i-1}, \pi^{K^{n}_{i-1}}_{Q}, \sigma_{K^{n}_{i-1}}(\mathbf h_{i-1}|\mathbf P_{i-1}), \pi^{K^{n}_i,l_i}_{S}, \Omega \}$ .
Using shared key $\kappa^{n,l_i}_i$ , encrypt the private header $\mathbf{h}_{E_{i}} = E_{H_{\mathbf b}(\kappa^{n,l_i}_i)}(\mathbf{h}_i)$ : For each $\mathbf b_j \in \mathbf h_i = (\mathbf b_1,...,\mathbf b_{m_{max}})$ using a shared key $\kappa^{n,l_i}_i$ , encrypt the blending header: $\mathbf{b}_j = E_{H_\mathbf{b}(\kappa^{n,l_i}_i)}(\mathbf{b}_j)=\mathbf{b}_j \oplus \text {CSPRBG}(H_\mathbf{b}(\kappa^{n,l_i}_i))$ .

Fill in the public header: $\mathbf H=\{ K^{n}_h, \pi^{K^{n}_h}_{Q}, \sigma_{K^{n}_h}(\mathbf P_h) \}$ .

The message is encapsulated.

def encapsulate(
        private_header: PrivateHeader,
        payload: Payload,
        shared_keys: List[SharedKeys],
        key_collection: List[KeyPair],
        list_of_pos: List[ProofOfSelection]
) -> bytes:
    # Step 1 ~ 6: Encapsulate private header and payload
    prev_keypair = KeyPair.random()
    is_first_selected = True
    for shared_key, keypair, proof_of_selection) in zip(shared_keys, key_collection, list_of_pos):
        private_header, payload = encapsulate_private_part(
            private_header,
            payload.bytes(),
            shared_key,
            prev_keypair.signing_private_key,
            prev_keypair.proof_of_quota,
            proof_of_selection,
            # The first encapsulation is for the last decapsulation.
            is_last=is_first_selected,
        )
        prev_keypair = keypair
        is_first = False

    # Fill in the public header
    public_header = PublicHeader(
        prev_keypair.signing_public_key,
        prev_keypair.proof_of_quota,
        signature=sign(private_part, prev_keypair.signing_private_key),
        version=1,
    )

    return public_header.bytes() + b"".join(private_headers) + payload

def encapsulate_private_part(
    private_header: PrivateHeader,
    payload: EncryptedPayload,
    shared_key: SharedKey,
    signing_private_key: Ed25519PrivateKey,
    proof_of_quota: ProofOfQuota,
    proof_of_selection: ProofOfSelection,
    is_last: bool
) -> bytes:
    # Step 2: Calculate a signature on `private_header + payload`.
    signature = sign(
        signing_body(private_header, payload),
        signing_private_key
    )
    # Step 3: Encrypt the payload
    payload = encrypt(payload, shared_key)
    # Step 4: Shift blending headers by one rightward.
    private_header.pop()  # Remove the last blending header
    # Step 5: Add the new blending header to the front.
    blending_header = BlendingHeader(
        signing_private_key.public(),
        proof_of_quota,
        signature,
        proof_of_selection,
        is_last
    )
    private_header.insert(0, blending_header.bytes())
    # Step 6: Encrypt the private header
    for i, _ in enumerate(private_header):
        private_header[i] = encrypt(private_header[i], shared_key)

    return private_header, payload


def signing_body(private_header: PrivateHeader, payload: EncryptedPayload) -> bytes:
    return b"".join(private_headers) + payload

Message Decapsulation

If a message $\mathbf M$ is received by the node and its public header is correct - that is, it was verified according to the relay logic defined here: Relaying - then the node $l$ executes the following logic:

Calculate the shared secret. Using the key $K^{n}_l \in \mathbf H$ from the public header of the message $\mathbf M$ and the private key $p^l$ of the node $l$ calculate: $\kappa^{n,l}_l = K^{n}_l \cdot p^l$ .
Decrypt the private header using the shared key $\kappa^{n,l}_l$ . For each $\mathbf b_j \in \mathbf h = (\mathbf b_1,...,\mathbf b_{\beta_{max}})$ using a shared key $\kappa^{n,l}_l$ decrypt the blending header: $\mathbf{b}_j = D_{H_\mathbf{b}(\kappa^{n,l}_l)}(\mathbf{b}_j)=\mathbf{b}_j \oplus \text {CSPRBG}(H_\mathbf{b}(\kappa^{n,l}_l))$ .
Verify the header:
If the proof $\pi^{K^{n}_l,l}_{S}\in \mathbf b_1$ is not correct, discard the message. That is, if the node index $l$ does not correspond to the $K^{n}_l\in \mathbf H$ , then the message must be rejected.
If the key $K^{n}_l \in \mathbf b_1$ was already seen, discard the message.
If the proof $\pi^{K^{n}_l,l}_{Q} \in \mathbf b_1$ is incorrect, discard the message.
If $\Omega \in \mathbf b_1$ equals $1$ , then stop processing the message and process the payload.
Using the blending header $\mathbf b_1$ , set the public header: $\mathbf H_l = \{K^{n}_l \in \mathbf b_1,\pi^{K^{n}_l,l}_{Q} \in \mathbf b_1 ,\sigma_{K^{n}_l}(\mathbf {h|P}) \in \mathbf b_1\}$ .
Decrypt the payload, using the shared key $\kappa^{n,l}_l$ : $\mathbf{P}_l =D_{H_\mathbf{P}(\kappa^{n,l}_l)}=\mathbf{P} \oplus \text {CSPRBG}(H_{\mathbf P}(\kappa^{n,l}_l))$ .
Reconstruct the blend header:
$r_{l,1} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|1))_{|K|}$
$r_{l,2} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|2))_{|\pi^{K}_{Q}|}$
$r_{l,3}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|3))_{|\sigma_{K}(\mathbf P)|}$
$r_{l,4}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|4))_{|\pi^{K,k}_{S}|}$
$\Omega=0$
$b = \{ r_{l,1}, r_{l,2}, r_{l,3}, r_{l,4}, \Omega \}$ .
Encrypt the blending header: $\hat b = E_{H_\mathbf{b}(\kappa^{n,{l}}_{l})}(b)$
Shift blending headers by one upward: $\mathbf b_z \rightarrow \mathbf b_{z-1}$ for $z \in \{ 1,…,\beta_{max} \}$ . The first blending header is truncated, and the last blending header is empty.
Reconstruct the private header: $\mathbf h_{E_{l}} = \{$ $…$ $\mathbf{b}_{\beta_{max}} = \hat b$ , $\}$ .
If the signature from the public header does not match the signature of the reconstructed header and the decrypted payload, discard the message: $\text{verify\_sig}(\sigma_{K^n_l}(\mathbf{h}_{E_l}| \mathbf{P}_l), \mathbf{h}| \mathbf{P},{K^n_l})$ .
The message is decapsulated.
Follow the message processing logic: Processing.

def decapsulate(
    message: bytes,
    signing_private_key: Ed25519PrivateKey
) -> bytes:
    # Step 1: Derive the shared key.
    encryption_private_key = signing_private_key.derive_x25519()
    public_header = PublicHeader.from_bytes(
        message[Header.SIZE : Header.SIZE + PublicHeader.SIZE]
    )
    shared_key = diffie_hellman(
        encryption_private_key,
        public_header.signing_public_key.derive_x25519()
    )

    # Step 2: Decrypt the private header
    private_header = message[
        Header.SIZE + PublicHeader.SIZE:
        Header.SIZE + PublicHeader.SIZE + (BlendingHeader.SIZE * ENCAPSULATION_COUNT)
    ]
    for i, _ in enumerate(private_header):
        private_header[i] = decrypt(private_header[i], shared_key)

    # Step 3: Verify the first blending header
    first_blending_header = BlendingHeader.from_bytes(private_header[0])
    first_blending_header.validate()

    # Step 4: Construct the new public header
    public_header = PublicHeader(
        first_blending_header.signing_public_key,
        first_blending_header.proof_of_quota,
        first_blending_header.signature,
        version= 1,
    )

    # Step 5: Decrypt the payload
    payload_offset = (
        Header.SIZE + PublicHeader.SIZE + (BlendingHeader.SIZE * ENCAPSULATION_COUNT)
    )
    payload = message[payload_offset:]
    payload = decrypt(payload, shared_key)

    # Step 6: Reconstruct the new blending header
    r1 = pseudo_random(b"BlendInitialization", shared_key + b"\x01", KEY_SIZE)
    r2 = pseudo_random(b"BlendInitialization", shared_key + b"\x02", PROOF_OF_QUOTA_SIZE)
    r3 = pseudo_random(b"BlendInitialization", shared_key + b"\x03", SIGNATURE_SIZE)
    r4 = pseudo_random(b"BlendInitialization", shared_key + b"\x04", PROOF_OF_SELECTION_SIZE)
    is_last = False

    # Step 7: Encrypt the new blending header
    encrypted_new_blending_header = encrypt(r1 + r2 + r3 + r4 + is_last, shared_key)

    # Step 8: Shift blending headers by one leftward.
    private_header.pop(0)  # Remove the first blending header.

    # Step 9: Add the new blending header to the end.
    private_header.append(encrypted_new_blending_header)

    # Step 10: Verify the signature
    verify_signature(
        first_blending_header.signature,
        signing_body(private_header, payload)
        first_blending_header.signing_public_key,
    )

    header = message[0:Header.SIZE]
    return header + public_header.bytes() + b"".join(private_header) + payload

Appendix

Example

Let us look at an example of the above mechanism. Let us assume that $\beta_{max}=4,h=3$ . We are omitting protocol version in the header for simplicity.

Initialization

Create an empty message: $\mathbf{M} = (\mathbf{H}=0,\mathbf{h}=0,\mathbf{P}=0)$
Randomize the private header: $\mathbf h_0 = \{$ $\mathbf b_1 = \text {CSPRBG}( \rho_{1})_{|\mathbf b|}$ ,

$\mathbf b_2 = \text {CSPRBG}( \rho_{2})_{|\mathbf b|}$ ,

$\mathbf b_3 = \text {CSPRBG}( \rho_{3})_{|\mathbf b|}$ ,

$\mathbf b_4 = \text {CSPRBG}( \rho_{4})_{|\mathbf b|}$ ,

$\}$ .

Fill the last $h$ blend headers with reconstructable payloads: $\mathbf h_0 = \{$ $\mathbf b_1 = \text {CSPRBG}( \rho_{1})_{|\mathbf b|}$ ,

$\mathbf b_2 = \{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \}$ ,

$\mathbf b_3 = \{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4}, \Omega \}$ ,

$\mathbf b_4 = \{ r_{l_1,1}, r_{l_1,2} ,r_{l_1,3}, r_{l_1,4}, \Omega \}$ ,

$\}$ .

Encrypt the last $h$ blend headers in a reconstructable manner: $\mathbf h_{E_0} = \{$ $\mathbf b_1 = \text {CSPRBG}( \rho_{1})_{|\mathbf b|}$ ,

$\mathbf b_2 = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\mathbf b_3 = E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(\{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4}, \Omega \})$ ,

$\mathbf b_4 = E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(\{ r_{l_1,1}, r_{l_1,2} ,r_{l_1,3}, r_{l_1,4}, \Omega \})$ ,

$\}$ .

Encapsulation

$i=1$ :

Generate a new ephemeral key pair: $(K^n_0, k^n_0) \notin \mathbf K^n$ .
Calculate the signature of the header and the payload: $\sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0)$ .
Using shared key $\kappa^{n,l_1}_{1}$ encrypt the payload: $\mathbf P_1 = E_{H_\mathbf{P}(\kappa^{n,l_1}_{1})}(\mathbf P_0)$ .
Shift blending headers by one down: $\mathbf h_1 = \{$ $\mathbf b_1 = \emptyset$ ,

$\mathbf b_2 = \text {CSPRBG}( \rho_{1})_{|\mathbf b|}$ ,

$\mathbf b_3 = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \}$ ,

$\mathbf b_4 = E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{1})}E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(\{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4}, \Omega \})$ ,

$\}$ .

Fill the first blending header (the $\Omega=1$ in this case): $\mathbf h_1 = \{$ $\mathbf b_1 = \{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega=1 \}$ ,

$\mathbf b_2 = \text {CSPRBG}( \rho_{1})_{|\mathbf b|}$ ,

$\mathbf b_3 = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\mathbf b_4 = E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(\{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4}, \Omega \})$ ,

$\}$ .

Using shared key $\kappa^{n,l_1}_{1}$ encrypt the private header: $\mathbf{h}_{E_{1}} = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\mathbf{h}_1) = \{$ $\mathbf b_1 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega \})$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\mathbf b_3 = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\mathbf b_4 = E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4}, \Omega \})$ ,

$\}$ .

$i=2$ :

$i \ne 1$ .
Calculate the signature of the header and the payload: $\sigma_{K^{n}_1}(\mathbf{h}_{E_1}| \mathbf{P}_1)$ .
Using shared key $\kappa^{n,l_2}_{2}$ encrypt the payload: $\mathbf P_2 = E_{H_\mathbf{P}(\kappa^{n,l_2}_{2})}(\mathbf P_1)$ .
Shift blending headers by one down: $\mathbf h_2 = \{$ $\mathbf b_1 = \emptyset$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S} , \Omega \})$ ,

$\mathbf b_3 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\mathbf b_4 = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\}$ .

Fill the first blending header: $\mathbf h_2 = \{$ $\mathbf b_1 = \{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_{E_1}| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S}, \Omega \}$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega \})$ ,

$\mathbf b_3 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\mathbf b_4 = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\}$ .

Using shared key $\kappa^{n,l_2}_2$ encrypt the private header: $\mathbf{h}_{E_2} = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\mathbf{h}_2) = \{$ $\mathbf b_1 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_{E_1}| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S} , \Omega \})$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega \})$ ,

$\mathbf b_3 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\mathbf b_4 = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\}$ .

$i=3$ :

$i \ne 1$ .
Calculate the signature of the header and the payload: $\sigma_{K^{n}_2}(\mathbf{h}_{E_2}| \mathbf{P}_2)$ .
Using shared key $\kappa^{n,l_3}_{3}$ encrypt the payload: $\mathbf P_3 = E_{H_\mathbf{P}(\kappa^{n,l_3}_{3})}(\mathbf P_2)$ .
Shift blending headers by one down: $\mathbf h_3 = \{$ $\mathbf b_1 = \emptyset$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_{E_1}| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S}, \Omega \})$ ,

$\mathbf b_3 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S} , \Omega \})$ ,

$\mathbf b_4 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\}$ .

Fill the first blending header: $\mathbf h_3 = \{$ $\mathbf b_1 = \{K^{n}_2,\pi_Q^{K^{n}_2},\sigma_{K^n_2}(\mathbf{h}_{E_2}| \mathbf{P}_2),\pi^{K^{n}_3,l_3}_{S}, \Omega \}$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_{E_1}| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S} , \Omega \})$ ,

$\mathbf b_4 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\}$ .

Using shared key $\kappa^{n,l_3}_3$ encrypt the private header: $\mathbf{h}_{E_3} = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}(\mathbf{h}_3) = \{$ $\mathbf b_1 = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}(\{K^{n}_2,\pi_Q^{K^{n}_2},\sigma_{K^n_2}(\mathbf{h}_{E_2}| \mathbf{P}_2),\pi^{K^{n}_3,l_3}_{S}, \Omega \})$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_{E_1}| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S}, \Omega \})$ ,

$\mathbf b_3 = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega \})$ ,

$\mathbf b_4 = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\}$ .

The above calculations give us the final message $\mathbf {M = (H,h,P)}$ where:

$\mathbf H = (K^{n}_3,~ \pi^{K^{n}_3}_Q,~ \sigma_{K^{n}_3}(\mathbf{h}_{E_3}|\mathbf{P}_3))$ ,

$\mathbf{h} = \mathbf{h}_{E_3} = \{$

$\mathbf b_1 = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}(\{K^{n}_2,\pi_Q^{K^{n}_2},\sigma_{K^n_2}(\mathbf{h}_{E_2}| \mathbf{P}_2),\pi^{K^{n}_3,l_3}_{S}, \Omega \})$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_{E_1}| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S} , \Omega \})$ ,

$\mathbf b_4 = E_{H_{\mathbf b}(\kappa^{n,l_3}_3)}E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\}$ ,

$\mathbf{P} = \mathbf P_3= E_{H_{\mathbf P_0}(\kappa^{n,l_3}_3)}E_{H_{\mathbf P}(\kappa^{n,l_2}_2)}E_{H_{\mathbf P}(\kappa^{n,l_1}_1)}(\mathbf{P}_0)$ .

Decapsulation

Now let us take the above message and decapsulate it. We verify that the node doing the processing is the rightful recipient of the message and that the public header is correct.

$l=l_3$ :

Calculate shared secret: $\kappa^{n,l_3}_{3}=K^n_{3} \cdot p^{l_3}$ , where $K^{n}_{3} \in \mathbf H$ and $p^{l_3}$ is the private part of the public key of the node $l_3$ .
Decrypt the header: $\mathbf h_{l_3} = D_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(\mathbf{h}) = \{$ $\mathbf b_1 = \{K^{n}_2,\pi_Q^{K^{n}_2},\sigma_{K^n_2}(\mathbf{h}_{E_2}| \mathbf{P}_2),\pi^{K^{n}_3,l_3}_{S}, \Omega \}$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_{E_1}| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S}, \Omega \})$ ,

$\mathbf b_4 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\}.$

Verify the header: 1. If the proof of selection $\pi^{K^{n}_3,l_3}_{S} \in \mathbf{b}_1$ fails then stop. 2. If the key $K^{n}_2 \in \mathbf b_1$ was already seen, discard the message. 3. If the proof $\pi^{K^{n}_2,l_2}_{Q} \in \mathbf b_1$ is incorrect, discard the message.
Reconstruct the public header: $\mathbf H = (K^{n}_2,~ \pi^{K^{n}_2}_Q,~ \sigma_{K^{n}_2}(\mathbf{h}_{E_2}|\mathbf{P}_2))$
Decrypt the payload: $\mathbf{P}_{l_3} = D_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(\mathbf P)$ .
Reconstruct the blend header: $b = \{$ $r_{l_3,1} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|1))_{|K|}$ ,

$r_{l_3,2} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|2))_{|\pi^{K}_{Q}|}$ ,

$r_{l_3,3}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|3))_{|\sigma_{K}(\mathbf P)|}$ ,

$r_{l_3,4}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|4))_{|\pi^{K,k}_{S}|}$ ,

$\Omega = 0$ ,

$\}.$

Encrypt the blend header: $\hat b = E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(b)$ .
Shift blending headers by one upward, the first blending header is discarded: $\mathbf b_i \rightarrow \mathbf b_{i-1}$ .
Reconstruct the private header: $\mathbf h_{E_{l_3}} = \{$ $\mathbf b_1 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}(\{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_1| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S} , \Omega \})$ ,

$\mathbf b_3 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\mathbf b_4 = \hat b=E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\}.$

If the signature from the public header does not match the signature of the reconstructed header and the decrypted payload then discard the message: $\sigma_{K^n_2}(\mathbf{h}_{E_2}| \mathbf{P}_2) == \sigma_{K^n_2}(\mathbf{h}_{E_{l_3}}| \mathbf{P}_{l_3})$ $\text{verify\_sig}(\sigma_{K^{n}_2}(\mathbf{h}_{E_2}|\mathbf{P}_2), \mathbf{h}_{E_{l_3}}| \mathbf{P}_{l_3},{K^n_2})$
The message is decapsulated.
Follow the processing logic: Processing.

$l=l_2$ :

Calculate shared secret: $\kappa^{n,l_2}_{2}=K^n_{2} \cdot p^{l_2}$ , where $K^{n}_{2} \in \mathbf H$ and $p^{l_2}$ is the private part of the public key of the node $l_2$ .
Decrypt the header: $\mathbf h_{l_2} = D_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\mathbf{h}_{E_{l_3}}) = \{$ $\mathbf b_1 = \{K^{n}_1,\pi_Q^{K^{n}_1},\sigma_{K^n_1}(\mathbf{h}_1| \mathbf{P}_1),\pi^{K^{n}_2,l_2}_{S}, \Omega \}$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega \})$ ,

$\mathbf b_3 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\mathbf b_4 = E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\}.$

Verify the header: 1. If the proof of selection $\pi^{K^{n}_2,l_2}_{S} \in \mathbf{b}_1$ fails then stop. 2. If the key $K^{n}_1 \in \mathbf b_1$ was already seen, discard the message. 3. If the proof $\pi^{K^{n}_1,l_1}_{Q} \in \mathbf b_1$ is incorrect, discard the message.
Reconstruct the public header: $\mathbf H = (K^{n}_1,~ \pi^{K^{n}_1}_Q,~ \sigma_{K^{n}_1}(\mathbf{h}_{E_1}|\mathbf{P}_1))$
Decrypt the payload: $\mathbf{P}_x = D_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\mathbf P)$ .
Reconstruct the blend header: $b = \{$ $r_{l_2,1} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|1))_{|K|}$ ,

$r_{l_2,2} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|2))_{|\pi^{K}_{Q}|}$ ,

$r_{l_2,3}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|3))_{|\sigma_{K}(\mathbf P)|}$ ,

$r_{l_2,4}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|4))_{|\pi^{K,k}_{S}|}$ ,

$\Omega=0$ ,

$\}.$

Encrypt the reconstructed blend header: $\hat b = E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(b)$ .
Shift blending headers by one upward, the first blending header is discarded: $\mathbf b_i \rightarrow \mathbf b_{i-1}$ .
Reconstruct the private header: $\mathbf h_{E_{l_2}} = \{$ $\mathbf b_1 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ K^n_0, \pi^{K^{n}_{0}}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega \})$ ,

$\mathbf b_2 = E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\text {CSPRBG}( \rho_{1})_{|\mathbf b|})$ ,

$\mathbf b_3=E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega\})$ ,

$\mathbf b_4 = \hat b=E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4}, \Omega \})$ ,

$\}.$

Check the signature: $\sigma_{K^n_2}(\mathbf{h}_{E_1}| \mathbf{P}_1) == \sigma_{K^n_2}(\mathbf{h}_{E_{l_2}}| \mathbf{P}_{l_2})$ $\text{verify\_sig}(\sigma_{K^{n}_1}(\mathbf{h}_{E_1}|\mathbf{P}_1), \mathbf{h}_{E_{l_2}}| \mathbf{P}_{{l_2}},{K^n_1})$
The message is decapsulated.
Follow the message processing logic: Processing.

$l=l_1$ :

Calculate shared secret: $\kappa^{n,l_1}_{1}=K^n_{1} \cdot k^{l_1}$ , where $K^{n}_{l_1} \in \mathbf H$ and $p^{l_1}$ is the private part of the public key of the node $l_1$ .
Decrypt the private header: $\mathbf h_{l_1} = D_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(\mathbf{h}_{E_{l_2}}) = \{$ $\mathbf b_1 = \{ K^n_0, \pi^{K^{n}_{0},l_0}_{Q}, \sigma_{K^{n}_0}(\mathbf{h}_{E_0}| \mathbf{P}_0), \pi^{K^{n}_1,l_1}_{S}, \Omega \}$ ,

$\mathbf b_2 = \text {CSPRBG}( \rho_{1})_{|\mathbf b|}$ ,

$\mathbf b_3=E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{3})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4}, \Omega \})$ ,

$\mathbf b_4 =E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4}, \Omega \})$ ,

$\}.$

Verify the header: 1. If the proof of selection $\pi^{K^{n}_1,l_1}_{S} \in \mathbf{b}_1$ fails then stop. 2. If the key $K^{n}_0 \in \mathbf b_1$ was already seen, discard the message. 3. If the proof $\pi^{K^{n}_0,l_0}_{Q} \in \mathbf b_1$ is incorrect, discard the message.
Reconstruct the public header: $\mathbf H = (K^{n}_0,~ \pi^{K^{n}_0}_Q,~ \sigma_{K^{n}_0}(\mathbf{h}_{E_0}|\mathbf{P}_0))$
Decrypt the payload: $\mathbf{P}_{l_1} = D_{H_\mathbf{P}(\kappa^{n,{l_1}}_{1})}(\mathbf P)$ .
Reconstruct the blend header: $b = \{$ $r_{l_1,1} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|1))_{|K|}$ ,

$r_{l_1,2} = \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|2))_{|\pi^{K}_{Q}|}$ ,

$r_{l_1,3}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|3))_{|\sigma_{K}(\mathbf P)|}$ ,

$r_{l_1,4}= \text {CSPRBG}(H_\mathbf{I}(\kappa^{n,l}_l|4))_{|\pi^{K,k}_{S}|}$ ,

$\Omega = 0$ ,

$\}.$

Encrypt the reconstructed blend header: $\hat b = E_{H_\mathbf{b}(\kappa^{n,{l_1}}_{1})}(b)$ .
Shift blending headers by one upward, the first blending header is discarded: $\mathbf b_i \rightarrow \mathbf b_{i-1}$ .
Reconstruct the private header: $\mathbf h_{E_{l_1}} = \{$ $\mathbf b_1 = \text {CSPRBG}( \rho_{1})_{|\mathbf b|}$ ,

$\mathbf b_2=E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}E_{H_{\mathbf b}(\kappa^{n,l_2}_2)}E_{H_\mathbf{b}(\kappa^{n,{l_3}}_{l_3})}(\{ r_{l_3,1}, r_{l_3,2} ,r_{l_3,3}, r_{l_3,4},\Omega \})$ ,

$\mathbf b_3 =E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}E_{H_\mathbf{b}(\kappa^{n,{l_2}}_{2})}(\{ r_{l_2,1}, r_{l_2,2} ,r_{l_2,3}, r_{l_2,4},\Omega \})$ ,

$\mathbf b_4 = \hat b=E_{H_{\mathbf b}(\kappa^{n,l_1}_1)}(\{ r_{l_1,1}, r_{l_1,2} ,r_{l_1,3}, r_{l_1,4},\Omega \})$ ,

$\}.$

If the signature from the public header does not match the signature of the reconstructed header and the decrypted payload then discard the message: $\text{verify\_sig}(\sigma_{K^{n}_0}(\mathbf{h}_{E_0}|\mathbf{P}_0), \mathbf{h}_{E_{l_1}}| \mathbf{P}_{{l_1}},{K^n_0})$ .
The message is decapsulated.
Follow the message processing logic: Processing.

Logos LIP