THE AMOS PROTOCOL

Anonymous Media Origination Standard

v0.5 DRAFT

Wire specification for anonymous, censorship-resistant, one-directional media submission over a peer-to-peer relay network. No accounts. No registration. No server to seize.

Protocol Parameters

  • Fragments (N): 20. Erasure-coded per submission.
  • Threshold (K): 12. Sufficient for reconstruction.
  • Plaintext Capacity: 384 KiB. K × 32,768 bytes.
  • Fragment Payload: 32,768 B. Per data fragment.
  • Wire Fragment: 32,816 B. Payload + 48-byte header.
  • Delivery Layers: 3. Preview · Primary · Archival.
  • Mix Delay Floor: ≥ 60s. ≥ 3600s for Class 3+ adversaries.
  • Epoch Rotation: 24h. Key retention 17 days.
  • Submission TTL: 14d. Group TTL ≤ 30 days.
  • Anti-Concentration: ≤ K−1 (11) fragments per peer · MUST ≥ 2 peers · SHOULD ≥ 7. First-hop distribution constraint. Prevents single-peer reconstruction.

Cryptographic Primitives

  • Hash: SHA-256 (FIPS 180-4)
  • AEAD: ChaCha20-Poly1305 (RFC 8439)
  • HPKE: DHKEM(X25519, HKDF-SHA256) + ChaCha20-Poly1305 (RFC 9180)
  • MAC / PRF: HMAC-SHA256 (RFC 2104)
  • Signatures: Ed25519 (RFC 8032)
  • CSPRNG: OS-provided (§5.6)

Architecture

Submitting Node

Strips device identity. Encrypts evidence envelope. Erasure-codes media into N fragments. Distributes to relay peers under anti-concentration constraints.
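
The anti-concentration constraint on first-hop distribution, as an added example (not taken from the AMOS specification or any reference implementation). It assumes each fragment is handed to exactly one first-hop peer and uses a simple round-robin policy; the function names and peer identifiers are hypothetical.

```python
import secrets

N, K = 20, 12                      # fragments per submission, reconstruction threshold
MIN_PEERS, SHOULD_PEERS = 2, 7     # MUST / SHOULD first-hop peer counts

def check_plan(plan, n=N, k=K):
    """Validate a first-hop plan {peer_id: [fragment indices]}.

    Returns (violations, advisories): MUST-level failures and SHOULD-level notes.
    """
    violations, advisories = [], []
    assigned = sorted(i for frags in plan.values() for i in frags)
    if assigned != list(range(n)):
        # Assumption of this example: every fragment goes to exactly one peer.
        violations.append("each of the N fragments must be assigned exactly once")
    used = {p: f for p, f in plan.items() if f}
    if len(used) < MIN_PEERS:
        violations.append(f"only {len(used)} peer(s) used; MUST be >= {MIN_PEERS}")
    elif len(used) < SHOULD_PEERS:
        advisories.append(f"{len(used)} peers used; SHOULD be >= {SHOULD_PEERS}")
    for peer, frags in used.items():
        if len(frags) > k - 1:     # K fragments at one peer would allow reconstruction
            violations.append(f"{peer} holds {len(frags)} fragments; cap is {k - 1}")
    return violations, advisories

def plan_first_hop(peers, n=N, k=K):
    """Spread n fragments over the given peers as evenly as possible."""
    peers = list(dict.fromkeys(peers))          # drop duplicate peer ids
    if len(peers) < MIN_PEERS:
        raise ValueError("need at least 2 distinct first-hop peers")
    rng = secrets.SystemRandom()                # OS-provided CSPRNG
    order = list(range(n))
    rng.shuffle(order)                          # fragment-to-peer mapping is unpredictable
    rng.shuffle(peers)
    plan = {p: [] for p in peers}
    for pos, frag in enumerate(order):
        plan[peers[pos % len(peers)]].append(frag)   # max load is ceil(n / len(peers))
    violations, _ = check_plan(plan, n, k)
    if violations:                              # e.g. too few peers for a small K
        raise ValueError("; ".join(violations))
    return plan

if __name__ == "__main__":
    demo = plan_first_hop([f"relay-{i}" for i in range(7)])   # constructed peer ids
    print({p: sorted(f) for p, f in demo.items()}, check_plan(demo))
```

With the page's parameters, two peers receive 10 fragments each, which satisfies the MUST rules but produces a SHOULD-level advisory; seven peers receive at most 3 each.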

Relay Network

Receives, holds, mixes, and forwards encrypted fragments. Per-relay delay ≥ 60s. Cannot read contents. Cover traffic makes real and dummy fragments indistinguishable.

Consuming Platform

Reassembles K-of-N fragments. Decrypts evidence envelope. Verifies cryptographic chain of custody from capture to receipt.

Transport Modes

  • Mode A: Internet Relay. Fragments over TLS-encrypted relay-to-relay connections. Standard operation when connectivity is available.
  • Mode B: Local Mesh. Bluetooth LE and Wi-Fi Direct. Device-to-device propagation without internet access.
  • Mode C: Store-and-Forward. Fragments stored locally, transmitted when connectivity resumes. Survives extended blackouts.

One-directional flow only. No acknowledgments, no return channel. Fragment tags derived per-submission via K-tag HMAC, unlinkable across submissions.

Threat Model

  • Class 1: Local network observer. Wi-Fi sniffing, coffee-shop-level passive monitoring. Status: Protected.
  • Class 2: Regional ISP with DPI. Can block protocols. Operates bounded relay nodes. Status: Protected.
  • Class 3: Nation-state with passive cross-jurisdictional visibility. SIGINT-level cable taps. Status: Protected.
  • Class 4: Full-spectrum nation-state. Global active + targeted device compromise. Status: Out of scope.

The protocol makes explicit anonymity claims bounded by adversary class. Class 4 (device compromise) is outside the protocol's protection envelope. See §10 of the specification for formal bounds and mitigations by attack vector.

Delivery Layers

  • Preview (0x00): Ultra-low-fidelity thumbnail. Immediate delivery for triage.
  • Primary (0x01): Watchable representation. Standard media quality.
  • Archival (0x02): Full-resolution original. Evidentiary preservation.

Each layer carries its own content hash inside the evidence envelope (SHA-256, computed at capture). The cryptographic binding runs from capture to reassembly.

Normative Documents