Works best when
- Senders lack persistent internet connectivity
- Adversary observes physical interaction points or radio spectrum
- End-to-end (sender-to-relay) confidentiality is required
Avoid when
- Online IP transport is available and the threat model only requires IP-layer anonymity (use Tor or Nym)
- Real-time delivery is required
- Source-fingerprinting is not part of the threat model
Post-quantum exposure
Risk · high
- Vector: X25519 key exchange broken by a cryptographically relevant quantum computer (CRQC); harvest-now-decrypt-later (HNDL) exposure on retained ciphertext
- Mitigation: ML-KEM (Kyber) or hybrid X25519 plus ML-KEM
Components
- Mesh transport: Bluetooth LE for short-range device-to-device, LoRa for kilometer-range, Wi-Fi Direct or local AP for higher-bandwidth corridors. Peer-to-peer or multi-hop store-and-forward.
- End-to-end encryption: IND-CCA2 authenticated encryption with ephemeral sender keying. X25519 plus ChaCha20-Poly1305 or AES-256-GCM are conventional.
- Relay decryption keypair: rotated by the relay at least every 24 hours; retired private keys securely erased.
- Source-fingerprinting mitigations: at least two orthogonal mechanisms. Physical-layer options: randomized Bluetooth LE MACs, rotated LoRa node identifiers. Network-layer: onion-routed propagation (Sphinx-style), Poisson-distributed cover traffic.
- Out-of-band relay-key distribution: relay identity public keys pre-loaded onto sender devices through trusted channels (printed cards, signed bundle, in-person handoff).
Protocol
- sender: Receive, out-of-band, the relay set's identity keys, current ephemeral decryption keys, and rotation schedule.
- sender: Encrypt the payload to the relay's current ephemeral public key under IND-CCA2 AEAD with ephemeral sender keying.
- sender: Inject ciphertext into the mesh transport.
- peers: Store-and-forward toward the relay set; intermediate peers see ciphertext only. Onion routing across hops, when present, hides per-hop next-peer identity.
- peers: Emit Poisson-scheduled cover traffic so a real submission is not distinguishable from idle behavior.
- exit-peer: A peer with online connectivity forwards the ciphertext to the relay's online endpoint.
- relay: Decrypt, process, optionally return an acknowledgement through the same transport.
- relay: Rotate the ephemeral decryption keypair at the published cadence; securely erase retired keys.
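The cover-traffic step above, as an added example (not code from this page or from any project it names): a peer draws its emission slots from a Poisson process and a queued ciphertext only fills the next slot, so the on-air timing is the same whether or not a real submission exists. `schedule`, `PACKET_SIZE`, the rate, and the sample reports are assumptions made for illustration; ciphertexts are assumed to be padded to a fixed size before encryption.

```python
import random
import secrets
from collections import deque

PACKET_SIZE = 256  # assumed fixed on-air size shared by real and cover packets


def schedule(rate_per_s, horizon_s, submissions, seed=None):
    """Plan one peer's emissions as [(emit_time_s, packet, is_real)].

    submissions: [(ready_time_s, ciphertext)] sorted by ready time; each
    ciphertext must already be PACKET_SIZE bytes (payload padded before AEAD).
    Slot times come from the Poisson process alone. A queued ciphertext fills
    the next slot; it never creates, moves, or resizes one.
    """
    for _, ct in submissions:
        if len(ct) != PACKET_SIZE:
            raise ValueError("ciphertext must be exactly PACKET_SIZE bytes")
    # Seed only for reproducible tests; use the OS CSPRNG in the field.
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    pending, queue, plan = deque(submissions), deque(), []
    t = rng.expovariate(rate_per_s)  # exponential gaps => Poisson arrivals
    while t < horizon_s:
        while pending and pending[0][0] <= t:
            queue.append(pending.popleft()[1])
        if queue:
            plan.append((t, queue.popleft(), True))
        else:
            # Stand-in cover packet: random bytes. A deployment would send an
            # encryption of dummy data so cover matches the real wire format.
            plan.append((t, secrets.token_bytes(PACKET_SIZE), False))
        t += rng.expovariate(rate_per_s)
    return plan


if __name__ == "__main__":
    # Constructed input: two reports become ready 10.0 s and 10.5 s in.
    reports = [(10.0, b"A" * PACKET_SIZE), (10.5, b"B" * PACKET_SIZE)]
    idle = schedule(0.5, 120.0, [], seed=7)
    busy = schedule(0.5, 120.0, reports, seed=7)
    print("slots:", len(busy), "real:", sum(r for _, _, r in busy))
    print("timing identical to idle:",
          [t for t, _, _ in idle] == [t for t, _, _ in busy])
```

The `is_real` flag is local bookkeeping for the check and is never transmitted; the price of the fixed schedule is that a report waits for the next slot, which is the latency and energy trade-off listed under Trade-offs.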
Guarantees & threat model
- End-to-end confidentiality: intermediate peers cannot recover the cleartext payload.
- Source unlinkability across encounters: physical-layer rotation plus network-layer cover traffic together prevent an adversary observing one mesh encounter from linking it to the same sender's prior or subsequent activity. Single-mitigation deployments do not satisfy this.
- Tolerance to high latency: delivery is eventual, bounded only by mesh path connectivity.
- Threat model: adversary observes radio spectrum and IP traffic, may control some peers, and may compromise individual companion devices. Out of scope: SIGINT-level RF fingerprinting that distinguishes individual transmitters by hardware characteristics.
Trade-offs
- Latency. Delivery adds seconds to days, depending on path connectivity and cover-traffic schedule. Applications must tolerate this.
- Companion-device hygiene. A shared or compromised companion sees plaintext for the senders it serves. Treat companions as compromisable; rotate when practical.
- Relay-set diversity required. Senders SHOULD fan out across multiple relays with size and jurisdictional-diversity floors as deployment requirements.
- No real-time error feedback. A failed delivery may be invisible for hours. Acknowledgement tokens propagated back through the same transport cover the happy path only.
- Cover-traffic budget. Poisson cover increases sender energy cost and mesh bandwidth use; deployment tunes the rate against the threat model.
Example
Reporters and human-rights observers in a region with periodic internet shutdowns submit encrypted reports to a journalism organization's relay using Briar over Bluetooth LE. Phones in physical proximity sync ciphertext peer-to-peer; messages traverse multiple hops until reaching a phone with online connectivity, which forwards the ciphertext to the relay over Tor. Bluetooth LE MAC randomization combined with Poisson cover-traffic intervals prevents an adversary scanning the local Bluetooth spectrum from correlating which reporter submitted what at which time.
See also
- Briar Project: peer-to-peer messenger over Bluetooth LE, Wi-Fi LAN, and Tor.
- Meshtastic: LoRa mesh messaging firmware.
- Bridgefy: commercial Bluetooth mesh SDK.
- Sphinx mix format (Danezis & Goldberg, IEEE S&P 2009).
- RFC 8439: ChaCha20 and Poly1305 for IETF Protocols.