@hive-p2p/browser 1.0.68 → 1.0.70

package/core/arbiter.mjs

@@ -99,7 +99,7 @@ export class Arbiter {
 	/** Call from HiveP2P module only! @param {string} from @param {any} message @param {Uint8Array} serialized @param {number} [powCheckFactor] default: 0.01 (1%) */
 	async digestMessage(from, message, serialized, powCheckFactor = .01) {
 		const { senderId, pubkey, topic, expectedEnd } = message; // avoid powControl() on banished peers
-		if (!await this.#signatureControl(from, message, serialized)) return;
+		if (!this.#signatureControl(from, message, serialized)) return;
 		if (!this.#lengthControl(from, topic ? 'gossip' : 'unicast', serialized, expectedEnd)) return;
 
 		const routeOrHopsOk = topic ? this.#hopsControl(from, message) : this.#routeLengthControl(from, message);
@@ -111,11 +111,11 @@ export class Arbiter {
 		return true;
 	}
 	/** @param {string} from @param {import('./gossip.mjs').GossipMessage} message @param {Uint8Array} serialized */
-	async #signatureControl(from, message, serialized) {
+	#signatureControl(from, message, serialized) {
 		try {
 			const { pubkey, signature, signatureStart } = message;
 			const signedData = serialized.subarray(0, signatureStart);
-			const signatureValid = await this.cryptoCodex.verifySignature(pubkey, signedData, signature);
+			const signatureValid = this.cryptoCodex.verifySignature(pubkey, signedData, signature);
 			if (!signatureValid) throw new Error('Gossip signature invalid');
 			this.adjustTrust(from, TRUST_VALUES.VALID_SIGNATURE, 'Gossip signature valid');
 			return true;

package/core/config.mjs

@@ -158,6 +158,10 @@ export const UNICAST = { // MARKERS RANGE: 0-127
 		'2': 'signal_answer',
 		signal_offer: 3,
 		'3': 'signal_offer',
+		privacy: 4,
+		'4': 'privacy',
+		private_message: 5,
+		'5': 'private_message',
 	},
 }
 

package/core/crypto-codex.mjs

@@ -3,56 +3,13 @@ import { SIMULATION, NODE, IDENTITY, GOSSIP, UNICAST, LOG_CSS } from './config.m
 import { GossipMessage } from './gossip.mjs';
 import { DirectMessage, ReroutedDirectMessage } from './unicast.mjs';
 import { Converter } from '../services/converter.mjs';
-import { ed25519, Argon2Unified } from '../services/cryptos.mjs'; // now exposed in full and browser builds
-
-class Ed25519BatchVerifier {
-	#verifyQueue = [];
-	#verifyResolvers = new Map();
-	#batchTimer = null;
-	#nextId = 0;
-	#BATCH_SIZE = 10;
-	#BATCH_TIMEOUT = 5;
-
-	verifySignature(publicKey, dataToVerify, signature) {
-		return new Promise((resolve) => {
-			const id = this.#nextId++;
-			this.#verifyQueue.push({ id, publicKey, dataToVerify, signature });
-			this.#verifyResolvers.set(id, resolve);
-
-			// Flush immediately if batch full
-			if (this.#verifyQueue.length >= this.#BATCH_SIZE) {
-				this.#flushBatch();
-				return;
-			}
-
-			// Otherwise schedule flush
-			if (!this.#batchTimer)
-				this.#batchTimer = setTimeout(() => this.#flushBatch(), this.#BATCH_TIMEOUT);
-		});
-	}
-
-	async #flushBatch() {
-		if (this.#batchTimer) clearTimeout(this.#batchTimer), this.#batchTimer = null;
-		if (this.#verifyQueue.length === 0) return;
-
-		const batch = this.#verifyQueue.splice(0);
-		const results = await Promise.all(
-			batch.map(item => ed25519.verifyAsync(item.signature, item.dataToVerify, item.publicKey))
-		);
-
-		for (let i = 0; i < batch.length; i++) {
-			this.#verifyResolvers.get(batch[i].id)(results[i]);
-			this.#verifyResolvers.delete(batch[i].id);
-		}
-	}
-}
+import { ed25519, x25519, chacha20poly1305, randomBytes , Argon2Unified } from '../services/cryptos.mjs'; // now exposed in full and browser builds
+import { concatBytes } from '@noble/ciphers/utils.js';
 
 export class CryptoCodex {
 	argon2 = new Argon2Unified();
 	converter = new Converter();
 	AVOID_CRYPTO = false;
-	/** @type {Ed25519BatchVerifier} only if "AVOID_CRYPTO" is disabled*/
-	verifier;
 	verbose = NODE.DEFAULT_VERBOSE;
 	/** @type {string} */ id;
     /** @type {Uint8Array} */ publicKey;
@@ -88,7 +45,6 @@ export class CryptoCodex {
 		if (this.nodeId) return;
 		await this.#generateAntiSybilIdentity(seed, asPublicNode);
 		this.AVOID_CRYPTO = false; // enable crypto operations
-		this.verifier = new Ed25519BatchVerifier();
 		if (!this.id) throw new Error('Failed to generate identity');
     }
 	/** Check if the pubKey meets the difficulty using Argon2 derivation @param {Uint8Array} publicKey */
@@ -97,6 +53,7 @@ export class CryptoCodex {
 		const { bitsString } = await this.argon2.hash(publicKey, 'HiveP2P', IDENTITY.ARGON2_MEM) || {};
 		if (bitsString && bitsString.startsWith('0'.repeat(IDENTITY.DIFFICULTY))) return true;
 	}
+	/** @param {Uint8Array} publicKey */
 	#idFromPublicKey(publicKey) {
 		if (IDENTITY.ARE_IDS_HEX) return this.converter.bytesToHex(publicKey.slice(0, this.idLength), IDENTITY.ID_LENGTH);
 		return this.converter.bytesToString(publicKey.slice(0, IDENTITY.ID_LENGTH));
@@ -105,7 +62,7 @@ export class CryptoCodex {
 	async #generateAntiSybilIdentity(seed, asPublicNode) {
 		const maxIterations = (2 ** IDENTITY.DIFFICULTY) * 100; // avoid infinite loop
 		for (let i = 0; i < maxIterations; i++) { // avoid infinite loop
-			const { secretKey, publicKey } = await ed25519.keygenAsync(seed);
+			const { secretKey, publicKey } = ed25519.keygen(seed);
 			const id = this.#idFromPublicKey(publicKey);
 			if (asPublicNode && !this.isPublicNode(id)) continue; // Check prefix
 			if (!asPublicNode && this.isPublicNode(id)) continue; // Check prefix
@@ -119,16 +76,41 @@ export class CryptoCodex {
 		if (this.verbose > 0) console.log(`%cFAILED to generate id after ${maxIterations} iterations. Try lowering the difficulty.`, LOG_CSS.CRYPTO_CODEX);
 	}
 
-	// MESSSAGE CREATION (SERIALIZATION AND SIGNATURE INCLUDED)
+	// PRIVACY
+	generateEphemeralX25519Keypair() {
+		const { secretKey, publicKey } = x25519.keygen();
+		return { myPub: publicKey, myPriv: secretKey };
+	}
+	computeX25519SharedSecret(secret, pub) {
+		return x25519.getSharedSecret(secret, pub);
+	}
+	/** @param {Uint8Array} data @param {Uint8Array} sharedSecret */
+	encryptData(data, sharedSecret) {
+		if (!sharedSecret) throw new Error('Cannot encrypt data without shared secret.');
+		const nonce = randomBytes(12);
+		const cipher = chacha20poly1305(sharedSecret, nonce);
+		const encrypted = cipher.encrypt(data);
+		return concatBytes(nonce, encrypted);
+	}
+	/** @param {Uint8Array} encryptedData @param {Uint8Array} sharedSecret */
+	decryptData(encryptedData, sharedSecret) {
+		if (!sharedSecret) throw new Error('Cannot decrypt data without shared secret.');
+		const nonce = encryptedData.slice(0, 12);
+		const cipher = chacha20poly1305(sharedSecret, nonce);
+		const decrypted = cipher.decrypt(encryptedData.slice(12));
+		return decrypted;
+	}
+
+	// MESSAGE CREATION (SERIALIZATION AND SIGNATURE INCLUDED)
 	/** @param {Uint8Array} bufferView @param {Uint8Array} privateKey @param {number} [signaturePosition] */
-	async signBufferViewAndAppendSignature(bufferView, privateKey, signaturePosition = bufferView.length - IDENTITY.SIGNATURE_LENGTH) {
+	signBufferViewAndAppendSignature(bufferView, privateKey, signaturePosition = bufferView.length - IDENTITY.SIGNATURE_LENGTH) {
 		if (this.AVOID_CRYPTO) return;
 		const dataToSign = bufferView.subarray(0, signaturePosition);
-		const signature = await ed25519.signAsync(dataToSign, privateKey);
+		const signature = ed25519.sign(dataToSign, privateKey);
 		bufferView.set(signature, signaturePosition);
 	}
 	/** @param {string} topic @param {string | Uint8Array | Object} data @param {number} [HOPS] @param {string[]} route @param {string[]} [neighbors] */
-	async createGossipMessage(topic, data, HOPS = 3, neighbors = [], timestamp = CLOCK.time) {
+	createGossipMessage(topic, data, HOPS = 3, neighbors = [], timestamp = CLOCK.time) {
 		const MARKER = GOSSIP.MARKERS_BYTES[topic];
 		if (MARKER === undefined) throw new Error(`Failed to create gossip message: unknown topic '${topic}'.`);
 		
@@ -142,7 +124,7 @@ export class CryptoCodex {
 		bufferView.set(neighborsBytes, 47); 					// X bytes for neighbors
 		bufferView.set(dataBytes, 47 + neighborsBytes.length); 	// X bytes for data
 		bufferView.set([Math.min(255, HOPS)], totalBytes - 1); 	// 1 byte for HOPS (Unsigned)
-		await this.signBufferViewAndAppendSignature(bufferView, this.privateKey, totalBytes - IDENTITY.SIGNATURE_LENGTH - 1);
+		this.signBufferViewAndAppendSignature(bufferView, this.privateKey, totalBytes - IDENTITY.SIGNATURE_LENGTH - 1);
 		return bufferView;
 	}
 	/** @param {Uint8Array} serializedMessage */
@@ -152,8 +134,8 @@ export class CryptoCodex {
 		clone[serializedMessage.length - 1] = Math.max(0, hops - 1);
 		return clone;
 	}
-	/** @param {string} type @param {string | Uint8Array | Object} data @param {string[]} route @param {string[]} [neighbors] */
-	async createUnicastMessage(type, data, route, neighbors = [], timestamp = CLOCK.time) {
+	/** @param {string} type @param {string | Uint8Array | Object} data @param {string[]} route @param {string[]} [neighbors] @param {Uint8Array} [encryptionKey] @param {number} [timestamp] */
+	createUnicastMessage(type, data, route, neighbors = [], encryptionKey, timestamp = CLOCK.time) {
 		const MARKER = UNICAST.MARKERS_BYTES[type];
 		if (MARKER === undefined) throw new Error(`Failed to create unicast message: unknown type '${type}'.`);
 		if (route.length < 2) throw new Error('Failed to create unicast message: route must have at least 2 nodes (next hop and target).');
@@ -161,23 +143,24 @@ export class CryptoCodex {
 		
 		const neighborsBytes = this.#idsToBytes(neighbors);
 		const { dataCode, dataBytes } = this.#dataToBytes(data);
+		const dBytes = encryptionKey ? this.encryptData(dataBytes, encryptionKey) : dataBytes;
 		const routeBytes = this.#idsToBytes(route);
-		const totalBytes = 1 + 1 + 1 + 8 + 4 + 32 + neighborsBytes.length + 1 + routeBytes.length + dataBytes.length + IDENTITY.SIGNATURE_LENGTH;
+		const totalBytes = 1 + 1 + 1 + 8 + 4 + 32 + neighborsBytes.length + 1 + routeBytes.length + dBytes.length + IDENTITY.SIGNATURE_LENGTH;
 		const buffer = new ArrayBuffer(totalBytes);
 		const bufferView = new Uint8Array(buffer);
-		this.#setBufferHeader(bufferView, MARKER, dataCode, neighbors.length, timestamp, dataBytes, this.publicKey);
+		this.#setBufferHeader(bufferView, MARKER, dataCode, neighbors.length, timestamp, dBytes, this.publicKey);
 		
-		const NDBL = neighborsBytes.length + dataBytes.length;
+		const NDBL = neighborsBytes.length + dBytes.length;
 		bufferView.set(neighborsBytes, 47); 					// X bytes for neighbors
-		bufferView.set(dataBytes, 47 + neighborsBytes.length); 	// X bytes for data
+		bufferView.set(dBytes, 47 + neighborsBytes.length); 	// X bytes for data
 		bufferView.set([route.length], 47 + NDBL);				// 1 byte for route length
 		bufferView.set(routeBytes, 47 + 1 + NDBL);				// X bytes for route
 
-		await this.signBufferViewAndAppendSignature(bufferView, this.privateKey, totalBytes - IDENTITY.SIGNATURE_LENGTH);
+		this.signBufferViewAndAppendSignature(bufferView, this.privateKey, totalBytes - IDENTITY.SIGNATURE_LENGTH);
 		return bufferView;
 	}
 	/** @param {Uint8Array} serialized @param {string[]} newRoute */
-	async createReroutedUnicastMessage(serialized, newRoute) {
+	createReroutedUnicastMessage(serialized, newRoute) {
 		if (newRoute.length < 2) throw new Error('Failed to create rerouted unicast message: route must have at least 2 nodes (next hop and target).');
 		if (newRoute.length > UNICAST.MAX_HOPS) throw new Error(`Failed to create rerouted unicast message: route exceeds max hops (${UNICAST.MAX_HOPS}).`);
 	
@@ -189,7 +172,7 @@ export class CryptoCodex {
 		bufferView.set(this.publicKey, serialized.length); // 32 bytes for new public key
 		for (let i = 0; i < routeBytesArray.length; i++) bufferView.set(routeBytesArray[i], serialized.length + 32 + (i * IDENTITY.ID_LENGTH)); // new route
 		
-		await this.signBufferViewAndAppendSignature(bufferView, this.privateKey, totalBytes - IDENTITY.SIGNATURE_LENGTH);
+		this.signBufferViewAndAppendSignature(bufferView, this.privateKey, totalBytes - IDENTITY.SIGNATURE_LENGTH);
 		return bufferView;
 	}
 	/** @param {string[]} ids */
@@ -217,9 +200,9 @@ export class CryptoCodex {
 
 	// MESSSAGE READING (DESERIALIZATION AND SIGNATURE VERIFICATION INCLUDED)
 	/** @param {Uint8Array} publicKey @param {Uint8Array} dataToVerify @param {Uint8Array} signature */
-	async verifySignature(publicKey, dataToVerify, signature) {
+	verifySignature(publicKey, dataToVerify, signature) {
 		if (this.AVOID_CRYPTO) return true;
-		return this.verifier.verifySignature(publicKey, dataToVerify, signature);
+		return ed25519.verify(signature, dataToVerify, publicKey);
 	}
 	/** @param {Uint8Array} bufferView */
 	readBufferHeader(bufferView, readAssociatedId = true) {
@@ -255,8 +238,8 @@ export class CryptoCodex {
 		} catch (error) { if (this.verbose > 1) console.warn(`Error deserializing ${topic || 'unknown'} gossip message:`, error.stack); }
 		return null;
 	}
-	/** @param {Uint8Array | ArrayBuffer} serialized @return {DirectMessage | ReroutedDirectMessage | null} */
-	readUnicastMessage(serialized) {
+	/** @param {Uint8Array | ArrayBuffer} serialized @param {import('./peer-store.mjs').PeerStore} peerStore @return {DirectMessage | ReroutedDirectMessage | null} */
+	readUnicastMessage(serialized, peerStore) {
 		if (this.verbose > 3) console.log(`%creadUnicastMessage ${serialized.byteLength} bytes`, LOG_CSS.CRYPTO_CODEX);
 		if (this.verbose > 4) console.log(`%c${serialized}`, LOG_CSS.CRYPTO_CODEX);
 		try { // 1, 1, 1, 8, 4, 32, X, 1, X, 64
@@ -265,12 +248,18 @@ export class CryptoCodex {
 			if (type === undefined) throw new Error(`Failed to deserialize unicast message: unknown marker byte ${d[0]}.`);
 			const NDBL = neighLength + dataLength;
 			const neighbors = this.#bytesToIds(serialized.slice(47, 47 + neighLength));
-			const deserializedData = this.#bytesToData(dataCode, serialized.slice(47 + neighLength, 47 + NDBL));
 			const routeLength = serialized[47 + NDBL];
 			const routeBytesLength = routeLength * this.idLength;
 			const signatureStart = 47 + NDBL + 1 + routeBytesLength;
 			const routeBytes = serialized.slice(47 + NDBL + 1, signatureStart);
 			const route = this.#bytesToIds(routeBytes);
+			
+			const destId = route[route.length - 1];
+			const d = type === 'private_message' && this.id === destId
+			? this.decryptData(serialized.slice(47 + neighLength, 47 + NDBL), peerStore.privacy[this.#idFromPublicKey(pubkey)]?.sharedSecret)
+			: serialized.slice(47 + neighLength, 47 + NDBL);
+			
+			const deserializedData = this.id === destId ? this.#bytesToData(dataCode, d) : d;
 			const initialMessageEnd = signatureStart + IDENTITY.SIGNATURE_LENGTH;
 			const signature = serialized.slice(signatureStart, initialMessageEnd);
 			const isPatched = (serialized.length > initialMessageEnd);
@@ -288,7 +277,8 @@ export class CryptoCodex {
 	#bytesToIds(serialized) {
 		const ids = [];
 		const idLength = this.idLength;
-		if (serialized.length % idLength !== 0) throw new Error('Failed to parse ids: invalid serialized length.');
+		if (serialized.length % idLength !== 0)
+			throw new Error('Failed to parse ids: invalid serialized length.');
 
 		for (let i = 0; i < serialized.length / idLength; i++) {
 			const idBytes = serialized.slice(i * idLength, (i + 1) * idLength);

package/core/gossip.mjs

@@ -103,9 +103,9 @@ export class Gossip {
 	}
 	/** Gossip a message to all connected peers > will be forwarded to all peers
 	 * @param {string | Uint8Array | Object} data @param {string} topic default: 'gossip' @param {number} [HOPS] */
-	async broadcastToAll(data, topic = 'gossip', HOPS) {
+	broadcastToAll(data, topic = 'gossip', HOPS) {
 		const hops = HOPS || GOSSIP.HOPS[topic] || GOSSIP.HOPS.default;
-		const serializedMessage = await this.cryptoCodex.createGossipMessage(topic, data, hops, this.peerStore.neighborsList);
+		const serializedMessage = this.cryptoCodex.createGossipMessage(topic, data, hops, this.peerStore.neighborsList);
 		if (!this.bloomFilter.addMessage(serializedMessage)) return; // avoid sending duplicate messages
 		if (this.verbose > 3) console.log(`(${this.id}) Gossip ${topic}, to ${JSON.stringify(this.peerStore.neighborsList)}: ${data}`);
 		for (const peerId of this.peerStore.neighborsList) this.#broadcastToPeer(peerId, serializedMessage);

package/core/node-services.mjs

@@ -51,12 +51,12 @@ export class NodeServices {
 	#startWebSocketServer(domain = 'localhost', port = SERVICE.PORT) {
 		this.wsServer = new TRANSPORTS.WS_SERVER({ port, host: domain });
 		this.wsServer.on('error', (error) => console.error(`WebSocket error on Node #${this.id}:`, error));
-		this.wsServer.on('connection', async (ws) => {
+		this.wsServer.on('connection', (ws) => {
 			ws.on('close', () => { if (remoteId) for (const cb of this.peerStore.callbacks.disconnect) cb(remoteId, 'in'); });
 			ws.on('error', (error) => console.error(`WebSocket error on Node #${this.id} with peer ${remoteId}:`, error.stack));
 
 			let remoteId;
-			ws.on('message', async (data) => { // When peer proves his id, we can handle data normally
+			ws.on('message', (data) => { // When peer proves his id, we can handle data normally
 				if (remoteId) for (const cb of this.peerStore.callbacks.data) cb(remoteId, data);
 				else { // FIRST MESSAGE SHOULD BE HANDSHAKE WITH ID
 					const d = new Uint8Array(data); if (d[0] > 127) return; // not unicast, ignore
@@ -68,7 +68,7 @@ export class NodeServices {
 
 					const { signatureStart, pubkey, signature } = message;
 					const signedData = d.subarray(0, signatureStart);
-					if (!await this.cryptoCodex.verifySignature(pubkey, signedData, signature)) return;
+					if (!this.cryptoCodex.verifySignature(pubkey, signedData, signature)) return;
 
 					remoteId = route[0];
 					this.peerStore.digestPeerNeighbors(remoteId, neighborsList); // Update known store
@@ -79,8 +79,7 @@ export class NodeServices {
 				}
 			});
 
-			const handshakeMsg = await this.cryptoCodex.createUnicastMessage('handshake', null, [this.id, this.id], this.peerStore.neighborsList);
-			ws.send(handshakeMsg);
+			ws.send(this.cryptoCodex.createUnicastMessage('handshake', null, [this.id, this.id], this.peerStore.neighborsList));
 		});
 	}
 	#startSTUNServer(host = 'localhost', port = SERVICE.PORT + 1) {

package/core/node.mjs

@@ -17,9 +17,9 @@ import { NodeServices } from './node-services.mjs';
  * @param {string} [options.domain] If provided, the node will operate as a public node and start necessary services (e.g., WebSocket server)
  * @param {number} [options.port] If provided, the node will listen on this port (default: SERVICE.PORT)
  * @param {number} [options.verbose] Verbosity level for logging (default: NODE.DEFAULT_VERBOSE) */
-export async function createPublicNode(options) {
+export async function createPublicNode(options = {}) {
 	const verbose = options.verbose !== undefined ? options.verbose : NODE.DEFAULT_VERBOSE;
-	const domain = options.domain || undefined;
+	const domain = options.domain || "localhost";
 	const codex = options.cryptoCodex || new CryptoCodex(undefined, verbose);
 	const clockSync = CLOCK.sync(verbose);
 	if (!codex.publicKey) await codex.generate(domain ? true : false);
@@ -82,7 +82,7 @@ export class Node {
 		const { arbiter, peerStore, messager, gossip, topologist } = this;
 
 		// SETUP TRANSPORTS LISTENERS
-		peerStore.on('signal', (peerId, data) => this.sendMessage(peerId, data, 'signal_answer')); // answer created => send it to offerer
+		peerStore.on('signal', (peerId, data) => this.sendMessage(peerId, data, { type: 'signal_answer' })); // answer created => send it to offerer
 		peerStore.on('connect', (peerId, direction) => this.#onConnect(peerId, direction));
 		peerStore.on('disconnect', (peerId, direction) => this.#onDisconnect(peerId, direction));
 		peerStore.on('data', (peerId, data) => this.#onData(peerId, data));
@@ -90,6 +90,7 @@ export class Node {
 		// UNICAST LISTENERS
 		messager.on('signal_answer', (senderId, data) => topologist.handleIncomingSignal(senderId, data));
 		messager.on('signal_offer', (senderId, data) => topologist.handleIncomingSignal(senderId, data));
+		messager.on('privacy', (senderId, data) => this.#handlePrivacy(senderId, data));
 
 		// GOSSIP LISTENERS
 		gossip.on('signal_offer', (senderId, data, HOPS) => topologist.handleIncomingSignal(senderId, data, HOPS));
@@ -108,9 +109,9 @@ export class Node {
 		
 		const isHoverNeighbored = this.peerStore.neighborsList.length >= DISCOVERY.TARGET_NEIGHBORS_COUNT + this.halfTarget;
 		const dispatchEvents = () => {
-			//this.sendMessage(peerId, this.id, 'handshake'); // send it in both case, no doubt...
+			//this.sendMessage(peerId, this.id, { type: 'handshake' }); // send it in both case, no doubt...
 			if (DISCOVERY.ON_CONNECT_DISPATCH.OVER_NEIGHBORED && isHoverNeighbored)
-				this.broadcast([], 'over_neighbored'); // inform my neighbors that I am over neighbored
+				this.broadcast([], { type: 'over_neighbored' }); // inform my neighbors that I am over neighbored
 			if (DISCOVERY.ON_CONNECT_DISPATCH.SHARE_HISTORY) 
 				if (this.peerStore.getUpdatedPeerConnectionsCount(peerId) <= 1) this.gossip.sendGossipHistoryToPeer(peerId);
 		};
@@ -160,12 +161,69 @@ export class Node {
 	}
 	
 	/** Broadcast a message to all connected peers or to a specified peer
-	 * @param {string | Uint8Array | Object} data @param {string} topic default: 'gossip' @param {string} [targetId] default: broadcast to all
-	 * @param {number} [timestamp] default: CLOCK.time @param {number} [HOPS] default: GOSSIP.HOPS[topic] || GOSSIP.HOPS.default */
-	async broadcast(data, topic, HOPS) { return this.gossip.broadcastToAll(data, topic, HOPS); }
+	 * @param {string | Uint8Array | Object} data @param {string} [targetId] default: broadcast to all
+	 * @param {number} [timestamp] default: CLOCK.time
+	 * @param {Object} [options]
+	 * @param {string} [options.type] default: 'gossip'
+	 * @param {number} [options.HOPS] default: GOSSIP.HOPS[topic] || GOSSIP.HOPS.default */
+	broadcast(data, options = {}) {
+		const { type, HOPS } = options;
+		return this.gossip.broadcastToAll(data, topic, HOPS);
+	}
 	
-	/** @param {string} remoteId @param {string | Uint8Array | Object} data @param {string} type */
-	async sendMessage(remoteId, data, type, spread = 1) { return this.messager.sendUnicast(remoteId, data, type, spread); }
+	/** Send a unicast message to a specific peer
+	 * @param {string} remoteId @param {string | Uint8Array | Object} data
+	 * @param {Object} [options]
+	 * @param {'message' | 'private_message'} [options.type] default: 'message'
+	 * @param {number} [options.spread=1] Number of neighbors used to relay the message */
+	async sendMessage(remoteId, data, options = {}) {
+		const { type, spread } = options;
+		const privacy = type === 'private_message' ? await this.getPeerPrivacy(remoteId) : null;
+		if (privacy && !privacy?.sharedSecret) {
+			this.verbose > 1 ? console.warn(`Cannot send encrypted message to ${remoteId} as shared secret could not be established.`) : null;
+			return false;
+		}
+
+		return this.messager.sendUnicast(remoteId, data, type, spread);
+	}
+	/** Send a private message to a specific peer, ensuring shared secret is established
+	 * @param {string} remoteId @param {string | Uint8Array | Object} data
+	 * @param {Object} [options]
+	 * @param {number} [options.spread=1] Number of neighbors used to relay the message */
+	async sendPrivateMessage(remoteId, data, options = {}) {
+		const o = { ...options, type: 'private_message' };
+		return this.sendMessage(remoteId, data, o);
+	}
+	// Building this function, she can be moved to another class later
+	async getPeerPrivacy(peerId, retry = 20) {
+		let p = this.peerStore.privacy[peerId];
+		if (!p) {
+			this.peerStore.privacy[peerId] = this.cryptoCodex.generateEphemeralX25519Keypair();
+			p = this.peerStore.privacy[peerId];
+		}
+
+		let nextMessageIn = 1;
+		while (!p?.sharedSecret && retry-- > 0) {
+			if (nextMessageIn-- <= 0) {
+				this.messager.sendUnicast(peerId, p.myPub, 'privacy');
+				nextMessageIn = 5;
+			}
+			await new Promise(r => setTimeout(r, 100));
+			p = this.peerStore.privacy[peerId];
+		}
+		return p;
+	}
+	/** @param {string} senderId @param {Uint8Array} peerPub */
+	#handlePrivacy(senderId, peerPub) {
+		if (this.peerStore.privacy[senderId]?.sharedSecret) return; // already have shared secret
+		
+		if (!this.peerStore.privacy[senderId])
+			this.peerStore.privacy[senderId] = this.cryptoCodex.generateEphemeralX25519Keypair();
+
+		this.peerStore.privacy[senderId].peerPub = peerPub;
+		this.peerStore.privacy[senderId].sharedSecret = this.cryptoCodex.computeX25519SharedSecret(this.peerStore.privacy[senderId].myPriv, peerPub);
+		this.messager.sendUnicast(senderId, this.peerStore.privacy[senderId].myPub, 'privacy');
+	}
 
 	/** Send a connection request to a peer */
 	async tryConnectToPeer(targetId = 'toto', retry = 10) {
@@ -174,7 +232,7 @@ export class Node {
 			const { offerHash, readyOffer } = this.peerStore.offerManager.bestReadyOffer(100, false);
 			if (!offerHash || !readyOffer) await new Promise(r => setTimeout(r, 1000)); // build in progress...
 			else {
-				this.messager.sendUnicast(targetId, { signal: readyOffer.signal, offerHash }, 'signal_offer', 1);
+				this.messager.sendUnicast(targetId, { signal: readyOffer.signal, offerHash }, 'signal_offer');
 				return;
 			}
 		} while (retry-- > 0);
@@ -201,7 +259,14 @@ export class Node {
 
 	/** Triggered when a new message is received.
 	 *  @param {function} callback can use arguments: (senderId:string, data:any) */
-	onMessageData(callback) { this.messager.on('message', callback); }
+	onMessageData(callback, includesPrivate = true) {
+		this.messager.on('message', callback);
+		if (includesPrivate) this.messager.on('private_message', callback);
+	}
+
+	/** Triggered when a new private message is received.
+	 * @param {function} callback can use arguments: (senderId:string, data:any) */
+	onPrivateMessageData(callback) { this.messager.on('private_message', callback); }
 
 	/** Triggered when a new gossip message is received.
 	 * @param {function} callback can use arguments: (senderId:string, data:any, HOPS:number) */

package/core/peer-store.mjs

@@ -20,6 +20,13 @@ export class KnownPeer { // known peer, not necessarily connected
 	}
 }
 
+class Privacy {
+	/** @type {Uint8Array} */ 	sharedSecret;
+	/** @type {Uint8Array} */ 	myPub;
+	/** @type {Uint8Array} */ 	myPriv;
+	/** @type {Uint8Array} */	peerPub;
+}
+
 export class PeerConnection { // WebSocket or WebRTC connection wrapper
 	peerId; transportInstance; isWebSocket; direction; pendingUntil; connStartTime;
 
@@ -46,6 +53,7 @@ export class PeerStore { // Manages all peers informations and connections (WebS
 	/** @type {Record<string, PeerConnection>} */ 	connected = {};
 	/** @type {Record<string, KnownPeer>} */ 	  	known = {}; // known peers store
 	/** @type {number} */							knownCount = 0;
+	/** @type {Record<string, Privacy>} */ 			privacy = {}; // peerId, Privacy settings
 	/** @type {Record<string, number>} */ 			kick = {}; // peerId, timestamp until kick expires
 	/** @type {Record<string, Function[]>} */ 		callbacks = {
 		'connect': [(peerId, direction) => this.#handleConnect(peerId, direction)],

package/core/topologist.mjs

@@ -169,13 +169,13 @@ export class Topologist {
 		let remoteId = null;
 		const ws = new TRANSPORTS.WS_CLIENT(this.#getFullWsUrl(publicUrl)); ws.binaryType = 'arraybuffer';
 		ws.onerror = (error) => console.error(`WebSocket error:`, error.stack);
-		ws.onopen = async () => {
+		ws.onopen = () => {
 			this.bootstrapsConnectionState.set(publicUrl, true);
 			ws.onclose = () => {
 				this.bootstrapsConnectionState.set(publicUrl, false);
 				for (const cb of this.peerStore.callbacks.disconnect) cb(remoteId, 'out');
 			}
-			ws.onmessage = async (data) => {
+			ws.onmessage = (data) => {
 				if (remoteId) for (const cb of this.peerStore.callbacks.data) cb(remoteId, data.data);
 				else { // FIRST MESSAGE SHOULD BE HANDSHAKE WITH ID
 					const d = new Uint8Array(data.data); if (d[0] > 127) return; // not unicast, ignore
@@ -187,7 +187,7 @@ export class Topologist {
 
 					const { signatureStart, pubkey, signature } = message;
 					const signedData = d.subarray(0, signatureStart);
-					if (!await this.cryptoCodex.verifySignature(pubkey, signedData, signature)) return;
+					if (!this.cryptoCodex.verifySignature(pubkey, signedData, signature)) return;
 
 					remoteId = route[0];
 					this.peerStore.digestPeerNeighbors(remoteId, neighborsList); // Update known store
@@ -197,8 +197,8 @@ export class Topologist {
 					for (const cb of this.peerStore.callbacks.connect) cb(remoteId, 'out');
 				}
 			};
-			const handshakeMsg = await this.cryptoCodex.createUnicastMessage('handshake', null, [this.id, this.id], this.peerStore.neighborsList);
-			ws.send(handshakeMsg);
+
+			ws.send(this.cryptoCodex.createUnicastMessage('handshake', null, [this.id, this.id], this.peerStore.neighborsList));
 		};
 	}
 	#tryToSpreadSDP(nonPublicNeighborsCount = 0, isHalfReached = false) { // LOOP TO SELECT ONE UNSEND READY OFFER AND BROADCAST IT
@@ -252,7 +252,7 @@ export class Topologist {
 			if (sentTo.has(peerId)) continue;
 			if (sentTo.size === 0) readyOffer.sentCounter++;
 			sentTo.set(peerId, true);
-			this.messager.sendUnicast(peerId, { signal: readyOffer.signal, offerHash }, 'signal_offer', 1);
+			this.messager.sendUnicast(peerId, { signal: readyOffer.signal, offerHash }, 'signal_offer');
 			if (sentTo.size >= 12) break; // limit to 12 unicast max
 		}
 	}

package/core/unicast.mjs

@@ -75,16 +75,14 @@ export class UnicastMessager {
 	}
 	/** Send unicast message to a target
 	 * @param {string} remoteId @param {string | Uint8Array | Object} data @param {string} type
-	 * @param {number} [spread] Max neighbors used to relay the message, default: 1 */
-	async sendUnicast(remoteId, data, type = 'message', spread = 1) {
+	 * @param {number} [spread] *Optional* Max neighbors used to relay the message, default: 1 */
+	sendUnicast(remoteId, data, type = 'message', spread = 1) {
 		if (remoteId === this.id) return false;
 
 		const builtResult = this.pathFinder.buildRoutes(remoteId, this.maxRoutes, this.maxHops, this.maxNodes, true);
 		if (!builtResult.success) return false;
-
-		// Caution: re-routing usage who can involve insane results
-		const destinations = [];
-		const createdMessagePromises = [];
+		
+		const encryptionKey = type === 'private_message' ? this.peerStore.privacy[remoteId]?.sharedSecret : undefined;
 		const finalSpread = builtResult.success === 'blind' ? 1 : spread; // Spread only if re-routing is false
 		for (let i = 0; i < Math.min(finalSpread, builtResult.routes.length); i++) {
 			const route = builtResult.routes[i].path;
@@ -92,14 +90,10 @@ export class UnicastMessager {
 				if (this.verbose > 1) console.warn(`Cannot send unicast message to ${remoteId} as route exceeds maxHops (${UNICAST.MAX_HOPS}). BFS incurred.`);
 				continue; // too long route
 			}
-			
-			destinations.push(route[1]); // send to next peer
-			createdMessagePromises.push(this.cryptoCodex.createUnicastMessage(type, data, route, this.peerStore.neighborsList));
+
+			const msg = this.cryptoCodex.createUnicastMessage(type, data, route, this.peerStore.neighborsList, encryptionKey);
+			this.#sendMessageToPeer(route[1], msg);
 		}
-		
-		const createdMessages = await Promise.all(createdMessagePromises);
-		for (let i = 0; i < createdMessages.length; i++)
-			this.#sendMessageToPeer(destinations[i], createdMessages[i]);
 		return true;
 	}
 	/** @param {string} targetId @param {Uint8Array} serialized */
@@ -119,7 +113,7 @@ export class UnicastMessager {
 		if (this.arbiter.isBanished(from)) return this.verbose >= 3 ? console.info(`%cReceived direct message from banned peer ${from}, ignoring.`, 'color: red;') : null;
 		if (!this.arbiter.countMessageBytes(from, serialized.byteLength, 'unicast')) return; // ignore if flooding/banished
 
-		const message = this.cryptoCodex.readUnicastMessage(serialized);
+		const message = this.cryptoCodex.readUnicastMessage(serialized, this.peerStore);
 		if (!message) return this.arbiter.countPeerAction(from, 'WRONG_SERIALIZATION');
 		const isOk = await this.arbiter.digestMessage(from, message, serialized);
 		if (!isOk) return; // invalid message or from banished peer
@@ -155,7 +149,7 @@ export class UnicastMessager {
 				return; // too long route
 			}
 				
-			const patchedMessage = await this.cryptoCodex.createReroutedUnicastMessage(serialized, newRoute);
+			const patchedMessage = this.cryptoCodex.createReroutedUnicastMessage(serialized, newRoute);
 			const nextPeerId = newRoute[selfPosition + 1];
 			this.#sendMessageToPeer(nextPeerId, patchedMessage);
 		}