Encryption
Your Content Can't Be Followed
Mainframe provides protocols for one-to-one and one-to-many encryption. Each Mainframe node has an asymmetric key pair associated with it, which the node uses to decrypt packets intended for it. When one node wishes to send a packet to another, it encrypts the packet using the public key of the intended recipient node, or a pre-arranged shared key. Forward secrecy is ensured by additional ephemeral symmetric keys. The receiving node’s public key is obtained from a prior exchange of contact information that occurs out-of-band, such as by consulting a directory of contacts, or from a direct exchange of public keys between individuals. Packet encryption is an integral part of Mainframe's transport protocols and cannot be circumvented.
Packets intended for multiple nodes can be sent in multicast mode. This allows the sender and nodes routing multicast packets to send a single packet instead of duplicates along any route that will reach two or more of the intended recipients. Mainframe provides protocols for shared key negotiation so that multicast packets can be encrypted only once for multiple recipient nodes. This mode of operation is intended for high-performance applications requiring moderate security, as multiple destination addresses are revealed in packet metadata. It can also be combined with dark routing.
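The encrypt-once multicast idea described above, as an added example that is not Mainframe's own code or wire format: the payload is encrypted a single time under a random content key, and that key is wrapped separately for each recipient. Assumptions: the page names no algorithms, so X25519, HKDF-SHA256 and AES-256-GCM are stand-ins, per-recipient key wrapping stands in for Mainframe's shared key negotiation, and all function and field names are hypothetical.

```javascript
// Added illustration only; NOT Mainframe's protocol. Primitives are assumed.
const crypto = require('node:crypto');

// Derive a key-wrapping key from an X25519 shared secret.
function wrapKey(privateKey, publicKey) {
  const secret = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'multicast-wrap', 32));
}

// AES-256-GCM with the recipient list bound in as associated data.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.iv);
  d.setAAD(aad);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws if tampered
}

// Encrypt the payload once; wrap the content key separately for each recipient.
function sendMulticast(recipients, payload) {
  const eph = crypto.generateKeyPairSync('x25519'); // fresh key pair per packet
  const contentKey = crypto.randomBytes(32);
  const ids = Object.keys(recipients).sort();
  // The recipient list travels in clear (visible metadata) but is authenticated.
  const aad = Buffer.from(ids.join(','));
  const wrapped = {};
  for (const id of ids) {
    wrapped[id] = seal(wrapKey(eph.privateKey, recipients[id]), contentKey, aad);
  }
  return { ephPub: eph.publicKey, ids, wrapped, body: seal(contentKey, Buffer.from(payload), aad) };
}

function receiveMulticast(id, privateKey, pkt) {
  if (!pkt.wrapped[id]) throw new Error('not a recipient');
  const aad = Buffer.from(pkt.ids.join(','));
  const contentKey = open(wrapKey(privateKey, pkt.ephPub), pkt.wrapped[id], aad);
  return open(contentKey, pkt.body, aad).toString();
}
```

The `ids` field is what an on-path observer sees, which is the metadata exposure the paragraph above attributes to multicast mode.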

