\documentclass[11pt,a4paper]{article}

\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{lmodern}
\usepackage[margin=2.5cm]{geometry}
\usepackage{amsmath,amssymb}
\usepackage{graphicx}
\usepackage{booktabs}
\usepackage{tabularx}
\usepackage{hyperref}
\usepackage{listings}
\usepackage{xcolor}
\usepackage{enumitem}
\usepackage{float}
\usepackage{url}

\hypersetup{
  colorlinks=true,
  linkcolor=blue!60!black,
  citecolor=green!50!black,
  urlcolor=blue!70!black,
}

\lstset{
  basicstyle=\ttfamily\small,
  breaklines=true,
  frame=single,
  framerule=0.4pt,
  rulecolor=\color{gray!50},
  backgroundcolor=\color{gray!5},
  numbers=left,
  numberstyle=\tiny\color{gray},
  numbersep=6pt,
  columns=fullflexible,
  keepspaces=true,
  xleftmargin=1.5em,
  xrightmargin=0.5em,
}

\newcommand{\fapp}{\textsc{Fapp}}
\newcommand{\qpq}{\textsc{QuicProQuo}}
\newcommand{\cbor}{\textsc{Cbor}}

\title{\textbf{FAPP: A Privacy-Preserving Decentralized Protocol\\for Psychotherapy Appointment Discovery}}

\author{
  Christian Nennemann\\
  Independent Researcher\\
  \texttt{write@nennemann.de}
}

\date{April 2026}

\begin{document}

\maketitle

\begin{abstract}
In Germany, patients seeking psychotherapy face wait times of three to six months,
driven in part by structural opacity in the appointment allocation system of the
\emph{Kassenärztliche Vereinigung} (KV).  We present FAPP (Free Appointment
Propagation Protocol), a decentralized protocol that enables licensed
psychotherapists to announce free appointment slots into a mesh network, where
patients can discover and reserve them anonymously.  FAPP implements an
\emph{asymmetric privacy model}: therapist identities are public and
cryptographically bound to their professional license (Approbation), while
patient queries carry no identifying information.  Reservations are end-to-end
encrypted using X25519 Diffie--Hellman key agreement with ChaCha20-Poly1305
authenticated encryption, ensuring that only the intended therapist can read
patient contact information.  The protocol is transport-agnostic, supporting
QUIC, TCP, and LoRa links through the \qpq{} mesh networking stack.  We
describe the protocol design, analyze its security properties against a
realistic adversary model grounded in German healthcare regulation, and
discuss deployment considerations for a real-world pilot.
\end{abstract}

\medskip
\noindent\textbf{Keywords:} decentralized healthcare, privacy-preserving discovery, mesh networking, psychotherapy access, appointment scheduling

% ===========================================================================
\section{Introduction}
\label{sec:intro}
% ===========================================================================

Mental disorders affect approximately 27.8\% of the adult population in Germany
in any given year~\cite{jacobi2014psychische}, yet the infrastructure for
connecting patients with psychotherapists remains rooted in centralized,
opaque systems.  The Kassenärztliche Vereinigung (KV)---the self-governing
body of statutory health insurance physicians---operates a \emph{Terminservicestelle}
(appointment referral service) reachable via the national number
116117~\cite{terminservice116117}.  Studies by the Bundespsychotherapeutenkammer
(BPtK) consistently report average wait times of three to six months between
initial contact and the first therapeutic session~\cite{bpt2022wartezeiten},
with the situation worsening for child and adolescent psychotherapy and in
rural regions.

The structural problem is one of \emph{visibility}.  A therapist with a free
50-minute slot next Tuesday has no efficient channel to make this slot
discoverable to the patients who need it.  The KV's 116117 system operates
on a referral basis with limited real-time slot data.  Commercial platforms
such as Doctolib~\cite{doctolib2024} aggregate some appointment data but
require therapists to opt in, charge fees, and track patient search
behavior~\cite{bpt2024versorgung}.  The KBV's own physician search
portal~\cite{kbvarztsuche} provides practice information but not real-time
slot availability.  None of these systems allow patients to search
\emph{anonymously}---a property of particular importance in mental health,
where the mere act of searching for a therapist can carry stigma.

We propose FAPP (Free Appointment Propagation Protocol), a decentralized
protocol designed to address this specific gap.  FAPP operates over the
\qpq{} mesh network~\cite{rfc9000}, enabling therapists to announce free
appointment slots and patients to discover them without any central server,
registration, or identity disclosure.  The protocol enforces an
\emph{asymmetric privacy model}: therapists, as licensed professionals
(\emph{Approbation}, regulated under SGB~V \S\S~92, 95~\cite{sgbv2024}),
operate with public, verifiable identities, while patients enjoy query-level
anonymity.  Reservation messages are end-to-end encrypted so that
intermediary mesh nodes cannot observe patient contact information.

The contributions of this paper are:
\begin{enumerate}[nosep]
  \item A complete protocol specification for decentralized, privacy-preserving
        appointment discovery tailored to the German psychotherapy system
        (Section~\ref{sec:protocol}).
  \item An asymmetric privacy model with formal threat analysis grounded in
        German healthcare regulation (Sections~\ref{sec:threat} and~\ref{sec:security}).
  \item A transport-agnostic design that operates over QUIC, TCP, and LoRa
        mesh links (Section~\ref{sec:transport}).
  \item An open-source reference implementation in Rust with 222~passing
        tests, including 31~FAPP-specific integration tests.
\end{enumerate}

% ===========================================================================
\section{Related Work}
\label{sec:related}
% ===========================================================================

\paragraph{Centralized appointment platforms.}
Doctolib~\cite{doctolib2024} is the dominant commercial appointment platform
in Germany and France, offering real-time booking for physicians including
some psychotherapists.  The KV's 116117 Terminservicestelle~\cite{terminservice116117}
provides telephone and online appointment referral mandated by
SGB~V~\S~75.  Both systems are centralized: they require therapists to
register, maintain a server-side database of slots, and---critically---record
patient search queries, creating a correlation between identity and mental
health need.  FAPP differs fundamentally by eliminating the central database and
enabling anonymous discovery.

\paragraph{Decentralized healthcare data systems.}
Research on patient-controlled health records~\cite{mandl2007indivo} has
explored decentralized architectures where patients hold their own data.
Content-addressed storage systems like IPFS~\cite{benet2014ipfs} have been
proposed for medical record sharing.  However, these focus on record
\emph{storage} rather than real-time \emph{service discovery}, and none
address the specific problem of appointment slot propagation in a
privacy-preserving manner.

\paragraph{Mesh networking for constrained environments.}
Meshtastic~\cite{meshtastic2023} provides LoRa-based mesh networking for
text messaging with basic encryption.  Reticulum~\cite{reticulum2023}
offers a cryptographic networking stack supporting multiple transport
layers including LoRa, with a focus on resilience.  Briar~\cite{briar2017}
implements delay-tolerant, peer-to-peer messaging with Tor integration for
censorship resistance.  FAPP draws architectural inspiration from these
systems---particularly Reticulum's transport abstraction and Briar's
store-and-forward model---but adds domain-specific semantics for appointment
discovery, structured query matching, and a therapist verification framework
absent from general-purpose mesh protocols.

\paragraph{Privacy-preserving discovery.}
Anonymous communication systems, from onion routing~\cite{goldschlag1996onion}
to Mixminion~\cite{danezis2003mixminion}, provide sender anonymity at the
network layer.  Off-the-Record messaging~\cite{borisov2004offrecord} achieves
deniability and forward secrecy in point-to-point communication.
MLS~\cite{rfc9420} extends these properties to group settings.  FAPP's
privacy model is narrower but operationally distinct: rather than hiding
\emph{all} participants, it deliberately exposes therapist identity (as
required by professional regulation) while protecting patient anonymity.
This asymmetric model, while simpler than full anonymity systems, aligns
precisely with the regulatory and social requirements of psychotherapy
access.

% ===========================================================================
\section{Threat Model and Privacy Requirements}
\label{sec:threat}
% ===========================================================================

\subsection{Asymmetric Privacy Model}

FAPP's privacy model reflects the inherent asymmetry of the
therapist--patient relationship in German healthcare law:

\begin{description}[nosep,leftmargin=1.5em]
  \item[Therapist identity is public.] Psychotherapists in Germany hold an
    \emph{Approbation} (professional license) issued by the state health
    authority.  Their practice is listed in KV registries.  FAPP
    binds each therapist's mesh identity to their Approbation via a
    SHA-256 hash of the credential number, creating accountability
    without exposing the raw number to the mesh.

  \item[Patient queries are anonymous.] A \texttt{SlotQuery} message
    contains only search filters (specialization, insurance type, postal
    code prefix, time range) and a random correlation ID.  No patient
    identity, device fingerprint, or return address is attached.
    Only when a patient \emph{chooses} to reserve a slot does an encrypted
    channel to the therapist emerge.
\end{description}

\subsection{Adversary Model}

We consider the following adversary capabilities:

\begin{enumerate}[nosep]
  \item \textbf{Passive network observer.} An adversary who can observe all
    mesh traffic on links they control.  They can see message sizes, timing,
    and CBOR-encoded (but not encrypted) FAPP frames for \texttt{SlotAnnounce}
    and \texttt{SlotQuery} messages.  They cannot observe the content of
    \texttt{SlotReserve} or \texttt{SlotConfirm} payloads, which are
    end-to-end encrypted.

  \item \textbf{Malicious relay node.} A relay node with \texttt{CAP\_FAPP\_RELAY}
    that faithfully participates in message propagation but attempts to
    correlate queries with reservations or de-anonymize patients.

  \item \textbf{Fake therapist.} An adversary who generates an Ed25519 keypair
    and publishes \texttt{SlotAnnounce} messages with fabricated Approbation
    hashes, attempting to collect patient contact data.

  \item \textbf{Denial-of-service attacker.} An adversary who floods the mesh
    with spurious \texttt{SlotAnnounce} or \texttt{SlotQuery} messages to
    exhaust relay storage or bandwidth.
\end{enumerate}

We explicitly exclude the following from our threat model:
\begin{itemize}[nosep]
  \item Global passive adversaries who observe all mesh links simultaneously.
  \item Adversaries who compromise a therapist's long-term Ed25519 private key.
  \item Physical-layer attacks on LoRa radio (jamming, direction finding).
\end{itemize}

\subsection{Legal Context}

The protocol operates within the German healthcare regulatory framework:

\begin{itemize}[nosep]
  \item \textbf{Approbation} (PsychThG \S~1): Psychotherapists require a
    state-issued license.  FAPP's therapist verification levels are designed
    to interoperate with this credential system.
  \item \textbf{Bedarfsplanung} (SGB~V \S~101): Regional capacity planning
    determines the number of licensed therapy seats per area.  FAPP does
    not circumvent this system; it improves the visibility of slots within
    it.
  \item \textbf{Patient data protection} (GDPR, BDSG): Patient search behavior
    constitutes health-related personal data under GDPR Art.~9.
    FAPP's anonymous query design avoids generating this data category
    entirely---a property no centralized platform can offer.
  \item \textbf{Fernbehandlung} (MBO-{\"A} \S~7): Telemedicine regulations
    require an initial in-person contact for some therapy modalities.
    FAPP's \texttt{Modalitaet} field distinguishes in-person, video, and
    hybrid sessions, supporting compliance-aware search.
\end{itemize}

% ===========================================================================
\section{Protocol Design}
\label{sec:protocol}
% ===========================================================================

\subsection{Overview}

FAPP defines five message types that together implement a complete
appointment discovery and reservation lifecycle:

\begin{enumerate}[nosep]
  \item \textbf{SlotAnnounce}: Therapist publishes available time slots.
  \item \textbf{SlotQuery}: Patient searches for matching slots (anonymous).
  \item \textbf{SlotResponse}: Relay or therapist returns matching results.
  \item \textbf{SlotReserve}: Patient claims a slot (E2E encrypted to therapist).
  \item \textbf{SlotConfirm}: Therapist confirms or rejects the reservation.
\end{enumerate}

\noindent The first three messages are \emph{cleartext} within the mesh (though
protected by transport-layer encryption on each hop).  The last two carry
end-to-end encrypted payloads that intermediary nodes cannot read.

\subsection{Capability Flags}

FAPP extends the mesh announce protocol's capability bitfield with three
flags that allow nodes to declare their role:

\begin{center}
\begin{tabular}{llp{7cm}}
\toprule
\textbf{Flag} & \textbf{Value} & \textbf{Semantics} \\
\midrule
\texttt{CAP\_FAPP\_THERAPIST} & \texttt{0x0100} & Node is a licensed
  therapist that publishes \texttt{SlotAnnounce} messages. \\
\texttt{CAP\_FAPP\_RELAY} & \texttt{0x0200} & Node caches
  \texttt{SlotAnnounce}s and answers \texttt{SlotQuery} messages from
  its local store. \\
\texttt{CAP\_FAPP\_PATIENT} & \texttt{0x0400} & Node can issue anonymous
  \texttt{SlotQuery} and \texttt{SlotReserve} messages. \\
\bottomrule
\end{tabular}
\end{center}

\noindent A single node may combine flags---for example, a relay operated by
a patient advocacy group would set both \texttt{CAP\_FAPP\_RELAY} and
\texttt{CAP\_FAPP\_PATIENT}.

\subsection{Message Specifications}

\subsubsection{SlotAnnounce}

A \texttt{SlotAnnounce} carries the therapist's available time slots
along with metadata needed for discovery and verification.  Its fields
are:

\begin{itemize}[nosep]
  \item \texttt{id}: 16-byte unique identifier, derived as
    $\texttt{SHA-256}(\texttt{therapist\_address} \| \texttt{sequence})[0..16]$.
  \item \texttt{therapist\_address}: 16-byte truncated mesh address,
    computed as $\texttt{SHA-256}(\texttt{Ed25519\_pubkey})[0..16]$.
  \item \texttt{fachrichtung}: List of therapy specializations
    (\emph{Verhaltenstherapie}, \emph{Tiefenpsychologisch fundiert},
    \emph{Analytisch}, \emph{Systemisch}, \emph{Kinder-/Jugend}).
  \item \texttt{modalitaet}: Session modalities
    (\emph{Praxis}, \emph{Video}, \emph{Hybrid}).
  \item \texttt{kostentraeger}: Accepted insurance types
    (\emph{GKV}, \emph{PKV}, \emph{Selbstzahler}).
  \item \texttt{location\_hint}: Postal code (PLZ) only; never an exact address.
  \item \texttt{slots}: Vector of \texttt{TimeSlot} records, each containing
    \texttt{start\_unix} (Unix seconds), \texttt{duration\_minutes} (typically
    50 or 25), and \texttt{slot\_type} (\emph{Erstgespräch},
    \emph{Probatorik}, \emph{Therapie}, \emph{Akut}).
  \item \texttt{approbation\_hash}: SHA-256 of the therapist's Approbation
    number, binding the mesh identity to a real-world credential.
  \item \texttt{profile\_url}: Optional URL to the therapist's public profile
    (practice website, Jameda, KBV listing) for out-of-band verification.
  \item \texttt{sequence}: Monotonically increasing counter per therapist,
    used for deduplication and supersession of older announcements.
  \item \texttt{ttl\_hours}: Time-to-live (default: 168 hours = 7 days).
  \item \texttt{timestamp}: Unix seconds at creation.
  \item \texttt{signature}: Ed25519 signature over all fields except
    \texttt{signature} and \texttt{hop\_count}.
  \item \texttt{hop\_count}, \texttt{max\_hops}: Current and maximum
    propagation depth (default max: 8 hops).
\end{itemize}

The signature covers a deterministic byte serialization of all non-excluded
fields, using fixed-width enum indices and \texttt{0xFF} separators between
variable-length sections.  Forwarding nodes increment \texttt{hop\_count}
without re-signing---a design shared with the underlying mesh announce
protocol.

\subsubsection{SlotQuery}

A \texttt{SlotQuery} enables patients to search for available slots without
revealing their identity:

\begin{itemize}[nosep]
  \item \texttt{query\_id}: 16 random bytes for response correlation.
  \item \texttt{fachrichtung}, \texttt{modalitaet}, \texttt{kostentraeger}:
    Optional filters narrowing search results.
  \item \texttt{plz\_prefix}: Optional postal code prefix (e.g.,
    \texttt{"80"} for the Munich area), enabling geographic filtering
    without revealing the patient's exact location.
  \item \texttt{earliest}, \texttt{latest}: Optional Unix-second bounds
    on acceptable appointment times.
  \item \texttt{slot\_type}: Optional filter by appointment type.
  \item \texttt{max\_results}: Maximum number of results requested.
\end{itemize}

\noindent No patient address, key, or identity material appears in the query.
The \texttt{query\_id} is random and single-use, providing no linkability
across queries.

\subsubsection{SlotResponse}

A \texttt{SlotResponse} contains the \texttt{query\_id} from the
originating query and a vector of matching \texttt{SlotAnnounce} records.
Full announce records are included so the patient can independently verify
each therapist's Ed25519 signature and Approbation hash binding.

\subsubsection{SlotReserve}
\label{sec:reserve}

When a patient selects a slot, they construct a \texttt{SlotReserve}
message containing:

\begin{itemize}[nosep]
  \item \texttt{slot\_announce\_id}: Reference to the target
    \texttt{SlotAnnounce}.
  \item \texttt{slot\_index}: Index into the announce's slot vector.
  \item \texttt{patient\_ephemeral\_key}: A fresh X25519 public key
    generated for this reservation.
  \item \texttt{encrypted\_contact}: Patient contact information, encrypted
    to the therapist's X25519 public key (derived from their Ed25519
    identity via standard birational mapping).
\end{itemize}

\noindent The encryption scheme is detailed in Section~\ref{sec:crypto}.

\subsubsection{SlotConfirm}

The therapist's response contains:

\begin{itemize}[nosep]
  \item \texttt{slot\_announce\_id}, \texttt{slot\_index}: Identifies the
    reserved slot.
  \item \texttt{confirmed}: Boolean acceptance or rejection.
  \item \texttt{encrypted\_details}: Appointment details (room, address,
    instructions), encrypted to the patient's ephemeral key.
  \item \texttt{therapist\_ephemeral\_key}: A fresh X25519 key generated for
    this confirmation, providing forward secrecy.
\end{itemize}

\subsection{Cryptographic Construction}
\label{sec:crypto}

The E2E encryption for \texttt{SlotReserve} and \texttt{SlotConfirm}
follows a standard ECDH + KDF + AEAD pattern:

\paragraph{Key agreement.}
The patient generates an ephemeral X25519 keypair
$(sk_P, pk_P)$~\cite{rfc7748}.  The therapist's X25519 public key $pk_T$
is derived from their Ed25519 identity key via the standard birational map.
The shared secret is computed as:
\[
  ss = \text{X25519}(sk_P, pk_T)
\]

\paragraph{Key derivation.}
A 32-byte symmetric key is derived using HKDF-SHA256~\cite{rfc5869,hkdf2010krawczyk}:
\[
  k = \text{HKDF-Expand}(ss, \texttt{"fapp-reserve-v1"}, 32)
\]
For confirmations, the context string is \texttt{"fapp-confirm-v1"} and
the therapist generates a fresh ephemeral keypair, ensuring forward
secrecy even if the therapist's long-term key is later compromised.

\paragraph{Authenticated encryption.}
Plaintext is encrypted with ChaCha20-Poly1305~\cite{rfc8439,bernstein2012chacha}
using a random 12-byte nonce.  The ciphertext format is:
\[
  \texttt{nonce}_{12} \| \texttt{ciphertext} \| \texttt{tag}_{16}
\]
This construction provides IND-CCA2 security under standard assumptions.

\subsection{Wire Format}

All FAPP messages are serialized with CBOR (Concise Binary Object
Representation, RFC~8949~\cite{rfc8949}), consistent with the \qpq{}
mesh envelope and announce formats.  On the wire, each FAPP frame is
prefixed with a single-byte tag identifying the message type:

\begin{center}
\begin{tabular}{cl}
\toprule
\textbf{Tag} & \textbf{Message Type} \\
\midrule
\texttt{0x01} & \texttt{SlotAnnounce} \\
\texttt{0x02} & \texttt{SlotQuery} \\
\texttt{0x03} & \texttt{SlotResponse} \\
\texttt{0x04} & \texttt{SlotReserve} \\
\texttt{0x05} & \texttt{SlotConfirm} \\
\bottomrule
\end{tabular}
\end{center}

\noindent CBOR was chosen over Protocol Buffers or JSON for three reasons:
(1)~self-describing format requiring no schema negotiation, (2)~compact
binary encoding suitable for LoRa's constrained bandwidth, and (3)~existing
use throughout the \qpq{} mesh stack, avoiding a second serialization
dependency.

\subsection{Propagation Rules}

\texttt{SlotAnnounce} messages propagate via controlled flooding:

\begin{enumerate}[nosep]
  \item A relay node receiving an announce checks \texttt{hop\_count} $<$
    \texttt{max\_hops} and \texttt{timestamp} + \texttt{ttl\_hours} $>$
    current time.  Failing either check, the message is dropped.
  \item The announce is deduplicated against a bounded set of seen IDs
    (capacity: 50{,}000).  Duplicate IDs are silently dropped.
  \item Sequence-based supersession: if the relay has seen a higher
    \texttt{sequence} from the same \texttt{therapist\_address}, the
    incoming announce is rejected.
  \item If the relay has the therapist's public key, the Ed25519 signature
    is verified.  Invalid signatures cause immediate rejection.
  \item The announce is stored in the relay's \texttt{FappStore} (bounded
    to 10{,}000 total entries and 50 per therapist) and re-broadcast with
    \texttt{hop\_count} incremented.
\end{enumerate}

\texttt{SlotQuery} messages propagate similarly but with shorter effective
TTLs.  Relay nodes that hold matching \texttt{SlotAnnounce} records in
their local store respond directly, reducing query propagation depth.

% ===========================================================================
\section{Mesh Transport Integration}
\label{sec:transport}
% ===========================================================================

FAPP is transport-agnostic by design.  It produces and consumes byte
frames; the underlying \qpq{} mesh stack handles routing, fragmentation,
and transport selection.

\subsection{Transport Layer Architecture}

The \qpq{} mesh provides three transport backends through a unified
\texttt{TransportManager} abstraction:

\begin{description}[nosep,leftmargin=1.5em]
  \item[QUIC (primary).] QUIC over UDP~\cite{rfc9000} with TLS~1.3 mutual
    authentication.  Used for high-bandwidth links between nodes with
    internet connectivity.  Each mesh connection uses the ALPN identifier
    \texttt{quicprochat/mesh/1}.

  \item[TCP (fallback).] Length-prefixed TCP streams for environments where
    UDP is blocked or NAT traversal fails.  Provides reliable, ordered
    delivery at the cost of head-of-line blocking.

  \item[LoRa (constrained).] Sub-GHz radio links using LoRa modulation
    (EU868 band)~\cite{lora2015semtech} for infrastructure-independent
    operation.  Subject to ETSI EN~300~220 duty cycle limits (1\% in the
    868.0--868.6~MHz sub-band)~\cite{eu868dutycycle}.
\end{description}

\noindent The \texttt{TransportManager} selects the transport based on the
destination address type and provides automatic capability classification
(Unconstrained, Medium, Constrained, Severely\-Constrained) that influences
cryptographic mode selection.

\subsection{Hop-Based Propagation}

FAPP messages propagate through the mesh as payloads inside
\texttt{Mesh\-Envelope} containers.  Each envelope carries:

\begin{itemize}[nosep]
  \item Source and destination 16-byte truncated addresses.
  \item TTL counter decremented at each hop.
  \item Ed25519 signature (for authenticity, not confidentiality).
  \item Nonce for replay detection.
\end{itemize}

\noindent The mesh router maintains a \texttt{RoutingTable} with entries
learned from periodic \texttt{MeshAnnounce} messages.  For FAPP's flooding
pattern, outbound frames are sent to all known next-hop addresses
(\emph{flood fan-out}).

\subsection{Deduplication and Store-and-Forward}

Deduplication operates at two levels:

\begin{enumerate}[nosep]
  \item \textbf{Envelope level.} The mesh router tracks seen envelope nonces
    in a bounded set, preventing the same envelope from being forwarded
    twice.
  \item \textbf{FAPP level.} The \texttt{FappStore} tracks seen announce IDs
    (bounded to 50{,}000 entries with FIFO eviction) and per-therapist
    sequence numbers.  An announce with a sequence number lower than the
    last seen value for that therapist is rejected immediately.
\end{enumerate}

\noindent Store-and-forward is handled by the \texttt{MeshStore}, which queues
messages for offline recipients and delivers them upon reconnection.  This
is particularly relevant for therapist nodes that may only be online during
practice hours.

\subsection{Location Hints and PLZ-Based Filtering}

FAPP uses German postal codes (PLZ) as coarse location hints.  The
five-digit PLZ system provides geographic granularity at the city or
district level without revealing exact addresses.  Query-time filtering
on PLZ prefixes allows geographic scoping:

\begin{itemize}[nosep]
  \item \texttt{"8"}: all of Bavaria and parts of Baden-Württemberg.
  \item \texttt{"80"}: Munich metropolitan area.
  \item \texttt{"803"}: central Munich districts.
\end{itemize}

\noindent This prefix-based approach lets patients control the trade-off between
geographic precision and result volume without disclosing their own
location.

\subsection{LoRa Considerations}

LoRa links impose severe bandwidth constraints.  At SF12/BW125 (the
most resilient configuration), the effective payload per frame is
approximately 51 bytes~\cite{lora2015semtech}.  Measured FAPP message
sizes in the reference implementation are:

\begin{center}
\begin{tabular}{lrl}
\toprule
\textbf{Message} & \textbf{CBOR Size} & \textbf{SF12 Fragments} \\
\midrule
\texttt{SlotAnnounce} (2 slots) & $\sim$320 bytes & 7 \\
\texttt{SlotQuery} (all filters) & $\sim$90 bytes & 2 \\
\texttt{SlotReserve} & $\sim$110 bytes & 3 \\
\texttt{SlotConfirm} & $\sim$100 bytes & 2 \\
\bottomrule
\end{tabular}
\end{center}

\noindent The \qpq{} LoRa transport handles fragmentation and reassembly
transparently, with a \texttt{DutyCycleTracker} enforcing EU868 1\%
duty cycle compliance.  At SF12, transmitting a full \texttt{SlotAnnounce}
takes approximately 14 seconds of airtime, consuming roughly 0.4\% of the
hourly duty budget.  This is viable for low-frequency announcements but
precludes real-time query--response interactions over LoRa alone.
A practical deployment would use LoRa for announce propagation in
areas without internet connectivity, with queries flowing over
QUIC or TCP where available.

% ===========================================================================
\section{Security Analysis}
\label{sec:security}
% ===========================================================================

\subsection{Patient Anonymity}

\texttt{SlotQuery} messages contain no patient-identifying information:
no return address, no public key, no device fingerprint.  The
\texttt{query\_id} is a random 16-byte value generated per query,
providing no cross-query linkability.

\emph{Limitation:} In the current design, a relay node can observe
\emph{which incoming link} a query arrived on, potentially correlating
it with a directly connected patient node.  Mitigations include
multi-hop query forwarding (where intermediate nodes strip source
information) and cover traffic.  The return path for responses is
discussed as future work in Section~\ref{sec:future}.

\subsection{Therapist Verification}
\label{sec:verification}

FAPP provides three verification levels for therapist identity:

\begin{description}[nosep,leftmargin=1.5em]
  \item[Level 0: Mesh signature only.]
    The therapist's \texttt{SlotAnnounce} is signed with their Ed25519 key.
    This proves control of the corresponding mesh identity but does not bind
    it to a real-world person.  The \texttt{approbation\_hash} field
    (SHA-256 of the Approbation number) creates a commitment but is not
    independently verifiable at this level, since an attacker could
    fabricate a hash.

  \item[Level 1: Endorsement by trusted relays.]
    Trusted relay nodes---operated, for example, by patient advocacy
    organizations (\emph{Unabhängige Patientenberatung})---can sign
    \texttt{Endorsement} records attesting to a therapist's identity after
    out-of-band verification.  This creates a web-of-trust model where
    patients can filter by endorser reputation.

  \item[Level 2: Registry verification.]
    A gateway node queries the KBV physician registry using the therapist's
    \emph{Lebenslange Arztnummer} (LANR) and signs an attestation binding
    the mesh identity to the registry entry.  This provides the highest
    assurance but requires infrastructure for registry access.
\end{description}

\noindent The current reference implementation operates at Level~0 with
a \texttt{profile\_url} field enabling manual cross-verification.  The
client UI displays prominent warnings for unverified therapists.

\subsection{Denial of Service}

FAPP employs several mechanisms to resist denial-of-service attacks:

\begin{enumerate}[nosep]
  \item \textbf{Rate limiting.} Relay nodes enforce a maximum of 10
    \texttt{SlotAnnounce} messages per hour per \texttt{therapist\_address}
    using a sliding-window rate limiter.

  \item \textbf{Capacity bounds.} The \texttt{FappStore} limits total
    cached announcements to 10{,}000 and per-therapist announcements to 50,
    with oldest-first eviction.

  \item \textbf{Hop limits.} The \texttt{max\_hops} field (default: 8)
    bounds propagation depth, preventing amplification attacks.

  \item \textbf{TTL enforcement.} Expired announcements (\texttt{timestamp}
    + \texttt{ttl\_hours} $\times$ 3600 < current time) are dropped on
    receipt and garbage-collected from stores periodically.

  \item \textbf{Backpressure.} The mesh layer's \texttt{BackpressureController}
    implements priority-based load shedding, preferring to drop low-priority
    traffic (queries from unknown peers) before high-priority traffic
    (announces from verified therapists).
\end{enumerate}

\subsection{Sybil Resistance}
\label{sec:sybil}

The Sybil attack~\cite{douceur2002sybil}---where an adversary creates
many pseudonymous identities---is a concern for FAPP in two contexts:

\begin{description}[nosep,leftmargin=1.5em]
  \item[Fake therapists.] An attacker generates multiple Ed25519 keypairs
    and publishes \texttt{SlotAnnounce} messages from each.
    \emph{Mitigation:} The \texttt{approbation\_hash} field forces the
    attacker to commit to a credential number per identity.  While
    fabricating hashes is trivial, each fabricated identity is
    independently rate-limited and consumes the attacker's store
    budget.  Level~1 and Level~2 verification (Section~\ref{sec:verification})
    provide progressively stronger Sybil resistance by requiring
    out-of-band identity binding.

  \item[Fake relay nodes.] An attacker operates many relay nodes to
    observe traffic patterns.
    \emph{Mitigation:} FAPP's flooding model means all relays see
    approximately the same traffic; additional Sybil relays gain no
    information advantage beyond what a single relay provides.  For
    point-to-point messages (\texttt{SlotReserve}, \texttt{SlotConfirm}),
    E2E encryption ensures that even colluding relays cannot read
    content.
\end{description}

\subsection{Slot Squatting}

An adversary could attempt to reserve all announced slots to deny
service to legitimate patients.  Since \texttt{SlotReserve} messages are
E2E encrypted, the therapist must decrypt and process each reservation
individually.  Mitigations include:

\begin{itemize}[nosep]
  \item Therapists can reject suspicious reservations via
    \texttt{SlotConfirm} with \texttt{confirmed = false}.
  \item Rate limiting on \texttt{SlotReserve} per therapist (enforced at
    the therapist node).
  \item The patient must provide genuine contact information (encrypted)
    for the reservation to be actionable; a therapist who cannot reach the
    patient can cancel and re-announce the slot.
\end{itemize}

\subsection{Replay Protection}

Replay attacks are mitigated at two levels:

\begin{enumerate}[nosep]
  \item \textbf{Announce deduplication.} The \texttt{(therapist\_address,
    sequence)} pair uniquely identifies each announce version.  A replayed
    announce with a sequence number already seen or lower than the latest is
    rejected.
  \item \textbf{Envelope nonces.} The mesh envelope layer uses random nonces
    tracked in a bounded seen-set, preventing replay of the transport
    container.
  \item \textbf{TTL expiry.} Even if a dedup cache is evicted, the
    \texttt{timestamp} + \texttt{ttl\_hours} check prevents acceptance of
    stale announces.
\end{enumerate}

% ===========================================================================
\section{Discussion}
\label{sec:discussion}
% ===========================================================================

\subsection{Comparison with Centralized Alternatives}

\begin{table}[t]
\centering
\caption{Comparison of psychotherapy appointment systems.}
\label{tab:comparison}
\begin{tabularx}{\textwidth}{lccccX}
\toprule
& \textbf{Real-time} & \textbf{Patient} & \textbf{Decen-} &
  \textbf{Verifi-} & \\
\textbf{System} & \textbf{slots} & \textbf{anon.} & \textbf{tralized} &
  \textbf{cation} & \textbf{Notes} \\
\midrule
116117~\cite{terminservice116117} & Partial & No & No & Official &
  Telephone/web; limited slot data; identity required for referral. \\
Doctolib~\cite{doctolib2024} & Yes & No & No & Self-report &
  Tracks search behavior; therapist opt-in required; commercial fees. \\
KBV Arztsuche~\cite{kbvarztsuche} & No & Partial & No & Official &
  Practice info only; no real-time availability. \\
FAPP (Level~0) & Yes & Yes & Yes & Mesh sig. &
  Anonymous search; no infrastructure; limited identity assurance. \\
FAPP (Level~2) & Yes & Yes & Yes & Registry &
  Requires trusted gateway; strongest guarantees. \\
\bottomrule
\end{tabularx}
\end{table}

Table~\ref{tab:comparison} summarizes the trade-offs.  FAPP is the only system
that offers both real-time slot visibility and patient anonymity.  This
comes at the cost of weaker therapist verification at Level~0, which is
an explicit design trade-off: we prioritize patient privacy and system
availability over centralized credential checking, with a planned
upgrade path to registry-backed verification.

\subsection{Deployment Challenges}

\paragraph{Therapist adoption.}
FAPP requires therapists to run mesh node software and actively manage
their slot announcements.  While the protocol is designed for automation
(a background daemon can publish slots from the practice management
system), adoption depends on therapists perceiving the system as
lower-friction than existing alternatives.  Integration with established
PVS (Praxisverwaltungssoftware) systems is essential for adoption.

\paragraph{Network bootstrapping.}
A mesh network requires a critical mass of relay nodes to provide
adequate coverage.  Initial deployment can leverage existing \qpq{}
infrastructure (the messenger's server-to-server federation provides
seed connectivity), but sustained operation benefits from dedicated
relay nodes at healthcare institutions, patient advocacy organizations,
or community networks.

\paragraph{Key management.}
Therapists must protect their Ed25519 private key, which serves as
both their mesh identity and the anchor for their professional
reputation.  Key compromise requires generating a new identity and
re-establishing verification, analogous to certificate revocation in
PKI systems.  The \qpq{} key transparency module provides Merkle-log
based revocation, but its integration with FAPP is ongoing work.

\subsection{Regulatory Considerations}

FAPP does not replace or circumvent the KV's appointment allocation
system.  It operates as a complementary discovery layer:  therapists
who have unfilled slots can announce them through the mesh in addition
to reporting them through official channels.  Since FAPP does not
handle billing, prescriptions, or clinical data, it falls outside the
scope of Telematikinfrastruktur (TI) certification requirements.

Patient anonymity aligns with GDPR's data minimization principle
(Art.~5(1)(c)):  by not collecting or processing patient identity data
during the search phase, FAPP avoids creating the health-related personal
data that centralized platforms inevitably generate.

\subsection{LoRa Constraints and Hybrid Deployment}

Pure LoRa deployment is impractical for interactive query--response
patterns due to duty cycle constraints and high latency.  A realistic
deployment uses LoRa for \emph{announce propagation} in connectivity
gaps (rural areas, community mesh networks) while routing queries
and reservations over internet-connected transports.  The \qpq{}
\texttt{TransportManager} handles this routing transparently:
a relay node connected to both LoRa and TCP will bridge announces
between networks without application-layer awareness.

% ===========================================================================
\section{Conclusion and Future Work}
\label{sec:future}
% ===========================================================================

FAPP demonstrates that privacy-preserving appointment discovery is
achievable in a decentralized architecture without sacrificing the
verifiability requirements of a regulated healthcare profession.
The asymmetric privacy model---public therapist, anonymous patient---is
not merely a technical design choice but a reflection of the social
contract underlying psychotherapy:  the professional is accountable,
the patient is protected.

The reference implementation in Rust, comprising approximately 1{,}600
lines of protocol code with 31 dedicated tests and full E2E encryption
support, validates the design's feasibility.  CBOR serialization keeps
message sizes within LoRa fragmentation budgets, and the integration
with \qpq{}'s multi-transport mesh stack demonstrates that
a single protocol can operate across QUIC, TCP, and radio links.

Several directions remain for future work:

\paragraph{Anonymous return paths.}
The current design lacks a robust mechanism for routing
\texttt{SlotResponse} messages back to anonymous query originators.
The \texttt{SlotQuery} specification includes a \texttt{return\_path}
field for onion-style routing~\cite{goldschlag1996onion}, where each
hop in the return path is encrypted to the respective relay's key,
but this is not yet implemented.  Realizing this would provide
Mixminion-style~\cite{danezis2003mixminion} unlinkability between
queries and their originators.

\paragraph{Multi-hop privacy for reservations.}
\texttt{SlotReserve} messages are currently E2E encrypted but routed
by flooding, which reveals the approximate network location of the
originator to neighboring nodes.  A circuit-based routing scheme,
where the patient establishes a multi-hop tunnel before sending the
reservation, would provide stronger traffic analysis resistance.

\paragraph{E2E encrypted channels.}
After a successful reservation, the therapist and patient could
establish a persistent MLS~\cite{rfc9420} session through the mesh
for ongoing communication (appointment changes, intake forms).
The \qpq{} stack already supports MLS group key agreement; bridging
FAPP's ephemeral key exchange to a durable MLS session is a natural
extension.

\paragraph{Endorsement gossip protocol.}
Level~1 verification (Section~\ref{sec:verification}) requires a gossip
protocol for distributing and aggregating endorsements from trusted
relays.  This protocol must resist endorsement inflation (where
colluding nodes endorse each other) while remaining lightweight
enough for constrained transports.

\paragraph{Real-world pilot.}
We plan a pilot deployment in a German metropolitan area, partnering
with a small group of psychotherapists willing to announce slots
through the mesh alongside their existing booking channels.  The
pilot will measure (a)~slot discovery latency, (b)~relay network
coverage requirements, and (c)~therapist and patient usability
perceptions.  Lessons from this pilot will inform protocol revisions
and inform regulatory engagement with the relevant KV.

\paragraph{Post-quantum key exchange.}
The \qpq{} mesh stack supports a hybrid X25519 + ML-KEM-768 key
encapsulation mechanism at the envelope level.  Integrating post-quantum
key exchange into FAPP's reservation encryption would future-proof
patient contact data against quantum adversaries, though the increased
message sizes (approximately 2{,}676 bytes for a PQ-hybrid KeyPackage
versus 306 bytes for classical) make this impractical on LoRa links
with current duty cycle budgets.

\bigskip
\noindent The source code, protocol specification, and integration tests
are available at the \qpq{} project repository under the MIT license.

\bibliographystyle{plain}
\bibliography{fapp-refs}

\end{document}