EchoMix

1.2 Key Encapsulation Mechanism

2. Core Protocol

2.1 Handshake Phase

2.1.1 Handshake Authentication

2.2 Data Transfer Phase

3. Predefined Commands

3.1 The no_op Command

3.2 The disconnect Command

Sphinx cryptographic packet format

Mon, 11 May 2026 21:24:41 -0700

Sphinx cryptographic packet format

Yawning Angel

George Danezis

Claudia Diaz

Ania Piotrowska

David Stainton

Abstract

This document defines the Sphinx cryptographic packet format for decryption mix networks, and provides a parameterization based around generic cryptographic primitives types. This document does not introduce any new crypto, but is meant to serve as an implementation guide.

Table of Contents

2. Cryptographic Primitives

2.1 Sphinx Key Derivation Function

3. Sphinx Packet Parameters

Sphinx packet replay detection

Mon, 11 May 2026 21:23:36 -0700

Sphinx packet replay detection

David Stainton

Abstract

This document defines the replay detection for any protocol that uses Sphinx cryptographic packet format. This document is meant to serve as an implementation guide and document the existing replay protect for deployed mix networks.

Table of Contents

2. Sphinx Cryptographic Primitives

2.1 Sphinx Parameter Constants

3. System Overview

4. Sphinx Packet Replay Cache

4.1 Sphinx Replay Tag Composition

Public key infrastructure

Mon, 11 May 2026 21:21:55 -0700

Public key infrastructure

Yawning Angel

Claudia Diaz

Ania Piotrowska

David Stainton

Masala

Abstract

Table of Contents

Conventions used in this document

1.2 Security properties overview

1.3 Differences from Tor and Mixminion directory authority systems

2. Overview of mix PKI interaction

2.1 PKI protocol schedule

2.1.1 Directory authority server schedule

2.1.2 Mix schedule

3. Voting for consensus protocol

3.1 Protocol messages

3.1.1 Mix descriptor and directory signing

3.2 Vote exchange

3.3 Reveal exchange

Mix network design

Mon, 11 May 2026 21:21:06 -0700

Mix network specification

Yawning Angel

George Danezis

Claudia Diaz

Ania Piotrowska

David Stainton

Abstract

This document describes the high level architecture and detailed protocols and behavior required of mix nodes participating in the Katzenpost Mix Network.

Table of Contents

3. Packet Format Overview

3.1 Sphinx Cryptographic Primitives

3.2 Sphinx Packet Parameters

3.3 Sphinx Per-hop Routing Information Extensions

4. Mix Node Operation

Mix decoy loop

Mon, 11 May 2026 21:19:15 -0700

Propagation of mix decoy loop statistics

David Stainton

Eva Infeld

Leif Ryge

Abstract

In the context of continuous time mixing strategies such as the memoryless mix used by Katzenpost, n-1 attacks may use strategic packetloss. Nodes can also fail for benign reasons. Determining whether or not it’s an n-1 attack is outside the scope of this work.

This document describes how we will communicate statistics from mix nodes to mix network directory authorities which tells them about the packetloss they are observing.

KEMSphinx

Mon, 11 May 2026 21:18:18 -0700

KEMSphinx

David Stainton

Abstract

Here I present a modification of the Sphinx cryptographic packet format that uses a KEM instead of a NIKE whilst preserving the properties of bitwise unlinkability, constant packet size and route length hiding.

Table of Contents

2. Post Quantum Hybrid KEM

2.1 NIKE to KEM adapter

2.2 KEM Combiner

3. KEMSphinx Header Design

4. KEMSphinx Unwrap Operation

Acknowledgments

References

1. Introduction

We’ll express our KEM Sphinx header in pseudo code. The Sphinx body will be exactly the same as the section called “References” Our basic KEM API has three functions:

Contact Voucher Design

Mon, 11 May 2026 21:16:30 -0700

Contact Voucher Design

Threebit Hacker

Leif Ryge

Abstract

Table of Contents

Voucher Design

Self-authenticating BACAP payload

Voucher Design

In order to join or initiate a conversation, participants need to exchange cryptographic key material. To address this problem we have a slightly unusual design: Contact vouchers.

In many systems, invites to conversations flow from an existing member of the conversation to the user being invited. In our “Contact Voucher” protocol this flow is reversed: A member wishing to join a conversation hands a “Contact Voucher” (out of band) to the existing member, who then inducts the new member into the group.

Certificate format

Mon, 11 May 2026 21:14:56 -0700

Certificate format

David Stainton

Abstract

This document proposes a certificate format that Katzenpost mix server, directory authority server and clients will use.

Table of Contents

1.3. Certificate Key Types

1.1. Document Format

1.2 Certificate Types

2. Golang API

Acknowledgments

References

Terminology

The following terms are used in this specification.

Conventions Used in This Document

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in RFC2119.

Provider-side autoresponder extension

Mon, 11 May 2026 21:09:52 -0700

Provider-side autoresponder extension (Kaetzchen)

Yawning Angel

Kali Kaneko

David Stainton

Abstract

This interface is meant to provide support for various autoresponder agents “Kaetzchen” that run on Katzenpost provider instances, thus bypassing the need to run a discrete client instance to provide functionality. The use-cases for such agents include, but are not limited to, user identity key lookup, a discard address, and a loop-back responder for the purpose of cover traffic.

Table of Contents