https://echomix.org/Recent content on EchoMixHugoen-usTue, 02 Jun 2026 00:00:00 +0000https://echomix.org/docs/specs/contact_voucher_narration/Tue, 02 Jun 2026 00:00:00 +0000https://echomix.org/docs/specs/contact_voucher_narration/<h2 id="introduction">Introduction</h2> <p>The <a href="../contact_voucher/">voucher spec</a> was very difficult for me to read and it overloads variable names and doesn&rsquo;t make certain facts explicit enough. I wrote this spec for my own understanding of the design as an implementation guide for myself.</p> <h2 id="streams">Streams</h2> <p>There is no separate reply stream. Alice replies on the very same stream Bob used to mint the voucher.</p> <ul> <li><strong>MessageStream</strong>: Bob writes; the group reads. This is the stream whose live messages the protocol must protect.</li> <li><strong>VoucherStream</strong>: the rendezvous, derived entirely from the <code>Voucher</code>. Box 0 holds Bob&rsquo;s <code>VoucherPayload</code>; box 1 holds Alice&rsquo;s <code>VoucherReply</code>.</li> <li><strong>the group&rsquo;s other streams</strong>: each existing member has their own MessageStream, just like Bob&rsquo;s.</li> </ul> <h2 id="stream-objects">Stream Objects</h2> <ul> <li><strong>MessageStream</strong>: <code>.WriteCap</code> (Bob keeps), <code>.ReadCap</code> (travels in <code>VoucherPayload</code>, inside <code>SignedPleaseAdd</code>).</li> <li><strong>VoucherStream</strong>: read and write caps derivable by anyone holding the <code>Voucher</code>.</li> <li><strong>VoucherKeypair</strong>: <code>VoucherSecretKey</code> (Bob keeps), <code>VoucherPublicKey</code> (travels in <code>VoucherPayload</code>). This is the MKEM keypair under which Alice seals the reply to Bob.</li> </ul> <h2 id="messages">Messages</h2> <ul> <li><code>SignedPleaseAdd</code> is Bob&rsquo;s signed self-introduction: a serialized <code>PleaseAdd</code> (his <code>DisplayName</code> and <code>MessageStream.ReadCap</code>) plus a signature over it produced by <code>MessageStream.WriteCap</code>.</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-go" data-lang="go"><span style="display:flex;"><span><span style="color:#75715e">// PleaseAdd is a member&#39;s request to join, carrying their display name</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// and the read cap that lets others read their messages.</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">type</span> <span style="color:#a6e22e">PleaseAdd</span> <span style="color:#66d9ef">struct</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// DisplayName is the party&#39;s name to be displayed in chat clients.</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">DisplayName</span> <span style="color:#66d9ef">string</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// UniversalReadCap is the BACAP read cap for this member&#39;s</span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// MessageStream, letting others read all messages posted by them.</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">UniversalReadCap</span> <span style="color:#f92672">*</span><span style="color:#a6e22e">bacap</span>.<span style="color:#a6e22e">UniversalReadCap</span> </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// SignedPleaseAdd binds a PleaseAdd to a signature made by the member&#39;s</span> </span></span><span style="display:flex;"><span><span style="color:#75715e">// write cap, so any party can verify the name-and-cap binding.</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">type</span> <span style="color:#a6e22e">SignedPleaseAdd</span> <span style="color:#66d9ef">struct</span> { </span></span><span style="display:flex;"><span> <span style="color:#75715e">// PleaseAdd contains the CBOR serialized PleaseAdd struct.</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">PleaseAdd</span> []<span style="color:#66d9ef">byte</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#75715e">// Signature contains the cryptographic signature over the PleaseAdd field.</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">Signature</span> []<span style="color:#66d9ef">byte</span> </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><ul> <li><code>WhoReply</code> := the existing members&rsquo; MessageStream read caps (one or more), so Bob can read everyone already in the group.</li> <li><code>VoucherReply</code> := <code>WhoReply || VoucherSalt</code>, MKEM-sealed to <code>VoucherPublicKey</code> and written to VoucherStream box 1. Box 1 is an ordinary BACAP box, so the payload is BACAP-encrypted as a stream box and then additionally MKEM-encrypted to Bob&rsquo;s <code>VoucherPublicKey</code>; only Bob, holding <code>VoucherSecretKey</code>, can open it.</li> <li><code>Introduction</code> := Bob&rsquo;s display name together with his salt-mutated MessageStream read cap, published to the existing group so the members can read Bob. The group receives the mutated cap directly and never the salt.</li> </ul> <pre tabindex="0"><code>VoucherPayload := SignedPleaseAdd || VoucherPublicKey Voucher := Hash(VoucherPayload) </code></pre><h2 id="the-vouchersalt-re-seeding-the-messagestream">The VoucherSalt: re-seeding the MessageStream</h2> <p><code>VoucherSalt</code> is the heart of the protocol. It is <strong>not</strong> a nonce and it does <strong>not</strong> modify BACAP. It is a value that <strong>replaces the KDF state</strong> inside a MessageStream&rsquo;s <code>MessageBoxIndex</code>, which re-seeds the index chain and so moves the stream to a fresh, unpredictable sequence of box IDs. Only two parties ever touch it. Bob mutates his <code>MessageStream.WriteCap</code> by the salt and writes his real messages at the mutated position. Alice mutates Bob&rsquo;s matching <code>MessageStream.ReadCap</code> by the same salt <strong>once</strong>, before she shares it, so writer and readers meet at the mutated position. The group never learns the salt; it only ever receives the already-mutated read cap.</p>https://echomix.org/docs/specs/wire_protocol/Mon, 11 May 2026 21:25:36 -0700https://echomix.org/docs/specs/wire_protocol/<div class="article"> <div class="titlepage"> <div> <div> <h2 id="katzenpost-mix-network-wire-protocol"><span id="wire_protocol"></span>Katzenpost mix network wire protocol</h2> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="yawning-angel"><span class="firstname">Yawning</span> <span class="surname">Angel</span></h3> </div> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>This document defines the Katzenpost Mix Network Wire Protocol for use in all network communications to, from, and within the Katzenpost Mix Network.</p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#conventions-used-in-this-document">1.1 Conventions Used in This Document</a></span></p> <p><span class="section"><a href="#wire_protocol_introduction">1. Introduction</a></span></p> <p><span class="section"><a href="#key-encapsulation-mechanism">1.2 Key Encapsulation Mechanism</a></span></p> <p><span class="section"><a href="#core-protocol">2. Core Protocol</a></span></p> <p><span class="section"><a href="#handshake-phase">2.1 Handshake Phase</a></span></p> <p><span class="section"><a href="#handshake-authentication">2.1.1 Handshake Authentication</a></span></p> <p><span class="section"><a href="#data-transfer-phase">2.2 Data Transfer Phase</a></span></p> <p><span class="section"><a href="#predefined-commands">3. Predefined Commands</a></span></p> <p><span class="section"><a href="#the-no_op-command">3.1 The no_op Command</a></span></p> <p><span class="section"><a href="#the-disconnect-command">3.2 The disconnect Command</a></span></p>https://echomix.org/docs/specs/sphinx_format/Mon, 11 May 2026 21:24:41 -0700https://echomix.org/docs/specs/sphinx_format/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="sphinx-cryptographic-packet-format"><span id="sphinx"></span>Sphinx cryptographic packet format</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="yawning-angel"><span class="firstname">Yawning</span> <span class="surname">Angel</span></h3> </div> <div class="author"> <h3 id="george-danezis"><span class="firstname">George</span> <span class="surname">Danezis</span></h3> </div> <div class="author"> <h3 id="claudia-diaz"><span class="firstname">Claudia</span> <span class="surname">Diaz</span></h3> </div> <div class="author"> <h3 id="ania-piotrowska"><span class="firstname">Ania</span> <span class="surname">Piotrowska</span></h3> </div> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>This document defines the Sphinx cryptographic packet format for decryption mix networks, and provides a parameterization based around generic cryptographic primitives types. This document does not introduce any new crypto, but is meant to serve as an implementation guide.</p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#terminology">Terminology</a></span></p> <p><span class="section"><a href="#conventions-used-in-this-document">Conventions Used in This Document</a></span></p> <p><span class="section"><a href="#sphinx_introduction">1. Introduction</a></span></p> <p><span class="section"><a href="#cryptographic-primitives">2. Cryptographic Primitives</a></span></p> <p><span class="section"><a href="#sphinx-key-derivation-function">2.1 Sphinx Key Derivation Function</a></span></p> <p><span class="section"><a href="#sphinx-packet-parameters">3. Sphinx Packet Parameters</a></span></p>https://echomix.org/docs/specs/packet_replay/Mon, 11 May 2026 21:23:36 -0700https://echomix.org/docs/specs/packet_replay/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="sphinx-packet-replay-detection"><span id="replay"></span>Sphinx packet replay detection</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>This document defines the replay detection for any protocol that uses Sphinx cryptographic packet format. This document is meant to serve as an implementation guide and document the existing replay protect for deployed mix networks.</p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#terminology">Terminology</a></span></p> <p><span class="section"><a href="#d58e95">Conventions Used in This Document</a></span></p> <p><span class="section"><a href="#sphinx_replay_detection_introduction">1. Introduction</a></span></p> <p><span class="section"><a href="#sphinx-cryptographic-primitives">2. Sphinx Cryptographic Primitives</a></span></p> <p><span class="section"><a href="#sphinx-parameter-constants">2.1 Sphinx Parameter Constants</a></span></p> <p><span class="section"><a href="#system-overview">3. System Overview</a></span></p> <p><span class="section"><a href="#sphinx-packet-replay-cache">4. Sphinx Packet Replay Cache</a></span></p> <p><span class="section"><a href="#sphinx-replay-tag-composition">4.1 Sphinx Replay Tag Composition</a></span></p>https://echomix.org/docs/specs/pki/Mon, 11 May 2026 21:21:55 -0700https://echomix.org/docs/specs/pki/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="public-key-infrastructure"><span id="pki"></span>Public key infrastructure</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="yawning-angel"><span class="firstname">Yawning</span> <span class="surname">Angel</span></h3> </div> <div class="author"> <h3 id="claudia-diaz"><span class="firstname">Claudia</span> <span class="surname">Diaz</span></h3> </div> <div class="author"> <h3 id="ania-piotrowska"><span class="firstname">Ania</span> <span class="surname">Piotrowska</span></h3> </div> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> <div class="author"> <h3 id="masala"><span class="firstname"></span> <span class="surname">Masala</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#terminology">Terminology</a></span></p> <p><span class="section"><a href="#conventions-used-in-this-document">Conventions used in this document</a></span></p> <p><span class="section"><a href="#pki_introduction">1. Introduction</a></span></p> <p><span class="section"><a href="#security-properties-overview">1.2 Security properties overview</a></span></p> <p><span class="section"><a href="#differences-from-tor-and-mixminion-directory-authority-systems">1.3 Differences from Tor and Mixminion directory authority systems</a></span></p> <p><span class="section"><a href="#overview-of-mix-pki-interaction">2. Overview of mix PKI interaction</a></span></p> <p><span class="section"><a href="#pki-protocol-schedule">2.1 PKI protocol schedule</a></span></p> <p><span class="section"><a href="#directory-authority-server-schedule">2.1.1 Directory authority server schedule</a></span></p> <p><span class="section"><a href="#mix-schedule">2.1.2 Mix schedule</a></span></p> <p><span class="section"><a href="#voting-for-consensus-protocol">3. Voting for consensus protocol</a></span></p> <p><span class="section"><a href="#protocol-messages">3.1 Protocol messages</a></span></p> <p><span class="section"><a href="#mix-descriptor-and-directory-signing">3.1.1 Mix descriptor and directory signing</a></span></p> <p><span class="section"><a href="#vote-exchange">3.2 Vote exchange</a></span></p> <p><span class="section"><a href="#reveal-exchange">3.3 Reveal exchange</a></span></p>https://echomix.org/docs/specs/mix_network/Mon, 11 May 2026 21:21:06 -0700https://echomix.org/docs/specs/mix_network/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="mix-network-specification"><span id="mixspec"></span>Mix network specification</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="yawning-angel"><span class="firstname">Yawning</span> <span class="surname">Angel</span></h3> </div> <div class="author"> <h3 id="george-danezis"><span class="firstname">George</span> <span class="surname">Danezis</span></h3> </div> <div class="author"> <h3 id="claudia-diaz"><span class="firstname">Claudia</span> <span class="surname">Diaz</span></h3> </div> <div class="author"> <h3 id="ania-piotrowska"><span class="firstname">Ania</span> <span class="surname">Piotrowska</span></h3> </div> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>This document describes the high level architecture and detailed protocols and behavior required of mix nodes participating in the Katzenpost Mix Network.</p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#terminology">Terminology</a></span></p> <p><span class="section"><a href="#d58e162">Conventions Used in This Document</a></span></p> <p><span class="section"><a href="#mixnet_introduction">1. Introduction</a></span></p> <p><span class="section"><a href="#system-overview">2. System Overview</a></span></p> <p><span class="section"><a href="#threat-model">2.1 Threat Model</a></span></p> <p><span class="section"><a href="#network-topology">2.2 Network Topology</a></span></p> <p><span class="section"><a href="#packet-format-overview">3. Packet Format Overview</a></span></p> <p><span class="section"><a href="#sphinx-cryptographic-primitives">3.1 Sphinx Cryptographic Primitives</a></span></p> <p><span class="section"><a href="#sphinx-packet-parameters">3.2 Sphinx Packet Parameters</a></span></p> <p><span class="section"><a href="#sphinx-per-hop-routing-information-extensions">3.3 Sphinx Per-hop Routing Information Extensions</a></span></p> <p><span class="section"><a href="#mix-node-operation">4. Mix Node Operation</a></span></p>https://echomix.org/docs/specs/mix_decoy/Mon, 11 May 2026 21:19:15 -0700https://echomix.org/docs/specs/mix_decoy/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="propagation-of-mix-decoy-loop-statistics"><span id="decoy"></span>Propagation of mix decoy loop statistics</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> <div class="author"> <h3 id="eva-infeld"><span class="firstname">Eva</span> <span class="surname">Infeld</span></h3> </div> <div class="author"> <h3 id="leif-ryge"><span class="firstname">Leif</span> <span class="surname">Ryge</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>In the context of continuous time mixing strategies such as the memoryless mix used by Katzenpost, n-1 attacks may use strategic packetloss. Nodes can also fail for benign reasons. Determining whether or not it’s an n-1 attack is outside the scope of this work.</p> <p>This document describes how we will communicate statistics from mix nodes to mix network directory authorities which tells them about the packetloss they are observing.</p>https://echomix.org/docs/specs/kemsphinx/Mon, 11 May 2026 21:18:18 -0700https://echomix.org/docs/specs/kemsphinx/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="kemsphinx"><span id="kemsphinx"></span>KEMSphinx</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>Here I present a modification of the Sphinx cryptographic packet format that uses a KEM instead of a NIKE whilst preserving the properties of bitwise unlinkability, constant packet size and route length hiding.</p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#kemsphinx_introduction">1. Introduction</a></span></p> <p><span class="section"><a href="#post-quantum-hybrid-kem">2. Post Quantum Hybrid KEM</a></span></p> <p><span class="section"><a href="#nike-to-kem-adapter">2.1 NIKE to KEM adapter</a></span></p> <p><span class="section"><a href="#kem-combiner">2.2 KEM Combiner</a></span></p> <p><span class="section"><a href="#kemsphinx-header-design">3. KEMSphinx Header Design</a></span></p> <p><span class="section"><a href="#kemsphinx-unwrap-operation">4. KEMSphinx Unwrap Operation</a></span></p> <p><span class="section"><a href="#acknowledgments">Acknowledgments</a></span></p> <p><span class="section"><a href="#appendix-a.-references">References</a></span></p> </div> <div class="section"> <div class="titlepage"> <div> <div> <h2 id="1-introduction"><span id="kemsphinx_introduction"></span>1. Introduction</h2> </div> </div> </div> <p>We’ll express our KEM Sphinx header in pseudo code. The Sphinx body will be exactly the same as <a href="#SPHINXSPEC" class="xref">the section called “References”</a> Our basic KEM API has three functions:</p>https://echomix.org/docs/specs/contact_voucher/Mon, 11 May 2026 21:16:30 -0700https://echomix.org/docs/specs/contact_voucher/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="contact-voucher-design"><span id="voucher"></span>Contact Voucher Design</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="threebit-hacker"><span class="firstname">Threebit</span> <span class="surname">Hacker</span></h3> </div> <div class="author"> <h3 id="leif-ryge"><span class="firstname">Leif</span> <span class="surname">Ryge</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#d58e43">Voucher Design</a></span></p> <p><span class="section"><a href="#d58e76">Self-authenticating BACAP payload</a></span></p> </div> <div class="section"> <div class="titlepage"> <div> <div> <h2 id="voucher-design"><span id="d58e43"></span>Voucher Design</h2> </div> </div> </div> <p>In order to join or initiate a conversation, participants need to exchange cryptographic key material. To address this problem we have a slightly unusual design: Contact vouchers.</p> <p>In many systems, invites to conversations flow from an existing member of the conversation to the user being invited. In our &ldquo;Contact Voucher&rdquo; protocol this flow is reversed: A member wishing to join a conversation hands a &ldquo;Contact Voucher&rdquo; (out of band) to the existing member, who then inducts the new member into the group.</p>https://echomix.org/docs/specs/certificate_format/Mon, 11 May 2026 21:14:56 -0700https://echomix.org/docs/specs/certificate_format/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="certificate-format"><span id="certificate"></span>Certificate format</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>This document proposes a certificate format that Katzenpost mix server, directory authority server and clients will use.</p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#terminology">Terminology</a></span></p> <p><span class="section"><a href="#conventions-used-in-this-document">Conventions Used in This Document</a></span></p> <p><span class="section"><a href="#certificate_introduction">1. Introduction</a></span></p> <p><span class="section"><a href="#document-format">1.1. Document Format</a></span></p> <p><span class="section"><a href="#certificate-types">1.2 Certificate Types</a></span></p> <p><span class="section"><a href="#certificate-key-types">1.3. Certificate Key Types</a></span></p> <p><span class="section"><a href="#golang-api">2. Golang API</a></span></p> <p><span class="section"><a href="#acknowledgments">Acknowledgments</a></span></p> <p><span class="section"><a href="#appendix-a.-references">References</a></span></p> </div> <div class="section"> <div class="titlepage"> <div> <div> <h2 id="terminology"><span id="terminology"></span>Terminology</h2> </div> </div> </div> <p>The following terms are used in this specification.</p> <div class="variablelist"> <p><span class="term"></span></p> </div> </div> <div class="section"> <div class="titlepage"> <div> <div> <h2 id="conventions-used-in-this-document"><span id="conventions-used-in-this-document"></span>Conventions Used in This Document</h2> </div> </div> </div> <p>The key words <span class="quote">“<span class="quote">MUST</span>”</span>, <span class="quote">“<span class="quote">MUST NOT</span>”</span>, <span class="quote">“<span class="quote">REQUIRED</span>”</span>, <span class="quote">“<span class="quote">SHALL</span>”</span>, <span class="quote">“<span class="quote">SHALL NOT</span>”</span>, <span class="quote">“<span class="quote">SHOULD</span>”</span>, <span class="quote">“<span class="quote">SHOULD NOT</span>”</span>, <span class="quote">“<span class="quote">RECOMMENDED</span>”</span>, <span class="quote">“<span class="quote">MAY</span>”</span>, and <span class="quote">“<span class="quote">OPTIONAL</span>”</span> in this document are to be interpreted as described in <a href="#RFC2119" class="link">RFC2119</a>.</p>https://echomix.org/docs/specs/autoresponder/Mon, 11 May 2026 21:09:52 -0700https://echomix.org/docs/specs/autoresponder/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="provider-side-autoresponder-extension-kaetzchen"><span id="autoresponder"></span>Provider-side autoresponder extension (Kaetzchen)</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="yawning-angel"><span class="firstname">Yawning</span> <span class="surname">Angel</span></h3> </div> <div class="author"> <h3 id="kali-kaneko"><span class="firstname">Kali</span> <span class="surname">Kaneko</span></h3> </div> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> <div> <div class="abstract"> <p><strong>Abstract</strong></p> <p>This interface is meant to provide support for various autoresponder agents <span class="quote">“<span class="quote">Kaetzchen</span>”</span> that run on Katzenpost provider instances, thus bypassing the need to run a discrete client instance to provide functionality. The use-cases for such agents include, but are not limited to, user identity key lookup, a discard address, and a loop-back responder for the purpose of cover traffic.</p> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#d58e50">Conventions Used in This Document</a></span></p>https://echomix.org/docs/specs/glossary/Mon, 11 May 2026 21:17:28 -0700https://echomix.org/docs/specs/glossary/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="glossary"><span id="glossary"></span>Glossary</h1> </div> </div> <hr> </div> <div class="variablelist"> <p><span class="term"><span class="bold"><strong>BlockSphinxPlaintext</strong></span></span><br> The payload structure which is encapsulated by the Sphinx body.</p> <p><span class="term"><span class="bold"><strong>classes of traffic</strong></span></span><br> We distinguish the following classes of traffic:</p> <div class="itemizedlist"> <ul> <li> <p>SURB Replies (also sometimes referred to as ACKs)</p> </li> <li> <p>Forward messages</p> </li> </ul> </div> <p><span class="term"><span class="bold"><strong>client</strong></span></span><br> Software run by the User on its local device to participate in the Mixnet. Again let us reiterate that a client is not considered a &ldquo;node in the network&rdquo; at the level of analysis where we are discussing the core mixnet protocol in this here document.</p>https://echomix.org/docs/specs/references/Mon, 11 May 2026 21:22:38 -0700https://echomix.org/docs/specs/references/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="references"><span id="references"></span>References</h1> </div> </div> <hr> </div> <p><span id="AB96"></span><span class="bold"><strong>AB96</strong></span></p> <p>Anderson, R., Biham, E., <span class="quote">“<span class="quote">Two Practical and Provably Secure Block Ciphers: BEAR and LION</span>”</span>, 1996.</p> <p><span id="AEZV5"></span><span class="bold"><strong>AEZV5</strong></span></p> <p>Hoang, V., Krovetz, T., Rogaway, P., <span class="quote">“<span class="quote">AEZ v5: Authenticated Encryption by Enciphering</span>”</span>, March 2017, <a href="http://web.cs.ucdavis.edu/~rogaway/aez/aez.pdf" class="link" target="_top"><a href="http://web.cs.ucdavis.edu/~rogaway/aez/aez.pdf">http://web.cs.ucdavis.edu/~rogaway/aez/aez.pdf</a></a>.</p> <p><span id="BRIDGING"></span><span class="bold"><strong>BRIDGING</strong></span></p> <p>Danezis, G., Syverson, P., <span class="quote">“<span class="quote">Bridging and Fingerprinting: Epistemic Attacks on Route Selection</span>”</span>, Proceedings of PETS 2008, Leuven, Belgium, July 2008, <a href="https://www.freehaven.net/anonbib/cache/danezis-pet2008.pdf" class="link" target="_top"><a href="https://www.freehaven.net/anonbib/cache/danezis-pet2008.pdf">https://www.freehaven.net/anonbib/cache/danezis-pet2008.pdf</a></a>.</p> <p><span id="COMPULS05"></span><span class="bold"><strong>COMPULS05</strong></span></p> <p>Danezis, G., Clulow, J., <span class="quote">“<span class="quote">Compulsion Resistant Anonymous Communications</span>”</span>, Proceedings of Information Hiding Workshop, June 2005, <a href="https://www.freehaven.net/anonbib/cache/ih05-danezisclulow.pdf" class="link" target="_top"><a href="https://www.freehaven.net/anonbib/cache/ih05-danezisclulow.pdf">https://www.freehaven.net/anonbib/cache/ih05-danezisclulow.pdf</a></a>.</p> <p><span id="ED25519"></span><span class="bold"><strong>ED25519</strong></span></p> <p><a href="https://www.rfc-editor.org/rfc/rfc8032" class="link" target="_top"><a href="https://www.rfc-editor.org/rfc/rfc8032">https://www.rfc-editor.org/rfc/rfc8032</a></a>.</p> <p><span id="FINGERPRINTING"></span><span class="bold"><strong>FINGERPRINTING</strong></span></p> <p>Danezis, G., Clayton, R., <span class="quote">“<span class="quote">Route Finger printing in Anonymous Communications</span>”</span>, <a href="https://www.cl.cam.ac.uk/~rnc1/anonroute.pdf" class="link" target="_top"><a href="https://www.cl.cam.ac.uk/~rnc1/anonroute.pdf">https://www.cl.cam.ac.uk/~rnc1/anonroute.pdf</a></a>.</p>https://echomix.org/docs/build_from_source/Mon, 11 May 2026 21:31:32 -0700https://echomix.org/docs/build_from_source/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="build-katzenpost-from-source"><span id="building"></span>Build Katzenpost from source</h1> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#pinned-versions">Pinned versions</a></span></p> <p><span class="section"><a href="#prerequisites">Prerequisites</a></span></p> <p><span class="section"><a href="#kpclientd-the-client-daemon">kpclientd (the client daemon)</a></span></p> <p><span class="section"><a href="#go-thin-client">Go thin client</a></span></p> <p><span class="section"><a href="#rust-thin-client">Rust thin client</a></span></p> <p><span class="section"><a href="#python-thin-client">Python thin client</a></span></p> <p><span class="section"><a href="#katzenqt-qt-group-chat-client">katzenqt (Qt group chat client)</a></span></p> <p><span class="section"><a href="#verifying-the-stack">Verifying the stack</a></span></p> </div> <p>This page is the canonical reference for the <span class="strong"><strong>pinned versions</strong></span> of the Katzenpost stack, together with brief instructions for building and running each component from source. It is intended for anyone who wishes to run the software ahead of binary packages becoming available.</p>https://echomix.org/docs/specs/group_chat/Mon, 11 May 2026 09:45:35 -0700https://echomix.org/docs/specs/group_chat/<div class="article"> <div class="titlepage"> <div> <div> <h1 id="katzenpost-group-chat-design"><span id="group_chat"></span>Katzenpost Group Chat Design</h1> </div> <div> <div class="authorgroup"> <div class="author"> <h3 id="threebit-hacker"><span class="firstname">Threebit</span> <span class="surname">Hacker</span></h3> </div> <div class="author"> <h3 id="david-stainton"><span class="firstname">David</span> <span class="surname">Stainton</span></h3> </div> </div> </div> </div> <hr> </div> <div class="toc"> <p><strong>Table of Contents</strong></p> <p><span class="section"><a href="#d58e44">Prerequisites</a></span></p> <p><span class="section"><a href="#d58e64">Introduction</a></span></p> <p><span class="section"><a href="#d58e102">Group Chat Message Types</a></span></p> <p><span class="section"><a href="#d58e165">Protocol Flow</a></span></p> <p><span class="section"><a href="#d58e239">Addenda</a></span></p> </div> <div class="section"> <div class="titlepage"> <div> <div> <h2 id="prerequisites"><span id="d58e44"></span>Prerequisites</h2> </div> </div> </div> <p>This design specification is dependent on the BACAP and Pigeonhole protocol designs from our paper <a href="https://arxiv.org/abs/2501.02933" class="link" target="_top">Echomix: A Strong Anonymity System with Messaging</a>, which describes</p> <div class="itemizedlist"> <ul> <li> <p>the BACAP (blinded and capability) in section 4 and</p> </li> <li> <p>the Pigeonhole protocol in section 5.</p> </li> </ul> </div> <p>The <a href="https://github.com/katzenpost/hpqc/blob/main/bacap/bacap.go" class="link" target="_top">source code</a> and <a href="https://github.com/katzenpost/hpqc/blob/main/bacap/bacap.go" class="link" target="_top">API docs</a> for BACAP are available on pkg.go.dev.</p> </div> <div class="section"> <div class="titlepage"> <div> <div> <h2 id="introduction"><span id="d58e64"></span>Introduction</h2> </div> </div> </div> <p>The Pigeonhole protocol establishes anonymous cryptographic communication channels which have a <span class="emphasis"><em>readcap</em></span> (read capability) and a <span class="emphasis"><em>writecap</em></span> (write capability). For example, if Alice and Bob want to communicate, they can each create their own Pigeonhole/BACAP channels and exchange readcaps on those channels. Now when Bob writes to his channel, Alice can read those messages because she has Bob&rsquo;s readcap. Likewise, when Alice writes to her channel, Bob can read those messages because he has Alice&rsquo;s readcap. This is the most basic construction using BACAP and Pigeonhole.</p>https://echomix.org/blog/2024-04-25-threat-model/Thu, 25 Apr 2024 00:00:00 +0000https://echomix.org/blog/2024-04-25-threat-model/<p>Here we present a draft of the Katzenpost mixnet threat model document. We regard the threat model document as a living document which is frequently edited and in need of ongoing maintenance as we continue to develop newer mixnet protocols. Currently it is being organized by mixnet attack category and we have arranged attacks in a table with corresponding attacker capabilities. Later sections of the document present a deep dive into the core cryptographic protocols that comprise Katzenpost, namely these three:</p>https://echomix.org/blog/2024-04-15-lit-review/Mon, 15 Apr 2024 00:00:00 +0000https://echomix.org/blog/2024-04-15-lit-review/<p>We are presenting our overview of existing Mixnet literature. It takes some liberties with what is included or not. It proposes new ways to talk about some issues, and provides a critical analysis of some of the existing papers. It also endeavors to introduce the reader to the language of anonymity systems, while maintaining mathematical rigor.</p> <p>This doc, in particular, does not talk about the Katzenpost design. It does introduce the reader to some of the reasons why we&rsquo;ve been making certain design decisions, and a keen eye might be led to some of the similar conclusions. But here we focus on already published research. We also stick to theory and don&rsquo;t focus on any practical systems being built today.</p>https://echomix.org/blog/2024-04-12-hpqc/Fri, 12 Apr 2024 00:00:00 +0000https://echomix.org/blog/2024-04-12-hpqc/<p>The Katzenpost developement team has recently released a new golang cryptography library known as <a href="https://github.com/katzenpost/hpqc"><strong>hpqc</strong></a>. The theme of the library is hybrid post quantum cryptographic constructions, namely:</p> <ul> <li>hybrid KEMs (key encapsulation mechanism)</li> <li>hybrid NIKEs (non-interactive key exchange)</li> <li>hybrid signature schemes</li> </ul> <p>In each of the three main subdirectories, &ldquo;kem&rdquo;, &ldquo;nike&rdquo; and &ldquo;sign&rdquo; there exists interface definitions for <code>Scheme</code>, <code>PrivateKey</code> and <code>PublicKey</code>. For signature schemes and KEMs we&rsquo;re borrowing the interface sets from cloudflare&rsquo;s circl library.</p>https://echomix.org/blog/2024-01-28-katzenpost-at-37c3/Sun, 28 Jan 2024 00:00:00 +0000https://echomix.org/blog/2024-01-28-katzenpost-at-37c3/<p>Dr. Eva Infeld and surveillance expert and developer Leif Ryge held a session at the Chaos Communication Congress about the current state of the project, some of the things we’re working on, and some of the pitfalls many anonymity systems fall into. Building an anonymity system fit for our dystopian age is a hard problem, but we’re doing it.</p> <p><a href="https://www.youtube.com/watch?v=1ev4r-aZmFM"><img src="https://github.com/katzenpost/website/tree/main/content/en/media/thumbnail.png" alt="Katzenpost talk on YouTube"></a></p>https://echomix.org/blog/2023-11-25-audio-engineering-considerations/Sat, 25 Nov 2023 00:00:00 +0000https://echomix.org/blog/2023-11-25-audio-engineering-considerations/<p>Modern Mixnets have a unique set of requirements when it comes to processing audio. The bandwidth is scarce, but we expect to use modern devices and have ample processing power. We aim to secure the communication against even sophisticated attacks that come from capturing the metadata, and prioritize tools that are free, open source and written with security in mind. In this unique setting, we present a set of recommendations for implementing codecs, DSPs, and sophisticated noise reduction tools, to deliver either impressive quality at low bandwidth or good quality at impressively low bandwidth.</p>https://echomix.org/blog/2023-11-24-website-relaunch/Fri, 24 Nov 2023 00:00:00 +0000https://echomix.org/blog/2023-11-24-website-relaunch/<p>To match all the code development in Katzenpost in the last year, it was time for a website relaunch. Our site was a migration from Sphinx, which is primarily for documentation, to Hugo which is wildly configurable for all sorts of websites. Given the technical nature and need for nice documentation interface, we used the well crafted and maintained Docsy theme.</p> <p><strong>Website Dependencies</strong></p> <ul> <li><a href="https://gohugo.io">Hugo</a> static site generator</li> <li><a href="https://docsy.dev">Docsy</a> theme for Hugo</li> <li><a href="https://getbootstrap.com">Bootstrap 5</a> is bundled in Docsy</li> <li><a href="https://decapcms.org">Decap CMS</a> for a user-friendly GUI</li> </ul>https://echomix.org/blog/2019-05-04/Sat, 04 May 2019 00:00:00 +0000https://echomix.org/blog/2019-05-04/<p>Greetings,</p> <p>The last few weeks have been very busy. I now have the basic working prototype implementation of a new Katzenpost messaging system. This new system has mutual location hiding properties for communication partners because recipients retreive their messages from a remote spool using a Sphinx SURB based protocol. <a href="https://cypherpunks.ca/~iang/pubs/Sphinx_Oakland09.pdf" title="Danezis, G., Goldberg, I., Sphinx: A Compact and Provably Secure Mix Format, DOI 10.1109/SP.2009.15, May 2009">SPHINX</a> <a href="https://github.com/katzenpost/docs/blob/master/specs/sphinx.rst" title="Angel, Y., Danezis, G., Diaz, C., Piotrowska, A., Stainton, D., Sphinx Mix Network Cryptographic Packet Format Specification July 2017">SPHINXSPEC</a></p>https://echomix.org/blog/2019-04-10/Wed, 10 Apr 2019 00:00:00 +0000https://echomix.org/blog/2019-04-10/<p>Greetings,</p> <p>The Panoramix grant project funded by the European Commission has officially ended but the Katzenpost free software project lives on. Masala and I continue to work on Katzenpost for grant money given to us by Samsung.</p> <p>We recently learned a few things about mixnet design in a series of design meetings. The conclusions from our learnings is too much information and detail for this here post. However I will summarize some of our conclusions below. Our discussions usually revolved around mixnet CRDT applications, client reliability, message spool server design, client decoy traffic and, preventing attacks: statistical disclosure and active confirmation attacks.</p>https://echomix.org/blog/2019-01-19/Sun, 13 Jan 2019 00:00:00 +0000https://echomix.org/blog/2019-01-19/<p>Hi,</p> <p>I wrote some notes about making mixnet components in Rust that are binary compatible with <a href="https://github.com/katzenpost/docs/blob/master/drafts/priority_tasks.rst#rustification">existing Katzenpost components</a></p> <h1 id="rustification">Rustification</h1> <p>The goal should be binary compatibility with the golang implementation of Katzenpost such that the existing golang components can interoperate with the new Rust components. Perhaps the biggest advantage of using Rust would be for writing mixnet clients as opposed to mix servers. A Rust mixnet client could easily present a FFI that could be used by user interfaces written in Java for Android and Swift for iOS.</p>https://echomix.org/blog/2018-11-22/Thu, 22 Nov 2018 00:00:00 +0000https://echomix.org/blog/2018-11-22/<p>Greetings!</p> <p>This is our second edition of katzenpost news. There&rsquo;s been a lot of progress since the last report I posted many months ago.</p> <p>Firstly I&rsquo;d like to mention our future development plans:</p> <ul> <li>mix and directory authority key agility</li> <li>generative testing for the voting Directory Authority system</li> <li>generative testing for all of the things where appropriate</li> <li>load and performance testing the mix server</li> <li>design and development of an application agnostic mixnet client message oriented protocol library</li> <li>design and development of one or more applications that use our new mixnet protocol client library</li> <li>potentially assist in integration with other software projects that want to use a mixnet transport protocol</li> </ul> <p>Our recent accomplishments include:</p>https://echomix.org/blog/2018-02-27/Tue, 27 Feb 2018 00:00:00 +0000https://echomix.org/blog/2018-02-27/<h2 id="katzenpost-monthly-news">katzenpost monthly news</h2> <p>Greetings!</p> <p>This is our first edition of katzenpost monthly news. I&rsquo;ll be summarizing recent events from our first hackfest in Athens in early December 2017 to the present.</p> <p>What we did in Athens:</p> <ul> <li>setup a test mix network</li> <li>remote collaboration with Yawning Angel to fix bugs and add features to the server side</li> <li>wrote some basic installation documentation</li> <li>Moritz created and deployed the <a href="https://katzenpost.mixnetworks.org">katzenpost website</a> with glossary and FAQ</li> <li>explored technical issues related to python and java language bindings to golang libraries</li> <li>discussed at length the possibilies for various kinds of mixnet clients</li> <li>Vincent wrote a prototype android instant messenger client</li> <li>met with the GrNet people and told them how to install a katzenpost mix network and answered their questions</li> <li>meskio and kaliy added an external user db interface for Provider authentication</li> <li>meskio wrote prototype python clients for testing purposes</li> <li>we had many group discussion about mix network design</li> <li>special guest visitor: George Kadianakis from Tor Project</li> </ul> <p>Since that time we have been working on our PKI specification. Nick Mathewson sent us a six page review of our spec and Yawning sent a two page reply; both of these e-mails contain lots of design details and have been useful in our editing of the spec thus far:</p>