katzenpost

Katzenpost Mix Network

Post Quantum Anonymous Communication Network

Katzenpost is a software project dedicated to designing and implementing mix network protocols. A mix network is a type of anonymous communication network. An anonymous communication network is also known as a traffic analysis resistant network; that is, it's protocols are designed to resist statistical analysis by passive global adversaries.

Traffic analysis typically refers to the statistical analysis of encrypted traffic. Traffic analysis is worth defending against given that common network protocols leak lots of information such as source and destination IP addresses, message size, message sequence, message delay pattern, geographical locations, social graph etc. Mere end to end encryption alone cannot protect against this type of information leakage.

At the most basic level, mixnets are composed of mix nodes. These are a cryptographic packet switching routers which protect our privacy by mixing many messages together and cryptographically transforming them before routing them on to the next hop. Mix nodes also use shuffling or added latency to create uncertainty for network observers. This uncertainty is in regards to trying to link incoming messages with the outgoing messages.

Project Status

We are currently working to implement the new mixnet protocols discussed in our paper. Please also see the specification documents for the new protocols:

Pigeonhole Protocol Specification Group Chat Protocol Specification

Within this repo there are some old deprecated APIs which are associated with the "old client":

• client
• minclient
• stream
• map
• cmd/http-proxy-client
• cmd/http-proxy-server
• cmd/katzencat
• cmd/katzencopy
• cmd/map

PLEASE TAKE CARE TO AVOID USING THESE DEPRECATED SECTIONS OF OUR CODEBASE!

Building Katzenpost

Build Targets

The root Makefile provides several build targets for different components:

Standard Components

To build all standard server and client components (excluding replica), use:

cd katzenpost
make all

This builds all executables in the cmd/ directory:

• server - Mix server node
• dirauth - Directory authority node
• genconfig - Configuration file generator
• ping - Network connectivity testing tool
• courier - Message courier service
• echo-plugin - Echo service plugin
• fetch - Data fetching utility
• genkeypair - Cryptographic key pair generator
• gensphinx - Sphinx packet generator
• http-proxy-client - HTTP proxy client
• http-proxy-server - HTTP proxy server
• katzencat - Katzenpost netcat-like utility
• katzencopy - File transfer utility
• kpclientd - Katzenpost client daemon
• map - Network mapping utility
• sphinx - Sphinx cryptographic packet tool

Individual Components

You can also build individual components:

make server      # Build just the mix server
make dirauth     # Build just the directory authority
make genconfig   # Build just the config generator
# ... etc for any component

Replica Component (Special Requirements)

The replica component requires RocksDB dependencies and has its own target:

make replica

This will:

1. Install RocksDB dependencies (cmake, build tools, gflags, RocksDB v10.2.1)
2. Build the replica executable

Note: The replica target requires sudo privileges to install system dependencies.

Cleaning Built Binaries

To remove all built executables:

make clean

Dependencies

Standard Components

Most Katzenpost components only require Go and standard system libraries.

Replica Component Dependencies

The replica component requires RocksDB, which has additional system dependencies:

• System packages: cmake, build-essential, libsnappy-dev, libzstd-dev, liblz4-dev, libz-dev
• gflags: Built from source (https://github.com/gflags/gflags.git)
• RocksDB v10.2.1: Built from source (https://github.com/facebook/rocksdb.git)

The make replica target automatically handles installing these dependencies, but requires sudo privileges. If you prefer to install dependencies manually, you can use:

make install-replica-deps  # Install RocksDB dependencies only

Client:

New Katzenpost mixnet clients are forthcoming.

Server Side Usage/Configuration

Our docker configuration is the most comprehensive and up to date place to learn about how to configure a Katzenpost mix network. Run the makefile in the docker directory to get a usage menu:

$ cd katzenpost/docker; make 
These make targets allow you to control the test network:
 config-only        - generate configuration files only (no docker containers)
 start              - start the testnet
 stop               - stop the testnet
 client-restart     - restart just the kpclientd daemon
 client-logs        - view kpclientd daemon logs
 wait               - wait for testnet to have consensus
 watch              - tail -F all logs
 watch-replicas     - monitor all replica logs
 watch-auth         - monitor all directory authority logs
 watch-mixes        - monitor all mix node logs
 watch-courier      - monitor courier service log
 watch-servicenode  - monitor service node log
 watch-gateway      - monitor gateway log
 watch-all-separate - monitor all logs with component labels
 status             - show testnet consensus status
 show-latest-vote   - does what it says
 run-ping           - send a ping over the testnet
 clean-bin          - stop, and delete compiled binaries
 clean-local        - stop, and delete data and binaries
 clean-local-dryrun - show what clean-local would delete
 clean              - the above, plus cleans includes go_deps images

You can run a docker mixnet locally and then inspect the configuration files to learn how to configure a Katzenpost mixnet.

Documentation is a work in progress:

• Katzenpost Mixnet Documentation

• Using the Katzenpost Docker test mix network

• Mixnet Admin guide

Expert's Corner

Katzenpost is an unverified decryption mix network that uses a continuous time mixing strategy with client selected exponential delays and a stratified routing topology.

We have some resources for experts:

• Mixnet Threat Model Document

• Mixnet Literature Review

Cryptographic Agility

Katzenpost consists of 3 core cryptographic protocols all of which have cryptographic agility with respect to the KEM, NIKE or signature scheme being used:

1. Wire protocol based on Noise/PQ Noise
2. Sphinx
3. PKI

Each of these protocols makes use of our golang cryptography library called HPQC (hybrid post quantum cryptography):

https://github.com/katzenpost/hpqc

Firstly, for each of the protocols we make use of a small set of golang interfaces for KEM, NIKE and signature schemes respectively allowing us to build protocols that are completely agnostic to the specific cryptographic primitive being used. Secondly, each of these protocol implementations allows for the selection of the cryptographic primitive via it's TOML configuration file.

Here's what primitives are available to you:

As well as all of the NIKE schemes through the KEM adapter, and any combinations of the above through the combiner.

Wire protocol based on Noise/PQ Noise

All Katzenpost components communicate with one another using our "wire" protocol which currently only works on TCP but hopefully soon also QUIC. This wire protocol is traffic padded as a redundant measure against traffic analysis.

We believe in The Noise Protocol Framework, that it is good to use it instead of TLS, whenever possible. Noise places all of the protocol decision making during the design phase of the protocol instead of during protocol runtime. This means there are no protocol downgrade attacks, no dynamic selection of ciphersuite and so on.

However, we use a variation of Noise called Post Quantum Noise, from the paper:

@misc{cryptoeprint:2022/539,
      author = {Yawning Angel and Benjamin Dowling and Andreas Hülsing and Peter Schwabe and Florian Weber},
      title = {Post Quantum Noise},
      howpublished = {Cryptology ePrint Archive, Paper 2022/539},
      year = {2022},
      doi = {10.1145/3548606.3560577},
      note = {\url{https://eprint.iacr.org/2022/539}},
      url = {https://eprint.iacr.org/2022/539}
}

Our wire protocol implementation let's you select any KEM and if you happened to have selected Xwing then the precise Noise protocol descriptor string for the protocol would be:

Noise_pqXX_Xwing_ChaChaPoly_BLAKE2s

Here's a diagram of the pqXX pattern which we use:

sequenceDiagram
    Client-)Server: e
    Server-)Client: ekem, s
    Client-)Server: skem, s
    Server-)Client: skem

Sphinx

We use the Sphinx cryptographic packet format and allow it's geometry to be completely configurable to accomodate various networking requirements. Additionally the Sphinx can use any NIKE (non-interactive key exchange). We also developed a novel post quantum variation called KEM Sphinx. KEM (key encapsulation mechanism) Sphinx is twice as fast on the server side as the original NIKE Sphinx because it only requires one public key operation per hop instead of two. However it has the packet header overhead size penalty that grows linearly with the number of hops.

And here are some Sphinx benchmarks using different KEMs and NIKEs, computed on David's laptop:

We can draw several conclusions from this table of benchmarks:

1. KEM Sphinx is about twice as fast as NIKE Sphinx
2. MLKEM768 is faster than X25519
3. Xwing KEM Sphinx is almost as fast as X25519 NIKE Sphinx but probably a lot more secure given that it's a post quantum hybrid construction which still uses the classically secure X25519 NIKE.
4. CTIDH is very slow and we probably don't want to use it for Sphinx. We instead think it very useful for application level encryption.

Please also note that hybrid KEMs referred to above are constructed using a security preserving KEM combiner and a NIKE to KEM adapter (adhoc elgamal construction) with semantic security so that the resulting hybrid KEM is IND-CCA2 in the QROM.

PKI/Directory Authority

Mix network key management and distribution is handled by the directory authority system, a decentralized voting protocol that can tolerate (1/2 * n)-1 node outages. Clients and mix nodes can talk to the dirauth (directory authority) system to get a published PKI document which is essentially a view of the network which contains public cryptographic keys and network connection information.

The mix descriptors are signed by the mix nodes. Each dirauth also signs their interactions in the voting protocol and the final published PKI document.

Mix nodes and dirauth (directory authority) nodes use whichever signature scheme selected by the dirauth configuration. Clients also use this signature scheme to verify PKI documents.

Debugging/Profiling Katzenpost

We can optionally enable the use of pyroscope pprof profiling within the mix server by building with the "pyroscope" build tag:

cd cmd/server; go build --tags pyroscope

You'll have to setup a pyroscope server via these instructions, here:

https://grafana.com/docs/pyroscope/latest/get-started/

And you can point the mix server at the pyroscope server via environment variables:

export PYROSCOPE_APPLICATION_NAME=katzenpost_mix_server
export PYROSCOPE_SERVER_ADDRESS=http://localhost:4040
export PYROSCOPE_SERVICE_TAG=mix1
./server -f katzenpost-server.toml

License

AGPLv3

Donations

Your donations are welcomed and can be made through Open Collective here.

Supported By

This project has received funding from:

• European Union’s Horizon 2020 research and innovation programme under the Grant Agreement No 653497, Privacy and Accountability in Networks via Optimized Randomized Mix-nets (Panoramix).
• The Samsung Next Stack Zero grant.
• NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.
• NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.