David Stainton's Open Source Projects
See my GitHub profile and the Katzenpost organisation for additional open source projects.
Post-Quantum Cryptography and the Katzenpost Mix Network
Katzenpost is a post-quantum mix network with strong metadata-privacy guarantees against global passive adversaries, compromised contacts, quantum decryption, and statistical/confirmation attacks. It started as part of the EU Horizon 2020 Panoramix project in 2017, and I’ve been leading the cryptographic protocol work on it ever since.
Two post-quantum hybrid variants of the Sphinx packet format: a NIKE Sphinx and a KEM Sphinx, both supporting hybrid post-quantum constructions, so you can compose X25519 with ML-KEM (or other KEMs/NIKEs) and keep the handshake secure even if one primitive breaks.
- Code: core/sphinx
- Classical Sphinx spec: https://katzenpost.network/docs/specs/sphinx.html
- KEM Sphinx spec: https://katzenpost.network/docs/specs/kemsphinx.html
Pigeonhole: unlinkable message storage for mixnets. Pigeonhole is the storage protocol from our Echomix paper. Messages live in BACAP boxes, pseudorandom unlinkable locations derived via Ed25519 key blinding, sharded across replicas and fronted by couriers that never learn the box IDs. Fixed-throughput courier-replica connections hide traffic patterns. Envelope encryption keeps couriers blind.
- Implementation in review: PR #985
- Overview: https://katzenpost.network/docs/pigeonhole_explained/
- Protocol spec: https://katzenpost.network/docs/specs/pigeonhole/
- Group chat design: https://katzenpost.network/docs/specs/group_chat.html
- Thin client howto: https://katzenpost.network/docs/thin_client_howto/
- Thin client API reference: https://katzenpost.network/docs/thin_client_api_reference/
Post-quantum Noise wire protocol for the mixnet. Integrated a PQ Noise handshake into the Katzenpost mix network wire protocol, via a fork of Yawning Angel’s Nyquist pq/experimental branch. The result follows the approach described in Angel/Dowling/Hülsing/Schwabe/Weber’s Post-Quantum Noise.
- Code: core/wire
- Wire protocol spec: https://katzenpost.network/docs/specs/wire.html
hpqc: post-quantum Go cryptography library. My PQ crypto library used throughout Katzenpost. Highlights:
- A secure KEM combiner.
- An ad-hoc ElGamal-based NIKE-to-KEM adapter, so any number of NIKEs and KEMs can be hybridised together.
- KEM, NIKE, and signature primitives (MLKEM768, CTIDH, Sphincs+, plus classical X25519 and Ed25519) with hybrid variants.
- The BACAP blinding-and-capability scheme.
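As an added illustration (not hpqc or Katzenpost code) of the hybrid construction behind the KEM Sphinx and the hpqc combiner above: ML-KEM-768 from Go's crypto/mlkem (Go 1.24+) is paired with X25519 turned into a KEM by an ElGamal-style adapter (the sender's ephemeral public key is the ciphertext, the DH output is the secret), and both secrets are bound to both ciphertexts in a single hash so the derived key stays secure while either component holds. The KDF layout and the "hybrid-kem-demo" label are assumptions for this demo, not hpqc's exact construction.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"slices"
)

// combine hashes both shared secrets with both ciphertexts (all fixed length, so
// concatenation is unambiguous). Illustrative KDF, not hpqc's exact construction.
func combine(ss1, ss2, ct1, ct2 []byte) []byte {
	sum := sha256.Sum256(slices.Concat([]byte("hybrid-kem-demo"), ss1, ss2, ct1, ct2))
	return sum[:]
}

// Encapsulate: ML-KEM-768 plus X25519 as a KEM (ephemeral pub = ciphertext, DH = secret).
func Encapsulate(kemPub *mlkem.EncapsulationKey768, nikePub *ecdh.PublicKey) ([]byte, []byte, error) {
	ss1, ct1 := kemPub.Encapsulate()
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ss2, err := eph.ECDH(nikePub) // errors on low-order points (all-zero output)
	if err != nil {
		return nil, nil, err
	}
	ct2 := eph.PublicKey().Bytes()
	return combine(ss1, ss2, ct1, ct2), slices.Concat(ct1, ct2), nil
}

// Decapsulate checks the length before slicing, then recovers and recombines both secrets.
func Decapsulate(kemPriv *mlkem.DecapsulationKey768, nikePriv *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	const n = mlkem.CiphertextSize768
	if len(ct) != n+32 {
		return nil, errors.New("hybrid ciphertext has wrong length")
	}
	ss1, err1 := kemPriv.Decapsulate(ct[:n]) // implicit rejection: a tampered ct yields a different key, not an error
	ephPub, err2 := ecdh.X25519().NewPublicKey(ct[n:])
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	ss2, err := nikePriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return combine(ss1, ss2, ct[:n], ct[n:]), nil
}
```

Because the ciphertexts are hashed into the key, a modified ciphertext changes the derived key on the receiver side even when the underlying KEM itself reports no error.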
IETF TLS working group. Active participant in both the post-quantum signatures discussion (pure ML-DSA vs. composite) and the ML-KEM pure-vs-hybrid discussion. My position on both: use hybrids. PQ cryptanalysis has already broken a handful of candidates in recent years, and lattices are young compared to elliptic curves. I’d rather not bet there are no more breaks coming.
Earlier Katzenpost contributions
- Plugin system for the mix server allowing providers to run network services that mixnet clients can interact with: https://github.com/katzenpost/server/blob/master/internal/provider/kaetzchen/cbor_plugins.go
- PANDA and REUNION service plugins, asynchronous PAKE protocols: https://github.com/katzenpost/reunion, https://github.com/katzenpost/panda
- Catshadow, a mixnet messaging protocol and client with strong location-hiding properties that prevent communication partners from discovering one another’s location on the mix network: https://github.com/katzenpost/catshadow, https://github.com/katzenpost/catchat. Design and threat model: catshadow.pdf.
- New cryptographic certificate format for the mixnet voting directory authority: https://github.com/katzenpost/core/tree/master/crypto/cert
- Post-quantum hybrid double ratchet for end-to-end message encryption: https://github.com/katzenpost/doubleratchet
Some of this earlier work was funded by Samsung and NLnet.
Honeybadger: TCP injection attack detector (2014)
In 2014, shortly after the Edward Snowden document leaks, I wrote Honeybadger, at the time the most sophisticated detector of TCP injection attacks, including the NSA’s so-called “quantum insert” (which is really just a silly name for TCP injection). It uses my own classification of injection attacks:
- handshake hijack
- segment veto
- sloppy injection
- out-of-order coalesce injection
- censorship injection
Writeup: TCP injection attack categories. Documentation: honeybadger.readthedocs.org.
During that work I acted as an advisor to Google on improvements to their Gopacket library (correspondence with Graeme Connell at Google and Laurent Hausermann at Sentryo in April 2015). I have never been employed by Google; I am an independent security researcher.
Earlier open source
Go
I started writing Go in 2014.
- BPF sniffer API I contributed to Google’s gopacket library, so Honeybadger could run efficiently on BSD without libpcap.
- IPFS Tor onion transport.
- Parasitic TCP traceroute: a Linux nfqueue-based tool that mangles packets of an existing TCP connection to traceroute past an upstream NAT.
- Contributed an onion-listener feature to Bulb, Tor integration for Go apps.
- Added SOCKS5 proxy support to Subgraph’s fw-daemon.
- Reported a bug in Subgraph’s Linux netfilter-queue library.
- Fixed a bug in Go’s standard library syscall module.
Rust
I learned Rust by writing cryptography libraries and solving cryptopals challenges.
- Sphinx cryptographic packet format in Rust: historical, compatible with earlier versions of the Katzenpost Go Sphinx.
- Mix Link: a Rust crate binary-compatible with an earlier version of the Katzenpost mix network wire protocol. Uses the Noise_XXhfs_25519+Kyber1024_ChaChaPoly_BLAKE2b hybrid-PQ handshake.
- Lioness wide-block cipher in Rust, binary-compatible with my Go Lioness implementation.
- AEZ Rust FFI bindings around the AEZ wide-block-cipher reference C implementation.
- ECDH wrapper, Sphinx replay cache, experimental SEDA mix server.
- Cryptopals solutions.
Python
Most of my Python work involved async IO networking with Twisted, often for Tor integration or cryptography.
- Feature contributions to Tahoe-LAFS (2013-2017 at Least Authority), the original cryptographic-capability storage system.
- Fork of Ian Goldberg’s Sphinx reference implementation: made it compatible with Python 2/3 and upgraded some of the cryptographic primitives.
- pylioness: a Python Lioness wide-block cipher.
- scan_tor_rfc5961: active scanner for a Linux kernel vulnerability that affected the Tor network; report to tor-dev. The follow-up guard-discovery attack remains unpublished for ethical reasons.
- tor_partition_scanner, contributions to txtorcon, maintenance releases of pycryptopp, Tor integration for Foolscap.
- onionvpn: a VPN using Tor onion services as transport.
- twistedcat: a socat-like tool in Twisted.
- txtorhttpproxy: a Twisted HTTP-to-Tor proxy.