NyxNet

Privacy-First Post-Quantum Secure Network Stack

English | 日本語

NyxNet is a next-generation anonymous communication framework designed for the quantum computing era. Combining mix network architecture with quantum-resistant cryptography, it provides robust protection against traffic analysis while maintaining high performance.

---

Table of Contents

• Overview
• Key Features
• Architecture
• Technology Stack
• Getting Started
• Project Structure
• Use Cases
• Performance
• Security
• Roadmap
• Contributing
• License
• Acknowledgments

---

Overview

The Challenge

Modern encryption faces three critical threats:

1. Quantum Computing: Algorithms like Shor's can break RSA and elliptic curve cryptography
2. Traffic Analysis: Even encrypted communications reveal metadata through timing and size patterns
3. Store-Now-Decrypt-Later: Adversaries can archive encrypted traffic and decrypt it when quantum computers become available

The Solution

NyxNet addresses these challenges through:

• Post-Quantum Cryptography: Hybrid ML-KEM-768 + X25519 key exchange
• Sphinx Onion Routing: Multi-hop encrypted routing with unlinkability
• Adaptive Cover Traffic: Poisson-distributed dummy packets to mask patterns
• QUIC Transport: Low-latency UDP-based communication with 0-RTT handshake
• Forward Error Correction: Adaptive Reed-Solomon encoding for packet loss resilience

graph LR
    A[User Application] --> B[NyxNet SDK]
    B --> C[QUIC Transport]
    C --> D[Mix Node 1]
    D --> E[Mix Node 2]
    E --> F[Mix Node 3]
    F --> G[Exit Node]
    G --> H[Destination]
    
    style A fill:#e1f5ff
    style B fill:#b3e5fc
    style C fill:#81d4fa
    style D fill:#4fc3f7
    style E fill:#29b6f6
    style F fill:#039be5
    style G fill:#0277bd
    style H fill:#e1f5ff

Loading

---

Key Features

Security

Feature	Description	Implementation
Post-Quantum Cryptography	ML-KEM-768 + X25519 hybrid key exchange	nyx-crypto
Sphinx Routing	3-hop onion encryption with header unlinkability	nyx-mix
Replay Protection	Timestamp-based nonce validation with Bloom filter	nyx-crypto/anti_replay
Forward Secrecy	Ephemeral keys for session encryption	nyx-crypto/session
Secure Key Storage	Platform keychain integration (iOS/Android/Desktop)	nyx-crypto/keystore

Performance

Feature	Description	Implementation
QUIC Transport	Low-latency UDP datagrams with multiplexing	nyx-transport
Multipath Routing	Automatic failover with dynamic path selection	nyx-stream/multipath
FEC Coding	Adaptive Reed-Solomon redundancy (5-20%)	nyx-fec
BBR Congestion Control	Bandwidth estimation-based flow control	nyx-stream/bbr
Zero-Copy Buffers	Memory-efficient packet processing	nyx-core

Privacy

Feature	Description	Implementation
Cover Traffic	Poisson-distributed dummy packets	nyx-mix/cover
Traffic Analysis Resistance	Padding and timing obfuscation	nyx-stream/padding_system
Distributed Trust Model	No single point of failure	Architecture-wide
Metadata Minimization	Minimal header information	Protocol design

Integration

Feature	Description	Implementation
gRPC API	20+ RPC methods for control and monitoring	nyx-daemon, nyx-control
SOCKS5 Proxy	Tor-compatible proxy interface	nyx-http-proxy (Go)
HTTP CONNECT Proxy	Browser-compatible HTTPS tunneling	nyx-http-proxy (Go)
OpenTelemetry	Metrics (Prometheus) and traces (Jaeger)	nyx-telemetry
Mobile SDK	iOS and Android FFI bindings	nyx-mobile-ffi
WebAssembly	Browser-native encryption	nyx-sdk-wasm

---

Architecture

System Overview

graph TB
    subgraph "Application Layer"
        APP[User Applications]
        BROWSER[Web Browsers]
        MOBILE[Mobile Apps]
    end
    
    subgraph "SDK Layer"
        SDK[nyx-sdk<br/>Stream API]
        WASM[nyx-sdk-wasm<br/>WebAssembly]
        FFI[nyx-mobile-ffi<br/>iOS/Android]
    end
    
    subgraph "Proxy Layer"
        SOCKS[SOCKS5]
        HTTP[HTTP CONNECT]
    end
    
    subgraph "Control Plane"
        DAEMON[nyx-daemon<br/>gRPC/JSON-RPC]
        CLI[nyx-cli<br/>Management]
        CONTROL[nyx-control<br/>DHT/REST]
    end
    
    subgraph "Data Plane"
        STREAM[nyx-stream<br/>Multiplexing]
        MIX[nyx-mix<br/>Sphinx Routing]
        TRANSPORT[nyx-transport<br/>QUIC Multipath]
        FEC[nyx-fec<br/>Reed-Solomon]
    end
    
    subgraph "Foundation Layer"
        CRYPTO[nyx-crypto<br/>ML-KEM + X25519]
        CORE[nyx-core<br/>Types & Config]
        TELEMETRY[nyx-telemetry<br/>Metrics & Traces]
    end
    
    APP --> SDK
    BROWSER --> SOCKS
    BROWSER --> HTTP
    MOBILE --> FFI
    
    SDK --> DAEMON
    WASM --> DAEMON
    FFI --> DAEMON
    SOCKS --> DAEMON
    HTTP --> DAEMON
    CLI --> DAEMON
    
    DAEMON --> CONTROL
    DAEMON --> STREAM
    
    STREAM --> MIX
    MIX --> TRANSPORT
    TRANSPORT --> FEC
    
    STREAM --> CRYPTO
    MIX --> CRYPTO
    TRANSPORT --> CORE
    FEC --> CORE
    
    DAEMON --> TELEMETRY
    STREAM --> TELEMETRY
    CONTROL --> TELEMETRY

Loading

Data Flow

sequenceDiagram
    participant App as Application
    participant SDK as NyxNet SDK
    participant Mix1 as Mix Node 1
    participant Mix2 as Mix Node 2
    participant Mix3 as Mix Node 3
    participant Exit as Exit Node
    participant Dest as Destination

    App->>SDK: Send Data
    SDK->>SDK: ML-KEM-768 + X25519 Handshake
    SDK->>SDK: Create Sphinx Packet<br/>(3-layer encryption)
    SDK->>SDK: Apply FEC Encoding
    SDK->>Mix1: QUIC Transport
    
    Mix1->>Mix1: Peel Layer 1
    Mix1->>Mix2: Forward
    
    Mix2->>Mix2: Peel Layer 2
    Mix2->>Mix3: Forward
    
    Mix3->>Mix3: Peel Layer 3
    Mix3->>Exit: Forward
    
    Exit->>Dest: Deliver
    
    Dest-->>Exit: Response
    Exit-->>Mix3: SURB Route
    Mix3-->>Mix2: Forward
    Mix2-->>Mix1: Forward
    Mix1-->>SDK: Deliver
    SDK-->>App: Response Data

Loading

Security Boundaries

graph TB
    subgraph "User Space - Trusted"
        APP[Application]
        SDK[SDK]
    end
    
    subgraph "Network Space - Untrusted"
        ISP[ISP]
        MIX1[Mix Node 1]
        MIX2[Mix Node 2]
        MIX3[Mix Node 3]
        EXIT[Exit Node]
    end
    
    subgraph "Cryptographic Protection"
        E1[ML-KEM + X25519 Encryption]
        E2[Sphinx Layer 1]
        E3[Sphinx Layer 2]
        E4[Sphinx Layer 3]
    end
    
    APP -->|Plaintext| SDK
    SDK -->|E1| ISP
    ISP -->|E1+E2+E3+E4| MIX1
    MIX1 -->|E1+E3+E4| MIX2
    MIX2 -->|E1+E4| MIX3
    MIX3 -->|E1| EXIT
    
    style APP fill:#a5d6a7
    style SDK fill:#81c784
    style ISP fill:#ef5350
    style MIX1 fill:#ffb74d
    style MIX2 fill:#ffb74d
    style MIX3 fill:#ffb74d
    style EXIT fill:#ffa726

Loading

---

Technology Stack

Core Languages

Language	Version	Purpose	Rationale
Rust	1.70+ (2021 edition)	Core components, daemon, SDK	Memory safety, zero-cost abstractions, strong type system
Go	1.24+	HTTP/HTTPS proxy layer	Pure Go TLS, excellent networking libraries

Key Dependencies

Cryptography

• ml-kem (0.2): NIST-standardized post-quantum KEM
• x25519-dalek: Elliptic curve Diffie-Hellman
• chacha20poly1305: Authenticated encryption
• blake3: Cryptographic hashing
• ed25519-dalek: Digital signatures

Networking

• tokio (1.37+): Async runtime and I/O
• quinn (0.11): QUIC protocol implementation
• tonic: gRPC framework
• axum: HTTP server framework
• h2, h3: HTTP/2 and HTTP/3 support

Serialization

• ciborium: CBOR encoding/decoding
• prost: Protocol Buffers
• serde: Serialization framework
• bincode: Binary encoding

Observability

• tracing: Structured logging
• opentelemetry: Distributed tracing
• prometheus: Metrics collection

---

Getting Started

Prerequisites

# Rust toolchain
rustc --version  # 1.70.0 or newer

# Go toolchain (for HTTP proxy)
go version  # 1.24 or newer

# Protocol buffer compiler (optional, vendored in build-protoc)
protoc --version

Installation

Option 1: From Source

# Clone the repository
git clone https://github.com/Aqua-218/NyxNet.git
cd NyxNet

# Build all components
cargo build --release

# Build HTTP proxy (Go)
cd crates/nyx-http-proxy
go build -o ../../target/release/nyx-http-proxy
cd ../..

Option 2: Install CLI Only

cargo install --path crates/nyx-cli

Quick Start

1. Start the Daemon

# Using default configuration
nyx-cli daemon start

# With custom config
nyx-cli daemon start --config config/nyx.toml

2. Configure Proxy

# SOCKS5 proxy (default: localhost:9150)
export SOCKS_PROXY=socks5://localhost:9150

# HTTP proxy (default: localhost:8118)
export HTTP_PROXY=http://localhost:8118
export HTTPS_PROXY=http://localhost:8118

3. Send Anonymous Traffic

# Via SOCKS5
curl --socks5 localhost:9150 https://example.com

# Via HTTP proxy
curl --proxy http://localhost:8118 https://example.com

# Direct SDK usage
nyx-cli send --to <destination> --data "Hello, anonymity!"

4. Monitor Status

# View daemon information
nyx-cli info

# Subscribe to events
nyx-cli events

# Check circuit status
nyx-cli circuit list

Configuration Example

# config/nyx.toml
[network]
mix_hops = 3
cover_traffic_rate = 0.1  # 10% dummy traffic
low_power_mode = false

[security]
handshake_mode = "Hybrid"  # ML-KEM-768 + X25519
replay_cache_size = 100000
key_rotation_interval = "24h"

[transport]
quic_0rtt = true
multipath_enabled = true
fec_redundancy = 0.15  # 15% redundancy

[proxy]
socks5_port = 9150
http_port = 8118

[telemetry]
prometheus_port = 9090
jaeger_endpoint = "http://localhost:14268/api/traces"

---

Project Structure

NyxNet/
├── crates/                      # Rust workspace members
│   ├── nyx-core/                # Core types, config, error handling
│   ├── nyx-crypto/              # ML-KEM-768 + X25519, session keys
│   ├── nyx-transport/           # QUIC transport layer
│   ├── nyx-mix/                 # Sphinx onion routing
│   ├── nyx-fec/                 # Reed-Solomon error correction
│   ├── nyx-stream/              # Stream multiplexing, BBR
│   ├── nyx-telemetry/           # OpenTelemetry integration
│   ├── nyx-control/             # DHT, REST API
│   ├── nyx-cli/                 # Command-line interface
│   ├── nyx-daemon/              # Background service, gRPC
│   ├── nyx-sdk/                 # High-level SDK
│   ├── nyx-sdk-wasm/            # WebAssembly bindings
│   ├── nyx-mobile-ffi/          # iOS/Android FFI
│   ├── nyx-http-proxy/          # HTTP/SOCKS5 proxy (Go)
│   └── nyx-conformance/         # Protocol conformance tests
├── docs/                        # Comprehensive documentation
│   ├── 01-overview/             # Project overview, tech stack
│   ├── 02-architecture/         # Architecture deep dive
│   ├── 03-features/             # Feature specifications
│   ├── 04-api-reference/        # API documentation
│   ├── 05-development/          # Development guides
│   ├── 06-deployment/           # Deployment guides
│   └── 07-operations/           # Operations and monitoring
├── tests/                       # Integration and boundary tests
│   ├── integration/             # End-to-end tests
│   ├── boundary/                # Edge case tests
│   ├── security/                # Security validation
│   └── benchmarks/              # Performance benchmarks
├── tools/                       # Development and deployment tools
│   ├── scripts/                 # Automation scripts
│   ├── deploy/                  # Deployment configurations
│   └── test/                    # Test utilities
├── config/                      # Configuration files
│   ├── nyx.toml                 # Main configuration
│   ├── rust/                    # Rust tooling configs
│   └── security/                # Security scanners
├── examples/                    # Usage examples
│   ├── mobile/                  # Mobile app examples
│   └── full_config.toml         # Complete configuration reference
├── Cargo.toml                   # Workspace definition
└── README.md                    # This file

Component Dependencies

graph TD
    CLI[nyx-cli] --> DAEMON[nyx-daemon]
    SDK[nyx-sdk] --> DAEMON
    WASM[nyx-sdk-wasm] --> SDK
    FFI[nyx-mobile-ffi] --> SDK
    PROXY[nyx-http-proxy] --> DAEMON
    
    DAEMON --> CONTROL[nyx-control]
    DAEMON --> STREAM[nyx-stream]
    
    STREAM --> MIX[nyx-mix]
    MIX --> TRANSPORT[nyx-transport]
    TRANSPORT --> FEC[nyx-fec]
    
    STREAM --> CRYPTO[nyx-crypto]
    MIX --> CRYPTO
    CONTROL --> CRYPTO
    
    TRANSPORT --> CORE[nyx-core]
    FEC --> CORE
    CRYPTO --> CORE
    
    DAEMON --> TELEMETRY[nyx-telemetry]
    STREAM --> TELEMETRY
    CONTROL --> TELEMETRY

Loading

---

Use Cases

1. Anonymous Web Browsing

# Configure browser to use SOCKS5 proxy
# Firefox: Preferences -> Network Settings -> Manual proxy
# Host: localhost, Port: 9150

nyx-cli daemon start
# Browse anonymously with post-quantum protection

2. Secure Messaging

use nyx_sdk::{Client, StreamConfig};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let client = Client::connect("localhost:50051").await?;
    
    let mut stream = client.create_stream(StreamConfig {
        cover_traffic: true,
        multipath: true,
        ..Default::default()
    }).await?;
    
    stream.send(b"Secure message").await?;
    let response = stream.recv().await?;
    
    Ok(())
}

3. Mobile Applications

// iOS example
import NyxMobile

let config = NyxConfig()
config.mixHops = 3
config.lowPowerMode = true

let client = try NyxClient(config: config)
try await client.connect()

let data = "Hello".data(using: .utf8)!
try await client.send(data, to: destination)

4. IoT Device Protection

# Lightweight configuration for resource-constrained devices
nyx-cli daemon start \
    --config config/iot.toml \
    --low-power \
    --min-cover-traffic

---

Performance

Benchmarks

Metric	Value	Conditions
Throughput	100+ Mbps	Single stream, 3 hops, LAN
Latency	50-150 ms	3 hops, WAN, no congestion
Handshake Time	15-30 ms	ML-KEM-768 + X25519 hybrid
CPU Usage	2-5% idle, 15-30% active	Per daemon instance
Memory Usage	50-100 MB	Typical workload
FEC Overhead	5-20%	Adaptive based on packet loss
Cover Traffic	0-50%	User-configurable

Scalability

graph LR
    A[1 Stream] -->|100 Mbps| B[10 Streams]
    B -->|80 Mbps/stream| C[100 Streams]
    C -->|50 Mbps/stream| D[1000 Streams]
    D -->|10 Mbps/stream| E[Connection Pool]
    
    style A fill:#a5d6a7
    style B fill:#81c784
    style C fill:#66bb6a
    style D fill:#4caf50
    style E fill:#43a047

Loading

Optimization Features

• Zero-copy I/O: Minimized memory allocations
• SIMD acceleration: Reed-Solomon encoding (AVX2, NEON)
• Multipath aggregation: Bandwidth pooling across routes
• Adaptive FEC: Dynamic redundancy based on loss rate
• Connection pooling: Reused QUIC connections
• BBR congestion control: Optimized for high-latency networks

---

Security

Threat Model

Threat	Mitigation	Status
Passive eavesdropping	End-to-end encryption (ML-KEM + X25519)	Protected
Traffic analysis	Cover traffic, padding, timing obfuscation	Protected
Timing attacks	Adaptive delays, batching	Protected
Replay attacks	Timestamp nonces, Bloom filter cache	Protected
Quantum attacks	ML-KEM-768 post-quantum KEM	Protected
Single node compromise	3-hop routing, no single point of trust	Protected
Store-now-decrypt-later	Forward secrecy, ephemeral keys	Protected
Denial of Service	Rate limiting, proof-of-work (planned)	Partial
Sybil attacks	DHT security, reputation system (planned)	Partial

Cryptographic Primitives

graph TB
    subgraph "Key Exchange"
        MLKEM[ML-KEM-768<br/>Post-Quantum KEM]
        X25519[X25519<br/>ECDH]
    end
    
    subgraph "Symmetric Encryption"
        CHACHA[ChaCha20-Poly1305<br/>AEAD]
    end
    
    subgraph "Hashing"
        BLAKE3[BLAKE3<br/>Fast Hashing]
        SHA3[SHA3-256<br/>Nonce Generation]
    end
    
    subgraph "Signatures"
        ED25519[Ed25519<br/>Node Identity]
    end
    
    MLKEM -.->|Hybrid| X25519
    MLKEM -->|Shared Secret| CHACHA
    X25519 -->|Shared Secret| CHACHA
    BLAKE3 -->|Header MAC| CHACHA
    SHA3 -->|Nonce| CHACHA
    ED25519 -->|Authentication| MLKEM

Loading

Security Audits

• Automated Scanning: Bearer, Trivy, cargo-deny, cargo-audit
• Dependency Checks: Regular updates, CVE monitoring
• Fuzzing: cargo-fuzz targets for parser and crypto code
• Formal Verification: TLA+ specifications for critical protocols (in progress)
• Third-party Audit: Planned for v1.0 release

Responsible Disclosure

To report security vulnerabilities, please email: security@seleniaproject.org

Do not open public issues for security concerns.

---

Roadmap

Version 0.1.0 (Current - Alpha)

• Core cryptographic primitives
• QUIC transport layer
• Sphinx routing implementation
• Basic daemon and CLI
• SOCKS5/HTTP proxy support
• Integration test suite

Version 0.2.0 (Q2 2025 - Beta)

• Mobile SDK production release
• WebAssembly SDK optimization
• DHT-based directory service
• Reputation system for mix nodes
• Enhanced telemetry and monitoring
• Performance optimization (target: 200 Mbps)

Version 0.3.0 (Q3 2025 - RC)

• Formal security audit
• TLA+ formal verification completion
• DoS protection mechanisms
• Proof-of-work client puzzles
• Enhanced error recovery
• Production deployment guides

Version 1.0.0 (Q4 2025 - Stable)

• Full protocol specification freeze
• Public mix network launch
• Commercial support options
• Ecosystem partnerships
• Browser extension
• Desktop GUI applications

Future Enhancements

• VDF-based batch processing (cMix-style)
• Anonymous credentials (e.g., Privacy Pass)
• Threshold encryption for bulletins
• Decentralized governance
• Cross-chain integration (blockchain anchoring)

---

Contributing

We welcome contributions from the community. Please see our contributing guidelines before submitting pull requests.

Development Setup

# Clone repository
git clone https://github.com/Aqua-218/NyxNet.git
cd NyxNet

# Install development tools
rustup component add clippy rustfmt
cargo install cargo-nextest cargo-audit cargo-deny

# Run tests
cargo nextest run

# Run linters
cargo clippy --all-targets --all-features
cargo fmt --check

# Security audit
cargo audit
cargo deny check

Code Quality Standards

• Test Coverage: Minimum 75% for new code
• Documentation: All public APIs must be documented
• Linting: Zero clippy warnings (pedantic mode)
• Security: No unsafe code without explicit approval
• Performance: Benchmarks for performance-critical paths

Communication Channels

• Issues: GitHub Issues for bug reports and feature requests
• Discussions: GitHub Discussions for questions and ideas
• Security: security@seleniaproject.org for vulnerability reports
• Chat: Coming soon (Discord/Matrix)

---

License

Licensed under either of:

• Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
• MIT License (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

---

Acknowledgments

Research Foundations

• Tor Project: Pioneering work in onion routing
• Signal: Modern post-quantum cryptography integration
• Nym/Katzenpost: Mix network architecture insights
• NIST: Post-quantum cryptography standardization

Technology Providers

• Rust Project: Memory-safe systems programming
• Tokio: High-performance async runtime
• Quinn: QUIC protocol implementation
• ml-kem: NIST-compliant post-quantum KEM

Standards Bodies

• IETF: QUIC, TLS, HTTP specifications
• NIST: Post-quantum cryptography standards
• W3C: Web standards and privacy guidelines

---

Citation

If you use NyxNet in academic research, please cite:

@software{nyxnet2025,
  title = {NyxNet: Privacy-First Post-Quantum Secure Network Stack},
  author = {SeleniaProject},
  year = {2025},
  url = {https://github.com/Aqua-218/NyxNet},
  version = {0.1.0}
}

---

Built with privacy in mind. Secured for the quantum future.

For detailed documentation, visit the docs/ directory or read our comprehensive guide.