~/junctus — an open-source, post-quantum anonymity layer

An anonymity layer: no node holds the whole.

Junctus encrypts each flow, slices it into k-of-n shares, and sends every share down its own onion-wrapped, timing-mixed path. Any single relay — any group smaller than k — only ever sees a meaningless fragment.

Get Started
macOSsoon
Ubuntusoon
Androidsoon
iPhonesoon
Fig. 1 — one request through the overlay (n = 4, k = 3)
YOUENCRYPTSLICE k / nDISJOINT PATHS · ONION-WRAPPED · TIMING-MIXED · PQ LINKSSHARE 1SHARE 2SHARE 3SHARE 4REASSEMBLE ≥kEXIT
exit model
a fresh rotating exit, per request — responsibility diffused, never eliminated.
tapping a relay
sever a path
availabilityReconstructed4 of 4 shares arrived · need ≥ 3
confidentialityLearns nothingno relay compromised
▶ tap any relay — confirm it holds only a meaningless fragment. Switch to Compromise to collude, or sever a path to test recovery.
your data cover traffic relay compromised
§ 01

Trust less than Tor.

A classic VPN asks you to trust one company. Onion routing asks you to trust that a handful of relays never collude. Junctus is built so there is nothing worth seizing: a flow is encrypted, sliced into n shares of which any k reconstruct it — and the shares never travel together.

Every request gets a fresh route and a fresh exit. Timing is mixed against a global observer. Handshakes and onion packets are post-quantum from day one — recorded traffic stays sealed even against a future quantum adversary. And this is no longer a diagram: the network runs end to end, from zero-config discovery to live multi-hop circuits whose responses no middle relay can read.

Where the overlay must touch the open web, responsibility is diffused — rotated per request, and split across a threshold committee so that no minority of members learns anything at all. The engine is neo, one open Rust core shared by every platform. The claims are tested, the limits are documented, and nothing here asks for your trust where a proof — or an honest caveat — will do.

§ 02

Six verbs per flow, in order.

This is the entire per-flow pipeline, exactly as it runs in the engine. Reassembly is the reverse: collect at least k authentic shares, decode, decrypt.

Discovery — a Kademlia DHT over libp2p, hardened with self-certifying signed records and witnessed snapshots, bootstrapped through signed DNS-over-HTTPS records — only ever finds peers. It never carries user data, and it always runs behind the obfuscating transport.

§ 03

The mechanisms, honestly labeled.

All ten have running, tested code — including the four that were research-grade a season ago. Where a hard boundary remains, the card says so, because a roadmap is not a feature.

01shipped

Information slicing

The core mechanism. Flows are encrypted, then split k-of-n across mutually disjoint multi-hop paths. Colluding relays below the threshold learn nothing, and a corrupted share is detected, attributed, and routed around — properties asserted by tests, not prose.

02shipped

Live circuits & tunnels

Sphinx onions travel sockets between separate processes, and a circuit stays open to carry a real TCP byte stream both ways, onion-layered per cell. Only the exit sees the payload; tampering, replay, or reordering anywhere is caught at the endpoint; and no middle relay can read the response.

03shipped

Fresh route + exit, per request

No two requests share a full path; concurrent routes share no hop — not even the exit; exits rotate and never immediately repeat. There is no stable circuit to watch.

04shipped

Mixnet timing defense

Exponential per-packet delays and Poisson cover traffic, scaled by the privacy dial — and since the third review, cover and real frames travel as length-identical fixed-size cells, so an observer watching every link at once cannot split them apart.

05shipped

Post-quantum from day one

Hybrid X25519 + ML-KEM-768 key-confirmed handshakes and Sphinx onion packets, Ed25519-signed identities. “Harvest now, decrypt later” harvests ciphertext that stays ciphertext.

06shipped

Self-certifying discovery

Signed peer records whose id must equal the hash of their keys; witness-signed relay snapshots any untrusted mirror can serve; a DHT clients never appear in — bootstrapped over signed DNS-over-HTTPS records that rotate without a client rebuild.

07shipped

Verifiable routing

A commit-then-VRF handshake: the client commits before seeing any randomness, and the beacon’s VRF has exactly one possible output — so neither side can bias the path, and anyone can verify the result. Aborting and retrying buys no bias either: commitments are bound to an epoch and a counter.

08shipped

Anonymous bandwidth credits

Privacy-Pass-style VOPRF tokens: the issuer blind-signs a serial it never sees, so earning and spending cannot be linked. Issuance is gated on proven, receipt-backed relay work; receipts are capped and expire; and double-spend logs are epoch-scoped so a key rotation cannot resurrect old serials.

09core shipped

Committee exit

The flagship, and it now runs: a real two-party MPC-TLS stack computes the whole ChaCha20-Poly1305 record and SHA-256 key schedule under 2PC — oblivious-transfer extension, garbled circuits verified against their KATs — so the record key, keystream, and plaintext are never assembled at any one party. Today’s gadgets are honest-but-curious by design; malicious-secure garbling and live wiring to a real socket are the remaining, scoped steps.

10shipped

Verifiable privacy

Two-server PIR fetches a relay by node id without either server learning which. A zero-knowledge shuffle argument lets a mix prove it permuted honestly without revealing the permutation — binding it into the live mix is the step ahead.

§ 04

Seven adversaries, one table.

A threat model is a table, not a slogan. Every row names what an adversary can do, what Junctus does about it — and the limit we will not hide from you.

AdversaryWhat they can doWhat Junctus doesThe honest limit
Your ISPSees your link, runs deep packet inspectionEverything encrypted; the transport mimics mainstream TLS/QUICTraffic volume is still observable
An on-path censorBlocks by IP, SNI, or protocol; probes activelySigned DoH rendezvous, an obfuscation ladder, and a REALITY-style authenticated flight — a prober only ever sees a decoyCamouflage mimics QUIC/WebRTC shape, not yet their full protocol crypto
Colluding relaysRun several nodes on your pathk-of-n slicing — fewer than k shares reveal nothing — plus onion layeringCollusion ≥ k across one request’s paths degrades it
A global observerWatches every link at once, correlates timingCover traffic and Poisson timing mixingCosts latency and bandwidth; imperfect at small scale
A malicious exitInspects or tampers with clearnet trafficFresh per-request exits; a committee that computes the TLS session under two-party MPC, so no member holds the key or the plaintextPlaintext to a clearnet site is inherently visible to some egress
A Sybil attackerFloods fake nodes to map or deanonymizeBandwidth credits make identities costly; VRF paths resist herdingAn open problem; residual risk while the network is young
A quantum adversaryRecords today, decrypts laterPQ-hybrid handshakes and onion packets from day oneRests on the assumptions of the PQ primitives

Several rows are asserted by adversary-simulation tests in CI today: colluding relays below the threshold learn nothing; a single relay learns only its next hop, and a tampered payload avalanches instead of carrying a signal; an on-path observer sees only ciphertext; forged discovery data is rejected outright; and no committee minority can open a request. Explicit non-goals for v1: censors who accept large collateral damage, hiding from the destination that a connection happened, compromised endpoints, and formal anonymity bounds. And the table is not just defended — it has been attacked directly, by us. That story is next.

§ 05

We attacked it first.

Three rounds of adversarial review: first the handshake, the onion layer, the novel core, and the discovery plane — then everything that had grown since — and, most recently, the newest surface of all: the two-party MPC-TLS stack, the REALITY probe-resistant transport, persistent circuit tunnels, the credit economy, and the seed, mix, and camouflage layers around them. Findings cite file and line; the worst were proven with working exploits against the real code. Every finding from all three rounds is closed — fixed in code with a regression test standing guard, or, where the defect was an overclaimed doc, by correcting the claim itself.

05critical breaks — found, proven, fixed
82findings closed across three rounds
00highs or mediums left open
01external audit not yet delivered
was criticalfixed

The tagging attack

The onion payload carried no integrity check at any layer, so a malicious first relay could imprint a bit-pattern and a colluding exit could read it back — defeating the unlinkability the mixnet exists to provide. The payload is now an exit-verified wide-block cipher: any en-route tamper avalanches the entire block and is rejected — a corrupted packet cannot carry a message.

was criticalfixed

The key-free forgery

Feeding the protocol a degenerate curve point collapsed every node’s per-hop keys to a public constant — anyone could forge a packet a victim would accept, with no key at all. The identity point is now rejected outright, with a regression test standing guard.

was highfixed

The costly hello

A replayed handshake opener forced the responder into an expensive post-quantum computation every time — a free denial-of-service. The handshake now demands a stateless retry cookie and key confirmation: a replay costs the attacker a round-trip and the responder only a MAC, and no session exists until the initiator proves its key.

was criticalfixed

The infinite mint

Found in the second review: a single validly-signed relay receipt could claim an astronomical byte count and mint trillions of bandwidth credits in one call — defeating the whole proof-of-relay economy. Receipts are now capped per claim, and the honest residual (a colluding pair can still forge many capped receipts) is documented rather than papered over.

was criticalfixed

The counterfeit capability

Third round: the probe-resistant transport ran Diffie–Hellman on whatever ephemeral point a stranger sent — including degenerate points that collapse the shared secret to a public constant. A censor could forge the authenticated flight with no capability at all, proven with a working exploit against the shipped code. Degenerate points now silently take the decoy path, a replay cache swallows captured flights, and the hello no longer has a fixed length to fingerprint.

was criticalfixed

The mint wired to nothing

The credit issuer would blind-sign for anyone who asked: issuance never consulted the earning ledger, so unlimited spendable credits could be minted at zero bandwidth — voiding the economy’s anti-Sybil premise. Issuance now atomically consumes proven, receipt-backed earnings; receipts expire; and double-spend logs are scoped to key epochs, so a rotation or redeploy cannot resurrect old serials.

was highfixed

The give-away silence

Cover packets left the mixer at one constant size while real frames varied — so a passive observer could split cover from real by length alone, quietly voiding half the cover-traffic defense. Every frame now travels as a fixed-size cell, length-identical on the wire, with the true length sealed inside the encryption.

01 / 07

The third round was the harshest by design: fifty-seven findings against code no review had ever touched, from a probe-resistance authenticator forgeable with a degenerate curve point to a credit mint wired to nothing. All fifty-seven are closed. Findings that looked severe but did not survive adversarial re-verification were downgraded and the reasoning recorded — a plausible-but-wrong finding is treated as a defect of the review, not a win. And the supply chain is now guarded too: any RustSec advisory in the dependency tree fails CI. An internal review is still not an audit: the external gate stands.

§ 06

One dial, honest trade-offs.

Strong anonymity, low latency, low overhead — pick two. That trilemma is mathematics, not marketing, so Junctus surfaces it as a control instead of pretending it away.

config · privacy_level

The anonymity trilemma: strong anonymity, low latency, low overhead — pick two. The dial decides which two. There is no fourth option, here or anywhere.

A sane default: moderate mixing and cover traffic.

Timing mixing
Moderate Poisson per-hop delays
Cover traffic
Moderate, blended with real flows
Clearnet exit
Fresh rotating exit per request
Global observer
Timing decorrelated
Latency cost
a deliberate tax
§ 07

What we won’t pretend.

Every privacy tool has limits. Most bury them. Ours are part of the specification, kept next to the features and versioned with the code.

Not audited
  1. The trilemma is real.

    Junctus deliberately pays a latency and bandwidth tax for anonymity. If a network promises you all three, it is lying about at least one.

  2. “No responsible exit” has an asterisk.

    Inside the overlay it holds fully — no relay ever reassembles a flow. Toward the open web it is diffused and rotated per request, and split across a threshold committee at the strongest setting: reduced, never zero, because some machine must speak to the destination.

  3. A small network is weak anonymity.

    Slicing and mixing hide you in a crowd. Until the crowd grows, the anonymity set is small — and we say so, rather than round it up.

  4. Sybil is answered, not solved.

    Bandwidth credits make fake identities expensive, not impossible — and today’s proof-of-relay receipts are client-attested, not a trustless measurement. Bootstrap may require a seed set. This remains an open research problem everywhere.

  5. Phones are participants, not pack mules.

    Mobile devices throttle the dial on battery and cellular, and are never mandatory relays or committee members.

  6. It is not audited.

    Three rounds of internal adversarial review found real breaks — five of them critical — and every finding is fixed. But that is not the external security and cryptography audit that gates real-world use. Until that audit: experiment, contribute, poke holes — do not bet your freedom on it.

§ 08

Built in the open, gated by an audit.

Everything below with a filled marker has running, tested code — the core, the frontier that was research a season ago, and a hardening tier driven by our own attack on the system. What remains is listed just as plainly.

Core — implemented
01FoundationPQ-hybrid identity (Ed25519 + X25519 + ML-KEM-768), config, CLI.
02MVP tunnelSigned hybrid handshake, encrypted session, a real TUN bridge.
03Onion routingFull Sphinx: fixed-size packets, per-hop MACs, replay tags.
04Information slicingEncrypt-then-slice k-of-n over Reed–Solomon; any-k recovery.
05Decentralizationlibp2p Kademlia DHT discovery and the connection ladder.
06Runnable discoverySigned peer records, witnessed snapshots, seed infrastructure, zero-config `neo run`.
07Live onion forwardingSphinx circuits over real sockets — a live seed, three relays, and a sender, end to end; plaintext seen by exactly one node.
08Timing defensePoisson mixing and cover traffic in the live data plane; global-observer simulation.
09Unblockable transportPluggable obfuscation, length bucketing, QUIC.
10Diffused exitOpt-in exit policy; rotating fresh-per-request exits.
11MobileUniFFI bindings over the core; iOS and Android shells.
12Core hardeningAdversary simulations, wire-parser fuzzing, the threat model.
Frontier — implemented
01Anonymous bandwidth creditsVOPRF tokens: unlinkable issuance, double-spends rejected.
02Verifiable routingCommit-then-VRF path seeds neither client nor beacon can bias.
03Committee exitThreshold trust-split with verifiable, attributable key custody.
04Verifiable privacyTwo-server PIR and oblivious lookup by node id; a real ZK shuffle.
Hardening & expansion — implemented
01Security hardeningEvery finding from two review rounds fixed with regression tests — twenty-five, three of them critical.
02Bidirectional streamingA return path with per-hop stream keys; middle relays read nothing.
03NAT traversalAutoNAT reachability and a hole-punch ladder with relay fallback.
04Earn-side accountingCapped proof-of-relay receipts gate credit issuance; spending stays anonymous.
05DoH bootstrapSigned rendezvous records over DNS-over-HTTPS; rotate without a client rebuild.
06ZK verifiable shuffleA mix proves an honest permutation without revealing it.
07Verifiable committee custodyFeldman-verified key shares; a corrupted share is detected and attributed.
08Persistent circuit tunnelsA circuit stays open and carries a real TCP byte stream, onion-layered per cell; a mauled cell is caught at the endpoint.
09Threshold committee decryptionClient-combined partial decryptions with DLEQ proofs — the committee never assembles the key or the plaintext.
10Probe-resistant transportsA REALITY-style authenticated first flight — a prober only ever sees a decoy — with QUIC/MASQUE and WebRTC/DTLS shape camouflage.
11Two-party MPC-TLS coreA full ChaCha20-Poly1305 record and SHA-256 key schedule computed under 2PC — OT extension, garbled circuits matched to their KATs; honest-but-curious today, by design.
12Adversarial hardening, round threeFifty-seven findings against the newest surfaces — MPC-TLS, REALITY, circuit tunnels, credits, seed, mix — every one closed; internal dial-outs default-denied; a RustSec advisory gate now fails CI.
What remains
01Malicious-secure, live MPC-TLSAuthenticated garbling to close dual-execution's ≤1-bit leak, the DECO point-to-bit conversion, and wiring to a real TLS socket on the server's own curve.
02Stream multiplexingCongestion control and many streams over one circuit, above today's single-stream tunnel.
External auditSecurity + cryptography audit before anyone relies on Junctus. A hard gate, not a milestone to rush past.
§ 09

One engine, every pocket.

The protocol lives in a shared Rust core; the platforms are thin shells around it. Phones join the network on their own terms — never as mandatory relays.

CLI & daemonmacOS and Linux — one cfg-gated binary that runs as client, relay, or discovery seed.
macOS appThe full data path in an app: a react-native-macos shell whose system VPN (NEPacketTunnelProvider) claims the default route and gives every intercepted TCP flow its own fresh multi-hop onion circuit to its destination — relay snapshots witness-verified before use, one identity shared with the CLI. Builds from source today; not yet notarized for distribution.
iOSSwift shell over the Rust core via xcframework, tunneling through NEPacketTunnelProvider.
AndroidKotlin shell built with cargo-ndk, tunneling through VpnService.
One coreEvery platform shares the same open Rust engine — fifteen crates, from neo-crypto to neo-verify. AGPL-3.0. No forks of trust.
# one Rust workspace, fifteen crates
$ git clone https://github.com/junctus/neo
$ cd neo && cargo build --release

# a discovery seed — serves no user traffic
$ neo seed --witness witness.key

# relays that register and forward onions
$ neo run --relay --listen 127.0.0.1:9001
$ neo run --relay --listen 127.0.0.1:9002

# only the exit can read it
$ neo send --message "hello" --hops 2