GitHub - xilioscient/troskji: Post-quantum multi-path tunnel — Hybrid KEM (X25519+Kyber-1024) · Shamir 3-of-5 SSS · BLAKE3 · XDP/eBPF cover traffic · Rust

Labyrinth-Mesh

Post-quantum resilient multi-path tunnel — Hybrid KEM (X25519 + Kyber-1024) · BLAKE3 auth · Shamir 3-of-5 SSS · XDP/eBPF cover traffic · Dilithium3 identity

What it does

Labyrinth-Mesh takes any payload, splits it into 5 shares using Shamir Secret Sharing over GF(2⁸), authenticates each share with BLAKE3, negotiates the session key via Hybrid KEM (X25519 + Kyber-1024 combined), and dispatches shares over N separate UDP paths with variable jitter and independent per-share timing. The receiver needs only 3 of the 5 shares to reconstruct the original plaintext.

The session key combines X25519 and Kyber-1024 — secure against both classical and quantum adversaries. Replay protection uses a 128-bit sliding window that tolerates out-of-order UDP delivery. Each share is sent from a dedicated socket with a random delay to resist timing correlation attacks.

An optional CBR engine (XDP/eBPF, Linux ≥ 5.15) holds the bitrate constant regardless of whether real traffic is being sent.

Quickstart (3 terminals)

# T1 — receiver
labyrinth recv --ctrl 0.0.0.0:8199 --udp 0.0.0.0:8200 --mgmt 0.0.0.0:9090

# T2 — live TUI
labyrinth-tui --mgmt 127.0.0.1:9090

# T3 — sender (Ctrl+D to close)
labyrinth send --to 127.0.0.1:8199

With Docker:

./quickstart.sh          # build + start, GUI at http://localhost:8080
./quickstart.sh --stop   # stop all containers

Binaries

Binary	Description
`labyrinth`	CLI: `send` `recv` `status` `setup`
`labyrinth-tui`	Ratatui TUI dashboard, 500ms polling
`labyrinth-server`	Standalone management plane
`labyrinth_mesh`	Legacy binary configured via env vars
`dashboard`	Legacy TUI

CLI — `labyrinth`

`labyrinth send`

--to <addr>        Receiver ctrl address (hybrid KEM)  [default: 127.0.0.1:8199]
--file, -f <path>  File to send (default: stdin)
--remotes <list>   Comma-separated UDP destinations  [default: 127.0.0.1:8200]
--receiver-key     Dilithium3 fingerprint of receiver (TOFU if omitted)
--jitter-min <ms>  Minimum inter-batch jitter  [default: 200]
--jitter-max <ms>  Maximum inter-batch jitter  [default: 1200]
--stagger <ms>     Max per-share random delay (parallel send)  [default: 5]
--mgmt <addr>      Start management plane on this address

Examples:

labyrinth send --to 192.168.1.10:8199 --file secret.pdf
labyrinth send --to 192.168.1.10:8199 --remotes 192.168.1.10:8200,192.168.1.11:8200
echo "hello" | labyrinth send --to 127.0.0.1:8199

`labyrinth recv`

--ctrl <addr>        TCP listen for KEM key exchange  [default: 0.0.0.0:8199]
--udp <addr>         UDP listen  [default: 0.0.0.0:8200]
--output, -o <path>  Output file (default: stdout)
--sign               Generate Dilithium3 keypair and print fingerprint
--mgmt <addr>        Start management plane on this address

Examples:

labyrinth recv --output /tmp/received.pdf --mgmt 0.0.0.0:9090
labyrinth recv --sign   # prints fingerprint for --receiver-key on sender side

`labyrinth status`

labyrinth status
labyrinth status --mgmt 10.0.0.5:9090 --format json

`labyrinth setup`

labyrinth setup    # interactive wizard

TUI — `labyrinth-tui`

labyrinth-tui --mgmt 127.0.0.1:9090

Key	Action
`q` / `Ctrl+C`	Quit
`p`	Pause / resume polling
`f`	Failover popup (show paths)
`0`–`9`	Toggle path in popup
`Esc`	Close popup
`r`	Reset local delta counters

Web GUI

The SvelteKit GUI is available via Docker at http://localhost:8080. Shows live metrics via SSE, process logs and per-path controls (pause/resume). Supports Bearer token authentication for the management plane.

Management Plane HTTP API

Endpoint	Method	Description
`/health`	GET	`{"status":"ok"/"degraded"/"critical", ...}`
`/metrics`	GET	Session, fragment, ratchet, replay counters
`/metrics/paths`	GET	Per-path bytes/packets array
`/metrics/stream`	GET	SSE JSON stream every 1s
`/metrics/rtt/p95`	GET	RTT 95th percentile
`/logs`	GET	Last 500 process log entries
`/path/{idx}/activate`	POST	Reactivate path idx
`/path/{idx}/deactivate`	POST	Deactivate path idx

curl 127.0.0.1:9090/health
curl 127.0.0.1:9090/metrics
curl -H "Authorization: Bearer TOKEN" 127.0.0.1:9090/metrics/stream
curl -X POST 127.0.0.1:9090/path/1/deactivate

Security Stack

Payload
  │
  ▼
GF(2⁸) Shamir SSS        n=5 shares, k=3 threshold — each byte is a point on a degree-2 polynomial
  │
  ▼
Hybrid KEM                X25519 (classical) + Kyber-1024 (post-quantum) combined
  │                        key = BLAKE3-derive(kyber_ss ‖ x25519_ss)
  │  + BLAKE3 auth tag    8 bytes per fragment, constant-time verification
  │  + Key ratchet        key rotation every 10,000 packets via BLAKE3-KDF
  │  + Replay window      128-bit bitmap: tolerates UDP out-of-order delivery
  │  + Dilithium3         optional sender identity (post-quantum signature)
  ▼
UDP multi-path            round-robin across paths, 200–1200ms jitter
  │  + parallel send      each share: dedicated socket + random delay
  ▼
XDP/eBPF cover traffic    constant bitrate (optional, Linux ≥ 5.15)

Threat model: protects against on-path DPI, temporal traffic analysis (with CBR enabled), inter-share timing correlation, replay attacks, and adversaries with quantum computers. Does not protect against physical access to the host.

Build

cargo build --workspace                   # debug
cargo build --release --workspace         # release (LTO + codegen-units=1)
cargo test -p labyrinth-core --lib        # unit tests

Key dependencies:

pqcrypto-kyber     = "0.7"   Kyber-1024 KEM (NIST PQC Level 5)
x25519-dalek       = "2"     X25519 ECDH (hybrid KEM)
pqcrypto-dilithium = "0.5"   Dilithium3 post-quantum signatures
blake3             = "1.5"   Auth tags + KDF + ratchet
sharks             = "0.5"   Shamir Secret Sharing
aes-gcm-siv        = "0.11"  Nonce-reuse resistant AEAD
aya                = "0.12"  eBPF userspace loader
axum               = "0.7"   Management plane HTTP
tokio              = "1"     Async runtime

Environment Variables

Variable	Default	Description
`LABYRINTH_MODE`	`send`	`send` or `recv` (legacy only)
`LABYRINTH_CTRL`	`0.0.0.0:8199`	TCP listen for KEM (receiver)
`LABYRINTH_RECV_CTRL`	`127.0.0.1:8199`	TCP connect for KEM (sender)
`LABYRINTH_UDP_LISTEN`	`0.0.0.0:8200`	UDP listen (receiver)
`LABYRINTH_REMOTES`	`127.0.0.1:8200`	UDP destinations, comma-separated
`LABYRINTH_JITTER_MIN_MS`	`200`	Minimum inter-batch jitter (ms)
`LABYRINTH_JITTER_MAX_MS`	`1200`	Maximum inter-batch jitter (ms)
`LABYRINTH_SHARE_STAGGER_MS`	`5`	Max per-share random delay (ms)
`LABYRINTH_CBR_ENABLED`	`false`	`1` → enable XDP cover traffic
`LABYRINTH_CBR_BPS`	`0` (= 2 Mbps)	CBR rate in bit/s
`DMPOT_MGMT_ADDR`	(off)	Start HTTP management plane
`LABYRINTH_BIND`	`0.0.0.0:9090`	`labyrinth-server` bind address

Repository Structure

labyrinth-core/        Core library
  src/
    v2/                Hybrid KEM, Shamir, BLAKE3, ratchet, replay window
    phase1/            GF(2⁸) arithmetic
    phase2/            Onion Kyber encryption
    phase3/            Protocol morphing engine (TLS1.3/QUIC/HTTP2)
    phase4/            XDP/eBPF + MultiPathController
    phase5/            Anti-debug, memory integrity
    management_plane/  Axum HTTP API + SSE
    metrics/           SharedMetrics, DashboardMetrics
    file_transfer/     FileSender / FileReceiver + BLAKE3 verify
    log_capture/       500-entry ring buffer

labyrinth-cli/         `labyrinth` CLI (clap subcommands)
labyrinth-tui/         `labyrinth-tui` TUI
labyrinth-server/      `labyrinth-server` standalone management plane

labyrinth-gui/         SvelteKit + TailwindCSS v4 web dashboard

docker-compose.yml     Backend + GUI via nginx
quickstart.sh          One-liner bootstrap

推荐订阅源

Hacker News: Show HN

Labyrinth-Mesh

What it does

Quickstart (3 terminals)

Binaries

CLI — `labyrinth`

`labyrinth send`

`labyrinth recv`

`labyrinth status`

`labyrinth setup`

TUI — `labyrinth-tui`

Web GUI

Management Plane HTTP API

Security Stack

Build

Environment Variables

Repository Structure

推荐订阅源

Hacker News: Show HN

Labyrinth-Mesh

What it does

Quickstart (3 terminals)

Binaries

CLI — labyrinth

labyrinth send

labyrinth recv

labyrinth status

labyrinth setup

TUI — labyrinth-tui

Web GUI

Management Plane HTTP API

Security Stack

Build

Environment Variables

Repository Structure

CLI — `labyrinth`

`labyrinth send`

`labyrinth recv`

`labyrinth status`

`labyrinth setup`

TUI — `labyrinth-tui`