NAKPAK

Nested Anonymous Kernel for Private Authenticated Komms

Post-quantum onion routing for anonymous communication across the YAKMESH network. Rope bridges connecting mountain peaks.

v2.8.2

Overview

NAKPAK provides anonymous routing through the YAKMESH network. Messages are wrapped in multiple layers of encryption, with each relay node only knowing the previous and next hop. Unlike traditional onion routing, NAKPAK uses post-quantum cryptography (ML-KEM768) for key encapsulation.

Key Features

  • Post-Quantum - ML-KEM768 (Kyber) for key encapsulation
  • Layered Encryption - Each hop peels one encryption layer
  • Source Anonymity - Relays don't know the original sender
  • Destination Privacy - Only the final relay knows the destination
  • Replay Protection - Unique circuit IDs prevent replay attacks

How It Works

┌────────────────────────────────────────────────────────────┐
│                   NAKPAK Onion Routing                     │
├────────────────────────────────────────────────────────────┤
│                                                            │
│   Sender                                                   │
│      │                                                     │
│      │  Encrypt(L3(Encrypt(L2(Encrypt(L1(msg))))))         │
│      │                                                     │
│      ▼                                                     │
│   ┌───────┐    ┌───────┐    ┌───────┐    ┌───────┐        │
│   │Relay 1│ ─► │Relay 2│ ─► │Relay 3│ ─► │ Dest  │        │
│   │Decrypt│    │Decrypt│    │Decrypt│    │Receive│        │
│   │Layer 3│    │Layer 2│    │Layer 1│    │  msg  │        │
│   └───────┘    └───────┘    └───────┘    └───────┘        │
│                                                            │
│   Each relay only knows: previous hop + next hop           │
│   No relay knows both sender AND destination               │
│                                                            │
└────────────────────────────────────────────────────────────┘

Circuit Construction

NAKPAK builds circuits through 3+ relay nodes:

  1. Path Selection - Choose relay nodes from the SHERPA peer registry
  2. Key Exchange - ML-KEM768 encapsulation with each relay
  3. Layer Building - Encrypt message for each hop (innermost to outermost)
  4. Transmission - Send through circuit, each relay decrypts one layer
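
The layer-building and per-relay decryption steps above, sketched as an added example (not NAKPAK's own code or wire format). Random 32-byte keys stand in for the ML-KEM768 shared secrets; AES-256-GCM, the 16-byte next-hop field, the relay ids and all function names are assumptions.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');
// Constructed stand-in: random 32-byte keys where NAKPAK would use ML-KEM768 shared secrets.
const makeCircuit = (ids) => ids.map((id) => ({ id, key: randomBytes(32) }));

// AES-256-GCM (assumed AEAD). Layer layout: iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) { // throws on a wrong key or a modified layer
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Innermost to outermost: the last relay's layer is built first and names the destination.
function buildOnion(circuit, destination, message) {
  let payload = Buffer.from(message);
  let next = destination;
  for (let i = circuit.length - 1; i >= 0; i--) {
    const header = Buffer.from(next.padEnd(16, '\0')); // assumed 16-byte next-hop field
    payload = seal(circuit[i].key, Buffer.concat([header, payload]));
    next = circuit[i].id;
  }
  return payload; // handed to circuit[0], the first relay
}

// One relay's view: strip its own layer, learn the next hop and nothing else.
function peel(relay, blob) {
  const inner = unseal(relay.key, blob);
  const next = inner.subarray(0, 16).toString().replace(/\0+$/, '');
  return { next, payload: inner.subarray(16) };
}

// Pass the onion through every relay in order, recording what each one learns.
function route(circuit, onion) {
  const seen = [];
  let blob = onion;
  for (const relay of circuit) {
    const { next, payload } = peel(relay, blob);
    seen.push({ relay: relay.id, next, bytesIn: blob.length });
    blob = payload;
  }
  return { seen, delivered: blob.toString() };
}

const demoCircuit = makeCircuit(['relay-1', 'relay-2', 'relay-3']); // constructed relay ids
console.log(route(demoCircuit, buildOnion(demoCircuit, 'targetNodeId', 'hello')));
```

In this sketch each relay receives a blob 44 bytes shorter than the one before it (`bytesIn`), so size alone reveals a relay's position in the circuit; the fixed-size padding listed under Security Considerations is what addresses that.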

Usage

// Access NAKPAK from your node
const nakpak = node.nakpak;

// Build a circuit to a destination
const circuit = await nakpak.buildCircuit({
  destination: 'targetNodeId',
  hops: 3,  // Number of relay hops (default: 3)
});

// Send anonymous message through circuit
await nakpak.send(circuit.id, {
  type: 'private-message',
  content: 'This message is anonymous!'
});

// Receive anonymous messages
nakpak.onMessage((envelope) => {
  // Note: envelope.from is the circuit ID, not the sender
  console.log('Anonymous message:', envelope.payload);
});

// Close circuit when done
await nakpak.closeCircuit(circuit.id);

Configuration

// yakmesh.config.js
export default {
  nakpak: {
    enabled: true,
    
    // Default circuit settings
    defaultHops: 3,
    maxHops: 5,
    
    // Circuit lifetime
    circuitTimeout: 600000,  // 10 minutes
    
    // Acting as relay
    allowRelay: true,
    maxRelayCircuits: 100,
  }
};

Security Considerations

Important Notes

  • Timing Attacks - Random delays are added to prevent correlation
  • Traffic Analysis - Messages are padded to fixed sizes
  • Exit Node - The final relay knows the destination (but not the source)
  • Circuit Lifetime - Circuits should be rotated periodically
  • YPC-27 Checksums - Quantum-hard checksums protect packet integrity during routing.

Comparison with Tor

Feature         NAKPAK                    Tor
Key Exchange    ML-KEM768 (PQ)            Curve25519
Quantum Safe
Relay Network   YAKMESH mesh              Volunteer relays
Discovery       SHERPA (decentralized)    Directory authorities
Protocol        WebSocket                 Custom TCP

Use Cases

Etymology

"NAKPAK - like a backpack that carries your secrets through the mountains. What's inside is known only to you."

Nested Anonymous Kernel for Private Authenticated Komms