Post-quantum anonymous overlay network. 3-hop onion routing with ML-KEM-768 + X25519 hybrid key exchange at every hop, ML-DSA-65 directory consensus, and Falcon-512 hidden-service addresses. Six pluggable transports. No OpenSSL. No liboqs. No compromises.
~55,000 lines of C core plus ~21,000 lines of vendored PQClean reference code. Minimal runtime deps: libsodium, libevent, zlib, pthreads. PQ primitives built in-tree — no OpenSSL, no GnuTLS, no liboqs.
NIST FIPS 203 (formerly Kyber768, Level 3). Hybrid X25519 + ML-KEM-768 key exchange at link layer and at every circuit hop. Sequential-AND: both halves must succeed.
Post-Quantum
NIST FIPS 204 (formerly Dilithium3). Directory authorities co-sign the network consensus with Ed25519 + ML-DSA-65. Threshold signing; no single-DA compromise.
Post-Quantum
NIST FN-DSA. Hidden-service descriptors dual-signed Ed25519 + Falcon-512. The .moor address commits to both the PQ KEM key and the Falcon key — no post-quantum identity forgery.
Any TCP service exposed as a .moor address. 6-hop rendezvous circuits with vanguards. Any protocol: SSH, HTTP, IRC, databases, SMTP.
2-server XOR-PIR and DPF-PIR descriptor lookups. The directory relay cannot learn which .moor address a client is resolving. On by default.
ShitStorm (Chrome JA4), Nether (Minecraft), Mirage (TLS 1.3), Shade (Elligator2), Scramble (HTTP), Speakeasy (SSH). Make MOOR look like anything else.
Censorship Resistance
Per-circuit randomized adaptive padding. Fixed 514-byte cells. FRONT burst-cover padding. Constant-rate cover floor. Defeats website-fingerprinting.
Traffic Analysis
Prop 324/329 per-circuit CC with authenticated SENDMEs (Prop 289). EWMA circuit scheduling. 128 pre-built circuits per client.
Performance
Kernel-informed packet scheduling. RTT-adaptive tick interval. TCP_INFO write budgets. Congestion-aware EWMA boost. MOOR's KIST.
Performance
1-RTT authenticated link handshake with mandatory PQ hybrid upgrade. Forward-secret. Sequential-AND verification — no classical-only fallback.
Post-Quantum
Memory-hard proof-of-work admission control. 256 KB per hash. Epoch-bound salt. Defends HS intro points and relay admission against DoS.
DoS Protection
L2 vanguards rotate every 24h, L3 every 1h. Prevents guard-discovery attacks on hidden services. Prop 271 guard pinning at ≥20 relays.
Privacy
Aggregate bandwidth across multiple circuit legs. EWMA-weighted scheduling with latency-aware path selection.
Performance
Linux syscall filtering. no_new_privs enforced. Relay and client processes drop privileges after startup. mlockall for key material.
Statistical tracking of guard circuit success. Detects guards that selectively fail circuits to bias path re-selection.
Security
Country and AS-level exclusion prevents all-same-jurisdiction circuits. 370K+ IPv4 rows, 100K+ IPv6 rows. Enforced at path selection.
Privacy
Distributed hidden-service load balancing across multiple backends. Transparent to clients. Scale HS throughput horizontally.
Performance
Every build stamps the git commit into the binary. Directory authorities reject descriptors with a different build-ID. Fleet upgrades in lockstep — no silent version drift.
Security
Every client connection traverses guard, middle, and exit relays. Each hop adds a fresh layer of hybrid encryption. Hidden-service circuits add 3 vanguard-protected hops for 6 total — no single relay ever sees both endpoints.
1-RTT authenticated link handshake with mandatory PQ hybrid upgrade. Sequential-AND verification. 532-byte wire frames. No downgrade path.
Layered onion encryption, fresh hybrid key material per hop. Fixed 514-byte cells. BLAKE2b running digest authentication.
Hidden-service rendezvous. PQ-sealed introduction cells. Client and HS derive e2e keys no relay ever sees. Any TCP protocol.
Dual-signed HS descriptors. Blinded keys rotate per time period. DPF-PIR lookup. Signed revision counters defeat replay attacks.
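The 2-server XOR-PIR descriptor lookup named in the feature list, sketched as an added example (not MOOR's code): the classic two-replica scheme in which each replica receives one random-looking selector share and the client XORs the two answers. Database size, record length, and all function names are assumptions; the privacy claim holds only while the two replicas do not collude.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define N_RECORDS 8                      /* constructed toy directory size */
#define REC_LEN   16                     /* constructed descriptor length  */
#define MASK_LEN  ((N_RECORDS + 7) / 8)  /* one selector bit per record    */

/* Client: split the one-hot selector for `index` into two shares. `rnd` must
 * be MASK_LEN fresh CSPRNG bytes per lookup; each share alone is then
 * uniformly random and says nothing about `index`. */
static void pir_query(size_t index, const uint8_t *rnd, uint8_t *q_a, uint8_t *q_b)
{
    memcpy(q_a, rnd, MASK_LEN);
    memcpy(q_b, rnd, MASK_LEN);
    q_b[index / 8] ^= (uint8_t)(1u << (index % 8));
}

/* Server: XOR together every record whose selector bit is set. */
static void pir_answer(const uint8_t *db, const uint8_t *mask, uint8_t *out)
{
    memset(out, 0, REC_LEN);
    for (size_t i = 0; i < N_RECORDS; i++)
        if ((mask[i / 8] >> (i % 8)) & 1)
            for (size_t j = 0; j < REC_LEN; j++)
                out[j] ^= db[i * REC_LEN + j];
}

/* Round trip against two replicas; -1 on a bad index, else 0. No integrity:
 * the caller still verifies the descriptor signature on the result. */
static int pir_lookup(const uint8_t *db_a, const uint8_t *db_b, size_t index,
                      const uint8_t *rnd, uint8_t *out)
{
    uint8_t q_a[MASK_LEN], q_b[MASK_LEN], r_a[REC_LEN], r_b[REC_LEN];
    if (index >= N_RECORDS) return -1;
    pir_query(index, rnd, q_a, q_b);
    pir_answer(db_a, q_a, r_a);          /* replica A sees only q_a */
    pir_answer(db_b, q_b, r_b);          /* replica B sees only q_b */
    for (size_t j = 0; j < REC_LEN; j++) out[j] = r_a[j] ^ r_b[j];
    return 0;
}

int main(void)
{
    uint8_t db[N_RECORDS * REC_LEN], out[REC_LEN];
    const uint8_t rnd[MASK_LEN] = { 0xA7 };  /* constructed; use a CSPRNG */
    for (size_t i = 0; i < sizeof db; i++) db[i] = (uint8_t)(i * 37 + 11);
    return pir_lookup(db, db, 5, rnd, out) || memcmp(out, db + 5 * REC_LEN, REC_LEN);
}
```

The selector is one bit per record, so query size grows linearly with the directory; DPF-PIR, also listed above, exists to compress that share.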
A .moor address binds three keys into a single human-shareable string. It cannot be spoofed by a classical attacker and cannot be spoofed by a quantum attacker. The address IS the verification.
Classical identity. Cheap to verify, used for the outer descriptor signature. Half of a sequential-AND check.
16-byte commitment to ML-KEM-768 pubkey (1184 B) concatenated with Falcon-512 pubkey (897 B). The address proves the PQ material.
Base32-encoded footer covering checksum bytes and the version marker. Mistyped addresses fail fast — no silent mis-route.
When plain encryption isn't enough, make MOOR traffic look like something else entirely. All six transports ship in-tree and are selectable with a single flag.
Chrome 131+ JA4 fingerprint (X25519MLKEM768 keyshare). Elligator2 key-hiding. ECH GREASE. HTTP/2 framing. Key rotation every 65K records.
Minecraft 1.21.4 protocol camouflage. Real handshake, login sequence, plugin-channel framing. DPI sees Minecraft gameplay.
TLS 1.3 framing with operator-configurable SNI. Looks like a connection to any domain you choose.
Elligator2 point obfuscation with inter-arrival time modes. Wire bytes are indistinguishable from uniform random.
ASCII HTTP prefix + ChaCha20 stream cipher. Passes casual DPI inspection as regular web traffic.
SSH protocol camouflage with real banner exchange. Looks like an SSH session to any passive observer.
One command to install. One command to run.
Detects your distro, installs build deps, builds from source, and starts a client (or relay with -s -- --role).
Supports Debian/Ubuntu (apt), Fedora (dnf), Arch (pacman), and Alpine (apk). If system libsodium < 1.0.18, the script builds 1.0.20 from source.
Three libraries, a C compiler, and make. PQ primitives are vendored from PQClean — nothing to download separately.
Hardening is automatic: -fstack-protector-strong, FORTIFY_SOURCE=2, -fPIE -pie, full RELRO. Every build stamps the git commit as a fleet-gate build ID.
Source only. Build it yourself. Verify it yourself.
"Privacy is not a privilege granted by the powerful.
It is a right exercised by the free."