Authenticated Encrypted Relay Network (AERN)
Controlled anonymity infrastructure with certificate-anchored trust and a symmetric multi-hop data plane
AERN is a complete relay-network architecture rather than a narrow tunneling primitive. It combines an isolated root trust anchor, a domain controller that distributes authenticated topology, a fully meshed proxy fabric, and client-established entry tunnels into a post-quantum anonymity system designed for environments that require both privacy and governance.
In the QRCS stack, AERN occupies the role of an authenticated anonymous relay network and transport layer. Its replacement value is defined against both open-participation anonymity overlays and enterprise VPN systems: the protocol replaces implicit trust with certificates, variable packet structure with fixed-size ciphertexts, and static tunnel behavior with per-packet route randomization under a formally analyzed security model.
The root server signs the certificate chain, the domain controller distributes authenticated topology, and every active relay is a known, authenticated participant.
Entry and exit proxies remain session anchors while interior hops are sampled anew for each packet from the shared topology view.
Each relay packet carries a 54-byte authenticated header and a 1446-byte encrypted payload region to suppress size-based traffic leakage.
Asymmetric operations are concentrated in registration and tunnel establishment; operational forwarding proceeds through pre-initialized symmetric tunnel state.
Executive Summary
The strategic and acquisition-oriented summary of AERN, positioned within the broader QRCS transport and infrastructure stack.
Open Executive SummaryFormal Analysis
Game-based security treatment covering mutual authentication, key indistinguishability, replay resistance, tunnel confidentiality, unlinkability, and systemic trust compromise.
Open Formal AnalysisTechnical Specification
Engineering-level description of device roles, certificate structures, route maps, relay packets, key establishment, topology synchronization, and packet traversal.
Open Technical SpecificationAERN is a replacement-class architecture, not an incremental protocol variant
The protocol was designed in direct response to three recurring failure modes in classical anonymity systems: reliance on classical cryptographic assumptions, acceptance of untrusted or unverifiable relay participants, and traffic structures that preserve enough regularity to support path correlation and metadata analysis.
Why the model is materially different
AERN replaces open relay participation with a certificate hierarchy, pushes expensive asymmetric operations to the control plane, and shifts operational forwarding into a symmetric encrypted mesh. The result is a system that is more suitable for sovereign, regulated, or enterprise-operated deployments than either volunteer anonymity overlays or conventional VPNs.
| Dimension | Legacy Systems | AERN |
|---|---|---|
| Trust model | Open or implicit participation | Certificate-anchored membership |
| Cryptographic base | Classical | Post-quantum key establishment and signatures |
| Routing behavior | Circuit-based / comparatively stable | Per-packet randomized route construction |
| Packet structure | Variable | Fixed-size relay packets |
| Metadata retention | Partial | Designed to avoid persistent flow metadata beyond active state |
High-level technical rationale
The design begins from the proposition that traffic analysis is a primary threat, not a secondary concern. The cryptographic and routing layers therefore work together: fixed packet sizes suppress a major side channel, independently resampled interior routes disrupt stable path signatures, authenticated headers prevent metadata tampering, and ephemeral KEM exchanges ensure that long-term certificate compromise does not retroactively reveal past tunnel payloads.
- Authenticated topology prevents adversarial insertion of arbitrary relay nodes.
- Symmetric relay processing allows longer paths without the repeated asymmetric overhead of classical onion systems.
- Centralized trust is constrained structurally: ARS signs, ADC distributes, APS relays, clients attach and consume the topology view.
From an acquisition standpoint, AERN is best understood as a controlled anonymity infrastructure that can be formally documented, independently audited, and operationally governed as private sovereign transport, rather than as an open, community-driven overlay. It is designed to operate within defined trust boundaries, where node participation, routing behavior, and cryptographic controls are explicitly managed.
This framing positions AERN as infrastructure rather than experimentation. As a result, AERN aligns with enterprise security models and regulatory expectations, distinguishing it from public anonymity networks that depend on uncontrolled participation and emergent behavior.
Four coordinated entities define the trust and relay fabric
The specification organizes AERN around a root trust anchor, a topology authority, a fully meshed proxy network, and authenticated client devices. These roles are not interchangeable; each exists to constrain a distinct attack surface.
ARS
AERN Root Security is the isolated signing authority. It generates the root signing key pair, signs device certificates directly or via ADC proxy signing, and functions as the network trust anchor.
| Role | Certificate authority and policy root |
|---|---|
| Model | Deliberately isolated; minimal message surface |
ADC
AERN Domain Controller maintains the canonical topology, validates certificates against the root, distributes updates, forwards signing requests, and coordinates revocation and convergence behavior.
| Role | Topology distribution and administrative control |
|---|---|
| State | Authenticated topology and certificate lists |
APS
AERN Proxy Servers form the relay mesh. Each APS registers with ADC, caches certified topology data, exchanges certificates with peers, and establishes a symmetric bidirectional tunnel state with every required remote proxy.
| Role | Entry, forwarding, and exit relay functions |
|---|---|
| Mode | Symmetric per-hop encryption and forwarding |
ACD
AERN Client Devices register with the domain, obtain the proxy topology list, select an entry node at random, and establish an encrypted tunnel into the relay fabric for client-to-server or client-to-client communication.
| Role | Network ingress and session initiation |
|---|---|
| Trust | Root certificate, signed device certificate, cached proxy data |
Certificate-bound handshake, SHAKE-based expansion, and per-hop AEAD processing
The protocol uses post-quantum KEM and signature primitives for identity authentication and tunnel establishment, then transitions into a symmetric forwarding model built on RCS and KMAC. This asymmetry concentration is central to AERN’s performance profile.
Handshake abstraction
The formal model treats the client-to-proxy setup as a compact, certificate-authenticated KEM exchange. Both sides verify signed metadata and derive the same tunnel keys from the KEM shared secret under a context-bound SHAKE expansion.
C → P : (CσC, c, nonceC, tC, HσCS)
P : verify(CσC), ss ← Decaps(c, kem.skP)
(Kenc, Kmac) ← KDF(ss, context)
P → C : (CσP, nonceP, tP, HσCS)
C : verify(CσP), derive (Kenc, Kmac)
Primitive and state inventory
| KEM layer | ML-KEM by default in the formal model, with specification allowance for aggressive post-quantum profiles such as ML-KEM-1024 and alternative code-based sets. |
|---|---|
| Signature layer | ML-DSA or SPHINCS+-class signing profiles for certificates and authenticated control messages. |
| KDF | SHAKE-based deterministic expansion of the shared secret into directional tunnel keys and nonces. |
| Data-plane cipher | RCS authenticated stream cipher with KMAC-protected metadata and payload authentication. |
| Replay controls | Authenticated sequence numbers and UTC timestamp freshness bounds in both control and tunnel processing. |
Full-mesh proxy synchronization and deterministic topology indexing
After registration, each proxy synchronizes with the domain topology, exchanges certificates with peers, and establishes symmetric tunnel state with every required relay partner. The topology is ordered by ascending serial number, which makes route hints locally resolvable across every synchronized proxy.
Topology and connection state
| Structure | Purpose |
|---|---|
| Topological node | IP address, certificate hash, issuer, serial, expiration, and designation for authenticated device lookup. |
| Topological list | Serialized, hashed node set distributed by ADC and cached identically across synchronized proxies. |
| Connection state | Target socket, receive and transmit cipher state, sequence counters, instance identifiers, and send-interface counters. |
| Route hint | 16-bit index into the common proxy list; used to fetch the next node and corresponding cipher instance. |
Why the full mesh matters
Proxy-to-proxy tunnel state is pre-established rather than negotiated inside each client flow. That means the active forwarding path does not repeatedly incur asymmetric cost; packets move through already initialized send and receive cipher interfaces. The specification’s connection-state footprint places each RCS state at approximately two kilobytes, which permits high fan-out proxy peering on commodity server memory budgets.
This architecture allows AERN to support longer randomized paths than traditional onion systems without the same latency penalty. Packet forwarding is reduced to authenticated symmetric processing and indexed next-hop resolution. The result is a transport layer that maintains consistent throughput characteristics even as path depth and network scale increase. It also simplifies scaling strategies, since additional proxies increase capacity without introducing proportional setup overhead. Latency remains stable under increasing network complexity and routing depth.
Per-packet interior route diversity combined with a fixed relay packet format
AERN fixes both the packet envelope and the path-generation semantics. The session entry and exit proxies remain stable anchors, while interior hops are resampled from the certified topology on a packet-by-packet basis.
Route generation semantics
h ∈ {hmin, …, hmax}
Route = (P1, P2, …, Ph-1, Ph)
P1 = fixed entry proxy per session
Ph = fixed exit proxy after first outbound route
(P2, …, Ph-1) = uniformly sampled interior proxies
subject to non-consecutive repetition constraints
The specification sets the minimum path length at three hops and the default maximum at sixteen hops, with a recommendation not to lower the maximum below eight when stronger timing obfuscation is desired.
This parameterization reflects a deliberate balance between latency tolerance and anonymity strength, allowing deployments to tune path depth according to operational requirements while maintaining a consistent baseline of traffic obfuscation.
Relay packet envelope
| Field | Size | Function |
|---|---|---|
| Packet flag | 1 byte | Message class, exchange stage, or error signaling |
| Packet sequence | 8 bytes | Ordering and replay control |
| Fragment sequence | 4 bytes | Fragment tracking for payloads exceeding one relay packet |
| Route map | 33 bytes | Indexed next-hop hints and route position |
| Timestamp | 8 bytes | Freshness validation |
| Payload | 1446 bytes | Encrypted packet body |
Formal treatment covers authentication, secrecy, replay resistance, and unlinkability
The formal analysis models a quantum-capable adversary with global visibility, adaptive interference, and partial compromise powers. The protocol goals are expressed as explicit security games rather than informal claims.
Security properties proved or reduced in the formal model
- Mutual authentication reduces to certificate validation and EUF-CMA security of the signature scheme.
- Key indistinguishability reduces to the IND-CCA2 security of the underlying post-quantum KEM.
- Weak forward secrecy and post-compromise security follow from fresh KEM exchanges and erasure of ephemeral material after use.
- Tunnel confidentiality and integrity are modeled under RCS pseudo-randomness and KMAC integrity assumptions.
- Replay resistance is enforced by authenticated sequence numbers and timestamp-window validation.
Anonymity and systemic-trust analysis
The anonymity game captures client-destination unlinkability under partial relay compromise. The formal paper derives a k-anonymity-style bound in which adversarial distinguishing power scales with compromised relay share, while fixed packet sizes, per-packet route diversity, and authenticated metadata constrain correlation channels.
The systemic model also examines ARS and ADC failure. Root compromise enables future certificate forgery, but does not retroactively recover past tunnel keys once ephemeral state has been erased; domain-controller compromise can manipulate routing view, but does not directly break authenticated encryption on active or completed tunnels.
Symmetric forwarding as primary performance lever
AERN is designed for continuous operation across heterogeneous and potentially adversarial network environments, where nodes may join, leave, or become unavailable without notice. The protocol assumes an untrusted transport layer and therefore maintains confidentiality, integrity, and routing privacy independent of the underlying network. Proxies operate as autonomous relay nodes, maintaining symmetric tunnel relationships with peers while participating in a topology that is periodically refreshed through epoch-based coordination. Each epoch introduces a new network view, including updated relay sets and routing identifiers, ensuring that long-lived associations cannot be trivially correlated over time.
Traffic patterns are intentionally shaped to resist analysis. Nodes generate controlled background traffic, including empty or indistinguishable packets, to maintain a consistent observable profile regardless of actual payload transmission. Message timing, ordering, and forwarding behavior are governed by local policies that incorporate jitter and queueing strategies, reducing the reliability of timing-based inference. Session state is bounded by epoch duration, with rekeying enforced at defined intervals to limit the exposure of any single key set. This operational model supports deployment in environments requiring high availability and resistance to passive and active surveillance, while remaining compatible with deterministic execution and auditable behavior at the implementation level.
Deployment fit
AERN is particularly well aligned with environments where transport privacy must coexist with documented governance: sovereign communications networks, defense and intelligence infrastructure, regulated enterprise backbones, financial or healthcare exchange layers, and protected collaboration domains.
| Role in stack | Foundational anonymous transport substrate |
|---|---|
| Primary buyers | Government, defense, enterprise infrastructure providers, regulated industries |
| Replacement case | Open anonymity systems and legacy enterprise tunneling architectures |