L0: Transport Layer

Evade rather than encrypt.

The L0 Transport layer provides censorship-resistant communication that hides in plain sight.

Core Components

LWF: Libertaria Wire Frame

A lightweight binary protocol optimized for minimal overhead.

Frame Structure:

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Version   |   Frame Type  |          Flags                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Session ID (64 bits)                                |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Sequence Number (32 bits)                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Timestamp (64 bits, nanosecond precision)           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           Payload Length (16 bits)                            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                         Payload                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           MAC (128 bits, XChaCha20-Poly1305)                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Key Properties: - Fixed 72-byte header: Predictable parsing, cache-friendly - 1350 byte MTU: Fits in single Ethernet frame with overhead - XChaCha20-Poly1305: Modern AEAD encryption - Nanosecond timestamps: Sovereign time synchronization

MIMIC Skins: Protocol Camouflage

MIMIC makes sovereign traffic look like regular internet traffic.

Available Skins

Skin	Appearance	Detection Risk	Use Case
`MIMIC_HTTPS`	TLS 1.3 + WebSocket	Low	General use
`MIMIC_DNS`	DNS-over-HTTPS	Very Low	Restricted networks
`MIMIC_QUIC`	HTTP/3	Low	Modern firewalls
`STEGO_IMAGE`	JPEG/PNG	Minimal	Total lockdown

MIMIC_HTTPS Flow

Client                           Server
  |                                 |
  |------ TLS 1.3 Handshake ------>|
  |<----- Encrypted Extensions -----|
  |
  |---- WebSocket Upgrade (HTTP) -->|
  |<---- 101 Switching Protocols ---|
  |
  |====== LWF Frames (encrypted) ==|
  |                                 |

Polymorphic Noise Generator (PNG)

Even encrypted traffic has patterns. PNG masks these:

Per-Session:
  - Traffic shaping profile (Netflix, YouTube, generic)
  - Epoch rotation (100-1000 packets)
  - Deterministic padding (both peers derive same pattern)

Noise Protocol Framework

We use the Noise Protocol Framework for cryptographic handshakes.

Patterns Used

Pattern	Use Case	Properties
`Noise_XX`	Mutual authentication	Both parties authenticate
`Noise_IK`	0-RTT resumption	Fast reconnection
`Noise_NN`	Ephemeral only	Plausible deniability

PQXDH: Post-Quantum Extension

Hybrid handshake combining X25519 + ML-KEM-768:

Ceremony (4 ECDH + 1 KEM → 5 shared secrets):
1. Alice generates ephemeral X25519 keypair
2. Alice encapsulates to Bob's ML-KEM-768 public key
3. 4 X25519 ECDH operations
4. 1 ML-KEM-768 encapsulation
5. HKDF-SHA256 derives root key from 5 secrets

Kenya Compliance: <20ms handshake on ARM Cortex-A53

UTCP: Unreliable Transport

UDP-based overlay with reliability semantics:

Features:
- Packet fragmentation/reassembly
- Forward error correction (optional)
- Out-of-order delivery handling
- Congestion control (BBR-inspired)

OPQ: Offline Packet Queue

Persistent queue for offline-first operation:

pub struct OfflinePacketQueue {
    wal: WriteAheadLog,       // Append-only durability
    retention: Duration,      // 72h default
    max_size: usize,          // Configurable limit
}

impl OfflinePacketQueue {
    fn enqueue(&mut self, packet: LwfFrame) {
        self.wal.append(packet);
        // Deliver when peer comes online
    }
}

Sovereign Time Protocol

Nanosecond-precision time without centralized servers:

Mechanism:
1. Each node maintains local clock (hardware or NTP-synced)
2. Peers exchange timestamp samples
3. Apply Marzullo's algorithm for Byzantine fault tolerance
4. Derive confidence intervals, not absolute time

See RFC-0105 for full specification.

Implementation

Component	Location	Status
LWF Codec	`core/l0-transport/lwf.zig`	✅ Stable
MIMIC Skins	`core/l0-transport/mimic/`	✅ Stable
Noise Integration	`core/l0-transport/noise.zig`	✅ Stable
OPQ	`core/l0-transport/opq.zig`	✅ Stable
Sovereign Time	`core/l0-transport/time.zig`	✅ Stable