I build cryptographic software, privacy-focused network services, and small systems tools with an emphasis on boring APIs, portable code, and implementations people can actually ship.
Most of my public work is cryptography engineering: authenticated encryption, secure protocols, language bindings, WebAssembly/WASI portability, encrypted DNS, standard-library implementations, and tools that make misuse harder. All these projects are maintained, some have been for 25+ years.
I also publish AI models and datasets on Hugging Face, and 3D models on Printables.
If this work is useful to you or your organization, sponsorship helps keep it maintained.
| Project | What it is |
|---|---|
libsodium |
A modern, portable, easy-to-use cryptography library used across many ecosystems. |
dnscrypt-proxy |
A flexible encrypted DNS proxy supporting DNSCrypt, DoH, ODoH, relays, and anonymized DNS. |
minisign |
A small tool for signing files and verifying signatures. |
dsvpn |
A deliberately simple VPN for people who want the smallest useful thing. |
piknik |
Copy and paste anything over the network with encryption built in. |
libhydrogen |
A compact cryptography library designed for constrained systems. |
libsodium.js |
libsodium compiled to WebAssembly and JavaScript with convenient wrappers. |
encrypted-dns-server |
A high-performance encrypted DNS server for DNSCrypt, DoH, and ODoH deployments. |
pure-ftpd |
A portable FTP server with a long security and operations history. |
libsodium,libsodium-doc,libsodium.js,libsodium-php,libsodium-rs,swift-sodium,libsodium-sys-stablelibhydrogen,rust-libhydrogen,rust-libhydrogen-syscharm,zig-charm,charm.jsrust-jwt-simple,rust-ed25519-compact,rust-ct-codecs,js-base64-ct
- AEGIS:
aegis-aead/libaegis,aegis-aead/aegis-bitsliced,aegis-aead/go-libaegis,aegis-aead/aegis-java,aegis-aead/aegis-jasmin,aegis-aead/openssl,aegis-aead/boringssl - AEGIS implementations and experiments:
rust-aegis,js-aegis-aead,pyaegis,aegis-X,aegis-vaes,aegis-mobile-benchmark - HiAE:
hiae-aead/libhiae,hiae-aead/zig-hiae,hiae-aead/go-hiae,hiae-aead/hiae.js,hiae-aead/draft-pham-hiae,hiae-aead/benchmarks,rust-hiae - Wide-block, format-preserving, and seekable encryption:
zig-hctr2,rust-hctr2,zig-alf,go-fast,c-fast,zig-fast,py-fast,js-fast,zig-utf8encrypt,logcrypt - Ciphers, MACs, hashes, and primitives:
go-aes,go-aes-siv,aes-kw,rust-aes-keywrap,rust-aes-wasm,libsodium-xchacha20-siv,blobcrypt,turbocrypt,encpipe,elimac,zig-lemac,zig-poly1163,rust-sthash,rust-xoodyak,zig-kangarootwelve,turboshake.js - Additional primitive implementations:
zig-ascon,zig-rocca-s,rust-rocca-s,zig-morus,rust-morus,zig-cymric,zig-aes-gem,zig-skinny,zig-lwbc32,rust-lwbc,zig-beanie,zig-butterknife,areion,zig-alzette,vistrutah,zig-vistrutah,simpira384,garoupe,forro,blabla,spritz
- Minisign and compatible tooling:
minisign,zig-minisign,rust-minisign,rust-minisign-verify,go-minisign,rsign2,minisign-verify-c - Signature schemes and signature-adjacent work:
rust-blind-rsa-signatures,zig-blind-rsa-signatures,c-blind-rsa-signatures,c-partially-blind-rsa-signatures,go-blindrsa,proxy-signatures,zig-eddsa-key-blinding,ed25519.py,rust-cpace,spake2-ee,c-sigma,rust-sigma-protcols - WebAssembly module signing:
wasm-signatures/wasmsign2,wasm-signatures/design,wasmsign,wasmsign2-rules
- IPCrypt standardization and reference code:
ipcrypt-std/draft-denis-ipcrypt,ipcrypt-std/ipcrypt2,ipcrypt-std/ipcrypt-std.github.io,ipcrypt-std/draft-denis-uricrypt - IPCrypt implementations:
c-ipcrypt,go-ipcrypt,zig-ipcrypt,rust-ipcrypt2,php-ipcrypt,ipcrypt-js,ipcrypt-java,ipcrypt-swift,ipcrypt-kotlin,ipcrypt-lua,ipcrypt-elixir,ipcrypt-ruby,ipcrypt.awk,ipcrypt-cobol,ipcrypt-zero - URI privacy:
zig-uricrypt,rust-uricrypt,uricrypt.js
jumpinjack,aes-torture,openssl-family-bench,malicious-rsa-public-keys,blacknurse,CVE-2025-65945-poc,react2shell-exploit- Protocol drafts and notes:
draft-denis-tls-aegis,draft-denis-xet
- DNSCrypt project:
dnscrypt-proxy,dnscrypt-protocol,dnscrypt-resolvers,dnscrypt-server-docker,dnscrypt-website,draft-denis-dns-stamps,encrypted-dns-server,doh-server - DNS and resolver tooling:
go-dnsstamps,rust-dnsstamps,vue-dnsstamp,EtchDNS,dnssector,rust-dnsclient,dnsblast,rpdns,massresolver,whatsmyresolver,ipgrep - Privacy and network applications:
dsvpn,twice,tigertunnel,piknik,pingbar,bitbar-dnscrypt-proxy-switcher,odoh-relay,go-hpke-compact,iptoasn-webservice,iptrap,ratelimit
- WASI cryptography:
wasm-crypto/wasi-crypto-bindings,wasm-crypto/wasi-crypto-host-functions,wasm-crypto/wasi-crypto-wasmtime,WASI-crypto,wasi-crypto-preview,wasmtime-crypto - Crypto and TLS in WebAssembly:
libsodium.js,wasm-crypto,rust-ed25519-wasm,rsa-wasm,rust-rsa-wasm,openssl-wasm,boringssl-wasm,ring-wasi,tinygo-wasi_rand,as-hmac-sha2 - Runtime tooling and experiments:
as-wasi,witx-codegen,rust-witx-docgen,rust-witx-indent,wasi-update,quickjs-wasi,wasmtime-static-analysis,was-not-wasm,wasmonkey,webassembly-benchmarks,libgmp-wasm,libclang_rt.builtins-wasm32.a
- Servers, storage, and command-line tools:
pure-ftpd,Pincaster,PureDB,sharedance,Blogbench,minicsv,simpleconf,dlog,go-clocksmith,rust-coarsetime,rust-privdrop,bloom-filter,rust-bloom-filter,hf-mount-encrypted - Fastly and edge tooling:
fastly.js,xvcl,zigly - Caches, sketches, hashes, and data structures:
rust-sieve-cache,go-sieve-cache,rust-hyperloglog,rust-count-min-sketch,rust-qptrie,rust-clockpro-cache,rust-arc-cache,rust-cart-cache,rust-jumphash,rust-polymur-hash,rust-slabigator,fpst - Zig, Rust, and Go utility libraries:
zig-xet,zig-ultracdc,zig-lz4,zig-base91,zig-bounded-array,zig-ctsort,zig-gimli,rust-benchmark-simple,rust-precision,rust-time-format,rust-uri-encode,rust-rawbytes,rust-framestream,rust-socket-priority,go-padme-padding,rust-padme-padding - Coding-agent and AI tooling:
Swival/swival,Swival/swival-commands,Swival/nbclaw,Swival/security-audits,Swival/calibra,Swival/skillscheck,Swival/vscode-agent-skill-lint,Swival/homebrew-tap,Swival/ds4-m5,insightlayer,inferswitch,zig-for-mcp
Additional public repositories updated since 2021
rust-siphash,siphash-js,siphash-erlang,siphash-php,untrinsics,rust-softaes,zig-bkdf,zig-hpke,zig-asymcrypt,rust-asymcrypt,rust-superboring,rust-seekable-stream-cipher,zig-common-access-tokenjs-wesolowski,PHP-Skein-Hash,rust-hmac-sha256,rust-hmac-sha512,rust-hmac-sha1,rust-sparx,go-progressive-hash,zig-floe,libsodium-signcryption,botbrake-refzig-xoodoo,nonce-extension,zig-cbc,smac,xsecretbox,moonbit-aegisrust-sealed_box,ponteil,aes-stream,pelican-mac,zig-ecdsa
dsvpn-ios,rust-dnstap,Simple-Comet-Server,vscode-piknik,atom-piknik,soundcheck,ping,windowshopper,URL-shortener-based-on-Tokyo-Cabinet,fischer-koch-s,tinyglitch
swival-nono-pack,fastly-vcl-examples,cae-abi,fastly-cost-simulator,flashmania,byteripper,d8code,log4perl_ltsv,yes-rs,rust-binstring,rust-bpf,rust-uuidv7,rust-uuidv6,rust-daemonize-simplezigly-template,rust-occlum-pal,rust-fehler-more,geoip-sys,rust-ipext,rust-xfailure,rust-printtable,vscode-witx
I also contribute around cryptography and systems standards rather than treating code as the only output. Recent public work includes:
- CFRG/IETF drafts around HPKE, AEAD properties, EdDSA key blinding, DNS stamps, IPCrypt, URICrypt, XET, and AEGIS cipher suites for TLS.
- Cryptographic implementations in the Zig standard library, especially under
lib/std/crypto. - Project organizations for
DNSCrypt,aegis-aead,hiae-aead,ipcrypt-std,dip-proto,wasm-crypto, andwasm-signatures. - Ecosystem work around WebAssembly, WASI, Zig, PHP, and secure application infrastructure. I do not list every repository from large standards bodies or foundations here; membership in those organizations is not the same as project ownership.