chore(deps): bump actions/cache from 4 to 5

Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/cache dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Regenerate cargo vet exemptions
2026-02-27 14:03:11 -08:00 · 2025-12-17 23:12:23 +00:00 · 2025-12-17 20:52:09 +01:00 · 2025-12-17 20:52:09 +01:00 · 2025-09-20 11:31:50 +02:00 · 2025-09-16 08:45:06 +00:00
159 changed files with 9670 additions and 7160 deletions
--- a/.ci/boot_race/a.toml
+++ b/.ci/boot_race/a.toml
@@ -3,11 +3,6 @@ secret_key = "rp-a-secret-key"
 listen = ["127.0.0.1:9999"]
 verbosity = "Verbose"

-[api]
-listen_path = []
-listen_fd = []
-stream_fd = []
-
 [[peers]]
 public_key = "rp-b-public-key"
 endpoint = "127.0.0.1:9998"
--- a/.ci/boot_race/b.toml
+++ b/.ci/boot_race/b.toml
@@ -3,11 +3,6 @@ secret_key = "rp-b-secret-key"
 listen = ["127.0.0.1:9998"]
 verbosity = "Verbose"

-[api]
-listen_path = []
-listen_fd = []
-stream_fd = []
-
 [[peers]]
 public_key = "rp-a-public-key"
 endpoint = "127.0.0.1:9999"
--- a/.ci/gen-workflow-files.nu
+++ b/.ci/gen-workflow-files.nu
@@ -32,9 +32,9 @@ let systems_map = {
  # aarch64-darwin
  # aarch64-linux
  
-  i686-linux: ubuntu-latest,
+  i686-linux: ubicloud-standard-2-ubuntu-2204,
  x86_64-darwin: macos-13,
-  x86_64-linux: ubuntu-latest
+  x86_64-linux: ubicloud-standard-2-ubuntu-2204
 }

 let targets = (get-attr-names ".#packages"
@@ -61,14 +61,13 @@ mut release_workflow = {

 let runner_setup = [
  {
-    uses: "actions/checkout@v3"
+    uses: "actions/checkout@v4"
  }
  {
-    uses: "cachix/install-nix-action@v22",
-    with: { nix_path: "nixpkgs=channel:nixos-unstable" }
+    uses: "cachix/install-nix-action@v30",
  }
  {
-    uses: "cachix/cachix-action@v12",
+    uses: "cachix/cachix-action@v15",
    with: {
      name: rosenpass,
      authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
@@ -154,7 +153,7 @@ for system in ($targets | columns) {
      }
      {
        name: Release,
-        uses: "softprops/action-gh-release@v1",
+        uses: "softprops/action-gh-release@v2",
        with: {
          draft: "${{ contains(github.ref_name, 'rc') }}",
          prerelease: "${{ contains(github.ref_name, 'alpha') || contains(github.ref_name, 'beta') }}",
@@ -182,7 +181,7 @@ $cachix_workflow.jobs = ($cachix_workflow.jobs | insert $"($system)---whitepaper
    }
    {
      name: "Deploy PDF artifacts",
-      uses: "peaceiris/actions-gh-pages@v3",
+      uses: "peaceiris/actions-gh-pages@v4",
      with: {
        github_token: "${{ secrets.GITHUB_TOKEN }}",
        publish_dir: result/,
--- a/.github/workflows/bench-primitives.yml
+++ b/.github/workflows/bench-primitives.yml
@@ -0,0 +1,103 @@
+name: rosenpass-ciphers - primitives - benchmark
+
+permissions:
+  contents: write
+
+on:
+  #pull_request:
+  push:
+
+env:
+  CARGO_TERM_COLOR: always
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  prim-benchmark:
+    strategy:
+      fail-fast: true
+      matrix:
+        system: ["x86_64-linux", "i686-linux"]
+
+    runs-on: ubicloud-standard-2
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - uses: actions/checkout@v5
+
+      # Install nix
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27 # A popular action for installing Nix
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      # Set up environment
+
+      - name: 🛠️ Prepare Benchmark Path
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          BRANCH_NAME: ${{ github.ref_name   }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          case "$EVENT_NAME" in
+          "push")
+            echo "BENCH_PATH=branch/$BRANCH_NAME" >> $GITHUB_ENV
+            ;;
+          "pull_request")
+            echo "BENCH_PATH=pull/$PR_NUMBER" >> $GITHUB_ENV
+            ;;
+          *)
+            echo "don't know benchmark path for event of type $EVENT_NAME, aborting"
+            exit 1
+          esac
+
+      # Benchmarks ...
+
+      - name: 🏃🏻‍♀️ Benchmarks (using Nix as shell)
+        working-directory: ciphers
+        run: nix develop ".#devShells.${{ matrix.system }}.benchmarks" --command cargo bench -F bench --bench primitives --verbose -- --output-format bencher | tee ../bench-primitives.txt
+
+      - name: Extract benchmarks
+        uses: cryspen/benchmark-data-extract-transform@v2
+        with:
+          name: rosenpass-ciphers primitives benchmarks
+          tool: "cargo"
+          os: ${{ matrix.system }}
+          output-file-path: bench-primitives.txt
+          data-out-path: bench-primitives-os.json
+
+      - name: Fix up 'os' label in benchmark data
+        run: jq 'map(with_entries(.key |= if . == "os" then "operating system" else . end))' <bench-primitives-os.json >bench-primitives.json
+
+      - name: Upload benchmarks
+        uses: cryspen/benchmark-upload-and-plot-action@v3
+        with:
+          name: Crypto Primitives Benchmarks
+          group-by: "operating system,primitive,algorithm"
+          schema: "operating system,primitive,algorithm,implementation,operation,length"
+          input-data-path: bench-primitives.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # NOTE: pushes to current repository
+          gh-repository: github.com/${{ github.repository }}
+          auto-push: true
+          fail-on-alert: true
+          base-path: benchmarks/
+
+  ciphers-primitives-bench-status:
+    if: ${{ always() }}
+    needs: [prim-benchmark]
+    runs-on: ubicloud-standard-2
+    steps:
+      - name: Successful
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+      - name: Failing
+        if: ${{ (contains(needs.*.result, 'failure')) }}
+        run: exit 1
--- a/.github/workflows/bench-protocol.yml
+++ b/.github/workflows/bench-protocol.yml
@@ -0,0 +1,90 @@
+name: rosenpass - protocol - benchmark
+
+permissions:
+  contents: write
+
+on:
+  #pull_request:
+  push:
+
+env:
+  CARGO_TERM_COLOR: always
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  proto-benchmark:
+    strategy:
+      fail-fast: true
+      matrix:
+        system: ["x86_64-linux", "i686-linux"]
+
+    runs-on: ubicloud-standard-2
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+      - uses: actions/checkout@v5
+
+      # Install nix
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v27 # A popular action for installing Nix
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+            access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+      # Set up environment
+
+      - name: 🛠️ Prepare Benchmark Path
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          BRANCH_NAME: ${{ github.ref_name   }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          case "$EVENT_NAME" in
+          "push")
+            echo "BENCH_PATH=branch/$BRANCH_NAME" >> $GITHUB_ENV
+            ;;
+          "pull_request")
+            echo "BENCH_PATH=pull/$PR_NUMBER" >> $GITHUB_ENV
+            ;;
+          *)
+            echo "don't know benchmark path for event of type $EVENT_NAME, aborting"
+            exit 1
+          esac
+
+      # Benchmarks ...
+
+      - name: 🏃🏻‍♀️ Benchmarks
+        run: nix develop ".#devShells.${{ matrix.system }}.benchmarks" --command cargo bench -p rosenpass --bench trace_handshake -F trace_bench --verbose >bench-protocol.json
+
+      - name: Upload benchmarks
+        uses: cryspen/benchmark-upload-and-plot-action@v3
+        with:
+          name: Protocol Benchmarks
+          group-by: "operating system,architecture,protocol version,run time"
+          schema: "operating system,architecture,protocol version,run time,name"
+          input-data-path: bench-protocol.json
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          # NOTE: pushes to current repository
+          gh-repository: github.com/${{ github.repository }}
+          auto-push: true
+          fail-on-alert: true
+          base-path: benchmarks/
+
+  ciphers-protocol-bench-status:
+    if: ${{ always() }}
+    needs: [proto-benchmark]
+    runs-on: ubicloud-standard-2
+    steps:
+      - name: Successful
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+      - name: Failing
+        if: ${{ (contains(needs.*.result, 'failure')) }}
+        run: exit 1
--- a/.github/workflows/doc-upload.yml
+++ b/.github/workflows/doc-upload.yml
@@ -13,10 +13,10 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Clone rosenpass-website repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          repository: rosenpass/rosenpass-website
          ref: main
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -30,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build (no push) and Load
@@ -128,7 +128,7 @@ jobs:
    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Docker meta
        id: meta
@@ -173,7 +173,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: digests-rp-${{ matrix.arch }}
          path: ${{ runner.temp }}/digests/*
@@ -193,7 +193,7 @@ jobs:
    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Docker meta
        id: meta
@@ -237,7 +237,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: digests-rosenpass-${{ matrix.arch }}
          path: ${{ runner.temp }}/digests/*
@@ -255,7 +255,7 @@ jobs:
        target: [rp, rosenpass]
    steps:
      - name: Download digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-${{ matrix.target }}-*
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -0,0 +1,166 @@
+name: Integration Tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  integration-tests-x86_64-linux:
+    name: Integration tests x86_64-linux
+    runs-on:
+      - ubicloud-standard-2-ubuntu-2204
+    steps:
+      - uses: actions/checkout@v5
+      - uses: cachix/install-nix-action@v30
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          name: rosenpass
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Extract the reference of before and after for the integration tests.
+        run: |
+          EVENT_NAME="${{ github.event_name }}"
+          REF_BEFORE=""
+          REF_AFTER="path:../../"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            echo "This CI run was triggered in the context of a pull request."
+            REF_BEFORE="github:rosenpass/rosenpass/main"
+            git checkout -B pr-${{ github.event.pull_request.number }}
+            REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+          elif [[ "$EVENT_NAME" == "push" ]]; then
+            echo "This CI run was triggered in the context of a push."
+            REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+            REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+          else
+            echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+            exit 1
+          fi
+          echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+          echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+      - name: Check
+        run: |
+          cd ./tests/integration
+          nix flake check --print-build-logs --system x86_64-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  # THE FOLLOWING TEST IS DISABLED FOR THE TIME BENG UNTIL WE GET AN ARM64 RUNNER THAT SUPPORTS KVM
+  #integration-tests-aarch64-linux:
+  #  name: Integration tests aarch64-linux
+  #  runs-on:
+  #    - ubicloud-standard-2-arm-ubuntu-2204
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          #git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #          #git checkout -B ${{ github.ref_name }}
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        # export QEMU_OPTS="-machine virt -cpu cortex-a57"
+  #        nix flake check --print-build-logs --system aarch64-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  #integration-tests-i686-linux:
+  #  name: Integration tests i686-linux
+  #  timeout-minutes: 144000
+  #  runs-on:
+  #    - ubicloud-standard-8-ubuntu-2204
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        nix flake check --print-build-logs --system i686-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  # THE FOLLOWING TEST IS DISABLED FOR THE TIME BENG UNTIL THIS ISSUE WITH NIXOS TESTS ON DARWIN GETS RESOLVED: https://github.com/NixOS/nixpkgs/issues/294725
+  #integration-tests-aarch64-darwin:
+  #  name: Integration tests aarch64-darwin
+  #  runs-on:
+  #    - warp-macos-13-arm64-6x
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        nix flake check --print-build-logs --system aarch64-darwin --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
--- a/.github/workflows/nix-mac.yaml
+++ b/.github/workflows/nix-mac.yaml
@@ -19,7 +19,7 @@ jobs:
    needs:
      - aarch64-darwin---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -38,7 +38,7 @@ jobs:
      - aarch64-darwin---rp
      - aarch64-darwin---rosenpass-oci-image
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -54,7 +54,7 @@ jobs:
      - warp-macos-13-arm64-6x
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -70,7 +70,7 @@ jobs:
      - warp-macos-13-arm64-6x
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -87,7 +87,7 @@ jobs:
    needs:
      - aarch64-darwin---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -102,7 +102,7 @@ jobs:
    runs-on:
      - warp-macos-13-arm64-6x
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
--- a/.github/workflows/nix.yaml
+++ b/.github/workflows/nix.yaml
@@ -19,7 +19,7 @@ jobs:
    needs:
      - i686-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -35,7 +35,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -52,7 +52,7 @@ jobs:
    needs:
      - i686-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -67,7 +67,7 @@ jobs:
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -76,7 +76,8 @@ jobs:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Check
-        run: nix flake check . --print-build-logs
+        run: |
+          nix flake check . --print-build-logs
  x86_64-linux---default:
    name: Build x86_64-linux.default
    runs-on:
@@ -84,7 +85,7 @@ jobs:
    needs:
      - x86_64-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -101,7 +102,7 @@ jobs:
    needs:
      - x86_64-linux---proverif-patched
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -117,7 +118,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -136,7 +137,7 @@ jobs:
      - x86_64-linux---rosenpass-static-oci-image
      - x86_64-linux---rp-static
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -158,7 +159,7 @@ jobs:
  #     - run: |
  #         DEBIAN_FRONTEND=noninteractive
  #         sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
-  #     - uses: actions/checkout@v4
+  #     - uses: actions/checkout@v5
  #     - uses: cachix/install-nix-action@v30
  #       with:
  #         nix_path: nixpkgs=channel:nixos-unstable
@@ -176,7 +177,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -195,7 +196,7 @@ jobs:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -216,7 +217,7 @@ jobs:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -235,7 +236,7 @@ jobs:
    needs:
      - x86_64-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -255,7 +256,7 @@ jobs:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -273,7 +274,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -289,7 +290,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -306,7 +307,7 @@ jobs:
    needs:
      - x86_64-linux---rosenpass-static
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -322,7 +323,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -337,7 +338,7 @@ jobs:
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -352,7 +353,7 @@ jobs:
    runs-on: ubicloud-standard-2-ubuntu-2204
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
--- a/.github/workflows/qc-mac.yaml
+++ b/.github/workflows/qc-mac.yaml
@@ -16,8 +16,8 @@ jobs:
  cargo-test-mac:
    runs-on: warp-macos-13-arm64-6x
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
--- a/.github/workflows/qc.yaml
+++ b/.github/workflows/qc.yaml
@@ -16,7 +16,7 @@ jobs:
  prettier:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actionsx/prettier@v3
        with:
          args: --check .
@@ -25,23 +25,39 @@ jobs:
    name: Shellcheck
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@master

  rustfmt:
-    name: Rust Format
+    name: Rust code formatting
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
-      - name: Run Rust Formatting Script
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Install nightly toolchain
+        run: |
+          rustup toolchain install nightly
+          rustup override set nightly
+      - run: rustup component add rustfmt
+      - name: Run Cargo Fmt
+        run: cargo fmt --all --check
+      - name: Run Rust Markdown code block Formatting Script
        run: bash format_rust_code.sh --mode check

  cargo-bench:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
@@ -61,14 +77,14 @@ jobs:
    steps:
      - name: Install mandoc
        run: sudo apt-get install -y mandoc
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - name: Check rp.1
        run: doc/check.sh doc/rp.1

  cargo-audit:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -76,8 +92,8 @@ jobs:
  cargo-clippy:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
@@ -95,8 +111,8 @@ jobs:
  cargo-doc:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
@@ -112,15 +128,10 @@ jobs:
      - run: RUSTDOCFLAGS="-D warnings" cargo doc --no-deps --document-private-items

  cargo-test:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [ubicloud-standard-2-ubuntu-2204, warp-macos-13-arm64-6x]
-        # - ubuntu is x86-64
-        # - macos-13 is also x86-64 architecture
+    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
@@ -138,8 +149,8 @@ jobs:
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
@@ -159,10 +170,9 @@ jobs:

  cargo-fuzz:
    runs-on: ubicloud-standard-2-ubuntu-2204
-    env:
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
@@ -174,7 +184,7 @@ jobs:
      - name: Install nightly toolchain
        run: |
          rustup toolchain install nightly
-          rustup override nightly
+          rustup override set nightly
      - name: Install cargo-fuzz
        run: cargo install cargo-fuzz
      - name: Run fuzzing
@@ -193,9 +203,23 @@ jobs:

  codecov:
    runs-on: ubicloud-standard-2-ubuntu-2204
+    env:
+      RUSTUP_TOOLCHAIN: nightly
    steps:
-      - uses: actions/checkout@v4
-      - run: rustup default nightly
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            target/
+          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Install nightly toolchain
+        run: |
+          rustup toolchain install nightly
+          rustup override set nightly
      - run: rustup component add llvm-tools-preview
      - run: |
          cargo install cargo-llvm-cov || true
@@ -209,6 +233,4 @@ jobs:
        with:
          files: ./target/grcov/lcov
          verbose: true
-        env:
-          RUSTUP_TOOLCHAIN: 1.81
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/regressions.yml
+++ b/.github/workflows/regressions.yml
@@ -16,7 +16,7 @@ jobs:
  multi-peer:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - run: cargo build --bin rosenpass --release
      - run: python misc/generate_configs.py
      - run: chmod +x .ci/run-regression.sh
@@ -27,7 +27,7 @@ jobs:
  boot-race:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - run: cargo build --bin rosenpass --release
      - run: chmod +x .ci/boot_race/run.sh
      - run: cargo run --release --bin rosenpass gen-keys .ci/boot_race/a.toml
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,7 +11,7 @@ jobs:
    runs-on:
      - ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
      - uses: cachix/cachix-action@v15
        with:
@@ -30,7 +30,7 @@ jobs:
    runs-on:
      - macos-13
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
      - uses: cachix/cachix-action@v15
        with:
@@ -49,7 +49,7 @@ jobs:
    runs-on:
      - ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -69,7 +69,7 @@ jobs:
    name: Build and upload DEB and RPM packages
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
      - uses: cachix/cachix-action@v15
        with:
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -13,14 +13,14 @@ jobs:
    name: Deny dependencies with vulnerabilities or incompatible licenses
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: EmbarkStudios/cargo-deny-action@v2
  cargo-supply-chain:
    name: Supply Chain Report
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
@@ -28,7 +28,11 @@ jobs:
            ~/.cargo/registry/cache/
            ~/.cache/cargo-supply-chain/
          key: cargo-supply-chain-cache
-      - uses: actions/cache@v4
+      - name: Install nightly toolchain
+        run: |
+          rustup toolchain install nightly
+          rustup override set nightly
+      - uses: actions/cache@v5
        with:
          path: ${{ runner.tool_cache }}/cargo-supply-chain
          key: cargo-supply-chain-bin
@@ -49,19 +53,21 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/cache@v5
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
          key: cargo-vet-cache
-      - name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
+      - name: Install nightly toolchain
        run: |
-          rustup toolchain install stable
-          rustup default stable
-      - uses: actions/cache@v4
+          rustup toolchain install nightly
+          rustup override set nightly
+      - uses: actions/cache@v5
        with:
          path: ${{ runner.tool_cache }}/cargo-vet
          key: cargo-vet-bin
@@ -69,23 +75,103 @@ jobs:
        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-vet binary
        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
-      - name: Regenerate vet exemptions for dependabot PRs
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: cargo vet regenerate exemptions
-      - name: Check for changes in case of dependabot PR
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: git diff --exit-code || echo "Changes detected, committing..."
-      - name: Commit and push changes for dependabot PRs
-        if: success() && github.actor == 'dependabot[bot]'
+      - name: Check which event triggered this CI run, a push or a pull request.
        run: |
-          git fetch origin ${{ github.head_ref }}
-          git switch ${{ github.head_ref }}
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions@github.com"
-          git add supply-chain/*
-          git commit -m "Regenerate cargo vet exemptions"
-          git push origin ${{ github.head_ref }}
+          EVENT_NAME="${{ github.event_name }}"
+          IS_PR="false"
+          IS_PUSH="false"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            echo "This CI run was triggered in the context of a pull request."
+            IS_PR="true"
+          elif [[ "$EVENT_NAME" == "push" ]]; then
+            echo "This CI run was triggered in the context of a push."
+            IS_PUSH="true"
+          else
+            echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+            exit 1
+          fi
+          echo "IS_PR=$IS_PR" >> $GITHUB_ENV
+          echo "IS_PUSH=$IS_PUSH" >> $GITHUB_ENV
+        shell: bash
+      - name: Check if last commit was by Dependabot
+        run: |
+          # Depending on the trigger for, the relevant commit has to be deduced differently.
+          if [[ "$IS_PR" == true ]]; then
+            # This is the commit ID for the last commit to the head branch of the pull request.
+            # If we used github.sha here instead, it would point to a merge commit between the PR and the main branch, which is only created for the CI run.
+            SHA="${{ github.event.pull_request.head.sha }}"
+            REF="${{ github.head_ref }}"
+          elif [[ "$IS_PUSH" == "true" ]]; then
+            SHA="${{ github.sha }}" # This is the last commit to the branch.
+            REF=${GITHUB_REF#refs/heads/}
+          else
+            echo "ERROR: This action only supports pull requests and push events as triggers. Exiting with error."
+            exit 1
+          fi
+          echo "Commit SHA is $SHA"
+          echo "Branch is $REF"
+          echo "REF=$REF" >> $GITHUB_ENV
+
+          COMMIT_AUTHOR=$(gh api repos/${{ github.repository }}/commits/$SHA --jq .author.login) # .author.login might be null, but for dependabot it will always be there and cannot be spoofed in contrast to .commit.author.name
+          echo "The author of the last commit is $COMMIT_AUTHOR"
+          if [[ "$COMMIT_AUTHOR" == "dependabot[bot]" ]]; then
+            echo "The last commit was made by dependabot"
+            LAST_COMMIT_IS_BY_DEPENDABOT=true
+          else
+            echo "The last commit was made by $COMMIT_AUTHOR not by dependabot"
+            LAST_COMMIT_IS_BY_DEPENDABOT=false
+          fi
+          echo "LAST_COMMIT_IS_BY_DEPENDABOT=$LAST_COMMIT_IS_BY_DEPENDABOT" >> $GITHUB_ENV
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+      - name: Check if the last commit's message ends in "--regenerate-exemptions"
+        run: |
+          # Get commit message
+          COMMIT_MESSAGE=$(git log -1 --pretty=format:"%s")
+          if [[ "$COMMIT_MESSAGE" == *"--regenerate-exemptions" ]]; then
+            echo "The last commit message ends in --regenerate-exemptions"
+            REGEN_EXEMP=true
+          else
+            echo "The last commit message does not end in --regenerate-exemptions"
+            REGEN_EXEMP=false
+          fi
+          echo "REGEN_EXEMP=$REGEN_EXEMP" >> $GITHUB_ENV
+        shell: bash
+      - name: Check if the CI run happens in the context of a dependabot PR # Even if a PR is created by dependabot, the last commit can, and often should be, the regeneration of the cargo vet exemptions. It could also be from an individual making manual changes.
+        run: |
+          IN_DEPENDABOT_PR_CONTEXT="false"
+          if [[ $IS_PR == "true" && "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+            IN_DEPENDABOT_PR_CONTEXT="true"
+            echo "This CI run is in the context of PR by dependabot."
+          else
+            echo "This CI run is NOT in the context of PR by dependabot."
+            IN_DEPENDABOT_PR_CONTEXT="false"
+          fi
+          echo "IN_DEPENDABOT_PR_CONTEXT=$IN_DEPENDABOT_PR_CONTEXT" >> $GITHUB_ENV
+        shell: bash
+      - uses: actions/checkout@v5
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true'
+        with:
+          token: ${{ secrets.CI_BOT_PAT }}
+      - name: In case of a dependabot PR, ensure that we are not in a detached HEAD state
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true'
+        run: |
+          git fetch origin $REF # ensure that we are up to date.
+          git switch $REF # ensure that we are NOT in a detached HEAD state. This is important for the commit action in the end
+        shell: bash
+      - name: Regenerate cargo vet exemptions if we are in the context of a PR created by dependabot and the last commit is by dependabot or a regeneration of cargo vet exemptions was explicitly requested.
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true' && (env.LAST_COMMIT_IS_BY_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
+        run: cargo vet regenerate exemptions
+      - name: Commit and push changes if we are in the context of a PR created by dependabot and the last commit is by dependabot or a regeneration of cargo vet exemptions was explicitly requested.
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true' && (env.LAST_COMMIT_IS_BY_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true')
+        uses: stefanzweifel/git-auto-commit-action@v6
+        with:
+          commit_message: Regenerate cargo vet exemptions
+          commit_user_name: rosenpass-ci-bot[bot]
+          commit_user_email: noreply@rosenpass.eu
+          commit_author: Rosenpass CI Bot <noreply@rosenpass.eu>
+        env:
+          GITHUB_TOKEN: ${{ secrets.CI_BOT_PAT }}
      - name: Invoke cargo-vet
        run: cargo vet --locked
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -110,9 +110,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.96"
+version = "1.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"
 dependencies = [
 "backtrace",
 ]
@@ -126,6 +126,34 @@ dependencies = [
 "derive_arbitrary",
 ]

+[[package]]
+name = "assert_tv"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4aa42a8e0531efffd0fe96c6feef83221dc673c34b4ba2c2c9cbcd499511acba"
+dependencies = [
+ "anyhow",
+ "assert_tv_macros",
+ "base64",
+ "log",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "toml",
+ "zstd",
+]
+
+[[package]]
+name = "assert_tv_macros"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7b50043d3ecb7bc6e5e60dc6704757b7f9a9903d2c5ca13f8d62d494c68333"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.98",
+]
+
 [[package]]
 name = "atomic-polyfill"
 version = "1.0.3"
@@ -157,6 +185,12 @@ dependencies = [
 "windows-targets 0.52.6",
 ]

+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
 [[package]]
 name = "base64ct"
 version = "1.6.0"
@@ -408,9 +442,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"

 [[package]]
 name = "clap_mangen"
-version = "0.2.24"
+version = "0.2.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbae9cbfdc5d4fa8711c09bd7b83f644cb48281ac35bf97af3e47b0675864bdf"
+checksum = "27b4c3c54b30f0d9adcb47f25f61fcce35c4dd8916638c6b82fbd5f4fb4179e2"
 dependencies = [
 "clap",
 "roff",
@@ -1153,6 +1187,17 @@ dependencies = [
 "generic-array",
 ]

+[[package]]
+name = "io-uring"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
+dependencies = [
+ "bitflags 2.8.0",
+ "cfg-if",
+ "libc",
+]
+
 [[package]]
 name = "ipc-channel"
 version = "0.18.3"
@@ -1246,9 +1291,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"

 [[package]]
 name = "libc"
-version = "0.2.169"
+version = "0.2.174"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"

 [[package]]
 name = "libcrux"
@@ -1269,7 +1314,7 @@ version = "0.0.3-pre"
 source = "git+https://github.com/cryspen/libcrux.git?rev=10ce653e9476#10ce653e94761352b657b6cecdcc0c85675813df"
 dependencies = [
 "libcrux-hacl-rs",
- "libcrux-macros",
+ "libcrux-macros 0.0.2",
 ]

 [[package]]
@@ -1279,7 +1324,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "78d522fb626847390ea4b776c7eca179ecec363c6c4730b61b0c0feb797b8d92"
 dependencies = [
 "libcrux-hacl-rs",
- "libcrux-macros",
+ "libcrux-macros 0.0.2",
 "libcrux-poly1305",
 ]

@@ -1299,7 +1344,7 @@ version = "0.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8bba0885296a72555a5d77056c39cc9b04edd9ab1afa3025ef3dbd96220705c"
 dependencies = [
- "libcrux-macros",
+ "libcrux-macros 0.0.2",
 ]

 [[package]]
@@ -1321,6 +1366,15 @@ dependencies = [
 "syn 2.0.98",
 ]

+[[package]]
+name = "libcrux-macros"
+version = "0.0.3"
+source = "git+https://github.com/cryspen/libcrux.git?rev=0ab6d2dd9c1f#0ab6d2dd9c1f39c82b1125a566d6befb38feea28"
+dependencies = [
+ "quote",
+ "syn 2.0.98",
+]
+
 [[package]]
 name = "libcrux-ml-kem"
 version = "0.0.2-beta.3"
@@ -1350,7 +1404,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "80143d78ae14ab51ceb2c8a9514fb60af6645d42a9c951bc511792c19c974fca"
 dependencies = [
 "libcrux-hacl-rs",
- "libcrux-macros",
+ "libcrux-macros 0.0.2",
 ]

 [[package]]
@@ -1364,11 +1418,19 @@ dependencies = [
 "libcrux-platform",
 ]

+[[package]]
+name = "libcrux-test-utils"
+version = "0.0.2"
+source = "git+https://github.com/cryspen/libcrux.git?rev=0ab6d2dd9c1f#0ab6d2dd9c1f39c82b1125a566d6befb38feea28"
+dependencies = [
+ "libcrux-macros 0.0.3",
+]
+
 [[package]]
 name = "libfuzzer-sys"
-version = "0.4.9"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf78f52d400cf2d84a3a973a78a592b4adc535739e0a5597a0da6f0c357adc75"
+checksum = "5037190e1f70cbeef565bd267599242926f724d3b8a9f510fd7e0b540cfa4404"
 dependencies = [
 "arbitrary",
 "cc",
@@ -1412,9 +1474,9 @@ dependencies = [

 [[package]]
 name = "log"
-version = "0.4.26"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"

 [[package]]
 name = "memchr"
@@ -2013,6 +2075,8 @@ name = "rosenpass"
 version = "0.3.0-dev"
 dependencies = [
 "anyhow",
+ "assert_tv",
+ "base64",
 "clap",
 "clap_complete",
 "clap_mangen",
@@ -2024,6 +2088,7 @@ dependencies = [
 "hex",
 "hex-literal",
 "home",
+ "libcrux-test-utils",
 "log",
 "memoffset 0.9.1",
 "mio",
@@ -2039,8 +2104,10 @@ dependencies = [
 "rosenpass-wireguard-broker",
 "rustix",
 "serde",
+ "serde_json",
 "serial_test",
 "signal-hook",
+ "signal-hook-mio",
 "stacker",
 "static_assertions",
 "tempfile",
@@ -2070,6 +2137,7 @@ dependencies = [
 "anyhow",
 "blake2",
 "chacha20poly1305",
+ "criterion",
 "libcrux",
 "libcrux-blake2",
 "libcrux-chacha20poly1305",
@@ -2122,6 +2190,38 @@ dependencies = [
 "rosenpass-util",
 ]

+[[package]]
+name = "rosenpass-rp"
+version = "0.2.1"
+dependencies = [
+ "anyhow",
+ "base64ct",
+ "ctrlc-async",
+ "env_logger",
+ "futures",
+ "futures-util",
+ "genetlink",
+ "libc",
+ "log",
+ "netlink-packet-core",
+ "netlink-packet-generic",
+ "netlink-packet-wireguard",
+ "rosenpass",
+ "rosenpass-cipher-traits",
+ "rosenpass-ciphers",
+ "rosenpass-secret-memory",
+ "rosenpass-util",
+ "rosenpass-wireguard-broker",
+ "rtnetlink",
+ "serde",
+ "stacker",
+ "tempfile",
+ "tokio",
+ "toml",
+ "x25519-dalek",
+ "zeroize",
+]
+
 [[package]]
 name = "rosenpass-secret-memory"
 version = "0.1.0"
@@ -2129,6 +2229,8 @@ dependencies = [
 "allocator-api2",
 "allocator-api2-tests",
 "anyhow",
+ "assert_tv",
+ "base64",
 "base64ct",
 "log",
 "memsec",
@@ -2136,6 +2238,8 @@ dependencies = [
 "rand 0.8.5",
 "rosenpass-to",
 "rosenpass-util",
+ "serde",
+ "serde_json",
 "tempfile",
 "zeroize",
 ]
@@ -2153,11 +2257,14 @@ version = "0.1.0"
 dependencies = [
 "anyhow",
 "base64ct",
+ "libcrux-test-utils",
+ "log",
 "mio",
 "rustix",
 "static_assertions",
 "tempfile",
 "thiserror 1.0.69",
+ "tokio",
 "typenum",
 "uds",
 "zerocopy 0.7.35",
@@ -2188,35 +2295,6 @@ dependencies = [
 "zerocopy 0.7.35",
 ]

-[[package]]
-name = "rp"
-version = "0.2.1"
-dependencies = [
- "anyhow",
- "base64ct",
- "ctrlc-async",
- "futures",
- "futures-util",
- "genetlink",
- "netlink-packet-core",
- "netlink-packet-generic",
- "netlink-packet-wireguard",
- "rosenpass",
- "rosenpass-cipher-traits",
- "rosenpass-ciphers",
- "rosenpass-secret-memory",
- "rosenpass-util",
- "rosenpass-wireguard-broker",
- "rtnetlink",
- "serde",
- "stacker",
- "tempfile",
- "tokio",
- "toml",
- "x25519-dalek",
- "zeroize",
-]
-
 [[package]]
 name = "rtnetlink"
 version = "0.14.1"
@@ -2339,9 +2417,9 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.139"
+version = "1.0.140"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6"
+checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
 dependencies = [
 "itoa",
 "memchr",
@@ -2358,6 +2436,19 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
 [[package]]
 name = "serial_test"
 version = "3.2.0"
@@ -2401,14 +2492,25 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"

 [[package]]
 name = "signal-hook"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8621587d4798caf8eb44879d42e56b9a93ea5dcd315a6487c357130095b62801"
+checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2"
 dependencies = [
 "libc",
 "signal-hook-registry",
 ]

+[[package]]
+name = "signal-hook-mio"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34db1a06d485c9142248b7a054f034b349b212551f3dfd19c94d45a754a217cd"
+dependencies = [
+ "libc",
+ "mio",
+ "signal-hook",
+]
+
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.2"
@@ -2441,12 +2543,12 @@ checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd"

 [[package]]
 name = "socket2"
-version = "0.5.8"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -2466,9 +2568,9 @@ checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"

 [[package]]
 name = "stacker"
-version = "0.1.19"
+version = "0.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9156ebd5870ef293bfb43f91c7a74528d363ec0d424afe24160ed5a4343d08a"
+checksum = "cddb07e32ddb770749da91081d8d0ac3a16f1a569a18b20348cd371f5dead06b"
 dependencies = [
 "cc",
 "cfg-if",
@@ -2610,20 +2712,22 @@ dependencies = [

 [[package]]
 name = "tokio"
-version = "1.44.2"
+version = "1.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
+checksum = "43864ed400b6043a4757a25c7a64a8efde741aed79a056a2fb348a406701bb35"
 dependencies = [
 "backtrace",
 "bytes",
+ "io-uring",
 "libc",
 "mio",
 "parking_lot",
 "pin-project-lite",
 "signal-hook-registry",
+ "slab",
 "socket2",
 "tokio-macros",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -2702,6 +2806,12 @@ dependencies = [
 "subtle",
 ]

+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
 [[package]]
 name = "utf8parse"
 version = "0.2.2"
@@ -3241,3 +3351,31 @@ dependencies = [
 "quote",
 "syn 2.0.98",
 ]
+
+[[package]]
+name = "zstd"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
+dependencies = [
+ "zstd-safe",
+]
+
+[[package]]
+name = "zstd-safe"
+version = "7.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
+dependencies = [
+ "zstd-sys",
+]
+
+[[package]]
+name = "zstd-sys"
+version = "2.0.15+zstd.1.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
+dependencies = [
+ "cc",
+ "pkg-config",
+]
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -2,17 +2,17 @@
 resolver = "2"

 members = [
-    "rosenpass",
-    "cipher-traits",
-    "ciphers",
-    "util",
-    "constant-time",
-    "oqs",
-    "to",
-    "fuzz",
-    "secret-memory",
-    "rp",
-    "wireguard-broker",
+  "rosenpass",
+  "cipher-traits",
+  "ciphers",
+  "util",
+  "constant-time",
+  "oqs",
+  "to",
+  "fuzz",
+  "secret-memory",
+  "rp",
+  "wireguard-broker",
 ]

 default-members = ["rosenpass", "rp", "wireguard-broker"]
@@ -42,54 +42,59 @@ toml = "0.7.8"
 static_assertions = "1.1.0"
 allocator-api2 = "0.2.14"
 memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec6844125bd6612f92e9a281373df", features = [
-    "alloc_ext",
+  "alloc_ext",
 ] }
 rand = "0.8.5"
 typenum = "1.17.0"
-log = { version = "0.4.22" }
+log = { version = "0.4.27" }
 clap = { version = "4.5.23", features = ["derive"] }
-clap_mangen = "0.2.24"
+clap_mangen = "0.2.29"
 clap_complete = "4.5.40"
 serde = { version = "1.0.217", features = ["derive"] }
 arbitrary = { version = "1.4.1", features = ["derive"] }
-anyhow = { version = "1.0.95", features = ["backtrace", "std"] }
+anyhow = { version = "1.0.98", features = ["backtrace", "std"] }
 mio = { version = "1.0.3", features = ["net", "os-poll"] }
+signal-hook-mio = { version = "0.2.4", features = ["support-v1_0"] }
+signal-hook = "0.3.17"
 oqs-sys = { version = "0.9.1", default-features = false, features = [
-    'classic_mceliece',
-    'kyber',
+  'classic_mceliece',
+  'kyber',
 ] }
 blake2 = "0.10.6"
 sha3 = "0.10.8"
 chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
-    "std",
-    "heapless",
+  "std",
+  "heapless",
 ] }
 zerocopy = { version = "0.7.35", features = ["derive"] }
 home = "=0.5.9" # 5.11 requires rustc 1.81
 derive_builder = "0.20.1"
-tokio = { version = "1.42", features = ["macros", "rt-multi-thread"] }
+tokio = { version = "1.46", features = ["macros", "rt-multi-thread"] }
 postcard = { version = "1.1.1", features = ["alloc"] }
 libcrux = { version = "0.0.2-pre.2" }
 libcrux-chacha20poly1305 = { version = "0.0.2-beta.3" }
 libcrux-ml-kem = { version = "0.0.2-beta.3" }
-libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476"}
+libcrux-blake2 = { git = "https://github.com/cryspen/libcrux.git", rev = "10ce653e9476" }
+libcrux-test-utils = { git = "https://github.com/cryspen/libcrux.git", rev = "0ab6d2dd9c1f" }
 hex-literal = { version = "0.4.1" }
 hex = { version = "0.4.3" }
 heck = { version = "0.5.0" }
 libc = { version = "0.2" }
 uds = { git = "https://github.com/rosenpass/uds" }
-signal-hook = "0.3.17"
+lazy_static = "1.5"

 #Dev dependencies
+assert_tv = { version = "0.6.4" }
+base64 = { version = "0.22.1" }
 serial_test = "3.2.0"
 tempfile = "3"
-stacker = "0.1.17"
+stacker = "0.1.21"
 libfuzzer-sys = "0.4"
 test_bin = "0.4.0"
 criterion = "0.5.1"
 allocator-api2-tests = "0.2.15"
 procspawn = { version = "1.0.1", features = ["test-support"] }
-
+serde_json = { version = "1.0.140" }

 #Broker dependencies (might need cleanup or changes)
 wireguard-uapi = { version = "3.0.0", features = ["xplatform"] }
--- a/analysis/03_identity_hiding_initiator.entry.mpv
+++ b/analysis/03_identity_hiding_initiator.entry.mpv
@@ -1,25 +0,0 @@
-#define INITIATOR_TEST 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-// nounif a:Atom, s:seed, a2:Atom;
-// 	ConsumeSeed(a, s, a2) / 6300[conclusion].
-
-nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-nounif Spk:kem_sk_tmpl;
-  attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-  attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-  attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].
--- a/analysis/03_identity_hiding_responder.entry.mpv
+++ b/analysis/03_identity_hiding_responder.entry.mpv
@@ -1,96 +0,0 @@
-#define RESPONDER_TEST 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-// select k:kem_pk,ih: InitHello_t;         attacker(prf(prf(prf(prf(key0, PROTOCOL), MAC), kem_pk2b(k) ), IH2b(ih))) phase 1/6300[hypothesis].
-
-// select epki:kem_pk, sctr:bits, pidiC:bits, auth:bits, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits;
-// 	mess(D, prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder1)))),
-// 			IH2b(InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth)))
-// 		) [hypothesis, conclusion].
-
-// select epki:kem_pk, sctr:bits, pidiC:bits, auth:bits, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits;
-// attacker(choice[prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder1)))),
-// 		IH2b(InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth))),
-
-// 		prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder2)))),
-// 				IH2b(InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2)))]
-// 	) [hypothesis, conclusion].
-
-// select 
-// attacker(prf(prf(key0,PROTOCOL),MAC)) [hypothesis, conclusion].
-
-// select 
-// attacker(prf(key0,PROTOCOL)) [conclusion].
-
-// select  
-// attacker(key0) [conclusion].
-
-// select  
-// attacker(PROTOCOL) [conclusion].
-
-// select 
-// attacker(kem_pub(trusted_kem_sk(responder1))) /9999 [hypothesis, conclusion].
-
-// select 
-// attacker(kem_pub(trusted_kem_sk(responder2))) /9999 [hypothesis, conclusion].
-
-// nounif ih:InitHello_t;
-// 	attacker(ih) / 9999 [hypothesis].
-
-// nounif rh:RespHello_t;
-// 	attacker(rh) / 9999 [hypothesis].
-
-// nounif ic:InitConf_t;
-// 	attacker(ic) / 9999 [hypothesis].
-
-// nounif k:key;
-// attacker(ck_hs_enc( *k )) [hypothesis, conclusion].
-
-// nounif k:key;
-// attacker(ck_hs_enc( *k )) phase 1   [hypothesis, conclusion].
-
-// nounif k:key, b:bits;
-// attacker(ck_mix( *k , *b ))   [hypothesis, conclusion].
-
-// nounif k:key, b:bits;
-// attacker(ck_mix( *k , *b ))phase 1   [hypothesis, conclusion].
-
-// // select k:kem_pk, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits, epki:kem_pk, sctr:bits, pidiC:bits, auth:bits;
-// // attacker(choice[Envelope(prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pub(trusted_kem_sk(responder1))),
-// // 	InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2)
-// // 	), InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2))
-// // 	Envelope(prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pub(trusted_kem_sk(responder2))),
-// // 		InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth)),
-// // 		InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth))
-// // 	]) / 9999[hypothesis, conclusion].
-
-// nounif k:key, b1:bits, b2:bits;
-// 	attacker(xaead_enc( *k, *b1, *b2)) / 9999[hypothesis,conclusion].
-
-// nounif pk:kem_pk, k:key; 
-// 	attacker(kem_enc( *pk , *k )) / 9999[hypothesis,conclusion].
-
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/9999[hypothesis, conclusion].
-// nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-//   attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/9999[hypothesis, conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr )) /9999 [hypothesis, conclusion].
-
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   mess(C, Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/9999[hypothesis, conclusion].
-// nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-//   mess(C, Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/9999[hypothesis, conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   mess(C, Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr )) /9999 [hypothesis, conclusion].
-// nounif rh:RespHello_t;
-//   attacker(Cresp_hello( *rh ))[conclusion].
-// nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-// nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-// nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-// nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-// nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-// nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-// nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-// nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
--- a/analysis/03_identity_hiding_test.entry.mpv
+++ b/analysis/03_identity_hiding_test.entry.mpv
@@ -1,29 +0,0 @@
-#define INITIATOR_TEST 1
-#define CUSTOM_MAIN 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-let Oinitiator_bad_actor_inner(sk_tmp:kem_sk_prec) =
-
-  in(C, Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr));
-
-  #if RANDOMIZED_CALL_IDS
-    new call:Atom;
-  #else
-    call <- Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr);
-  #endif
-
-  in(C, last_cookie:key);
-  tmpl <- make_trusted_kem_sk(sk_tmp);
-  out(C, setup_kem_sk(tmpl));
-  Oinitiator_inner(sidi, Ssskm, Spsk, tmpl, Seski, Ssptr, last_cookie, C, call).
-
-let Oinitiator_bad_actor() =
-  Oinitiator_bad_actor_inner(responder1) | Oinitiator_bad_actor_inner(responder2) | Oinitiator_bad_actor_inner(initiator1) | Oinitiator_bad_actor_inner(initiator2).
-
-
-let identity_hiding_main2() = 
-  0 | Oinitiator_bad_actor() | rosenpass_main2() | participants_communication() | phase 1; secretCommunication().
-
-
-let main = identity_hiding_main2.
--- a/analysis/04_dos_protection.entry.mpv
+++ b/analysis/04_dos_protection.entry.mpv
@@ -1,136 +0,0 @@
-#define CHAINING_KEY_EVENTS 1
-#define MESSAGE_TRANSMISSION_EVENTS 0
-#define SESSION_START_EVENTS 0
-#define RANDOMIZED_CALL_IDS 0
-#define COOKIE_EVENTS 1
-#define KEM_EVENTS 1
-
-#include "config.mpv"
-#include "prelude/basic.mpv"
-#include "crypto/key.mpv"
-#include "crypto/kem.mpv"
-#include "rosenpass/handshake_state.mpv"
-
-/* The cookie data structure is implemented based on the WireGuard protocol.
- * The ip and port is based purely on the public key and the implementation of the private cookie key is intended to mirror the biscuit key.
- * The code tests the response to a possible DOS attack by setting up alternative branches for the protocol
- * processes: Oinit_conf, Oinit_hello and resp_hello to simulate what happens when the responder or initiator is overloaded.
- * When under heavy load a valid cookie is required. When such a cookie is not present a cookie message is sent as a response.
- * Queries then test to make sure that expensive KEM operations are only conducted after a cookie has been successfully validated.
- */
-
-type CookieMsg_t.
-fun CookieMsg(
-  SessionId,  // sender
-  bits,     // nonce
-  bits      // cookie
-) : CookieMsg_t [data].
-
-#define COOKIE_EVENTS(eventLbl) \
-  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (SessionId, SessionId, Atom).)   \
-  COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (SessionId, SessionId, Atom).)   \
-  COOKIE_EV(event MCAT(eventLbl, _CookieSent) (SessionId, SessionId, Atom, CookieMsg_t).)
-
-fun cookie_key(kem_sk) : key [private].
-fun ip_and_port(kem_pk):bits.
-letfun create_mac2_key(sskm:kem_sk, spkt:kem_pk) = prf(cookie_key(sskm), ip_and_port(spkt)).
-letfun create_cookie(sskm:kem_sk, spkm:kem_pk, spkt:kem_pk, nonce:bits, msg:bits) = xaead_enc(lprf2(COOKIE, kem_pk2b(spkm), nonce),
-    k2b(create_mac2_key(sskm, spkm)), msg).
-
-#define COOKIE_PROCESS(eventLbl, innerFunc) \
-  new nonce:bits; \
-  in(C, Ccookie(mac1, mac2)); \
-  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (sidi, sidr, call);)  \
-  msgB <- Envelope(mac1, msg); \
-  mac2_key <- create_mac2_key(sskm, spkt); \
-  if k2b(create_mac2(mac2_key, msgB)) = mac2 then  \
-    COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (sidi, sidr, call);)  \
-    innerFunc \
-  else \
-    cookie <- create_cookie(sskm, spkm, spkt, nonce, msg); \
-    cookie_msg <- CookieMsg(sidi, nonce, cookie); \
-    COOKIE_EV(event MCAT(eventLbl, _CookieSent) (sidi, sidr, call, cookie_msg);)  \
-    out(C, cookie_msg). \
-
-#include "rosenpass/oracles.mpv"
-
-#include "rosenpass/responder.macro"
-COOKIE_EVENTS(Oinit_conf)
-let Oinit_conf_underLoad() =
-  in(C, Cinit_conf(Ssskm, Spsk, Sspkt, ic));
-  in(C, last_cookie:bits);
-
-  msg <- IC2b(ic);
-  let InitConf(sidi, sidr, biscuit, auth) = ic in 
-
-  new call:Atom;
-
-  SETUP_HANDSHAKE_STATE()
-
-  COOKIE_PROCESS(Oinit_conf, Oinit_conf_inner(Ssskm, Spsk, Sspkt, ic, call))
-
-#include "rosenpass/responder.macro"
-COOKIE_EVENTS(Oinit_hello)
-let Oinit_hello_underLoad() =
-
-  in(C, Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih));
-  in(C, Oinit_hello_last_cookie:key);
-  new call:Atom;
-
-  msg <- IH2b(ih);
-  let InitHello(sidi, epki, sctr, pidic, auth) = ih in
-  SETUP_HANDSHAKE_STATE()
-
-  COOKIE_PROCESS(Oinit_hello, Oinit_hello_inner(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih, Oinit_hello_last_cookie, C, call))
-
-let rosenpass_dos_main() = 0
-  | !Oreveal_kem_pk
-  | REP(INITIATOR_BOUND, Oinitiator)
-  | REP(RESPONDER_BOUND, Oinit_hello)
-  | REP(RESPONDER_BOUND, Oinit_conf)
-  | REP(RESPONDER_BOUND, Oinit_hello_underLoad)
-  | REP(RESPONDER_BOUND, Oinit_conf_underLoad).
-
-let main = rosenpass_dos_main.
-
-select cookie:CookieMsg_t;         attacker(cookie)/6220[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-
-// nounif Spk:kem_sk_tmpl;
-//   attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].
-
-@reachable "DOS protection: cookie sent"
-query sidi:SessionId, sidr:SessionId, call:Atom, cookieMsg:CookieMsg_t;
-  event (Oinit_hello_CookieSent(sidi, sidr, call, cookieMsg)).
-
-@lemma "DOS protection: Oinit_hello kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oinit_hello_UnderLoadEV(sidi, sidr, call))
-  && event(Oinit_hello_KemUse(sidi, sidr, call))
-  ==> event(Oinit_hello_CookieValidated(sidi, sidr, call)).
-
-@lemma "DOS protection: Oinit_conf kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oinit_conf_UnderLoadEV(sidi, sidr, call))
-  && event(Oinit_conf_KemUse(sidi, sidr, call))
-  ==> event(Oinit_conf_CookieValidated(sidi, sidr, call)).
-
-@lemma "DOS protection: Oresp_hello kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oresp_hello_UnderLoadEV(sidi, sidr, call))
-  && event(Oresp_hello_KemUse(sidi, sidr, call))
-  ==> event(Oresp_hello_CookieValidated(sidi, sidr, call)).
-
--- a/analysis/rosenpass/03_identity_hiding.mpv
+++ b/analysis/rosenpass/03_identity_hiding.mpv
@@ -58,7 +58,7 @@ let secure_init_hello(initiator: kem_sk_tmpl, sidi : SessionId, psk: key_tmpl, r

  new epkit:kem_pk;    // epki
  new sctrt:bits;      // sctr 
-  new pidiCt:bits;      // pidiC
+  new pidi_ct:bits;      // pidi_ct
  new autht:bits;       // auth

  NEW_TRUSTED_SEED(seski_trusted_seed)
@@ -70,9 +70,9 @@ let secure_init_hello(initiator: kem_sk_tmpl, sidi : SessionId, psk: key_tmpl, r

 let secure_resp_hello(initiator: kem_sk_tmpl, responder: kem_sk_tmpl, sidi:SessionId, sidr:SessionId, biscuit_no:Atom, psk:key_tmpl) =

-  in(D, InitHello(=secure_sidi, epki, sctr, pidiC, auth));
+  in(D, InitHello(=secure_sidi, epki, sctr, pidi_ct, auth));

-  ih <- InitHello(sidi, epki, sctr, pidiC, auth);
+  ih <- InitHello(sidi, epki, sctr, pidi_ct, auth);
  NEW_TRUSTED_SEED(septi_trusted_seed)
  NEW_TRUSTED_SEED(sspti_trusted_seed)
  new last_cookie:key;
--- a/analysis/rosenpass/cookie.mpv
+++ b/analysis/rosenpass/cookie.mpv
@@ -19,7 +19,7 @@ fun CookieMsg(
  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (spkm, spkt, last_cookie);)	\
  msgB <- Envelope(mac1, RH2b(rh));	\
  mac2_key <- create_mac2_key(sskm, spkt)	\
-  let RespHello(sidi, sidr, ecti, scti, biscuit, auth) = rh in \
+  let RespHello(sidi, sidr, ecti, scti, biscuit_ct, auth) = rh in \
  if Envelope(mac2_key, msgB) = mac2 then	\
    COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (spkm, last_cookie);)	\
    innerFunc	\
--- a/analysis/rosenpass/handshake_state.mpv
+++ b/analysis/rosenpass/handshake_state.mpv
@@ -143,10 +143,10 @@ letfun ENCRYPT_AND_MIX(ct, pt) \
 // TODO: Migrate kems to use binary ciphertexts directly
 #define ENCAPS_AND_MIX(ct, pk, shk) \
  ct <- kem_enc(pk, shk);           \
-  MIX3(kem_pk2b(pk), ct, k2b(shk))
+  MIX3(kem_pk2b(pk), k2b(shk), ct)
 #define DECAPS_AND_MIX(sk, pk, ct) \
  DUMMY(shk) <- kem_dec(sk, ct);   \
-  MIX3(kem_pk2b(pk), ct, k2b(DUMMY(shk)))
+  MIX3(kem_pk2b(pk), k2b(DUMMY(shk)), ct)


 // biscuits
--- a/analysis/rosenpass/oracles.mpv
+++ b/analysis/rosenpass/oracles.mpv
@@ -86,8 +86,8 @@ MTX_EV( event RHRjct(RespHello_t, key, kem_sk, kem_pk). )
 MTX_EV( event ICSent(RespHello_t, InitConf_t, key, kem_sk, kem_pk). )
 SES_EV( event InitiatorSession(RespHello_t, key). )
 let Oresp_hello(HS_DECL_ARGS) =
-  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit, auth)));
-  rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
+  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit_ct, auth)));
+  rh <- RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth);
  /* try */ let ic = (
    ck_ini <- ck;
    RESPHELLO_CONSUME()
@@ -124,7 +124,7 @@ let Oinit_hello() =
  call <- Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih);
 #endif
  // TODO: This is ugly
-  let InitHello(sidi, epki, sctr, pidiC, auth) = ih in
+  let InitHello(sidi, epki, sctr, pidi_ct, auth) = ih in
  SETUP_HANDSHAKE_STATE()
  eski <- kem_sk0;
  epti <- rng_key(setup_seed(Septi)); // RHR4
--- a/analysis/rosenpass/protocol.mpv
+++ b/analysis/rosenpass/protocol.mpv
@@ -7,7 +7,7 @@ fun InitHello(
  SessionId, // sidi
  kem_pk,    // epki
  bits,      // sctr 
-  bits,      // pidiC
+  bits,      // pidi_ct
  bits       // auth
 ) : InitHello_t [data].

@@ -17,16 +17,16 @@ fun InitHello(
  /* not handled here */                /* IHI3 */ \
  MIX2(sid2b(sidi), kem_pk2b(epki))     /* IHI4 */ \
  ENCAPS_AND_MIX(sctr, spkr, sptr)      /* IHI5 */ \
-  ENCRYPT_AND_MIX(pidiC, pidi)          /* IHI6 */ \
+  ENCRYPT_AND_MIX(pidi_ct, pidi)        /* IHI6 */ \
  MIX2(kem_pk2b(spki), k2b(psk))        /* IHI7 */ \
  ENCRYPT_AND_MIX(auth, empty)          /* IHI8 */ \
-  ih <- InitHello(sidi, epki, sctr, pidiC, auth);
+  ih <- InitHello(sidi, epki, sctr, pidi_ct, auth);

 #define INITHELLO_CONSUME()                       \
  ck <- lprf1(CK_INIT, kem_pk2b(spkr)); /* IHR1 */ \
  MIX2(sid2b(sidi), kem_pk2b(epki))     /* IHR4 */ \
  DECAPS_AND_MIX(sskr, spkr, sctr)      /* IHR5 */ \
-  DECRYPT_AND_MIX(pid, pidiC)           /* IHR6 */ \
+  DECRYPT_AND_MIX(pid, pidi_ct)         /* IHR6 */ \
  LOOKUP_SENDER(pid)                    /* IHR6 */ \
  MIX2(kem_pk2b(spki), k2b(psk))        /* IHR7 */ \
  DECRYPT_AND_MIX(DUMMY(empty), auth)
@@ -46,17 +46,17 @@ fun RespHello(
  MIX2(sid2b(sidr), sid2b(sidi))   /* RHR3 */ \
  ENCAPS_AND_MIX(ecti, epki, epti) /* RHR4 */ \
  ENCAPS_AND_MIX(scti, spki, spti) /* RHR5 */ \
-  STORE_BISCUIT(biscuit)           /* RHR6 */ \
+  STORE_BISCUIT(biscuit_ct)        /* RHR6 */ \
  ENCRYPT_AND_MIX(auth, empty)     /* RHR7 */ \
-  rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
+  rh <- RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth);

 #define RESPHELLO_CONSUME()                                    \
-  let RespHello(sidr, sidi, ecti, scti, biscuit, auth) = rh in \
+  let RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth) = rh in \
  /* not handled here */               /* RHI2 */ \
  MIX2(sid2b(sidr), sid2b(sidi))       /* RHI3 */ \
  DECAPS_AND_MIX(eski, epki, ecti)     /* RHI4 */ \
  DECAPS_AND_MIX(sski, spki, scti)     /* RHI5 */ \
-  MIX(biscuit)                         /* RHI6 */ \
+  MIX(biscuit_ct)                      /* RHI6 */ \
  DECRYPT_AND_MIX(DUMMY(empty), auth)  /* RHI7 */

 type InitConf_t.
@@ -70,11 +70,11 @@ fun InitConf(
 #define INITCONF_PRODUCE()                  \
  MIX2(sid2b(sidi), sid2b(sidr)) /* ICI3 */ \
  ENCRYPT_AND_MIX(auth, empty)   /* ICI4 */ \
-  ic <- InitConf(sidi, sidr, biscuit, auth);
+  ic <- InitConf(sidi, sidr, biscuit_ct, auth);

 #define INITCONF_CONSUME()                        \
-  let InitConf(sidi, sidr, biscuit, auth) = ic in \
-  LOAD_BISCUIT(biscuit_no, biscuit)   /* ICR1 */    \
+  let InitConf(sidi, sidr, biscuit_ct, auth) = ic in \
+  LOAD_BISCUIT(biscuit_no, biscuit_ct)/* ICR1 */    \
  ENCRYPT_AND_MIX(rh_auth, empty)     /* ICIR */    \
  ck_rh <- ck;                        /* ---- */ /* TODO: Move into oracles.mpv */ \
  MIX2(sid2b(sidi), sid2b(sidr))      /* ICR3 */    \
--- a/cipher-traits/Cargo.toml
+++ b/cipher-traits/Cargo.toml
@@ -8,7 +8,7 @@ description = "Rosenpass internal traits for cryptographic primitives"
 homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
 readme = "readme.md"
-rust-version = "1.77"
+rust-version = "1.77.0"

 [dependencies]
 thiserror = { workspace = true }
--- a/cipher-traits/src/primitives/keyed_hash.rs
+++ b/cipher-traits/src/primitives/keyed_hash.rs
@@ -40,7 +40,7 @@ pub struct InferKeyedHash<Static, const KEY_LEN: usize, const HASH_LEN: usize>
 where
    Static: KeyedHash<KEY_LEN, HASH_LEN>,
 {
-    pub _phantom_keyed_hasher: PhantomData<*const Static>,
+    pub _phantom_keyed_hasher: PhantomData<Static>,
 }

 impl<Static, const KEY_LEN: usize, const HASH_LEN: usize> InferKeyedHash<Static, KEY_LEN, HASH_LEN>
--- a/ciphers/Cargo.toml
+++ b/ciphers/Cargo.toml
@@ -8,22 +8,42 @@ description = "Rosenpass internal ciphers and other cryptographic primitives use
 homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
 readme = "readme.md"
-rust-version = "1.77"
+rust-version = "1.77.0"

 [features]
-experiment_libcrux_all = [
-    "experiment_libcrux_blake2",
-    "experiment_libcrux_chachapoly",
-    "experiment_libcrux_chachapoly_test",
-    "experiment_libcrux_kyber",
-]
-experiment_libcrux_blake2 = ["dep:libcrux-blake2", "dep:thiserror"]
-experiment_libcrux_chachapoly = ["dep:libcrux-chacha20poly1305"]
+# whether the types should be defined
+experiment_libcrux_define_blake2 = ["dep:libcrux-blake2", "dep:thiserror"]
+experiment_libcrux_define_kyber = ["dep:libcrux-ml-kem", "dep:rand"]
+experiment_libcrux_define_chachapoly = ["dep:libcrux-chacha20poly1305"]
+
+# whether the types should be used by default
+experiment_libcrux_blake2 = ["experiment_libcrux_define_blake2"]
+experiment_libcrux_kyber = ["experiment_libcrux_define_kyber"]
+experiment_libcrux_chachapoly = ["experiment_libcrux_define_chachapoly"]
 experiment_libcrux_chachapoly_test = [
-    "experiment_libcrux_chachapoly",
-    "dep:libcrux",
+  "experiment_libcrux_define_chachapoly",
+  "dep:libcrux",
 ]
-experiment_libcrux_kyber = ["dep:libcrux-ml-kem", "dep:rand"]
+
+# shorthands
+experiment_libcrux_define_all = [
+  "experiment_libcrux_define_blake2",
+  "experiment_libcrux_define_chachapoly",
+  "experiment_libcrux_define_kyber",
+]
+experiment_libcrux_all = [
+  "experiment_libcrux_blake2",
+  "experiment_libcrux_chachapoly",
+  "experiment_libcrux_chachapoly_test",
+  "experiment_libcrux_kyber",
+]
+
+bench = ["experiment_libcrux_define_all"]
+
+[[bench]]
+name = "primitives"
+harness = false
+required-features = ["bench"]

 [dependencies]
 anyhow = { workspace = true }
@@ -50,3 +70,4 @@ libcrux = { workspace = true, optional = true }

 [dev-dependencies]
 rand = { workspace = true }
+criterion = { workspace = true }
--- a/ciphers/benches/primitives.rs
+++ b/ciphers/benches/primitives.rs
@@ -0,0 +1,378 @@
+criterion::criterion_main!(keyed_hash::benches, aead::benches, kem::benches);
+
+fn benchid(base: KvPairs, last: KvPairs) -> String {
+    format!("{base},{last}")
+}
+
+#[derive(Clone, Copy, Debug)]
+struct KvPair<'a>(&'a str, &'a str);
+
+impl std::fmt::Display for KvPair<'_> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "{k}={v}", k = self.0, v = self.1)
+    }
+}
+
+#[derive(Clone, Copy, Debug)]
+struct KvPairs<'a>(&'a [KvPair<'a>]);
+
+impl std::fmt::Display for KvPairs<'_> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self.0.len() {
+            0 => Ok(()),
+            1 => write!(f, "{}", &self.0[0]),
+            _ => {
+                let mut delim = "";
+                for pair in self.0 {
+                    write!(f, "{delim}{pair}")?;
+                    delim = ",";
+                }
+                Ok(())
+            }
+        }
+    }
+}
+
+mod kem {
+    criterion::criterion_group!(
+        benches,
+        bench_kyber512_libcrux,
+        bench_kyber512_oqs,
+        bench_classicmceliece460896_oqs
+    );
+
+    use criterion::Criterion;
+
+    fn bench_classicmceliece460896_oqs(c: &mut Criterion) {
+        template(
+            c,
+            "classicmceliece460896",
+            "oqs",
+            rosenpass_oqs::ClassicMceliece460896,
+        );
+    }
+
+    fn bench_kyber512_libcrux(c: &mut Criterion) {
+        template(
+            c,
+            "kyber512",
+            "libcrux",
+            rosenpass_ciphers::subtle::libcrux::kyber512::Kyber512,
+        );
+    }
+
+    fn bench_kyber512_oqs(c: &mut Criterion) {
+        template(c, "kyber512", "oqs", rosenpass_oqs::Kyber512);
+    }
+
+    use rosenpass_cipher_traits::primitives::Kem;
+
+    fn template<
+        const SK_LEN: usize,
+        const PK_LEN: usize,
+        const CT_LEN: usize,
+        const SHK_LEN: usize,
+        T: Kem<SK_LEN, PK_LEN, CT_LEN, SHK_LEN>,
+    >(
+        c: &mut Criterion,
+        alg_name: &str,
+        impl_name: &str,
+        scheme: T,
+    ) {
+        use super::{benchid, KvPair, KvPairs};
+
+        let base = [
+            KvPair("primitive", "kem"),
+            KvPair("algorithm", alg_name),
+            KvPair("implementation", impl_name),
+            KvPair("length", "-1"),
+        ];
+
+        let kem_benchid = |op| benchid(KvPairs(&base), KvPairs(&[KvPair("operation", op)]));
+
+        c.bench_function(&kem_benchid("keygen"), |bench| {
+            let mut sk = [0; SK_LEN];
+            let mut pk = [0; PK_LEN];
+
+            bench.iter(|| {
+                scheme.keygen(&mut sk, &mut pk).unwrap();
+            });
+        });
+
+        c.bench_function(&kem_benchid("encaps"), |bench| {
+            let mut sk = [0; SK_LEN];
+            let mut pk = [0; PK_LEN];
+            let mut ct = [0; CT_LEN];
+            let mut shk = [0; SHK_LEN];
+
+            scheme.keygen(&mut sk, &mut pk).unwrap();
+
+            bench.iter(|| {
+                scheme.encaps(&mut shk, &mut ct, &pk).unwrap();
+            });
+        });
+
+        c.bench_function(&kem_benchid("decaps"), |bench| {
+            let mut sk = [0; SK_LEN];
+            let mut pk = [0; PK_LEN];
+            let mut ct = [0; CT_LEN];
+            let mut shk = [0; SHK_LEN];
+            let mut shk2 = [0; SHK_LEN];
+
+            scheme.keygen(&mut sk, &mut pk).unwrap();
+            scheme.encaps(&mut shk, &mut ct, &pk).unwrap();
+
+            bench.iter(|| {
+                scheme.decaps(&mut shk2, &sk, &ct).unwrap();
+            });
+        });
+    }
+}
+mod aead {
+    criterion::criterion_group!(
+        benches,
+        bench_chachapoly_libcrux,
+        bench_chachapoly_rustcrypto,
+        bench_xchachapoly_rustcrypto,
+    );
+
+    use criterion::Criterion;
+
+    const KEY_LEN: usize = rosenpass_ciphers::Aead::KEY_LEN;
+    const TAG_LEN: usize = rosenpass_ciphers::Aead::TAG_LEN;
+
+    fn bench_xchachapoly_rustcrypto(c: &mut Criterion) {
+        template(
+            c,
+            "xchacha20poly1305",
+            "rustcrypto",
+            rosenpass_ciphers::subtle::rust_crypto::xchacha20poly1305_ietf::XChaCha20Poly1305,
+        );
+    }
+
+    fn bench_chachapoly_rustcrypto(c: &mut Criterion) {
+        template(
+            c,
+            "chacha20poly1305",
+            "rustcrypto",
+            rosenpass_ciphers::subtle::rust_crypto::chacha20poly1305_ietf::ChaCha20Poly1305,
+        );
+    }
+
+    fn bench_chachapoly_libcrux(c: &mut Criterion) {
+        template(
+            c,
+            "chacha20poly1305",
+            "libcrux",
+            rosenpass_ciphers::subtle::libcrux::chacha20poly1305_ietf::ChaCha20Poly1305,
+        );
+    }
+
+    use rosenpass_cipher_traits::primitives::Aead;
+
+    fn template<const NONCE_LEN: usize, T: Aead<KEY_LEN, NONCE_LEN, TAG_LEN>>(
+        c: &mut Criterion,
+        alg_name: &str,
+        impl_name: &str,
+        scheme: T,
+    ) {
+        use crate::{benchid, KvPair, KvPairs};
+
+        let base = [
+            KvPair("primitive", "aead"),
+            KvPair("algorithm", alg_name),
+            KvPair("implementation", impl_name),
+        ];
+        let aead_benchid = |op, len| {
+            benchid(
+                KvPairs(&base),
+                KvPairs(&[KvPair("operation", op), KvPair("length", len)]),
+            )
+        };
+
+        let key = [12; KEY_LEN];
+        let nonce = [23; NONCE_LEN];
+        let ad = [];
+
+        c.bench_function(&aead_benchid("encrypt", "0byte"), |bench| {
+            const DATA_LEN: usize = 0;
+
+            let ptxt = [];
+            let mut ctxt = [0; DATA_LEN + TAG_LEN];
+
+            bench.iter(|| {
+                scheme.encrypt(&mut ctxt, &key, &nonce, &ad, &ptxt).unwrap();
+            });
+        });
+
+        c.bench_function(&aead_benchid("decrypt", "0byte"), |bench| {
+            const DATA_LEN: usize = 0;
+
+            let ptxt = [];
+            let mut ctxt = [0; DATA_LEN + TAG_LEN];
+            let mut ptxt_out = [0u8; DATA_LEN];
+
+            scheme.encrypt(&mut ctxt, &key, &nonce, &ad, &ptxt).unwrap();
+
+            bench.iter(|| {
+                scheme
+                    .decrypt(&mut ptxt_out, &key, &nonce, &ad, &mut ctxt)
+                    .unwrap()
+            })
+        });
+
+        c.bench_function(&aead_benchid("encrypt", "32byte"), |bench| {
+            const DATA_LEN: usize = 32;
+
+            let ptxt = [34u8; DATA_LEN];
+            let mut ctxt = [0; DATA_LEN + TAG_LEN];
+
+            bench.iter(|| {
+                scheme.encrypt(&mut ctxt, &key, &nonce, &ad, &ptxt).unwrap();
+            });
+        });
+
+        c.bench_function(&aead_benchid("decrypt", "32byte"), |bench| {
+            const DATA_LEN: usize = 32;
+
+            let ptxt = [34u8; DATA_LEN];
+            let mut ctxt = [0; DATA_LEN + TAG_LEN];
+            let mut ptxt_out = [0u8; DATA_LEN];
+
+            scheme.encrypt(&mut ctxt, &key, &nonce, &ad, &ptxt).unwrap();
+
+            bench.iter(|| {
+                scheme
+                    .decrypt(&mut ptxt_out, &key, &nonce, &ad, &mut ctxt)
+                    .unwrap()
+            })
+        });
+
+        c.bench_function(&aead_benchid("encrypt", "1024byte"), |bench| {
+            const DATA_LEN: usize = 1024;
+
+            let ptxt = [34u8; DATA_LEN];
+            let mut ctxt = [0; DATA_LEN + TAG_LEN];
+
+            bench.iter(|| {
+                scheme.encrypt(&mut ctxt, &key, &nonce, &ad, &ptxt).unwrap();
+            });
+        });
+        c.bench_function(&aead_benchid("decrypt", "1024byte"), |bench| {
+            const DATA_LEN: usize = 1024;
+
+            let ptxt = [34u8; DATA_LEN];
+            let mut ctxt = [0; DATA_LEN + TAG_LEN];
+            let mut ptxt_out = [0u8; DATA_LEN];
+
+            scheme.encrypt(&mut ctxt, &key, &nonce, &ad, &ptxt).unwrap();
+
+            bench.iter(|| {
+                scheme
+                    .decrypt(&mut ptxt_out, &key, &nonce, &ad, &mut ctxt)
+                    .unwrap()
+            })
+        });
+    }
+}
+
+mod keyed_hash {
+    criterion::criterion_group!(
+        benches,
+        bench_blake2b_rustcrypto,
+        bench_blake2b_libcrux,
+        bench_shake256_rustcrypto,
+    );
+
+    const KEY_LEN: usize = 32;
+    const HASH_LEN: usize = 32;
+
+    use criterion::Criterion;
+
+    fn bench_shake256_rustcrypto(c: &mut Criterion) {
+        template(
+            c,
+            "shake256",
+            "rustcrypto",
+            &rosenpass_ciphers::subtle::rust_crypto::keyed_shake256::SHAKE256Core,
+        );
+    }
+
+    fn bench_blake2b_rustcrypto(c: &mut Criterion) {
+        template(
+            c,
+            "blake2b",
+            "rustcrypto",
+            &rosenpass_ciphers::subtle::rust_crypto::blake2b::Blake2b,
+        );
+    }
+
+    fn bench_blake2b_libcrux(c: &mut Criterion) {
+        template(
+            c,
+            "blake2b",
+            "libcrux",
+            &rosenpass_ciphers::subtle::libcrux::blake2b::Blake2b,
+        );
+    }
+
+    use rosenpass_cipher_traits::primitives::KeyedHash;
+
+    fn template<H: KeyedHash<KEY_LEN, HASH_LEN>>(
+        c: &mut Criterion,
+        alg_name: &str,
+        impl_name: &str,
+        _: &H,
+    ) where
+        H::Error: std::fmt::Debug,
+    {
+        use crate::{benchid, KvPair, KvPairs};
+
+        let key = [12u8; KEY_LEN];
+        let mut out = [0u8; HASH_LEN];
+
+        let base = [
+            KvPair("primitive", "keyedhash"),
+            KvPair("algorithm", alg_name),
+            KvPair("implementation", impl_name),
+            KvPair("operation", "hash"),
+        ];
+        let keyedhash_benchid = |len| benchid(KvPairs(&base), KvPairs(&[KvPair("length", len)]));
+
+        c.bench_function(&keyedhash_benchid("0byte"), |bench| {
+            let bytes = [];
+
+            bench.iter(|| {
+                H::keyed_hash(&key, &bytes, &mut out).unwrap();
+            })
+        })
+        .bench_function(&keyedhash_benchid("32byte"), |bench| {
+            let bytes = [34u8; 32];
+
+            bench.iter(|| {
+                H::keyed_hash(&key, &bytes, &mut out).unwrap();
+            })
+        })
+        .bench_function(&keyedhash_benchid("64byte"), |bench| {
+            let bytes = [34u8; 64];
+
+            bench.iter(|| {
+                H::keyed_hash(&key, &bytes, &mut out).unwrap();
+            })
+        })
+        .bench_function(&keyedhash_benchid("128byte"), |bench| {
+            let bytes = [34u8; 128];
+
+            bench.iter(|| {
+                H::keyed_hash(&key, &bytes, &mut out).unwrap();
+            })
+        })
+        .bench_function(&keyedhash_benchid("1024byte"), |bench| {
+            let bytes = [34u8; 1024];
+
+            bench.iter(|| {
+                H::keyed_hash(&key, &bytes, &mut out).unwrap();
+            })
+        });
+    }
+}
--- a/ciphers/src/hash_domain.rs
+++ b/ciphers/src/hash_domain.rs
@@ -83,6 +83,33 @@ impl HashDomain {
        Ok(Self(new_key, self.1))
    }

+    /// Version of [Self::mix] that accepts an iterator and mixes all values from the iterator into
+    /// this hash domain.
+    ///
+    /// # Examples
+    ///
+    /// ```rust
+    /// use rosenpass_ciphers::{hash_domain::HashDomain, KeyedHash};
+    ///
+    /// let hasher = HashDomain::zero(KeyedHash::keyed_shake256());
+    /// assert_eq!(
+    ///     hasher.clone().mix(b"Hello")?.mix(b"World")?.into_value(),
+    ///     hasher.clone().mix_many([b"Hello", b"World"])?.into_value()
+    /// );
+    ///
+    /// Ok::<(), anyhow::Error>(())
+    /// ```
+    pub fn mix_many<I, T>(mut self, it: I) -> Result<Self>
+    where
+        I: IntoIterator<Item = T>,
+        T: AsRef<[u8]>,
+    {
+        for e in it {
+            self = self.mix(e.as_ref())?;
+        }
+        Ok(self)
+    }
+
    /// Creates a new [SecretHashDomain] by mixing in a new key `v`
    /// by calling [SecretHashDomain::invoke_primitive] with this
    /// [HashDomain]'s key as `k` and `v` as `d`.
@@ -161,6 +188,46 @@ impl SecretHashDomain {
        Self::invoke_primitive(self.0.secret(), v, self.1)
    }

+    /// Version of [Self::mix] that accepts an iterator and mixes all values from the iterator into
+    /// this hash domain.
+    ///
+    /// # Examples
+    ///
+    /// ```rust
+    /// use rosenpass_ciphers::{hash_domain::HashDomain, KeyedHash};
+    ///
+    /// rosenpass_secret_memory::secret_policy_use_only_malloc_secrets();
+    ///
+    /// let hasher = HashDomain::zero(KeyedHash::keyed_shake256());
+    /// assert_eq!(
+    ///     hasher
+    ///         .clone()
+    ///         .turn_secret()
+    ///         .mix(b"Hello")?
+    ///         .mix(b"World")?
+    ///         .into_secret()
+    ///         .secret(),
+    ///     hasher
+    ///         .clone()
+    ///         .turn_secret()
+    ///         .mix_many([b"Hello", b"World"])?
+    ///         .into_secret()
+    ///         .secret(),
+    /// );
+
+    /// Ok::<(), anyhow::Error>(())
+    /// ```
+    pub fn mix_many<I, T>(mut self, it: I) -> Result<Self>
+    where
+        I: IntoIterator<Item = T>,
+        T: AsRef<[u8]>,
+    {
+        for e in it {
+            self = self.mix(e.as_ref())?;
+        }
+        Ok(self)
+    }
+
    /// Creates a new [SecretHashDomain] by mixing in a new key `v`
    /// by calling [SecretHashDomain::invoke_primitive] with the key of this
    /// [HashDomainNamespace] as `k` and `v` as `d`.
--- a/ciphers/src/subtle/libcrux/mod.rs
+++ b/ciphers/src/subtle/libcrux/mod.rs
@@ -4,11 +4,11 @@
 //!
 //! [Github](https://github.com/cryspen/libcrux)

-#[cfg(feature = "experiment_libcrux_blake2")]
+#[cfg(feature = "experiment_libcrux_define_blake2")]
 pub mod blake2b;

-#[cfg(feature = "experiment_libcrux_chachapoly")]
+#[cfg(feature = "experiment_libcrux_define_chachapoly")]
 pub mod chacha20poly1305_ietf;

-#[cfg(feature = "experiment_libcrux_kyber")]
+#[cfg(feature = "experiment_libcrux_define_kyber")]
 pub mod kyber512;
--- a/ciphers/src/subtle/mod.rs
+++ b/ciphers/src/subtle/mod.rs
@@ -9,8 +9,8 @@ pub mod custom;
 pub mod rust_crypto;

 #[cfg(any(
-    feature = "experiment_libcrux_blake2",
-    feature = "experiment_libcrux_chachapoly",
-    feature = "experiment_libcrux_kyber"
+    feature = "experiment_libcrux_define_blake2",
+    feature = "experiment_libcrux_define_chachapoly",
+    feature = "experiment_libcrux_define_kyber",
 ))]
 pub mod libcrux;
--- a/constant-time/Cargo.toml
+++ b/constant-time/Cargo.toml
@@ -8,7 +8,7 @@ description = "Rosenpass internal utilities for constant time crypto implementat
 homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
 readme = "readme.md"
-rust-version = "1.77"
+rust-version = "1.77.0"

 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

--- a/deny.toml
+++ b/deny.toml
@@ -24,11 +24,7 @@ feature-depth = 1
 [advisories]
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
-ignore = [
-    "RUSTSEC-2024-0370",
-    "RUSTSEC-2024-0436",
-    "RUSTSEC-2023-0089",
-]
+ignore = ["RUSTSEC-2024-0370", "RUSTSEC-2024-0436", "RUSTSEC-2023-0089"]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.
 # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
@@ -43,11 +39,11 @@ ignore = [
 # See https://spdx.org/licenses/ for list of possible licenses
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
 allow = [
-    "MIT",
-    "Apache-2.0",
-    "Apache-2.0 WITH LLVM-exception",
-    "BSD-3-Clause",
-    "ISC",
+  "MIT",
+  "Apache-2.0",
+  "Apache-2.0 WITH LLVM-exception",
+  "BSD-3-Clause",
+  "ISC",
 ]
 # The confidence threshold for detecting a license from license text.
 # The higher the value, the more closely the license text must be to the
@@ -57,10 +53,10 @@ confidence-threshold = 0.8
 # Allow 1 or more licenses on a per-crate basis, so that particular licenses
 # aren't accepted for every possible crate as with the normal allow list
 exceptions = [
-    # Each entry is the crate and version constraint, and its specific allow
-    # list
-    { allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" },
-    { allow = ["NCSA"], crate = "libfuzzer-sys" },
+  # Each entry is the crate and version constraint, and its specific allow
+  # list
+  { allow = ["Unicode-DFS-2016", "Unicode-3.0"], crate = "unicode-ident" },
+  { allow = ["NCSA"], crate = "libfuzzer-sys" },

 ]

@@ -94,15 +90,11 @@ workspace-default-features = "allow"
 # on a crate-by-crate basis if desired.
 external-default-features = "allow"
 # List of crates that are allowed. Use with care!
-allow = [
-]
+allow = []
 # List of crates to deny
-deny = [
-]
+deny = []

-skip-tree = [
-
-]
+skip-tree = []

 # This section is considered when running `cargo deny check sources`.
 # More documentation about the 'sources' section can be found here:
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1

 ARG BASE_IMAGE=debian:bookworm-slim
+ARG CHEF_IMAGE=rust:slim-bookworm

 # Stage 1: Base image with cargo-chef installed
-FROM rust:latest AS chef
+FROM ${CHEF_IMAGE} AS chef
 RUN cargo install cargo-chef
 # install software required for liboqs-rust
 RUN apt-get update && apt-get install -y clang cmake && rm -rf /var/lib/apt/lists/*
--- a/flake.lock
+++ b/flake.lock
@@ -1,26 +1,5 @@
 {
  "nodes": {
-    "fenix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "rust-analyzer-src": "rust-analyzer-src"
-      },
-      "locked": {
-        "lastModified": 1728282832,
-        "narHash": "sha256-I7AbcwGggf+CHqpyd/9PiAjpIBGTGx5woYHqtwxaV7I=",
-        "owner": "nix-community",
-        "repo": "fenix",
-        "rev": "1ec71be1f4b8f3105c5d38da339cb061fefc43f4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "fenix",
-        "type": "github"
-      }
-    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@@ -39,6 +18,24 @@
        "type": "github"
      }
    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "nix-vm-test": {
      "inputs": {
        "nixpkgs": [
@@ -59,6 +56,27 @@
        "type": "github"
      }
    },
+    "nix-vm-test_2": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734355073,
+        "narHash": "sha256-FfdPOGy1zElTwKzjgIMp5K2D3gfPn6VWjVa4MJ9L1Tc=",
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "rev": "5948de39a616f2261dbbf4b6f25cbe1cbefd788c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1728193676,
@@ -77,26 +95,77 @@
    },
    "root": {
      "inputs": {
-        "fenix": "fenix",
        "flake-utils": "flake-utils",
        "nix-vm-test": "nix-vm-test",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "rosenpassOld": "rosenpassOld",
+        "rust-overlay": "rust-overlay_2",
+        "treefmt-nix": "treefmt-nix_2"
      }
    },
-    "rust-analyzer-src": {
-      "flake": false,
+    "rosenpassOld": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nix-vm-test": "nix-vm-test_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay",
+        "treefmt-nix": "treefmt-nix"
+      },
      "locked": {
-        "lastModified": 1728249780,
-        "narHash": "sha256-J269DvCI5dzBmPrXhAAtj566qt0b22TJtF3TIK+tMsI=",
-        "owner": "rust-lang",
-        "repo": "rust-analyzer",
-        "rev": "2b750da1a1a2c1d2c70896108d7096089842d877",
+        "lastModified": 1754748821,
+        "narHash": "sha256-mMggTZDC97lLvKNOLtDz3GBjjxXFD++e1s0RZsVH/vI=",
+        "owner": "rosenpass",
+        "repo": "rosenpass",
+        "rev": "916a9ebb7133f0b22057fb097a473217f261928a",
        "type": "github"
      },
      "original": {
-        "owner": "rust-lang",
-        "ref": "nightly",
-        "repo": "rust-analyzer",
+        "owner": "rosenpass",
+        "repo": "rosenpass",
+        "rev": "916a9ebb7133f0b22057fb097a473217f261928a",
+        "type": "github"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744513456,
+        "narHash": "sha256-NLVluTmK8d01Iz+WyarQhwFcXpHEwU7m5hH3YQQFJS0=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "730fd8e82799219754418483fabe1844262fd1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744513456,
+        "narHash": "sha256-NLVluTmK8d01Iz+WyarQhwFcXpHEwU7m5hH3YQQFJS0=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "730fd8e82799219754418483fabe1844262fd1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
        "type": "github"
      }
    },
@@ -114,6 +183,62 @@
        "repo": "default",
        "type": "github"
      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743748085,
+        "narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743748085,
+        "narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -3,41 +3,56 @@
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    flake-utils.url = "github:numtide/flake-utils";

-    # for rust nightly with llvm-tools-preview
-    fenix.url = "github:nix-community/fenix";
-    fenix.inputs.nixpkgs.follows = "nixpkgs";
-
    nix-vm-test.url = "github:numtide/nix-vm-test";
    nix-vm-test.inputs.nixpkgs.follows = "nixpkgs";
    nix-vm-test.inputs.flake-utils.follows = "flake-utils";
+
+    # for rust nightly with llvm-tools-preview
+    rust-overlay.url = "github:oxalica/rust-overlay";
+    rust-overlay.inputs.nixpkgs.follows = "nixpkgs";
+
+    treefmt-nix.url = "github:numtide/treefmt-nix";
+    treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Older version of rosenpass, referenced here for backwards compatibility
+    rosenpassOld.url = "github:rosenpass/rosenpass?rev=916a9ebb7133f0b22057fb097a473217f261928a";
+    rosenpassOld.inputs.nixpkgs.follows = "nixpkgs";
  };

-  outputs = { self, nixpkgs, flake-utils, nix-vm-test, ... }@inputs:
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils,
+      nix-vm-test,
+      rust-overlay,
+      treefmt-nix,
+      rosenpassOld,
+      ...
+    }@inputs:
    nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [

-
      #
      ### Export the overlay.nix from this flake ###
      #
-      {
-        overlays.default = import ./overlay.nix;
-      }
-
+      { overlays.default = import ./overlay.nix; }

      #
      ### Actual Rosenpass Package and Docker Container Images ###
      #
-      (flake-utils.lib.eachSystem [
-        "x86_64-linux"
-        "aarch64-linux"
+      (flake-utils.lib.eachSystem
+        [
+          "x86_64-linux"
+          "aarch64-linux"

-        # unsuported best-effort
-        "i686-linux"
-        "x86_64-darwin"
-        "aarch64-darwin"
-        # "x86_64-windows"
-      ]
-        (system:
+          # unsuported best-effort
+          "i686-linux"
+          "x86_64-darwin"
+          "aarch64-darwin"
+          # "x86_64-windows"
+        ]
+        (
+          system:
          let
            # normal nixpkgs
            pkgs = import nixpkgs {
@@ -48,130 +63,185 @@
            };
          in
          {
-            packages = {
-              default = pkgs.rosenpass;
-              rosenpass = pkgs.rosenpass;
-              rosenpass-oci-image = pkgs.rosenpass-oci-image;
-              rp = pkgs.rp;
+            packages =
+              {
+                default = pkgs.rosenpass;
+                rosenpass = pkgs.rosenpass;
+                rosenpass-oci-image = pkgs.rosenpass-oci-image;
+                rp = pkgs.rp;

-              release-package = pkgs.release-package;
+                release-package = pkgs.release-package;

-              # for good measure, we also offer to cross compile to Linux on Arm
-              aarch64-linux-rosenpass-static =
-                pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
-              aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
-            }
-            //
-            # We only offer static builds for linux, as this is not supported on OS X
-            (nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
-              rosenpass-static = pkgs.pkgsStatic.rosenpass;
-              rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
-              rp-static = pkgs.pkgsStatic.rp;
-            });
+                # for good measure, we also offer to cross compile to Linux on Arm
+                aarch64-linux-rosenpass-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rosenpass;
+                aarch64-linux-rp-static = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic.rp;
+              }
+              //
+              # We only offer static builds for linux, as this is not supported on OS X
+              (nixpkgs.lib.attrsets.optionalAttrs pkgs.stdenv.isLinux {
+                rosenpass-static = pkgs.pkgsStatic.rosenpass;
+                rosenpass-static-oci-image = pkgs.pkgsStatic.rosenpass-oci-image;
+                rp-static = pkgs.pkgsStatic.rp;
+              });
          }
-        ))
-
+        )
+      )

      #
      ### Linux specifics ###
      #
-      (flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
-        let
-          pkgs = import nixpkgs {
-            inherit system;
+      (flake-utils.lib.eachSystem
+        [
+          "x86_64-linux"
+          "aarch64-linux"
+          "i686-linux"
+        ]
+        (
+          system:
+          let
+            pkgs = import nixpkgs {
+              inherit system;

-            # apply our own overlay, overriding/inserting our packages as defined in ./pkgs
-            overlays = [
-              self.overlays.default
-              nix-vm-test.overlays.default
-            ];
-          };
-        in
-        {
-          packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
-            rosenpass = pkgs.pkgsStatic.rosenpass;
-          };
-          packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix {
-            rosenpass = pkgs.pkgsStatic.rosenpass;
-          };
+              overlays = [
+                # apply our own overlay, overriding/inserting our packages as defined in ./pkgs
+                self.overlays.default

-          #
-          ### Reading materials ###
-          #
-          packages.whitepaper = pkgs.whitepaper;
+                nix-vm-test.overlays.default

-          #
-          ### Proof and Proof Tools ###
-          #
-          packages.proverif-patched = pkgs.proverif-patched;
-          packages.proof-proverif = pkgs.proof-proverif;
+                # apply rust-overlay to get specific versions of the rust toolchain for a MSRV check
+                (import rust-overlay)
+              ];
+            };

+            treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
+          in
+          {
+            packages.package-deb = pkgs.callPackage ./pkgs/package-deb.nix {
+              rosenpass = pkgs.pkgsStatic.rosenpass;
+            };
+            packages.package-rpm = pkgs.callPackage ./pkgs/package-rpm.nix {
+              rosenpass = pkgs.pkgsStatic.rosenpass;
+            };

-          #
-          ### Devshells ###
-          #
-          devShells.default = pkgs.mkShell {
-            inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
-            inputsFrom = [ pkgs.rosenpass ];
-            nativeBuildInputs = with pkgs; [
-              cargo-release
-              clippy
-              rustfmt
-              nodePackages.prettier
-              nushell # for the .ci/gen-workflow-files.nu script
-              proverif-patched
-            ];
-          };
-          # TODO: Write this as a patched version of the default environment
-          devShells.fullEnv = pkgs.mkShell {
-            inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
-            inputsFrom = [ pkgs.rosenpass ];
-            nativeBuildInputs = with pkgs; [
-              cargo-audit
-              cargo-release
-              cargo-msrv
-              rustfmt
-              nodePackages.prettier
-              nushell # for the .ci/gen-workflow-files.nu script
-              proverif-patched
-              inputs.fenix.packages.${system}.complete.toolchain
-              pkgs.cargo-llvm-cov
-              pkgs.grcov
-            ];
-          };
-          devShells.coverage = pkgs.mkShell {
-            inputsFrom = [ pkgs.rosenpass ];
-            nativeBuildInputs = [
-              inputs.fenix.packages.${system}.complete.toolchain
-              pkgs.cargo-llvm-cov
-              pkgs.grcov
-            ];
-          };
+            #
+            ### Reading materials ###
+            #
+            packages.whitepaper = pkgs.whitepaper;

+            #
+            ### Proof and Proof Tools ###
+            #
+            packages.proverif-patched = pkgs.proverif-patched;
+            packages.proof-proverif = pkgs.proof-proverif;

-          checks = {
-            systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
-            systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
+            #
+            ### Devshells ###
+            #
+            devShells.default = pkgs.mkShell {
+              inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
+              inputsFrom = [ pkgs.rosenpass ];
+              nativeBuildInputs = with pkgs; [
+                cargo-release
+                clippy
+                rustfmt
+                nodePackages.prettier
+                nushell # for the .ci/gen-workflow-files.nu script
+                proverif-patched
+              ];
+            };
+            # TODO: Write this as a patched version of the default environment
+            devShells.fullEnv = pkgs.mkShell {
+              inherit (pkgs.proof-proverif) CRYPTOVERIF_LIB;
+              inputsFrom = [ pkgs.rosenpass ];
+              nativeBuildInputs = with pkgs; [
+                cargo-audit
+                cargo-msrv
+                cargo-release
+                cargo-vet
+                rustfmt
+                nodePackages.prettier
+                nushell # for the .ci/gen-workflow-files.nu script
+                proverif-patched
+                pkgs.cargo-llvm-cov
+                pkgs.grcov
+                pkgs.rust-bin.stable.latest.complete
+              ];
+            };
+            devShells.coverage = pkgs.mkShell {
+              inputsFrom = [ pkgs.rosenpass ];
+              nativeBuildInputs = [
+                pkgs.cargo-llvm-cov
+                pkgs.grcov
+                pkgs.rustc.llvmPackages.llvm
+              ];
+              env = {
+                inherit (pkgs.cargo-llvm-cov) LLVM_COV LLVM_PROFDATA;
+              };
+            };
+            devShells.benchmarks = pkgs.mkShell {
+              inputsFrom = [ pkgs.rosenpass ];
+              nativeBuildInputs = with pkgs; [
+                cargo-release
+                clippy
+                rustfmt
+              ];
+            };
+            # a devshell to hunt unsafe `unsafe` in the code
+            devShells.miri = pkgs.mkShell {
+              # inputsFrom = [ self.packages.${system}.rosenpass ];
+              nativeBuildInputs = with pkgs; [
+                ((rust-bin.selectLatestNightlyWith (toolchain: toolchain.default)).override {
+                  extensions = [
+                    "rust-analysis"
+                    "rust-src"
+                    "miri-preview"
+                  ];
+                })
+                pkgs.cmake
+                pkgs.rustPlatform.bindgenHook
+              ];
+              # Run this to find unsafe `unsafe`:
+              # MIRIFLAGS="-Zmiri-disable-isolation" cargo miri test --no-fail-fast --lib --bins --tests
+              #
+              # - Some test failure is expected.
+            };

-            cargo-fmt = pkgs.runCommand "check-cargo-fmt"
-              { inherit (self.devShells.${system}.default) nativeBuildInputs buildInputs; } ''
-              cargo fmt --manifest-path=${./.}/Cargo.toml --check --all && touch $out
-            '';
-            nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt"
-              { nativeBuildInputs = [ pkgs.nixpkgs-fmt ]; } ''
-              nixpkgs-fmt --check ${./.} && touch $out
-            '';
-            prettier-check = pkgs.runCommand "check-with-prettier"
-              { nativeBuildInputs = [ pkgs.nodePackages.prettier ]; } ''
-              cd ${./.} && prettier --check . && touch $out
-            '';
-          } // pkgs.lib.optionalAttrs (system == "x86_64-linux") (import ./tests/legacy-distro-packaging.nix {
-            inherit pkgs;
-            rosenpass-deb = self.packages.${system}.package-deb;
-            rosenpass-rpm = self.packages.${system}.package-rpm;
-          });
+            checks =
+              import ./tests/integration/integration-checks.nix {
+                inherit system;
+                pkgs = inputs.nixpkgs;
+                lib = nixpkgs.lib;
+                rosenpassNew = self.packages.${system}.default;
+                rosenpassOld = rosenpassOld.packages.${system}.default;
+              }
+              // {
+                systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
+                systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
+                formatting = treefmtEval.config.build.check self;
+                rosenpass-msrv-check =
+                  let
+                    rosenpassCargoToml = pkgs.lib.trivial.importTOML ./rosenpass/Cargo.toml;

-          formatter = pkgs.nixpkgs-fmt;
-        }))
+                    rustToolchain = pkgs.rust-bin.stable.${rosenpassCargoToml.package.rust-version}.default;
+                    rustPlatform = pkgs.makeRustPlatform {
+                      cargo = rustToolchain;
+                      rustc = rustToolchain;
+                    };
+                  in
+                  pkgs.rosenpass.override { inherit rustPlatform; };
+              }
+              // pkgs.lib.optionalAttrs (system == "x86_64-linux") (
+                import ./tests/legacy-distro-packaging.nix {
+                  inherit pkgs;
+                  rosenpass-deb = self.packages.${system}.package-deb;
+                  rosenpass-rpm = self.packages.${system}.package-rpm;
+                }
+              );
+
+            # for `nix fmt`
+            formatter = treefmtEval.config.build.wrapper;
+          }
+        )
+      )
    ];
 }
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -3,7 +3,7 @@ name = "rosenpass-fuzzing"
 version = "0.0.1"
 publish = false
 edition = "2021"
-rust-version = "1.77"
+rust-version = "1.77.0"

 [features]
 experiment_libcrux = ["rosenpass-ciphers/experiment_libcrux_all"]
--- a/oqs/Cargo.toml
+++ b/oqs/Cargo.toml
@@ -8,7 +8,7 @@ description = "Rosenpass internal bindings to liboqs"
 homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
 readme = "readme.md"
-rust-version = "1.77"
+rust-version = "1.77.0"

 [dependencies]
 rosenpass-cipher-traits = { workspace = true }
--- a/overlay.nix
+++ b/overlay.nix
@@ -1,6 +1,5 @@
 final: prev: {

-
  #
  ### Actual rosenpass software ###
  #
@@ -27,7 +26,10 @@ final: prev: {
      "marzipan(/marzipan.awk)?"
      "analysis(/.*)?"
    ];
-    nativeBuildInputs = [ final.proverif final.graphviz ];
+    nativeBuildInputs = [
+      final.proverif
+      final.graphviz
+    ];
    CRYPTOVERIF_LIB = final.proverif-patched + "/lib/cryptoverif.pvl";
    installPhase = ''
      mkdir -p $out
--- a/papers/graphics/rosenpass-wireguard-hybrid-security.pdf
+++ b/papers/graphics/rosenpass-wireguard-hybrid-security.pdf
--- a/papers/graphics/rosenpass-wp-hashing-tree-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-hashing-tree-rgb.pdf
--- a/papers/graphics/rosenpass-wp-hashing-tree-rgb.svg
+++ b/papers/graphics/rosenpass-wp-hashing-tree-rgb.svg
--- a/papers/graphics/rosenpass-wp-hashing-tree.afdesign
+++ b/papers/graphics/rosenpass-wp-hashing-tree.afdesign
--- a/papers/graphics/rosenpass-wp-hashing-tree.pdf
+++ b/papers/graphics/rosenpass-wp-hashing-tree.pdf
--- a/papers/graphics/rosenpass-wp-hashing-tree.png
+++ b/papers/graphics/rosenpass-wp-hashing-tree.png
--- a/papers/graphics/rosenpass-wp-hashing-tree.svg
+++ b/papers/graphics/rosenpass-wp-hashing-tree.svg
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.pdf
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg
@@ -1,191 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 2037 1491" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
-        <rect id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
-        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51"/>
-        </clipPath>
-        <g clip-path="url(#_clip1)">
-            <g transform="matrix(0.377816,0,0,0.318513,-62.5845,3.62207)">
-                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.11885,0,0,0.472336,1334.4,22.5297)">
-                <path d="M497.076,394.18L497.076,1793.56C497.076,1793.56 -810.094,1791.78 -810.094,1793.56L-810.094,2231.73L497.076,2231.73L497.076,3888.59" style="fill:none;stroke:rgb(255,166,48);stroke-width:15.37px;"/>
-            </g>
-            <g transform="matrix(1.10326,0,0,0.239529,-152.083,336.057)">
-                <g transform="matrix(0.946041,-0,-0,4.72559,298.433,-663.352)">
-                    <path d="M1597.09,252.781L1609.59,265.281L1597.09,277.781" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M209.973,265.281L1609.59,265.281" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,90.8277)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-323.596,-1172.27)">
-                <g transform="matrix(50,0,0,50,1497.15,1475.25)">
-                </g>
-                <text x="1302.95px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1469.15px " y="1475.25px ">o</tspan></text>
-            </g>
-            <g transform="matrix(1.10157,0,0,0.239529,-151.245,1006.25)">
-                <g transform="matrix(0.947489,-0,-0,4.72559,298.129,-3461.31)">
-                    <path d="M1597.09,844.867L1609.59,857.367L1597.09,869.867" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M209.973,857.367L1609.59,857.367" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,752.344)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.19416,0,0,0.275328,1052.99,940.806)">
-                <path d="M1608.99,571.746C1608.99,563.706 1600.46,557.179 1589.95,557.179L666.712,557.179C656.199,557.179 647.664,563.706 647.664,571.746L647.664,931.068C647.664,939.108 656.199,945.635 666.712,945.635L1589.95,945.635C1600.46,945.635 1608.99,939.108 1608.99,931.068L1608.99,571.746Z" style="fill:rgb(255,211,152);stroke:white;stroke-width:19.24px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-345.04,-502.074)">
-                <g transform="matrix(50,0,0,50,1404.28,1475.25)">
-                </g>
-                <text x="1227.23px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1330.68px " y="1475.25px ">o</tspan>nf</text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-34.3588,-501.229)">
-                <g transform="matrix(41.6667,0,0,41.6667,1315.29,1464.53)">
-                </g>
-                <text x="1188.09px" y="1464.53px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:41.667px;">Biscuit</text>
-            </g>
-            <g transform="matrix(8.61155e-18,1.13192,-0.0754413,3.71795e-17,1069.8,-342.031)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(247,4,132);stroke-width:17.63px;"/>
-            </g>
-            <g transform="matrix(8.61155e-18,1.13192,-0.0754413,3.71795e-17,1069.8,-288.169)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.63px;"/>
-            </g>
-            <g transform="matrix(1.10808,0,0,1.04133,-187.35,-115.819)">
-                <path d="M497.076,394.18L497.076,1896.68" style="fill:none;stroke:rgb(247,4,132);stroke-width:12.58px;"/>
-            </g>
-            <g transform="matrix(-1.09658,0,0,0.321304,2399.88,618.547)">
-                <g transform="matrix(-0.9518,0,0,3.52288,2026.95,-1373.72)">
-                    <path d="M220.225,569.992L207.725,557.492L220.225,544.992" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M1607.34,557.492L207.725,557.492" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,421.586)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.19416,0,0,0.275328,1052.99,601.372)">
-                <path d="M1608.99,571.746C1608.99,563.706 1600.46,557.179 1589.95,557.179L666.712,557.179C656.199,557.179 647.664,563.706 647.664,571.746L647.664,931.068C647.664,939.108 656.199,945.635 666.712,945.635L1589.95,945.635C1600.46,945.635 1608.99,939.108 1608.99,931.068L1608.99,571.746Z" style="fill:rgb(255,211,152);stroke:white;stroke-width:19.24px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-345.04,-841.508)">
-                <g transform="matrix(50,0,0,50,1433.76,1475.25)">
-                </g>
-                <text x="1197.76px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1230.81px " y="1475.25px ">e</tspan>spHell<tspan x="1405.76px " y="1475.25px ">o</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-34.3588,-841.794)">
-                <g transform="matrix(41.6667,0,0,41.6667,1315.29,1464.53)">
-                </g>
-                <text x="1188.09px" y="1464.53px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:41.667px;">Biscuit</text>
-            </g>
-            <g transform="matrix(-1.10076,0,0,0.321304,2401.96,1404.06)">
-                <g transform="matrix(-0.94819,0,0,3.52288,2021.14,-3818.47)">
-                    <path d="M220.225,1263.96L207.725,1251.46L220.225,1238.96" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M1607.34,1251.46L207.725,1251.46" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,1207.09)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-323.596,-115.707)">
-                <g transform="matrix(50,0,0,50,1528.5,1528)">
-                </g>
-                <text x="1274.4px" y="1528px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">Emp<tspan x="1375.85px 1394.1px " y="1528px 1528px ">ty</tspan>Data</text>
-            </g>
-            <g transform="matrix(1.16933e-17,1.13192,-0.102439,3.71795e-17,1384.12,272.481)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.59px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.16933e-17,1.13192,-0.102439,3.71795e-17,1384.12,612.276)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.59px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(0.377816,0,0,0.318513,1464.43,3.62207)">
-                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.04373,2.9937e-16,-2.74652e-16,1.13192,767.205,-815.996)">
-                <text x="1171.58px" y="1474.94px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">r<tspan x="1185.58px " y="1474.94px ">e</tspan>sponder</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1432.53,1516.61)">
-                </g>
-                <text x="1171.58px" y="1516.61px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">aut<tspan x="1230.45px " y="1516.61px ">h</tspan>ent<tspan x="1313.16px 1322.41px 1341.33px 1363.08px 1377.16px " y="1516.61px 1516.61px 1516.61px 1516.61px 1516.61px ">icati</tspan>on</text>
-            </g>
-            <g transform="matrix(1.04373,1.80409e-17,1.85964e-17,1.13192,767.205,-611.456)">
-                <text x="1171.58px" y="1454.11px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">init<tspan x="1227.49px " y="1454.11px ">i</tspan>at<tspan x="1272.24px " y="1454.11px ">o</tspan>r</text>
-                <text x="1171.58px" y="1495.78px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">aut<tspan x="1230.45px " y="1495.78px ">h</tspan>ent<tspan x="1313.16px 1322.41px 1341.33px 1363.08px 1377.16px " y="1495.78px 1495.78px 1495.78px 1495.78px 1495.78px ">icati</tspan>on,</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1464.49,1537.44)">
-                </g>
-                <text x="1171.58px" y="1537.44px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">f<tspan x="1184.24px 1207.03px 1222.53px 1256.91px 1278.66px 1292.66px " y="1537.44px 1537.44px 1537.44px 1537.44px 1537.44px 1537.44px ">orward</tspan> secr<tspan x="1402.12px " y="1537.44px ">e</tspan>cy</text>
-            </g>
-            <g transform="matrix(1.04373,1.80409e-17,1.85964e-17,1.13192,705.967,-92.9691)">
-                <text x="1171.58px" y="1474.94px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">ackno<tspan x="1278.49px 1313.28px 1324.95px " y="1474.94px 1474.94px 1474.94px ">wle</tspan>dges</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1314.2,1516.61)">
-                </g>
-                <text x="1171.58px" y="1516.61px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">InitC<tspan x="1254.78px " y="1516.61px ">o</tspan>nf</text>
-            </g>
-            <g transform="matrix(1.04373,1.72621e-17,1.94353e-17,1.13192,767.205,-321.469)">
-                <text x="1171.58px" y="1472.39px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">OSK handed</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1422.78,1514.06)">
-                </g>
-                <text x="1171.58px" y="1514.06px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">t<tspan x="1185.33px " y="1514.06px ">o</tspan> W<tspan x="1264.74px 1273.99px 1287.99px " y="1514.06px 1514.06px 1514.06px ">ire</tspan>Guar<tspan x="1398.83px " y="1514.06px ">d</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-159.675,-1425.03)">
-                <g transform="matrix(33.3333,0,0,33.3333,1376.21,1461.44)">
-                </g>
-                <text x="1171.58px" y="1461.44px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:33.333px;fill:rgb(64,63,73);">Init<tspan x="1219.48px " y="1461.44px ">i</tspan>at<tspan x="1256.91px " y="1461.44px ">o</tspan>r Stat<tspan x="1358.41px " y="1461.44px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-159.675,-1369.01)">
-                <g transform="matrix(33.3333,0,0,33.3333,1422.81,1461.44)">
-                </g>
-                <text x="1171.58px" y="1461.44px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:33.333px;fill:rgb(64,63,73);">R<tspan x="1193.61px " y="1461.44px ">e</tspan>sponder Stat<tspan x="1405.01px " y="1461.44px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-1040.69,-1406.95)">
-                <g transform="matrix(50,0,0,50,1434.05,1476.14)">
-                </g>
-                <text x="1257.1px" y="1476.14px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:50px;fill:white;">Init<tspan x="1330.14px " y="1476.14px ">i</tspan>at<tspan x="1387.14px " y="1476.14px ">o</tspan>r</text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,486.326,-1406.95)">
-                <g transform="matrix(50,0,0,50,1468.55,1476.14)">
-                </g>
-                <text x="1222.6px" y="1476.14px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:50px;fill:white;">R<tspan x="1255.85px " y="1476.14px ">e</tspan>sponder</text>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,-284.091)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,-79.5508)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,207.55)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,2.04033e-17,1.82707e-17,1.13192,287.154,-312.768)">
-                <g transform="matrix(41.6667,0,0,41.6667,1473.76,1457.69)">
-                </g>
-                <text x="1274.85px" y="1457.69px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">handshak<tspan x="1451.8px " y="1457.69px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,4.8711e-17,3.06091e-17,1.13192,312.355,-241.08)">
-                <g transform="matrix(41.6667,0,0,41.6667,1449.62,1457.69)">
-                </g>
-                <text x="1249.16px" y="1457.69px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">l<tspan x="1262.7px 1273.62px 1296.24px 1319.87px 1332.03px 1357.66px 1382.66px 1406.07px 1427.66px " y="1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px ">ive phase</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.24761,-135.752,-334.388)">
-                <g transform="matrix(1,-0,-0,0.90727,299.807,410.028)">
-                    <path d="M1593.36,999.66L1602.74,980.91L1612.11,999.66C1607.42,994.973 1598.05,994.973 1593.36,999.66Z" style="fill:rgb(179,178,182);"/>
-                    <path d="M1602.74,1027.14L1602.74,995.91" style="fill:none;stroke:rgb(179,178,182);stroke-width:6.25px;stroke-linecap:round;"/>
-                </g>
-            </g>
-            <g transform="matrix(-1.04373,1.52788e-16,-1.2782e-16,-1.24761,3835.73,3054.11)">
-                <g transform="matrix(-1,-1.22465e-16,1.11109e-16,-0.90727,3505.28,2305.97)">
-                    <path d="M1612.11,1090.07L1602.74,1108.82L1593.36,1090.07C1598.05,1094.75 1607.42,1094.75 1612.11,1090.07Z" style="fill:rgb(179,178,182);"/>
-                    <path d="M1602.74,1062.59L1602.74,1093.82" style="fill:none;stroke:rgb(179,178,182);stroke-width:6.25px;stroke-linecap:round;"/>
-                </g>
-            </g>
-        </g>
-    </g>
-</svg>
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.afdesign
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.afdesign
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.pdf
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.pdf
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.png
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.png
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.svg
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.svg
@@ -1,15 +1,12 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 2037 1491" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
-        <rect id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
+        <rect x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51"/>
+            <rect x="177.165" y="177.165" width="2125.98" height="1687.51"/>
        </clipPath>
        <g clip-path="url(#_clip1)">
-            <g transform="matrix(1.04373,0,0,1.13192,177.165,177.165)">
-                <rect x="-16.526" y="0" width="2083.17" height="1490.84" style="fill:white;"/>
-            </g>
            <g transform="matrix(0.377816,0,0,0.318513,-62.5845,3.62207)">
                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(247,4,132);"/>
            </g>
--- a/papers/graphics/rosenpass-wp-message-handling-code-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-message-handling-code-rgb.pdf
--- a/papers/graphics/rosenpass-wp-message-handling-code-rgb.svg
+++ b/papers/graphics/rosenpass-wp-message-handling-code-rgb.svg
--- a/papers/graphics/rosenpass-wp-message-handling-code.afdesign
+++ b/papers/graphics/rosenpass-wp-message-handling-code.afdesign
--- a/papers/graphics/rosenpass-wp-message-handling-code.pdf
+++ b/papers/graphics/rosenpass-wp-message-handling-code.pdf
--- a/papers/graphics/rosenpass-wp-message-handling-code.png
+++ b/papers/graphics/rosenpass-wp-message-handling-code.png
--- a/papers/graphics/rosenpass-wp-message-handling-code.svg
+++ b/papers/graphics/rosenpass-wp-message-handling-code.svg
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 2990 2133" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(1.0091,0,0,1.00305,-371.54,-177.706)">
-        <rect id="ArtBoard1" x="368.192" y="177.165" width="2962.52" height="2125.98" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(1.0091,0,0,1.00305,-371.54,-177.706)">
+        <rect x="368.192" y="177.165" width="2962.52" height="2125.98" style="fill:none;"/>
        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="368.192" y="177.165" width="2962.52" height="2125.98"/>
+            <rect x="368.192" y="177.165" width="2962.52" height="2125.98"/>
        </clipPath>
        <g clip-path="url(#_clip1)">
            <g transform="matrix(0.990987,0,0,0.996959,368.192,177.165)">
@@ -70,9 +70,6 @@
            <g transform="matrix(0.72523,0,0,0.837445,1933.65,1691.32)">
                <path d="M1922.27,398.791C1922.27,390.83 1914.85,384.367 1905.72,384.367L363.747,384.367C354.61,384.367 347.192,390.83 347.192,398.791L347.192,427.639C347.192,435.599 354.61,442.062 363.747,442.062L1905.72,442.062C1914.85,442.062 1922.27,435.599 1922.27,427.639L1922.27,398.791Z" style="fill:rgb(253,180,218);fill-opacity:0.5;"/>
            </g>
-            <g transform="matrix(1.1024,0,0,1.21164,9.17461,250.929)">
-                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
-            </g>
            <g transform="matrix(1.1024,0,0,1.20414,9.17461,982.985)">
                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(255,229,193);"/>
            </g>
@@ -94,6 +91,9 @@
            <g transform="matrix(1.1024,0,0,1.21164,9.17461,375.544)">
                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
            </g>
+            <g transform="matrix(1.1024,0,0,1.21164,9.17461,251.722)">
+                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
+            </g>
            <g transform="matrix(1.1024,0,0,0.837445,9.17461,1264.69)">
                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(255,229,193);"/>
            </g>
@@ -310,7 +310,7 @@
            <g transform="matrix(0.990987,0,0,0.996959,400.873,805.267)">
                <g transform="matrix(29.1667,0,0,29.1667,209.923,19.398)">
                </g>
-                <text x="142.169px" y="19.398px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">pidiC</text>
+                <text x="123.853px" y="19.398px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">pidi_<tspan x="185.89px " y="19.398px ">c</tspan>t</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,556.294,805.267)">
                <text x="63.967px" y="19.461px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
@@ -351,9 +351,9 @@
                <text x="46.506px" y="26.764px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="46.506px " y="26.764px ">m</tspan>ix(sidi, epki)</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1406.03,735.765)">
-                <g transform="matrix(29.1667,0,0,29.1667,595.77,26.2132)">
+                <g transform="matrix(29.1667,0,0,29.1667,595.391,26.2132)">
                </g>
-                <text x="70.595px" y="26.213px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="70.595px " y="26.213px ">d</tspan>ec<tspan x="115.978px " y="26.213px ">a</tspan>ps<tspan x="161.77px 176.207px " y="26.213px 26.213px ">_a</tspan>nd_mix&lt;SKEM&gt;(sskr<tspan x="457.374px " y="26.213px ">,</tspan> spkr<tspan x="525.303px " y="26.213px ">,</tspan> ct1)</text>
+                <text x="70.595px" y="26.213px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="70.595px " y="26.213px ">d</tspan>ec<tspan x="115.978px " y="26.213px ">a</tspan>ps<tspan x="161.77px 176.207px " y="26.213px 26.213px ">_a</tspan>nd_mix&lt;SKEM&gt;(sskr<tspan x="457.374px " y="26.213px ">,</tspan> spkr<tspan x="525.303px " y="26.213px ">,</tspan> sctr<tspan x="586.67px " y="26.213px ">)</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,944.05,805.321)">
                <g transform="matrix(29.1667,0,0,29.1667,492.12,19.3437)">
@@ -362,9 +362,9 @@
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1343.8,805.267)">
                <text x="97.956px" y="19.461px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
-                <g transform="matrix(29.1667,0,0,29.1667,621.377,19.4608)">
+                <g transform="matrix(29.1667,0,0,29.1667,641.239,19.4608)">
                </g>
-                <text x="133.389px" y="19.461px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="133.389px 141.556px " y="19.461px 19.461px ">lo</tspan>okup<tspan x="219.81px " y="19.461px ">_</tspan>peer(<tspan x="300.31px " y="19.461px ">d</tspan>ecr<tspan x="356.689px 371.535px 388.16px 398.281px 412.718px " y="19.461px 19.461px 19.461px 19.461px 19.461px ">ypt_a</tspan>nd_mix(pidiC))</text>
+                <text x="133.389px" y="19.461px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="133.389px 141.556px " y="19.461px 19.461px ">lo</tspan>okup<tspan x="219.81px " y="19.461px ">_</tspan>peer(<tspan x="300.31px " y="19.461px ">d</tspan>ecr<tspan x="356.689px 371.535px 388.16px 398.281px 412.718px " y="19.461px 19.461px 19.461px 19.461px 19.461px ">ypt_a</tspan>nd_mix(pidi_<tspan x="590.956px 604.343px 616.448px " y="19.461px 19.461px 19.461px ">ct)</tspan>)</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1428.98,860.915)">
                <g transform="matrix(29.1667,0,0,29.1667,234.685,25.593)">
@@ -720,9 +720,9 @@
                <text x="85.515px" y="26.478px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="85.515px " y="26.478px ">d</tspan>ec<tspan x="130.898px " y="26.478px ">a</tspan>ps<tspan x="176.69px 191.127px " y="26.478px 26.478px ">_a</tspan>nd_mix&lt;SKEM&gt;(sski, spki, scti);</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,598.806,1534.07)">
-                <g transform="matrix(29.1667,0,0,29.1667,212.777,27.2845)">
+                <g transform="matrix(29.1667,0,0,29.1667,250.198,27.2845)">
                </g>
-                <text x="56.502px" y="27.284px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="56.502px " y="27.284px ">m</tspan>ix(biscuit<tspan x="196.706px " y="27.284px ">)</tspan></text>
+                <text x="56.502px" y="27.284px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="56.502px " y="27.284px ">m</tspan>ix(biscuit<tspan x="194.723px 208.635px 222.023px 234.127px " y="27.284px 27.284px 27.284px 27.284px ">_ct)</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,589.076,1605.36)">
                <g transform="matrix(29.1667,0,0,29.1667,370.179,15.7636)">
@@ -774,9 +774,9 @@
                <text x="55.154px" y="28.384px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="55.154px 68.95px 78.575px 94.529px 104.329px " y="28.384px 28.384px 28.384px 28.384px 28.384px ">store</tspan>_biscuit(<tspan x="227.121px " y="28.384px ">)</tspan>;</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1231.61,1534.18)">
-                <g transform="matrix(29.1667,0,0,29.1667,192.222,28.1459)">
+                <g transform="matrix(28.75,0,0,28.75,192.222,27.9976)">
                </g>
-                <text x="106.705px" y="28.146px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">biscuit</text>
+                <text x="70.034px" y="27.998px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:28.75px;">biscuit<tspan x="154.761px 168.532px " y="27.998px 27.998px ">_c</tspan>t</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1413.83,1606.73)">
                <text x="27.294px" y="15.076px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
@@ -816,10 +816,10 @@
                <text x="39.094px" y="15.047px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">biscuit<tspan x="125.049px " y="15.047px ">_</tspan>no</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1414.45,1937)">
-                <text x="26.666px" y="15.727px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
-                <g transform="matrix(29.1667,0,0,29.1667,332.212,15.727)">
+                <text x="26.666px" y="15.72px" style="font-family:'Arial-BoldMT', 'Arial', sans-serif;font-weight:700;font-size:29.167px;">←</text>
+                <g transform="matrix(29.1667,0,0,29.1667,356.978,15.7199)">
                </g>
-                <text x="62.099px" y="15.727px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="62.099px 70.266px " y="15.727px 15.727px ">lo</tspan>ad_biscuit(biscuit<tspan x="309.753px " y="15.727px ">)</tspan>;</text>
+                <text x="63.183px" y="15.72px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;">l<tspan x="71.349px " y="15.72px ">o</tspan>ad_biscuit(biscuit<tspan x="308.853px 322.766px 336.153px 348.258px " y="15.72px 15.72px 15.72px 15.72px ">_ct)</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1420.02,1985.2)">
                <g transform="matrix(29.1667,0,0,29.1667,408.55,14.2792)">
@@ -924,32 +924,32 @@
                    <path d="M25.178,1596.45L1770.22,1596.45" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-dasharray:8.33,16.67,0,0;"/>
                </g>
            </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,146.07)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,146.07)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
            </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,912.386)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,912.386)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(255,166,48);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
            </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,1569.58)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,1569.58)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,-393.972,-1123.82)">
-                <g transform="matrix(50,0,0,50,2059.59,1491.35)">
+                <g transform="matrix(50,0,0,50,2075.42,1491.35)">
                </g>
-                <text x="1219.89px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1386.09px " y="1491.35px ">o</tspan> { sidi, epki, sctr<tspan x="1760.64px " y="1491.35px ">,</tspan> pidiC<tspan x="1901.99px " y="1491.35px ">,</tspan> aut<tspan x="1999.89px " y="1491.35px ">h</tspan> }</text>
+                <text x="1204.07px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1370.27px " y="1491.35px ">o</tspan> { sidi, epki, sctr<tspan x="1744.82px " y="1491.35px ">,</tspan> pidi_<tspan x="1875.87px 1899.17px 1917.82px " y="1491.35px 1491.35px 1491.35px ">ct,</tspan> aut<tspan x="2015.72px " y="1491.35px ">h</tspan> }</text>
            </g>
-            <g transform="matrix(0.990987,0,0,0.996959,-433.456,-357.502)">
-                <g transform="matrix(50,0,0,50,2155.26,1491.35)">
+            <g transform="matrix(0.990987,0,0,0.996959,-477.45,-357.502)">
+                <g transform="matrix(50,0,0,50,2231.1,1491.35)">
                </g>
-                <text x="1203.91px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1235.96px 1261.66px 1284.81px 1313.16px 1350.36px 1376.06px 1390.11px 1403.91px 1430.91px 1442.96px 1460.01px 1472.06px 1495.21px 1506.06px 1534.41px 1550.56px 1561.21px 1573.26px 1596.41px 1607.26px 1635.61px 1646.46px 1657.11px 1669.16px 1694.86px 1717.16px 1734.46px 1745.31px 1755.96px 1768.01px 1791.16px 1813.46px 1830.76px 1841.61px 1852.26px 1864.31px 1892.66px 1903.51px 1926.66px 1948.91px 1976.16px 1987.01px 2004.66px 2015.31px 2027.36px 2053.01px 2080.26px 2097.56px 2125.16px 2137.21px " y="1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px ">espHello { sidr, sidi, ecti, scti, biscuit, auth }</tspan></text>
+                <text x="1216.85px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1248.9px 1274.6px 1297.75px 1326.1px 1363.3px 1389px 1403.05px 1416.85px 1443.85px 1455.9px 1472.95px 1485px 1508.15px 1519px 1547.35px 1563.5px 1574.15px 1586.2px 1609.35px 1620.2px 1648.55px 1659.4px 1670.05px 1682.1px 1707.8px 1730.1px 1747.4px 1758.25px 1768.9px 1780.95px 1804.1px 1826.4px 1843.7px 1854.55px 1865.2px 1877.25px 1905.6px 1916.45px 1939.6px 1961.85px 1989.1px 1999.95px 2017.6px 2040.55px 2062.85px 2080.5px 2091.15px 2103.2px 2128.85px 2156.1px 2173.4px 2201px 2213.05px " y="1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px ">espHello { sidr, sidi, ecti, scti, biscuit_ct, auth }</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,-393.972,299.694)">
-                <g transform="matrix(50,0,0,50,2020.42,1491.35)">
+                <g transform="matrix(50,0,0,50,2053.37,1491.35)">
                </g>
-                <text x="1272.12px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1375.57px " y="1491.35px ">o</tspan>nf { sidi, sidr<tspan x="1677.72px " y="1491.35px ">,</tspan> biscuit<tspan x="1849.77px " y="1491.35px ">,</tspan> aut<tspan x="1947.67px " y="1491.35px ">h</tspan> }</text>
+                <text x="1239.17px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1342.62px " y="1491.35px ">o</tspan>nf { sidi, sidr<tspan x="1644.77px " y="1491.35px ">,</tspan> biscuit<tspan x="1816.82px 1840.77px 1864.07px 1882.72px " y="1491.35px 1491.35px 1491.35px 1491.35px ">_ct,</tspan> aut<tspan x="1980.62px " y="1491.35px ">h</tspan> }</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,467.587,-208.686)">
                <circle cx="92.21" cy="555.627" r="46.396" style="fill:rgb(64,63,73);"/>
--- a/papers/graphics/rosenpass-wp-message-types-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-message-types-rgb.pdf
--- a/papers/graphics/rosenpass-wp-message-types-rgb.svg
+++ b/papers/graphics/rosenpass-wp-message-types-rgb.svg
@@ -1,393 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 1890 1086" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
-        <rect id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
-        <g id="ArtBoard11" serif:id="ArtBoard1">
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-109.061,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-646.644,-769.875)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(4.00596,0,-1.23443e-32,1.24734,-4842.07,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1481.4,2496.4L1481.4,2517.3C1481.4,2519.61 1480.88,2521.47 1480.23,2521.47L1454.89,2521.47C1454.24,2521.47 1453.72,2519.61 1453.72,2517.3L1453.72,2496.4C1453.72,2494.1 1454.24,2492.23 1454.89,2492.23L1480.23,2492.23C1480.88,2492.23 1481.4,2494.1 1481.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-42.3997,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-579.982,-769.875)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(0.381932,0,0,1.66872,42.8569,1055.77)">
-                <path d="M1608.99,559.828C1608.99,558.366 1604.32,557.179 1598.56,557.179L658.104,557.179C652.342,557.179 647.664,558.366 647.664,559.828L647.664,942.986C647.664,944.448 652.342,945.635 658.104,945.635L1598.56,945.635C1604.32,945.635 1608.99,944.448 1608.99,942.986L1608.99,559.828Z" style="fill:none;stroke:rgb(64,63,73);stroke-width:8.54px;"/>
-            </g>
-            <g transform="matrix(0.319269,0,0,0.306737,111.831,2084.53)">
-                <path d="M1608.99,571.588C1608.99,563.635 1603.4,557.179 1596.51,557.179L660.153,557.179C653.26,557.179 647.664,563.635 647.664,571.588L647.664,931.226C647.664,939.179 653.26,945.635 660.153,945.635L1596.51,945.635C1603.4,945.635 1608.99,939.179 1608.99,931.226L1608.99,571.588Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.381932,0,0,0.364294,42.8569,1783.2)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(64,63,73);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-142.419,-742.377)">
-                <path d="M686.627,2406.91L686.627,2495.34C686.627,2499.6 683.172,2503.05 678.917,2503.05L413.249,2503.05C408.994,2503.05 405.539,2499.6 405.539,2495.34L405.539,2406.91C405.539,2402.65 408.994,2399.2 413.249,2399.2L678.917,2399.2C683.172,2399.2 686.627,2402.65 686.627,2406.91ZM413.872,2457.17L413.872,2494.72L678.293,2494.72L678.293,2457.17L413.872,2457.17Z" style="fill:rgb(179,178,182);"/>
-                <clipPath id="_clip1">
-                    <path d="M686.627,2406.91L686.627,2495.34C686.627,2499.6 683.172,2503.05 678.917,2503.05L413.249,2503.05C408.994,2503.05 405.539,2499.6 405.539,2495.34L405.539,2406.91C405.539,2402.65 408.994,2399.2 413.249,2399.2L678.917,2399.2C683.172,2399.2 686.627,2402.65 686.627,2406.91ZM413.872,2457.17L413.872,2494.72L678.293,2494.72L678.293,2457.17L413.872,2457.17Z"/>
-                </clipPath>
-                <g clip-path="url(#_clip1)">
-                    <g>
-                        <g transform="matrix(0.707107,0.707107,-0.707107,0.707107,1731.31,392.021)">
-                            <rect x="320.594" y="2142.43" width="296.282" height="308.698" style="fill:rgb(247,4,132);"/>
-                        </g>
-                        <g transform="matrix(0.707107,0.707107,-0.707107,0.707107,1939.29,599.998)">
-                            <rect x="320.594" y="2142.43" width="296.282" height="308.698" style="fill:rgb(255,166,48);"/>
-                        </g>
-                    </g>
-                </g>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-988.061,373.696)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">t<tspan x="1183.44px " y="1445.64px ">y</tspan>pe</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(160,159,164);">r<tspan x="1183.31px " y="1487.31px ">e</tspan>ser<tspan x="1247.74px 1264.68px " y="1487.31px 1487.31px ">ve</tspan>d</text>
-                <text x="1171.58px" y="1545.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1208.51px 1225.64px 1235.34px " y="1545.64px 1545.64px 1545.64px ">ylo</tspan>ad</text>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">mac</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1265.88,1695.64)">
-                </g>
-                <text x="1171.58px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">c<tspan x="1186.68px " y="1695.64px ">o</tspan>okie</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1032.48,373.696)">
-                <text x="1443.43px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">1</text>
-                <text x="1443.43px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">3</text>
-                <text x="1444.5px" y="1545.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">n</text>
-                <text x="1423.43px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1443.43px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">6</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1463.43,1766.48)">
-                </g>
-                <text x="1213.53px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">en<tspan x="1250.03px 1266.96px 1284.7px 1294.4px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  n + 36</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1006.67,212.568)">
-                <text x="1228.7px" y="1470.55px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;fill:white;">En<tspan x="1276.75px 1298px 1320.25px 1332.58px " y="1470.55px 1470.55px 1470.55px 1470.55px ">velo</tspan>pe</text>
-                <g transform="matrix(25,0,0,25,1459.75,1516.38)">
-                </g>
-                <text x="1398.3px" y="1516.38px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;fill:white;">b<tspan x="1412.7px 1425.8px 1434.42px " y="1516.38px 1516.38px 1516.38px ">yte</tspan>s</text>
-            </g>
-            <g transform="matrix(0.597054,0,0,0.741612,65.5056,511.466)">
-                <path d="M432.703,2196.97L345.361,2196.97L345.361,2547.98L432.703,2547.98" style="fill:none;stroke:rgb(160,159,164);stroke-width:5.18px;"/>
-            </g>
-            <g transform="matrix(0.63007,0,0,0.90399,0.337587,154.729)">
-                <path d="M376.162,2196.97L345.361,2196.97L345.361,2544.77L513.459,2544.77" style="fill:none;stroke:rgb(160,159,164);stroke-width:4.5px;"/>
-            </g>
-            <g transform="matrix(4.69386e-17,-1.24734,1.12527,9.74939e-17,-2569.76,2501.33)">
-                <g transform="matrix(25,0,0,25,286.877,2518.25)">
-                </g>
-                <text x="82.852px" y="2518.25px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">M<tspan x="103.602px 120.902px 137.352px 147.927px 174.827px 180.627px 196.727px 210.927px 222.802px 240.427px 256.127px 268.652px " y="2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px ">AC_WIRE_DATA</tspan></text>
-            </g>
-            <g transform="matrix(4.35236e-17,-1.24734,1.12527,9.46525e-17,-2623.43,2555.42)">
-                <g transform="matrix(25,0,0,25,325.196,2518.25)">
-                </g>
-                <text x="87.896px" y="2518.25px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">C<tspan x="103.571px 122.121px 140.671px 155.671px 161.471px 175.671px 186.246px 213.146px 218.946px 235.046px 249.246px 261.121px 278.746px 294.446px 306.971px " y="2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px ">OOKIE_WIRE_DATA</tspan></text>
-            </g>
-            <g transform="matrix(0.986529,0,0,1.24734,-548.881,-459.807)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:3.1px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,413.374,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,411.795,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-536.656,211.942)">
-                <text x="1254.57px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">InitHell<tspan x="1393.07px " y="1470.8px ">o</tspan></text>
-                <g transform="matrix(25,0,0,25,1397.15,1512.47)">
-                </g>
-                <text x="1273.83px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1282.95px " y="1512.47px ">y</tspan>pe=0x81</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-550.023,408.588)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">epki</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sctr</text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">peerid</text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-505.817,408.588)">
-                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1423.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">800</text>
-                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1327.57px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">32 + 16 =</text>
-                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">48</text>
-                <text x="1443.37px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1266.77px" y="1683.14px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1303.71px 1320.84px 1330.54px " y="1683.14px 1683.14px 1683.14px ">ylo</tspan>ad  1056</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1483.37,1724.81)">
-                </g>
-                <text x="1221.01px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1286.11px 1303.04px 1320.77px 1330.47px " y="1724.81px 1724.81px 1724.81px 1724.81px ">velo</tspan>pe  1092</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-418.853,-527.648)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,959.846,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1048.63,2310.36)">
-                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,958.268,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-187.43,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,255.507,157.594)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-122.635,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,350.049,158.841)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-56.47,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,452.097,158.629)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,15.782,211.942)">
-                <text x="1231.86px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">R<tspan x="1259.4px " y="1470.8px ">e</tspan>spHell<tspan x="1405.19px " y="1470.8px ">o</tspan></text>
-                <g transform="matrix(25,0,0,25,1391.85,1512.47)">
-                </g>
-                <text x="1268.53px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1277.65px " y="1512.47px ">y</tspan>pe=0x82</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-3.54999,383.641)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ect<tspan x="1216.61px " y="1528.98px ">i</tspan></text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sct<tspan x="1214.91px " y="1570.64px ">i</tspan></text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1653.98)">
-                </g>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1653.98px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,5.40653,383.641)">
-                <text x="1494.7px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1494.7px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1454.7px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">768</text>
-                <text x="1454.7px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1281px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1454.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1474.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1298.1px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1335.03px 1352.16px 1361.86px " y="1724.81px 1724.81px 1724.81px ">ylo</tspan>ad  1096</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1514.7,1766.48)">
-                </g>
-                <text x="1252.33px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1317.43px 1334.36px 1352.1px 1361.8px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  1132</text>
-            </g>
-            <g transform="matrix(1.12526,-0.00552033,0,1.24736,577.101,1504.92)">
-                <g transform="matrix(25,0,0,25,1221.4,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">data</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,671.631,1498.47)">
-                <g transform="matrix(25,0,0,25,1238.5,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">nonc<tspan x="1225.2px " y="1439.71px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,773.678,1498.47)">
-                <g transform="matrix(25,0,0,25,1281.5,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">aut<tspan x="1207.75px " y="1439.71px ">h</tspan> c<tspan x="1239.73px " y="1439.71px ">o</tspan>de</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,127.619,-497.943)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,-133.099,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,-134.677,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1077.16,1002.61)">
-                <text x="1224.31px" y="1471.18px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">Emp<tspan x="1308.86px 1324.06px " y="1471.18px 1471.18px ">ty</tspan>Data</text>
-                <g transform="matrix(25,0,0,25,1391.85,1512.85)">
-                </g>
-                <text x="1268.53px" y="1512.85px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1277.65px " y="1512.85px ">y</tspan>pe=0x84</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1096.5,1200.43)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidx</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ctr</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1528.98)">
-                </g>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1528.98px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1029.53,1200.43)">
-                <text x="1443.14px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1443.14px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">8</text>
-                <text x="1423.14px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1286.55px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.48px 1340.61px 1350.31px " y="1599.81px 1599.81px 1599.81px ">ylo</tspan>ad  28</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1463.15,1641.48)">
-                </g>
-                <text x="1240.78px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1305.88px 1322.81px 1340.55px 1350.25px " y="1641.48px 1641.48px 1641.48px 1641.48px ">velo</tspan>pe  64</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-965.326,161.211)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,959.846,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,958.268,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,15.782,1002.61)">
-                <text x="1211.79px" y="1471.12px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:42.083px;">C<tspan x="1238.72px " y="1471.12px ">o</tspan>okieR<tspan x="1367.5px " y="1471.12px ">e</tspan>pl<tspan x="1426.83px " y="1471.12px ">y</tspan></text>
-                <g transform="matrix(25.4167,0,0,25.4167,1392.88,1513.2)">
-                </g>
-                <text x="1267.5px" y="1513.2px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25.417px;fill:white;">t<tspan x="1276.78px " y="1513.2px ">y</tspan>pe=0x86</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1.30896,1200.2)">
-                <text x="1171.58px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">sidx</text>
-                <text x="1171.58px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">nonc<tspan x="1243.97px " y="1487.61px ">e</tspan></text>
-                <g transform="matrix(33.75,0,0,33.75,1267.05,1529.27)">
-                </g>
-                <text x="1171.58px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">c<tspan x="1186.87px " y="1529.27px ">o</tspan>okie</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,65.6578,1200.2)">
-                <text x="1442.89px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">4</text>
-                <text x="1422.64px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">24</text>
-                <text x="1296.21px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25.417px;">16 + 16 =</text>
-                <text x="1422.64px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1284.34px" y="1600.11px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pa<tspan x="1321.73px 1339.08px 1348.9px " y="1600.11px 1600.11px 1600.11px ">ylo</tspan>ad  60</text>
-                <g transform="matrix(33.75,0,0,33.75,1463.15,1641.77)">
-                </g>
-                <text x="1238px" y="1641.77px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ en<tspan x="1303.91px 1321.06px 1339.01px 1348.83px " y="1641.77px 1641.77px 1641.77px 1641.77px ">velo</tspan>pe  96</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,129.86,160.982)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,1506.32,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1595.1,2285.75)">
-                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,359.526,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,424.321,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,490.486,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,1504.74,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,568.22,211.942)">
-                <text x="1251.12px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">InitC<tspan x="1337.33px " y="1470.8px ">o</tspan>nf</text>
-                <g transform="matrix(25,0,0,25,1386.55,1512.47)">
-                </g>
-                <text x="1263.23px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1272.35px " y="1512.47px ">y</tspan>pe=0x83</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,542.923,463.055)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1570.64)">
-                </g>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1570.64px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,587.128,463.055)">
-                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1463.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1249.67px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1286.77px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.71px 1340.84px 1350.54px " y="1641.48px 1641.48px 1641.48px ">ylo</tspan>ad  140</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1483.37,1683.14)">
-                </g>
-                <text x="1241.01px" y="1683.14px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1306.11px 1323.04px 1340.77px 1350.47px " y="1683.14px 1683.14px 1683.14px 1683.14px ">velo</tspan>pe  176</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,674.092,-525.153)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,413.374,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,411.795,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-524.725,1002.61)">
-                <text x="1279.66px" y="1471.18px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">Data</text>
-                <g transform="matrix(25,0,0,25,1386.55,1512.85)">
-                </g>
-                <text x="1263.23px" y="1512.85px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1272.35px " y="1512.85px ">y</tspan>pe=0x85</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-550.023,1200.57)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidx</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ctr</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1290.6,1528.98)">
-                </g>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">data</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-586.775,1200.57)">
-                <text x="1535.32px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1535.32px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">8</text>
-                <text x="1398.39px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1411.02px " y="1528.98px ">a</tspan>riabl<tspan x="1474.12px " y="1528.98px ">e</tspan> +</text>
-                <text x="1515.32px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1268.24px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1305.18px 1322.31px 1332.01px " y="1599.81px 1599.81px 1599.81px ">ylo</tspan>ad</text>
-                <text x="1396.24px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1408.87px " y="1599.81px ">a</tspan>riabl<tspan x="1471.97px " y="1599.81px ">e</tspan> +</text>
-                <text x="1515.32px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">28</text>
-                <text x="1222.48px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1287.58px 1304.51px 1322.24px 1331.94px " y="1641.48px 1641.48px 1641.48px 1641.48px ">velo</tspan>pe</text>
-                <text x="1396.24px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1408.87px " y="1641.48px ">a</tspan>riabl<tspan x="1471.97px " y="1641.48px ">e</tspan> +</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1555.32,1641.48)">
-                </g>
-                <text x="1515.32px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">64</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-416.123,162.22)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.400209,0,0,1.19089,1603.98,2115.3)">
-                <path d="M1608.99,560.89C1608.99,558.842 1604.53,557.179 1599.03,557.179L657.627,557.179C652.128,557.179 647.664,558.842 647.664,560.89L647.664,941.924C647.664,943.972 652.128,945.635 657.627,945.635L1599.03,945.635C1604.53,945.635 1608.99,943.972 1608.99,941.924L1608.99,560.89Z" style="fill:white;stroke:rgb(255,211,152);stroke-width:11.57px;"/>
-            </g>
-            <g transform="matrix(0.400209,0,0,0.196676,1603.98,2669.25)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,550.082,1014.76)">
-                <g transform="matrix(41.6667,0,0,41.6667,1401.28,1457.77)">
-                </g>
-                <text x="1279.11px" y="1457.77px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">biscuit</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,588.6,1106.02)">
-                <text x="1398.83px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1398.83px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">12</text>
-                <text x="1398.83px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1283.47px" y="1600.11px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">biscuit  76</text>
-                <text x="1241.85px" y="1641.77px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ nonc<tspan x="1343.21px " y="1641.77px ">e</tspan>  100</text>
-                <g transform="matrix(33.75,0,0,33.75,1450.58,1683.44)">
-                </g>
-                <text x="1183.8px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ aut<tspan x="1261.6px " y="1683.44px ">h</tspan> c<tspan x="1304.76px " y="1683.44px ">o</tspan>de  116</text>
-            </g>
-            <g transform="matrix(1.05033,0,0,1.24734,960.732,66.8014)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:3.02px;"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,578.408,1106.02)">
-                <text x="1171.58px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">peerid</text>
-                <text x="1171.58px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">no</text>
-                <g transform="matrix(33.75,0,0,33.75,1204.08,1529.27)">
-                </g>
-                <text x="1171.58px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">ck</text>
-            </g>
-        </g>
-    </g>
-</svg>
--- a/papers/graphics/rosenpass-wp-message-types.afdesign
+++ b/papers/graphics/rosenpass-wp-message-types.afdesign
--- a/papers/graphics/rosenpass-wp-message-types.pdf
+++ b/papers/graphics/rosenpass-wp-message-types.pdf
--- a/papers/graphics/rosenpass-wp-message-types.png
+++ b/papers/graphics/rosenpass-wp-message-types.png
--- a/papers/graphics/rosenpass-wp-message-types.svg
+++ b/papers/graphics/rosenpass-wp-message-types.svg
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 1890 1086" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
-        <rect id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
+        <rect x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42"/>
+            <rect x="177.165" y="1977.29" width="2125.98" height="1353.42"/>
        </clipPath>
        <g clip-path="url(#_clip1)">
            <g transform="matrix(1.12527,0,0,1.24734,177.165,1977.29)">
@@ -72,7 +72,7 @@
                <text x="1423.43px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
                <g transform="matrix(33.3333,0,0,33.3333,1463.43,1766.48)">
                </g>
-                <text x="1213.53px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">en<tspan x="1250.03px 1266.96px 1284.7px 1294.4px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  n + 36</text>
+                <text x="1226.13px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pack<tspan x="1295.16px " y="1766.48px ">a</tspan>ge  n + 36</text>
            </g>
            <g transform="matrix(1.12527,0,0,1.24734,-1007.2,213.348)">
                <text x="1228.7px" y="1470.55px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;fill:white;">En<tspan x="1276.75px 1298px 1320.25px 1332.58px " y="1470.55px 1470.55px 1470.55px 1470.55px ">velo</tspan>pe</text>
@@ -115,7 +115,7 @@
                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">epki</text>
                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sctr</text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pidiC</text>
+                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pidi_<tspan x="1241.84px " y="1570.64px ">c</tspan>t</text>
                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
            </g>
            <g transform="matrix(1.12527,0,0,1.24734,-506.344,409.368)">
@@ -136,14 +136,14 @@
            <g transform="matrix(0.49129,0,0,1.66616,959.319,1057.98)">
                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.39px;"/>
            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1048.1,2311.14)">
+            <g transform="matrix(0.410953,0,0,0.095385,1048.1,2363.41)">
                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
+                <path d="M1631.81,603.515L1631.81,899.299L1631.15,930.502L1629.25,959.805L1626.24,986.218L1622.29,1009.11L1617.49,1028.01L1611.96,1042.35L1605.83,1051.45L1599.29,1054.61L657.366,1054.61L650.833,1051.45L644.697,1042.35L639.166,1028.01L634.372,1009.11L630.416,986.218L627.414,959.805L625.507,930.502L624.846,899.299L624.846,603.515L625.507,572.312L627.414,543.009L630.416,516.596L634.372,493.7L639.166,474.808L644.697,460.468L650.833,451.364L657.366,448.205L1599.29,448.205L1605.83,451.364L1611.96,460.468L1617.49,474.808L1622.29,493.7L1626.24,516.596L1629.25,543.009L1631.15,572.312L1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
            </g>
            <g transform="matrix(0.49129,0,0,0.365649,957.741,1782.7)">
                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-187.957,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-161.376,-690.576)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
            </g>
@@ -151,7 +151,7 @@
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-123.162,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-109.871,-690.576)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
            </g>
@@ -159,7 +159,7 @@
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-56.9969,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-56.9969,-690.576)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
            </g>
@@ -178,19 +178,17 @@
                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ect<tspan x="1216.61px " y="1528.98px ">i</tspan></text>
                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sct<tspan x="1214.91px " y="1570.64px ">i</tspan></text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1653.98)">
-                </g>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1653.98px ">h</tspan></text>
+                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
+                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">b<tspan x="1190.01px 1196.74px 1211.78px 1226.21px 1243.91px 1250.64px 1261.78px 1276.71px 1291.14px " y="1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px ">iscuit_ct</tspan></text>
            </g>
            <g transform="matrix(1.12527,0,0,1.24734,4.87963,384.421)">
                <text x="1494.7px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                <text x="1494.7px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                <text x="1454.7px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">768</text>
                <text x="1454.7px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1281px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1454.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1474.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
+                <text x="1474.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
+                <text x="1306.8px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76+24+16 =</text>
+                <text x="1454.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
                <text x="1298.1px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1335.03px 1352.16px 1361.86px " y="1724.81px 1724.81px 1724.81px ">ylo</tspan>ad  1096</text>
                <g transform="matrix(33.3333,0,0,33.3333,1514.7,1766.48)">
                </g>
@@ -275,7 +273,7 @@
                <text x="1422.64px" y="1612.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
                <g transform="matrix(33.75,0,0,33.75,1463.15,1683.44)">
                </g>
-                <text x="1284.34px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pa<tspan x="1321.73px 1339.08px 1348.9px " y="1683.44px 1683.44px 1683.44px ">ylo</tspan>ad  64</text>
+                <text x="1279.71px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pack<tspan x="1349.61px " y="1683.44px ">a</tspan>ge  64</text>
            </g>
            <g transform="matrix(1.33216,0,0,1.24734,129.333,240.128)">
                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
@@ -285,13 +283,13 @@
            </g>
            <g transform="matrix(0.410953,0,0,0.095385,1594.58,2286.53)">
                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
+                <path d="M1631.81,603.515L1631.81,899.299L1631.15,930.502L1629.25,959.805L1626.24,986.218L1622.29,1009.11L1617.49,1028.01L1611.96,1042.35L1605.83,1051.45L1599.29,1054.61L657.366,1054.61L650.833,1051.45L644.697,1042.35L639.166,1028.01L634.372,1009.11L630.416,986.218L627.414,959.805L625.507,930.502L624.846,899.299L624.846,603.515L625.507,572.312L627.414,543.009L630.416,516.596L634.372,493.7L639.166,474.808L644.697,460.468L650.833,451.364L657.366,448.205L1599.29,448.205L1605.83,451.364L1611.96,460.468L1617.49,474.808L1622.29,493.7L1626.24,516.596L1629.25,543.009L1631.15,572.312L1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,358.999,-768.503)">
+            <g transform="matrix(1.12527,0,0,1.24734,385.58,-768.503)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,423.794,-768.503)">
+            <g transform="matrix(1.12527,0,0,1.24734,437.085,-768.503)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
            </g>
@@ -311,7 +309,7 @@
            <g transform="matrix(1.12527,0,0,1.24734,542.396,463.835)">
                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
+                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">b<tspan x="1190.01px 1196.74px 1211.78px 1226.21px 1243.91px 1250.64px 1261.78px 1276.71px 1291.14px " y="1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px ">iscuit_ct</tspan></text>
                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1570.64)">
                </g>
                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1570.64px ">h</tspan></text>
@@ -319,7 +317,7 @@
            <g transform="matrix(1.12527,0,0,1.24734,586.601,463.835)">
                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                <text x="1463.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1249.67px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
+                <text x="1275.47px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76+24+16 =</text>
                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
                <text x="1286.77px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.71px 1340.84px 1350.54px " y="1641.48px 1641.48px 1641.48px ">ylo</tspan>ad  140</text>
--- a/papers/references.bib
+++ b/papers/references.bib
@@ -179,20 +179,42 @@
@techreport{mceliece,
    title = {{C}lassic {M}c{E}liece: conservative code-based cryptography},
    author = {Martin R. Albrecht and Daniel J. Bernstein and Tung Chou and Carlos Cid and Jan Gilcher and Tanja Lange and Varun Maram and Ingo von Maurich and Rafael Misoczki and Ruben Niederhagen and Kenneth G. Paterson and Edoardo Persichetti and Christiane Peters and Peter Schwabe and Nicolas Sendrier and Jakub Szefer and Cen Jung Tjhai and Martin Tomlinson and Wen Wang},
-    year = 2022,
+    year = 2020,
    month = 10,
-    day = 23,
-    type = {NIST Post-Quantum Cryptography Round 4 Submission},
-    url = {https://classic.mceliece.org/}
+    day = 10,
+    type = {NIST Post-Quantum Cryptography Round 3 Submission},
+    url={https://classic.mceliece.org/nist/mceliece-20201010.pdf},
 }

@techreport{kyber,
-    title = {CRYSTALS-Kyber},
-    author = {Roberto Avanzi and Joppe Bos and Léo Ducas and Eike Kiltz and Tancrède Lepoint and
-Vadim Lyubashevsky and John M. Schanck and Peter Schwabe and Gregor Seiler and Damien Stehlé},
-    year = 2020,
-    month = 10,
-    day = 1,
-    type = {NIST Post-Quantum Cryptography Selected Algorithm},
-    url = {https://pq-crystals.org/kyber/}
+  title={CRYSTALS-Kyber algorithm specifications and supporting documentation},
+  author={Avanzi, Roberto and Bos, Joppe and Ducas, L{\'e}o and Kiltz, Eike and Lepoint, Tancr{\`e}de and Lyubashevsky, Vadim and Schanck, John M and Schwabe, Peter and Seiler, Gregor and Stehl{\'e}, Damien and others},
+  year = 2021,
+  month = 08,
+  day = 04,
+  url = {https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf}
+}
+
+@misc{SHAKE256,
+  author   = "National Institute of Standards and Technology",
+  title    = "FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions",
+  year     = {2015},
+  month    = {August},
+  doi      = {10.6028/NIST.FIPS.202}
+}
+
+@misc{boneh_shoup_graduate,
+  title  = "A graduate course in applied cryptography",
+  author = "Dan Boneh and Victor Shoup",
+  url    = "https://toc.cryptobook.us/",
+  year   = {2023},
+}
+
+@inproceedings{hmac,
+  title={Keying hash functions for message authentication},
+  author={Bellare, Mihir and Canetti, Ran and Krawczyk, Hugo},
+  booktitle={Annual international cryptology conference},
+  pages={1--15},
+  year={1996},
+  organization={Springer}
 }
--- a/papers/tex/template-rosenpass.tex
+++ b/papers/tex/template-rosenpass.tex
@@ -2,6 +2,7 @@
 \usepackage{amssymb}
 \usepackage{mathtools}
 \usepackage{fontspec}
+\usepackage{dirtytalk}

 %font fallback
 \directlua{luaotfload.add_fallback
--- a/papers/whitepaper.md
+++ b/papers/whitepaper.md
@@ -8,21 +8,23 @@ author:
 - Lisa Schmidt = {Scientific Illustrator – \\url{mullana.de}}
 - Prabhpreet Dua
 abstract: |
-       Rosenpass is used to create post-quantum-secure VPNs. Rosenpass computes a shared key, WireGuard (WG) [@wg] uses the shared key to establish a secure connection. Rosenpass can also be used without WireGuard, deriving post-quantum-secure symmetric keys for another application. The Rosenpass protocol builds on “Post-quantum WireGuard” (PQWG) [@pqwg] and improves it by using a cookie mechanism to provide security against state disruption attacks.
+       Rosenpass is a post-quantum-secure authenticated key exchange protocol. Its main practical use case is creating post-quantum-secure VPNs by combining WireGuard and Rosenpass.

-       The WireGuard implementation enjoys great trust from the cryptography community and has excellent performance characteristics. To preserve these features, the Rosenpass application runs side-by-side with WireGuard and supplies a new post-quantum-secure pre-shared key (PSK) every two minutes. WireGuard itself still performs the pre-quantum-secure key exchange and transfers any transport data with no involvement from Rosenpass at all.
+       In this combination, Rosenpass generates a post-quantum-secure shared key every two minutes that is then used by WireGuard (WG) [@wg] to establish a secure connection. Rosenpass can also be used without WireGuard, providing post-quantum-secure symmetric keys for other applications, as long as the other application accepts a pre-shared key and provides cryptographic security based on the pre-shared key alone.
+
+       The Rosenpass protocol builds on “Post-quantum WireGuard” (PQWG) [@pqwg] and improves it by using a cookie mechanism to provide security against state disruption attacks. From a cryptographic perspective, Rosenpass can be thought of as a post-quantum secure variant of the Noise IK[@noise] key exchange. \say{Noise IK} means that the protocol makes both parties authenticate themselves, but that the initiator knows before the protocol starts which other party they are communicating with. There is no negotiation step where the responder communicates their identity to the initiator.

       The Rosenpass project consists of a protocol description, an implementation written in Rust, and a symbolic analysis of the protocol’s security using ProVerif [@proverif]. We are working on a cryptographic security proof using CryptoVerif [@cryptoverif].

-       This document is a guide for engineers and researchers implementing the protocol; a scientific paper discussing the security properties of Rosenpass is work in progress.
+       This document is a guide for engineers and researchers implementing the protocol.
 ---

 \enlargethispage{5mm}
 \setupimage{label=img:KeyExchangeProt,width=.9\linewidth}
-![Rosenpass Key Exchange Protocol](graphics/rosenpass-wp-key-exchange-protocol-rgb.svg)
+![Rosenpass Key Exchange Protocol](graphics/rosenpass-wp-key-exchange-protocol.svg)

 \setupimage{label=img:MessageTypes}
-![Rosenpass Message Types](graphics/rosenpass-wp-message-types-rgb.svg)
+![Rosenpass Message Types](graphics/rosenpass-wp-message-types.svg)

 \clearpage

@@ -31,10 +33,10 @@ abstract: |

 # Security

-Rosenpass inherits most security properties from Post-Quantum WireGuard (PQWG). The security properties mentioned here are covered by the symbolic analysis in the Rosenpass repository. 
+Rosenpass inherits most security properties from Post-Quantum WireGuard (PQWG). The security properties mentioned here are covered by the symbolic analysis in the Rosenpass repository.

 ## Secrecy
-Three key encapsulations using the keypairs `sski`/`spki`, `sskr`/`spkr`, and `eski`/`epki` provide secrecy (see Section \ref{variables} for an introduction of the variables). Their respective ciphertexts are called `scti`, `sctr`, and `ectr` and the resulting keys are called `spti`, `sptr`, `epti`. A single secure encapsulation is sufficient to provide secrecy. We use two different KEMs (Key Encapsulation Mechanisms; see section \ref{skem}): Kyber and Classic McEliece.
+Three key encapsulations using the keypairs `sski`/`spki`, `sskr`/`spkr`, and `eski`/`epki` provide secrecy (see Section \ref{variables} for an introduction of the variables). Their respective ciphertexts are called `scti`, `sctr`, and `ectr` and the resulting keys are called `spti`, `sptr`, `epti`. A single secure encapsulation is sufficient to provide secrecy. We use two different KEMs (Key Encapsulation Mechanisms; see Section \ref{skem}): Kyber and Classic McEliece.

 ## Authenticity

@@ -64,9 +66,14 @@ Note that while Rosenpass is secure against state disruption, using it does not
 All symmetric keys and hash values used in Rosenpass are 32 bytes long.


-### Hash
+### Hash {#hash}

-A keyed hash function with one 32-byte input, one variable-size input, and one 32-byte output. As keyed hash function we use the HMAC construction [@rfc_hmac] with BLAKE2s [@rfc_blake2] as the inner hash function.
+A keyed hash function with one 32-byte input, one variable-size input, and one 32-byte output. As keyed hash function we offer two options that can be configured on a peer-basis, with Blake2b being the default:
+
+1. an **incorrect** HMAC construction [@rfc_hmac] with BLAKE2b [@rfc_blake2] as the inner hash function. See Sec. \ref{incorrect-hmac} for details.
+2. the SHAKE256 extendable output function (XOF) [@SHAKE256] truncated to a 32-byte output. The result is produced be concatenating the 32-byte input with the variable-size input in this order.
+
+The use of BLAKE2b is being phased out.

 ```pseudorust
 hash(key, data) -> key
@@ -93,7 +100,7 @@ XAEAD::dec(key, nonce, ciphertext, additional_data) -> plaintext

 ### SKEM {#skem}

-“Key Encapsulation Mechanism” (KEM) is the name of an interface widely used in post-quantum-secure protocols. KEMs can be seen as asymmetric encryption specifically for symmetric keys. Rosenpass uses two different KEMs. SKEM is the key encapsulation mechanism used with the static keypairs in Rosenpass. The public keys of these keypairs are not transmitted over the wire during the protocol. We use Classic McEliece 460896 [@mceliece] which claims to be as hard to break as 192-bit AES. As one of the oldest post-quantum-secure KEMs, it enjoys wide trust among cryptographers, but it has not been chosen for standardization by NIST. Its ciphertexts and private keys are small (188 bytes and 13568 bytes), and its public keys are large (524160 bytes). This fits our use case: public keys are exchanged out-of-band, and only the small ciphertexts have to be transmitted during the handshake.
+“Key Encapsulation Mechanism” (KEM) is the name of an interface widely used in post-quantum-secure protocols. KEMs can be seen as asymmetric encryption specifically for symmetric keys. Rosenpass uses two different KEMs. SKEM is the key encapsulation mechanism used with the static keypairs in Rosenpass. The public keys of these keypairs are not transmitted over the wire during the protocol. We use Classic McEliece 460896\footnote{The exact Classic McEliece version is from the NIST-Competition, Round 3: \par https://classic.mceliece.org/nist/mceliece-20201010.tar.gz}[@mceliece] which claims to be as hard to break as 192-bit AES. As one of the oldest post-quantum-secure KEMs, it enjoys wide trust among cryptographers, but it has not been chosen for standardization by NIST. Its ciphertexts and secret keys are small (188 bytes and 13568 bytes), and its public keys are large (524160 bytes). This fits our use case: public keys are exchanged out-of-band, and only the small ciphertexts have to be transmitted during the handshake.

 ```pseudorust
 SKEM::enc(public_key) -> (ciphertext, shared_key)
@@ -102,7 +109,7 @@ SKEM::dec(secret_key, ciphertext) -> shared_key

 ### EKEM

-Key encapsulation mechanism used with the ephemeral KEM keypairs in Rosenpass. The public keys of these keypairs need to be transmitted over the wire during the protocol. We use Kyber-512 [@kyber], which has been selected in the NIST post-quantum cryptography competition and claims to be as hard to break as 128-bit AES. Its ciphertexts, public keys, and private keys are 768, 800, and 1632 bytes long, respectively, providing a good balance for our use case as both a public key and a ciphertext have to be transmitted during the handshake.
+Key encapsulation mechanism used with the ephemeral KEM keypairs in Rosenpass. The public keys of these keypairs need to be transmitted over the wire during the protocol. We use Kyber-512\footnote{The exact Kyber version is from the NIST-Competition, Round 3: \par https://pq-crystals.org/kyber/data/kyber-submission-nist-round3.zip \par https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf}[@kyber], which has been selected in the NIST post-quantum cryptography competition and claims to be as hard to break as 128-bit AES. Its ciphertexts, public keys, and secret keys are 768, 800, and 1632 bytes long, respectively, providing a good balance for our use case as both a public key and a ciphertext have to be transmitted during the handshake.

 ```pseudorust
 EKEM::enc(public_key) -> (ciphertext, shared_key)
@@ -113,7 +120,46 @@ Using a combination of two KEMs – Classic McEliece for static keys and Kyber f

 Rosenpass uses libsodium [@libsodium] as cryptographic backend for hash, AEAD, and XAEAD, and liboqs [@liboqs] for the post-quantum-secure KEMs.

-## Variables {#variables}
+## Protocol Roles {#roles}
+
+The protocol specifies two roles: initiator and responder.
+
+* initiator – The party that starts a handshake.
+* responder – The party that does not start a handshake.
+
+All Rosenpass instances operate in either mode; the traditional "client"/"server" distinction does not apply to the Rosenpass protocol. We sometimes use the term "server". In these cases, we generally refer to the "Rosenpass Server," as in the application that implements the Rosenpass protocol, not to a server/client distinction.
+
+The initiator is stateful, and directs the handshake process. The responder is stateless for most of the protocol and reacts to the initiator's messages; this is important to protect our protocol against state disruption (protocol level denial of service) attacks. Since the responder does require some state to complete the protocol, this state is moved into an encrypted cookie, called "biscuit".
+
+The number of concurrent responder-role handshakes with another client is unlimited to account for the possibility of an imposter trying to execute a handshake: before completion of said handshake, there is no way to figure out which peer is an imposter and which peer is a legitimate party; any attempt to do so might lead to a state-disruption attack -- denial of service on the protocol level.
+
+There is no particular mechanism to negotiate which party acts as initiator and which acts as responder. At startup and when a key exchange is timer-triggered, Rosenpass will *initiate* a key exchange in initiator mode. At startup of another peer, and when they start a timer-triggered key exchange, the local server will *respond* in responder mode.
+
+Implementations must account for one ongoing initiator-role key exchange and many ongoing responder-role key exchanges. Upon receiving a well-formed InitConf package and successfully completing a responder-role key exchange, implementations should abort any ongoing initiator-role key exchange. Implementations should also use different back-off periods depending on whether the handshake was completed in initiator role or in responder role. The following values are used in the Rust reference implementation:
+
+- Initiator rekey interval: 130s
+- Responder rekey interval: 120s
+
+In practice these delays cause participants to take turns acting as initiator and acting as responder, since the ten-second difference is usually enough for the handshake with switched roles to complete before the old initiator's rekey timer goes to zero.
+
+## Packages {#packages}
+
+The packages, their contents, and their type IDs are graphically represented in Fig. \ref{img:MessageTypes}. Their purposes are:
+
+* \textbf{Envelope} – This is not a package on its own; it is the envelope all the other packages are put into.
+* \textbf{InitHello} – First package of the handshake, from initiator to responder.
+* \textbf{RespHello} – Second package of the handshake, from responder to initiator.
+* \textbf{InitConf} – Third package of the handshake, from initiator to responder.
+* \textbf{EmptyData} – Empty payload package. Used as acknowledgment to abort data retransmission (see Secs. \ref{payload-keys}, \ref{packet-loss}, and function `enter_live()` in Sec. \ref{fn:enter_live}).
+* \textbf{Data} – Transmission of actual payload data is not used in Rosenpass, but the package is still specified since it is part of WireGuard (see Sec. \ref{payload-keys} and function `enter_live()` in Sec. \ref{fn:enter_live}).
+* \textbf{CookieReply} – Used for proof-of-IP-ownership-based denial-of-service mitigation (see Sec. \ref{dos-mitigation}).
+* \textbf{biscuit} – This is not a stand-alone package; instead, it is an encrypted fragment present in \textbf{RespHello} and \textbf{InitConf}.
+
+## Endianness {#endianess}
+
+Unless otherwise specified, all integer values in the Rosenpass protocol use little-endian encoding.
+
+## Variables and Domain Separators {#variables}

 ### KEM Keypairs and Ciphertexts

@@ -133,10 +179,10 @@ Rosenpass uses multiple keypairs, ciphertexts, and plaintexts for key encapsulat

 These values use a naming scheme consisting of four lower-case characters. The first character indicates whether the key is static `s` or ephemeral `e`. The second character is an `s` or a `p` for secret or public. The third character is always a `k`. The fourth and final character is an `i`, `r`, `m`, or `t`, for `initiator`, `responder`, `mine`, or `theirs`. The initiator's static public key for instance is `spki`. During execution of the protocol, three KEM ciphertexts are produced: `scti`, `sctr`, and `ecti`.

-Besides the initiator and responder roles, we define the roles `mine` and `theirs` (`m`/`t`). These are sometimes used in the code when the assignment to initiator or responder roles is flexible. As an example, “this server's” static secret key is `sskm`, and the peer's public key is `spkt`.
+Besides the initiator and responder roles, we define the roles `mine` and `theirs` (`m`/`t`). These are sometimes used in the code when the assignment to initiator or responder roles is flexible. As an example, our static secret key is `sskm`, and the peer's public key is `spkt`.


-### IDs
+### IDs {#peer-ids}

 Rosenpass uses two types of ID variables. See Figure \ref{img:HashingTree} for how the IDs are calculated.

@@ -151,38 +197,112 @@ Rosenpass uses two types of ID variables. See Figure \ref{img:HashingTree} for h

 The first lower-case character indicates whether the variable is a session ID (`sid`) or a peer ID (`pid`). The final character indicates the role using the characters `i`, `r`, `m`, or `t`, for `initiator`, `responder`, `mine`, or `theirs` respectively.

-### Symmetric Keys
-
-Rosenpass uses two symmetric key variables `psk` and `osk` in its interface, and maintains the entire handshake state in a variable called the chaining key.
+### Symmetric Keys {#symmetric-keys}

+Rosenpass uses two main symmetric key variables `psk` and `osk` in its interface, and maintains the entire handshake state in a variable called the chaining key.

 * `psk`: A pre-shared key that can be optionally supplied as input to Rosenpass.
-* `osk`: The output shared key, generated by Rosenpass and supplied to WireGuard for use as its pre-shared key.
-* `ck`: The chaining key.
+* `osk`: The output shared key, generated by Rosenpass. The main use case is to supply the key to WireGuard for use as its pre-shared key.
+* `ck`: The chaining key. This refers to various intermediate keys produced during the execution of the protocol, before the final `osk` is produced.

-We mix all key material (e.g. `psk`) into the chaining key, and derive symmetric keys such as `osk` from it. We authenticate public values by mixing them into the chaining key; in particular, we include the entire protocol transcript in the chaining key, i.e., all values transmitted over the network.
+We mix all key material (e.g. `psk`) into the chaining key and derive symmetric keys such as `osk` from it. We authenticate public values by mixing them into the chaining key; in particular, we include the entire protocol transcript in the chaining key, i.e., all values transmitted over the network.
+
+The protocol allows for multiple `osk`s to be generated; each of these keys is labeled with a domain separator to make sure different key usages are always given separate keys. The domain separator for using Rosenpass and WireGuard together is a token generated using the domain separator sequence `["rosenpass.eu", "wireguard psk"]` (see Fig. \ref{img:HashingTree}), as described in \ref{protocol-extension-wireguard-psk}. Third-parties using Rosenpass-keys for other purposes are asked to define their own protocol-extensions. Standard protocol extensions are described in \ref{protocol-extensions}.
+
+#### Symmetric Keys and Nonces for payload data transmission {#payload-keys}
+
+Keys generated by the Rosenpass key exchange could be used for encryption of payload data if post-quantum security but not hybrid post-quantum security is a goal. Despite this, we do not generally offer payload transmission in the protocol. Instead, the Rosenpass protocol focuses on providing a key exchange, letting external applications handle data transmission. When used with WireGuard, the default use case, this integration also ensures hybrid security.
+
+Still we specify the `Data` and `EmptyData` packets. `Data` is not used, but we still specify it as the same packet is also present in WireGuard. `EmptyData` is used for packet retransmission (see Sec. \ref{packet-loss}).
+
+We also specify how symmetric keys are generated for payload encryption. See Sec. {#live-session-state} and the function `enter_live()` (Sec. \ref{fn:enter_live}).
+
+Keys and nonces for this purpose use the following naming scheme:
+
+\begin{namepartpicture}
+\namepart{tx=Transmission,rx=Reception}
+\namepart[3.5cm]{k=Key,n=Nonce}
+\namepart[7cm]{i=Initiator,r=Responder,m=Mine,t=Theirs}
+\begin{scope}[decoration={brace,amplitude=5mm},thick]
+\namebraceright{tx}{rx}
+\namebraceleft{k}{n}
+\namebraceright{k}{n}
+\namebraceleft{i}{t}
+\end{scope}
+\end{namepartpicture}
+
+Note that this scheme is deliberately redundant. For instance, when we are the initiator, then `txki = rxki = txkm = rxkt`. I.e. the initiator's transmission key is the responder's reception key. Since we are the initiator, the initiator's transmission key is also the transmission key of `mine` and the reception key of `theirs`.
+
+There also is a -- now deprecated -- naming scheme:
+
+\begin{namepartpicture}
+\namepart{ini=Initiator,res=Responder,hs=Handshake}
+\SingleNamePart[3.5cm]{enc}{\textunderscore{}enc}{Encryption}
+\begin{scope}[decoration={brace,amplitude=5mm},thick]
+\namebraceright{ini}{hs}
+\namebraceleft{enc}{enc}
+\end{scope}
+\end{namepartpicture}
+
+`ini_enc = txki = rxkr` and `res_enc = txkr = rxki`, but this usage is deprecated. The third name `hs_enc` is for encryption as part of the key exchange itself; this name is still in use.
+
+### Labels
+
+Fig. \ref{img:HashingTree} specifies multiple domain separators for various uses.
+
+* `PROTOCOL` (`[0, PROTOCOL]`) – The global domain separator; used to generate more domain separators.
+
+Immediately below the global domain separator, you can find:
+
+* `"mac"` – Network package integrity verification and pre-authentication with `spkt`. See Sec. \ref{envelope-mac-field}.
+* `"cookie"` – Denial of Service mitigation through proof-of-ip ownership. See Sec. \ref{dos-mitigation}.
+* `"peer id"` – Generation of peer ids. See Sec. \ref{peer-ids}.
+* `"biscuit additional data"` – Storing the protocol state in encrypted cookies so the responder is stateless. See Sec. \ref{hs-state-and-biscuits}.
+* `"chaining key init"` – Starting point for the execution of the actual rosenpass protocol.
+* `"chaining key extract"` – Key derivation from the current protocol state, the chaining key. See Sec. \ref{symmetric-keys}.
+
+Below `"chaining key extract"`, there are multiple labels, generating domain separators for deriving keys for various purposes during the execution of the protocol.
+
+It is important to understand that there are two phases for these labels, e.g. applying the `"mix"` label produces a random fixed-size hash value we call `mix`. Not the label `"mix"` but the resulting hash value is used to derive keys during protocol execution. This allows us to use very complicated label structures for key derivation without losing efficiency.
+
+The different labels are:
+
+* `"mix"` – Mixing further values into the chaining key; i.e. into the protocol state.
+* `"user"` – Labels for external uses; these are what generate the `osk` (output shared key). See Sec. \ref{symmetric-keys}.
+* `"handshake encryption"` – Used when encrypting data using a shared key as part of the protocol execution; e.g. used to generate the `auth` (authentication tag) fields in protocol packages.
+* `"initiator handshake encryption"` and `"responder handshake encryption"` – For transmission of data after the key-exchange finishes. See Sec. \ref{symmetric-keys}.

 ## Hashes

 Rosenpass uses a cryptographic hash function for multiple purposes:

 * Computing the message authentication code in the message envelope as in WireGuard
-* Computing the cookie to guard against denial of service attacks. This is a feature adopted from WireGuard, but not yet included in the implementation of Rosenpass.
+* Computing the cookie to guard against denial of service attacks.
 * Computing the peer ID
 * Key derivation during and after the handshake
 * Computing the additional data for the biscuit encryption, to provide some privacy for its contents

+Recall from Section \ref{hash} that rosenpass supports using either BLAKE2b or SHAKE256 as hash function, which can be configured for each peer ID. However, as noted above, rosenpass uses a hash function to compute the peer ID and thus also to access the configuration for a peer ID. This is an issue when receiving an `InitHello`-message, because the correct hash function is not known when a responder receives this message and at the same the responders needs it in order to compute the peer ID and by that also identfy the hash function for that peer. The reference implementation resolves this issue by first trying to derive the peer ID using SHAKE256. If that does not work (i.e. leads to an AEAD decryption error), the reference implementation tries again with BLAKE2b. The reference implementation verifies that the hash function matches the one confgured for the peer. Similarly, if the correct peer ID is not cached when receiving an InitConf message, the reference implementation proceeds in the same manner.
+
 Using one hash function for multiple purposes can cause real-world security issues and even key recovery attacks [@oraclecloning]. We choose a tree-based domain separation scheme based on a keyed hash function – the previously introduced primitive `hash` – to make sure all our hash function calls can be seen as distinct.

 \setupimage{landscape,fullpage,label=img:HashingTree}
-![Rosenpass Hashing Tree](graphics/rosenpass-wp-hashing-tree-rgb.svg)
+![Rosenpass Hashing Tree](graphics/rosenpass-wp-hashing-tree.svg)

-Each tree node $\circ{}$ in Figure 3 represents the application of the keyed hash function, using the previous chaining key value as first parameter. The root of the tree is the zero key. In level one, the `PROTOCOL` identifier is applied to the zero key to generate a label unique across cryptographic protocols (unless the same label is deliberately used elsewhere). In level two, purpose identifiers are applied to the protocol label to generate labels to use with each separate hash function application within the Rosenpass protocol. The following layers contain the inputs used in each separate usage of the hash function: Beneath the identifiers `"mac"`, `"cookie"`, `"peer id"`, and `"biscuit additional data"` are hash functions or message authentication codes with a small number of inputs. The second, third, and fourth column in Figure 3 cover the long sequential branch beneath the identifier `"chaining key init"` representing the entire protocol execution, one column for each message processed during the handshake. The leaves beneath `"chaining key extract"` in the left column represent pseudo-random labels for use when extracting values from the chaining key during the protocol execution. These values such as `mix >` appear as outputs in the left column, and then as inputs `< mix` in the other three columns.
+Each tree node $\circ{}$ in Figure \ref{img:HashingTree} represents the application of the keyed hash function, using the previous chaining key value as first parameter. The root of the tree is the zero key. In level one, the `PROTOCOL` identifier is applied to the zero key to generate a label unique across cryptographic protocols (unless the same label is deliberately used elsewhere). In level two, purpose identifiers are applied to the protocol label to generate labels to use with each separate hash function application within the Rosenpass protocol. The following layers contain the inputs used in each separate usage of the hash function: Beneath the identifiers `"mac"`, `"cookie"`, `"peer id"`, and `"biscuit additional data"` are hash functions or message authentication codes with a small number of inputs. The second, third, and fourth column in Figure \ref{img:HashingTree} cover the long sequential branch beneath the identifier `"chaining key init"` representing the entire protocol execution, one column for each message processed during the handshake. The leaves beneath `"chaining key extract"` in the left column represent pseudo-random labels for use when extracting values from the chaining key during the protocol execution. These values such as `mix >` appear as outputs in the left column, and then as inputs `< mix` in the other three columns.

-The protocol identifier is defined as follows:
+The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2b [@rfc_blake2] is used:

 ```pseudorust
-PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 hash=blake2s ekem=kyber512 skem=mceliece460896 xaead=xchachapoly1305"
+PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 BLAKE2s"
+```
+Note that the domain separator used here maintains that BLAKE2s is used, while in
+reality, we use BLAKE2b. The reason for this is an implementation error. Since fixing this would have led to a breaking change in the Rosenpass reference implementation, and all other known implementations of Rosenpass simply reproduced this error, we chose to harmonize the white paper with the implementation instead of fixing the implementation.
+
+If SHAKE256 [@SHAKE256] is used, then `BLAKE2s` is substituted with `SHAKE256`:
+
+```pseudorust
+PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 SHAKE256"
 ```

 Since every tree node represents a sequence of `hash` calls, the node beneath `"handshake encryption"` called `hs_enc` can be written as follows:
@@ -209,7 +329,7 @@ hs_enc = hash(hash(hash(0, PROTOCOL), "chaining key extract"), "handshake encryp
       = lhash("chaining key extract", "handshake encryption")
 ```

-## Server State
+## Rosenpass Server State

 ### Global

@@ -233,8 +353,9 @@ For each peer, the server stores:
 * `psk` – The pre-shared key used with the peer
 * `spkt` – The peer's public key
 * `biscuit_used` – The `biscuit_no` from the last biscuit accepted for the peer as part of InitConf processing
+* `hash_function` – The hash function, SHAKE256 or BLAKE2b, used with the peer.

-### Handshake State and Biscuits
+### Handshake State and Biscuits {#hs-state-and-biscuits}

 The initiator stores the following local state for each ongoing handshake:

@@ -255,9 +376,13 @@ The responder stores no state. While the responder has access to all of the abov

 The biscuit is encrypted with the `XAEAD` primitive and a randomly chosen nonce. The values `sidi` and `sidr` are transmitted publicly as part of InitConf, so they do not need to be present in the biscuit, but they are added to the biscuit's additional data to make sure the correct values are transmitted as part of InitConf.

-The `biscuit_key` used to encrypt biscuits should be rotated every two minutes. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when `biscuit_key` is rotated.
+The `biscuit_key` used to encrypt biscuits should be rotated frequently. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when `biscuit_key` is rotated. The Rosenpass reference implementation retires biscuits after five minutes and erases them after ten.

-### Live Session State
+### Live Session State {#live-session-state}
+
+These variables are used after the handshake terminates for encryption of the \textbf{Data} and \textbf{EmptyData} packages.
+\textbf{EmptyData} is used as an acknowledgement package to terminate package retransmission (see Sec. \ref{packet-loss}).
+\textbf{Data} would be used for transmission of actual payload, but this feature is currently not specified for Rosenpass. Despite this, we do specify the however as it is also part of WireGuard.

 * `ck` – The chaining key
 * `sidm` – Our session ID (“mine”)
@@ -267,6 +392,13 @@ The `biscuit_key` used to encrypt biscuits should be rotated every two minutes.
 * `txkt` – Peer's transmission key
 * `txnt` – Peer's transmission nonce

+## Protocol Code {#functions}
+
+The main reference for how messages are processed in the Rosenpass protocol can be found in Fig. \ref{img:HandlingCode}. The figure uses Rust-like pseudo code.
+
+\setupimage{landscape,fullpage,label=img:HandlingCode}
+![Rosenpass Message Handling Code](graphics/rosenpass-wp-message-handling-code.svg)
+
 ## Helper Functions {#functions}

 Given the peer ID, look up the peer and load the peer's variables.
@@ -283,7 +415,7 @@ fn lookup_session(sid);

 The protocol framework used by Rosenpass allows arbitrarily many different keys to be extracted using labels for each key. The `extract_key` function is used to derive protocol-internal keys, its labels are under the “chaining key extract” node in Figure \ref{img:HashingTree}. The export key function is used to export application keys.

-Third-party applications using the protocol are supposed to choose a unique label (e.g., their domain name) and use that as their own namespace for custom labels. The Rosenpass project itself uses the “rosenpass.eu” namespace.
+Third-party applications using the protocol are supposed to define a protocol extension (see \ref{protocol-extensions}) and choose a globally unique label, such as their domain name for custom labels of their own. The Rosenpass project itself uses the `["rosenpass.eu"]` namespace in the WireGuard PSK protocol extension (see \ref{protocol-extension-wireguard-psk}).

 Applications can cache or statically compile the pseudo-random label values into their binary to improve performance.

@@ -337,13 +469,13 @@ Rosenpass is built with KEMs, not with NIKEs (Diffie-Hellman-style operations);
 ```pseudorust
 fn encaps_and_mix<T: KEM>(pk) {
    let (ct, shk) = T::enc(pk);
-    mix(pk, ct, shk);
+    mix(pk, shk, ct);
    ct
 }

 fn decaps_and_mix<T: KEM>(sk, pk, ct) {
    let shk = T::dec(sk, ct);
-    mix(pk, ct, shk);
+    mix(pk, shk, ct);
 }
 ```

@@ -365,40 +497,40 @@ fn store_biscuit() {
      "biscuit additional data",
      spkr, sidi, sidr);
    let ct = XAEAD::enc(k, n, pt, ad);
-    let nct = concat(n, ct);
+    let biscuit_ct = concat(n, ct);

-    mix(nct)
-    nct
+    mix(biscuit_ct)
+    biscuit_ct
 }
 ```
-Note that the `mix(nct)` call updates the chaining key, but that update does not make it into the biscuit. Therefore, `mix(nct)` is reapplied in `load_biscuit`. The responder handshake code also needs to reapply any other operations modifying `ck` after calling `store_biscuit`. The handshake code on the initiator's side also needs to call `mix(nct)`.
+Note that the `mix(biscuit_ct)` call updates the chaining key, but that update does not make it into the biscuit. Therefore, `mix(biscuit_ct)` is reapplied in `load_biscuit`. The responder handshake code also needs to reapply any other operations modifying `ck` after calling `store_biscuit`. The handshake code on the initiator's side also needs to call `mix(biscuit_ct)`.


 ```pseudorust
-fn load_biscuit(nct) {
+fn load_biscuit(biscuit_ct) {
    // Decrypt the biscuit
    let k = biscuit_key;
-    let (n, ct) = nct;
+    let concat(n, ct) = biscuit_ct;
    let ad = lhash(
      "biscuit additional data",
      spkr, sidi, sidr);
    let pt : Biscuit = XAEAD::dec(k, n, ct, ad);

    // Find the peer and apply retransmission protection
-    lookup_peer(pt.peerid);
+    lookup_peer(pt.pidi);

-    // In December 2024, the InitConf retransmission mechanisim was redesigned
+    // In December 2024, the InitConf retransmission mechanism was redesigned
    // in a backwards-compatible way. See the changelog.
-    // 
+    //
    // -- 2024-11-30, Karolin Varner
    if (protocol_version!(< "0.3.0")) {
        // Ensure that the biscuit is used only once
-        assert(pt.biscuit_no <= peer.biscuit_used);
+        assert(pt.biscuit_no >= peer.biscuit_used);
    }

    // Restore the chaining key
    ck ← pt.ck;
-    mix(nct);
+    mix(biscuit_ct);

    // Expose the biscuit no,
    // so the handshake code can differentiate
@@ -407,6 +539,8 @@ fn load_biscuit(nct) {
 }
 ```

+\phantomsection\label{fn:enter_live}
+
 Entering the live session is very simple in Rosenpass – we just use `extract_key` with dedicated identifiers to derive initiator and responder keys.

 ```pseudorust
@@ -415,6 +549,18 @@ fn enter_live() {
    txkr ← extract_key("responder payload encryption");
    txnm ← 0;
    txnt ← 0;
+
+    // Setup output keys for protocol extensions such as the
+    // WireGuard PSK protocol extension.
+    setup_osks();
+}
+```
+
+The final step `setup_osks()` can be defined by protocol extensions (see \ref{protocol-extensions}) to set up `osk`s for custom use cases. By default, the WireGuard PSK (see \ref{protocol-extension-wireguard-psk}) is active.
+
+```pseudorust
+fn setup_osks() {
+    ... // Defined by protocol extensions
 }
 ```

@@ -440,30 +586,32 @@ The responder code handling InitConf needs to deal with the biscuits and package

 ICR5 and ICR6 perform biscuit replay protection using the biscuit number. This is not handled in `load_biscuit()` itself because there is the case that `biscuit_no = biscuit_used` which needs to be dealt with for retransmission handling.

-### Denial of Service Mitigation and Cookies
+### Denial of Service Mitigation and Cookies {#dos-mitigation}

-Rosenpass derives its cookie-based DoS mitigation technique for a responder when receiving InitHello messages from Wireguard [@wg]. 
+Rosenpass derives its cookie-based DoS mitigation technique for a responder when receiving InitHello messages from WireGuard [@wg].
+
+**This is currently implemented in the Rosenpass implementation but still considered an experimental feature and not enabled by default.**

 When the responder is under load, it may choose to not process further InitHello handshake messages, but instead to respond with a cookie reply message (see Figure \ref{img:MessageTypes}).

-The sender of the exchange then uses this cookie in order to resend the message and have it accepted the following time by the reciever. 
+The sender of the exchange then uses this cookie in order to resend the message and have it accepted the following time by the receiver.

 For an initiator, Rosenpass ignores all messages when under load.

 #### Cookie Reply Message

-The cookie reply message is sent by the responder on receiving an InitHello message when under load. It consists of the `sidi` of the initiator, a random 24-byte bitstring `nonce` and encrypting `cookie_value` into a `cookie_encrypted` reply field which consists of the following:
+The cookie reply message is sent by the responder on receiving an InitHello message when under load. It consists of the `sidi` of the initiator, a random 24-byte bitstring `nonce` and encrypting `cookie_value` into a `cookie_encrypted` reply field, which consists of the following:

 ```pseudorust
 cookie_value = lhash("cookie-value", cookie_secret, initiator_host_info)[0..16]
 cookie_encrypted = XAEAD(lhash("cookie-key", spkm), nonce, cookie_value, mac_peer)
 ```

-where `cookie_secret` is a secret variable that changes every two minutes to a random value. `initiator_host_info` is used to identify the initiator host, and is implementation-specific for the client. This paramaters used to identify the host must be carefully chosen to ensure there is a unique mapping, especially when using IPv4 and IPv6 addresses to identify the host (such as taking care of IPv6 link-local addresses). `cookie_value` is a truncated 16 byte value from the above hash operation. `mac_peer` is the `mac` field of the peer's handshake message to which message is the reply.  
+where `cookie_secret` is a secret variable that changes every two minutes to a random value. Moreover, `lhash` is always instantiated with SHAKE256 when computing `cookie_value` for compatability reasons.  `initiator_host_info` is used to identify the initiator host, and is implementation-specific for the client. This paramaters used to identify the host must be carefully chosen to ensure there is a unique mapping, especially when using IPv4 and IPv6 addresses to identify the host (such as taking care of IPv6 link-local addresses). `cookie_value` is a truncated 16 byte value from the above hash operation. `mac_peer` is the `mac` field of the peer's handshake message to which message is the reply.

-#### Envelope `mac` Field
+#### Envelope `mac` Field {#envelope-mac-field}

-Similar to `mac.1` in Wireguard handshake messages, the `mac` field of a Rosenpass envelope from a handshake packet sender's point of view consists of the following:
+Similar to `mac.1` in WireGuard handshake messages, the `mac` field of a Rosenpass envelope from a handshake packet sender's point of view consists of the following:

 ```pseudorust
 mac = lhash("mac", spkt, MAC_WIRE_DATA)[0..16]
@@ -486,27 +634,27 @@ else {
 }
 ```

-Here, `seconds_since_update(peer.cookie_value)` is the amount of time in seconds ellapsed since last cookie was received, and `COOKIE_WIRE_DATA` are the message contents of all bytes of the retransmitted message prior to the `cookie` field.
+Here, `seconds_since_update(peer.cookie_value)` is the amount of time in seconds elapsed since last cookie was received, and `COOKIE_WIRE_DATA` are the message contents of all bytes of the retransmitted message prior to the `cookie` field.

 The inititator can use an invalid value for the `cookie` value, when the responder is not under load, and the responder must ignore this value.
-However, when the responder is under load, it may reject InitHello messages with the invalid `cookie` value, and issue a cookie reply message. 
+However, when the responder is under load, it may reject InitHello messages with the invalid `cookie` value, and issue a cookie reply message.

 ### Conditions to trigger DoS Mechanism

 This whitepaper does not mandate any specific mechanism to detect responder contention (also mentioned as the under load condition) that would trigger use of the cookie mechanism.

-For the reference implemenation, Rosenpass has derived inspiration from the linux implementation of Wireguard.  This implementation suggests that the reciever keep track of the number of messages it is processing at a given time. 
+For the reference implemenation, Rosenpass has derived inspiration from the Linux implementation of WireGuard.  This implementation suggests that the receiver keep track of the number of messages it is processing at a given time.

-On receiving an incoming message, if the length of the message queue to be processed exceeds a threshold `MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD`, the client is considered under load and its state is stored as under load. In addition, the timestamp of this instant when the client was last under load is stored. When recieving subsequent messages, if the client is still in an under load state, the client will check if the time ellpased since the client was last under load has exceeded `LAST_UNDER_LOAD_WINDOW` seconds. If this is the case, the client will update its state to normal operation, and process the message in a normal fashion.
+On receiving an incoming message, if the length of the message queue to be processed exceeds a threshold `MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD`, the client is considered under load and its state is stored as under load. In addition, the timestamp of this instant when the client was last under load is stored. When recieving subsequent messages, if the client is still in an under load state, the client will check if the time elapsed since the client was last under load has exceeded `LAST_UNDER_LOAD_WINDOW` seconds. If this is the case, the client will update its state to normal operation, and process the message in a normal fashion.

-Currently, the following constants are derived from the Linux kernel implementation of Wireguard:
+Currently, the following constants are derived from the Linux kernel implementation of WireGuard:

 ```pseudorust
 MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD = 4096
 LAST_UNDER_LOAD_WINDOW = 1 //seconds
 ```

-## Dealing with Packet Loss
+## Dealing with Packet Loss {#packet-loss}

 The initiator deals with packet loss by storing the messages it sends to the responder and retransmitting them in randomized, exponentially increasing intervals until they get a response. Receiving RespHello terminates retransmission of InitHello. A Data or EmptyData message serves as acknowledgement of receiving InitConf and terminates its retransmission.

@@ -514,25 +662,457 @@ The responder uses less complex form of the same mechanism: The responder never

 ### Interaction with cookie reply system

-The cookie reply system does not interfere with the retransmission logic discussed above. 
+The cookie reply system does not interfere with the retransmission logic discussed above.

 When the initator is under load, it will ignore processing any incoming messages.

-When a responder is under load and it receives an InitHello handshake message, the InitHello message will be discarded and a cookie reply message is sent. The initiator, then on the reciept of the cookie reply message, will store a decrypted `cookie_value` to set the `cookie` field to subsequently sent messages. As per the retransmission mechanism above, the initiator will send a retransmitted InitHello message with a valid `cookie` value appended. On receiving the retransmitted handshake message, the responder will validate the `cookie` value and resume with the handshake process. 
+When a responder is under load and it receives an InitHello handshake message, the InitHello message will be discarded and a cookie reply message is sent. The initiator, then on the reciept of the cookie reply message, will store a decrypted `cookie_value` to set the `cookie` field to subsequently sent messages. As per the retransmission mechanism above, the initiator will send a retransmitted InitHello message with a valid `cookie` value appended. On receiving the retransmitted handshake message, the responder will validate the `cookie` value and resume with the handshake process.

 When the responder is under load and it recieves an InitConf message, the message will be directly processed without checking the validity of the cookie field.

+## Timers
+
+The Rosenpass protocol uses various timer-triggered events during its operation. This section provides a listing of the timers used and gives the values used in the reference implementation. Other implementations may choose different values.
+
+### Rekeying
+
+Period after which the previous responder starts a new handshake in initiator role; period after which the previous initiator starts a new handshake in initiator role again; period after which a peer rejects an existing shared key.
+
+```pseudorust
+REKEY_AFTER_TIME_RESPONDER = 120s
+REKEY_AFTER_TIME_INITIATOR = 130s
+REJECT_AFTER_TIME = 180s
+```
+
+### Biscuits
+
+Period after which the biscuit key is rotated.
+
+```pseudorust
+BISCUIT_EPOCH = 300s
+```
+
+### Retransmission
+
+Delay after which all retransmission attempts are aborted; exponential backoff factor for retransmission delay; initial (minimum) retransmission delay; final (maximum) retransmission delay; retransmission jitter/variance factor.
+
+```pseudorust
+RETRANSMIT_ABORT        = 120s
+RETRANSMIT_DELAY_GROWTH = 2
+RETRANSMIT_DELAY_BEGIN  = 500ms
+RETRANSMIT_DELAY_END    = 10s
+RETRANSMIT_DELAY_JITTER = 0.5
+```
+
+# Protocol extensions {#protocol-extensions}
+
+The main extension point for the Rosenpass protocol is to generate `osk`s (speak output shared keys, see Sec. \ref{symmetric-keys}) for purposes other than using them to secure WireGuard. By default, the Rosenpass application generates keys for the WireGuard PSK (see \ref{protocol-extension-wireguard-psk}). It would not be impossible to use the keys generated for WireGuard in other use cases, but this might lead to attacks[@oraclecloning]. Specifying a custom protocol extension in practice just means settling on alternative domain separators (see Sec. \ref{symmetric-keys}, Fig. \ref{img:HashingTree}).
+
+## Using custom domain separators in the Rosenpass application
+
+The Rosenpass application supports protocol extensions to change the OSK domain separator without modification of the source code.
+
+The following example configuration file can be used to execute Rosenpass in outfile mode with custom domain separators.
+In this mode, the Rosenpass application will write keys to the file specified with `key_out` and send notifications when new keys are exchanged via standard out.
+This can be used to embed Rosenpass into third-party application.
+
+```toml
+# peer-a.toml
+public_key = "peer-a.pk"
+secret_key = "peer-a.sk"
+listen = ["[::1]:6789"]
+verbosity = "Verbose"
+
+[[peers]]
+public_key = "peer-b.pk"
+key_out = "peer-a.osk" # path to store the key
+osk_organization = "myorg.com"
+osk_label = ["My Custom Messenger app", "Backend VPN Example Subusecase"]
+```
+
+## Extension: WireGuard PSK {#protocol-extension-wireguard-psk}
+
+The WireGuard PSK protocol extension is active by default; this is the mode where Rosenpass is used to provide post-quantum security for WireGuard. Hybrid security (i.e. redundant pre-quantum and post-quantum security) is achieved because WireGuard provides pre-quantum security, with or without Rosenpass.
+
+This extension uses the `"rosenpass.eu"` namespace for user-labels and specifies a single additional user-label:
+
+* `["rosenpass.eu", "wireguard psk"]`
+
+The label's full domain separator is
+
+* `[PROTOCOL, "user", "rosenpass.eu", "wireguard psk"]`
+
+and can be seen in Figure \ref{img:HashingTree}.
+
+We require two extra per-peer configuration variables:
+
+* `wireguard_interface` — Name of a local network interface. Identifies local WireGuard interface we are supplying a PSK to.
+* `wireguard_peer` — A WireGuard public key. Identifies the particular WireGuard peer whose connection we are supplying PSKs for.
+
+When creating the WireGuard interface for use with Rosenpass, the PSK used by WireGuard must be initialized to a random value; otherwise, WireGuard can establish an insecure key before Rosenpass had a change to exchange its own key.
+
+```pseudorust
+fn on_wireguard_setup() {
+    // We use a random PSK to make sure the other side will never
+    // have a matching PSK when the WireGuard interface is created.
+    //
+    // Never use a fixed value here as this would lead to an attack!
+    let fake_wireguard_psk = random_key();
+
+    // How the interface is create
+    let wg_peer = WireGuard::setup_peer()
+        .public_key(wireguard_peer)
+        ... // Supply any custom peerconfiguration
+        .psk(fake_wireguard_psk);
+
+    // The random PSK must be supplied before the
+    // WireGuard interface comes up
+    WireGuard::setup_interface()
+        .name(wireguard_interface)
+        ... // Supply any custom configuration
+        .add_peer(wg_peer)
+        .create();
+}
+```
+
+Every time a key is successfully negotiated, we upload the key to WireGuard.
+For this protocol extension, the `setup_osks()` function is thus defined as:
+
+```pseudorust
+fn setup_osks() {
+    // Generate WireGuard OSK (output shared key) from Rosenpass'
+    // perspective, respectively the PSK (preshared key) from
+    // WireGuard's perspective
+    let wireguard_psk = export_key("rosenpass.eu", "wireguard psk");
+
+    /// Supply the PSK to WireGuard
+    WireGuard::get_interface(wireguard_interface)
+        .get_peer(wireguard_peer)
+        .set_psk(wireguard_psk);
+}
+```
+
+The Rosenpass protocol uses key renegotiation, just like WireGuard.
+If no new `osk` is produced within a set amount of time, the OSK generated by Rosenpass times out.
+In this case, the WireGuard PSK must be overwritten with a random key.
+This interaction is visualized in Figure \ref{img:ExtWireguardPSKHybridSecurity}.
+
+```pseudorust
+fn on_key_timeout() {
+    // Generate a random – deliberately invalid – WireGuard PSK.
+    // Never use a fixed value here as this would lead to an attack!
+    let fake_wireguard_psk = random_key();
+
+    // Securely erase the PSK currently used by WireGuard by
+    // overwriting it with the fake key we just generated.
+    WireGuard::get_interface(wireguard_interface)
+        .get_peer(wireguard_peer)
+        .set_psk(fake_wireguard_psk);
+}
+```
+
+\begin{minipage}{\textwidth}
+\setupimage{label=img:ExtWireguardPSKHybridSecurity,fullpage}
+![Rosenpass + WireGuard: Hybrid Security](graphics/rosenpass-wireguard-hybrid-security.pdf)
+\end{minipage}
+
+# Errata {#errata}
+
+## Incorrect HMAC, Hash Function Choice {#incorrect-hmac}
+
+Initially, we chose to use `HMAC+BLAKE2s` for our message authentication code, mostly as a form of cargo cult. WireGuard used BLAKE2s, so we should use it too. BLAKE2 supports a directly keyed mode, so there is not much reason to prefer rolling your own using HMAC from a security standpoint.
+
+It seems likely that WireGuard used HMAC as a heuristic security measure. Message authentication codes, keyed hash functions, had long been constructed by combining HMAC with a hash function; why change that? And there actually is a good reason to use HMAC: Merkle-Damgard constructions have long been the norm for hash functions; their usage was even standardized as MD5 or SHA-2. But Merkle-Damgard constructions are susceptible to extension attacks, where you can calculate `H(message || suffix)` assuming `H(message)` is known to you. HMAC fixes this issue[@boneh_shoup_graduate][@hmac].
+
+
+But SHA-3 (or SHAKE) and BLAKE2 depart from this long-standing status quo: these hash functions are not based on Merkle-Damgard and they are deliberately designed so they are not susceptible to length extension attacks. On top of this, both schemes provide a keyed mode as a feature of the hash function. At this point it makes much more sense to require a keyed hash function, satisfying the PRF ("pseudo random function") security property and the PRF-SWAP security property[@pqwg] instead of building our own keyed hash from a hash function. HMAC can still be used; if someone wanted to operate Rosenpass with SHA2, the best way to do it would be using `HMAC-SHA512` as the underlying keyed hash. We just also allow using `SHAKE256` without an extra application of HMAC.
+
+Unfortunately, there were a couple of errors in the implementation: we should have used BLAKE2s like WireGuard; instead, we used BLAKE2b. We should have implemented HMAC properly, but we failed to do so. For a fixed-length, 32 byte key and a 32 byte block size, the HMAC function is specified as:
+
+```pseudorust
+type Key = [u8; 32];
+type HashFunction = Fn(&[u8]) -> Key;
+
+const INNER_PAD: [u8; KEY_LEN] = [0x36u8; KEY_LEN];
+const OUTER_PAD: [u8; KEY_LEN] = [0x5Cu8; KEY_LEN];
+
+fn hmac<Hash: HashFunction>(h: Hash, key: Key, data: &[u8]) -> Key {
+    // `^` denotes XOR, `||` denotes concatenation
+
+    let inner_key = key ^ INNER_PAD; 
+    let outer_key = key ^ OUTER_PAD;
+
+    let inner_hash = h(inner_key || data);
+    let outer_hash = h(outer_key || inner_hash);
+
+    return outer_hash;
+} 
+```
+
+Instead of implementing this function, we somehow lost track of the fact that HMAC uses concatenation to combine the keys with its data, and instead we built a construction around BLAKE2b in keyed hash mode. That is, we replaced the concatenation with calls to the keyed version of our hash:
+
+```pseudorust
+type Key = [u8; 32];
+type KeyedHashFunction = Fn(Key, &[u8]) -> Key;
+
+const INNER_PAD: [u8; KEY_LEN] = [0x36u8; KEY_LEN];
+const OUTER_PAD: [u8; KEY_LEN] = [0x5Cu8; KEY_LEN];
+
+fn incorrect_rosenpass_hmac<KeyedHash: KeyedHashFunction>(kh: KeyedHashFunction, key: Key, data: &[u8]) -> Key {
+    // `^` denotes XOR, `||` denotes concatenation
+
+    let inner_key = key ^ INNER_PAD; 
+    let outer_key = key ^ OUTER_PAD;
+
+    let inner_hash = kh(inner_key, data);
+    let outer_hash = kh(outer_key, inner_hash);
+
+    return outer_hash;
+} 
+```
+
+We therefore add this section explaining our incorrect HMAC usage to harmonize the white paper with the implementation.
+To ensure compatibility with the existing versions of Rosenpass, you have to replicate this incorrect variant of HMAC.
+
+Neither mistake is assumed to cause security issues. BLAKE2b is a secure hash function.
+There is no reason to assume that our incorrect variant of HMAC-BLAKE2b would be insecure; it is, however, non-standard and needlessly complicates the protocol. We are therefore phasing out usage of HMAC-BLAKE2b in favor of us using SHAKE256 as our keyed hash of choice.
+
 # Changelog

 ### 0.3.x

+#### 2025-08-10 – Applying fixes from Steffen Vogel proof reading of the whitepaper
+
+\vspace{0.5em}
+
+Author: Karolin varner
+
+Issue: [#68](https://github.com/rosenpass/rosenpass/issues/68)
+
+PR: [#664](https://github.com/rosenpass/rosenpass/)
+
+\vspace{0.5em}
+
+Early in the project lifetime, Steffen Vogel successfully implemented a [port of the Rosenpass protocol in [go](https://github.com/cunicu/go-rosenpass).
+This implementation has not received an in-depth review from a cryptography implementation perspective, which is why we (the Rosenpass project) are not yet recommending this implementation for production usage;
+still, creating this implementation was a great achievement.
+
+During the process, Steffen discovered a large number of possible improvements for the whitepaper. With this update, we are addressing those issues.
+
+This process also ensures that the world knows, that I have ADHD and makes me fix all the little mistakes I could not spot even on the seventh review of the whitepaper.
+
+Changes, in particular:
+
+1. Added a comprehensive reference about labels used in the protocol
+2. Added a comprehensive reference about symmetric keys and nonces used for encryption/decryption (`txki`, `txni`, `ini_enc`, `hs_enc`, …)
+3. Added a comprehensive reference about packages used.
+4. Added an explaining paragraph to section "Live Session State".
+5. Added a section about protocol roles.
+6. Brief section about endianness.
+7. In Fig. 5: Rosenpass Message Handling Code; in IHR5 we replace
+
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        decaps_and_mix<SKEM>(sskr, spkr, ct1)
+        \end{minted}
+    \end{quote}
+
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        decaps_and_mix<SKEM>(sskr, spkr, sctr)
+        \end{minted}
+    \end{quote}
+    ```
+
+8. In `load_biscuit()`, there was a typo doing an incorrect comparison between `biscuit_no` and `biscuit_used`. This is not a security issue, as a verbatim implementation would simply have lead to a non-functional implementation. We replace
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        assert(pt.biscuit_no <= peer.biscuit_used);
+        \end{minted}
+    \end{quote}
+
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        assert(pt.biscuit_no >= peer.biscuit_used);
+        \end{minted}
+    \end{quote}
+    ```
+
+9. In the whitepaper we used the labels `"initiator session encryption"` and `"responder session encryption"`, but in the implementation we used `"initiator handshake encryption"` and `"responder handshake encryption"`. While the whitepaper was correct and the implementation was not, we opt to harmonize the whitepaper with the implementation to avoid a breaking change.
+10. The protocol strings used in the whitepaper where different to the ones used in the implementation. We harmonize the two by updating the whitepaper to reflect the protocol identifier used in the implementation. We substitute
+
+    ``` {=tex}
+    \begin{quote}
+        The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s is used:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 hash=blake2s ekem=kyber512 skem=mceliece460896 xaead=xchachapoly1305"
+        \end{minted}
+
+        If SHAKE256 is used, \texttt{blake2s} is replaced by \texttt{shake256} in \texttt{PROTOCOL}.
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s is used:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 BLAKE2s"
+        \end{minted}
+
+        If SHAKE256 is used, then \texttt{BLAKE2s} is substituted with \texttt{SHAKE256}:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 SHAKE256"
+        \end{minted}
+    \end{quote}
+    ```
+11. The whitepaper stated that Rosenpass uses BLAKE2s, while the implementation used BLAKE2b; we update the whitepaper to reflect that reality. The places where this substitution happened are a bit too numerous to count them all here. On top of this, we added the following paragraph to explain the discrepancy between `PROTOCOL` and actual hash function used:
+    ``` {=tex}
+    \begin{quote}
+    Note that the domain separator used here maintains that BLAKE2s is used, while in
+    reality, we use BLAKE2b. The reason for this is an implementation error. Since fixing this would have led to a breaking change in the Rosenpass reference implementation, and all other known implementations of Rosenpass simply reproduced this error, we chose to harmonize the white paper with the implementation instead of fixing the implementation.
+    \end{quote}
+    ```
+12. Added a section to explain and specify our incorrect implementation of HMAC-BLAKE2b.
+13. In `encaps_and_mix()`/`decaps_and_mix()` the whitepaper stated that public key, ciphertext, and shared key are mixed into the chaining key in that order, but the implementation used a different order: public key, shared key, and ciphertext (shared key and ciphertext are swapped). We harmonize the white paper with the implementation.
+14. In the white paper, in package `RespHello` the field `auth` was indicated to come after `biscuit`, but in the implementation, `auth` came first and `biscuit` was last. The semantics of how fields in Rosenpass messages are processed generally demand that fields are processed in the order they appear in the message, so having `biscuit` first and `auth` second—as was done in the white paper—would be correct; still, we harmonize the white paper with the implementation.
+15. Fix a discrepancy with regard to biscuit key life times.
+
+    ``` {=tex}
+    \begin{quote}
+    The \texttt{biscuit\textunderscore{}key} used to encrypt biscuits should be rotated every two minutes. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when \texttt{biscuit\textunderscore{}key} is rotated.
+    \end{quote}
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+    The \texttt{biscuit\textunderscore{}key} used to encrypt biscuits should be rotated frequently. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when \texttt{biscuit\textunderscore{}key} is rotated. The Rosenpass reference implementation retires biscuits after five minutes and erases them after ten.
+    \end{quote}
+    ```
+16. Point out explicitly that we use KEMs from NIST-Competition Round 3. Include links to the competition submission packages. Update citations to reflect the exact specification version.
+17. Consistent naming convention. Always use the term `secret key`, never  `private key`.
+18. `pidiC` -> `pidi_ct`; to make it clearer that this is a cipher text
+19. Where we refer to the biscuit ciphertext, we now use the term `biscuit_ct`. Previously we had used various variable names such as `nct` (nonce followed by cipher text) or just plain `biscuit`.
+20. In `load_biscuit`, we make it clear that destructuring of `biscuit_ct` destructures a concatenation.
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        let (n, ct) = biscuit_ct;
+        \end{minted}
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        let concat(n, ct) = biscuit_ct;
+        \end{minted}
+    \end{quote}
+    ```
+21. Added a section about timers used in the Rosenpass protocol
+
+Additional changes (also motivated by a close review, but not reported by Steffen):
+
+1. Fig. 2 "Rosenpass Message Types", CookieReply package. Renamed the length sum from payload to package.
+2. Fig. 2 "Rosenpass Message Types", Envelope package. Renamed the length sum from envelope to package.
+3. In `load_biscuit()` fix a naming typo:
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        lookup_peer(pt.peerid);
+        \end{minted}
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        lookup_peer(pt.pidi);
+        \end{minted}
+    \end{quote}
+    ```
+4. Remove reference to the proof-of-IP-ownership-based DoS mitigation feature not being implemented. Add a notice, that the feature is currently experimental.
+5. Fixed a few typos and capitalization issues
+
+#### 2025-06-24 – Specifying the `osk` used for WireGuard as a protocol extension
+
+\vspace{0.5em}
+
+Author: Karolin varner
+
+PR: [#664](https://github.com/rosenpass/rosenpass/pull/664)
+
+\vspace{0.5em}
+
+We introduce the concept of protocol extensions to make the option of using Rosenpass for purposes other than encrypting WireGuard more explicit. This captures the status-quo in a better way and does not constitute a functional change of the protocol.
+
+When we designed the Rosenpass protocol, we built it with support for alternative `osk`-labels in mind.
+This is why we specified the domain separator for the `osk` to be `[PROTOCOL, "user", "rosenpass.eu", "wireguard psk"]`.
+By choosing alternative values for the namespace (e.g. `"myorg.eu"` instead of `"rosenpass.eu`) and the label (e.g. `"MyApp Symmetric Encryption"`), the protocol could easily accommodate alternative usage scenarios.
+
+By introducing the concept of protocol extensions, we make this possibility explicit.
+
+1. Reworded the abstract to make it clearer that Rosenpass can be used for other purposes than to secure WireGuard
+2. Reworded Section Symmetric Keys, adding references to the new section on protocol extension
+3. Added a `setup_osks()` function in section Hashes, to make the reference to protocol extensions explicit
+4. Added a new section on protocol extensions and the standard extension for using Rosenpass with WireGuard
+5. Added a new graphic to showcase how Rosenpass and WireGuard interact
+5. Minor formatting and intra-document references fixes
+
+#### 2025-05-22 - SHAKE256 keyed hash
+\vspace{0.5em}
+
+Author: David Niehues
+
+PR: [#653](https://github.com/rosenpass/rosenpass/pull/653)
+
+\vspace{0.5em}
+
+We document the support for SHAKE256 with prepended key as an alternative to BLAKE2s with HMAC.
+
+Previously, BLAKE2s with HMAC was the only supported keyed hash function. Recently, SHAKE256 was added as an option. SHAKE256 is used as a keyed hash function by prepending the key to the variable-length data and then evaluating SHAKE256.
+In order to maintain compatablity without introducing an explcit version number in the protocol messages, SHAKE256 is truncated to 32 bytes. In the update to the whitepaper, we explain where and how SHAKE256 is used. That is:
+
+1. We explain that SHAKE256 or BLAKE2s can be configured to be used on a peer basis.
+2. We explain under which circumstances, the reference implementation tries both hash functions for messages in order to determine the correct hash function.
+3. We document that the cookie mechanism always uses SHAKE256.
+
+
 #### 2024-10-30 – InitConf retransmission updates

 \vspace{0.5em}

-Author: Karolin Varner  
-Issue: [#331](https://github.com/rosenpass/rosenpass/issues/331)  
-PR: [#513](https://github.com/rosenpass/rosenpass/pull/513)  
+Author: Karolin Varner
+
+Issue: [#331](https://github.com/rosenpass/rosenpass/issues/331)
+
+PR: [#513](https://github.com/rosenpass/rosenpass/pull/513)

 \vspace{0.5em}

@@ -550,7 +1130,7 @@ By removing all retransmission handling code from the cryptographic protocol, we
        The responder does not need to do anything special to handle RespHello retransmission – if the RespHello package is lost, the initiator retransmits InitHello and the responder can generate another RespHello package from that. InitConf retransmission needs to be handled specifically in the responder code because accepting an InitConf retransmission would reset the live session including the nonce counter, which would cause nonce reuse. Implementations must detect the case that `biscuit_no = biscuit_used` in ICR5, skip execution of ICR6 and ICR7, and just transmit another EmptyData package to confirm that the initiator can stop transmitting InitConf.
    \end{quote}

-    by 
+    by

    \begin{quote}
        The responder uses less complex form of the same mechanism: The responder never retransmits RespHello, instead the responder generates a new RespHello message if InitHello is retransmitted. Responder confirmation messages of completed handshake (EmptyData) messages are retransmitted by storing the most recent InitConf messages (or their hashes) and caching the associated EmptyData messages. Through this cache, InitConf retransmission is detected and the associated EmptyData message is retransmitted.
@@ -571,9 +1151,9 @@ By removing all retransmission handling code from the cryptographic protocol, we
    ``` {=tex}
    \begin{quote}
        \begin{minted}{pseudorust}
-        // In December 2024, the InitConf retransmission mechanisim was redesigned
+        // In December 2024, the InitConf retransmission mechanism was redesigned
        // in a backwards-compatible way. See the changelog.
-        // 
+        //
        // -- 2024-11-30, Karolin Varner
        if (protocol_version!(< "0.3.0")) {
            // Ensure that the biscuit is used only once
@@ -587,9 +1167,11 @@ By removing all retransmission handling code from the cryptographic protocol, we

 \vspace{0.5em}

-Author: Prabhpreet Dua  
-Issue: [#137](https://github.com/rosenpass/rosenpass/issues/137)  
-PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)  
+Author: Prabhpreet Dua
+
+Issue: [#137](https://github.com/rosenpass/rosenpass/issues/137)
+
+PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)

 \vspace{0.5em}

@@ -597,7 +1179,3 @@ PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)
 - Added section "Denial of Service Mitigation and Cookies", and modify "Dealing with Packet Loss" for DoS cookie mechanism

 \printbibliography
-
-\setupimage{landscape,fullpage,label=img:HandlingCode}
-![Rosenpass Message Handling Code](graphics/rosenpass-wp-message-handling-code-rgb.svg)
-
--- a/pkgs/package-deb.nix
+++ b/pkgs/package-deb.nix
@@ -1,4 +1,8 @@
-{ runCommand, dpkg, rosenpass }:
+{
+  runCommand,
+  dpkg,
+  rosenpass,
+}:

 let
  inherit (rosenpass) version;
--- a/pkgs/package-rpm.nix
+++ b/pkgs/package-rpm.nix
@@ -1,12 +1,15 @@
-{ lib, system, runCommand, rosenpass, rpm }:
+{
+  lib,
+  system,
+  runCommand,
+  rosenpass,
+  rpm,
+}:

 let
  splitVersion = lib.strings.splitString "-" rosenpass.version;
  version = builtins.head splitVersion;
-  release =
-    if builtins.length splitVersion != 2
-    then "release"
-    else builtins.elemAt splitVersion 1;
+  release = if builtins.length splitVersion != 2 then "release" else builtins.elemAt splitVersion 1;
  arch = builtins.head (builtins.split "-" system);
 in

--- a/pkgs/release-package.nix
+++ b/pkgs/release-package.nix
@@ -1,21 +1,24 @@
-{ lib, stdenvNoCC, runCommandNoCC, pkgsStatic, rosenpass, rosenpass-oci-image, rp } @ args:
+{
+  lib,
+  stdenvNoCC,
+  runCommandNoCC,
+  pkgsStatic,
+  rosenpass,
+  rosenpass-oci-image,
+  rp,
+}@args:

 let
  version = rosenpass.version;

  # select static packages on Linux, default packages otherwise
-  package =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rosenpass
-    else args.rosenpass;
-  rp =
-    if stdenvNoCC.hostPlatform.isLinux then
-      pkgsStatic.rp
-    else args.rp;
+  package = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rosenpass else args.rosenpass;
+  rp = if stdenvNoCC.hostPlatform.isLinux then pkgsStatic.rp else args.rp;
  oci-image =
    if stdenvNoCC.hostPlatform.isLinux then
      pkgsStatic.rosenpass-oci-image
-    else args.rosenpass-oci-image;
+    else
+      args.rosenpass-oci-image;
 in
 runCommandNoCC "lace-result" { } ''
  mkdir {bin,$out}
--- a/pkgs/rosenpass-oci-image.nix
+++ b/pkgs/rosenpass-oci-image.nix
@@ -1,4 +1,8 @@
-{ dockerTools, buildEnv, rosenpass }:
+{
+  dockerTools,
+  buildEnv,
+  rosenpass,
+}:

 dockerTools.buildImage {
  name = rosenpass.name + "-oci";
--- a/pkgs/rosenpass.nix
+++ b/pkgs/rosenpass.nix
@@ -1,4 +1,13 @@
-{ lib, stdenv, rustPlatform, cmake, mandoc, removeReferencesTo, bash, package ? "rosenpass" }:
+{
+  lib,
+  stdenv,
+  rustPlatform,
+  cmake,
+  mandoc,
+  removeReferencesTo,
+  bash,
+  package ? "rosenpass",
+}:

 let
  # whether we want to build a statically linked binary
@@ -15,26 +24,33 @@ let
      "service"
      "target"
      "toml"
+      "zstd" # used for offloaded test vector values
    ];
    # Files to explicitly include
-    files = [
-      "to/README.md"
-    ];
+    files = [ "to/README.md" ];

    src = ../.;
-    filter = (path: type: scoped rec {
-      inherit (lib) any id removePrefix hasSuffix;
-      anyof = (any id);
+    filter = (
+      path: type:
+      scoped rec {
+        inherit (lib)
+          any
+          id
+          removePrefix
+          hasSuffix
+          ;
+        anyof = (any id);

-      basename = baseNameOf (toString path);
-      relative = removePrefix (toString src + "/") (toString path);
+        basename = baseNameOf (toString path);
+        relative = removePrefix (toString src + "/") (toString path);

-      result = anyof [
-        (type == "directory")
-        (any (ext: hasSuffix ".${ext}" basename) extensions)
-        (any (file: file == relative) files)
-      ];
-    });
+        result = anyof [
+          (type == "directory")
+          (any (ext: hasSuffix ".${ext}" basename) extensions)
+          (any (file: file == relative) files)
+        ];
+      }
+    );

    result = lib.sources.cleanSourceWith { inherit src filter; };
  };
@@ -47,8 +63,16 @@ rustPlatform.buildRustPackage {
  version = cargoToml.package.version;
  inherit src;

-  cargoBuildOptions = [ "--package" package ];
-  cargoTestOptions = [ "--package" package ];
+  cargoBuildOptions = [
+    "--package"
+    package
+  ];
+  cargoTestOptions = [
+    "--package"
+    package
+  ];
+
+  configFileVersion = "1";

  doCheck = true;

@@ -58,6 +82,7 @@ rustPlatform.buildRustPackage {
      "memsec-0.6.3" = "sha256-4ri+IEqLd77cLcul3lZrmpDKj4cwuYJ8oPRAiQNGeLw=";
      "uds-0.4.2" = "sha256-qlxr/iJt2AV4WryePIvqm/8/MK/iqtzegztNliR93W8=";
      "libcrux-blake2-0.0.3-pre" = "sha256-0CLjuzwJqGooiODOHf5D8Hc8ClcG/XcGvVGyOVnLmJY=";
+      "libcrux-macros-0.0.3" = "sha256-Tb5uRirwhRhoFEK8uu1LvXl89h++40pxzZ+7kXe8RAI=";
    };
  };

@@ -81,7 +106,10 @@ rustPlatform.buildRustPackage {

  meta = {
    inherit (cargoToml.package) description homepage;
-    license = with lib.licenses; [ mit asl20 ];
+    license = with lib.licenses; [
+      mit
+      asl20
+    ];
    maintainers = [ lib.maintainers.wucke13 ];
    platforms = lib.platforms.all;
  };
--- a/pkgs/whitepaper.nix
+++ b/pkgs/whitepaper.nix
@@ -1,13 +1,53 @@
-{ stdenvNoCC, texlive, ncurses, python3Packages, which }:
+{
+  stdenvNoCC,
+  texlive,
+  ncurses,
+  python3Packages,
+  which,
+}:

 let
-  customTexLiveSetup = (texlive.combine {
-    inherit (texlive) acmart amsfonts biber biblatex biblatex-software
-      biblatex-trad ccicons csquotes csvsimple doclicense eso-pic fancyvrb
-      fontspec gitinfo2 gobble ifmtarg koma-script latexmk lm lualatex-math
-      markdown mathtools minted noto nunito paralist pgf scheme-basic soul
-      unicode-math upquote xifthen xkeyval xurl;
-  });
+  customTexLiveSetup = (
+    texlive.combine {
+      inherit (texlive)
+        acmart
+        amsfonts
+        biber
+        biblatex
+        biblatex-software
+        biblatex-trad
+        ccicons
+        csquotes
+        csvsimple
+        doclicense
+        eso-pic
+        fancyvrb
+        fontspec
+        gitinfo2
+        gobble
+        ifmtarg
+        koma-script
+        latexmk
+        lm
+        lualatex-math
+        markdown
+        mathtools
+        minted
+        noto
+        nunito
+        paralist
+        pgf
+        scheme-basic
+        soul
+        unicode-math
+        upquote
+        xifthen
+        xkeyval
+        xurl
+        dirtytalk
+        ;
+    }
+  );
 in
 stdenvNoCC.mkDerivation {
  name = "whitepaper";
--- a/readme.md
+++ b/readme.md
@@ -14,7 +14,7 @@ This repository contains

 ## Getting started

-First, [install rosenpass](#Getting-Rosenpass). Then, check out the help functions of `rp` & `rosenpass`:
+First, [install rosenpass](#getting-rosenpass). Then, check out the help functions of `rp` & `rosenpass`:

 ```sh
 rp help
@@ -64,11 +64,7 @@ The analysis is implemented according to modern software engineering principles:
 The code uses a variety of optimizations to speed up analysis such as using secret functions to model trusted/malicious setup. We split the model into two separate entry points which can be analyzed in parallel. Each is much faster than both models combined.
 A wrapper script provides instant feedback about which queries execute as expected in color: A red cross if a query fails and a green check if it succeeds.

-[^liboqs]: https://openquantumsafe.org/liboqs/
-[^wg]: https://www.wireguard.com/
-[^pqwg]: https://eprint.iacr.org/2020/379
-[^pqwg-statedis]: Unless supplied with a pre-shared-key, but this defeats the purpose of a key exchange protocol
-[^wg-statedis]: https://lists.zx2c4.com/pipermail/wireguard/2021-August/006916.htmlA
+[^liboqs]: <https://openquantumsafe.org/liboqs/>

 # Getting Rosenpass

@@ -87,6 +83,47 @@ Rosenpass is also available as prebuilt Docker images:

 For details on how to use these images, refer to the [Docker usage guide](docker/USAGE.md).

+## Benchmarks
+
+This repository contains facilities for benchmarking both the Rosenpass
+protocol code and the implementations of the cryptographic primitives used
+by it. The primitives are benchmarked using criterion. For the protocol code
+benchmarks we use a library for instrumenting the code such that events are
+written to a trace, which is then inspected after a run.
+
+Benchmarks are automatically run on CI. The measurements are visualized in the
+[Benchmark Dashboard].
+
+[Benchmark Dashboard]: https://rosenpass.github.io/rosenpass/benchmarks
+
+### Primitive Benchmarks
+
+There are benchmarks for the functions of the traits `Kem`, `Aead` and
+`KeyedHash`. They are run for all implementations in the `primitives`
+benchmark of `rosenpass-ciphers`. Run the benchmarks and view their results using
+
+```
+cargo bench -p rosenpass-ciphers --bench primitives -F bench
+```
+
+Note that the `bench` feature enables the inclusion of the libcrux-backed
+trait implementations in the module tree, but does not enable them
+as default.
+
+### Protocol Benchmarks
+
+The trace that is being written to lives in a new module
+`trace_bench` in the util crate. A basic benchmark that
+performs some minor statistical analysis of the trace can be run using
+
+```
+cargo bench -p rosenpass --bench trace_handshake -F trace_bench
+```
+
+This runs the benchmarks and prints the results in machine-readable JSON.
+
+---
+
 # Mirrors

 Don't want to use GitHub or only have an IPv6 connection? Rosenpass has set up two mirrors for this:
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml
@@ -0,0 +1,351 @@
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer a secret key"
+name = "peer_a_sk"
+code_location = "tests/test_vector_crypto_server.rs:95"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer a public key"
+name = "peer_a_pk"
+code_location = "tests/test_vector_crypto_server.rs:96"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer b secret key"
+name = "peer_b_sk"
+code_location = "tests/test_vector_crypto_server.rs:101"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer b public key"
+name = "peer_b_pk"
+code_location = "tests/test_vector_crypto_server.rs:102"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "pre-shared key"
+name = "psk"
+value = "Vw7bZ1vyXfZo4D5/633F5IbTOntNFBjZRCWf/0cP3Ss="
+code_location = "tests/test_vector_crypto_server.rs:105"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[0]"
+value = "COU/279CXvyB3mwVxT6fCQ=="
+code_location = "tests/test_vector_crypto_server.rs:167"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[1]"
+value = "5Q+e2O020FTcmBWlAPnWlw=="
+code_location = "tests/test_vector_crypto_server.rs:172"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[0]"
+value = "5h9KZ2KfLP5uNbEdimMNLHUjPFm0L3helyg8QE7pd/E="
+code_location = "tests/test_vector_crypto_server.rs:177"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[1]"
+value = "uwyhSvwuEeXwVUg4+9CBoPWPL0AY+oSVUhFpGpnBaY8="
+code_location = "tests/test_vector_crypto_server.rs:179"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[0]"
+value = "KtKzsfp1NMN3mrln54w0TA=="
+code_location = "tests/test_vector_crypto_server.rs:167"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[1]"
+value = "cc1hSqM+Jhal8AII5NIWLA=="
+code_location = "tests/test_vector_crypto_server.rs:172"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[0]"
+value = "ih8UroUklL5NLdegMFQAEWE6huLEO4HBNL44jpk0VsI="
+code_location = "tests/test_vector_crypto_server.rs:177"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[1]"
+value = "mXEYSvzhz5E9eUskbKJBZlXlYF2N3Q1MwmbGeXmhXoI="
+code_location = "tests/test_vector_crypto_server.rs:179"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.cookie_value.value"
+value = "BryZRk1KR5Gc+AEm0plH1Q=="
+code_location = "rosenpass/src/protocol/protocol.rs:3559"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.core.sidi"
+value = "avpJ6g=="
+code_location = "rosenpass/src/protocol/protocol.rs:3572"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.eski"
+value = "KpIH2rHL5MR1TQosRVTAUhpDGYUfE7FbeDA/VgN2shd0gdwBRkdeTEZqKKdAY+ikmKydZQwNlFQW8WuH8fwknbUt/SCzo2iPbDg22sAuClQFN1sXckmEpDG2G4cqXHqkdVSuwhymt9V0w1lKFotTwNIN9Fo0eKq19twT16DP+nIPwrkDveAAm8OqwNp1iAODI8GuB3aL3Str/HDC7YR8QtuuzJQwfEa8CbihEpk+zZqVCJVZDrlfH6ydcJsahypuWpJQ4RwS+NejEvJirvgKngsgdPkGXyYLzQQhS4qagQDMkklWaxwL5pdSqlB+M/Cbx1iqgXgOp2PEykkOpgpEBKfDoCQxBnIYNEisx9B8XuibzqQiq0qctty3GBUf+peApMdataC6WwGqH1KpQiW8aUufIWFDK8xW56t3/bMV/AIsMWx3XpaxbGOQOgqAmRAxeYh23TeQ6lVturw/aMsV2phXBkgG6iQnzyd9z6Zufgezz3Ui2hdeJ/iCzfG0A7SMWlS8zETM46wExxO5smNh8jCoTzeSMpOeH3GfFyRs44PFybSQHtAbdcpcA+pj2VljGfRzq5U1AjpdbSKm8JO6n2PDOQlXHaNp5wZMTHZeywq/BrRWO0FXU9davLcEqUJ2xkwRIvEo24ae0MSD1SSd0rRK5LFilFWZXpDCkaoHvst87mdMeIBUYppMD+WkSuKun0XMXXSSWNPIvrGKFJlt4yTCNYsdfRBthGEa5sEApYd4jmi49zKbRSGGm/u915gdo0AvsFYa85EZzzBI0wfK3uW0X+YvGSEzwHGOAMaAyJu3tCGHt2tuevqND2lybzkJS+ih80l3jyaBbNmqQzBRt8YZtLg+e0ijH/x8IyGq+efCioRQjeN50sBAJrsSgncVtgoSraWbPLNu9movqQMtLiwGkUaZSqVANtQPQuccOFyzK7XD8zy5V0Bx/We0ijOvlyUPJWW+1LoALiArHhG7xIRQL8oe9RDP1mzPoGQd1MNRvCuePNpRX+JAO7a49vwsqUtsK6iAY5C1WIxc1TAVhrIz2YzKuyOQYJCbtkOTx5EZ+AbCsTa/E7VHJacj5xQXtYpy3NogXpAnI/ubjABhCVKTfNFytwKkQUAR1ZcoqzJlngdFILIFBeTEUJChXpBb3/obCCQOFVWCKaYfuLam34JgWkmKYUoao4ZP68yn7yc1l4lDRswKSgFt6YI31PcWGAbKM9QeKLF1Tso2bQOXlEF8MssCQjhN+PimSYU/A1ANTHEyQMxM+uUGXBAJwViSGSshHpioLkF3nBc2h7FT5Fi6hMU4xqUwsBgkfZKYQ6gMsMIqZjd/gIkbawwGU6VdLNNf4tw1f4ssD3QbKSA9LfsSHHV8YjcJ3vVoIVVd/Pmbe/kV8Ccz0zLPYWxyrrEanTOJwPqzYxBqTOBilVWlEfREu1ddYaccILMGEMdsQ6eBj4ySZYhj24Ajc3R8afR+anR2NNorfgIlF1d7VuW1BQG+loA3UqdO9lE4mwrARoy87LZKagYHUshet/CAYxinr0UlfCKqbEydljslyafPC4x/mmRWqjTNsTAVfZdOc1ESLyQ6fCkZ/ewOMmsVgUZsBPHI5LgE/2qjYhgXxzg72OmYynR4+8EWunEd2JScjTAurTVZBEPDfGq9wvySBeMbyIGgY0yIfJF/oGRI6/oyNoOBMyKff7oCVNzH+UBGPQJE0De7U1wmEqBNIOu6MMx4nFVgdNzA3TyLrhaOT3uDoJMo/9NnnvWDS5xhp9l8URkcVsol12MhmZAhqlhtGIOR72e5Jml6DNkLvYCX49ZKfMGBbnHNk/RhN5k3dccuD+UvIwxR3irMUXt6jITE0RbPCYWX14N4Jlcdz2oxA6U+RXW8ccJ0YQYjsNgmj1xpsnwY8/O6LkiB+Sm/fsJAkRGsKrWeyPKRcNR1uioBr6YpqKa0aHC0meQX7YqKNWZujOQX6ZJb2aMgx4CRJOc/fbqrtgpQy8mEy4JG2dmEPCdYKmY3YTGlpiVb65pLciEtJRIRiCqh4QNmCwtrixM5QgO5Y5gNfX/fXULtbtZdCDgQJ8CKaJNgxosHESp7YfeW+bO2tmmEwSHG+/s4YEEVQZm2OfJ46gLFPIixcTmADwFGOKEgTRofmHFxOUlIH1gXBkuqH0zWp71FqEpAoucjrROw"
+code_location = "rosenpass/src/protocol/protocol.rs:3579"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.core.ck"
+value = "qUtsK6iAY5C1WIxc1TAVhrIz2YzKuyOQYJCbtkOTx5EZ+AbCsTa/E7VHJacj5xQXtYpy3NogXpAnI/ubjABhCVKTfNFytwKkQUAR1ZcoqzJlngdFILIFBeTEUJChXpBb3/obCCQOFVWCKaYfuLam34JgWkmKYUoao4ZP68yn7yc1l4lDRswKSgFt6YI31PcWGAbKM9QeKLF1Tso2bQOXlEF8MssCQjhN+PimSYU/A1ANTHEyQMxM+uUGXBAJwViSGSshHpioLkF3nBc2h7FT5Fi6hMU4xqUwsBgkfZKYQ6gMsMIqZjd/gIkbawwGU6VdLNNf4tw1f4ssD3QbKSA9LfsSHHV8YjcJ3vVoIVVd/Pmbe/kV8Ccz0zLPYWxyrrEanTOJwPqzYxBqTOBilVWlEfREu1ddYaccILMGEMdsQ6eBj4ySZYhj24Ajc3R8afR+anR2NNorfgIlF1d7VuW1BQG+loA3UqdO9lE4mwrARoy87LZKagYHUshet/CAYxinr0UlfCKqbEydljslyafPC4x/mmRWqjTNsTAVfZdOc1ESLyQ6fCkZ/ewOMmsVgUZsBPHI5LgE/2qjYhgXxzg72OmYynR4+8EWunEd2JScjTAurTVZBEPDfGq9wvySBeMbyIGgY0yIfJF/oGRI6/oyNoOBMyKff7oCVNzH+UBGPQJE0De7U1wmEqBNIOu6MMx4nFVgdNzA3TyLrhaOT3uDoJMo/9NnnvWDS5xhp9l8URkcVsol12MhmZAhqlhtGIOR72e5Jml6DNkLvYCX49ZKfMGBbnHNk/RhN5k3dccuD+UvIwxR3irMUXt6jITE0RbPCYWX14N4Jlcdz2oxA6U+RXW8ccJ0YQYjsNgmj1xpsnwY8/O6LkiB+Sm/fsJAkRGsKrWeyPKRcNR1uioBr6YpqKa0aHC0meQX7YqKNWZujOQX6ZJb2aMgx4CRJOc/fbqrtgpQy8mEy4JG2dmEPCdYKmY3YTGlpiVb65pLciEtJRIRiCqh4QNmCwtrixM5QgO5Y5gNfX/fXULtbtZdCDgQJ8CKaJNgxosHESp7YfeW+bM="
+code_location = "rosenpass/src/protocol/protocol.rs:3580"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 1"
+value = "z2JAxQ4DPIikqHMSpFDAlmhjSBumhLZatJMrFAP+D1U="
+code_location = "rosenpass/src/protocol/protocol.rs:3587"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+value = "crPEWzqlCERLJr83BrZupxLUOxWHsYZalisk94tma0k="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "eJXlj5zOJo/Eq85TzOTi7QY8zqWBP0QOOl3PAcpFDYnZyWmuzdpwDZJTbagAP52Md9r+j2vME4SW9UvdvOQo+jbNfuCHytU5K3yxI77srR4aWepM+xPAmxbyIwD4VGjDOQNAjP4Rn8n5L9cCju1tgit7yeM0S4Mx2KDR/Emr8V7gQnERob6LrPJgu6BMWkbZA2+dLVZOsvWPFmmn"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 2"
+value = "UVoOgm+xgnV9tXlaLrlBHiM8XDAH+4tPm3DTbP9uJzs="
+code_location = "rosenpass/src/protocol/protocol.rs:3602"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "ih.pidi_ct"
+value = "Y3Wstn84+vmUb/a/CtWHFixkdyTFKEaE7joUFM0vBZPehPAeDOXls/u5I1PvViF6"
+code_location = "rosenpass/src/protocol/protocol.rs:3615"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 3"
+value = "RTCFQy236fEakHlQn8Pq4+ZbWAg4zvkP5iSp+RU7CpQ="
+code_location = "rosenpass/src/protocol/protocol.rs:3616"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 4"
+value = "9bjg2ICzmCeqYMt4ACfX5UMQUde7WgeuI6H+vdQuWck="
+code_location = "rosenpass/src/protocol/protocol.rs:3627"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "ih.auth"
+value = "E+AP6wyOrpngo7vE9Vpkjg=="
+code_location = "rosenpass/src/protocol/protocol.rs:3636"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 5"
+value = "MkkapMEoAWftWlVPIcroCCTpqOrMv5TYSff5h8Un/OE="
+code_location = "rosenpass/src/protocol/protocol.rs:3637"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 4"
+value = "z2JAxQ4DPIikqHMSpFDAlmhjSBumhLZatJMrFAP+D1U="
+code_location = "rosenpass/src/protocol/protocol.rs:3693"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 5"
+value = "UVoOgm+xgnV9tXlaLrlBHiM8XDAH+4tPm3DTbP9uJzs="
+code_location = "rosenpass/src/protocol/protocol.rs:3702"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 6"
+value = "RTCFQy236fEakHlQn8Pq4+ZbWAg4zvkP5iSp+RU7CpQ="
+code_location = "rosenpass/src/protocol/protocol.rs:3714"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 7"
+value = "9bjg2ICzmCeqYMt4ACfX5UMQUde7WgeuI6H+vdQuWck="
+code_location = "rosenpass/src/protocol/protocol.rs:3724"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 8"
+value = "MkkapMEoAWftWlVPIcroCCTpqOrMv5TYSff5h8Un/OE="
+code_location = "rosenpass/src/protocol/protocol.rs:3733"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+name = "session_id"
+value = "+qqWGQ=="
+code_location = "rosenpass/src/protocol/protocol.rs:3741"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 3"
+value = "rPSnj3sQzMcnolHZJZpDlZ71VcFEtIEENGLWUPyRZws="
+code_location = "rosenpass/src/protocol/protocol.rs:3749"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+value = "aQGM2N7OhVgSlsa7pEaqdiRZLacxgDhwuEplHORsv3s="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "XIOzetMa7cemW0Qq+vEu1frv9J/MhfFiT68mfbWZrZbzM5AI2lVPLXi75KvjbNC7YrqVG20d2DhZ38g9vjIAG50Lc8LHw3C+tQV2g/lCa4p1XySyQOJUAj/CpBGito8MdcdcxpFzLhCnq0owBSonbgyboxZq/hsX5z+unJu+5UiJYlxpcvu++w954OQiXi9lJpfnC4biY8Mw+8UL5d2UgWp8Yn3y3ZoIKSNGA5hR5/JUg1QStbSvWrhNiiDrfNUR0k2zKmLPXPS1pmaBvSuWQptq3WiA1OtkRsCSrAzjOtyUPWSZyXrttAZ4VJCBkEnd4OZy7eC/mBa3FjwJAfcvVY7i8mU1yDpLtS7MtdAZKMeGn0fQDWOx5z+vM+jbwOxXer79jPKPcdigxjTfARz+SxhfWfqGO5hBh86Ra0F+vgw3KH/YQgTchroWVF8WIwZlNwp6DqvwXBXwRPbtrv+uxmRHT9Oe+ZxJr88Nd1gRtjL0FN6faE1quGDAHWPuAfhFcxa7kdPpHN46cHSC+nzO1gtabPX/b0PM2awmNPB5QPpWoGHzz4HTYV7MYHmC4mxdKU7BT+U3vJd4+vl+7wGQSVxSCwzWHqCjRwOkIDLeiyZss7iz8BnOeErDySbPTMYI/Jv/R7lalOk4+73a1m2m4uZKetXRGEjg8btiKfhFaPZMc9p8xZeJNbsUbqoMl8/R1QGRqXHxzk9tTZW0AHV0t4uLnvHJgu9mR6LApZ99sAJpNcuU9TnsSPfT32DlXWNxtb0DnTQXxLQ7TnSWFYPCYyv7hbfNk8lDdGJqStSvnCe16KYoYjxpExEIfCAFicYhhar5MOpkinJMeyhMhVd2ctVIIIzZXePfZXcdOod2JbYh6+dmp0bnTyussHv9R+qYCCv5AyU/crKSmTbjgyOsmaVpyoTljsozC32uhqZh4M7KBUz1XyPJfD6L4NE1ovCKSfwJepYOqBw0MkdWoXwScyhMWNpVhS8X1aZ/QOZFVIuyYxoiwqpF/y3xV6QYFZmd"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 4"
+value = "WCh3N6kKat+5vvn3WNTxsF9yXGYTQS7hlMUplMac/14="
+code_location = "rosenpass/src/protocol/protocol.rs:3764"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+value = "Sx7y7DSdVQVHWxR4OOMjyrDr8vuZa7MPX/U8GnPCIHY="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "VwqEOlvdW0Evc1CasejxXQ0dN3mZ4HPMA6ogk3Q7OUzzgCIvbTU8BvBK6d1UH2R7Y5Nd/JdHgag42f5FpjVljX2vlXMk3XxUtREpORxqJ5qUgHejsgJyRO9caOPX/ZXmUZ6vORP7pIulLt2i47ykPNNlWuJmxVJj6NK+lE1BDMIuivHebR31atigV/fFFJui26vy5V9y6xZmnCJm"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 5"
+value = "7gd9Mw7X0ZFmkIkP/JDofflRSAw21F1RjG4HXeMJfTI="
+code_location = "rosenpass/src/protocol/protocol.rs:3779"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+value = "QyffgzBjc8qAqK18vYsH9TKs9lc6Njg8Q8nANsF/FMMBAAAAAAAAAAAAAADuB30zDtfRkWaQiQ/8kOh9+VFIDDbUXVGMbgdd4wl9Mg=="
+code_location = "rosenpass/src/protocol/protocol.rs:3336"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Const"
+description = "Biscuit key after being cycled"
+name = "CryptoServer::biscuit_key[r]"
+value = "TIDswcSHh8WKsEsuwMCyldE0zVH8IEjV97ES8v3nHw0="
+code_location = "rosenpass/src/protocol/protocol.rs:1430"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:127"
+
+[[entries]]
+entry_type = "Const"
+value = "iSR2RKOw5VeBICb4b+i8P4QtF8XnJq2N"
+code_location = "rosenpass/src/protocol/protocol.rs:3353"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Output"
+value = "iSR2RKOw5VeBICb4b+i8P4QtF8XnJq2Nq1gaCMgEJ+v1LulDYsjbfU5O0alWStfs4fBy7zS69RkzT8p0m3mVcK0TY9RRdWfxmCzU1U8DP7CbhfZxZHJC9CO8xwIa5r1NjVE1gxJJUEJCTHvtCc3PtFj861c="
+code_location = "rosenpass/src/protocol/protocol.rs:3361"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 6"
+value = "urS3a0/ufhUxj7bAnafEQ3j7it4q2XOfO+DVCeQJp4U="
+code_location = "rosenpass/src/protocol/protocol.rs:3788"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 7"
+value = "bbWd4iHXPK6helZLik4t96JKB7yiyw+qcNWbvlDiaQs="
+code_location = "rosenpass/src/protocol/protocol.rs:3797"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "final exchanged key"
+name = "exchanged_key"
+value = "NKG5/vCPc0akKnm5RxctcPigO8fvd0zqJeO2+xbDpq4="
+code_location = "tests/test_vector_crypto_server.rs:153"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_0.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_0.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_1.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_1.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_13.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_13.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_14.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_14.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_15.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_15.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_16.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_16.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_2.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_2.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_26.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_26.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_3.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_3.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_46.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_46.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_47.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_47.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_48.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_48.zstd
--- a/rosenpass/Cargo.toml
+++ b/rosenpass/Cargo.toml
@@ -8,7 +8,7 @@ description = "Build post-quantum-secure VPNs with WireGuard!"
 homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
 readme = "readme.md"
-rust-version = "1.77"
+rust-version = "1.77.0"

 [[bin]]
 name = "rosenpass"
@@ -30,11 +30,16 @@ required-features = ["experiment_api", "internal_testing"]
 [[test]]
 name = "gen-ipc-msg-types"
 required-features = [
-    "experiment_api",
-    "internal_testing",
-    "internal_bin_gen_ipc_msg_types",
+  "experiment_api",
+  "internal_testing",
+  "internal_bin_gen_ipc_msg_types",
 ]

+[[bench]]
+name = "trace_handshake"
+harness = false
+required-features = ["trace_bench"]
+
 [[bench]]
 name = "handshake"
 harness = false
@@ -59,6 +64,8 @@ clap = { workspace = true }
 clap_complete = { workspace = true }
 clap_mangen = { workspace = true }
 mio = { workspace = true }
+signal-hook = { workspace = true }
+signal-hook-mio = { workspace = true }
 rand = { workspace = true }
 zerocopy = { workspace = true }
 home = { workspace = true }
@@ -71,7 +78,10 @@ heck = { workspace = true, optional = true }
 command-fds = { workspace = true, optional = true }
 rustix = { workspace = true, optional = true }
 uds = { workspace = true, optional = true, features = ["mio_1xx"] }
-signal-hook = { workspace = true, optional = true }
+libcrux-test-utils = { workspace = true, optional = true }
+assert_tv = { workspace = true }
+base64 = { workspace = true }
+serde_json = { workspace = true }

 [build-dependencies]
 anyhow = { workspace = true }
@@ -84,28 +94,28 @@ serial_test = { workspace = true }
 procspawn = { workspace = true }
 tempfile = { workspace = true }
 rustix = { workspace = true }
+serde_json = { workspace = true }

 [features]
-#default = ["experiment_libcrux_all"]
 experiment_cookie_dos_mitigation = []
 experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"]
 experiment_libcrux_all = ["rosenpass-ciphers/experiment_libcrux_all"]
 experiment_libcrux_blake2 = ["rosenpass-ciphers/experiment_libcrux_blake2"]
 experiment_libcrux_chachapoly = [
-    "rosenpass-ciphers/experiment_libcrux_chachapoly",
+  "rosenpass-ciphers/experiment_libcrux_chachapoly",
 ]
 experiment_libcrux_kyber = ["rosenpass-ciphers/experiment_libcrux_kyber"]
 experiment_api = [
-    "hex-literal",
-    "uds",
-    "command-fds",
-    "rustix",
-    "rosenpass-util/experiment_file_descriptor_passing",
-    "rosenpass-wireguard-broker/experiment_api",
+  "hex-literal",
+  "uds",
+  "command-fds",
+  "rustix",
+  "rosenpass-util/experiment_file_descriptor_passing",
+  "rosenpass-wireguard-broker/experiment_api",
 ]
-internal_signal_handling_for_coverage_reports = ["signal-hook"]
 internal_testing = []
 internal_bin_gen_ipc_msg_types = ["hex", "heck"]
+trace_bench = ["rosenpass-util/trace_bench", "dep:libcrux-test-utils"]

 [lints.rust]
 unexpected_cfgs = { level = "allow", check-cfg = ['cfg(coverage)'] }
--- a/rosenpass/benches/handshake.rs
+++ b/rosenpass/benches/handshake.rs
@@ -1,15 +1,16 @@
-use anyhow::Result;
-use rosenpass::protocol::{
-    CryptoServer, HandleMsgResult, MsgBuf, PeerPtr, ProtocolVersion, SPk, SSk, SymKey,
-};
 use std::ops::DerefMut;

+use anyhow::Result;
+use criterion::{black_box, criterion_group, criterion_main, Criterion};
+
 use rosenpass_cipher_traits::primitives::Kem;
 use rosenpass_ciphers::StaticKem;
-
-use criterion::{black_box, criterion_group, criterion_main, Criterion};
 use rosenpass_secret_memory::secret_policy_try_use_memfd_secrets;

+use rosenpass::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+use rosenpass::protocol::{CryptoServer, HandleMsgResult, PeerPtr, ProtocolVersion};
+
 fn handle(
    tx: &mut CryptoServer,
    msgb: &mut MsgBuf,
@@ -54,8 +55,18 @@ fn make_server_pair(protocol_version: ProtocolVersion) -> Result<(CryptoServer,
        CryptoServer::new(ska, pka.clone()),
        CryptoServer::new(skb, pkb.clone()),
    );
-    a.add_peer(Some(psk.clone()), pkb, protocol_version.clone())?;
-    b.add_peer(Some(psk), pka, protocol_version)?;
+    a.add_peer(
+        Some(psk.clone()),
+        pkb,
+        protocol_version.clone(),
+        OskDomainSeparator::default(),
+    )?;
+    b.add_peer(
+        Some(psk),
+        pka,
+        protocol_version,
+        OskDomainSeparator::default(),
+    )?;
    Ok((a, b))
 }

--- a/rosenpass/benches/trace_handshake.rs
+++ b/rosenpass/benches/trace_handshake.rs
@@ -0,0 +1,376 @@
+use std::{
+    collections::HashMap,
+    hint::black_box,
+    ops::DerefMut,
+    time::{Duration, Instant},
+};
+
+use anyhow::Result;
+
+use libcrux_test_utils::tracing::{EventType, Trace as _};
+
+use rosenpass_cipher_traits::primitives::Kem;
+use rosenpass_ciphers::StaticKem;
+use rosenpass_secret_memory::secret_policy_try_use_memfd_secrets;
+use rosenpass_util::trace_bench::RpEvent;
+
+use rosenpass::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+use rosenpass::protocol::{CryptoServer, HandleMsgResult, PeerPtr, ProtocolVersion};
+use serde::ser::SerializeStruct;
+
+const ITERATIONS: usize = 100;
+
+/// Performs a full protocol run by processing a message and recursing into handling that message,
+/// until no further response is produced. Returns the keys produce by the two parties.
+///
+/// Ensures that each party produces one of the two keys.
+fn handle(
+    tx: &mut CryptoServer,
+    msgb: &mut MsgBuf,
+    msgl: usize,
+    rx: &mut CryptoServer,
+    resb: &mut MsgBuf,
+) -> Result<(Option<SymKey>, Option<SymKey>)> {
+    let HandleMsgResult {
+        exchanged_with: xch,
+        resp,
+    } = rx.handle_msg(&msgb[..msgl], &mut **resb)?;
+
+    assert!(matches!(xch, None | Some(PeerPtr(0))));
+
+    let xch = xch.map(|p| rx.osk(p).unwrap());
+
+    let (rxk, txk) = resp
+        .map(|resl| handle(rx, resb, resl, tx, msgb))
+        .transpose()?
+        .unwrap_or((None, None));
+
+    assert!(rxk.is_none() || xch.is_none());
+
+    Ok((txk, rxk.or(xch)))
+}
+
+/// Performs the full handshake by calling `handle` with the correct values, based on just two
+/// `CryptoServer`s.
+///
+/// Ensures that both parties compute the same keys.
+fn hs(ini: &mut CryptoServer, res: &mut CryptoServer) -> Result<()> {
+    let (mut inib, mut resb) = (MsgBuf::zero(), MsgBuf::zero());
+    let sz = ini.initiate_handshake(PeerPtr(0), &mut *inib)?;
+    let (kini, kres) = handle(ini, &mut inib, sz, res, &mut resb)?;
+    assert!(kini.unwrap().secret() == kres.unwrap().secret());
+    Ok(())
+}
+
+/// Generates a new key pair.
+fn keygen() -> Result<(SSk, SPk)> {
+    let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
+    StaticKem.keygen(sk.secret_mut(), pk.deref_mut())?;
+    Ok((sk, pk))
+}
+
+/// Creates two instanves of `CryptoServer`, generating key pairs for each.
+fn make_server_pair(protocol_version: ProtocolVersion) -> Result<(CryptoServer, CryptoServer)> {
+    let psk = SymKey::random();
+    let ((ska, pka), (skb, pkb)) = (keygen()?, keygen()?);
+    let (mut a, mut b) = (
+        CryptoServer::new(ska, pka.clone()),
+        CryptoServer::new(skb, pkb.clone()),
+    );
+    a.add_peer(
+        Some(psk.clone()),
+        pkb,
+        protocol_version.clone(),
+        OskDomainSeparator::default(),
+    )?;
+    b.add_peer(
+        Some(psk),
+        pka,
+        protocol_version,
+        OskDomainSeparator::default(),
+    )?;
+    Ok((a, b))
+}
+
+fn main() {
+    let trace = rosenpass_util::trace_bench::trace();
+
+    // Attempt to use memfd_secrets for storing sensitive key material
+    secret_policy_try_use_memfd_secrets();
+
+    // Run protocol for V02
+    let (mut a_v02, mut b_v02) = make_server_pair(ProtocolVersion::V02).unwrap();
+    for _ in 0..ITERATIONS {
+        hs(black_box(&mut a_v02), black_box(&mut b_v02)).unwrap();
+    }
+
+    // Emit a marker event to separate V02 and V03 trace sections
+    trace.emit_on_the_fly("start-hs-v03");
+
+    // Run protocol for V03
+    let (mut a_v03, mut b_v03) = make_server_pair(ProtocolVersion::V03).unwrap();
+    for _ in 0..ITERATIONS {
+        hs(black_box(&mut a_v03), black_box(&mut b_v03)).unwrap();
+    }
+
+    // Collect the trace events generated during the handshakes
+    let trace: Vec<_> = trace.clone().report();
+
+    // Split the trace into V02 and V03 sections based on the marker
+    let (trace_v02, trace_v03) = {
+        let cutoff = trace
+            .iter()
+            .position(|entry| entry.label == "start-hs-v03")
+            .unwrap();
+        // Exclude the marker itself from the V03 trace
+        let (v02, v03_with_marker) = trace.split_at(cutoff);
+        (v02, &v03_with_marker[1..])
+    };
+
+    // Perform statistical analysis on both trace sections
+    let analysis_v02 = statistical_analysis(trace_v02);
+    let analysis_v03 = statistical_analysis(trace_v03);
+
+    // Transform analysis results to JSON-encodable data type
+    let stats_v02 = analysis_v02
+        .iter()
+        .map(|(label, agg_stat)| JsonAggregateStat {
+            protocol_version: "V02",
+            label,
+            agg_stat,
+        });
+    let stats_v03 = analysis_v03
+        .iter()
+        .map(|(label, agg_stat)| JsonAggregateStat {
+            protocol_version: "V03",
+            label,
+            agg_stat: &agg_stat,
+        });
+
+    // Write results as JSON
+    let stats_all: Vec<_> = stats_v02.chain(stats_v03).collect();
+    let stats_json = serde_json::to_string_pretty(&stats_all).expect("error encoding to json");
+    println!("{stats_json}");
+}
+
+/// Performs a simple statistical analysis:
+/// - bins trace events by label
+/// - extracts durations of spamns
+/// - filters out empty bins
+/// - calculates aggregate statistics (mean, std dev)
+fn statistical_analysis(trace: &[RpEvent]) -> Vec<(&'static str, AggregateStat<Duration>)> {
+    bin_events(trace)
+        .into_iter()
+        .map(|(label, spans)| (label, extract_span_durations(label, spans.as_slice())))
+        .filter(|(_, durations)| !durations.is_empty())
+        .map(|(label, durations)| (label, AggregateStat::analyze_durations(&durations)))
+        .collect()
+}
+
+/// Used to group benchmark results in visualizations
+enum RunTimeGroup {
+    /// For particularly long operations.
+    Long,
+    /// Operations of moderate duration.
+    Medium,
+    /// Operations expected to complete under a millisecond.
+    BelowMillisec,
+    /// Very fast operations, likely under a microsecond.
+    BelowMicrosec,
+}
+
+impl std::fmt::Display for RunTimeGroup {
+    /// Used when writing the group information to JSON output.
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let txt = match self {
+            RunTimeGroup::Long => "long",
+            RunTimeGroup::Medium => "medium",
+            RunTimeGroup::BelowMillisec => "below 1ms",
+            RunTimeGroup::BelowMicrosec => "below 1us",
+        };
+        write!(f, "{txt}")
+    }
+}
+
+/// Maps specific internal timing labels (likely from rosenpass internals)
+/// to the broader SpanGroup categories.
+fn run_time_group(label: &str) -> RunTimeGroup {
+    match label {
+        // Explicitly categorized labels based on expected performance characteristics
+        "handle_init_hello" | "handle_resp_hello" | "RHI5" | "IHR5" => RunTimeGroup::Long,
+        "RHR1" | "IHI2" | "ICR6" => RunTimeGroup::BelowMicrosec,
+        "RHI6" | "ICI7" | "ICR7" | "RHR3" | "ICR3" | "IHR8" | "ICI4" | "RHI3" | "RHI4" | "RHR4"
+        | "RHR7" | "ICI3" | "IHI3" | "IHI8" | "ICR2" | "ICR4" | "IHR4" | "IHR6" | "IHI4"
+        | "RHI7" => RunTimeGroup::BelowMillisec,
+        // Default protocol_version for any other labels
+        _ => RunTimeGroup::Medium,
+    }
+}
+
+/// Used temporarily within `extract_span_durations` to track open spans
+/// and calculated durations.
+#[derive(Debug, Clone)]
+enum StatEntry {
+    /// Represents an unmatched SpanOpen event with its timestamp.
+    Start(Instant),
+    /// Represents a completed span with its calculated duration.
+    Duration(Duration),
+}
+
+/// Takes a flat list of events and organizes them into a HashMap where keys
+/// are event labels and values are vectors of events with that label.
+fn bin_events(events: &[RpEvent]) -> HashMap<&'static str, Vec<RpEvent>> {
+    let mut spans = HashMap::<_, Vec<_>>::new();
+    for event in events {
+        // Get the vector for the event's label, or create a new one
+        let spans_for_label = spans.entry(event.label).or_default();
+        // Add the event to the vector
+        spans_for_label.push(event.clone());
+    }
+    spans
+}
+
+/// Processes a list of events (assumed to be for the same label), matching
+/// `SpanOpen` and `SpanClose` events to calculate the duration of each span.
+/// It handles potentially interleaved spans correctly.
+fn extract_span_durations(label: &str, events: &[RpEvent]) -> Vec<Duration> {
+    let mut processing_list: Vec<StatEntry> = vec![]; // List to track open spans and final durations
+
+    for entry in events {
+        match &entry.ty {
+            EventType::SpanOpen => {
+                // Record the start time of a new span
+                processing_list.push(StatEntry::Start(entry.at));
+            }
+            EventType::SpanClose => {
+                // Find the most recent unmatched 'Start' entry
+                let start_index = processing_list
+                    .iter()
+                    .rposition(|span| matches!(span, StatEntry::Start(_))); // Find last Start
+
+                match start_index {
+                    Some(index) => {
+                        // Retrieve the start time
+                        let start_time = match processing_list[index] {
+                            StatEntry::Start(t) => t,
+                            _ => unreachable!(), // Should always be Start based on rposition logic
+                        };
+                        // Calculate duration and replace the 'Start' entry with 'Duration'
+                        processing_list[index] = StatEntry::Duration(entry.at - start_time);
+                    }
+                    None => {
+                        // This should not happen with well-formed traces
+                        eprintln!(
+                            "Warning: Found SpanClose without a matching SpanOpen for label '{}': {:?}",
+                            label, entry
+                        );
+                    }
+                }
+            }
+            EventType::OnTheFly => {
+                // Ignore OnTheFly events for duration calculation
+            }
+        }
+    }
+
+    // Collect all calculated durations, reporting any unmatched starts
+    processing_list
+        .into_iter()
+        .filter_map(|span| match span {
+            StatEntry::Start(at) => {
+                // Report error if a span was opened but never closed
+                eprintln!(
+                    "Warning: Unmatched SpanOpen at {:?} for label '{}'",
+                    at, label
+                );
+                None // Discard unmatched starts
+            }
+            StatEntry::Duration(dur) => Some(dur), // Keep calculated durations
+        })
+        .collect()
+}
+
+/// Stores the mean, standard deviation, relative standard deviation (sd/mean),
+/// and the number of samples used for calculation.
+#[derive(Debug)]
+#[allow(dead_code)]
+struct AggregateStat<T> {
+    /// Average duration.
+    mean_duration: T,
+    /// Standard deviation of durations.
+    sd_duration: T,
+    /// Standard deviation as a percentage of the mean.
+    sd_by_mean: String,
+    /// Number of duration measurements.
+    sample_size: usize,
+}
+
+impl AggregateStat<Duration> {
+    /// Calculates mean, variance, and standard deviation for a slice of Durations.
+    fn analyze_durations(durations: &[Duration]) -> Self {
+        let sample_size = durations.len();
+        assert!(sample_size > 0, "Cannot analyze empty duration slice");
+
+        // Calculate the sum of durations
+        let sum: Duration = durations.iter().sum();
+        // Calculate the mean duration
+        let mean = sum / (sample_size as u32);
+
+        // Calculate mean in nanoseconds, adding 1 to avoid potential division by zero later
+        // (though highly unlikely with realistic durations)
+        let mean_ns = mean.as_nanos().saturating_add(1);
+
+        // Calculate variance (sum of squared differences from the mean) / N
+        let variance = durations
+            .iter()
+            .map(Duration::as_nanos)
+            .map(|d_ns| d_ns.abs_diff(mean_ns).pow(2)) // (duration_ns - mean_ns)^2
+            .sum::<u128>() // Sum of squares
+            / (sample_size as u128); // Divide by sample size
+
+        // Calculate standard deviation (sqrt of variance)
+        let sd_ns = (variance as f64).sqrt() as u128;
+        let sd = Duration::from_nanos(sd_ns as u64); // Convert back to Duration
+
+        // Calculate relative standard deviation (sd / mean) as a percentage string
+        let sd_rel_permille = (10000 * sd_ns).checked_div(mean_ns).unwrap_or(0); // Calculate sd/mean * 10000
+        let sd_rel_formatted = format!("{}.{:02}%", sd_rel_permille / 100, sd_rel_permille % 100);
+
+        AggregateStat {
+            mean_duration: mean,
+            sd_duration: sd,
+            sd_by_mean: sd_rel_formatted,
+            sample_size,
+        }
+    }
+}
+
+struct JsonAggregateStat<'a, T> {
+    agg_stat: &'a AggregateStat<T>,
+    label: &'a str,
+    protocol_version: &'a str,
+}
+
+impl<'a> serde::Serialize for JsonAggregateStat<'a, Duration> {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        let mut stat = serializer.serialize_struct("AggregateStat", 9)?;
+        stat.serialize_field("name", self.label)?;
+        stat.serialize_field("unit", "ns/iter")?;
+        stat.serialize_field("value", &self.agg_stat.mean_duration.as_nanos().to_string())?;
+        stat.serialize_field(
+            "range",
+            &format!("± {}", self.agg_stat.sd_duration.as_nanos()),
+        )?;
+        stat.serialize_field("protocol version", self.protocol_version)?;
+        stat.serialize_field("sample size", &self.agg_stat.sample_size)?;
+        stat.serialize_field("operating system", std::env::consts::OS)?;
+        stat.serialize_field("architecture", std::env::consts::ARCH)?;
+        stat.serialize_field("run time", &run_time_group(self.label).to_string())?;
+
+        stat.end()
+    }
+}
--- a/rosenpass/src/api/api_handler.rs
+++ b/rosenpass/src/api/api_handler.rs
@@ -158,10 +158,10 @@ where
            );

            // Actually read the secrets
-            let mut sk = crate::protocol::SSk::zero();
+            let mut sk = crate::protocol::basic_types::SSk::zero();
            sk_io.read_exact_til_end(sk.secret_mut()).einvalid_req()?;

-            let mut pk = crate::protocol::SPk::zero();
+            let mut pk = crate::protocol::basic_types::SPk::zero();
            pk_io.read_exact_til_end(pk.borrow_mut()).einvalid_req()?;

            // Retrieve the construction site
--- a/rosenpass/src/api/config.rs
+++ b/rosenpass/src/api/config.rs
@@ -8,6 +8,7 @@ use crate::app_server::AppServer;

 /// Configuration options for the Rosenpass API
 #[derive(Debug, Serialize, Deserialize, Default, Clone, PartialEq, Eq)]
+#[serde(deny_unknown_fields)]
 pub struct ApiConfig {
    /// Where in the file-system to create the unix socket the rosenpass API will be listening for
    /// connections on
--- a/rosenpass/src/app_server.rs
+++ b/rosenpass/src/app_server.rs
@@ -1,56 +1,37 @@
-/// This contains the bulk of the rosenpass server IO handling code whereas
-/// the actual cryptographic code lives in the [crate::protocol] module
-use anyhow::bail;
+//! This contains the bulk of the rosenpass server IO handling code whereas
+//! the actual cryptographic code lives in the [crate::protocol] module

-use anyhow::Context;
-use anyhow::Result;
+use std::collections::{HashMap, VecDeque};
+use std::io::{stdout, ErrorKind, Write};
+use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs};
+use std::time::{Duration, Instant};
+use std::{cell::Cell, fmt::Debug, io, path::PathBuf, slice};
+
+use mio::{Interest, Token};
+use signal_hook_mio::v1_0 as signal_hook_mio;
+
+use anyhow::{bail, Context, Result};
 use derive_builder::Builder;
 use log::{error, info, warn};
-use mio::Interest;
-use mio::Token;
-use rosenpass_secret_memory::Public;
-use rosenpass_secret_memory::Secret;
-use rosenpass_util::build::ConstructionSite;
-use rosenpass_util::file::StoreValueB64;
-use rosenpass_util::functional::run;
-use rosenpass_util::functional::ApplyExt;
-use rosenpass_util::io::IoResultKindHintExt;
-use rosenpass_util::io::SubstituteForIoErrorKindExt;
-use rosenpass_util::option::SomeExt;
-use rosenpass_util::result::OkExt;
-use rosenpass_wireguard_broker::WireguardBrokerMio;
-use rosenpass_wireguard_broker::{WireguardBrokerCfg, WG_KEY_LEN};
 use zerocopy::AsBytes;

-use std::cell::Cell;
-
-use std::collections::HashMap;
-use std::collections::VecDeque;
-use std::fmt::Debug;
-use std::io;
-use std::io::stdout;
-use std::io::ErrorKind;
-use std::io::Write;
-use std::net::Ipv4Addr;
-use std::net::Ipv6Addr;
-use std::net::SocketAddr;
-use std::net::SocketAddrV4;
-use std::net::SocketAddrV6;
-use std::net::ToSocketAddrs;
-use std::path::PathBuf;
-use std::slice;
-use std::time::Duration;
-use std::time::Instant;
-
-use crate::config::ProtocolVersion;
-use crate::protocol::BuildCryptoServer;
-use crate::protocol::HostIdentification;
-use crate::{
-    config::Verbosity,
-    protocol::{CryptoServer, MsgBuf, PeerPtr, SPk, SSk, SymKey, Timing},
-};
 use rosenpass_util::attempt;
-use rosenpass_util::b64::B64Display;
+use rosenpass_util::fmt::debug::NullDebug;
+use rosenpass_util::functional::{run, ApplyExt};
+use rosenpass_util::io::{IoResultKindHintExt, SubstituteForIoErrorKindExt};
+use rosenpass_util::{
+    b64::B64Display, build::ConstructionSite, file::StoreValueB64, result::OkExt,
+};
+
+use rosenpass_secret_memory::{Public, Secret};
+use rosenpass_wireguard_broker::{WireguardBrokerCfg, WireguardBrokerMio, WG_KEY_LEN};
+
+use crate::config::{ProtocolVersion, Verbosity};
+
+use crate::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use crate::protocol::osk_domain_separator::OskDomainSeparator;
+use crate::protocol::timing::Timing;
+use crate::protocol::{BuildCryptoServer, CryptoServer, HostIdentification, PeerPtr};

 /// The maximum size of a base64 encoded symmetric key (estimate)
 pub const MAX_B64_KEY_SIZE: usize = 32 * 5 / 3;
@@ -151,7 +132,7 @@ pub struct BrokerStore {
    /// The collection of WireGuard brokers. See [Self].
    pub store: HashMap<
        Public<BROKER_ID_BYTES>,
-        Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error>>,
+        Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error> + Send>,
    >,
 }

@@ -168,12 +149,12 @@ pub struct BrokerPeer {
    ///
    /// This is woefully overengineered and there is very little reason why the broker
    /// configuration should not live in the particular WireGuard broker.
-    peer_cfg: Box<dyn WireguardBrokerCfg>,
+    peer_cfg: Box<dyn WireguardBrokerCfg + Send>,
 }

 impl BrokerPeer {
    /// Create a broker peer
-    pub fn new(ptr: BrokerStorePtr, peer_cfg: Box<dyn WireguardBrokerCfg>) -> Self {
+    pub fn new(ptr: BrokerStorePtr, peer_cfg: Box<dyn WireguardBrokerCfg + Send>) -> Self {
        Self { ptr, peer_cfg }
    }

@@ -308,12 +289,20 @@ pub enum AppServerIoSource {
    Socket(usize),
    /// IO source refers to a PSK broker in [AppServer::brokers]
    PskBroker(Public<BROKER_ID_BYTES>),
+    /// IO source refers to our signal handlers
+    SignalHandler,
    /// IO source refers to some IO sources used in the API;
    /// see [AppServer::api_manager]
    #[cfg(feature = "experiment_api")]
    MioManager(crate::api::mio::MioManagerIoSource),
 }

+pub enum AppServerTryRecvResult {
+    None,
+    Terminate,
+    NetworkMessage(usize, Endpoint),
+}
+
 /// Number of epoll(7) events Rosenpass can receive at a time
 const EVENT_CAPACITY: usize = 20;

@@ -354,6 +343,8 @@ pub struct AppServer {
    /// MIO associates IO sources with numeric tokens. This struct takes care of generating these
    /// tokens
    pub mio_token_dispenser: MioTokenDispenser,
+    /// Mio-based handler for signals
+    pub signal_handler: NullDebug<signal_hook_mio::Signals>,
    /// Helpers handling communication with WireGuard; these take a generated key and forward it to
    /// WireGuard
    pub brokers: BrokerStore,
@@ -379,16 +370,6 @@ pub struct AppServer {
    /// Used by integration tests to force [Self] into DoS condition
    /// and to terminate the AppServer after the test is complete
    pub test_helpers: Option<AppServerTest>,
-    /// Helper for integration tests running rosenpass as a subprocess
-    /// to terminate properly upon receiving an appropriate system signal.
-    ///
-    /// This is primarily needed for coverage testing, since llvm-cov does not
-    /// write coverage reports to disk when a process is stopped by the default
-    /// signal handler.
-    ///
-    /// See <https://github.com/rosenpass/rosenpass/issues/385>
-    #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-    pub term_signal: terminate::TerminateRequested,
    #[cfg(feature = "experiment_api")]
    /// The Rosenpass unix socket API handler; this is an experimental
    /// feature that can be used to embed Rosenpass in external applications
@@ -478,6 +459,8 @@ impl AppPeerPtr {
 /// Instructs [AppServer::event_loop_without_error_handling] on how to proceed.
 #[derive(Debug)]
 pub enum AppPollResult {
+    /// Received request to terminate the application
+    Terminate,
    /// Erase the key for a given peer. Corresponds to [crate::protocol::PollResult::DeleteKey]
    DeleteKey(AppPeerPtr),
    /// Send an initiation to the given peer. Corresponds to [crate::protocol::PollResult::SendInitiation]
@@ -824,10 +807,27 @@ impl AppServer {
        verbosity: Verbosity,
        test_helpers: Option<AppServerTest>,
    ) -> anyhow::Result<Self> {
-        // setup mio
+        // Setup Mio itself
        let mio_poll = mio::Poll::new()?;
        let events = mio::Events::with_capacity(EVENT_CAPACITY);
+
+        // And helpers to map mio tokens to internal event types
        let mut mio_token_dispenser = MioTokenDispenser::default();
+        let mut io_source_index = HashMap::new();
+
+        // Setup signal handling
+        let signal_handler = attempt!({
+            let mut handler =
+                signal_hook_mio::Signals::new(signal_hook::consts::TERM_SIGNALS.iter())?;
+            let mio_token = mio_token_dispenser.dispense();
+            mio_poll
+                .registry()
+                .register(&mut handler, mio_token, Interest::READABLE)?;
+            let prev = io_source_index.insert(mio_token, AppServerIoSource::SignalHandler);
+            assert!(prev.is_none());
+            Ok(NullDebug(handler))
+        })
+        .context("Failed to set up signal (user triggered program termination) handler")?;

        // bind each SocketAddr to a socket
        let maybe_sockets: Result<Vec<_>, _> =
@@ -901,7 +901,6 @@ impl AppServer {
        }

        // register all sockets to mio
-        let mut io_source_index = HashMap::new();
        for (idx, socket) in sockets.iter_mut().enumerate() {
            let mio_token = mio_token_dispenser.dispense();
            mio_poll
@@ -917,8 +916,6 @@ impl AppServer {
        };

        Ok(Self {
-            #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-            term_signal: terminate::TerminateRequested::new()?,
            crypto_site,
            peers: Vec::new(),
            verbosity,
@@ -929,6 +926,7 @@ impl AppServer {
            io_source_index,
            mio_poll,
            mio_token_dispenser,
+            signal_handler,
            brokers: BrokerStore::default(),
            all_sockets_drained: false,
            under_load: DoSOperation::Normal,
@@ -999,7 +997,7 @@ impl AppServer {
    /// Register a new WireGuard PSK broker
    pub fn register_broker(
        &mut self,
-        broker: Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error>>,
+        broker: Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error> + Send>,
    ) -> Result<BrokerStorePtr> {
        let ptr = Public::from_slice((self.brokers.store.len() as u64).as_bytes());
        if self.brokers.store.insert(ptr, broker).is_some() {
@@ -1036,6 +1034,7 @@ impl AppServer {
    /// # Examples
    ///
    /// See [Self::new].
+    #[allow(clippy::too_many_arguments)]
    pub fn add_peer(
        &mut self,
        psk: Option<SymKey>,
@@ -1044,11 +1043,16 @@ impl AppServer {
        broker_peer: Option<BrokerPeer>,
        hostname: Option<String>,
        protocol_version: ProtocolVersion,
+        osk_domain_separator: OskDomainSeparator,
    ) -> anyhow::Result<AppPeerPtr> {
        let PeerPtr(pn) = match &mut self.crypto_site {
            ConstructionSite::Void => bail!("Crypto server construction site is void"),
-            ConstructionSite::Builder(builder) => builder.add_peer(psk, pk, protocol_version),
-            ConstructionSite::Product(srv) => srv.add_peer(psk, pk, protocol_version.into())?,
+            ConstructionSite::Builder(builder) => {
+                builder.add_peer(psk, pk, protocol_version, osk_domain_separator)
+            }
+            ConstructionSite::Product(srv) => {
+                srv.add_peer(psk, pk, protocol_version.into(), osk_domain_separator)?
+            }
        };
        assert!(pn == self.peers.len());

@@ -1065,7 +1069,7 @@ impl AppServer {
        Ok(AppPeerPtr(pn))
    }

-    /// Main IO handler; this generally does not terminate
+    /// Main IO handler; this generally does not terminate other than through unix signals
    ///
    /// # Examples
    ///
@@ -1082,23 +1086,6 @@ impl AppServer {
                Err(e) => e,
            };

-            #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-            {
-                let terminated_by_signal = err
-                    .downcast_ref::<std::io::Error>()
-                    .filter(|e| e.kind() == std::io::ErrorKind::Interrupted)
-                    .filter(|_| self.term_signal.value())
-                    .is_some();
-                if terminated_by_signal {
-                    log::warn!(
-                        "\
-                        Terminated by signal; this signal handler is correct during coverage testing \
-                        but should be otherwise disabled"
-                    );
-                    return Ok(());
-                }
-            }
-
            // This should not happen…
            failure_cnt = if msgs_processed > 0 {
                0
@@ -1151,6 +1138,7 @@ impl AppServer {
            use AppPollResult::*;
            use KeyOutputReason::*;

+            // TODO: We should read from this using a mio channel
            if let Some(AppServerTest {
                termination_handler: Some(terminate),
                ..
@@ -1174,6 +1162,8 @@ impl AppServer {

            #[allow(clippy::redundant_closure_call)]
            match (have_crypto, poll_result) {
+                (_, Terminate) => return Ok(()),
+
                (CryptoSrv::Missing, SendInitiation(_)) => {}
                (CryptoSrv::Avail, SendInitiation(peer)) => tx_maybe_with!(peer, || self
                    .crypto_server_mut()?
@@ -1321,6 +1311,7 @@ impl AppServer {
    pub fn poll(&mut self, rx_buf: &mut [u8]) -> anyhow::Result<AppPollResult> {
        use crate::protocol::PollResult as C;
        use AppPollResult as A;
+        use AppServerTryRecvResult as R;
        let res = loop {
            // Call CryptoServer's poll (if available)
            let crypto_poll = self
@@ -1337,12 +1328,14 @@ impl AppServer {
                    break A::SendRetransmission(AppPeerPtr(no))
                }
                Some(C::Sleep(timeout)) => timeout, // No event from crypto-server, do IO
-                None => crate::protocol::UNENDING,  // Crypto server is uninitialized, do IO
+                None => crate::protocol::timing::UNENDING, // Crypto server is uninitialized, do IO
            };

            // Perform IO (look for a message)
-            if let Some((len, addr)) = self.try_recv(rx_buf, io_poll_timeout)? {
-                break A::ReceivedMessage(len, addr);
+            match self.try_recv(rx_buf, io_poll_timeout)? {
+                R::None => {}
+                R::Terminate => break A::Terminate,
+                R::NetworkMessage(len, addr) => break A::ReceivedMessage(len, addr),
            }
        };

@@ -1360,12 +1353,12 @@ impl AppServer {
        &mut self,
        buf: &mut [u8],
        timeout: Timing,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
        let timeout = Duration::from_secs_f64(timeout);

        // if there is no time to wait on IO, well, then, lets not waste any time!
        if timeout.is_zero() {
-            return Ok(None);
+            return Ok(AppServerTryRecvResult::None);
        }

        // NOTE when using mio::Poll, there are some particularities (taken from
@@ -1475,12 +1468,19 @@ impl AppServer {
        // blocking poll, we go through all available IO sources to see if we missed anything.
        {
            while let Some(ev) = self.short_poll_queue.pop_front() {
-                if let Some(v) = self.try_recv_from_mio_token(buf, ev.token())? {
-                    return Ok(Some(v));
+                match self.try_recv_from_mio_token(buf, ev.token())? {
+                    AppServerTryRecvResult::None => continue,
+                    res => return Ok(res),
                }
            }
        }

+        // Drain operating system signals
+        match self.try_recv_from_signal_handler()? {
+            AppServerTryRecvResult::None => {} // Nop
+            res => return Ok(res),
+        }
+
        // drain all sockets
        let mut would_block_count = 0;
        for sock_no in 0..self.sockets.len() {
@@ -1488,11 +1488,11 @@ impl AppServer {
                .try_recv_from_listen_socket(buf, sock_no)
                .io_err_kind_hint()
            {
-                Ok(None) => continue,
-                Ok(Some(v)) => {
+                Ok(AppServerTryRecvResult::None) => continue,
+                Ok(res) => {
                    // at least one socket was not drained...
                    self.all_sockets_drained = false;
-                    return Ok(Some(v));
+                    return Ok(res);
                }
                Err((_, ErrorKind::WouldBlock)) => {
                    would_block_count += 1;
@@ -1520,12 +1520,24 @@ impl AppServer {

        self.performed_long_poll = true;

-        Ok(None)
+        Ok(AppServerTryRecvResult::None)
    }

    /// Internal helper for [Self::try_recv]
    fn perform_mio_poll_and_register_events(&mut self, timeout: Duration) -> io::Result<()> {
-        self.mio_poll.poll(&mut self.events, Some(timeout))?;
+        loop {
+            use std::io::ErrorKind as IOE;
+            match self
+                .mio_poll
+                .poll(&mut self.events, Some(timeout))
+                .io_err_kind_hint()
+            {
+                Ok(()) => break,
+                Err((_, IOE::Interrupted)) => continue,
+                Err((err, _)) => return Err(err),
+            }
+        }
+
        // Fill the short poll buffer with the acquired events
        self.events
            .iter()
@@ -1539,12 +1551,12 @@ impl AppServer {
        &mut self,
        buf: &mut [u8],
        token: mio::Token,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
        let io_source = match self.io_source_index.get(&token) {
            Some(io_source) => *io_source,
            None => {
                log::warn!("No IO source assiociated with mio token ({token:?}). Polling using mio tokens directly is an experimental feature and IO handler should recover when all available io sources are polled. This is a developer error. Please report it.");
-                return Ok(None);
+                return Ok(AppServerTryRecvResult::None);
            }
        };

@@ -1556,11 +1568,13 @@ impl AppServer {
        &mut self,
        buf: &mut [u8],
        io_source: AppServerIoSource,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
        match io_source {
+            AppServerIoSource::SignalHandler => self.try_recv_from_signal_handler()?.ok(),
+
            AppServerIoSource::Socket(idx) => self
                .try_recv_from_listen_socket(buf, idx)
-                .substitute_for_ioerr_wouldblock(None)?
+                .substitute_for_ioerr_wouldblock(AppServerTryRecvResult::None)?
                .ok(),

            AppServerIoSource::PskBroker(key) => self
@@ -1569,7 +1583,7 @@ impl AppServer {
                .get_mut(&key)
                .with_context(|| format!("No PSK broker under key {key:?}"))?
                .process_poll()
-                .map(|_| None),
+                .map(|_| AppServerTryRecvResult::None),

            #[cfg(feature = "experiment_api")]
            AppServerIoSource::MioManager(mmio_src) => {
@@ -1577,17 +1591,28 @@ impl AppServer {

                MioManagerFocus(self)
                    .poll_particular(mmio_src)
-                    .map(|_| None)
+                    .map(|_| AppServerTryRecvResult::None)
            }
        }
    }

+    /// Internal helper for [Self::try_recv]
+    fn try_recv_from_signal_handler(&mut self) -> io::Result<AppServerTryRecvResult> {
+        #[allow(clippy::never_loop)]
+        for signal in self.signal_handler.pending() {
+            log::debug!("Received operating system signal no {signal}.");
+            log::info!("Received termination request; exiting.");
+            return Ok(AppServerTryRecvResult::Terminate);
+        }
+        Ok(AppServerTryRecvResult::None)
+    }
+
    /// Internal helper for [Self::try_recv]
    fn try_recv_from_listen_socket(
        &mut self,
        buf: &mut [u8],
        idx: usize,
-    ) -> io::Result<Option<(usize, Endpoint)>> {
+    ) -> io::Result<AppServerTryRecvResult> {
        use std::io::ErrorKind as K;
        let (n, addr) = loop {
            match self.sockets[idx].recv_from(buf).io_err_kind_hint() {
@@ -1599,8 +1624,7 @@ impl AppServer {
        SocketPtr(idx)
            .apply(|sp| SocketBoundEndpoint::new(sp, addr))
            .apply(Endpoint::SocketBoundAddress)
-            .apply(|ep| (n, ep))
-            .some()
+            .apply(|ep| AppServerTryRecvResult::NetworkMessage(n, ep))
            .ok()
    }

@@ -1652,48 +1676,3 @@ impl crate::api::mio::MioManagerContext for MioManagerFocus<'_> {
        self.0
    }
 }
-
-/// These signal handlers are used exclusively used during coverage testing
-/// to ensure that the llvm-cov can produce reports during integration tests
-/// with multiple processes where subprocesses are terminated via kill(2).
-///
-/// llvm-cov does not support producing coverage reports when the process exits
-/// through a signal, so this is necessary.
-///
-/// The functionality of exiting gracefully upon reception of a terminating signal
-/// is desired for the production variant of Rosenpass, but we should make sure
-/// to use a higher quality implementation; in particular, we should use signalfd(2).
-///
-#[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-mod terminate {
-    use signal_hook::flag::register as sig_register;
-    use std::sync::{
-        atomic::{AtomicBool, Ordering},
-        Arc,
-    };
-
-    /// Automatically register a signal handler for common termination signals;
-    /// whether one of these signals was issued can be polled using [Self::value].
-    ///
-    /// The signal handler is not removed when this struct goes out of scope.
-    #[derive(Debug)]
-    pub struct TerminateRequested {
-        value: Arc<AtomicBool>,
-    }
-
-    impl TerminateRequested {
-        /// Register signal handlers watching for common termination signals
-        pub fn new() -> anyhow::Result<Self> {
-            let value = Arc::new(AtomicBool::new(false));
-            for sig in signal_hook::consts::TERM_SIGNALS.iter().copied() {
-                sig_register(sig, Arc::clone(&value))?;
-            }
-            Ok(Self { value })
-        }
-
-        /// Check whether a termination signal has been set
-        pub fn value(&self) -> bool {
-            self.value.load(Ordering::Relaxed)
-        }
-    }
-}
--- a/rosenpass/src/cli.rs
+++ b/rosenpass/src/cli.rs
@@ -17,7 +17,7 @@ use std::path::PathBuf;

 use crate::app_server::AppServerTest;
 use crate::app_server::{AppServer, BrokerPeer};
-use crate::protocol::{SPk, SSk, SymKey};
+use crate::protocol::basic_types::{SPk, SSk, SymKey};

 use super::config;

@@ -490,7 +490,8 @@ impl CliArgs {
                cfg_peer.key_out,
                broker_peer,
                cfg_peer.endpoint.clone(),
-                cfg_peer.protocol_version.into(),
+                cfg_peer.protocol_version,
+                cfg_peer.osk_domain_separator.try_into()?,
            )?;
        }

@@ -514,7 +515,7 @@ impl CliArgs {
    fn create_broker(
        broker_interface: Option<BrokerInterface>,
    ) -> Result<
-        Box<dyn WireguardBrokerMio<MioError = anyhow::Error, Error = anyhow::Error>>,
+        Box<dyn WireguardBrokerMio<MioError = anyhow::Error, Error = anyhow::Error> + Send>,
        anyhow::Error,
    > {
        if let Some(interface) = broker_interface {
@@ -607,8 +608,8 @@ impl CliArgs {

 /// generate secret and public keys, store in files according to the paths passed as arguments
 pub fn generate_and_save_keypair(secret_key: PathBuf, public_key: PathBuf) -> anyhow::Result<()> {
-    let mut ssk = crate::protocol::SSk::random();
-    let mut spk = crate::protocol::SPk::random();
+    let mut ssk = crate::protocol::basic_types::SSk::random();
+    let mut spk = crate::protocol::basic_types::SPk::random();
    StaticKem.keygen(ssk.secret_mut(), spk.deref_mut())?;
    ssk.store_secret(secret_key)?;
    spk.store(public_key)
--- a/rosenpass/src/config.rs
+++ b/rosenpass/src/config.rs
@@ -7,20 +7,19 @@
 //! - TODO: support `~` in <https://github.com/rosenpass/rosenpass/issues/237>
 //! - TODO: provide tooling to create config file from shell <https://github.com/rosenpass/rosenpass/issues/247>

-use crate::protocol::{SPk, SSk};
-use rosenpass_util::file::LoadValue;
-use std::{
-    collections::HashSet,
-    fs,
-    io::Write,
-    net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs},
-    path::{Path, PathBuf},
-};
+use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSocketAddrs};
+use std::path::{Path, PathBuf};
+use std::{collections::HashSet, fs, io::Write};

 use anyhow::{bail, ensure};
-use rosenpass_util::file::{fopen_w, Visibility};
+
 use serde::{Deserialize, Serialize};

+use rosenpass_util::file::{fopen_w, LoadValue, Visibility};
+
+use crate::protocol::basic_types::{SPk, SSk};
+use crate::protocol::osk_domain_separator::OskDomainSeparator;
+
 use crate::app_server::AppServer;

 #[cfg(feature = "experiment_api")]
@@ -36,6 +35,7 @@ fn empty_api_config() -> crate::api::config::ApiConfig {
 ///
 /// i.e. configuration for the `rosenpass exchange` and `rosenpass exchange-config` commands
 #[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(deny_unknown_fields)]
 pub struct Rosenpass {
    // TODO: Raise error if secret key or public key alone is set during deserialization
    // SEE: https://github.com/serde-rs/serde/issues/2793
@@ -77,6 +77,7 @@ pub struct Rosenpass {

 /// Public key and secret key locations.
 #[derive(Debug, Deserialize, Serialize, PartialEq, Eq, Clone)]
+#[serde(deny_unknown_fields)]
 pub struct Keypair {
    /// path to the public key file
    pub public_key: PathBuf,
@@ -104,6 +105,7 @@ impl Keypair {
 ///
 /// - TODO: replace this type with [`log::LevelFilter`], also see <https://github.com/rosenpass/rosenpass/pull/246>
 #[derive(Debug, PartialEq, Eq, Serialize, Deserialize, Copy, Clone)]
+#[serde(deny_unknown_fields)]
 pub enum Verbosity {
    Quiet,
    Verbose,
@@ -111,6 +113,7 @@ pub enum Verbosity {

 /// The protocol version to be used by a peer.
 #[derive(Debug, PartialEq, Eq, Serialize, Deserialize, Copy, Clone, Default)]
+#[serde(deny_unknown_fields)]
 pub enum ProtocolVersion {
    #[default]
    V02,
@@ -119,6 +122,7 @@ pub enum ProtocolVersion {

 /// Configuration data for a single Rosenpass peer
 #[derive(Debug, Default, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
 pub struct RosenpassPeer {
    /// path to the public key of the peer
    pub public_key: PathBuf,
@@ -150,10 +154,78 @@ pub struct RosenpassPeer {
    #[serde(default)]
    /// The protocol version to use for the exchange
    pub protocol_version: ProtocolVersion,
+
+    /// Allows using a custom domain separator
+    #[serde(flatten)]
+    pub osk_domain_separator: RosenpassPeerOskDomainSeparator,
+}
+
+/// Configuration for [crate::protocol::osk_domain_separator::OskDomainSeparator]
+///
+/// Refer to its documentation for more information and examples of how to use this.
+#[derive(Debug, Default, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
+pub struct RosenpassPeerOskDomainSeparator {
+    /// If Rosenpass is used for purposes other then securing WireGuard,
+    /// a custom domain separator and domain separator must be specified.
+    ///
+    /// Use `osk_organization` to indicate the organization who specifies the use case
+    /// and `osk_label` for a specific purpose within that organization.
+    ///
+    /// ```toml
+    /// [[peer]]
+    /// public_key = "my_public_key"
+    /// ...
+    /// osk_organization = "myorg.com"
+    /// osk_label = ["My Custom Messenger app"]
+    /// ```
+    pub osk_organization: Option<String>,
+    // If Rosenpass is used for purposes other then securing WireGuard,
+    /// a custom domain separator and domain separator must be specified.
+    ///
+    /// Use `osk_organization` to indicate the organization who specifies the use case
+    /// and `osk_label` for a specific purpose within that organization.
+    ///
+    /// ```toml
+    /// [[peer]]
+    /// public_key = "my_public_key"
+    /// ...
+    /// osk_namespace = "myorg.com"
+    /// osk_label = ["My Custom Messenger app"]
+    /// ```
+    pub osk_label: Option<Vec<String>>,
+}
+
+impl RosenpassPeerOskDomainSeparator {
+    pub fn org_and_label(&self) -> anyhow::Result<Option<(&String, &Vec<String>)>> {
+        match (&self.osk_organization, &self.osk_label) {
+            (None, None) => Ok(None),
+            (Some(org), Some(label)) => Ok(Some((org, label))),
+            (Some(_), None) => bail!("Specified osk_organization but not osk_label in config file. You need to specify both, or none."),
+            (None, Some(_)) =>  bail!("Specified osk_label but not osk_organization in config file. You need to specify both, or none."),
+        }
+    }
+
+    pub fn validate(&self) -> anyhow::Result<()> {
+        let _org_and_label: Option<(_, _)> = self.org_and_label()?;
+        Ok(())
+    }
+}
+
+impl TryFrom<RosenpassPeerOskDomainSeparator> for OskDomainSeparator {
+    type Error = anyhow::Error;
+
+    fn try_from(val: RosenpassPeerOskDomainSeparator) -> anyhow::Result<Self> {
+        match val.org_and_label()? {
+            None => Ok(OskDomainSeparator::default()),
+            Some((org, label)) => Ok(OskDomainSeparator::custom_utf8(org, label)),
+        }
+    }
 }

 /// Information for supplying exchanged keys directly to WireGuard
 #[derive(Debug, Default, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(deny_unknown_fields)]
 pub struct WireGuard {
    /// Name of the WireGuard interface to supply with pre-shared keys generated by the Rosenpass
    /// key exchange
@@ -292,7 +364,7 @@ impl Rosenpass {
            // check the secret-key file is a valid key
            ensure!(
                SSk::load(&keypair.secret_key).is_ok(),
-                "could not load public-key file {:?}: invalid key",
+                "could not load secret-key file {:?}: invalid key",
                keypair.secret_key
            );
        }
@@ -337,6 +409,10 @@ impl Rosenpass {
                    );
                }
            }
+
+            if let Err(e) = peer.osk_domain_separator.validate() {
+                bail!("Invalid OSK domain separation configuration for peer {i}: {e}");
+            }
        }

        Ok(())
--- a/rosenpass/src/hash_domains.rs
+++ b/rosenpass/src/hash_domains.rs
@@ -166,7 +166,7 @@ hash_domain_ns!(
    protocol, cookie_key, "cookie-key");
 hash_domain_ns!(
    /// Hash domain based on [protocol] for calculating the peer id as transmitted (encrypted)
-    /// in [crate::msgs::InitHello::pidic].
+    /// in [crate::msgs::InitHello::pidi_ct].
    ///
    /// # Examples
    ///
@@ -179,7 +179,7 @@ hash_domain_ns!(
 hash_domain_ns!(
    /// Hash domain based on [protocol] for calculating the additional data
    /// during [crate::msgs::Biscuit] encryption, storing the biscuit into
-    /// [crate::msgs::RespHello::biscuit].
+    /// [crate::msgs::RespHello::biscuit_ct].
    ///
    /// # Examples
    ///
@@ -295,25 +295,21 @@ hash_domain_ns!(
    /// We do recommend that third parties base their specific domain separators
    /// on a internet domain and/or mix in much more specific information.
    ///
-    /// We only really use this to derive a output key for wireguard; see [osk].
-    ///
    /// See [_ckextract].
    ///
    /// # Examples
    ///
    /// See the [module](self) documentation on how to use the hash domains in general.
-    _ckextract, _user, "user");
+    _ckextract, cke_user, "user");
 hash_domain_ns!(
    /// Chaining key domain separator for any rosenpass specific purposes.
    ///
-    /// We only really use this to derive a output key for wireguard; see [osk].
-    ///
    /// See [_ckextract].
    ///
    /// # Examples
    ///
    /// See the [module](self) documentation on how to use the hash domains in general.
-    _user, _rp, "rosenpass.eu");
+    cke_user, cke_user_rosenpass, "rosenpass.eu");
 hash_domain!(
    /// Chaining key domain separator for deriving the key sent to WireGuard.
    ///
@@ -325,4 +321,4 @@ hash_domain!(
    /// Check out its source code!
    ///
    /// See the [module](self) documentation on how to use the hash domains in general.
-    _rp, osk, "wireguard psk");
+    cke_user_rosenpass, ext_wireguard_psk_osk, "wireguard psk");
--- a/rosenpass/src/msgs.rs
+++ b/rosenpass/src/msgs.rs
@@ -135,7 +135,7 @@ pub struct InitHello {
    /// Classic McEliece Ciphertext
    pub sctr: [u8; StaticKem::CT_LEN],
    /// Encryped: 16 byte hash of McEliece initiator static key
-    pub pidic: [u8; Aead::TAG_LEN + 32],
+    pub pidi_ct: [u8; Aead::TAG_LEN + 32],
    /// Encrypted TAI64N Time Stamp (against replay attacks)
    pub auth: [u8; Aead::TAG_LEN],
 }
@@ -188,7 +188,7 @@ pub struct RespHello {
    /// Empty encrypted message (just an auth tag)
    pub auth: [u8; Aead::TAG_LEN],
    /// Responders handshake state in encrypted form
-    pub biscuit: [u8; BISCUIT_CT_LEN],
+    pub biscuit_ct: [u8; BISCUIT_CT_LEN],
 }

 /// This is the third message sent by the initiator to the responder
@@ -233,7 +233,7 @@ pub struct InitConf {
    /// Copied from RespHello
    pub sidr: [u8; 4],
    /// Responders handshake state in encrypted form
-    pub biscuit: [u8; BISCUIT_CT_LEN],
+    pub biscuit_ct: [u8; BISCUIT_CT_LEN],
    /// Empty encrypted message (just an auth tag)
    pub auth: [u8; Aead::TAG_LEN],
 }
--- a/rosenpass/src/protocol/basic_types.rs
+++ b/rosenpass/src/protocol/basic_types.rs
@@ -0,0 +1,38 @@
+//! Key types and other fundamental types used in the Rosenpass protocol
+
+use rosenpass_cipher_traits::primitives::{Aead, Kem};
+use rosenpass_ciphers::{EphemeralKem, StaticKem, XAead, KEY_LEN};
+use rosenpass_secret_memory::{Public, PublicBox, Secret};
+
+use crate::msgs::{BISCUIT_ID_LEN, MAX_MESSAGE_LEN, SESSION_ID_LEN};
+
+/// Static public key
+///
+/// Using [PublicBox] instead of [Public] because Classic McEliece keys are very large.
+pub type SPk = PublicBox<{ StaticKem::PK_LEN }>;
+/// Static secret key
+pub type SSk = Secret<{ StaticKem::SK_LEN }>;
+/// Ephemeral public key
+pub type EPk = Public<{ EphemeralKem::PK_LEN }>;
+pub type ESk = Secret<{ EphemeralKem::SK_LEN }>;
+
+/// Symmetric key
+pub type SymKey = Secret<KEY_LEN>;
+/// Variant of [SymKey] for use cases where the value is public
+pub type PublicSymKey = [u8; 32];
+
+/// Peer ID (derived from the public key, see the hash derivations in the [whitepaper](https://rosenpass.eu/whitepaper.pdf))
+pub type PeerId = Public<KEY_LEN>;
+/// Session ID
+pub type SessionId = Public<SESSION_ID_LEN>;
+/// Biscuit ID
+pub type BiscuitId = Public<BISCUIT_ID_LEN>;
+
+/// Nonce for use with random-nonce AEAD
+pub type XAEADNonce = Public<{ XAead::NONCE_LEN }>;
+
+/// Buffer capably of holding any Rosenpass protocol message
+pub type MsgBuf = Public<MAX_MESSAGE_LEN>;
+
+/// Server-local peer number; this is just the index in [super::CryptoServer::peers]
+pub type PeerNo = usize;
--- a/Show More
+++ b/Show More