chore(deps): bump stefanzweifel/git-auto-commit-action from 6 to 7

Bumps [stefanzweifel/git-auto-commit-action](https://github.com/stefanzweifel/git-auto-commit-action) from 6 to 7. - [Release notes](https://github.com/stefanzweifel/git-auto-commit-action/releases) - [Changelog](https://github.com/stefanzweifel/git-auto-commit-action/blob/master/CHANGELOG.md) - [Commits](https://github.com/stefanzweifel/git-auto-commit-action/compare/v6...v7) --- updated-dependencies: - dependency-name: stefanzweifel/git-auto-commit-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Regenerate cargo vet exemptions
2025-12-18 13:24:38 +03:00 · 2025-12-17 20:52:29 +01:00 · 2025-12-17 20:52:09 +01:00 · 2025-12-17 20:52:09 +01:00 · 2025-09-20 11:31:50 +02:00 · 2025-09-16 08:45:06 +00:00
116 changed files with 5786 additions and 5438 deletions
--- a/.github/workflows/bench-primitives.yml
+++ b/.github/workflows/bench-primitives.yml
@@ -21,13 +21,13 @@ jobs:
      matrix:
        system: ["x86_64-linux", "i686-linux"]

-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    defaults:
      run:
        shell: bash

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      # Install nix

@@ -93,7 +93,7 @@ jobs:
  ciphers-primitives-bench-status:
    if: ${{ always() }}
    needs: [prim-benchmark]
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    steps:
      - name: Successful
        if: ${{ !(contains(needs.*.result, 'failure')) }}
--- a/.github/workflows/bench-protocol.yml
+++ b/.github/workflows/bench-protocol.yml
@@ -21,13 +21,13 @@ jobs:
      matrix:
        system: ["x86_64-linux", "i686-linux"]

-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    defaults:
      run:
        shell: bash

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5

      # Install nix

@@ -80,7 +80,7 @@ jobs:
  ciphers-protocol-bench-status:
    if: ${{ always() }}
    needs: [proto-benchmark]
-    runs-on: ubuntu-latest
+    runs-on: ubicloud-standard-2
    steps:
      - name: Successful
        if: ${{ !(contains(needs.*.result, 'failure')) }}
--- a/.github/workflows/doc-upload.yml
+++ b/.github/workflows/doc-upload.yml
@@ -13,10 +13,10 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Clone rosenpass-website repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          repository: rosenpass/rosenpass-website
          ref: main
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -30,7 +30,7 @@ jobs:
    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build (no push) and Load
@@ -128,7 +128,7 @@ jobs:
    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Docker meta
        id: meta
@@ -173,7 +173,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: digests-rp-${{ matrix.arch }}
          path: ${{ runner.temp }}/digests/*
@@ -193,7 +193,7 @@ jobs:
    runs-on: ${{ matrix.arch == 'arm64' && 'ubuntu-24.04-arm' || 'ubuntu-latest' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5

      - name: Docker meta
        id: meta
@@ -237,7 +237,7 @@ jobs:
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
        with:
          name: digests-rosenpass-${{ matrix.arch }}
          path: ${{ runner.temp }}/digests/*
@@ -255,7 +255,7 @@ jobs:
        target: [rp, rosenpass]
    steps:
      - name: Download digests
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-${{ matrix.target }}-*
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -0,0 +1,166 @@
+name: Integration Tests
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  integration-tests-x86_64-linux:
+    name: Integration tests x86_64-linux
+    runs-on:
+      - ubicloud-standard-2-ubuntu-2204
+    steps:
+      - uses: actions/checkout@v5
+      - uses: cachix/install-nix-action@v30
+        with:
+          nix_path: nixpkgs=channel:nixos-unstable
+      - uses: cachix/cachix-action@v15
+        with:
+          name: rosenpass
+          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      - name: Extract the reference of before and after for the integration tests.
+        run: |
+          EVENT_NAME="${{ github.event_name }}"
+          REF_BEFORE=""
+          REF_AFTER="path:../../"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            echo "This CI run was triggered in the context of a pull request."
+            REF_BEFORE="github:rosenpass/rosenpass/main"
+            git checkout -B pr-${{ github.event.pull_request.number }}
+            REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+          elif [[ "$EVENT_NAME" == "push" ]]; then
+            echo "This CI run was triggered in the context of a push."
+            REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+            REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+          else
+            echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+            exit 1
+          fi
+          echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+          echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+      - name: Check
+        run: |
+          cd ./tests/integration
+          nix flake check --print-build-logs --system x86_64-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  # THE FOLLOWING TEST IS DISABLED FOR THE TIME BENG UNTIL WE GET AN ARM64 RUNNER THAT SUPPORTS KVM
+  #integration-tests-aarch64-linux:
+  #  name: Integration tests aarch64-linux
+  #  runs-on:
+  #    - ubicloud-standard-2-arm-ubuntu-2204
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          #git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #          #git checkout -B ${{ github.ref_name }}
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        # export QEMU_OPTS="-machine virt -cpu cortex-a57"
+  #        nix flake check --print-build-logs --system aarch64-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  #integration-tests-i686-linux:
+  #  name: Integration tests i686-linux
+  #  timeout-minutes: 144000
+  #  runs-on:
+  #    - ubicloud-standard-8-ubuntu-2204
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        nix flake check --print-build-logs --system i686-linux --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
+  # THE FOLLOWING TEST IS DISABLED FOR THE TIME BENG UNTIL THIS ISSUE WITH NIXOS TESTS ON DARWIN GETS RESOLVED: https://github.com/NixOS/nixpkgs/issues/294725
+  #integration-tests-aarch64-darwin:
+  #  name: Integration tests aarch64-darwin
+  #  runs-on:
+  #    - warp-macos-13-arm64-6x
+  #  steps:
+  #    - uses: actions/checkout@v5
+  #    - uses: cachix/install-nix-action@v30
+  #      with:
+  #        nix_path: nixpkgs=channel:nixos-unstable
+  #    - uses: cachix/cachix-action@v15
+  #      with:
+  #        name: rosenpass
+  #        authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
+  #    - name: Extract the reference of before and after for the integration tests.
+  #      run: |
+  #        EVENT_NAME="${{ github.event_name }}"
+  #        REF_BEFORE=""
+  #        REF_AFTER="path:../../"
+  #        if [[ "$EVENT_NAME" == "pull_request" ]]; then
+  #          echo "This CI run was triggered in the context of a pull request."
+  #          REF_BEFORE="github:rosenpass/rosenpass/main"
+  #          git checkout -B pr-${{ github.event.pull_request.number }}
+  #          REF_AFTER="git+file://../../../?ref=pr-${{ github.event.pull_request.number }}"
+  #        elif [[ "$EVENT_NAME" == "push" ]]; then
+  #          echo "This CI run was triggered in the context of a push."
+  #          REF_BEFORE="github:rosenpass/rosenpass/${{ github.event.before }}"
+  #          REF_AFTER="github:rosenpass/rosenpass/${{ github.event.after }}"
+  #        else
+  #          echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+  #          exit 1
+  #        fi
+  #        echo "REF_BEFORE=$REF_BEFORE" >> $GITHUB_ENV
+  #        echo "REF_AFTER=$REF_AFTER" >> $GITHUB_ENV
+  #    - name: Check
+  #      run: |
+  #        cd ./tests/integration
+  #        nix flake check --print-build-logs --system aarch64-darwin --override-input rosenpass-old $REF_BEFORE --override-input rosenpass-new $REF_AFTER
--- a/.github/workflows/nix-mac.yaml
+++ b/.github/workflows/nix-mac.yaml
@@ -19,7 +19,7 @@ jobs:
    needs:
      - aarch64-darwin---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -38,7 +38,7 @@ jobs:
      - aarch64-darwin---rp
      - aarch64-darwin---rosenpass-oci-image
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -54,7 +54,7 @@ jobs:
      - warp-macos-13-arm64-6x
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -70,7 +70,7 @@ jobs:
      - warp-macos-13-arm64-6x
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -87,7 +87,7 @@ jobs:
    needs:
      - aarch64-darwin---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -102,7 +102,7 @@ jobs:
    runs-on:
      - warp-macos-13-arm64-6x
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
--- a/.github/workflows/nix.yaml
+++ b/.github/workflows/nix.yaml
@@ -19,7 +19,7 @@ jobs:
    needs:
      - i686-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -35,7 +35,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -52,7 +52,7 @@ jobs:
    needs:
      - i686-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -67,7 +67,7 @@ jobs:
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -76,7 +76,8 @@ jobs:
          name: rosenpass
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - name: Check
-        run: nix flake check . --print-build-logs
+        run: |
+          nix flake check . --print-build-logs
  x86_64-linux---default:
    name: Build x86_64-linux.default
    runs-on:
@@ -84,7 +85,7 @@ jobs:
    needs:
      - x86_64-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -101,7 +102,7 @@ jobs:
    needs:
      - x86_64-linux---proverif-patched
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -117,7 +118,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -136,7 +137,7 @@ jobs:
      - x86_64-linux---rosenpass-static-oci-image
      - x86_64-linux---rp-static
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -158,7 +159,7 @@ jobs:
  #     - run: |
  #         DEBIAN_FRONTEND=noninteractive
  #         sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi binfmt-support qemu-user-static
-  #     - uses: actions/checkout@v4
+  #     - uses: actions/checkout@v5
  #     - uses: cachix/install-nix-action@v30
  #       with:
  #         nix_path: nixpkgs=channel:nixos-unstable
@@ -176,7 +177,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -195,7 +196,7 @@ jobs:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -216,7 +217,7 @@ jobs:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -235,7 +236,7 @@ jobs:
    needs:
      - x86_64-linux---rosenpass
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -255,7 +256,7 @@ jobs:
      - run: |
          DEBIAN_FRONTEND=noninteractive
          sudo apt-get update -q -y && sudo apt-get install -q -y qemu-system-aarch64 qemu-efi-aarch64 binfmt-support qemu-user-static
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -273,7 +274,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -289,7 +290,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -306,7 +307,7 @@ jobs:
    needs:
      - x86_64-linux---rosenpass-static
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -322,7 +323,7 @@ jobs:
      - ubicloud-standard-2-ubuntu-2204
    needs: []
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -337,7 +338,7 @@ jobs:
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -352,7 +353,7 @@ jobs:
    runs-on: ubicloud-standard-2-ubuntu-2204
    if: ${{ github.ref == 'refs/heads/main' }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
--- a/.github/workflows/qc-mac.yaml
+++ b/.github/workflows/qc-mac.yaml
@@ -16,7 +16,7 @@ jobs:
  cargo-test-mac:
    runs-on: warp-macos-13-arm64-6x
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
--- a/.github/workflows/qc.yaml
+++ b/.github/workflows/qc.yaml
@@ -16,7 +16,7 @@ jobs:
  prettier:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actionsx/prettier@v3
        with:
          args: --check .
@@ -25,7 +25,7 @@ jobs:
    name: Shellcheck
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@master

@@ -33,7 +33,7 @@ jobs:
    name: Rust code formatting
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -56,7 +56,7 @@ jobs:
  cargo-bench:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -77,14 +77,14 @@ jobs:
    steps:
      - name: Install mandoc
        run: sudo apt-get install -y mandoc
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - name: Check rp.1
        run: doc/check.sh doc/rp.1

  cargo-audit:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -92,7 +92,7 @@ jobs:
  cargo-clippy:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -111,7 +111,7 @@ jobs:
  cargo-doc:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -130,7 +130,7 @@ jobs:
  cargo-test:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -149,7 +149,7 @@ jobs:
    runs-on:
      - ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -171,7 +171,7 @@ jobs:
  cargo-fuzz:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -206,7 +206,7 @@ jobs:
    env:
      RUSTUP_TOOLCHAIN: nightly
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
--- a/.github/workflows/regressions.yml
+++ b/.github/workflows/regressions.yml
@@ -16,7 +16,7 @@ jobs:
  multi-peer:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - run: cargo build --bin rosenpass --release
      - run: python misc/generate_configs.py
      - run: chmod +x .ci/run-regression.sh
@@ -27,7 +27,7 @@ jobs:
  boot-race:
    runs-on: ubicloud-standard-2-ubuntu-2204
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - run: cargo build --bin rosenpass --release
      - run: chmod +x .ci/boot_race/run.sh
      - run: cargo run --release --bin rosenpass gen-keys .ci/boot_race/a.toml
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,7 +11,7 @@ jobs:
    runs-on:
      - ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
      - uses: cachix/cachix-action@v15
        with:
@@ -30,7 +30,7 @@ jobs:
    runs-on:
      - macos-13
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
      - uses: cachix/cachix-action@v15
        with:
@@ -49,7 +49,7 @@ jobs:
    runs-on:
      - ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
        with:
          nix_path: nixpkgs=channel:nixos-unstable
@@ -69,7 +69,7 @@ jobs:
    name: Build and upload DEB and RPM packages
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: cachix/install-nix-action@v30
      - uses: cachix/cachix-action@v15
        with:
--- a/.github/workflows/supply-chain.yml
+++ b/.github/workflows/supply-chain.yml
@@ -13,13 +13,13 @@ jobs:
    name: Deny dependencies with vulnerabilities or incompatible licenses
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: EmbarkStudios/cargo-deny-action@v2
  cargo-supply-chain:
    name: Supply Chain Report
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
      - uses: actions/cache@v4
        with:
          path: |
@@ -28,10 +28,10 @@ jobs:
            ~/.cargo/registry/cache/
            ~/.cache/cargo-supply-chain/
          key: cargo-supply-chain-cache
-      - name: Install stable toolchain # Cargo-supply-chain is incompatible with older versions
+      - name: Install nightly toolchain
        run: |
-          rustup toolchain install stable
-          rustup default stable
+          rustup toolchain install nightly
+          rustup override set nightly
      - uses: actions/cache@v4
        with:
          path: ${{ runner.tool_cache }}/cargo-supply-chain
@@ -39,7 +39,7 @@ jobs:
      - name: Add the tool cache directory to the search path
        run: echo "${{ runner.tool_cache }}/cargo-supply-chain/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-supply-chain binary
-        run: cargo +stable install --root ${{ runner.tool_cache }}/cargo-supply-chain cargo-supply-chain
+        run: cargo install --root ${{ runner.tool_cache }}/cargo-supply-chain cargo-supply-chain
      - name: Update data for cargo-supply-chain
        run: cargo supply-chain update
      - name: Generate cargo-supply-chain report about publishers
@@ -53,7 +53,9 @@ jobs:
    permissions:
      contents: write
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/cache@v4
        with:
          path: |
@@ -61,10 +63,10 @@ jobs:
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
          key: cargo-vet-cache
-      - name: Install stable toolchain # Since we are running/compiling cargo-vet, we should rely on the stable toolchain.
+      - name: Install nightly toolchain
        run: |
-          rustup toolchain install stable
-          rustup default stable
+          rustup toolchain install nightly
+          rustup override set nightly
      - uses: actions/cache@v4
        with:
          path: ${{ runner.tool_cache }}/cargo-vet
@@ -72,24 +74,104 @@ jobs:
      - name: Add the tool cache directory to the search path
        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
      - name: Ensure that the tool cache is populated with the cargo-vet binary
-        run: cargo +stable install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
-      - name: Regenerate vet exemptions for dependabot PRs
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: cargo vet regenerate exemptions
-      - name: Check for changes in case of dependabot PR
-        if: github.actor == 'dependabot[bot]' # Run only for Dependabot PRs
-        run: git diff --exit-code || echo "Changes detected, committing..."
-      - name: Commit and push changes for dependabot PRs
-        if: success() && github.actor == 'dependabot[bot]'
+        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet cargo-vet
+      - name: Check which event triggered this CI run, a push or a pull request.
        run: |
-          git fetch origin ${{ github.head_ref }}
-          git switch ${{ github.head_ref }}
-          git config --global user.name "github-actions[bot]"
-          git config --global user.email "github-actions@github.com"
-          git add supply-chain/*
-          git commit -m "Regenerate cargo vet exemptions"
-          git push origin ${{ github.head_ref }}
+          EVENT_NAME="${{ github.event_name }}"
+          IS_PR="false"
+          IS_PUSH="false"
+          if [[ "$EVENT_NAME" == "pull_request" ]]; then
+            echo "This CI run was triggered in the context of a pull request."
+            IS_PR="true"
+          elif [[ "$EVENT_NAME" == "push" ]]; then
+            echo "This CI run was triggered in the context of a push."
+            IS_PUSH="true"
+          else
+            echo "ERROR: This CI run was not triggered in the context of a pull request or a push. Exiting with error."
+            exit 1
+          fi
+          echo "IS_PR=$IS_PR" >> $GITHUB_ENV
+          echo "IS_PUSH=$IS_PUSH" >> $GITHUB_ENV
+        shell: bash
+      - name: Check if last commit was by Dependabot
+        run: |
+          # Depending on the trigger for, the relevant commit has to be deduced differently.
+          if [[ "$IS_PR" == true ]]; then
+            # This is the commit ID for the last commit to the head branch of the pull request.
+            # If we used github.sha here instead, it would point to a merge commit between the PR and the main branch, which is only created for the CI run.
+            SHA="${{ github.event.pull_request.head.sha }}"
+            REF="${{ github.head_ref }}"
+          elif [[ "$IS_PUSH" == "true" ]]; then
+            SHA="${{ github.sha }}" # This is the last commit to the branch.
+            REF=${GITHUB_REF#refs/heads/}
+          else
+            echo "ERROR: This action only supports pull requests and push events as triggers. Exiting with error."
+            exit 1
+          fi
+          echo "Commit SHA is $SHA"
+          echo "Branch is $REF"
+          echo "REF=$REF" >> $GITHUB_ENV
+
+          COMMIT_AUTHOR=$(gh api repos/${{ github.repository }}/commits/$SHA --jq .author.login) # .author.login might be null, but for dependabot it will always be there and cannot be spoofed in contrast to .commit.author.name
+          echo "The author of the last commit is $COMMIT_AUTHOR"
+          if [[ "$COMMIT_AUTHOR" == "dependabot[bot]" ]]; then
+            echo "The last commit was made by dependabot"
+            LAST_COMMIT_IS_BY_DEPENDABOT=true
+          else
+            echo "The last commit was made by $COMMIT_AUTHOR not by dependabot"
+            LAST_COMMIT_IS_BY_DEPENDABOT=false
+          fi
+          echo "LAST_COMMIT_IS_BY_DEPENDABOT=$LAST_COMMIT_IS_BY_DEPENDABOT" >> $GITHUB_ENV
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+      - name: Check if the last commit's message ends in "--regenerate-exemptions"
+        run: |
+          # Get commit message
+          COMMIT_MESSAGE=$(git log -1 --pretty=format:"%s")
+          if [[ "$COMMIT_MESSAGE" == *"--regenerate-exemptions" ]]; then
+            echo "The last commit message ends in --regenerate-exemptions"
+            REGEN_EXEMP=true
+          else
+            echo "The last commit message does not end in --regenerate-exemptions"
+            REGEN_EXEMP=false
+          fi
+          echo "REGEN_EXEMP=$REGEN_EXEMP" >> $GITHUB_ENV
+        shell: bash
+      - name: Check if the CI run happens in the context of a dependabot PR # Even if a PR is created by dependabot, the last commit can, and often should be, the regeneration of the cargo vet exemptions. It could also be from an individual making manual changes.
+        run: |
+          IN_DEPENDABOT_PR_CONTEXT="false"
+          if [[ $IS_PR == "true" && "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+            IN_DEPENDABOT_PR_CONTEXT="true"
+            echo "This CI run is in the context of PR by dependabot."
+          else
+            echo "This CI run is NOT in the context of PR by dependabot."
+            IN_DEPENDABOT_PR_CONTEXT="false"
+          fi
+          echo "IN_DEPENDABOT_PR_CONTEXT=$IN_DEPENDABOT_PR_CONTEXT" >> $GITHUB_ENV
+        shell: bash
+      - uses: actions/checkout@v5
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true'
+        with:
+          token: ${{ secrets.CI_BOT_PAT }}
+      - name: In case of a dependabot PR, ensure that we are not in a detached HEAD state
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true'
+        run: |
+          git fetch origin $REF # ensure that we are up to date.
+          git switch $REF # ensure that we are NOT in a detached HEAD state. This is important for the commit action in the end
+        shell: bash
+      - name: Regenerate cargo vet exemptions if we are in the context of a PR created by dependabot and the last commit is by dependabot or a regeneration of cargo vet exemptions was explicitly requested.
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true' && (env.LAST_COMMIT_IS_BY_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true') # Run only for Dependabot PRs or if specifically requested
+        run: cargo vet regenerate exemptions
+      - name: Commit and push changes if we are in the context of a PR created by dependabot and the last commit is by dependabot or a regeneration of cargo vet exemptions was explicitly requested.
+        if: env.IN_DEPENDABOT_PR_CONTEXT == 'true' && (env.LAST_COMMIT_IS_BY_DEPENDABOT == 'true' || env.REGEN_EXEMP=='true')
+        uses: stefanzweifel/git-auto-commit-action@v7
+        with:
+          commit_message: Regenerate cargo vet exemptions
+          commit_user_name: rosenpass-ci-bot[bot]
+          commit_user_email: noreply@rosenpass.eu
+          commit_author: Rosenpass CI Bot <noreply@rosenpass.eu>
+        env:
+          GITHUB_TOKEN: ${{ secrets.CI_BOT_PAT }}
      - name: Invoke cargo-vet
        run: cargo vet --locked
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -110,9 +110,9 @@ dependencies = [

 [[package]]
 name = "anyhow"
-version = "1.0.96"
+version = "1.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4"
+checksum = "e16d2d3311acee920a9eb8d33b8cbc1787ce4a264e85f964c2404b969bdcd487"
 dependencies = [
 "backtrace",
 ]
@@ -126,6 +126,34 @@ dependencies = [
 "derive_arbitrary",
 ]

+[[package]]
+name = "assert_tv"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4aa42a8e0531efffd0fe96c6feef83221dc673c34b4ba2c2c9cbcd499511acba"
+dependencies = [
+ "anyhow",
+ "assert_tv_macros",
+ "base64",
+ "log",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "toml",
+ "zstd",
+]
+
+[[package]]
+name = "assert_tv_macros"
+version = "0.6.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c7b50043d3ecb7bc6e5e60dc6704757b7f9a9903d2c5ca13f8d62d494c68333"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.98",
+]
+
 [[package]]
 name = "atomic-polyfill"
 version = "1.0.3"
@@ -157,6 +185,12 @@ dependencies = [
 "windows-targets 0.52.6",
 ]

+[[package]]
+name = "base64"
+version = "0.22.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
+
 [[package]]
 name = "base64ct"
 version = "1.6.0"
@@ -408,9 +442,9 @@ checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6"

 [[package]]
 name = "clap_mangen"
-version = "0.2.24"
+version = "0.2.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fbae9cbfdc5d4fa8711c09bd7b83f644cb48281ac35bf97af3e47b0675864bdf"
+checksum = "27b4c3c54b30f0d9adcb47f25f61fcce35c4dd8916638c6b82fbd5f4fb4179e2"
 dependencies = [
 "clap",
 "roff",
@@ -1153,6 +1187,17 @@ dependencies = [
 "generic-array",
 ]

+[[package]]
+name = "io-uring"
+version = "0.7.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d93587f37623a1a17d94ef2bc9ada592f5465fe7732084ab7beefabe5c77c0c4"
+dependencies = [
+ "bitflags 2.8.0",
+ "cfg-if",
+ "libc",
+]
+
 [[package]]
 name = "ipc-channel"
 version = "0.18.3"
@@ -1246,9 +1291,9 @@ checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"

 [[package]]
 name = "libc"
-version = "0.2.169"
+version = "0.2.174"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"

 [[package]]
 name = "libcrux"
@@ -1383,9 +1428,9 @@ dependencies = [

 [[package]]
 name = "libfuzzer-sys"
-version = "0.4.9"
+version = "0.4.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf78f52d400cf2d84a3a973a78a592b4adc535739e0a5597a0da6f0c357adc75"
+checksum = "5037190e1f70cbeef565bd267599242926f724d3b8a9f510fd7e0b540cfa4404"
 dependencies = [
 "arbitrary",
 "cc",
@@ -1429,9 +1474,9 @@ dependencies = [

 [[package]]
 name = "log"
-version = "0.4.26"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "30bde2b3dc3671ae49d8e2e9f044c7c005836e7a023ee57cffa25ab82764bb9e"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"

 [[package]]
 name = "memchr"
@@ -2030,6 +2075,8 @@ name = "rosenpass"
 version = "0.3.0-dev"
 dependencies = [
 "anyhow",
+ "assert_tv",
+ "base64",
 "clap",
 "clap_complete",
 "clap_mangen",
@@ -2057,8 +2104,10 @@ dependencies = [
 "rosenpass-wireguard-broker",
 "rustix",
 "serde",
+ "serde_json",
 "serial_test",
 "signal-hook",
+ "signal-hook-mio",
 "stacker",
 "static_assertions",
 "tempfile",
@@ -2141,6 +2190,38 @@ dependencies = [
 "rosenpass-util",
 ]

+[[package]]
+name = "rosenpass-rp"
+version = "0.2.1"
+dependencies = [
+ "anyhow",
+ "base64ct",
+ "ctrlc-async",
+ "env_logger",
+ "futures",
+ "futures-util",
+ "genetlink",
+ "libc",
+ "log",
+ "netlink-packet-core",
+ "netlink-packet-generic",
+ "netlink-packet-wireguard",
+ "rosenpass",
+ "rosenpass-cipher-traits",
+ "rosenpass-ciphers",
+ "rosenpass-secret-memory",
+ "rosenpass-util",
+ "rosenpass-wireguard-broker",
+ "rtnetlink",
+ "serde",
+ "stacker",
+ "tempfile",
+ "tokio",
+ "toml",
+ "x25519-dalek",
+ "zeroize",
+]
+
 [[package]]
 name = "rosenpass-secret-memory"
 version = "0.1.0"
@@ -2148,6 +2229,8 @@ dependencies = [
 "allocator-api2",
 "allocator-api2-tests",
 "anyhow",
+ "assert_tv",
+ "base64",
 "base64ct",
 "log",
 "memsec",
@@ -2155,6 +2238,8 @@ dependencies = [
 "rand 0.8.5",
 "rosenpass-to",
 "rosenpass-util",
+ "serde",
+ "serde_json",
 "tempfile",
 "zeroize",
 ]
@@ -2173,11 +2258,13 @@ dependencies = [
 "anyhow",
 "base64ct",
 "libcrux-test-utils",
+ "log",
 "mio",
 "rustix",
 "static_assertions",
 "tempfile",
 "thiserror 1.0.69",
+ "tokio",
 "typenum",
 "uds",
 "zerocopy 0.7.35",
@@ -2208,35 +2295,6 @@ dependencies = [
 "zerocopy 0.7.35",
 ]

-[[package]]
-name = "rp"
-version = "0.2.1"
-dependencies = [
- "anyhow",
- "base64ct",
- "ctrlc-async",
- "futures",
- "futures-util",
- "genetlink",
- "netlink-packet-core",
- "netlink-packet-generic",
- "netlink-packet-wireguard",
- "rosenpass",
- "rosenpass-cipher-traits",
- "rosenpass-ciphers",
- "rosenpass-secret-memory",
- "rosenpass-util",
- "rosenpass-wireguard-broker",
- "rtnetlink",
- "serde",
- "stacker",
- "tempfile",
- "tokio",
- "toml",
- "x25519-dalek",
- "zeroize",
-]
-
 [[package]]
 name = "rtnetlink"
 version = "0.14.1"
@@ -2359,9 +2417,9 @@ dependencies = [

 [[package]]
 name = "serde_json"
-version = "1.0.139"
+version = "1.0.140"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6"
+checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
 dependencies = [
 "itoa",
 "memchr",
@@ -2378,6 +2436,19 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "serde_yaml"
+version = "0.9.34+deprecated"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
+dependencies = [
+ "indexmap",
+ "itoa",
+ "ryu",
+ "serde",
+ "unsafe-libyaml",
+]
+
 [[package]]
 name = "serial_test"
 version = "3.2.0"
@@ -2421,14 +2492,25 @@ checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"

 [[package]]
 name = "signal-hook"
-version = "0.3.17"
+version = "0.3.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8621587d4798caf8eb44879d42e56b9a93ea5dcd315a6487c357130095b62801"
+checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2"
 dependencies = [
 "libc",
 "signal-hook-registry",
 ]

+[[package]]
+name = "signal-hook-mio"
+version = "0.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "34db1a06d485c9142248b7a054f034b349b212551f3dfd19c94d45a754a217cd"
+dependencies = [
+ "libc",
+ "mio",
+ "signal-hook",
+]
+
 [[package]]
 name = "signal-hook-registry"
 version = "1.4.2"
@@ -2461,12 +2543,12 @@ checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd"

 [[package]]
 name = "socket2"
-version = "0.5.8"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+checksum = "233504af464074f9d066d7b5416c5f9b894a5862a6506e306f7b816cdd6f1807"
 dependencies = [
 "libc",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -2486,9 +2568,9 @@ checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"

 [[package]]
 name = "stacker"
-version = "0.1.19"
+version = "0.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9156ebd5870ef293bfb43f91c7a74528d363ec0d424afe24160ed5a4343d08a"
+checksum = "cddb07e32ddb770749da91081d8d0ac3a16f1a569a18b20348cd371f5dead06b"
 dependencies = [
 "cc",
 "cfg-if",
@@ -2630,20 +2712,22 @@ dependencies = [

 [[package]]
 name = "tokio"
-version = "1.44.2"
+version = "1.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6b88822cbe49de4185e3a4cbf8321dd487cf5fe0c5c65695fef6346371e9c48"
+checksum = "43864ed400b6043a4757a25c7a64a8efde741aed79a056a2fb348a406701bb35"
 dependencies = [
 "backtrace",
 "bytes",
+ "io-uring",
 "libc",
 "mio",
 "parking_lot",
 "pin-project-lite",
 "signal-hook-registry",
+ "slab",
 "socket2",
 "tokio-macros",
- "windows-sys 0.52.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -2722,6 +2806,12 @@ dependencies = [
 "subtle",
 ]

+[[package]]
+name = "unsafe-libyaml"
+version = "0.2.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "673aac59facbab8a9007c7f6108d11f63b603f7cabff99fabf650fea5c32b861"
+
 [[package]]
 name = "utf8parse"
 version = "0.2.2"
@@ -3261,3 +3351,31 @@ dependencies = [
 "quote",
 "syn 2.0.98",
 ]
+
+[[package]]
+name = "zstd"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
+dependencies = [
+ "zstd-safe",
+]
+
+[[package]]
+name = "zstd-safe"
+version = "7.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
+dependencies = [
+ "zstd-sys",
+]
+
+[[package]]
+name = "zstd-sys"
+version = "2.0.15+zstd.1.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
+dependencies = [
+ "cc",
+ "pkg-config",
+]
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -46,14 +46,16 @@ memsec = { git = "https://github.com/rosenpass/memsec.git", rev = "aceb9baee8aec
 ] }
 rand = "0.8.5"
 typenum = "1.17.0"
-log = { version = "0.4.22" }
+log = { version = "0.4.27" }
 clap = { version = "4.5.23", features = ["derive"] }
-clap_mangen = "0.2.24"
+clap_mangen = "0.2.29"
 clap_complete = "4.5.40"
 serde = { version = "1.0.217", features = ["derive"] }
 arbitrary = { version = "1.4.1", features = ["derive"] }
-anyhow = { version = "1.0.95", features = ["backtrace", "std"] }
+anyhow = { version = "1.0.98", features = ["backtrace", "std"] }
 mio = { version = "1.0.3", features = ["net", "os-poll"] }
+signal-hook-mio = { version = "0.2.4", features = ["support-v1_0"] }
+signal-hook = "0.3.17"
 oqs-sys = { version = "0.9.1", default-features = false, features = [
  'classic_mceliece',
  'kyber',
@@ -67,7 +69,7 @@ chacha20poly1305 = { version = "0.10.1", default-features = false, features = [
 zerocopy = { version = "0.7.35", features = ["derive"] }
 home = "=0.5.9" # 5.11 requires rustc 1.81
 derive_builder = "0.20.1"
-tokio = { version = "1.42", features = ["macros", "rt-multi-thread"] }
+tokio = { version = "1.46", features = ["macros", "rt-multi-thread"] }
 postcard = { version = "1.1.1", features = ["alloc"] }
 libcrux = { version = "0.0.2-pre.2" }
 libcrux-chacha20poly1305 = { version = "0.0.2-beta.3" }
@@ -79,18 +81,20 @@ hex = { version = "0.4.3" }
 heck = { version = "0.5.0" }
 libc = { version = "0.2" }
 uds = { git = "https://github.com/rosenpass/uds" }
-signal-hook = "0.3.17"
 lazy_static = "1.5"

 #Dev dependencies
+assert_tv = { version = "0.6.4" }
+base64 = { version = "0.22.1" }
 serial_test = "3.2.0"
 tempfile = "3"
-stacker = "0.1.17"
+stacker = "0.1.21"
 libfuzzer-sys = "0.4"
 test_bin = "0.4.0"
 criterion = "0.5.1"
 allocator-api2-tests = "0.2.15"
 procspawn = { version = "1.0.1", features = ["test-support"] }
+serde_json = { version = "1.0.140" }

 #Broker dependencies (might need cleanup or changes)
 wireguard-uapi = { version = "3.0.0", features = ["xplatform"] }
--- a/analysis/03_identity_hiding_initiator.entry.mpv
+++ b/analysis/03_identity_hiding_initiator.entry.mpv
@@ -1,25 +0,0 @@
-#define INITIATOR_TEST 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-// nounif a:Atom, s:seed, a2:Atom;
-// 	ConsumeSeed(a, s, a2) / 6300[conclusion].
-
-nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-nounif Spk:kem_sk_tmpl;
-  attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-  attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-  attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].
--- a/analysis/03_identity_hiding_responder.entry.mpv
+++ b/analysis/03_identity_hiding_responder.entry.mpv
@@ -1,96 +0,0 @@
-#define RESPONDER_TEST 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-// select k:kem_pk,ih: InitHello_t;         attacker(prf(prf(prf(prf(key0, PROTOCOL), MAC), kem_pk2b(k) ), IH2b(ih))) phase 1/6300[hypothesis].
-
-// select epki:kem_pk, sctr:bits, pidiC:bits, auth:bits, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits;
-// 	mess(D, prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder1)))),
-// 			IH2b(InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth)))
-// 		) [hypothesis, conclusion].
-
-// select epki:kem_pk, sctr:bits, pidiC:bits, auth:bits, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits;
-// attacker(choice[prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder1)))),
-// 		IH2b(InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth))),
-
-// 		prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pk2b(kem_pub(trusted_kem_sk(responder2)))),
-// 				IH2b(InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2)))]
-// 	) [hypothesis, conclusion].
-
-// select 
-// attacker(prf(prf(key0,PROTOCOL),MAC)) [hypothesis, conclusion].
-
-// select 
-// attacker(prf(key0,PROTOCOL)) [conclusion].
-
-// select  
-// attacker(key0) [conclusion].
-
-// select  
-// attacker(PROTOCOL) [conclusion].
-
-// select 
-// attacker(kem_pub(trusted_kem_sk(responder1))) /9999 [hypothesis, conclusion].
-
-// select 
-// attacker(kem_pub(trusted_kem_sk(responder2))) /9999 [hypothesis, conclusion].
-
-// nounif ih:InitHello_t;
-// 	attacker(ih) / 9999 [hypothesis].
-
-// nounif rh:RespHello_t;
-// 	attacker(rh) / 9999 [hypothesis].
-
-// nounif ic:InitConf_t;
-// 	attacker(ic) / 9999 [hypothesis].
-
-// nounif k:key;
-// attacker(ck_hs_enc( *k )) [hypothesis, conclusion].
-
-// nounif k:key;
-// attacker(ck_hs_enc( *k )) phase 1   [hypothesis, conclusion].
-
-// nounif k:key, b:bits;
-// attacker(ck_mix( *k , *b ))   [hypothesis, conclusion].
-
-// nounif k:key, b:bits;
-// attacker(ck_mix( *k , *b ))phase 1   [hypothesis, conclusion].
-
-// // select k:kem_pk, epki2:kem_pk, sctr2:bits, pidiC2:bits, auth2:bits, epki:kem_pk, sctr:bits, pidiC:bits, auth:bits;
-// // attacker(choice[Envelope(prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pub(trusted_kem_sk(responder1))),
-// // 	InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2)
-// // 	), InitHello(secure_sidi, *epki2, *sctr2, *pidiC2, *auth2))
-// // 	Envelope(prf(prf(prf(prf(key0,PROTOCOL),MAC),kem_pub(trusted_kem_sk(responder2))),
-// // 		InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth)),
-// // 		InitHello(secure_sidi, *epki, *sctr, *pidiC, *auth))
-// // 	]) / 9999[hypothesis, conclusion].
-
-// nounif k:key, b1:bits, b2:bits;
-// 	attacker(xaead_enc( *k, *b1, *b2)) / 9999[hypothesis,conclusion].
-
-// nounif pk:kem_pk, k:key; 
-// 	attacker(kem_enc( *pk , *k )) / 9999[hypothesis,conclusion].
-
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/9999[hypothesis, conclusion].
-// nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-//   attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/9999[hypothesis, conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr )) /9999 [hypothesis, conclusion].
-
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   mess(C, Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/9999[hypothesis, conclusion].
-// nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-//   mess(C, Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/9999[hypothesis, conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   mess(C, Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr )) /9999 [hypothesis, conclusion].
-// nounif rh:RespHello_t;
-//   attacker(Cresp_hello( *rh ))[conclusion].
-// nounif v:seed_prec;   attacker(prepare_seed(trusted_seed( v )))/6217[hypothesis].
-// nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-// nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-// nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-// nounif v:key_prec;    attacker(prepare_key(trusted_key( v )))/6213[hypothesis].
-// nounif v:kem_sk_prec; attacker(prepare_kem_sk(trusted_kem_sk( v )))/6212[hypothesis].
-// nounif v:key;         attacker(prepare_key( v ))/6211[hypothesis].
-// nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
--- a/analysis/03_identity_hiding_test.entry.mpv
+++ b/analysis/03_identity_hiding_test.entry.mpv
@@ -1,29 +0,0 @@
-#define INITIATOR_TEST 1
-#define CUSTOM_MAIN 1
-
-#include "rosenpass/03_identity_hiding.mpv"
-
-let Oinitiator_bad_actor_inner(sk_tmp:kem_sk_prec) =
-
-  in(C, Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr));
-
-  #if RANDOMIZED_CALL_IDS
-    new call:Atom;
-  #else
-    call <- Cinitiator(sidi, Ssskm, Spsk, Sspkt, Seski, Ssptr);
-  #endif
-
-  in(C, last_cookie:key);
-  tmpl <- make_trusted_kem_sk(sk_tmp);
-  out(C, setup_kem_sk(tmpl));
-  Oinitiator_inner(sidi, Ssskm, Spsk, tmpl, Seski, Ssptr, last_cookie, C, call).
-
-let Oinitiator_bad_actor() =
-  Oinitiator_bad_actor_inner(responder1) | Oinitiator_bad_actor_inner(responder2) | Oinitiator_bad_actor_inner(initiator1) | Oinitiator_bad_actor_inner(initiator2).
-
-
-let identity_hiding_main2() = 
-  0 | Oinitiator_bad_actor() | rosenpass_main2() | participants_communication() | phase 1; secretCommunication().
-
-
-let main = identity_hiding_main2.
--- a/analysis/04_dos_protection.entry.mpv
+++ b/analysis/04_dos_protection.entry.mpv
@@ -1,136 +0,0 @@
-#define CHAINING_KEY_EVENTS 1
-#define MESSAGE_TRANSMISSION_EVENTS 0
-#define SESSION_START_EVENTS 0
-#define RANDOMIZED_CALL_IDS 0
-#define COOKIE_EVENTS 1
-#define KEM_EVENTS 1
-
-#include "config.mpv"
-#include "prelude/basic.mpv"
-#include "crypto/key.mpv"
-#include "crypto/kem.mpv"
-#include "rosenpass/handshake_state.mpv"
-
-/* The cookie data structure is implemented based on the WireGuard protocol.
- * The ip and port is based purely on the public key and the implementation of the private cookie key is intended to mirror the biscuit key.
- * The code tests the response to a possible DOS attack by setting up alternative branches for the protocol
- * processes: Oinit_conf, Oinit_hello and resp_hello to simulate what happens when the responder or initiator is overloaded.
- * When under heavy load a valid cookie is required. When such a cookie is not present a cookie message is sent as a response.
- * Queries then test to make sure that expensive KEM operations are only conducted after a cookie has been successfully validated.
- */
-
-type CookieMsg_t.
-fun CookieMsg(
-  SessionId,  // sender
-  bits,     // nonce
-  bits      // cookie
-) : CookieMsg_t [data].
-
-#define COOKIE_EVENTS(eventLbl) \
-  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (SessionId, SessionId, Atom).)   \
-  COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (SessionId, SessionId, Atom).)   \
-  COOKIE_EV(event MCAT(eventLbl, _CookieSent) (SessionId, SessionId, Atom, CookieMsg_t).)
-
-fun cookie_key(kem_sk) : key [private].
-fun ip_and_port(kem_pk):bits.
-letfun create_mac2_key(sskm:kem_sk, spkt:kem_pk) = prf(cookie_key(sskm), ip_and_port(spkt)).
-letfun create_cookie(sskm:kem_sk, spkm:kem_pk, spkt:kem_pk, nonce:bits, msg:bits) = xaead_enc(lprf2(COOKIE, kem_pk2b(spkm), nonce),
-    k2b(create_mac2_key(sskm, spkm)), msg).
-
-#define COOKIE_PROCESS(eventLbl, innerFunc) \
-  new nonce:bits; \
-  in(C, Ccookie(mac1, mac2)); \
-  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (sidi, sidr, call);)  \
-  msgB <- Envelope(mac1, msg); \
-  mac2_key <- create_mac2_key(sskm, spkt); \
-  if k2b(create_mac2(mac2_key, msgB)) = mac2 then  \
-    COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (sidi, sidr, call);)  \
-    innerFunc \
-  else \
-    cookie <- create_cookie(sskm, spkm, spkt, nonce, msg); \
-    cookie_msg <- CookieMsg(sidi, nonce, cookie); \
-    COOKIE_EV(event MCAT(eventLbl, _CookieSent) (sidi, sidr, call, cookie_msg);)  \
-    out(C, cookie_msg). \
-
-#include "rosenpass/oracles.mpv"
-
-#include "rosenpass/responder.macro"
-COOKIE_EVENTS(Oinit_conf)
-let Oinit_conf_underLoad() =
-  in(C, Cinit_conf(Ssskm, Spsk, Sspkt, ic));
-  in(C, last_cookie:bits);
-
-  msg <- IC2b(ic);
-  let InitConf(sidi, sidr, biscuit, auth) = ic in 
-
-  new call:Atom;
-
-  SETUP_HANDSHAKE_STATE()
-
-  COOKIE_PROCESS(Oinit_conf, Oinit_conf_inner(Ssskm, Spsk, Sspkt, ic, call))
-
-#include "rosenpass/responder.macro"
-COOKIE_EVENTS(Oinit_hello)
-let Oinit_hello_underLoad() =
-
-  in(C, Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih));
-  in(C, Oinit_hello_last_cookie:key);
-  new call:Atom;
-
-  msg <- IH2b(ih);
-  let InitHello(sidi, epki, sctr, pidic, auth) = ih in
-  SETUP_HANDSHAKE_STATE()
-
-  COOKIE_PROCESS(Oinit_hello, Oinit_hello_inner(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih, Oinit_hello_last_cookie, C, call))
-
-let rosenpass_dos_main() = 0
-  | !Oreveal_kem_pk
-  | REP(INITIATOR_BOUND, Oinitiator)
-  | REP(RESPONDER_BOUND, Oinit_hello)
-  | REP(RESPONDER_BOUND, Oinit_conf)
-  | REP(RESPONDER_BOUND, Oinit_hello_underLoad)
-  | REP(RESPONDER_BOUND, Oinit_conf_underLoad).
-
-let main = rosenpass_dos_main.
-
-select cookie:CookieMsg_t;         attacker(cookie)/6220[hypothesis].
-nounif v:key;         attacker(prepare_key( v ))/6217[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(prepare_seed( v ))/6216[hypothesis].
-nounif v:seed;        attacker(rng_kem_sk( v ))/6215[hypothesis].
-nounif v:seed;        attacker(rng_key( v ))/6214[hypothesis].
-nounif v:kem_sk;      attacker(prepare_kem_sk( v ))/6210[hypothesis].
-
-// nounif Spk:kem_sk_tmpl;
-//   attacker(Creveal_kem_pk(Spk))/6110[conclusion].
-// nounif sid:SessionId, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Seski:seed_tmpl, Ssptr:seed_tmpl;
-//   attacker(Cinitiator( *sid, *Ssskm, *Spsk, *Sspkt, *Seski, *Ssptr ))/6109[conclusion].
-// nounif sid:SessionId, biscuit_no:Atom, Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, Septi:seed_tmpl, Sspti:seed_tmpl, ih:InitHello_t;
-//   attacker(Cinit_hello( *sid, *biscuit_no, *Ssskm, *Spsk, *Sspkt, *Septi, *Sspti, *ih ))/6108[conclusion].
-nounif rh:RespHello_t;
-  attacker(Cresp_hello( *rh ))/6107[conclusion].
-nounif Ssskm:kem_sk_tmpl, Spsk:key_tmpl, Sspkt:kem_sk_tmpl, ic:InitConf_t;
-  attacker(Cinit_conf( *Ssskm, *Spsk, *Sspkt, *ic ))/6106[conclusion].
-
-@reachable "DOS protection: cookie sent"
-query sidi:SessionId, sidr:SessionId, call:Atom, cookieMsg:CookieMsg_t;
-  event (Oinit_hello_CookieSent(sidi, sidr, call, cookieMsg)).
-
-@lemma "DOS protection: Oinit_hello kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oinit_hello_UnderLoadEV(sidi, sidr, call))
-  && event(Oinit_hello_KemUse(sidi, sidr, call))
-  ==> event(Oinit_hello_CookieValidated(sidi, sidr, call)).
-
-@lemma "DOS protection: Oinit_conf kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oinit_conf_UnderLoadEV(sidi, sidr, call))
-  && event(Oinit_conf_KemUse(sidi, sidr, call))
-  ==> event(Oinit_conf_CookieValidated(sidi, sidr, call)).
-
-@lemma "DOS protection: Oresp_hello kem use when under load implies validated cookie"
-lemma sidi:SessionId, sidr:SessionId, call:Atom;
-event(Oresp_hello_UnderLoadEV(sidi, sidr, call))
-  && event(Oresp_hello_KemUse(sidi, sidr, call))
-  ==> event(Oresp_hello_CookieValidated(sidi, sidr, call)).
-
--- a/analysis/rosenpass/03_identity_hiding.mpv
+++ b/analysis/rosenpass/03_identity_hiding.mpv
@@ -58,7 +58,7 @@ let secure_init_hello(initiator: kem_sk_tmpl, sidi : SessionId, psk: key_tmpl, r

  new epkit:kem_pk;    // epki
  new sctrt:bits;      // sctr 
-  new pidiCt:bits;      // pidiC
+  new pidi_ct:bits;      // pidi_ct
  new autht:bits;       // auth

  NEW_TRUSTED_SEED(seski_trusted_seed)
@@ -70,9 +70,9 @@ let secure_init_hello(initiator: kem_sk_tmpl, sidi : SessionId, psk: key_tmpl, r

 let secure_resp_hello(initiator: kem_sk_tmpl, responder: kem_sk_tmpl, sidi:SessionId, sidr:SessionId, biscuit_no:Atom, psk:key_tmpl) =

-  in(D, InitHello(=secure_sidi, epki, sctr, pidiC, auth));
+  in(D, InitHello(=secure_sidi, epki, sctr, pidi_ct, auth));

-  ih <- InitHello(sidi, epki, sctr, pidiC, auth);
+  ih <- InitHello(sidi, epki, sctr, pidi_ct, auth);
  NEW_TRUSTED_SEED(septi_trusted_seed)
  NEW_TRUSTED_SEED(sspti_trusted_seed)
  new last_cookie:key;
--- a/analysis/rosenpass/cookie.mpv
+++ b/analysis/rosenpass/cookie.mpv
@@ -19,7 +19,7 @@ fun CookieMsg(
  COOKIE_EV(event MCAT(eventLbl, _UnderLoadEV) (spkm, spkt, last_cookie);)	\
  msgB <- Envelope(mac1, RH2b(rh));	\
  mac2_key <- create_mac2_key(sskm, spkt)	\
-  let RespHello(sidi, sidr, ecti, scti, biscuit, auth) = rh in \
+  let RespHello(sidi, sidr, ecti, scti, biscuit_ct, auth) = rh in \
  if Envelope(mac2_key, msgB) = mac2 then	\
    COOKIE_EV(event MCAT(eventLbl, _CookieValidated) (spkm, last_cookie);)	\
    innerFunc	\
--- a/analysis/rosenpass/handshake_state.mpv
+++ b/analysis/rosenpass/handshake_state.mpv
@@ -143,10 +143,10 @@ letfun ENCRYPT_AND_MIX(ct, pt) \
 // TODO: Migrate kems to use binary ciphertexts directly
 #define ENCAPS_AND_MIX(ct, pk, shk) \
  ct <- kem_enc(pk, shk);           \
-  MIX3(kem_pk2b(pk), ct, k2b(shk))
+  MIX3(kem_pk2b(pk), k2b(shk), ct)
 #define DECAPS_AND_MIX(sk, pk, ct) \
  DUMMY(shk) <- kem_dec(sk, ct);   \
-  MIX3(kem_pk2b(pk), ct, k2b(DUMMY(shk)))
+  MIX3(kem_pk2b(pk), k2b(DUMMY(shk)), ct)


 // biscuits
--- a/analysis/rosenpass/oracles.mpv
+++ b/analysis/rosenpass/oracles.mpv
@@ -86,8 +86,8 @@ MTX_EV( event RHRjct(RespHello_t, key, kem_sk, kem_pk). )
 MTX_EV( event ICSent(RespHello_t, InitConf_t, key, kem_sk, kem_pk). )
 SES_EV( event InitiatorSession(RespHello_t, key). )
 let Oresp_hello(HS_DECL_ARGS) =
-  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit, auth)));
-  rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
+  in(C, Cresp_hello(RespHello(sidr, =sidi, ecti, scti, biscuit_ct, auth)));
+  rh <- RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth);
  /* try */ let ic = (
    ck_ini <- ck;
    RESPHELLO_CONSUME()
@@ -124,7 +124,7 @@ let Oinit_hello() =
  call <- Cinit_hello(sidr, biscuit_no, Ssskm, Spsk, Sspkt, Septi, Sspti, ih);
 #endif
  // TODO: This is ugly
-  let InitHello(sidi, epki, sctr, pidiC, auth) = ih in
+  let InitHello(sidi, epki, sctr, pidi_ct, auth) = ih in
  SETUP_HANDSHAKE_STATE()
  eski <- kem_sk0;
  epti <- rng_key(setup_seed(Septi)); // RHR4
--- a/analysis/rosenpass/protocol.mpv
+++ b/analysis/rosenpass/protocol.mpv
@@ -7,7 +7,7 @@ fun InitHello(
  SessionId, // sidi
  kem_pk,    // epki
  bits,      // sctr 
-  bits,      // pidiC
+  bits,      // pidi_ct
  bits       // auth
 ) : InitHello_t [data].

@@ -17,16 +17,16 @@ fun InitHello(
  /* not handled here */                /* IHI3 */ \
  MIX2(sid2b(sidi), kem_pk2b(epki))     /* IHI4 */ \
  ENCAPS_AND_MIX(sctr, spkr, sptr)      /* IHI5 */ \
-  ENCRYPT_AND_MIX(pidiC, pidi)          /* IHI6 */ \
+  ENCRYPT_AND_MIX(pidi_ct, pidi)        /* IHI6 */ \
  MIX2(kem_pk2b(spki), k2b(psk))        /* IHI7 */ \
  ENCRYPT_AND_MIX(auth, empty)          /* IHI8 */ \
-  ih <- InitHello(sidi, epki, sctr, pidiC, auth);
+  ih <- InitHello(sidi, epki, sctr, pidi_ct, auth);

 #define INITHELLO_CONSUME()                       \
  ck <- lprf1(CK_INIT, kem_pk2b(spkr)); /* IHR1 */ \
  MIX2(sid2b(sidi), kem_pk2b(epki))     /* IHR4 */ \
  DECAPS_AND_MIX(sskr, spkr, sctr)      /* IHR5 */ \
-  DECRYPT_AND_MIX(pid, pidiC)           /* IHR6 */ \
+  DECRYPT_AND_MIX(pid, pidi_ct)         /* IHR6 */ \
  LOOKUP_SENDER(pid)                    /* IHR6 */ \
  MIX2(kem_pk2b(spki), k2b(psk))        /* IHR7 */ \
  DECRYPT_AND_MIX(DUMMY(empty), auth)
@@ -46,17 +46,17 @@ fun RespHello(
  MIX2(sid2b(sidr), sid2b(sidi))   /* RHR3 */ \
  ENCAPS_AND_MIX(ecti, epki, epti) /* RHR4 */ \
  ENCAPS_AND_MIX(scti, spki, spti) /* RHR5 */ \
-  STORE_BISCUIT(biscuit)           /* RHR6 */ \
+  STORE_BISCUIT(biscuit_ct)        /* RHR6 */ \
  ENCRYPT_AND_MIX(auth, empty)     /* RHR7 */ \
-  rh <- RespHello(sidr, sidi, ecti, scti, biscuit, auth);
+  rh <- RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth);

 #define RESPHELLO_CONSUME()                                    \
-  let RespHello(sidr, sidi, ecti, scti, biscuit, auth) = rh in \
+  let RespHello(sidr, sidi, ecti, scti, biscuit_ct, auth) = rh in \
  /* not handled here */               /* RHI2 */ \
  MIX2(sid2b(sidr), sid2b(sidi))       /* RHI3 */ \
  DECAPS_AND_MIX(eski, epki, ecti)     /* RHI4 */ \
  DECAPS_AND_MIX(sski, spki, scti)     /* RHI5 */ \
-  MIX(biscuit)                         /* RHI6 */ \
+  MIX(biscuit_ct)                      /* RHI6 */ \
  DECRYPT_AND_MIX(DUMMY(empty), auth)  /* RHI7 */

 type InitConf_t.
@@ -70,11 +70,11 @@ fun InitConf(
 #define INITCONF_PRODUCE()                  \
  MIX2(sid2b(sidi), sid2b(sidr)) /* ICI3 */ \
  ENCRYPT_AND_MIX(auth, empty)   /* ICI4 */ \
-  ic <- InitConf(sidi, sidr, biscuit, auth);
+  ic <- InitConf(sidi, sidr, biscuit_ct, auth);

 #define INITCONF_CONSUME()                        \
-  let InitConf(sidi, sidr, biscuit, auth) = ic in \
-  LOAD_BISCUIT(biscuit_no, biscuit)   /* ICR1 */    \
+  let InitConf(sidi, sidr, biscuit_ct, auth) = ic in \
+  LOAD_BISCUIT(biscuit_no, biscuit_ct)/* ICR1 */    \
  ENCRYPT_AND_MIX(rh_auth, empty)     /* ICIR */    \
  ck_rh <- ck;                        /* ---- */ /* TODO: Move into oracles.mpv */ \
  MIX2(sid2b(sidi), sid2b(sidr))      /* ICR3 */    \
--- a/cipher-traits/src/primitives/keyed_hash.rs
+++ b/cipher-traits/src/primitives/keyed_hash.rs
@@ -40,7 +40,7 @@ pub struct InferKeyedHash<Static, const KEY_LEN: usize, const HASH_LEN: usize>
 where
    Static: KeyedHash<KEY_LEN, HASH_LEN>,
 {
-    pub _phantom_keyed_hasher: PhantomData<*const Static>,
+    pub _phantom_keyed_hasher: PhantomData<Static>,
 }

 impl<Static, const KEY_LEN: usize, const HASH_LEN: usize> InferKeyedHash<Static, KEY_LEN, HASH_LEN>
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,9 +1,10 @@
 # syntax=docker/dockerfile:1

 ARG BASE_IMAGE=debian:bookworm-slim
+ARG CHEF_IMAGE=rust:slim-bookworm

 # Stage 1: Base image with cargo-chef installed
-FROM rust:latest AS chef
+FROM ${CHEF_IMAGE} AS chef
 RUN cargo install cargo-chef
 # install software required for liboqs-rust
 RUN apt-get update && apt-get install -y clang cmake && rm -rf /var/lib/apt/lists/*
--- a/flake.lock
+++ b/flake.lock
@@ -18,6 +18,24 @@
        "type": "github"
      }
    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
    "nix-vm-test": {
      "inputs": {
        "nixpkgs": [
@@ -38,6 +56,27 @@
        "type": "github"
      }
    },
+    "nix-vm-test_2": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1734355073,
+        "narHash": "sha256-FfdPOGy1zElTwKzjgIMp5K2D3gfPn6VWjVa4MJ9L1Tc=",
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "rev": "5948de39a616f2261dbbf4b6f25cbe1cbefd788c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "nix-vm-test",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1728193676,
@@ -59,11 +98,58 @@
        "flake-utils": "flake-utils",
        "nix-vm-test": "nix-vm-test",
        "nixpkgs": "nixpkgs",
+        "rosenpassOld": "rosenpassOld",
+        "rust-overlay": "rust-overlay_2",
+        "treefmt-nix": "treefmt-nix_2"
+      }
+    },
+    "rosenpassOld": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nix-vm-test": "nix-vm-test_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
        "rust-overlay": "rust-overlay",
        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1754748821,
+        "narHash": "sha256-mMggTZDC97lLvKNOLtDz3GBjjxXFD++e1s0RZsVH/vI=",
+        "owner": "rosenpass",
+        "repo": "rosenpass",
+        "rev": "916a9ebb7133f0b22057fb097a473217f261928a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "rosenpass",
+        "repo": "rosenpass",
+        "rev": "916a9ebb7133f0b22057fb097a473217f261928a",
+        "type": "github"
      }
    },
    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744513456,
+        "narHash": "sha256-NLVluTmK8d01Iz+WyarQhwFcXpHEwU7m5hH3YQQFJS0=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "730fd8e82799219754418483fabe1844262fd1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "rust-overlay_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
@@ -98,7 +184,43 @@
        "type": "github"
      }
    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "rosenpassOld",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743748085,
+        "narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
--- a/flake.nix
+++ b/flake.nix
@@ -13,6 +13,10 @@

    treefmt-nix.url = "github:numtide/treefmt-nix";
    treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+
+    # Older version of rosenpass, referenced here for backwards compatibility
+    rosenpassOld.url = "github:rosenpass/rosenpass?rev=916a9ebb7133f0b22057fb097a473217f261928a";
+    rosenpassOld.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
@@ -23,6 +27,7 @@
      nix-vm-test,
      rust-overlay,
      treefmt-nix,
+      rosenpassOld,
      ...
    }@inputs:
    nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [
@@ -181,9 +186,35 @@
                rustfmt
              ];
            };
+            # a devshell to hunt unsafe `unsafe` in the code
+            devShells.miri = pkgs.mkShell {
+              # inputsFrom = [ self.packages.${system}.rosenpass ];
+              nativeBuildInputs = with pkgs; [
+                ((rust-bin.selectLatestNightlyWith (toolchain: toolchain.default)).override {
+                  extensions = [
+                    "rust-analysis"
+                    "rust-src"
+                    "miri-preview"
+                  ];
+                })
+                pkgs.cmake
+                pkgs.rustPlatform.bindgenHook
+              ];
+              # Run this to find unsafe `unsafe`:
+              # MIRIFLAGS="-Zmiri-disable-isolation" cargo miri test --no-fail-fast --lib --bins --tests
+              #
+              # - Some test failure is expected.
+            };

            checks =
-              {
+              import ./tests/integration/integration-checks.nix {
+                inherit system;
+                pkgs = inputs.nixpkgs;
+                lib = nixpkgs.lib;
+                rosenpassNew = self.packages.${system}.default;
+                rosenpassOld = rosenpassOld.packages.${system}.default;
+              }
+              // {
                systemd-rosenpass = pkgs.testers.runNixOSTest ./tests/systemd/rosenpass.nix;
                systemd-rp = pkgs.testers.runNixOSTest ./tests/systemd/rp.nix;
                formatting = treefmtEval.config.build.check self;
--- a/papers/graphics/rosenpass-wp-hashing-tree-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-hashing-tree-rgb.pdf
--- a/papers/graphics/rosenpass-wp-hashing-tree-rgb.svg
+++ b/papers/graphics/rosenpass-wp-hashing-tree-rgb.svg
--- a/papers/graphics/rosenpass-wp-hashing-tree.afdesign
+++ b/papers/graphics/rosenpass-wp-hashing-tree.afdesign
--- a/papers/graphics/rosenpass-wp-hashing-tree.pdf
+++ b/papers/graphics/rosenpass-wp-hashing-tree.pdf
--- a/papers/graphics/rosenpass-wp-hashing-tree.png
+++ b/papers/graphics/rosenpass-wp-hashing-tree.png
--- a/papers/graphics/rosenpass-wp-hashing-tree.svg
+++ b/papers/graphics/rosenpass-wp-hashing-tree.svg
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.pdf
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol-rgb.svg
@@ -1,191 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 2037 1491" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
-        <rect id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
-        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51"/>
-        </clipPath>
-        <g clip-path="url(#_clip1)">
-            <g transform="matrix(0.377816,0,0,0.318513,-62.5845,3.62207)">
-                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.11885,0,0,0.472336,1334.4,22.5297)">
-                <path d="M497.076,394.18L497.076,1793.56C497.076,1793.56 -810.094,1791.78 -810.094,1793.56L-810.094,2231.73L497.076,2231.73L497.076,3888.59" style="fill:none;stroke:rgb(255,166,48);stroke-width:15.37px;"/>
-            </g>
-            <g transform="matrix(1.10326,0,0,0.239529,-152.083,336.057)">
-                <g transform="matrix(0.946041,-0,-0,4.72559,298.433,-663.352)">
-                    <path d="M1597.09,252.781L1609.59,265.281L1597.09,277.781" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M209.973,265.281L1609.59,265.281" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,90.8277)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-323.596,-1172.27)">
-                <g transform="matrix(50,0,0,50,1497.15,1475.25)">
-                </g>
-                <text x="1302.95px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1469.15px " y="1475.25px ">o</tspan></text>
-            </g>
-            <g transform="matrix(1.10157,0,0,0.239529,-151.245,1006.25)">
-                <g transform="matrix(0.947489,-0,-0,4.72559,298.129,-3461.31)">
-                    <path d="M1597.09,844.867L1609.59,857.367L1597.09,869.867" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M209.973,857.367L1609.59,857.367" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,752.344)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.19416,0,0,0.275328,1052.99,940.806)">
-                <path d="M1608.99,571.746C1608.99,563.706 1600.46,557.179 1589.95,557.179L666.712,557.179C656.199,557.179 647.664,563.706 647.664,571.746L647.664,931.068C647.664,939.108 656.199,945.635 666.712,945.635L1589.95,945.635C1600.46,945.635 1608.99,939.108 1608.99,931.068L1608.99,571.746Z" style="fill:rgb(255,211,152);stroke:white;stroke-width:19.24px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-345.04,-502.074)">
-                <g transform="matrix(50,0,0,50,1404.28,1475.25)">
-                </g>
-                <text x="1227.23px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1330.68px " y="1475.25px ">o</tspan>nf</text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-34.3588,-501.229)">
-                <g transform="matrix(41.6667,0,0,41.6667,1315.29,1464.53)">
-                </g>
-                <text x="1188.09px" y="1464.53px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:41.667px;">Biscuit</text>
-            </g>
-            <g transform="matrix(8.61155e-18,1.13192,-0.0754413,3.71795e-17,1069.8,-342.031)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(247,4,132);stroke-width:17.63px;"/>
-            </g>
-            <g transform="matrix(8.61155e-18,1.13192,-0.0754413,3.71795e-17,1069.8,-288.169)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.63px;"/>
-            </g>
-            <g transform="matrix(1.10808,0,0,1.04133,-187.35,-115.819)">
-                <path d="M497.076,394.18L497.076,1896.68" style="fill:none;stroke:rgb(247,4,132);stroke-width:12.58px;"/>
-            </g>
-            <g transform="matrix(-1.09658,0,0,0.321304,2399.88,618.547)">
-                <g transform="matrix(-0.9518,0,0,3.52288,2026.95,-1373.72)">
-                    <path d="M220.225,569.992L207.725,557.492L220.225,544.992" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M1607.34,557.492L207.725,557.492" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,421.586)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.19416,0,0,0.275328,1052.99,601.372)">
-                <path d="M1608.99,571.746C1608.99,563.706 1600.46,557.179 1589.95,557.179L666.712,557.179C656.199,557.179 647.664,563.706 647.664,571.746L647.664,931.068C647.664,939.108 656.199,945.635 666.712,945.635L1589.95,945.635C1600.46,945.635 1608.99,939.108 1608.99,931.068L1608.99,571.746Z" style="fill:rgb(255,211,152);stroke:white;stroke-width:19.24px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-345.04,-841.508)">
-                <g transform="matrix(50,0,0,50,1433.76,1475.25)">
-                </g>
-                <text x="1197.76px" y="1475.25px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1230.81px " y="1475.25px ">e</tspan>spHell<tspan x="1405.76px " y="1475.25px ">o</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-34.3588,-841.794)">
-                <g transform="matrix(41.6667,0,0,41.6667,1315.29,1464.53)">
-                </g>
-                <text x="1188.09px" y="1464.53px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:41.667px;">Biscuit</text>
-            </g>
-            <g transform="matrix(-1.10076,0,0,0.321304,2401.96,1404.06)">
-                <g transform="matrix(-0.94819,0,0,3.52288,2021.14,-3818.47)">
-                    <path d="M220.225,1263.96L207.725,1251.46L220.225,1238.96" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-linejoin:miter;stroke-miterlimit:10;"/>
-                    <path d="M1607.34,1251.46L207.725,1251.46" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.33px;stroke-linecap:round;stroke-dasharray:8.33,16.67,0,0;"/>
-                </g>
-            </g>
-            <g transform="matrix(0.54423,0,0,0.514519,523.603,1207.09)">
-                <path d="M1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1624.98,583.163L1624.98,919.651C1624.98,944.11 1607.66,963.968 1586.34,963.968L670.315,963.968C648.993,963.968 631.682,944.11 631.682,919.651L631.682,583.163C631.682,558.704 648.993,538.846 670.315,538.846L1586.34,538.846C1607.66,538.846 1624.98,558.704 1624.98,583.163ZM1608.99,583.163C1608.99,568.822 1598.85,557.179 1586.34,557.179L670.315,557.179C657.814,557.179 647.664,568.822 647.664,583.163L647.664,919.651C647.664,933.992 657.814,945.635 670.315,945.635L1586.34,945.635C1598.85,945.635 1608.99,933.992 1608.99,919.651L1608.99,583.163Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-323.596,-115.707)">
-                <g transform="matrix(50,0,0,50,1528.5,1528)">
-                </g>
-                <text x="1274.4px" y="1528px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">Emp<tspan x="1375.85px 1394.1px " y="1528px 1528px ">ty</tspan>Data</text>
-            </g>
-            <g transform="matrix(1.16933e-17,1.13192,-0.102439,3.71795e-17,1384.12,272.481)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.59px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(1.16933e-17,1.13192,-0.102439,3.71795e-17,1384.12,612.276)">
-                <path d="M497.076,394.18L497.076,1793.56" style="fill:none;stroke:rgb(255,166,48);stroke-width:17.59px;stroke-linecap:round;"/>
-            </g>
-            <g transform="matrix(0.377816,0,0,0.318513,1464.43,3.62207)">
-                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.04373,2.9937e-16,-2.74652e-16,1.13192,767.205,-815.996)">
-                <text x="1171.58px" y="1474.94px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">r<tspan x="1185.58px " y="1474.94px ">e</tspan>sponder</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1432.53,1516.61)">
-                </g>
-                <text x="1171.58px" y="1516.61px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">aut<tspan x="1230.45px " y="1516.61px ">h</tspan>ent<tspan x="1313.16px 1322.41px 1341.33px 1363.08px 1377.16px " y="1516.61px 1516.61px 1516.61px 1516.61px 1516.61px ">icati</tspan>on</text>
-            </g>
-            <g transform="matrix(1.04373,1.80409e-17,1.85964e-17,1.13192,767.205,-611.456)">
-                <text x="1171.58px" y="1454.11px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">init<tspan x="1227.49px " y="1454.11px ">i</tspan>at<tspan x="1272.24px " y="1454.11px ">o</tspan>r</text>
-                <text x="1171.58px" y="1495.78px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">aut<tspan x="1230.45px " y="1495.78px ">h</tspan>ent<tspan x="1313.16px 1322.41px 1341.33px 1363.08px 1377.16px " y="1495.78px 1495.78px 1495.78px 1495.78px 1495.78px ">icati</tspan>on,</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1464.49,1537.44)">
-                </g>
-                <text x="1171.58px" y="1537.44px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">f<tspan x="1184.24px 1207.03px 1222.53px 1256.91px 1278.66px 1292.66px " y="1537.44px 1537.44px 1537.44px 1537.44px 1537.44px 1537.44px ">orward</tspan> secr<tspan x="1402.12px " y="1537.44px ">e</tspan>cy</text>
-            </g>
-            <g transform="matrix(1.04373,1.80409e-17,1.85964e-17,1.13192,705.967,-92.9691)">
-                <text x="1171.58px" y="1474.94px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">ackno<tspan x="1278.49px 1313.28px 1324.95px " y="1474.94px 1474.94px 1474.94px ">wle</tspan>dges</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1314.2,1516.61)">
-                </g>
-                <text x="1171.58px" y="1516.61px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">InitC<tspan x="1254.78px " y="1516.61px ">o</tspan>nf</text>
-            </g>
-            <g transform="matrix(1.04373,1.72621e-17,1.94353e-17,1.13192,767.205,-321.469)">
-                <text x="1171.58px" y="1472.39px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">OSK handed</text>
-                <g transform="matrix(41.6667,0,0,41.6667,1422.78,1514.06)">
-                </g>
-                <text x="1171.58px" y="1514.06px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">t<tspan x="1185.33px " y="1514.06px ">o</tspan> W<tspan x="1264.74px 1273.99px 1287.99px " y="1514.06px 1514.06px 1514.06px ">ire</tspan>Guar<tspan x="1398.83px " y="1514.06px ">d</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-159.675,-1425.03)">
-                <g transform="matrix(33.3333,0,0,33.3333,1376.21,1461.44)">
-                </g>
-                <text x="1171.58px" y="1461.44px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:33.333px;fill:rgb(64,63,73);">Init<tspan x="1219.48px " y="1461.44px ">i</tspan>at<tspan x="1256.91px " y="1461.44px ">o</tspan>r Stat<tspan x="1358.41px " y="1461.44px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-159.675,-1369.01)">
-                <g transform="matrix(33.3333,0,0,33.3333,1422.81,1461.44)">
-                </g>
-                <text x="1171.58px" y="1461.44px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:33.333px;fill:rgb(64,63,73);">R<tspan x="1193.61px " y="1461.44px ">e</tspan>sponder Stat<tspan x="1405.01px " y="1461.44px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,-1040.69,-1406.95)">
-                <g transform="matrix(50,0,0,50,1434.05,1476.14)">
-                </g>
-                <text x="1257.1px" y="1476.14px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:50px;fill:white;">Init<tspan x="1330.14px " y="1476.14px ">i</tspan>at<tspan x="1387.14px " y="1476.14px ">o</tspan>r</text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.13192,486.326,-1406.95)">
-                <g transform="matrix(50,0,0,50,1468.55,1476.14)">
-                </g>
-                <text x="1222.6px" y="1476.14px" style="font-family:'Nunito-SemiBold', 'Nunito';font-weight:600;font-size:50px;fill:white;">R<tspan x="1255.85px " y="1476.14px ">e</tspan>sponder</text>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,-284.091)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,-79.5508)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.29981,-1.40964,1.29981,1.40964,-996.095,207.55)">
-                <path d="M735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:rgb(179,178,182);"/>
-                <path d="M736.092,1546.36L712.445,1552.02L708.168,1547.74L713.825,1524.09L719.785,1522.41L737.776,1540.4L736.092,1546.36ZM735.267,1542.91L717.276,1524.92L711.619,1548.57L735.267,1542.91Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(1.04373,2.04033e-17,1.82707e-17,1.13192,287.154,-312.768)">
-                <g transform="matrix(41.6667,0,0,41.6667,1473.76,1457.69)">
-                </g>
-                <text x="1274.85px" y="1457.69px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">handshak<tspan x="1451.8px " y="1457.69px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,4.8711e-17,3.06091e-17,1.13192,312.355,-241.08)">
-                <g transform="matrix(41.6667,0,0,41.6667,1449.62,1457.69)">
-                </g>
-                <text x="1249.16px" y="1457.69px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:41.667px;fill:rgb(64,63,73);">l<tspan x="1262.7px 1273.62px 1296.24px 1319.87px 1332.03px 1357.66px 1382.66px 1406.07px 1427.66px " y="1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px 1457.69px ">ive phase</tspan></text>
-            </g>
-            <g transform="matrix(1.04373,0,0,1.24761,-135.752,-334.388)">
-                <g transform="matrix(1,-0,-0,0.90727,299.807,410.028)">
-                    <path d="M1593.36,999.66L1602.74,980.91L1612.11,999.66C1607.42,994.973 1598.05,994.973 1593.36,999.66Z" style="fill:rgb(179,178,182);"/>
-                    <path d="M1602.74,1027.14L1602.74,995.91" style="fill:none;stroke:rgb(179,178,182);stroke-width:6.25px;stroke-linecap:round;"/>
-                </g>
-            </g>
-            <g transform="matrix(-1.04373,1.52788e-16,-1.2782e-16,-1.24761,3835.73,3054.11)">
-                <g transform="matrix(-1,-1.22465e-16,1.11109e-16,-0.90727,3505.28,2305.97)">
-                    <path d="M1612.11,1090.07L1602.74,1108.82L1593.36,1090.07C1598.05,1094.75 1607.42,1094.75 1612.11,1090.07Z" style="fill:rgb(179,178,182);"/>
-                    <path d="M1602.74,1062.59L1602.74,1093.82" style="fill:none;stroke:rgb(179,178,182);stroke-width:6.25px;stroke-linecap:round;"/>
-                </g>
-            </g>
-        </g>
-    </g>
-</svg>
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.afdesign
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.afdesign
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.pdf
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.pdf
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.png
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.png
--- a/papers/graphics/rosenpass-wp-key-exchange-protocol.svg
+++ b/papers/graphics/rosenpass-wp-key-exchange-protocol.svg
@@ -1,15 +1,12 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 2037 1491" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
-        <rect id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(0.958104,0,0,0.883458,-169.743,-156.518)">
+        <rect x="177.165" y="177.165" width="2125.98" height="1687.51" style="fill:none;"/>
        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="177.165" width="2125.98" height="1687.51"/>
+            <rect x="177.165" y="177.165" width="2125.98" height="1687.51"/>
        </clipPath>
        <g clip-path="url(#_clip1)">
-            <g transform="matrix(1.04373,0,0,1.13192,177.165,177.165)">
-                <rect x="-16.526" y="0" width="2083.17" height="1490.84" style="fill:white;"/>
-            </g>
            <g transform="matrix(0.377816,0,0,0.318513,-62.5845,3.62207)">
                <path d="M1608.99,599.153C1608.99,575.987 1594.37,557.179 1576.37,557.179L680.292,557.179C662.284,557.179 647.664,575.987 647.664,599.153L647.664,903.661C647.664,926.827 662.284,945.635 680.292,945.635L1576.37,945.635C1594.37,945.635 1608.99,926.827 1608.99,903.661L1608.99,599.153Z" style="fill:rgb(247,4,132);"/>
            </g>
--- a/papers/graphics/rosenpass-wp-message-handling-code-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-message-handling-code-rgb.pdf
--- a/papers/graphics/rosenpass-wp-message-handling-code-rgb.svg
+++ b/papers/graphics/rosenpass-wp-message-handling-code-rgb.svg
--- a/papers/graphics/rosenpass-wp-message-handling-code.afdesign
+++ b/papers/graphics/rosenpass-wp-message-handling-code.afdesign
--- a/papers/graphics/rosenpass-wp-message-handling-code.pdf
+++ b/papers/graphics/rosenpass-wp-message-handling-code.pdf
--- a/papers/graphics/rosenpass-wp-message-handling-code.png
+++ b/papers/graphics/rosenpass-wp-message-handling-code.png
--- a/papers/graphics/rosenpass-wp-message-handling-code.svg
+++ b/papers/graphics/rosenpass-wp-message-handling-code.svg
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 2990 2133" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(1.0091,0,0,1.00305,-371.54,-177.706)">
-        <rect id="ArtBoard1" x="368.192" y="177.165" width="2962.52" height="2125.98" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(1.0091,0,0,1.00305,-371.54,-177.706)">
+        <rect x="368.192" y="177.165" width="2962.52" height="2125.98" style="fill:none;"/>
        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="368.192" y="177.165" width="2962.52" height="2125.98"/>
+            <rect x="368.192" y="177.165" width="2962.52" height="2125.98"/>
        </clipPath>
        <g clip-path="url(#_clip1)">
            <g transform="matrix(0.990987,0,0,0.996959,368.192,177.165)">
@@ -70,9 +70,6 @@
            <g transform="matrix(0.72523,0,0,0.837445,1933.65,1691.32)">
                <path d="M1922.27,398.791C1922.27,390.83 1914.85,384.367 1905.72,384.367L363.747,384.367C354.61,384.367 347.192,390.83 347.192,398.791L347.192,427.639C347.192,435.599 354.61,442.062 363.747,442.062L1905.72,442.062C1914.85,442.062 1922.27,435.599 1922.27,427.639L1922.27,398.791Z" style="fill:rgb(253,180,218);fill-opacity:0.5;"/>
            </g>
-            <g transform="matrix(1.1024,0,0,1.21164,9.17461,250.929)">
-                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
-            </g>
            <g transform="matrix(1.1024,0,0,1.20414,9.17461,982.985)">
                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(255,229,193);"/>
            </g>
@@ -94,6 +91,9 @@
            <g transform="matrix(1.1024,0,0,1.21164,9.17461,375.544)">
                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
            </g>
+            <g transform="matrix(1.1024,0,0,1.21164,9.17461,251.722)">
+                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(253,180,218);"/>
+            </g>
            <g transform="matrix(1.1024,0,0,0.837445,9.17461,1264.69)">
                <rect x="347.192" y="384.367" width="1575.08" height="57.695" style="fill:rgb(255,229,193);"/>
            </g>
@@ -310,7 +310,7 @@
            <g transform="matrix(0.990987,0,0,0.996959,400.873,805.267)">
                <g transform="matrix(29.1667,0,0,29.1667,209.923,19.398)">
                </g>
-                <text x="142.169px" y="19.398px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">pidiC</text>
+                <text x="123.853px" y="19.398px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">pidi_<tspan x="185.89px " y="19.398px ">c</tspan>t</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,556.294,805.267)">
                <text x="63.967px" y="19.461px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
@@ -351,9 +351,9 @@
                <text x="46.506px" y="26.764px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="46.506px " y="26.764px ">m</tspan>ix(sidi, epki)</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1406.03,735.765)">
-                <g transform="matrix(29.1667,0,0,29.1667,595.77,26.2132)">
+                <g transform="matrix(29.1667,0,0,29.1667,595.391,26.2132)">
                </g>
-                <text x="70.595px" y="26.213px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="70.595px " y="26.213px ">d</tspan>ec<tspan x="115.978px " y="26.213px ">a</tspan>ps<tspan x="161.77px 176.207px " y="26.213px 26.213px ">_a</tspan>nd_mix&lt;SKEM&gt;(sskr<tspan x="457.374px " y="26.213px ">,</tspan> spkr<tspan x="525.303px " y="26.213px ">,</tspan> ct1)</text>
+                <text x="70.595px" y="26.213px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="70.595px " y="26.213px ">d</tspan>ec<tspan x="115.978px " y="26.213px ">a</tspan>ps<tspan x="161.77px 176.207px " y="26.213px 26.213px ">_a</tspan>nd_mix&lt;SKEM&gt;(sskr<tspan x="457.374px " y="26.213px ">,</tspan> spkr<tspan x="525.303px " y="26.213px ">,</tspan> sctr<tspan x="586.67px " y="26.213px ">)</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,944.05,805.321)">
                <g transform="matrix(29.1667,0,0,29.1667,492.12,19.3437)">
@@ -362,9 +362,9 @@
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1343.8,805.267)">
                <text x="97.956px" y="19.461px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
-                <g transform="matrix(29.1667,0,0,29.1667,621.377,19.4608)">
+                <g transform="matrix(29.1667,0,0,29.1667,641.239,19.4608)">
                </g>
-                <text x="133.389px" y="19.461px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="133.389px 141.556px " y="19.461px 19.461px ">lo</tspan>okup<tspan x="219.81px " y="19.461px ">_</tspan>peer(<tspan x="300.31px " y="19.461px ">d</tspan>ecr<tspan x="356.689px 371.535px 388.16px 398.281px 412.718px " y="19.461px 19.461px 19.461px 19.461px 19.461px ">ypt_a</tspan>nd_mix(pidiC))</text>
+                <text x="133.389px" y="19.461px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="133.389px 141.556px " y="19.461px 19.461px ">lo</tspan>okup<tspan x="219.81px " y="19.461px ">_</tspan>peer(<tspan x="300.31px " y="19.461px ">d</tspan>ecr<tspan x="356.689px 371.535px 388.16px 398.281px 412.718px " y="19.461px 19.461px 19.461px 19.461px 19.461px ">ypt_a</tspan>nd_mix(pidi_<tspan x="590.956px 604.343px 616.448px " y="19.461px 19.461px 19.461px ">ct)</tspan>)</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1428.98,860.915)">
                <g transform="matrix(29.1667,0,0,29.1667,234.685,25.593)">
@@ -720,9 +720,9 @@
                <text x="85.515px" y="26.478px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="85.515px " y="26.478px ">d</tspan>ec<tspan x="130.898px " y="26.478px ">a</tspan>ps<tspan x="176.69px 191.127px " y="26.478px 26.478px ">_a</tspan>nd_mix&lt;SKEM&gt;(sski, spki, scti);</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,598.806,1534.07)">
-                <g transform="matrix(29.1667,0,0,29.1667,212.777,27.2845)">
+                <g transform="matrix(29.1667,0,0,29.1667,250.198,27.2845)">
                </g>
-                <text x="56.502px" y="27.284px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="56.502px " y="27.284px ">m</tspan>ix(biscuit<tspan x="196.706px " y="27.284px ">)</tspan></text>
+                <text x="56.502px" y="27.284px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="56.502px " y="27.284px ">m</tspan>ix(biscuit<tspan x="194.723px 208.635px 222.023px 234.127px " y="27.284px 27.284px 27.284px 27.284px ">_ct)</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,589.076,1605.36)">
                <g transform="matrix(29.1667,0,0,29.1667,370.179,15.7636)">
@@ -774,9 +774,9 @@
                <text x="55.154px" y="28.384px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="55.154px 68.95px 78.575px 94.529px 104.329px " y="28.384px 28.384px 28.384px 28.384px 28.384px ">store</tspan>_biscuit(<tspan x="227.121px " y="28.384px ">)</tspan>;</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1231.61,1534.18)">
-                <g transform="matrix(29.1667,0,0,29.1667,192.222,28.1459)">
+                <g transform="matrix(28.75,0,0,28.75,192.222,27.9976)">
                </g>
-                <text x="106.705px" y="28.146px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">biscuit</text>
+                <text x="70.034px" y="27.998px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:28.75px;">biscuit<tspan x="154.761px 168.532px " y="27.998px 27.998px ">_c</tspan>t</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1413.83,1606.73)">
                <text x="27.294px" y="15.076px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
@@ -816,10 +816,10 @@
                <text x="39.094px" y="15.047px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:29.167px;">biscuit<tspan x="125.049px " y="15.047px ">_</tspan>no</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1414.45,1937)">
-                <text x="26.666px" y="15.727px" style="font-family:'ArialMT', 'Arial', sans-serif;font-size:29.167px;">←</text>
-                <g transform="matrix(29.1667,0,0,29.1667,332.212,15.727)">
+                <text x="26.666px" y="15.72px" style="font-family:'Arial-BoldMT', 'Arial', sans-serif;font-weight:700;font-size:29.167px;">←</text>
+                <g transform="matrix(29.1667,0,0,29.1667,356.978,15.7199)">
                </g>
-                <text x="62.099px" y="15.727px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;"><tspan x="62.099px 70.266px " y="15.727px 15.727px ">lo</tspan>ad_biscuit(biscuit<tspan x="309.753px " y="15.727px ">)</tspan>;</text>
+                <text x="63.183px" y="15.72px" style="font-family:'Nunito-Light', 'Nunito';font-weight:300;font-size:29.167px;">l<tspan x="71.349px " y="15.72px ">o</tspan>ad_biscuit(biscuit<tspan x="308.853px 322.766px 336.153px 348.258px " y="15.72px 15.72px 15.72px 15.72px ">_ct)</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,1420.02,1985.2)">
                <g transform="matrix(29.1667,0,0,29.1667,408.55,14.2792)">
@@ -924,32 +924,32 @@
                    <path d="M25.178,1596.45L1770.22,1596.45" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.33px;stroke-dasharray:8.33,16.67,0,0;"/>
                </g>
            </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,146.07)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,146.07)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
            </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,912.386)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(255,166,48);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,912.386)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(255,166,48);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
            </g>
-            <g transform="matrix(1.04736,0,0,0.265077,49.2217,1569.58)">
-                <path d="M1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
-                <path d="M1616.88,601.6L1616.88,901.214C1616.88,943.028 1608.34,976.977 1597.82,976.977L658.84,976.977C648.32,976.977 639.779,943.028 639.779,901.214L639.779,601.6C639.779,559.786 648.32,525.837 658.84,525.837L1597.82,525.837C1608.34,525.837 1616.88,559.786 1616.88,601.6ZM1608.99,601.6C1608.99,577.084 1603.99,557.179 1597.82,557.179L658.84,557.179C652.672,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.672,945.635 658.84,945.635L1597.82,945.635C1603.99,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
+            <g transform="matrix(1.11927,0,0,0.265077,-31.9199,1569.58)">
+                <path d="M1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:rgb(247,4,132);"/>
+                <path d="M1616.37,601.6L1616.37,901.214C1616.37,943.028 1608.38,976.977 1598.54,976.977L658.122,976.977C648.278,976.977 640.286,943.028 640.286,901.214L640.286,601.6C640.286,559.786 648.278,525.837 658.122,525.837L1598.54,525.837C1608.38,525.837 1616.37,559.786 1616.37,601.6ZM1608.99,601.6C1608.99,577.084 1604.31,557.179 1598.54,557.179L658.122,557.179C652.35,557.179 647.664,577.084 647.664,601.6L647.664,901.214C647.664,925.73 652.35,945.635 658.122,945.635L1598.54,945.635C1604.31,945.635 1608.99,925.73 1608.99,901.214L1608.99,601.6Z" style="fill:white;"/>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,-393.972,-1123.82)">
-                <g transform="matrix(50,0,0,50,2059.59,1491.35)">
+                <g transform="matrix(50,0,0,50,2075.42,1491.35)">
                </g>
-                <text x="1219.89px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1386.09px " y="1491.35px ">o</tspan> { sidi, epki, sctr<tspan x="1760.64px " y="1491.35px ">,</tspan> pidiC<tspan x="1901.99px " y="1491.35px ">,</tspan> aut<tspan x="1999.89px " y="1491.35px ">h</tspan> }</text>
+                <text x="1204.07px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitHell<tspan x="1370.27px " y="1491.35px ">o</tspan> { sidi, epki, sctr<tspan x="1744.82px " y="1491.35px ">,</tspan> pidi_<tspan x="1875.87px 1899.17px 1917.82px " y="1491.35px 1491.35px 1491.35px ">ct,</tspan> aut<tspan x="2015.72px " y="1491.35px ">h</tspan> }</text>
            </g>
-            <g transform="matrix(0.990987,0,0,0.996959,-433.456,-357.502)">
-                <g transform="matrix(50,0,0,50,2155.26,1491.35)">
+            <g transform="matrix(0.990987,0,0,0.996959,-477.45,-357.502)">
+                <g transform="matrix(50,0,0,50,2231.1,1491.35)">
                </g>
-                <text x="1203.91px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1235.96px 1261.66px 1284.81px 1313.16px 1350.36px 1376.06px 1390.11px 1403.91px 1430.91px 1442.96px 1460.01px 1472.06px 1495.21px 1506.06px 1534.41px 1550.56px 1561.21px 1573.26px 1596.41px 1607.26px 1635.61px 1646.46px 1657.11px 1669.16px 1694.86px 1717.16px 1734.46px 1745.31px 1755.96px 1768.01px 1791.16px 1813.46px 1830.76px 1841.61px 1852.26px 1864.31px 1892.66px 1903.51px 1926.66px 1948.91px 1976.16px 1987.01px 2004.66px 2015.31px 2027.36px 2053.01px 2080.26px 2097.56px 2125.16px 2137.21px " y="1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px ">espHello { sidr, sidi, ecti, scti, biscuit, auth }</tspan></text>
+                <text x="1216.85px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">R<tspan x="1248.9px 1274.6px 1297.75px 1326.1px 1363.3px 1389px 1403.05px 1416.85px 1443.85px 1455.9px 1472.95px 1485px 1508.15px 1519px 1547.35px 1563.5px 1574.15px 1586.2px 1609.35px 1620.2px 1648.55px 1659.4px 1670.05px 1682.1px 1707.8px 1730.1px 1747.4px 1758.25px 1768.9px 1780.95px 1804.1px 1826.4px 1843.7px 1854.55px 1865.2px 1877.25px 1905.6px 1916.45px 1939.6px 1961.85px 1989.1px 1999.95px 2017.6px 2040.55px 2062.85px 2080.5px 2091.15px 2103.2px 2128.85px 2156.1px 2173.4px 2201px 2213.05px " y="1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px 1491.35px ">espHello { sidr, sidi, ecti, scti, biscuit_ct, auth }</tspan></text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,-393.972,299.694)">
-                <g transform="matrix(50,0,0,50,2020.42,1491.35)">
+                <g transform="matrix(50,0,0,50,2053.37,1491.35)">
                </g>
-                <text x="1272.12px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1375.57px " y="1491.35px ">o</tspan>nf { sidi, sidr<tspan x="1677.72px " y="1491.35px ">,</tspan> biscuit<tspan x="1849.77px " y="1491.35px ">,</tspan> aut<tspan x="1947.67px " y="1491.35px ">h</tspan> }</text>
+                <text x="1239.17px" y="1491.35px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:50px;">InitC<tspan x="1342.62px " y="1491.35px ">o</tspan>nf { sidi, sidr<tspan x="1644.77px " y="1491.35px ">,</tspan> biscuit<tspan x="1816.82px 1840.77px 1864.07px 1882.72px " y="1491.35px 1491.35px 1491.35px 1491.35px ">_ct,</tspan> aut<tspan x="1980.62px " y="1491.35px ">h</tspan> }</text>
            </g>
            <g transform="matrix(0.990987,0,0,0.996959,467.587,-208.686)">
                <circle cx="92.21" cy="555.627" r="46.396" style="fill:rgb(64,63,73);"/>
--- a/papers/graphics/rosenpass-wp-message-types-rgb.pdf
+++ b/papers/graphics/rosenpass-wp-message-types-rgb.pdf
--- a/papers/graphics/rosenpass-wp-message-types-rgb.svg
+++ b/papers/graphics/rosenpass-wp-message-types-rgb.svg
@@ -1,393 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
-<svg width="100%" height="100%" viewBox="0 0 1890 1086" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
-        <rect id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
-        <g id="ArtBoard11" serif:id="ArtBoard1">
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-109.061,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-646.644,-769.875)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(4.00596,0,-1.23443e-32,1.24734,-4842.07,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1481.4,2496.4L1481.4,2517.3C1481.4,2519.61 1480.88,2521.47 1480.23,2521.47L1454.89,2521.47C1454.24,2521.47 1453.72,2519.61 1453.72,2517.3L1453.72,2496.4C1453.72,2494.1 1454.24,2492.23 1454.89,2492.23L1480.23,2492.23C1480.88,2492.23 1481.4,2494.1 1481.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-42.3997,-29.2601)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,-3.46751e-33,1.24734,-579.982,-769.875)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(0.381932,0,0,1.66872,42.8569,1055.77)">
-                <path d="M1608.99,559.828C1608.99,558.366 1604.32,557.179 1598.56,557.179L658.104,557.179C652.342,557.179 647.664,558.366 647.664,559.828L647.664,942.986C647.664,944.448 652.342,945.635 658.104,945.635L1598.56,945.635C1604.32,945.635 1608.99,944.448 1608.99,942.986L1608.99,559.828Z" style="fill:none;stroke:rgb(64,63,73);stroke-width:8.54px;"/>
-            </g>
-            <g transform="matrix(0.319269,0,0,0.306737,111.831,2084.53)">
-                <path d="M1608.99,571.588C1608.99,563.635 1603.4,557.179 1596.51,557.179L660.153,557.179C653.26,557.179 647.664,563.635 647.664,571.588L647.664,931.226C647.664,939.179 653.26,945.635 660.153,945.635L1596.51,945.635C1603.4,945.635 1608.99,939.179 1608.99,931.226L1608.99,571.588Z" style="fill:white;"/>
-            </g>
-            <g transform="matrix(0.381932,0,0,0.364294,42.8569,1783.2)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(64,63,73);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-142.419,-742.377)">
-                <path d="M686.627,2406.91L686.627,2495.34C686.627,2499.6 683.172,2503.05 678.917,2503.05L413.249,2503.05C408.994,2503.05 405.539,2499.6 405.539,2495.34L405.539,2406.91C405.539,2402.65 408.994,2399.2 413.249,2399.2L678.917,2399.2C683.172,2399.2 686.627,2402.65 686.627,2406.91ZM413.872,2457.17L413.872,2494.72L678.293,2494.72L678.293,2457.17L413.872,2457.17Z" style="fill:rgb(179,178,182);"/>
-                <clipPath id="_clip1">
-                    <path d="M686.627,2406.91L686.627,2495.34C686.627,2499.6 683.172,2503.05 678.917,2503.05L413.249,2503.05C408.994,2503.05 405.539,2499.6 405.539,2495.34L405.539,2406.91C405.539,2402.65 408.994,2399.2 413.249,2399.2L678.917,2399.2C683.172,2399.2 686.627,2402.65 686.627,2406.91ZM413.872,2457.17L413.872,2494.72L678.293,2494.72L678.293,2457.17L413.872,2457.17Z"/>
-                </clipPath>
-                <g clip-path="url(#_clip1)">
-                    <g>
-                        <g transform="matrix(0.707107,0.707107,-0.707107,0.707107,1731.31,392.021)">
-                            <rect x="320.594" y="2142.43" width="296.282" height="308.698" style="fill:rgb(247,4,132);"/>
-                        </g>
-                        <g transform="matrix(0.707107,0.707107,-0.707107,0.707107,1939.29,599.998)">
-                            <rect x="320.594" y="2142.43" width="296.282" height="308.698" style="fill:rgb(255,166,48);"/>
-                        </g>
-                    </g>
-                </g>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-988.061,373.696)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">t<tspan x="1183.44px " y="1445.64px ">y</tspan>pe</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(160,159,164);">r<tspan x="1183.31px " y="1487.31px ">e</tspan>ser<tspan x="1247.74px 1264.68px " y="1487.31px 1487.31px ">ve</tspan>d</text>
-                <text x="1171.58px" y="1545.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1208.51px 1225.64px 1235.34px " y="1545.64px 1545.64px 1545.64px ">ylo</tspan>ad</text>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">mac</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1265.88,1695.64)">
-                </g>
-                <text x="1171.58px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">c<tspan x="1186.68px " y="1695.64px ">o</tspan>okie</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1032.48,373.696)">
-                <text x="1443.43px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">1</text>
-                <text x="1443.43px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">3</text>
-                <text x="1444.5px" y="1545.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">n</text>
-                <text x="1423.43px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1443.43px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">6</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1463.43,1766.48)">
-                </g>
-                <text x="1213.53px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">en<tspan x="1250.03px 1266.96px 1284.7px 1294.4px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  n + 36</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1006.67,212.568)">
-                <text x="1228.7px" y="1470.55px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;fill:white;">En<tspan x="1276.75px 1298px 1320.25px 1332.58px " y="1470.55px 1470.55px 1470.55px 1470.55px ">velo</tspan>pe</text>
-                <g transform="matrix(25,0,0,25,1459.75,1516.38)">
-                </g>
-                <text x="1398.3px" y="1516.38px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;fill:white;">b<tspan x="1412.7px 1425.8px 1434.42px " y="1516.38px 1516.38px 1516.38px ">yte</tspan>s</text>
-            </g>
-            <g transform="matrix(0.597054,0,0,0.741612,65.5056,511.466)">
-                <path d="M432.703,2196.97L345.361,2196.97L345.361,2547.98L432.703,2547.98" style="fill:none;stroke:rgb(160,159,164);stroke-width:5.18px;"/>
-            </g>
-            <g transform="matrix(0.63007,0,0,0.90399,0.337587,154.729)">
-                <path d="M376.162,2196.97L345.361,2196.97L345.361,2544.77L513.459,2544.77" style="fill:none;stroke:rgb(160,159,164);stroke-width:4.5px;"/>
-            </g>
-            <g transform="matrix(4.69386e-17,-1.24734,1.12527,9.74939e-17,-2569.76,2501.33)">
-                <g transform="matrix(25,0,0,25,286.877,2518.25)">
-                </g>
-                <text x="82.852px" y="2518.25px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">M<tspan x="103.602px 120.902px 137.352px 147.927px 174.827px 180.627px 196.727px 210.927px 222.802px 240.427px 256.127px 268.652px " y="2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px ">AC_WIRE_DATA</tspan></text>
-            </g>
-            <g transform="matrix(4.35236e-17,-1.24734,1.12527,9.46525e-17,-2623.43,2555.42)">
-                <g transform="matrix(25,0,0,25,325.196,2518.25)">
-                </g>
-                <text x="87.896px" y="2518.25px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">C<tspan x="103.571px 122.121px 140.671px 155.671px 161.471px 175.671px 186.246px 213.146px 218.946px 235.046px 249.246px 261.121px 278.746px 294.446px 306.971px " y="2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px 2518.25px ">OOKIE_WIRE_DATA</tspan></text>
-            </g>
-            <g transform="matrix(0.986529,0,0,1.24734,-548.881,-459.807)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:3.1px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,413.374,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,411.795,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-536.656,211.942)">
-                <text x="1254.57px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">InitHell<tspan x="1393.07px " y="1470.8px ">o</tspan></text>
-                <g transform="matrix(25,0,0,25,1397.15,1512.47)">
-                </g>
-                <text x="1273.83px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1282.95px " y="1512.47px ">y</tspan>pe=0x81</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-550.023,408.588)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">epki</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sctr</text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">peerid</text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-505.817,408.588)">
-                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1423.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">800</text>
-                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1327.57px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">32 + 16 =</text>
-                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">48</text>
-                <text x="1443.37px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1266.77px" y="1683.14px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1303.71px 1320.84px 1330.54px " y="1683.14px 1683.14px 1683.14px ">ylo</tspan>ad  1056</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1483.37,1724.81)">
-                </g>
-                <text x="1221.01px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1286.11px 1303.04px 1320.77px 1330.47px " y="1724.81px 1724.81px 1724.81px 1724.81px ">velo</tspan>pe  1092</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-418.853,-527.648)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,959.846,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1048.63,2310.36)">
-                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,958.268,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-187.43,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,255.507,157.594)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-122.635,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,350.049,158.841)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-56.47,-743.625)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,452.097,158.629)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,15.782,211.942)">
-                <text x="1231.86px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">R<tspan x="1259.4px " y="1470.8px ">e</tspan>spHell<tspan x="1405.19px " y="1470.8px ">o</tspan></text>
-                <g transform="matrix(25,0,0,25,1391.85,1512.47)">
-                </g>
-                <text x="1268.53px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1277.65px " y="1512.47px ">y</tspan>pe=0x82</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-3.54999,383.641)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ect<tspan x="1216.61px " y="1528.98px ">i</tspan></text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sct<tspan x="1214.91px " y="1570.64px ">i</tspan></text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1653.98)">
-                </g>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1653.98px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,5.40653,383.641)">
-                <text x="1494.7px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1494.7px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1454.7px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">768</text>
-                <text x="1454.7px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1281px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1454.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1474.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1298.1px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1335.03px 1352.16px 1361.86px " y="1724.81px 1724.81px 1724.81px ">ylo</tspan>ad  1096</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1514.7,1766.48)">
-                </g>
-                <text x="1252.33px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1317.43px 1334.36px 1352.1px 1361.8px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  1132</text>
-            </g>
-            <g transform="matrix(1.12526,-0.00552033,0,1.24736,577.101,1504.92)">
-                <g transform="matrix(25,0,0,25,1221.4,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">data</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,671.631,1498.47)">
-                <g transform="matrix(25,0,0,25,1238.5,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">nonc<tspan x="1225.2px " y="1439.71px ">e</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,773.678,1498.47)">
-                <g transform="matrix(25,0,0,25,1281.5,1439.71)">
-                </g>
-                <text x="1171.58px" y="1439.71px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">aut<tspan x="1207.75px " y="1439.71px ">h</tspan> c<tspan x="1239.73px " y="1439.71px ">o</tspan>de</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,127.619,-497.943)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,-133.099,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,-134.677,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1077.16,1002.61)">
-                <text x="1224.31px" y="1471.18px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">Emp<tspan x="1308.86px 1324.06px " y="1471.18px 1471.18px ">ty</tspan>Data</text>
-                <g transform="matrix(25,0,0,25,1391.85,1512.85)">
-                </g>
-                <text x="1268.53px" y="1512.85px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1277.65px " y="1512.85px ">y</tspan>pe=0x84</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1096.5,1200.43)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidx</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ctr</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1528.98)">
-                </g>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1528.98px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1029.53,1200.43)">
-                <text x="1443.14px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1443.14px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">8</text>
-                <text x="1423.14px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1286.55px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.48px 1340.61px 1350.31px " y="1599.81px 1599.81px 1599.81px ">ylo</tspan>ad  28</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1463.15,1641.48)">
-                </g>
-                <text x="1240.78px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1305.88px 1322.81px 1340.55px 1350.25px " y="1641.48px 1641.48px 1641.48px 1641.48px ">velo</tspan>pe  64</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-965.326,161.211)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,959.846,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,958.268,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,15.782,1002.61)">
-                <text x="1211.79px" y="1471.12px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:42.083px;">C<tspan x="1238.72px " y="1471.12px ">o</tspan>okieR<tspan x="1367.5px " y="1471.12px ">e</tspan>pl<tspan x="1426.83px " y="1471.12px ">y</tspan></text>
-                <g transform="matrix(25.4167,0,0,25.4167,1392.88,1513.2)">
-                </g>
-                <text x="1267.5px" y="1513.2px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25.417px;fill:white;">t<tspan x="1276.78px " y="1513.2px ">y</tspan>pe=0x86</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-1.30896,1200.2)">
-                <text x="1171.58px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">sidx</text>
-                <text x="1171.58px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">nonc<tspan x="1243.97px " y="1487.61px ">e</tspan></text>
-                <g transform="matrix(33.75,0,0,33.75,1267.05,1529.27)">
-                </g>
-                <text x="1171.58px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">c<tspan x="1186.87px " y="1529.27px ">o</tspan>okie</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,65.6578,1200.2)">
-                <text x="1442.89px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">4</text>
-                <text x="1422.64px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">24</text>
-                <text x="1296.21px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25.417px;">16 + 16 =</text>
-                <text x="1422.64px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1284.34px" y="1600.11px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pa<tspan x="1321.73px 1339.08px 1348.9px " y="1600.11px 1600.11px 1600.11px ">ylo</tspan>ad  60</text>
-                <g transform="matrix(33.75,0,0,33.75,1463.15,1641.77)">
-                </g>
-                <text x="1238px" y="1641.77px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ en<tspan x="1303.91px 1321.06px 1339.01px 1348.83px " y="1641.77px 1641.77px 1641.77px 1641.77px ">velo</tspan>pe  96</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,129.86,160.982)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.66616,1506.32,1057.2)">
-                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:8.39px;"/>
-            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1595.1,2285.75)">
-                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,359.526,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,424.321,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,490.486,-769.283)">
-                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
-                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.365649,1504.74,1781.92)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,568.22,211.942)">
-                <text x="1251.12px" y="1470.8px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">InitC<tspan x="1337.33px " y="1470.8px ">o</tspan>nf</text>
-                <g transform="matrix(25,0,0,25,1386.55,1512.47)">
-                </g>
-                <text x="1263.23px" y="1512.47px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1272.35px " y="1512.47px ">y</tspan>pe=0x83</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,542.923,463.055)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1570.64)">
-                </g>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1570.64px ">h</tspan></text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,587.128,463.055)">
-                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1463.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1249.67px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1286.77px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.71px 1340.84px 1350.54px " y="1641.48px 1641.48px 1641.48px ">ylo</tspan>ad  140</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1483.37,1683.14)">
-                </g>
-                <text x="1241.01px" y="1683.14px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1306.11px 1323.04px 1340.77px 1350.47px " y="1683.14px 1683.14px 1683.14px 1683.14px ">velo</tspan>pe  176</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,674.092,-525.153)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,1.40614,413.374,1992.75)">
-                <path d="M1608.99,560.322C1608.99,558.587 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.587 647.664,560.322L647.664,942.492C647.664,944.227 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.227 1608.99,942.492L1608.99,560.322Z" style="fill:none;stroke:rgb(247,4,132);stroke-width:9.75px;"/>
-            </g>
-            <g transform="matrix(0.49129,0,0,0.368077,411.795,2571.24)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(247,4,132);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-524.725,1002.61)">
-                <text x="1279.66px" y="1471.18px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">Data</text>
-                <g transform="matrix(25,0,0,25,1386.55,1512.85)">
-                </g>
-                <text x="1263.23px" y="1512.85px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:25px;fill:white;">t<tspan x="1272.35px " y="1512.85px ">y</tspan>pe=0x85</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-550.023,1200.57)">
-                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidx</text>
-                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ctr</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1290.6,1528.98)">
-                </g>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">data</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-586.775,1200.57)">
-                <text x="1535.32px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1535.32px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">8</text>
-                <text x="1398.39px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1411.02px " y="1528.98px ">a</tspan>riabl<tspan x="1474.12px " y="1528.98px ">e</tspan> +</text>
-                <text x="1515.32px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
-                <text x="1268.24px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1305.18px 1322.31px 1332.01px " y="1599.81px 1599.81px 1599.81px ">ylo</tspan>ad</text>
-                <text x="1396.24px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1408.87px " y="1599.81px ">a</tspan>riabl<tspan x="1471.97px " y="1599.81px ">e</tspan> +</text>
-                <text x="1515.32px" y="1599.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">28</text>
-                <text x="1222.48px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">+ en<tspan x="1287.58px 1304.51px 1322.24px 1331.94px " y="1641.48px 1641.48px 1641.48px 1641.48px ">velo</tspan>pe</text>
-                <text x="1396.24px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">v<tspan x="1408.87px " y="1641.48px ">a</tspan>riabl<tspan x="1471.97px " y="1641.48px ">e</tspan> +</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1555.32,1641.48)">
-                </g>
-                <text x="1515.32px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;fill:rgb(102,101,109);">64</text>
-            </g>
-            <g transform="matrix(1.33216,0,0,1.24734,-416.123,162.22)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
-            </g>
-            <g transform="matrix(0.400209,0,0,1.19089,1603.98,2115.3)">
-                <path d="M1608.99,560.89C1608.99,558.842 1604.53,557.179 1599.03,557.179L657.627,557.179C652.128,557.179 647.664,558.842 647.664,560.89L647.664,941.924C647.664,943.972 652.128,945.635 657.627,945.635L1599.03,945.635C1604.53,945.635 1608.99,943.972 1608.99,941.924L1608.99,560.89Z" style="fill:white;stroke:rgb(255,211,152);stroke-width:11.57px;"/>
-            </g>
-            <g transform="matrix(0.400209,0,0,0.196676,1603.98,2669.25)">
-                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,211,152);"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,550.082,1014.76)">
-                <g transform="matrix(41.6667,0,0,41.6667,1401.28,1457.77)">
-                </g>
-                <text x="1279.11px" y="1457.77px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;">biscuit</text>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,588.6,1106.02)">
-                <text x="1398.83px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1398.83px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">12</text>
-                <text x="1398.83px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
-                <text x="1283.47px" y="1600.11px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">biscuit  76</text>
-                <text x="1241.85px" y="1641.77px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ nonc<tspan x="1343.21px " y="1641.77px ">e</tspan>  100</text>
-                <g transform="matrix(33.75,0,0,33.75,1450.58,1683.44)">
-                </g>
-                <text x="1183.8px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;fill:rgb(102,101,109);">+ aut<tspan x="1261.6px " y="1683.44px ">h</tspan> c<tspan x="1304.76px " y="1683.44px ">o</tspan>de  116</text>
-            </g>
-            <g transform="matrix(1.05033,0,0,1.24734,960.732,66.8014)">
-                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:3.02px;"/>
-            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,578.408,1106.02)">
-                <text x="1171.58px" y="1445.94px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">peerid</text>
-                <text x="1171.58px" y="1487.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">no</text>
-                <g transform="matrix(33.75,0,0,33.75,1204.08,1529.27)">
-                </g>
-                <text x="1171.58px" y="1529.27px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">ck</text>
-            </g>
-        </g>
-    </g>
-</svg>
--- a/papers/graphics/rosenpass-wp-message-types.afdesign
+++ b/papers/graphics/rosenpass-wp-message-types.afdesign
--- a/papers/graphics/rosenpass-wp-message-types.pdf
+++ b/papers/graphics/rosenpass-wp-message-types.pdf
--- a/papers/graphics/rosenpass-wp-message-types.png
+++ b/papers/graphics/rosenpass-wp-message-types.png
--- a/papers/graphics/rosenpass-wp-message-types.svg
+++ b/papers/graphics/rosenpass-wp-message-types.svg
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 <svg width="100%" height="100%" viewBox="0 0 1890 1086" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:1.5;">
-    <g transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
-        <rect id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
+    <g id="ArtBoard1" transform="matrix(0.888676,0,0,0.801704,-157.443,-1585.2)">
+        <rect x="177.165" y="1977.29" width="2125.98" height="1353.42" style="fill:none;"/>
        <clipPath id="_clip1">
-            <rect id="ArtBoard11" serif:id="ArtBoard1" x="177.165" y="1977.29" width="2125.98" height="1353.42"/>
+            <rect x="177.165" y="1977.29" width="2125.98" height="1353.42"/>
        </clipPath>
        <g clip-path="url(#_clip1)">
            <g transform="matrix(1.12527,0,0,1.24734,177.165,1977.29)">
@@ -72,7 +72,7 @@
                <text x="1423.43px" y="1695.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
                <g transform="matrix(33.3333,0,0,33.3333,1463.43,1766.48)">
                </g>
-                <text x="1213.53px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">en<tspan x="1250.03px 1266.96px 1284.7px 1294.4px " y="1766.48px 1766.48px 1766.48px 1766.48px ">velo</tspan>pe  n + 36</text>
+                <text x="1226.13px" y="1766.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pack<tspan x="1295.16px " y="1766.48px ">a</tspan>ge  n + 36</text>
            </g>
            <g transform="matrix(1.12527,0,0,1.24734,-1007.2,213.348)">
                <text x="1228.7px" y="1470.55px" style="font-family:'Nunito-Medium', 'Nunito';font-weight:500;font-size:41.667px;fill:white;">En<tspan x="1276.75px 1298px 1320.25px 1332.58px " y="1470.55px 1470.55px 1470.55px 1470.55px ">velo</tspan>pe</text>
@@ -115,7 +115,7 @@
                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">epki</text>
                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sctr</text>
-                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pidiC</text>
+                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pidi_<tspan x="1241.84px " y="1570.64px ">c</tspan>t</text>
                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
            </g>
            <g transform="matrix(1.12527,0,0,1.24734,-506.344,409.368)">
@@ -136,14 +136,14 @@
            <g transform="matrix(0.49129,0,0,1.66616,959.319,1057.98)">
                <path d="M1608.99,559.832C1608.99,558.368 1605.36,557.179 1600.88,557.179L655.78,557.179C651.301,557.179 647.664,558.368 647.664,559.832L647.664,942.982C647.664,944.446 651.301,945.635 655.78,945.635L1600.88,945.635C1605.36,945.635 1608.99,944.446 1608.99,942.982L1608.99,559.832Z" style="fill:none;stroke:rgb(255,166,48);stroke-width:8.39px;"/>
            </g>
-            <g transform="matrix(0.410953,0,0,0.095385,1048.1,2311.14)">
+            <g transform="matrix(0.410953,0,0,0.095385,1048.1,2363.41)">
                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
+                <path d="M1631.81,603.515L1631.81,899.299L1631.15,930.502L1629.25,959.805L1626.24,986.218L1622.29,1009.11L1617.49,1028.01L1611.96,1042.35L1605.83,1051.45L1599.29,1054.61L657.366,1054.61L650.833,1051.45L644.697,1042.35L639.166,1028.01L634.372,1009.11L630.416,986.218L627.414,959.805L625.507,930.502L624.846,899.299L624.846,603.515L625.507,572.312L627.414,543.009L630.416,516.596L634.372,493.7L639.166,474.808L644.697,460.468L650.833,451.364L657.366,448.205L1599.29,448.205L1605.83,451.364L1611.96,460.468L1617.49,474.808L1622.29,493.7L1626.24,516.596L1629.25,543.009L1631.15,572.312L1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
            </g>
            <g transform="matrix(0.49129,0,0,0.365649,957.741,1782.7)">
                <rect x="647.664" y="557.179" width="961.33" height="388.456" style="fill:rgb(255,166,48);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-187.957,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-161.376,-690.576)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
            </g>
@@ -151,7 +151,7 @@
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-123.162,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-109.871,-690.576)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
            </g>
@@ -159,7 +159,7 @@
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,-56.9969,-742.844)">
+            <g transform="matrix(1.12527,0,0,1.24734,-56.9969,-690.576)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(198,198,201);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(198,198,201);"/>
            </g>
@@ -178,19 +178,17 @@
                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">ect<tspan x="1216.61px " y="1528.98px ">i</tspan></text>
                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sct<tspan x="1214.91px " y="1570.64px ">i</tspan></text>
-                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
-                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1653.98)">
-                </g>
-                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1653.98px ">h</tspan></text>
+                <text x="1171.58px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1612.31px ">h</tspan></text>
+                <text x="1171.58px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">b<tspan x="1190.01px 1196.74px 1211.78px 1226.21px 1243.91px 1250.64px 1261.78px 1276.71px 1291.14px " y="1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px 1653.98px ">iscuit_ct</tspan></text>
            </g>
            <g transform="matrix(1.12527,0,0,1.24734,4.87963,384.421)">
                <text x="1494.7px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                <text x="1494.7px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                <text x="1454.7px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">768</text>
                <text x="1454.7px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">188</text>
-                <text x="1281px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
-                <text x="1454.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
-                <text x="1474.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
+                <text x="1474.7px" y="1612.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
+                <text x="1306.8px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76+24+16 =</text>
+                <text x="1454.7px" y="1653.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
                <text x="1298.1px" y="1724.81px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1335.03px 1352.16px 1361.86px " y="1724.81px 1724.81px 1724.81px ">ylo</tspan>ad  1096</text>
                <g transform="matrix(33.3333,0,0,33.3333,1514.7,1766.48)">
                </g>
@@ -275,7 +273,7 @@
                <text x="1422.64px" y="1612.61px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">32</text>
                <g transform="matrix(33.75,0,0,33.75,1463.15,1683.44)">
                </g>
-                <text x="1284.34px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pa<tspan x="1321.73px 1339.08px 1348.9px " y="1683.44px 1683.44px 1683.44px ">ylo</tspan>ad  64</text>
+                <text x="1279.71px" y="1683.44px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.75px;">pack<tspan x="1349.61px " y="1683.44px ">a</tspan>ge  64</text>
            </g>
            <g transform="matrix(1.33216,0,0,1.24734,129.333,240.128)">
                <path d="M891.165,2388.54L1187.72,2388.54" style="fill:none;stroke:rgb(64,63,73);stroke-width:2.66px;"/>
@@ -285,13 +283,13 @@
            </g>
            <g transform="matrix(0.410953,0,0,0.095385,1594.58,2286.53)">
                <path d="M1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
-                <path d="M1631.81,603.515L1631.81,899.299C1631.81,985.017 1617.24,1054.61 1599.29,1054.61L657.366,1054.61C639.418,1054.61 624.846,985.017 624.846,899.299L624.846,603.515C624.846,517.797 639.418,448.205 657.366,448.205L1599.29,448.205C1617.24,448.205 1631.81,517.797 1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
+                <path d="M1631.81,603.515L1631.81,899.299L1631.15,930.502L1629.25,959.805L1626.24,986.218L1622.29,1009.11L1617.49,1028.01L1611.96,1042.35L1605.83,1051.45L1599.29,1054.61L657.366,1054.61L650.833,1051.45L644.697,1042.35L639.166,1028.01L634.372,1009.11L630.416,986.218L627.414,959.805L625.507,930.502L624.846,899.299L624.846,603.515L625.507,572.312L627.414,543.009L630.416,516.596L634.372,493.7L639.166,474.808L644.697,460.468L650.833,451.364L657.366,448.205L1599.29,448.205L1605.83,451.364L1611.96,460.468L1617.49,474.808L1622.29,493.7L1626.24,516.596L1629.25,543.009L1631.15,572.312L1631.81,603.515ZM1608.99,603.515C1608.99,577.941 1604.65,557.179 1599.29,557.179L657.366,557.179C652.012,557.179 647.664,577.941 647.664,603.515L647.664,899.299C647.664,924.873 652.012,945.635 657.366,945.635L1599.29,945.635C1604.65,945.635 1608.99,924.873 1608.99,899.299L1608.99,603.515Z" style="fill:rgb(255,211,152);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,358.999,-768.503)">
+            <g transform="matrix(1.12527,0,0,1.24734,385.58,-768.503)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(212,226,247);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(212,226,247);"/>
            </g>
-            <g transform="matrix(1.12527,0,0,1.24734,423.794,-768.503)">
+            <g transform="matrix(1.12527,0,0,1.24734,437.085,-768.503)">
                <rect x="1454.89" y="2496.4" width="25.344" height="20.909" style="fill:rgb(253,180,218);"/>
                <path d="M1484.4,2496.4L1484.4,2517.3C1484.4,2519.61 1482.53,2521.47 1480.23,2521.47L1454.89,2521.47C1452.59,2521.47 1450.72,2519.61 1450.72,2517.3L1450.72,2496.4C1450.72,2494.1 1452.59,2492.23 1454.89,2492.23L1480.23,2492.23C1482.53,2492.23 1484.4,2494.1 1484.4,2496.4ZM1480.23,2496.4L1454.89,2496.4L1454.89,2517.3L1480.23,2517.3L1480.23,2496.4Z" style="fill:rgb(253,180,218);"/>
            </g>
@@ -311,7 +309,7 @@
            <g transform="matrix(1.12527,0,0,1.24734,542.396,463.835)">
                <text x="1171.58px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidi</text>
                <text x="1171.58px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">sidr</text>
-                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">biscuit</text>
+                <text x="1171.58px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">b<tspan x="1190.01px 1196.74px 1211.78px 1226.21px 1243.91px 1250.64px 1261.78px 1276.71px 1291.14px " y="1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px 1528.98px ">iscuit_ct</tspan></text>
                <g transform="matrix(33.3333,0,0,33.3333,1238.74,1570.64)">
                </g>
                <text x="1171.58px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">aut<tspan x="1219.81px " y="1570.64px ">h</tspan></text>
@@ -319,7 +317,7 @@
            <g transform="matrix(1.12527,0,0,1.24734,586.601,463.835)">
                <text x="1463.37px" y="1445.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
                <text x="1463.37px" y="1487.31px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">4</text>
-                <text x="1249.67px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76 + 24 + 16 =</text>
+                <text x="1275.47px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:25px;">76+24+16 =</text>
                <text x="1423.37px" y="1528.98px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">116</text>
                <text x="1443.37px" y="1570.64px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">16</text>
                <text x="1286.77px" y="1641.48px" style="font-family:'Nunito-Regular', 'Nunito';font-size:33.333px;">pa<tspan x="1323.71px 1340.84px 1350.54px " y="1641.48px 1641.48px 1641.48px ">ylo</tspan>ad  140</text>
--- a/papers/references.bib
+++ b/papers/references.bib
@@ -179,25 +179,22 @@
@techreport{mceliece,
    title = {{C}lassic {M}c{E}liece: conservative code-based cryptography},
    author = {Martin R. Albrecht and Daniel J. Bernstein and Tung Chou and Carlos Cid and Jan Gilcher and Tanja Lange and Varun Maram and Ingo von Maurich and Rafael Misoczki and Ruben Niederhagen and Kenneth G. Paterson and Edoardo Persichetti and Christiane Peters and Peter Schwabe and Nicolas Sendrier and Jakub Szefer and Cen Jung Tjhai and Martin Tomlinson and Wen Wang},
-    year = 2022,
+    year = 2020,
    month = 10,
-    day = 23,
-    type = {NIST Post-Quantum Cryptography Round 4 Submission},
-    url = {https://classic.mceliece.org/}
+    day = 10,
+    type = {NIST Post-Quantum Cryptography Round 3 Submission},
+    url={https://classic.mceliece.org/nist/mceliece-20201010.pdf},
 }

@techreport{kyber,
-    title = {CRYSTALS-Kyber},
-    author = {Roberto Avanzi and Joppe Bos and Léo Ducas and Eike Kiltz and Tancrède Lepoint and
-Vadim Lyubashevsky and John M. Schanck and Peter Schwabe and Gregor Seiler and Damien Stehlé},
-    year = 2020,
-    month = 10,
-    day = 1,
-    type = {NIST Post-Quantum Cryptography Selected Algorithm},
-    url = {https://pq-crystals.org/kyber/}
+  title={CRYSTALS-Kyber algorithm specifications and supporting documentation},
+  author={Avanzi, Roberto and Bos, Joppe and Ducas, L{\'e}o and Kiltz, Eike and Lepoint, Tancr{\`e}de and Lyubashevsky, Vadim and Schanck, John M and Schwabe, Peter and Seiler, Gregor and Stehl{\'e}, Damien and others},
+  year = 2021,
+  month = 08,
+  day = 04,
+  url = {https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf}
 }

-
@misc{SHAKE256,
  author   = "National Institute of Standards and Technology",
  title    = "FIPS PUB 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions",
@@ -206,3 +203,18 @@ Vadim Lyubashevsky and John M. Schanck and Peter Schwabe and Gregor Seiler and D
  doi      = {10.6028/NIST.FIPS.202}
 }

+@misc{boneh_shoup_graduate,
+  title  = "A graduate course in applied cryptography",
+  author = "Dan Boneh and Victor Shoup",
+  url    = "https://toc.cryptobook.us/",
+  year   = {2023},
+}
+
+@inproceedings{hmac,
+  title={Keying hash functions for message authentication},
+  author={Bellare, Mihir and Canetti, Ran and Krawczyk, Hugo},
+  booktitle={Annual international cryptology conference},
+  pages={1--15},
+  year={1996},
+  organization={Springer}
+}
--- a/papers/whitepaper.md
+++ b/papers/whitepaper.md
@@ -21,10 +21,10 @@ abstract: |

 \enlargethispage{5mm}
 \setupimage{label=img:KeyExchangeProt,width=.9\linewidth}
-![Rosenpass Key Exchange Protocol](graphics/rosenpass-wp-key-exchange-protocol-rgb.svg)
+![Rosenpass Key Exchange Protocol](graphics/rosenpass-wp-key-exchange-protocol.svg)

 \setupimage{label=img:MessageTypes}
-![Rosenpass Message Types](graphics/rosenpass-wp-message-types-rgb.svg)
+![Rosenpass Message Types](graphics/rosenpass-wp-message-types.svg)

 \clearpage

@@ -68,11 +68,13 @@ All symmetric keys and hash values used in Rosenpass are 32 bytes long.

 ### Hash {#hash}

-A keyed hash function with one 32-byte input, one variable-size input, and one 32-byte output. As keyed hash function we offer two options that can be configured on a peer-basis, with Blake2s being the default:
+A keyed hash function with one 32-byte input, one variable-size input, and one 32-byte output. As keyed hash function we offer two options that can be configured on a peer-basis, with Blake2b being the default:

-1. the HMAC construction [@rfc_hmac] with BLAKE2s [@rfc_blake2] as the inner hash function.
+1. an **incorrect** HMAC construction [@rfc_hmac] with BLAKE2b [@rfc_blake2] as the inner hash function. See Sec. \ref{incorrect-hmac} for details.
 2. the SHAKE256 extendable output function (XOF) [@SHAKE256] truncated to a 32-byte output. The result is produced be concatenating the 32-byte input with the variable-size input in this order.

+The use of BLAKE2b is being phased out.
+
 ```pseudorust
 hash(key, data) -> key
 ```
@@ -98,7 +100,7 @@ XAEAD::dec(key, nonce, ciphertext, additional_data) -> plaintext

 ### SKEM {#skem}

-“Key Encapsulation Mechanism” (KEM) is the name of an interface widely used in post-quantum-secure protocols. KEMs can be seen as asymmetric encryption specifically for symmetric keys. Rosenpass uses two different KEMs. SKEM is the key encapsulation mechanism used with the static keypairs in Rosenpass. The public keys of these keypairs are not transmitted over the wire during the protocol. We use Classic McEliece 460896 [@mceliece] which claims to be as hard to break as 192-bit AES. As one of the oldest post-quantum-secure KEMs, it enjoys wide trust among cryptographers, but it has not been chosen for standardization by NIST. Its ciphertexts and private keys are small (188 bytes and 13568 bytes), and its public keys are large (524160 bytes). This fits our use case: public keys are exchanged out-of-band, and only the small ciphertexts have to be transmitted during the handshake.
+“Key Encapsulation Mechanism” (KEM) is the name of an interface widely used in post-quantum-secure protocols. KEMs can be seen as asymmetric encryption specifically for symmetric keys. Rosenpass uses two different KEMs. SKEM is the key encapsulation mechanism used with the static keypairs in Rosenpass. The public keys of these keypairs are not transmitted over the wire during the protocol. We use Classic McEliece 460896\footnote{The exact Classic McEliece version is from the NIST-Competition, Round 3: \par https://classic.mceliece.org/nist/mceliece-20201010.tar.gz}[@mceliece] which claims to be as hard to break as 192-bit AES. As one of the oldest post-quantum-secure KEMs, it enjoys wide trust among cryptographers, but it has not been chosen for standardization by NIST. Its ciphertexts and secret keys are small (188 bytes and 13568 bytes), and its public keys are large (524160 bytes). This fits our use case: public keys are exchanged out-of-band, and only the small ciphertexts have to be transmitted during the handshake.

 ```pseudorust
 SKEM::enc(public_key) -> (ciphertext, shared_key)
@@ -107,7 +109,7 @@ SKEM::dec(secret_key, ciphertext) -> shared_key

 ### EKEM

-Key encapsulation mechanism used with the ephemeral KEM keypairs in Rosenpass. The public keys of these keypairs need to be transmitted over the wire during the protocol. We use Kyber-512 [@kyber], which has been selected in the NIST post-quantum cryptography competition and claims to be as hard to break as 128-bit AES. Its ciphertexts, public keys, and private keys are 768, 800, and 1632 bytes long, respectively, providing a good balance for our use case as both a public key and a ciphertext have to be transmitted during the handshake.
+Key encapsulation mechanism used with the ephemeral KEM keypairs in Rosenpass. The public keys of these keypairs need to be transmitted over the wire during the protocol. We use Kyber-512\footnote{The exact Kyber version is from the NIST-Competition, Round 3: \par https://pq-crystals.org/kyber/data/kyber-submission-nist-round3.zip \par https://pq-crystals.org/kyber/data/kyber-specification-round3-20210804.pdf}[@kyber], which has been selected in the NIST post-quantum cryptography competition and claims to be as hard to break as 128-bit AES. Its ciphertexts, public keys, and secret keys are 768, 800, and 1632 bytes long, respectively, providing a good balance for our use case as both a public key and a ciphertext have to be transmitted during the handshake.

 ```pseudorust
 EKEM::enc(public_key) -> (ciphertext, shared_key)
@@ -118,7 +120,46 @@ Using a combination of two KEMs – Classic McEliece for static keys and Kyber f

 Rosenpass uses libsodium [@libsodium] as cryptographic backend for hash, AEAD, and XAEAD, and liboqs [@liboqs] for the post-quantum-secure KEMs.

-## Variables {#variables}
+## Protocol Roles {#roles}
+
+The protocol specifies two roles: initiator and responder.
+
+* initiator – The party that starts a handshake.
+* responder – The party that does not start a handshake.
+
+All Rosenpass instances operate in either mode; the traditional "client"/"server" distinction does not apply to the Rosenpass protocol. We sometimes use the term "server". In these cases, we generally refer to the "Rosenpass Server," as in the application that implements the Rosenpass protocol, not to a server/client distinction.
+
+The initiator is stateful, and directs the handshake process. The responder is stateless for most of the protocol and reacts to the initiator's messages; this is important to protect our protocol against state disruption (protocol level denial of service) attacks. Since the responder does require some state to complete the protocol, this state is moved into an encrypted cookie, called "biscuit".
+
+The number of concurrent responder-role handshakes with another client is unlimited to account for the possibility of an imposter trying to execute a handshake: before completion of said handshake, there is no way to figure out which peer is an imposter and which peer is a legitimate party; any attempt to do so might lead to a state-disruption attack -- denial of service on the protocol level.
+
+There is no particular mechanism to negotiate which party acts as initiator and which acts as responder. At startup and when a key exchange is timer-triggered, Rosenpass will *initiate* a key exchange in initiator mode. At startup of another peer, and when they start a timer-triggered key exchange, the local server will *respond* in responder mode.
+
+Implementations must account for one ongoing initiator-role key exchange and many ongoing responder-role key exchanges. Upon receiving a well-formed InitConf package and successfully completing a responder-role key exchange, implementations should abort any ongoing initiator-role key exchange. Implementations should also use different back-off periods depending on whether the handshake was completed in initiator role or in responder role. The following values are used in the Rust reference implementation:
+
+- Initiator rekey interval: 130s
+- Responder rekey interval: 120s
+
+In practice these delays cause participants to take turns acting as initiator and acting as responder, since the ten-second difference is usually enough for the handshake with switched roles to complete before the old initiator's rekey timer goes to zero.
+
+## Packages {#packages}
+
+The packages, their contents, and their type IDs are graphically represented in Fig. \ref{img:MessageTypes}. Their purposes are:
+
+* \textbf{Envelope} – This is not a package on its own; it is the envelope all the other packages are put into.
+* \textbf{InitHello} – First package of the handshake, from initiator to responder.
+* \textbf{RespHello} – Second package of the handshake, from responder to initiator.
+* \textbf{InitConf} – Third package of the handshake, from initiator to responder.
+* \textbf{EmptyData} – Empty payload package. Used as acknowledgment to abort data retransmission (see Secs. \ref{payload-keys}, \ref{packet-loss}, and function `enter_live()` in Sec. \ref{fn:enter_live}).
+* \textbf{Data} – Transmission of actual payload data is not used in Rosenpass, but the package is still specified since it is part of WireGuard (see Sec. \ref{payload-keys} and function `enter_live()` in Sec. \ref{fn:enter_live}).
+* \textbf{CookieReply} – Used for proof-of-IP-ownership-based denial-of-service mitigation (see Sec. \ref{dos-mitigation}).
+* \textbf{biscuit} – This is not a stand-alone package; instead, it is an encrypted fragment present in \textbf{RespHello} and \textbf{InitConf}.
+
+## Endianness {#endianess}
+
+Unless otherwise specified, all integer values in the Rosenpass protocol use little-endian encoding.
+
+## Variables and Domain Separators {#variables}

 ### KEM Keypairs and Ciphertexts

@@ -138,10 +179,10 @@ Rosenpass uses multiple keypairs, ciphertexts, and plaintexts for key encapsulat

 These values use a naming scheme consisting of four lower-case characters. The first character indicates whether the key is static `s` or ephemeral `e`. The second character is an `s` or a `p` for secret or public. The third character is always a `k`. The fourth and final character is an `i`, `r`, `m`, or `t`, for `initiator`, `responder`, `mine`, or `theirs`. The initiator's static public key for instance is `spki`. During execution of the protocol, three KEM ciphertexts are produced: `scti`, `sctr`, and `ecti`.

-Besides the initiator and responder roles, we define the roles `mine` and `theirs` (`m`/`t`). These are sometimes used in the code when the assignment to initiator or responder roles is flexible. As an example, “this server's” static secret key is `sskm`, and the peer's public key is `spkt`.
+Besides the initiator and responder roles, we define the roles `mine` and `theirs` (`m`/`t`). These are sometimes used in the code when the assignment to initiator or responder roles is flexible. As an example, our static secret key is `sskm`, and the peer's public key is `spkt`.


-### IDs
+### IDs {#peer-ids}

 Rosenpass uses two types of ID variables. See Figure \ref{img:HashingTree} for how the IDs are calculated.

@@ -168,33 +209,103 @@ We mix all key material (e.g. `psk`) into the chaining key and derive symmetric

 The protocol allows for multiple `osk`s to be generated; each of these keys is labeled with a domain separator to make sure different key usages are always given separate keys. The domain separator for using Rosenpass and WireGuard together is a token generated using the domain separator sequence `["rosenpass.eu", "wireguard psk"]` (see Fig. \ref{img:HashingTree}), as described in \ref{protocol-extension-wireguard-psk}. Third-parties using Rosenpass-keys for other purposes are asked to define their own protocol-extensions. Standard protocol extensions are described in \ref{protocol-extensions}.

+#### Symmetric Keys and Nonces for payload data transmission {#payload-keys}
+
+Keys generated by the Rosenpass key exchange could be used for encryption of payload data if post-quantum security but not hybrid post-quantum security is a goal. Despite this, we do not generally offer payload transmission in the protocol. Instead, the Rosenpass protocol focuses on providing a key exchange, letting external applications handle data transmission. When used with WireGuard, the default use case, this integration also ensures hybrid security.
+
+Still we specify the `Data` and `EmptyData` packets. `Data` is not used, but we still specify it as the same packet is also present in WireGuard. `EmptyData` is used for packet retransmission (see Sec. \ref{packet-loss}).
+
+We also specify how symmetric keys are generated for payload encryption. See Sec. {#live-session-state} and the function `enter_live()` (Sec. \ref{fn:enter_live}).
+
+Keys and nonces for this purpose use the following naming scheme:
+
+\begin{namepartpicture}
+\namepart{tx=Transmission,rx=Reception}
+\namepart[3.5cm]{k=Key,n=Nonce}
+\namepart[7cm]{i=Initiator,r=Responder,m=Mine,t=Theirs}
+\begin{scope}[decoration={brace,amplitude=5mm},thick]
+\namebraceright{tx}{rx}
+\namebraceleft{k}{n}
+\namebraceright{k}{n}
+\namebraceleft{i}{t}
+\end{scope}
+\end{namepartpicture}
+
+Note that this scheme is deliberately redundant. For instance, when we are the initiator, then `txki = rxki = txkm = rxkt`. I.e. the initiator's transmission key is the responder's reception key. Since we are the initiator, the initiator's transmission key is also the transmission key of `mine` and the reception key of `theirs`.
+
+There also is a -- now deprecated -- naming scheme:
+
+\begin{namepartpicture}
+\namepart{ini=Initiator,res=Responder,hs=Handshake}
+\SingleNamePart[3.5cm]{enc}{\textunderscore{}enc}{Encryption}
+\begin{scope}[decoration={brace,amplitude=5mm},thick]
+\namebraceright{ini}{hs}
+\namebraceleft{enc}{enc}
+\end{scope}
+\end{namepartpicture}
+
+`ini_enc = txki = rxkr` and `res_enc = txkr = rxki`, but this usage is deprecated. The third name `hs_enc` is for encryption as part of the key exchange itself; this name is still in use.
+
+### Labels
+
+Fig. \ref{img:HashingTree} specifies multiple domain separators for various uses.
+
+* `PROTOCOL` (`[0, PROTOCOL]`) – The global domain separator; used to generate more domain separators.
+
+Immediately below the global domain separator, you can find:
+
+* `"mac"` – Network package integrity verification and pre-authentication with `spkt`. See Sec. \ref{envelope-mac-field}.
+* `"cookie"` – Denial of Service mitigation through proof-of-ip ownership. See Sec. \ref{dos-mitigation}.
+* `"peer id"` – Generation of peer ids. See Sec. \ref{peer-ids}.
+* `"biscuit additional data"` – Storing the protocol state in encrypted cookies so the responder is stateless. See Sec. \ref{hs-state-and-biscuits}.
+* `"chaining key init"` – Starting point for the execution of the actual rosenpass protocol.
+* `"chaining key extract"` – Key derivation from the current protocol state, the chaining key. See Sec. \ref{symmetric-keys}.
+
+Below `"chaining key extract"`, there are multiple labels, generating domain separators for deriving keys for various purposes during the execution of the protocol.
+
+It is important to understand that there are two phases for these labels, e.g. applying the `"mix"` label produces a random fixed-size hash value we call `mix`. Not the label `"mix"` but the resulting hash value is used to derive keys during protocol execution. This allows us to use very complicated label structures for key derivation without losing efficiency.
+
+The different labels are:
+
+* `"mix"` – Mixing further values into the chaining key; i.e. into the protocol state.
+* `"user"` – Labels for external uses; these are what generate the `osk` (output shared key). See Sec. \ref{symmetric-keys}.
+* `"handshake encryption"` – Used when encrypting data using a shared key as part of the protocol execution; e.g. used to generate the `auth` (authentication tag) fields in protocol packages.
+* `"initiator handshake encryption"` and `"responder handshake encryption"` – For transmission of data after the key-exchange finishes. See Sec. \ref{symmetric-keys}.

 ## Hashes

 Rosenpass uses a cryptographic hash function for multiple purposes:

 * Computing the message authentication code in the message envelope as in WireGuard
-* Computing the cookie to guard against denial of service attacks. This is a feature adopted from WireGuard, but not yet included in the implementation of Rosenpass.
+* Computing the cookie to guard against denial of service attacks.
 * Computing the peer ID
 * Key derivation during and after the handshake
 * Computing the additional data for the biscuit encryption, to provide some privacy for its contents

-Recall from Section \ref{hash} that rosenpass supports using either BLAKE2s or SHAKE256 as hash function, which can be configured for each peer ID. However, as noted above, rosenpass uses a hash function to compute the peer ID and thus also to access the configuration for a peer ID. This is an issue when receiving an `InitHello`-message, because the correct hash function is not known when a responder receives this message and at the same the responders needs it in order to compute the peer ID and by that also identfy the hash function for that peer. The reference implementation resolves this issue by first trying to derive the peer ID using SHAKE256. If that does not work (i.e. leads to an AEAD decryption error), the reference implementation tries again with BLAKE2s. The reference implementation verifies that the hash function matches the one confgured for the peer. Similarly, if the correct peer ID is not cached when receiving an InitConf message, the reference implementation proceeds in the same manner.
+Recall from Section \ref{hash} that rosenpass supports using either BLAKE2b or SHAKE256 as hash function, which can be configured for each peer ID. However, as noted above, rosenpass uses a hash function to compute the peer ID and thus also to access the configuration for a peer ID. This is an issue when receiving an `InitHello`-message, because the correct hash function is not known when a responder receives this message and at the same the responders needs it in order to compute the peer ID and by that also identfy the hash function for that peer. The reference implementation resolves this issue by first trying to derive the peer ID using SHAKE256. If that does not work (i.e. leads to an AEAD decryption error), the reference implementation tries again with BLAKE2b. The reference implementation verifies that the hash function matches the one confgured for the peer. Similarly, if the correct peer ID is not cached when receiving an InitConf message, the reference implementation proceeds in the same manner.

 Using one hash function for multiple purposes can cause real-world security issues and even key recovery attacks [@oraclecloning]. We choose a tree-based domain separation scheme based on a keyed hash function – the previously introduced primitive `hash` – to make sure all our hash function calls can be seen as distinct.

 \setupimage{landscape,fullpage,label=img:HashingTree}
-![Rosenpass Hashing Tree](graphics/rosenpass-wp-hashing-tree-rgb.svg)
+![Rosenpass Hashing Tree](graphics/rosenpass-wp-hashing-tree.svg)

 Each tree node $\circ{}$ in Figure \ref{img:HashingTree} represents the application of the keyed hash function, using the previous chaining key value as first parameter. The root of the tree is the zero key. In level one, the `PROTOCOL` identifier is applied to the zero key to generate a label unique across cryptographic protocols (unless the same label is deliberately used elsewhere). In level two, purpose identifiers are applied to the protocol label to generate labels to use with each separate hash function application within the Rosenpass protocol. The following layers contain the inputs used in each separate usage of the hash function: Beneath the identifiers `"mac"`, `"cookie"`, `"peer id"`, and `"biscuit additional data"` are hash functions or message authentication codes with a small number of inputs. The second, third, and fourth column in Figure \ref{img:HashingTree} cover the long sequential branch beneath the identifier `"chaining key init"` representing the entire protocol execution, one column for each message processed during the handshake. The leaves beneath `"chaining key extract"` in the left column represent pseudo-random labels for use when extracting values from the chaining key during the protocol execution. These values such as `mix >` appear as outputs in the left column, and then as inputs `< mix` in the other three columns.

-The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s [@rfc_blake2] is used:
+The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2b [@rfc_blake2] is used:

 ```pseudorust
-PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 hash=blake2s ekem=kyber512 skem=mceliece460896 xaead=xchachapoly1305"
+PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 BLAKE2s"
+```
+Note that the domain separator used here maintains that BLAKE2s is used, while in
+reality, we use BLAKE2b. The reason for this is an implementation error. Since fixing this would have led to a breaking change in the Rosenpass reference implementation, and all other known implementations of Rosenpass simply reproduced this error, we chose to harmonize the white paper with the implementation instead of fixing the implementation.
+
+If SHAKE256 [@SHAKE256] is used, then `BLAKE2s` is substituted with `SHAKE256`:
+
+```pseudorust
+PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 SHAKE256"
 ```

-If SHAKE256 [@SHAKE256] is used, `blake2s` is replaced by `shake256` in `PROTOCOL`. Since every tree node represents a sequence of `hash` calls, the node beneath `"handshake encryption"` called `hs_enc` can be written as follows:
+Since every tree node represents a sequence of `hash` calls, the node beneath `"handshake encryption"` called `hs_enc` can be written as follows:

 ```pseudorust
 hs_enc = hash(hash(hash(0, PROTOCOL), "chaining key extract"), "handshake encryption")
@@ -218,7 +329,7 @@ hs_enc = hash(hash(hash(0, PROTOCOL), "chaining key extract"), "handshake encryp
       = lhash("chaining key extract", "handshake encryption")
 ```

-## Server State
+## Rosenpass Server State

 ### Global

@@ -242,9 +353,9 @@ For each peer, the server stores:
 * `psk` – The pre-shared key used with the peer
 * `spkt` – The peer's public key
 * `biscuit_used` – The `biscuit_no` from the last biscuit accepted for the peer as part of InitConf processing
-* `hash_function` – The hash function, SHAKE256 or BLAKE2s, used with the peer.
+* `hash_function` – The hash function, SHAKE256 or BLAKE2b, used with the peer.

-### Handshake State and Biscuits
+### Handshake State and Biscuits {#hs-state-and-biscuits}

 The initiator stores the following local state for each ongoing handshake:

@@ -265,9 +376,13 @@ The responder stores no state. While the responder has access to all of the abov

 The biscuit is encrypted with the `XAEAD` primitive and a randomly chosen nonce. The values `sidi` and `sidr` are transmitted publicly as part of InitConf, so they do not need to be present in the biscuit, but they are added to the biscuit's additional data to make sure the correct values are transmitted as part of InitConf.

-The `biscuit_key` used to encrypt biscuits should be rotated every two minutes. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when `biscuit_key` is rotated.
+The `biscuit_key` used to encrypt biscuits should be rotated frequently. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when `biscuit_key` is rotated. The Rosenpass reference implementation retires biscuits after five minutes and erases them after ten.

-### Live Session State
+### Live Session State {#live-session-state}
+
+These variables are used after the handshake terminates for encryption of the \textbf{Data} and \textbf{EmptyData} packages.
+\textbf{EmptyData} is used as an acknowledgement package to terminate package retransmission (see Sec. \ref{packet-loss}).
+\textbf{Data} would be used for transmission of actual payload, but this feature is currently not specified for Rosenpass. Despite this, we do specify the however as it is also part of WireGuard.

 * `ck` – The chaining key
 * `sidm` – Our session ID (“mine”)
@@ -277,6 +392,13 @@ The `biscuit_key` used to encrypt biscuits should be rotated every two minutes.
 * `txkt` – Peer's transmission key
 * `txnt` – Peer's transmission nonce

+## Protocol Code {#functions}
+
+The main reference for how messages are processed in the Rosenpass protocol can be found in Fig. \ref{img:HandlingCode}. The figure uses Rust-like pseudo code.
+
+\setupimage{landscape,fullpage,label=img:HandlingCode}
+![Rosenpass Message Handling Code](graphics/rosenpass-wp-message-handling-code.svg)
+
 ## Helper Functions {#functions}

 Given the peer ID, look up the peer and load the peer's variables.
@@ -347,13 +469,13 @@ Rosenpass is built with KEMs, not with NIKEs (Diffie-Hellman-style operations);
 ```pseudorust
 fn encaps_and_mix<T: KEM>(pk) {
    let (ct, shk) = T::enc(pk);
-    mix(pk, ct, shk);
+    mix(pk, shk, ct);
    ct
 }

 fn decaps_and_mix<T: KEM>(sk, pk, ct) {
    let shk = T::dec(sk, ct);
-    mix(pk, ct, shk);
+    mix(pk, shk, ct);
 }
 ```

@@ -375,40 +497,40 @@ fn store_biscuit() {
      "biscuit additional data",
      spkr, sidi, sidr);
    let ct = XAEAD::enc(k, n, pt, ad);
-    let nct = concat(n, ct);
+    let biscuit_ct = concat(n, ct);

-    mix(nct)
-    nct
+    mix(biscuit_ct)
+    biscuit_ct
 }
 ```
-Note that the `mix(nct)` call updates the chaining key, but that update does not make it into the biscuit. Therefore, `mix(nct)` is reapplied in `load_biscuit`. The responder handshake code also needs to reapply any other operations modifying `ck` after calling `store_biscuit`. The handshake code on the initiator's side also needs to call `mix(nct)`.
+Note that the `mix(biscuit_ct)` call updates the chaining key, but that update does not make it into the biscuit. Therefore, `mix(biscuit_ct)` is reapplied in `load_biscuit`. The responder handshake code also needs to reapply any other operations modifying `ck` after calling `store_biscuit`. The handshake code on the initiator's side also needs to call `mix(biscuit_ct)`.


 ```pseudorust
-fn load_biscuit(nct) {
+fn load_biscuit(biscuit_ct) {
    // Decrypt the biscuit
    let k = biscuit_key;
-    let (n, ct) = nct;
+    let concat(n, ct) = biscuit_ct;
    let ad = lhash(
      "biscuit additional data",
      spkr, sidi, sidr);
    let pt : Biscuit = XAEAD::dec(k, n, ct, ad);

    // Find the peer and apply retransmission protection
-    lookup_peer(pt.peerid);
+    lookup_peer(pt.pidi);

-    // In December 2024, the InitConf retransmission mechanisim was redesigned
+    // In December 2024, the InitConf retransmission mechanism was redesigned
    // in a backwards-compatible way. See the changelog.
    //
    // -- 2024-11-30, Karolin Varner
    if (protocol_version!(< "0.3.0")) {
        // Ensure that the biscuit is used only once
-        assert(pt.biscuit_no <= peer.biscuit_used);
+        assert(pt.biscuit_no >= peer.biscuit_used);
    }

    // Restore the chaining key
    ck ← pt.ck;
-    mix(nct);
+    mix(biscuit_ct);

    // Expose the biscuit no,
    // so the handshake code can differentiate
@@ -417,6 +539,8 @@ fn load_biscuit(nct) {
 }
 ```

+\phantomsection\label{fn:enter_live}
+
 Entering the live session is very simple in Rosenpass – we just use `extract_key` with dedicated identifiers to derive initiator and responder keys.

 ```pseudorust
@@ -462,13 +586,15 @@ The responder code handling InitConf needs to deal with the biscuits and package

 ICR5 and ICR6 perform biscuit replay protection using the biscuit number. This is not handled in `load_biscuit()` itself because there is the case that `biscuit_no = biscuit_used` which needs to be dealt with for retransmission handling.

-### Denial of Service Mitigation and Cookies
+### Denial of Service Mitigation and Cookies {#dos-mitigation}

-Rosenpass derives its cookie-based DoS mitigation technique for a responder when receiving InitHello messages from Wireguard [@wg].
+Rosenpass derives its cookie-based DoS mitigation technique for a responder when receiving InitHello messages from WireGuard [@wg].
+
+**This is currently implemented in the Rosenpass implementation but still considered an experimental feature and not enabled by default.**

 When the responder is under load, it may choose to not process further InitHello handshake messages, but instead to respond with a cookie reply message (see Figure \ref{img:MessageTypes}).

-The sender of the exchange then uses this cookie in order to resend the message and have it accepted the following time by the reciever.
+The sender of the exchange then uses this cookie in order to resend the message and have it accepted the following time by the receiver.

 For an initiator, Rosenpass ignores all messages when under load.

@@ -483,9 +609,9 @@ cookie_encrypted = XAEAD(lhash("cookie-key", spkm), nonce, cookie_value, mac_pee

 where `cookie_secret` is a secret variable that changes every two minutes to a random value. Moreover, `lhash` is always instantiated with SHAKE256 when computing `cookie_value` for compatability reasons.  `initiator_host_info` is used to identify the initiator host, and is implementation-specific for the client. This paramaters used to identify the host must be carefully chosen to ensure there is a unique mapping, especially when using IPv4 and IPv6 addresses to identify the host (such as taking care of IPv6 link-local addresses). `cookie_value` is a truncated 16 byte value from the above hash operation. `mac_peer` is the `mac` field of the peer's handshake message to which message is the reply.

-#### Envelope `mac` Field
+#### Envelope `mac` Field {#envelope-mac-field}

-Similar to `mac.1` in Wireguard handshake messages, the `mac` field of a Rosenpass envelope from a handshake packet sender's point of view consists of the following:
+Similar to `mac.1` in WireGuard handshake messages, the `mac` field of a Rosenpass envelope from a handshake packet sender's point of view consists of the following:

 ```pseudorust
 mac = lhash("mac", spkt, MAC_WIRE_DATA)[0..16]
@@ -508,7 +634,7 @@ else {
 }
 ```

-Here, `seconds_since_update(peer.cookie_value)` is the amount of time in seconds ellapsed since last cookie was received, and `COOKIE_WIRE_DATA` are the message contents of all bytes of the retransmitted message prior to the `cookie` field.
+Here, `seconds_since_update(peer.cookie_value)` is the amount of time in seconds elapsed since last cookie was received, and `COOKIE_WIRE_DATA` are the message contents of all bytes of the retransmitted message prior to the `cookie` field.

 The inititator can use an invalid value for the `cookie` value, when the responder is not under load, and the responder must ignore this value.
 However, when the responder is under load, it may reject InitHello messages with the invalid `cookie` value, and issue a cookie reply message.
@@ -517,18 +643,18 @@ However, when the responder is under load, it may reject InitHello messages with

 This whitepaper does not mandate any specific mechanism to detect responder contention (also mentioned as the under load condition) that would trigger use of the cookie mechanism.

-For the reference implemenation, Rosenpass has derived inspiration from the Linux implementation of Wireguard.  This implementation suggests that the reciever keep track of the number of messages it is processing at a given time.
+For the reference implemenation, Rosenpass has derived inspiration from the Linux implementation of WireGuard.  This implementation suggests that the receiver keep track of the number of messages it is processing at a given time.

-On receiving an incoming message, if the length of the message queue to be processed exceeds a threshold `MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD`, the client is considered under load and its state is stored as under load. In addition, the timestamp of this instant when the client was last under load is stored. When recieving subsequent messages, if the client is still in an under load state, the client will check if the time ellpased since the client was last under load has exceeded `LAST_UNDER_LOAD_WINDOW` seconds. If this is the case, the client will update its state to normal operation, and process the message in a normal fashion.
+On receiving an incoming message, if the length of the message queue to be processed exceeds a threshold `MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD`, the client is considered under load and its state is stored as under load. In addition, the timestamp of this instant when the client was last under load is stored. When recieving subsequent messages, if the client is still in an under load state, the client will check if the time elapsed since the client was last under load has exceeded `LAST_UNDER_LOAD_WINDOW` seconds. If this is the case, the client will update its state to normal operation, and process the message in a normal fashion.

-Currently, the following constants are derived from the Linux kernel implementation of Wireguard:
+Currently, the following constants are derived from the Linux kernel implementation of WireGuard:

 ```pseudorust
 MAX_QUEUED_INCOMING_HANDSHAKES_THRESHOLD = 4096
 LAST_UNDER_LOAD_WINDOW = 1 //seconds
 ```

-## Dealing with Packet Loss
+## Dealing with Packet Loss {#packet-loss}

 The initiator deals with packet loss by storing the messages it sends to the responder and retransmitting them in randomized, exponentially increasing intervals until they get a response. Receiving RespHello terminates retransmission of InitHello. A Data or EmptyData message serves as acknowledgement of receiving InitConf and terminates its retransmission.

@@ -544,6 +670,40 @@ When a responder is under load and it receives an InitHello handshake message, t

 When the responder is under load and it recieves an InitConf message, the message will be directly processed without checking the validity of the cookie field.

+## Timers
+
+The Rosenpass protocol uses various timer-triggered events during its operation. This section provides a listing of the timers used and gives the values used in the reference implementation. Other implementations may choose different values.
+
+### Rekeying
+
+Period after which the previous responder starts a new handshake in initiator role; period after which the previous initiator starts a new handshake in initiator role again; period after which a peer rejects an existing shared key.
+
+```pseudorust
+REKEY_AFTER_TIME_RESPONDER = 120s
+REKEY_AFTER_TIME_INITIATOR = 130s
+REJECT_AFTER_TIME = 180s
+```
+
+### Biscuits
+
+Period after which the biscuit key is rotated.
+
+```pseudorust
+BISCUIT_EPOCH = 300s
+```
+
+### Retransmission
+
+Delay after which all retransmission attempts are aborted; exponential backoff factor for retransmission delay; initial (minimum) retransmission delay; final (maximum) retransmission delay; retransmission jitter/variance factor.
+
+```pseudorust
+RETRANSMIT_ABORT        = 120s
+RETRANSMIT_DELAY_GROWTH = 2
+RETRANSMIT_DELAY_BEGIN  = 500ms
+RETRANSMIT_DELAY_END    = 10s
+RETRANSMIT_DELAY_JITTER = 0.5
+```
+
 # Protocol extensions {#protocol-extensions}

 The main extension point for the Rosenpass protocol is to generate `osk`s (speak output shared keys, see Sec. \ref{symmetric-keys}) for purposes other than using them to secure WireGuard. By default, the Rosenpass application generates keys for the WireGuard PSK (see \ref{protocol-extension-wireguard-psk}). It would not be impossible to use the keys generated for WireGuard in other use cases, but this might lead to attacks[@oraclecloning]. Specifying a custom protocol extension in practice just means settling on alternative domain separators (see Sec. \ref{symmetric-keys}, Fig. \ref{img:HashingTree}).
@@ -651,13 +811,255 @@ fn on_key_timeout() {
 }
 ```

+\begin{minipage}{\textwidth}
 \setupimage{label=img:ExtWireguardPSKHybridSecurity,fullpage}
 ![Rosenpass + WireGuard: Hybrid Security](graphics/rosenpass-wireguard-hybrid-security.pdf)
+\end{minipage}
+
+# Errata {#errata}
+
+## Incorrect HMAC, Hash Function Choice {#incorrect-hmac}
+
+Initially, we chose to use `HMAC+BLAKE2s` for our message authentication code, mostly as a form of cargo cult. WireGuard used BLAKE2s, so we should use it too. BLAKE2 supports a directly keyed mode, so there is not much reason to prefer rolling your own using HMAC from a security standpoint.
+
+It seems likely that WireGuard used HMAC as a heuristic security measure. Message authentication codes, keyed hash functions, had long been constructed by combining HMAC with a hash function; why change that? And there actually is a good reason to use HMAC: Merkle-Damgard constructions have long been the norm for hash functions; their usage was even standardized as MD5 or SHA-2. But Merkle-Damgard constructions are susceptible to extension attacks, where you can calculate `H(message || suffix)` assuming `H(message)` is known to you. HMAC fixes this issue[@boneh_shoup_graduate][@hmac].
+
+
+But SHA-3 (or SHAKE) and BLAKE2 depart from this long-standing status quo: these hash functions are not based on Merkle-Damgard and they are deliberately designed so they are not susceptible to length extension attacks. On top of this, both schemes provide a keyed mode as a feature of the hash function. At this point it makes much more sense to require a keyed hash function, satisfying the PRF ("pseudo random function") security property and the PRF-SWAP security property[@pqwg] instead of building our own keyed hash from a hash function. HMAC can still be used; if someone wanted to operate Rosenpass with SHA2, the best way to do it would be using `HMAC-SHA512` as the underlying keyed hash. We just also allow using `SHAKE256` without an extra application of HMAC.
+
+Unfortunately, there were a couple of errors in the implementation: we should have used BLAKE2s like WireGuard; instead, we used BLAKE2b. We should have implemented HMAC properly, but we failed to do so. For a fixed-length, 32 byte key and a 32 byte block size, the HMAC function is specified as:
+
+```pseudorust
+type Key = [u8; 32];
+type HashFunction = Fn(&[u8]) -> Key;
+
+const INNER_PAD: [u8; KEY_LEN] = [0x36u8; KEY_LEN];
+const OUTER_PAD: [u8; KEY_LEN] = [0x5Cu8; KEY_LEN];
+
+fn hmac<Hash: HashFunction>(h: Hash, key: Key, data: &[u8]) -> Key {
+    // `^` denotes XOR, `||` denotes concatenation
+
+    let inner_key = key ^ INNER_PAD; 
+    let outer_key = key ^ OUTER_PAD;
+
+    let inner_hash = h(inner_key || data);
+    let outer_hash = h(outer_key || inner_hash);
+
+    return outer_hash;
+} 
+```
+
+Instead of implementing this function, we somehow lost track of the fact that HMAC uses concatenation to combine the keys with its data, and instead we built a construction around BLAKE2b in keyed hash mode. That is, we replaced the concatenation with calls to the keyed version of our hash:
+
+```pseudorust
+type Key = [u8; 32];
+type KeyedHashFunction = Fn(Key, &[u8]) -> Key;
+
+const INNER_PAD: [u8; KEY_LEN] = [0x36u8; KEY_LEN];
+const OUTER_PAD: [u8; KEY_LEN] = [0x5Cu8; KEY_LEN];
+
+fn incorrect_rosenpass_hmac<KeyedHash: KeyedHashFunction>(kh: KeyedHashFunction, key: Key, data: &[u8]) -> Key {
+    // `^` denotes XOR, `||` denotes concatenation
+
+    let inner_key = key ^ INNER_PAD; 
+    let outer_key = key ^ OUTER_PAD;
+
+    let inner_hash = kh(inner_key, data);
+    let outer_hash = kh(outer_key, inner_hash);
+
+    return outer_hash;
+} 
+```
+
+We therefore add this section explaining our incorrect HMAC usage to harmonize the white paper with the implementation.
+To ensure compatibility with the existing versions of Rosenpass, you have to replicate this incorrect variant of HMAC.
+
+Neither mistake is assumed to cause security issues. BLAKE2b is a secure hash function.
+There is no reason to assume that our incorrect variant of HMAC-BLAKE2b would be insecure; it is, however, non-standard and needlessly complicates the protocol. We are therefore phasing out usage of HMAC-BLAKE2b in favor of us using SHAKE256 as our keyed hash of choice.

 # Changelog

 ### 0.3.x

+#### 2025-08-10 – Applying fixes from Steffen Vogel proof reading of the whitepaper
+
+\vspace{0.5em}
+
+Author: Karolin varner
+
+Issue: [#68](https://github.com/rosenpass/rosenpass/issues/68)
+
+PR: [#664](https://github.com/rosenpass/rosenpass/)
+
+\vspace{0.5em}
+
+Early in the project lifetime, Steffen Vogel successfully implemented a [port of the Rosenpass protocol in [go](https://github.com/cunicu/go-rosenpass).
+This implementation has not received an in-depth review from a cryptography implementation perspective, which is why we (the Rosenpass project) are not yet recommending this implementation for production usage;
+still, creating this implementation was a great achievement.
+
+During the process, Steffen discovered a large number of possible improvements for the whitepaper. With this update, we are addressing those issues.
+
+This process also ensures that the world knows, that I have ADHD and makes me fix all the little mistakes I could not spot even on the seventh review of the whitepaper.
+
+Changes, in particular:
+
+1. Added a comprehensive reference about labels used in the protocol
+2. Added a comprehensive reference about symmetric keys and nonces used for encryption/decryption (`txki`, `txni`, `ini_enc`, `hs_enc`, …)
+3. Added a comprehensive reference about packages used.
+4. Added an explaining paragraph to section "Live Session State".
+5. Added a section about protocol roles.
+6. Brief section about endianness.
+7. In Fig. 5: Rosenpass Message Handling Code; in IHR5 we replace
+
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        decaps_and_mix<SKEM>(sskr, spkr, ct1)
+        \end{minted}
+    \end{quote}
+
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        decaps_and_mix<SKEM>(sskr, spkr, sctr)
+        \end{minted}
+    \end{quote}
+    ```
+
+8. In `load_biscuit()`, there was a typo doing an incorrect comparison between `biscuit_no` and `biscuit_used`. This is not a security issue, as a verbatim implementation would simply have lead to a non-functional implementation. We replace
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        assert(pt.biscuit_no <= peer.biscuit_used);
+        \end{minted}
+    \end{quote}
+
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        assert(pt.biscuit_no >= peer.biscuit_used);
+        \end{minted}
+    \end{quote}
+    ```
+
+9. In the whitepaper we used the labels `"initiator session encryption"` and `"responder session encryption"`, but in the implementation we used `"initiator handshake encryption"` and `"responder handshake encryption"`. While the whitepaper was correct and the implementation was not, we opt to harmonize the whitepaper with the implementation to avoid a breaking change.
+10. The protocol strings used in the whitepaper where different to the ones used in the implementation. We harmonize the two by updating the whitepaper to reflect the protocol identifier used in the implementation. We substitute
+
+    ``` {=tex}
+    \begin{quote}
+        The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s is used:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "rosenpass 1 rosenpass.eu aead=chachapoly1305 hash=blake2s ekem=kyber512 skem=mceliece460896 xaead=xchachapoly1305"
+        \end{minted}
+
+        If SHAKE256 is used, \texttt{blake2s} is replaced by \texttt{shake256} in \texttt{PROTOCOL}.
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        The protocol identifier depends on the hash function used with the respective peer is defined as follows if BLAKE2s is used:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 BLAKE2s"
+        \end{minted}
+
+        If SHAKE256 is used, then \texttt{BLAKE2s} is substituted with \texttt{SHAKE256}:
+
+        \begin{minted}{pseudorust}
+        PROTOCOL = "Rosenpass v1 mceliece460896 Kyber512 ChaChaPoly1305 SHAKE256"
+        \end{minted}
+    \end{quote}
+    ```
+11. The whitepaper stated that Rosenpass uses BLAKE2s, while the implementation used BLAKE2b; we update the whitepaper to reflect that reality. The places where this substitution happened are a bit too numerous to count them all here. On top of this, we added the following paragraph to explain the discrepancy between `PROTOCOL` and actual hash function used:
+    ``` {=tex}
+    \begin{quote}
+    Note that the domain separator used here maintains that BLAKE2s is used, while in
+    reality, we use BLAKE2b. The reason for this is an implementation error. Since fixing this would have led to a breaking change in the Rosenpass reference implementation, and all other known implementations of Rosenpass simply reproduced this error, we chose to harmonize the white paper with the implementation instead of fixing the implementation.
+    \end{quote}
+    ```
+12. Added a section to explain and specify our incorrect implementation of HMAC-BLAKE2b.
+13. In `encaps_and_mix()`/`decaps_and_mix()` the whitepaper stated that public key, ciphertext, and shared key are mixed into the chaining key in that order, but the implementation used a different order: public key, shared key, and ciphertext (shared key and ciphertext are swapped). We harmonize the white paper with the implementation.
+14. In the white paper, in package `RespHello` the field `auth` was indicated to come after `biscuit`, but in the implementation, `auth` came first and `biscuit` was last. The semantics of how fields in Rosenpass messages are processed generally demand that fields are processed in the order they appear in the message, so having `biscuit` first and `auth` second—as was done in the white paper—would be correct; still, we harmonize the white paper with the implementation.
+15. Fix a discrepancy with regard to biscuit key life times.
+
+    ``` {=tex}
+    \begin{quote}
+    The \texttt{biscuit\textunderscore{}key} used to encrypt biscuits should be rotated every two minutes. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when \texttt{biscuit\textunderscore{}key} is rotated.
+    \end{quote}
+    ```
+
+    by
+
+    ``` {=tex}
+    \begin{quote}
+    The \texttt{biscuit\textunderscore{}key} used to encrypt biscuits should be rotated frequently. Implementations should keep two biscuit keys in memory at any given time to avoid having to drop packages when \texttt{biscuit\textunderscore{}key} is rotated. The Rosenpass reference implementation retires biscuits after five minutes and erases them after ten.
+    \end{quote}
+    ```
+16. Point out explicitly that we use KEMs from NIST-Competition Round 3. Include links to the competition submission packages. Update citations to reflect the exact specification version.
+17. Consistent naming convention. Always use the term `secret key`, never  `private key`.
+18. `pidiC` -> `pidi_ct`; to make it clearer that this is a cipher text
+19. Where we refer to the biscuit ciphertext, we now use the term `biscuit_ct`. Previously we had used various variable names such as `nct` (nonce followed by cipher text) or just plain `biscuit`.
+20. In `load_biscuit`, we make it clear that destructuring of `biscuit_ct` destructures a concatenation.
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        let (n, ct) = biscuit_ct;
+        \end{minted}
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        let concat(n, ct) = biscuit_ct;
+        \end{minted}
+    \end{quote}
+    ```
+21. Added a section about timers used in the Rosenpass protocol
+
+Additional changes (also motivated by a close review, but not reported by Steffen):
+
+1. Fig. 2 "Rosenpass Message Types", CookieReply package. Renamed the length sum from payload to package.
+2. Fig. 2 "Rosenpass Message Types", Envelope package. Renamed the length sum from envelope to package.
+3. In `load_biscuit()` fix a naming typo:
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        lookup_peer(pt.peerid);
+        \end{minted}
+    \end{quote}
+    ```
+
+    with
+
+    ``` {=tex}
+    \begin{quote}
+        \begin{minted}{pseudorust}
+        lookup_peer(pt.pidi);
+        \end{minted}
+    \end{quote}
+    ```
+4. Remove reference to the proof-of-IP-ownership-based DoS mitigation feature not being implemented. Add a notice, that the feature is currently experimental.
+5. Fixed a few typos and capitalization issues
+
 #### 2025-06-24 – Specifying the `osk` used for WireGuard as a protocol extension

 \vspace{0.5em}
@@ -749,7 +1151,7 @@ By removing all retransmission handling code from the cryptographic protocol, we
    ``` {=tex}
    \begin{quote}
        \begin{minted}{pseudorust}
-        // In December 2024, the InitConf retransmission mechanisim was redesigned
+        // In December 2024, the InitConf retransmission mechanism was redesigned
        // in a backwards-compatible way. See the changelog.
        //
        // -- 2024-11-30, Karolin Varner
@@ -777,7 +1179,3 @@ PR: [#142](https://github.com/rosenpass/rosenpass/pull/142)
 - Added section "Denial of Service Mitigation and Cookies", and modify "Dealing with Packet Loss" for DoS cookie mechanism

 \printbibliography
-
-\setupimage{landscape,fullpage,label=img:HandlingCode}
-![Rosenpass Message Handling Code](graphics/rosenpass-wp-message-handling-code-rgb.svg)
-
--- a/pkgs/rosenpass.nix
+++ b/pkgs/rosenpass.nix
@@ -24,6 +24,7 @@ let
      "service"
      "target"
      "toml"
+      "zstd" # used for offloaded test vector values
    ];
    # Files to explicitly include
    files = [ "to/README.md" ];
@@ -71,6 +72,8 @@ rustPlatform.buildRustPackage {
    package
  ];

+  configFileVersion = "1";
+
  doCheck = true;

  cargoLock = {
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml
@@ -0,0 +1,351 @@
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer a secret key"
+name = "peer_a_sk"
+code_location = "tests/test_vector_crypto_server.rs:95"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer a public key"
+name = "peer_a_pk"
+code_location = "tests/test_vector_crypto_server.rs:96"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer b secret key"
+name = "peer_b_sk"
+code_location = "tests/test_vector_crypto_server.rs:101"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "test setup: peer b public key"
+name = "peer_b_pk"
+code_location = "tests/test_vector_crypto_server.rs:102"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Const"
+description = "pre-shared key"
+name = "psk"
+value = "Vw7bZ1vyXfZo4D5/633F5IbTOntNFBjZRCWf/0cP3Ss="
+code_location = "tests/test_vector_crypto_server.rs:105"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[0]"
+value = "COU/279CXvyB3mwVxT6fCQ=="
+code_location = "tests/test_vector_crypto_server.rs:167"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[1]"
+value = "5Q+e2O020FTcmBWlAPnWlw=="
+code_location = "tests/test_vector_crypto_server.rs:172"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[0]"
+value = "5h9KZ2KfLP5uNbEdimMNLHUjPFm0L3helyg8QE7pd/E="
+code_location = "tests/test_vector_crypto_server.rs:177"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[1]"
+value = "uwyhSvwuEeXwVUg4+9CBoPWPL0AY+oSVUhFpGpnBaY8="
+code_location = "tests/test_vector_crypto_server.rs:179"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[0]"
+value = "KtKzsfp1NMN3mrln54w0TA=="
+code_location = "tests/test_vector_crypto_server.rs:167"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::cookie_secrets[1]"
+value = "cc1hSqM+Jhal8AII5NIWLA=="
+code_location = "tests/test_vector_crypto_server.rs:172"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[0]"
+value = "ih8UroUklL5NLdegMFQAEWE6huLEO4HBNL44jpk0VsI="
+code_location = "tests/test_vector_crypto_server.rs:177"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "CryptoServer::biscuit_keys[1]"
+value = "mXEYSvzhz5E9eUskbKJBZlXlYF2N3Q1MwmbGeXmhXoI="
+code_location = "tests/test_vector_crypto_server.rs:179"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:69"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.cookie_value.value"
+value = "BryZRk1KR5Gc+AEm0plH1Q=="
+code_location = "rosenpass/src/protocol/protocol.rs:3559"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.core.sidi"
+value = "avpJ6g=="
+code_location = "rosenpass/src/protocol/protocol.rs:3572"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.eski"
+value = "KpIH2rHL5MR1TQosRVTAUhpDGYUfE7FbeDA/VgN2shd0gdwBRkdeTEZqKKdAY+ikmKydZQwNlFQW8WuH8fwknbUt/SCzo2iPbDg22sAuClQFN1sXckmEpDG2G4cqXHqkdVSuwhymt9V0w1lKFotTwNIN9Fo0eKq19twT16DP+nIPwrkDveAAm8OqwNp1iAODI8GuB3aL3Str/HDC7YR8QtuuzJQwfEa8CbihEpk+zZqVCJVZDrlfH6ydcJsahypuWpJQ4RwS+NejEvJirvgKngsgdPkGXyYLzQQhS4qagQDMkklWaxwL5pdSqlB+M/Cbx1iqgXgOp2PEykkOpgpEBKfDoCQxBnIYNEisx9B8XuibzqQiq0qctty3GBUf+peApMdataC6WwGqH1KpQiW8aUufIWFDK8xW56t3/bMV/AIsMWx3XpaxbGOQOgqAmRAxeYh23TeQ6lVturw/aMsV2phXBkgG6iQnzyd9z6Zufgezz3Ui2hdeJ/iCzfG0A7SMWlS8zETM46wExxO5smNh8jCoTzeSMpOeH3GfFyRs44PFybSQHtAbdcpcA+pj2VljGfRzq5U1AjpdbSKm8JO6n2PDOQlXHaNp5wZMTHZeywq/BrRWO0FXU9davLcEqUJ2xkwRIvEo24ae0MSD1SSd0rRK5LFilFWZXpDCkaoHvst87mdMeIBUYppMD+WkSuKun0XMXXSSWNPIvrGKFJlt4yTCNYsdfRBthGEa5sEApYd4jmi49zKbRSGGm/u915gdo0AvsFYa85EZzzBI0wfK3uW0X+YvGSEzwHGOAMaAyJu3tCGHt2tuevqND2lybzkJS+ih80l3jyaBbNmqQzBRt8YZtLg+e0ijH/x8IyGq+efCioRQjeN50sBAJrsSgncVtgoSraWbPLNu9movqQMtLiwGkUaZSqVANtQPQuccOFyzK7XD8zy5V0Bx/We0ijOvlyUPJWW+1LoALiArHhG7xIRQL8oe9RDP1mzPoGQd1MNRvCuePNpRX+JAO7a49vwsqUtsK6iAY5C1WIxc1TAVhrIz2YzKuyOQYJCbtkOTx5EZ+AbCsTa/E7VHJacj5xQXtYpy3NogXpAnI/ubjABhCVKTfNFytwKkQUAR1ZcoqzJlngdFILIFBeTEUJChXpBb3/obCCQOFVWCKaYfuLam34JgWkmKYUoao4ZP68yn7yc1l4lDRswKSgFt6YI31PcWGAbKM9QeKLF1Tso2bQOXlEF8MssCQjhN+PimSYU/A1ANTHEyQMxM+uUGXBAJwViSGSshHpioLkF3nBc2h7FT5Fi6hMU4xqUwsBgkfZKYQ6gMsMIqZjd/gIkbawwGU6VdLNNf4tw1f4ssD3QbKSA9LfsSHHV8YjcJ3vVoIVVd/Pmbe/kV8Ccz0zLPYWxyrrEanTOJwPqzYxBqTOBilVWlEfREu1ddYaccILMGEMdsQ6eBj4ySZYhj24Ajc3R8afR+anR2NNorfgIlF1d7VuW1BQG+loA3UqdO9lE4mwrARoy87LZKagYHUshet/CAYxinr0UlfCKqbEydljslyafPC4x/mmRWqjTNsTAVfZdOc1ESLyQ6fCkZ/ewOMmsVgUZsBPHI5LgE/2qjYhgXxzg72OmYynR4+8EWunEd2JScjTAurTVZBEPDfGq9wvySBeMbyIGgY0yIfJF/oGRI6/oyNoOBMyKff7oCVNzH+UBGPQJE0De7U1wmEqBNIOu6MMx4nFVgdNzA3TyLrhaOT3uDoJMo/9NnnvWDS5xhp9l8URkcVsol12MhmZAhqlhtGIOR72e5Jml6DNkLvYCX49ZKfMGBbnHNk/RhN5k3dccuD+UvIwxR3irMUXt6jITE0RbPCYWX14N4Jlcdz2oxA6U+RXW8ccJ0YQYjsNgmj1xpsnwY8/O6LkiB+Sm/fsJAkRGsKrWeyPKRcNR1uioBr6YpqKa0aHC0meQX7YqKNWZujOQX6ZJb2aMgx4CRJOc/fbqrtgpQy8mEy4JG2dmEPCdYKmY3YTGlpiVb65pLciEtJRIRiCqh4QNmCwtrixM5QgO5Y5gNfX/fXULtbtZdCDgQJ8CKaJNgxosHESp7YfeW+bO2tmmEwSHG+/s4YEEVQZm2OfJ46gLFPIixcTmADwFGOKEgTRofmHFxOUlIH1gXBkuqH0zWp71FqEpAoucjrROw"
+code_location = "rosenpass/src/protocol/protocol.rs:3579"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+name = "hs.core.ck"
+value = "qUtsK6iAY5C1WIxc1TAVhrIz2YzKuyOQYJCbtkOTx5EZ+AbCsTa/E7VHJacj5xQXtYpy3NogXpAnI/ubjABhCVKTfNFytwKkQUAR1ZcoqzJlngdFILIFBeTEUJChXpBb3/obCCQOFVWCKaYfuLam34JgWkmKYUoao4ZP68yn7yc1l4lDRswKSgFt6YI31PcWGAbKM9QeKLF1Tso2bQOXlEF8MssCQjhN+PimSYU/A1ANTHEyQMxM+uUGXBAJwViSGSshHpioLkF3nBc2h7FT5Fi6hMU4xqUwsBgkfZKYQ6gMsMIqZjd/gIkbawwGU6VdLNNf4tw1f4ssD3QbKSA9LfsSHHV8YjcJ3vVoIVVd/Pmbe/kV8Ccz0zLPYWxyrrEanTOJwPqzYxBqTOBilVWlEfREu1ddYaccILMGEMdsQ6eBj4ySZYhj24Ajc3R8afR+anR2NNorfgIlF1d7VuW1BQG+loA3UqdO9lE4mwrARoy87LZKagYHUshet/CAYxinr0UlfCKqbEydljslyafPC4x/mmRWqjTNsTAVfZdOc1ESLyQ6fCkZ/ewOMmsVgUZsBPHI5LgE/2qjYhgXxzg72OmYynR4+8EWunEd2JScjTAurTVZBEPDfGq9wvySBeMbyIGgY0yIfJF/oGRI6/oyNoOBMyKff7oCVNzH+UBGPQJE0De7U1wmEqBNIOu6MMx4nFVgdNzA3TyLrhaOT3uDoJMo/9NnnvWDS5xhp9l8URkcVsol12MhmZAhqlhtGIOR72e5Jml6DNkLvYCX49ZKfMGBbnHNk/RhN5k3dccuD+UvIwxR3irMUXt6jITE0RbPCYWX14N4Jlcdz2oxA6U+RXW8ccJ0YQYjsNgmj1xpsnwY8/O6LkiB+Sm/fsJAkRGsKrWeyPKRcNR1uioBr6YpqKa0aHC0meQX7YqKNWZujOQX6ZJb2aMgx4CRJOc/fbqrtgpQy8mEy4JG2dmEPCdYKmY3YTGlpiVb65pLciEtJRIRiCqh4QNmCwtrixM5QgO5Y5gNfX/fXULtbtZdCDgQJ8CKaJNgxosHESp7YfeW+bM="
+code_location = "rosenpass/src/protocol/protocol.rs:3580"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 1"
+value = "z2JAxQ4DPIikqHMSpFDAlmhjSBumhLZatJMrFAP+D1U="
+code_location = "rosenpass/src/protocol/protocol.rs:3587"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Const"
+value = "crPEWzqlCERLJr83BrZupxLUOxWHsYZalisk94tma0k="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "eJXlj5zOJo/Eq85TzOTi7QY8zqWBP0QOOl3PAcpFDYnZyWmuzdpwDZJTbagAP52Md9r+j2vME4SW9UvdvOQo+jbNfuCHytU5K3yxI77srR4aWepM+xPAmxbyIwD4VGjDOQNAjP4Rn8n5L9cCju1tgit7yeM0S4Mx2KDR/Emr8V7gQnERob6LrPJgu6BMWkbZA2+dLVZOsvWPFmmn"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 2"
+value = "UVoOgm+xgnV9tXlaLrlBHiM8XDAH+4tPm3DTbP9uJzs="
+code_location = "rosenpass/src/protocol/protocol.rs:3602"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "ih.pidi_ct"
+value = "Y3Wstn84+vmUb/a/CtWHFixkdyTFKEaE7joUFM0vBZPehPAeDOXls/u5I1PvViF6"
+code_location = "rosenpass/src/protocol/protocol.rs:3615"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 3"
+value = "RTCFQy236fEakHlQn8Pq4+ZbWAg4zvkP5iSp+RU7CpQ="
+code_location = "rosenpass/src/protocol/protocol.rs:3616"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 4"
+value = "9bjg2ICzmCeqYMt4ACfX5UMQUde7WgeuI6H+vdQuWck="
+code_location = "rosenpass/src/protocol/protocol.rs:3627"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "ih.auth"
+value = "E+AP6wyOrpngo7vE9Vpkjg=="
+code_location = "rosenpass/src/protocol/protocol.rs:3636"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+name = "hs.core.ck 5"
+value = "MkkapMEoAWftWlVPIcroCCTpqOrMv5TYSff5h8Un/OE="
+code_location = "rosenpass/src/protocol/protocol.rs:3637"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:44"
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 4"
+value = "z2JAxQ4DPIikqHMSpFDAlmhjSBumhLZatJMrFAP+D1U="
+code_location = "rosenpass/src/protocol/protocol.rs:3693"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 5"
+value = "UVoOgm+xgnV9tXlaLrlBHiM8XDAH+4tPm3DTbP9uJzs="
+code_location = "rosenpass/src/protocol/protocol.rs:3702"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 6"
+value = "RTCFQy236fEakHlQn8Pq4+ZbWAg4zvkP5iSp+RU7CpQ="
+code_location = "rosenpass/src/protocol/protocol.rs:3714"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 7"
+value = "9bjg2ICzmCeqYMt4ACfX5UMQUde7WgeuI6H+vdQuWck="
+code_location = "rosenpass/src/protocol/protocol.rs:3724"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr IHR 8"
+value = "MkkapMEoAWftWlVPIcroCCTpqOrMv5TYSff5h8Un/OE="
+code_location = "rosenpass/src/protocol/protocol.rs:3733"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+name = "session_id"
+value = "+qqWGQ=="
+code_location = "rosenpass/src/protocol/protocol.rs:3741"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 3"
+value = "rPSnj3sQzMcnolHZJZpDlZ71VcFEtIEENGLWUPyRZws="
+code_location = "rosenpass/src/protocol/protocol.rs:3749"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+value = "aQGM2N7OhVgSlsa7pEaqdiRZLacxgDhwuEplHORsv3s="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "XIOzetMa7cemW0Qq+vEu1frv9J/MhfFiT68mfbWZrZbzM5AI2lVPLXi75KvjbNC7YrqVG20d2DhZ38g9vjIAG50Lc8LHw3C+tQV2g/lCa4p1XySyQOJUAj/CpBGito8MdcdcxpFzLhCnq0owBSonbgyboxZq/hsX5z+unJu+5UiJYlxpcvu++w954OQiXi9lJpfnC4biY8Mw+8UL5d2UgWp8Yn3y3ZoIKSNGA5hR5/JUg1QStbSvWrhNiiDrfNUR0k2zKmLPXPS1pmaBvSuWQptq3WiA1OtkRsCSrAzjOtyUPWSZyXrttAZ4VJCBkEnd4OZy7eC/mBa3FjwJAfcvVY7i8mU1yDpLtS7MtdAZKMeGn0fQDWOx5z+vM+jbwOxXer79jPKPcdigxjTfARz+SxhfWfqGO5hBh86Ra0F+vgw3KH/YQgTchroWVF8WIwZlNwp6DqvwXBXwRPbtrv+uxmRHT9Oe+ZxJr88Nd1gRtjL0FN6faE1quGDAHWPuAfhFcxa7kdPpHN46cHSC+nzO1gtabPX/b0PM2awmNPB5QPpWoGHzz4HTYV7MYHmC4mxdKU7BT+U3vJd4+vl+7wGQSVxSCwzWHqCjRwOkIDLeiyZss7iz8BnOeErDySbPTMYI/Jv/R7lalOk4+73a1m2m4uZKetXRGEjg8btiKfhFaPZMc9p8xZeJNbsUbqoMl8/R1QGRqXHxzk9tTZW0AHV0t4uLnvHJgu9mR6LApZ99sAJpNcuU9TnsSPfT32DlXWNxtb0DnTQXxLQ7TnSWFYPCYyv7hbfNk8lDdGJqStSvnCe16KYoYjxpExEIfCAFicYhhar5MOpkinJMeyhMhVd2ctVIIIzZXePfZXcdOod2JbYh6+dmp0bnTyussHv9R+qYCCv5AyU/crKSmTbjgyOsmaVpyoTljsozC32uhqZh4M7KBUz1XyPJfD6L4NE1ovCKSfwJepYOqBw0MkdWoXwScyhMWNpVhS8X1aZ/QOZFVIuyYxoiwqpF/y3xV6QYFZmd"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 4"
+value = "WCh3N6kKat+5vvn3WNTxsF9yXGYTQS7hlMUplMac/14="
+code_location = "rosenpass/src/protocol/protocol.rs:3764"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Const"
+value = "Sx7y7DSdVQVHWxR4OOMjyrDr8vuZa7MPX/U8GnPCIHY="
+code_location = "rosenpass/src/protocol/protocol.rs:3263"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Const"
+value = "VwqEOlvdW0Evc1CasejxXQ0dN3mZ4HPMA6ogk3Q7OUzzgCIvbTU8BvBK6d1UH2R7Y5Nd/JdHgag42f5FpjVljX2vlXMk3XxUtREpORxqJ5qUgHejsgJyRO9caOPX/ZXmUZ6vORP7pIulLt2i47ykPNNlWuJmxVJj6NK+lE1BDMIuivHebR31atigV/fFFJui26vy5V9y6xZmnCJm"
+code_location = "rosenpass/src/protocol/protocol.rs:3264"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:23"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 5"
+value = "7gd9Mw7X0ZFmkIkP/JDofflRSAw21F1RjG4HXeMJfTI="
+code_location = "rosenpass/src/protocol/protocol.rs:3779"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+value = "QyffgzBjc8qAqK18vYsH9TKs9lc6Njg8Q8nANsF/FMMBAAAAAAAAAAAAAADuB30zDtfRkWaQiQ/8kOh9+VFIDDbUXVGMbgdd4wl9Mg=="
+code_location = "rosenpass/src/protocol/protocol.rs:3336"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Const"
+description = "Biscuit key after being cycled"
+name = "CryptoServer::biscuit_key[r]"
+value = "TIDswcSHh8WKsEsuwMCyldE0zVH8IEjV97ES8v3nHw0="
+code_location = "rosenpass/src/protocol/protocol.rs:1430"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:127"
+
+[[entries]]
+entry_type = "Const"
+value = "iSR2RKOw5VeBICb4b+i8P4QtF8XnJq2N"
+code_location = "rosenpass/src/protocol/protocol.rs:3353"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Output"
+value = "iSR2RKOw5VeBICb4b+i8P4QtF8XnJq2Nq1gaCMgEJ+v1LulDYsjbfU5O0alWStfs4fBy7zS69RkzT8p0m3mVcK0TY9RRdWfxmCzU1U8DP7CbhfZxZHJC9CO8xwIa5r1NjVE1gxJJUEJCTHvtCc3PtFj861c="
+code_location = "rosenpass/src/protocol/protocol.rs:3361"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:31"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 6"
+value = "urS3a0/ufhUxj7bAnafEQ3j7it4q2XOfO+DVCeQJp4U="
+code_location = "rosenpass/src/protocol/protocol.rs:3788"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+name = "chaining_key_ihr RHR 7"
+value = "bbWd4iHXPK6helZLik4t96JKB7yiyw+qcNWbvlDiaQs="
+code_location = "rosenpass/src/protocol/protocol.rs:3797"
+test_vec_set_code_location = "rosenpass/src/protocol/test_vector_sets.rs:84"
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "message exchanged by the protocol parties"
+name = "message"
+code_location = "tests/test_vector_crypto_server.rs:136"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
+offload = true
+
+[[entries]]
+entry_type = "Output"
+description = "final exchanged key"
+name = "exchanged_key"
+value = "NKG5/vCPc0akKnm5RxctcPigO8fvd0zqJeO2+xbDpq4="
+code_location = "tests/test_vector_crypto_server.rs:153"
+test_vec_set_code_location = "rosenpass/tests/test_vector_crypto_server.rs:33"
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_0.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_0.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_1.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_1.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_13.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_13.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_14.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_14.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_15.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_15.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_16.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_16.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_2.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_2.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_26.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_26.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_3.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_3.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_46.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_46.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_47.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_47.zstd
--- a/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_48.zstd
+++ b/rosenpass/.test_vectors/crypto_server_test_vector_1.toml_offloaded_value_48.zstd
--- a/rosenpass/Cargo.toml
+++ b/rosenpass/Cargo.toml
@@ -64,6 +64,8 @@ clap = { workspace = true }
 clap_complete = { workspace = true }
 clap_mangen = { workspace = true }
 mio = { workspace = true }
+signal-hook = { workspace = true }
+signal-hook-mio = { workspace = true }
 rand = { workspace = true }
 zerocopy = { workspace = true }
 home = { workspace = true }
@@ -76,8 +78,10 @@ heck = { workspace = true, optional = true }
 command-fds = { workspace = true, optional = true }
 rustix = { workspace = true, optional = true }
 uds = { workspace = true, optional = true, features = ["mio_1xx"] }
-signal-hook = { workspace = true, optional = true }
 libcrux-test-utils = { workspace = true, optional = true }
+assert_tv = { workspace = true }
+base64 = { workspace = true }
+serde_json = { workspace = true }

 [build-dependencies]
 anyhow = { workspace = true }
@@ -90,9 +94,9 @@ serial_test = { workspace = true }
 procspawn = { workspace = true }
 tempfile = { workspace = true }
 rustix = { workspace = true }
+serde_json = { workspace = true }

 [features]
-#default = ["experiment_libcrux_all"]
 experiment_cookie_dos_mitigation = []
 experiment_memfd_secret = ["rosenpass-wireguard-broker/experiment_memfd_secret"]
 experiment_libcrux_all = ["rosenpass-ciphers/experiment_libcrux_all"]
@@ -109,7 +113,6 @@ experiment_api = [
  "rosenpass-util/experiment_file_descriptor_passing",
  "rosenpass-wireguard-broker/experiment_api",
 ]
-internal_signal_handling_for_coverage_reports = ["signal-hook"]
 internal_testing = []
 internal_bin_gen_ipc_msg_types = ["hex", "heck"]
 trace_bench = ["rosenpass-util/trace_bench", "dep:libcrux-test-utils"]
--- a/rosenpass/benches/trace_handshake.rs
+++ b/rosenpass/benches/trace_handshake.rs
@@ -1,6 +1,9 @@
-use std::io::{self, Write};
-use std::time::{Duration, Instant};
-use std::{collections::HashMap, hint::black_box, ops::DerefMut};
+use std::{
+    collections::HashMap,
+    hint::black_box,
+    ops::DerefMut,
+    time::{Duration, Instant},
+};

 use anyhow::Result;

@@ -9,11 +12,12 @@ use libcrux_test_utils::tracing::{EventType, Trace as _};
 use rosenpass_cipher_traits::primitives::Kem;
 use rosenpass_ciphers::StaticKem;
 use rosenpass_secret_memory::secret_policy_try_use_memfd_secrets;
-use rosenpass_util::trace_bench::RpEventType;
+use rosenpass_util::trace_bench::RpEvent;

 use rosenpass::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
 use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
 use rosenpass::protocol::{CryptoServer, HandleMsgResult, PeerPtr, ProtocolVersion};
+use serde::ser::SerializeStruct;

 const ITERATIONS: usize = 100;

@@ -124,15 +128,30 @@ fn main() {
        (v02, &v03_with_marker[1..])
    };

-    // Perform statistical analysis on both trace sections and write results as JSON
-    write_json_arrays(
-        &mut std::io::stdout(), // Write to standard output
-        vec![
-            ("V02", statistical_analysis(trace_v02.to_vec())),
-            ("V03", statistical_analysis(trace_v03.to_vec())),
-        ],
-    )
-    .expect("error writing json data");
+    // Perform statistical analysis on both trace sections
+    let analysis_v02 = statistical_analysis(trace_v02);
+    let analysis_v03 = statistical_analysis(trace_v03);
+
+    // Transform analysis results to JSON-encodable data type
+    let stats_v02 = analysis_v02
+        .iter()
+        .map(|(label, agg_stat)| JsonAggregateStat {
+            protocol_version: "V02",
+            label,
+            agg_stat,
+        });
+    let stats_v03 = analysis_v03
+        .iter()
+        .map(|(label, agg_stat)| JsonAggregateStat {
+            protocol_version: "V03",
+            label,
+            agg_stat: &agg_stat,
+        });
+
+    // Write results as JSON
+    let stats_all: Vec<_> = stats_v02.chain(stats_v03).collect();
+    let stats_json = serde_json::to_string_pretty(&stats_all).expect("error encoding to json");
+    println!("{stats_json}");
 }

 /// Performs a simple statistical analysis:
@@ -140,7 +159,7 @@ fn main() {
 /// - extracts durations of spamns
 /// - filters out empty bins
 /// - calculates aggregate statistics (mean, std dev)
-fn statistical_analysis(trace: Vec<RpEventType>) -> Vec<(&'static str, AggregateStat<Duration>)> {
+fn statistical_analysis(trace: &[RpEvent]) -> Vec<(&'static str, AggregateStat<Duration>)> {
    bin_events(trace)
        .into_iter()
        .map(|(label, spans)| (label, extract_span_durations(label, spans.as_slice())))
@@ -149,44 +168,6 @@ fn statistical_analysis(trace: Vec<RpEventType>) -> Vec<(&'static str, Aggregate
        .collect()
 }

-/// Takes an iterator of ("protocol_version", iterator_of_stats) pairs and writes them
-/// as a single flat JSON array to the provided writer.
-///
-/// # Arguments
-/// * `w` - The writer to output JSON to (e.g., stdout, file).
-/// * `item_groups` - An iterator producing tuples `(version, stats): (&'static str, II)`.
-///    Here `II` is itself an iterator producing `(label, agg_stat): (&'static str, AggregateStat<Duration>)`,
-///    where the label is the label of the span, e.g. "IHI2".
-///
-/// # Type Parameters
-/// * `W` - A type that implements `std::io::Write`.
-/// * `II` - An iterator type yielding (`&'static str`, `AggregateStat<Duration>`).
-fn write_json_arrays<W: Write, II: IntoIterator<Item = (&'static str, AggregateStat<Duration>)>>(
-    w: &mut W,
-    item_groups: impl IntoIterator<Item = (&'static str, II)>,
-) -> io::Result<()> {
-    // Flatten the groups into a single iterator of (protocol_version, label, stats)
-    let iter = item_groups.into_iter().flat_map(|(version, items)| {
-        items
-            .into_iter()
-            .map(move |(label, agg_stat)| (version, label, agg_stat))
-    });
-    let mut delim = ""; // Start with no delimiter
-
-    // Start the JSON array
-    write!(w, "[")?;
-
-    // Write the flattened statistics as JSON objects, separated by commas.
-    for (version, label, agg_stat) in iter {
-        write!(w, "{delim}")?; // Write delimiter (empty for first item, "," for subsequent)
-        agg_stat.write_json_ns(label, version, w)?; // Write the JSON object for the stat entry
-        delim = ","; // Set delimiter for the next iteration
-    }
-
-    // End the JSON array
-    write!(w, "]")
-}
-
 /// Used to group benchmark results in visualizations
 enum RunTimeGroup {
    /// For particularly long operations.
@@ -239,13 +220,13 @@ enum StatEntry {

 /// Takes a flat list of events and organizes them into a HashMap where keys
 /// are event labels and values are vectors of events with that label.
-fn bin_events(events: Vec<RpEventType>) -> HashMap<&'static str, Vec<RpEventType>> {
+fn bin_events(events: &[RpEvent]) -> HashMap<&'static str, Vec<RpEvent>> {
    let mut spans = HashMap::<_, Vec<_>>::new();
    for event in events {
        // Get the vector for the event's label, or create a new one
        let spans_for_label = spans.entry(event.label).or_default();
        // Add the event to the vector
-        spans_for_label.push(event);
+        spans_for_label.push(event.clone());
    }
    spans
 }
@@ -253,7 +234,7 @@ fn bin_events(events: Vec<RpEventType>) -> HashMap<&'static str, Vec<RpEventType
 /// Processes a list of events (assumed to be for the same label), matching
 /// `SpanOpen` and `SpanClose` events to calculate the duration of each span.
 /// It handles potentially interleaved spans correctly.
-fn extract_span_durations(label: &str, events: &[RpEventType]) -> Vec<Duration> {
+fn extract_span_durations(label: &str, events: &[RpEvent]) -> Vec<Duration> {
    let mut processing_list: Vec<StatEntry> = vec![]; // List to track open spans and final durations

    for entry in events {
@@ -313,6 +294,7 @@ fn extract_span_durations(label: &str, events: &[RpEventType]) -> Vec<Duration>
 /// Stores the mean, standard deviation, relative standard deviation (sd/mean),
 /// and the number of samples used for calculation.
 #[derive(Debug)]
+#[allow(dead_code)]
 struct AggregateStat<T> {
    /// Average duration.
    mean_duration: T,
@@ -362,32 +344,33 @@ impl AggregateStat<Duration> {
            sample_size,
        }
    }
+}

-    /// Writes the statistics as a JSON object to the provided writer.
-    /// Includes metadata like label, protocol_version, OS, architecture, and run time group.
-    ///
-    /// # Arguments
-    /// * `label` - The specific benchmark/span label.
-    /// * `protocol_version` - Version of the protocol that is benchmarked.
-    /// * `w` - The output writer (must implement `std::io::Write`).
-    fn write_json_ns(
-        &self,
-        label: &str,
-        protocol_version: &str,
-        w: &mut impl io::Write,
-    ) -> io::Result<()> {
-        // Format the JSON string using measured values and environment constants
-        writeln!(
-            w,
-            r#"{{"name":"{name}", "unit":"ns/iter", "value":"{value}", "range":"± {range}", "protocol version":"{protocol_version}", "sample size":"{sample_size}", "operating system":"{os}", "architecture":"{arch}", "run time":"{run_time}"}}"#,
-            name = label,                          // Benchmark name
-            value = self.mean_duration.as_nanos(), // Mean duration in nanoseconds
-            range = self.sd_duration.as_nanos(),   // Standard deviation in nanoseconds
-            sample_size = self.sample_size,        // Number of samples
-            os = std::env::consts::OS,             // Operating system
-            arch = std::env::consts::ARCH,         // CPU architecture
-            run_time = run_time_group(label),      // Run time group category (long, medium, etc.)
-            protocol_version = protocol_version // Overall protocol_version (e.g., protocol version)
-        )
+struct JsonAggregateStat<'a, T> {
+    agg_stat: &'a AggregateStat<T>,
+    label: &'a str,
+    protocol_version: &'a str,
+}
+
+impl<'a> serde::Serialize for JsonAggregateStat<'a, Duration> {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: serde::Serializer,
+    {
+        let mut stat = serializer.serialize_struct("AggregateStat", 9)?;
+        stat.serialize_field("name", self.label)?;
+        stat.serialize_field("unit", "ns/iter")?;
+        stat.serialize_field("value", &self.agg_stat.mean_duration.as_nanos().to_string())?;
+        stat.serialize_field(
+            "range",
+            &format!("± {}", self.agg_stat.sd_duration.as_nanos()),
+        )?;
+        stat.serialize_field("protocol version", self.protocol_version)?;
+        stat.serialize_field("sample size", &self.agg_stat.sample_size)?;
+        stat.serialize_field("operating system", std::env::consts::OS)?;
+        stat.serialize_field("architecture", std::env::consts::ARCH)?;
+        stat.serialize_field("run time", &run_time_group(self.label).to_string())?;
+
+        stat.end()
    }
 }
--- a/rosenpass/src/app_server.rs
+++ b/rosenpass/src/app_server.rs
@@ -7,17 +7,20 @@ use std::net::{Ipv4Addr, Ipv6Addr, SocketAddr, SocketAddrV4, SocketAddrV6, ToSoc
 use std::time::{Duration, Instant};
 use std::{cell::Cell, fmt::Debug, io, path::PathBuf, slice};

+use mio::{Interest, Token};
+use signal_hook_mio::v1_0 as signal_hook_mio;
+
 use anyhow::{bail, Context, Result};
 use derive_builder::Builder;
 use log::{error, info, warn};
-use mio::{Interest, Token};
 use zerocopy::AsBytes;

 use rosenpass_util::attempt;
+use rosenpass_util::fmt::debug::NullDebug;
 use rosenpass_util::functional::{run, ApplyExt};
 use rosenpass_util::io::{IoResultKindHintExt, SubstituteForIoErrorKindExt};
 use rosenpass_util::{
-    b64::B64Display, build::ConstructionSite, file::StoreValueB64, option::SomeExt, result::OkExt,
+    b64::B64Display, build::ConstructionSite, file::StoreValueB64, result::OkExt,
 };

 use rosenpass_secret_memory::{Public, Secret};
@@ -129,7 +132,7 @@ pub struct BrokerStore {
    /// The collection of WireGuard brokers. See [Self].
    pub store: HashMap<
        Public<BROKER_ID_BYTES>,
-        Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error>>,
+        Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error> + Send>,
    >,
 }

@@ -146,12 +149,12 @@ pub struct BrokerPeer {
    ///
    /// This is woefully overengineered and there is very little reason why the broker
    /// configuration should not live in the particular WireGuard broker.
-    peer_cfg: Box<dyn WireguardBrokerCfg>,
+    peer_cfg: Box<dyn WireguardBrokerCfg + Send>,
 }

 impl BrokerPeer {
    /// Create a broker peer
-    pub fn new(ptr: BrokerStorePtr, peer_cfg: Box<dyn WireguardBrokerCfg>) -> Self {
+    pub fn new(ptr: BrokerStorePtr, peer_cfg: Box<dyn WireguardBrokerCfg + Send>) -> Self {
        Self { ptr, peer_cfg }
    }

@@ -286,12 +289,20 @@ pub enum AppServerIoSource {
    Socket(usize),
    /// IO source refers to a PSK broker in [AppServer::brokers]
    PskBroker(Public<BROKER_ID_BYTES>),
+    /// IO source refers to our signal handlers
+    SignalHandler,
    /// IO source refers to some IO sources used in the API;
    /// see [AppServer::api_manager]
    #[cfg(feature = "experiment_api")]
    MioManager(crate::api::mio::MioManagerIoSource),
 }

+pub enum AppServerTryRecvResult {
+    None,
+    Terminate,
+    NetworkMessage(usize, Endpoint),
+}
+
 /// Number of epoll(7) events Rosenpass can receive at a time
 const EVENT_CAPACITY: usize = 20;

@@ -332,6 +343,8 @@ pub struct AppServer {
    /// MIO associates IO sources with numeric tokens. This struct takes care of generating these
    /// tokens
    pub mio_token_dispenser: MioTokenDispenser,
+    /// Mio-based handler for signals
+    pub signal_handler: NullDebug<signal_hook_mio::Signals>,
    /// Helpers handling communication with WireGuard; these take a generated key and forward it to
    /// WireGuard
    pub brokers: BrokerStore,
@@ -357,16 +370,6 @@ pub struct AppServer {
    /// Used by integration tests to force [Self] into DoS condition
    /// and to terminate the AppServer after the test is complete
    pub test_helpers: Option<AppServerTest>,
-    /// Helper for integration tests running rosenpass as a subprocess
-    /// to terminate properly upon receiving an appropriate system signal.
-    ///
-    /// This is primarily needed for coverage testing, since llvm-cov does not
-    /// write coverage reports to disk when a process is stopped by the default
-    /// signal handler.
-    ///
-    /// See <https://github.com/rosenpass/rosenpass/issues/385>
-    #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-    pub term_signal: terminate::TerminateRequested,
    #[cfg(feature = "experiment_api")]
    /// The Rosenpass unix socket API handler; this is an experimental
    /// feature that can be used to embed Rosenpass in external applications
@@ -456,6 +459,8 @@ impl AppPeerPtr {
 /// Instructs [AppServer::event_loop_without_error_handling] on how to proceed.
 #[derive(Debug)]
 pub enum AppPollResult {
+    /// Received request to terminate the application
+    Terminate,
    /// Erase the key for a given peer. Corresponds to [crate::protocol::PollResult::DeleteKey]
    DeleteKey(AppPeerPtr),
    /// Send an initiation to the given peer. Corresponds to [crate::protocol::PollResult::SendInitiation]
@@ -802,10 +807,27 @@ impl AppServer {
        verbosity: Verbosity,
        test_helpers: Option<AppServerTest>,
    ) -> anyhow::Result<Self> {
-        // setup mio
+        // Setup Mio itself
        let mio_poll = mio::Poll::new()?;
        let events = mio::Events::with_capacity(EVENT_CAPACITY);
+
+        // And helpers to map mio tokens to internal event types
        let mut mio_token_dispenser = MioTokenDispenser::default();
+        let mut io_source_index = HashMap::new();
+
+        // Setup signal handling
+        let signal_handler = attempt!({
+            let mut handler =
+                signal_hook_mio::Signals::new(signal_hook::consts::TERM_SIGNALS.iter())?;
+            let mio_token = mio_token_dispenser.dispense();
+            mio_poll
+                .registry()
+                .register(&mut handler, mio_token, Interest::READABLE)?;
+            let prev = io_source_index.insert(mio_token, AppServerIoSource::SignalHandler);
+            assert!(prev.is_none());
+            Ok(NullDebug(handler))
+        })
+        .context("Failed to set up signal (user triggered program termination) handler")?;

        // bind each SocketAddr to a socket
        let maybe_sockets: Result<Vec<_>, _> =
@@ -879,7 +901,6 @@ impl AppServer {
        }

        // register all sockets to mio
-        let mut io_source_index = HashMap::new();
        for (idx, socket) in sockets.iter_mut().enumerate() {
            let mio_token = mio_token_dispenser.dispense();
            mio_poll
@@ -895,8 +916,6 @@ impl AppServer {
        };

        Ok(Self {
-            #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-            term_signal: terminate::TerminateRequested::new()?,
            crypto_site,
            peers: Vec::new(),
            verbosity,
@@ -907,6 +926,7 @@ impl AppServer {
            io_source_index,
            mio_poll,
            mio_token_dispenser,
+            signal_handler,
            brokers: BrokerStore::default(),
            all_sockets_drained: false,
            under_load: DoSOperation::Normal,
@@ -977,7 +997,7 @@ impl AppServer {
    /// Register a new WireGuard PSK broker
    pub fn register_broker(
        &mut self,
-        broker: Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error>>,
+        broker: Box<dyn WireguardBrokerMio<Error = anyhow::Error, MioError = anyhow::Error> + Send>,
    ) -> Result<BrokerStorePtr> {
        let ptr = Public::from_slice((self.brokers.store.len() as u64).as_bytes());
        if self.brokers.store.insert(ptr, broker).is_some() {
@@ -1049,7 +1069,7 @@ impl AppServer {
        Ok(AppPeerPtr(pn))
    }

-    /// Main IO handler; this generally does not terminate
+    /// Main IO handler; this generally does not terminate other than through unix signals
    ///
    /// # Examples
    ///
@@ -1066,23 +1086,6 @@ impl AppServer {
                Err(e) => e,
            };

-            #[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-            {
-                let terminated_by_signal = err
-                    .downcast_ref::<std::io::Error>()
-                    .filter(|e| e.kind() == std::io::ErrorKind::Interrupted)
-                    .filter(|_| self.term_signal.value())
-                    .is_some();
-                if terminated_by_signal {
-                    log::warn!(
-                        "\
-                        Terminated by signal; this signal handler is correct during coverage testing \
-                        but should be otherwise disabled"
-                    );
-                    return Ok(());
-                }
-            }
-
            // This should not happen…
            failure_cnt = if msgs_processed > 0 {
                0
@@ -1135,6 +1138,7 @@ impl AppServer {
            use AppPollResult::*;
            use KeyOutputReason::*;

+            // TODO: We should read from this using a mio channel
            if let Some(AppServerTest {
                termination_handler: Some(terminate),
                ..
@@ -1158,6 +1162,8 @@ impl AppServer {

            #[allow(clippy::redundant_closure_call)]
            match (have_crypto, poll_result) {
+                (_, Terminate) => return Ok(()),
+
                (CryptoSrv::Missing, SendInitiation(_)) => {}
                (CryptoSrv::Avail, SendInitiation(peer)) => tx_maybe_with!(peer, || self
                    .crypto_server_mut()?
@@ -1305,6 +1311,7 @@ impl AppServer {
    pub fn poll(&mut self, rx_buf: &mut [u8]) -> anyhow::Result<AppPollResult> {
        use crate::protocol::PollResult as C;
        use AppPollResult as A;
+        use AppServerTryRecvResult as R;
        let res = loop {
            // Call CryptoServer's poll (if available)
            let crypto_poll = self
@@ -1325,8 +1332,10 @@ impl AppServer {
            };

            // Perform IO (look for a message)
-            if let Some((len, addr)) = self.try_recv(rx_buf, io_poll_timeout)? {
-                break A::ReceivedMessage(len, addr);
+            match self.try_recv(rx_buf, io_poll_timeout)? {
+                R::None => {}
+                R::Terminate => break A::Terminate,
+                R::NetworkMessage(len, addr) => break A::ReceivedMessage(len, addr),
            }
        };

@@ -1344,12 +1353,12 @@ impl AppServer {
        &mut self,
        buf: &mut [u8],
        timeout: Timing,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
        let timeout = Duration::from_secs_f64(timeout);

        // if there is no time to wait on IO, well, then, lets not waste any time!
        if timeout.is_zero() {
-            return Ok(None);
+            return Ok(AppServerTryRecvResult::None);
        }

        // NOTE when using mio::Poll, there are some particularities (taken from
@@ -1459,12 +1468,19 @@ impl AppServer {
        // blocking poll, we go through all available IO sources to see if we missed anything.
        {
            while let Some(ev) = self.short_poll_queue.pop_front() {
-                if let Some(v) = self.try_recv_from_mio_token(buf, ev.token())? {
-                    return Ok(Some(v));
+                match self.try_recv_from_mio_token(buf, ev.token())? {
+                    AppServerTryRecvResult::None => continue,
+                    res => return Ok(res),
                }
            }
        }

+        // Drain operating system signals
+        match self.try_recv_from_signal_handler()? {
+            AppServerTryRecvResult::None => {} // Nop
+            res => return Ok(res),
+        }
+
        // drain all sockets
        let mut would_block_count = 0;
        for sock_no in 0..self.sockets.len() {
@@ -1472,11 +1488,11 @@ impl AppServer {
                .try_recv_from_listen_socket(buf, sock_no)
                .io_err_kind_hint()
            {
-                Ok(None) => continue,
-                Ok(Some(v)) => {
+                Ok(AppServerTryRecvResult::None) => continue,
+                Ok(res) => {
                    // at least one socket was not drained...
                    self.all_sockets_drained = false;
-                    return Ok(Some(v));
+                    return Ok(res);
                }
                Err((_, ErrorKind::WouldBlock)) => {
                    would_block_count += 1;
@@ -1504,12 +1520,24 @@ impl AppServer {

        self.performed_long_poll = true;

-        Ok(None)
+        Ok(AppServerTryRecvResult::None)
    }

    /// Internal helper for [Self::try_recv]
    fn perform_mio_poll_and_register_events(&mut self, timeout: Duration) -> io::Result<()> {
-        self.mio_poll.poll(&mut self.events, Some(timeout))?;
+        loop {
+            use std::io::ErrorKind as IOE;
+            match self
+                .mio_poll
+                .poll(&mut self.events, Some(timeout))
+                .io_err_kind_hint()
+            {
+                Ok(()) => break,
+                Err((_, IOE::Interrupted)) => continue,
+                Err((err, _)) => return Err(err),
+            }
+        }
+
        // Fill the short poll buffer with the acquired events
        self.events
            .iter()
@@ -1523,12 +1551,12 @@ impl AppServer {
        &mut self,
        buf: &mut [u8],
        token: mio::Token,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
        let io_source = match self.io_source_index.get(&token) {
            Some(io_source) => *io_source,
            None => {
                log::warn!("No IO source assiociated with mio token ({token:?}). Polling using mio tokens directly is an experimental feature and IO handler should recover when all available io sources are polled. This is a developer error. Please report it.");
-                return Ok(None);
+                return Ok(AppServerTryRecvResult::None);
            }
        };

@@ -1540,11 +1568,13 @@ impl AppServer {
        &mut self,
        buf: &mut [u8],
        io_source: AppServerIoSource,
-    ) -> anyhow::Result<Option<(usize, Endpoint)>> {
+    ) -> anyhow::Result<AppServerTryRecvResult> {
        match io_source {
+            AppServerIoSource::SignalHandler => self.try_recv_from_signal_handler()?.ok(),
+
            AppServerIoSource::Socket(idx) => self
                .try_recv_from_listen_socket(buf, idx)
-                .substitute_for_ioerr_wouldblock(None)?
+                .substitute_for_ioerr_wouldblock(AppServerTryRecvResult::None)?
                .ok(),

            AppServerIoSource::PskBroker(key) => self
@@ -1553,7 +1583,7 @@ impl AppServer {
                .get_mut(&key)
                .with_context(|| format!("No PSK broker under key {key:?}"))?
                .process_poll()
-                .map(|_| None),
+                .map(|_| AppServerTryRecvResult::None),

            #[cfg(feature = "experiment_api")]
            AppServerIoSource::MioManager(mmio_src) => {
@@ -1561,17 +1591,28 @@ impl AppServer {

                MioManagerFocus(self)
                    .poll_particular(mmio_src)
-                    .map(|_| None)
+                    .map(|_| AppServerTryRecvResult::None)
            }
        }
    }

+    /// Internal helper for [Self::try_recv]
+    fn try_recv_from_signal_handler(&mut self) -> io::Result<AppServerTryRecvResult> {
+        #[allow(clippy::never_loop)]
+        for signal in self.signal_handler.pending() {
+            log::debug!("Received operating system signal no {signal}.");
+            log::info!("Received termination request; exiting.");
+            return Ok(AppServerTryRecvResult::Terminate);
+        }
+        Ok(AppServerTryRecvResult::None)
+    }
+
    /// Internal helper for [Self::try_recv]
    fn try_recv_from_listen_socket(
        &mut self,
        buf: &mut [u8],
        idx: usize,
-    ) -> io::Result<Option<(usize, Endpoint)>> {
+    ) -> io::Result<AppServerTryRecvResult> {
        use std::io::ErrorKind as K;
        let (n, addr) = loop {
            match self.sockets[idx].recv_from(buf).io_err_kind_hint() {
@@ -1583,8 +1624,7 @@ impl AppServer {
        SocketPtr(idx)
            .apply(|sp| SocketBoundEndpoint::new(sp, addr))
            .apply(Endpoint::SocketBoundAddress)
-            .apply(|ep| (n, ep))
-            .some()
+            .apply(|ep| AppServerTryRecvResult::NetworkMessage(n, ep))
            .ok()
    }

@@ -1636,48 +1676,3 @@ impl crate::api::mio::MioManagerContext for MioManagerFocus<'_> {
        self.0
    }
 }
-
-/// These signal handlers are used exclusively used during coverage testing
-/// to ensure that the llvm-cov can produce reports during integration tests
-/// with multiple processes where subprocesses are terminated via kill(2).
-///
-/// llvm-cov does not support producing coverage reports when the process exits
-/// through a signal, so this is necessary.
-///
-/// The functionality of exiting gracefully upon reception of a terminating signal
-/// is desired for the production variant of Rosenpass, but we should make sure
-/// to use a higher quality implementation; in particular, we should use signalfd(2).
-///
-#[cfg(feature = "internal_signal_handling_for_coverage_reports")]
-mod terminate {
-    use signal_hook::flag::register as sig_register;
-    use std::sync::{
-        atomic::{AtomicBool, Ordering},
-        Arc,
-    };
-
-    /// Automatically register a signal handler for common termination signals;
-    /// whether one of these signals was issued can be polled using [Self::value].
-    ///
-    /// The signal handler is not removed when this struct goes out of scope.
-    #[derive(Debug)]
-    pub struct TerminateRequested {
-        value: Arc<AtomicBool>,
-    }
-
-    impl TerminateRequested {
-        /// Register signal handlers watching for common termination signals
-        pub fn new() -> anyhow::Result<Self> {
-            let value = Arc::new(AtomicBool::new(false));
-            for sig in signal_hook::consts::TERM_SIGNALS.iter().copied() {
-                sig_register(sig, Arc::clone(&value))?;
-            }
-            Ok(Self { value })
-        }
-
-        /// Check whether a termination signal has been set
-        pub fn value(&self) -> bool {
-            self.value.load(Ordering::Relaxed)
-        }
-    }
-}
--- a/rosenpass/src/cli.rs
+++ b/rosenpass/src/cli.rs
@@ -490,7 +490,7 @@ impl CliArgs {
                cfg_peer.key_out,
                broker_peer,
                cfg_peer.endpoint.clone(),
-                cfg_peer.protocol_version.into(),
+                cfg_peer.protocol_version,
                cfg_peer.osk_domain_separator.try_into()?,
            )?;
        }
@@ -515,7 +515,7 @@ impl CliArgs {
    fn create_broker(
        broker_interface: Option<BrokerInterface>,
    ) -> Result<
-        Box<dyn WireguardBrokerMio<MioError = anyhow::Error, Error = anyhow::Error>>,
+        Box<dyn WireguardBrokerMio<MioError = anyhow::Error, Error = anyhow::Error> + Send>,
        anyhow::Error,
    > {
        if let Some(interface) = broker_interface {
--- a/rosenpass/src/config.rs
+++ b/rosenpass/src/config.rs
@@ -200,7 +200,7 @@ impl RosenpassPeerOskDomainSeparator {
    pub fn org_and_label(&self) -> anyhow::Result<Option<(&String, &Vec<String>)>> {
        match (&self.osk_organization, &self.osk_label) {
            (None, None) => Ok(None),
-            (Some(org), Some(label)) => Ok(Some((&org, &label))),
+            (Some(org), Some(label)) => Ok(Some((org, label))),
            (Some(_), None) => bail!("Specified osk_organization but not osk_label in config file. You need to specify both, or none."),
            (None, Some(_)) =>  bail!("Specified osk_label but not osk_organization in config file. You need to specify both, or none."),
        }
@@ -364,7 +364,7 @@ impl Rosenpass {
            // check the secret-key file is a valid key
            ensure!(
                SSk::load(&keypair.secret_key).is_ok(),
-                "could not load public-key file {:?}: invalid key",
+                "could not load secret-key file {:?}: invalid key",
                keypair.secret_key
            );
        }
--- a/rosenpass/src/hash_domains.rs
+++ b/rosenpass/src/hash_domains.rs
@@ -166,7 +166,7 @@ hash_domain_ns!(
    protocol, cookie_key, "cookie-key");
 hash_domain_ns!(
    /// Hash domain based on [protocol] for calculating the peer id as transmitted (encrypted)
-    /// in [crate::msgs::InitHello::pidic].
+    /// in [crate::msgs::InitHello::pidi_ct].
    ///
    /// # Examples
    ///
@@ -179,7 +179,7 @@ hash_domain_ns!(
 hash_domain_ns!(
    /// Hash domain based on [protocol] for calculating the additional data
    /// during [crate::msgs::Biscuit] encryption, storing the biscuit into
-    /// [crate::msgs::RespHello::biscuit].
+    /// [crate::msgs::RespHello::biscuit_ct].
    ///
    /// # Examples
    ///
--- a/rosenpass/src/msgs.rs
+++ b/rosenpass/src/msgs.rs
@@ -135,7 +135,7 @@ pub struct InitHello {
    /// Classic McEliece Ciphertext
    pub sctr: [u8; StaticKem::CT_LEN],
    /// Encryped: 16 byte hash of McEliece initiator static key
-    pub pidic: [u8; Aead::TAG_LEN + 32],
+    pub pidi_ct: [u8; Aead::TAG_LEN + 32],
    /// Encrypted TAI64N Time Stamp (against replay attacks)
    pub auth: [u8; Aead::TAG_LEN],
 }
@@ -188,7 +188,7 @@ pub struct RespHello {
    /// Empty encrypted message (just an auth tag)
    pub auth: [u8; Aead::TAG_LEN],
    /// Responders handshake state in encrypted form
-    pub biscuit: [u8; BISCUIT_CT_LEN],
+    pub biscuit_ct: [u8; BISCUIT_CT_LEN],
 }

 /// This is the third message sent by the initiator to the responder
@@ -233,7 +233,7 @@ pub struct InitConf {
    /// Copied from RespHello
    pub sidr: [u8; 4],
    /// Responders handshake state in encrypted form
-    pub biscuit: [u8; BISCUIT_CT_LEN],
+    pub biscuit_ct: [u8; BISCUIT_CT_LEN],
    /// Empty encrypted message (just an auth tag)
    pub auth: [u8; Aead::TAG_LEN],
 }
--- a/rosenpass/src/protocol/mod.rs
+++ b/rosenpass/src/protocol/mod.rs
@@ -86,6 +86,7 @@ pub mod constants;
 pub mod cookies;
 pub mod index;
 pub mod osk_domain_separator;
+pub mod test_vector_sets;
 pub mod testutils;
 pub mod timing;
 pub mod zerocopy;
--- a/rosenpass/src/protocol/protocol.rs
+++ b/rosenpass/src/protocol/protocol.rs
@@ -15,6 +15,7 @@ use std::{
 };

 use anyhow::{bail, ensure, Context, Result};
+use assert_tv::{TestVector, TestVectorNOP};
 use memoffset::span_of;
 use zerocopy::{AsBytes, FromBytes, Ref};

@@ -33,6 +34,10 @@ use rosenpass_util::{
    time::Timebase,
 };

+use crate::protocol::test_vector_sets::{
+    CycledBiscuitSecretKeyTestValues, EncapsAndMixTestValues, HandleInitHelloTestValues,
+    HandleInitiationTestValues, StoreBiscuitTestValues,
+};
 use crate::{hash_domains, msgs::*, RosenpassError};

 use super::basic_types::{
@@ -1392,6 +1397,20 @@ impl CryptoServer {
    ///
    /// Swap the biscuit keys, also advancing both biscuit key's mortality
    pub fn active_biscuit_key(&mut self) -> BiscuitKeyPtr {
+        self.active_biscuit_key_with_test_vector::<TestVectorNOP>()
+    }
+
+    /// Generic variant of [`Self::active_biscuit_key`] that allows selecting
+    /// a [`TestVector`] implementation.
+    ///
+    /// This function is primarily intended for testing with different
+    /// test vector strategies. In production code, prefer using
+    /// [`Self::active_biscuit_key`], which defaults to [`assert_tv::TestVectorNOP`].
+    ///
+    /// Use this function with [`assert_tv::TestVectorActive`] in tests that require
+    /// applying actual test vectors. See the `tests::test_vector_crypto_server`
+    /// test for an example
+    pub fn active_biscuit_key_with_test_vector<TV: TestVector>(&mut self) -> BiscuitKeyPtr {
        let (a, b) = (BiscuitKeyPtr(0), BiscuitKeyPtr(1));
        let (t, u) = (a.get(self).created_at, b.get(self).created_at);

@@ -1407,6 +1426,11 @@ impl CryptoServer {
        let r = if t < u { a } else { b };
        let tb = self.timebase.clone();
        r.get_mut(self).randomize(&tb);
+        let test_values: CycledBiscuitSecretKeyTestValues = TV::initialize_values();
+        TV::expose_mut_value(
+            &test_values.cycled_biscuit_secret_key,
+            &mut self.biscuit_keys[r.0].value,
+        );
        r
    }

@@ -1725,6 +1749,7 @@ impl Mortal for KnownInitConfResponsePtr {
 /// # Examples
 ///
 /// ```
+/// use assert_tv::TestVector;
 /// use rosenpass::protocol::{timing::Timing, Mortal, MortalExt, Lifecycle, CryptoServer, ProtocolVersion};
 /// use rosenpass::protocol::testutils::{ServerForTesting, time_travel_forward};
 ///
@@ -1865,13 +1890,31 @@ impl CryptoServer {
    ///
    /// See [Self::poll] on how to use this function with poll.
    pub fn initiate_handshake(&mut self, peer: PeerPtr, tx_buf: &mut [u8]) -> Result<usize> {
+        self.initiate_handshake_with_test_vector::<TestVectorNOP>(peer, tx_buf)
+    }
+
+    /// Generic variant of [`Self::initiate_handshake`] that allows selecting
+    /// a [`TestVector`] implementation.
+    ///
+    /// This function is primarily intended for testing with different
+    /// test vector strategies. In production code, prefer using
+    /// [`Self::initiate_handshake`], which defaults to [`assert_tv::TestVectorNOP`].
+    ///
+    /// Use this function with [`assert_tv::TestVectorActive`] in tests that require
+    /// applying actual test vectors. See the `tests::test_vector_crypto_server`
+    /// test for an example
+    pub fn initiate_handshake_with_test_vector<TV: TestVector>(
+        &mut self,
+        peer: PeerPtr,
+        tx_buf: &mut [u8],
+    ) -> Result<usize> {
        // NOTE retransmission? yes if initiator, no if responder
        // TODO remove unnecessary copying between global tx_buf and per-peer buf
        // TODO move retransmission storage to io server
        //
        // Envelope::<InitHello>::default(); // TODO
        let mut msg = truncating_cast_into::<Envelope<InitHello>>(tx_buf)?;
-        self.handle_initiation(peer, &mut msg.payload)?;
+        self.handle_initiation_with_test_vector::<TV>(peer, &mut msg.payload)?;
        let len = self.seal_and_commit_msg(peer, MsgType::InitHello, &mut msg)?;
        peer.hs()
            .store_msg_for_retransmission(self, msg.as_bytes())?;
@@ -1943,7 +1986,7 @@ impl CryptoServer {
        &mut self,
        rx_buf: &[u8],
        tx_buf: &mut [u8],
-        host_identification: &H,
+        _host_identification: &H,
    ) -> Result<HandleMsgResult> {
        self.handle_msg(rx_buf, tx_buf)
    }
@@ -2111,6 +2154,24 @@ impl CryptoServer {
    ///
    /// See [Self::poll] on how to use this function with poll.
    pub fn handle_msg(&mut self, rx_buf: &[u8], tx_buf: &mut [u8]) -> Result<HandleMsgResult> {
+        self.handle_msg_with_test_vector::<TestVectorNOP>(rx_buf, tx_buf)
+    }
+
+    /// Generic message handler that allows selecting a [`TestVector`]
+    /// implementation.
+    ///
+    /// This function is primarily intended for **testing** with different
+    /// test vector strategies. In production code, prefer using
+    /// [`Self::handle_msg`], which defaults to [`assert_tv::TestVectorNOP`].
+    ///
+    /// Use this function with [`assert_tv::TestVectorActive`] in tests that require
+    /// applying actual test vectors. See the `tests::test_vector_crypto_server`
+    /// test for an example
+    pub fn handle_msg_with_test_vector<TV: TestVector>(
+        &mut self,
+        rx_buf: &[u8],
+        tx_buf: &mut [u8],
+    ) -> Result<HandleMsgResult> {
        let seal_broken = "Message seal broken!";
        // length of the response. We assume no response, so None for now
        let mut len = 0;
@@ -2131,7 +2192,7 @@ impl CryptoServer {

                // At this point, we do not know the hash functon used by the peer, thus we try both,
                // with a preference for SHAKE256.
-                let peer_shake256 = self.handle_init_hello(
+                let peer_shake256 = self.handle_init_hello_with_test_vector::<TV>(
                    &msg_in.payload,
                    &mut msg_out.payload,
                    KeyedHash::keyed_shake256(),
@@ -2139,7 +2200,7 @@ impl CryptoServer {
                let (peer, peer_hash_choice) = match peer_shake256 {
                    Ok(peer) => (peer, KeyedHash::keyed_shake256()),
                    Err(_) => {
-                        let peer_blake2b = self.handle_init_hello(
+                        let peer_blake2b = self.handle_init_hello_with_test_vector::<TV>(
                            &msg_in.payload,
                            &mut msg_out.payload,
                            KeyedHash::incorrect_hmac_blake2b(),
@@ -3159,8 +3220,48 @@ impl HandshakeState {
        ct: &mut [u8; KEM_CT_LEN],
        pk: &[u8; KEM_PK_LEN],
    ) -> Result<&mut Self> {
+        self.encaps_and_mix_with_test_vector(kem, ct, pk, std::marker::PhantomData::<TestVectorNOP>)
+    }
+
+    /// Generic variant of [`Self::encaps_and_mix`] that allows selecting
+    /// a [`TestVector`] implementation.
+    ///
+    /// This function is primarily intended for testing with different
+    /// test vector strategies. In production code, prefer using
+    /// [`Self::encaps_and_mix`], which defaults to [`assert_tv::TestVectorNOP`].
+    ///
+    /// Use this function with [`assert_tv::TestVectorActive`] in tests that require
+    /// applying actual test vectors. See the `tests::test_vector_crypto_server`
+    /// test for an example.
+    ///
+    /// Note on `_tv: PhantomData<TV>` parameter:
+    /// - Rust’s type inference ties generic parameter specification together;
+    ///   explicitly selecting `TV` with turbofish can force you to also spell
+    ///   out the const generics.
+    /// - By adding a value parameter of type `PhantomData<TV>`, you can choose
+    ///   `TV` at the call site while allowing the compiler to infer `KEM_*`
+    ///    const generics from `ct` and `pk`.
+    /// - Call like: `encaps_and_mix_with_test_vector(&StaticKem, &mut ct, pk,
+    ///   PhantomData::<TestVectorActive>)?;`
+    pub fn encaps_and_mix_with_test_vector<
+        const KEM_SK_LEN: usize,
+        const KEM_PK_LEN: usize,
+        const KEM_CT_LEN: usize,
+        const KEM_SHK_LEN: usize,
+        KemImpl: Kem<KEM_SK_LEN, KEM_PK_LEN, KEM_CT_LEN, KEM_SHK_LEN>,
+        TV: TestVector,
+    >(
+        &mut self,
+        kem: &KemImpl,
+        ct: &mut [u8; KEM_CT_LEN],
+        pk: &[u8; KEM_PK_LEN],
+        _tv: std::marker::PhantomData<TV>,
+    ) -> Result<&mut Self> {
+        let test_values: EncapsAndMixTestValues<KEM_CT_LEN, KEM_SHK_LEN> = TV::initialize_values();
        let mut shk = Secret::<KEM_SHK_LEN>::zero();
        kem.encaps(shk.secret_mut(), ct, pk)?;
+        TV::expose_mut_value(&test_values.shk, &mut shk);
+        TV::expose_mut_value(&test_values.ct, ct);
        self.mix(pk)?.mix(shk.secret())?.mix(ct)
    }

@@ -3199,6 +3300,26 @@ impl HandshakeState {
        peer: PeerPtr,
        biscuit_ct: &mut [u8],
    ) -> Result<&mut Self> {
+        self.store_biscuit_with_test_vector::<TestVectorNOP>(srv, peer, biscuit_ct)
+    }
+
+    /// Generic variant of [`Self::store_biscuit`] that allows selecting
+    /// a [`TestVector`] implementation.
+    ///
+    /// This function is primarily intended for testing with different
+    /// test vector strategies. In production code, prefer using
+    /// [`Self::store_biscuit`], which defaults to [`assert_tv::TestVectorNOP`].
+    ///
+    /// Use this function with [`assert_tv::TestVectorActive`] in tests that require
+    /// applying actual test vectors. See the `tests::test_vector_crypto_server`
+    /// test for an example
+    pub fn store_biscuit_with_test_vector<TV: TestVector>(
+        &mut self,
+        srv: &mut CryptoServer,
+        peer: PeerPtr,
+        biscuit_ct: &mut [u8],
+    ) -> Result<&mut Self> {
+        let test_values: StoreBiscuitTestValues = TV::initialize_values();
        let mut biscuit = Secret::<BISCUIT_PT_LEN>::zero(); // pt buffer
        let mut biscuit: Ref<&mut [u8], Biscuit> =
            Ref::new(biscuit.secret_mut().as_mut_slice()).unwrap();
@@ -3212,6 +3333,8 @@ impl HandshakeState {
            .ck
            .copy_from_slice(self.ck.clone().danger_into_secret().secret());

+        TV::check_value(&test_values.biscuit, &biscuit.as_bytes().to_vec());
+
        // calculate ad contents
        let ad = hash_domains::biscuit_ad(peer.get(srv).protocol_version.keyed_hash())?
            .mix(srv.spkm.deref())?
@@ -3224,14 +3347,18 @@ impl HandshakeState {

        // The first bit of the nonce indicates which biscuit key was used
        // TODO: This is premature optimization. Remove!
-        let bk = srv.active_biscuit_key();
+        let bk = srv.active_biscuit_key_with_test_vector::<TV>();
        let mut n = XAEADNonce::random();
+
+        TV::expose_mut_value(&test_values.n, &mut n);
+
        n[0] &= 0b0111_1111;
        n[0] |= (bk.0 as u8 & 0x1) << 7;

        let k = bk.get(srv).value.secret();
        let pt = biscuit.as_bytes();
-        XAead.encrypt_with_nonce_in_ctxt(biscuit_ct, k, &*n, &ad, pt)?;
+        XAead.encrypt_with_nonce_in_ctxt(biscuit_ct, k, &n, &ad, pt)?;
+        TV::check_value(&test_values.biscuit_ct, &biscuit_ct.to_vec());

        self.mix(biscuit_ct)
    }
@@ -3400,6 +3527,26 @@ impl CryptoServer {
    /// Core cryptographic protocol implementation: Kicks of the handshake
    /// on the initiator side, producing the InitHello message.
    pub fn handle_initiation(&mut self, peer: PeerPtr, ih: &mut InitHello) -> Result<PeerPtr> {
+        self.handle_initiation_with_test_vector::<TestVectorNOP>(peer, ih)
+    }
+
+    /// Generic variant of [`Self::handle_initiation`] that allows selecting
+    /// a [`TestVector`] implementation.
+    ///
+    /// This function is primarily intended for testing with different
+    /// test vector strategies. In production code, prefer using
+    /// [`Self::handle_initiation`], which defaults to [`assert_tv::TestVectorNOP`].
+    ///
+    /// Use this function with [`assert_tv::TestVectorActive`] in tests that require
+    /// applying actual test vectors. See the `tests::test_vector_crypto_server`
+    /// test for an example
+    pub fn handle_initiation_with_test_vector<TV: TestVector>(
+        &mut self,
+        peer: PeerPtr,
+        ih: &mut InitHello,
+    ) -> Result<PeerPtr> {
+        let test_values: HandleInitiationTestValues = TV::initialize_values();
+
        #[cfg(feature = "trace_bench")]
        let _span_guard = rosenpass_util::trace_bench::trace().emit_span("handle_initiation");

@@ -3408,6 +3555,12 @@ impl CryptoServer {
            peer.get(self).protocol_version.keyed_hash(),
        );

+        // hs.cookie_value.created_at = tv_const!(hs.cookie_value.created_at, "init_handshake-cookie-created_at");
+        TV::expose_mut_value(
+            &test_values.init_handshake_cookie,
+            &mut hs.cookie_value.value,
+        );
+
        // IHI1
        protocol_section!("IHI1", {
            hs.core.init(peer.get(self).spkt.deref())?;
@@ -3416,33 +3569,54 @@ impl CryptoServer {
        // IHI2
        protocol_section!("IHI2", {
            hs.core.sidi.randomize();
+            TV::expose_mut_value(&test_values.init_handshake_sidi, &mut hs.core.sidi);
            ih.sidi.copy_from_slice(&hs.core.sidi.value);
        });

        // IHI3
        protocol_section!("IHI3", {
-            EphemeralKem.keygen(hs.eski.secret_mut(), &mut *hs.epki)?;
+            EphemeralKem.keygen(hs.eski.secret_mut(), &mut hs.epki)?;
+            TV::expose_mut_value(&test_values.init_handshake_eski, &mut hs.eski);
+            TV::expose_mut_value(&test_values.init_handshake_epki, &mut hs.epki);
            ih.epki.copy_from_slice(&hs.epki.value);
        });

        // IHI4
        protocol_section!("IHI4", {
            hs.core.mix(ih.sidi.as_slice())?.mix(ih.epki.as_slice())?;
+            TV::check_value(
+                &test_values.init_handshake_mix_1,
+                &hs.core.ck.clone().danger_into_secret(),
+            );
        });

        // IHI5
        protocol_section!("IHI5", {
-            hs.core
-                .encaps_and_mix(&StaticKem, &mut ih.sctr, peer.get(self).spkt.deref())?;
+            use std::marker::PhantomData;
+            hs.core.encaps_and_mix_with_test_vector(
+                &StaticKem,
+                &mut ih.sctr,
+                peer.get(self).spkt.deref(),
+                PhantomData::<TV>,
+            )?;
+            TV::check_value(
+                &test_values.init_handshake_mix_2,
+                &hs.core.ck.clone().danger_into_secret(),
+            );
        });

        // IHI6
        protocol_section!("IHI6", {
            hs.core.encrypt_and_mix(
-                ih.pidic.as_mut_slice(),
+                ih.pidi_ct.as_mut_slice(),
                self.pidm(peer.get(self).protocol_version.keyed_hash())?
                    .as_ref(),
            )?;
+            TV::check_value(&test_values.init_hello_pidi_ct, &ih.pidi_ct);
+            TV::check_value(
+                &test_values.init_handshake_mix_3,
+                &hs.core.ck.clone().danger_into_secret(),
+            );
        });

        // IHI7
@@ -3450,16 +3624,24 @@ impl CryptoServer {
            hs.core
                .mix(self.spkm.deref())?
                .mix(peer.get(self).psk.secret())?;
+            TV::check_value(
+                &test_values.init_handshake_mix_4,
+                &hs.core.ck.clone().danger_into_secret(),
+            );
        });

        // IHI8
        protocol_section!("IHI8", {
            hs.core.encrypt_and_mix(ih.auth.as_mut_slice(), &[])?;
+            TV::check_value(&test_values.init_hello_auth, &ih.auth);
+            TV::check_value(
+                &test_values.init_handshake_mix_5,
+                &hs.core.ck.clone().danger_into_secret(),
+            );
        });

        // Update the handshake hash last (not changing any state on prior error
        peer.hs().insert(self, hs)?;
-
        Ok(peer)
    }

@@ -3471,6 +3653,27 @@ impl CryptoServer {
        rh: &mut RespHello,
        keyed_hash: KeyedHash,
    ) -> Result<PeerPtr> {
+        self.handle_init_hello_with_test_vector::<TestVectorNOP>(ih, rh, keyed_hash)
+    }
+
+    /// Generic variant of [`Self::handle_init_hello`] that allows selecting
+    /// a [`TestVector`] implementation.
+    ///
+    /// This function is primarily intended for testing with different
+    /// test vector strategies. In production code, prefer using
+    /// [`Self::handle_init_hello`], which defaults to [`assert_tv::TestVectorNOP`].
+    ///
+    /// Use this function with [`assert_tv::TestVectorActive`] in tests that require
+    /// applying actual test vectors. See the `tests::test_vector_crypto_server`
+    /// test for an example
+    pub fn handle_init_hello_with_test_vector<TV: TestVector>(
+        &mut self,
+        ih: &InitHello,
+        rh: &mut RespHello,
+        keyed_hash: KeyedHash,
+    ) -> Result<PeerPtr> {
+        let test_values: HandleInitHelloTestValues = TV::initialize_values();
+
        #[cfg(feature = "trace_bench")]
        let _span_guard = rosenpass_util::trace_bench::trace().emit_span("handle_init_hello");

@@ -3487,34 +3690,55 @@ impl CryptoServer {
        protocol_section!("IHR4", {
            core.mix(&ih.sidi)?.mix(&ih.epki)?;
        });
+        TV::check_value(
+            &test_values.chaining_key_ihr_4,
+            &core.ck.clone().danger_into_secret(),
+        );

        // IHR5
        protocol_section!("IHR5", {
            core.decaps_and_mix(&StaticKem, self.sskm.secret(), self.spkm.deref(), &ih.sctr)?;
        });
+        TV::check_value(
+            &test_values.chaining_key_ihr_5,
+            &core.ck.clone().danger_into_secret(),
+        );

        // IHR6
        let peer = protocol_section!("IHR6", {
            let mut peerid = PeerId::zero();
-            core.decrypt_and_mix(&mut *peerid, &ih.pidic)?;
+            core.decrypt_and_mix(&mut *peerid, &ih.pidi_ct)?;
            self.find_peer(peerid)
                .with_context(|| format!("No such peer {peerid:?}."))?
        });
+        TV::check_value(
+            &test_values.chaining_key_ihr_6,
+            &core.ck.clone().danger_into_secret(),
+        );

        // IHR7
        protocol_section!("IHR7", {
            core.mix(peer.get(self).spkt.deref())?
                .mix(peer.get(self).psk.secret())?;
        });
+        TV::check_value(
+            &test_values.chaining_key_ihr_7,
+            &core.ck.clone().danger_into_secret(),
+        );

        // IHR8
        protocol_section!("IHR8", {
            core.decrypt_and_mix(&mut [0u8; 0], &ih.auth)?;
        });
+        TV::check_value(
+            &test_values.chaining_key_ihr_8,
+            &core.ck.clone().danger_into_secret(),
+        );

        // RHR1
        protocol_section!("RHR1", {
            core.sidr.randomize();
+            TV::expose_mut_value(&test_values.session_id, &mut core.sidr);
            rh.sidi.copy_from_slice(core.sidi.as_ref());
            rh.sidr.copy_from_slice(core.sidr.as_ref());
        });
@@ -3522,28 +3746,59 @@ impl CryptoServer {
        // RHR3
        protocol_section!("RHR3", {
            core.mix(&rh.sidr)?.mix(&rh.sidi)?;
+            TV::check_value(
+                &test_values.chaining_key_rhr_3,
+                &core.ck.clone().danger_into_secret(),
+            );
        });

        // RHR4
        protocol_section!("RHR4", {
-            core.encaps_and_mix(&EphemeralKem, &mut rh.ecti, &ih.epki)?;
+            use std::marker::PhantomData;
+            core.encaps_and_mix_with_test_vector(
+                &EphemeralKem,
+                &mut rh.ecti,
+                &ih.epki,
+                PhantomData::<TV>,
+            )?;
+            TV::check_value(
+                &test_values.chaining_key_rhr_4,
+                &core.ck.clone().danger_into_secret(),
+            );
        });

        // RHR5
        protocol_section!("RHR5", {
-            core.encaps_and_mix(&StaticKem, &mut rh.scti, peer.get(self).spkt.deref())?;
+            use std::marker::PhantomData;
+            core.encaps_and_mix_with_test_vector(
+                &StaticKem,
+                &mut rh.scti,
+                peer.get(self).spkt.deref(),
+                PhantomData::<TV>,
+            )?;
+            TV::check_value(
+                &test_values.chaining_key_rhr_5,
+                &core.ck.clone().danger_into_secret(),
+            );
        });

        // RHR6
        protocol_section!("RHR6", {
-            core.store_biscuit(self, peer, &mut rh.biscuit)?;
+            core.store_biscuit_with_test_vector::<TV>(self, peer, &mut rh.biscuit_ct)?;
+            TV::check_value(
+                &test_values.chaining_key_rhr_6,
+                &core.ck.clone().danger_into_secret(),
+            );
        });

        // RHR7
        protocol_section!("RHR7", {
            core.encrypt_and_mix(&mut rh.auth, &[])?;
+            TV::check_value(
+                &test_values.chaining_key_rhr_7,
+                &core.ck.clone().danger_into_secret(),
+            );
        });
-
        Ok(peer)
    }

@@ -3617,7 +3872,7 @@ impl CryptoServer {

        // RHI6
        protocol_section!("RHI6", {
-            core.mix(&rh.biscuit)?;
+            core.mix(&rh.biscuit_ct)?;
        });

        // RHI7
@@ -3634,7 +3889,7 @@ impl CryptoServer {
        // ICI3
        protocol_section!("ICI3", {
            core.mix(&ic.sidi)?.mix(&ic.sidr)?;
-            ic.biscuit.copy_from_slice(&rh.biscuit);
+            ic.biscuit_ct.copy_from_slice(&rh.biscuit_ct);
        });

        // ICI4
@@ -3682,7 +3937,7 @@ impl CryptoServer {
        let (peer, biscuit_no, mut core) = protocol_section!("ICR1", {
            HandshakeState::load_biscuit(
                self,
-                &ic.biscuit,
+                &ic.biscuit_ct,
                SessionId::from_slice(&ic.sidi),
                SessionId::from_slice(&ic.sidr),
                keyed_hash,
--- a/rosenpass/src/protocol/test.rs
+++ b/rosenpass/src/protocol/test.rs
@@ -55,12 +55,14 @@ fn setup_logging() {

 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn handles_incorrect_size_messages_v02() {
    handles_incorrect_size_messages(ProtocolVersion::V02)
 }

 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn handles_incorrect_size_messages_v03() {
    handles_incorrect_size_messages(ProtocolVersion::V03)
 }
@@ -163,12 +165,14 @@ fn make_server_pair(protocol_version: ProtocolVersion) -> Result<(CryptoServer,

 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn test_regular_exchange_v02() {
    test_regular_exchange(ProtocolVersion::V02)
 }

 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn test_regular_exchange_v03() {
    test_regular_exchange(ProtocolVersion::V03)
 }
@@ -234,12 +238,14 @@ fn test_regular_exchange(protocol_version: ProtocolVersion) {

 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn test_regular_init_conf_retransmit_v02() {
    test_regular_init_conf_retransmit(ProtocolVersion::V02)
 }

 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn test_regular_init_conf_retransmit_v03() {
    test_regular_init_conf_retransmit(ProtocolVersion::V03)
 }
@@ -507,11 +513,13 @@ fn cookie_reply_mechanism_initiator_bails_on_message_under_load(protocol_version
 }

 #[test]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn init_conf_retransmission_v02() -> Result<()> {
    init_conf_retransmission(ProtocolVersion::V02)
 }

 #[test]
+#[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
 fn init_conf_retransmission_v03() -> Result<()> {
    init_conf_retransmission(ProtocolVersion::V03)
 }
--- a/rosenpass/src/protocol/test_vector_sets.rs
+++ b/rosenpass/src/protocol/test_vector_sets.rs
@@ -0,0 +1,176 @@
+//! Test vector definitions for derandomizing protocol internals.
+//!
+//! This module contains the definitions of internal test vector values used by
+//! `CryptoServer` and the functions in `protocol.rs`. These values allow the
+//! protocol implementation to be derandomized for deterministic testing and
+//! reproducible behavior across runs.
+//!
+//! For an example of a test that uses these test vector values, see:
+//! `rosenpass/tests/test_vector_crypto_server.rs`.
+
+use crate::msgs::SESSION_ID_LEN;
+use crate::protocol::basic_types::SessionId;
+use crate::protocol::constants::COOKIE_VALUE_LEN;
+use anyhow::anyhow;
+use assert_tv::TestValue;
+use assert_tv::TestVectorSet;
+use base64::Engine;
+use rosenpass_cipher_traits::primitives::{Aead, Kem};
+use rosenpass_ciphers::{EphemeralKem, XAead, KEY_LEN};
+use rosenpass_secret_memory::{Public, PublicBox, Secret};
+use serde_json::Value;
+
+#[derive(TestVectorSet)]
+pub struct EncapsAndMixTestValues<const KEM_CT_LEN: usize, const KEM_SHK_LEN: usize> {
+    #[test_vec(serialize_with = "serialize_byte_arr")]
+    #[test_vec(deserialize_with = "deserialize_byte_arr")]
+    pub ct: TestValue<[u8; KEM_CT_LEN]>,
+    pub shk: TestValue<Secret<KEM_SHK_LEN>>,
+}
+
+#[derive(TestVectorSet)]
+pub struct StoreBiscuitTestValues {
+    #[test_vec(serialize_with = "serialize_byte_vec")]
+    #[test_vec(deserialize_with = "deserialize_byte_vec")]
+    pub biscuit: TestValue<Vec<u8>>,
+
+    pub n: TestValue<Public<{ XAead::NONCE_LEN }>>,
+
+    #[test_vec(serialize_with = "serialize_byte_vec")]
+    #[test_vec(deserialize_with = "deserialize_byte_vec")]
+    pub biscuit_ct: TestValue<Vec<u8>>,
+}
+
+#[derive(TestVectorSet)]
+pub struct HandleInitiationTestValues {
+    #[test_vec(name = "hs.cookie_value.value")]
+    pub init_handshake_cookie: TestValue<Secret<COOKIE_VALUE_LEN>>,
+
+    #[test_vec(name = "hs.core.sidi")]
+    pub init_handshake_sidi: TestValue<Public<SESSION_ID_LEN>>,
+
+    #[test_vec(name = "hs.eski")]
+    pub init_handshake_eski: TestValue<Secret<{ EphemeralKem::SK_LEN }>>,
+
+    #[test_vec(name = "hs.core.ck")]
+    pub init_handshake_epki: TestValue<Public<{ EphemeralKem::PK_LEN }>>,
+
+    #[test_vec(name = "hs.core.ck 1")]
+    pub init_handshake_mix_1: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "hs.core.ck 2")]
+    pub init_handshake_mix_2: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "ih.pidi_ct")]
+    #[test_vec(serialize_with = "serialize_byte_arr")]
+    #[test_vec(deserialize_with = "deserialize_byte_arr")]
+    pub init_hello_pidi_ct: TestValue<[u8; rosenpass_ciphers::Aead::TAG_LEN + 32]>,
+
+    #[test_vec(name = "hs.core.ck 3")]
+    pub init_handshake_mix_3: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "hs.core.ck 4")]
+    pub init_handshake_mix_4: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "ih.auth")]
+    #[test_vec(serialize_with = "serialize_byte_arr")]
+    #[test_vec(deserialize_with = "deserialize_byte_arr")]
+    pub init_hello_auth: TestValue<[u8; rosenpass_ciphers::Aead::TAG_LEN]>,
+
+    #[test_vec(name = "hs.core.ck 5")]
+    pub init_handshake_mix_5: TestValue<Secret<KEY_LEN>>,
+}
+
+#[derive(TestVectorSet)]
+pub struct HandleInitHelloTestValues {
+    #[test_vec(name = "chaining_key_ihr IHR 4")]
+    pub chaining_key_ihr_4: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr IHR 5")]
+    pub chaining_key_ihr_5: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr IHR 6")]
+    pub chaining_key_ihr_6: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr IHR 7")]
+    pub chaining_key_ihr_7: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr IHR 8")]
+    pub chaining_key_ihr_8: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "session_id")]
+    pub session_id: TestValue<SessionId>,
+
+    #[test_vec(name = "chaining_key_ihr RHR 3")]
+    pub chaining_key_rhr_3: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr RHR 4")]
+    pub chaining_key_rhr_4: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr RHR 5")]
+    pub chaining_key_rhr_5: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr RHR 6")]
+    pub chaining_key_rhr_6: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "chaining_key_ihr RHR 7")]
+    pub chaining_key_rhr_7: TestValue<Secret<KEY_LEN>>,
+}
+
+#[derive(TestVectorSet)]
+pub struct InitHandshakeTestValues {
+    #[test_vec(serialize_with = "serialize_byte_vec")]
+    #[test_vec(deserialize_with = "deserialize_byte_vec")]
+    pub msg: TestValue<Vec<u8>>,
+}
+
+#[derive(TestVectorSet)]
+pub struct CycledBiscuitSecretKeyTestValues {
+    #[test_vec(name = "CryptoServer::biscuit_key[r]")]
+    #[test_vec(description = "Biscuit key after being cycled")]
+    pub cycled_biscuit_secret_key: TestValue<Secret<KEY_LEN>>,
+}
+
+// Serialization helpers for raw byte arrays and vectors.
+//
+// These functions provide a small bridge implementation to serialize/deserialize
+// standard values that do not carry serde implementations with the desired
+// base64 format by default. They are used by the test vector machinery to
+// encode `[u8; N]` and `Vec<u8>` values consistently.
+
+/// Serialize a byte array as a base64 JSON string (bridge for `[u8; N]`).
+pub fn serialize_byte_arr<const N: usize>(observed_value: &[u8; N]) -> anyhow::Result<Value> {
+    let encoded = base64::engine::general_purpose::STANDARD.encode(observed_value);
+    Ok(Value::String(encoded))
+}
+
+/// Deserialize a base64 JSON string into a byte array (bridge for `[u8; N]`).
+pub fn deserialize_byte_arr<const N: usize>(value: &Value) -> anyhow::Result<[u8; N]> {
+    let value: &str = value
+        .as_str()
+        .ok_or_else(|| anyhow!("Unexpected value, expected string"))?;
+    let decoded = base64::engine::general_purpose::STANDARD
+        .decode(value.as_bytes())
+        .map_err(|e| anyhow!("Couldn't decode value: {e}"))?;
+    decoded
+        .as_slice()
+        .try_into()
+        .map_err(|e| anyhow!("Couldn't convert to array of size={}: {e}", N))
+}
+
+/// Serialize a byte vector as a base64 JSON string (bridge for `Vec<u8>`).
+pub fn serialize_byte_vec(observed_value: &Vec<u8>) -> anyhow::Result<Value> {
+    let encoded = base64::engine::general_purpose::STANDARD.encode(observed_value);
+    Ok(Value::String(encoded))
+}
+
+/// Deserialize a base64 JSON string into a byte vector (bridge for `Vec<u8>`).
+pub fn deserialize_byte_vec(value: &Value) -> anyhow::Result<Vec<u8>> {
+    let value: &str = value
+        .as_str()
+        .ok_or_else(|| anyhow!("Unexpected value, expected string"))?;
+    let decoded = base64::engine::general_purpose::STANDARD
+        .decode(value.as_bytes())
+        .map_err(|e| anyhow!("Couldn't decode value: {e}"))?;
+    Ok(decoded)
+}
--- a/rosenpass/tests/api-integration-tests-api-setup.rs
+++ b/rosenpass/tests/api-integration-tests-api-setup.rs
@@ -105,7 +105,7 @@ fn api_integration_api_setup(protocol_version: ProtocolVersion) -> anyhow::Resul
                peer: format!("{}", peer_b_wg_peer_id.fmt_b64::<8129>()),
                extra_params: vec![],
            }),
-            protocol_version: protocol_version.clone(),
+            protocol_version: protocol_version,
            osk_domain_separator: Default::default(),
        }],
    };
@@ -127,7 +127,7 @@ fn api_integration_api_setup(protocol_version: ProtocolVersion) -> anyhow::Resul
            endpoint: Some(peer_a_endpoint.to_owned()),
            pre_shared_key: None,
            wg: None,
-            protocol_version: protocol_version.clone(),
+            protocol_version: protocol_version,
            osk_domain_separator: Default::default(),
        }],
    };
--- a/rosenpass/tests/api-integration-tests.rs
+++ b/rosenpass/tests/api-integration-tests.rs
@@ -82,7 +82,7 @@ fn api_integration_test(protocol_version: ProtocolVersion) -> anyhow::Result<()>
            endpoint: None,
            pre_shared_key: None,
            wg: None,
-            protocol_version: protocol_version.clone(),
+            protocol_version: protocol_version,
            osk_domain_separator: Default::default(),
        }],
    };
@@ -104,7 +104,7 @@ fn api_integration_test(protocol_version: ProtocolVersion) -> anyhow::Result<()>
            endpoint: Some(peer_a_endpoint.to_owned()),
            pre_shared_key: None,
            wg: None,
-            protocol_version: protocol_version.clone(),
+            protocol_version: protocol_version,
            osk_domain_separator: Default::default(),
        }],
    };
--- a/rosenpass/tests/app_server_example.rs
+++ b/rosenpass/tests/app_server_example.rs
@@ -10,11 +10,13 @@ use rosenpass::protocol::basic_types::{SPk, SSk, SymKey};
 use rosenpass::{config::ProtocolVersion, protocol::osk_domain_separator::OskDomainSeparator};

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn key_exchange_with_app_server_v02() -> anyhow::Result<()> {
    key_exchange_with_app_server(ProtocolVersion::V02)
 }

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn key_exchange_with_app_server_v03() -> anyhow::Result<()> {
    key_exchange_with_app_server(ProtocolVersion::V03)
 }
--- a/rosenpass/tests/config_Rosenpass_validate.rs
+++ b/rosenpass/tests/config_Rosenpass_validate.rs
@@ -3,6 +3,7 @@ use std::fs;
 use rosenpass::{cli::generate_and_save_keypair, config::Rosenpass};

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn example_config_rosenpass_validate() -> anyhow::Result<()> {
    rosenpass_secret_memory::policy::secret_policy_use_only_malloc_secrets();

--- a/rosenpass/tests/integration_test.rs
+++ b/rosenpass/tests/integration_test.rs
@@ -144,7 +144,7 @@ fn check_example_config() {

    let tmp_dir = tempdir().unwrap();
    let config_path = tmp_dir.path().join("config.toml");
-    let mut config_file = File::create(config_path.to_owned()).unwrap();
+    let mut config_file = File::create(&config_path).unwrap();

    config_file
        .write_all(
@@ -182,6 +182,7 @@ fn check_example_config() {
 // check that we can exchange keys
 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // TODO investigate why this panicks in miri
 fn check_exchange_under_normal() {
    setup_tests();
    setup_logging();
@@ -255,6 +256,7 @@ fn check_exchange_under_normal() {
 // This test creates a responder (server) with the feature flag "integration_test_always_under_load" to always be under load condition for the test.
 #[test]
 #[serial]
+#[cfg_attr(miri, ignore)] // integer-to-pointer cast
 fn check_exchange_under_dos() {
    setup_tests();
    setup_logging();
--- a/rosenpass/tests/poll_example.rs
+++ b/rosenpass/tests/poll_example.rs
@@ -19,16 +19,19 @@ use rosenpass::protocol::{CryptoServer, HostIdentification, PeerPtr, PollResult,
 // rosenpass::protocol::testutils;

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn test_successful_exchange_with_poll_v02() -> anyhow::Result<()> {
    test_successful_exchange_with_poll(ProtocolVersion::V02, OskDomainSeparator::default())
 }

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn test_successful_exchange_with_poll_v03() -> anyhow::Result<()> {
    test_successful_exchange_with_poll(ProtocolVersion::V03, OskDomainSeparator::default())
 }

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn test_successful_exchange_with_poll_v02_custom_domain_separator() -> anyhow::Result<()> {
    test_successful_exchange_with_poll(
        ProtocolVersion::V02,
@@ -37,6 +40,7 @@ fn test_successful_exchange_with_poll_v02_custom_domain_separator() -> anyhow::R
 }

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn test_successful_exchange_with_poll_v03_custom_domain_separator() -> anyhow::Result<()> {
    test_successful_exchange_with_poll(
        ProtocolVersion::V03,
@@ -108,11 +112,13 @@ fn test_successful_exchange_with_poll(
 }

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn test_successful_exchange_under_packet_loss_v02() -> anyhow::Result<()> {
    test_successful_exchange_under_packet_loss(ProtocolVersion::V02)
 }

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn test_successful_exchange_under_packet_loss_v03() -> anyhow::Result<()> {
    test_successful_exchange_under_packet_loss(ProtocolVersion::V03)
 }
@@ -202,6 +208,7 @@ fn test_successful_exchange_under_packet_loss(
 }

 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `mprotect` on OS `linux`
 fn test_osk_label_mismatch() -> anyhow::Result<()> {
    // Set security policy for storing secrets; choose the one that is faster for testing
    rosenpass_secret_memory::policy::secret_policy_use_only_malloc_secrets();
--- a/rosenpass/tests/test_vector_crypto_server.rs
+++ b/rosenpass/tests/test_vector_crypto_server.rs
@@ -0,0 +1,181 @@
+//! # Deterministic protocol test based on captured internal randomness
+//!
+//! This test validates the rosenpass protocol implementation by recording all internal randomness
+//! during execution and saving it to a test vector file (`crypto_server_test_vector_1.toml`).
+//! On subsequent runs, the test replays this randomness to enforce deterministic behavior,
+//! making any changes to the protocol's internal logic observable through test failures.
+//!
+//! ## Reinitializing the Test Vector
+//!
+//! If the test fails due to a mismatch between current output and the recorded test vector,
+//! it likely indicates a change in implementation. To accept and re-record the new behavior,
+//! re-run the test in initialization mode by setting the environment variable:
+//!
+//! ```bash
+//! TEST_MODE=init cargo test crypto_server_test_vector_1
+//! ```
+
+use assert_tv::{test_vec_case, TestValue, TestVector, TestVectorActive, TestVectorSet};
+use rosenpass::protocol::basic_types::{MsgBuf, SPk, SSk, SymKey};
+use rosenpass::protocol::osk_domain_separator::OskDomainSeparator;
+use rosenpass::protocol::test_vector_sets::deserialize_byte_vec;
+use rosenpass::protocol::test_vector_sets::serialize_byte_vec;
+use rosenpass::protocol::{CryptoServer, PeerPtr, ProtocolVersion};
+use rosenpass_cipher_traits::primitives::Kem;
+use rosenpass_ciphers::StaticKem;
+use rosenpass_secret_memory::policy::*;
+use rosenpass_secret_memory::{PublicBox, Secret};
+use std::ops::DerefMut;
+
+use rosenpass::protocol::constants::COOKIE_SECRET_LEN;
+use rosenpass_ciphers::KEY_LEN;
+
+#[derive(TestVectorSet)]
+pub struct TestCaseValues {
+    #[test_vec(name = "peer_a_sk")]
+    #[test_vec(description = "test setup: peer a secret key")]
+    #[test_vec(offload = true)]
+    peer_a_sk: TestValue<Secret<{ StaticKem::SK_LEN }>>,
+    #[test_vec(name = "peer_a_pk")]
+    #[test_vec(description = "test setup: peer a public key")]
+    #[test_vec(offload = true)]
+    peer_a_pk: TestValue<PublicBox<{ StaticKem::PK_LEN }>>,
+
+    #[test_vec(name = "peer_b_sk")]
+    #[test_vec(description = "test setup: peer b secret key")]
+    #[test_vec(offload = true)]
+    peer_b_sk: TestValue<Secret<{ StaticKem::SK_LEN }>>,
+    #[test_vec(name = "peer_b_pk")]
+    #[test_vec(description = "test setup: peer b public key")]
+    #[test_vec(offload = true)]
+    peer_b_pk: TestValue<PublicBox<{ StaticKem::PK_LEN }>>,
+
+    #[test_vec(name = "psk")]
+    #[test_vec(description = "pre-shared key")]
+    psk: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "message")]
+    #[test_vec(description = "message exchanged by the protocol parties")]
+    #[test_vec(serialize_with = "serialize_byte_vec")]
+    #[test_vec(deserialize_with = "deserialize_byte_vec")]
+    #[test_vec(offload = true)]
+    message: TestValue<Vec<u8>>,
+
+    #[test_vec(name = "exchanged_key")]
+    #[test_vec(description = "final exchanged key")]
+    exchanged_key: TestValue<Secret<KEY_LEN>>,
+}
+
+#[derive(TestVectorSet)]
+struct CryptoServerTestValues {
+    #[test_vec(name = "CryptoServer::cookie_secrets[0]")]
+    cookie_secret_0: TestValue<Secret<COOKIE_SECRET_LEN>>,
+
+    #[test_vec(name = "CryptoServer::cookie_secrets[1]")]
+    cookie_secret_1: TestValue<Secret<COOKIE_SECRET_LEN>>,
+
+    #[test_vec(name = "CryptoServer::biscuit_keys[0]")]
+    biscuit_key_0: TestValue<Secret<KEY_LEN>>,
+
+    #[test_vec(name = "CryptoServer::biscuit_keys[1]")]
+    biscuit_key_1: TestValue<Secret<KEY_LEN>>,
+}
+
+#[test_vec_case(format = "toml")]
+#[cfg_attr(miri, ignore)] // unsupported operation: can't call foreign function `ZSTD_DStreamInSize` on OS `linux`
+fn crypto_server_test_vector_1() -> anyhow::Result<()> {
+    type TV = TestVectorActive;
+    let test_values: TestCaseValues = TV::initialize_values();
+
+    // Set security policy for storing secrets
+    secret_policy_try_use_memfd_secrets();
+
+    // initialize secret and public key for peer a ...
+    let (mut peer_a_sk, mut peer_a_pk) = gen_keypair::<TV>();
+
+    TV::expose_mut_value(&test_values.peer_a_sk, &mut peer_a_sk);
+    TV::expose_mut_value(&test_values.peer_a_pk, &mut peer_a_pk);
+
+    // ... and for peer b
+    let (mut peer_b_sk, mut peer_b_pk) = gen_keypair::<TV>();
+
+    TV::expose_mut_value(&test_values.peer_b_sk, &mut peer_b_sk);
+    TV::expose_mut_value(&test_values.peer_b_pk, &mut peer_b_pk);
+
+    // initialize server and a pre-shared key
+    let psk = TV::expose_value(&test_values.psk, SymKey::random());
+
+    let mut a = CryptoServer::new(peer_a_sk, peer_a_pk.clone());
+    de_randomize_time_base_cookie_secrets::<TV>(&mut a);
+
+    let mut b = CryptoServer::new(peer_b_sk, peer_b_pk.clone());
+    de_randomize_time_base_cookie_secrets::<TV>(&mut b);
+
+    // introduce peers to each other
+    a.add_peer(
+        Some(psk.clone()),
+        peer_b_pk,
+        ProtocolVersion::V03,
+        OskDomainSeparator::default(),
+    )?;
+    b.add_peer(
+        Some(psk),
+        peer_a_pk,
+        ProtocolVersion::V03,
+        OskDomainSeparator::default(),
+    )?;
+
+    // declare buffers for message exchange
+    let (mut a_buf, mut b_buf) = (MsgBuf::zero(), MsgBuf::zero());
+
+    // let a initiate a handshake
+    let mut maybe_len =
+        Some(a.initiate_handshake_with_test_vector::<TV>(PeerPtr(0), a_buf.as_mut_slice())?);
+
+    // let a and b communicate
+    while let Some(len) = maybe_len {
+        TV::check_value(&test_values.message, &a_buf[..len].to_vec());
+        maybe_len = b
+            .handle_msg_with_test_vector::<TV>(&a_buf[..len], &mut b_buf[..])?
+            .resp;
+        std::mem::swap(&mut a, &mut b);
+        std::mem::swap(&mut a_buf, &mut b_buf);
+    }
+
+    // all done! Extract the shared keys and ensure they are identical
+    let a_key = a.osk(PeerPtr(0))?;
+    let b_key = b.osk(PeerPtr(0))?;
+    assert_eq!(
+        a_key.secret(),
+        b_key.secret(),
+        "the key exchanged failed to establish a shared secret"
+    );
+
+    TV::check_value(&test_values.exchanged_key, &a_key);
+    Ok(())
+}
+fn gen_keypair<TV: TestVector>() -> (SSk, SPk) {
+    let (mut sk, mut pk) = (SSk::zero(), SPk::zero());
+    StaticKem
+        .keygen(sk.secret_mut(), pk.deref_mut())
+        .expect("Error generating keypair");
+    (sk, pk)
+}
+
+pub fn de_randomize_time_base_cookie_secrets<TV: TestVector>(cs: &mut CryptoServer) {
+    let test_values: CryptoServerTestValues = TV::initialize_values();
+
+    TV::expose_mut_value(
+        &test_values.cookie_secret_0,
+        &mut cs.cookie_secrets[0].value,
+    );
+
+    TV::expose_mut_value(
+        &test_values.cookie_secret_1,
+        &mut cs.cookie_secrets[1].value,
+    );
+
+    TV::expose_mut_value(&test_values.biscuit_key_0, &mut cs.biscuit_keys[0].value);
+
+    TV::expose_mut_value(&test_values.biscuit_key_1, &mut cs.biscuit_keys[1].value);
+}
--- a/rp/Cargo.toml
+++ b/rp/Cargo.toml
@@ -1,5 +1,5 @@
 [package]
-name = "rp"
+name = "rosenpass-rp"
 version = "0.2.1"
 edition = "2021"
 license = "MIT OR Apache-2.0"
@@ -8,7 +8,9 @@ homepage = "https://rosenpass.eu/"
 repository = "https://github.com/rosenpass/rosenpass"
 rust-version = "1.77.0"

-# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+[[bin]]
+name = "rp"
+path = "src/main.rs"

 [dependencies]
 anyhow = { workspace = true }
@@ -17,12 +19,15 @@ serde = { workspace = true }
 toml = { workspace = true }
 x25519-dalek = { workspace = true, features = ["static_secrets"] }
 zeroize = { workspace = true }
+libc = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }

 rosenpass = { workspace = true }
 rosenpass-ciphers = { workspace = true }
 rosenpass-cipher-traits = { workspace = true }
 rosenpass-secret-memory = { workspace = true }
-rosenpass-util = { workspace = true }
+rosenpass-util = { workspace = true, features = ["tokio"] }
 rosenpass-wireguard-broker = { workspace = true }

 tokio = { workspace = true }
--- a/rp/src/exchange.rs
+++ b/rp/src/exchange.rs
@@ -1,16 +1,63 @@
-use std::{
-    future::Future, net::SocketAddr, ops::DerefMut, path::PathBuf, pin::Pin, process::Command,
-    sync::Arc,
-};
+use std::any::type_name;
+use std::{borrow::Borrow, net::SocketAddr, path::PathBuf};

-use anyhow::{Error, Result};
+use tokio::process::Command;
+
+use anyhow::{bail, ensure, Context, Result};
+use futures_util::TryStreamExt as _;
 use serde::Deserialize;

 use rosenpass::config::ProtocolVersion;
+use rosenpass::{
+    app_server::{AppServer, BrokerPeer},
+    config::Verbosity,
+    protocol::{
+        basic_types::{SPk, SSk, SymKey},
+        osk_domain_separator::OskDomainSeparator,
+    },
+};
+use rosenpass_secret_memory::Secret;
+use rosenpass_util::file::{LoadValue as _, LoadValueB64};
+use rosenpass_util::functional::{ApplyExt, MutatingExt};
+use rosenpass_util::result::OkExt;
+use rosenpass_util::tokio::janitor::{spawn_cleanup_job, try_spawn_daemon};
+use rosenpass_wireguard_broker::brokers::native_unix::{
+    NativeUnixBroker, NativeUnixBrokerConfigBaseBuilder,
+};
+use tokio::task::spawn_blocking;

-#[cfg(any(target_os = "linux", target_os = "freebsd"))]
 use crate::key::WG_B64_LEN;

+/// Extra-special measure to structure imports from the various
+/// netlink related crates used in [super]
+mod netlink {
+    /// Re-exports from [::netlink_packet_core]
+    pub mod core {
+        pub use ::netlink_packet_core::{NetlinkMessage, NLM_F_ACK, NLM_F_REQUEST};
+    }
+
+    /// Re-exports from [::rtnetlink]
+    pub mod rtnl {
+        pub use ::rtnetlink::Error;
+        pub use ::rtnetlink::Handle;
+    }
+
+    /// Re-exports from [::genetlink] and [::netlink_packet_generic]
+    pub mod genl {
+        pub use ::genetlink::GenetlinkHandle as Handle;
+        pub use ::netlink_packet_generic::GenlMessage as Message;
+    }
+
+    /// Re-exports from [::netlink_packet_wireguard]
+    pub mod wg {
+        pub use ::netlink_packet_wireguard::constants::WG_KEY_LEN as KEY_LEN;
+        pub use ::netlink_packet_wireguard::nlas::WgDeviceAttrs as DeviceAttrs;
+        pub use ::netlink_packet_wireguard::{Wireguard, WireguardCmd};
+    }
+}
+
+type WgSecretKey = Secret<{ netlink::wg::KEY_LEN }>;
+
 /// Used to define a peer for the rosenpass connection that consists of
 /// a directory for storing public keys and optionally an IP address and port of the endpoint,
 /// for how long the connection should be kept alive and a list of allowed IPs for the peer.
@@ -43,286 +90,401 @@ pub struct ExchangeOptions {
    pub dev: Option<String>,
    /// The IP-address rosenpass should run under.
    pub ip: Option<String>,
-    /// The IP-address and port that the rosenpass [AppServer](rosenpass::app_server::AppServer)
+    /// The IP-address and port that the rosenpass [AppServer]
    /// should use.
    pub listen: Option<SocketAddr>,
    /// Other peers a connection should be initialized to
    pub peers: Vec<ExchangePeer>,
 }

-#[cfg(not(any(target_os = "linux", target_os = "freebsd")))]
-pub async fn exchange(_: ExchangeOptions) -> Result<()> {
-    use anyhow::anyhow;
-
-    Err(anyhow!(
-        "Your system {} is not yet supported. We are happy to receive patches to address this :)",
-        std::env::consts::OS
-    ))
+/// Manage the lifetime of WireGuard devices uses for rp
+#[derive(Debug, Default)]
+struct WireGuardDeviceImpl {
+    // TODO: Can we merge these two somehow?
+    rtnl_netlink_handle_cache: Option<netlink::rtnl::Handle>,
+    genl_netlink_handle_cache: Option<netlink::genl::Handle>,
+    /// Handle and name of the device
+    device: Option<(u32, String)>,
 }

-#[cfg(any(target_os = "linux", target_os = "freebsd"))]
-mod netlink {
-    use anyhow::Result;
-    use futures_util::{StreamExt as _, TryStreamExt as _};
-    use genetlink::GenetlinkHandle;
-    use netlink_packet_core::{NLM_F_ACK, NLM_F_REQUEST};
-    use netlink_packet_wireguard::nlas::WgDeviceAttrs;
-    use rtnetlink::Handle;
+impl WireGuardDeviceImpl {
+    fn take(&mut self) -> WireGuardDeviceImpl {
+        Self::default().mutating(|nu| std::mem::swap(self, nu))
+    }

+    async fn open(&mut self, device_name: String) -> anyhow::Result<()> {
+        let mut rtnl_link = self.rtnl_netlink_handle()?.link();
+        let device_name_ref = &device_name;
+
+        // Make sure that there is no device called `device_name` before we start
+        rtnl_link
+            .get()
+            .match_name(device_name.to_owned())
+            .execute()
+            // Count the number of occurences
+            .try_fold(0, |acc, _val| async move {
+                Ok(acc + 1)
+            }).await
+            // Extract the error's raw system error code
+            .map_err(|e| {
+                use netlink::rtnl::Error as E;
+                match e {
+                    E::NetlinkError(msg) => {
+                        let raw_code = -msg.raw_code();
+                        (E::NetlinkError(msg), Some(raw_code))
+                    },
+                    _ => (e, None),
+                }
+            })
+            .apply(|r| {
+                match r {
+                    // No such device, which is exactly what we are expecting
+                    Ok(0) | Err((_, Some(libc::ENODEV))) => Ok(()),
+                    // Device already exists
+                    Ok(_) => bail!("\
+                        Trying to create a network device for Rosenpass under the name \"{device_name}\", \
+                        but at least one device under the name aready exists."),
+                    // Other error
+                    Err((e, _)) => bail!(e),
+                }
+            })?;
+
+        // Add the link, equivalent to `ip link add <link_name> type wireguard`.
+        rtnl_link
+            .add()
+            .wireguard(device_name.to_owned())
+            .execute()
+            .await?;
+        log::info!("Created network device!");
+
+        // Retrieve a handle for the newly created device
+        let device_handle = rtnl_link
+            .get()
+            .match_name(device_name.to_owned())
+            .execute()
+            .err_into::<anyhow::Error>()
+            .try_fold(Option::None, |acc, val| async move {
+                ensure!(acc.is_none(), "\
+                    Created a network device for Rosenpass under the name \"{device_name_ref}\", \
+                    but upon trying to determine the handle for the device using named-based lookup, we received multiple handles. \
+                    We checked beforehand whether the device already exists. \
+                    This should not happen. Unsure how to proceed. Terminating.");
+                Ok(Some(val))
+            }).await?
+            .with_context(|| format!("\
+                Created a network device for Rosenpass under the name \"{device_name}\", \
+                but upon trying to determine the handle for the device using named-based lookup, we received no handle. \
+                This should not happen. Unsure how to proceed. Terminating."))?
+            .apply(|msg| msg.header.index);
+
+        // Now we can actually start to mark the device as initialized.
+        // Note that if the handle retrieval above does not work, the destructor
+        // will not run and the device will not be erased.
+        // This is, for now, the desired behavior as we need the handle to erase
+        // the device anyway.
+        self.device = Some((device_handle, device_name));
+
+        // Activate the link, equivalent to `ip link set dev <DEV> up`.
+        rtnl_link.set(device_handle).up().execute().await?;
+
+        Ok(())
+    }
+
+    async fn close(mut self) {
+        // Check if the device is properly initialized and retrieve the device info
+        let (device_handle, device_name) = match self.device.take() {
+            Some(val) => val,
+            // Nothing to do, not yet properly initialized
+            None => return,
+        };
+
+        // Erase the network device; the rest of the function is just error handling
+        let res = async move {
+            self.rtnl_netlink_handle()?
+                .link()
+                .del(device_handle)
+                .execute()
+                .await?;
+            log::debug!("Erased network interface!");
+            anyhow::Ok(())
+        }
+        .await;
+
+        // Here we test if the error needs printing at all
+        let res = 'do_print: {
+            // Short-circuit if the deletion was successful
+            let err = match res {
+                Ok(()) => break 'do_print Ok(()),
+                Err(err) => err,
+            };
+
+            // Extract the rtnetlink error, so we can inspect it
+            let err = match err.downcast::<netlink::rtnl::Error>() {
+                Ok(rtnl_err) => rtnl_err,
+                Err(other_err) => break 'do_print Err(other_err),
+            };
+
+            // TODO: This is a bit brittle, as the rtnetlink error enum looks like
+            //       E::NetlinkError is a sort of "unknown error" case. If they explicitly
+            //       add support for the "no such device" errors or other ones we check for in
+            //       this block, then this code may no longer filter these errors
+            // Extract the raw netlink error code
+            use netlink::rtnl::Error as E;
+            let error_code = match err {
+                E::NetlinkError(ref msg) => -msg.raw_code(),
+                err => break 'do_print Err(err.into()),
+            };
+
+            // Check whether its just the "no such device" error
+            #[allow(clippy::single_match)]
+            match error_code {
+                libc::ENODEV => break 'do_print Ok(()),
+                _ => {}
+            }
+
+            // Otherwise, we just print the error
+            Err(err.into())
+        };
+
+        if let Err(err) = res {
+            log::warn!("Could not remove network device `{device_name}`: {err:?}");
+        }
+    }
+
+    pub async fn add_ip_address(&self, addr: &str) -> anyhow::Result<()> {
+        // TODO: Migrate to using netlink
+        Command::new("ip")
+            .args(["address", "add", addr, "dev", self.name()?])
+            .status()
+            .await?;
+        Ok(())
+    }
+
+    pub fn is_open(&self) -> bool {
+        self.device.is_some()
+    }
+
+    pub fn maybe_name(&self) -> Option<&str> {
+        self.device.as_ref().map(|slot| slot.1.borrow())
+    }
+
+    /// Return the raw handle for this device
+    pub fn maybe_raw_handle(&self) -> Option<u32> {
+        self.device.as_ref().map(|slot| slot.0)
+    }
+
+    pub fn name(&self) -> anyhow::Result<&str> {
+        self.maybe_name()
+            .with_context(|| format!("{} has not been initialized!", type_name::<Self>()))
+    }
+
+    /// Return the raw handle for this device
+    pub fn raw_handle(&self) -> anyhow::Result<u32> {
+        self.maybe_raw_handle()
+            .with_context(|| format!("{} has not been initialized!", type_name::<Self>()))
+    }
+
+    pub async fn set_private_key_and_listen_addr(
+        &mut self,
+        wgsk: &WgSecretKey,
+        listen_port: Option<u16>,
+    ) -> anyhow::Result<()> {
+        use netlink as nl;
+
+        // The attributes to set
+        // TODO: This exposes the secret key; we should probably run this in a separate process
+        //       or on a separate stack and have zeroizing allocator globally.
+        let mut attrs = vec![
+            nl::wg::DeviceAttrs::IfIndex(self.raw_handle()?),
+            nl::wg::DeviceAttrs::PrivateKey(*wgsk.secret()),
+        ];
+
+        // Optional listen port for WireGuard
+        if let Some(port) = listen_port {
+            attrs.push(nl::wg::DeviceAttrs::ListenPort(port));
+        }
+
+        // The netlink request we are trying to send
+        let req = nl::wg::Wireguard {
+            cmd: nl::wg::WireguardCmd::SetDevice,
+            nlas: attrs,
+        };
+
+        // Boilerplate; wrap the request into more structures
+        let req = req
+            .apply(nl::genl::Message::from_payload)
+            .apply(nl::core::NetlinkMessage::from)
+            .mutating(|req| {
+                req.header.flags = nl::core::NLM_F_REQUEST | nl::core::NLM_F_ACK;
+            });
+
+        // Send the request
+        self.genl_netlink_handle()?
+            .request(req)
+            .await?
+            // Collect all errors (let try_fold do all the work)
+            .try_fold((), |_, _| async move { Ok(()) })
+            .await?;
+
+        Ok(())
+    }
+
+    fn take_rtnl_netlink_handle(&mut self) -> Result<netlink::rtnl::Handle> {
+        if let Some(handle) = self.rtnl_netlink_handle_cache.take() {
+            Ok(handle)
+        } else {
+            let (connection, handle, _) = rtnetlink::new_connection()?;
+
+            // Making sure that the connection has a chance to terminate before the
+            // application exits
+            try_spawn_daemon(async move {
+                connection.await;
+                Ok(())
+            })?;
+
+            Ok(handle)
+        }
+    }
+
+    fn rtnl_netlink_handle(&mut self) -> Result<&mut netlink::rtnl::Handle> {
+        let netlink_handle = self.take_rtnl_netlink_handle()?;
+        self.rtnl_netlink_handle_cache.insert(netlink_handle).ok()
+    }
+
+    fn take_genl_netlink_handle(&mut self) -> Result<netlink::genl::Handle> {
+        if let Some(handle) = self.genl_netlink_handle_cache.take() {
+            Ok(handle)
+        } else {
+            let (connection, handle, _) = genetlink::new_connection()?;
+
+            // Making sure that the connection has a chance to terminate before the
+            // application exits
+            try_spawn_daemon(async move {
+                connection.await;
+                Ok(())
+            })?;
+
+            Ok(handle)
+        }
+    }
+
+    fn genl_netlink_handle(&mut self) -> Result<&mut netlink::genl::Handle> {
+        let netlink_handle = self.take_genl_netlink_handle()?;
+        self.genl_netlink_handle_cache.insert(netlink_handle).ok()
+    }
+}
+
+struct WireGuardDevice {
+    _impl: WireGuardDeviceImpl,
+}
+
+impl WireGuardDevice {
    /// Creates a netlink named `link_name` and changes the state to up. It returns the index
    /// of the interface in the list of interfaces as the result or an error if any of the
    /// operations of creating the link or changing its state to up fails.
-    pub async fn link_create_and_up(rtnetlink: &Handle, link_name: String) -> Result<u32> {
-        // Add the link, equivalent to `ip link add <link_name> type wireguard`.
-        rtnetlink
-            .link()
-            .add()
-            .wireguard(link_name.clone())
-            .execute()
-            .await?;
+    pub async fn create_device(device_name: String) -> Result<Self> {
+        let mut _impl = WireGuardDeviceImpl::default();
+        _impl.open(device_name).await?;
+        assert!(_impl.is_open()); // Sanity check
+        Ok(WireGuardDevice { _impl })
+    }

-        // Retrieve the link to be able to up it, equivalent to `ip link show` and then
-        // using the link shown that is identified by `link_name`.
-        let link = rtnetlink
-            .link()
-            .get()
-            .match_name(link_name.clone())
-            .execute()
-            .into_stream()
-            .into_future()
+    pub fn name(&self) -> &str {
+        self._impl.name().unwrap()
+    }
+
+    /// Return the raw handle for this device
+    #[allow(dead_code)]
+    pub fn raw_handle(&self) -> u32 {
+        self._impl.raw_handle().unwrap()
+    }
+
+    pub async fn add_ip_address(&self, addr: &str) -> anyhow::Result<()> {
+        self._impl.add_ip_address(addr).await
+    }
+
+    pub async fn set_private_key_and_listen_addr(
+        &mut self,
+        wgsk: &WgSecretKey,
+        listen_port: Option<u16>,
+    ) -> anyhow::Result<()> {
+        self._impl
+            .set_private_key_and_listen_addr(wgsk, listen_port)
            .await
-            .0
-            .unwrap()?;
-
-        // Up the link, equivalent to `ip link set dev <DEV> up`.
-        rtnetlink
-            .link()
-            .set(link.header.index)
-            .up()
-            .execute()
-            .await?;
-
-        Ok(link.header.index)
-    }
-
-    /// Deletes a link using rtnetlink. The link is specified using its index in the list of links.
-    pub async fn link_cleanup(rtnetlink: &Handle, index: u32) -> Result<()> {
-        rtnetlink.link().del(index).execute().await?;
-
-        Ok(())
-    }
-
-    /// Deletes a link using rtnetlink. The link is specified using its index in the list of links.
-    /// In contrast to [link_cleanup], this function create a new socket connection to netlink and
-    /// *ignores errors* that occur during deletion.
-    pub async fn link_cleanup_standalone(index: u32) -> Result<()> {
-        let (connection, rtnetlink, _) = rtnetlink::new_connection()?;
-        tokio::spawn(connection);
-
-        // We don't care if this fails, as the device may already have been auto-cleaned up.
-        let _ = rtnetlink.link().del(index).execute().await;
-
-        Ok(())
-    }
-
-    /// This replicates the functionality of the `wg set` command line tool.
-    ///
-    /// It sets the specified WireGuard attributes of the indexed device by
-    /// communicating with WireGuard's generic netlink interface, like the
-    /// `wg` tool does.
-    pub async fn wg_set(
-        genetlink: &mut GenetlinkHandle,
-        index: u32,
-        mut attr: Vec<WgDeviceAttrs>,
-    ) -> Result<()> {
-        use futures_util::StreamExt as _;
-        use netlink_packet_core::{NetlinkMessage, NetlinkPayload};
-        use netlink_packet_generic::GenlMessage;
-        use netlink_packet_wireguard::{Wireguard, WireguardCmd};
-
-        // Scope our `set` command to only the device of the specified index.
-        attr.insert(0, WgDeviceAttrs::IfIndex(index));
-
-        // Construct the WireGuard-specific netlink packet
-        let wgc = Wireguard {
-            cmd: WireguardCmd::SetDevice,
-            nlas: attr,
-        };
-
-        // Construct final message.
-        let genl = GenlMessage::from_payload(wgc);
-        let mut nlmsg = NetlinkMessage::from(genl);
-        nlmsg.header.flags = NLM_F_REQUEST | NLM_F_ACK;
-
-        // Send and wait for the ACK or error.
-        let (res, _) = genetlink.request(nlmsg).await?.into_future().await;
-        if let Some(res) = res {
-            let res = res?;
-            if let NetlinkPayload::Error(err) = res.payload {
-                return Err(err.to_io().into());
-            }
-        }
-
-        Ok(())
    }
 }

-/// A wrapper for a list of cleanup handlers that can be used in an asynchronous context
-/// to clean up after the usage of rosenpass or if the `rp` binary is interrupted with ctrl+c
-/// or a `SIGINT` signal in general.
-#[derive(Clone)]
-#[cfg(any(target_os = "linux", target_os = "freebsd"))]
-struct CleanupHandlers(
-    Arc<::futures::lock::Mutex<Vec<Pin<Box<dyn Future<Output = Result<(), Error>> + Send>>>>>,
-);
-
-#[cfg(any(target_os = "linux", target_os = "freebsd"))]
-impl CleanupHandlers {
-    /// Creates a new list of [CleanupHandlers].
-    fn new() -> Self {
-        CleanupHandlers(Arc::new(::futures::lock::Mutex::new(vec![])))
-    }
-
-    /// Enqueues a new cleanup handler in the form of a [Future].
-    async fn enqueue(&self, handler: Pin<Box<dyn Future<Output = Result<(), Error>> + Send>>) {
-        self.0.lock().await.push(Box::pin(handler))
-    }
-
-    /// Runs all cleanup handlers. Following the documentation of [futures::future::try_join_all]:
-    /// If any cleanup handler returns an error then all other cleanup handlers will be canceled and
-    /// an error will be returned immediately. If all cleanup handlers complete successfully,
-    /// however, then the returned future will succeed with a Vec of all the successful results.
-    async fn run(self) -> Result<Vec<()>, Error> {
-        futures::future::try_join_all(self.0.lock().await.deref_mut()).await
+impl Drop for WireGuardDevice {
+    fn drop(&mut self) {
+        let _impl = self._impl.take();
+        spawn_cleanup_job(async move {
+            _impl.close().await;
+            Ok(())
+        });
    }
 }

 /// Sets up the rosenpass link and wireguard and configures both with the configuration specified by
 /// `options`.
-#[cfg(any(target_os = "linux", target_os = "freebsd"))]
 pub async fn exchange(options: ExchangeOptions) -> Result<()> {
-    use std::fs;
+    // Load the server parameter files
+    let wgsk = options.private_keys_dir.join("wgsk");
+    let rpsk = options.private_keys_dir.join("pqsk");
+    let rppk = options.private_keys_dir.join("pqpk");
+    let (wgsk, rpsk, rppk) = spawn_blocking(move || {
+        let wgsk = WgSecretKey::load_b64::<WG_B64_LEN, _>(wgsk)?;
+        let rpsk = SSk::load(rpsk)?;
+        let wgpk = SPk::load(rppk)?;
+        anyhow::Ok((wgsk, rpsk, wgpk))
+    })
+    .await??;

-    use anyhow::anyhow;
-    use netlink_packet_wireguard::{constants::WG_KEY_LEN, nlas::WgDeviceAttrs};
-    use rosenpass::{
-        app_server::{AppServer, BrokerPeer},
-        config::Verbosity,
-        protocol::{
-            basic_types::{SPk, SSk, SymKey},
-            osk_domain_separator::OskDomainSeparator,
-        },
-    };
-    use rosenpass_secret_memory::Secret;
-    use rosenpass_util::file::{LoadValue as _, LoadValueB64};
-    use rosenpass_wireguard_broker::brokers::native_unix::{
-        NativeUnixBroker, NativeUnixBrokerConfigBaseBuilder, NativeUnixBrokerConfigBaseBuilderError,
-    };
+    // Setup the WireGuard device
+    let device = options.dev.as_deref().unwrap_or("rosenpass0");
+    let mut device = WireGuardDevice::create_device(device.to_owned()).await?;

-    let (connection, rtnetlink, _) = rtnetlink::new_connection()?;
-    tokio::spawn(connection);
+    // Assign WG secret key & port
+    device
+        .set_private_key_and_listen_addr(&wgsk, options.listen.map(|ip| ip.port() + 1))
+        .await?;
+    std::mem::drop(wgsk);

-    let link_name = options.dev.clone().unwrap_or("rosenpass0".to_string());
-    let link_index = netlink::link_create_and_up(&rtnetlink, link_name.clone()).await?;
-
-    // Set up a list of (initiallc empty) cleanup handlers that are to be run if
-    // ctrl-c is hit or generally a `SIGINT` signal is received and always in the end.
-    let cleanup_handlers = CleanupHandlers::new();
-    let final_cleanup_handlers = (&cleanup_handlers).clone();
-
-    cleanup_handlers
-        .enqueue(Box::pin(async move {
-            netlink::link_cleanup_standalone(link_index).await
-        }))
-        .await;
-
-    ctrlc_async::set_async_handler(async move {
-        final_cleanup_handlers
-            .run()
-            .await
-            .expect("Failed to clean up");
-    })?;
-
-    // Run `ip address add <ip> dev <dev>` and enqueue `ip address del <ip> dev <dev>` as a cleanup.
-    if let Some(ip) = options.ip {
-        let dev = options.dev.clone().unwrap_or("rosenpass0".to_string());
-        Command::new("ip")
-            .arg("address")
-            .arg("add")
-            .arg(ip.clone())
-            .arg("dev")
-            .arg(dev.clone())
-            .status()
-            .expect("failed to configure ip");
-        cleanup_handlers
-            .enqueue(Box::pin(async move {
-                Command::new("ip")
-                    .arg("address")
-                    .arg("del")
-                    .arg(ip)
-                    .arg("dev")
-                    .arg(dev)
-                    .status()
-                    .expect("failed to remove ip");
-                Ok(())
-            }))
-            .await;
+    // Assign the public IP address for the interface
+    if let Some(ref ip) = options.ip {
+        device.add_ip_address(ip).await?;
    }

-    // Deploy the classic wireguard private key.
-    let (connection, mut genetlink, _) = genetlink::new_connection()?;
-    tokio::spawn(connection);
-
-    let wgsk_path = options.private_keys_dir.join("wgsk");
-
-    let wgsk = Secret::<WG_KEY_LEN>::load_b64::<WG_B64_LEN, _>(wgsk_path)?;
-
-    let mut attr: Vec<WgDeviceAttrs> = Vec::with_capacity(2);
-    attr.push(WgDeviceAttrs::PrivateKey(*wgsk.secret()));
-
-    if let Some(listen) = options.listen {
-        if listen.port() == u16::MAX {
-            return Err(anyhow!("You may not use {} as the listen port.", u16::MAX));
-        }
-
-        attr.push(WgDeviceAttrs::ListenPort(listen.port() + 1));
-    }
-
-    netlink::wg_set(&mut genetlink, link_index, attr).await?;
-
-    // set up the rosenpass AppServer
-    let pqsk = options.private_keys_dir.join("pqsk");
-    let pqpk = options.private_keys_dir.join("pqpk");
-
-    let sk = SSk::load(&pqsk)?;
-    let pk = SPk::load(&pqpk)?;
-
    let mut srv = Box::new(AppServer::new(
-        Some((sk, pk)),
-        if let Some(listen) = options.listen {
-            vec![listen]
-        } else {
-            Vec::with_capacity(0)
-        },
-        if options.verbose {
-            Verbosity::Verbose
-        } else {
-            Verbosity::Quiet
+        Some((rpsk, rppk)),
+        Vec::from_iter(options.listen),
+        match options.verbose {
+            true => Verbosity::Verbose,
+            false => Verbosity::Quiet,
        },
        None,
    )?);

    let broker_store_ptr = srv.register_broker(Box::new(NativeUnixBroker::new()))?;

-    fn cfg_err_map(e: NativeUnixBrokerConfigBaseBuilderError) -> anyhow::Error {
-        anyhow::Error::msg(format!("NativeUnixBrokerConfigBaseBuilderError: {:?}", e))
-    }
-
    // Configure everything per peer.
    for peer in options.peers {
-        let wgpk = peer.public_keys_dir.join("wgpk");
+        // TODO: Some of this is sync but should be async
+        let wgpk = peer
+            .public_keys_dir
+            .join("wgpk")
+            .apply(tokio::fs::read_to_string)
+            .await?;
        let pqpk = peer.public_keys_dir.join("pqpk");
        let psk = peer.public_keys_dir.join("psk");
+        let (pqpk, psk) = spawn_blocking(move || {
+            let pqpk = SPk::load(pqpk)?;
+            let psk = psk
+                .exists()
+                .then(|| SymKey::load_b64::<WG_B64_LEN, _>(psk))
+                .transpose()?;
+            anyhow::Ok((pqpk, psk))
+        })
+        .await??;

        let mut extra_params: Vec<String> = Vec::with_capacity(6);
        if let Some(endpoint) = peer.endpoint {
@@ -342,11 +504,11 @@ pub async fn exchange(options: ExchangeOptions) -> Result<()> {
        }

        let peer_cfg = NativeUnixBrokerConfigBaseBuilder::default()
-            .peer_id_b64(&fs::read_to_string(wgpk)?)?
-            .interface(link_name.clone())
+            .peer_id_b64(&wgpk)?
+            .interface(device.name().to_owned())
            .extra_params_ser(&extra_params)?
            .build()
-            .map_err(cfg_err_map)?;
+            .with_context(|| format!("Could not configure broker to supply keys from Rosenpass to WireGuard for peer {wgpk}."))?;

        let broker_peer = Some(BrokerPeer::new(
            broker_store_ptr.clone(),
@@ -354,13 +516,8 @@ pub async fn exchange(options: ExchangeOptions) -> Result<()> {
        ));

        srv.add_peer(
-            if psk.exists() {
-                Some(SymKey::load_b64::<WG_B64_LEN, _>(psk))
-            } else {
-                None
-            }
-            .transpose()?,
-            SPk::load(&pqpk)?,
+            psk,
+            pqpk,
            None,
            broker_peer,
            peer.endpoint.map(|x| x.to_string()),
@@ -372,47 +529,13 @@ pub async fn exchange(options: ExchangeOptions) -> Result<()> {
        // the cleanup as `ip route del <allowed_ips>`.
        if let Some(allowed_ips) = peer.allowed_ips {
            Command::new("ip")
-                .arg("route")
-                .arg("replace")
-                .arg(allowed_ips.clone())
-                .arg("dev")
-                .arg(options.dev.clone().unwrap_or("rosenpass0".to_string()))
+                .args(["route", "replace", &allowed_ips, "dev", device.name()])
                .status()
-                .expect("failed to configure route");
-            cleanup_handlers
-                .enqueue(Box::pin(async move {
-                    Command::new("ip")
-                        .arg("route")
-                        .arg("del")
-                        .arg(allowed_ips)
-                        .status()
-                        .expect("failed to remove ip");
-                    Ok(())
-                }))
-                .await;
+                .await
+                .with_context(|| format!("Could not configure routes for peer {wgpk}"))?;
        }
    }

-    let out = srv.event_loop();
-
-    netlink::link_cleanup(&rtnetlink, link_index).await?;
-
-    match out {
-        Ok(_) => Ok(()),
-        Err(e) => {
-            // Check if the returned error is actually EINTR, in which case, the run actually
-            // succeeded.
-            let is_ok = if let Some(e) = e.root_cause().downcast_ref::<std::io::Error>() {
-                matches!(e.kind(), std::io::ErrorKind::Interrupted)
-            } else {
-                false
-            };
-
-            if is_ok {
-                Ok(())
-            } else {
-                Err(e)
-            }
-        }
-    }
+    log::info!("Starting to perform rosenpass key exchanges!");
+    spawn_blocking(move || srv.event_loop()).await?
 }
--- a/rp/src/key.rs
+++ b/rp/src/key.rs
@@ -128,6 +128,7 @@ mod tests {
    use crate::key::{genkey, pubkey, WG_B64_LEN};

    #[test]
+    #[cfg_attr(miri, ignore)] // Miri does not support calls to mmap with protections other than PROT_READ|PROT_WRITE
    fn test_key_loopback() {
        secret_policy_try_use_memfd_secrets();
        let private_keys_dir = tempdir().unwrap();
--- a/rp/src/main.rs
+++ b/rp/src/main.rs
@@ -1,59 +1,19 @@
-use std::{fs, process::exit};
-
-use cli::{Cli, Command};
-use exchange::exchange;
-use key::{genkey, pubkey};
-use rosenpass_secret_memory::policy;
-
+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
 mod cli;
+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
 mod exchange;
+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
 mod key;

-#[tokio::main]
-async fn main() {
-    #[cfg(feature = "experiment_memfd_secret")]
-    policy::secret_policy_try_use_memfd_secrets();
-    #[cfg(not(feature = "experiment_memfd_secret"))]
-    policy::secret_policy_use_only_malloc_secrets();
+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
+mod main_supported_platforms;

-    let cli = match Cli::parse(std::env::args().peekable()) {
-        Ok(cli) => cli,
-        Err(err) => {
-            eprintln!("{}", err);
-            exit(1);
-        }
-    };
-
-    let command = cli.command.unwrap();
-
-    let res = match command {
-        Command::GenKey { private_keys_dir } => genkey(&private_keys_dir),
-        Command::PubKey {
-            private_keys_dir,
-            public_keys_dir,
-        } => pubkey(&private_keys_dir, &public_keys_dir),
-        Command::Exchange(mut options) => {
-            options.verbose = cli.verbose;
-            exchange(options).await
-        }
-        Command::ExchangeConfig { config_file } => {
-            let s: String = fs::read_to_string(config_file).expect("cannot read config");
-            let mut options: exchange::ExchangeOptions =
-                toml::from_str::<exchange::ExchangeOptions>(&s).expect("cannot parse config");
-            options.verbose = options.verbose || cli.verbose;
-            exchange(options).await
-        }
-        Command::Help => {
-            println!("Usage: rp [verbose] genkey|pubkey|exchange [ARGS]...");
-            Ok(())
-        }
-    };
-
-    match res {
-        Ok(_) => {}
-        Err(err) => {
-            eprintln!("An error occurred: {}", err);
-            exit(1);
-        }
-    }
+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
+fn main() -> anyhow::Result<()> {
+    main_supported_platforms::main()
+}
+
+#[cfg(not(any(target_os = "linux", target_os = "freebsd")))]
+fn main() {
+    panic!("Unfortunately, the rp command is currently not supported on your platform. See https://github.com/rosenpass/rosenpass/issues/689 for more information and discussion.")
 }
--- a/rp/src/main_supported_platforms.rs
+++ b/rp/src/main_supported_platforms.rs
@@ -0,0 +1,58 @@
+use std::{fs, process::exit};
+
+use rosenpass_util::tokio::janitor::ensure_janitor;
+
+use rosenpass_secret_memory::policy;
+
+use crate::cli::{Cli, Command};
+use crate::exchange::{exchange, ExchangeOptions};
+use crate::key::{genkey, pubkey};
+
+#[tokio::main]
+pub async fn main() -> anyhow::Result<()> {
+    #[cfg(feature = "experiment_memfd_secret")]
+    policy::secret_policy_try_use_memfd_secrets();
+    #[cfg(not(feature = "experiment_memfd_secret"))]
+    policy::secret_policy_use_only_malloc_secrets();
+
+    ensure_janitor(async move { main_impl().await }).await
+}
+
+async fn main_impl() -> anyhow::Result<()> {
+    let cli = match Cli::parse(std::env::args().peekable()) {
+        Ok(cli) => cli,
+        Err(err) => {
+            eprintln!("{}", err);
+            exit(1);
+        }
+    };
+
+    // init logging
+    // TODO: Taken from rosenpass; we should deduplicate the code.
+    env_logger::Builder::from_default_env().init(); // sets log level filter from environment (or defaults)
+
+    let command = cli.command.unwrap();
+
+    match command {
+        Command::GenKey { private_keys_dir } => genkey(&private_keys_dir),
+        Command::PubKey {
+            private_keys_dir,
+            public_keys_dir,
+        } => pubkey(&private_keys_dir, &public_keys_dir),
+        Command::Exchange(mut options) => {
+            options.verbose = cli.verbose;
+            exchange(options).await
+        }
+        Command::ExchangeConfig { config_file } => {
+            let s: String = fs::read_to_string(config_file).expect("cannot read config");
+            let mut options: ExchangeOptions =
+                toml::from_str::<ExchangeOptions>(&s).expect("cannot parse config");
+            options.verbose = options.verbose || cli.verbose;
+            exchange(options).await
+        }
+        Command::Help => {
+            println!("Usage: rp [verbose] genkey|pubkey|exchange [ARGS]...");
+            Ok(())
+        }
+    }
+}
--- a/rp/tests/smoketest.rs
+++ b/rp/tests/smoketest.rs
@@ -1,6 +1,8 @@
 use std::process::Command;

+#[cfg(any(target_os = "linux", target_os = "freebsd"))]
 #[test]
+#[cfg_attr(miri, ignore)] // unsupported operation: extern static `pidfd_spawnp` is not supported by Miri
 fn smoketest() -> anyhow::Result<()> {
    let tmpdir = tempfile::tempdir()?;

--- a/secret-memory/Cargo.toml
+++ b/secret-memory/Cargo.toml
@@ -19,6 +19,10 @@ rand = { workspace = true }
 memsec = { workspace = true }
 allocator-api2 = { workspace = true }
 log = { workspace = true }
+assert_tv = { workspace = true }
+base64 = { workspace = true }
+serde_json = { workspace = true }
+serde = { workspace = true }

 [dev-dependencies]
 allocator-api2-tests = { workspace = true }
--- a/secret-memory/src/lib.rs
+++ b/secret-memory/src/lib.rs
@@ -47,4 +47,6 @@ mod secret;
 pub use crate::secret::Secret;

 pub mod policy;
+mod serialization;
+
 pub use crate::policy::*;
--- a/secret-memory/src/secret.rs
+++ b/secret-memory/src/secret.rs
@@ -379,10 +379,7 @@ impl<const N: usize> StoreSecret for Secret<N> {

 #[cfg(test)]
 mod test {
-    use crate::{
-        secret_policy_try_use_memfd_secrets, secret_policy_use_only_malloc_secrets,
-        test_spawn_process_provided_policies,
-    };
+    use crate::{secret_policy_use_only_malloc_secrets, test_spawn_process_provided_policies};

    use super::*;
    use std::{fs, os::unix::fs::PermissionsExt};
--- a/secret-memory/src/serialization.rs
+++ b/secret-memory/src/serialization.rs
@@ -0,0 +1,214 @@
+use crate::{Public, PublicBox, Secret};
+use base64::Engine;
+use serde::de::{Error as DeError, Visitor};
+use serde::{Deserialize, Deserializer, Serialize, Serializer};
+use std::fmt;
+
+fn encode_b64(bytes: &[u8]) -> String {
+    base64::engine::general_purpose::STANDARD.encode(bytes)
+}
+
+fn decode_b64(s: &str) -> Result<Vec<u8>, String> {
+    base64::engine::general_purpose::STANDARD
+        .decode(s.as_bytes())
+        .map_err(|e| format!("Couldn't decode base64: {e}"))
+}
+
+struct B64BytesVisitor;
+
+impl<'de> Visitor<'de> for B64BytesVisitor {
+    type Value = Vec<u8>;
+
+    fn expecting(&self, f: &mut fmt::Formatter) -> fmt::Result {
+        write!(f, "a base64-encoded string")
+    }
+
+    fn visit_str<E: DeError>(self, v: &str) -> Result<Self::Value, E> {
+        decode_b64(v).map_err(E::custom)
+    }
+
+    fn visit_string<E: DeError>(self, v: String) -> Result<Self::Value, E> {
+        self.visit_str(&v)
+    }
+}
+
+impl<const N: usize> Serialize for Secret<N> {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        serializer.serialize_str(&encode_b64(self.secret()))
+    }
+}
+
+impl<'de, const N: usize> Deserialize<'de> for Secret<N> {
+    fn deserialize<D: Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
+        let bytes: Vec<u8> = deserializer.deserialize_string(B64BytesVisitor)?;
+        if bytes.len() != N {
+            return Err(D::Error::custom(format!(
+                "Unexpected length: got {}, expected {}",
+                bytes.len(),
+                N
+            )));
+        }
+        // Copies from heap bytes into the internal storage;
+        // no large stack temporaries.
+        Ok(Secret::<N>::from_slice(bytes.as_slice()))
+    }
+}
+
+impl<const N: usize> Serialize for Public<N> {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        serializer.serialize_str(&encode_b64(&self.value))
+    }
+}
+
+impl<'de, const N: usize> Deserialize<'de> for Public<N> {
+    fn deserialize<D: Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
+        let bytes: Vec<u8> = deserializer.deserialize_string(B64BytesVisitor)?;
+        if bytes.len() != N {
+            return Err(D::Error::custom(format!(
+                "Unexpected length: got {}, expected {}",
+                bytes.len(),
+                N
+            )));
+        }
+        Ok(Public::<N>::from_slice(bytes.as_slice()))
+    }
+}
+
+impl<const N: usize> Serialize for PublicBox<N> {
+    fn serialize<S: Serializer>(&self, serializer: S) -> Result<S::Ok, S::Error> {
+        serializer.serialize_str(&encode_b64(self.inner.value.as_slice()))
+    }
+}
+
+impl<'de, const N: usize> Deserialize<'de> for PublicBox<N> {
+    fn deserialize<D: Deserializer<'de>>(deserializer: D) -> Result<Self, D::Error> {
+        let bytes: Vec<u8> = deserializer.deserialize_string(B64BytesVisitor)?;
+        if bytes.len() != N {
+            return Err(D::Error::custom(format!(
+                "Unexpected length: got {}, expected {}",
+                bytes.len(),
+                N
+            )));
+        }
+        // Allocate Public<N> on the heap and copy bytes into it
+        let mut inner = Box::new(Public::<N>::zero());
+        inner.copy_from_slice(bytes.as_slice());
+        Ok(PublicBox { inner })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::secret_policy_use_only_malloc_secrets;
+    use serde::{de::DeserializeOwned, Serialize};
+    use serde_json;
+
+    // Generic helper: serialize to JSON, then deserialize back.
+    fn roundtrip_json<T>(value: &T) -> T
+    where
+        T: Serialize + DeserializeOwned,
+    {
+        let json = serde_json::to_string(value).expect("serialize");
+        serde_json::from_str::<T>(&json).expect("deserialize")
+    }
+
+    pub fn test_init_secret_memory_policy() {
+        secret_policy_use_only_malloc_secrets();
+    }
+
+    #[test]
+    fn secret_roundtrip_json() {
+        test_init_secret_memory_policy();
+        const N: usize = 32;
+        let src = [0xABu8; N];
+        let original = Secret::<N>::from_slice(&src);
+        let recovered: Secret<N> = roundtrip_json(&original);
+        assert_eq!(
+            original.secret(),
+            recovered.secret(),
+            "Secret bytes must match after roundtrip"
+        );
+    }
+
+    #[test]
+    fn public_roundtrip_json() {
+        const N: usize = 48;
+        let src = [0x11u8; N];
+        let original = Public::<N>::from_slice(&src);
+        let json = serde_json::to_string(&original).expect("serialize");
+        let recovered: Public<N> = serde_json::from_str(&json).expect("deserialize");
+        // Avoid relying on private fields: compare canonical serialization strings.
+        let json2 = serde_json::to_string(&recovered).expect("re-serialize");
+        assert_eq!(
+            json, json2,
+            "Public must serialize identically after roundtrip"
+        );
+    }
+
+    #[test]
+    fn public_box_roundtrip_json() {
+        const N: usize = 64;
+        let src = [0x7Fu8; N];
+
+        let original = PublicBox::<N>::new(src);
+
+        let json = serde_json::to_string(&original).expect("serialize");
+        let recovered: PublicBox<N> = serde_json::from_str(&json).expect("deserialize");
+        let json2 = serde_json::to_string(&recovered).expect("re-serialize");
+        assert_eq!(
+            json, json2,
+            "PublicBox must serialize identically after roundtrip"
+        );
+    }
+
+    #[test]
+    fn secret_len_mismatch_is_error() {
+        test_init_secret_memory_policy();
+        const N_SMALL: usize = 16;
+        const N_BIG: usize = 32;
+
+        let src = [0x55u8; N_SMALL];
+        let small = Secret::<N_SMALL>::from_slice(&src);
+        let json = serde_json::to_string(&small).expect("serialize");
+
+        // Attempt to deserialize a 16-byte payload into Secret<32> should fail.
+        let res = serde_json::from_str::<Secret<N_BIG>>(&json);
+        assert!(
+            res.is_err(),
+            "Deserializing into a larger fixed size must error"
+        );
+    }
+
+    #[test]
+    fn public_len_mismatch_is_error() {
+        const N_SMALL: usize = 24;
+        const N_BIG: usize = 40;
+
+        let src = [0x33u8; N_SMALL];
+        let small = Public::<N_SMALL>::from_slice(&src);
+        let json = serde_json::to_string(&small).expect("serialize");
+
+        let res = serde_json::from_str::<Public<N_BIG>>(&json);
+        assert!(
+            res.is_err(),
+            "Deserializing into a larger fixed size must error"
+        );
+    }
+
+    #[test]
+    fn public_box_len_mismatch_is_error() {
+        const N_SMALL: usize = 8;
+        const N_BIG: usize = 12;
+
+        let src = [0xE0u8; N_SMALL];
+        let small = PublicBox::<N_SMALL>::new(src);
+        let json = serde_json::to_string(&small).expect("serialize");
+
+        let res = serde_json::from_str::<PublicBox<N_BIG>>(&json);
+        assert!(
+            res.is_err(),
+            "Deserializing into a different fixed size must error"
+        );
+    }
+}
--- a/supply-chain-CI.md
+++ b/supply-chain-CI.md
@@ -0,0 +1,25 @@
+# Continuous Integration for supply chain protection
+
+This repository's CI uses non-standard mechanisms to harmonize the usage of `dependabot` together with [`cargo vet`](https://mozilla.github.io/cargo-vet/). Since cargo-vet audits for new versions of crates are rarely immediately available once dependabots bumps the version,
+the exemptions for `cargo vet` have to be regenerated for each push request opened by dependabot. To make this work, some setup is neccessary to setup the CI. The required steps are as follows:
+
+1. Create a mew user on github. For the purpose of these instructions, we will assume that its mail address is `ci@example.com` and that its username is `ci-bot`. Protect this user account as you would any other user account that you intend to gve write permissions to. For example, setup MFA or protect the email address of the user. Make sure to verify your e-mail.
+2. Add `ci-bot` as a member of your organizaton with write access to the repository.
+3. In your organization, go to "Settings" -> "Personal Access tokens" -> "Settings". There select "Allow access via fine-grained personal access tokens" and save. Depending on your preferences either choose "Require administrator approval" or "Do not require administrator approval".
+4. Create a new personal access token as `ci-bot` for the rosenpass repository. That is, in the settings for `ci-bot`, select "Developer settings" -> "Personal Access tokens" -> "Fine-grained tokens". Then click on "Generate new token". Enter a name of your choosing and choose an expiration date that you feel comfortable with. A shorter expiration period will requrie more manual management by you but is more secure than a longer one. Select your organization as the resource owner and select the rosenpass repository as the repository. Under "Repository permissions", grant "Read and write"-access to the "Contens" premission for the token. Grant no other permissions to the token, except for the read-only access to the "Metadata" permission, which is mandatory. Then generate the token and copy it for the next steps.
+5. If you chose "Require administrator approval" in step 3, approve the fine grained access token by, as a organization administrator, going to "Settings" -> "Personal Access tokens" -> "Pending requests" and grant the request.
+6. Now, with your account that has administrative permissions for the repository, open the settings page for the repository and select "Secrets and variables" -> "Actions" and click "New repository secret". In the name field enter "CI_BOT_PAT". This name is mandatory, since it is explicitly referenced in the supply-chain workflow. Below, enter the token that was generated in step 4.
+7. Analogously to step 6, open the settings page for the repository and select "Secrets and variables" -> "Dependabot" and click "New repository secret". In the name field enter "CI_BOT_PAT". This name is mandatory, since it is explicitly referenced in the supply-chain workflow. Below, enter the token that was generated in step 4.
+
+## What this does
+
+For the `cargo vet` check in the CI for dependabot, the `cargo vet`-exemptions have to automatically be regenerated, because otherwise this CI job will always fail for dependabot PRs. After the exemptions have been regenerated, they need to be commited and pushed to the PR. This invalidates the CI run that pushed the commit so that it does not show up in the PR anymore but does not trigger a new CI run. This is a [protection by Github](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) to prevent infinite loops. However, in this case it prevents us from having a proper CI run for dependabot PRs. The solution to this is to execute `push` operation with a personal access token.
+
+## Preventing infinite loops
+
+The CI is configured to avoid infinite loops by only regenerating and pushing the `cargo vet` exemptions if the CI run happens with respect to a PR opened by dependabot and not for any other pushed or pull requests. In addition one of the following conditions has to be met:
+
+- The last commit was performed by dependabot
+- The last commit message ends in `--regenerate-exemptions`
+
+Summarizing, the exemptions are only regenerated in the context of pull requests opened by dependabot and, the last commit was was performed by dependabot or the last commit message ends in `--regenerate-exemptions`.
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -1,4 +1,27 @@

 # cargo-vet audits file

-[audits]
+[[audits.assert_tv]]
+who = "Amin Faez <amin.faez.inbox@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.5.1"
+
+[[audits.assert_tv]]
+who = "Amin Faez <amin.faez.inbox@gmail.com>"
+criteria = "safe-to-deploy"
+version = "0.5.1"
+
+[[audits.assert_tv_macros]]
+who = "Amin Faez <amin.faez.inbox@gmail.com>"
+criteria = "safe-to-run"
+version = "0.5.1"
+
+[[audits.ryu]]
+who = "Amin Faez <amin.faez.inbox@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.0.10"
+
+[[audits.serde_json]]
+who = "Amin Faez <amin.faez.inbox@gmail.com>"
+criteria = "safe-to-deploy"
+version = "1.0.138"
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -74,7 +74,15 @@ version = "3.0.7"
 criteria = "safe-to-deploy"

 [[exemptions.anyhow]]
-version = "1.0.96"
+version = "1.0.98"
+criteria = "safe-to-deploy"
+
+[[exemptions.assert_tv]]
+version = "0.6.5"
+criteria = "safe-to-deploy"
+
+[[exemptions.assert_tv_macros]]
+version = "0.6.5"
 criteria = "safe-to-deploy"

 [[exemptions.atomic-polyfill]]
@@ -142,7 +150,7 @@ version = "0.7.4"
 criteria = "safe-to-deploy"

 [[exemptions.clap_mangen]]
-version = "0.2.24"
+version = "0.2.29"
 criteria = "safe-to-deploy"

 [[exemptions.cmake]]
@@ -249,18 +257,10 @@ criteria = "safe-to-deploy"
 version = "0.10.7"
 criteria = "safe-to-deploy"

-[[exemptions.embedded-io]]
-version = "0.6.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.env_logger]]
 version = "0.10.2"
 criteria = "safe-to-deploy"

-[[exemptions.fastrand]]
-version = "2.3.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.findshlibs]]
 version = "0.10.2"
 criteria = "safe-to-run"
@@ -285,10 +285,6 @@ criteria = "safe-to-deploy"
 version = "0.2.15"
 criteria = "safe-to-deploy"

-[[exemptions.gimli]]
-version = "0.31.1"
-criteria = "safe-to-deploy"
-
 [[exemptions.hash32]]
 version = "0.2.1"
 criteria = "safe-to-deploy"
@@ -341,6 +337,10 @@ criteria = "safe-to-deploy"
 version = "2.1.0"
 criteria = "safe-to-deploy"

+[[exemptions.io-uring]]
+version = "0.7.9"
+criteria = "safe-to-deploy"
+
 [[exemptions.ipc-channel]]
 version = "0.18.3"
 criteria = "safe-to-run"
@@ -370,7 +370,7 @@ version = "1.3.0"
 criteria = "safe-to-deploy"

 [[exemptions.libc]]
-version = "0.2.169"
+version = "0.2.174"
 criteria = "safe-to-deploy"

 [[exemptions.libcrux]]
@@ -414,7 +414,7 @@ version = "0.0.2-beta.3"
 criteria = "safe-to-deploy"

 [[exemptions.libfuzzer-sys]]
-version = "0.4.9"
+version = "0.4.10"
 criteria = "safe-to-deploy"

 [[exemptions.libjade-sys]]
@@ -529,10 +529,6 @@ criteria = "safe-to-deploy"
 version = "1.0.15"
 criteria = "safe-to-deploy"

-[[exemptions.pin-project-lite]]
-version = "0.2.16"
-criteria = "safe-to-deploy"
-
 [[exemptions.pkg-config]]
 version = "0.3.31"
 criteria = "safe-to-deploy"
@@ -581,14 +577,6 @@ criteria = "safe-to-deploy"
 version = "0.9.0"
 criteria = "safe-to-deploy"

-[[exemptions.rand_chacha]]
-version = "0.9.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.rand_core]]
-version = "0.9.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.redox_syscall]]
 version = "0.5.9"
 criteria = "safe-to-deploy"
@@ -613,10 +601,6 @@ criteria = "safe-to-deploy"
 version = "0.38.44"
 criteria = "safe-to-deploy"

-[[exemptions.ryu]]
-version = "1.0.19"
-criteria = "safe-to-deploy"
-
 [[exemptions.scc]]
 version = "2.3.3"
 criteria = "safe-to-run"
@@ -630,13 +614,17 @@ version = "3.0.7"
 criteria = "safe-to-run"

 [[exemptions.serde_json]]
-version = "1.0.139"
+version = "1.0.140"
 criteria = "safe-to-deploy"

 [[exemptions.serde_spanned]]
 version = "0.6.8"
 criteria = "safe-to-deploy"

+[[exemptions.serde_yaml]]
+version = "0.9.34+deprecated"
+criteria = "safe-to-deploy"
+
 [[exemptions.serial_test]]
 version = "3.2.0"
 criteria = "safe-to-run"
@@ -646,7 +634,11 @@ version = "3.2.0"
 criteria = "safe-to-run"

 [[exemptions.signal-hook]]
-version = "0.3.17"
+version = "0.3.18"
+criteria = "safe-to-deploy"
+
+[[exemptions.signal-hook-mio]]
+version = "0.2.4"
 criteria = "safe-to-deploy"

 [[exemptions.signal-hook-registry]]
@@ -658,7 +650,7 @@ version = "0.4.9"
 criteria = "safe-to-deploy"

 [[exemptions.socket2]]
-version = "0.5.8"
+version = "0.6.0"
 criteria = "safe-to-deploy"

 [[exemptions.spin]]
@@ -666,7 +658,7 @@ version = "0.9.8"
 criteria = "safe-to-deploy"

 [[exemptions.stacker]]
-version = "0.1.19"
+version = "0.1.21"
 criteria = "safe-to-deploy"

 [[exemptions.syn]]
@@ -702,7 +694,7 @@ version = "2.0.11"
 criteria = "safe-to-deploy"

 [[exemptions.tokio]]
-version = "1.44.2"
+version = "1.47.0"
 criteria = "safe-to-deploy"

 [[exemptions.tokio-macros]]
@@ -733,8 +725,8 @@ criteria = "safe-to-deploy"
 version = "1.0.17"
 criteria = "safe-to-deploy"

-[[exemptions.utf8parse]]
-version = "0.2.2"
+[[exemptions.unsafe-libyaml]]
+version = "0.2.11"
 criteria = "safe-to-deploy"

 [[exemptions.uuid]]
@@ -968,3 +960,15 @@ criteria = "safe-to-deploy"
 [[exemptions.zerocopy-derive]]
 version = "0.8.24"
 criteria = "safe-to-deploy"
+
+[[exemptions.zstd]]
+version = "0.13.3"
+criteria = "safe-to-deploy"
+
+[[exemptions.zstd-safe]]
+version = "7.2.4"
+criteria = "safe-to-deploy"
+
+[[exemptions.zstd-sys]]
+version = "2.0.15+zstd.1.5.7"
+criteria = "safe-to-deploy"
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -28,14 +28,14 @@ who = "Nick Fitzgerald <fitzgen@gmail.com>"
 criteria = "safe-to-deploy"
 user-id = 696 # Nick Fitzgerald (fitzgen)
 start = "2019-03-16"
-end = "2025-07-30"
+end = "2026-08-21"

 [[audits.bytecode-alliance.wildcard-audits.wit-bindgen-rt]]
 who = "Alex Crichton <alex@alexcrichton.com>"
 criteria = "safe-to-deploy"
 user-id = 73222 # wasmtime-publish
 start = "2023-01-01"
-end = "2025-05-08"
+end = "2026-06-03"
 notes = """
 The Bytecode Alliance uses the `wasmtime-publish` crates.io account to automate
 publication of this crate from CI. This repository requires all PRs are reviewed
@@ -59,6 +59,17 @@ who = "Nick Fitzgerald <fitzgen@gmail.com>"
 criteria = "safe-to-deploy"
 version = "1.4.1"

+[[audits.bytecode-alliance.audits.base64]]
+who = "Pat Hickey <phickey@fastly.com>"
+criteria = "safe-to-deploy"
+version = "0.21.0"
+notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
+
+[[audits.bytecode-alliance.audits.base64]]
+who = "Andrew Brown <andrew.brown@intel.com>"
+criteria = "safe-to-deploy"
+delta = "0.21.3 -> 0.22.1"
+
 [[audits.bytecode-alliance.audits.bitflags]]
 who = "Jamey Sharp <jsharp@fastly.com>"
 criteria = "safe-to-deploy"
@@ -127,6 +138,12 @@ criteria = "safe-to-deploy"
 version = "0.4.0"
 notes = "No `unsafe` code and only uses `std` in ways one would expect the crate to do so."

+[[audits.bytecode-alliance.audits.embedded-io]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "0.4.0 -> 0.6.1"
+notes = "Major updates, but almost all safe code. Lots of pruning/deletions, nothing out of the ordrinary."
+
 [[audits.bytecode-alliance.audits.errno]]
 who = "Dan Gohman <dev@sunfishcode.online>"
 criteria = "safe-to-deploy"
@@ -144,6 +161,21 @@ who = "Dan Gohman <dev@sunfishcode.online>"
 criteria = "safe-to-deploy"
 delta = "0.3.9 -> 0.3.10"

+[[audits.bytecode-alliance.audits.fastrand]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "2.0.0 -> 2.0.1"
+notes = """
+This update had a few doc updates but no otherwise-substantial source code
+updates.
+"""
+
+[[audits.bytecode-alliance.audits.fastrand]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "2.1.1 -> 2.3.0"
+notes = "Minor refactoring, nothing new."
+
 [[audits.bytecode-alliance.audits.futures]]
 who = "Joel Dice <joel.dice@gmail.com>"
 criteria = "safe-to-deploy"
@@ -190,6 +222,18 @@ who = "Pat Hickey <pat@moreproductive.org>"
 criteria = "safe-to-deploy"
 delta = "0.3.28 -> 0.3.31"

+[[audits.bytecode-alliance.audits.gimli]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "0.29.0 -> 0.31.0"
+notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate."
+
+[[audits.bytecode-alliance.audits.gimli]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "0.31.0 -> 0.31.1"
+notes = "No fundmanetally new `unsafe` code, some small refactoring of existing code. Lots of changes in tests, not as many changes in the rest of the crate. More dwarf!"
+
 [[audits.bytecode-alliance.audits.heck]]
 who = "Alex Crichton <alex@alexcrichton.com>"
 criteria = "safe-to-deploy"
@@ -207,6 +251,12 @@ who = "Dan Gohman <dev@sunfishcode.online>"
 criteria = "safe-to-deploy"
 delta = "1.0.11 -> 1.0.14"

+[[audits.bytecode-alliance.audits.log]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "0.4.22 -> 0.4.27"
+notes = "Lots of minor updates to macros and such, nothing touching `unsafe`"
+
 [[audits.bytecode-alliance.audits.miniz_oxide]]
 who = "Alex Crichton <alex@alexcrichton.com>"
 criteria = "safe-to-deploy"
@@ -249,6 +299,12 @@ criteria = "safe-to-deploy"
 version = "1.0.0"
 notes = "I am the author of this crate."

+[[audits.bytecode-alliance.audits.pin-project-lite]]
+who = "Alex Crichton <alex@alexcrichton.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.13 -> 0.2.14"
+notes = "No substantive changes in this update"
+
 [[audits.bytecode-alliance.audits.pin-utils]]
 who = "Pat Hickey <phickey@fastly.com>"
 criteria = "safe-to-deploy"
@@ -301,6 +357,12 @@ criteria = "safe-to-deploy"
 version = "1.0.40"
 notes = "Found no unsafe or ambient capabilities used"

+[[audits.embark-studios.audits.utf8parse]]
+who = "Johan Andersson <opensource@embark-studios.com>"
+criteria = "safe-to-deploy"
+version = "0.2.1"
+notes = "Single unsafe usage that looks sound, no ambient capabilities"
+
 [[audits.fermyon.audits.oorandom]]
 who = "Radu Matei <radu.matei@fermyon.com>"
 criteria = "safe-to-run"
@@ -411,6 +473,16 @@ delta = "1.0.1 -> 1.0.2"
 notes = "No changes to any .rs files or Rust code."
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

+[[audits.google.audits.fastrand]]
+who = "George Burgess IV <gbiv@google.com>"
+criteria = "safe-to-deploy"
+version = "1.9.0"
+notes = """
+`does-not-implement-crypto` is certified because this crate explicitly says
+that the RNG here is not cryptographically secure.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.glob]]
 who = "George Burgess IV <gbiv@google.com>"
 criteria = "safe-to-deploy"
@@ -524,20 +596,6 @@ describe in the review doc.
 """
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

-[[audits.google.audits.log]]
-who = "Lukasz Anforowicz <lukasza@chromium.org>"
-criteria = "safe-to-deploy"
-delta = "0.4.22 -> 0.4.25"
-notes = "No impact on `unsafe` usage in `lib.rs`."
-aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
-
-[[audits.google.audits.log]]
-who = "Daniel Cheng <dcheng@chromium.org>"
-criteria = "safe-to-deploy"
-delta = "0.4.25 -> 0.4.26"
-notes = "Only trivial code and documentation changes."
-aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
-
 [[audits.google.audits.nom]]
 who = "danakj@chromium.org"
 criteria = "safe-to-deploy"
@@ -554,6 +612,20 @@ version = "0.1.46"
 notes = "Contains no unsafe"
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

+[[audits.google.audits.pin-project-lite]]
+who = "David Koloski <dkoloski@google.com>"
+criteria = "safe-to-deploy"
+version = "0.2.9"
+notes = "Reviewed on https://fxrev.dev/824504"
+aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.pin-project-lite]]
+who = "David Koloski <dkoloski@google.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.9 -> 0.2.13"
+notes = "Audited at https://fxrev.dev/946396"
+aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.proc-macro-error-attr]]
 who = "George Burgess IV <gbiv@google.com>"
 criteria = "safe-to-deploy"
@@ -708,6 +780,24 @@ For more detailed unsafe review notes please see https://crrev.com/c/6362797
 """
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"

+[[audits.google.audits.rand_chacha]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "0.3.1"
+notes = """
+For more detailed unsafe review notes please see https://crrev.com/c/6362797
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.rand_core]]
+who = "Lukasz Anforowicz <lukasza@chromium.org>"
+criteria = "safe-to-deploy"
+version = "0.6.4"
+notes = """
+For more detailed unsafe review notes please see https://crrev.com/c/6362797
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.regex-syntax]]
 who = "Manish Goregaokar <manishearth@google.com>"
 criteria = "safe-to-deploy"
@@ -1065,6 +1155,21 @@ criteria = "safe-to-run"
 version = "1.2.1"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"

+[[audits.isrg.audits.base64]]
+who = "Tim Geoghegan <timg@letsencrypt.org>"
+criteria = "safe-to-deploy"
+delta = "0.21.0 -> 0.21.1"
+
+[[audits.isrg.audits.base64]]
+who = "Brandon Pitman <bran@bran.land>"
+criteria = "safe-to-deploy"
+delta = "0.21.1 -> 0.21.2"
+
+[[audits.isrg.audits.base64]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+delta = "0.21.2 -> 0.21.3"
+
 [[audits.isrg.audits.block-buffer]]
 who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
@@ -1158,12 +1263,12 @@ version = "0.3.0"
 [[audits.isrg.audits.rand_chacha]]
 who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
-version = "0.3.1"
+delta = "0.3.1 -> 0.9.0"

 [[audits.isrg.audits.rand_core]]
 who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
-version = "0.6.3"
+delta = "0.6.4 -> 0.9.3"

 [[audits.isrg.audits.rayon]]
 who = "Brandon Pitman <bran@bran.land>"
@@ -1379,6 +1484,25 @@ criteria = "safe-to-deploy"
 delta = "0.3.1 -> 0.3.3"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

+[[audits.mozilla.audits.fastrand]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.9.0 -> 2.0.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.fastrand]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "2.0.1 -> 2.1.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.fastrand]]
+who = "Chris Martin <cmartin@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "2.1.0 -> 2.1.1"
+notes = "Fairly trivial changes, no chance of security regression."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.fnv]]
 who = "Bobby Holley <bobbyholley@gmail.com>"
 criteria = "safe-to-deploy"
@@ -1409,6 +1533,23 @@ documentation.
 """
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

+[[audits.mozilla.audits.gimli]]
+who = "Alex Franchuk <afranchuk@mozilla.com>"
+criteria = "safe-to-deploy"
+version = "0.30.0"
+notes = """
+Unsafe code blocks are sound. Minimal dependencies used. No use of
+side-effectful std functions.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.gimli]]
+who = "Chris Martin <cmartin@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "0.30.0 -> 0.29.0"
+notes = "No unsafe code, mostly algorithms and parsing. Very unlikely to cause security issues."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.hex]]
 who = "Simon Friedberger <simon@mozilla.com>"
 criteria = "safe-to-deploy"
@@ -1428,11 +1569,15 @@ delta = "1.0.0 -> 0.1.2"
 notes = "Small refactor of some simple iterator logic, no unsafe code or capabilities."
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

-[[audits.mozilla.audits.rand_core]]
-who = "Mike Hommey <mh+mozilla@glandium.org>"
+[[audits.mozilla.audits.pin-project-lite]]
+who = "Nika Layzell <nika@thelayzells.com>"
 criteria = "safe-to-deploy"
-delta = "0.6.3 -> 0.6.4"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+delta = "0.2.14 -> 0.2.16"
+notes = """
+Only functional change is to work around a bug in the negative_impls feature
+(https://github.com/taiki-e/pin-project/issues/340#issuecomment-2432146009)
+"""
+aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"

 [[audits.mozilla.audits.rayon]]
 who = "Josh Stone <jistone@redhat.com>"
@@ -1454,6 +1599,24 @@ version = "1.1.0"
 notes = "Straightforward crate with no unsafe code, does what it says on the tin."
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"

+[[audits.mozilla.audits.ryu]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.10 -> 1.0.11"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.ryu]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.11 -> 1.0.12"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.ryu]]
+who = "Jan-Erik Rediger <jrediger@mozilla.com>"
+criteria = "safe-to-deploy"
+delta = "1.0.12 -> 1.0.19"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.semver]]
 who = "Jan-Erik Rediger <jrediger@mozilla.com>"
 criteria = "safe-to-deploy"
@@ -1491,6 +1654,12 @@ criteria = "safe-to-deploy"
 delta = "1.0.43 -> 1.0.69"
 aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"

+[[audits.mozilla.audits.utf8parse]]
+who = "Nika Layzell <nika@thelayzells.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.1 -> 0.2.2"
+aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.zeroize]]
 who = "Benjamin Beurdouche <beurdouche@mozilla.com>"
 criteria = "safe-to-deploy"
--- a/tests/integration/README.md
+++ b/tests/integration/README.md
@@ -0,0 +1,29 @@
+# Integration Tests
+
+This directory contains integration tests for rosenpass in the form of a nix flake. Put simply, in order to run the integration tests for the main branch as they are on github right now, just run the following on a linux machine with nix installed and flakes enabled:
+
+```
+nix flake check
+```
+
+## Overview
+
+The integration tests recognize two rosenpass versions, a new version and an old version. If not adapted, both are set to the version of the current main branch of rosenpass on github. We describe below how to change this.
+All integration tests install rosenpass on virtual machines, run the key exchange, create a connection via wireguard that uses rosenpass and then checks whether all peers can ping each other via wireguard. Overall there are four integration tests:
+
+- `basicConnectivity` -- This test only uses the new rosenpass version and checks whether the key exchange between two peers works such that they can ping each other.
+- `backwardClient` -- This test is the same as the `basicConnectivity` test, but with the client using the old rosenpass version.
+- `backwardServer` -- This test is the same as the `backwardClient` test, but with the server using the old rosenpass version.
+- `multiPeer` -- This test again only uses the new rosenpass version, but with three peers. The first peer acts as a server towards the other two peers. The second peer acts as a client towards the first peer and as a server towards the third peer. The third peer acts as a client towards all peers.
+
+## Testing specific versions
+
+You can specify specific versions of rosenpass to test compatability. The proper way to do so is by overriding the respective inputs to the nix flake. As an example, say you want to test the compatability of your local version of rosenpass with the branch `new-feature` on github. You can achieve this by running the following command:
+
+```
+nix flake check  --override-input rosenpass-old ../../ --override-input rosenpass-new github:rosenpass/rosenpass/new-feature
+```
+
+## Usage in the CI
+
+In the CI, the integration tests are used differently, depending on whether the CI run is triggered by a push to the main branch or by a pull request. If the CI run is triggered by a pull request, then the result of merging the main branch and the PR branch is set as the new version and the current state of the main branch is set as the old version. For push events, the CI is only triggered if the push is onto the main branch. In that case, the state before the push event is considered the old version and the state after the push event is considered as the new version.
--- a/Show More
+++ b/Show More