sembr update

<img width="1158" height="635" alt="image"
src="https://github.com/user-attachments/assets/3f3582b4-77b2-4eb5-a7ea-12b60951303c"
/>

.github/workflows/.gitignore

@@ -0,0 +1 @@
+.DS_Store

.github/workflows/.markdownlint.json

@@ -0,0 +1,4 @@
+{
+        "MD013": false,
+        "MD024": false
+}

.github/workflows/markdown-lint.yml

@@ -0,0 +1,23 @@
+name: markdown-linting
+
+on:
+
+  push:
+    branches: 
+      - '**'
+  pull_request:
+    branches: 
+      - '**'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      
+      - name: Markdown Linter
+        uses: DavidAnson/markdownlint-cli2-action@v15
+        with:
+          config: .github/workflows/.markdownlint.json
+          globs: '**/*.md'

README.md

@@ -2,21 +2,46 @@
 
 *NOTE*: This repo is WIP. We are currently restructuring the RFC process.
 
-## RFC Process
+This repository contains specifications from the [Waku](https://waku.org/), [Nomos](https://nomos.tech/),
+[Codex](https://codex.storage/), and
+[Status](https://status.app/) projects that are part of the [IFT portfolio](https://free.technology/).
+[Vac](https://vac.dev) is an
+[IFT service](https://free.technology/services) that will manage the RFC,
+[Request for Comments](https://en.wikipedia.org/wiki/Request_for_Comments),
+process within this repository.
 
-This repository contains specifications from the [Waku](https://waku.org/), [Nomos](https://nomos.tech/), 
-[Codex](https://codex.storage/), and [Status](https://status.app/) projects that are part of the [IFT portfolio](https://free.technology/).
-[Vac](https://vac.dev) is an [IFT service](https://free.technology/services) that will manage the RFC process within this repository.
-The goal of the RFC, [Request for Comments](https://en.wikipedia.org/wiki/Request_for_Comments),
-process is to standardize technical specifications. 
-Specifications will adhere to [1/COSS](./vac/1/coss.md) by obtaining a rough consensus within each project.
+## New RFC Process
 
-**See [rfc.vac.dev](https://rfc.vac.dev) for an easy to browse index of all RFCs.**
+This repository replaces the previous `rfc.vac.dev` resource.
+Each project will maintain initial specifications in separate repositories,
+which may be considered as a **raw** specification.
+All [Vac](https://vac.dev) **raw** specifications and
+discussions will live in the Vac subdirectory.
+When projects have reached some level of maturity
+for a specification living in their repository,
+the process of updating the status to **draft** may begin in this repository.
+Specifications will adhere to
+[1/COSS](./vac/1/coss.md) before obtaining **draft** status.
+
+Implementations should follow specifications as described,
+and all contributions will be discussed before the **stable** status is obtained.
+The goal of this RFC process will to engage all interseted parities and
+reach a rough consensus for techcinal specifications.
 
 ## Contributing
 
-Please see [1/COSS](https://rfc.vac.dev/spec/1/) for general guidelines and specification lifecycle.
+Please see [1/COSS](./vac/1/coss.md) for general guidelines and specification lifecycle.
 
-Feel free to join the [Vac discord](https://discord.gg/Vy54fEWuqC). 
+Feel free to join the [Vac discord](https://discord.gg/Vy54fEWuqC).
 
 Here's the project board used by core contributors and maintainers: [Projects](https://github.com/orgs/vacp2p/projects/5)
+
+## IFT Projects' Raw Specifications
+
+The repository for each project **raw** specifications:
+
+- [Vac Raw Specifications](./vac/raw)
+- [Status Raw Specifications](./status/raw)
+- [Waku Raw Specificiations](https://github.com/waku-org/specs/tree/master)
+- [Codex Raw Specifications](none)
+- [Nomos Raw Specifications](https://github.com/logos-co/nomos-specs)

codex/README.md

@@ -1,3 +1,5 @@
 # Codex RFCs
 
-Codex specifications related to a decentralised data storage platform.
+Specifications related the Codex decentralised data storage platform.
+Visit [Codex specs](https://github.com/codex-storage/codex-spec)
+to view the new Codex specifications currently under discussion.

codex/raw/codex-marketplace.md

@@ -0,0 +1,802 @@
+---
+slug: codex-marketplace
+title: CODEX-MARKETPLACE
+name: Codex Storage Marketplace
+status: raw
+category: Standards Track
+tags: codex, storage, marketplace, smart-contract
+editor: Codex Team and Dmitriy Ryajov <dryajov@status.im>
+contributors:
+  - Mark Spanbroek <mark@codex.storage>
+  - Adam Uhlíř <adam@codex.storage>
+  - Eric Mastro <eric@codex.storage>
+  - Jimmy Debe <jimmy@status.im>
+  - Filip Dimitrijevic <filip@status.im>
+---
+
+## Abstract
+
+Codex Marketplace and its interactions are defined by a smart contract deployed on an EVM-compatible blockchain. This specification describes these interactions for the various roles within the network.
+
+The document is intended for implementors of Codex nodes.
+
+## Semantics
+
+The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+
+### Definitions
+
+| Terminology               | Description                                                                                                               |
+|---------------------------|---------------------------------------------------------------------------------------------------------------------------|
+| Storage Provider (SP)      | A node in the Codex network that provides storage services to the marketplace.                                             |
+| Validator                  | A node that assists in identifying missing storage proofs.                                                                |
+| Client                     | A node that interacts with other nodes in the Codex network to store, locate, and retrieve data.                           |
+| Storage Request or Request | A request created by a client node to persist data on the Codex network.                                                  |
+| Slot or Storage Slot       | A space allocated by the storage request to store a piece of the request's dataset.              |
+| Smart Contract             | A smart contract implementing the marketplace functionality.                                                               |
+| Token               | The ERC20-based token used within the Codex network.     |
+
+## Motivation
+
+The Codex network aims to create a peer-to-peer storage engine with robust data durability, data persistence guarantees, and a comprehensive incentive structure.
+
+The marketplace is a critical component of the Codex network, serving as a platform where all involved parties interact to ensure data persistence. It provides mechanisms to enforce agreements and facilitate data repair when SPs fail to fulfill their duties.
+
+Implemented as a smart contract on an EVM-compatible blockchain, the marketplace enables various scenarios where nodes assume one or more roles to maintain a reliable persistence layer for users. This specification details these interactions.
+
+The marketplace contract manages storage requests, maintains the state of allocated storage slots, and orchestrates SP rewards, collaterals, and storage proofs.
+
+A node that wishes to participate in the Codex persistence layer MUST implement one or more roles described in this document.
+
+### Roles
+
+A node can assume one of the three main roles in the network: the client, SP, and validator.
+
+A client is a potentially short-lived node in the network with the purpose of persisting its data in the Codex persistence layer.
+
+An SP is a long-lived node providing storage for clients in exchange for profit. To ensure a reliable, robust service for clients, SPs are required to periodically provide proofs that they are persisting the data.
+
+A validator ensures that SPs have submitted valid proofs each period where the smart contract required a proof to be submitted for slots filled by the SP.
+
+---
+
+## Part I: Protocol Specification
+
+This part defines the **normative requirements** for the Codex Marketplace protocol. All implementations MUST comply with these requirements to participate in the Codex network. The protocol is defined by smart contract interactions on an EVM-compatible blockchain.
+
+## Storage Request Lifecycle
+
+The diagram below depicts the lifecycle of a storage request:
+
+```text
+                      ┌───────────┐
+                      │ Cancelled │
+                      └───────────┘
+                            ▲
+                            │ Not all
+                            │ Slots filled
+                            │
+    ┌───────────┐    ┌──────┴─────────────┐           ┌─────────┐
+    │ Submitted ├───►│ Slots Being Filled ├──────────►│ Started │
+    └───────────┘    └────────────────────┘ All Slots └────┬────┘
+                                            Filled         │
+                                                           │
+                                   ┌───────────────────────┘
+                           Proving ▼
+    ┌────────────────────────────────────────────────────────────┐
+    │                                                            │
+    │                 Proof submitted                            │
+    │       ┌─────────────────────────► All good                 │
+    │       │                                                    │
+    │ Proof required                                             │
+    │       │                                                    │
+    │       │         Proof missed                               │
+    │       └─────────────────────────► After some time slashed  │
+    │                                   eventually Slot freed    │
+    │                                                            │
+    └────────┬─┬─────────────────────────────────────────────────┘
+             │ │                                      ▲
+             │ │                                      │
+             │ │ SP kicked out and Slot freed ┌───────┴────────┐
+All good     │ ├─────────────────────────────►│ Repair process │
+Time ran out │ │                              └────────────────┘
+             │ │
+             │ │ Too many Slots freed         ┌────────┐
+             │ └─────────────────────────────►│ Failed │
+             ▼                                └────────┘
+       ┌──────────┐
+       │ Finished │
+       └──────────┘
+```
+
+## Client Role
+
+A node implementing the client role mediates the persistence of data within the Codex network.
+
+A client has two primary responsibilities:
+
+- Requesting storage from the network by sending a storage request to the smart contract.
+- Withdrawing funds from the storage requests previously created by the client.
+
+### Creating Storage Requests
+
+When a user prompts the client node to create a storage request, the client node SHOULD receive the input parameters for the storage request from the user.
+
+To create a request to persist a dataset on the Codex network, client nodes MUST split the dataset into data chunks, $(c_1, c_2, c_3, \ldots, c_{n})$. Using the erasure coding method and the provided input parameters, the data chunks are encoded and distributed over a number of slots. The applied erasure coding method MUST use the [Reed-Solomon algorithm](https://hackmd.io/FB58eZQoTNm-dnhu0Y1XnA). The final slot roots and other metadata MUST be placed into a `Manifest` (TODO: Manifest RFC). The CID for the `Manifest` MUST then be used as the `cid` for the stored dataset.
+
+After the dataset is prepared, a client node MUST call the smart contract function `requestStorage(request)`, providing the desired request parameters in the `request` parameter. The `request` parameter is of type `Request`:
+
+```solidity
+struct Request {
+  address client;
+  Ask ask;
+  Content content;
+  uint64 expiry;
+  bytes32 nonce;
+}
+
+struct Ask {
+  uint256 proofProbability;
+  uint256 pricePerBytePerSecond;
+  uint256 collateralPerByte;
+  uint64 slots;
+  uint64 slotSize;
+  uint64 duration;
+  uint64 maxSlotLoss;
+}
+
+struct Content {
+  bytes cid;
+  bytes32 merkleRoot;
+}
+```
+
+The table below provides the description of the `Request` and the associated types attributes:
+
+| attribute | type | description |
+|-----------|------|-------------|
+| `client` | `address` | The Codex node requesting storage. |
+| `ask` | `Ask` | Parameters of Request. |
+| `content` | `Content` | The dataset that will be hosted with the storage request. |
+| `expiry` | `uint64` | Timeout in seconds during which all the slots have to be filled, otherwise Request will get cancelled. The final deadline timestamp is calculated at the moment the transaction is mined. |
+| `nonce` | `bytes32` | Random value to differentiate from other requests of same parameters. It SHOULD be a random byte array. |
+| `pricePerBytePerSecond` | `uint256` | Amount of tokens that will be awarded to SPs for finishing the storage request. It MUST be an amount of tokens offered per slot per second per byte. The Ethereum address that submits the `requestStorage()` transaction MUST have [approval](https://docs.openzeppelin.com/contracts/2.x/api/token/erc20#IERC20-approve-address-uint256-) for the transfer of at least an equivalent amount of full reward (`pricePerBytePerSecond * duration * slots * slotSize`) in tokens. |
+| `collateralPerByte` | `uint256` | The amount of tokens per byte of slot's size that SPs submit when they fill slots. Collateral is then slashed or forfeited if SPs fail to provide the service requested by the storage request (more information in the [Slashing](#### Slashing) section). |
+| `proofProbability` | `uint256` | Determines the average frequency that a proof is required within a period: $\frac{1}{proofProbability}$. SPs are required to provide proofs of storage to the marketplace contract when challenged. To prevent hosts from only coming online when proofs are required, the frequency at which proofs are requested from SPs is stochastic and is influenced by the `proofProbability` parameter. |
+| `duration` | `uint64` | Total duration of the storage request in seconds. It MUST NOT exceed the limit specified in the configuration `config.requestDurationLimit`. |
+| `slots` | `uint64` | The number of requested slots. The slots will all have the same size. |
+| `slotSize` | `uint64` | Amount of storage per slot in bytes. |
+| `maxSlotLoss` | `uint64` |  Max slots that can be lost without data considered to be lost. |
+| `cid`     | `bytes` | An identifier used to locate the Manifest representing the dataset. It MUST be a [CIDv1](https://github.com/multiformats/cid#cidv1), SHA-256 [multihash](https://github.com/multiformats/multihash) and the data it represents SHOULD be discoverable in the network, otherwise the request will be eventually canceled. |
+| `merkleRoot` | `bytes32` | Merkle root of the dataset, used to verify storage proofs |
+
+#### Renewal of Storage Requests
+
+It should be noted that the marketplace does not support extending requests. It is REQUIRED that if the user wants to extend the duration of a request, a new request with the same CID must be [created](### Creating Storage Requests) **before the original request completes**.
+
+This ensures that the data will continue to persist in the network at the time when the new (or existing) SPs need to retrieve the complete dataset to fill the slots of the new request.
+
+### Monitoring and State Management
+
+Client nodes MUST implement the following smart contract interactions for monitoring and state management:
+
+- **getRequest(requestId)**: Retrieve the full `StorageRequest` data from the marketplace. This function is used for recovery and state verification after restarts or failures.
+
+- **requestState(requestId)**: Query the current state of a storage request. Used for monitoring request progress and determining the appropriate client actions.
+
+- **requestExpiresAt(requestId)**: Query when the request will expire if not fulfilled.
+
+- **getRequestEnd(requestId)**: Query when a fulfilled request will end (used to determine when to call `freeSlot` or `withdrawFunds`).
+
+Client nodes MUST subscribe to the following marketplace events:
+
+- **RequestFulfilled(requestId)**: Emitted when a storage request has enough filled slots to start. Clients monitor this event to determine when their request becomes active and transitions from the submission phase to the active phase.
+
+- **RequestFailed(requestId)**: Emitted when a storage request fails due to proof failures or other reasons. Clients observe this event to detect failed requests and initiate fund withdrawal.
+
+### Withdrawing Funds
+
+The client node MUST monitor the status of the requests it created. When a storage request enters the `Cancelled`, `Failed`, or `Finished` state, the client node MUST initiate the withdrawal of the remaining or refunded funds from the smart contract using the `withdrawFunds(requestId)` function.
+
+Request states are determined as follows:
+
+- The request is considered `Cancelled` if no `RequestFulfilled(requestId)` event is observed during the timeout specified by the value returned from the `requestExpiresAt(requestId)` function.
+- The request is considered `Failed` when the `RequestFailed(requestId)` event is observed.
+- The request is considered `Finished` after the interval specified by the value returned from the `getRequestEnd(requestId)` function has elapsed.
+
+## Storage Provider Role
+
+A Codex node acting as an SP persists data across the network by hosting slots requested by clients in their storage requests.
+
+The following tasks need to be considered when hosting a slot:
+
+- Filling a slot
+- Proving
+- Repairing a slot
+- Collecting request reward and collateral
+
+### Filling Slots
+
+When a new request is created, the `StorageRequested(requestId, ask, expiry)` event is emitted with the following properties:
+
+- `requestId` - the ID of the request.
+- `ask` - the specification of the request parameters. For details, see the definition of the `Request` type in the [Creating Storage Requests](### Creating Storage Requests) section above.
+- `expiry` - a Unix timestamp specifying when the request will be canceled if all slots are not filled by then.
+
+It is then up to the SP node to decide, based on the emitted parameters and node's operator configuration, whether it wants to participate in the request and attempt to fill its slot(s) (note that one SP can fill more than one slot). If the SP node decides to ignore the request, no further action is required. However, if the SP decides to fill a slot, it MUST follow the remaining steps described below.
+
+The node acting as an SP MUST decide which slot, specified by the slot index, it wants to fill. The SP MAY attempt to fill more than one slot. To fill a slot, the SP MUST first reserve the slot in the smart contract using `reserveSlot(requestId, slotIndex)`. If reservations for this slot are full, or if the SP has already reserved the slot, the transaction will revert. If the reservation was unsuccessful, then the SP is not allowed to fill the slot. If the reservation was successful, the node MUST then download the slot data using the CID of the manifest (**TODO: Manifest RFC**) and the slot index. The CID is specified in `request.content.cid`, which can be retrieved from the smart contract using `getRequest(requestId)`. Then, the node MUST generate a proof over the downloaded data (**TODO: Proving RFC**).
+
+When the proof is ready, the SP MUST call `fillSlot()` on the smart contract with the following REQUIRED parameters:
+
+- `requestId` - the ID of the request.
+- `slotIndex` - the slot index that the node wants to fill.
+- `proof` - the `Groth16Proof` proof structure, generated over the slot data.
+
+The Ethereum address of the SP node from which the transaction originates MUST have [approval](https://docs.openzeppelin.com/contracts/2.x/api/token/erc20#IERC20-approve-address-uint256-) for the transfer of at least the amount of tokens required as collateral for the slot (`collateralPerByte * slotSize`).
+
+If the proof delivered by the SP is invalid or the slot was already filled by another SP, then the transaction will revert. Otherwise, a `SlotFilled(requestId, slotIndex)` event is emitted. If the transaction is successful, the SP SHOULD transition into the **proving** state, where it will need to submit proof of data possession when challenged by the smart contract.
+
+It should be noted that if the SP node observes a `SlotFilled` event for the slot it is currently downloading the dataset for or generating the proof for, it means that the slot has been filled by another node in the meantime. In response, the SP SHOULD stop its current operation and attempt to fill a different, unfilled slot.
+
+### Proving
+
+Once an SP fills a slot, it MUST submit proofs to the marketplace contract when a challenge is issued by the contract. SPs SHOULD detect that a proof is required for the current period using the `isProofRequired(slotId)` function, or that it will be required using the `willProofBeRequired(slotId)` function in the case that the [proving clock pointer is in downtime](https://github.com/codex-storage/codex-research/blob/41c4b4409d2092d0a5475aca0f28995034e58d14/design/storage-proof-timing.md).
+
+Once an SP knows it has to provide a proof it MUST get the proof challenge using `getChallenge(slotId)`, which then
+MUST be incorporated into the proof generation as described in Proving RFC (**TODO: Proving RFC**).
+
+When the proof is generated, it MUST be submitted by calling the `submitProof(slotId, proof)` smart contract function.
+
+#### Slashing
+
+There is a slashing scheme orchestrated by the smart contract to incentivize correct behavior and proper proof submissions by SPs. This scheme is configured at the smart contract level and applies uniformly to all participants in the network. The configuration of the slashing scheme can be obtained via the `configuration()` contract call.
+
+The slashing works as follows:
+
+- When SP misses a proof and a validator trigger detection of this event using the `markProofAsMissing()` call, the SP is slashed by `config.collateral.slashPercentage` **of the originally required collateral** (hence the slashing amount is always the same for a given request).
+- If the number of slashes exceeds `config.collateral.maxNumberOfSlashes`, the slot is freed, the remaining collateral is burned, and the slot is offered to other nodes for repair. The smart contract also emits the `SlotFreed(requestId, slotIndex)` event.
+
+If, at any time, the number of freed slots exceeds the value specified by the `request.ask.maxSlotLoss` parameter, the dataset is considered lost, and the request is deemed _failed_. The collateral of all SPs that hosted the slots associated with the storage request is burned, and the `RequestFailed(requestId)` event is emitted.
+
+### Repair
+
+When a slot is freed due to too many missed proofs, which SHOULD be detected by listening to the `SlotFreed(requestId, slotIndex)` event, an SP node can decide whether to participate in repairing the slot. Similar to filling a slot, the node SHOULD consider the operator's configuration when making this decision. The SP that originally hosted the slot but failed to comply with proving requirements MAY also participate in the repair. However, by refilling the slot, the SP **will not** recover its original collateral and must submit new collateral using the `fillSlot()` call.
+
+The repair process is similar to filling slots. If the original slot dataset is no longer present in the network, the SP MAY use erasure coding to reconstruct the dataset. Reconstructing the original slot dataset requires retrieving other pieces of the dataset stored in other slots belonging to the request. For this reason, the node that successfully repairs a slot is entitled to an additional reward. (**TODO: Implementation**)
+
+The repair process proceeds as follows:
+
+1. The SP observes the `SlotFreed` event and decides to repair the slot.
+2. The SP MUST reserve the slot with the `reserveSlot(requestId, slotIndex)` call. For more information see the [Filling Slots](###filling slots) section.
+3. The SP MUST download the chunks of data required to reconstruct the freed slot's data. The node MUST use the [Reed-Solomon algorithm](https://hackmd.io/FB58eZQoTNm-dnhu0Y1XnA) to reconstruct the missing data.
+4. The SP MUST generate proof over the reconstructed data.
+5. The SP MUST call the `fillSlot()` smart contract function with the same parameters and collateral allowance as described in the [Filling Slots](###filling slots) section.
+
+### Collecting Funds
+
+An SP node SHOULD monitor the requests and the associated slots it hosts.
+
+When a storage request enters the `Cancelled`, `Finished`, or `Failed` state, the SP node SHOULD call the `freeSlot(slotId)` smart contract function.
+
+The aforementioned storage request states (`Cancelled`, `Finished`, and `Failed`) can be detected as follows:
+
+- A storage request is considered `Cancelled` if no `RequestFulfilled(requestId)` event is observed within the time indicated by the `expiry` request parameter. Note that a `RequestCancelled` event may also be emitted, but the node SHOULD NOT rely on this event to assert the request expiration, as the `RequestCancelled` event is not guaranteed to be emitted at the time of expiry.
+- A storage request is considered `Finished` when the time indicated by the value returned from the `getRequestEnd(requestId)` function has elapsed.
+- A node concludes that a storage request has `Failed` upon observing the `RequestFailed(requestId)` event.
+
+For each of the states listed above, different funds are handled as follows:
+
+- In the `Cancelled` state, the collateral is returned along with a proportional payout based on the time the node actually hosted the dataset before the expiry was reached.
+- In the `Finished` state, the full reward for hosting the slot, along with the collateral, is collected.
+- In the `Failed` state, no funds are collected. The reward is returned to the client, and the collateral is burned. The slot is removed from the list of slots and is no longer included in the list of slots returned by the `mySlots()` function.
+
+## Validator Role
+
+In a blockchain, a contract cannot change its state without a transaction and gas initiating the state change. Therefore, our smart contract requires an external trigger to periodically check and confirm that a storage proof has been delivered by the SP. This is where the validator role is essential.
+
+The validator role is fulfilled by nodes that help to verify that SPs have submitted the required storage proofs.
+
+It is the smart contract that checks if the proof requested from an SP has been delivered. The validator only triggers the decision-making function in the smart contract. To incentivize validators, they receive a reward each time they correctly mark a proof as missing corresponding to the percentage of the slashed collateral defined by `config.collateral.validatorRewardPercentage`.
+
+Each time a validator observes the `SlotFilled` event, it SHOULD add the slot reported in the `SlotFilled` event to the validator's list of watched slots. Then, after the end of each period, a validator has up to `config.proofs.timeout` seconds (a configuration parameter retrievable with `configuration()`) to validate all the slots. If a slot lacks the required proof, the validator SHOULD call the `markProofAsMissing(slotId, period)` function on the smart contract. This function validates the correctness of the claim, and if right, will send a reward to the validator.
+
+If validating all the slots observed by the validator is not feasible within the specified `timeout`, the validator MAY choose to validate only a subset of the observed slots.
+
+---
+
+## Part II: Implementation Suggestions
+
+> **IMPORTANT**: The sections above (Abstract through Validator Role) define the normative Codex Marketplace protocol requirements. All implementations MUST comply with those protocol requirements to participate in the Codex network.
+>
+> **The sections below are non-normative**. They document implementation approaches used in the nim-codex reference implementation. These are suggestions to guide implementors but are NOT required by the protocol. Alternative implementations MAY use different approaches as long as they satisfy the protocol requirements defined in Part I.
+
+## Implementation Suggestions
+
+This section describes implementation approaches used in reference implementations. These are **suggestions and not normative requirements**. Implementations are free to use different internal architectures, state machines, and data structures as long as they correctly implement the protocol requirements defined above.
+
+### Storage Provider Implementation
+
+The nim-codex reference implementation provides a complete Storage Provider implementation with state machine management, slot queueing, and resource management. This section documents the nim-codex approach.
+
+#### State Machine
+
+The Sales module implements a deterministic state machine for each slot, progressing through the following states:
+
+1. **SalePreparing** - Find a matching availability and create a reservation
+2. **SaleSlotReserving** - Reserve the slot on the marketplace
+3. **SaleDownloading** - Stream and persist the slot's data
+4. **SaleInitialProving** - Wait for stable challenge and generate initial proof
+5. **SaleFilling** - Compute collateral and fill the slot
+6. **SaleFilled** - Post-filling operations and expiry updates
+7. **SaleProving** - Generate and submit proofs periodically
+8. **SalePayout** - Free slot and calculate collateral
+9. **SaleFinished** - Terminal success state
+10. **SaleFailed** - Free slot on market and transition to error
+11. **SaleCancelled** - Cancellation path
+12. **SaleIgnored** - Sale ignored (no matching availability or other conditions)
+13. **SaleErrored** - Terminal error state
+14. **SaleUnknown** - Recovery state for crash recovery
+15. **SaleProvingSimulated** - Proving with injected failures for testing
+
+All states move to `SaleErrored` if an error is raised.
+
+##### SalePreparing
+
+- Find a matching availability based on the following criteria: `freeSize`, `duration`, `collateralPerByte`, `minPricePerBytePerSecond` and `until`
+- Create a reservation
+- Move to `SaleSlotReserving` if successful
+- Move to `SaleIgnored` if no availability is found or if `BytesOutOfBoundsError` is raised because of no space available.
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+
+##### SaleSlotReserving
+
+- Check if the slot can be reserved
+- Move to `SaleDownloading` if successful
+- Move to `SaleIgnored` if `SlotReservationNotAllowedError` is raised or the slot cannot be reserved. The collateral is returned.
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+
+##### SaleDownloading
+
+- Select the correct data expiry:
+  - When the request is started, the request end date is used
+  - Otherwise the expiry date is used
+- Stream and persist data via `onStore`
+- For each written batch, release bytes from the reservation
+- Move to `SaleInitialProving` if successful
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+- Move to `SaleFilled` on `SlotFilled` event from the `marketplace`
+
+##### SaleInitialProving
+
+- Wait for a stable initial challenge
+- Produce the initial proof via `onProve`
+- Move to `SaleFilling` if successful
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+
+##### SaleFilling
+
+- Get the slot collateral
+- Fill the slot
+- Move to `SaleFilled` if successful
+- Move to `SaleIgnored` on `SlotStateMismatchError`. The collateral is returned.
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+
+##### SaleFilled
+
+- Ensure that the current host has filled the slot by checking the signer address
+- Notify by calling `onFilled` hook
+- Call `onExpiryUpdate` to change the data expiry from expiry date to request end date
+- Move to `SaleProving` (or `SaleProvingSimulated` for simulated mode)
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+
+##### SaleProving
+
+- For each period: fetch challenge, call `onProve`, and submit proof
+- Move to `SalePayout` when the slot request ends
+- Re-raise `SlotFreedError` when the slot is freed
+- Raise `SlotNotFilledError` when the slot is not filled
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+
+##### SaleProvingSimulated
+
+- Submit invalid proofs every `N` periods (`failEveryNProofs` in configuration) to test failure scenarios
+
+##### SalePayout
+
+- Get the current collateral and try to free the slot to ensure that the slot is freed after payout.
+- Forward the returned collateral to cleanup
+- Move to `SaleFinished` if successful
+- Move to `SaleFailed` on `RequestFailed` event from the `marketplace`
+- Move to `SaleCancelled` on cancelled timer elapsed, set to storage contract expiry
+
+##### SaleFinished
+
+- Call `onClear` hook
+- Call `onCleanUp` hook
+
+##### SaleFailed
+
+- Free the slot
+- Move to `SaleErrored` with the failure message
+
+##### SaleCancelled
+
+- Ensure that the node hosting the slot frees the slot
+- Call `onClear` hook
+- Call `onCleanUp` hook with the current collateral
+
+##### SaleIgnored
+
+- Call `onCleanUp` hook with the current collateral
+
+##### SaleErrored
+
+- Call `onClear` hook
+- Call `onCleanUp` hook
+
+##### SaleUnknown
+
+- Recovery entry: get the `on-chain` state and jump to the appropriate state
+
+#### Slot Queue
+
+Slot queue schedules slot work and instantiates one `SalesAgent` per item with bounded concurrency.
+
+- Accepts `(requestId, slotIndex, …)` items and orders them by priority
+- Spawns one `SalesAgent` for each dequeued item, in other words, one item for one agent
+- Caps concurrent agents to `maxWorkers`
+- Supports pause/resume
+- Allows controlled requeue when an agent finishes with `reprocessSlot`
+
+##### Slot Ordering
+
+The criteria are in the following order:
+
+1) **Unseen before seen** - Items that have not been seen are dequeued first.
+2) **More profitable first** - Higher `profitability` wins. `profitability` is `duration * pricePerSlotPerSecond`.
+3) **Less collateral first** - The item with the smaller `collateral` wins.
+4) **Later expiry first** - If both items carry an `expiry`, the one with the greater timestamp wins.
+
+Within a single request, per-slot items are shuffled before enqueuing so the default slot-index order does not influence priority.
+
+##### Pause / Resume
+
+When the Slot queue processes an item with `seen = true`, it means that the item was already evaluated against the current availabilities and did not match.
+To avoid draining the queue with untenable requests (due to insufficient availability), the queue pauses itself.
+
+The queue resumes when:
+
+- `OnAvailabilitySaved` fires after an availability update that increases one of: `freeSize`, `duration`, `minPricePerBytePerSecond`, or `totalRemainingCollateral`.
+- A new unseen item (`seen = false`) is pushed.
+- `unpause()` is called explicitly.
+
+##### Reprocess
+
+Availability matching occurs in `SalePreparing`.
+If no availability fits at that time, the sale is ignored with `reprocessSlot` to true, meaning that the slot is added back to the queue with the flag `seen` to true.
+
+##### Startup
+
+On `SlotQueue.start()`, the sales module first deletes reservations associated with inactive storage requests, then starts a new `SalesAgent` for each active storage request:
+
+- Fetch the active `on-chain` active slots.
+- Delete the local reservations for slots that are not in the active list.
+- Create a new agent for each slot and assign the `onCleanUp` callback.
+- Start the agent in the `SaleUnknown` state.
+
+#### Main Behaviour
+
+When a new slot request is received, the sales module extracts the pair `(requestId, slotIndex, …)` from the request.
+A `SlotQueueItem` is then created with metadata such as `profitability`, `collateral`, `expiry`, and the `seen` flag set to `false`.
+This item is pushed into the `SlotQueue`, where it will be prioritised according to the ordering rules.
+
+#### SalesAgent
+
+SalesAgent is the instance that executes the state machine for a single slot.
+
+- Executes the sale state machine across the slot lifecycle
+- Holds a `SalesContext` with dependencies and host hooks
+- Supports crash recovery via the `SaleUnknown` state
+- Handles errors by entering `SaleErrored`, which runs cleanup routines
+
+#### SalesContext
+
+SalesContext is a container for dependencies used by all sales.
+
+- Provides external interfaces: `Market` (marketplace) and `Clock`
+- Provides access to `Reservations`
+- Provides host hooks: `onStore`, `onProve`, `onExpiryUpdate`, `onClear`, `onSale`
+- Shares the `SlotQueue` handle for scheduling work
+- Provides configuration such as `simulateProofFailures`
+- Passed to each `SalesAgent`
+
+#### Marketplace Subscriptions
+
+The sales module subscribes to on-chain events to keep the queue and agents consistent.
+
+##### StorageRequested
+
+When the marketplace signals a new request, the sales module:
+
+- Computes collateral for free slots.
+- Creates per-slot `SlotQueueItem` entries (one per `slotIndex`) with `seen = false`.
+- Pushes the items into the `SlotQueue`.
+
+##### SlotFreed
+
+When the marketplace signals a freed slot (needs repair), the sales module:
+
+- Retrieves the request data for the `requestId`.
+- Computes collateral for repair.
+- Creates a `SlotQueueItem`.
+- Pushes the item into the `SlotQueue`.
+
+##### RequestCancelled
+
+When a request is cancelled, the sales module removes all queue items for that `requestId`.
+
+##### RequestFulfilled
+
+When a request is fulfilled, the sales module removes all queue items for that `requestId` and notifies active agents bound to the request.
+
+##### RequestFailed
+
+When a request fails, the sales module removes all queue items for that `requestId` and notifies active agents bound to the request.
+
+##### SlotFilled
+
+When a slot is filled, the sales module removes the queue item for that specific `(requestId, slotIndex)` and notifies the active agent for that slot.
+
+##### SlotReservationsFull
+
+When the marketplace signals that reservations are full, the sales module removes the queue item for that specific `(requestId, slotIndex)`.
+
+#### Reservations
+
+The Reservations module manages both Availabilities and Reservations.
+When an Availability is created, it reserves bytes in the storage module so no other modules can use those bytes.
+Before a dataset for a slot is downloaded, a Reservation is created, and the freeSize of the Availability is reduced.
+When bytes are downloaded, the reservation of those bytes in the storage module is released.
+Accounting of both reserved bytes in the storage module and freeSize in the Availability are cleaned up upon completion of the state machine.
+
+```mermaid
+graph TD
+    A[Availability] -->|creates| R[Reservation]
+    A -->|reserves bytes in| SM[Storage Module]
+    R -->|reduces| AF[Availability.freeSize]
+    R -->|downloads data| D[Dataset]
+    D -->|releases bytes to| SM
+    TC[Terminal State] -->|triggers cleanup| C[Cleanup]
+    C -->|returns bytes to| AF
+    C -->|deletes| R
+    C -->|returns collateral to| A
+```
+
+#### Hooks
+
+- **onStore**: streams data into the node's storage
+- **onProve**: produces proofs for initial and periodic proving
+- **onExpiryUpdate**: notifies the client node of a change in the expiry data
+- **onSale**: notifies that the host is now responsible for the slot
+- **onClear**: notification emitted once the state machine has concluded; used to reconcile Availability bytes and reserved bytes in the storage module
+- **onCleanUp**: cleanup hook called in terminal states to release resources, delete reservations, and return collateral to availabilities
+
+#### Error Handling
+
+- Always catch `CancelledError` from `nim-chronos` and log a trace, exiting gracefully
+- Catch `CatchableError`, log it, and route to `SaleErrored`
+
+#### Cleanup
+
+Cleanup releases resources held by a sales agent and optionally requeues the slot.
+
+- Return reserved bytes to the availability if a reservation exists
+- Delete the reservation and return any remaining collateral
+- If `reprocessSlot` is true, push the slot back into the queue marked as seen
+- Remove the agent from the sales set and track the removal future
+
+#### Resource Management Approach
+
+The nim-codex implementation uses Availabilities and Reservations to manage local storage resources:
+
+##### Reservation Management
+
+- Maintain `Availability` and `Reservation` records locally
+- Match incoming slot requests to available capacity using prioritisation rules
+- Lock capacity and collateral when creating a reservation
+- Release reserved bytes progressively during download and free all remaining resources in terminal states
+
+**Note:** Availabilities and Reservations are completely local to the Storage Provider implementation and are not visible at the protocol level. They provide one approach to managing storage capacity, but other implementations may use different resource management strategies.
+
+---
+
+> **Protocol Compliance Note**: The Storage Provider implementation described above is specific to nim-codex. The only normative requirements for Storage Providers are defined in the [Storage Provider Role](#storage-provider-role) section of Part I. Implementations must satisfy those protocol requirements but may use completely different internal designs.
+
+### Client Implementation
+
+The nim-codex reference implementation provides a complete Client implementation with state machine management for storage request lifecycles. This section documents the nim-codex approach.
+
+The nim-codex implementation uses a state machine pattern to manage purchase lifecycles, providing deterministic state transitions, explicit terminal states, and recovery support. The state machine definitions (state identifiers, transitions, state descriptions, requirements, data models, and interfaces) are documented in the subsections below.
+
+> **Note**: The Purchase module terminology and state machine design are specific to the nim-codex implementation. The protocol only requires that clients interact with the marketplace smart contract as specified in the Client Role section.
+
+#### State Identifiers
+
+- PurchasePending: `pending`
+- PurchaseSubmitted: `submitted`
+- PurchaseStarted: `started`
+- PurchaseFinished: `finished`
+- PurchaseErrored: `errored`
+- PurchaseCancelled: `cancelled`
+- PurchaseFailed: `failed`
+- PurchaseUnknown: `unknown`
+
+#### General Rules for All States
+
+- If a `CancelledError` is raised, the state machine logs the cancellation message and takes no further action.
+- If a `CatchableError` is raised, the state machine moves to `errored` with the error message.
+
+#### State Transitions
+
+```text
+                                                                      |
+                                                                      v
+                                         ------------------------- unknown
+        |                               /                             /
+        v                              v                             /
+     pending ----> submitted ----> started ---------> finished <----/
+                        \              \                           /
+                         \              ------------> failed <----/
+                          \                                      /
+                           --> cancelled <-----------------------
+```
+
+**Note:**
+
+Any state can transition to errored upon a `CatchableError`.
+`failed` is an intermediate state before `errored`.
+`finished`, `cancelled`, and `errored` are terminal states.
+
+#### State Descriptions
+
+**Pending State (`pending`)**
+
+A storage request is being created by making a call `on-chain`. If the storage request creation fails, the state machine moves to the `errored` state with the corresponding error.
+
+**Submitted State (`submitted`)**
+
+The storage request has been created and the purchase waits for the request to start. When it starts, an `on-chain` event `RequestFulfilled` is emitted, triggering the subscription callback, and the state machine moves to the `started` state. If the expiry is reached before the callback is called, the state machine moves to the `cancelled` state.
+
+**Started State (`started`)**
+
+The purchase is active and waits until the end of the request, defined by the storage request parameters, before moving to the `finished` state. A subscription is made to the marketplace to be notified about request failure. If a request failure is notified, the state machine moves to `failed`.
+
+Marketplace subscription signature:
+
+```nim
+method subscribeRequestFailed*(market: Market, requestId: RequestId, callback: OnRequestFailed): Future[Subscription] {.base, async.}
+```
+
+**Finished State (`finished`)**
+
+The purchase is considered successful and cleanup routines are called. The purchase module calls `marketplace.withdrawFunds` to release the funds locked by the marketplace:
+
+```nim
+method withdrawFunds*(market: Market, requestId: RequestId) {.base, async: (raises: [CancelledError, MarketError]).}
+```
+
+After that, the purchase is done; no more states are called and the state machine stops successfully.
+
+**Failed State (`failed`)**
+
+If the marketplace emits a `RequestFailed` event, the state machine moves to the `failed` state and the purchase module calls `marketplace.withdrawFunds` (same signature as above) to release the funds locked by the marketplace. After that, the state machine moves to `errored`.
+
+**Cancelled State (`cancelled`)**
+
+The purchase is cancelled and the purchase module calls `marketplace.withdrawFunds` to release the funds locked by the marketplace (same signature as above). After that, the purchase is terminated; no more states are called and the state machine stops with the reason of failure as error.
+
+**Errored State (`errored`)**
+
+The purchase is terminated; no more states are called and the state machine stops with the reason of failure as error.
+
+**Unknown State (`unknown`)**
+
+The purchase is in recovery mode, meaning that the state has to be determined. The purchase module calls the marketplace to get the request data (`getRequest`) and the request state (`requestState`):
+
+```nim
+method getRequest*(market: Market, id: RequestId): Future[?StorageRequest] {.base, async: (raises: [CancelledError]).}
+
+method requestState*(market: Market, requestId: RequestId): Future[?RequestState] {.base, async.}
+```
+
+Based on this information, it moves to the corresponding next state.
+
+> **Note**: Functional and non-functional requirements for the client role are summarized in the [Codex Marketplace Specification](https://github.com/codex-storage/codex-spec/blob/master/specs/marketplace.md). The requirements listed below are specific to the nim-codex Purchase module implementation.
+
+#### Functional Requirements
+
+##### Purchase Definition
+
+- Every purchase MUST represent exactly one `StorageRequest`
+- The purchase MUST have a unique, deterministic identifier `PurchaseId` derived from `requestId`
+- It MUST be possible to restore any purchase from its `requestId` after a restart
+- A purchase is considered expired when the expiry timestamp in its `StorageRequest` is reached before the request start, i.e, an event `RequestFulfilled` is emitted by the `marketplace`
+
+##### State Machine Progression
+
+- New purchases MUST start in the `pending` state (submission flow)
+- Recovered purchases MUST start in the `unknown` state (recovery flow)
+- The state machine MUST progress step-by-step until a deterministic terminal state is reached
+- The choice of terminal state MUST be based on the `RequestState` returned by the `marketplace`
+
+##### Failure Handling
+
+- On marketplace failure events, the purchase MUST immediately transition to `errored` without retries
+- If a `CancelledError` is raised, the state machine MUST log the cancellation and stop further processing
+- If a `CatchableError` is raised, the state machine MUST transition to `errored` and record the error
+
+#### Non-Functional Requirements
+
+##### Execution Model
+
+A purchase MUST be handled by a single thread; only one worker SHOULD process a given purchase instance at a time.
+
+##### Reliability
+
+`load` supports recovery after process restarts.
+
+##### Performance
+
+State transitions should be non-blocking; all I/O is async.
+
+##### Logging
+
+All state transitions and errors should be clearly logged for traceability.
+
+##### Safety
+
+- Avoid side effects during `new` other than initialising internal fields; `on-chain` interactions are delegated to states using `marketplace` dependency.
+- Retry policy for external calls.
+
+##### Testing
+
+- Unit tests check that each state handles success and error properly.
+- Integration tests check that a full purchase flows correctly through states.
+
+---
+
+> **Protocol Compliance Note**: The Client implementation described above is specific to nim-codex. The only normative requirements for Clients are defined in the [Client Role](#client-role) section of Part I. Implementations must satisfy those protocol requirements but may use completely different internal designs.
+
+---
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+### Normative
+
+- [RFC 2119](https://www.ietf.org/rfc/rfc2119.txt) - Key words for use in RFCs to Indicate Requirement Levels
+- [Reed-Solomon algorithm](https://hackmd.io/FB58eZQoTNm-dnhu0Y1XnA) - Erasure coding algorithm used for data encoding
+- [CIDv1](https://github.com/multiformats/cid#cidv1) - Content Identifier specification
+- [multihash](https://github.com/multiformats/multihash) - Self-describing hashes
+- [Proof-of-Data-Possession](https://hackmd.io/2uRBltuIT7yX0CyczJevYg?view) - Zero-knowledge proof system for storage verification
+- [Original Codex Marketplace Spec](https://github.com/codex-storage/codex-spec/blob/master/specs/marketplace.md) - Source specification for this document
+
+### Informative
+
+- [Codex Implementation](https://github.com/codex-storage/nim-codex) - Reference implementation in Nim
+- [Codex market implementation](https://github.com/codex-storage/nim-codex/blob/master/codex/market.nim) - Marketplace module implementation
+- [Codex Sales Component Spec](https://github.com/codex-storage/codex-docs-obsidian/blob/main/10%20Notes/Specs/Component%20Specification%20-%20Sales.md) - Storage Provider implementation details
+- [Codex Purchase Component Spec](https://github.com/codex-storage/codex-docs-obsidian/blob/main/10%20Notes/Specs/Component%20Specification%20-%20Purchase.md) - Client implementation details
+- [Nim Chronos](https://github.com/status-im/nim-chronos) - Async/await framework for Nim
+- [Storage proof timing design](https://github.com/codex-storage/codex-research/blob/41c4b4409d2092d0a5475aca0f28995034e58d14/design/storage-proof-timing.md) - Proof timing mechanism

nomos/README.md

@@ -1,3 +1,6 @@
-# Nomos Request For Comments(RFC)
+# Nomos RFCs
 
-Nomos is building secure, flexible, and scalable infrastructure for developers creating applications for the network state.
+Nomos is building a secure, flexible, and
+scalable infrastructure for developers creating applications for the network state.
+Published Specifications are currently available here,
+[Nomos Specifications](https://nomos-tech.notion.site/project).

nomos/deprecated/claro.md

@@ -1,17 +1,17 @@
 ---
-slug: 38
-title: 38/CONSENSUS-CLARO
+title: CONSENSUS-CLARO
 name: Claro Consensus Protocol
-status: raw
+status: deprecated
 category: Standards Track
-tags: logos/consensus
+tags:
+  - logos/consensus
 editor: Corey Petty <corey@status.im>
 created: 01-JUL-2022
 revised: <2022-08-26 Fri 13:11Z>
 uri: <https://rdf.logos.co/protocol/Claro/1/0/0#<2022-08-26%20Fri$2013:11Z>
 contributors:
-    - Álvaro Castro-Castilla 
-    - Mark Evenson
+  - Álvaro Castro-Castilla
+  - Mark Evenson
 ---
 
 ## Abstract
@@ -26,33 +26,80 @@ consensus mechanism.  We outline a simple taxonomy of Byzantine
 adversaries, leaving explicit explorations of to subsequent
 publication.
 
-NOTE: We have renamed this variant to `Claro` from `Glacier` in order to disambiguate from a previously released research endeavor by [Amores-Sesar, Cachin, and Tedeschi](https://arxiv.org/pdf/2210.03423.pdf). Their naming was coincidentally named the same as our work but is sufficiently differentiated from how ours works. 
+NOTE: We have renamed this variant to `Claro` from `Glacier`
+in order to disambiguate from a previously released research endeavor by
+[Amores-Sesar, Cachin, and Tedeschi](https://arxiv.org/pdf/2210.03423.pdf).
+Their naming was coincidentally named the same as our work but
+is sufficiently differentiated from how ours works.
 
-## Motivation 
-This work is a part of a larger research endeavor to explore highly scalable Byzantine Fault Tolerant (BFT) consensus protocols. Consensus lies at the heart of many decentralized protocols, and thus its characteristics and properties are inherited by applications built on top. Thus, we seek to improve upon the current state of the art in two main directions: base-layer scalability and censorship resistance. 
+## Motivation
 
-Avalanche has shown to exibit the former in a production environment in a way that is differentiated from Nakamoto consensus and other Proof of Stake (PoS) protocols based in practical Byzantine Fault Tolerant (pBFT) methodologies. We aim to understand its limitations and improve upon them.
+This work is a part of a larger research endeavor to
+explore highly scalable Byzantine Fault Tolerant (BFT) consensus protocols.
+Consensus lies at the heart of many decentralized protocols, and
+thus its characteristics and properties are inherited by applications built on top.
+Thus, we seek to improve upon the current state of the art in two main directions:
+base-layer scalability and censorship resistance.
+
+Avalanche has shown to exibit the former in a production environment in a way
+that is differentiated from Nakamoto consensus and
+other Proof of Stake (PoS) protocols based in practical Byzantine Fault Tolerant
+(pBFT) methodologies.
+We aim to understand its limitations and improve upon them.
 
 ## Background
-Our starting point is Avalanche’s Binary Byzantine Agreement algorithm, called Snowball. As long as modifications allow a DAG to be constructed later on, this simplifies the design significantly. The DAG stays the same in principle: it supports confidence, but the core algorithm can be modeled without.
 
-The concept of the Snowball algorithm is relatively simple. Following is a simplified description (lacking some details, but giving an overview). For further details, please refer to the [Avalanche paper](https://assets.website-files.com/5d80307810123f5ffbb34d6e/6009805681b416f34dcae012_Avalanche%20Consensus%20Whitepaper.pdf).
+Our starting point is Avalanche’s Binary Byzantine Agreement algorithm,
+called Snowball.
+As long as modifications allow a DAG to be constructed later on,
+this simplifies the design significantly.
+The DAG stays the same in principle: it supports confidence,
+but the core algorithm can be modeled without.
 
-1. The objective is to vote yes/no on a decision (this decision could be a single bit, or, in our DAG use case, whether a vertex should be included or not).
-2. Every node has an eventually-consistent complete view of the network. It will select at random k nodes, and will ask their opinion on the decision (yes/no).
-3. After this sampling is finished, if there is a vote that has more than an `alpha` threshold, it accumulates one count for this opinion, as well as changes its opinion to this one. But, if a different opinion is received, the counter is reset to 1. If no threshold `alpha` is reached, the counter is reset to 0 instead.
-4. After several iterations of this algorithm, we will reach a threshold `beta`, and decide on that as final.
+The concept of the Snowball algorithm is relatively simple.
+Following is a simplified description (lacking some details, but giving an overview).
+For further details, please refer to the [Avalanche paper](https://assets.website-files.com/5d80307810123f5ffbb34d6e/6009805681b416f34dcae012_Avalanche%20Consensus%20Whitepaper.pdf).
 
-Next, we will proceed to describe our new algorithm, based on Snowball. 
+1. The objective is to vote yes/no on a decision
+(this decision could be a single bit or,
+in our DAG use case, whether a vertex should be included or not).
+2. Every node has an eventually-consistent complete view of the network.
+It will select at random k nodes, and
+will ask their opinion on the decision (yes/no).
+3. After this sampling is finished,
+if there is a vote that has more than an `alpha` threshold,
+it accumulates one count for this opinion,
+as well as changes its opinion to this one.
+But, if a different opinion is received, the counter is reset to 1.
+If no threshold `alpha` is reached, the counter is reset to 0 instead.
+4. After several iterations of this algorithm,
+we will reach a threshold `beta`, and decide on that as final.
 
-We have identified a shortcoming of the Snowball algorithm that was a perfect starting point for devising improvements. The scenario is as follows:
+Next, we will proceed to describe our new algorithm, based on Snowball.
 
-- There is a powerful adversary in the network, that controls a large percentage of the node population: 10% to ~50%.
-- This adversary follows a strategy that allows them to rapidly change the decision bit (possibly even in a coordinated way) so as to maximally confuse the honest nodes.
-- Under normal conditions, honest nodes will accumulate supermajorities soon enough, and reach the `beta` threshold. However, when an honest node performs a query and does not reach the threshold `alpha` of responses, the counter will be set to 0.
-- The highest threat to Snowball is an adversary that keeps it from reaching the `beta` threshold, managing to continuously reset the counter, and steering Snowball away from making a decision.
+We have identified a shortcoming of the Snowball algorithm
+that was a perfect starting point for devising improvements.
+The scenario is as follows:
 
-This document only outlines the specification to Claro. Subsequent analysis work on Claro (both on its performance and how it differentiates with Snowball) will be published shortly and this document will be updated. 
+- There is a powerful adversary in the network,
+that controls a large percentage of the node population: 10% to ~50%.
+- This adversary follows a strategy that allows them to
+rapidly change the decision bit
+(possibly even in a coordinated way) so as to maximally confuse the honest nodes.
+- Under normal conditions,
+honest nodes will accumulate supermajorities soon enough, and
+reach the `beta` threshold.
+However, when an honest node performs a query and does not reach the threshold
+`alpha` of responses, the counter will be set to 0.
+- The highest threat to Snowball is an adversary
+that keeps it from reaching the `beta` threshold,
+managing to continuously reset the counter, and
+steering Snowball away from making a decision.
+
+This document only outlines the specification to Claro.
+Subsequent analysis work on Claro
+(both on its performance and how it differentiates with Snowball)
+will be published shortly and this document will be updated.
 
 ## Claro Algorithm Specification
 
@@ -63,29 +110,64 @@ finality that provides good reliability for network and Byzantine
 fault tolerance.
 
 ### Algorithmic concept
-Claro is an evolution of the Snowball Byzantine Binary Agreement (BBA) algorithm, in which we tackle specifically the perceived weakness described above. The main focus is going to be the counter and the triggering of the reset. Following, we elaborate the different modifications and features that have been added to the reference algorithm:
 
-1. Instead of allowing the latest evidence to change the opinion completely, we take into account all accumulated evidence, to reduce the impact of high variability when there is already a large amount of evidence collected.
-2. Eliminate the counter and threshold scheme, and introduce instead two regimes of operation:
-    - One focused on grabbing opinions and reacting as soon as possible. This part is somewhat closer conceptually to the reference algorithm.
-    - Another one focused on interpreting the accumulated data instead of reacting to the latest information gathered.
-3. Finally, combine those two phases via a transition function. This avoids the creation of a step function, or a sudden change in behavior that could complicate analysis and understanding of the dynamics. Instead, we can have a single algorithm that transfers weight from one operation to the other as more evidence is gathered.
-4. Additionally, we introduce a function for weighted sampling. This will allow the combination of different forms of weighting:
+Claro is an evolution of the Snowball Byzantine Binary Agreement (BBA) algorithm,
+in which we tackle specifically the perceived weakness described above.
+The main focus is going to be the counter and the triggering of the reset.
+Following, we elaborate the different modifications and
+features that have been added to the reference algorithm:
+
+1. Instead of allowing the latest evidence to change the opinion completely,
+we take into account all accumulated evidence,
+to reduce the impact of high variability when there is already a
+large amount of evidence collected.
+2. Eliminate the counter and threshold scheme,
+and introduce instead two regimes of operation:
+    - One focused on grabbing opinions and reacting as soon as possible.
+    This part is somewhat closer conceptually to the reference algorithm.
+    - Another one focused on interpreting the accumulated data
+    instead of reacting to the latest information gathered.
+3. Finally, combine those two phases via a transition function.
+This avoids the creation of a step function, or
+a sudden change in behavior that could complicate analysis and
+understanding of the dynamics.
+Instead, we can have a single algorithm that transfers weight
+from one operation to the other as more evidence is gathered.
+4. Additionally, we introduce a function for weighted sampling.
+This will allow the combination of different forms of weighting:
     - Staking
     - Heuristic reputation
     - Manual reputation.
 
-It’s worth delving a bit into the way the data is interpreted in order to reach a decision. Our approach is based conceptually on the paper [Confidence as Higher-Order Uncertainty](https://cis.temple.edu/~pwang/Publication/confidence.pdf), which describes a frequentist approach to decision certainty. The first-order certainty, measured by frequency, is caused by known positive evidence, and the higher-order certainty is caused by potential positive evidence. Because confidence is a relative measurement defined on evidence, it naturally follows comparing the amount of evidence the system knows with the amount that it will know in the near future (defining “near” as a constant). 
+It’s worth delving a bit into the way the data is interpreted
+in order to reach a decision.
+Our approach is based conceptually on the paper [Confidence as Higher-Order Uncertainty](https://cis.temple.edu/~pwang/Publication/confidence.pdf),
+which describes a frequentist approach to decision certainty.
+The first-order certainty, measured by frequency,
+is caused by known positive evidence, and
+the higher-order certainty is caused by potential positive evidence.
+Because confidence is a relative measurement defined on evidence,
+it naturally follows comparing the amount of evidence the system knows
+with the amount that it will know in the near future (defining “near” as a constant).
 
-Intuitively, we are looking for a function of evidence, **`w`**, call it **`c`** for confidence, that satisfies the following conditions:
+Intuitively, we are looking for a function of evidence, **`w`**,
+call it **`c`** for confidence, that satisfies the following conditions:
 
-1. Confidence `c` is a continuous and monotonically increasing function of `w`. (More evidence, higher confidence.)
+1. Confidence `c` is a continuous and monotonically increasing function of `w`.
+(More evidence, higher confidence.)
 2. When `w = 0`, `c = 0`. (Without any evidence, confidence is minimum.)
-3. When `w` goes to infinity, `c` converges to 1. (With infinite evidence, confidence is maximum.)
+3. When `w` goes to infinity, `c` converges to 1.
+(With infinite evidence, confidence is maximum.)
 
-The paper describes also a set of operations for the evidence/confidence pairs, so that different sources of knowledge could be combined. However, we leave here the suggestion of a possible research line in the future combining an algebra of evidence/confidence pairs with swarm-propagation algorithm like the one described in [this paper](http://replicated.cc/files/schmebulock.pdf).
+The paper describes also a set of operations for the evidence/confidence pairs,
+so that different sources of knowledge could be combined.
+However, we leave here the suggestion of a possible research line in the future
+combining an algebra of evidence/confidence pairs with
+swarm-propagation algorithm like the one described in
+[this paper](http://replicated.cc/files/schmebulock.pdf).
 
 ### Initial opinion
+
 A proposal is formulated to which consensus of truth or falsity is
 desired.  Each node that participates starts the protocol with an
 opinion on the proposal, represented in the sequel as `NO`, `NONE`,
@@ -97,8 +179,11 @@ compute a justification of the proposal, it sets its opinion to one of
 `YES` or `NO`.  If it cannot form an opinion, it leaves its opinion as
 `NONE`.
 
-For now, we will ignore the proposal dissemination process and assume all nodes participating have an initial opinion to respond to within a given request. Further research will relax this assumption and analyze timing attacks on proposal propagation through the network. 
-
+For now, we will ignore the proposal dissemination process and
+assume all nodes participating have an initial opinion
+to respond to within a given request.
+Further research will relax this assumption and
+analyze timing attacks on proposal propagation through the network.
 
 The node then participates in a number of query rounds in which it
 solicits other node's opinion in query rounds.  Given a set of `N`
@@ -114,6 +199,7 @@ may not have a view on the complete members participating in the
 consensus on a proposal in a given round.
 
 The algorithm is divided into 4 phases:
+
 1. Querying
 2. Computing `confidence`, `evidence`, and `accumulated evidence`
 3. Transition function
@@ -141,7 +227,8 @@ final opinion on the truth of the proposal. -->
 ### Setup Parameters
 
 The node initializes the following integer ratios as constants:
-```
+
+``` markdown
 # The following values are constants chosen with justification from experiments
 # performed with the adversarial models
 
@@ -177,10 +264,10 @@ k_initial
 max_rounds ;; placeholder for simulation work, no justification yet
    <-- 100 
 ```
-      
+
 The following variables are needed to keep the state of Claro:
 
-```
+``` markdown
 ;; current number of nodes to attempt to query in a round
 k 
   <-- k_original
@@ -196,20 +283,20 @@ round
   <-- 0
 ```
 
-
-###  Phase One: Query 
+### Phase One: Query
 
 A node selects `k` nodes randomly from the complete pool of peers in the
 network. This query is can optionally be weighted, so the probability
-of selecting nodes is proportional to their 
+of selecting nodes is proportional to their
 
 Node Weighting
-$$ 
-P(i) = \frac{w_i}{\sum_{j=0}^{j=N} w_j} 
+$$
+P(i) = \frac{w_i}{\sum_{j=0}^{j=N} w_j}
 $$
 
-where `w` is evidence. The list of nodes is maintained by a separate protocol (the network
-layer), and eventual consistency of this knowledge in the network
+where `w` is evidence.
+The list of nodes is maintained by a separate protocol (the network layer),
+and eventual consistency of this knowledge in the network
 suffices. Even if there are slight divergences in the network view
 from different nodes, the algorithm is resilient to those.
 
@@ -244,12 +331,15 @@ nodes queried is too high.
 When the query finishes, the node now initializes the following two
 values:
 
+```markdown
     new_votes 
       <-- |total vote replies received in this round to the current query|
     positive_votes 
       <-- |YES votes received from the query| 
-    
+```
+  
 ### Phase Two: Computation
+
 When the query returns, three ratios are used later on to compute the
 transition function and the opinion forming. Confidence encapsulates
 the notion of how much we know (as a node) in relation to how much we
@@ -270,15 +360,20 @@ $$
 Computation
 $$
 \begin{array}{lc}
-\text{Confidence}                & c_{accum} \impliedby \frac{total\ votes}{total\ votes + l} \newline
-\text{Total accumulated evidence}& e_{accum} \impliedby \frac{total\ positive\ votes}{total\ votes} \newline
-\text{Evidence per round}        & e_{round} \impliedby \frac{round\ positive\ votes}{round\ votes} \newline
+\text{Confidence}                & c_{accum} \impliedby \frac{total\ votes}
+{total\ votes + l} \newline
+\text{Total accumulated evidence}& e_{accum} \impliedby \frac{total\ positive\
+votes}{total\ votes} \newline
+\text{Evidence per round}        & e_{round} \impliedby \frac{round\ positive\
+votes}{round\ votes} \newline
 \end{array}
 $$
 
 The node runs the `new_votes` and `positive_votes` parameters received
 in the query round through the following algorithm:
 
+```markdown
+
     total_votes 
       +== new_votes
     total_positive 
@@ -293,8 +388,10 @@ in the query round through the following algorithm:
       <-- new_evidence * ( 1 - confidence ) + total_evidence * confidence 
     alpha 
       <-- doubt * ( 1 - confidence ) + certainty * confidence 
-    
+```
+
 ### Phase Three: Computation
+
 In order to eliminate the need for a step function (a conditional in
 the code), we introduce a transition function from one regime to the
 other. Our interest in removing the step function is twofold:
@@ -314,9 +411,9 @@ $$
 \begin{array}{cl}
 evidence & \impliedby e_{round} (1 - c_{accum}) + e_{accum} c_{accum} \newline
 \alpha &  \impliedby \alpha_1 (1 - c_{accum}) + \alpha_2 c_{accum} \newline
-\end{array} 
+\end{array}
 $$
-    
+
 Since the confidence is modeled as a ratio that depends on the
 constant *`l`*, we can visualize the transition function at
 different values of *`l`*. Recall that this constant encapsulates
@@ -327,11 +424,11 @@ valuable input of evidence to happen.
 We have observed via experiment that for a transition function to be
 useful, we need establish two requirements:
 
-1.  The change has to be balanced and smooth, giving an
+1. The change has to be balanced and smooth, giving an
     opportunity to the first regime to operate and not jump directly
     to the second regime.
 
-2.  The convergence to 1.0 (fully operating in the second regime)
+2. The convergence to 1.0 (fully operating in the second regime)
     should happen within a reasonable time-frame. We’ve set this
     time-frame experimentally at 1000 votes, which is in the order of
     ~100 queries given a *`k`* of 9.
@@ -344,6 +441,7 @@ The node updates its local opinion on the consensus proposal by
 examining the relationship between the evidence accumulated for a
 proposal with the confidence encoded in the `alpha` parameter:
 
+```php
     IF
       evidence > alpha
     THEN 
@@ -352,12 +450,15 @@ proposal with the confidence encoded in the `alpha` parameter:
       evidence < 1 - alpha
     THEN 
       opinion <-- NO
-       
+```
+
 If the opinion of the node is `NONE` after evaluating the relation
 between `evidence` and `alpha`, adjust the number of uniform randomly
 queried nodes by multiplying the neighbors `k` by the `k_multiplier`
 up to the limit of `k_max_multiplier_power` query size increases.
-    
+
+```php
+
     ;; possibly increase number nodes to uniformly randomly query in next round
     WHEN
          opinion is NONE
@@ -365,8 +466,10 @@ up to the limit of `k_max_multiplier_power` query size increases.
          k < k_original * k_multiplier ^ max_k_multiplier_power
     THEN 
        k <-- k * k_multiplier
+```
+
+### Decision
 
-###  Decision 
 The next step is a simple one: change our opinion if the threshold
 *`alpha`* is reached. This needs to be done separately for the `YES/NO`
 decision, checking both boundaries. The last step is then to *`decide`*
@@ -389,7 +492,9 @@ network size and directly related to the total votes received, an
 honest node marks the decision as final, and always returns this
 opinion is response to further queries from other nodes on the
 network.
- 
+
+```php
+
     IF 
       confidence > confidence_threshold
     OR 
@@ -400,27 +505,27 @@ network.
     ELSE 
       round +== 1
       QUERY LOOP CONTINUES
+```
 
 Thus, after the decision phase, either a decision has been finalized
 and the local node becomes quiescent never initiating a new query, or
-it initiates a [new query](#query).
+it initiates a [new query](query).
 
 ### Termination
 
 A local round of Claro terminates in one of the following
 execution model considerations:
 
-
-1.  No queries are received for any newly initiated round for temporal
+1. No queries are received for any newly initiated round for temporal
     periods observed via a locally computed passage of time.  See [the
     following point on local time](#clock).
 
-2.  The `confidence` on the proposal exceeds our threshold for
+2. The `confidence` on the proposal exceeds our threshold for
     finalization.
-    
-3.  The number of `rounds` executed would be greater than
-    `max_rounds`. 
-    
+
+3. The number of `rounds` executed would be greater than
+    `max_rounds`.
+
 #### Quiescence
 
 After a local node has finalized an `opinion` into a `decision`, it enters a quiescent
@@ -438,6 +543,7 @@ of a phase locked-loop feedback to measure local clock drift see
 ## Further points
 
 ### Node receives information during round
+
 In the query step, the node is envisioned as packing information into
 the query to cut down on the communication overhead a query to each of
 this `k` nodes containing the node's own current opinion on the
@@ -448,24 +554,27 @@ active round, and discard the information if the node is in a
 quiescent state.
 
 #### Problems with Weighting Node Value of Opinions
+
 If the view of other nodes is incomplete, then the sum of the optional
 weighting will not be a probability distribution normalized to 1.
 
 The current algorithm doesn't describe how the initial opinions are formed.
 
 ## Implementation status
-The following implementations have been created for various testing and simulation purposes:
-- [Rust](https://github.com/logos-co/consensus-research)
-- [Python]() - FILL THIS IN WITH NEWLY CREATED REPO
-- [Common Lisp]() - FILL THIS IN WITH NEWLY CREATED REPO
 
-## Wire Protocol 
+The following implementations have been created for various testing and
+simulation purposes:
+
+- [Rust](https://github.com/logos-co/consensus-research)
+- [Python](none) - FILL THIS IN WITH NEWLY CREATED REPO
+- [Common Lisp](none) - FILL THIS IN WITH NEWLY CREATED REPO
+
+## Wire Protocol
 
 For interoperability we present a wire protocol semantics by requiring
 the validity of the following statements expressed in Notation3 (aka
 `n3`) about any query performed by a query node:
 
-
 ```n3
 @prefix rdf:         <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
 @prefix rdfs:        <http://www.w3.org/2000/01/rdf-schema#> .
@@ -515,18 +624,17 @@ canonical mapping to UTF-8 JSON.
 At their core, the query messages are a simple enumeration of the
 three possible values of the opinion:
 
-    { NO, NONE, YES }
+> { NO, NONE, YES }
 
-When represented via integers, such as choosing 
- 
-     { -1, 0, +1 }
+When represented via integers, such as choosing
+
+> { -1, 0, +1 }
 
 the parity summations across network invariants often become easier to
 manipulate.
 
 ## Security Considerations
 
-
 ### Privacy
 
 In practice, each honest node gossips its current opinion which
@@ -534,7 +642,7 @@ reduces the number of messages that need to be gossiped for a given
 proposal.  The resulting impact on the privacy of the node's opinion
 is not currently analyzed.
 
-### Security with respect to various Adversarial Models 
+### Security with respect to various Adversarial Models
 
 Adversarial models have been tested for which the values for current
 parameters of Claro have been tuned.  Exposition of the
@@ -585,7 +693,7 @@ Although we have proposed a normative description of the
 implementation of the underlying binary consensus algorithm (Claro),
 we believe we have prepared for analysis its adversarial performance
 in a manner that is amenable to replacement by another member of the
-[snow*](#snow*) family.
+[snow*](snow) family.
 
 We have presumed the existence of a general family of algorithms that
 can be counted on to vote on nodes in the DAG in a fair manner.
@@ -594,7 +702,7 @@ transactions.  One can express all state machine, i.e. account-based
 models as checkpoints anchored in UTXO trust, so we believe that this
 presupposition has some justification.  We can envision a need for
 tooling abstraction that allow one to just program the DAG itself, as
-they should be of stable interest no matter if Claro isn't. 
+they should be of stable interest no matter if Claro isn't.
 
 ## Informative References
 
@@ -607,15 +715,15 @@ they should be of stable interest no matter if Claro isn't.
 
 3. [snow*](<https://www.avalabs.org/whitepapers>) The Snow family of
    algorithms
-   
+
 4. [Move](<https://cloud.google.com/composer/docs/how-to/using/writing-dags>)
-    Move: a Language for Writing DAG Abstractions 
+    Move: a Language for Writing DAG Abstractions
 
 5. [rdf](<http://www.w3.org/1999/02/22-rdf-syntax-ns#>)
 
 6. [rdfs](<http://www.w3.org/2000/01/rdf-schema#>)
 
-7. [xsd](<http://www.w3.org/2001/XMLSchema#>) 
+7. [xsd](<http://www.w3.org/2001/XMLSchema#>)
 
 8. [n3-w3c-notes](<https://www.w3.org/TeamSubmission/n3/>)
 
@@ -632,4 +740,4 @@ they should be of stable interest no matter if Claro isn't.
 ## Copyright
 
 Copyright and related rights waived via
-[CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+[CC0](https://creativecommons.org/public)

nomos/raw/nomosda-encoding.md

@@ -0,0 +1,170 @@
+--- 
+title: NOMOSDA-ENCODING
+name: NomosDA Encoding Protocol 
+status: raw
+category: 
+tags: data-availability
+editor: Daniel Sanchez-Quiros <danielsq@status.im>
+contributors:
+- Daniel Kashepava <danielkashepava@status.im>
+- Álvaro Castro-Castilla <alvaro@status.im>
+- Filip Dimitrijevic <filip@status.im>
+- Thomas Lavaur <thomaslavaur@status.im>
+- Mehmet Gonen <mehmet@status.im>
+---
+
+## Introduction
+
+This document describes the encoding and verification processes of NomosDA, which is the data availability (DA) solution used by the Nomos blockchain. NomosDA provides an assurance that all data from Nomos blobs are accessible and verifiable by every network participant.
+
+This document presents an implementation specification describing how:
+
+- Encoders encode blobs they want to upload to the Data Availability layer.
+- Other nodes implement the verification of blobs that were already uploaded to DA.
+
+## Definitions
+
+- **Encoder**: An encoder is any actor who performs the encoding process described in this document. This involves committing to the data, generating proofs, and submitting the result to the DA layer.
+
+    In the Nomos architecture, the rollup sequencer typically acts as the encoder, but the role is not exclusive and any actor in the DA layer can also act as encoders.
+- **Verifier**: Verifies its portion of the distributed blob data as per the verification protocol. In the Nomos architecture, the DA nodes act as the verifiers.
+
+## Overview
+
+In the encoding stage, the encoder takes the DA parameters and the padded blob data and creates an initial matrix of data chunks. This matrix is expanded using Reed-Solomon coding and various commitments and proofs are created for the data.
+
+When a verifier receives a sample, it verifies the data it receives from the encoder and broadcasts the information if the data is verified. Finally, the verifier stores the sample data for the required length of time.
+
+## Construction
+
+The encoder and verifier use the [NomosDA cryptographic protocol](https://www.notion.so/NomosDA-Cryptographic-Protocol-1fd261aa09df816fa97ac81304732e77?pvs=21) to carry out their respective functions. These functions are implemented as abstracted and configurable software entities that allow the original data to be encoded and verified via high-level operations.
+
+### Glossary
+
+| Name | Description | Representation |
+| --- | --- | --- |
+| `Commitment` | Commitment as per the [NomosDA Cryptographic Protocol](https://www.notion.so/NomosDA-Cryptographic-Protocol-1fd261aa09df816fa97ac81304732e77?pvs=21) | `bytes` |
+| `Proof` | Proof as per the [NomosDA Cryptographic Protocol](https://www.notion.so/NomosDA-Cryptographic-Protocol-1fd261aa09df816fa97ac81304732e77?pvs=21) | `bytes` |
+| `ChunksMatrix` | Matrix of chunked data. Each chunk is **31 bytes.** Row and Column sizes depend on the encoding necessities. | `List[List[bytes]]` |
+
+### Encoder
+
+An encoder takes a set of parameters and the blob data, and creates a matrix of chunks that it uses to compute the necessary cryptographic data. It produces the set of Reed-Solomon (RS) encoded data, the commitments, and the proofs that are needed prior to [dispersal](https://www.notion.so/NomosDA-Dispersal-1fd261aa09df815288c9caf45ed72c95?pvs=21).
+
+```mermaid
+flowchart LR
+    A[DaEncoderParams] -->|Input| B(Encoder)
+    I[31bytes-padded-input] -->|Input| B
+    B -->|Creates| D[Chunks matrix]
+    D --> |Input| C[NomosDA encoding]
+    C --> E{Encoded data📄}
+```
+
+#### Encoding Process
+
+The encoder executes the encoding process as follows:
+
+1. The encoder takes the following input parameters:
+
+    ```python
+    class DAEncoderParams:
+        column_count: usize
+        bytes_per_field_element: usize
+    ```
+
+    | Name | Description | Representation |
+    | --- | --- | --- |
+    | `column_count` | The number of subnets available for dispersal in the system | `usize`, `int` in Python |
+    | `bytes_per_field_element` | The amount of bytes per data chunk. This is set to 31 bytes. Each chunk has 31 bytes rather than 32 to ensure that the chunk value does not exceed the maximum value on the [BLS12-381 elliptic curve](https://electriccoin.co/blog/new-snark-curve/). | `usize`, `int` in Python |
+
+2. The encoder also includes the blob data to be encoded, which must be of a size that is a multiple of `bytes_per_field_element` bytes. Clients are responsible for padding the data so it fits this constraint.
+3. The encoder splits the data into `bytes_per_field_element`-sized chunks. It also arranges these chunks into rows and columns, creating a matrix.
+    a. The amount of columns of the matrix needs to fit with the `column_count` parameter, taking into account the `rs_expansion_factor` (currently fixed to 2).
+        i. This means that the size of each row in this matrix is `(bytes_per_field_element*column_count)/rs_expansion_factor`.
+    b. The amount of rows depends on the size of the data.
+4. The data is encoded as per [the cryptographic details](https://www.notion.so/NomosDA-Cryptographic-Protocol-1fd261aa09df816fa97ac81304732e77?pvs=21).
+5. The encoder provides the encoded data set:
+
+    | Name | Description | Representation |
+    | --- | --- | --- |
+    | `data` | Original data | `bytes` |
+    | `chunked_data` | Matrix before RS expansion | `ChunksMatrix` |
+    | `extended_matrix` | Matrix after RS expansion | `ChunksMatrix` |
+    | `row_commitments` | Commitments for each matrix row | `List[Commitment]` |
+    | `combined_column_proofs` | Proofs for each matrix column | `List[Proof]` |
+
+    ```python
+    class EncodedData:
+        data: bytes
+        chunked_data: ChunksMatrix
+        extended_matrix: ChunksMatrix
+        row_commitments: List[Commitment]
+        combined_column_proofs: List[Proof]
+    ```
+
+#### Encoder Limits
+
+NomosDA does not impose a fixed limit on blob size at the encoding level. However, protocols that involve resource-intensive operations must include upper bounds to prevent abuse. In the case of NomosDA, blob size limits are expected to be enforced, as part of the protocol's broader responsibility for resource management and fairness.
+
+Larger blobs naturally result in higher computational and bandwidth costs, particularly for the encoder, who must compute a proof for each column. Without size limits, malicious clients could exploit the system by attempting to stream unbounded data to DA nodes. Since payment is provided before blob dispersal, DA nodes are protected from performing unnecessary work. This enables the protocol to safely accept very large blobs, as the primary computational cost falls on the encoder. The protocol can accommodate generous blob sizes in practice, while rejecting only absurdly large blobs, such as those exceeding 1 GB, to prevent denial-of-service attacks and ensure network stability.
+
+To mitigate this, the protocol define acceptable blob size limits, and DA implementations enforce local mitigation strategies, such as flagging or blacklisting clients that violate these constraints.
+
+### Verifier
+
+A verifier checks the proper encoding of data blobs it receives. A verifier executes the verification process as follows:
+
+1. The verifier receives a `DAShare` with the required verification data:
+
+    | Name | Description | Representation |
+    | --- | --- | --- |
+    | `column` | Column chunks (31 bytes) from the encoded matrix | `List[bytes]` |
+    | `column_idx` | Column id (`0..2047`). It is directly related to the `subnetworks` in the [network specification](https://www.notion.so/NomosDA-Network-Specification-1fd261aa09df81188e76cb083791252d?pvs=21). | `u16`, unsigned int of 16 bits. `int` in Python |
+    | `combined_column_proof` | Proof of the random linear combination of the column elements. | `Proof` |
+    | `row_commitments` | Commitments for each matrix row | `List[Commitment]` |
+    | `blob_id` | This is computed as the hash (**blake2b**) of `row_commitments` | `bytes` |
+
+2. Upon receiving the above data it verifies the column data as per the [cryptographic details](https://www.notion.so/NomosDA-Cryptographic-Protocol-1fd261aa09df816fa97ac81304732e77?pvs=21). If the verification is successful, the node triggers the [replication protocol](https://www.notion.so/NomosDA-Subnetwork-Replication-1fd261aa09df811d93f8c6280136bfbb?pvs=21) and stores the blob.
+
+    ```python
+    class DAShare:
+        column: Column
+        column_idx: u16
+        combined_column_proof: Proof
+        row_commitments: List[Commitment]
+
+        def blob_id(self) -> BlobId:
+            hasher = blake2b(digest_size=32)
+            for c in self.row_commitments:
+                hasher.update(bytes(c))
+            return hasher.digest()
+    ```
+
+### Verification Logic
+
+```mermaid
+sequenceDiagram
+    participant N as Node
+    participant S as Subnetwork Column N
+    loop For each incoming blob column
+        N-->>N: If blob is valid
+        N-->>S: Replication
+        N->>N: Stores blob
+    end
+```
+
+## Details
+
+The encoder and verifier processes described above make use of a variety of cryptographic functions to facilitate the correct verification of column data by verifiers. These functions rely on primitives such as polynomial commitments and Reed-Solomon erasure codes, the details of which are outside the scope of this document. These details, as well as introductions to the cryptographic primitives being used, can be found in the NomosDA Cryptographic Protocol:
+
+[NomosDA Cryptographic Protocol](https://www.notion.so/NomosDA-Cryptographic-Protocol-1fd261aa09df816fa97ac81304732e77?pvs=21)
+
+## References
+
+- Encoder Specification: [GitHub/encoder.py](https://github.com/logos-co/nomos-specs/blob/master/da/encoder.py)
+- Verifier Specification: [GitHub/verifier.py](https://github.com/logos-co/nomos-specs/blob/master/da/verifier.py)
+- Cryptographic protocol: [NomosDA Cryptographic Protocol](https://www.notion.so/NomosDA-Cryptographic-Protocol-1fd261aa09df816fa97ac81304732e77?pvs=21)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

nomos/raw/nomosda-network.md

@@ -0,0 +1,255 @@
+---
+title: NOMOS-DA-NETWORK
+name: NomosDA Network
+status: raw
+category:
+tags: network, data-availability, da-nodes, executors, sampling
+editor: Daniel Sanchez Quiros <danielsq@status.im>
+contributors:
+- Álvaro Castro-Castilla <alvaro@status.im>
+- Daniel Kashepava <danielkashepava@status.im>
+- Gusto Bacvinka <augustinas@status.im>
+- Filip Dimitrijevic <filip@status.im>
+---
+
+## Introduction
+
+NomosDA is the scalability solution protocol for data availability within the Nomos network.
+This document delineates the protocol's structure at the network level,
+identifies participants,
+and describes the interactions among its components.  
+Please note that this document does not delve into the cryptographic aspects of the design.
+For comprehensive details on the cryptographic operations,
+a detailed specification is a work in progress.
+
+## Objectives
+
+NomosDA was created to ensure that data from Nomos zones is distributed, verifiable, immutable, and accessible.
+At the same time, it is optimised for the following properties:
+
+- **Decentralization**: NomosDA’s data availability guarantees must be achieved with minimal trust assumptions
+and centralised actors. Therefore,
+permissioned DA schemes involving a Data Availability Committee (DAC) had to be avoided in the design.
+Schemes that require some nodes to download the entire blob data were also off the list
+due to the disproportionate role played by these “supernodes”.
+
+- **Scalability**: NomosDA is intended to be a bandwidth-scalable protocol, ensuring that its functions are maintained as the Nomos network grows. Therefore, NomosDA was designed to minimise the amount of data sent to participants, reducing the communication bottleneck and allowing more parties to participate in the DA process.
+
+To achieve the above properties, NomosDA splits up zone data and
+distributes it among network participants,
+with cryptographic properties used to verify the data’s integrity.
+A major feature of this design is that parties who wish to receive an assurance of data availability
+can do so very quickly and with minimal hardware requirements.
+However, this comes at the cost of additional complexity and resources required by more integral participants.
+
+## Requirements
+
+In order to ensure that the above objectives are met,
+the NomosDA network requires a group of participants
+that undertake a greater burden in terms of active involvement in the protocol.
+Recognising that not all node operators can do so,
+NomosDA assigns different roles to different kinds of participants,
+depending on their ability and willingness to contribute more computing power
+and bandwidth to the protocol.
+It was therefore necessary for NomosDA to be implemented as an opt-in Service Network.
+
+Because the NomosDA network has an arbitrary amount of participants,
+and the data is split into a fixed number of portions (see the [Encoding & Verification Specification](https://www.notion.so/NomosDA-Encoding-Verification-4d8ca269e96d4fdcb05abc70426c5e7c)),
+it was necessary to define exactly how each portion is assigned to a participant who will receive and verify it.
+This assignment algorithm must also be flexible enough to ensure smooth operation in a variety of scenarios,
+including where there are more or fewer participants than the number of portions.
+
+## Overview
+
+### Network Participants
+
+The NomosDA network includes three categories of participants:
+
+- **Executors**: Tasked with the encoding and dispersal of data blobs.  
+- **DA Nodes**: Receive and verify the encoded data,
+subsequently temporarily storing it for further network validation through sampling.  
+- **Light Nodes**: Employ sampling to ascertain data availability.
+
+### Network Distribution
+
+The NomosDA network is segmented into `num_subnets` subnetworks.
+These subnetworks represent subsets of peers from the overarching network,
+each responsible for a distinct portion of the distributed encoded data.
+Peers in the network may engage in one or multiple subnetworks,
+contingent upon network size and participant count.
+
+### Sub-protocols
+
+The NomosDA protocol consists of the following sub-protocols:
+
+- **Dispersal**: Describes how executors distribute encoded data blobs to subnetworks.
+[NomosDA Dispersal](https://www.notion.so/NomosDA-Dispersal-1818f96fb65c805ca257cb14798f24d4?pvs=21)
+- **Replication**: Defines how DA nodes distribute encoded data blobs within subnetworks.
+[NomosDA Subnetwork Replication](https://www.notion.so/NomosDA-Subnetwork-Replication-1818f96fb65c80119fa0e958a087cc2b?pvs=21)
+- **Sampling**: Used by sampling clients (e.g., light clients) to verify the availability of previously dispersed
+and replicated data.
+[NomosDA Sampling](https://www.notion.so/NomosDA-Sampling-1538f96fb65c8031a44cf7305d271779?pvs=21)
+- **Reconstruction**: Describes gathering and decoding dispersed data back into its original form.
+[NomosDA Reconstruction](https://www.notion.so/NomosDA-Reconstruction-1828f96fb65c80b2bbb9f4c5a0cf26a5?pvs=21)
+- **Indexing**: Tracks and exposes blob metadata on-chain.
+[NomosDA Indexing](https://www.notion.so/NomosDA-Indexing-1bb8f96fb65c8044b635da9df20c2411?pvs=21)
+
+## Construction
+
+### NomosDA Network Registration
+
+Entities wishing to participate in NomosDA must declare their role via [SDP](https://www.notion.so/Final-Draft-Validator-Role-Protocol-17b8f96fb65c80c69c2ef55e22e29506) (Service Declaration Protocol).
+Once declared, they're accounted for in the subnetwork construction.
+
+This enables participation in:
+
+- Dispersal (as executor)
+- Replication & sampling (as DA node)
+- Sampling (as light node)
+
+### Subnetwork Assignment
+
+The NomosDA network comprises `num_subnets` subnetworks,
+which are virtual in nature.
+A subnetwork is a subset of peers grouped together so nodes know who they should connect with,
+serving as groupings of peers tasked with executing the dispersal and replication sub-protocols.
+In each subnetwork, participants establish a fully connected overlay,
+ensuring all nodes maintain permanent connections for the lifetime of the SDP set
+with peers within the same subnetwork.
+Nodes refer to nodes in the Data Availability SDP set to ascertain their connectivity requirements across subnetworks.
+
+#### Assignment Algorithm
+
+The concrete distribution algorithm is described in the following specification:
+[DA Subnetwork Assignation](https://www.notion.so/DA-Subnetwork-Assignation-217261aa09df80fc8bb9cf46092741ce)
+
+## Executor Connections
+
+Each executor maintains a connection with one peer per subnetwork,
+necessitating at least num_subnets stable and healthy connections.
+Executors are expected to allocate adequate resources to sustain these connections.
+An example algorithm for peer selection would be:
+
+```python
+def select_peers(
+    subnetworks: Sequence[Set[PeerId]],
+    filtered_subnetworks: Set[int],
+    filtered_peers: Set[PeerId]
+) -> Set[PeerId]:
+    result = set()
+    for i, subnetwork in enumerate(subnetworks):
+        available_peers = subnetwork - filtered_peers
+        if i not in filtered_subnetworks and available_peers:
+            result.add(next(iter(available_peers)))
+    return result
+```
+
+## NomosDA Protocol Steps
+
+### Dispersal
+
+1. The NomosDA protocol is initiated by executors
+who perform data encoding as outlined in the [Encoding Specification](https://www.notion.so/NomosDA-Encoding-Verification-4d8ca269e96d4fdcb05abc70426c5e7c).
+2. Executors prepare and distribute each encoded data portion
+to its designated subnetwork (from `0` to `num_subnets - 1` ).
+3. Executors might opt to perform sampling to confirm successful dispersal.
+4. Post-dispersal, executors publish the dispersed `blob_id` and metadata to the mempool. <!-- TODO: add link to dispersal document-->
+
+### Replication
+
+DA nodes receive columns from dispersal or replication
+and validate the data encoding.
+Upon successful validation,
+they replicate the validated column to connected peers within their subnetwork.
+Replication occurs once per blob; subsequent validations of the same blob are discarded.
+
+### Sampling
+
+1. Sampling is [invoked based on the node's current role](https://www.notion.so/1538f96fb65c8031a44cf7305d271779?pvs=25#15e8f96fb65c8006b9d7f12ffdd9a159).
+2. The node selects `sample_size` random subnetworks
+and queries each for the availability of the corresponding column for the sampled blob. Sampling is deemed successful only if all queried subnetworks respond affirmatively.
+
+- If `num_subnets` is 2048, `sample_size` is [20 as per the sampling research](https://www.notion.so/1708f96fb65c80a08c97d728cb8476c3?pvs=25#1708f96fb65c80bab6f9c6a946940078)
+
+```mermaid
+sequenceDiagram
+    SamplingClient ->> DANode_1: Request
+    DANode_1 -->> SamplingClient: Response
+    SamplingClient ->>DANode_2: Request
+    DANode_2 -->> SamplingClient: Response
+    SamplingClient ->> DANode_n: Request
+    DANode_n -->> SamplingClient: Response
+```
+
+### Network Schematics
+
+The overall network and protocol interactions is represented by the following diagram
+
+```mermaid
+flowchart TD
+subgraph Replication
+    subgraph Subnetwork_N
+        N10 -->|Replicate| N20
+        N20 -->|Replicate| N30
+        N30 -->|Replicate| N10
+    end
+    subgraph ...
+    end
+    subgraph Subnetwork_0
+        N1 -->|Replicate| N2
+        N2 -->|Replicate| N3
+        N3 -->|Replicate| N1
+    end
+end
+subgraph Sampling
+    N9 -->|Sample 0| N2
+    N9 -->|Sample S| N20
+end
+subgraph Dispersal
+    Executor -->|Disperse| N1
+    Executor -->|Disperse| N10
+end
+```
+
+## Details
+
+### Network specifics
+
+The NomosDA network is engineered for connection efficiency.
+Executors manage numerous open connections,
+utilizing their resource capabilities.
+DA nodes, with their resource constraints,
+are designed to maximize connection reuse.
+
+NomosDA uses [multiplexed](https://docs.libp2p.io/concepts/transports/quic/#quic-native-multiplexing) streams over [QUIC](https://docs.libp2p.io/concepts/transports/quic/) connections.
+For each sub-protocol, a stream protocol ID is defined to negotiate the protocol,
+triggering the specific protocol once established:
+
+- Dispersal: /nomos/da/{version}/dispersal
+- Replication: /nomos/da/{version}/replication
+- Sampling: /nomos/da/{version}/sampling
+
+Through these multiplexed streams,
+DA nodes can utilize the same connection for all sub-protocols.
+This, combined with virtual subnetworks (membership sets),
+ensures the overlay node distribution is scalable for networks of any size.
+
+## References
+
+- [Encoding Specification](https://www.notion.so/NomosDA-Encoding-Verification-4d8ca269e96d4fdcb05abc70426c5e7c)
+- [Encoding & Verification Specification](https://www.notion.so/NomosDA-Encoding-Verification-4d8ca269e96d4fdcb05abc70426c5e7c)
+- [NomosDA Dispersal](https://www.notion.so/NomosDA-Dispersal-1818f96fb65c805ca257cb14798f24d4?pvs=21)
+- [NomosDA Subnetwork Replication](https://www.notion.so/NomosDA-Subnetwork-Replication-1818f96fb65c80119fa0e958a087cc2b?pvs=21)
+- [DA Subnetwork Assignation](https://www.notion.so/DA-Subnetwork-Assignation-217261aa09df80fc8bb9cf46092741ce)
+- [NomosDA Sampling](https://www.notion.so/NomosDA-Sampling-1538f96fb65c8031a44cf7305d271779?pvs=21)
+- [NomosDA Reconstruction](https://www.notion.so/NomosDA-Reconstruction-1828f96fb65c80b2bbb9f4c5a0cf26a5?pvs=21)
+- [NomosDA Indexing](https://www.notion.so/NomosDA-Indexing-1bb8f96fb65c8044b635da9df20c2411?pvs=21)
+- [SDP](https://www.notion.so/Final-Draft-Validator-Role-Protocol-17b8f96fb65c80c69c2ef55e22e29506)
+- [invoked based on the node's current role](https://www.notion.so/1538f96fb65c8031a44cf7305d271779?pvs=25#15e8f96fb65c8006b9d7f12ffdd9a159)
+- [20 as per the sampling research](https://www.notion.so/1708f96fb65c80a08c97d728cb8476c3?pvs=25#1708f96fb65c80bab6f9c6a946940078)
+- [multiplexed](https://docs.libp2p.io/concepts/transports/quic/#quic-native-multiplexing)
+- [QUIC](https://docs.libp2p.io/concepts/transports/quic/)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

nomos/raw/p2p-hardware-requirements.md

@@ -0,0 +1,236 @@
+---
+title: P2P-HARDWARE-REQUIREMENTS
+name: Nomos p2p Network Hardware Requirements Specification
+status: raw
+category: infrastructure
+tags: [hardware, requirements, nodes, validators, services]
+editor: Daniel Sanchez-Quiros <danielsq@status.im>
+contributors:
+- Filip Dimitrijevic <filip@status.im>
+---
+
+## Abstract
+
+This specification defines the hardware requirements for running various types of Nomos blockchain nodes. Hardware needs vary significantly based on the node's role, from lightweight verification nodes to high-performance Zone Executors. The requirements are designed to support diverse participation levels while ensuring network security and performance.
+
+## Motivation
+
+The Nomos network is designed to be inclusive and accessible across a wide range of hardware configurations. By defining clear hardware requirements for different node types, we enable:
+
+1. **Inclusive Participation**: Allow users with limited resources to participate as Light Nodes
+2. **Scalable Infrastructure**: Support varying levels of network participation based on available resources
+3. **Performance Optimization**: Ensure adequate resources for computationally intensive operations
+4. **Network Security**: Maintain network integrity through properly resourced validator nodes
+5. **Service Quality**: Define requirements for optional services that enhance network functionality
+
+**Important Notice**: These hardware requirements are preliminary and subject to revision based on implementation testing and real-world network performance data.
+
+## Specification
+
+### Node Types Overview
+
+Hardware requirements vary based on the node's role and services:
+
+- **Light Node**: Minimal verification with minimal resources
+- **Basic Bedrock Node**: Standard validation participation
+- **Service Nodes**: Enhanced capabilities for optional network services
+
+### Light Node
+
+Light Nodes provide network verification with minimal resource requirements, suitable for resource-constrained environments.
+
+**Target Use Cases:**
+
+- Mobile devices and smartphones
+- Single-board computers (Raspberry Pi, etc.)
+- IoT devices with network connectivity
+- Users with limited hardware resources
+
+**Hardware Requirements:**
+
+| Component | Specification |
+|-----------|---------------|
+| **CPU** | Low-power processor (smartphone/SBC capable) |
+| **Memory (RAM)** | 512 MB |
+| **Storage** | Minimal (few GB) |
+| **Network** | Reliable connection, 1 Mbps free bandwidth |
+
+### Basic Bedrock Node (Validator)
+
+Basic validators participate in Bedrock consensus using typical consumer hardware.
+
+**Target Use Cases:**
+
+- Individual validators on consumer hardware
+- Small-scale validation operations
+- Entry-level network participation
+
+**Hardware Requirements:**
+
+| Component | Specification |
+|-----------|---------------|
+| **CPU** | 2 cores, 2 GHz modern multi-core processor |
+| **Memory (RAM)** | 1 GB minimum |
+| **Storage** | SSD with 100+ GB free space, expandable |
+| **Network** | Reliable connection, 1 Mbps free bandwidth |
+
+### Service-Specific Requirements
+
+Nodes can optionally run additional Bedrock Services that require enhanced resources beyond basic validation.
+
+#### Data Availability (DA) Service
+
+DA Service nodes store and serve data shares for the network's data availability layer.
+
+**Service Role:**
+
+- Store blockchain data and blob data long-term
+- Serve data shares to requesting nodes
+- Maintain high availability for data retrieval
+
+**Additional Requirements:**
+
+| Component | Specification | Rationale |
+|-----------|---------------|-----------|
+| **CPU** | Same as Basic Bedrock Node | Standard processing needs |
+| **Memory (RAM)** | Same as Basic Bedrock Node | Standard memory needs |
+| **Storage** | **Fast SSD, 500+ GB free** | Long-term chain and blob storage |
+| **Network** | **High bandwidth (10+ Mbps)** | Concurrent data serving |
+| **Connectivity** | **Stable, accessible external IP** | Direct peer connections |
+
+**Network Requirements:**
+
+- Capacity to handle multiple concurrent connections
+- Stable external IP address for direct peer access
+- Low latency for efficient data serving
+
+#### Blend Protocol Service
+
+Blend Protocol nodes provide anonymous message routing capabilities.
+
+**Service Role:**
+
+- Route messages anonymously through the network
+- Provide timing obfuscation for privacy
+- Maintain multiple concurrent connections
+
+**Additional Requirements:**
+
+| Component | Specification | Rationale |
+|-----------|---------------|-----------|
+| **CPU** | Same as Basic Bedrock Node | Standard processing needs |
+| **Memory (RAM)** | Same as Basic Bedrock Node | Standard memory needs |
+| **Storage** | Same as Basic Bedrock Node | Standard storage needs |
+| **Network** | **Stable connection (10+ Mbps)** | Multiple concurrent connections |
+| **Connectivity** | **Stable, accessible external IP** | Direct peer connections |
+
+**Network Requirements:**
+
+- Low-latency connection for effective message blending
+- Stable connection for timing obfuscation
+- Capability to handle multiple simultaneous connections
+
+#### Executor Network Service
+
+Zone Executors perform the most computationally intensive work in the network.
+
+**Service Role:**
+
+- Execute Zone state transitions
+- Generate zero-knowledge proofs
+- Process complex computational workloads
+
+**Critical Performance Note**: Zone Executors perform the heaviest computational work in the network. High-performance hardware is crucial for effective participation and may provide competitive advantages in execution markets.
+
+**Hardware Requirements:**
+
+| Component | Specification | Rationale |
+|-----------|---------------|-----------|
+| **CPU** | **Very high-performance multi-core processor** | Zone logic execution and ZK proving |
+| **Memory (RAM)** | **32+ GB strongly recommended** | Complex Zone execution requirements |
+| **Storage** | Same as Basic Bedrock Node | Standard storage needs |
+| **GPU** | **Highly recommended/often necessary** | Efficient ZK proof generation |
+| **Network** | **High bandwidth (10+ Mbps)** | Data dispersal and high connection load |
+
+**GPU Requirements:**
+
+- **NVIDIA**: CUDA-enabled GPU (RTX 3090 or equivalent recommended)
+- **Apple**: Metal-compatible Apple Silicon
+- **Performance Impact**: Strong GPU significantly reduces proving time
+
+**Network Requirements:**
+
+- Support for **2048+ direct UDP connections** to DA Nodes (for blob publishing)
+- High bandwidth for data dispersal operations
+- Stable connection for continuous operation
+
+*Note: DA Nodes utilizing [libp2p](https://docs.libp2p.io/) connections need sufficient capacity to receive and serve data shares over many connections.*
+
+## Implementation Requirements
+
+### Minimum Requirements
+
+All Nomos nodes MUST meet:
+
+1. **Basic connectivity** to the Nomos network via [libp2p](https://docs.libp2p.io/)
+2. **Adequate storage** for their designated role
+3. **Sufficient processing power** for their service level
+4. **Reliable network connection** with appropriate bandwidth for [QUIC](https://docs.libp2p.io/concepts/transports/quic/) transport
+
+### Optional Enhancements
+
+Node operators MAY implement:
+
+- Hardware redundancy for critical services
+- Enhanced cooling for high-performance configurations
+- Dedicated network connections for service nodes utilizing [libp2p](https://docs.libp2p.io/) protocols
+- Backup power systems for continuous operation
+
+### Resource Scaling
+
+Requirements may vary based on:
+
+- **Network Load**: Higher network activity increases resource demands
+- **Zone Complexity**: More complex Zones require additional computational resources
+- **Service Combinations**: Running multiple services simultaneously increases requirements
+- **Geographic Location**: Network latency affects optimal performance requirements
+
+## Security Considerations
+
+### Hardware Security
+
+1. **Secure Storage**: Use encrypted storage for sensitive node data
+2. **Network Security**: Implement proper firewall configurations
+3. **Physical Security**: Secure physical access to node hardware
+4. **Backup Strategies**: Maintain secure backups of critical data
+
+### Performance Security
+
+1. **Resource Monitoring**: Monitor resource usage to detect anomalies
+2. **Redundancy**: Plan for hardware failures in critical services
+3. **Isolation**: Consider containerization or virtualization for service isolation
+4. **Update Management**: Maintain secure update procedures for hardware drivers
+
+## Performance Characteristics
+
+### Scalability
+
+- **Light Nodes**: Minimal resource footprint, high scalability
+- **Validators**: Moderate resource usage, network-dependent scaling
+- **Service Nodes**: High resource usage, specialized scaling requirements
+
+### Resource Efficiency
+
+- **CPU Usage**: Optimized algorithms for different hardware tiers
+- **Memory Usage**: Efficient data structures for constrained environments
+- **Storage Usage**: Configurable retention policies and compression
+- **Network Usage**: Adaptive bandwidth utilization based on [libp2p](https://docs.libp2p.io/) capacity and [QUIC](https://docs.libp2p.io/concepts/transports/quic/) connection efficiency
+
+## References
+
+1. [libp2p protocol](https://docs.libp2p.io/)
+2. [QUIC protocol](https://docs.libp2p.io/concepts/transports/quic/)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

nomos/raw/p2p-nat-solution.md

@@ -0,0 +1,377 @@
+---
+title: P2P-NAT-SOLUTION
+name: Nomos P2P Network NAT Solution Specification
+status: raw
+category: networking
+tags: [nat, traversal, autonat, upnp, pcp, nat-pmp]
+editor: Antonio Antonino <antonio@status.im>
+contributors:
+- Álvaro Castro-Castilla <alvaro@status.im>
+- Daniel Sanchez-Quiros <danielsq@status.im>
+- Petar Radovic <petar@status.im>
+- Gusto Bacvinka <augustinas@status.im>
+- Youngjoon Lee <youngjoon@status.im>
+- Filip Dimitrijevic <filip@status.im>
+---
+
+## Abstract
+
+This specification defines a comprehensive NAT (Network Address Translation) traversal solution for the Nomos P2P network. The solution enables nodes to automatically determine their NAT status and establish both outbound and inbound connections regardless of network configuration. The strategy combines [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md), dynamic port mapping protocols, and continuous verification to maximize public reachability while maintaining decentralized operation.
+
+## Motivation
+
+Network Address Translation presents a critical challenge for Nomos participants, particularly those operating on consumer hardware without technical expertise. The Nomos network requires a NAT traversal solution that:
+
+1. **Automatic Operation**: Works out-of-the-box without user configuration
+2. **Inclusive Participation**: Enables nodes on consumer hardware to participate effectively
+3. **Decentralized Approach**: Leverages the existing Nomos P2P network rather than centralized services
+4. **Progressive Fallback**: Escalates through increasingly complex protocols as needed
+5. **Dynamic Adaptation**: Handles changing network environments and configurations
+
+The solution must ensure that nodes can both establish outbound connections and accept inbound connections from other peers, maintaining network connectivity across diverse NAT configurations.
+
+## Specification
+
+### Terminology
+
+- **Public Node**: A node that is publicly reachable via a public IP address or valid port mapping
+- **Private Node**: A node that is not publicly reachable due to NAT/firewall restrictions
+- **Dialing**: The process of establishing a connection using the [libp2p protocol](https://docs.libp2p.io/) stack
+- **NAT Status**: Whether a node is publicly reachable or hidden behind NAT
+
+### Key Design Principles
+
+#### Optional Configuration
+
+The NAT traversal strategy must work out-of-the-box whenever possible. Users who do not want to engage in configuration should only need to install the node software package. However, users requiring full control must be able to configure every aspect of the strategy.
+
+#### Decentralized Operation
+
+The solution leverages the existing Nomos P2P network for coordination rather than relying on centralized third-party services. This maintains the decentralized nature of the network while providing necessary NAT traversal capabilities.
+
+#### Progressive Fallback
+
+The protocol begins with lightweight checks and escalates through more complex and resource-intensive protocols. Failure at any step moves the protocol to the next stage in the strategy, ensuring maximum compatibility across network configurations.
+
+#### Dynamic Network Environment
+
+Unless explicitly configured for static addresses, each node's public or private status is assumed to be dynamic. A once publicly-reachable node can become unreachable and vice versa, requiring continuous monitoring and adaptation.
+
+### Node Discovery Considerations
+
+The Nomos public network encourages participation from a large number of nodes, many deployed through simple installation procedures. Some nodes will not achieve Public status, but the discovery protocol must track these peers and allow other nodes to discover them. This prevents network partitioning and ensures Private nodes remain accessible to other participants.
+
+### NAT Traversal Protocol
+
+#### Protocol Requirements
+
+**Each node MUST:**
+
+- Run an [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) client, except for nodes statically configured as Public
+- Use the [Identify protocol](https://github.com/libp2p/specs/blob/master/identify/README.md) to advertise support for:
+  - `/nomos/autonat/2/dial-request` for main network
+  - `/nomos-testnet/autonat/2/dial-request` for public testnet
+  - `/nomos/autonat/2/dial-back` and `/nomos-testnet/autonat/2/dial-back` respectively
+
+#### NAT State Machine
+
+The NAT traversal process follows a multi-phase state machine:
+
+```mermaid
+graph TD
+  Start@{shape: circle, label: "Start"} -->|Preconfigured public IP or port mapping| StaticPublic[Statically configured as<br/>**Public**]
+  subgraph Phase0 [Phase 0]
+  Start -->|Default configuration| Boot
+  end
+  subgraph Phase1 [Phase 1]
+  Boot[Bootstrap and discover AutoNAT servers]--> Inspect
+  Inspect[Inspect own IP addresses]-->|At least 1 IP address in the public range| ConfirmPublic[AutoNAT]
+  end
+  subgraph Phase2 [Phase 2]
+  Inspect -->|No IP addresses in the public range| MapPorts[Port Mapping Client<br/>UPnP/NAT-PMP/PCP]
+  MapPorts -->|Successful port map| ConfirmMapPorts[AutoNAT]
+  end
+  ConfirmPublic -->|Node's IP address reachable by AutoNAT server| Public[**Public** Node]
+  ConfirmPublic -->|Node's IP address not reachable by AutoNAT server or Timeout| MapPorts
+  ConfirmMapPorts -->|Mapped IP address and port reachable by AutoNAT server| Public
+  ConfirmMapPorts -->|Mapped IP address and port not reachable by AutoNAT server or Timeout| Private
+  MapPorts -->|Failure or Timeout| Private[**Private** Node]
+  subgraph Phase3 [Phase 3]
+  Public -->Monitor
+  Private --> Monitor
+  end
+  Monitor[Network Monitoring] -->|Restart| Inspect
+```
+
+### Phase Implementation
+
+#### Phase 0: Bootstrapping and Identifying Public Nodes
+
+If the node is statically configured by the operator to be Public, the procedure stops here.
+
+The node utilizes bootstrapping and discovery mechanisms to find other Public nodes. The [Identify protocol](https://github.com/libp2p/specs/blob/master/identify/README.md) confirms which detected Public nodes support [AutoNAT v2](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md).
+
+#### Phase 1: NAT Detection
+
+The node starts an [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) client and inspects its own addresses. For each public IP address, the node verifies public reachability via [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md). If any public IP addresses are confirmed, the node assumes Public status and moves to Phase 3. Otherwise, it continues to Phase 2.
+
+#### Phase 2: Automated Port Mapping
+
+The node attempts to secure port mapping on the default gateway using:
+
+- **[PCP](https://datatracker.ietf.org/doc/html/rfc6887)** (Port Control Protocol) - Most reliable
+- **[NAT-PMP](https://datatracker.ietf.org/doc/html/rfc6886)** (NAT Port Mapping Protocol) - Second most reliable  
+- **[UPnP-IGD](https://datatracker.ietf.org/doc/html/rfc6970)** (Universal Plug and Play Internet Gateway Device) - Most widely deployed
+
+**Port Mapping Algorithm:**
+
+```python
+def try_port_mapping():
+    # Step 1: Get the local IPv4 address
+    local_ip = get_local_ipv4_address()
+    
+    # Step 2: Get the default gateway IPv4 address
+    gateway_ip = get_default_gateway_address()
+    
+    # Step 3: Abort if local or gateway IP could not be determined
+    if not local_ip or not gateway_ip:
+        return "Mapping failed: Unable to get local or gateway IPv4"
+
+    # Step 4: Probe the gateway for protocol support
+    supports_pcp = probe_pcp(gateway_ip)
+    supports_nat_pmp = probe_nat_pmp(gateway_ip)
+    supports_upnp = probe_upnp(gateway_ip)  # Optional for logging
+
+    # Step 5-9: Try protocols in order of reliability
+    # PCP (most reliable) -> NAT-PMP -> UPnP -> fallback attempts
+    
+    protocols = [
+        (supports_pcp, try_pcp_mapping),
+        (supports_nat_pmp, try_nat_pmp_mapping),
+        (True, try_upnp_mapping),  # Always try UPnP
+        (not supports_pcp, try_pcp_mapping),  # Fallback
+        (not supports_nat_pmp, try_nat_pmp_mapping)  # Last resort
+    ]
+    
+    for supported, mapping_func in protocols:
+        if supported:
+            mapping = mapping_func(local_ip, gateway_ip)
+            if mapping:
+                return mapping
+    
+    return "Mapping failed: No protocol succeeded"
+```
+
+If mapping succeeds, the node uses [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) to confirm public reachability. Upon confirmation, the node assumes Public status. Otherwise, it assumes Private status.
+
+**Port Mapping Sequence:**
+
+```mermaid
+sequenceDiagram
+    box Node
+        participant AutoNAT Client
+        participant NAT State Machine
+        participant Port Mapping Client
+    end
+    participant Router
+    
+    alt Mapping is successful
+        Note left of AutoNAT Client: Phase 2
+        Port Mapping Client ->> +Router: Requests new mapping
+        Router ->> Port Mapping Client: Confirms new mapping
+        Port Mapping Client ->> NAT State Machine: Mapping secured
+        NAT State Machine ->> AutoNAT Client: Requests confirmation<br/>that mapped address<br/>is publicly reachable
+        
+        alt Node asserts Public status
+            AutoNAT Client ->> NAT State Machine: Mapped address<br/>is publicly reachable
+            Note left of AutoNAT Client: Phase 3<br/>Network Monitoring
+        else Node asserts Private status
+            AutoNAT Client ->> NAT State Machine: Mapped address<br/>is not publicly reachable
+            Note left of AutoNAT Client: Phase 3<br/>Network Monitoring
+        end
+    else Mapping fails, node asserts Private status
+        Note left of AutoNAT Client: Phase 2
+        Port Mapping Client ->> Router: Requests new mapping
+        Router ->> Port Mapping Client: Refuses new mapping or Timeout
+        Port Mapping Client ->> NAT State Machine: Mapping failed
+        Note left of AutoNAT Client: Phase 3<br/>Network Monitoring
+    end
+```
+
+#### Phase 3: Network Monitoring
+
+Unless explicitly configured, nodes must monitor their network status and restart from Phase 1 when changes are detected.
+
+**Public Node Monitoring:**
+
+A Public node must restart when:
+
+- [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) client no longer confirms public reachability
+- A previously successful port mapping is lost or refresh fails
+
+**Private Node Monitoring:**
+
+A Private node must restart when:
+
+- It gains a new public IP address
+- Port mapping is likely to succeed (gateway change, sufficient time passed)
+
+**Network Monitoring Sequence:**
+
+```mermaid
+sequenceDiagram
+    participant AutoNAT Server
+    box Node
+        participant AutoNAT Client
+        participant NAT State Machine
+        participant Port Mapping Client
+    end
+    participant Router
+
+    Note left of AutoNAT Server: Phase 3<br/>Network Monitoring
+    par Refresh mapping and monitor changes
+        loop periodically refreshes mapping
+            Port Mapping Client ->> Router: Requests refresh
+            Router ->> Port Mapping Client: Confirms mapping refresh
+        end
+        break Mapping is lost, the node loses Public status
+            Router ->> Port Mapping Client: Refresh failed or mapping dropped
+            Port Mapping Client ->> NAT State Machine: Mapping lost
+            NAT State Machine ->> NAT State Machine: Restart
+        end
+    and Monitor public reachability of mapped addresses
+        loop periodically checks public reachability
+            AutoNAT Client ->> AutoNAT Server: Requests dialback
+            AutoNAT Server ->> AutoNAT Client: Dialback successful
+        end
+        break
+            AutoNAT Server ->> AutoNAT Client: Dialback failed or Timeout
+            AutoNAT Client ->> NAT State Machine: Public reachability lost
+            NAT State Machine ->> NAT State Machine: Restart
+        end
+    end
+    Note left of AutoNAT Server: Phase 1
+```
+
+### Public Node Responsibilities
+
+**A Public node MUST:**
+
+- Run an [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) server
+- Listen on and advertise via [Identify protocol](https://github.com/libp2p/specs/blob/master/identify/README.md) its publicly reachable [multiaddresses](https://github.com/libp2p/specs/blob/master/addressing/README.md):
+  
+  `/{public_peer_ip}/udp/{port}/quic-v1/p2p/{public_peer_id}`
+
+- Periodically renew port mappings according to protocol recommendations
+- Maintain high availability for [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) services
+
+### Peer Dialing
+
+Other peers can always dial a Public peer using its publicly reachable [multiaddresses](https://github.com/libp2p/specs/blob/master/addressing/README.md):
+
+`/{public_peer_ip}/udp/{port}/quic-v1/p2p/{public_peer_id}`
+
+## Implementation Requirements
+
+### Mandatory Components
+
+All Nomos nodes MUST implement:
+
+1. **[AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) client** for NAT status detection
+2. **Port mapping clients** for [PCP](https://datatracker.ietf.org/doc/html/rfc6887), [NAT-PMP](https://datatracker.ietf.org/doc/html/rfc6886), and [UPnP-IGD](https://datatracker.ietf.org/doc/html/rfc6970)
+3. **[Identify protocol](https://github.com/libp2p/specs/blob/master/identify/README.md)** for capability advertisement
+4. **Network monitoring** for status change detection
+
+### Optional Enhancements
+
+Nodes MAY implement:
+
+- Custom port mapping retry strategies
+- Enhanced network change detection
+- Advanced [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) server load balancing
+- Backup connectivity mechanisms
+
+### Configuration Parameters
+
+#### [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) Configuration
+
+```yaml
+autonat:
+  client:
+    dial_timeout: 15s
+    max_peer_addresses: 16
+    throttle_global_limit: 30
+    throttle_peer_limit: 3
+  server:
+    dial_timeout: 30s
+    max_peer_addresses: 16
+    throttle_global_limit: 30
+    throttle_peer_limit: 3
+```
+
+#### Port Mapping Configuration
+
+```yaml
+port_mapping:
+  pcp:
+    timeout: 30s
+    lifetime: 7200s  # 2 hours
+    retry_interval: 300s
+  nat_pmp:
+    timeout: 30s
+    lifetime: 7200s
+    retry_interval: 300s
+  upnp:
+    timeout: 30s
+    lease_duration: 7200s
+    retry_interval: 300s
+```
+
+## Security Considerations
+
+### NAT Traversal Security
+
+1. **Port Mapping Validation**: Verify that requested port mappings are actually created
+2. **[AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) Server Trust**: Implement peer reputation for [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) servers
+3. **Gateway Communication**: Secure communication with NAT devices
+4. **Address Validation**: Validate public addresses before advertisement
+
+### Privacy Considerations
+
+1. **IP Address Exposure**: Public nodes necessarily expose IP addresses
+2. **Traffic Analysis**: Monitor for patterns that could reveal node behavior
+3. **Gateway Information**: Minimize exposure of internal network topology
+
+### Denial of Service Protection
+
+1. **[AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) Rate Limiting**: Implement request throttling for [AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) services
+2. **Port Mapping Abuse**: Prevent excessive port mapping requests
+3. **Resource Exhaustion**: Limit concurrent NAT traversal attempts
+
+## Performance Characteristics
+
+### Scalability
+
+- **[AutoNAT](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md) Server Load**: Distributed across Public nodes
+- **Port Mapping Overhead**: Minimal ongoing resource usage
+- **Network Monitoring**: Efficient periodic checks
+
+### Reliability
+
+- **Fallback Mechanisms**: Multiple protocols ensure high success rates
+- **Continuous Monitoring**: Automatic recovery from connectivity loss
+- **Protocol Redundancy**: Multiple port mapping protocols increase reliability
+
+## References
+
+1. [Multiaddress spec](https://github.com/libp2p/specs/blob/master/addressing/README.md)
+2. [Identify protocol spec](https://github.com/libp2p/specs/blob/master/identify/README.md)
+3. [AutoNAT v2 protocol spec](https://github.com/libp2p/specs/blob/master/autonat/autonat-v2.md)
+4. [Circuit Relay v2 protocol spec](https://github.com/libp2p/specs/blob/master/relay/circuit-v2.md)
+5. [PCP - RFC 6887](https://datatracker.ietf.org/doc/html/rfc6887)
+6. [NAT-PMP - RFC 6886](https://datatracker.ietf.org/doc/html/rfc6886)
+7. [UPnP IGD - RFC 6970](https://datatracker.ietf.org/doc/html/rfc6970)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

nomos/raw/p2p-network-bootstrapping.md

@@ -0,0 +1,185 @@
+---
+title: P2P-NETWORK-BOOTSTRAPPING
+name: Nomos P2P Network Bootstrapping Specification
+status: raw
+category: networking
+tags: [p2p, networking, bootstrapping, peer-discovery, libp2p]
+editor: Daniel Sanchez-Quiros <danielsq@status.im>
+contributors:
+- Álvaro Castro-Castilla <alvaro@status.im>
+- Petar Radovic <petar@status.im>
+- Gusto Bacvinka <augustinas@status.im>
+- Antonio Antonino <antonio@status.im>
+- Youngjoon Lee <youngjoon@status.im>
+- Filip Dimitrijevic <filip@status.im>
+---
+
+## Introduction
+
+Nomos network bootstrapping is the process by which a new node discovers peers and synchronizes with the existing decentralized network. It ensures that a node can:
+
+1. **Discover Peers** – Find other active nodes in the network.
+2. **Establish Connections** – Securely connect to trusted peers.
+3. **Negotiate (libp2p) Protocols** - Ensure that other peers operate in the same protocols as the node needs.
+
+## Overview
+
+The Nomos P2P network bootstrapping strategy relies on a designated subset of **bootstrap nodes** to facilitate secure and efficient node onboarding. These nodes serve as the initial entry points for new network participants.
+
+### Key Design Principles
+
+#### Trusted Bootstrap Nodes
+
+A curated set of publicly announced and highly available nodes ensures reliability during initial peer discovery. These nodes are configured with elevated connection limits to handle a high volume of incoming bootstrapping requests from new participants.
+
+#### Node Configuration & Onboarding
+
+New node operators must explicitly configure their instances with the addresses of bootstrap nodes. This configuration may be preloaded or dynamically fetched from a trusted source to minimize manual setup.
+
+#### Network Integration
+
+Upon initialization, the node establishes connections with the bootstrap nodes and begins participating in Nomos networking protocols. Through these connections, the node discovers additional peers, synchronizes with the network state, and engages in protocol-specific communication (e.g., consensus, block propagation).
+
+### Security & Decentralization Considerations
+
+**Trust Minimization**: While bootstrap nodes provide initial connectivity, the network rapidly transitions to decentralized peer discovery to prevent over-reliance on any single entity.
+
+**Authenticated Announcements**: The identities and addresses of bootstrap nodes are publicly verifiable to mitigate impersonation attacks. From [libp2p documentation](https://docs.libp2p.io/concepts/transports/quic/#quic-in-libp2p):
+
+> To authenticate each others' peer IDs, peers encode their peer ID into a self-signed certificate, which they sign using their host's private key.
+
+**Dynamic Peer Management**: After bootstrapping, nodes continuously refine their peer lists to maintain a resilient and distributed network topology.
+
+This approach ensures **rapid, secure, and scalable** network participation while preserving the decentralized ethos of the Nomos protocol.
+
+## Protocol
+
+### Protocol Overview
+
+The bootstrapping protocol follows libp2p conventions for peer discovery and connection establishment. Implementation details are handled by the underlying libp2p stack with Nomos-specific configuration parameters.
+
+### Bootstrapping Process
+
+#### Step-by-Step bootstrapping process
+
+1. **Node Initial Configuration**: New nodes load pre-configured bootstrap node addresses. Addresses may be `IP` or `DNS` embedded in a compatible [libp2p PeerId multiaddress](https://docs.libp2p.io/concepts/fundamentals/peers/#peer-ids-in-multiaddrs). Node operators may chose to advertise more than one address. This is out of the scope of this protocol. For example:
+
+    `/ip4/198.51.100.0/udp/4242/p2p/QmYyQSo1c1Ym7orWxLYvCrM2EmxFTANf8wXmmE7DWjhx5N` or
+
+    `/dns/foo.bar.net/udp/4242/p2p/QmYyQSo1c1Ym7orWxLYvCrM2EmxFTANf8wXmmE7DWjhx5N`
+
+2. **Secure Connection**: Nodes establish connections to bootstrap nodes announced addresses. Verifies network identity and protocol compatibility.
+
+3. **Peer Discovery**: Requests and receives validated peer lists from bootstrap nodes. Each entry includes connectivity details as per the peer discovery protocol engaging after the initial connection.
+
+4. **Network Integration**: Iteratively connects to discovered peers. Gradually build peer connections.
+
+5. **Protocol Engagement**: Establishes required protocol channels (gossip/consensus/sync). Begins participating in network operations.
+
+6. **Ongoing Maintenance**: Continuously evaluates and refreshes peer connections. Ideally removes the connection to the bootstrap node itself. Bootstrap nodes may chose to remove the connection on their side to keep high availability for other nodes.
+
+```mermaid
+sequenceDiagram
+    participant Nomos Network
+    participant Node
+    participant Bootstrap Node
+
+    Node->>Node: Fetches bootstrapping addresses
+
+    loop Interacts with bootstrap node
+        Node->>+Bootstrap Node: Connects
+        Bootstrap Node->>-Node: Sends discovered peers information
+    end
+
+    loop Connects to Network participants
+        Node->>Nomos Network: Engages in connections
+        Node->>Nomos Network: Negotiates protocols
+    end
+
+    loop Ongoing maintenance
+        Node-->>Nomos Network: Evaluates peer connections
+        alt Bootstrap connection no longer needed
+            Node-->>Bootstrap Node: Disconnects
+        else Bootstrap enforces disconnection
+            Bootstrap Node-->>Node: Disconnects
+        end
+    end
+```
+
+## Implementation Details
+
+The bootstrapping process for the Nomos p2p network uses the **QUIC** transport as specified in the Nomos network specification.
+
+Bootstrapping is separated from the network's peer discovery protocol. It assumes that there is one protocol that would engage as soon as the connection with the bootstrapping node triggers. Currently Nomos network uses `kademlia` as the current first approach for the Nomos p2p network, this comes granted.
+
+### Bootstrap Node Requirements
+
+Bootstrap nodes MUST fulfill the following requirements:
+
+- **High Availability**: Maintain uptime of 99.5% or higher
+- **Connection Capacity**: Support minimum 1000 concurrent connections
+- **Geographic Distribution**: Deploy across multiple regions
+- **Protocol Compatibility**: Support all required Nomos network protocols
+- **Security**: Implement proper authentication and rate limiting
+
+### Network Configuration
+
+Bootstrap node addresses are distributed through:
+
+- **Hardcoded addresses** in node software releases
+- **DNS seeds** for dynamic address resolution
+- **Community-maintained lists** with cryptographic verification
+
+## Security Considerations
+
+### Trust Model
+
+Bootstrap nodes operate under a **minimal trust model**:
+
+- Nodes verify peer identities through cryptographic authentication
+- Bootstrap connections are temporary and replaced by organic peer discovery
+- No single bootstrap node can control network participation
+
+### Attack Mitigation
+
+**Sybil Attack Protection**: Bootstrap nodes implement connection limits and peer verification to prevent malicious flooding.
+
+**Eclipse Attack Prevention**: Nodes connect to multiple bootstrap nodes and rapidly diversify their peer connections.
+
+**Denial of Service Resistance**: Rate limiting and connection throttling protect bootstrap nodes from resource exhaustion attacks.
+
+## Performance Characteristics
+
+### Bootstrapping Metrics
+
+- **Initial Connection Time**: Target < 30 seconds to first bootstrap node
+- **Peer Discovery Duration**: Discover minimum viable peer set within 2 minutes
+- **Network Integration**: Full protocol engagement within 5 minutes
+
+### Resource Requirements
+
+#### Bootstrap Nodes
+
+- Memory: Minimum 4GB RAM
+- Bandwidth: 100 Mbps sustained
+- Storage: 50GB available space
+
+#### Regular Nodes
+
+- Memory: 512MB for bootstrapping process
+- Bandwidth: 10 Mbps during initial sync
+- Storage: Minimal requirements
+
+## References
+
+- P2P Network Specification (internal document)
+- [libp2p QUIC Transport](https://docs.libp2p.io/concepts/transports/quic/)
+- [libp2p Peer IDs and Addressing](https://docs.libp2p.io/concepts/fundamentals/peers/)
+- [Ethereum bootnodes](https://ethereum.org/en/developers/docs/nodes-and-clients/bootnodes/)
+- [Bitcoin peer discovery](https://developer.bitcoin.org/devguide/p2p_network.html#peer-discovery)
+- [Cardano nodes connectivity](https://docs.cardano.org/stake-pool-operators/node-connectivity)
+- [Cardano peer sharing](https://www.coincashew.com/coins/overview-ada/guide-how-to-build-a-haskell-stakepool-node/part-v-tips/implementing-peer-sharing)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

nomos/raw/p2p-network.md

@@ -0,0 +1,307 @@
+---
+title: NOMOS-P2P-NETWORK
+name: Nomos P2P Network Specification
+status: draft
+category: networking
+tags: [p2p, networking, libp2p, kademlia, gossipsub, quic]
+editor: Daniel Sanchez-Quiros <danielsq@status.im>
+contributors:
+- Filip Dimitrijevic <filip@status.im>
+---
+
+## Abstract
+
+This specification defines the peer-to-peer (P2P) network layer for Nomos blockchain nodes. The network serves as the comprehensive communication infrastructure enabling transaction dissemination through mempool and block propagation. The specification leverages established libp2p protocols to ensure robust, scalable performance with low bandwidth requirements and minimal latency while maintaining accessibility for diverse hardware configurations and network environments.
+
+## Motivation
+
+The Nomos blockchain requires a reliable, scalable P2P network that can:
+
+1. **Support diverse hardware**: From laptops to dedicated servers across various operating systems and geographic locations
+2. **Enable inclusive participation**: Allow non-technical users to operate nodes with minimal configuration
+3. **Maintain connectivity**: Ensure nodes remain reachable even with limited connectivity or behind NAT/routers
+4. **Scale efficiently**: Support large-scale networks (+10k nodes) with eventual consistency
+5. **Provide low-latency communication**: Enable efficient transaction and block propagation
+
+## Specification
+
+### Network Architecture Overview
+
+The Nomos P2P network addresses three critical challenges:
+
+- **Peer Connectivity**: Mechanisms for peers to join and connect to the network
+- **Peer Discovery**: Enabling peers to locate and identify network participants  
+- **Message Transmission**: Facilitating efficient message exchange across the network
+
+### Transport Protocol
+
+#### QUIC Protocol Transport
+
+The Nomos network employs **[QUIC protocol](https://docs.libp2p.io/concepts/transports/quic/)** as the primary transport protocol, leveraging the [libp2p protocol](https://docs.libp2p.io/) implementation.
+
+**Rationale for [QUIC protocol](https://docs.libp2p.io/concepts/transports/quic/):**
+
+- Rapid connection establishment
+- Enhanced NAT traversal capabilities (UDP-based)
+- Built-in multiplexing simplifies configuration
+- Production-tested reliability
+
+### Peer Discovery
+
+#### Kademlia DHT
+
+The network utilizes libp2p's Kademlia Distributed Hash Table (DHT) for peer discovery.
+
+**Protocol Identifiers:**
+
+- **Mainnet**: `/nomos/kad/1.0.0`
+- **Testnet**: `/nomos-testnet/kad/1.0.0`
+
+**Features:**
+
+- Proximity-based peer discovery heuristics
+- Distributed peer routing table
+- Resilient to network partitions
+- Automatic peer replacement
+
+#### Identify Protocol
+
+Complements Kademlia by enabling peer information exchange.
+
+**Protocol Identifiers:**
+
+- **Mainnet**: `/nomos/identify/1.0.0`
+- **Testnet**: `/nomos-testnet/identify/1.0.0`
+
+**Capabilities:**
+
+- Protocol support advertisement
+- Peer capability negotiation
+- Network interoperability enhancement
+
+#### Future Considerations
+
+The current Kademlia implementation is acknowledged as interim. Future improvements target:
+
+- Lightweight design without full DHT overhead
+- Highly-scalable eventual consistency
+- Support for 10k+ nodes with minimal resource usage
+
+### NAT Traversal
+
+The network implements comprehensive NAT traversal solutions to ensure connectivity across diverse network configurations.
+
+**Objectives:**
+
+- Configuration-free peer connections
+- Support for users with varying technical expertise
+- Enable nodes on standard consumer hardware
+
+**Implementation:**
+
+- Tailored solutions based on user network configuration
+- Automatic NAT type detection and adaptation
+- Fallback mechanisms for challenging network environments
+
+*Note: Detailed NAT traversal specifications are maintained in a separate document.*
+
+### Message Dissemination
+
+#### Gossipsub Protocol
+
+Nomos employs **gossipsub** for reliable message propagation across the network.
+
+**Integration:**
+
+- Seamless integration with Kademlia peer discovery
+- Automatic peer list updates
+- Efficient message routing and delivery
+
+#### Topic Configuration
+
+**Mempool Dissemination:**
+
+- **Mainnet**: `/nomos/mempool/0.1.0`
+- **Testnet**: `/nomos-testnet/mempool/0.1.0`
+
+**Block Propagation:**
+
+- **Mainnet**: `/nomos/cryptarchia/0.1.0`
+- **Testnet**: `/nomos-testnet/cryptarchia/0.1.0`
+
+#### Network Parameters
+
+**Peering Degree:**
+
+- **Minimum recommended**: 8 peers
+- **Rationale**: Ensures redundancy and efficient propagation
+- **Configurable**: Nodes may adjust based on resources and requirements
+
+### Bootstrapping
+
+#### Initial Network Entry
+
+New nodes connect to the network through designated bootstrap nodes.
+
+**Process:**
+
+1. Connect to known bootstrap nodes
+2. Obtain initial peer list through Kademlia
+3. Establish gossipsub connections
+4. Begin participating in network protocols
+
+**Bootstrap Node Requirements:**
+
+- High availability and reliability
+- Geographic distribution
+- Version compatibility maintenance
+
+### Message Encoding
+
+All network messages follow the Nomos Wire Format specification for consistent encoding and decoding across implementations.
+
+**Key Properties:**
+
+- Deterministic serialization
+- Efficient binary encoding
+- Forward/backward compatibility support
+- Cross-platform consistency
+
+*Note: Detailed wire format specifications are maintained in a separate document.*
+
+## Implementation Requirements
+
+### Mandatory Protocols
+
+All Nomos nodes MUST implement:
+
+1. **Kademlia DHT** for peer discovery
+2. **Identify protocol** for peer information exchange
+3. **Gossipsub** for message dissemination
+
+### Optional Enhancements
+
+Nodes MAY implement:
+
+- Advanced NAT traversal techniques
+- Custom peering strategies
+- Enhanced message routing optimizations
+
+### Network Versioning
+
+Protocol versions follow semantic versioning:
+
+- **Major version**: Breaking protocol changes
+- **Minor version**: Backward-compatible enhancements
+- **Patch version**: Bug fixes and optimizations
+
+## Configuration Parameters
+
+### Implementation Note
+
+**Current Status**: The Nomos P2P network implementation uses hardcoded libp2p protocol parameters for optimal performance and reliability. While the node configuration file (`config.yaml`) contains network-related settings, the core libp2p protocol parameters (Kademlia DHT, Identify, and Gossipsub) are embedded in the source code.
+
+### Node Configuration
+
+The following network parameters are configurable via `config.yaml`:
+
+#### Network Backend Settings
+
+```yaml
+network:
+  backend:
+    host: 0.0.0.0
+    port: 3000
+    node_key: <node_private_key>
+    initial_peers: []
+```
+
+#### Protocol-Specific Topics
+
+**Mempool Dissemination:**
+
+- **Mainnet**: `/nomos/mempool/0.1.0`
+- **Testnet**: `/nomos-testnet/mempool/0.1.0`
+
+**Block Propagation:**
+
+- **Mainnet**: `/nomos/cryptarchia/0.1.0`
+- **Testnet**: `/nomos-testnet/cryptarchia/0.1.0`
+
+### Hardcoded Protocol Parameters
+
+The following libp2p protocol parameters are currently hardcoded in the implementation:
+
+#### Peer Discovery Parameters
+
+- **Protocol identifiers** for Kademlia DHT and Identify protocols
+- **DHT routing table** configuration and query timeouts
+- **Peer discovery intervals** and connection management
+
+#### Message Dissemination Parameters  
+
+- **Gossipsub mesh parameters** (peer degree, heartbeat intervals)
+- **Message validation** and caching settings
+- **Topic subscription** and fanout management
+
+#### Rationale for Hardcoded Parameters
+
+1. **Network Stability**: Prevents misconfigurations that could fragment the network
+2. **Performance Optimization**: Parameters are tuned for the target network size and latency requirements
+3. **Security**: Reduces attack surface by limiting configurable network parameters
+4. **Simplicity**: Eliminates need for operators to understand complex P2P tuning
+
+## Security Considerations
+
+### Network-Level Security
+
+1. **Peer Authentication**: Utilize libp2p's built-in peer identity verification
+2. **Message Validation**: Implement application-layer message validation
+3. **Rate Limiting**: Protect against spam and DoS attacks
+4. **Blacklisting**: Mechanism for excluding malicious peers
+
+### Privacy Considerations
+
+1. **Traffic Analysis**: Gossipsub provides some resistance to traffic analysis
+2. **Metadata Leakage**: Minimize identifiable information in protocol messages
+3. **Connection Patterns**: Randomize connection timing and patterns
+
+### Denial of Service Protection
+
+1. **Resource Limits**: Impose limits on connections and message rates
+2. **Peer Scoring**: Implement reputation-based peer management
+3. **Circuit Breakers**: Automatic protection against resource exhaustion
+
+### Node Configuration Example
+
+[Nomos Node Configuration](https://github.com/logos-co/nomos/blob/master/nodes/nomos-node/config.yaml) is an example node configuration
+
+## Performance Characteristics
+
+### Scalability
+
+- **Target Network Size**: 10,000+ nodes
+- **Message Latency**: Sub-second for critical messages
+- **Bandwidth Efficiency**: Optimized for limited bandwidth environments
+
+### Resource Requirements
+
+- **Memory Usage**: Minimal DHT routing table overhead
+- **CPU Usage**: Efficient cryptographic operations
+- **Network Bandwidth**: Adaptive based on node role and capacity
+
+## References
+
+Original working document, from Nomos Notion: [P2P Network Specification](https://nomos-tech.notion.site/P2P-Network-Specification-206261aa09df81db8100d5f410e39d75).
+
+1. [libp2p Specifications](https://docs.libp2p.io/)
+2. [QUIC Protocol Specification](https://docs.libp2p.io/concepts/transports/quic/)
+3. [Kademlia DHT](https://docs.libp2p.io/concepts/discovery-routing/kaddht/)
+4. [Gossipsub Protocol](https://github.com/libp2p/specs/tree/master/pubsub/gossipsub)
+5. [Identify Protocol](https://github.com/libp2p/specs/blob/master/identify/README.md)
+6. [Nomos Implementation](https://github.com/logos-co/nomos) - Reference implementation and source code
+7. [Nomos Node Configuration](https://github.com/logos-co/nomos/blob/master/nodes/nomos-node/config.yaml) - Example node configuration
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

nomos/raw/sdp.md

@@ -0,0 +1,345 @@
+---
+title: NOMOS-SDP
+name: Nomos Service Declaration Protocol Specification
+status: raw
+category: 
+tags: participation, validators, declarations
+editor: Marcin Pawlowski <marcin@status.im>
+contributors:
+- Mehmet <mehmet@status.im>
+- Daniel Sanchez Quiros <danielsq@status.im>
+- Álvaro Castro-Castilla <alvaro@status.im>
+- Thomas Lavaur <thomaslavaur@status.im>
+- Filip Dimitrijevic <filip@status.im>
+- Gusto Bacvinka <augustinas@status.im>
+- David Rusu <davidrusu@status.im>
+---
+
+## Introduction
+
+This document defines a mechanism enabling validators to declare their participation in specific protocols that require a known and agreed-upon list of participants. Some examples of this are Data Availability and the Blend Network. We create a single repository of identifiers which is used to establish secure communication between validators and provide services. Before being admitted to the repository, the validator proves that it locked at least a minimum stake.
+
+## Requirements
+
+The requirements for the protocol are defined as follows:
+
+- A declaration must be backed by a confirmation that the sender of the declaration owns a certain value of the stake.
+- A declaration is valid until it is withdrawn or is not used for a service-specific amount of time.
+
+## Overview
+
+The SDP enables nodes to declare their eligibility to serve a specific service in the system, and withdraw their declarations.
+
+### Protocol Actions
+
+The protocol defines the following actions:
+
+- **Declare**: A node sends a declaration that confirms its willingness to provide a specific service, which is confirmed by locking a threshold of stake.
+- **Active**: A node marks that its participation in the protocol is active according to the service-specific activity logic. This action enables the protocol to monitor the node's activity. We utilize this as a non-intrusive differentiator of node activity. It is crucial to exclude inactive nodes from the set of active nodes, as it enhances the stability of services.
+- **Withdraw**: A node withdraws its declaration and stops providing a service.
+
+The logic of the protocol is straightforward:
+
+1. A node sends a declaration message for a specific service and proves it has a minimum stake.
+2. The declaration is registered on the ledger, and the node can commence its service according to the service-specific service logic.
+3. After a service-specific service-providing time, the node confirms its activity.
+4. The node must confirm its activity with a service-specific minimum frequency; otherwise, its declaration is inactive.
+5. After the service-specific locking period, the node can send a withdrawal message, and its declaration is removed from the ledger, which means that the node will no longer provide the service.
+
+💡 The protocol messages are subject to a finality that means messages become part of the immutable ledger after a delay. The delay at which it happens is defined by the consensus.
+
+## Construction
+
+In this section, we present the main constructions of the protocol. First, we start with data definitions. Second, we describe the protocol actions. Finally, we present part of the Bedrock Mantle design responsible for storing and processing SDP-related messages and data.
+
+### Data
+
+In this section, we discuss and define data types, messages, and their storage.
+
+#### Service Types
+
+We define the following services which can be used for service declaration:
+
+- `BN`: for Blend Network service.
+- `DA`: for Data Availability service.
+
+```python
+class ServiceType(Enum):
+    BN="BN"  # Blend Network
+    DA="DA"  # Data Availability
+```
+
+A declaration can be generated for any of the services above. Any declaration that is not one of the above must be rejected. The number of services might grow in the future.
+
+#### Minimum Stake
+
+The minimum stake is a global value that defines the minimum stake a node must have to perform any service.
+
+The `MinStake` is a structure that holds the value of the stake `stake_threshold` and the block number it was set at: `timestamp`.
+
+```python
+class MinStake:
+    stake_threshold: StakeThreshold
+    timestamp: BlockNumber
+```
+
+The `stake_thresholds` is a structure aggregating all defined `MinStake` values.
+
+```python
+stake_thresholds: list[MinStake]
+```
+
+For more information on how the minimum stake is calculated, please refer to the Nomos documentation.
+
+#### Service Parameters
+
+The service parameters structure defines the parameters set necessary for correctly handling interaction between the protocol and services. Each of the service types defined above must be mapped to a set of the following parameters:
+
+- `session_length` defines the session length expressed as the number of blocks; the sessions are counted from block `timestamp`.
+- `lock_period` defines the minimum time (as a number of sessions) during which the declaration cannot be withdrawn, this time must include the period necessary for finalizing the declaration (which might be implicit) and provision of a service for least a single session; it can be expressed as the number of blocks by multiplying its value by the `session_length`.
+- `inactivity_period` defines the maximum time (as a number of sessions) during which an activation message must be sent; otherwise, the declaration is considered inactive; it can be expressed as the number of blocks by multiplying its value by the `session_length`.
+- `retention_period` defines the time (as a number of sessions) after which the declaration can be safely deleted by the Garbage Collection mechanism; it can be expressed as the number of blocks by multiplying its value by the `session_length`.
+- `timestamp` defines the block number at which the parameter was set.
+
+```python
+class ServiceParameters:
+    session_length: NumberOfBlocks
+    lock_period: NumberOfSessions
+    inactivity_period: NumberOfSessions
+    retention_period: NumberOfSessions
+    timestamp: BlockNumber
+```
+
+The `parameters` is a structure aggregating all defined `ServiceParameters` values.
+
+```python
+parameters: list[ServiceParameters]
+```
+
+#### Identifiers
+
+We define the following set of identifiers which are used for service-specific cryptographic operations:
+
+- `provider_id`: used to sign the SDP messages and to establish secure links between validators; it is `Ed25519PublicKey`.
+- `zk_id`: used for zero-knowledge operations by the validator that includes rewarding ([Zero Knowledge Signature Scheme (ZkSignature)](https://www.notion.so/Zero-Knowledge-Signature-Scheme-ZkSignature-21c261aa09df8119bfb2dc74a3430df6?pvs=21)).
+
+#### Locators
+
+A `Locator` is the address of a validator which is used to establish secure communication between validators. It follows the [multiaddr addressing scheme from libp2p](https://docs.libp2p.io/concepts/fundamentals/addressing/), but it must contain only the location part and must not contain the node identity (`peer_id`).
+
+The `provider_id` must be used as the node identity. Therefore, the `Locator` must be completed by adding the `provider_id` at the end of it, which makes the `Locator` usable in the context of libp2p.
+
+The length of the `Locator` is restricted to 329 characters.
+
+The syntax of every `Locator` entry must be validated.
+
+**The common formatting of every** `Locator` **must be applied to maintain its unambiguity, to make deterministic ID generation work consistently.** The `Locator` must at least contain only lower case letters and every part of the address must be explicit (no implicit defaults).
+
+#### Declaration Message
+
+The construction of the declaration message is as follows:
+
+```python
+class DeclarationMessage:
+    service_type: ServiceType
+    locators: list[Locator]
+    provider_id: Ed25519PublicKey 
+    zk_id: ZkPublicKey
+```
+
+The `locators` list length must be limited to reduce the potential for abuse. Therefore, the length of the list cannot be longer than 8.
+
+The message must be signed by the `provider_id` key to prove ownership of the key that is used for network-level authentication of the validator. The message is also signed by the `zk_id` key (by default all Mantle transactions are signed with `zk_id` key).
+
+#### Declaration Storage
+
+Only valid declaration messages can be stored on the ledger. We define the `DeclarationInfo` as follows:
+
+```python
+class DeclarationInfo:
+    service: ServiceType
+    provider_id: Ed25519PublicKey
+    zk_id: ZkPublicKey
+    locators: list[Locator]
+    created: BlockNumber
+    active: BlockNumber
+    withdrawn: BlockNumber
+    nonce: Nonce
+```
+
+Where:
+
+- `service` defines the service type of the declaration;
+- `provider_id` is an `Ed25519PublicKey` used to sign the message by the validator;
+- `zk_id` is used for zero-knowledge operations by the validator that includes rewarding ([Zero Knowledge Signature Scheme (ZkSignature)](https://www.notion.so/Zero-Knowledge-Signature-Scheme-ZkSignature-21c261aa09df8119bfb2dc74a3430df6?pvs=21));
+- `locators` are a copy of the `locators` from the `DeclarationMessage`;
+- `created` refers to the block number of the block that contained the declaration;
+- `active` refers to the latest block number for which the active message was sent (it is set to `created` by default);
+- `withdrawn` refers to the block number for which the service declaration was withdrawn (it is set to 0 by default).
+- The `nonce` must be set to 0 for the declaration message and must increase monotonically by every message sent for the `declaration_id`.
+
+We also define the `declaration_id` (of a `DeclarationId` type) that is the unique identifier of `DeclarationInfo` calculated as a hash of the concatenation of `service`, `provider_id`, `locators` and `zk_id`. The implementation of the hash function is `blake2b` using 256 bits of the output.
+
+```python
+declaration_id = Hash(service||provider_id||zk_id||locators)
+```
+
+The `declaration_id` is not stored as part of the `DeclarationInfo` but it is used to index it.
+
+All `DeclarationInfo` references are stored in the `declarations` and are indexed by `declaration_id`.
+
+```python
+declarations: list[declaration_id]
+```
+
+#### Active Message
+
+The construction of the active message is as follows:
+
+```python
+class ActiveMessage:
+    declaration_id: DeclarationId
+    nonce: Nonce
+    metadata: Metadata
+```
+
+where `metadata` is a service-specific node activeness metadata.
+
+The message must be signed by the `zk_id` key associated with the `declaration_id`.
+
+The `nonce` must increase monotonically by every message sent for the `declaration_id`.
+
+#### Withdraw Message
+
+The construction of the withdraw message is as follows:
+
+```python
+class WithdrawMessage:
+    declaration_id: DeclarationId
+    nonce: Nonce
+```
+
+The message must be signed by the `zk_id` key from the `declaration_id`.
+
+The `nonce` must increase monotonically by every message sent for the `declaration_id`.
+
+#### Indexing
+
+Every event must be correctly indexed to enable lighter synchronization of the changes. Therefore, we index every `declaration_id` according to `EventType`, `ServiceType`, and `Timestamp`. Where `EventType = { "created", "active", "withdrawn" }` follows the type of the message.
+
+```python
+events = {
+    event_type: {
+        service_type: {
+            timestamp: {
+                declarations: list[declaration_id]
+            }
+        }
+    }
+}
+```
+
+### Protocol
+
+#### Declare
+
+The Declare action associates a validator with a service it wants to provide. It requires sending a valid `DeclarationMessage` (as defined in Declaration Message), which is then processed (as defined below) and stored (as defined in Declaration Storage).
+
+The declaration message is considered valid when all of the following are met:
+
+- The sender meets the stake requirements.
+- The `declaration_id` is unique.
+- The sender knows the secret behind the `provider_id` identifier.
+- The length of the `locators` list must not be longer than 8.
+- The `nonce` is increasing monotonically.
+
+If all of the above conditions are fulfilled, then the message is stored on the ledger; otherwise, the message is discarded.
+
+#### Active
+
+The Active action enables marking the provider as actively providing a service. It requires sending a valid `ActiveMessage` (as defined in Active Message), which is relayed to the service-specific node activity logic (as indicated by the service type in Common SDP Structures).
+
+The Active action updates the `active` value of the `DeclarationInfo`, which means that it also activates inactive (but not expired) providers.
+
+The SDP active action logic is:
+
+1. A node sends a `ActiveMessage` transaction.
+2. The `ActiveMessage` is verified by the SDP logic.
+    a. The `declaration_id` returns an existing `DeclarationInfo`.
+    b. The transaction containing `ActiveMessage` is signed by the `zk_id`.
+    c. The `withdrawn` from the `DeclarationInfo` is set to zero.
+    d. The `nonce` is increasing monotonically.
+3. If any of these conditions fail, discard the message and stop processing.
+4. The message is processed by the service-specific activity logic alongside the `active` value indicating the period since the last active message was sent. The `active` value comes from the `DeclarationInfo`.
+5. If the service-specific activity logic approves the node active message, then the `active` field of the `DeclarationInfo` is set to the current block height.
+
+#### Withdraw
+
+The withdraw action enables a withdrawal of a service declaration. It requires sending a valid `WithdrawMessage` (as defined in Withdraw Message). The withdrawal cannot happen before the end of the locking period, which is defined as the number of blocks counted since `created`. This lock period is stored as `lock_period` in the Service Parameters.
+
+The logic of the withdraw action is:
+
+1. A node sends a `WithdrawMessage` transaction.
+2. The `WithdrawMessage` is verified by the SDP logic:
+    a. The `declaration_id` returns an existing `DeclarationInfo`.
+    b. The transaction containing `WithdrawMessage` is signed by the `zk_id`.
+    c. The `withdrawn` from `DeclarationInfo` is set to zero.
+    d. The `nonce` is increasing monotonically.
+3. If any of the above is not correct, then discard the message and stop.
+4. Set the `withdrawn` from the `DeclarationInfo` to the current block height.
+5. Unlock the stake.
+
+#### Garbage Collection
+
+The protocol requires a garbage collection mechanism that periodically removes unused `DeclarationInfo` entries.
+
+The logic of garbage collection is:
+
+For every `DeclarationInfo` in the `declarations` set, remove the entry if either:
+
+1. The entry is past the retention period: `withdrawn + retention_period < current_block_height`.
+2. The entry is inactive beyond the inactivity and retention periods: `active + inactivity_period + retention_period < current_block_height`.
+
+#### Query
+
+The protocol must enable querying the ledger in at least the following manner:
+
+- `GetAllProviderId(timestamp)`, returns all `provider_id`s associated with the `timestamp`.
+- `GetAllProviderIdSince(timestamp)`, returns all `provider_id`s since the `timestamp`.
+- `GetAllDeclarationInfo(timestamp)`, returns all `DeclarationInfo` entries associated with the `timestamp`.
+- `GetAllDeclarationInfoSince(timestamp)`, returns all `DeclarationInfo` entries since the `timestamp`.
+- `GetDeclarationInfo(provider_id)`, returns the `DeclarationInfo` entry identified by the `provider_id`.
+- `GetDeclarationInfo(declaration_id)`, returns the `DeclarationInfo` entry identified by the `declaration_id`.
+- `GetAllServiceParameters(timestamp)`, returns all entries of the `ServiceParameters` store for the requested `timestamp`.
+- `GetAllServiceParametersSince(timestamp)`, returns all entries of the `ServiceParameters` store since the requested `timestamp`.
+- `GetServiceParameters(service_type, timestamp)`, returns the service parameter entry from the `ServiceParameters` store of a `service_type` for a specified `timestamp`.
+- `GetMinStake(timestamp)`, returns the `MinStake` structure at the requested `timestamp`.
+- `GetMinStakeSince(timestamp)`, returns a set of `MinStake` structures since the requested `timestamp`.
+
+The query must return an error if the retention period for the delegation has passed and the requested information is not available.
+
+The list of queries may be extended.
+
+Every query must return information for a finalized state only.
+
+### Mantle and ZK Proof
+
+For more information about the Mantle and ZK proofs, please refer to [Mantle Specification](https://www.notion.so/Mantle-Specification-21c261aa09df810c8820fab1d78b53d9?pvs=21).
+
+## Appendix
+
+### Future Improvements
+
+Refer to the [Mantle Specification](https://www.notion.so/Mantle-Specification-21c261aa09df810c8820fab1d78b53d9?pvs=21) for a list of potential improvements to the protocol.
+
+## References
+
+- Mantle and ZK Proof: [Mantle Specification](https://www.notion.so/Mantle-Specification-21c261aa09df810c8820fab1d78b53d9?pvs=21)
+- Ed25519 Digital Signatures: [RFC 8032](https://datatracker.ietf.org/doc/html/rfc8032)
+- BLAKE2b Cryptographic Hash: [RFC 7693](https://datatracker.ietf.org/doc/html/rfc7693)
+- libp2p Multiaddr: [Addressing Specification](https://docs.libp2p.io/concepts/fundamentals/addressing/)
+- Zero Knowledge Signatures: [ZkSignature Scheme](https://www.notion.so/Zero-Knowledge-Signature-Scheme-ZkSignature-21c261aa09df8119bfb2dc74a3430df6?pvs=21)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

status/24/curation.md

@@ -9,44 +9,61 @@ editor: Szymon Szlachtowicz <szymon.s@ethworks.io>
 ---
 
 ## Abstract
-This specification is a voting protocol for peers to submit votes to a smart contract. Voting is immutable, 
+
+This specification is a voting protocol for peers to submit votes to a smart contract.
+Voting is immutable,
 this will help avoid sabotage from malicious peers.
 
 ## Motivation
 
-In open p2p protocol there is an issue with voting off-chain as there is much room for malicious peers to only include votes that support their case when submitting votes to chain.
+In open p2p protocol there is an issue with voting off-chain
+as there is much room for malicious peers to only include votes that support
+their case when submitting votes to chain.
 
-Proposed solution is to aggregate votes over waku and allow users to submit votes to smart contract that aren't already submitted.
+Proposed solution is to aggregate votes over waku and
+allow users to submit votes to smart contract that aren't already submitted.
 
 ### Smart contract
 
 Voting should be finalized on chain so that the finished vote is immutable.
 Because of that, smart contract needs to be deployed.
-When votes are submitted smart contract has to verify what votes are properly signed and that sender has correct amount of SNT.
-When Vote is verified the amount of SNT voted on specific topic by specific sender is saved on chain.
+When votes are submitted
+smart contract has to verify what votes are properly signed and
+that sender has correct amount of SNT.
+When Vote is verified
+the amount of SNT voted on specific topic by specific sender is saved on chain.
 
 ### Double voting
 
-Smart contract should also keep a list of all signatures so that no one can send the same vote twice.
+Smart contract should also keep a list of all signatures so
+that no one can send the same vote twice.
 Another possibility is to allow each sender to only vote once.
 
 ### Initializing Vote
 
-When someone wants to initialize vote he has to send a transaction to smart contract that will create a new voting session.
-When initializing a user has to specify type of vote (Addition, Deletion), amount of his initial SNT to submit and public key of community under vote.
+When someone wants to initialize vote
+he has to send a transaction to smart contract that will create a new voting session.
+When initializing a user has to specify type of vote (Addition, Deletion),
+amount of his initial SNT to submit and public key of community under vote.
 Smart contract will return a ID which is identifier of voting session.
-Also there will be function on Smart Contract that when given community public key it will return voting session ID or undefined if community isn't under vote.
+Also there will be function on Smart Contract that
+when given community public key it will return voting session ID or
+undefined if community isn't under vote.
 
 ## Voting
 
 ### Sending votes
 
-Sending votes is simple every peer is able to send a message to Waku topic specific to given application: 
-```
+Sending votes is simple every peer is able to send a message to Waku topic
+specific to given application:
+
+```json
+
 /status-community-directory-curation-vote/1/{voting-session-id}/json
+
 ```
 
-vote object that is sent over waku should contain information about: 
+vote object that is sent over waku should contain information about:
 
 ```ts
 type Vote = {
@@ -54,28 +71,36 @@ type Vote = {
     vote: string // vote sent eg. 'yes' 'no'
     sntAmount: BigNumber //number of snt cast on vote
     sign: string // cryptographic signature of a transaction (signed fields: sender,vote,sntAmount,nonce,sessionID)
-    nonce: number // number of votes cast from this address on current vote (only if we allow multiple votes from the same sender)
+    nonce: number // number of votes cast from this address on current vote 
+    // (only if we allow multiple votes from the same sender)
     sessionID: number // ID of voting session
 }
 ```
 
 ### Aggregating votes
 
-Every peer that is opening specific voting session will listen to votes sent over p2p network, and aggregate them for a single transaction to chain.
+Every peer that is opening specific voting session
+will listen to votes sent over p2p network, and
+aggregate them for a single transaction to chain.
 
 ### Submitting to chain
 
-Every peer that has aggregated at least one vote will be able to send them to smart contract.
-When someone votes he will aggregate his own vote and will be able to immediately send it.
+Every peer that has aggregated at least one vote
+will be able to send them to smart contract.
+When someone votes he will aggregate his own vote and
+will be able to immediately send it.
 
 Peer doesn't need to vote to be able to submit the votes to the chain.
 
-Smart contract needs to verify that all votes are valid (eg. all senders had enough SNT, all votes are correctly signed) and that votes aren't duplicated on smart contract.
+Smart contract needs to verify that all votes are valid
+(eg. all senders had enough SNT, all votes are correctly signed) and
+that votes aren't duplicated on smart contract.
 
-### Finalizing 
+### Finalizing
 
 Once the vote deadline has expired, the smart contract will not accept votes anymore.
-Also directory will be updated according to vote results (community added to directory, removed etc.)
+Also directory will be updated according to vote results
+(community added to directory, removed etc.)
 
 ## Copyright
 

status/28/featuring.md

@@ -9,26 +9,32 @@ editor: Szymon Szlachtowicz <szymon.s@ethworks.io>
 ---
 
 ## Abstract
+
 This specification describes a voting method to feature different active Status Communities.
 
 ## Overview
 
-When there is a active community that is seeking new members, current users of community should be able to feature their community so that it will be accessible to larger audience.
+When there is a active community that is seeking new members,
+current users of community should be able to feature their community so
+that it will be accessible to larger audience.
 Status community curation DApp should provide such a tool.
 
 Rules of featuring:
     - Given community can't be featured twice in a row.
     - Only one vote per user per community (single user can vote on multiple communities)
     - Voting will be done off-chain
-    - If community hasn't been featured votes for given community are still valid for the next 4 weeks
+    - If community hasn't been featured
+    votes for given community are still valid for the next 4 weeks
 
-Since voting for featuring is similar to polling solutions proposed in this spec could be also used for different applications.
+Since voting for featuring is similar to polling solutions proposed
+in this spec could be also used for different applications.
 
 ### Voting
 
-Voting for featuring will be done through waku v2. 
+Voting for featuring will be done through waku v2.
 
 Payload of waku message will be :
+
 ```ts
 type FeatureVote = {
     voter: string // address of a voter
@@ -44,12 +50,16 @@ timestamp is necessary so that votes can't be reused after 4 week period
 ### Counting Votes
 
 Votes will be counted by the DApp itself.
-DApp will aggregate all the votes in the last 4 weeks and calculate which communities should be displayed in the Featured tab of DApp.
+DApp will aggregate all the votes in the last 4 weeks and
+calculate which communities should be displayed in the Featured tab of DApp.
 
 Rules of counting:
-    - When multiple votes from the same address on the same community are encountered only the vote with highest timestamp is considered valid.
-    - If a community has been featured in a previous week it can't be featured in current week.
-    - In a current week top 5 (or 10) communities with highest amount of SNT votes up to previous Sunday 23:59:59 UTC are considered featured.
+    - When multiple votes from the same address on the same community are encountered
+    only the vote with highest timestamp is considered valid.
+    - If a community has been featured in a previous week
+    it can't be featured in current week.
+    - In a current week top 5 (or 10) communities with highest amount of SNT votes
+    up to previous Sunday 23:59:59 UTC are considered featured.
 
 ## Copyright
 

status/55/1to1-chat.md

@@ -6,7 +6,7 @@ status: draft
 category: Standards Track
 tags: waku-application
 description: A chat protocol to send public and private messages to a single recipient by the Status app.
-editor: Aaryamann Challani <aaryamann@status.im>
+editor: Aaryamann Challani <p1ge0nh8er@proton.me>
 contributors:
 - Andrea Piana <andreap@status.im>
 - Pedro Pombeiro <pedro@status.im>
@@ -17,7 +17,8 @@ contributors:
 
 ## Abstract
 
-This specification describes how the Status 1-to-1 chat protocol is implemented on top of the Waku v2 protocol. 
+This specification describes how the Status 1-to-1 chat protocol is implemented
+on top of the Waku v2 protocol.
 This protocol can be used to send messages to a single recipient.
 
 ## Terminology
@@ -27,11 +28,13 @@ This protocol can be used to send messages to a single recipient.
 - **Public chat**: A chat where any participant can join and read messages.
 - **Private chat**: A chat where only invited participants can join and read messages.
 - **Group chat**: A chat where multiple select participants can join and read messages.
-- **Group admin**: A participant that is able to add/remove participants from a group chat.
+- **Group admin**: A participant that is able to
+add/remove participants from a group chat.
 
 ## Background
 
-This document describes how 2 peers communicate with each other to send messages in a 1-to-1 chat, with privacy and authenticity guarantees.
+This document describes how 2 peers communicate with each other
+to send messages in a 1-to-1 chat, with privacy and authenticity guarantees.
 
 ## Specification
 
@@ -39,47 +42,61 @@ This document describes how 2 peers communicate with each other to send messages
 
 This protocol MAY use any key-exchange mechanism previously discussed -
 
-1. [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) 
-2. [WAKU2-NOISE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/noise.md)
+1. [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md)
+2. [WAKU2-NOISE](https://github.com/waku-org/specs/blob/master/standards/application/noise.md)
 
-This protocol can provide end-to-end encryption to give peers a strong degree of privacy and security. 
-Public chat messages are publicly readable by anyone since there's no permission model for who is participating in a public chat.
+This protocol can provide end-to-end encryption
+to give peers a strong degree of privacy and security.
+Public chat messages are publicly readable by anyone since
+there's no permission model for who is participating in a public chat.
 
-## Flow
+## Chat Flow
 
 ### Negotiation of a 1:1 chat
 
 There are two phases in the initial negotiation of a 1:1 chat:
-1. **Identity verification** (e.g., face-to-face contact exchange through QR code, Identicon matching).
-A QR code serves two purposes simultaneously - identity verification and initial key material retrieval;
+
+1. **Identity verification**
+(e.g., face-to-face contact exchange through QR code, Identicon matching).
+A QR code serves two purposes simultaneously -
+identity verification and initial key material retrieval;
 1. **Asynchronous initial key exchange**
 
 For more information on account generation and trust establishment, see [65/ACCOUNT-ADDRESS](../65/account-address.md)
 
 ### Post Negotiation
 
-After the peers have shared their public key material, a 1:1 chat can be established using the methods described in the key-exchange protocols mentioned above.
+After the peers have shared their public key material,
+a 1:1 chat can be established using the methods described in the
+key-exchange protocols mentioned above.
 
 ### Session management
 
 The 1:1 chat is made robust by having sessions between peers.
 It is handled by the key-exchange protocol used. For example,
 
-1. [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md), the session management is described in [54/WAKU2-X3DH-SESSIONS](../../waku/standards/application/54/x3dh-sessions.md)
+1. [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md),
+the session management is described in [54/WAKU2-X3DH-SESSIONS](../../waku/standards/application/54/x3dh-sessions.md)
 
-2. [WAKU2-NOISE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/noise.md), the session management is described in [WAKU2-NOISE-SESSIONS](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/noise-sessions/noise-sessions.md)
+2. [WAKU2-NOISE](https://github.com/waku-org/specs/blob/master/standards/application/noise.md),
+the session management is described in [WAKU2-NOISE-SESSIONS](https://github.com/waku-org/specs/blob/master/standards/application/noise-sessions.md)
 
 ## Negotiation of a 1:1 chat amongst multiple participants (group chat)
 
-A small, private group chat can be constructed by having multiple participants negotiate a 1:1 chat amongst each other.
-Each participant MUST maintain a session with all other participants in the group chat.
+A small, private group chat can be constructed by having multiple participants
+negotiate a 1:1 chat amongst each other.
+Each participant MUST
+maintain a session with all other participants in the group chat.
 This allows for a group chat to be created with a small number of participants.
 
-However, this method does not scale as the number of participants increases, for the following reasons -
+However, this method does not scale as the number of participants increases,
+for the following reasons -
+
 1. The number of messages sent over the network increases with the number of participants.
 2. Handling the X3DH key exchange for each participant is computationally expensive.
 
-The above issues are addressed in [56/STATUS-COMMUNITIES](../56/communities.md), with other trade-offs.
+The above issues are addressed in [56/STATUS-COMMUNITIES](../56/communities.md),
+with other trade-offs.
 
 ### Flow
 
@@ -96,7 +113,8 @@ message MembershipUpdateMessage {
   // chat_id = hex(chat_creator_public_key) + "-" + random_uuid
   // This chat_id MUST be validated by all participants
   string chat_id = 1;
-  // A list of events for this group chat, first 65 bytes are the signature, then is a 
+  // A list of events for this group chat, first 65 bytes are the signature, 
+  then is a 
   // protobuf encoded MembershipUpdateEvent
   repeated bytes events = 2;
   oneof chat_entity {
@@ -108,7 +126,8 @@ message MembershipUpdateMessage {
 }
 ```
 
-Note that in `events`, the first element is the signature, and all other elements after are encoded `MembershipUpdateEvent`'s.
+Note that in `events`, the first element is the signature, and
+all other elements after are encoded `MembershipUpdateEvent`'s.
 
 where `MembershipUpdateEvent` is defined as follows:
 
@@ -141,69 +160,102 @@ message MembershipUpdateEvent {
   }
 }
 ```
-<!-- Note: I don't like defining wire formats which are out of the scope of the rfc this way. Should explore alternatives -->
-Note that the definitions for `ChatMessage` and `EmojiReaction` can be found in [chat_message.proto](https://github.com/status-im/status-go/blob/5fd9e93e9c298ed087e6716d857a3951dbfb3c1e/protocol/protobuf/chat_message.proto#L1) and [emoji_reaction.proto](https://github.com/status-im/status-go/blob/5fd9e93e9c298ed087e6716d857a3951dbfb3c1e/protocol/protobuf/emoji_reaction.proto).
+<!-- Note: 
+I don't like defining wire formats which are out of the scope of the rfc this way. 
+Should explore alternatives -->
+Note that the definitions for `ChatMessage` and
+`EmojiReaction` can be found in
+[chat_message.proto](https://github.com/status-im/status-go/blob/5fd9e93e9c298ed087e6716d857a3951dbfb3c1e/protocol/protobuf/chat_message.proto#L1)
+and [emoji_reaction.proto](https://github.com/status-im/status-go/blob/5fd9e93e9c298ed087e6716d857a3951dbfb3c1e/protocol/protobuf/emoji_reaction.proto).
 
 ##### Chat Created
 
-When creating a group chat, this is the first event that MUST be sent. 
-Any event with a clock value lower than this MUST be discarded. 
-Upon receiving this event a client MUST validate the `chat_id` provided with the update and create a chat with identified by `chat_id`.
+When creating a group chat, this is the first event that MUST be sent.
+Any event with a clock value lower than this MUST be discarded.
+Upon receiving this event a client MUST validate the `chat_id`
+provided with the update and
+create a chat with identified by `chat_id`.
 
 By default, the creator of the group chat is the only group admin.
 
 ##### Name Changed
 
 To change the name of the group chat, group admins MUST use a `NAME_CHANGED` event.
-Upon receiving this event a client MUST validate the `chat_id` provided with the updates and MUST ensure the author of the event is an admin of the chat, otherwise the event MUST be ignored. 
+Upon receiving this event,
+a client MUST validate the `chat_id` provided with the updates and
+MUST ensure the author of the event is an admin of the chat,
+otherwise the event MUST be ignored.
 If the event is valid the chat name SHOULD be changed according to the provided message.
 
 ##### Members Added
 
-To add members to the chat, group admins MUST use a `MEMBERS_ADDED` event. 
-Upon receiving this event a participant MUST validate the `chat_id` provided with the updates and MUST ensure the author of the event is an admin of the chat, otherwise the event MUST be ignored. 
-If the event is valid, a participant MUST update the list of members of the chat who have not joined, adding the members received. 
+To add members to the chat, group admins MUST use a `MEMBERS_ADDED` event.
+Upon receiving this event,
+a participant MUST validate the `chat_id` provided with the updates and
+MUST ensure the author of the event is an admin of the chat,
+otherwise the event MUST be ignored.
+If the event is valid,
+a participant MUST update the list of members of the chat who have not joined,
+adding the members received.
 
 ##### Member Joined
 
-To signal the intent to start receiving messages from a given chat, new participants MUST use a `MEMBER_JOINED` event.
-Upon receiving this event a participant MUST validate the `chat_id` provided with the updates. 
-If the event is valid a participant MUST add the new participant to the list of participants stored locally. 
+To signal the intent to start receiving messages from a given chat,
+new participants MUST use a `MEMBER_JOINED` event.
+Upon receiving this event,
+a participant MUST validate the `chat_id` provided with the updates.
+If the event is valid a participant,
+a participant MUST add the new participant to the list of participants stored locally.
 Any message sent to the group chat MUST now include the new participant.
 
 ##### Member Removed
 
 There are two ways in which a member MAY be removed from a group chat:
-- A member MAY leave the chat by sending a `MEMBER_REMOVED` event, with the `members` field containing their own public key.
-- An admin MAY remove a member by sending a `MEMBER_REMOVED` event, with the `members` field containing the public key of the member to be removed.
 
-Each participant MUST validate the `chat_id` provided with the updates and MUST ensure the author of the event is an admin of the chat, otherwise the event MUST be ignored.
+- A member MAY leave the chat by sending a `MEMBER_REMOVED` event,
+with the `members` field containing their own public key.
+- An admin MAY remove a member by sending a `MEMBER_REMOVED` event,
+with the `members` field containing the public key of the member to be removed.
+
+Each participant MUST validate the `chat_id` provided with the updates and
+MUST ensure the author of the event is an admin of the chat,
+otherwise the event MUST be ignored.
 If the event is valid, a participant MUST update the local list of members accordingly.
 
 ##### Admins Added
 
 To promote participants to group admin, group admins MUST use an `ADMINS_ADDED` event.
-Upon receiving this event, a participant MUST validate the `chat_id` provided with the updates, MUST ensure the author of the event is an admin of the chat, otherwise the event MUST be ignored. 
-If the event is valid, a participant MUST update the list of admins of the chat accordingly.
+Upon receiving this event,
+a participant MUST validate the `chat_id` provided with the updates,
+MUST ensure the author of the event is an admin of the chat,
+otherwise the event MUST be ignored.
+If the event is valid,
+a participant MUST update the list of admins of the chat accordingly.
 
 ##### Admin Removed
 
 Group admins MUST NOT be able to remove other group admins.
-An admin MAY remove themselves by sending an `ADMIN_REMOVED` event, with the `members` field containing their own public key.
-Each participant MUST validate the `chat_id` provided with the updates and MUST ensure the author of the event is an admin of the chat, otherwise the event MUST be ignored.
+An admin MAY remove themselves by sending an `ADMIN_REMOVED` event,
+with the `members` field containing their own public key.
+Each participant MUST validate the `chat_id` provided with the updates and
+MUST ensure the author of the event is an admin of the chat,
+otherwise the event MUST be ignored.
 If the event is valid, a participant MUST update the list of admins of the chat accordingly.
 
 ##### Color Changed
 
-To change the text color of the group chat name, group admins MUST use a `COLOR_CHANGED` event.
+To change the text color of the group chat name,
+group admins MUST use a `COLOR_CHANGED` event.
 
 ##### Image Changed
 
-To change the display image of the group chat, group admins MUST use an `IMAGE_CHANGED` event.
+To change the display image of the group chat,
+group admins MUST use an `IMAGE_CHANGED` event.
 
 ## Security Considerations
 
-1. Inherits the security considerations of the key-exchange mechanism used, e.g., [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) or [WAKU2-NOISE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/noise.md)
+1. Inherits the security considerations of the key-exchange mechanism used,
+e.g., [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) or [WAKU2-NOISE](https://github.com/waku-org/specs/blob/master/standards/application/noise.md)
 
 ## Copyright
 
@@ -212,10 +264,10 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
 ## References
 
 1. [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md)
-2. [35/WAKU2-NOISE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/noise.md)
+2. [WAKU2-NOISE](https://github.com/waku-org/specs/blob/master/standards/application/noise.md)
 3. [65/STATUS-ACCOUNT](../65/account-address.md)
 4. [54/WAKU2-X3DH-SESSIONS](../../waku/standards/application/54/x3dh-sessions.md)
-5. [37/WAKU2-NOISE-SESSIONS](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/noise-sessions/noise-sessions.md)
+5. [WAKU2-NOISE-SESSIONS](https://github.com/waku-org/specs/blob/master/standards/application/noise-sessions.md)
 6. [56/STATUS-COMMUNITIES](../56/communities.md)
 7. [chat_message.proto](https://github.com/status-im/status-go/blob/5fd9e93e9c298ed087e6716d857a3951dbfb3c1e/protocol/protobuf/chat_message.proto#L1)
 8. [emoji_reaction.proto](https://github.com/status-im/status-go/blob/5fd9e93e9c298ed087e6716d857a3951dbfb3c1e/protocol/protobuf/emoji_reaction.proto)

status/56/communities.md

@@ -6,56 +6,74 @@ status: draft
 category: Standards Track
 tags: waku-application
 description: Status Communities allow multiple users to communicate in a discussion space. This is a key feature of the Status application.
-editor: Aaryamann Challani <aaryamann@status.im>
+editor: Aaryamann Challani <p1ge0nh8er@proton.me>
 contributors:
 - Andrea Piana <andreap@status.im>
+- Prem Chaitanya Prathi <prem@waku.org>
 ---
 
 ## Abstract
 
-This document describes the design of Status Communities over Waku v2, allowing for multiple users to communicate in a discussion space. 
-This is a key feature for the Status messaging app. 
+This document describes the design of Status Communities over Waku v2,
+allowing for multiple users to communicate in a discussion space.
+This is a key feature for the Status messaging app.
 
 ## Background and Motivation
 
-The purpose of Status communities, as specified in this document, is allowing for large group chats.
+The purpose of Status communities, as specified in this document,
+is allowing for large group chats.
 Communities can have further substructure, e.g. specific channels.
 
-Smaller group chats, on the other hand, are out of scope for this document and can be built over [55/STATUS-1TO1-CHAT](../55/1to1-chat.md). 
-We refer to these smaller group chats simply as "group chats", to differentiate them from Communities.
+Smaller group chats, on the other hand,
+are out of scope for this document and
+can be built over [55/STATUS-1TO1-CHAT](../55/1to1-chat.md).
+We refer to these smaller group chats simply as "group chats",
+to differentiate them from Communities.
 
-For group chats based on [55/STATUS-1TO1-CHAT](../55/1to1-chat.md), the key exchange mechanism MUST be X3DH, as described in [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md).
+For group chats based on [55/STATUS-1TO1-CHAT](../55/1to1-chat.md),
+the key exchange mechanism MUST be X3DH,
+as described in [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md).
+
+However, this method does not scale as the number of participants increases,
+for the following reasons -
 
-However, this method does not scale as the number of participants increases, for the following reasons -
 1. The number of messages sent over the network increases with the number of participants.
 2. Handling the X3DH key exchange for each participant is computationally expensive.
 
 Having multicast channels reduces the overhead of a group chat based on 1:1 chat.
-Additionally, if all the participants of the group chat have a shared key, then the number of messages sent over the network is reduced to one per message.
+Additionally, if all the participants of the group chat have a shared key,
+then the number of messages sent over the network is reduced to one per message.
 
 ## Terminology
 
 - **Community**: A group of peers that can communicate with each other.
 - **Member**: A peer that is part of a community.
-- **Admin**: A member that has administrative privileges. Used interchangeably with "owner".
+- **Admin**: A member that has administrative privileges.
+Used interchangeably with "owner".
 - **Channel**: A designated subtopic for a community. Used interchangeably with "chat".
 
 ## Design Requirements
 
-Due to the nature of communities, the following requirements are necessary for the design of communities  -
+Due to the nature of communities,
+the following requirements are necessary for the design of communities  -
 
 1. The creator of the Community is the owner of the Community.
 2. The Community owner is trusted.
 3. The Community owner can add or remove members from the Community.
 This extends to banning and kicking members.
 4. The Community owner can add, edit and remove channels.
-5. Community members can send/receive messages to the channels which they have access to.
+5. Community members can send/receive messages
+to the channels which they have access to.
 6. Communities may be encrypted (private) or unencrypted (public).
 7. A Community is uniquely identified by a public key.
 8. The public key of the Community is shared out of band.
-9. The metadata of the Community can be found by listening on a content topic derived from the public key of the Community.
-10. Community members run their own Waku nodes, with the configuration described in [Waku-Protocols](#waku-protocols).
-Light nodes solely implementing [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md) may not be able to run their own Waku node with the configuration described.
+9. The metadata of the Community can be found by listening on a content topic
+derived from the public key of the Community.
+10. Community members run their own Waku nodes,
+with the configuration described in [Waku-Protocols](#waku-protocols).
+Light nodes solely implementing
+[19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md)
+may not be able to run their own Waku node with the configuration described.
 
 ## Design
 
@@ -64,16 +82,17 @@ Light nodes solely implementing [19/WAKU2-LIGHTPUSH](../../waku/standards/core/1
 The following cryptographic primitives are used in the design -
 
 - X3DH
-- Single Ratchet 
-    - The single ratchet is used to encrypt the messages sent to the Community.
-    - The single ratchet is re-keyed when a member is added/removed from the Community.
+- Single Ratchet
+  - The single ratchet is used to encrypt the messages sent to the Community.
+  - The single ratchet is re-keyed when a member is added/removed from the Community.
 
 ## Wire format
 
 <!--   
 The wire format is described first to give an overview of the protocol.
 It is referenced in the flow of community creation and community management.
-More or less an intersection of https://github.com/status-im/specs/blob/403b5ce316a270565023fc6a1f8dec138819f4b0/docs/raw/organisation-channels.md and https://github.com/status-im/status-go/blob/6072bd17ab1e5d9fc42cf844fcb8ad18aa07760c/protocol/protobuf/communities.proto,
+More or less an intersection of https://github.com/status-im/specs/blob/403b5ce316a270565023fc6a1f8dec138819f4b0/docs/raw/organisation-channels.md 
+and https://github.com/status-im/status-go/blob/6072bd17ab1e5d9fc42cf844fcb8ad18aa07760c/protocol/protobuf/communities.proto,
 
 -->
 
@@ -88,7 +107,8 @@ message IdentityImage {
   SourceType source_type = 2;
   // image_type signals the image type and method of parsing the payload
   ImageType image_type = 3;
-  // encryption_keys is a list of encrypted keys that can be used to decrypt an encrypted payload
+  // encryption_keys is a list of encrypted keys that can be used to decrypt an 
+  // encrypted payload
   repeated bytes encryption_keys = 4;
   // encrypted signals the encryption state of the payload, default is false.
   bool encrypted = 5;
@@ -101,7 +121,8 @@ message IdentityImage {
 
     // ENS_AVATAR uses the ENS record's resolver get-text-data.avatar data
     // The `payload` field will be ignored if ENS_AVATAR is selected
-    // The application will read and parse the ENS avatar data as image payload data, URLs will be ignored
+    // The application will read and 
+    // parse the ENS avatar data as image payload data, URLs will be ignored
     // The parent `ChatMessageIdentity` must have a valid `ens_name` set
     ENS_AVATAR = 2;
   }
@@ -129,7 +150,8 @@ message ChatIdentity {
   string color = 6;
   string emoji = 7;
   repeated SocialLink social_links = 8;
-  // first known message timestamp in seconds (valid only for community chats for now)
+  // first known message timestamp in seconds 
+  // (valid only for community chats for now)
   // 0 - unknown
   // 1 - no messages
   uint32 first_message_timestamp = 9;
@@ -285,16 +307,54 @@ message CommunityDescription {
 
 Note: The usage of the clock is described in the [Clock](#clock) section.
 
+### Functional scope and shard assignment
+
+We define two special [functional scopes](../raw/status-app-protocols.md#functional-scope) for messages related to Status Communities:
+
+1. Global community control
+2. Global community content
+
+All messages that relate to controlling communities MUST be assigned the _global community control_ scope.
+All messages that carry user-generated content for communities MUST be assigned the _global community content_ scope.
+
+> **Note:** a previous iteration of Status Communities defined separate community-wide scopes for each community.
+However, this model was deprecated and all communities now operate on a global, shared scope.
+This implies that different communities will share shards on the routing layer.
+
+The following [Waku transport layer](../raw/status-app-protocols.md#waku-transport-layer) allocations are reserved for communities:
+As per [STATUS-SIMPLE-SCALING](https://rfc.vac.dev/status/raw/simple-scaling/#relay-shards), communities use the default cluster ID `16`
+set aside for all Status app protocols.
+Within this cluster, the following [shards](../raw/status-app-protocols.md#pubsub-topics-and-sharding) are reserved for the community functional scopes:
+
+1. All messages with a _global community control_ scope MUST be published to shard `128`
+2. All messages with a _global community content_ scope MUST be published to shard `256`
+
+### Content topic level encryption
+
+-a universal chat identifier is used for all community chats.
+<!-- Don't enforce any constraints on the unique id generation -->
+
+All messages are encrypted before they are handed over to waku ir-respective of the encryption explained above.
+All community chats are encrypted using a symmetric key generated from universal chat id using pbkdf2.
+
+```js
+symKey = pbkdf2(password:universalChatID, salt:nil, iteration-count:65356,key-length:32, hash-func: random-sha256)
+```
+
 ### Content topic usage
 
-"Content topic" refers to the field in [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md/#message-attributes), further elaborated in [10/WAKU2](../../waku/standards/core/10/waku2.md/#overview-of-protocol-interaction).
+"Content topic" refers to the field in [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md/#message-attributes),
+further elaborated in [10/WAKU2](../../waku/standards/core/10/waku2.md/#overview-of-protocol-interaction).
+The content-topic usage follows the guidelines specified at [23/topics](../../waku/informational/23/topics.md#content-topic-usage-guidelines)
 
 #### Advertising a Community
 
-The content topic that the community is advertised on MUST be derived from the public key of the community.
-The content topic MUST be the first four bytes of the keccak-256 hash of the compressed (33 bytes) public key of the community encoded into a hex string.
+The content topic that the community is advertised on
+MUST be derived from the public key of the community.
+The content topic MUST be the first four bytes of the keccak-256 hash
+of the compressed (33 bytes) public key of the community encoded into a hex string.
 
-```
+```js
 hash = hex(keccak256(encodeToHex(compressedPublicKey)))
 
 topicLen = 4
@@ -310,34 +370,14 @@ for i = 0; i < topicLen; i++ {
 contentTopic = "/waku/1/0x" + topic + "/rfc26"
 ```
 
-#### Community channels/chats
-
-The unique identifier for a community channel/chat is the chat id.
-<!-- Don't enforce any constraints on the unique id generation -->
-The content topic that Community channels/chats use MUST be the hex-encoded keccak-256 hash of the public key of the community concatenated with the chat id.
-
-```
-hash = hex(keccak256(encodeToHex(compressedPublicKey + chatId)))
-
-topicLen = 4
-if len(hash) < topicLen {
-    topicLen = len(hash)
-}
-var topic [4]byte
-for i = 0; i < topicLen; i++ {
-    topic[i] = hash[i]
-}
-
-contentTopic = "/waku/1/0x" + topic + "/rfc26"
-```
-
-
 #### Community event messages
 
-Requests to leave, join, kick and ban, as well as key exchange messages, MUST be sent to the content topic derived from the public key of the community.
-The content topic MUST be the hex-encoded keccak-256 hash of the public key of the community.
+Message such as community description
+MUST be sent to the content topic derived from the public key of the community.
+The content topic
+MUST be the hex-encoded keccak-256 hash of the public key of the community.
 
-```
+```js
 hash = hex(keccak256(encodeToHex(publicKey)))
 
 topicLen = 4
@@ -350,7 +390,54 @@ for i = 0; i < topicLen; i++ {
 }
 
 contentTopic = "/waku/1/0x" + topic + "/rfc26"
-``` 
+```
+
+#### Community Requests
+
+Requests to leave, join, kick and ban, as well as key exchange messages, MUST be sent to the content topic derived from the public key of the community on the common shard.
+
+The content topic
+MUST be the keccak-256 hash of hex-encoded universal chat id (public key appended with fixed string) of the community omitting the first 2 bytes.
+
+```js
+universalChatId = publicKey+"-memberUpdate"
+hash = hex(keccak256(encodeToHex(universalChatId))[2:])
+
+topicLen = 4
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+
+contentTopic = "/waku/1/0x" + topic + "/rfc26"
+```
+
+#### Community Shard Info
+
+If a community is assigned a dedicated shard then the shard info for that community is published on a content topic derived from a specialized key. This is useful for users joining the new community so that they can subscribe to this specific content topic.
+
+```js
+chatID = publicKey+"-shard-info"
+hash = hex(keccak256(encodeToHex(chatID))[2:])
+
+topicLen = 4
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+
+contentTopic = "/waku/1/0x" + topic + "/rfc26"
+```
+
+#### Community channels/chats
+
+All channels/chats shall use a single content-topic which is derived from a universal chat id irrespective of their individual unique chat ids.
 
 ### Community Management
 
@@ -359,84 +446,122 @@ The flows for Community management are as described below.
 #### Community Creation Flow
 
 1. The Community owner generates a public/private key pair.
-2. The Community owner configures the Community metadata, according to the wire format "CommunityDescription".
-3. The Community owner publishes the Community metadata on a content topic derived from the public key of the Community. 
-the Community metadata SHOULD be encrypted with the public key of the Community. <!-- TODO: Verify this-->
-The Community metadata MAY be sent during fixed intervals, to ensure that the Community metadata is available to members.
+2. The Community owner configures the Community metadata,
+according to the wire format "CommunityDescription".
+3. The Community owner publishes the Community metadata on a content topic
+derived from the public key of the Community.
+the Community metadata SHOULD be encrypted with the public key of the Community.
+The Community metadata is sent during fixed intervals,
+to ensure that the Community metadata is available to members.
 The Community metadata SHOULD be sent every time the Community metadata is updated.
-4. The Community owner MAY advertise the Community out of band, by sharing the public key of the Community on other mediums of communication.
+4. The Community owner MAY advertise the Community out of band,
+by sharing the public key of the Community on other mediums of communication.
 
 #### Community Join Flow (peer requests to join a Community)
 
 1. A peer and the Community owner establish a 1:1 chat as described in [55/STATUS-1TO1-CHAT](../55/1to1-chat.md).
-2. The peer requests to join a Community by sending a "CommunityRequestToJoin" message to the Community.
-At this point, the peer MAY send a "CommunityCancelRequestToJoin" message to cancel the request.
+2. The peer requests to join a Community by sending a
+"CommunityRequestToJoin" message to the Community.
+At this point, the peer MAY send a
+"CommunityCancelRequestToJoin" message to cancel the request.
 3. The Community owner MAY accept or reject the request.
-4. If the request is accepted, the Community owner sends a "CommunityRequestToJoinResponse" message to the peer.
-5. The Community owner then adds the member to the Community metadata, and publishes the updated Community metadata.
+4. If the request is accepted,
+the Community owner sends a "CommunityRequestToJoinResponse" message to the peer.
+5. The Community owner then adds the member to the Community metadata, and
+publishes the updated Community metadata.
 
 #### Community Join Flow (peer is invited to join a Community)
 
 1. The Community owner and peer establish a 1:1 chat as described in [55/STATUS-1TO1-CHAT](../55/1to1-chat.md).
-2. The peer is invited to join a Community by the Community owner, by sending a "CommunityInvitation" message.
+2. The peer is invited to join a Community by the Community owner,
+by sending a "CommunityInvitation" message.
 3. The peer decrypts the "CommunityInvitation" message, and verifies the signature.
-4. The peer requests to join a Community by sending a "CommunityRequestToJoin" message to the Community.
+4. The peer requests to join a Community by sending a
+"CommunityRequestToJoin" message to the Community.
 5. The Community owner MAY accept or reject the request.
-6. If the request is accepted, the Community owner sends a "CommunityRequestToJoinResponse" message to the peer.
-7. The Community owner then adds the member to the Community metadata, and publishes the updated Community metadata.
+6. If the request is accepted,
+the Community owner sends a "CommunityRequestToJoinResponse" message to the peer.
+7. The Community owner then adds the member to the Community metadata, and
+publishes the updated Community metadata.
 
 #### Community Leave Flow
 
-1. A member requests to leave a Community by sending a "CommunityRequestToLeave" message to the Community.
+1. A member requests to leave a Community by sending a
+"CommunityRequestToLeave" message to the Community.
 2. The Community owner MAY accept or reject the request.
-3. If the request is accepted, the Community owner removes the member from the Community metadata, and publishes the updated Community metadata.
+3. If the request is accepted,
+the Community owner removes the member from the Community metadata,
+and publishes the updated Community metadata.
 
 #### Community Ban Flow
 
-1. The Community owner adds a member to the ban list, revokes their grants, and publishes the updated Community metadata.
-2. If the Community is Private, Re-keying is performed between the members of the Community, to ensure that the banned member is unable to decrypt any messages.
+1. The Community owner adds a member to the ban list, revokes their grants,
+and publishes the updated Community metadata.
+2. If the Community is Private,
+Re-keying is performed between the members of the Community,
+to ensure that the banned member is unable to decrypt any messages.
 
-### Waku Protocols 
+### Waku Protocols
 
 The following Waku protocols SHOULD be used to implement Status Communities -
 
-1. [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md) - To send and receive messages
-2. [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) - To encrypt and decrypt messages
-3. [54/WAKU2-X3DH-SESSIONS](../../waku/standards/application/54/x3dh-sessions.md) - To handle session keys
-4. [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md) - To wrap community messages in a Waku message
-5. [13/WAKU2-STORE](../../waku/standards/core/13/store.md) - To store and retrieve messages for offline devices
-
+1. [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md) -
+To send and receive messages
+2. [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) -
+To encrypt and decrypt messages
+3. [54/WAKU2-X3DH-SESSIONS](../../waku/standards/application/54/x3dh-sessions.md)-
+To handle session keys
+4. [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md) -
+To wrap community messages in a Waku message
+5. [13/WAKU2-STORE](../../waku/standards/core/13/store.md) -
+To store and retrieve messages for offline devices
 
 The following Waku protocols MAY be used to implement Status Communities -
 
-1. [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md) - Content filtering for resource restricted devices
-2. [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md) - Allows Light clients to participate in the network
+1. [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md) -
+Content filtering for resource restricted devices
+2. [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md) -
+Allows Light clients to participate in the network
 
 ### Backups
 
-The member MAY back up their local settings, by encrypting it with their public key, and sending it to a given content topic.
-The member MAY then rely on this backup to restore their local settings, in case of a data loss.
-This feature relies on [13/WAKU2-STORE](../../waku/standards/core/13/store.md) for storing and retrieving messages.
+The member MAY back up their local settings,
+by encrypting it with their public key, and
+sending it to a given content topic.
+The member MAY then rely on this backup to restore their local settings,
+in case of a data loss.
+This feature relies on
+[13/WAKU2-STORE](../../waku/standards/core/13/store.md)
+for storing and retrieving messages.
 
 ### Clock
 
 The clock used in the wire format refers to the Lamport timestamp of the message.
-The Lamport timestamp is a logical clock that is used to determine the order of events in a distributed system.
-This allows ordering of messages in an asynchronous network where messages may be received out of order.
+The Lamport timestamp is a logical clock that is used to determine the order of events
+in a distributed system.
+This allows ordering of messages in an asynchronous network
+where messages may be received out of order.
 
 ## Security Considerations
 
-1. The Community owner is a single point of failure. If the Community owner is compromised, the Community is compromised.
+1. The Community owner is a single point of failure.
+If the Community owner is compromised, the Community is compromised.
 
-2. Follows the same security considerations as the [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) protocol.
+2. Follows the same security considerations as the
+[53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) protocol.
 
 ## Future work
 
-1. To scale and optimize the Community management, the Community metadata should be stored on a decentralized storage system, and only the references to the Community metadata should be broadcasted. The following document describes this method in more detail - [Optimizing the `CommunityDescription` dissemination](https://hackmd.io/rD1OfIbJQieDe3GQdyCRTw)
+1. To scale and optimize the Community management,
+the Community metadata should be stored on a decentralized storage system, and
+only the references to the Community metadata should be broadcasted.
+The following document describes this method in more detail -
+[Optimizing the `CommunityDescription` dissemination](https://hackmd.io/rD1OfIbJQieDe3GQdyCRTw)
 
 2. Token gating for communities
 
-3. Sharding the content topic used for [#Community Event Messages](#community-event-messages), since members of the community don't need to receive all the control messages.
+3. Sharding the content topic used for [#Community Event Messages](#community-event-messages),
+since members of the community don't need to receive all the control messages.
 
 ## Copyright
 
@@ -455,5 +580,6 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
 - [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md)
 
 ### informative
+
 - [community.go](https://github.com/status-im/status-go/blob/6072bd17ab1e5d9fc42cf844fcb8ad18aa07760c/protocol/communities/community.go)
 - [organisation-channels.md](https://github.com/status-im/specs/blob/403b5ce316a270565023fc6a1f8dec138819f4b0/docs/raw/organisation-channels.md)

status/61/community-history-service.md

@@ -13,16 +13,31 @@ contributors:
 
 ## Abstract
 
-Messages are stored permanently by store nodes ([13/WAKU2-STORE](../../waku/standards/core/13/store.md)) for up to a certain configurable period of time, limited by the overall storage provided by a store node.
-Messages older than that period are no longer provided by store nodes, making it impossible for other nodes to request historical messages that go beyond that time range. 
-This raises issues in the case of Status communities, where recently joined members of a community are not able to request complete message histories of the community channels.
+Messages are stored permanently by store nodes
+([13/WAKU2-STORE](../../waku/standards/core/13/store.md))
+for up to a certain configurable period of time,
+limited by the overall storage provided by a store node.
+Messages older than that period are no longer provided by store nodes,
+making it impossible for other nodes to request historical messages
+that go beyond that time range.
+This raises issues in the case of Status communities,
+where recently joined members of a community
+ are not able to request complete message histories of the community channels.
 
-This specification describes how **Control Nodes** (which are specific nodes in Status communities) archive historical message data of their communities, beyond the time range limit provided by Store Nodes using the [BitTorrent](https://bittorrent.org) protocol.
-It also describes how the archives are distributed to community members via the Status network, so they can fetch them and gain access to a complete message history.
+This specification describes how **Control Nodes**
+(which are specific nodes in Status communities)
+archive historical message data of their communities,
+beyond the time range limit provided by Store Nodes using
+the [BitTorrent](https://bittorrent.org) protocol.
+It also describes how the archives are distributed to community members via
+the Status network,
+so they can fetch them and gain access to a complete message history.
 
 ## Terminology
 
-The following terminology is used throughout this specification. Notice that some actors listed here are nodes that operate in Waku networks only, while others operate in the Status communities layer):
+The following terminology is used throughout this specification.
+Notice that some actors listed here are nodes that operate in Waku networks only,
+while others operate in the Status communities layer):
 
 | Name                 | References |
 | -------------------- | --- |
@@ -43,7 +58,9 @@ The following terminology is used throughout this specification. Notice that som
 
 This specification has the following assumptions:
 
-- Store nodes([13/WAKU2-STORE](../../waku/standards/core/13/store.md)) are available 24/7, ensuring constant live message availability.
+- Store nodes,
+([13/WAKU2-STORE](../../waku/standards/core/13/store.md)),
+ are available 24/7 ensuring constant live message availability.
 - The storage time range limit is 30 days.
 - Store nodes have enough storage to persist historical messages for up to 30 days.
 - No store nodes have storage to persist historical messages older than 30 days.
@@ -52,95 +69,163 @@ This specification has the following assumptions:
 
 Furthermore, it assumes that:
 
-- Control nodes have enough storage to persist historical messages older than 30 days.
+- Control nodes have enough storage to persist historical messages
+older than 30 days.
 - Control nodes provide archives with historical messages **at least** every 30 days.
 - Control nodes receive all community messages.
 - Control nodes are honest.
 - Control nodes know at least one store node from which it can query historical messages.
 
-These assumptions are less than ideal and will be enhanced in future work. This [forum discussion](https://forum.vac.dev/t/status-communities-protocol-and-product-point-of-view/114) provides more details.
+These assumptions are less than ideal and will be enhanced in future work.
+This [forum discussion](https://forum.vac.dev/t/status-communities-protocol-and-product-point-of-view/114)
+provides more details.
 
 ## Overview
 
-The following is a high-level overview of the user flow and features this specification describes. For more detailed descriptions, read the dedicated sections in this specification.
+The following is a high-level overview of the user flow and
+features this specification describes.
+ For more detailed descriptions, read the dedicated sections in this specification.
 
 ### Serving community history archives
 
-Control nodes go through the following (high level) process to provide community members with message histories:
+Control nodes go through the following
+(high level) process to provide community members with message histories:
 
-1. Community owner creates a Status community (previously known as [org channels](https://github.com/status-im/specs/pull/151)) which makes its node a Control node.
-2. Community owner enables message archive capabilities (on by default but can be turned off as well - see [UI feature spec](https://github.com/status-im/feature-specs/pull/36)).
-3. A special type of channel to exchange metadata about the archival data is created, this channel is not visible in the user interface.
+1. Community owner creates a Status community
+(previously known as [org channels](https://github.com/status-im/specs/pull/151))
+which makes its node a Control node.
+2. Community owner enables message archive capabilities
+(on by default but can be turned off as well - see [UI feature spec](https://github.com/status-im/feature-specs/pull/36)).
+3. A special type of channel to exchange metadata about the archival data is created,
+this channel is not visible in the user interface.
 4. Community owner invites community members.
-5. Control node receives messages published in channels and stores them into a local database.
-6. After 7 days, the control node exports and compresses last 7 days worth of messages from database and bundles it together with a [message archive index](#waku-message-archive-index) into a torrent, from which it then creates a magnet link ([Magnet URI scheme](https://en.wikipedia.org/wiki/Magnet_URI_scheme), [Extensions for Peers to Send Metadata Files](https://www.bittorrent.org/beps/bep_0009.html)). 
-7. Control node sends the magnet link created in step 6 to community members via special channel created in step 3 through the Waku network.
-8. Every subsequent 7 days, steps 6 and 7 are repeated and the new message archive data is appended to the previously created message archive data.
+5. Control node receives messages published in channels and
+stores them into a local database.
+6. After 7 days, the control node exports and
+compresses last 7 days worth of messages from database and
+bundles it together with a
+[message archive index](#wakumessagearchiveindex) into a torrent,
+from which it then creates a magnet link ([Magnet URI scheme](https://en.wikipedia.org/wiki/Magnet_URI_scheme),
+[Extensions for Peers to Send Metadata Files](https://www.bittorrent.org/beps/bep_0009.html)).
+7. Control node sends the magnet link created in step 6 to community members via
+special channel created in step 3 through the Waku network.
+8. Every subsequent 7 days,
+steps 6 and 7 are repeated and
+the new message archive data
+is appended to the previously created message archive data.
 
 ### Serving archives for missed messages
 
-If the control node goes offline (where "offline" means, the control node's main process is no longer running), it MUST go through the following process:
+If the control node goes offline
+(where "offline" means, the control node's main process is no longer running),
+it MUST go through the following process:
 
 1. Control node restarts
-2. Control node requests messages from store nodes for the missed time range for all channels in their community
+2. Control node requests messages from store nodes
+for the missed time range for all channels in their community
 3. All missed messages are stored into control node's local message database
-4. If 7 or more days have elapsed since the last message history torrent was created, the control node will perform step 6 and 7 of [Serving community history archives](#serving-community-history-archives) for every 7 days worth of messages in the missed time range (e.g. if the node was offline for 30 days, it will create 4 message history archives)
+4. If 7 or more days have elapsed since the last message history torrent was created,
+the control node will perform step 6 and
+7 of [Serving community history archives](#serving-community-history-archives)
+for every 7 days worth of messages in the missed time range
+(e.g. if the node was offline for 30 days, it will create 4 message history archives)
 
 ### Receiving community history archives
 
-Community member nodes go through the following (high level) process to fetch and restore community message histories:
+Community member nodes go through the following (high level) process to fetch and
+restore community message histories:
 
 1. User joins community and becomes community member (see [org channels spec](../56/communities.md))
-2. By joining a community, member nodes automatically subscribe to special channel for message archive metadata exchange provided by the community
-3. Member node requests live message history (last 30 days) of all the community channels including the special channel from store nodes
-4. Member node receives Waku message ([14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md)) that contains the metadata magnet link from the special channel
-5. Member node extracts the magnet link from the Waku message and passes it to torrent client
-6. Member node downloads [message archive index](#message-history-archive-index) file and determines which message archives are not downloaded yet (all or some)
+2. By joining a community,
+member nodes automatically subscribe to special channel for
+message archive metadata exchange provided by the community
+3. Member node requests live message history
+(last 30 days) of all the community channels,
+including the special channel from store nodes
+4. Member node receives Waku message
+([14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md))
+that contains the metadata magnet link from the special channel
+5. Member node extracts the magnet link from the Waku message and
+passes it to torrent client
+6. Member node downloads
+[message archive index](#message-history-archive-index) file and
+determines which message archives are not downloaded yet (all or some)
 7. Member node fetches missing message archive data via torrent
-8. Member node unpacks and decompresses message archive data to then hydrate its local database, deleting any messages for that community that the database previously stored in the same time range as covered by the message history archive
+8. Member node unpacks and
+decompresses message archive data to then hydrate its local database,
+deleting any messages,
+for that community that the database previously stored in the same time range,
+as covered by the message history archive
 
 ## Storing live messages
 
 For archival data serving, the control node MUST store live messages as [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md).
-This is in addition to their database of application messages. 
-This is required to provide confidentiality, authenticity, and integrity of message data distributed via the BitTorrent layer, and later validated by community members when they unpack message history archives.
+This is in addition to their database of application messages.
+This is required to provide confidentiality, authenticity,
+and integrity of message data distributed via the BitTorrent layer, and
+later validated by community members when they unpack message history archives.
 
-Control nodes SHOULD remove those messages from their local databases once they are older than 30 days and after they have been turned into message archives and distributed to the BitTorrent network.
+Control nodes SHOULD remove those messages from their local databases
+once they are older than 30 days and
+after they have been turned into message archives and
+distributed to the BitTorrent network.
 
 ### Exporting messages for bundling
 
-Control nodes export Waku messages from their local database for creating and bundling history archives using the following criteria:
+Control nodes export Waku messages from their local database for creating and
+bundling history archives using the following criteria:
 
-- Waku messages to be exported MUST have a `contentTopic` that match any of the topics of the community channels
-- Waku messages to be exported MUST have a `timestamp` that lies within a time range of 7 days
+- Waku messages to be exported MUST have a `contentTopic`
+that match any of the topics of the community channels
+- Waku messages to be exported MUST have a `timestamp`
+that lies within a time range of 7 days
 
-The `timestamp` is determined by the context in which the control node attempts to create a message history archives as described below:
+The `timestamp` is determined by the context in which the control node attempts
+to create a message history archives as described below:
 
-1. The control node attempts to create an archive periodically for the past seven days (including the current day). In this case, the `timestamp` has to lie within those 7 days.
-2. The control node has been offline (control node's main process has stopped and needs restart) and attempts to create archives for all the live messages it has missed since it went offline. In this case, the `timestamp` has to lie within the day the latest message was received and the current day.
+1. The control node attempts to create an archive periodically
+for the past seven days (including the current day).
+In this case, the `timestamp` has to lie within those 7 days.
+2. The control node has been offline
+(control node's main process has stopped and needs restart) and
+attempts to create archives for all the live messages it has missed
+since it went offline.
+In this case,
+the `timestamp` has to lie within the day the latest message was received and
+the current day.
 
-Exported messages MUST be restored as [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md) for bundling. Waku messages that are older than 30 days and have been exported for bundling can be removed from the control node's database (control nodes still maintain a database of application messages).
+Exported messages MUST be restored as
+[14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md) for bundling.
+Waku messages that are older than 30 days and
+have been exported for bundling can be removed from the control node's database
+(control nodes still maintain a database of application messages).
 
 ## Message history archives
 
-Message history archives are represented as `WakuMessageArchive` and created from Waku messages exported from the local database. 
+Message history archives are represented as `WakuMessageArchive` and
+created from Waku messages exported from the local database.
 Message history archives are implemented using the following protocol buffer.
 
 ### WakuMessageHistoryArchive
 
 The `from` field SHOULD contain a timestamp of the time range's lower bound.
-The type parallels the `timestamp` of [WakuMessage](../../waku/standards/core/14/message.md/#payloads).
+The type parallels the `timestamp` of [WakuMessage](../../waku/standards/core/14/message.md/).
 
 The `to` field SHOULD contain a timestamp of the time range's the higher bound.
 
 The `contentTopic` field MUST contain a list of all communiity channel topics.
 
-The `messages` field MUST contain all messages that belong into the archive given its `from`, `to` and `contentTopic` fields.
+The `messages` field MUST contain all messages that belong into the archive
+given its `from`, `to` and `contentTopic` fields.
 
-The `padding` field MUST contain the amount of zero bytes needed so that the overall byte size of the protobuf encoded `WakuMessageArchive` is a multiple of the `pieceLength` used to divide the message archive data into pieces.
-This is needed for seamless encoding and decoding of archival data in interation with BitTorrent as explained in [creating message archive torrents](#creating-message-archive-torrents).
+The `padding` field MUST contain the amount of zero bytes needed so
+that the overall byte size of the protobuf encoded `WakuMessageArchive`
+is a multiple of the `pieceLength` used to divide the message archive data into pieces.
+This is needed for seamless encoding and
+decoding of archival data in interation with BitTorrent,
+as explained in [creating message archive torrents](#creating-message-archive-torrents).
 
-```
+```protobuf
 syntax = "proto3"
 
 message WakuMessageArchiveMetadata {
@@ -158,21 +243,32 @@ message WakuMessageArchive {
 }
 ```
 
-## Message history archive index
+## Message History Archive Index
 
 Control nodes MUST provide message archives for the entire community history.
-The entirey history consists of a set of `WakuMessageArchive`'s where each archive contains a subset of historical `WakuMessage`s for a time range of seven days. 
-All the `WakuMessageArchive`s are concatenated into a single file as a byte string (see [Ensuring reproducible data pieces](#ensuring-reproducible-data-pieces)).
+The entirey history consists of a set of `WakuMessageArchive`'s
+where each archive contains a subset of historical `WakuMessage`s
+for a time range of seven days.
+All the `WakuMessageArchive`s are concatenated into a single file as a byte string
+(see [Ensuring reproducible data pieces](#ensuring-reproducible-data-pieces)).
 
-Control nodes MUST create a message history archive index (`WakuMessageArchiveIndex`) with metadata that allows receiving nodes to only fetch the message history archives they are interested in.
+Control nodes MUST create a message history archive index
+(`WakuMessageArchiveIndex`) with metadata that allows receiving nodes
+to only fetch the message history archives they are interested in.
 
 ### WakuMessageArchiveIndex
 
-A `WakuMessageArchiveIndex` is a map where the key is the KECCAK-256 hash of the `WakuMessageArchiveIndexMetadata` derived from a 7-day archive and the value is an instance of that `WakuMessageArchiveIndexMetadata` corresponding to that archive.
+A `WakuMessageArchiveIndex` is a map where the key is the KECCAK-256 hash of
+the `WakuMessageArchiveIndexMetadata` derived from a 7-day archive and
+the value is an instance of that `WakuMessageArchiveIndexMetadata`
+corresponding to that archive.
 
-The `offset` field MUST contain the position at which the message history archive starts in the byte string of the total message archive data. This MUST be the sum of the length of all previously created message archives in bytes (see [Creating message archive torrents](#creating-message-archive-torrents)).
+The `offset` field MUST contain the position at which the message history archive
+starts in the byte string of the total message archive data.
+This MUST be the sum of the length of all previously created message archives
+in bytes (see [Creating message archive torrents](#creating-message-archive-torrents)).
 
-```
+```protobuf
 syntax = "proto3"
 
 message WakuMessageArchiveIndexMetadata {
@@ -187,45 +283,67 @@ message WakuMessageArchiveIndex {
 }
 ```
 
-The control node MUST update the `WakuMessageArchiveIndex` every time it creates one or more `WakuMessageArchive`s and bundle it into a new torrent.
-For every created `WakuMessageArchive`, there MUST be a `WakuMessageArchiveIndexMetadata` entry in the `archives` field `WakuMessageArchiveIndex`.
+The control node MUST update the `WakuMessageArchiveIndex`
+every time it creates one or
+more `WakuMessageArchive`s and bundle it into a new torrent.
+For every created `WakuMessageArchive`,
+there MUST be a `WakuMessageArchiveIndexMetadata` entry in the `archives` field `WakuMessageArchiveIndex`.
 
-# Creating message archive torrents
+## Creating message archive torrents
 
-Control nodes MUST create a torrent file ("torrent") containing metadata to all message history archives.
-To create a torrent file, and later serve the message archive data in the BitTorrent network, control nodes MUST store the necessary data in dedicated files on the file system.
+Control nodes MUST create a torrent file ("torrent")
+containing metadata to all message history archives.
+To create a torrent file, and
+later serve the message archive data in the BitTorrent network,
+control nodes MUST store the necessary data in dedicated files on the file system.
 
 A torrent's source folder MUST contain the following two files:
 
-- `data` - Contains all protobuf encoded `WakuMessageArchive`'s (as bit strings) concatenated in ascending order based on their time
+- `data` - Contains all protobuf encoded `WakuMessageArchive`'s (as bit strings)
+concatenated in ascending order based on their time
 - `index` - Contains the protobuf encoded `WakuMessageArchiveIndex`
 
-Control nodes SHOULD store these files in a dedicated folder that is identifiable via the community id.
+Control nodes SHOULD store these files in a dedicated folder that is identifiable,
+via the community id.
 
 ### Ensuring reproducible data pieces
 
-The control node MUST ensure that the byte string resulting from the protobuf encoded `data` is equal to the byte string `data` from the previously generated message archive torrent, plus the data of the latest 7 days worth of messages encoded as `WakuMessageArchive`.
+The control node MUST ensure that the byte string resulting from
+the protobuf encoded `data` is equal to the byte string `data`
+from the previously generated message archive torrent,
+plus the data of the latest 7 days worth of messages encoded as `WakuMessageArchive`.
 Therefore, the size of `data` grows every seven days as it's append only.
 
-The control nodes also MUST ensure that the byte size of every individual `WakuMessageArchive` encoded protobuf is a multiple of `pieceLength: ???` (**TODO**) using the `padding` field.
-If the protobuf encoded 'WakuMessageArchive` is not a multiple of `pieceLength`, its `padding` field MUST be filled with zero bytes and the `WakuMessageArchive` MUST be re-encoded until its size becomes multiple of `pieceLength`.
+The control nodes also MUST ensure that the byte size of every individual `WakuMessageArchive`
+encoded protobuf is a multiple of `pieceLength: ???` (**TODO**)
+using the `padding` field.
+If the protobuf encoded `WakuMessageArchive` is not a multiple of `pieceLength`,
+its `padding` field MUST be filled with zero bytes and
+the `WakuMessageArchive` MUST be re-encoded until its size becomes multiple of `pieceLength`.
 
-This is necessary because the content of the `data` file will be split into pieces of `pieceLength` when the torrent file is created, and the SHA1 hash of every piece is then stored in the torrent file and later used by other nodes to request the data for each individual data piece.
+This is necessary because the content of the `data` file
+will be split into pieces of `pieceLength` when the torrent file is created,
+and the SHA1 hash of every piece is then stored in the torrent file and
+later used by other nodes to request the data for each individual data piece.
 
-By fitting message archives into a multiple of `pieceLength` and ensuring they fill possible remaining space with zero bytes, control nodes prevent the **next** message archive to occupy that remaining space of the last piece, which will result in a different SHA1 hash for that piece.
+By fitting message archives into a multiple of `pieceLength` and
+ensuring they fill possible remaining space with zero bytes,
+control nodes prevent the **next** message archive to
+occupy that remaining space of the last piece,
+ which will result in a different SHA1 hash for that piece.
 
 #### **Example: Without padding**
 
 Let `WakuMessageArchive` "A1" be of size 20 bytes:
 
-```
+```json
  0 11 22 33 44 55 66 77 88 99
 10 11 12 13 14 15 16 17 18 19 
 ```
 
 With a `pieceLength` of 10 bytes, A1 will fit into `20 / 10 = 2` pieces:
 
-```
+```json
  0 11 22 33 44 55 66 77 88 99 // piece[0] SHA1: 0x123
 10 11 12 13 14 15 16 17 18 19 // piece[1] SHA1: 0x456
 ```
@@ -234,32 +352,37 @@ With a `pieceLength` of 10 bytes, A1 will fit into `20 / 10 = 2` pieces:
 
 Let `WakuMessageArchive` "A2" be of size 21 bytes:
 
-```
+```json
  0 11 22 33 44 55 66 77 88 99
 10 11 12 13 14 15 16 17 18 19
 20
 ```
 
-With a `pieceLength` of 10 bytes, A2 will fit into `21 / 10 = 2` pieces. The remainder will introduce a third piece:
+With a `pieceLength` of 10 bytes, A2 will fit into `21 / 10 = 2` pieces.
+The remainder will introduce a third piece:
 
-```
+```json
  0 11 22 33 44 55 66 77 88 99 // piece[0] SHA1: 0x123
 10 11 12 13 14 15 16 17 18 19 // piece[1] SHA1: 0x456
 20                            // piece[2] SHA1: 0x789
 ```
 
-The next `WakuMessageArchive` "A3" will be appended ("#3") to the existing data and occupy the remaining space of the third data piece. The piece at index 2 will now produce a different SHA1 hash:
+The next `WakuMessageArchive` "A3" will be appended ("#3") to the existing data
+and occupy the remaining space of the third data piece.
+The piece at index 2 will now produce a different SHA1 hash:
 
-```
+```json
  0 11 22 33 44 55 66 77 88 99 // piece[0] SHA1: 0x123
 10 11 12 13 14 15 16 17 18 19 // piece[1] SHA1: 0x456
 20 #3 #3 #3 #3 #3 #3 #3 #3 #3 // piece[2] SHA1: 0xeef
 #3 #3 #3 #3 #3 #3 #3 #3 #3 #3 // piece[3]
 ```
 
-By filling up the remaining space of the third piece with A2 using its `padding` field, it is guaranteed that its SHA1 will stay the same:
+By filling up the remaining space of the third piece
+with A2 using its `padding` field,
+ it is guaranteed that its SHA1 will stay the same:
 
-```
+```json
  0 11 22 33 44 55 66 77 88 99 // piece[0] SHA1: 0x123
 10 11 12 13 14 15 16 17 18 19 // piece[1] SHA1: 0x456
 20  0  0  0  0  0  0  0  0  0 // piece[2] SHA1: 0x999
@@ -269,82 +392,144 @@ By filling up the remaining space of the third piece with A2 using its `padding`
 
 ### Seeding message history archives
 
-The control node MUST seed the [generated torrent](#creating-message-archive-torrents) until a new `WakuMessageArchive` is created.
+The control node MUST seed the
+[generated torrent](#creating-message-archive-torrents)
+until a new `WakuMessageArchive` is created.
 
-The control node SHOULD NOT seed torrents for older message history archives. Only one torrent at a time should be seeded.
+The control node SHOULD NOT seed torrents for older message history archives.
+Only one torrent at a time should be seeded.
 
 ### Creating magnet links
 
-Once a torrent file for all message archives is created, the control node MUST derive a magnet link following the [Magnet URI scheme](https://en.wikipedia.org/wiki/Magnet_URI_scheme) using the underlying BitTorrent protocol client.
+Once a torrent file for all message archives is created,
+the control node MUST derive a magnet link following the
+[Magnet URI scheme](https://en.wikipedia.org/wiki/Magnet_URI_scheme)
+using the underlying BitTorrent protocol client.
 
 ### Message archive distribution
 
-Message archives are available via the BitTorrent network as they are being [seeded by the control node](#seeding-message-history-archives).
-Other community member nodes will download the message archives from the BitTorrent network once they receive a magnet link that contains a message archive index.
+Message archives are available via the BitTorrent network as they are being
+[seeded by the control node](#seeding-message-history-archives).
+Other community member nodes will download the message archives
+from the BitTorrent network once they receive a magnet link
+that contains a message archive index.
 
-The control node MUST send magnet links containing message archives and the message archive index to a special community channel. 
+The control node MUST send magnet links containing message archives and
+the message archive index to a special community channel.
 The topic of that special channel follows the following format:
 
-```
+```text
 /{application-name}/{version-of-the-application}/{content-topic-name}/{encoding}
 ```
 
-All messages sent with this topic MUST be instances of `ApplicationMetadataMessage` ([62/STATUS-PAYLOAD](../62/payload.md)) with a `payload` of `CommunityMessageArchiveIndex`.
+All messages sent with this topic MUST be instances of `ApplicationMetadataMessage`
+([62/STATUS-PAYLOADS](../62/payloads.md)) with a `payload` of `CommunityMessageArchiveIndex`.
 
-Only the control node MAY post to the special channel. Other messages on this specified channel MUST be ignored by clients.
+Only the control node MAY post to the special channel.
+Other messages on this specified channel MUST be ignored by clients.
 Community members MUST NOT have permission to send messages to the special channel.
-However, community member nodes MUST subscribe to special channel to receive Waku messages containing magnet links for message archives.
+However, community member nodes MUST subscribe to special channel
+to receive Waku messages containing magnet links for message archives.
 
 ### Canonical message histories
 
-Only control nodes are allowed to distribute messages with magnet links via the special channel for magnet link exchange.
+Only control nodes are allowed to distribute messages with magnet links via
+the special channel for magnet link exchange.
 Community members MUST NOT be allowed to post any messages to the special channel.
 
-Status nodes MUST ensure that any message that isn't signed by the control node in the special channel is ignored.
+Status nodes MUST ensure that any message
+that isn't signed by the control node in the special channel is ignored.
 
-Since the magnet links are created from the control node's database (and previously distributed archives), the message history provided by the control node becomes the canonical message history and single source of truth for the community.
+Since the magnet links are created from the control node's database
+(and previously distributed archives),
+the message history provided by the control node becomes the canonical message history
+and single source of truth for the community.
 
-Community member nodes MUST replace messages in their local databases with the messages extracted from archives within the same time range.
-Messages that the control node didn't receive  MUST be removed and are no longer part of the message history of interest, even if it already existed in a community member node's database.
+Community member nodes MUST replace messages in their local databases
+with the messages extracted from archives within the same time range.
+Messages that the control node didn't receive MUST be removed and
+are no longer part of the message history of interest,
+even if it already existed in a community member node's database.
 
 ## Fetching message history archives
 
 Generally, fetching message history archives is a three step process:
 
-1. Receive [message archive index](#message-history-archive-index) magnet link as described in [Message archive distribution], download `index` file from torrent, then determine which message archives to download
+1. Receive [message archive index](#message-history-archive-index)
+magnet link as described in [Message archive distribution],
+download `index` file from torrent, then determine which message archives to download
 2. Download individual archives
 
-Community member nodes subscribe to the special channel that control nodes publish magnet links for message history archives to. 
-There are two scenarios in which member nodes can receive such a magnet link message from the special channel:
+Community member nodes subscribe to the special channel
+that control nodes publish magnet links for message history archives to.
+There are two scenarios in which member nodes can receive such a magnet link message
+from the special channel:
 
-1. The member node receives it via live messages, by listening to the special channel 
-2. The member node requests messages for a time range of up to 30 days from store nodes (this is the case when a new community member joins a community)
+1. The member node receives it via live messages, by listening to the special channel
+2. The member node requests messages for a time range of up to 30 days
+from store nodes (this is the case when a new community member joins a community)
 
 ### Downloading message archives
-When member nodes receive a message with a `CommunityMessageHistoryArchive` ([62/STATUS-PAYLOAD](../62/payload.md)) from the aforementioned channnel, they MUST extract the `magnet_uri` and pass it to their underlying BitTorrent client so they can fetch the latest message history archive index, which is the `index` file of the torrent (see [Creating message archive torrents](#creating-message-archive-torrents)).
 
-Due to the nature of distributed systems, there's no guarantee that a received message is the "last" message. This is especially true when member nodes request historical messages from store nodes. 
+When member nodes receive a message with a `CommunityMessageHistoryArchive`
+([62/STATUS-PAYLOADS](../62/payloads.md)) from the aforementioned channnel,
+they MUST extract the `magnet_uri` and
+pass it to their underlying BitTorrent client
+so they can fetch the latest message history archive index,
+which is the `index` file of the torrent (see [Creating message archive torrents](#creating-message-archive-torrents)).
 
-Therefore, member nodes MUST wait for 20 seconds after receiving the last `CommunityMessageArchive` before they start extracting the magnet link to fetch the latest archive index.
+Due to the nature of distributed systems,
+there's no guarantee that a received message is the "last" message.
+This is especially true
+when member nodes request historical messages from store nodes.
 
-Once a message history archive index is downloaded and parsed back into `WakuMessageArchiveIndex`, community member nodes use a local lookup table to determine which of the listed archives are missing using the KECCAK-256 hashes stored in the index.
+Therefore, member nodes MUST wait for 20 seconds
+after receiving the last `CommunityMessageArchive`
+before they start extracting the magnet link to fetch the latest archive index.
 
-For this lookup to work, member nodes MUST store the KECCAK-256 hashes of the `WakuMessageArchiveIndexMetadata` provided by the `index` file for all of the message history archives that have been downlaoded in their local database.
+Once a message history archive index is downloaded and
+parsed back into `WakuMessageArchiveIndex`,
+community member nodes use a local lookup table
+to determine which of the listed archives are missing
+using the KECCAK-256 hashes stored in the index.
 
-Given a `WakuMessageArchiveIndex`, member nodes can access individual `WakuMessageArchiveIndexMetadata` to download individual archives.
+For this lookup to work,
+member nodes MUST store the KECCAK-256 hashes
+of the `WakuMessageArchiveIndexMetadata` provided by the `index` file
+for all of the message history archives that have been downlaoded
+in their local database.
+
+Given a `WakuMessageArchiveIndex`,
+member nodes can access individual `WakuMessageArchiveIndexMetadata`
+to download individual archives.
 
 Community member nodes MUST choose one of the following options:
 
-1. **Download all archives** - Request and download all data pieces for `data` provided by the torrent (this is the case for new community member nodes that haven't downloaded any archives yet)
-2. **Download only the latest archive** - Request and download all pieces starting at the `offset` of the latest `WakuMessageArchiveIndexMetadata` (this the case for any member node that already has downloaded all previous history and is now interested in only the latst archive)
-3. **Download specific archives** - Look into `from` and `to` fields of every `WakuMessageArchiveIndexMetadata` and determine the pieces for archives of a specific time range (can be the case for member nodes that have recently joined the network and are only interested in a subset of the complete history)
+1. **Download all archives** - Request and
+download all data pieces for `data` provided by the torrent
+(this is the case for new community member nodes
+that haven't downloaded any archives yet)
+2. **Download only the latest archive** -
+Request and download all pieces starting at the `offset` of the latest `WakuMessageArchiveIndexMetadata`
+(this the case for any member node
+that already has downloaded all previous history and
+is now interested in only the latst archive)
+3. **Download specific archives** -
+Look into `from` and
+`to` fields of every `WakuMessageArchiveIndexMetadata` and
+determine the pieces for archives of a specific time range
+(can be the case for member nodes that have recently joined the network and
+are only interested in a subset of the complete history)
 
 ### Storing historical messages
 
-When message archives are fetched, community member nodes MUST unwrap the resulting `WakuMessage` instances into `ApplicationMetadataMessage` instances and store them in their local database.
+When message archives are fetched,
+community member nodes MUST unwrap the resulting `WakuMessage` instances
+into `ApplicationMetadataMessage` instances and store them in their local database.
 Community member nodes SHOULD NOT store the wrapped `WakuMessage` messages.
 
-All message within the same time range MUST be replaced with the messages provided by the message history archive.
+All message within the same time range
+MUST be replaced with the messages provided by the message history archive.
 
 Community members nodes MUST ignore the expiration state of each archive message.
 
@@ -354,39 +539,58 @@ The following are things to cosider when implementing this specification.
 
 ## Control node honesty
 
-This spec assumes that all control nodes are honest and behave according to the spec. Meaning they don't inject their own messages into, or remove any messages from historic archives.
+This spec assumes that all control nodes are honest and behave according to the spec.
+Meaning they don't inject their own messages into, or
+remove any messages from historic archives.
 
 ## Bandwidth consumption
 
-Community member nodes will download the latest archive they've received from the archive index, which includes messages from the last seven days. Assuming that community members nodes were online for that time range, they have already downloaded that message data and will now download an archive that contains the same.
+Community member nodes will download the latest archive
+they've received from the archive index,
+which includes messages from the last seven days.
+Assuming that community members nodes were online for that time range,
+they have already downloaded that message data and
+will now download an archive that contains the same.
 
-This means there's a possibility member nodes will download the same data at least twice.
+This means there's a possibility member nodes
+will download the same data at least twice.
 
 ## Multiple community owners
 
-It is possible for control nodes to export the private key of their owned community and pass it to other users so they become control nodes as well.
+It is possible for control nodes
+to export the private key of their owned community and
+pass it to other users so they become control nodes as well.
 This means, it's possible for multiple control nodes to exist.
 
-This might conflict with the assumption that the control node serves as a single source of thruth. Multiple control nodes can have different message histories.
+This might conflict with the assumption that the control node
+serves as a single source of thruth.
+Multiple control nodes can have different message histories.
 
-Not only will multiple control nodes multiply the amount of archive index messages being distributed to the network, they might also contain different sets of magnet links and their corresponding hashes.
+Not only will multiple control nodes
+multiply the amount of archive index messages being distributed to the network,
+they might also contain different sets of magnet links and their corresponding hashes.
 
-Even if just a single message is missing in one of the histories, the hashes presented in archive indices will look completely different, resulting in the community member node to download the corresponding archive (which might be identical to an archive that was already downloaded, except for that one message).
+Even if just a single message is missing in one of the histories,
+the hashes presented in archive indices will look completely different,
+resulting in the community member node to download the corresponding archive
+(which might be identical to an archive that was already downloaded,
+except for that one message).
 
 ## Copyright
 
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
 
 ## References
-* [13/WAKU2-STORE](../../waku/standards/core/13/store.md)
-* [BitTorrent](https://bittorrent.org)
-* [10/WAKU2](../../waku/standards/core/10/waku2.md)
-* [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md)
-* [Magnet URI scheme](https://en.wikipedia.org/wiki/Magnet_URI_scheme)
-* [forum discussion](https://forum.vac.dev/t/status-communities-protocol-and-product-point-of-view/114)
-* [org channels](https://github.com/status-im/specs/pull/151)
-* [UI feature spec](https://github.com/status-im/feature-specs/pull/36)
-* [Extensions for Peers to Send Metadata Files](https://www.bittorrent.org/beps/bep_0009.html)
-* [org channels spec](../56/communities.md)
-* [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md)
-* [62/STATUS-PAYLOAD](../62/payload.md)
+
+- [13/WAKU2-STORE](../../waku/standards/core/13/store.md)
+- [BitTorrent](https://bittorrent.org)
+- [10/WAKU2](../../waku/standards/core/10/waku2.md)
+- [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md)
+- [Magnet URI scheme](https://en.wikipedia.org/wiki/Magnet_URI_scheme)
+- [forum discussion](https://forum.vac.dev/t/status-communities-protocol-and-product-point-of-view/114)
+- [org channels](https://github.com/status-im/specs/pull/151)
+- [UI feature spec](https://github.com/status-im/feature-specs/pull/36)
+- [Extensions for Peers to Send Metadata Files](https://www.bittorrent.org/beps/bep_0009.html)
+- [org channels spec](../56/communities.md)
+- [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md)
+- [62/STATUS-PAYLOADS](../62/payloads.md)

status/62/payloads.md

@@ -1,8 +1,9 @@
 ---
 slug: 62
-title: 62/STATUS-Payloads
+title: 62/STATUS-PAYLOADS
 name: Status Message Payloads
 status: draft
+description: Describes the payload of each message in Status.
 editor: r4bbit <r4bbit@status.im>
 contributors: 
 - Adam Babik <adam@status.im>
@@ -35,9 +36,13 @@ message StatusProtocolMessage {
 }
 ```
 
-`signature` is the bytes of the signed `SHA3-256` of the payload, signed with the key of the author of the message.
-The node needs the signature to validate authorship of the message, so that the message can be relayed to third parties.
-If a signature is not present, but an author is provided by a layer below, the message is not to be relayed to third parties, and it is considered plausibly deniable.
+`signature` is the bytes of the signed `SHA3-256` of the payload,
+signed with the key of the author of the message.
+The node needs the signature to validate authorship of the message,
+so that the message can be relayed to third parties.
+If a signature is not present, but an author is provided by a layer below,
+the message is not to be relayed to third parties,
+and it is considered plausibly deniable.
 
 ### Encoding
 
@@ -49,7 +54,7 @@ The node encodes the payload using [Protobuf](https://developers.google.com/prot
 
 The type `ChatMessage` represents a chat message exchanged between clients.
 
-#### Payload
+Payload
 
 The protobuf description is:
 
@@ -134,7 +139,7 @@ message ChatMessage {
 | 5 | ens_name | `string` | The ENS name of the user sending the message |
 | 6 | chat_id | `string` | The local ID of the chat the message is sent to |
 | 7 | message_type | `MessageType` | The type of message, different for one-to-one, public or group chats |
-| 8 | content_type | `ContentType` | The type of the content of the message | 
+| 8 | content_type | `ContentType` | The type of the content of the message |
 | 9 | payload | `Sticker` I `Image` I `Audio` I `DiscordMessage` I `bytes` I nil` | The payload of the message based on the content type |
 | 13 | grant | `bytes` | Grant for community chat messages |
 | 14 | display_name | `string` | The message author's display name |
@@ -143,12 +148,15 @@ message ChatMessage {
 
 #### Content types
 
-A node requires content types for a proper interpretation of incoming messages. Not each message is plain text but may carry different information.
+A node requires content types for a proper interpretation of incoming messages.
+Not each message is plain text but may carry different information.
 
 The following content types MUST be supported:
+
 * `TEXT_PLAIN` identifies a message which content is a plaintext.
 
 There are other content types that MAY be implemented by the client:
+
 * `STICKER`
 * `STATUS`
 * `EMOJI`
@@ -160,19 +168,29 @@ There are other content types that MAY be implemented by the client:
 * `DISCORD_MESSAGE`
 * `IDENTITY_VERIFICATION`
 
-##### Mentions 
+##### Mentions
 
-A mention MUST be represented as a string with the `@0xpk` format, where `pk` is the public key of the [user account](https://specs.status.im/spec/2) to be mentioned, within the `text` field of a message with content_type `TEXT_PLAIN`.
+A mention MUST be represented as a string with the `@0xpk` format,
+where `pk` is the public key of the
+[user account](https://specs.status.im/spec/2) to be mentioned,
+within the `text` field of a message with content_type `TEXT_PLAIN`.
 A message MAY contain more than one mention.
-This specification RECOMMENDs that the application does not require the user to enter the entire pk. 
-This specification RECOMMENDs that the application allows the user to create a mention by typing @ followed by the related ENS or 3-word pseudonym.
-This specification RECOMMENDs that the application provides the user auto-completion functionality to create a mention.
-For better user experience, the client SHOULD display a known [ens name or the 3-word pseudonym corresponding to the key](https://specs.status.im/spec/2#contact-verification) instead of the `pk`.
+This specification RECOMMENDs that the application
+does not require the user to enter the entire pk.
+This specification RECOMMENDs that the application
+allows the user to create a mention by typing @ followed by the related ENS or
+3-word pseudonym.
+This specification RECOMMENDs that the application
+provides the user auto-completion functionality to create a mention.
+For better user experience,
+the client SHOULD display a known
+[ens name or the 3-word pseudonym corresponding to the key](https://specs.status.im/spec/2#contact-verification)
+instead of the `pk`.
 
 ##### Sticker content type
 
-A `ChatMessage` with `STICKER` `Content/Type` MUST also specify the ID of the `Pack` and 
-the `Hash` of the pack, in the `Sticker` field of `ChatMessage`
+A `ChatMessage` with `STICKER` `Content/Type` MUST also specify the ID of the `Pack`
+and the `Hash` of the pack, in the `Sticker` field of `ChatMessage`
 
 ```protobuf
 message StickerMessage {
@@ -183,15 +201,17 @@ message StickerMessage {
 
 ##### Image content type
 
-A `ChatMessage` with `IMAGE` `Content/Type` MUST also specify the `payload` of the image
-and the `type`.
+A `ChatMessage` with `IMAGE` `Content/Type` MUST also
+specify the `payload` of the image and the `type`.
 
-Clients MUST sanitize the payload before accessing its content, in particular: 
-- Clients MUST choose a secure decoder
-- Clients SHOULD strip metadata if present without parsing/decoding it
-- Clients SHOULD NOT add metadata/exif when sending an image file for privacy and security reasons
-- Clients MUST make sure that the transport layer constraints the size of the payload to limit they are able to handle securely
+Clients MUST sanitize the payload before accessing its content, in particular:
 
+* Clients MUST choose a secure decoder
+* Clients SHOULD strip metadata if present without parsing/decoding it
+* Clients SHOULD NOT add metadata/exif when sending an image file for privacy
+and security reasons
+* Clients MUST make sure that the transport layer constraints the size of the payload
+to limit they are able to handle securely
 
 ```protobuf
 message ImageMessage {
@@ -209,14 +229,18 @@ message ImageMessage {
 
 ##### Audio content type
 
-A `ChatMessage` with `AUDIO` `Content/Type` MUST also specify the `payload` of the audio,
+A `ChatMessage` with `AUDIO`,
+`Content/Type` MUST also specify the `payload` of the audio,
 the `type` and the duration in milliseconds (`duration_ms`).
 
-Clients MUST sanitize the payload before accessing its content, in particular: 
-- Clients MUST choose a secure decoder
-- Clients SHOULD strip metadata if present without parsing/decoding it
-- Clients SHOULD NOT add metadata/exif when sending an audio file for privacy and security reasons
-- Clients MUST make sure that the transport layer constraints the size of the payload to limit they are able to handle securely
+Clients MUST sanitize the payload before accessing its content, in particular:
+
+* Clients MUST choose a secure decoder
+* Clients SHOULD strip metadata if present without parsing/decoding it
+* Clients SHOULD NOT add metadata/exif when sending an audio file for privacy
+and security reasons
+* Clients MUST make sure that the transport layer constraints the size
+of the payload to limit they are able to handle securely
 
 ```protobuf
 message AudioMessage {
@@ -231,11 +255,13 @@ message AudioMessage {
 
 ##### Community content type
 
-A `ChatMessage` with `COMMUNITY` `Content/Type` MUST also specify the `payload` of the community as bytes from a [CommunityDescription](#communitydescription).
+A `ChatMessage` with `COMMUNITY` `Content/Type`,
+MUST also specify the `payload` of the community as bytes from a [CommunityDescription](#communitydescription).
 
 ##### DiscordMessage content type
 
-A `ChatMessage` with `DISCORD_MESSAGE` `Content/Type` MUST also specify the `payload` of the `DiscordMessage`.
+A `ChatMessage` with `DISCORD_MESSAGE` `Content/Type`,
+MUST also specify the `payload` of the `DiscordMessage`.
 
 ```protobuf
 message DiscordMessage {
@@ -279,13 +305,16 @@ message DiscordMessageAttachment {
 
 #### Message types
 
-A node requires message types to decide how to encrypt a particular message and what metadata needs to be attached when passing a message to the transport layer.
+A node requires message types to decide how to encrypt a particular message and
+what metadata needs to be attached when passing a message to the transport layer.
 For more on this, see [10/WAKU2](../../waku/standards/core/10/waku2.md).
 
-<!-- TODO: This reference is a bit odd, considering the layer payloads should interact with is Secure Transport, and not Whisper/Waku. This requires more detail -->
-
+<!-- TODO: This reference is a bit odd,
+considering the layer payloads should interact with is Secure Transport, and
+not Whisper/Waku. This requires more detail -->
 
 The following messages types MUST be supported:
+
 * `ONE_TO_ONE` is a message to the public group
 * `PUBLIC_GROUP` is a private message
 * `PRIVATE_GROUP` is a message to the private group.
@@ -307,34 +336,56 @@ enum MessageType {
 
 #### Clock vs Timestamp and message ordering
 
-If a user sends a new message before the messages sent while the user was offline are received, the new message is supposed to be displayed last in a chat.
-This is where the basic algorithm of Lamport timestamp would fall short as it's only meant to order causally related events.
+If a user sends a new message,
+before the messages sent while the user was offline are received,
+the new message is supposed to be displayed last in a chat.
+This is where the basic algorithm of Lamport timestamp would fall short as
+it's only meant to order causally related events.
 
-The status client therefore makes a "bid", speculating that it will beat the current chat-timestamp, s.t. the status client's Lamport timestamp format is: `clock = `max({timestamp}, chat_clock + 1)`
+The status client therefore makes a "bid",
+speculating that it will beat the current chat-timestamp,
+s.t. the status client's Lamport timestamp format is:
+`clock = max({timestamp}, chat_clock + 1)`
 
 This will satisfy the Lamport requirement, namely: a -> b then T(a) < T(b)
 
-`timestamp` MUST be Unix time calculated, when the node creates the message, in milliseconds. 
+`timestamp` MUST be Unix time calculated, when the node creates the message,
+in milliseconds.
 This field SHOULD not be relied upon for message ordering.
 
-`clock` SHOULD be calculated using the algorithm of [Lamport timestamps](https://en.wikipedia.org/wiki/Lamport_timestamps). 
-When there are messages available in a chat, the node calculates `clock`'s value based on the last received message in a particular chat: `max(timeNowInMs, last-message-clock-value + 1)`. 
+`clock` SHOULD be calculated using the algorithm of
+[Lamport timestamps](https://en.wikipedia.org/wiki/Lamport_timestamps).
+When there are messages available in a chat,
+the node calculates `clock`'s value
+based on the last received message in a particular chat:
+`max(timeNowInMs, last-message-clock-value + 1)`.
 If there are no messages, `clock` is initialized with `timestamp`'s value.
 
-Messages with a `clock` greater than `120` seconds over the Whisper/Waku timestamp SHOULD be discarded, in order to avoid malicious users to increase the `clock` of a chat arbitrarily.
+Messages with a `clock` greater than `120` seconds over the Whisper/Waku timestamp
+SHOULD be discarded,
+in order to avoid malicious users to increase the `clock` of a chat arbitrarily.
 
-Messages with a `clock` less than `120` seconds under the Whisper/Waku timestamp might indicate an attempt to insert messages in the chat history which is not distinguishable from a `datasync` layer re-transit event. 
+Messages with a `clock` less than `120` seconds under the Whisper/Waku timestamp
+might indicate an attempt to insert messages in the chat history,
+which is not distinguishable from a `datasync` layer re-transit event.
 A client MAY mark this messages with a warning to the user, or discard them.
 
-The node uses `clock` value for the message ordering. The algorithm used, and the distributed nature of the system produces casual ordering, which might produce counter-intuitive results in some edge cases. 
-For example, when a user joins a public chat and sends a message before receiving the exist messages, their message `clock` value might be lower and the message will end up in the past when the historical messages are fetched.
+The node uses `clock` value for the message ordering.
+The algorithm used, and
+the distributed nature of the system produces casual ordering,
+which might produce counter-intuitive results in some edge cases.
+For example, when a user joins a public chat and
+sends a message before receiving the exist messages,
+their message `clock` value might be lower and
+the message will end up in the past when the historical messages are fetched.
 
 #### Chats
 
-Chat is a structure that helps organize messages. 
-It's usually desired to display messages only from a single recipient, or a group of recipients at a time and chats help to achieve that.
+Chat is a structure that helps organize messages.
+It's usually desired to display messages only from a single recipient,
+or a group of recipients at a time and chats help to achieve that.
 
-All incoming messages can be matched against a chat. 
+All incoming messages can be matched against a chat.
 The below table describes how to calculate a chat ID for each message type.
 
 |Message Type|Chat ID Calculation|Direction|Comment|
@@ -347,7 +398,9 @@ The below table describes how to calculate a chat ID for each message type.
 
 ### ContactUpdate
 
-`ContactUpdate` is a message exchange to notify peers that either the user has been added as a contact, or that information about the sending user have changed.
+`ContactUpdate` is a message exchange to notify peers
+that either the user has been added as a contact, or
+that information about the sending user have changed.
 
 ```protobuf
 message ContactUpdate {
@@ -368,7 +421,7 @@ message ContactRequestPropagatedState {
 }
 ```
 
-#### Payload
+#### Payload Fields
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
@@ -384,31 +437,38 @@ message ContactRequestPropagatedState {
 
 A client SHOULD send a `ContactUpdate` to all the contacts each time:
 
-- The ens_name has changed
-- A user edits the profile image
+* The ens_name has changed
+* A user edits the profile image
 
-A client SHOULD also periodically send a `ContactUpdate` to all the contacts, the interval is up to the client, the Status official client sends these updates every 48 hours.
+A client SHOULD also periodically send a `ContactUpdate` to all the contacts,
+the interval is up to the client,
+the Status official client sends these updates every 48 hours.
 
 ### EmojiReaction
 
-`EmojiReaction`s represents a user's "reaction" to a specific chat message. 
+`EmojiReaction`s represents a user's "reaction" to a specific chat message.
 For more information about the concept of emoji reactions see [Facebook Reactions](https://en.wikipedia.org/wiki/Facebook_like_button#Use_on_Facebook).
 
-This specification RECOMMENDS that the UI/UX implementation of sending `EmojiReactions` requires only a single click operation, as users have an expectation that emoji reactions are effortless and simple to perform.  
+This specification RECOMMENDS that the UI/UX implementation of sending `EmojiReactions`
+requires only a single click operation,
+as users have an expectation that emoji reactions are effortless
+and simple to perform.  
 
 ```protobuf
 message EmojiReaction {
   // clock Lamport timestamp of the chat message
   uint64 clock = 1;
 
-  // chat_id the ID of the chat the message belongs to, for query efficiency the chat_id is stored in the db even though the
+  // chat_id the ID of the chat the message belongs to, for query efficiency the
+  // chat_id is stored in the db even though the
   // target message also stores the chat_id
   string chat_id = 2;
 
   // message_id the ID of the target message that the user wishes to react to
   string message_id = 3;
 
-  // message_type is (somewhat confusingly) the ID of the type of chat the message belongs to
+  // message_type 
+  // is (somewhat confusingly) the ID of the type of chat the message belongs to
   MessageType message_type = 4;
 
   // type the ID of the emoji the user wishes to react with
@@ -431,20 +491,23 @@ message EmojiReaction {
 
 Clients MUST specify `clock`, `chat_id`, `message_id`, `type` and `message_type`.
 
-This specification RECOMMENDS that the UI/UX implementation of retracting an `EmojiReaction`s requires only a single click operation, as users have an expectation that emoji reaction removals are effortless and simple to perform.  
+This specification RECOMMENDS that the UI/UX implementation of retracting an `EmojiReaction`s
+requires only a single click operation,
+as users have an expectation that emoji reaction removals are effortless and
+ simple to perform.  
 
 ### MembershipUpdateMessage and MembershipUpdateEvent
 
-`MembershipUpdateEvent` is a message used to propagate information about group membership changes in a group chat.
+`MembershipUpdateEvent` is a message used to propagate information
+about group membership changes in a group chat.
 The details are in the [Group chats specs](../56/communities.md).
 
-
 ```protobuf
 message MembershipUpdateMessage {
   // The chat id of the private group chat
   string chat_id = 1;
-  // A list of events for this group chat, first x bytes are the signature, then is a 
-  // protobuf encoded MembershipUpdateEvent
+  // A list of events for this group chat, first x bytes are the signature, 
+  // then is a protobuf encoded MembershipUpdateEvent
   repeated bytes events = 2;
 
   // An optional chat message
@@ -483,7 +546,7 @@ message MembershipUpdateEvent {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
@@ -496,7 +559,8 @@ A `MembershipUpdateMessage` includes either a `ChatMessage` or `EmojiReaction`.
 
 ### SyncInstallationContactV2
 
-The node uses `SyncInstallationContact` messages to synchronize in a best-effort the contacts to other devices.
+The node uses `SyncInstallationContact` messages to synchronize
+in a best-effort the contacts to other devices.
 
 ```protobuf
 message SyncInstallationContactV2 {
@@ -522,16 +586,15 @@ message SyncInstallationContactV2 {
 }
 ```
 
-
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | last_updated_locally | `uint64` | Timestamp of last local update | 
+| 1 | last_updated_locally | `uint64` | Timestamp of last local update |
 | 2 | id | `string` | id of the contact synced |
 | 3 | profile_image | `string` |  `base64` encoded profile picture of the user |
 | 4 | ens_name | `string` | ENS name of the contact |
-| 5 | `array[string]` | Array of `system_tags` for the user, this can currently be: `":contact/added", ":contact/blocked", ":contact/request-received"`|
+| 5 | |`array[string]` | Array of `system_tags` for the user, this can currently be: `":contact/added", ":contact/blocked", ":contact/request-received"` |
 | 7 | local_nickname | `string` | Local display name of the contact |
 | 9 | added | `bool` | Wether the contact is added |
 | 10 | blocked | `bool` | Wether the contact is blocked |
@@ -547,7 +610,8 @@ message SyncInstallationContactV2 {
 
 ### SyncInstallationPublicChat
 
-The node uses `SyncInstallationPublicChat` message to synchronize in a best-effort the public chats to other devices.
+The node uses `SyncInstallationPublicChat` message to synchronize
+in a best-effort the public chats to other devices.
 
 ```protobuf
 message SyncInstallationPublicChat {
@@ -556,16 +620,17 @@ message SyncInstallationPublicChat {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | clock value of the chat | 
+| 1 | clock | `uint64` | clock value of the chat |
 | 2 | id | `string` | id of the chat synced |
 
 ### SyncPairInstallation
 
-The node uses `PairInstallation` messages to propagate information about a device to its paired devices.
+The node uses `PairInstallation` messages to propagate information
+about a device to its paired devices.
 
 ```protobuf
 message SyncPairInstallation {
@@ -578,18 +643,19 @@ message SyncPairInstallation {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | clock value of the chat | 
+| 1 | clock | `uint64` | clock value of the chat |
 | 2| installation_id | `string` | A randomly generated id that identifies this device |
 | 3 | device_type | `string` | The OS of the device `ios`,`android` or `desktop` |
 | 4 | name | `string` | The self-assigned name of the device |
 
 ### ChatIdentity
 
-`ChatIdentity` represents the user defined identity associated with their public chat key.
+`ChatIdentity` represents the user defined identity associated
+with their public chat key.
 
 ```protobuf
 message ChatIdentity {
@@ -601,18 +667,19 @@ message ChatIdentity {
   string color = 6;
   string emoji = 7;
   repeated SocialLink social_links = 8;
-  // first known message timestamp in seconds (valid only for community chats for now)
+  // first known message timestamp in seconds 
+  // (valid only for community chats for now)
   // 0 - unknown
   // 1 - no messages
   uint32 first_message_timestamp = 9;
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2| ens_name | `string` | A valid ENS associated with the chat key |
 | 3 | images | `map<string, IdentityImage>` | Image data associated with the chat key |
 | 4 | display_name | `string` | The self-assigned display_name of the chat key |
@@ -624,8 +691,8 @@ message ChatIdentity {
 
 ### CommunityDescription
 
-`CommunityDescription` represents a community metadata that is used to discover communities and share community updates.
-
+`CommunityDescription` represents a community metadata
+that is used to discover communities and share community updates.
 
 ```protobuf
 message CommunityDescription {
@@ -670,17 +737,20 @@ message CommunityPermissions {
   }
 
   bool ens_only = 1;
-  // https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md is a candidate for the algorithm to be used in case we want to have private communityal chats, lighter than pairwise encryption using the DR, less secure, but more efficient for large number of participants
+  // https://gitlab.matrix.org/matrix-org/olm/blob/master/docs/megolm.md is a 
+  // candidate for the algorithm to be used in case we want to have private 
+  // communityal chats, lighter than pairwise encryption using the DR, less secure,
+  // but more efficient for large number of participants
   bool private = 2;
   Access access = 3;
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2| members | `map<string, CommunityMember>` | The members of the community |
 | 3 | permissions | `CommunityPermissions` | Image data associated with the chat key |
 | 4 | display_name | `string` | The self-assigned display_name of the chat key |
@@ -692,9 +762,11 @@ message CommunityPermissions {
 
 ### CommunityRequestToJoin
 
-A `CommunityRequestToJoin` represents a request to join a community, sent by a user that is not yet a member of that community. 
+A `CommunityRequestToJoin` represents a request to join a community,
+sent by a user that is not yet a member of that community.
 A request to join a community includes a list of `RevealedAccount`.
-These are wallet addresses that users are willing to reveal with the community's control node and admins.
+These are wallet addresses that users are willing to reveal
+with the community's control node and admins.
 
 ```protobuf
 message CommunityRequestToJoin {
@@ -714,11 +786,11 @@ message RevealedAccount {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2| ens_name | `string` | The ENS of the user sending the request |
 | 3 | chat_id | `string` | The id of the chat to request access to |
 | 4 | community_id | `bytes` | The public key of the community |
@@ -727,7 +799,8 @@ message RevealedAccount {
 
 ### PinMessage
 
-A `PinMessage` is a signal that tells a client that a specific message has to be marked as pinned.
+A `PinMessage` is a signal that tells a client that a specific message
+has to be marked as pinned.
 
 ```protobuf
 message PinMessage {
@@ -739,22 +812,20 @@ message PinMessage {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2| message_id | `string` | The id of the message to be pinned |
 | 3 | chat_id | `string` | The id of the chat of the message to be pinned |
 | 4 | pinned | `bool` | Whether the message should be pinned or unpinned |
 | 5 | message_type | `MessageType` | The type of message (public/one-to-one/private-group-chat) |
 
-
 ### EditMessage
 
 A `EditMessage` represents an update to an existing message.
 
-
 ```protobuf
 message EditMessage {
   uint64 clock = 1;
@@ -773,11 +844,11 @@ message EditMessage {
 
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2| text | `string` | The updated message text |
 | 3 | chat_id | `string` | The id of the chat of the message |
 | 4 | message_id | `string` | The id of the message to be edited |
@@ -786,10 +857,10 @@ message EditMessage {
 | 7 | content_type | `ChatMessage.ContentType` | The updated content type of the message  |
 | 8 | unfurled_links | `array<UnfurledLink>` | Updated link metadata  |
 
-
 ### DeleteMessage
 
-A `DeleteMessage` represents a signal to delete a message from the local database of a client.
+A `DeleteMessage` represents a signal to delete a message
+from the local database of a client.
 
 ```protobuf
 message DeleteMessage {
@@ -808,21 +879,21 @@ message DeleteMessage {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | chat_id | `string` | The id of the chat of the message |
 | 3 | message_id | `string` | The id of the message to delete |
 | 4 | grant | `bytes` | A grant for a community edit messages  |
 | 5 | message_type | `MessageType` | The type of message  |
 | 6 | deleted_by | `string` | The public key of the user who deleted the message |
 
-
 ### CommunityMessageArchiveLink
 
-A `CommunityMessageArchiveLink` contains a magnet uri for a community's message archive, created using [61/STATUS-Community-History-Archives](../61/community-history-service.md).
+A `CommunityMessageArchiveLink` contains a magnet uri for a community's message archive,
+created using [61/STATUS-Community-History-Archives](../61/community-history-service.md).
 
 ```protobuf
 message CommunityMessageArchiveMagnetlink {
@@ -831,11 +902,11 @@ message CommunityMessageArchiveMagnetlink {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | magnet_uri | `string` | The magnet uri of the community archive torrent |
 
 ### AcceptContactRequest
@@ -850,16 +921,17 @@ message AcceptContactRequest {
 
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
 | 1 | id | `string` | The id of the contact request |
-| 2 | clock | `uint64` | Clock value of the message | 
+| 2 | clock | `uint64` | Clock value of the message |
 
 ### RetractContactRequest
 
-A `RetractContractRequest` message signals to the reiver of a request that the request was retracted.
+A `RetractContractRequest` message signals to the reiver, of a request,
+that the request was retracted.
 
 ```protobuf
 message RetractContactRequest {
@@ -869,12 +941,12 @@ message RetractContactRequest {
 
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
 | 1 | id | `string` | The id of the contact request |
-| 2 | clock | `uint64` | Clock value of the message | 
+| 2 | clock | `uint64` | Clock value of the message |
 
 ### CommunityRequestToJoinResponse
 
@@ -891,11 +963,11 @@ message CommunityRequestToJoinResponse {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | community | `CommunityDescription` | The community metadata |
 | 3 | accepted | `bool` | Whether the request was accepted |
 | 4 | grant | `bytes` | The grant |
@@ -904,7 +976,8 @@ message CommunityRequestToJoinResponse {
 
 ### CommunityRequestToLeave
 
-A `CommunityRequestToLeave` represents a signal to a community that a user wants to be removed from the community's member list.
+A `CommunityRequestToLeave` represents a signal to a community
+that a user wants to be removed from the community's member list.
 
 ```protobuf
 message CommunityRequestToLeave {
@@ -912,17 +985,19 @@ message CommunityRequestToLeave {
   bytes community_id = 2;
 }
 ```
-#### Payload
+
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | community_id | `bytes` | The id of the community |
 
-
 ### RequestContactVerification
 
-A `RequestContactVerification` is a request to verify a contact using a "challenge", which can by any string message and typically involves questions that only the contact should know.
+A `RequestContactVerification` is a request to verify a contact using a "challenge",
+which can by any string message and
+typically involves questions that only the contact should know.
 
 ```protobuf
 message RequestContactVerification {
@@ -930,17 +1005,18 @@ message RequestContactVerification {
   string challenge = 3;
 }
 ```
-#### Payload
+
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | challenge | `string` | The challenge message used for verification |
 
 ### AcceptContactVerification
 
-A `AcceptContactVerification` signals that a verification request was accepted and includes a response to the challenge.
-
+A `AcceptContactVerification` signals that a verification request was accepted and
+includes a response to the challenge.
 
 ```protobuf
 message AcceptContactVerification {
@@ -950,11 +1026,11 @@ message AcceptContactVerification {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | id | `string` | The verification request id |
 | 3 | response | `string` | The response for the challenge |
 
@@ -969,11 +1045,11 @@ message DeclineContactVerification {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | id | `string` | The verification request id |
 
 ### CancelContactVerification
@@ -987,14 +1063,13 @@ message CancelContactVerification {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | id | `string` | The verification request id |
 
-
 ### CommunityCancelRequestToJoin
 
 A `CommunityCancelRequestToJoin` cancels a pending request to join.
@@ -1009,11 +1084,11 @@ message CommunityCancelRequestToJoin {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | ens_name | `string` | The ENS name of the account cancelling the request |
 | 3 | chat_id | `string` | The id of the chat |
 | 4 | community_id | `bytes` | The id of the community |
@@ -1021,7 +1096,8 @@ message CommunityCancelRequestToJoin {
 
 ### CommunityEditSharedAddresses
 
-A `CommunityEditSharedAddresses` message allows users to edit the shared accounts they've revealed when requesting to join a community.
+A `CommunityEditSharedAddresses` message allows users to edit the shared accounts
+they've revealed when requesting to join a community.
 
 ```protobuf
 message CommunityEditSharedAddresses {
@@ -1031,11 +1107,11 @@ message CommunityEditSharedAddresses {
 }
 ```
 
-#### Payload
+Payload
 
 | Field | Name | Type | Description |
 | ----- | ---- | ---- | ---- |
-| 1 | clock | `uint64` | Clock value of the message | 
+| 1 | clock | `uint64` | Clock value of the message |
 | 2 | community_id | `bytes` | The id of the community |
 | 3 | revealed_accounts | `array<RevealedAccount>` | A list of revealed accounts |
 
@@ -1043,33 +1119,32 @@ message CommunityEditSharedAddresses {
 
 There are two ways to upgrade the protocol without breaking compatibility:
 
-- A node always supports accretion
-- A node does not support deletion of existing fields or messages, which might break compatibility
+* A node always supports accretion
+* A node does not support deletion of existing fields or messages,
+which might break compatibility
 
 ## Security Considerations
 
--
-
 ## Changelog
 
 ### Version 0.5
 
 Released [August 25, 2020](https://github.com/status-im/specs/commit/968fafff23cdfc67589b34dd64015de29aaf41f0)
 
-- Added support for emoji reactions
+* Added support for emoji reactions
 
 ### Version 0.4
 
 Released [July 16, 2020](https://github.com/status-im/specs/commit/ad45cd5fed3c0f79dfa472253a404f670dd47396)
 
-- Added support for images
-- Added support for audio
+* Added support for images
+* Added support for audio
 
 ### Version 0.3
 
 Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
 
-- Added language to include Waku in all relevant places
+* Added language to include Waku in all relevant places
 
 ## Copyright
 

status/63/keycard-usage.md

@@ -5,14 +5,16 @@ name: Status Keycard Usage
 status: draft
 category: Standards Track
 description: Describes how an application can use the Status Keycard to create, store and transact with different account addresses.
-editor: Aaryamann Challani <aaryamann@status.im>
+editor: Aaryamann Challani <p1ge0nh8er@proton.me>
 contributors:
   - Jimmy Debe <jimmy@status.im>
 ---
 
 ## Terminology
 
-- **Account**: A valid [BIP-32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki) compliant key.
+- **Account**: A valid
+[BIP-32](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)
+compliant key.
 - **Multiaccount**: An account from which multiple Accounts can be derived.
 
 ## Abstract
@@ -28,8 +30,11 @@ More documentation on the Status Keycard can be found [here](https://keycard.tec
 
 ## Motivation
 
-The Status Keycard is a hardware wallet that can be used to store and sign transactions.
-For the purpose of the Status App, this specification describes how the Keycard SHOULD be used to store and sign transactions.
+The Status Keycard is a hardware wallet that can be used to store and
+sign transactions.
+For the purpose of the Status App,
+this specification describes how the Keycard SHOULD be used to store and
+sign transactions.
 
 ## Usage
 
@@ -40,7 +45,7 @@ For the purpose of the Status App, this specification describes how the Keycard
 To initialize the keycard for use with the application.
 The keycard is locked with a 6 digit pin.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -48,7 +53,7 @@ The keycard is locked with a 6 digit pin.
 }
 ```
 
-#### Response wire format
+Response wire format
 
 ```json
 {
@@ -65,18 +70,19 @@ The application SHOULD provide a way to recover the keycard in case the pin is f
 
 To fetch if the keycard is ready to be used by the application.
 
-#### Request wire format
+Request wire format
 
 The requester MAY add a `pairing` field to filter through the generated keys
+
 ```json
 {
   "pairing": <shared_secret>/<pairing_index>/<256_bit_salt> OR null
 }
 ```
 
-#### Response wire format
+Response wire format
 
-##### If the keycard is not initialized yet
+#### If the keycard is not initialized yet
 
 ```json
 {
@@ -84,7 +90,7 @@ The requester MAY add a `pairing` field to filter through the generated keys
 }
 ```
 
-##### If the keycard is initialized
+#### If the keycard is initialized
 
 ```json
 {
@@ -101,9 +107,10 @@ The requester MAY add a `pairing` field to filter through the generated keys
 
 ### 3. Pairing the Keycard to the Client device (`/pair`)
 
-To establish a secure communication channel described [here](https://keycard.tech/docs/apdu/opensecurechannel.html), the keycard and the client device need to be paired.
+To establish a secure communication channel described [here](https://keycard.tech/docs/apdu/opensecurechannel.html),
+the keycard and the client device need to be paired.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -111,7 +118,7 @@ To establish a secure communication channel described [here](https://keycard.tec
 }
 ```
 
-#### Response wire format
+Response wire format
 
 ```json
 "<shared_secret>/<pairing_index>/<256_bit_salt>"
@@ -121,7 +128,7 @@ To establish a secure communication channel described [here](https://keycard.tec
 
 To generate a new set of keys and load them onto the keycard.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -131,7 +138,7 @@ To generate a new set of keys and load them onto the keycard.
 }
 ```
 
-#### Response wire format
+Response wire format
 
 ```json
 {
@@ -154,7 +161,7 @@ To generate a new set of keys and load them onto the keycard.
 
 To fetch the keys that are currently loaded on the keycard.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -163,7 +170,7 @@ To fetch the keys that are currently loaded on the keycard.
 }
 ```
 
-#### Response wire format
+Response wire format
 
 ```json
 {
@@ -184,9 +191,10 @@ To fetch the keys that are currently loaded on the keycard.
 
 ### 6. Sign a transaction (`/sign`)
 
-To sign a transaction using the keycard, passing in the pairing information and the transaction to be signed.
+To sign a transaction using the keycard, passing in the pairing information and
+the transaction to be signed.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -197,7 +205,7 @@ To sign a transaction using the keycard, passing in the pairing information and
 }
 ```
 
-#### Response wire format
+Response wire format
 
 ```json
 <256_bit_signature>
@@ -205,9 +213,10 @@ To sign a transaction using the keycard, passing in the pairing information and
 
 ### 7. Export a key (`/export-key`)
 
-To export a key from the keycard, passing in the pairing information and the path to the key to be exported.
+To export a key from the keycard, passing in the pairing information and
+the path to the key to be exported.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -217,17 +226,17 @@ To export a key from the keycard, passing in the pairing information and the pat
 }
 ```
 
-#### Response wire format
+Response wire format
 
 ```json
 <256_bit_public_key>
-``` 
+```
 
 ### 8. Verify a pin (`/verify-pin`)
 
 To verify the pin of the keycard.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -235,22 +244,22 @@ To verify the pin of the keycard.
 }
 ```
 
-#### Response wire format
+Response wire format
 
 ```json
 1_digit_status_code
 ```
 
 Status code reference:
+
 - 3: PIN is valid
 <!--TODO: what are the other status codes?-->
 
-
 ### 9. Change the pin (`/change-pin`)
 
 To change the pin of the keycard.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -260,15 +269,15 @@ To change the pin of the keycard.
 }
 ```
 
-#### Response wire format
+Response wire format
 
-##### If the operation was successful
+#### If the operation was successful
 
 ```json
 true
 ```
 
-##### If the operation was unsuccessful
+#### If the operation was unsuccessful
 
 ```json
 false
@@ -276,9 +285,10 @@ false
 
 ### 10. Unblock the keycard (`/unblock-pin`)
 
-If the Keycard is blocked due to too many incorrect pin attempts, it can be unblocked using the PUK.
+If the Keycard is blocked due to too many incorrect pin attempts,
+it can be unblocked using the PUK.
 
-#### Request wire format
+Request wire format
 
 ```json
 {
@@ -288,15 +298,15 @@ If the Keycard is blocked due to too many incorrect pin attempts, it can be unbl
 }
 ```
 
-#### Response wire format
+Response wire format
 
-##### If the operation was successful
+If the operation was successful
 
 ```json
 true
 ```
 
-##### If the operation was unsuccessful
+If the operation was unsuccessful
 
 ```json
 false
@@ -304,7 +314,8 @@ false
 
 ## Flows
 
-Any application that uses the Status Keycard MAY implement the following flows according to the actions listed above.
+Any application that uses the Status Keycard
+MAY implement the following flows according to the actions listed above.
 
 ### 1. A new user wants to use the Keycard with the application
 
@@ -335,7 +346,6 @@ Any application that uses the Status Keycard MAY implement the following flows a
 
 1. The user unblocks the Keycard using the `/unblock-pin` endpoint.
 
-
 ## Security Considerations
 
 Inherits the security considerations of [Status Keycard](https://keycard.tech/docs/)
@@ -344,7 +354,6 @@ Inherits the security considerations of [Status Keycard](https://keycard.tech/do
 
 Inherits the privacy considerations of [Status Keycard](https://keycard.tech/docs/)
 
-
 ## Copyright
 
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

status/65/account-address.md

@@ -5,7 +5,7 @@ name: Status Account Address
 status: draft
 category: Standards Track
 description: Details of what a Status account address is and how account addresses are created and used.
-editor: Aaryamann Challani <aaryamann@status.im>
+editor: Aaryamann Challani <p1ge0nh8er@proton.me>
 contributors:
 - Corey Petty <corey@status.im>
 - Oskar Thorén <oskarth@titanproxy.com>
@@ -14,42 +14,64 @@ contributors:
 
 ## Abstract
 
-This specification details what a Status account address is and how account addresses are created and used.
+This specification details what a Status account address is and
+how account addresses are created and used.
 
 ## Background
 
-The core concept of an account in Status is a set of cryptographic keypairs. Namely, the combination of the following:
+The core concept of an account in Status is a set of cryptographic keypairs.
+Namely, the combination of the following:
+
 1. a Waku chat identity keypair
 1. a set of cryptocurrency wallet keypairs
 
-The Status node verifies or derives everything else associated with the contact from the above items, including:
+The Status node verifies or
+derives everything else associated with the contact from the above items, including:
+
 - Ethereum address (future verification, currently the same base keypair)
 - identicon
 - message signatures
 
 ## Initial Key Generation
-### Public/Private Keypairs 
-- An ECDSA (secp256k1 curve) public/private keypair MUST be generated via a [BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki) derived path from a [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) mnemonic seed phrase.
+
+### Public/Private Keypairs
+
+- An ECDSA (secp256k1 curve) public/private keypair MUST be generated via a
+[BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki)
+derived path from a
+[BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)
+mnemonic seed phrase.
+
 - The default paths are defined as such:
-    - Waku Chat Key (`IK`): `m/43'/60'/1581'/0'/0`  (post Multiaccount integration)
-        - following [EIP1581](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1581.md)
-    - Status Wallet paths: `m/44'/60'/0'/0/i` starting at `i=0`
-        - following [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)
-        - NOTE: this (`i=0`) is also the current (and only) path for Waku key before Multiaccount integration
+  - Waku Chat Key (`IK`): `m/43'/60'/1581'/0'/0`  (post Multiaccount integration)
+    - following [EIP1581](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1581.md)
+  - Status Wallet paths: `m/44'/60'/0'/0/i` starting at `i=0`
+    - following [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)
+    - NOTE: this (`i=0`) is also the current (and only)
+    path for Waku key before Multiaccount integration
 
 ## Account Broadcasting
-- A user is responsible for broadcasting certain information publicly so that others may contact them.
+
+- A user is responsible for broadcasting certain information publicly so
+that others may contact them.
 
 ### X3DH Prekey bundles
-- Refer to [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) for details on the X3DH prekey bundle broadcasting, as well as regeneration.
+
+- Refer to [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md)
+for details on the X3DH prekey bundle broadcasting, as well as regeneration.
 
 ## Optional Account additions
 
 ### ENS Username
-- A user MAY register a public username on the Ethereum Name System (ENS).  This username is a user-chosen subdomain of the `stateofus.eth` ENS registration that maps to their Waku identity key (`IK`). 
+
+- A user MAY register a public username on the Ethereum Name System (ENS).
+This username is a user-chosen subdomain of the `stateofus.eth`
+ENS registration that maps to their Waku identity key (`IK`).
 
 ### User Profile Picture
-- An account MAY edit the `IK` generated identicon with a chosen picture.  This picture will become part of the publicly broadcasted profile of the account.
+
+- An account MAY edit the `IK` generated identicon with a chosen picture.
+This picture will become part of the publicly broadcasted profile of the account.
 
 <!-- TODO: Elaborate on wallet account and multiaccount -->
 
@@ -88,11 +110,14 @@ message MultiAccount {
 }
 ```
 
-The above payload is broadcasted when 2 devices that belong to a user need to be paired.
+The above payload is broadcasted when 2 devices
+that belong to a user need to be paired.
 
 ## Security Considerations
 
-- This specification inherits security considerations of [53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) and [54/WAKU2-X3DH-SESSIONS](../../waku/standards/application/54/x3dh-sessions.md).
+- This specification inherits security considerations of
+[53/WAKU2-X3DH](../../waku/standards/application/53/x3dh.md) and
+[54/WAKU2-X3DH-SESSIONS](../../waku/standards/application/54/x3dh-sessions.md).
 
 ## Copyright
 

status/71/push-notification-server.md

@@ -11,27 +11,40 @@ contributors:
 ---
 
 ## Abstract
-A push notification server implementation for IOS devices and Android devices. 
-This specification provides a set of methods that allow clients to use push notification services in mobile environments.
+
+A push notification server implementation for IOS devices and Android devices.
+This specification provides a set of methods that allow clients
+to use push notification services in mobile environments.
 
 ## Background
-Push notification for iOS and Android devices can only be implemented by relying on 
-[APN](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1), 
-Apple Push Notification, service for iOS or 
-[Firebase](https://firebase.google.com/) for Android. 
 
-For some Android devices, foreground services are restricted, requiring a user to grant authorization to applications to use foreground notifications. 
-Apple iOS devices restrict notifications to a few internal functions that every application can not use. 
-Applications on iOS can request execution time when they are in the background. This has a limited set of use cases for example, 
-it will not schedule any time if the application was closed with force quit. 
-Requesting execution time is not responsive enough to implement a push notification system. 
+Push notification for iOS and
+Android devices can only be implemented by relying on
+[APN](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1),
+Apple Push Notification, service for iOS or
+[Firebase](https://firebase.google.com/) for Android.
+
+For some Android devices, foreground services are restricted,
+requiring a user to grant authorization to applications
+to use foreground notifications.
+Apple iOS devices restrict notifications to
+a few internal functions that every application can not use.
+Applications on iOS can request execution time when they are in the background.
+This has a limited set of use cases for example,
+it will not schedule any time if the application was closed with force quit.
+Requesting execution time is not responsive enough to
+implement a push notification system.
 Status provides a set of methods to acheive push notification services.
 
-Since this can not be safely implemented in a privacy-preserving manner, clients need to be given an option to opt-in to receive and send push notifications. 
+Since this can not be safely implemented in a privacy-preserving manner,
+clients need to be given an option to opt-in to receive and send push notifications.
 They are disabled by default.
 
 ## Specification
-The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+
+The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”,
+“SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and
+“OPTIONAL” in this document are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
 
 ### Definitions
 
@@ -42,8 +55,7 @@ The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
 | server | A service that performs push notifications. |
 | Waku-Store | A Waku node that decides to provide functionality to store messages permanently and deliver the messages to requesting clients. As described in [13/WAKU-STORE](../../waku/standards/core/13/store.md) specification.|
 
-
-### Server Components 
+### Server Components
 
 | Components | Description |
 | --------------- | --------- |
@@ -52,37 +64,45 @@ The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
 | Registering Client | A client that wants to receive push notifications. |
 | Sending Client | A client that wants to send push notifications. |
 
+### Requirements
 
-### Requirements:
-
-The party releasing the app MUST possess a certificate for the Apple Push Notification service and it MUST run a 
-[gorush](https://github.com/appleboy/gorush) publicly accessible server for sending the actual notification. 
+The party releasing the app MUST possess a certificate
+for the Apple Push Notification service and
+it MUST run a [gorush](https://github.com/appleboy/gorush)
+publicly accessible server for sending the actual notification.
 The party releasing the app MUST run its own [gorush](https://github.com/appleboy/gorush).
 
 ### Push Notification Server Flow
-#### Registration Process:
+
+#### Registration Process
 
 ![registration](./images/registration.png)
 
-#### Sending and Receiving Notification Process:
+#### Sending and Receiving Notification Process
 
 ![notification](./images/notification.png)
 
-
 ### Registering Client
+
 Registering a client with a push notification service.
 
-- A client MAY register with one or more push notification services in order to increase availability.
+- A client MAY register with one or
+more push notification services in order to increase availability.
 
-- A client SHOULD make sure that all the notification services they registered with have the same information about their tokens.
+- A client SHOULD make sure that all the notification services they registered with
+have the same information about their tokens.
 
 - A `PNR message` (Push Notification Registration) MUST be sent to the
-[partitioned topic](../../waku/standards/application/54/x3dh-sessions.md) for the public key of the node, encrypted with this key.
+[partitioned topic](../../waku/standards/application/54/x3dh-sessions.md)
+for the public key of the node, encrypted with this key.
 
-- The message MUST be wrapped in a [`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_REGISTRATION`.
+- The message MUST be wrapped in a
+[`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_REGISTRATION`.
 
-- The marshaled protobuf payload MUST also be encrypted with AES-GCM using the Diffie–Hellman key generated from the client and server identity.
-This is done in order to ensure that the extracted key from the signature will be considered invalid if it can’t decrypt the payload.
+- The marshaled protobuf payload MUST also be encrypted with AES-GCM
+using the Diffie–Hellman key generated from the client and server identity.
+This is done in order to ensure that the extracted key from the signature
+will be considered invalid if it can’t decrypt the payload.
 
 The content of the message MUST contain the following [protobuf record](https://developers.google.com/protocol-buffers/):
 
@@ -111,7 +131,9 @@ message PushNotificationRegistration {
 ```
 
 A push notification server will handle the message according to the following rules:
-- it MUST extract the public key of the sender from the signature and verify that the payload can be decrypted successfully.
+
+- it MUST extract the public key of the sender from the signature and
+verify that the payload can be decrypted successfully.
 
 - it MUST verify that `token_type` is supported.
 
@@ -119,7 +141,9 @@ A push notification server will handle the message according to the following ru
 
 - it MUST verify that `installation_id` is non empty.
 
-- it MUST verify that `version` is non-zero and greater than the currently stored version for the public key and `installation_id` of the sender, if any.
+- it MUST verify that `version` is non-zero and
+greater than the currently stored version for the public key and
+`installation_id` of the sender, if any.
 
 - it MUST verify that `grant` is non empty and according to the Grant Server specs.
 
@@ -127,7 +151,8 @@ A push notification server will handle the message according to the following ru
 
 - it MUST verify that `apn_topic` is set if token_type is APN_TOKEN.
 
-- The message MUST be wrapped in a [`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_REGISTRATION_RESPONSE`.
+- The message MUST be wrapped in a
+[`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_REGISTRATION_RESPONSE`.
 
 The payload of the response is:
 
@@ -148,69 +173,97 @@ message PushNotificationRegistrationResponse {
 
 ```
 
-A client SHOULD listen for a response sent on the [partitioned topic](../../waku/standards/application/54/x3dh-sessions.md) that the key used to register. 
+A client SHOULD listen for a response sent on the
+[partitioned topic](../../waku/standards/application/54/x3dh-sessions.md)
+that the key used to register.
 If success is true the client has registered successfully.
 
 If `success` is `false`:
-	> If `MALFORMED_MESSAGE` is returned, the request SHOULD NOT be retried without ensuring that it is correctly formed.
-	> If `INTERNAL_ERROR` is returned, the request MAY be retried, but the client MUST backoff exponentially.
+ > If `MALFORMED_MESSAGE` is returned,
+the request SHOULD NOT be retried without ensuring that it is correctly formed.
+ > If `INTERNAL_ERROR` is returned, the request MAY be retried,
+but the client MUST backoff exponentially.
+
+#### Handle Errors
 
-#### Handle Errors:
 - If the message can’t be decrypted, the message MUST be discarded.
 
 - If `token_type` is not supported, a response MUST be sent with `error` set to `UNSUPPORTED_TOKEN_TYPE`.
 
-- If `token`, `installation_id`, `device_tokens`, `version` are empty, a response MUST be sent with `error` set to `MALFORMED_MESSAGE`.
+- If `token`, `installation_id`, `device_tokens`, `version` are empty,
+a response MUST be sent with `error` set to `MALFORMED_MESSAGE`.
 
-- If the `version` is equal or less than the currently stored `version`, a response MUST be sent with `error` set to `VERSION_MISMATCH`.
+- If the `version` is equal or less than the currently stored `version`,
+a response MUST be sent with `error` set to `VERSION_MISMATCH`.
 
 - If any other error occurs the `error` SHOULD be set to `INTERNAL_ERROR`.
 
-- If the response is successful `success` MUST be set to `true` otherwise a response MUST be sent with `success` set to `false`.
+- If the response is successful `success` MUST be set to `true` otherwise
+a response MUST be sent with `success` set to `false`.
 
-- `request_id` SHOULD be set to the [`SHAKE-256`](https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf) of the encrypted payload.
+- `request_id` SHOULD be set to the
+[`SHAKE-256`](https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.202.pdf)
+of the encrypted payload.
 
-- The response MUST be sent on the [partitioned topic](../../waku/standards/application/54/x3dh-sessions.md) of the sender and
-MUST not be encrypted using the secure transport to facilitate the usage of ephemeral keys.
+- The response MUST be sent on the
+[partitioned topic](../../waku/standards/application/54/x3dh-sessions.md)
+of the sender and MUST not be encrypted using
+the secure transport to facilitate the usage of ephemeral keys.
 
 - If no response is returned, the request SHOULD be considered failed and
 MAY be retried with the same server or a different one, but clients
 MUST exponentially backoff after each trial.
 
 ## Push Notification Server
+
 A node that handles receiving and sending push notifications for clients.
 
-### Query Topic:
+### Query Topic
+
 On successful registration the server MUST be listening to the topic derived from:
   > `0x` + HexEncode(Shake256(CompressedClientPublicKey))
 
 Using the topic derivation algorithm described here and listen for client queries.
 
-#### Server Grant:
-A client MUST authorize a push notification server to send them push notifications. 
-This is done by building a grant which is specific to a given client-server pair. 
-When receiving a grant, the server MUST validate that the signature matches the registering client. 
+#### Server Grant
 
-The grant is built as:<br />
-`Signature(Keccak256(CompressedPublicKeyOfClient . CompressedPublicKeyOfServer . AccessToken), PrivateKeyOfClient)`
+A client MUST authorize a push notification server to send them push notifications.
+This is done by building a grant which is specific to a given client-server pair.
+When receiving a grant,
+the server MUST validate that the signature matches the registering client.
 
-#### Unregistering with a Server:
-- To unregister a client MUST send a `PushNotificationRegistration` request as described above with `unregister` set
-to `true`, or removing their device information.
-- The server MUST remove all data about this user if `unregistering` is `true`, apart from the `hash` of the public key and
-the `version` of the last options, in order to make sure that old messages are not processed.
-- A client MAY unregister from a server on explicit logout if multiple chat keys are used on a single device.
+The grant is built as:
+
+```js
+`Signature(Keccak256(CompressedPublicKeyOfClient.CompressedPublicKeyOfServer.AccessToken), PrivateKeyOfClient)`
+```
+
+#### Unregistering with a Server
+
+- To unregister a client MUST send a `PushNotificationRegistration`
+request as described above with `unregister` set to `true`,
+or removing their device information.
+- The server MUST remove all data about this user if `unregistering` is `true`,
+apart from the `hash` of the public key and
+the `version` of the last options,
+in order to make sure that old messages are not processed.
+- A client MAY unregister from a server on explicit logout
+if multiple chat keys are used on a single device.
+
+#### Re-registering with a Server
 
-#### Re-registering with a Server:
 - A client SHOULD re-register with the node if the APN or FIREBASE token changes.
-- When re-registering a client SHOULD ensure that it has the most up-to-date `PushNotificationRegistration` and
+- When re-registering a client SHOULD ensure
+that it has the most up-to-date `PushNotificationRegistration` and
 increment `version` if necessary.
 - Once re-registered, a client SHOULD advertise the changes.
 Changing options is handled the same as re-registering.
 
-#### Advertising a Server:
-Each user registered with one or more push notification servers 
-SHOULD advertise periodically the push notification services they have registered with for each device they own.
+#### Advertising a Server
+
+Each user registered with one or more push notification servers
+SHOULD advertise periodically the push notification services
+they have registered with for each device they own.
 
 ```protobuf
 message PushNotificationQueryInfo {
@@ -229,22 +282,33 @@ message ContactCodeAdvertisement {
 
 ```
 
-#### Handle Advertisement Message:
-- The message MUST be wrapped in a [`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_QUERY_INFO`.
-- If no filtering is done based on public keys, the access token SHOULD be included in the advertisement.
+#### Handle Advertisement Message
+
+- The message MUST be wrapped in a
+[`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_QUERY_INFO`.
+- If no filtering is done based on public keys,
+the access token SHOULD be included in the advertisement.
   Otherwise it SHOULD be left empty.
-- This SHOULD be advertised on the [contact code topic](../../waku/standards/application/53/x3dh.md) and
+- This SHOULD be advertised on the
+[contact code topic](../../waku/standards/application/53/x3dh.md) and
 SHOULD be coupled with normal contact-code advertisement.
-- When a user register or re-register with a push notification service, their contact-code SHOULD be re-advertised.
-- Multiple servers MAY be advertised for the same installation_id for redundancy reasons.
+- When a user register or re-register with a push notification service,
+their contact-code SHOULD be re-advertised.
+- Multiple servers MAY be advertised for the same installation_id
+ for redundancy reasons.
 
-#### Discovering a Server:
-To discover a push notification service for a given user, their 
-[contact code topic](../../waku/standards/application/53/x3dh.md) SHOULD be listened to. 
-A Waku-Store node can be queried for the specific topic to retrieve the most up-to-date contact code.
+#### Discovering a Server
 
-#### Querying a Server:
-If a token is not present in the latest advertisement for a user, the server SHOULD be queried directly.
+To discover a push notification service for a given user, their
+[contact code topic](../../waku/standards/application/53/x3dh.md)
+SHOULD be listened to.
+A Waku-Store node can be queried for the specific topic
+to retrieve the most up-to-date contact code.
+
+#### Querying a Server
+
+If a token is not present in the latest advertisement for a user,
+the server SHOULD be queried directly.
 
 To query a server a message:
 
@@ -255,9 +319,12 @@ message PushNotificationQuery {
 
 ```
 
-#### Handle Query Message:
-- The message MUST be wrapped in a [`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_QUERY`.
-- it MUST be sent to the server on the topic derived from the hashed public key of the key we are querying,
+#### Handle Query Message
+
+- The message MUST be wrapped in a
+[`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_QUERY`.
+- it MUST be sent to the server on the topic derived from the hashed public key
+of the key we are querying,
 [as described above](#query-topic).
 - An ephemeral key SHOULD be used and SHOULD NOT be encrypted using the [secure transport](../../waku/standards/application/53/x3dh.md).
 
@@ -282,32 +349,48 @@ message PushNotificationQueryResponse {
 
 ```
 
-#### Handle Query Response:
+#### Handle Query Response
+
 - A `PushNotificationQueryResponse` message MUST be wrapped in a
 [`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_QUERY_RESPONSE`.
 Otherwise a response MUST NOT be sent.
 
-- If `allowed_key_list` is not set `access_token` MUST be set and `allowed_key_list` MUST NOT be set.
+- If `allowed_key_list` is not set `access_token` MUST be set
+and `allowed_key_list` MUST NOT be set.
 
-- If `allowed_key_list` is set `allowed_key_list` MUST be set and `access_token` MUST NOT be set.
+- If `allowed_key_list` is set `allowed_key_list` MUST be set and
+`access_token` MUST NOT be set.
 
-- If `access_token` is returned, the `access_token` SHOULD be used to send push notifications.
+- If `access_token` is returned,
+the `access_token` SHOULD be used to send push notifications.
 
-- If `allowed_key_list` are returned, the client SHOULD decrypt each token by generating an `AES-GCM` symmetric key from the Diffie–Hellman between the target client and itself.
-If AES decryption succeeds it will return a valid `uuid` which is what is used for access_token.
+- If `allowed_key_list` are returned,
+the client SHOULD decrypt each token by generating an `AES-GCM` symmetric key
+from the Diffie–Hellman between the target client and itself.
+If AES decryption succeeds,
+it will return a valid `uuid` which is what is used for access_token.
 The token SHOULD be used to send push notifications.
 
-- The response MUST be sent on the [partitioned topic](../../waku/standards/application/54/x3dh-sessions.md) of the sender and
-MUST NOT be encrypted using the [secure transport](../../waku/standards/application/53/x3dh.md) to facilitate the usage of ephemeral keys.
+- The response MUST be sent on the
+[partitioned topic](../../waku/standards/application/54/x3dh-sessions.md)
+of the sender and
+MUST NOT be encrypted using the
+[secure transport](../../waku/standards/application/53/x3dh.md)
+to facilitate the usage of ephemeral keys.
 
-- On receiving a response a client MUST verify `grant` to ensure that the server has been authorized to send push notification to a given client.
+- On receiving a response,
+a client MUST verify `grant` to ensure that the server
+has been authorized to send push notification to a given client.
 
 ### Sending Client
+
 Sending a push notification
 
-- When sending a push notification, only the `installation_id` for the devices targeted by the message SHOULD be used.
+- When sending a push notification,
+only the `installation_id` for the devices targeted by the message SHOULD be used.
 
-- If a message is for all the user devices, all the `installation_id` known to the client MAY be used.
+- If a message is for all the user devices,
+all the `installation_id` known to the client MAY be used.
 
 - The number of devices MAY be capped in order to reduce resource consumption.
 
@@ -315,7 +398,8 @@ Sending a push notification
 
 - For any device that a token is available, or that
 a token is successfully queried,
-a push notification message SHOULD be sent to the corresponding push notification server.
+a push notification message SHOULD be sent to the corresponding
+push notification server.
 
 ```protobuf
 message PushNotification {
@@ -339,14 +423,19 @@ message PushNotificationRequest {
 }
 
 ```
-#### Handle Notification Request:
+
+#### Handle Notification Request
+
 - A `PushNotificationRequest` message MUST be wrapped in a
 [`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_REQUEST`.
 
-- Where `message` is the encrypted payload of the message and `chat_id` is the `SHAKE-256` of the `chat_id`.
-`message_id` is the id of the message `author` is the `SHAKE-256` of the public key of the sender.
+- Where `message` is the encrypted payload of the message and
+`chat_id` is the `SHAKE-256` of the `chat_id`.
+`message_id` is the id of the message,
+`author` is the `SHAKE-256` of the public key of the sender.
 
-- If multiple server are available for a given push notification, only one notification MUST be sent.
+- If multiple server are available for a given push notification,
+only one notification MUST be sent.
 
 - If no response is received a client SHOULD wait at least 3 seconds,
 after which the request MAY be retried against a different server.
@@ -354,7 +443,7 @@ after which the request MAY be retried against a different server.
 - This message SHOULD be sent using an ephemeral key.
 
 On receiving the message, the push notification server MUST validate the access token.
-If the access token is valid, a notification MUST be sent to the 
+If the access token is valid, a notification MUST be sent to the
 [gorush](https://github.com/appleboy/gorush) instance with the following data:
 
 ```yaml
@@ -405,39 +494,67 @@ message PushNotificationResponse {
 
 Where `message_id` is the `message_id` sent by the client.
 
-#### Handle Notification Response:
-- A `PushNotificationResponse` message MUST be wrapped in a [`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_RESPONSE`.
+#### Handle Notification Response
 
-- The response MUST be sent on the [partitioned topic](../../waku/standards/application/54/x3dh-sessions.md) of the sender and
-MUST not be encrypted using the [secure transport](../../waku/standards/application/53/x3dh.md) to facilitate the usage of ephemeral keys.
+- A `PushNotificationResponse` message MUST be wrapped in a
+[`ApplicationMetadataMessage`](../62/payloads.md) with type set to `PUSH_NOTIFICATION_RESPONSE`.
 
-- If the request is accepted `success` MUST be set to `true`. Otherwise `success` MUST be set to `false`.
+- The response MUST be sent on the
+[partitioned topic](../../waku/standards/application/54/x3dh-sessions.md)
+of the sender and
+MUST not be encrypted using the
+[secure transport](../../waku/standards/application/53/x3dh.md)
+to facilitate the usage of ephemeral keys.
 
-- If `error` is `BAD_TOKEN` the client MAY query again the server for the token and retry the request.
+- If the request is accepted `success` MUST be set to `true`.
+Otherwise `success` MUST be set to `false`.
+
+- If `error` is `BAD_TOKEN` the client MAY query again the server for the token and
+retry the request.
 
 - If `error` is `INTERNAL_ERROR` the client MAY retry the request.
 
 ### Protobuf Description
 
-#### PushNotificationRegistration:
-`token_type`: the type of token. Currently supported is `APN_TOKEN` for Apple Push.<br />
-`device_token`: the actual push notification token sent by `Firebase` or `APN` and `FIREBASE_TOKEN` for firebase.<br />
-`installation_id`: the `installation_id` of the device.<br />
-`access_token`: the access token that will be given to clients to send push notifications.<br />
-`enabled`: whether the device wants to be sent push notifications.<br />
-`version`: a monotonically increasing number identifying the current `PushNotificationRegistration`. 
-Any time anything is changed in the record it MUST be increased by the client, otherwise the request will not be accepted.<br />
-`allowed_key_list`: a list of `access_token` encrypted with the AES key generated by Diffie–Hellman between the publisher and the 
-allowed contact.<br />
-`blocked_chat_list`: a list of `SHA2-256` hashes of chat ids. Any chat id in this list will not trigger a notification.<br />
-`unregister`: whether the account should be unregistered.<br />
-`grant`: the grant for this specific server.<br />
-`allow_from_contacts_only`: whether the client only wants push notifications from contacts.<br />
-`apn_topic`: the APN topic for the push notification.<br />
-`block_mentions`: whether the client does not want to be notified on mentions.<br />
-`allowed_mentions_chat_list`: a list of SHA2-256 hashes of chat ids where we want to receive mentions.<br />
+#### PushNotificationRegistration
+
+`token_type`: the type of token. Currently supported is `APN_TOKEN` for Apple Push.
+
+`device_token`: the actual push notification token sent by `Firebase` or
+`APN` and `FIREBASE_TOKEN` for firebase.
+
+`installation_id`: the `installation_id` of the device.
+
+`access_token`: the access token that will be given to clients to send push notifications.
+
+`enabled`: whether the device wants to be sent push notifications.
+
+`version`: a monotonically increasing number identifying the current `PushNotificationRegistration`.
+Any time anything is changed in the record it MUST be increased by the client,
+otherwise the request will not be accepted.
+
+`allowed_key_list`: a list of `access_token` encrypted with the AES key
+generated by Diffie–Hellman between the publisher and the allowed contact.
+
+`blocked_chat_list`: a list of `SHA2-256` hashes of chat ids.
+Any chat id in this list will not trigger a notification.
+
+`unregister`: whether the account should be unregistered.
+
+`grant`: the grant for this specific server.
+
+`allow_from_contacts_only`: whether the client only wants
+push notifications from contacts.
+
+`apn_topic`: the APN topic for the push notification.
+
+`block_mentions`: whether the client does not want to be notified on mentions.
+
+`allowed_mentions_chat_list`: a list of SHA2-256 hashes of chat ids
+where we want to receive mentions.
 
 DATA DISCLOSED
+
 - Type of device owned by a given user.
 
 - The `FIREBASE` or `APN` push notification token,
@@ -448,48 +565,71 @@ DATA DISCLOSED
 
 - The number of contacts a client has, in case `allowed_key_list` is set.
 
-#### PushNotificationRegistrationResponse:
-`success`: whether the registration was successful<br />
-`error`: the error type, if any<br />
-`request_id`: the `SHAKE-256` hash of the `signature` of the request<br />
-`preferences`: the server stored preferences in case of an error<br />
+#### PushNotificationRegistrationResponse
+
+`success`: whether the registration was successful
+
+`error`: the error type, if any
+
+`request_id`: the `SHAKE-256` hash of the `signature` of the request
+
+`preferences`: the server stored preferences in case of an error
+
+#### ContactCodeAdvertisement
 
-#### ContactCodeAdvertisement:
 `push_notification_info`: the information for each device advertised
 
 DATA DISCLOSED
+
 - The chat key of the sender
 
-#### PushNotificationQuery:
+#### PushNotificationQuery
+
 `public_keys`: the `SHAKE-256` of the public keys the client is interested in
 
 DATA DISCLOSED
+
 - The hash of the public keys the client is interested in
 
-#### PushNotificationQueryInfo:
-`access_token`: the access token used to send a push notification<br />
-`installation_id`: the `installation_id` of the device associated with the `access_token`<br />
-`public_key`: the `SHAKE-256` of the public key associated with this `access_token` and `installation_id`.<br />
-`allowed_key_list`: a list of encrypted access tokens to be returned to the client in case there’s any filtering on public keys in place.<br />
-`grant`: the grant used to register with this server.<br />
-`version`: the version of the registration on the server.<br />
-`server_public_key`: the compressed public key of the server.<br />
+#### PushNotificationQueryInfo
 
-#### PushNotificationQueryResponse: 
-`info`: a list of `PushNotificationQueryInfo`.<br />
-`message_id`: the message id of the `PushNotificationQueryInfo` the server is replying to.<br />
-`success`: whether the query was successful.<br />
+`access_token`: the access token used to send a push notification
 
-#### PushNotification: 
-`access_token`: the access token used to send a push notification.<br />
-`chat_id`: the `SHAKE-256` of the `chat_id`.<br />
-`public_key`: the `SHAKE-256` of the compressed public key of the receiving client.<br />
-`installation_id`: the `installation_id` of the receiving client.<br />
-`message`: the encrypted message that is being notified on.<br />
-`type`: the type of the push notification, either `MESSAGE` or `MENTION`<br />
+`installation_id`: the `installation_id` of the device associated with the `access_token`.
+
+`public_key`: the `SHAKE-256` of the public key associated with this `access_token`
+and `installation_id`.
+
+`allowed_key_list`: a list of encrypted access tokens to be returned
+to the client in case there’s any filtering on public keys in place.
+
+`grant`: the grant used to register with this server.
+
+`version`: the version of the registration on the server.
+
+`server_public_key`: the compressed public key of the server.
+
+#### PushNotificationQueryResponse
+
+`info`: a list of `PushNotificationQueryInfo`.
+
+`message_id`: the message id of the `PushNotificationQueryInfo`
+the server is replying to.
+
+`success`: whether the query was successful.
+
+#### PushNotification
+
+`access_token`: the access token used to send a push notification.
+`chat_id`: the `SHAKE-256` of the `chat_id`.
+`public_key`: the `SHAKE-256` of the compressed public key of the receiving client.
+`installation_id`: the `installation_id` of the receiving client.
+`message`: the encrypted message that is being notified on.
+`type`: the type of the push notification, either `MESSAGE` or `MENTION`
 `author`: the `SHAKE-256` of the public key of the sender
 
 Data disclosed
+
 - The `SHAKE-256` hash of the `chat_id` the notification is to be sent for
 
 - The cypher text of the message
@@ -498,55 +638,75 @@ Data disclosed
 
 - The type of notification
 
-#### PushNotificationRequest:
-`requests`: a list of PushNotification<br />
+#### PushNotificationRequest
+
+`requests`: a list of PushNotification
 `message_id`: the [Status message id](../62/payloads.md)
 
 Data disclosed
+
 - The status `message_id` for which the notification is for
 
-#### PushNotificationResponse: 
-`message_id`: the `message_id` being notified on.<br />
+#### PushNotificationResponse
+
+`message_id`: the `message_id` being notified on.
 `reports`: a list of `PushNotificationReport`
 
-#### PushNotificationReport:
-`success`: whether the push notification was successful.<br />
-`error`: the type of the error in case of failure.<br />
-`public_key`: the public key of the user being notified.<br />
+#### PushNotificationReport
+
+`success`: whether the push notification was successful.
+`error`: the type of the error in case of failure.
+`public_key`: the public key of the user being notified.
 `installation_id`: the `installation_id` of the user being notified.
 
 ### Anonymous Mode
-In order to preserve privacy, the client MAY provide anonymous mode of operations to propagate information about the user. 
-A client in anonymous mode can register with the server using a key that is different from their chat key. 
-This will hide their real chat key. This public key is effectively a secret and 
-SHOULD only be disclosed to clients approved to notify a user. 
 
-- A client MAY advertise the access token on the [contact-code topic](../../waku/standards/application/53/x3dh.md) of the key generated. 
+In order to preserve privacy, the client MAY provide anonymous mode of operations
+to propagate information about the user.
+A client in anonymous mode can register with the server
+using a key that is different from their chat key.
+This will hide their real chat key. This public key is effectively a secret and
+SHOULD only be disclosed to clients approved to notify a user.
 
-- A client MAY share their public key contact updates in the [protobuf record](https://developers.google.com/protocol-buffers/). 
+- A client MAY advertise the access token on the
+[contact-code topic](../../waku/standards/application/53/x3dh.md)
+of the key generated.
 
-- A client receiving a push notification public key SHOULD listen to the contact code topic of the push notification public key for updates.
+- A client MAY share their public key contact updates in the
+[protobuf record](https://developers.google.com/protocol-buffers/).
 
-The method described above effectively does not share the identity of the sender nor the receiver to the server, but 
-MAY result in missing push notifications as the propagation of the secret is left to the client. 
-This can be mitigated by [device syncing](../62/payloads.md), but not completely addressed.
+- A client receiving a push notification public key
+SHOULD listen to the contact code topic of the push notification public key for updates.
+
+The method described above effectively does not share the identity of the sender
+nor the receiver to the server, but
+MAY result in missing push notifications
+as the propagation of the secret is left to the client.
+This can be mitigated by [device syncing](../62/payloads.md),
+but not completely addressed.
 
 ## Security/Privacy Considerations
-If anonymous mode is not used, when registering with a push notification service a client will disclose:
+
+If anonymous mode is not used,
+when registering with a push notification service a client will disclose:
+
 - The devices that will receive notifications.
 
 - The chat key.
 
 A client MAY disclose:
+
 - The hash of the `chat_id` they want to filter out.
 
-When running in anonymous mode, the client’s chat key is not disclosed. 
+When running in anonymous mode, the client’s chat key is not disclosed.
 
 When querying a push notification server a client will disclose:
-- That it is interested in sending push notification to another client, but
-querying client’s chat key is not disclosed.
+
+- That it is interested in sending push notification to another client,
+but querying client’s chat key is not disclosed.
 
 When sending a push notification a client will disclose:
+
 - The `shake-256` of the `chat_id`.
 
 ## Copyright
@@ -554,6 +714,7 @@ When sending a push notification a client will disclose:
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
 
 ## References
+
 1. [PUSH-NOTIFICATION-SERVER, Initial Specification](https://github.com/status-im/specs/blob/master/docs/raw/push-notification-server.md)
 2. [Push Notification, Apple Developer](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1)
 3. [Firebase](https://firebase.google.com)

status/README.md

@@ -1,4 +1,4 @@
 # Status RFCs
 
-Status is a communitication tool providing privacy features for the user.
-Specifcations can also be viewd at [Status](https://status.app/specs).
+Status is a communication tool providing privacy features for the user.
+Specifications can also be viewed at [Status](https://status.app/specs).

status/deprecated/3rd-party.md

@@ -0,0 +1,127 @@
+---
+title: 3RD-PARTY
+name: 3rd party
+status: deprecated
+description: This specification discusses 3rd party APIs that Status relies on.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Volodymyr Kozieiev <volodymyr@status.im>
+---
+
+## Abstract
+
+This specification discusses 3rd party APIs that Status relies on.  
+These APIs provide various capabilities, including:
+
+- communicating with the Ethereum network,  
+- allowing users to view address and transaction details on external websites,  
+- retrieving fiat/crypto exchange rates,  
+- obtaining information about collectibles,  
+- hosting the privacy policy.
+
+## Definitions
+
+| Term              | Description                                                                                           |
+|-------------------|-------------------------------------------------------------------------------------------------------|
+| Fiat money        | Currency established as money, often by government regulation, but without intrinsic value.           |
+| Full node         | A computer, connected to the Ethereum network, that enforces all Ethereum consensus rules.            |
+| Crypto-collectible| A unique, non-fungible digital asset, distinct from cryptocurrencies where tokens are identical.      |
+
+## Why 3rd Party APIs Can Be a Problem
+
+Relying on 3rd party APIs conflicts with Status’s censorship-resistance principle.
+Since Status aims to avoid suppression of information,  
+it is important to minimize reliance on 3rd parties that are critical to app functionality.
+
+## 3rd Party APIs Used by the Current Status App
+
+### Infura
+
+**What is it?**  
+Infura hosts a collection of Ethereum full nodes and provides an API  
+to access the Ethereum and IPFS networks without requiring a full node.
+
+**How Status Uses It**  
+Since Status operates on mobile devices,  
+it cannot rely on a local node.  
+Therefore, all Ethereum network communication happens via Infura.
+
+**Concerns**  
+Making an HTTP request can reveal user metadata,  
+which could be exploited in attacks if Infura is compromised.  
+Infura uses centralized hosting providers;  
+if these providers fail or cut off service,  
+Ethereum-dependent features in Status would be affected.
+
+### Etherscan
+
+**What is it?**  
+Etherscan is a service that allows users to explore the Ethereum blockchain  
+for transactions, addresses, tokens, prices,  
+and other blockchain activities.
+
+**How Status Uses It**  
+The Status Wallet allows users to view address and transaction details on Etherscan.
+
+**Concerns**  
+If Etherscan becomes unavailable,  
+users won’t be able to view address or transaction details through Etherscan.  
+However, in-app information will still be accessible.
+
+### CryptoCompare
+
+**What is it?**  
+CryptoCompare provides live crypto prices, charts, and analysis from major exchanges.
+
+**How Status Uses It**  
+Status regularly fetches crypto prices from CryptoCompare,  
+using this information to calculate fiat values  
+for transactions or wallet assets.
+
+**Concerns**  
+HTTP requests can reveal metadata,  
+which could be exploited if CryptoCompare is compromised.  
+If CryptoCompare becomes unavailable,  
+Status won’t be able to show fiat equivalents for crypto in the wallet.
+
+### Collectibles
+
+Various services provide information on collectibles:
+
+- [Service 1](https://api.pixura.io/graphql)  
+- [Service 2](https://www.etheremon.com/api)  
+- [Service 3](https://us-central1-cryptostrikers-prod.cloudfunctions.net/cards/)
+- [Service 4](https://api.cryptokitties.co/)  
+
+**Concerns**  
+HTTP requests can reveal metadata,  
+which could be exploited if these services are compromised.
+
+### Iubenda
+
+**What is it?**  
+Iubenda helps create compliance documents for websites and apps across jurisdictions.
+
+**How Status Uses It**  
+Status’s privacy policy is hosted on Iubenda.
+
+**Concerns**  
+If Iubenda becomes unavailable,  
+users will be unable to view the app's privacy policy.
+
+## Changelog
+
+| Version | Comment        |
+|---------|-----------------|
+| 0.1.0   | Initial release |
+
+## Copyright
+
+Copyright and related rights waived via CC0.
+
+## References
+
+- [GraphQL](https://api.pixura.io/graphql)  
+- [Etheremon](https://www.etheremon.com/api)  
+- [Cryptostrikers](https://us-central1-cryptostrikers-prod.cloudfunctions.net/cards/)
+- [Cryptokitties](https://api.cryptokitties.co/)  

status/deprecated/IPFS-gateway-for-sticker-Pack.md

@@ -0,0 +1,138 @@
+---
+title: IPFS-gateway-for-Sticker-Pack
+name: IPFS gateway for Sticker Pack
+status: deprecated
+description: This specification describes how Status uses the IPFS gateway to store stickers. 
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Gheorghe Pinzaru <gheorghe@status.im>
+---
+
+## Abstract
+
+This specification describes how Status uses the IPFS gateway  
+to store stickers.  
+The specification explores image format,  
+how a user uploads stickers,  
+and how an end user can see them inside the Status app.
+
+## Definition
+
+| Term             | Description                                                                            |
+|------------------|----------------------------------------------------------------------------------------|
+| **Stickers**     | A set of images which can be used to express emotions                                  |
+| **Sticker Pack** | ERC721 token which includes the set of stickers                                        |
+| **IPFS**         | P2P network used to store and share data, in this case, the images for the stickerpack |
+
+## Specification
+
+### Image format
+
+Accepted image file types are `PNG`, `JPG/JPEG` and `GIF`,
+with a maximum allowed size of 300kb.
+The minimum sticker image resolution is 512x512,
+and its background SHOULD be transparent.
+
+### Distribution
+
+The node implements sticker packs as [ERC721 token](https://eips.ethereum.org/EIPS/eip-721)
+and contain a set of stickers.
+The node stores these stickers inside the sticker pack as a set of hyperlinks pointing to IPFS storage.
+These hyperlinks are publicly available and can be accessed by any user inside the status chat.
+Stickers can be sent in chat only by accounts that own the sticker pack.
+
+### IPFS gateway
+
+At the moment of writing, the current main Status app uses the [Infura](https://infura.io/) gateway.
+However, clients could choose a different gateway or to run own IPFS node.
+Infura gateway is an HTTPS gateway,
+which based on an HTTP GET request with the multihash block will return the stored content at that block address.
+
+The node requires the use of a gateway to enable easy access to the resources over HTTP.
+The node stores each image of a sticker inside IPFS using a unique address that is
+derived from the hash of the file.
+This ensures that a file can't be overridden,
+and an end-user of the IPFS will receive the same file at a given address.
+
+### Security
+
+The IPFS gateway acts as an end-user of the IPFS
+and allows users of the gateway to access IPFS without connection to the P2P network.
+Usage of a gateway introduces potential risk for the users of that gateway provider.
+In case of a compromise in the security of the provider, meta information such as IP address,
+User-Agent and other of its users can be leaked.
+If the provider servers are unavailable the node loses access through the gateway to the IPFS network.
+
+### Status sticker usage
+
+When the app shows a sticker, the Status app makes an HTTP GET request to IPFS gateway using the hyperlink.
+
+To send a sticker in chat, a user of Status should buy or install a sticker pack.
+
+To be available for installation a Sticker Pack should be submitted to Sticker market by an author.
+
+#### Submit a sticker
+
+To submit a sticker pack, the author should upload all assets to IPFS.
+Then generate a payload including name, author, thumbnail,
+preview and a list of stickers in the [EDN format](https://github.com/edn-format/edn). Following this structure:
+``
+{meta {:name "Sticker pack name"
+       :author "Author Name"
+       :thumbnail "e30101701220602163b4f56c747333f43775fdcbe4e62d6a3e147b22aaf6097ce0143a6b2373"
+       :preview "e30101701220ef54a5354b78ef82e542bd468f58804de71c8ec268da7968a1422909357f2456"
+       :stickers [{:hash "e301017012207737b75367b8068e5bdd027d7b71a25138c83e155d1f0c9bc5c48ff158724495"}
+       {:hash "e301017012201a9cdea03f27cda1aede7315f79579e160c7b2b6a2eb51a66e47a96f47fe5284"}]}}
+``
+All asset fields, are contenthash fields as per [EIP 1577](https://eips.ethereum.org/EIPS/eip-1577).
+The node also uploads this payload to IPFS, and the node uses the IPFS address in the content field of the Sticker Market contract.
+See [Sticker Market spec](https://github.com/status-im/sticker-market/blob/651e88e5f38c690e57ecaad47f46b9641b8b1e27/docs/specification.md) for a detailed description of the contract.
+
+#### Install a sticker pack
+
+To install a sticker pack, the node fetches all sticker packs available in Sticker Market.
+The node needs the following steps to fetch all sticker packs:
+
+#### 1. Get total number of sticker packs
+
+Call `packCount()` on the sticker market contract, will return number of sticker pack registered as `uint256`.
+
+#### 2. Get sticker pack by id
+
+ID's are represented as `uint256` and are incremental from `0` to total number of sticker packs in the contract,
+received in the previous step.
+To get a sticker pack call `getPackData(sticker-pack-id)`, the return type is  `["bytes4[]" "address" "bool" "uint256" "uint256" "bytes"]`
+which represents the following fields: `[category owner mintable timestamp price contenthash]`.
+Price is the SNT value in wei set by sticker pack owner.
+The contenthash is the IPFS address described in the [submit description](#submit-a-sticker) above.
+Other fields specification could be found in [Sticker Market spec](https://github.com/status-im/sticker-market/blob/651e88e5f38c690e57ecaad47f46b9641b8b1e27/docs/specification.md)
+
+##### 3. Get owned sticker packs
+
+The current Status app fetches owned sticker packs during the open of any sticker view
+(a screen which shows a sticker pack, or the list of sticker packs).
+To get owned packs, get all owned tokens for the current account address,
+by calling `balanceOf(address)` where address is the address for the current account.
+This method returns a `uint256` representing the count of available tokens. Using `tokenOfOwnerByIndex(address,uint256)` method,
+with the address of the user and ID in form of a `uint256`
+which is an incremented int from 0 to the total number of tokens, gives the token id.
+To get the sticker pack id from a token call`tokenPackId(uint256)` where `uint256` is the token id.
+This method will return an `uint256` which is the id of the owned sticker pack.
+
+##### 4. Buy a sticker pack
+
+To buy a sticker pack call `approveAndCall(address,uint256,bytes)`
+where `address` is the address of buyer,`uint256` is the price and third parameters `bytes` is the callback  called if approved.
+In the callback, call `buyToken(uint256,address,uint256)`, first parameter is sticker pack id, second buyers address, and the last is the price.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [ERC721 Token Standard](https://eips.ethereum.org/EIPS/eip-721)
+- [Infura](https://infura.io/)
+- [EDN Format](https://github.com/edn-format/edn)
+- [EIP 1577](https://eips.ethereum.org/EIPS/eip-1577)
+- [Sticker Market Specification](https://github.com/status-im/sticker-market/blob/651e88e5f38c690e57ecaad47f46b9641b8b1e27/docs/specification.md)

status/deprecated/account.md

@@ -0,0 +1,461 @@
+---
+title: ACCOUNT
+name: Account
+status: deprecated
+description: This specification explains what a Status account is, and how a node establishes trust.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Corey Petty <corey@status.im>
+  - Oskar Thorén <oskar@status.im>
+  - Samuel Hawksby-Robinson <samuel@status.im>
+---
+
+## Abstract
+
+This specification explains what a Status account is,  
+and how a node establishes trust.
+
+## Introduction
+
+The core concept of an account in Status is a set of cryptographic keypairs.
+Namely, the combination of the following:
+
+1. a Whisper/Waku chat identity keypair
+1. a set of cryptocurrency wallet keypairs
+
+The node verifies or derives everything else associated with the contact from the above items, including:
+
+- Ethereum address (future verification, currently the same base keypair)
+- 3 word mnemonic name
+- identicon
+- message signatures
+
+## Initial Key Generation
+
+### Public/Private Keypairs
+
+- An ECDSA (secp256k1 curve) public/private keypair MUST be generated via a [BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki) derived path from a [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki) mnemonic seed phrase.
+- The default paths are defined as such:
+  - Whisper/Waku Chat Key (`IK`): `m/43'/60'/1581'/0'/0`  (post Multiaccount integration)
+    - following [EIP1581](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1581.md)
+    <!-- WE CURRENTLY DO NOT IMPLEMENT ENCRYPTION KEY, FOR FUTURE - C.P. -->
+    <!-- - DB encryption Key (`DBK`): `m/43'/60'/1581'/1'/0` (post Multiaccount integration) -->
+    <!-- - following [EIP1581](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1581.md) -->
+    - Status Wallet paths: `m/44'/60'/0'/0/i` starting at `i=0`
+      - following [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)
+      - NOTE: this (`i=0`) is also the current (and only) path for Whisper/Waku key before Multiaccount integration
+
+### X3DH Prekey bundle creation
+
+- Status follows the X3DH prekey bundle scheme that [Open Whisper Systems](https://en.wikipedia.org/wiki/Signal_Messenger#2013%E2%80%932018:_Open_Whisper_Systems) (not to be confused with the Whisper sub-protocol) outlines [in their documentation](https://signal.org/docs/specifications/x3dh/#the-x3dh-protocol) with the following exceptions:
+
+  - Status does not publish one-time keys `OPK` or perform DH including them, because there are no central servers in the Status implementation.
+- A client MUST create X3DH prekey bundles, each defined by the following items:
+  - Identity Key: `IK`
+  - Signed prekey: `SPK`
+  - Prekey signature: `Sig(IK, Encode(SPK))`
+  - Timestamp
+- These bundles are made available in a variety of ways, as defined in section 2.1.
+
+## Account Broadcasting
+
+- A user is responsible for broadcasting certain information publicly so that others may contact them.
+
+### X3DH Prekey bundles
+
+- A client SHOULD regenerate a new X3DH prekey bundle every 24 hours.  This MAY be done in a lazy way, such that a client that does not come online past this time period does not regenerate or broadcast bundles.
+- The current bundle SHOULD be broadcast on a Whisper/Waku topic specific to his Identity Key, `{IK}-contact-code`, intermittently.  This MAY be done every 6 hours.
+- A bundle SHOULD accompany every message sent.
+- TODO: retrieval of long-time offline users bundle via `{IK}-contact-code`
+
+## Optional Account additions
+
+### ENS Username
+
+- A user MAY register a public username on the Ethereum Name System (ENS).  This username is a user-chosen subdomain of the `stateofus.eth` ENS registration that maps to their Whisper/Waku identity key (`IK`).
+
+<!-- ### User Profile Picture
+- An account MAY edit the `IK` generated identicon with a chosen picture.  This picture will become part of the publicly broadcast profile of the account. -->
+
+<!-- TODO: Elaborate on wallet account and multiaccount -->
+<!-- TODO: Elaborate on security implications -->
+
+## Trust establishment
+
+**Trust establishment deals with users verifying they are communicating with who they think they are.**
+
+### Terms Glossary
+
+| term                      | description |
+| ------------------------- | ----------- |
+| privkey                   | ECDSA secp256k1 private key |
+| pubkey                    | ECDSA secp256k1 public key |
+| Whisper/Waku key          | pubkey for chat with HD derivation path m/43'/60'/1581'/0'/0 |
+
+### Contact Discovery
+
+#### Public channels
+
+- Public group channels in Status are a broadcast/subscription system.  All public messages are encrypted with a symmetric key derived from the channel name, `K_{pub,sym}`, which is publicly known.
+- A public group channel's symmetric key MUST creation must follow the [web3 API](https://web3js.readthedocs.io/en/1.0/web3-shh.html#generatesymkeyfrompassword)'s `web3.ssh.generateSymKeyFromPassword` function
+- In order to post to a public group channel, a client MUST have a valid account created.
+- In order to listen to a public group channel, a client must subscribe to the channel name.
+The sender of a message is derived from the message's signature.
+- Discovery of channel names is not currently part of the protocol, and is typically done out of band.
+If a channel name is used that has not been used, it will be created.
+- A client MUST sign the message otherwise it will be discarded by the recipients.
+- channel name specification:
+  - matches `[a-z0-9\-]`
+  - is not a public key
+
+#### Private 1:1 messages
+
+This can be done in the following ways:
+
+1. scanning a user generated QR code
+1. discovery through the Status app
+1. asynchronous X3DH key exchange
+1. public key via public channel listening
+    - `status-mobile/src/status_im/contact_code/core.cljs`
+1. contact codes
+1. decentralized storage (not implemented)
+1. Whisper/Waku
+
+### Initial Key Exchange
+
+#### Bundles
+
+- An X3DH prekey bundle is defined as ([code](https://github.com/status-im/status-go/messaging/chat/protobuf/encryption.pb.go)):
+
+  ```golang
+  Identity                // Identity key
+  SignedPreKeys           // a map of installation id to array of signed prekeys by that installation id
+  Signature               // Prekey signature
+  Timestamp               // When the bundle was lasted created locally
+  ```
+
+  - include BundleContainer
+- a new bundle SHOULD be created at least every 12 hours
+- a node only generates a bundle when it is used
+- a bundle SHOULD be distributed on the contact code channel. This is the Whisper and Waku topic `{IK}-contact-code`,
+where `IK` is the hex encoded public key of the user, prefixed with `0x`.
+The node encrypts the channel in the same way it encrypted public chats.
+
+### Contact Verification
+
+To verify that contact key information is as it should be, use the following.
+
+#### Identicon
+
+A low-poly identicon is deterministically generated from the Whisper/Waku chat public key.
+This can be compared out of band to ensure the receiver's public key is the one stored locally.
+
+#### 3 word pseudonym / Whisper/Waku key fingerprint
+
+Status generates a deterministic 3-word random pseudonym from the Whisper/Waku chat public key.
+This pseudonym acts as a human readable fingerprint to the Whisper/Waku chat public key.
+This name also shows when viewing a contact's public profile and in the chat UI.
+
+- implementation: [gfycat](https://github.com/status-im/status-mobile/tree/develop/src/status_im/utils/gfycat)
+
+#### ENS name
+
+Status offers the ability to register a mapping of a human readable subdomain of `stateofus.eth` to their Whisper/Waku chat public key.
+The user purchases this registration (currently by staking 10 SNT)
+and the node stores it on the Ethereum mainnet blockchain for public lookup.
+
+<!-- TODO: Elaborate on security implications -->
+
+<!-- TODO: Incorporate or cut below into proper spec
+
+### Possible Connection Breakdown
+
+possible connections
+- client - client (not really ever, this is facilitated through all other connections)
+    - personal chat
+        - ratcheted with X3DH
+    - private group chat
+        - pairwise ratcheted with X3DH
+    - public chat
+- client - mailserver (statusd + ???)
+    - a mailserver identifies itself by an [enode address](https://github.com/ethereum/wiki/wiki/enode-url-format) 
+- client - Whisper/Waku node (statusd)
+    - a node identifies itself by an enode address
+- client - bootnode (go-ethereum)
+    - a bootnode identifies itself by
+        - an enode address
+        - `NOTE: redezvous information here`
+- client - ENS registry (ethereum blockchain -> default to infura)
+- client - Ethereum RPC (custom go-ethereum RPC API -> default to infura API)
+- client - IPFS (Status hosted IPFS gateway -> defaults to ???)
+    - we have a status hosted IPFS gateway for pinning but it currently isn't used much.
+
+### Notes
+
+A user in the system is a public-private key pair using the Elliptic-Curve Cryptography secp256k1 that Ethereum uses.
+- A 3-word random name is derived from the public key using the following package
+    - `NOTE: need to find package`
+    - This provides an associated human-readble fingerprint to the user's public key
+- A user can optionally add additional layers on top of this keypair
+    - Chosen username
+    - ENS username
+
+All messages sent are encrypted with the public key of the destination and signed by the private key of the given user using the following scheme:
+- private chat
+    - X3DH is used to define shared secrets which is then double ratcheted
+- private group chat
+    - considered pairwise private chats 
+- public group chat
+    - the message is encrypted with a symmetric key derived from the chat name
+
+-->
+
+## Public Key Serialization
+
+Idiomatically known as "public key compression" and "public key decompression".
+
+The node SHOULD provide functionality for the serialization and deserialization of public / chat keys.
+
+For maximum flexibility, when implementing this functionality, the node MUST support public keys encoded in a range of encoding formats, detailed below.
+
+### Basic Serialization Example
+
+In the example of a typical hexadecimal encoded elliptical curve (EC) public key (such as a secp256k1 pk),
+
+```text
+0x04261c55675e55ff25edb50b345cfb3a3f35f60712d251cbaaab97bd50054c6ebc3cd4e22200c68daf7493e1f8da6a190a68a671e2d3977809612424c7c3888bc6
+```
+
+minor modification for compatibility and flexibility makes the key self-identifiable and easily parsable,
+
+```text
+fe70104261c55675e55ff25edb50b345cfb3a3f35f60712d251cbaaab97bd50054c6ebc3cd4e22200c68daf7493e1f8da6a190a68a671e2d3977809612424c7c3888bc6
+```
+
+EC serialization and compact encoding produces a much smaller string representation of the original key.
+
+```text
+zQ3shPyZJnxZK4Bwyx9QsaksNKDYTPmpwPvGSjMYVHoXHeEgB
+```
+
+### Public Key "Compression" Rationale
+
+Serialized and compactly encoded ("compressed") public keys have a number of UI / UX advantages
+over non-serialized less densely encoded public keys.
+
+Compressed public keys are smaller, and users may perceive them as less intimidating and less unnecessarily large.
+Compare the "compressed" and "uncompressed" version of the same public key from above example:
+
+- `0xe70104261c55675e55ff25edb50b345cfb3a3f35f60712d251cbaaab97bd50054c6ebc3cd4e22200c68daf7493e1f8da6a190a68a671e2d3977809612424c7c3888bc6`
+- `zQ3shPyZJnxZK4Bwyx9QsaksNKDYTPmpwPvGSjMYVHoXHeEgB`
+
+The user can transmit and share the same data, but at one third of the original size.
+136 characters uncompressed vs 49 characters compressed, giving a significant character length reduction of 64%.
+
+The user client app MAY use the compressed public keys throughout the user interface.
+For example in the `status-mobile` implementation of the user interface
+the following places could take advantage of a significantly smaller public key:  
+
+- `Onboarding` > `Choose a chat name`
+- `Profile` > `Header`
+- `Profile` > `Share icon` > `QR code popover`
+- `Invite friends` url from `Invite friends` button and `+ -button` > `Invite friends`
+- Other user `Profile details`
+- `Profile details` > `Share icon` > `QR code popover`
+
+In the case of QR codes a compressed public key can reduce the complexity of the derived codes:
+
+| Uncompressed |
+| --- |
+|![image](/status/deprecated/images/qr-code1-accountmd.png) |
+
+| Compressed |
+| --- |
+| ![image](/status/deprecated/images/qr-code2-accountmd.png)|
+
+### Key Encoding
+
+When implementing the pk de/serialization functionality, the node MUST use the [multiformats/multibase](https://github.com/multiformats/multibase)
+encoding protocol to interpret incoming key data and to return key data in a desired encoding.
+
+The node SHOULD support the following `multibase` encoding formats.
+
+```csv
+encoding,          code, description,                                              status
+identity,          0x00, 8-bit binary (encoder and decoder keeps data unmodified), default
+base2,             0,    binary (01010101),                                        candidate
+base8,             7,    octal,                                                    draft
+base10,            9,    decimal,                                                  draft
+base16,            f,    hexadecimal,                                              default
+base16upper,       F,    hexadecimal,                                              default
+base32hex,         v,    rfc4648 case-insensitive - no padding - highest char,     candidate
+base32hexupper,    V,    rfc4648 case-insensitive - no padding - highest char,     candidate
+base32hexpad,      t,    rfc4648 case-insensitive - with padding,                  candidate
+base32hexpadupper, T,    rfc4648 case-insensitive - with padding,                  candidate
+base32,            b,    rfc4648 case-insensitive - no padding,                    default
+base32upper,       B,    rfc4648 case-insensitive - no padding,                    default
+base32pad,         c,    rfc4648 case-insensitive - with padding,                  candidate
+base32padupper,    C,    rfc4648 case-insensitive - with padding,                  candidate
+base32z,           h,    z-base-32 (used by Tahoe-LAFS),                           draft
+base36,            k,    base36 [0-9a-z] case-insensitive - no padding,            draft
+base36upper,       K,    base36 [0-9a-z] case-insensitive - no padding,            draft
+base58btc,         z,    base58 bitcoin,                                           default
+base58flickr,      Z,    base58 flicker,                                           candidate
+base64,            m,    rfc4648 no padding,                                       default
+base64pad,         M,    rfc4648 with padding - MIME encoding,                     candidate
+base64url,         u,    rfc4648 no padding,                                       default
+base64urlpad,      U,    rfc4648 with padding,                                     default
+```
+
+**Note** this specification RECOMMENDs that implementations extend the standard `multibase` protocol
+to parse strings prepended with `0x` as `f` hexadecimal encoded bytes.
+
+Implementing this recommendation will allow the node to correctly interpret traditionally identified hexadecimal strings (e.g. `0x1337c0de`).
+
+*Example:*
+
+`0xe70102261c55675e55ff25edb50b345cfb3a3f35f60712d251cbaaab97bd50054c6ebc`
+
+SHOULD be interpreted as
+
+`fe70102261c55675e55ff25edb50b345cfb3a3f35f60712d251cbaaab97bd50054c6ebc`
+
+This specification RECOMMENDs that the consuming service of the node uses a compact encoding type,
+such as base64 or base58 to allow for as short representations of the key as possible.
+
+### Public Key Types
+
+When implementing the pk de/serialization functionality, The node MUST support the [multiformats/multicodec](https://github.com/multiformats/multicodec) key type identifiers for the following public key type.
+
+| Name               | Tag | Code   | Description                          |
+| ------------------ | --- | ------ | ------------------------------------ |
+| `secp256k1-pub`    | key | `0xe7` | Secp256k1 public key                 |
+
+For a public key to be identifiable to the node the public key data MUST be prepended with the relevant [multiformats/unsigned-varint](https://github.com/multiformats/unsigned-varint) formatted code.
+
+*Example:*
+
+Below is a representation of an deserialized secp256k1 public key.
+
+```text
+04
+26 | 1c | 55 | 67 | 5e | 55 | ff | 25
+ed | b5 | 0b | 34 | 5c | fb | 3a | 3f
+35 | f6 | 07 | 12 | d2 | 51 | cb | aa
+ab | 97 | bd | 50 | 05 | 4c | 6e | bc
+3c | d4 | e2 | 22 | 00 | c6 | 8d | af
+74 | 93 | e1 | f8 | da | 6a | 19 | 0a
+68 | a6 | 71 | e2 | d3 | 97 | 78 | 09
+61 | 24 | 24 | c7 | c3 | 88 | 8b | c6
+```
+
+The `multicodec` code for a secp256k1 public key is `0xe7`.
+
+After parsing the code `0xe7` as a `multiformats/uvarint`, the byte value is `0xe7 0x01`, prepending this to the public key results in the below representation.
+
+```text
+e7 | 01 | 04
+26 | 1c | 55 | 67 | 5e | 55 | ff | 25
+ed | b5 | 0b | 34 | 5c | fb | 3a | 3f
+35 | f6 | 07 | 12 | d2 | 51 | cb | aa
+ab | 97 | bd | 50 | 05 | 4c | 6e | bc
+3c | d4 | e2 | 22 | 00 | c6 | 8d | af
+74 | 93 | e1 | f8 | da | 6a | 19 | 0a
+68 | a6 | 71 | e2 | d3 | 97 | 78 | 09
+61 | 24 | 24 | c7 | c3 | 88 | 8b | c6
+```
+
+### De/Serialization Process Flow
+
+When implementing the pk de/serialization functionality, the node MUST be passed a `multicodec` identified public key,
+of the above supported types, encoded with a valid `multibase` identifier.
+
+This specification RECOMMENDs that the node also accept an encoding type parameter to encode the output data.
+This provides for the case where the user requires the de/serialization key to be in a different encoding to the encoding of the given key.
+
+#### Serialization Example
+
+A hexadecimal encoded secp256k1 public chat key typically is represented as below:
+
+```text
+0x04261c55675e55ff25edb50b345cfb3a3f35f60712d251cbaaab97bd50054c6ebc3cd4e22200c68daf7493e1f8da6a190a68a671e2d3977809612424c7c3888bc6
+```
+
+To be properly interpreted by the node for serialization the public key MUST be prepended with the `multicodec` `uvarint` code `0xea 0x01`
+and encoded with a valid `multibase` encoding, therefore giving the following:
+
+```text
+fea0104261c55675e55ff25edb50b345cfb3a3f35f60712d251cbaaab97bd50054c6ebc3cd4e22200c68daf7493e1f8da6a190a68a671e2d3977809612424c7c3888bc6
+```
+
+If adhering to the specification recommendation to provide the user with an output encoding parameter,
+the above string would be passed to the node with the following `multibase` encoding identifier.
+
+In this example the output encoding is defined as `base58 bitcoin`.
+
+```text
+z
+```
+
+The return value in this case would be
+
+```text
+zQ3shPyZJnxZK4Bwyx9QsaksNKDYTPmpwPvGSjMYVHoXHeEgB
+```
+
+Which after `multibase` decoding can be represented in bytes as below:
+
+```text
+e7 | 01 | 02
+26 | 1c | 55 | 67 | 5e | 55 | ff | 25
+ed | b5 | 0b | 34 | 5c | fb | 3a | 3f
+35 | f6 | 07 | 12 | d2 | 51 | cb | aa
+ab | 97 | bd | 50 | 05 | 4c | 6e | bc
+```
+
+#### Deserialization Example
+
+For the user, the deserialization process is exactly the same as serialization with the exception
+that the user MUST provide a serialized public key for deserialization. Else the deserialization algorithm will fail.
+
+For further guidance on the implementation of public key de/serialization consult the [`status-go` implementation and tests](https://github.com/status-im/status-go/blob/c9772325f2dca76b3504191c53313663ca2efbe5/api/utils_test.go).  
+
+## Security Considerations
+
+-
+
+## Changelog
+
+### Version 0.4
+
+Released [June 24, 2020](https://github.com/status-im/specs/commit/e98a9b76b7d4e1ce93e0b692e1521c2d54f72c59)
+
+- Added details of public key serialization and deserialization
+
+### Version 0.3
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+- Added language to include Waku in all relevant places
+- Change to keep `Mailserver` term consistent
+- Added clarification to Open Whisper Systems
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [BIP43](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki)
+- [BIP39](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)
+- [EIP1581](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1581.md)
+- [BIP44](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)
+- [Open Whisper Systems](https://en.wikipedia.org/wiki/Signal_Messenger#2013%E2%80%932018:_Open_Whisper_Systems)
+- [X3DH](https://signal.org/docs/specifications/x3dh/#the-x3dh-protocol)
+- [web3 API](https://web3js.readthedocs.io/en/1.0/web3-shh.html#generatesymkeyfrompassword)
+- [Protobuf encryption](https://github.com/status-im/status-go/messaging/chat/protobuf/encryption.pb.go)
+- [gfycat in Status](https://github.com/status-im/status-mobile/tree/develop/src/status_im/utils/gfycat)
+- [multiformats](https://github.com/multiformats/)
+- [status-go implementation and tests](https://github.com/status-im/status-go/blob/c9772325f2dca76b3504191c53313663ca2efbe5/api/utils_test.go)
+- [June 24, 2020 change commit](https://github.com/status-im/specs/commit/e98a9b76b7d4e1ce93e0b692e1521c2d54f72c59)
+- [May 22, 2020 change commit](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)

status/deprecated/client.md

@@ -0,0 +1,427 @@
+---
+title: CLIENT
+name: Client
+status: deprecated
+description: This specification describes how to write a Status client for communicating with other Status clients.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Adam Babik <adam@status.im>
+  - Andrea Maria Piana <andreap@status.im>
+  - Dean Eigenmann <dean@status.im>
+  - Corey Petty <corey@status.im>
+  - Oskar Thorén <oskar@status.im>
+  - Samuel Hawksby-Robinson <samuel@status.im>
+---
+
+## Abstract
+
+This specification describes how to write a Status client for communicating  
+with other Status clients.  
+This specification presents a reference implementation of the protocol
+used in a command-line client and a mobile app.
+
+This document consists of two parts.  
+The first outlines the specifications required to be a full Status client.  
+The second provides a design rationale and answers some common questions.
+
+## Introduction
+
+### Protocol layers
+
+Implementing a Status clients largely means implementing the following layers.
+Additionally, there are separate specifications for things like key management and account lifecycle.
+
+Other aspects, such as how a node uses IPFS for stickers or how the browser works, are currently underspecified.
+These specifications facilitate the implementation of a Status client for basic private communication.
+
+| Layer             | Purpose                        | Technology                   |
+| ----------------- | ------------------------------ | ---------------------------- |
+| Data and payloads | End user functionality         | 1:1, group chat, public chat |
+| Data sync         | Data consistency               | MVDS.                        |
+| Secure transport  | Confidentiality, PFS, etc      | Double Ratchet               |
+| Transport privacy | Routing, Metadata protection   | Waku / Whisper               |
+| P2P Overlay       | Overlay routing, NAT traversal | devp2p                       |
+
+### Protobuf
+
+[`protobuf`](https://developers.google.com/protocol-buffers/) is used in different layers, version `proto3` used is unless stated otherwise.
+
+## Components
+
+### P2P Overlay
+
+Status clients run on a public, permissionless peer-to-peer network, as specified by the devP2P
+network protocols. devP2P provides a protocol for node discovery which is in
+draft mode
+[here](https://github.com/ethereum/devp2p/blob/master/discv5/discv5.md). See
+more on node discovery and management in the next section.
+
+To communicate between Status nodes, the [RLPx Transport
+Protocol, v5](https://github.com/ethereum/devp2p/blob/master/rlpx.md) is used, which
+allows for TCP-based communication between nodes.
+
+On top of this RLPx-based subprotocols are ran, the client
+SHOULD NOT use [Whisper V6](https://eips.ethereum.org/EIPS/eip-627), the client
+SHOULD use [Waku V1](/waku/standards/legacy/6/waku1.md)
+for privacy-preserving messaging and efficient usage of a node's bandwidth.
+
+#### Node discovery and roles
+
+There are four types of node roles:
+
+1. `Bootstrap node`
+1. `Whisper/Waku relayer`
+1. `Mailserver` (servers and clients)
+1. `Mobile node` (Status Clients)
+
+A standard Status client MUST implement both `Whisper/Waku relayer` and `Mobile node` node types. The
+other node types are optional, but it is RECOMMEND to implement a `Mailserver`
+client mode, otherwise the user experience is likely to be poor.
+
+#### Bootstrapping
+
+Bootstrap nodes allow Status nodes to discover and connect to other Status nodes
+in the network.
+
+Currently, Status Gmbh provides the main bootstrap nodes, but anyone can
+run these provided they are connected to the rest of the Whisper/Waku network.
+
+Status maintains a list of production fleet bootstrap nodes in the following locations:
+
+**Hong Kong:**
+
+- `enode://6e6554fb3034b211398fcd0f0082cbb6bd13619e1a7e76ba66e1809aaa0c5f1ac53c9ae79cf2fd4a7bacb10d12010899b370c75fed19b991d9c0cdd02891abad@47.75.99.169:443`
+- `enode://23d0740b11919358625d79d4cac7d50a34d79e9c69e16831c5c70573757a1f5d7d884510bc595d7ee4da3c1508adf87bbc9e9260d804ef03f8c1e37f2fb2fc69@47.52.106.107:443`
+
+**Amsterdam:**
+
+- `enode://436cc6f674928fdc9a9f7990f2944002b685d1c37f025c1be425185b5b1f0900feaf1ccc2a6130268f9901be4a7d252f37302c8335a2c1a62736e9232691cc3a@178.128.138.128:443`
+- `enode://5395aab7833f1ecb671b59bf0521cf20224fe8162fc3d2675de4ee4d5636a75ec32d13268fc184df8d1ddfa803943906882da62a4df42d4fccf6d17808156a87@178.128.140.188:443`
+
+**Central US:**
+
+- `enode://32ff6d88760b0947a3dee54ceff4d8d7f0b4c023c6dad34568615fcae89e26cc2753f28f12485a4116c977be937a72665116596265aa0736b53d46b27446296a@34.70.75.208:443`
+- `enode://5405c509df683c962e7c9470b251bb679dd6978f82d5b469f1f6c64d11d50fbd5dd9f7801c6ad51f3b20a5f6c7ffe248cc9ab223f8bcbaeaf14bb1c0ef295fd0@35.223.215.156:443`
+
+These bootstrap nodes MAY change and are not guaranteed to stay this way forever
+and at some point circumstances might force them to change.
+
+#### Discovery
+
+A Status client MUST discover or have a list of peers to connect to. Status uses a
+light discovery mechanism based on a combination of [Discovery v5](https://github.com/ethereum/devp2p/blob/master/discv5/discv5.md) and
+[Rendezvous Protocol](https://github.com/libp2p/specs/tree/master/rendezvous),
+(with some [modifications](https://github.com/status-im/rendezvous#differences-with-original-rendezvous)).
+Additionally, some static nodes MAY also be used.
+
+A Status client MUST use at least one discovery method or use static nodes
+to communicate with other clients.
+
+Discovery V5 uses bootstrap nodes to discover other peers. Bootstrap nodes MUST support
+Discovery V5 protocol as well in order to provide peers. It is kademlia-based discovery mechanism
+and it might consume significant (at least on mobile) amount of network traffic to operate.
+
+In order to take advantage from simpler and more mobile-friendly peers discovery mechanism,
+i.e. Rendezvous protocol, one MUST provide a list of Rendezvous nodes which speak
+Rendezvous protocol. Rendezvous protocol is request-response discovery mechanism.
+It uses Ethereum Node Records (ENR) to report discovered peers.
+
+Both peers discovery mechanisms use topics to provide peers with certain capabilities.
+There is no point in returning peers that do not support a particular protocol.
+Status nodes that want to be discovered MUST register to Discovery V5 and/or Rendezvous
+with the `whisper` topic. Status nodes that are `Mailservers` and want to
+be discoverable MUST additionally register with the `whispermail` topic.
+
+It is RECOMMENDED to use both mechanisms but at the same time implement a structure
+called `PeerPool`. `PeerPool` is responsible for maintaining an optimal number of peers.
+For mobile nodes, there is no significant advantage to have more than 2-3 peers and one `Mailserver`.
+`PeerPool` can notify peers discovery protocol implementations that they should suspend
+their execution because the optimal number of peers is found. They should resume
+if the number of connected peers drops or a `Mailserver` disconnects.
+
+It is worth noticing that an efficient caching strategy MAY be of great use, especially,
+on mobile devices. Discovered peers can be cached as they rarely change and used
+when the client starts again. In such a case, there might be no need to even start
+peers discovery protocols because cached peers will satisfy the optimal number of peers.
+
+Alternatively, a client MAY rely exclusively on a list of static peers. This is the most efficient
+way because there are no peers discovery algorithm overhead introduced. The disadvantage
+is that these peers might be gone and without peers discovery mechanism, it won't be possible to find
+new ones.
+
+The current list of static peers is published on <https://fleets.status.im/>. `eth.prod` is the current
+group of peers the official Status client uses. The others are test networks.
+
+Finally, Waku node addresses can be retrieved by traversing
+the merkle tree found at [`fleets.status.im`](https://fleets.status.im), as described in [EIP-1459](https://eips.ethereum.org/EIPS/eip-1459#client-protocol).
+
+#### Mobile nodes
+
+A `Mobile node` is a Whisper and/or Waku node which connects to part of the respective Whisper
+and/or Waku network(s). A `Mobile node` MAY relay messages. See next section for more details on how
+to use Whisper and/or Waku to communicate with other Status nodes.
+
+### Transport privacy and Whisper / Waku usage
+
+Once a Whisper and/or Waku node is up and running there are some specific settings required
+to communicate with other Status nodes.
+
+See [WHISPER-USAGE](/status/deprecated/whisper-usage.md) and [WAKU-USAGE](/status/deprecated/waku-usage.md) for more details.
+
+For providing an offline inbox, see the complementary [WHISPER-MAILSERVER](/status/deprecated/whisper-mailserver.md) and [WAKU-MAILSERVER](/status/deprecated/waku-mailserver.md).
+
+### Secure Transport
+
+In order to provide confidentiality, integrity, authentication and forward
+secrecy of messages the node implements a secure transport on top of Whisper and Waku. This is
+used in 1:1 chats and group chats, but not for public chats. See [SECURE-TRANSPORT](/status/deprecated/secure-transport.md) for more.
+
+### Data Sync
+
+[MVDS](/vac/2/mvds.md) is used for 1:1 and group chats, however it is currently not in use for public chats.
+[Status payloads](#payloads-and-clients) are serialized and then wrapped inside an
+MVDS message which is added to an [MVDS payload](/vac/2/mvds.md#payloads),
+the node encrypts this payload (if necessary for 1-to-1 / group-chats) and sends it using
+Whisper or Waku which also encrypts it.
+
+### Payloads and clients
+
+On top of secure transport, various types of data sync clients and
+the node uses payload formats for things like 1:1 chat, group chat and public chat. These have
+various degrees of standardization. Please refer to [PAYLOADS](/status/deprecated/payloads.md) for more details.
+
+### BIPs and EIPs Standards support
+
+For a list of EIPs and BIPs that SHOULD be supported by Status client, please
+see [EIPS](/status/deprecated/eips.md).
+
+## Security Considerations
+
+See [Appendix A](#appendix-a-security-considerations)
+
+## Design Rationale
+
+P2P Overlay
+
+### Why devp2p? Why not use libp2p?
+
+At the time Status developed the main Status clients, devp2p was the most
+mature. However, in the future libp2p is likely to be used, as it'll
+provide us with multiple transports, better protocol negotiation, NAT traversal,
+etc.
+
+For very experimental bridge support, see the bridge between libp2p and devp2p
+in [Murmur](https://github.com/status-im/murmur).
+
+### What about other RLPx subprotocols like LES, and Swarm?
+
+Status is primarily optimized for resource restricted devices, and at present
+time light client support for these protocols are suboptimal. This is a work in
+progress.
+
+For better Ethereum light client support, see [Re-enable LES as
+option](https://github.com/status-im/status-go/issues/1025). For better Swarm
+support, see [Swarm adaptive
+nodes](https://github.com/ethersphere/SWIPs/pull/12).
+
+For transaction support, Status clients currently have to rely on Infura.
+
+Status clients currently do not offer native support for file storage.
+
+### Why do you use Whisper?
+
+Whisper is one of the [three parts](http://gavwood.com/dappsweb3.html) of the
+vision of Ethereum as the world computer, Ethereum and Swarm being the other
+two. Status was started as an encapsulation of and a clear window to this world
+computer.
+
+### Why do you use Waku?
+
+Waku is a direct upgrade and replacement for Whisper, the main motivation for
+developing and implementing Waku can be found in the [Waku specs](/waku/).
+
+>Waku was created to incrementally improve in areas that Whisper is lacking in,
+>with special attention to resource restricted devices. We specify the standard for
+>Waku messages in order to ensure forward compatibility of different Waku clients,
+>backwards compatibility with Whisper clients, as well as to allow multiple
+>implementations of Waku and its capabilities. We also modify the language to be more
+>unambiguous, concise and consistent.
+
+Considerable work has gone into the active development of Ethereum, in contrast Whisper
+is not currently under active development, and it has several drawbacks. Among others:
+
+- Whisper is very wasteful bandwidth-wise and doesn't appear to be scalable
+- Proof of work is a poor spam protection mechanism for heterogeneous devices
+- The privacy guarantees provided are not rigorous
+- There are no incentives to run a node
+
+Finding a more suitable transport privacy is an ongoing research effort,
+together with [Vac](https://vac.dev/vac-overview) and other teams in the space.
+
+### Why is PoW for Waku set so low?
+
+A higher PoW would be desirable, but this kills the battery on mobile phones,
+which is a prime target for Status clients.
+
+This means the network is currently vulnerable to DDoS attacks. Alternative
+methods of spam protection are currently being researched.
+
+### Why do you not use Discovery v5 for node discovery?
+
+At the time of implementing dynamic node discovery, Discovery v5 wasn't completed
+yet. Additionally, running a DHT on a mobile leads to slow node discovery, bad
+battery and poor bandwidth usage. Instead, each client can choose to turn on
+Discovery v5 for a short period until the node populates their peer list.
+
+For some further investigation, see
+[here](https://github.com/status-im/swarms/blob/master/ideas/092-disc-v5-research.md).
+
+### I heard something about `Mailservers` being trusted somehow?
+
+In order to use a `Mailserver`, a given node needs to connect to it directly, i.e. add the `Mailserver`
+as its peer and mark it as trusted.
+This means that the `Mailserver` is able to send direct p2p messages to the node instead of broadcasting them.
+Effectively, it knows the bloom filter of the topics the node is interested in,
+when it is online as well as many metadata like IP address.
+
+### Data sync
+
+#### Why is MVDS not used for public chats?
+
+Currently, public chats are broadcast-based, and there's no direct way of finding
+out who is receiving messages. Hence there's no clear group sync state context
+whereby participants can sync. Additionally, MVDS is currently not optimized for
+large group contexts, which means bandwidth usage will be a lot higher than
+reasonable. See [P2P Data Sync for Mobile](https://vac.dev/p2p-data-sync-for-mobile) for more.
+This is an active area of research.
+
+## Footnotes
+
+1. <https://github.com/status-im/status-protocol-go/>
+2. <https://github.com/status-im/status-console-client/>
+3. <https://github.com/status-im/status-mobile/>
+
+## Appendix A: Security considerations
+
+There are several security considerations to take into account when running Status.
+Chief among them are: scalability, DDoS-resistance and privacy.
+These also vary depending on what capabilities are used, such as `Mailserver`, light node, and so on.
+
+### Scalability and UX
+
+**Bandwidth usage:**
+
+In version 1 of Status, bandwidth usage is likely to be an issue.
+In Status version 1.1 this is partially addressed with Waku usage, see [the theoretical scaling model](https://github.com/vacp2p/research/tree/dcc71f4779be832d3b5ece9c4e11f1f7ec24aac2/whisper_scalability).
+
+**`Mailserver` High Availability requirement:**
+
+A `Mailserver` has to be online to receive messages for other nodes, this puts a high availability requirement on it.
+
+**Gossip-based routing:**
+
+Use of gossip-based routing doesn't necessarily scale.
+It means each node can see a message multiple times,
+and having too many light nodes can cause propagation probability that is too low.
+See [Whisper vs PSS](https://our.status.im/whisper-pss-comparison/) for more and a possible Kademlia based alternative.
+
+**Lack of incentives:**
+
+Status currently lacks incentives to run nodes, which means node operators are more likely to create centralized choke points.
+
+### Privacy
+
+**Light node privacy:**
+
+The main privacy concern with light nodes is that directly connected peers will know that a message originates from them (as it are the only ones it sends). This means nodes can make assumptions about what messages (topics) their peers are interested in.
+
+**Bloom filter privacy:**
+
+A user reveals which messages they are interested in, by setting only the topics they are interested in on the bloom filter.
+This is a fundamental trade-off between bandwidth usage and privacy,
+though the trade-off space is likely suboptimal in terms of the [Anonymity](https://eprint.iacr.org/2017/954.pdf) [trilemma](https://petsymposium.org/2019/files/hotpets/slides/coordination-helps-anonymity-slides.pdf).
+
+**`Mailserver client` privacy:**
+
+A `Mailserver client` has to trust a `Mailserver`, which means they can send direct traffic. This reveals what topics / bloom filter a node is interested in, along with its peerID (with IP).
+
+**Privacy guarantees not rigorous:**
+
+Privacy for Whisper or Waku hasn't been studied rigorously for various threat models like global passive adversary, local active attacker, etc. This is unlike e.g. Tor and mixnets.
+
+**Topic hygiene:**
+
+Similar to bloom filter privacy, using a very specific topic reveals more information. See scalability model linked above.
+
+### Spam resistance
+
+**PoW bad for heterogeneous devices:**
+
+Proof of work is a poor spam prevention mechanism. A mobile device can only have a very low PoW in order not to use too much CPU / burn up its phone battery. This means someone can spin up a powerful node and overwhelm the network.
+
+**`Mailserver` trusted connection:**
+
+A `Mailserver` has a direct TCP connection, which means they are trusted to send traffic. This means a malicious or malfunctioning `Mailserver` can overwhelm an individual node.
+
+### Censorship resistance
+
+**Devp2p TCP port blockable:**
+
+By default Devp2p runs on port `30303`, which is not commonly used for any other service. This means it is easy to censor, e.g. airport WiFi. This can be mitigated somewhat by running on e.g. port `80` or `443`, but there are still outstanding issues. See libp2p and Tor's Pluggable Transport for how this can be improved.
+
+See <https://github.com/status-im/status-mobile/issues/6351> for some discussion.
+
+## Acknowledgments
+
+Jacek Sieka
+
+## Changelog
+
+### Version 0.3
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+- Added that Waku SHOULD be used
+- Added that Whisper SHOULD NOT be used
+- Added language to include Waku in all relevant places
+- Change to keep `Mailserver` term consistent
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [Protobuf](https://developers.google.com/protocol-buffers/)
+- [Discv5](https://github.com/ethereum/devp2p/blob/master/discv5/discv5.md)
+- [RLPx Transport Protocol, v5](https://github.com/ethereum/devp2p/blob/master/rlpx.md)
+- [Whisper V6](https://eips.ethereum.org/EIPS/eip-627)
+- [Waku V1](/waku/standards/legacy/6/waku1.md)
+- [Rendezvous Protocol](https://github.com/libp2p/specs/tree/master/rendezvous)
+- [Rendezvous Protocol modifications](https://github.com/status-im/rendezvous#differences-with-original-rendezvous)
+- [Fleets Status](https://fleets.status.im)
+- [EIP-1459](https://eips.ethereum.org/EIPS/eip-1459#client-protocol)
+- [WHISPER-USAGE](/status/deprecated/whisper-usage.md)
+- [WAKU-USAGE](/status/deprecated/waku-usage.md)
+- [WHISPER-MAILSERVER](/status/deprecated/whisper-mailserver.md)
+- [WAKU-MAILSERVER](/status/deprecated/waku-mailserver.md)
+- [SECURE-TRANSPORT](/status/deprecated/secure-transport.md)
+- [MVDS](/vac/2/mvds.md)
+- [PAYLOADS](/status/deprecated/payloads.md)
+- [EIPS](/status/deprecated/eips.md)
+- [Murmur](https://github.com/status-im/murmur)
+- [Re-enable LES as option](https://github.com/status-im/status-go/issues/1025)
+- [Swarm adaptive nodes](https://github.com/ethersphere/SWIPs/pull/12)
+- [Whisper vs PSS](https://our.status.im/whisper-pss-comparison/)
+- [Waku specs](/waku/)
+- [Vac](https://vac.dev/vac-overview)
+- [theoretical scaling model](https://github.com/vacp2p/research/tree/dcc71f4779be832d3b5ece9c4e11f1f7ec24aac2/whisper_scalability)
+- [Anonymity](https://eprint.iacr.org/2017/954.pdf)
+- [trilemma](https://petsymposium.org/2019/files/hotpets/slides/coordination-helps-anonymity-slides.pdf)
+- [Whisper vs PSS](https://our.status.im/whisper-pss-comparison/)
+- [Discovery v5 research](https://github.com/status-im/swarms/blob/master/ideas/092-disc-v5-research.md)
+- [P2P Data Sync for Mobile](https://vac.dev/p2p-data-sync-for-mobile)
+- [Status protocol go](https://github.com/status-im/status-protocol-go/)
+- [Status console client](https://github.com/status-im/status-console-client/)
+- [Status mobile](https://github.com/status-im/status-mobile/)
+- [Status mobile issue 6351](https://github.com/status-im/status-mobile/issues/6351)

status/deprecated/dapp-browser-API-usage.md

@@ -0,0 +1,135 @@
+---
+title: Dapp browser API usage
+name: Dapp browser API usage
+status: deprecated
+description: This document describes requirements that an application must fulfill in order to provide a proper environment for Dapps running inside a browser.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+---
+
+## Abstract
+
+This document describes requirements that an application must fulfill in order to provide a proper environment for Dapps running inside a browser.
+A description of the Status Dapp API is provided, along with an overview of bidirectional communication underlying the API implementation.
+The document also includes a list of EIPs that this API implements.
+
+## Definitions
+
+| Term       | Description                                                                         |
+|------------|-------------------------------------------------------------------------------------|
+| **Webview**   | Platform-specific browser core implementation.                                    |
+| **Ethereum Provider** | A JS object (`window.ethereum`) injected into each web page opened in the browser providing web3 compatible provider. |
+| **Bridge** | A set of facilities allow bidirectional communication between JS code and the application. |
+
+## Overview
+
+The application should expose an Ethereum Provider object (`window.ethereum`) to JS code running inside the browser.
+It is important to have the `window.ethereum` object available before the page loads, otherwise Dapps might not work correctly.
+
+Additionally, the browser component should also provide bidirectional communication between JS code and the application.
+
+## Usage in Dapps
+
+Dapps can use the below properties and methods of `window.ethereum` object.
+
+### Properties
+
+#### `isStatus`
+
+Returns true. Can be used by the Dapp to find out whether it's running inside Status.
+
+#### `status`
+
+Returns a `StatusAPI` object. For now it supports one method: `getContactCode` that sends a `contact-code` request to Status.
+
+### Methods
+
+#### `isConnected`
+
+Similarly to Ethereum JS API [docs](https://github.com/ethereum/wiki/wiki/JavaScript-API#web3isconnected),
+it should be called to check if connection to a node exists. On Status, this fn always returns true, as once Status is up and running, node is automatically started.
+
+#### `scanQRCode`
+
+Sends a `qr-code` Status API request.
+
+#### `request`
+
+`request` method as defined by EIP-1193.
+
+### Unused
+
+Below are some legacy methods that some Dapps might still use.
+
+#### `enable` (DEPRECATED)
+
+Sends a `web3` Status API request. It returns a first entry in the list of available accounts.
+
+Legacy `enable` method as defined by [EIP1102](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1102.md).
+
+#### `send` (DEPRECATED)
+
+Legacy `send` method as defined by [EIP1193](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1193.md).
+
+#### `sendAsync` (DEPRECATED)
+
+Legacy `sendAsync` method as defined by [EIP1193](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1193.md).
+
+#### `sendSync` (DEPRECATED)
+
+Legacy `send` method.
+
+## Implementation
+
+Status uses a [forked version](https://github.com/status-im/react-native-webview) of [react-native-webview](https://github.com/react-native-community/react-native-webview)  to display web or dapps content.
+The fork provides an Android implementation of JS injection before page load.
+It is required in order to properly inject Ethereum Provider object.
+
+Status injects two JS scripts:
+
+- [provider.js](https://github.com/status-im/status-mobile/blob/develop/resources/js/provider.js): `window.ethereum` object
+- [webview.js](https://github.com/status-im/status-mobile/blob/develop/resources/js/webview.js): override for `history.pushState` used internally
+
+Dapps running inside a browser communicate with Status Ethereum node by means of a *bridge* provided by react-native-webview library.
+The bridge allows for bidirectional communication between browser and Status. In order to do so, it injects a special `ReactNativeWebview` object into each page it loads.
+
+On Status (React Native) end, `react-native-webview` library provides `WebView.injectJavascript` function
+on a webview component that allows to execute arbitrary code inside the webview.
+Thus it is possible to inject a function call passing Status node response back to the Dapp.
+
+Below is the table briefly describing what functions/properties are used. More details available in package [docs](https://github.com/react-native-community/react-native-webview/blob/master/docs/Guide.md#communicating-between-js-and-native).
+
+| Direction | Side | Method |
+|-----------|------|-----------|
+| Browser->Status | JS | `ReactNativeWebView.postMessage()`|
+| Browser->Status | RN | `WebView.onMessage()`|
+| Status->Browser | JS | `ReactNativeWebView.onMessage()`|
+| Status->Browser | RN | `WebView.injectJavascript()`|
+
+## Compatibility
+
+Status browser supports the following EIPs:
+
+- [EIP1102](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1102.md): `eth_requestAccounts` support
+- [EIP1193](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1193.md): `connect`, `disconnect`, `chainChanged`, and `accountsChanged` event support is not implemented
+
+## Changelog
+
+| Version | Comment |
+| :-----: | ------- |
+| 0.1.0 | Initial Release |
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [Ethereum JS API docs](https://github.com/ethereum/wiki/wiki/JavaScript-API#web3isconnected)
+- [EIP1102](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1102.md)
+- [EIP1193](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-1193.md)
+- [forked version](https://github.com/status-im/react-native-webview)
+- [react-native-webview](https://github.com/react-native-community/react-native-webview)
+- [provider.js](https://github.com/status-im/status-mobile/blob/develop/resources/js/provider.js)
+- [webview.js](https://github.com/status-im/status-mobile/blob/develop/resources/js/webview.js)
+- [docs](https://github.com/react-native-community/react-native-webview/blob/master/docs/Guide.md#communicating-between-js-and-native)

status/deprecated/eips.md

@@ -0,0 +1,286 @@
+---
+title: EIPS
+name: EIPS
+status: deprecated
+description: Status relation with the EIPs
+editor: Ricardo Guilherme Schmidt <ricardo3@status.im>
+contributors:
+- 
+---
+
+## Abstract
+
+This specification describes how Status relates with EIPs.
+
+## Introduction
+
+Status should follow all standards as possible.
+Whenever the Status app needs a feature, it should be first checked if there is a standard for that,
+if not, Status should propose a standard.
+
+### Support table
+
+|          | Status v0 | Status v1 | Other    | State    |
+|----------|-----------|-----------|----------| -------- |
+| BIP32    | N         | Y         | N        | `stable` |
+| BIP39    | Y         | Y         | Y        | `stable` |
+| BIP43    | N         | Y         | N        | `stable` |
+| BIP44    | N         | Y         | N        | `stable` |
+| EIP20    | Y         | Y         | Y        | `stable` |
+| EIP55    | Y         | Y         | Y        | `stable` |
+| EIP67    | P         | P         | N        | `stable` |
+| EIP137   | P         | P         | N        | `stable` |
+| EIP155   | Y         | Y         | Y        | `stable` |
+| EIP165   | P         | N         | N        | `stable` |
+| EIP181   | P         | N         | N        | `stable` |
+| EIP191   | Y?        | N         | Y        | `stable` |
+| EIP627   | Y         | Y         | N        | `stable` |
+| EIP681   | Y         | N         | Y        | `stable` |
+| EIP712   | P         | P         | Y        | `stable` |
+| EIP721   | P         | P         | Y        | `stable` |
+| EIP831   | N         | Y         | N        | `stable` |
+| EIP945   | Y         | Y         | N        | `stable` |
+| EIP1102  | Y         | Y         | Y        | `stable` |
+| EIP1193  | Y         | Y         | Y        | `stable` |
+| EIP1577  | Y         | P         | N        | `stable` |
+| EIP1581  | N         | Y         | N        | `stable` |
+| EIP1459  | N         |           | N        | `raw`    |
+
+## Components
+
+### BIP32 - Hierarchical Deterministic Wallets
+
+Support: Dependency.  
+[Reference](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)
+Description: Enable wallets to derive multiple private keys from the same seed.  
+Used for: Dependency of BIP39 and BIP43.  
+
+### BIP39 - Mnemonic code for generating deterministic keys
+
+Support: Dependency.  
+[Reference](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)
+Description: Enable wallet to create private key based on a safe seed phrase.
+Used for: Security and user experience.
+
+### BIP43 - Purpose Field for Deterministic Wallets
+
+Support: Dependency.  
+[Reference](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki)
+Description: Enable wallet to create private keys branched for a specific purpose.
+Used for: Dependency of BIP44, uses "ethereum" coin.
+
+### BIP44 - Multi-Account Hierarchy for Deterministic Wallets
+
+Support: Dependency.
+[Reference](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)
+Description: Enable wallet to derive multiple accounts in top of BIP39.  
+Used for: Privacy.  
+[Source code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/constants.cljs#L240)
+Observation: BIP44 don't solve privacy issues regarding the transparency of transactions, therefore directly connected addresses through a transactions can be identifiable by a "network reconnaissance attack" over transaction history, this attack together with leakage of information from centralized services, such as exchanges, would be fatal against the whole privacy of users, regardless of BIP44.  
+
+### EIP20 - Fungible Token
+
+Support: Full.  
+[Reference](https://eips.ethereum.org/EIPS/eip-20)
+Description: Enable wallets to use tokens based on smart contracts compliant with this standard.  
+Used for: Wallet feature.  
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/tokens.cljs)  
+
+### EIP55 - Mixed-case checksum address encoding
+
+Support: Full.  
+[Reference](https://eips.ethereum.org/EIPS/eip-55)
+Description: Checksum standard that uses lowercase and uppercase inside address hex value.  
+Used for: Sanity check of forms using ethereum address.  
+[Related](https://github.com/status-im/status-mobile/issues/4959) [Also](https://github.com/status-im/status-mobile/issues/8707)
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/eip55.cljs)
+
+### EIP67 - Standard URI scheme with metadata, value and byte code
+
+Support: Partial.  
+[Reference](https://github.com/ethereum/EIPs/issues/67)
+Description: A standard way of creating Ethereum URIs for various use-cases.  
+Used for: Legacy support.  
+[Issue](https://github.com/status-im/status-mobile/issues/875)  
+
+### EIP137 - Ethereum Domain Name Service - Specification
+
+Support: Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-137)
+Description: Enable wallets to lookup ENS names.  
+Used for: User experience, as a wallet and identity feature, usernames.  
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/ens.cljs#L86)
+
+### EIP155 - Simple replay attack protection
+
+Support: Full.  
+[Reference](https://eips.ethereum.org/EIPS/eip-155)
+Description: Defined chainId parameter in the singed ethereum transaction payload.  
+Used for: Signing transactions, crucial to safety of users against replay attacks.  
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/core.cljs)
+
+### EIP165 - Standard Interface Detection
+
+Support: Dependency/Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-165)
+Description: Standard interface for contract to answer if it supports other interfaces.  
+Used for: Dependency of ENS and EIP721.  
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/eip165.cljs)
+
+### EIP181 - ENS support for reverse resolution of Ethereum addresses
+
+Support: Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-181)
+Description: Enable wallets to render reverse resolution of Ethereum addresses.  
+Used for: Wallet feature.  
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/ens.cljs#L86)
+
+### EIP191 - Signed Message
+
+Support: Full.  
+[Reference](https://eips.ethereum.org/EIPS/eip-191)
+Description: Contract signature standard, adds an obligatory padding to signed message to differentiate from Ethereum Transaction messages.  
+Used for: Dapp support, security, dependency of ERC712.  
+
+### EIP627 - Whisper Specification
+
+Support: Full.  
+[Reference](https://eips.ethereum.org/EIPS/eip-627)
+Description: format of Whisper messages within the ÐΞVp2p Wire Protocol.  
+Used for: Chat protocol.  
+
+### EIP681 - URL Format for Transaction Requests
+
+Support: Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-681)
+Description: A link that pop up a transaction in the wallet.  
+Used for: Useful as QR code data for transaction requests, chat transaction requests and for dapp links to transaction requests.  
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/eip681.cljs)
+Related: [Issue #9183: URL Format for Transaction Requests (EIP681) is poorly supported](https://github.com/status-im/status-mobile/issues/9183) [Issue #9240](https://github.com/status-im/status-mobile/pull/9240) [Issue #9238](https://github.com/status-im/status-mobile/issues/9238) [Issue #7214](https://github.com/status-im/status-mobile/issues/7214) [Issue #7325](https://github.com/status-im/status-mobile/issues/7325) [Issue #8150](https://github.com/status-im/status-mobile/issues/8150)
+
+### EIP712 - Typed Signed Message
+
+Support: Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-712)
+Description: Standardize types for contract signature, allowing users to easily inspect whats being signed.  
+Used for: User experience, security.  
+Related: [Isse #5461](https://github.com/status-im/status-mobile/issues/5461) [Commit](https://github.com/status-im/status-mobile/commit/ba37f7b8d029d3358c7b284f6a2383b9ef9526c9)
+
+### EIP721 - Non Fungible Token
+
+Support: Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-721)
+Description: Enable wallets to use tokens based on smart contracts compliant with this standard.  
+Used for: Wallet feature.  
+Related: [Issue #8909](https://github.com/status-im/status-mobile/issues/8909)
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/erc721.cljs) [Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/tokens.cljs)  
+
+### EIP945 - Web 3 QR Code Scanning API
+
+Support: Full.  
+[Reference](https://github.com/ethereum/EIPs/issues/945)
+Used for: Sharing contactcode, reading transaction requests.  
+Related: [Issue #5870](https://github.com/status-im/status-mobile/issues/5870)
+
+### EIP1102 - Opt-in account exposure
+
+Support: Full.  
+[Reference](https://eips.ethereum.org/EIPS/eip-1102)
+Description: Allow users to opt-in the exposure of their ethereum address to dapps they browse.  
+Used for: Privacy, DApp support.  
+Related: [Issue #7985](https://github.com/status-im/status-mobile/issues/7985)
+
+### EIP1193 - Ethereum Provider JavaScript API
+
+Support: Full.  
+[Reference](https://eips.ethereum.org/EIPS/eip-1193)
+Description: Allows dapps to recognize event changes on wallet.  
+Used for: DApp support.  
+Related: [Issue #7246](https://github.com/status-im/status-mobile/pull/7246)
+
+### EIP1577 - contenthash field for ENS
+
+Support: Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-1577)  
+Description: Allows users browse ENS domains using contenthash standard.  
+Used for: Browser, DApp support.  
+Related: [Isse #6688](https://github.com/status-im/status-mobile/issues/6688)
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/utils/contenthash.cljs) [Sourcecode](https://github.com/status-im/status-mobile/blob/develop/test/cljs/status_im/test/utils/contenthash.cljs#L5)  
+
+### EIP1581 - Non-wallet usage of keys derived from BIP-32 trees
+
+Support: Partial.  
+[Reference](https://eips.ethereum.org/EIPS/eip-1581)
+Description: Allow wallet to derive keys that are less sensible (non wallet).  
+Used for: Security (don't reuse wallet key) and user experience (don't request keycard every login).  
+Related: [Issue #9096](https://github.com/status-im/status-mobile/issues/9088) [Issue #9096](https://github.com/status-im/status-mobile/pull/9096)  
+[Sourcecode](https://github.com/status-im/status-mobile/blob/develop/src/status_im/constants.cljs#L242)
+
+### EIP1459 - Node Discovery via DNS
+
+Support: -
+[Reference](https://eips.ethereum.org/EIPS/eip-1459)
+Description: Allows the storing and retrieving of nodes through merkle trees stored in TXT records of a domain.
+Used for: Finding Waku nodes.
+Related: -
+Sourcecode: -
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [BIP32 - Hierarchical Deterministic Wallets](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki)
+- [BIP39 - Mnemonic code for generating deterministic keys](https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki)
+- [BIP43 - Purpose Field for Deterministic Wallets](https://github.com/bitcoin/bips/blob/master/bip-0043.mediawiki)
+- [BIP44 - Multi-Account Hierarchy for Deterministic Wallets](https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki)
+- [BIP44 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/constants.cljs#L240)
+- [EIP20 - Fungible Token](https://eips.ethereum.org/EIPS/eip-20)
+- [EIP20 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/tokens.cljs)
+- [EIP55 - Mixed-case checksum address encoding](https://eips.ethereum.org/EIPS/eip-55)
+- [EIP55 Related Issue 4959](https://github.com/status-im/status-mobile/issues/4959)
+- [EIP55 Related Issue 8707](https://github.com/status-im/status-mobile/issues/8707)
+- [EIP55 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/eip55.cljs)
+- [EIP67 - Standard URI scheme with metadata, value and byte code](https://github.com/ethereum/EIPs/issues/67)
+- [EIP67 Related Issue 875](https://github.com/status-im/status-mobile/issues/875)
+- [EIP137 - Ethereum Domain Name Service - Specification](https://eips.ethereum.org/EIPS/eip-137)
+- [EIP137 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/ens.cljs#L86)
+- [EIP155 - Simple replay attack protection](https://eips.ethereum.org/EIPS/eip-155)
+- [EIP155 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/core.cljs)
+- [EIP165 - Standard Interface Detection](https://eips.ethereum.org/EIPS/eip-165)
+- [EIP165 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/eip165.cljs)
+- [EIP181 - ENS support for reverse resolution of Ethereum addresses](https://eips.ethereum.org/EIPS/eip-181)
+- [EIP181 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/ens.cljs#L86)
+- [EIP191 - Signed Message](https://eips.ethereum.org/EIPS/eip-191)
+- [EIP627 - Whisper Specification](https://eips.ethereum.org/EIPS/eip-627)
+- [EIP681 - URL Format for Transaction Requests](https://eips.ethereum.org/EIPS/eip-681)
+- [EIP681 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/eip681.cljs)
+- [EIP681 Related Issue 9183](https://github.com/status-im/status-mobile/issues/9183)
+- [EIP681 Related Issue 9240](https://github.com/status-im/status-mobile/pull/9240)
+- [EIP681 Related Issue 9238](https://github.com/status-im/status-mobile/issues/9238)
+- [EIP681 Related Issue 7214](https://github.com/status-im/status-mobile/issues/7214)
+- [EIP681 Related Issue 7325](https://github.com/status-im/status-mobile/issues/7325)
+- [EIP681 Related Issue 8150](https://github.com/status-im/status-mobile/issues/8150)
+- [EIP712 - Typed Signed Message](https://eips.ethereum.org/EIPS/eip-712)
+- [EIP712 Related Issue 5461](https://github.com/status-im/status-mobile/issues/5461)
+- [EIP712 Related Commit](https://github.com/status-im/status-mobile/commit/ba37f7b8d029d3358c7b284f6a2383b9ef9526c9)
+- [EIP721 - Non Fungible Token](https://eips.ethereum.org/EIPS/eip-721)
+- [EIP721 Related Issue 8909](https://github.com/status-im/status-mobile/issues/8909)
+- [EIP721 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/erc721.cljs)
+- [EIP721 Source Code (Tokens)](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/tokens.cljs)
+- [EIP945 - Web 3 QR Code Scanning API](https://github.com/ethereum/EIPs/issues/945)
+- [EIP945 Related Issue 5870](https://github.com/status-im/status-mobile/issues/5870)
+- [EIP1102 - Opt-in account exposure](https://eips.ethereum.org/EIPS/eip-1102)
+- [EIP1102 Related Issue 7985](https://github.com/status-im/status-mobile/issues/7985)
+- [EIP1193 - Ethereum Provider JavaScript API](https://eips.ethereum.org/EIPS/eip-1193)
+- [EIP1193 Related Issue 7246](https://github.com/status-im/status-mobile/pull/7246)
+- [EIP1577 - contenthash field for ENS](https://eips.ethereum.org/EIPS/eip-1577)
+- [EIP1577 Related Issue 6688](https://github.com/status-im/status-mobile/issues/6688)
+- [EIP1577 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/utils/contenthash.cljs)
+- [EIP1577 Test Source Code](https://github.com/status-im/status-mobile/blob/develop/test/cljs/status_im/test/utils/contenthash.cljs#L5)
+- [EIP1581 - Non-wallet usage of keys derived from BIP-32 trees](https://eips.ethereum.org/EIPS/eip-1581)
+- [EIP1581 Related Issue 9088](https://github.com/status-im/status-mobile/issues/9088)
+- [EIP1581 Related Issue 9096](https://github.com/status-im/status-mobile/pull/9096)
+- [EIP1581 Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/constants.cljs#L242)
+- [EIP1459 - Node Discovery via DNS](https://eips.ethereum.org/EIPS/eip-1459)

status/deprecated/ethereum-usage.md

@@ -0,0 +1,237 @@
+---
+title: ETHEREUM-USAGE
+name: Status interactions with the Ethereum blockchain
+status: deprecated
+description: All interactions that the Status client has with the Ethereum blockchain.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+    - Andrea Maria Piana <andreap@status.im>
+---
+
+## Abstract
+
+This specification documents all the interactions that the Status client has
+with the [Ethereum](https://ethereum.org/developers/) blockchain.
+
+## Background
+
+All the interactions are made through [JSON-RPC](https://github.com/ethereum/wiki/wiki/JSON-RPC).
+Currently [Infura](https://infura.io/) is used.
+The client assumes high-availability,
+otherwise it will not be able to interact with the Ethereum blockchain.
+Status nodes rely on these Infura nodes
+to validate the integrity of the transaction and report a consistent history.
+
+Key handling is described [here](/status/deprecated/account.md)
+
+1. [Wallet](#wallet)
+2. [ENS](#ens)
+
+## Wallet
+
+The wallet in Status has two main components:
+
+1) Sending transactions
+2) Fetching balance
+
+In the section below are described the `RPC` calls made the nodes, with a brief
+description of their functionality and how it is used by Status.
+
+1.[Sending transactions](#sending-transactions)
+
+- [EstimateGas](#estimategas)
+- [PendingNonceAt](#pendingnonceat)
+- [SuggestGasPrice](#suggestgasprice)
+- [SendTransaction](#sendtransaction)
+
+2.[Fetching balance](#fetching-balance)
+
+- [BlockByHash](#blockbyhash)
+- [BlockByNumber](#blockbynumber)
+- [FilterLogs](#filterlogs)
+- [HeaderByNumber](#headerbynumber)
+- [NonceAt](#nonceat)
+- [TransactionByHash](#transactionbyhash)
+- [TransactionReceipt](#transactionreceipt)
+
+### Sending transactions
+
+#### EstimateGas
+
+EstimateGas tries to estimate the gas needed to execute a specific transaction
+based on the current pending state of the backend blockchain.
+There is no guarantee that this is the true gas limit requirement
+as other transactions may be added or removed by miners,
+but it should provide a basis for setting a reasonable default.
+
+```go
+func (ec *Client) EstimateGas(ctx context.Context, msg ethereum.CallMsg) (uint64, error)
+```
+
+[L499](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L499)
+
+#### PendingNonceAt
+
+`PendingNonceAt` returns the account nonce of the given account in the pending state.
+ This is the nonce that should be used for the next transaction.
+
+ ```go
+func (ec *Client) PendingNonceAt(ctx context.Context, account common.Address) (uint64, error)
+```
+
+[L440](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L440)
+
+#### SuggestGasPrice
+
+`SuggestGasPrice` retrieves the currently suggested gas price to allow a timely
+execution of a transaction.
+
+```go
+func (ec *Client) SuggestGasPrice(ctx context.Context) (*big.Int, error)
+```
+
+[L487](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L487)
+
+#### SendTransaction
+
+`SendTransaction` injects a signed transaction into the pending pool for execution.
+
+If the transaction was a contract creation use the TransactionReceipt method to get the
+contract address after the transaction has been mined.
+
+```go
+func (ec *Client) SendTransaction(ctx context.Context, tx *types.Transaction) error 
+```
+
+[L512](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L512)
+
+### Fetching balance
+
+A Status node fetches the current and historical [ECR20](https://eips.ethereum.org/EIPS/eip-20) and ETH balance for the user wallet address.
+Collectibles following the [ERC-721](https://eips.ethereum.org/EIPS/eip-721) are also fetched if enabled.
+
+A Status node supports by default the following [tokens](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/tokens.cljs). Custom tokens can be added by specifying the `address`, `symbol` and `decimals`.
+
+#### BlockByHash
+
+`BlockByHash` returns the given full block.
+
+It is used by status to fetch a given block which will then be inspected
+for transfers to the user address, both tokens and ETH.
+
+```go
+func (ec *Client) BlockByHash(ctx context.Context, hash common.Hash) (*types.Block, error)
+```
+
+[L78](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L78)
+
+#### BlockByNumber
+
+`BlockByNumber` returns a block from the current canonical chain. If number is nil, the
+latest known block is returned.
+
+```go
+func (ec *Client) BlockByNumber(ctx context.Context, number *big.Int) (*types.Block, error)
+```
+
+[L82](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L82)
+
+#### FilterLogs
+
+`FilterLogs` executes a filter query.
+
+Status uses this function to filter out logs, using the hash of the block
+and the address of interest, both inbound and outbound.
+
+```go
+func (ec *Client) FilterLogs(ctx context.Context, q ethereum.FilterQuery) ([]types.Log, error) 
+```
+
+[L377](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L377)
+
+#### NonceAt
+
+`NonceAt` returns the account nonce of the given account.
+
+```go
+func (ec *Client) NonceAt(ctx context.Context, account common.Address, blockNumber *big.Int) (uint64, error)
+```
+
+[L366](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L366)
+
+#### TransactionByHash
+
+`TransactionByHash` returns the transaction with the given hash,
+used to inspect those transactions made/received by the user.
+
+```go
+func (ec *Client) TransactionByHash(ctx context.Context, hash common.Hash) (tx *types.Transaction, isPending bool, err error)
+```
+
+[L202](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L202)
+
+#### HeaderByNumber
+
+`HeaderByNumber` returns a block header from the current canonical chain.
+
+```go
+func (ec *Client) HeaderByNumber(ctx context.Context, number *big.Int) (*types.Header, error) 
+```
+
+[L172](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L172)
+
+#### TransactionReceipt
+
+`TransactionReceipt` returns the receipt of a transaction by transaction hash.
+It is used in status to check if a token transfer was made to the user address.
+
+```go
+func (ec *Client) TransactionReceipt(ctx context.Context, txHash common.Hash) (*types.Receipt, error)
+```
+
+[L270](https://github.com/ethereum/go-ethereum/blob/26d271dfbba1367326dec38068f9df828d462c61/ethclient/ethclient.go#L270)
+
+## ENS
+
+All the interactions with `ENS` are made through the [ENS contract](https://github.com/ensdomains/ens)
+
+For the `stateofus.eth` username, one can be registered through these [contracts](https://github.com/status-im/ens-usernames)
+
+### Registering, releasing and updating
+
+- [Registering a username](https://github.com/status-im/ens-usernames/blob/77d9394d21a5b6213902473b7a16d62a41d9cd09/contracts/registry/UsernameRegistrar.sol#L113)
+- [Releasing a username](https://github.com/status-im/ens-usernames/blob/77d9394d21a5b6213902473b7a16d62a41d9cd09/contracts/registry/UsernameRegistrar.sol#L131)
+- [Updating a username](https://github.com/status-im/ens-usernames/blob/77d9394d21a5b6213902473b7a16d62a41d9cd09/contracts/registry/UsernameRegistrar.sol#L174)
+
+### Slashing
+
+Usernames MUST be in a specific format, otherwise they MAY be slashed:
+
+- They MUST only contain alphanumeric characters
+- They MUST NOT  be in the form `0x[0-9a-f]{5}.*` and have more than 12 characters
+- They MUST NOT be in the [reserved list](https://github.com/status-im/ens-usernames/blob/47c4c6c2058be0d80b7d678e611e166659414a3b/config/ens-usernames/reservedNames.js)
+- They MUST NOT be too short, this is dynamically set in the contract and can be checked against the [contract](https://github.com/status-im/ens-usernames/blob/master/contracts/registry/UsernameRegistrar.sol#L26)
+
+- [Slash a reserved username](https://github.com/status-im/ens-usernames/blob/77d9394d21a5b6213902473b7a16d62a41d9cd09/contracts/registry/UsernameRegistrar.sol#L237)
+- [Slash an invalid username](https://github.com/status-im/ens-usernames/blob/77d9394d21a5b6213902473b7a16d62a41d9cd09/contracts/registry/UsernameRegistrar.sol#L261)
+- [Slash a username too similar to an address](https://github.com/status-im/ens-usernames/blob/77d9394d21a5b6213902473b7a16d62a41d9cd09/contracts/registry/UsernameRegistrar.sol#L215)
+- [Slash a username that is too short](https://github.com/status-im/ens-usernames/blob/77d9394d21a5b6213902473b7a16d62a41d9cd09/contracts/registry/UsernameRegistrar.sol#L200)
+
+ENS names are propagated through `ChatMessage` and `ContactUpdate` [payload](/status/deprecated/payloads.md).
+A client SHOULD verify ens names against the public key of the sender on receiving the message against the [ENS contract](https://github.com/ensdomains/ens)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [Ethereum Developers](https://ethereum.org/developers/)
+- [JSON-RPC](https://github.com/ethereum/wiki/wiki/JSON-RPC)
+- [Infura](https://infura.io/)
+- [Key Handling](/status/deprecated/account.md)
+- [ERC-20 Token Standard](https://eips.ethereum.org/EIPS/eip-20)
+- [ERC-721 Non-Fungible Token Standard](https://eips.ethereum.org/EIPS/eip-721)
+- [Supported Tokens Source Code](https://github.com/status-im/status-mobile/blob/develop/src/status_im/ethereum/tokens.cljs)
+- [go-ethereum](https://github.com/ethereum/go-ethereum/)
+- [ENS Contract](https://github.com/ensdomains/ens)

status/deprecated/group-chat.md

@@ -0,0 +1,162 @@
+---
+title: GROUP-CHAT
+name: Group Chat
+status: deprecated
+description: This document describes the group chat protocol used by the Status application.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Andrea Piana <andreap@status.im>
+---
+
+## Abstract
+
+This document describes the group chat protocol used by the Status application.
+The node uses pairwise encryption among members so a message is exchanged  
+between each participant, similarly to a one-to-one message.
+
+## Membership updates
+
+The node uses membership updates messages to propagate group chat membership changes.
+The protobuf format is described in the [PAYLOADS](/status/deprecated/payloads.md).
+Below describes each specific field.
+
+The protobuf messages are:
+
+```protobuf
+// MembershipUpdateMessage is a message used to propagate information
+// about group membership changes.
+message MembershipUpdateMessage {
+  // The chat id of the private group chat
+  string chat_id = 1;
+  // A list of events for this group chat, first 65 bytes are the signature, then is a 
+  // protobuf encoded MembershipUpdateEvent
+  repeated bytes events = 2;
+  // An optional chat message
+  ChatMessage message = 3;
+}
+
+message MembershipUpdateEvent {
+  // Lamport timestamp of the event as described in [Status Payload Specs](status-payload-specs.md#clock-vs-timestamp-and-message-ordering)
+  uint64 clock = 1;
+  // List of public keys of the targets of the action
+  repeated string members = 2;
+  // Name of the chat for the CHAT_CREATED/NAME_CHANGED event types
+  string name = 3;
+  // The type of the event
+  EventType type = 4;
+
+  enum EventType {
+    UNKNOWN = 0;
+    CHAT_CREATED = 1; // See [CHAT_CREATED](#chat-created)
+    NAME_CHANGED = 2; // See [NAME_CHANGED](#name-changed)
+    MEMBERS_ADDED = 3; // See [MEMBERS_ADDED](#members-added)
+    MEMBER_JOINED = 4; // See [MEMBER_JOINED](#member-joined)
+    MEMBER_REMOVED = 5; // See [MEMBER_REMOVED](#member-removed)
+    ADMINS_ADDED = 6; // See [ADMINS_ADDED](#admins-added)
+    ADMIN_REMOVED = 7; // See [ADMIN_REMOVED](#admin-removed)
+  }
+}
+```
+
+### Payload
+
+`MembershipUpdateMessage`:
+
+| Field | Name | Type | Description |
+| ----- | ---- | ---- | ---- |
+| 1 | chat-id | `string` | The chat id of the chat where the change is to take place |
+| 2 | events | See details | A list of events that describe the membership changes, in their encoded protobuf form |
+| 3 | message | `ChatMessage` | An optional message, described in [Message](/status/deprecated/payloads.md/#message) |
+
+`MembershipUpdateEvent`:
+
+| Field | Name | Type | Description |
+| ----- | ---- | ---- | ---- |
+| 1 | clock | `uint64` | The clock value of the event |
+| 2 | members | `[]string` | An optional list of hex encoded (prefixed with `0x`) public keys, the targets of the action |
+| 3 | name | `name` | An optional name, for those events that make use of it |
+| 4 | type | `EventType` | The type of event sent, described below |
+
+### Chat ID
+
+Each membership update MUST be sent with a corresponding `chatId`.
+The format of this chat ID MUST be a string of [UUID](https://tools.ietf.org/html/rfc4122),
+concatenated with the hex-encoded public key of the creator of the chat, joined by `-`.
+This chatId MUST be validated by all clients, and MUST be discarded if it does not follow these rules.
+
+### Signature
+
+The node calculates the signature for each event by encoding each `MembershipUpdateEvent` in its protobuf representation
+and prepending the bytes of the chatID, lastly the node signs the `Keccak256` of the bytes
+using the private key by the author and added to the `events` field of MembershipUpdateMessage.
+
+### Group membership event
+
+Any `group membership` event received MUST be verified by calculating the signature as per the method described above.
+The author MUST be extracted from it, if the verification fails the event MUST be discarded.
+
+#### CHAT_CREATED
+
+Chat `created event` is the first event that needs to be sent.
+Any event with a clock value lower than this MUST be discarded.
+Upon receiving this event a client MUST validate the `chatId`
+provided with the updates and create a chat with identified by `chatId` and named `name`.
+
+#### NAME_CHANGED
+
+`admins` use a `name changed` event to change the name of the group chat.
+Upon receiving this event a client MUST validate the `chatId` provided with the updates
+and MUST ensure the author of the event is an admin of the chat, otherwise the event MUST be ignored.
+If the event is valid the chat name SHOULD be changed to `name`.
+
+#### MEMBERS_ADDED
+
+`admins` use a `members added` event to add members to the chat.
+Upon receiving this event a client MUST validate the `chatId`
+provided with the updates and MUST ensure the author of the event is an admin of the chat, otherwise the event MUST be ignored.
+If the event is valid a client MUST update the list of members of the chat who have not joined, adding the `members` received.
+`members` is an array of hex encoded public keys.
+
+#### MEMBER_JOINED
+
+`members` use a `members joined` event to signal that they want to start receiving messages from this chat.
+Upon receiving this event a client MUST validate the `chatId` provided with the updates.
+If the event is valid a client MUST update the list of members of the chat who joined, adding the signer.
+Any `message` sent to the group chat should now include the newly joined member.
+
+#### ADMINS_ADDED
+
+`admins` use an `admins added` event to add make other admins in the chat.
+Upon receiving this event a client MUST validate the `chatId` provided with the updates,
+MUST ensure the author of the event is an admin of the chat
+and MUST ensure all `members` are already `members` of the chat, otherwise the event MUST be ignored.
+If the event is valid a client MUST update the list of admins of the chat, adding the `members` received.
+`members` is an array of hex encoded public keys.
+
+#### MEMBER_REMOVED
+
+`members` and/or `admins` use a `member-removed` event to leave or kick members of the chat.
+Upon receiving this event a client MUST validate the `chatId` provided with the updates, MUST ensure that:
+
+- If the author of the event is an admin, target can only be themselves or a non-admin member.
+- If the author of the event is not an admin, the target of the event can only be themselves.
+
+If the event is valid a client MUST remove the member from the list of `members`/`admins` of the chat,
+and no further message should be sent to them.
+
+#### ADMIN_REMOVED
+
+`Admins` use an `admin-removed` event to drop admin privileges.
+Upon receiving this event a client MUST validate the `chatId` provided with the updates,
+MUST ensure that the author of the event is also the target of the event.
+
+If the event is valid a client MUST remove the member from the list of `admins` of the chat.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [PAYLOADS](/status/deprecated/payloads.md)
+- [UUID](https://tools.ietf.org/html/rfc4122)

status/deprecated/keycard-usage-for-wallet-and-chat-keys.md

@@ -0,0 +1,303 @@
+---
+title: Keycard Usage for Wallet and Chat Keys
+name: Keycard Usage for Wallet and Chat Keys
+status: deprecated
+description: In this specification, we describe how Status communicates with Keycard to create, store and use multiaccount.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+   - Roman Volosovskyi <roman@status.im>
+---
+
+## Abstract
+
+In this specification, we describe how Status communicates with Keycard to create, store and use multiaccount.
+
+## Definitions
+
+| Term               | Description                                              |
+| ------------------ | -------------------------------------------------------- |
+| Keycard Hardwallet | [https://keycard.tech/docs/](https://keycard.tech/docs/) |
+|                    |                          |
+
+## Multiaccount creation/restoring
+
+### Creation and restoring via mnemonic
+
+1. `status-im.hardwallet.card/get-application-info`
+    request: `nil`
+    response: `{"initialized?" false}`
+2. `status-im.hardwallet.card/init-card`
+   request: `{:pin 123123}`
+   response:
+
+   ```clojure
+   {"password" "nEJXqf6VWbqeC5oN", 
+    "puk" "411810112887", 
+    "pin" "123123"}
+   ```
+
+3. `status-im.hardwallet.card/get-application-info`
+    request: `nil`
+    response:
+
+    ```clojure
+    {"free-pairing-slots" 5, 
+     "app-version" "2.2", 
+     "secure-channel-pub-key" "04e70d7af7d91b8cd23adbefdfc242c096adee6c1b5ad27a4013a8f926864c1a4f816b338238dc4a04226ab42f23672585c6dca03627885530643f1656ee69b025", 
+     "key-uid" "", 
+     "instance-uid" "9f149d438988a7af5e1a186f650c9328", 
+     "paired?" false, 
+     "has-master-key?" false, 
+     "initialized?" true}
+    ```
+
+4. `status-im.hardwallet.card/pair`
+   params: `{:password "nEJXqf6VWbqeC5oN"}`
+   response: `AAVefVX0kPGsxnvQV5OXRbRTLGI3k8/S27rpsq/lZrVR` (`pairing`)
+
+5. `status-im.hardwallet.card/generate-and-load-keys`
+
+ ```clojure
+    {:mnemonic "lift mansion moment version card type uncle sunny lock gather nerve math", 
+     :pairing "AAVefVX0kPGsxnvQV5OXRbRTLGI3k8/S27rpsq/lZrVR", 
+     :pin "123123"}
+    ```
+    response:
+    ```clojure
+    {"whisper-address" "1f29a1a60c8a12f80c397a91c6ae0323f420e609", 
+     "whisper-private-key" "123123123123123", 
+     "wallet-root-public-key" "04eb9d01990a106a65a6dfaa48300f72aecfeabe502d9f4f7aeaccb146dc2f16e2dec81dcec0a1a52c1df4450f441a48c210e1a73777c0161030378df22e4ae015", 
+     "encryption-public-key" "045ee42f012d72be74b31a28ce320df617e0cd5b9b343fad34fcd61e2f5dfa89ab23d880473ba4e95401a191764c7f872b7af92ea0d8c39462147df6f3f05c2a11", 
+     "wallet-root-address" "132dd67ff47cc1c376879c474fd2afd0f1eee6de", 
+     "whisper-public-key" "0450ad84bb95f32c64f4e5027cc11d1b363a0566a0cfc475c5653e8af9964c5c9b0661129b75e6e1bc6e96ba2443238e53e7f49f2c5f2d16fcf04aca4826765d46", 
+     "address" "bf93eb43fea2ce94bf3a6463c16680b56aa4a08a", 
+     "wallet-address" "7eee1060d8e4722d36c99f30ff8291caa3cfc40c", 
+     "key-uid" "472d8436ccedb64bcbd897bed5895ec3458b306352e1bcee377df87db32ef2c2", 
+     "wallet-public-key" "0495ab02978ea1f8b059140e0be5a87aad9b64bb7d9706735c47dda6e182fd5ca41744ca37583b9a10c316b01d4321d6c85760c61301874089acab041037246294", 
+     "public-key" "0465d452d12171711f32bb931f9ea26fe1b88fe2511a7909a042b914fde10a99719136365d506e2d1694fc14627f9d557da33865efc6001da3942fc1d4d2469ca1", 
+     "instance-uid" "9f149d438988a7af5e1a186f650c9328"}
+    ```
+
+### Multiaccount restoring via pairing
+This flow is required in case if a user want to pair a card with an existing multiaccount on it.
+1. `status-im.hardwallet.card/get-application-info` 
+    request: `nil`
+    response: 
+
+    ```clojure
+    {"free-pairing-slots" 4, 
+     "app-version" "2.2", 
+     "secure-channel-pub-key" "04e70d7af7d91b8cd23adbefdfc242c096adee6c1b5ad27a4013a8f926864c1a4f816b338238dc4a04226ab42f23672585c6dca03627885530643f1656ee69b025", 
+     "key-uid" "", 
+     "instance-uid" "9f149d438988a7af5e1a186f650c9328", 
+     "paired?" false, 
+     "has-master-key?" false, 
+     "initialized?" true}
+    ```
+2. `status-im.hardwallet.card/pair` 
+   params: `{:password "nEJXqf6VWbqeC5oN"}`
+   response: `AAVefVX0kPGsxnvQV5OXRbRTLGI3k8/S27rpsq/lZrVR` (`pairing`)
+   
+3. `status-im.hardwallet.card/generate-and-load-keys` 
+    ```clojure
+    {:mnemonic "lift mansion moment version card type uncle sunny lock gather nerve math", 
+     :pairing "AAVefVX0kPGsxnvQV5OXRbRTLGI3k8/S27rpsq/lZrVR", 
+     :pin "123123"}
+    ```
+    response:
+    ```clojure
+    {"whisper-address" "1f29a1a60c8a12f80c397a91c6ae0323f420e609", 
+     "whisper-private-key" "123123123123123123123", 
+     "wallet-root-public-key" "04eb9d01990a106a65a6dfaa48300f72aecfeabe502d9f4f7aeaccb146dc2f16e2dec81dcec0a1a52c1df4450f441a48c210e1a73777c0161030378df22e4ae015", 
+     "encryption-public-key" "045ee42f012d72be74b31a28ce320df617e0cd5b9b343fad34fcd61e2f5dfa89ab23d880473ba4e95401a191764c7f872b7af92ea0d8c39462147df6f3f05c2a11", 
+     "wallet-root-address" "132dd67ff47cc1c376879c474fd2afd0f1eee6de", 
+     "whisper-public-key" "0450ad84bb95f32c64f4e5027cc11d1b363a0566a0cfc475c5653e8af9964c5c9b0661129b75e6e1bc6e96ba2443238e53e7f49f2c5f2d16fcf04aca4826765d46", 
+     "address" "bf93eb43fea2ce94bf3a6463c16680b56aa4a08a", 
+     "wallet-address" "7eee1060d8e4722d36c99f30ff8291caa3cfc40c", 
+     "key-uid" "472d8436ccedb64bcbd897bed5895ec3458b306352e1bcee377df87db32ef2c2", 
+     "wallet-public-key" "0495ab02978ea1f8b059140e0be5a87aad9b64bb7d9706735c47dda6e182fd5ca41744ca37583b9a10c316b01d4321d6c85760c61301874089acab041037246294", 
+     "public-key" "0465d452d12171711f32bb931f9ea26fe1b88fe2511a7909a042b914fde10a99719136365d506e2d1694fc14627f9d557da33865efc6001da3942fc1d4d2469ca1", 
+     "instance-uid" "9f149d438988a7af5e1a186f650c9328"}
+   ```
+
+## Multiaccount unlocking
+
+1. `status-im.hardwallet.card/get-application-info`
+    params:
+
+    ```clojure
+    {:pairing nil, :on-success nil}
+    ```
+
+    response:
+
+    ```clojure
+    {"free-pairing-slots" 4, 
+     "app-version" "2.2", 
+     "secure-channel-pub-key" "04b079ac513d5e0ebbe9becbae1618503419f5cb59edddc7d7bb09ce0db069a8e6dec1fb40c6b8e5454f7e1fcd0bb4a0b9750256afb4e4390e169109f3ea3ba91d", 
+     "key-uid" "a5424fb033f5cc66dce9cbbe464426b6feff70ca40aa952c56247aaeaf4764a9", 
+     "instance-uid" "2268254e3ed7898839abe0b40e1b4200", 
+     "paired?" false, 
+     "has-master-key?" true, 
+     "initialized?" true}
+   ```
+
+2. `status-im.hardwallet.card/get-keys`
+    params:
+
+    ```clojure
+    {:pairing "ACEWbvUlordYWOE6M1Narn/AXICRltjyuKIAn4kkPXQG",
+     :pin "123123"}
+    ```
+
+    response:
+
+    ```clojure
+    {"whisper-address" "ec83f7354ca112203d2ce3e0b77b47e6e33258aa", 
+     "whisper-private-key" "123123123123123123123123",
+     "wallet-root-public-key" "0424a93fe62a271ad230eb2957bf221b4644670589f5c0d69bd11f3371034674bf7875495816095006c2c0d5f834d628b87691a8bbe3bcc2225269020febd65a19", 
+     "encryption-public-key" "0437eef85e669f800570f444e64baa2d0580e61cf60c0e9236b4108455ec1943f385043f759fcb5bd8348e32d6d6550a844cf24e57f68e9397a0f7c824a8caee2d", 
+     "wallet-root-address" "6ff915f9f31f365511b1b8c1e40ce7f266caa5ce", 
+     "whisper-public-key" "04b195df4336c596cca1b89555dc55dd6bb4c5c4491f352f6fdfae140a2349213423042023410f73a862aa188f6faa05c80b0344a1e39c253756cb30d8753f9f8324", 
+     "address" "73509a1bb5f3b74d0dba143705cd9b4b55b8bba1", 
+     "wallet-address" "2f0cc0e0859e7a05f319d902624649c7e0f48955", 
+     "key-uid" "a5424fb033f5cc66dce9cbbe464426b6feff70ca40aa952c56247aaeaf4764a9", 
+     "wallet-public-key" "04d6fab73772933215872c239787b2281f3b10907d099d04b88c861e713bd2b95883e0b1710a266830da29e76bbf6b87ed034ab139e36cc235a1b2a5b5ddfd4e91", 
+     "public-key" "0437eef85e669f800570f444e64baa2d0580e61cf60c0e9236b4108455ec1943f385043f759fcb5bd8348e32d6d6550a844cf24e57f68e9397a0f7c824a8caee2d", 
+     "instance-uid" "2268254e3ed7898839abe0b40e1b4200"}
+    ```
+
+3. `status-im.hardwallet.card/get-application-info`
+    params:
+
+    ```clojure
+    {:pairing "ACEWbvUlordYWOE6M1Narn/AXICRltjyuKIAn4kkPXQG"}
+    ```
+
+    response:
+
+    ```clojure
+    {"paired?" true, 
+     "has-master-key?" true, 
+     "app-version" "2.2", 
+     "free-pairing-slots" 4, 
+     "pin-retry-counter" 3, 
+     "puk-retry-counter" 5, 
+     "initialized?" true, 
+     "secure-channel-pub-key" "04b079ac513d5e0ebbe9becbae1618503419f5cb59edddc7d7bb09ce0db069a8e6dec1fb40c6b8e5454f7e1fcd0bb4a0b9750256afb4e4390e169109f3ea3ba91d", 
+     "key-uid" "a5424fb033f5cc66dce9cbbe464426b6feff70ca40aa952c56247aaeaf4764a9", 
+     "instance-uid" "2268254e3ed7898839abe0b40e1b4200"}
+    ```
+
+## Transaction signing
+
+1. `status-im.hardwallet.card/get-application-info`
+
+   params:
+
+   ```clojure
+   {:pairing "ALecvegKyOW4szknl01yYWx60GLDK5gDhxMgJECRZ+7h", 
+    :on-success :hardwallet/sign}
+   ```
+
+   response:
+
+   ```clojure
+    {"paired?" true, 
+     "has-master-key?" true, 
+     "app-version" "2.2", 
+     "free-pairing-slots" 4, 
+     "pin-retry-counter" 3, 
+     "puk-retry-counter" 5, 
+     "initialized?" true, 
+     "secure-channel-pub-key" "0476d11f2ccdad4e7779b95a1ce063d7280cb6c09afe2c0e48ca0c64ab9cf2b3c901d12029d6c266bfbe227c73a802561302b2330ac07a3270fc638ad258fced4a", 
+     "key-uid" "d5c8cde8085e7a3fcf95aafbcbd7b3cfe32f61b85c2a8f662f60e76bdc100718", 
+     "instance-uid" "e20e27bfee115b431e6e81b8e9dcf04c"}
+    ```
+
+2. `status-im.hardwallet.card/sign`
+   params:
+
+   ```clojure
+   {:hash "92fc7ef54c3e0c42de256b93fbf2c49dc6948ee089406e204dec943b7a0142a9", 
+    :pairing "ALecvegKyOW4szknl01yYWx60GLDK5gDhxMgJECRZ+7h", 
+    :pin "123123", 
+    :path "m/44'/60'/0'/0/0"}
+   ```
+
+   response: `5d2ca075593cf50aa34007a0a1df7df14a369534450fce4a2ae8d023a9d9c0e216b5e5e3f64f81bee91613318d01601573fdb15c11887a3b8371e3291e894de600`
+
+## Account derivation
+
+1. `status-im.hardwallet.card/verify-pin`
+    params:
+
+    ```clojure
+    {:pin "123123", 
+     :pairing "ALecvegKyOW4szknl01yYWx60GLDK5gDhxMgJECRZ+7h"}
+    ```
+
+    response: `3`
+1. `status-im.hardwallet.card/export-key`
+    params:
+
+    ```clojure
+    {:pin "123123", 
+     :pairing "ALecvegKyOW4szknl01yYWx60GLDK5gDhxMgJECRZ+7h", 
+     :path "m/44'/60'/0'/0/1"}
+    ```
+
+    response: `046d1bcd2310a5e0094bc515b0ec995a8cb59e23d564094443af10011b6c00bdde44d160cdd32b4b6341ddd7dc83a4f31fdf60ec2276455649ccd7a22fa4ea01d8` (account's `public-key`)
+
+## Reset pin
+
+1. `status-im.hardwallet.card/change-pin`
+    params:
+
+   ```clojure
+   {:new-pin "111111", 
+    :current-pin "222222", 
+    :pairing "AA0sKxPkN+jMHXZZeI8Rgz04AaY5Fg0CzVbm9189Khob"}
+   ```
+
+   response:
+   `true`
+
+## Unblock pin
+
+If user enters a wrong pin three times in a row a card gets blocked. The user can use puk code then to unblock the card and set a new pin.
+
+1. `status-im.hardwallet.card/unblock-pin`
+   params:
+
+   ```clojure
+   {:puk "120702722103", 
+    :new-pin "111111", 
+    :pairing "AIoQl0OtCL0/uSN7Ct1/FHRMEk/eM2Lrhn0bw7f8sgOe"}
+   ```
+
+   response
+   `true`
+
+## Status go calls
+
+In order to use the card in the app we need to use some parts of status-go API, specifically:
+
+1. [`SaveAccountAndLoginWithKeycard`](https://github.com/status-im/status-go/blob/b33ad8147d23a932064f241e575511d70a601dcc/mobile/status.go#L337) after multiaccount creation/restoring to store multiaccount and login into it
+2. [`LoginWithKeycard`](https://github.com/status-im/status-go/blob/b33ad8147d23a932064f241e575511d70a601dcc/mobile/status.go#L373) to log into already existing account
+3. [`HashTransaction`](https://github.com/status-im/status-go/blob/b33ad8147d23a932064f241e575511d70a601dcc/mobile/status.go#L492) and [`HashMessage`](https://github.com/status-im/status-go/blob/b33ad8147d23a932064f241e575511d70a601dcc/mobile/status.go#L520) for hashing transaction/message before signing
+4. [`SendTransactionWithSignature`](https://github.com/status-im/status-go/blob/b33ad8147d23a932064f241e575511d70a601dcc/mobile/status.go#L471) to send transaction
+
+## Where are the keys stored?
+
+1. When we create a regular multiaccount all its keys are stored on device and are encrypted via key which is derived from user's password. In case if account was created using keycard all keys are stored on the card and are retrieved from it during signing into multiaccount.
+2. When we create a regular multiaccount we also create a separate database for it and this database is encrypted using key which is derived from user's password. For a keycard account we use `encryption-public-key` (returned by `status-im.hardwallet.card/get-keys`/`status-im.hardwallet.card/generate-and-load-keys`) as a password.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [Keycard Hardwallet Documentation](https://keycard.tech/docs/)
+- [Keycard Codebase](https://github.com/status-im/status-go/blob/b33ad8147d23a932064f241e575511d70a601dcc/mobile/status.go)

status/deprecated/notifications.md

@@ -0,0 +1,52 @@
+---
+title: NOTIFICATIONS
+name: Notifications
+status: deprecated
+description: A client should implement local notifications to offer notifications for any event in the app without the privacy cost and dependency on third party services.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Eric Dvorsak <eric@status.im>
+---
+
+## Local Notifications
+
+A client should implement local notifications to offer notifications
+for any event in the app without the privacy cost and dependency on third party services.
+This means that the client should run a background service to continuously or periodically check for updates.
+
+### Android
+
+Android allows running services on the device. When the user enables notifications,
+the client may start a ``Foreground Service`,
+and display a permanent notification indicating that the service is running,
+as required by Android guidelines.
+The service will simply keep the app from being killed by the system when it is in the background.
+The client will then be able to run in the background
+and display local notifications on events such as receiving a message in a one to one chat.
+
+To facilitate the implementation of local notifications,
+a node implementation such as `status-go` may provide a specific `notification` signal.
+
+Notifications are a separate process in Android, and interaction with a notification generates an `Intent`.
+To handle intents, the `NewMessageSignalHandler` may use a `BroadcastReceiver`,
+in order to update the state of local notifications when the user dismisses or tap a notification.
+If the user taps on a notification, the `BroadcastReceiver` generates a new intent to open the app should use universal links to get the user to the right place.
+
+### iOS
+
+We are not able to offer local notifications on iOS because there is no concept of services in iOS.
+It offers background updates but they’re not consistently triggered, and cannot be relied upon.
+The system decides when the background updates are triggered and the heuristics aren't known.
+
+## Why is there no Push Notifications?
+
+Push Notifications, as offered by Apple and Google are a privacy concern,
+they require a centralized service that is aware of who the notification needs to be delivered to.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- None

status/deprecated/payloads.md

@@ -0,0 +1,386 @@
+---
+title: PAYLOADS
+name: Payloads
+status: deprecated
+description: Payload of messages in Status, regarding chat and chat-related use cases.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+- Adam Babik <adam@status.im>
+- Andrea Maria Piana <andreap@status.im>
+- Oskar Thorén <oskar@status.im>
+---
+
+## Abstract
+
+This specification describes how the payload of each message in Status looks like.
+It is primarily centered around chat and chat-related use cases.
+
+The payloads aims to be flexible enough to support messaging but also cases
+described in the [Status Whitepaper](https://status.im/whitepaper.pdf)
+as well as various clients created using different technologies.
+
+## Introduction
+
+This document describes the payload format and some special considerations.
+
+## Payload wrapper
+
+The node wraps all payloads in a [protobuf record](https://developers.google.com/protocol-buffers/):
+
+```protobuf
+message ApplicationMetadataMessage {
+  bytes signature = 1;
+  bytes payload = 2;
+
+  Type type = 3;
+
+  enum Type {
+    UNKNOWN = 0;
+    CHAT_MESSAGE = 1;
+    CONTACT_UPDATE = 2;
+    MEMBERSHIP_UPDATE_MESSAGE = 3;
+    PAIR_INSTALLATION = 4;
+    SYNC_INSTALLATION = 5;
+    REQUEST_ADDRESS_FOR_TRANSACTION = 6;
+    ACCEPT_REQUEST_ADDRESS_FOR_TRANSACTION = 7;
+    DECLINE_REQUEST_ADDRESS_FOR_TRANSACTION = 8;
+    REQUEST_TRANSACTION = 9;
+    SEND_TRANSACTION = 10;
+    DECLINE_REQUEST_TRANSACTION = 11;
+    SYNC_INSTALLATION_CONTACT = 12;
+    SYNC_INSTALLATION_ACCOUNT = 13;
+    SYNC_INSTALLATION_PUBLIC_CHAT = 14;
+    CONTACT_CODE_ADVERTISEMENT = 15;
+    PUSH_NOTIFICATION_REGISTRATION = 16;
+    PUSH_NOTIFICATION_REGISTRATION_RESPONSE = 17;
+    PUSH_NOTIFICATION_QUERY = 18;
+    PUSH_NOTIFICATION_QUERY_RESPONSE = 19;
+    PUSH_NOTIFICATION_REQUEST = 20;
+    PUSH_NOTIFICATION_RESPONSE = 21;
+  }
+}
+```
+
+`signature` is the bytes of the signed `SHA3-256` of the payload,
+signed with the key of the author of the message.
+The node needs the signature to validate authorship of the message,
+so that the message can be relayed to third parties.
+If a signature is not present, but an author is provided by a layer below,
+the message is not to be relayed to third parties, and it is considered plausibly deniable.
+
+`payload` is the protobuf encoded content of the message, with the corresponding `type` set.
+
+## Encoding
+
+The node encodes the payload using [Protobuf](https://developers.google.com/protocol-buffers)
+
+## Types of messages
+
+### Message
+
+The type `ChatMessage` represents a chat message exchanged between clients.
+
+#### Payload
+
+The protobuf description is:
+
+```protobuf
+message ChatMessage {
+  // Lamport timestamp of the chat message
+  uint64 clock = 1;
+  // Unix timestamps in milliseconds, currently not used as we use Whisper/Waku as more reliable, but here
+  // so that we don't rely on it
+  uint64 timestamp = 2;
+  // Text of the message
+  string text = 3;
+  // Id of the message that we are replying to
+  string response_to = 4;
+  // Ens name of the sender
+  string ens_name = 5;
+  // Chat id, this field is symmetric for public-chats and private group chats,
+  // but asymmetric in case of one-to-ones, as the sender will use the chat-id
+  // of the received, while the receiver will use the chat-id of the sender.
+  // Probably should be the concatenation of sender-pk & receiver-pk in alphabetical order
+  string chat_id = 6;
+
+  // The type of message (public/one-to-one/private-group-chat)
+  MessageType message_type = 7;
+  // The type of the content of the message
+  ContentType content_type = 8;
+
+  oneof payload {
+    StickerMessage sticker = 9;
+  }
+
+  enum MessageType {
+    UNKNOWN_MESSAGE_TYPE = 0;
+    ONE_TO_ONE = 1;
+    PUBLIC_GROUP = 2;
+    PRIVATE_GROUP = 3;
+    // Only local
+    SYSTEM_MESSAGE_PRIVATE_GROUP = 4;}
+  enum ContentType {
+    UNKNOWN_CONTENT_TYPE = 0;
+    TEXT_PLAIN = 1;
+    STICKER = 2;
+    STATUS = 3;
+    EMOJI = 4;
+    TRANSACTION_COMMAND = 5;
+    // Only local
+    SYSTEM_MESSAGE_CONTENT_PRIVATE_GROUP = 6;
+  }
+}
+```
+
+Payload
+
+| Field | Name | Type | Description |
+| ----- | ---- | ---- | ---- |
+| 1 | clock | `uint64` | The clock of the chat|
+| 2 | timestamp | `uint64` | The sender timestamp at message creation |
+| 3 | text | `string` | The content of the message |
+| 4 | response_to | `string` | The ID of the message replied to |
+| 5 | ens_name | `string` | The ENS name of the user sending the message |
+| 6 | chat_id | `string` | The local ID of the chat the message is sent to |
+| 7 | message_type | `MessageType` | The type of message, different for one-to-one, public or group chats |
+| 8 | content_type | `ContentType` | The type of the content of the message |
+| 9 | payload | `Sticker\|nil` | The payload of the message based on the content type |
+
+#### Content types
+
+A node requires content types for a proper interpretation of incoming messages. Not each message is plain text but may carry different information.
+
+The following content types MUST be supported:
+
+* `TEXT_PLAIN` identifies a message which content is a plaintext.
+
+There are other content types that MAY be implemented by the client:
+
+* `STICKER`
+* `STATUS`
+* `EMOJI`
+* `TRANSACTION_COMMAND`
+
+##### Mentions
+
+A mention MUST be represented as a string with the `@0xpk` format, where `pk` is the public key of the [user account](/status/deprecated/account.md) to be mentioned,
+within the `text` field of a message with content_type `TEXT_PLAIN`.
+A message MAY contain more than one mention.
+This specification RECOMMENDs that the application does not require the user to enter the entire pk.
+This specification RECOMMENDs that the application allows the user to create a mention
+by typing @ followed by the related ENS or 3-word pseudonym.
+This specification RECOMMENDs that the application provides the user auto-completion functionality to create a mention.
+For better user experience, the client SHOULD display a known [ens name or the 3-word pseudonym corresponding to the key](/status/deprecated/account.md#contact-verification) instead of the `pk`.
+
+##### Sticker content type
+
+A `ChatMessage` with `STICKER` `Content/Type` MUST also specify the ID of the `Pack` and
+the `Hash` of the pack, in the `Sticker` field of `ChatMessage`
+
+```protobuf
+message StickerMessage {
+  string hash = 1;
+  int32 pack = 2;
+}
+```
+
+#### Message types
+
+A node requires message types to decide how to encrypt a particular message
+and what metadata needs to be attached when passing a message to the transport layer.
+For more on this, see [WHISPER-USAGE](/status/deprecated/whisper-usage.md)
+and [WAKU-USAGE](/status/deprecated/waku-usage.md).
+
+<!-- TODO: This reference is a bit odd, considering the layer payloads should interact with is Secure Transport, and not Whisper/Waku. This requires more detail -->
+
+The following messages types MUST be supported:
+
+* `ONE_TO_ONE` is a message to the public group
+* `PUBLIC_GROUP` is a private message
+* `PRIVATE_GROUP` is a message to the private group.
+
+#### Clock vs Timestamp and message ordering
+
+If a user sends a new message before the messages sent
+while the user was offline are received,
+the newmessage is supposed to be displayed last in a chat.
+This is where the basic algorithm of Lamport timestamp would fall short
+as it's only meant to order causally related events.
+
+The status client therefore makes a "bid", speculating that it will beat the current chat-timestamp, s.t. the status client's
+Lamport timestamp format is: `clock = max({timestamp}, chat_clock + 1)`
+
+This will satisfy the Lamport requirement, namely: a -> b then T(a) < T(b)
+
+`timestamp` MUST be Unix time calculated, when the node creates the message, in milliseconds.
+This field SHOULD not be relied upon for message ordering.
+
+`clock` SHOULD be calculated using the algorithm of [Lamport timestamps](https://en.wikipedia.org/wiki/Lamport_timestamps).
+When there are messages available in a chat,
+the node calculates `clock`'s value based on the last received message in a particular chat: `max(timeNowInMs, last-message-clock-value + 1)`.
+If there are no messages, `clock` is initialized with `timestamp`'s value.
+
+Messages with a `clock` greater than `120` seconds over the Whisper/Waku timestamp SHOULD be discarded,
+in order to avoid malicious users to increase the `clock` of a chat arbitrarily.
+
+Messages with a `clock` less than `120` seconds under the Whisper/Waku timestamp
+might indicate an attempt to insert messages in the chat history which is not distinguishable from a `datasync` layer re-transit event.
+A client MAY mark this messages with a warning to the user, or discard them.
+
+The node uses `clock` value for the message ordering.
+The algorithm used, and the distributed nature of the system produces casual ordering, which might produce counter-intuitive results in some edge cases.
+For example, when a user joins a public chat and sends a message
+before receiving the exist messages, their message `clock` value might be lower
+and the message will end up in the past when the historical messages are fetched.
+
+#### Chats
+
+Chat is a structure that helps organize messages.
+It's usually desired to display messages only from a single recipient,
+or a group of recipients at a time and chats help to achieve that.
+
+All incoming messages can be matched against a chat.
+The below table describes how to calculate a chat ID for each message type.
+
+|Message Type|Chat ID Calculation|Direction|Comment|
+|------------|-------------------|---------|-------|
+|PUBLIC_GROUP|chat ID is equal to a public channel name; it should equal `chatId` from the message|Incoming/Outgoing||
+|ONE_TO_ONE|let `P` be a public key of the recipient; `hex-encode(P)` is a chat ID; use it as `chatId` value in the message|Outgoing||
+|user-message|let `P` be a public key of message's signature; `hex-encode(P)` is a chat ID; discard `chat-id` from message|Incoming|if there is no matched chat, it might be the first message from public key `P`; the node MAY discard the message or MAY create a new chat; Status official clients create a new chat|
+|PRIVATE_GROUP|use `chatId` from the message|Incoming/Outgoing|find an existing chat by `chatId`; if none is found, the user is not a member of that chat or the user hasn't joined that chat, the message MUST be discarded |
+
+### Contact Update
+
+`ContactUpdate` is a message exchange to notify peers that either the
+user has been added as a contact, or that information about the sending user have
+changed.
+
+```protobuf
+message ContactUpdate {
+  uint64 clock = 1;
+  string ens_name = 2;
+  string profile_image = 3;
+}
+```
+
+Payload
+
+| Field | Name | Type | Description |
+| ----- | ---- | ---- | ---- |
+| 1 | clock | `uint64` | The clock of the chat with the user |
+| 2 | ens_name | `string` | The ENS name if set |
+| 3 | profile_image | `string` | The base64 encoded profile picture of the user |
+
+#### Contact update
+
+A client SHOULD send a `ContactUpdate` to all the contacts each time:
+
+* The ens_name has changed
+* A user edits the profile image
+
+A client SHOULD also periodically send a `ContactUpdate` to all the contacts, the interval is up to the client,
+the Status official client sends these updates every 48 hours.
+
+### SyncInstallationContact
+
+The node uses `SyncInstallationContact` messages to synchronize in a best-effort the contacts to other devices.
+
+```protobuf
+message SyncInstallationContact {
+  uint64 clock = 1;
+  string id = 2;
+  string profile_image = 3;
+  string ens_name = 4;
+  uint64 last_updated = 5;
+  repeated string system_tags = 6;
+}
+```
+
+Payload
+
+| Field | Name | Type | Description |
+| ----- | ---- | ---- | ---- |
+| 1 | clock | `uint64` | clock value of the chat |
+| 2 | id | `string` | id of the contact synced |
+| 3 | profile_image | `string` |  `base64` encoded profile picture of the user |
+| 4 | ens_name | `string` | ENS name of the contact |
+| 5 | `array[string]` | Array of `system_tags` for the user, this can currently be: `":contact/added", ":contact/blocked", ":contact/request-received"`||
+
+### SyncInstallationPublicChat
+
+The node uses `SyncInstallationPublicChat` message to synchronize in a best-effort the public chats to other devices.
+
+```protobuf
+message SyncInstallationPublicChat {
+  uint64 clock = 1;
+  string id = 2;
+}
+```
+
+Payload
+
+| Field | Name | Type | Description |
+| ----- | ---- | ---- | ---- |
+| 1 | clock | `uint64` | clock value of the chat |
+| 2 | id | `string` | id of the chat synced |
+
+### PairInstallation
+
+The node uses `PairInstallation` messages to propagate information about a device to its paired devices.
+
+```protobuf
+message PairInstallation {
+  uint64 clock = 1;
+  string installation_id = 2;
+  string device_type = 3;
+  string name = 4;
+}
+```
+
+Payload
+
+| Field | Name | Type | Description |
+| ----- | ---- | ---- | ---- |
+| 1 | clock | `uint64` | clock value of the chat |
+| 2| installation_id | `string` | A randomly generated id that identifies this device |
+| 3 | device_type | `string` | The OS of the device `ios`,`android` or `desktop` |
+| 4 | name | `string` | The self-assigned name of the device |
+
+### MembershipUpdateMessage and MembershipUpdateEvent
+
+`MembershipUpdateEvent` is a message used to propagate information about group membership changes in a group chat.
+The details are in the [Group chats specs](/status/deprecated/group-chat.md).
+
+## Upgradability
+
+There are two ways to upgrade the protocol without breaking compatibility:
+
+* A node always supports accretion
+* A node does not support deletion of existing fields or messages, which might break compatibility
+
+## Security Considerations
+
+## Changelog
+
+### Version 0.3
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+* Added language to include Waku in all relevant places
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+[Status Whitepaper](https://status.im/whitepaper.pdf)  
+[protobuf record](https://developers.google.com/protocol-buffers/)  
+[Protobuf](https://developers.google.com/protocol-buffers)  
+[Status user account](/status/deprecated/account.md)  
+[ens name or the 3-word pseudonym corresponding to the key](deprecated/account/#contact-verification)  
+[WHISPER-USAGE](/status/deprecated/whisper-usage.md)  
+[WAKU-USAGE](/status/deprecated/waku-usage.md)  
+[Lamport timestamps](https://en.wikipedia.org/wiki/Lamport_timestamps)  
+[Group chats specs](/status/deprecated/group-chat.md)  
+[May 22, 2020 change commit](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)  

status/deprecated/push-notification-server.md

@@ -0,0 +1,753 @@
+---
+title: PUSH-NOTIFICATION-SERVER
+name: Push notification server
+status: deprecated
+description: Status provides a set of Push notification services that can be used to achieve this functionality.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Andrea Maria Piana <andreap@status.im>
+---
+
+## Reason
+
+Push notifications for iOS devices and some Android devices can only be implemented by relying on [APN service](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1) for iOS or [Firebase](https://firebase.google.com/).
+
+This is useful for Android devices that do not support foreground services
+or that often kill the foreground service.
+
+iOS only allows certain kind of applications to keep a connection open when in the
+background, VoIP for example, which current status client does not qualify for.
+
+Applications on iOS can also request execution time when they are in the [background](https://developer.apple.com/documentation/uikit/app_and_environment/scenes/preparing_your_ui_to_run_in_the_background/updating_your_app_with_background_app_refresh)
+but it has a limited set of use cases, for example it won't schedule any time
+if the application was force quit,
+and generally is not responsive enough to implement a push notification system.
+
+Therefore Status provides a set of Push notification services
+that can be used to achieve this functionality.
+
+Because this can't be safely implemented in a privacy preserving manner,
+clients MUST be given an option to opt-in to receiving and sending push notifications.
+They are disabled by default.
+
+## Requirements
+
+The party releasing the app MUST possess a certificate for the Apple Push Notification service
+and its has to run a [gorush](https://github.com/appleboy/gorush) publicly accessible server for sending the actual notification.
+The party releasing the app, Status in this case, needs to run its own [gorush](https://github.com/appleboy/gorush)
+
+## Components
+
+### Gorush instance
+
+A [gorush](https://github.com/appleboy/gorush) instance MUST be publicly available,
+this will be used only by push notification servers.
+
+### Push notification server
+
+A push notification server used by clients to register for receiving and sending push notifications.
+
+### Registering client
+
+A Status client that wants to receive push notifications
+
+### Sending client
+
+A Status client that wants to send push notifications
+
+## Registering with the push notification service
+
+A client MAY register with one or more Push Notification services of their choice.
+
+A `PNR message` (Push Notification Registration) MUST be sent to the [partitioned topic](status/deprecated/waku-usage/#partitioned-topic)
+for the public key of the node, encrypted with this key.
+
+The message MUST be wrapped in a [`ApplicationMetadataMessage`](status/deprecated/payload/#payload-wrapper) with type set to `PUSH_NOTIFICATION_REGISTRATION`.
+
+The marshaled protobuf payload MUST also be encrypted with AES-GCM
+using the Diffie–Hellman key generated from the client and server identity.
+
+This is done in order to ensure that the extracted key from the signature will be
+considered invalid if it can't decrypt the payload.
+
+The content of the message MUST contain the following [protobuf record](https://developers.google.com/protocol-buffers/):
+
+```protobuf
+message PushNotificationRegistration {
+  enum TokenType {
+    UNKNOWN_TOKEN_TYPE = 0;
+    APN_TOKEN = 1;
+    FIREBASE_TOKEN = 2;
+  }
+  TokenType token_type = 1;
+  string device_token = 2;
+  string installation_id = 3;
+  string access_token = 4;
+  bool enabled = 5;
+  uint64 version = 6;
+  repeated bytes allowed_key_list = 7;
+  repeated bytes blocked_chat_list = 8;
+  bool unregister = 9;
+  bytes grant = 10;
+  bool allow_from_contacts_only = 11;
+  string apn_topic = 12;
+  bool block_mentions = 13;
+  repeated bytes allowed_mentions_chat_list = 14;
+}
+```
+
+A push notification server will handle the message according to the following rules:
+
+- it MUST extract the public key of the sender from the signature and verify that
+  the payload can be decrypted successfully.
+- it MUST verify that `token_type` is supported
+- it MUST verify that `device_token` is non empty
+- it MUST verify that `installation_id` is non empty
+- it MUST verify that `version` is non-zero and greater than the currently stored version for the public key and installation id of the sender, if any
+- it MUST verify that `grant` is non empty and according to the [specs](#server-grant)
+- it MUST verify that `access_token` is a valid [`uuid`](https://tools.ietf.org/html/rfc4122)
+- it MUST verify that `apn_topic` is set if `token_type` is `APN_TOKEN`
+
+If the message can't be decrypted, the message MUST be discarded.
+
+If `token_type` is not supported, a response MUST be sent with `error` set to
+`UNSUPPORTED_TOKEN_TYPE`.
+
+If `token`,`installation_id`,`device_tokens`,`version` are empty, a response MUST
+be sent with `error` set to `MALFORMED_MESSAGE`.
+
+If the `version` is equal or less than the currently stored version, a response MUST
+be sent with `error` set to `VERSION_MISMATCH`.
+
+If any other error occurs the `error` should be set to `INTERNAL_ERROR`.
+
+If the response is successful `success` MUST be set to `true` otherwise a response MUST be sent with `success` set to `false`.
+
+`request_id` should be set to the `SHAKE-256` of the encrypted payload.
+
+The response MUST be sent on the [partitioned topic](status/deprecated/waku-usage.md#partitioned-topic) of the sender
+and MUST not be encrypted using the [secure transport](status/deprecated/secure-transport) to facilitate the usage of ephemeral keys.
+
+The payload of the response is:
+
+```protobuf
+message PushNotificationRegistrationResponse {
+  bool success = 1;
+  ErrorType error = 2;
+  bytes request_id = 3;
+
+  enum ErrorType {
+    UNKNOWN_ERROR_TYPE = 0;
+    MALFORMED_MESSAGE = 1;
+    VERSION_MISMATCH = 2;
+    UNSUPPORTED_TOKEN_TYPE = 3;
+    INTERNAL_ERROR = 4;
+  }
+}
+```
+
+The message MUST be wrapped in a [`ApplicationMetadataMessage`](status/deprecated/payloads.md#payload-wrapper) with type set to `PUSH_NOTIFICATION_REGISTRATION_RESPONSE`.
+
+A client SHOULD listen for a response sent on the [partitioned topic](status/deprecated/waku-usage/#partitioned-topic)
+that the key used to register.
+
+If `success` is `true` the client has registered successfully.
+
+If `success` is `false`:
+
+- If `MALFORMED_MESSAGE` is returned, the request SHOULD NOT be retried without ensuring that it is correctly formed.
+- If `INTERNAL_ERROR` is returned, the request MAY be retried, but the client MUST backoff exponentially
+
+A client MAY register with multiple Push Notification Servers in order to increase availability.
+
+A client SHOULD make sure that all the notification services they registered with have the same information about their tokens.
+
+If no response is returned the request SHOULD be considered failed and MAY be retried with the same server or a different one, but clients MUST exponentially backoff after each trial.
+
+If the request is successful the token SHOULD be [advertised](#advertising-a-push-notification-server) as described below
+
+### Query topic
+
+On successful registration the server MUST be listening to the topic derived from:
+
+```protobuf
+   0XHexEncode(Shake256(CompressedClientPublicKey))
+```
+
+Using the topic derivation algorithm described [here](status/deprecated/waku-usage/#public-chats)
+and listen for client queries.
+
+### Server grant
+
+A push notification server needs to demonstrate to a client that it was authorized
+by the client to send them push notifications. This is done by building
+a grant which is specific to a given client-server pair.
+The grant is built as follow:
+
+```protobuf
+   Signature(Keccak256(CompressedPublicKeyOfClient . CompressedPublicKeyOfServer . AccessToken), PrivateKeyOfClient)
+```
+
+When receiving a grant the server MUST be validate that the signature matches the registering client.
+
+## Re-registering with the push notification server
+
+A client SHOULD re-register with the node if the APN or FIREBASE token changes.
+
+When re-registering a client SHOULD ensure that it has the most up-to-date
+`PushNotificationRegistration` and increment `version` if necessary.
+
+Once re-registered, a client SHOULD advertise the changes.
+
+## Changing options
+
+This is handled in exactly the same way as re-registering above.
+
+## Unregistering from push notifications
+
+To unregister a client MUST send a `PushNotificationRegistration` request as described
+above with `unregister` set to `true`, or removing
+their device information.
+
+The server MUST remove all data about this user if `unregistering` is `true`,
+apart from the `hash` of the public key and the `version` of the last options,
+in order to make sure that old messages are not processed.
+
+A client MAY unregister from a server on explicit logout if multiple chat keys
+are used on a single device.
+
+## Advertising a push notification server
+
+Each user registered with one or more push notification servers SHOULD
+advertise periodically the push notification services that they have registered with for each device they own.
+
+```protobuf
+message PushNotificationQueryInfo {
+  string access_token = 1;
+  string installation_id = 2;
+  bytes public_key = 3;
+  repeated bytes allowed_user_list = 4;
+  bytes grant = 5;
+  uint64 version = 6;
+  bytes server_public_key = 7;
+}
+
+message ContactCodeAdvertisement {
+  repeated PushNotificationQueryInfo push_notification_info = 1;
+}
+```
+
+The message MUST be wrapped in a [`ApplicationMetadataMessage`](status/deprecated/payloads/#payload-wrapper) with type set to `PUSH_NOTIFICATION_QUERY_INFO`.
+
+If no filtering is done based on public keys,
+the access token SHOULD be included in the advertisement.
+Otherwise it SHOULD be left empty.
+
+This SHOULD be advertised on the [contact code topic](/status/deprecated/waku-usage.md#contact-code-topic)
+and SHOULD be coupled with normal contact-code advertisement.
+
+Every time a user register or re-register with a push notification service, their
+contact-code SHOULD be re-advertised.
+
+Multiple servers MAY be advertised for the same `installation_id` for redundancy reasons.
+
+## Discovering a push notification server
+
+To discover a push notification service for a given user, their [contact code topic](status/deprecated/waku-usage/#contact-code-topic)
+SHOULD be listened to.
+A mailserver can be queried for the specific topic to retrieve the most up-to-date
+contact code.
+
+## Querying the push notification server
+
+If a token is not present in the latest advertisement for a user, the server
+SHOULD be queried directly.
+
+To query a server a message:
+
+```protobuf
+message PushNotificationQuery {
+  repeated bytes public_keys = 1;
+}
+```
+
+The message MUST be wrapped in a [`ApplicationMetadataMessage`](status/deprecated/payloads/#payload-wrapper) with type set to `PUSH_NOTIFICATION_QUERY`.
+
+MUST be sent to the server on the topic derived from the hashed public key of the
+key we are querying, as [described above](#query-topic).
+
+An ephemeral key SHOULD be used and SHOULD NOT be encrypted using the [secure transport](status/deprecated/secure-transport.md).
+
+If the server has information about the client a response MUST be sent:
+
+```protobuf
+message PushNotificationQueryInfo {
+  string access_token = 1;
+  string installation_id = 2;
+  bytes public_key = 3;
+  repeated bytes allowed_user_list = 4;
+  bytes grant = 5;
+  uint64 version = 6;
+  bytes server_public_key = 7;
+}
+
+message PushNotificationQueryResponse {
+  repeated PushNotificationQueryInfo info = 1;
+  bytes message_id = 2;
+  bool success = 3;
+}
+```
+
+A `PushNotificationQueryResponse` message MUST be wrapped in a [`ApplicationMetadataMessage`](status/deprecated/payloads.md#payload-wrapper) with type set to `PUSH_NOTIFICATION_QUERY_RESPONSE`.
+
+Otherwise a response MUST NOT be sent.
+
+If `allowed_key_list` is not set `access_token` MUST be set and `allowed_key_list` MUST NOT
+be set.
+
+If `allowed_key_list` is set `allowed_key_list` MUST be set and `access_token` MUST NOT be set.
+
+If `access_token` is returned, the `access_token` SHOULD be used to send push notifications.
+
+If `allowed_key_list` are returned, the client SHOULD decrypt each
+token by generating an `AES-GCM` symmetric key from the Diffie–Hellman between the
+target client and itself
+If AES decryption succeeds it will return a valid [`uuid`](https://tools.ietf.org/html/rfc4122) which is what is used for access_token.
+The token SHOULD be used to send push notifications.
+
+The response MUST be sent on the [partitioned topic](status/deprecated/waku-usage/#partitioned-topic) of the sender
+and MUST not be encrypted using the [secure transport](status/deprecated/secure-transport.md) to facilitate
+the usage of ephemeral keys.
+
+On receiving a response a client MUST verify `grant` to ensure that the server
+has been authorized to send push notification to a given client.
+
+## Sending a push notification
+
+When sending a push notification, only the `installation_id` for the devices targeted
+by the message SHOULD be used.
+
+If a message is for all the user devices, all the `installation_id` known to the client MAY be used.
+
+The number of devices MAY be capped in order to reduce resource consumption.
+
+At least 3 devices SHOULD be targeted, ordered by last activity.
+
+For any device that a token is available, or that a token is successfully queried,
+a push notification message SHOULD be sent to the corresponding push notification server.
+
+```protobuf
+message PushNotification {
+  string access_token = 1;
+  string chat_id = 2;
+  bytes public_key = 3;
+  string installation_id = 4;
+  bytes message = 5;
+  PushNotificationType type = 6;
+  enum PushNotificationType {
+    UNKNOWN_PUSH_NOTIFICATION_TYPE = 0;
+    MESSAGE = 1;
+    MENTION = 2;
+  }
+  bytes author = 7;
+}
+
+message PushNotificationRequest {
+  repeated PushNotification requests = 1;
+  bytes message_id = 2;
+}
+```
+
+A `PushNotificationRequest` message MUST be wrapped in a [`ApplicationMetadataMessage`](/status/deprecated/payloads.md#payload-wrapper) with type set to `PUSH_NOTIFICATION_REQUEST`.
+
+Where `message` is the encrypted payload of the message and `chat_id` is the
+`SHAKE-256` of the `chat_id`.
+`message_id` is the id of the message
+`author` is the `SHAKE-256` of the public key of the sender.
+
+If multiple server are available for a given push notification, only one notification
+MUST be sent.
+
+If no response is received
+a client SHOULD wait at least 3 seconds, after which the request MAY be retried against a different server
+
+This message SHOULD be sent using an ephemeral key.
+
+On receiving the message, the push notification server MUST validate the access token.
+If the access token is valid, a notification MUST be sent to the gorush instance with the
+following data:
+
+```protobuf
+{
+  "notifications": [
+    {
+      "tokens": ["token_a", "token_b"],
+      "platform": 1,
+      "message": "You have a new message",
+      "data": {
+        "chat_id": chat_id,
+        "message": message,
+        "installation_ids": [installation_id_1, installation_id_2]
+      }
+    }
+  ]
+}
+```
+
+Where platform is `1` for IOS and `2` for Firebase, according to the [gorush documentation](https://github.com/appleboy/gorush)
+
+A server MUST return a response message:
+
+```protobuf
+message PushNotificationReport {
+  bool success = 1;
+  ErrorType error = 2;
+  enum ErrorType {
+    UNKNOWN_ERROR_TYPE = 0;
+    WRONG_TOKEN = 1;
+    INTERNAL_ERROR = 2;
+    NOT_REGISTERED = 3;
+  }
+  bytes public_key = 3;
+  string installation_id = 4;
+}
+
+message PushNotificationResponse {
+  bytes message_id = 1;
+  repeated PushNotificationReport reports = 2;
+}
+```
+
+A `PushNotificationResponse` message MUST be wrapped in a [`ApplicationMetadataMessage`](/status/deprecated/payloads.md#payload-wrapper) with type set to `PUSH_NOTIFICATION_RESPONSE`.
+
+Where `message_id` is the `message_id` sent by the client.
+
+The response MUST be sent on the [partitioned topic](/status/deprecated/waku-usage.md#partitioned-topic) of the sender
+and MUST not be encrypted using the [secure transport](/status/deprecated/secure-transport.md) to facilitate
+the usage of ephemeral keys.
+
+If the request is accepted `success` MUST be set to `true`.
+Otherwise `success` MUST be set to `false`.
+
+If `error` is `BAD_TOKEN` the client MAY query again the server for the token and
+retry the request.
+
+If `error` is `INTERNAL_ERROR` the client MAY retry the request.
+
+## Flow
+
+### Registration process
+
+- A client will generate a notification token through `APN` or `Firebase`.
+- The client will [register](#registering-with-the-push-notification-service) with one or more push notification server of their choosing.
+- The server should process the response and respond according to the success of the operation
+- If the request is not successful it might be retried, and adjusted according to the response. A different server can be also used.
+- Once the request is successful the client should [advertise](#advertising-a-push-notification-server) the new coordinates
+
+### Sending a notification
+
+- A client should prepare a message and extract the targeted installation-ids
+- It should retrieve the most up to date information for a given user, either by
+  querying a push notification server, a mailserver if not listening already to the given topic, or checking
+  the database locally
+- It should then [send](#sending-a-push-notification) a push notification according
+  to the rules described
+- The server should then send a request to the gorush server including all the required
+  information
+
+### Receiving a push notification
+
+- On receiving the notification, a client can open the right account by checking the
+  `installation_id` included. The `chat_id` MAY be used to open the chat if present.
+- `message` can be decrypted and presented to the user. Otherwise messages can be pulled from the mailserver if the `message_id` is no already present.
+
+## Protobuf description
+
+### PushNotificationRegistration
+
+`token_type`: the type of token. Currently supported is `APN_TOKEN` for Apple Push
+`device_token`: the actual push notification token sent by `Firebase` or `APN`
+and `FIREBASE_TOKEN` for firebase.
+`installation_id`: the [`installation_id`](/status/deprecated/account.md) of the device
+`access_token`: the access token that will be given to clients to send push notifications
+`enabled`: whether the device wants to be sent push notifications
+`version`: a monotonically increasing number identifying the current `PushNotificationRegistration`. Any time anything is changed in the record it MUST be increased by the client, otherwise the request will not be accepted.
+`allowed_key_list`: a list of `access_token` encrypted with the AES key generated
+ by Diffie–Hellman between the publisher and the allowed
+contact.
+`blocked_chat_list`: a list of `SHA2-256` hashes of chat ids.
+Any chat id in this list will not trigger a notification.
+`unregister`: whether the account should be unregistered
+`grant`: the grant for this specific server
+`allow_from_contacts_only`: whether the client only wants push notifications from contacts
+`apn_topic`: the APN topic for the push notification
+`block_mentions`: whether the client does not want to be notified on mentions
+`allowed_mentions_chat_list`:  a list of `SHA2-256` hashes of chat ids where we want to receive mentions
+
+#### Data disclosed
+
+- Type of device owned by a given user
+- The `FIREBASE` or `APN` push notification token
+- Hash of the chat_id a user is not interested in for notifications
+- The times a push notification record has been modified by the user
+- The number of contacts a client has, in case `allowed_key_list` is set
+
+### PushNotificationRegistrationResponse
+
+`success`: whether the registration was successful
+`error`: the error type, if any
+`request_id`: the `SHAKE-256` hash of the `signature` of the request
+`preferences`: the server stored preferences in case of an error
+
+### ContactCodeAdvertisement
+
+`push_notification_info`: the information for each device advertised
+
+Data disclosed
+
+- The chat key of the sender
+
+### PushNotificationQuery
+
+`public_keys`: the `SHAKE-256` of the public keys the client is interested in
+
+Data disclosed
+
+- The hash of the public keys the client is interested in
+
+### PushNotificationQueryInfo
+
+`access_token`: the access token used to send a push notification
+`installation_id`: the `installation_id` of the device associated with the `access_token`
+`public_key`: the `SHAKE-256` of the public key associated with this `access_token` and `installation_id`
+`allowed_key_list`: a list of encrypted access tokens to be returned
+to the client in case there's any filtering on public keys in place.
+`grant`: the grant used to register with this server.
+`version`: the version of the registration on the server.
+`server_public_key`: the compressed public key of the server.
+
+### PushNotificationQueryResponse
+
+`info`:  a list of `PushNotificationQueryInfo`.
+`message_id`: the message id of the `PushNotificationQueryInfo` the server is replying to.
+`success`: whether the query was successful.
+
+### PushNotification
+
+`access_token`: the access token used to send a push notification.
+`chat_id`: the `SHAKE-256` of the `chat_id`.
+`public_key`: the `SHAKE-256` of the compressed public key of the receiving client.
+`installation_id`: the installation id of the receiving client.
+`message`: the encrypted message that is being notified on.
+`type`: the type of the push notification, either `MESSAGE` or `MENTION`
+`author`: the `SHAKE-256` of the public key of the sender
+
+Data disclosed
+
+- The `SHAKE-256` of the `chat_id` the notification is to be sent for
+- The cypher text of the message
+- The `SHAKE-256` of the public key of the sender
+- The type of notification
+
+### PushNotificationRequest
+
+`requests`: a list of `PushNotification`
+`message_id`: the [status message id](/status/deprecated/payloads.md)
+
+Data disclosed
+
+- The status message id for which the notification is for
+
+### PushNotificationResponse
+
+`message_id`: the `message_id` being notified on.
+`reports`: a list of `PushNotificationReport`
+
+### PushNotificationReport
+
+`success`: whether the push notification was successful.
+`error`: the type of the error in case of failure.
+`public_key`: the public key of the user being notified.
+`installation_id`: the installation id of the user being notified.
+
+## Anonymous mode of operations
+
+An anonymous mode of operations MAY be provided by the client, where the
+responsibility of propagating information about the user is left to the client,
+in order to preserve privacy.
+
+A client in anonymous mode can register with the server using a key different
+from their chat key.
+This will hide their real chat key.
+
+This public key is effectively a secret and SHOULD only be disclosed to clients that you the user wants to be notified by.
+
+A client MAY advertise the access token on the contact-code topic of the key generated.
+A client MAY share their public key through [contact updates](/status/deprecated/payloads.md#contact-update)
+
+A client receiving a push notification public key SHOULD listen to the contact code
+topic of the push notification public key for updates.
+
+The method described above effectively does not share the identity of the sender
+nor the receiver to the server, but MAY result in missing push notifications as
+the propagation of the secret is left to the client.
+
+This can be mitigated by [device syncing](/status/deprecated/payloads.md), but not completely
+addressed.
+
+## Security considerations
+
+If no anonymous mode is used, when registering with a push notification service a client discloses:
+
+- The chat key
+- The devices that will receive notifications
+
+A client MAY disclose:
+
+- The hash of the chat_ids they want to filter out
+
+When running in anonymous mode, the client's chat key is not disclosed.
+
+When querying a push notification server a client will disclose:
+
+- That it is interested in sending push notification to another client,
+  but the querying client's chat key is not disclosed
+
+When sending a push notification a client discloses:
+
+- The `SHAKE-256` of the chat id
+
+[//]: This section can be removed, for now leaving it here in order to help with the
+review process. Point can be integrated, suggestion welcome.
+
+## FAQ
+
+### Why having ACL done at the server side and not the client?
+
+We looked into silent notification for
+[IOS](https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/pushing_background_updates_to_your_app) (android has no equivalent)
+but can't be used as it's expected to receive maximum 2/3 per hour, so not our use case. There
+are also issue when the user force quit the app.
+
+### Why using an access token?
+
+The access token is used to decouple the requesting information from the user from
+actually sending the push notification.
+
+Some ACL is necessary otherwise it would be too easy to spam users (it's still fairly
+trivial, but with this method you could allow only contacts to send you push notifications).
+
+Therefore your identity must be revealed to the server either when sending or querying.
+
+By using an access token we increase deniability, as the server would know
+who requested the token but not necessarily who sent a push notification.
+Correlation between the two can be trivial in some cases.
+
+This also allows a mode of use as we had before, where the server does not propagate
+info at all, and it's left to the user to propagate the token, through contact requests
+for example.
+
+### Why advertise with the bundle?
+
+Advertising with the bundle allows us to piggy-back on an already implemented behavior
+and save some bandwidth in cases where is not filtering by public keys
+
+### What's the  bandwidth impact for this?
+
+Generally speaking, for each 1-to-1 message and group chat message you will sending
+1 and `number of participants` push notifications. This can be optimized if
+multiple users are using the same push notification server. Queries have also
+a bandwidth impact but they are made only when actually needed
+
+### What's the information disclosed?
+
+The data disclosed with each message sent by the client is above, but for a summary:
+
+When you register with a push notification service you may disclose:
+
+1) Your chat key
+2) Which devices you have
+3) The hash of the chat_ids you want to filter out
+4) The hash of the public keys you are interested/not interested in
+
+When you query a notification service you may disclose:
+
+1) Your chat key
+2) The fact that you are interested in sending push notification to a given user
+
+Effectively this is fairly revealing if the user has a whitelist implemented.
+Therefore sending notification should be optional.
+
+### What prevents a user from generating a random key and getting an access token and spamming?
+
+Nothing really, that's the same as the status app as a whole. the only mechanism that prevents
+this is using a white-list as described above,
+but that implies disclosing your true identity to the push notification server.
+
+### Why not 0-knowledge proofs/quantum computing
+
+We start simple, we can iterate
+
+### How to handle backward/forward compatibility
+
+Most of the request have a target, so protocol negotiation can happen. We cannot negotiated
+the advertisement as that's effectively a broadcast, but those info should not change and we can
+always accrete the message.
+
+### Why ack_key?
+
+That's necessary to avoid duplicated push notifications and allow for the retry
+in case the notification is not successful.
+
+Deduplication of the push notification is done on the client side, to reduce a bit
+of centralization and also in order not to have to modify gorush.
+
+### Can I run my own node?
+
+Sure, the methods allow that
+
+### Can I register with multiple nodes for redundancy
+
+Yep
+
+### What does my node disclose?
+
+Your node will disclose the IP address is running from, as it makes an HTTP post to
+gorush. A waku adapter could be used, but please not now.
+
+### Does this have high-reliability requirements?
+
+The gorush server yes, no way around it.
+
+The rest, kind of, at least one node having your token needs to be up for you to receive notifications.
+But you can register with multiple servers (desktop, status, etc) if that's a concern.
+
+### Can someone else (i.e not status) run this?
+
+Push notification servers can be run by anyone. Gorush can be run by anyone I take,
+but we are in charge of the certificate, so they would not be able to notify status-clients.
+
+## Changelog
+
+### Version 0.1
+
+[Released](https://github.com/status-im/specs/commit/)
+
+- Initial version
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [APN Service](https://developer.apple.com/library/archive/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/APNSOverview.html#//apple_ref/doc/uid/TP40008194-CH8-SW1)
+- [Background Execution on iOS](https://developer.apple.com/documentation/uikit/app_and_environment/scenes/preparing_your_ui_to_run_in_the_background/updating_your_app_with_background_app_refresh)
+- [Firebase](https://firebase.google.com/)
+- [Gorush](https://github.com/appleboy/gorush)
+- [UUID Specification](https://tools.ietf.org/html/rfc4122)
+- [Secure Transport](/status/deprecated/secure-transport.md)
+- [Silent Notifications on iOS](https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/pushing_background_updates_to_your_app)
+- [Waku Usage](/status/deprecated/waku-usage.md)
+- [ENS Contract](https://github.com/ensdomains/ens)
+- [Payloads](/status/deprecated/payloads.md)

status/deprecated/secure-transport.md

@@ -0,0 +1,583 @@
+---
+title: SECURE-TRANSPORT
+name: Secure Transport
+status: deprecated
+description: This document describes how Status provides a secure channel between two peers, providing confidentiality, integrity, authenticity, and forward secrecy.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Andrea Maria Piana <andreap@status.im>
+  - Corey Petty <corey@status.im>
+  - Dean Eigenmann <dean@status.im>
+  - Oskar Thorén <oskar@status.im>
+  - Pedro Pombeiro <pedro@status.im>
+---
+
+## Abstract
+
+This document describes how Status provides a secure channel between two peers,
+and thus provide confidentiality, integrity, authenticity and forward secrecy.
+It is transport-agnostic and works over asynchronous networks.
+
+It builds on the [X3DH](https://signal.org/docs/specifications/x3dh/) and [Double Ratchet](https://signal.org/docs/specifications/doubleratchet/) specifications, with some adaptations to operate in a decentralized environment.
+
+## Introduction
+
+This document describes how nodes establish a secure channel,
+and how various conversational security properties are achieved.
+
+### Definitions
+
+- **Perfect Forward Secrecy** is a feature of specific key-agreement protocols
+which provide assurances that session keys will not be compromised even if the private keys of the participants are compromised.
+Specifically, past messages cannot be decrypted by a third-party who manages to get a hold of a private key.
+
+- **Secret channel** describes a communication channel where Double Ratchet algorithm is in use.
+
+### Design Requirements
+
+- **Confidentiality**: The adversary should not be able to learn what data is being exchanged between two Status clients.
+- **Authenticity**: The adversary should not be able to cause either endpoint of a Status 1:1 chat
+to accept data from any third party as though it came from the other endpoint.
+- **Forward Secrecy**: The adversary should not be able to learn
+what data was exchanged between two Status clients if, at some later time,
+the adversary compromises one or both of the endpoint devices.
+- **Integrity**: The adversary should not be able to cause either endpoint of a Status 1:1 chat
+to accept data that has been tampered with.
+
+All of these properties are ensured by the use of [Signal's Double Ratchet](https://signal.org/docs/specifications/doubleratchet/)
+
+### Conventions
+
+Types used in this specification are defined using [Protobuf](https://developers.google.com/protocol-buffers/).
+
+### Transport Layer
+
+[Whisper](status/deprecated/whisper-usage) and [Waku](status/deprecated/waku-usage) serves as the transport layers for the Status chat protocol.
+
+### User flow for 1-to-1 communications
+
+#### Account generation
+
+See [Account specification](status/deprecated/account)
+
+#### Account recovery
+
+If Alice later recovers her account, the Double Ratchet state information will not be available,
+so she is no longer able to decrypt any messages received from existing contacts.
+
+If an incoming message (on the same Whisper/Waku topic) fails to decrypt,
+the node replies a message with the current bundle, so that the node notifies the other end of the new device.
+Subsequent communications will use this new bundle.
+
+## Messaging
+
+All 1:1 and group chat messaging in Status is subject to end-to-end encryption
+to provide users with a strong degree of privacy and security.
+Public chat messages are publicly readable by anyone since there's no permission model
+for who is participating in a public chat.
+
+The rest of this document is purely about 1:1 and private group chat.
+Private group chat largely reduces to 1:1 chat, since there's a secure channel between each pair-wise participant.
+
+### End-to-end encryption
+
+End-to-end encryption (E2EE) takes place between two clients.
+The main cryptographic protocol is a [Status implementation](https://github.com/status-im/doubleratchet/) of the Double Ratchet protocol,
+which is in turn derived from the [Off-the-Record protocol](https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html), using a different ratchet.
+The transport protocol subsequently encrypt the message payload - Whisper/Waku (see section [Transport Layer](#transport-layer)) -, using symmetric key encryption.
+Furthermore, Status uses the concept of prekeys (through the use of [X3DH](https://signal.org/docs/specifications/x3dh/))
+to allow the protocol to operate in an asynchronous environment.
+It is not necessary for two parties to be online at the same time to initiate an encrypted conversation.
+
+Status uses the following cryptographic primitives:
+
+- Whisper/Waku
+  - AES-256-GCM
+  - ECIES
+  - ECDSA
+  - KECCAK-256
+- X3DH
+  - Elliptic curve Diffie-Hellman key exchange (secp256k1)
+  - KECCAK-256
+  - ECDSA
+  - ECIES
+- Double Ratchet
+  - HMAC-SHA-256 as MAC
+  - Elliptic curve Diffie-Hellman key exchange (Curve25519)
+  - AES-256-CTR with HMAC-SHA-256 and IV derived alongside an encryption key
+
+   The node achieves key derivation using HKDF.
+
+### Prekeys
+
+Every client initially generates some key material which is stored locally:
+
+- Identity keypair based on secp256k1 - `IK`
+- A signed prekey based on secp256k1 - `SPK`
+- A prekey signature - `Sig(IK, Encode(SPK))`
+
+More details can be found in the `X3DH Prekey bundle creation` section of [2/ACCOUNT](/status/deprecated/account.md#x3dh-prekey-bundles).
+
+Prekey bundles can be extracted from any user's messages,
+or found via searching for their specific topic, `{IK}-contact-code`.
+
+TODO: See below on bundle retrieval, this seems like enhancement and parameter for recommendation
+
+### Bundle retrieval
+
+<!-- TODO: Potentially move this completely over to [Trust Establishment](./status-account-spec.md) -->
+
+X3DH works by having client apps create and make available a bundle of prekeys (the X3DH bundle)
+that can later be requested by other interlocutors when they wish to start a conversation with a given user.
+
+In the X3DH specification, nodes typically use a shared server
+to store bundles and allow other users to download them upon request.
+Given Status' goal of decentralization,
+Status chat clients cannot rely on the same type of infrastructure
+and must achieve the same result using other means.
+By growing order of convenience and security, the considered approaches are:
+
+- contact codes;
+- public and one-to-one chats;
+- QR codes;
+- ENS record;
+- Decentralized permanent storage (e.g. Swarm, IPFS).
+- Whisper/Waku
+
+<!-- TODO: Comment, it isn't clear what we actually _do_. It seems as if this is exploring the problem space. From a protocol point of view, it might make sense to describe the interface, and then have a recommendation section later on that specifies what we do. See e.g. Signal's specs where they specify specifics later on.  -->
+
+Currently, only public and one-to-one message exchanges and Whisper/Waku is used to exchange bundles.
+
+Since bundles stored in QR codes or ENS records cannot be updated to delete already used keys,
+the approach taken is to rotate more frequently the bundle (once every 24 hours),
+which will be propagated by the app through the channel available.
+
+### 1:1 chat contact request
+
+There are two phases in the initial negotiation of a 1:1 chat:
+
+1. **Identity verification** (e.g., face-to-face contact exchange through QR code, Identicon matching).
+A QR code serves two purposes simultaneously - identity verification and initial bundle retrieval;
+1. **Asynchronous initial key exchange**, using X3DH.
+
+For more information on account generation and trust establishment, see [2/ACCOUNT](/status/deprecated/account.md)
+
+#### Initial key exchange flow (X3DH)
+
+[Section 3 of the X3DH protocol](https://signal.org/docs/specifications/x3dh/#sending-the-initial-message) describes the initial key exchange flow, with some additional context:
+
+- The users' identity keys `IK_A` and `IK_B` correspond to their respective Status chat public keys;
+- Since it is not possible to guarantee that a prekey will be used only once in a decentralized world,
+the one-time prekey `OPK_B` is not used in this scenario;
+- Nodes do not send Bundles to a centralized server, but instead served in a decentralized way as described in [bundle retrieval](#bundle-retrieval).
+
+Alice retrieves Bob's prekey bundle, however it is not specific to Alice. It contains:
+
+([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L12))
+
+``` protobuf
+// X3DH prekey bundle
+message Bundle {
+
+  bytes identity = 1;
+
+  map<string,SignedPreKey> signed_pre_keys = 2;
+
+  bytes signature = 4;
+
+  int64 timestamp = 5;
+}
+
+```golang
+- `identity`: Identity key `IK_B`
+- `signed_pre_keys`: Signed prekey `SPK_B` for each device, indexed by `installation-id`
+- `signature`: Prekey signature <i>Sig(`IK_B`, Encode(`SPK_B`))</i>
+- `timestamp`: When the bundle was created locally
+
+([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L5))
+
+``` protobuf
+message SignedPreKey {
+  bytes signed_pre_key = 1;
+  uint32 version = 2;
+}
+```
+
+The `signature` is generated by sorting `installation-id` in lexicographical order, and concatenating the `signed-pre-key` and `version`:
+
+`installation-id-1signed-pre-key1version1installation-id2signed-pre-key2-version-2`
+
+#### Double Ratchet
+
+Having established the initial shared secret `SK` through X3DH, it can be used to seed a Double Ratchet exchange between Alice and Bob.
+
+Please refer to the [Double Ratchet spec](https://signal.org/docs/specifications/doubleratchet/) for more details.
+
+The initial message sent by Alice to Bob is sent as a top-level `ProtocolMessage` ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L65))
+containing a map of `DirectMessageProtocol` indexed by `installation-id` ([protobuf](https://github.com/status-im/status-go/blob/1ac9dd974415c3f6dee95145b6644aeadf02f02c/services/shhext/chat/encryption.proto#L56)):
+
+``` protobuf
+message ProtocolMessage {
+
+  string installation_id = 2;
+
+  repeated Bundle bundles = 3;
+
+  // One to one message, encrypted, indexed by installation_id
+  map<string,DirectMessageProtocol> direct_message = 101;
+
+  // Public chats, not encrypted
+  bytes public_message = 102;
+
+}
+```
+
+- `bundles`: a sequence of bundles
+- `installation_id`: the installation id of the sender
+- `direct_message` is a map of `DirectMessageProtocol` indexed by `installation-id`
+- `public_message`: unencrypted public chat message.
+
+``` protobuf
+message DirectMessageProtocol {
+  X3DHHeader X3DH_header = 1;
+  DRHeader DR_header = 2;
+  DHHeader DH_header = 101;
+  // Encrypted payload
+  bytes payload = 3;
+}
+```
+
+```protobuf
+- `X3DH_header`: the `X3DHHeader` field in `DirectMessageProtocol` contains:
+
+    ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L47))
+    ``` protobuf
+    message X3DHHeader {
+      bytes key = 1;
+      bytes id = 4;
+    }
+    ```
+
+    - `key`: Alice's ephemeral key `EK_A`;
+    - `id`: Identifier stating which of Bob's prekeys Alice used, in this case Bob's bundle signed prekey.
+
+    Alice's identity key `IK_A` is sent at the transport layer level (Whisper/Waku);
+
+- `DR_header`: Double ratchet header ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L31)). Used when Bob's public bundle is available:
+    ``` protobuf
+    message DRHeader {
+      bytes key = 1;
+      uint32 n = 2;
+      uint32 pn = 3;
+      bytes id = 4;
+    }
+    ```
+    - `key`: Alice's current ratchet public key (as mentioned in [DR spec section 2.2](https://signal.org/docs/specifications/doubleratchet/#symmetric-key-ratchet));
+    - `n`: number of the message in the sending chain;
+    - `pn`: length of the previous sending chain;
+    - `id`: Bob's bundle ID.
+
+- `DH_header`: Diffie-Helman header (used when Bob's bundle is not available):
+    ([protobuf](https://github.com/status-im/status-go/blob/a904d9325e76f18f54d59efc099b63293d3dcad3/services/shhext/chat/encryption.proto#L42))
+    ``` protobuf
+    message DHHeader {
+      bytes key = 1;
+    }
+    ```
+    - `key`: Alice's compressed ephemeral public key.
+
+- `payload`:
+    - if a bundle is available, contains payload encrypted with the Double Ratchet algorithm;
+    - otherwise, payload encrypted with output key of DH exchange (no Perfect Forward Secrecy).
+```
+<!-- TODO: A lot of links to status-go, seems likely these should be updated to status-protocol-go -->
+
+## Security Considerations
+
+The same considerations apply as in [section 4 of the X3DH spec](https://signal.org/docs/specifications/x3dh/#security-considerations) and [section 6 of the Double Ratchet spec](https://signal.org/docs/specifications/doubleratchet/#security-considerations), with some additions detailed below.
+
+<!-- TODO: Add any additional context here not covered in the X3DH and DR specs -->
+
+<!--
+TODO: description here
+
+### --- Security  and Privacy Features
+#### Confidentiality (YES)
+> Only the intended recipients are able to read a message. Specifically, the message must not be readable by a server operator that is not a conversation participant
+
+- Yes.
+- There's a layer of encryption at Whisper as well as above with Double Ratchet
+- Relay nodes and Mailservers can only read a topic of a Whisper message, and nothing within the payload.
+
+#### Integrity (YES)
+> No honest party will accept a message that has been modified in transit.
+
+- Yes.
+- Assuming a user validates (TODO: Check this assumption) every message they are able to decrypt and validate its signature from the sender, then it is not able to be altered in transit.
+    * [igorm] i'm really not sure about it, Whisper provides a signature, but I'm not sure we check it anywhere (simple grepping didn't give anything)
+    * [andrea] Whisper checks the signature and a public key is derived from it, we check the public key is a meaningful public key. The pk itself is not in the content of the message for public chats/1-to-1 so potentially you could send a message from a random account without having access to the private key, but that would not be much of a deal, as you might just as easily create a random account)
+
+#### Authentication (YES)
+>  Each participant in the conversation receives proof of possession of a known long-term secret from all other participants that they believe to be participating in the conversation. In addition, each participant is able to verify that a message was sent from the claimed source
+
+- 1:1 --- one-to-one messages are encrypted with the recipient's public key, and digitally signed by the sender's.  In order to provide Perfect Forward Secrecy, we build on the X3DH and Double Ratchet specifications from Open Whisper Systems, with some adaptations to operate in a decentralized environment.
+- group --- group chat is pairwise
+- public --- A user subscribes to a public channel topic and the decryption key is derived from the topic name
+
+**TODO:** Need to verify that this is actually the case
+**TODO:** Fill in explicit details here
+
+#### Participant Consistency (YES?)
+> At any point when a message is accepted by an honest party, all honest parties are guaranteed to have the same view of the participant list
+
+- **TODO:** Need details here
+
+#### Destination Validation (YES?)
+> When a message is accepted by an honest party, they can verify that they were included in the set of intended recipients for the message.
+
+- Users are aware of the topic that a message was sent to, and that they have the ability to decrypt it.
+- 
+
+#### Forward Secrecy (PARTIAL)
+> Compromising all key material does not enable decryption of previously encrypted data
+
+- After first back and forth between two contacts with PFS enabled, yes.
+
+#### Backward Secrecy (YES)
+> Compromising all key material does not enable decryption of succeeding encrypted data
+
+- PFS requires both backward and forwards secrecy
+[Andrea: This is not true, (Perfect) Forward Secrecy does not imply backward secrecy (which is also called post-compromise security, as signal calls it, or future secrecy, it's not well defined). Technically this is a NO , double ratchet offers good Backward secrecy, but not perfect. Effectively if all the key material is compromised, any future message received will be also compromised (due to the hash ratchet), until a DH ratchet step is completed (i.e. the compromised party generate a new random key and ratchet)]
+
+#### Anonymity Preserving (PARTIAL)
+> Any anonymity features provided by the underlying transport privacy architecture are not undermined (e.g., if the transport privacy system provides anonymity, the conversation security level does not de-anonymize users by linking key identifiers).
+
+- by default, yes
+- ENS Naming system attaches an identifier to a given public key
+
+#### Speaker Consistency (PARTIAL)
+> All participants agree on the sequence of messages sent by each participant. A protocol might perform consistency checks on blocks of messages during the protocol, or after every message is sent.
+
+- We use Lamport timestamps for ordering of events.
+- In addition to this, we use local timestamps to attempt a more intuitive ordering. [Andrea: currently this was introduced as a regression during performance optimization and might result in out-of-order messages if sent across day boundaries, so I consider it a bug and not part of the specs (it does not make the order more intuitive, quite the opposite as it might result in causally related messages being out-of-order, but helps dividing the messages in days)]
+- Fundamentally, there's no single source of truth, nor consensus process for global ordering [Andrea: Global ordering does not need a consensus process i.e. if you order messages alphabetically, and you break ties consistently, you have global ordering, as all the participants will see the same ordering (as opposed to say order by the time the message was received locally),  of course is not useful, you want to have causal + global to be meaningful]
+
+TODO: Understand how this is different from Global Transcript
+[Andrea: This is basically Global transcript for a single participants, we offer global transcript]
+
+#### Causality Preserving (PARTIAL)
+> Implementations can avoid displaying a message before messages that causally precede it
+
+- Not yet, but in pipeline (data sync layer)
+
+[Andrea: Messages are already causally ordered, we don't display messages that are causally related out-of-order, that's already granted by lamport timestamps]
+
+TODO: Verify if this can be done already by looking at Lamport clock difference
+
+#### Global Transcript (PARTIAL)
+> All participants see all messages in the same order
+
+- See directly above
+
+[Andrea: messages are globally (total) ordered, so all participants see the same ordering]
+
+#### Message Unlinkability (NO)
+> If a judge is convinced that a participant authored one message in the conversation, this does not provide evidence that they authored other messages
+
+- Currently, the Status software signs every messages sent with the user's public key, thus making it unable to provide unlinkability.  
+- This is not necessary though, and could be built in to have an option to not sign. 
+- Side note: moot account allows for this but is a function of the anonymity set that uses it.  The more people that use this account the stronger the unlinkability.
+
+#### Message Repudiation (NO)
+> Given a conversation transcript and all cryptographic keys, there is no evidence that a given message was authored by any particular user
+
+- All messages are digitally signed by their sender.
+- The underlying transport, Whisper/Waku, does allow for unsigned messages, but we don't use it.
+
+#### Participant Repudiation (NO)
+> Given a conversation transcript and all cryptographic key material for all but one accused (honest) participant, there is no evidence that the honest participant was in a conversation with any of the other participants.
+
+### --- Group related features
+#### Computational Equality (YES)
+>  All chat participants share an equal computational load
+
+- One a message is sent, all participants in a group chat perform the same steps to retrieve and decrypt it. 
+- If proof of work is actually used at the Whisper layer (basically turned off in Status) then the sender would have to do additional computational work to send messages.
+
+#### Trust Equality (PARTIAL)
+> No participant is more trusted or takes on more responsibility than any other
+
+- 1:1 chats and public chats are equal
+- group chats have admins (on purpose)
+- Private Group chats have Administrators and Members.  Upon construction, the creator is made an admin. These groups have the following privileges:
+    - Admins:
+        - Add group members
+        - Promote group members to admin
+        - Change group name
+    - Members:
+        - Accept invitation to group
+        - Leave group
+    - Non-Members:
+        - Invited by admins show up as "invited" in group; this leaks contact information
+        - Invited people don't opt-in to being invited
+
+TODO: Group chat dynamics should have a documented state diagram
+TODO: create issues for identity leak of invited members as well as current members of a group showing up who have not accepted yet [Andrea: that's an interesting point, didn't think of that. Currently we have this behavior for 2 reasons, backward compatibility with previous releases, which had no concept of joining, and also because we rely on other peers to propagate group info, so we don't have a single-message point of failure (the invitation), the first can be addressed easily, the second is trickier, without giving up the propagation mechanism (if we choose to give this up, then it's trivial)]
+
+#### Subgroup Messaging (NO)
+> Messages can be sent to a subset of participants without forming a new conversation
+
+- This would require a new topic and either a new public chat or a new group chat
+[Andrea: This is a YES, as messages are pairwise encrypted, and client-side fanout, so anyone could potentially send a message only to a subset of the group]
+
+#### Contractible Membership (PARTIAL)
+> After the conversation begins, participants can leave without restarting the protocol
+
+- For 1:1, there is no way to ignore or block a user from sending you a message.  This is currently in the pipeline.
+- For public chats, Yes. A member simply stops subscribing to a specific topic and will no longer receive messages. 
+- For group chats: this assumes pairwise encryption OR key is renegotiated
+- This only currently works on the identity level, and not the device level.  A ghost device will have access to anything other devices have.
+[Andrea: For group chats, that's possible as using pairwise encryption, also with group chats (which use device-to-device encryption), ghost devices is a bit more complicated, in general, they don't have access to the messages you send, i.e. If I send a message from device A1 to the group chat and there is a ghost device A2, it will not be able to decrypt the content, but will see that a message has been sent (as only paired devices are kept in sync, and those are explicitly approved by the user). Messages that you receive are different, so a ghost device (A2) will potentially be able to decrypt the message, but A1 can detect the ghost device (in most cases, it's complicated :), the pfs docs describe multi-device support), for one-to-one ghost devices are undetectable]
+
+#### Expandable Membership (PARTIAL)
+> After the conversation begins, participants can join without restarting the protocol.
+
+- 1:1: no, only 1:1
+- private group: yes, since it is pair-wise, each person in the group just creates a pair with the new member
+- public: yes, as members of a public chat are only subscribing to a topic and receiving anyone sending messages to it. 
+
+### --- Usability and Adoption
+
+#### Out-of-Order Resilient (PARTIAL)
+> If a message is delayed in transit, but eventually arrives, its contents are accessible upon arrival
+
+- Due to asynchronous forward secrecy and no additional services, private keys might be rotated
+
+[Andrea: That's correct, in some cases if the message is delayed for too long, or really out-of-order, the specific message key might have been deleted, as we only keep the last 3000 message keys]
+[Igor: TTL of a Whisper message can expire, so any node-in-transit will drop it. Also, I believe we ignore messages with skewed timestamps]
+
+#### Dropped Message Resilient (PARTIAL)
+> Messages can be decrypted without receipt of all previous messages. This is desirable for asynchronous and unreliable network services
+
+- Public chats: yes, users are able to decrypt any message received at any time.
+- 1-to-1/group chat also, this is a YES in my opinion
+
+#### Asynchronous (PARTIAL)
+> Messages can be sent securely to disconnected recipients and received upon their next connection
+
+- The semantics around message reliability are currently poor
+    * [Igor: messages are stored on mailservers for way longer than TTL (30 days), but that requires Status infrastructure]
+- There's a TTL in Whisper and mailserver can deliver messages after the fact
+
+TODO: this requires more detail
+
+#### Multi-Device Support (YES)
+> A user can participate in the conversation using multiple devices at once. Each device must be able to send and receive messages. Ideally, all devices have identical views of the conversation. The devices might use a synchronized long-term key or distinct keys.
+
+- Yes
+- There is currently work being done to improve the syncing process between a user's devices. 
+
+#### No Additional Service (NO)
+> The protocol does not require any infrastructure other than the protocol participants. Specifically, the protocol must not require additional servers for relaying messages or storing any kind of key material.
+
+- The protocol requires Whisper/Waku relay servers and mailservers currently. 
+- The larger the number of Whisper/Waku relay servers, the better the transport security but there might be potential scaling problems.
+- Mailservers act to provide asynchronicity so users can retrieve messages after coming back from an offline period. 
+
+-->
+
+## Session management
+
+A node identifies a peer by two pieces of data:
+
+1) An `installation-id` which is generated upon creating a new account in the `Status` application
+2) Their identity Whisper/Waku key
+
+### Initialization
+
+A node initializes a new session once a successful X3DH exchange has taken place. Subsequent messages will use the established session until re-keying is necessary.
+
+### Concurrent sessions
+
+If a node creates two sessions concurrently between two peers, the one with the symmetric key first in byte order SHOULD be used, this marks that the other has expired.
+
+### Re-keying
+
+On receiving a bundle from a given peer with a higher version, the old bundle SHOULD be marked as expired and a new session SHOULD be established on the next message sent.
+
+### Multi-device support
+
+Multi-device support is quite challenging as there is not a central place
+where information on which and how many devices (identified by their respective `installation-id`) belongs to a whisper-identity / waku-identity.
+
+Furthermore, account recovery always needs to be taken into consideration,
+where a user wipes clean the whole device and the nodes loses all the information about any previous sessions.
+
+Taking these considerations into account, the way the network propagates multi-device information using x3dh bundles,
+which will contain information about paired devices as well as information about the sending device.
+
+This means that every time a new device is paired, the bundle needs to be updated and propagated with the new information,
+the user has the responsibility to make sure the pairing is successful.
+
+The method is loosely based on [Sesame](https://signal.org/docs/specifications/sesame/).
+
+### Pairing
+
+When a user adds a new account in the `Status` application, a new `installation-id` will be generated.
+The device should be paired as soon as possible if other devices are present.
+Once paired the contacts will be notified of the new device and it will be included in further communications.
+
+If a bundle received from the `IK` is different to the `installation-id`,
+the device will be shown to the user and will have to be manually approved, to a maximum of 3.
+Once that is done any message sent by one device will also be sent to any other enabled device.
+
+Once a user enables a new device, a new bundle will be generated which will include pairing information.
+
+The bundle will be propagated to contacts through the usual channels.
+
+Removal of paired devices is a manual step that needs to be applied on each device,
+and consist simply in disabling the device, at which point pairing information will not be propagated anymore.
+
+### Sending messages to a paired group
+
+When sending a message, the peer will send a message to other `installation-id` that they have seen.
+The node caps the number of devices to 3, ordered by last activity.
+The node sends messages using pairwise encryption, including their own devices.
+
+Account recovery
+
+Account recovery is no different from adding a new device, and it is handled in exactly the same way.
+
+### Partitioned devices
+
+In some cases (i.e. account recovery when no other pairing device is available, device not paired),
+it is possible that a device will receive a message that is not targeted to its own `installation-id`.
+In this case an empty message containing bundle information is sent back,
+which will notify the receiving end of including this device in any further communication.
+
+## Changelog
+
+### Version 0.3
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+- Added language to include Waku in all relevant places
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [X3DH](https://signal.org/docs/specifications/x3dh/)
+- [Double Ratchet](https://signal.org/docs/specifications/doubleratchet/)
+- [Protobuf](https://developers.google.com/protocol-buffers/)
+- [Whisper](/status/deprecated/whisper-usage.md)
+- [Waku](/status/deprecated/waku-usage.md)
+- [Account specification](/status/deprecated/account.md)
+- [Status implementation](https://github.com/status-im/doubleratchet/)
+- [Off-the-Record protocol](https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html)
+- [X3DH](https://signal.org/docs/specifications/x3dh/)
+- [ACCOUNT](/status/deprecated/account.md)
+- [Sesame](https://signal.org/docs/specifications/sesame/)
+- [May 22, 2020 commit change](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)

status/deprecated/waku-mailserver.md

@@ -0,0 +1,138 @@
+---
+title: WAKU-MAILSERVER
+name: Waku Mailserver
+status: deprecated
+description: Waku Mailserver is a specification that allows messages to be stored permanently and to allow the stored messages to be delivered to requesting client nodes, regardless if the messages are not available in the network due to the message TTL expiring.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Adam Babik <adam@status.im>
+  - Oskar Thorén <oskar@status.im>
+  - Samuel Hawksby-Robinson <samuel@status.im>
+---
+
+## Abstract
+
+Being mostly offline is an intrinsic property of mobile clients.
+They need to save network transfer and battery consumption to avoid spending too much money or constant charging.
+Waku protocol, on the other hand, is an online protocol.
+Messages are available in the Waku network only for short period of time calculate in seconds.
+
+Waku Mailserver is a specification that allows messages to be stored permanently
+and allows the stored messages to be delivered to requesting client nodes,
+regardless if the messages are not available in the network due to the message TTL expiring.
+
+## `Mailserver`
+
+From the network perspective, a `Mailserver` is just like any other Waku node.
+The only difference is that a `Mailserver` has the capability of archiving messages
+and delivering them to its peers on-demand.
+
+It is important to notice that a `Mailserver` will only handle requests from its direct peers
+and exchanged packets between a `Mailserver` and a peer are p2p messages.
+
+### Archiving messages
+
+A node which wants to provide `Mailserver` functionality MUST store envelopes from
+incoming message packets (Waku packet-code `0x01`). The envelopes can be stored in any
+format, however they MUST be serialized and deserialized to the Waku envelope format.
+
+A `Mailserver` SHOULD store envelopes for all topics to be generally useful for any peer,
+however for specific use cases it MAY store envelopes for a subset of topics.
+
+### Requesting messages
+
+In order to request historic messages, a node MUST send a packet P2P Request (`0x7e`) to a peer providing `Mailserver` functionality.
+This packet requires one argument which MUST be a Waku envelope.
+
+In the Waku envelope's payload section, there MUST be RLP-encoded information about the details of the request:
+
+```golang
+[ Lower, Upper, Bloom, Limit, Cursor ]
+```
+
+`Lower`: 4-byte wide unsigned integer (UNIX time in seconds; oldest requested envelope's creation time)  
+`Upper`: 4-byte wide unsigned integer (UNIX time in seconds; newest requested envelope's creation time)  
+`Bloom`: 64-byte wide array of Waku topics encoded in a bloom filter to filter envelopes  
+`Limit`: 4-byte wide unsigned integer limiting the number of returned envelopes  
+`Cursor`: an array of a cursor returned from the previous request (optional)
+
+The `Cursor` field SHOULD be filled in if a number of envelopes between `Lower` and `Upper` is greater than `Limit`
+so that the requester can send another request using the obtained `Cursor` value.
+What exactly is in the `Cursor` is up to the implementation.
+The requester SHOULD NOT use a `Cursor` obtained from one `Mailserver` in a request to another `Mailserver` because the format or the result MAY be different.
+
+The envelope MUST be encrypted with a symmetric key agreed between the requester and the `Mailserver`.
+
+### Receiving historic messages
+
+Historic messages MUST be sent to a peer as a packet with a P2P Message code (`0x7f`) followed by an array of Waku envelopes.
+
+In order to receive historic messages from a `Mailserver`, a node MUST trust the selected `Mailserver`,
+that is allowed to send packets with the P2P Message code. By default, the node discards such packets.
+
+Received envelopes MUST be passed through the Waku envelope pipelines
+so that they are picked up by registered filters and passed to subscribers.
+
+For a requester, to know that all messages have been sent by a `Mailserver`,
+it SHOULD handle P2P Request Complete code (`0x7d`). This code is followed by the following parameters:
+
+```golang
+[ RequestID, LastEnvelopeHash, Cursor ]
+```
+
+* `RequestID`: 32-byte wide array with a Keccak-256 hash of the envelope containing the original request  
+* `LastEnvelopeHash`: 32-byte wide array with a Keccak-256 hash of the last sent envelope for the request  
+* `Cursor`: an array of a cursor returned from the previous request (optional)
+
+If `Cursor` is not empty, it means that not all messages were sent due to the set `Limit` in the request.
+One or more consecutive requests MAY be sent with `Cursor` field filled in order to receive the rest of the messages.
+
+## Security considerations
+
+### Confidentiality
+
+The node encrypts all Waku envelopes. A `Mailserver` node can not inspect their contents.
+
+### Altruistic and centralized operator risk
+
+In order to be useful, a `Mailserver` SHOULD be online most of time.
+That means users either have to be a bit tech-savvy to run their own node,
+or rely on someone else to run it for them.
+
+Currently, one of Status's legal entities provides `Mailservers` in an altruistic manner,
+but this is suboptimal from a decentralization, continuance and risk point of view.
+Coming up with a better system for this is ongoing research.
+
+A Status client SHOULD allow the `Mailserver` selection to be customizable.
+
+### Privacy concerns
+
+In order to use a `Mailserver`, a given node needs to connect to it directly,
+i.e. add the `Mailserver` as its peer and mark it as trusted.
+This means that the `Mailserver` is able to send direct p2p messages to the node instead of broadcasting them.
+Effectively, it will have access to the bloom filter of topics that the user is interested in,
+when it is online as well as many metadata like IP address.
+
+### Denial-of-service
+
+Since a `Mailserver` is delivering expired envelopes and has a direct TCP connection with the recipient,
+the recipient is vulnerable to DoS attacks from a malicious `Mailserver` node.
+
+## Changelog
+
+### Version 0.1
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+* Created document
+* Forked from [whisper-mailserver](/status/deprecated/whisper-mailserver.md)
+* Change to keep `Mailserver` term consistent
+* Replaced Whisper references with Waku
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+* [May 22, 2020 change commit](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)

status/deprecated/waku-usage.md

@@ -0,0 +1,392 @@
+---
+title: WAKU-USAGE
+name: Waku Usage
+status: deprecated
+description: Status uses Waku to provide privacy-preserving routing and messaging on top of devP2P.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Adam Babik <adam@status.im>
+  - Corey Petty <corey@status.im>
+  - Oskar Thorén <oskar@status.im>
+  - Samuel Hawksby-Robinson <samuel@status.im>
+---
+
+## Abstract
+
+Status uses [Waku](/waku/standards/legacy/6/waku1.md) to provide privacy-preserving routing
+and messaging on top of devP2P.
+Waku uses topics to partition its messages,
+and these are leveraged for all chat capabilities.
+In the case of public chats, the channel name maps directly to its Waku topic.
+This allows anyone to listen on a single channel.
+
+Additionally, since anyone can receive Waku envelopes,
+it relies on the ability to decrypt messages to decide who is the correct recipient.
+Status nodes do not rely upon this property,
+and implement another secure transport layer on top of Whisper.
+
+## Reason
+
+Provide routing, metadata protection, topic-based multicasting and basic
+encryption properties to support asynchronous chat.
+
+## Terminology
+
+* *Waku node*: an Ethereum node with Waku V1 enabled
+* *Waku network*: a group of Waku nodes connected together through the internet connection and forming a graph
+* *Message*: a decrypted Waku message
+* *Offline message*: an archived envelope
+* *Envelope*: an encrypted message with metadata like topic and Time-To-Live
+
+## Waku packets
+
+| Packet Name          | Code | References |
+| -------------------- | ---: | --- |
+| Status               |    0 | [Status](status), [WAKU-1](/waku/standards/legacy/6/waku1.md#status) |
+| Messages             |    1 | [WAKU-1](/waku/standards/legacy/6/waku1.md#messages) |
+| Batch Ack            |   11 | Undocumented. Marked for Deprecation |
+| Message Response     |   12 | [WAKU-1](/waku/standards/legacy/6/waku1.md#batch-ack-and-message-response) |
+| Status Update        |   22 | [WAKU-1](/waku/standards/legacy/6/waku1.md#status-update) |
+| P2P Request Complete |  125 | [4/WAKU-MAILSERVER](/status/deprecated/waku-mailserver.md) |
+| P2P Request          |  126 | [4/WAKU-MAILSERVER](/status/deprecated/waku-mailserver.md), [WAKU-1](/waku/standards/legacy/6/waku1.md#p2p-request) |
+| P2P Messages         |  127 | [4/WAKU-MAILSERVER](/status/deprecated/waku-mailserver.md), [WAKU-1](/waku/standards/legacy/6/waku1.md#p2p-request-complete) |
+
+## Waku node configuration
+
+A Waku node must be properly configured to receive messages from Status clients.
+
+Nodes use Waku's Proof Of Work algorithm to deter denial of service and various spam/flood attacks against the Whisper network.
+The sender of a message must perform some work which in this case means processing time.
+Because Status' main client is a mobile client, this easily leads to battery draining and poor performance of the app itself.
+Hence, all clients MUST use the following Whisper node settings:
+
+* proof-of-work requirement not larger than `0.002` for payloads less than 50,000 bytes
+* proof-of-work requirement not larger than `0.000002` for payloads greater than or equal to 50,000 bytes
+* time-to-live not lower than `10` (in seconds)
+
+## Status
+
+Handshake is a RLP-encoded packet sent to a newly connected peer. It MUST start with a Status Code (`0x00`) and follow up with items:
+
+```golang
+[
+  [ pow-requirement-key pow-requirement ]
+  [ bloom-filter-key bloom-filter ]
+  [ light-node-key light-node ]
+  [ confirmations-enabled-key confirmations-enabled ]
+  [ rate-limits-key rate-limits ]
+  [ topic-interest-key topic-interest ]
+]
+```
+
+| Option Name             | Key    | Type     | Description | References |
+| ----------------------- | ------ | -------- | ----------- | --- |
+| `pow-requirement`       | `0x00` | `uint64` | minimum PoW accepted by the peer | [WAKU-1#pow-requirement](/waku/standards/legacy/6/waku1.md#pow-requirement-field) |
+| `bloom-filter`          | `0x01` | `[]byte` | bloom filter of Waku topic accepted by the peer | [WAKU-1#bloom-filter](/waku/standards/legacy/6/waku1.md#bloom-filter-field) |
+| `light-node`            | `0x02` | `bool`   | when true, the peer won't forward envelopes through the Messages packet. | [WAKU-1#light-node](/waku/standards/legacy/6/waku1.md#light-node) |
+| `confirmations-enabled` | `0x03` | `bool`   | when true, the peer will send message confirmations | [WAKU-1#confirmations-enabled-field](/waku/standards/legacy/6/waku1.md#confirmations-enabled-field) |
+| `rate-limits`           | `0x04` |          | See [Rate limiting](/waku/standards/legacy/6/waku1.md#rate-limits-field) | [WAKU-1#rate-limits](/waku/standards/legacy/6/waku1.md#rate-limits-field) |
+| `topic-interest`        | `0x05` | `[10000][4]byte` | Topic interest is used to share a node's interest in envelopes with specific topics. It does this in a more bandwidth considerate way, at the expense of some metadata protection. Peers MUST only send envelopes with specified topics. | [WAKU-1#topic-interest](/waku/standards/legacy/6/waku1.md#topic-interest-field), [the theoretical scaling model](https://github.com/vacp2p/research/tree/dcc71f4779be832d3b5ece9c4e11f1f7ec24aac2/whisper_scalability) |
+
+<!-- TODO Add `light-node` and `confirmations-enabled` links when https://github.com/vacp2p/specs/pull/128 is merged -->
+
+## Rate limiting
+
+In order to provide an optional very basic Denial-of-Service attack protection, each node SHOULD define its own rate limits.
+The rate limits SHOULD be applied on IPs, peer IDs, and envelope topics.
+
+Each node MAY decide to whitelist, i.e. do not rate limit, selected IPs or peer IDs.
+
+If a peer exceeds node's rate limits, the connection between them MAY be dropped.
+
+Each node SHOULD broadcast its rate limits to its peers using `rate limits` in `status-options` via packet code `0x00` or `0x22`. The rate limits is RLP-encoded information:
+
+```golang
+[ IP limits, PeerID limits, Topic limits ]
+```
+
+`IP limits`: 4-byte wide unsigned integer
+`PeerID limits`: 4-byte wide unsigned integer
+`Topic limits`: 4-byte wide unsigned integer
+
+The rate limits MAY also be sent as an optional parameter in the handshake.
+
+Each node SHOULD respect rate limits advertised by its peers. The number of packets SHOULD be throttled in order not to exceed peer's rate limits.
+If the limit gets exceeded, the connection MAY be dropped by the peer.
+
+## Keys management
+
+The protocol requires a key (symmetric or asymmetric) for the following actions:
+
+* signing & verifying messages (asymmetric key)
+* encrypting & decrypting messages (asymmetric or symmetric key).
+
+As nodes require asymmetric keys and symmetric keys to process incoming messages,
+they must be available all the time and are stored in memory.
+
+Keys management for PFS is described in [5/SECURE-TRANSPORT](/status/deprecated/secure-transport.md).
+
+The Status protocols uses a few particular Waku topics to achieve its goals.
+
+### Contact code topic
+
+Nodes use the contact code topic to facilitate the discovery of X3DH bundles so that the first message can be PFS-encrypted.
+
+Each user publishes periodically to this topic. If user A wants to contact user B, she SHOULD look for their bundle on this contact code topic.
+
+Contact code topic MUST be created following the algorithm below:
+
+```golang
+contactCode := "0x" + hexEncode(activePublicKey) + "-contact-code"
+
+var hash []byte = keccak256(contactCode)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+### Partitioned topic
+
+Waku is broadcast-based protocol. In theory, everyone could communicate using a single topic but that would be extremely inefficient.
+Opposite would be using a unique topic for each conversation, however,
+this brings privacy concerns because it would be much easier to detect whether and when two parties have an active conversation.
+
+Nodes use partitioned topics to broadcast private messages efficiently.
+By selecting a number of topic, it is possible to balance efficiency and privacy.
+
+Currently, nodes set the number of partitioned topics to `5000`. They MUST be generated following the algorithm below:
+
+```golang
+var partitionsNum *big.Int = big.NewInt(5000)
+var partition *big.Int = big.NewInt(0).Mod(publicKey.X, partitionsNum)
+
+partitionTopic := "contact-discovery-" + strconv.FormatInt(partition.Int64(), 10)
+
+var hash []byte = keccak256(partitionTopic)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+### Public chats
+
+A public chat MUST use a topic derived from a public chat name following the algorithm below:
+
+```golang
+var hash []byte
+hash = keccak256(name)
+
+topicLen = 4
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+<!-- NOTE: commented out as it is currently not used.  In code for potential future use. - C.P. Oct 8, 2019
+### Personal discovery topic
+
+ Personal discovery topic is used to ???
+
+A client MUST implement it following the algorithm below:
+```golang
+personalDiscoveryTopic := "contact-discovery-" + hexEncode(publicKey)
+
+var hash []byte = keccak256(personalDiscoveryTopic)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+Each Status Client SHOULD listen to this topic in order to receive ??? -->
+
+### Group chat topic
+
+Group chats does not have a dedicated topic.
+All group chat messages (including membership updates) are sent as one-to-one messages to multiple recipients.
+
+### Negotiated topic
+
+When a client sends a one to one message to another client, it MUST listen to their negotiated topic.
+This is computed by generating a diffie-hellman key exchange between two members
+and taking the first four bytes of the `SHA3-256` of the key generated.
+
+```golang
+
+sharedKey, err := ecies.ImportECDSA(myPrivateKey).GenerateShared(
+      ecies.ImportECDSAPublic(theirPublicKey),
+      16,
+      16,
+)
+
+
+hexEncodedKey := hex.EncodeToString(sharedKey)
+
+var hash []byte = keccak256(hexEncodedKey)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+A client SHOULD send to the negotiated topic only if it has received a message from all the devices included in the conversation.
+
+### Flow
+
+To exchange messages with client `B`, a client `A` SHOULD:
+
+* Listen to client's `B` Contact Code Topic to retrieve their bundle information, including a list of active devices
+* Send a message on client's `B` partitioned topic
+* Listen to the Negotiated Topic between `A` & `B`
+* Once client `A` receives a message from `B`, the Negotiated Topic SHOULD be used
+
+## Message encryption
+
+Even though, the protocol specifies an encryption layer that encrypts messages before passing them to the transport layer,
+Waku protocol requires each Waku message to be encrypted anyway.
+
+The node encrypts public and group messages using symmetric encryption, and creates the key from a channel name string.
+The implementation is available in [`shh_generateSymKeyFromPassword`](https://github.com/ethereum/go-ethereum/wiki/Whisper-v6-RPC-API#shh_generatesymkeyfrompassword) JSON-RPC method of go-ethereum Whisper implementation.
+
+The node encrypts one-to-one messages using asymmetric encryption.
+
+## Message confirmations
+
+Sending a message is a complex process where many things can go wrong.
+Message confirmations tell a node that a message originating from it has been seen by its direct peers.
+
+A node MAY send a message confirmation for any batch of messages received in a packet Messages Code (`0x01`).
+
+A node sends a message confirmation using Batch Acknowledge packet (`0x0b`) or Message Response packet (`0x0c`).
+
+The Batch Acknowledge packet is followed by a keccak256 hash of the envelopes batch data (raw bytes).
+
+The Message Response packet is more complex and is followed by a Versioned Message Response:
+
+```golang
+[ Version, Response]
+```
+
+`Version`: a version of the Message Response, equal to `1`,
+`Response`: `[ Hash, Errors ]` where `Hash` is a keccak256 hash of the envelopes batch data (raw bytes)
+for which the confirmation is sent and `Errors` is a list of envelope errors when processing the batch.
+A single error contains `[ Hash, Code, Description ]` where `Hash` is a hash of the processed envelope,
+`Code` is an error code and `Description` is a descriptive error message.
+
+The supported codes:
+`1`: means time sync error which happens when an envelope is too old
+or created in the future (the root cause is no time sync between nodes).
+
+The drawback of sending message confirmations is that it increases the noise in the network because for each sent message,
+one or more peers broadcast a corresponding confirmation. To limit that, both Batch Acknowledge packet (`0x0b`)
+and Message Response packet (`0x0c`) are not broadcast to peers of the peers, i.e. they do not follow epidemic spread.
+
+In the current Status network setup, only `Mailservers` support message confirmations.
+A client posting a message to the network and after receiving a confirmation can be sure that the message got processed by the `Mailserver`.
+If additionally, sending a message is limited to non-`Mailserver` peers,
+it also guarantees that the message got broadcast through the network and it reached the selected `Mailserver`.
+
+## Waku V1 extensions
+
+### Request historic messages
+
+Sends a request for historic messages to a `Mailserver`.
+The `Mailserver` node MUST be a direct peer and MUST be marked as trusted (using `waku_markTrustedPeer`).
+
+The request does not wait for the response.
+It merely sends a peer-to-peer message to the `Mailserver` and it's up to `Mailserver` to process it and start sending historic messages.
+
+The drawback of this approach is that it is impossible to tell which historic messages are the result of which request.
+
+It's recommended to return messages from newest to oldest.
+To move further back in time, use `cursor` and `limit`.
+
+#### wakuext_requestMessages
+
+**Parameters**:
+
+* Object - The message request object:
+  * `mailServerPeer` - `String`: `Mailserver`'s enode address.
+  * `from` - `Number` (optional): Lower bound of time range as unix timestamp, default is 24 hours back from now.
+  * `to` - `Number` (optional): Upper bound of time range as unix timestamp, default is now.
+  * `limit` - `Number` (optional): Limit the number of messages sent back, default is no limit.
+  * `cursor` - `String` (optional): Used for paginated requests.
+  * `topics` - `Array`: hex-encoded message topics.
+  * `symKeyID` - `String`: an ID of a symmetric key used to authenticate with the `Mailserver`, derived from the `Mailserver` password.
+
+**Returns**:
+`Boolean` - returns `true` if the request was sent.
+
+The above `topics` is then converted into a bloom filter and then and sent to the `Mailserver`.
+
+<!-- TODO: Clarify actual request with bloom filter to mailserver -->
+
+## Changelog
+
+### Version 0.1
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+* Created document
+* Forked from [3-whisper-usage](3-whisper-usage.md)
+* Change to keep `Mailserver` term consistent
+* Replaced Whisper references with Waku
+* Added [Status options](#status) section
+* Updated [Waku packets](#waku-packets) section to match Waku
+* Added that `Batch Ack` is marked for deprecation
+* Changed `shh_generateSymKeyFromPassword` to `waku_generateSymKeyFromPassword`
+  * [Exists here](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/waku/api.go#L172-L175)
+  * [Exists here](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/eth-node/bridge/geth/public_waku_api.go#L33-L36)
+* Changed `shh_markTrustedPeer` to `waku_markTrustedPeer`
+  * [Exists here](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/waku/api.go#L100-L108)
+* Changed `shhext_requestMessages` to `wakuext_requestMessages`
+  * [Exists here](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/services/wakuext/api.go#L76-L139)
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+* [Waku](waku)
+* [WAKU1](/waku/standards/legacy/6/waku1.md)
+* [WAKU-MAILSERVER](/status/deprecated/waku-mailserver.md)
+* [The theoretical scaling model](https://github.com/vacp2p/research/tree/dcc71f4779be832d3b5ece9c4e11f1f7ec24aac2/whisper_scalability)
+* [SECURE-TRANSPORT](/status/deprecated/secure-transport.md)
+* [May 22, 2020 commit](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+* [`shh_generateSymKeyFromPassword`](https://github.com/ethereum/go-ethereum/wiki/Whisper-v6-RPC-API#shh_generatesymkeyfrompassword)
+* [Key Change #1](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/waku/api.go#L172-L175)
+* [Key Change #2](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/eth-node/bridge/geth/public_waku_api.go#L33-L36)
+* [Key Change #3](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/waku/api.go#L100-L108)
+* [Key Change #4](https://github.com/status-im/status-go/blob/2d13ccf5ec3db7e48d7a96a7954be57edb96f12f/services/wakuext/api.go#L76-L139)

status/deprecated/whisper-mailserver.md

@@ -0,0 +1,148 @@
+---
+title: WHISPER-MAILSERVER
+name: Whisper mailserver
+status: deprecated
+description: Whisper Mailserver is a Whisper extension that allows to store messages permanently and deliver them to the clients even though they are already not available in the network and expired.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Adam Babik <adam@status.im>
+  - Oskar Thorén <oskar@status.im>
+---
+
+## Abstract
+
+Being mostly offline is an intrinsic property of mobile clients.
+They need to save network transfer and battery consumption
+to avoid spending too much money or constant charging.
+Whisper protocol, on the other hand, is an online protocol.
+Messages are available in the Whisper network only for short period of time calculate in seconds.
+
+Whisper `Mailserver` is a Whisper extension that allows to store messages permanently
+and deliver them to the clients even though they are already not available in the network and expired.
+
+## `Mailserver`
+
+From the network perspective, `Mailserver` is just like any other Whisper node.
+The only difference is that it has a capability of archiving messages and delivering them to its peers on-demand.
+
+It is important to notice that `Mailserver` will only handle requests from its direct peers
+and exchanged packets between `Mailserver` and a peer are p2p messages.
+
+### Archiving messages
+
+A node which wants to provide `Mailserver` functionality MUST store envelopes
+from incoming message packets (Whisper packet-code `0x01`).
+The envelopes can be stored in any format,
+however they MUST be serialized and deserialized to the Whisper envelope format.
+
+A `Mailserver` SHOULD store envelopes for all topics to be generally useful for any peer,
+however for specific use cases it MAY store envelopes for a subset of topics.
+
+### Requesting messages
+
+In order to request historic messages, a node MUST send a packet P2P Request (`0x7e`) to a peer providing `Mailserver` functionality.
+This packet requires one argument which MUST be a Whisper envelope.
+
+In the Whisper envelope's payload section, there MUST be RLP-encoded information about the details of the request:
+
+```golang
+[ Lower, Upper, Bloom, Limit, Cursor ]
+```
+
+`Lower`: 4-byte wide unsigned integer (UNIX time in seconds; oldest requested envelope's creation time)  
+`Upper`: 4-byte wide unsigned integer (UNIX time in seconds; newest requested envelope's creation time)  
+`Bloom`: 64-byte wide array of Whisper topics encoded in a bloom filter to filter envelopes  
+`Limit`: 4-byte wide unsigned integer limiting the number of returned envelopes  
+`Cursor`: an array of a cursor returned from the previous request (optional)
+
+The `Cursor` field SHOULD be filled in
+if a number of envelopes between `Lower` and `Upper` is greater than `Limit`
+so that the requester can send another request using the obtained `Cursor` value.
+What exactly is in the `Cursor` is up to the implementation.
+The requester SHOULD NOT use a `Cursor` obtained from one `Mailserver` in a request to another `Mailserver`
+because the format or the result MAY be different.
+
+The envelope MUST be encrypted with a symmetric key agreed between the requester and `Mailserver`.
+
+### Receiving historic messages
+
+Historic messages MUST be sent to a peer as a packet with a P2P Message code (`0x7f`)
+followed by an array of Whisper envelopes.
+It is incompatible with the original Whisper spec (EIP-627) because it allows only a single envelope,
+however, an array of envelopes is much more performant.
+In order to stay compatible with EIP-627, a peer receiving historic message MUST handle both cases.
+
+In order to receive historic messages from a `Mailserver`, a node MUST trust the selected `Mailserver`,
+that is allowed to send packets with the P2P Message code. By default, the node discards such packets.
+
+Received envelopes MUST be passed through the Whisper envelope pipelines
+so that they are picked up by registered filters and passed to subscribers.
+
+For a requester, to know that all messages have been sent by `Mailserver`,
+it SHOULD handle P2P Request Complete code (`0x7d`). This code is followed by the following parameters:
+
+```golang
+[ RequestID, LastEnvelopeHash, Cursor ]
+```
+
+`RequestID`: 32-byte wide array with a Keccak-256 hash of the envelope containing the original request  
+`LastEnvelopeHash`: 32-byte wide array with a Keccak-256 hash of the last sent envelope for the request  
+`Cursor`: an array of a cursor returned from the previous request (optional)
+
+If `Cursor` is not empty, it means that not all messages were sent due to the set `Limit` in the request.
+One or more consecutive requests MAY be sent with `Cursor` field filled in order to receive the rest of the messages.
+
+## Security considerations
+
+### Confidentiality
+
+The node encrypts all Whisper envelopes. A `Mailserver` node can not inspect their contents.
+
+### Altruistic and centralized operator risk
+
+In order to be useful, a `Mailserver` SHOULD be online most of the time. That means
+users either have to be a bit tech-savvy to run their own node, or rely on someone
+else to run it for them.
+
+Currently, one of Status's legal entities provides `Mailservers` in an altruistic manner, but this is
+suboptimal from a decentralization, continuance and risk point of view. Coming
+up with a better system for this is ongoing research.
+
+A Status client SHOULD allow the `Mailserver` selection to be customizable.
+
+### Privacy concerns
+
+In order to use a `Mailserver`, a given node needs to connect to it directly,
+i.e. add the `Mailserver` as its peer and mark it as trusted.
+This means that the `Mailserver` is able to send direct p2p messages to the node instead of broadcasting them.
+Effectively, it will have access to the bloom filter of topics
+that the user is interested in,
+when it is online as well as many metadata like IP address.
+
+### Denial-of-service
+
+Since a `Mailserver` is delivering expired envelopes and has a direct TCP connection with the recipient,
+the recipient is vulnerable to DoS attacks from a malicious `Mailserver` node.
+
+## Changelog
+
+### Version 0.3
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+- Change to keep `Mailserver` term consistent
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [Whisper](https://eips.ethereum.org/EIPS/eip-627)
+- [EIP-627](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-627.md)
+- [SECURE-TRANSPORT](/status/deprecated/secure-transport.md)
+- [`shh_generateSymKeyFromPassword`](https://github.com/ethereum/go-ethereum/wiki/Whisper-v6-RPC-API#shh_generatesymkeyfrompassword)
+- [Whisper v6](https://eips.ethereum.org/EIPS/eip-627)
+- [Waku V0](/waku/deprecated/5/waku0.md)
+- [Waku V1](/waku/standards/legacy/6/waku1.md)
+- [May 22, 2020 change commit](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)

status/deprecated/whisper-usage.md

@@ -0,0 +1,401 @@
+---
+title: WHISPER-USAGE
+name: Whisper Usage
+status: deprecated
+description: Status uses Whisper to provide privacy-preserving routing and messaging on top of devP2P.
+editor: Filip Dimitrijevic <filip@status.im>
+contributors:
+  - Adam Babik <adam@status.im>
+  - Andrea Piana <andreap@status.im>
+  - Corey Petty <corey@status.im>
+  - Oskar Thorén <oskar@status.im>
+---
+
+## Abstract
+
+Status uses [Whisper](https://eips.ethereum.org/EIPS/eip-627) to provide
+privacy-preserving routing and messaging on top of devP2P.
+Whisper uses topics to partition its messages,
+and these are leveraged for all chat capabilities.
+In the case of public chats, the channel name maps directly to its Whisper topic.
+This allows anyone to listen on a single channel.
+
+Additionally, since anyone can receive Whisper envelopes,
+it relies on the ability to decrypt messages to decide who is the correct recipient.
+Status nodes do not rely upon this property,
+and implement another secure transport layer on top of Whisper.
+
+Finally, using an extension of Whisper provides the ability to do offline messaging.
+
+## Reason
+
+Provide routing, metadata protection, topic-based multicasting and basic
+encryption properties to support asynchronous chat.
+
+## Terminology
+
+* *Whisper node*: an Ethereum node with Whisper V6 enabled (in the case of go-ethereum, it's `--shh` option)
+* *Whisper network*: a group of Whisper nodes connected together through the internet connection and forming a graph
+* *Message*: a decrypted Whisper message
+* *Offline message*: an archived envelope
+* *Envelope*: an encrypted message with metadata like topic and Time-To-Live
+
+## Whisper packets
+
+| Packet Name | Code | EIP-627 | References |
+| --- | --: | --- | --- |
+| Status | 0 | ✔ | [Handshake](#handshake) |
+| Messages | 1 | ✔ | [EIP-627](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-627.md) |
+| PoW Requirement | 2 | ✔ | [EIP-627](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-627.md) |
+| Bloom Filter | 3 | ✔ | [EIP-627](https://github.com/ethereum/EIPs/blob/master/EIPS/eip-627.md) |
+| Batch Ack | 11 | 𝘅 | Undocumented |
+| Message Response | 12 | 𝘅 | Undocumented |
+| P2P Sync Request | 123 | 𝘅 | Undocumented |
+| P2P Sync Response | 124 | 𝘅 | Undocumented |
+| P2P Request Complete | 125 | 𝘅 | [4/WHISPER-MAILSERVER](/status/deprecated/whisper-mailserver.md) |
+| P2P Request | 126 | ✔ | [4/WHISPER-MAILSERVER](/status/deprecated/whisper-mailserver.md) |
+| P2P Messages | 127 | ✔/𝘅 (EIP-627 supports only single envelope in a packet) | [4/WHISPER-MAILSERVER](/status/deprecated/whisper-mailserver.md) |
+
+## Whisper node configuration
+
+A Whisper node must be properly configured to receive messages from Status clients.
+
+Nodes use Whisper's Proof Of Work algorithm to deter denial of service
+and various spam/flood attacks against the Whisper network.
+The sender of a message must perform some work which in this case means processing time.
+Because Status' main client is a mobile client, this easily leads to battery draining and poor performance of the app itself.
+Hence, all clients MUST use the following Whisper node settings:
+
+* proof-of-work requirement not larger than `0.002`
+* time-to-live not lower than `10` (in seconds)
+
+## Handshake
+
+Handshake is a RLP-encoded packet sent to a newly connected peer. It MUST start with a Status Code (`0x00`) and follow up with items:
+
+```golang
+[ protocolVersion, PoW, bloom, isLightNode, confirmationsEnabled, rateLimits ]
+```
+
+`protocolVersion`: version of the Whisper protocol
+`PoW`: minimum PoW accepted by the peer
+`bloom`: bloom filter of Whisper topic accepted by the peer
+`isLightNode`: when true, the peer won't forward messages
+`confirmationsEnabled`: when true, the peer will send message confirmations
+`rateLimits`: is `[ RateLimitIP, RateLimitPeerID, RateLimitTopic ]` where each values is an integer with a number of accepted packets per second per IP, Peer ID, and Topic respectively
+
+`bloom, isLightNode, confirmationsEnabled, and rateLimits` are all optional arguments in the handshake. However, if an optional field is specified, all optional fields preceding it MUST also be specified in order to be unambiguous.
+
+## Rate limiting
+
+In order to provide an optional very basic Denial-of-Service attack protection, each node SHOULD define its own rate limits.
+The rate limits SHOULD be applied on IPs, peer IDs, and envelope topics.
+
+Each node MAY decide to whitelist, i.e. do not rate limit, selected IPs or peer IDs.
+
+If a peer exceeds node's rate limits, the connection between them MAY be dropped.
+
+Each node SHOULD broadcast its rate limits to its peers using rate limits packet code (`0x14`). The rate limits is RLP-encoded information:
+
+```golang
+[ IP limits, PeerID limits, Topic limits ]
+```
+
+`IP limits`: 4-byte wide unsigned integer
+`PeerID limits`: 4-byte wide unsigned integer
+`Topic limits`: 4-byte wide unsigned integer
+
+The rate limits MAY also be sent as an optional parameter in the handshake.
+
+Each node SHOULD respect rate limits advertised by its peers.
+The number of packets SHOULD be throttled in order not to exceed peer's rate limits.
+If the limit gets exceeded, the connection MAY be dropped by the peer.
+
+## Keys management
+
+The protocol requires a key (symmetric or asymmetric) for the following actions:
+
+* signing & verifying messages (asymmetric key)
+* encrypting & decrypting messages (asymmetric or symmetric key).
+
+As nodes require asymmetric keys and symmetric keys to process incoming messages,
+they must be available all the time and are stored in memory.
+
+Keys management for PFS is described in [5/SECURE-TRANSPORT](/status/deprecated/whisper-mailserver.md).
+
+The Status protocols uses a few particular Whisper topics to achieve its goals.
+
+### Contact code topic
+
+Nodes use the contact code topic to facilitate the discovery of X3DH bundles so that the first message can be PFS-encrypted.
+
+Each user publishes periodically to this topic.
+If user A wants to contact user B, she SHOULD look for their bundle on this contact code topic.
+
+Contact code topic MUST be created following the algorithm below:
+
+```golang
+contactCode := "0x" + hexEncode(activePublicKey) + "-contact-code"
+
+var hash []byte = keccak256(contactCode)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+### Partitioned topic
+
+Whisper is broadcast-based protocol.
+In theory, everyone could communicate using a single topic but that would be extremely inefficient.
+Opposite would be using a unique topic for each conversation,
+however, this brings privacy concerns because it would be much easier to detect whether
+and when two parties have an active conversation.
+
+Nodes use partitioned topics to broadcast private messages efficiently.
+By selecting a number of topic, it is possible to balance efficiency and privacy.
+
+Currently, nodes set the number of partitioned topics to `5000`.
+They MUST be generated following the algorithm below:
+
+```golang
+var partitionsNum *big.Int = big.NewInt(5000)
+var partition *big.Int = big.NewInt(0).Mod(publicKey.X, partitionsNum)
+
+partitionTopic := "contact-discovery-" + strconv.FormatInt(partition.Int64(), 10)
+
+var hash []byte = keccak256(partitionTopic)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+### Public chats
+
+A public chat MUST use a topic derived from a public chat name following the algorithm below:
+
+```golang
+var hash []byte
+hash = keccak256(name)
+
+topicLen = 4
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+<!-- NOTE: commented out as it is currently not used.  In code for potential future use. - C.P. Oct 8, 2019
+### Personal discovery topic
+
+ Personal discovery topic is used to ???
+
+A client MUST implement it following the algorithm below:
+```golang
+personalDiscoveryTopic := "contact-discovery-" + hexEncode(publicKey)
+
+var hash []byte = keccak256(personalDiscoveryTopic)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+Each Status Client SHOULD listen to this topic in order to receive ??? -->
+
+<!-- NOTE: commented out as it is no longer valid as of V1. - C.P. Oct 8, 2019
+### Generic discovery topic
+
+Generic discovery topic is a legacy topic used to handle all one-to-one chats. The newer implementation should rely on [Partitioned Topic](#partitioned-topic) and [Personal discovery topic](#personal-discovery-topic).
+
+Generic discovery topic MUST be created following [Public chats](#public-chats) topic algorithm using string `contact-discovery` as a name. -->
+
+### Group chat topic
+
+Group chats does not have a dedicated topic.
+All group chat messages (including membership updates) are sent as one-to-one messages to multiple recipients.
+
+### Negotiated topic
+
+When a client sends a one to one message to another client, it MUST listen to their negotiated topic.
+This is computed by generating a diffie-hellman key exchange between two members
+and taking the first four bytes of the `SHA3-256` of the key generated.
+
+```golang
+
+sharedKey, err := ecies.ImportECDSA(myPrivateKey).GenerateShared(
+      ecies.ImportECDSAPublic(theirPublicKey),
+      16,
+      16,
+)
+
+
+hexEncodedKey := hex.EncodeToString(sharedKey)
+
+var hash []byte = keccak256(hexEncodedKey)
+var topicLen int = 4
+
+if len(hash) < topicLen {
+    topicLen = len(hash)
+}
+
+var topic [4]byte
+for i = 0; i < topicLen; i++ {
+    topic[i] = hash[i]
+}
+```
+
+A client SHOULD send to the negotiated topic only if it has received a message from all the devices included in the conversation.
+
+### Flow
+
+To exchange messages with client `B`, a client `A` SHOULD:
+
+* Listen to client's `B` Contact Code Topic to retrieve their bundle information, including a list of active devices
+* Send a message on client's `B` partitioned topic
+* Listen to the Negotiated Topic between `A` & `B`
+* Once client `A` receives a message from `B`, the Negotiated Topic SHOULD be used
+
+## Message encryption
+
+Even though, the protocol specifies an encryption layer that encrypts messages before passing them to the transport layer,
+Whisper protocol requires each Whisper message to be encrypted anyway.
+
+The node encrypts public and group messages using symmetric encryption, and creates the key from a channel name string.
+The implementation is available in [`shh_generateSymKeyFromPassword`](https://github.com/ethereum/go-ethereum/wiki/Whisper-v6-RPC-API#shh_generatesymkeyfrompassword) JSON-RPC method of go-ethereum Whisper implementation.
+
+The node encrypts one-to-one messages using asymmetric encryption.
+
+## Message confirmations
+
+Sending a message is a complex process where many things can go wrong.
+Message confirmations tell a node that a message originating from it has been seen by its direct peers.
+
+A node MAY send a message confirmation for any batch of messages received in a packet Messages Code (`0x01`).
+
+A node sends a message confirmation using Batch Acknowledge packet (`0x0b`) or Message Response packet (`0x0c`).
+
+The Batch Acknowledge packet is followed by a keccak256 hash of the envelopes batch data (raw bytes).
+
+The Message Response packet is more complex and is followed by a Versioned Message Response:
+
+```golang
+[ Version, Response]
+```
+
+`Version`: a version of the Message Response, equal to `1`,
+`Response`: `[ Hash, Errors ]` where `Hash` is a keccak256 hash of the envelopes batch data (raw bytes)
+for which the confirmation is sent and `Errors` is a list of envelope errors when processing the batch.
+A single error contains `[ Hash, Code, Description ]` where `Hash` is a hash of the processed envelope,
+`Code` is an error code and `Description` is a descriptive error message.
+
+The supported codes:
+`1`: means time sync error which happens when an envelope is too old
+or created in the future (the root cause is no time sync between nodes).
+
+The drawback of sending message confirmations is that it increases the noise in the network because for each sent message,
+one or more peers broadcast a corresponding confirmation.
+To limit that, both Batch Acknowledge packet (`0x0b`) and Message Response packet (`0x0c`) are not broadcast to peers of the peers,
+i.e. they do not follow epidemic spread.
+
+In the current Status network setup, only `Mailservers` support message confirmations.
+A client posting a message to the network and after receiving a confirmation can be sure that the message got processed by the `Mailserver`.
+If additionally, sending a message is limited to non-`Mailserver` peers,
+it also guarantees that the message got broadcast through the network and it reached the selected `Mailserver`.
+
+## Whisper / Waku bridging
+
+In order to maintain compatibility between Whisper and Waku nodes,
+a Status network that implements both Whisper and Waku messaging protocols
+MUST have at least one node that is capable of discovering peers and implements
+[Whisper v6](https://eips.ethereum.org/EIPS/eip-627),
+[Waku V0](/waku/deprecated/5/waku0.md) and
+[Waku V1](/waku/standards/legacy/6/waku1.md) specifications.
+
+Additionally, any Status network that implements both Whisper and Waku messaging protocols
+MUST implement bridging capabilities as detailed in
+[Waku V1#Bridging](/waku/standards/legacy/6/waku1.md#waku-whisper-bridging).  
+
+## Whisper V6 extensions
+
+### Request historic messages
+
+Sends a request for historic messages to a `Mailserver`.
+The `Mailserver` node MUST be a direct peer and MUST be marked as trusted (using `shh_markTrustedPeer`).
+
+The request does not wait for the response.
+It merely sends a peer-to-peer message to the `Mailserver`
+and it's up to `Mailserver` to process it and start sending historic messages.
+
+The drawback of this approach is that it is impossible to tell
+which historic messages are the result of which request.
+
+It's recommended to return messages from newest to oldest.
+To move further back in time, use `cursor` and `limit`.
+
+#### shhext_requestMessages
+
+**Parameters**:
+
+1. Object - The message request object:
+   * `mailServerPeer` - `String`: `Mailserver`'s enode address.
+   * `from` - `Number` (optional): Lower bound of time range as unix timestamp, default is 24 hours back from now.
+   * `to` - `Number` (optional): Upper bound of time range as unix timestamp, default is now.
+   * `limit` - `Number` (optional): Limit the number of messages sent back, default is no limit.
+   * `cursor` - `String` (optional): Used for paginated requests.
+   * `topics` - `Array`: hex-encoded message topics.
+   * `symKeyID` - `String`: an ID of a symmetric key used to authenticate with the `Mailserver`, derived from Mailserver password.
+
+**Returns**:
+`Boolean` - returns `true` if the request was sent.
+
+The above `topics` is then converted into a bloom filter and then and sent to the `Mailserver`.
+
+<!-- TODO: Clarify actual request with bloom filter to mailserver -->
+
+## Changelog
+
+### Version 0.3
+
+Released [May 22, 2020](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)
+
+* Added Whisper / Waku Bridging section
+* Change to keep `Mailserver` term consistent
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+* [Whisper](https://eips.ethereum.org/EIPS/eip-627)
+* [WHISPER-MAILSERVER](/status/deprecated/whisper-mailserver.md)
+* [SECURE-TRANSPORT](/status/deprecated/secure-transport.md)
+* [`shh_generateSymKeyFromPassword`](https://github.com/ethereum/go-ethereum/wiki/Whisper-v6-RPC-API#shh_generatesymkeyfrompassword)
+* [Whisper v6](https://eips.ethereum.org/EIPS/eip-627)
+* [Waku V0](/waku/deprecated/5/waku0.md)
+* [Waku V1](/waku/standards/legacy/6/waku1.md)
+* [May 22, 2020 change commit](https://github.com/status-im/specs/commit/664dd1c9df6ad409e4c007fefc8c8945b8d324e8)

status/raw/simple-scaling.md

@@ -1,6 +1,5 @@
 ---
-slug: 57
-title: 57/STATUS-Simple-Scaling
+title: STATUS-SIMPLE-SCALING
 name: Status Simple Scaling
 status: raw
 category: Informational
@@ -13,48 +12,68 @@ contributors:
 
 ## Abstract
 
-This document describes how to scale [56/STATUS-COMMUNITIES](../56/communities.md) as well as [55/STATUS-1TO1-CHAT](../55/1to1-chat.md)
+This document describes how to scale
+[56/STATUS-COMMUNITIES](../56/communities.md) as well as [55/STATUS-1TO1-CHAT](../55/1to1-chat.md)
 using Waku v2 protocol and components.
-It also adds a few new aspects, where more sophisticated components are not yet researched and evaluated.
+It also adds a few new aspects,
+where more sophisticated components are not yet researched and evaluated.
 
-> *Note:* (Parts of) this RFC will be deprecated in the future as we continue research to scale specific components
-in a way that aligns better with our principles of decentralization and protecting anonymity.
-This document informs about scaling at the current stage of research and shows it is practically possible.
+> *Note:* (Parts of) this RFC will be deprecated in the future
+as we continue research to scale specific components
+in a way that aligns better with our principles of decentralization and
+protecting anonymity.
+This document informs about scaling at the current stage of research and
+shows it is practically possible.
 Practical feasibility is also a core goal for us.
-We believe in incremental improvement, i.e. having a working decentralized scaling solution with trade-offs is better than a fully centralized solution.
+We believe in incremental improvement, i.e.
+having a working decentralized scaling solution with trade-offs
+is better than a fully centralized solution.
 
 ## Background and Motivation
 
-[56/STATUS-COMMUNITIES](../56/communities.md) as well as [55/STATUS-1TO1-CHAT](../55/1to1-chat.md) use Waku v2 protocols.
-Both use Waku content topics (see [23/WAKU2-TOPICS](../../waku/informational/23/topics.md)) for content based filtering.
+[56/STATUS-COMMUNITIES](../56/communities.md) as well as
+[55/STATUS-1TO1-CHAT](../55/1to1-chat.md) use Waku v2 protocols.
+Both use Waku content topics
+(see [23/WAKU2-TOPICS](../../waku/informational/23/topics.md))
+for content based filtering.
 
 Waku v2 currently has scaling limitations in two dimensions:
 
-1) Messages that are part of a specific content topic have to be disseminated in a single mesh network (i.e. pubsub topic).
+1) Messages that are part of a specific content topic
+have to be disseminated in a single mesh network (i.e. pubsub topic).
 This limits scaling the number of messages disseminated in a specific content topic,
 and by extension, the number of active nodes that are part of this content topic.
 
-2) Scaling a large set of content topics requires distributing these over several mesh networks (which this document refers to as pubsub topic shards).
+2) Scaling a large set of content topics requires distributing these over several
+mesh networks (which this document refers to as pubsub topic shards).
 
 This document focuses on the second scaling dimension.
 With the scaling solutions discussed in this document,
-each content topics can have a large set of active users, but still has to fit in a single pubsub mesh.
+each content topics can have a large set of active users,
+but still has to fit in a single pubsub mesh.
 
 > *Note:* While it is possible to use the same content topic name on several shards,
-each node that is interested in this content topic has to be subscribed to all respective shards, which does not scale.
-Splitting content topics in a more sophisticated and efficient way will be part of a future document.
+each node that is interested in this content topic
+has to be subscribed to all respective shards, which does not scale.
+Splitting content topics in a more sophisticated and
+efficient way will be part of a future document.
 
 ## Relay Shards
 
-Sharding the [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md) network is an integral part of scaling the Status app.
+Sharding the [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md)
+network is an integral part of scaling the Status app.
 
-[51/WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md) specifies shards clusters, which are sets of `1024` shards (separate pubsub mesh networks).
+[WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)
+specifies shards clusters, which are sets of `1024` shards
+(separate pubsub mesh networks).
 Content topics specified by application protocols can be distributed over these shards.
 The Status app protocols are assigned to shard cluster `16`,
-as defined in [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/waku-RFC/informational/relay-static-shard-alloc.md).
+as defined in [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/master/informational/relay-static-shard-alloc.md).
 
-[WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md) specifies three sharding methods.
-This document uses *static sharding*, which leaves the distribution of content topics to application protocols,
+[WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)
+specifies three sharding methods.
+This document uses *static sharding*,
+which leaves the distribution of content topics to application protocols,
 but takes care of shard discovery.
 
 The 1024 shards within the main Status shard cluster are allocated as follows.
@@ -69,7 +88,7 @@ The 1024 shards within the main Status shard cluster are allocated as follows.
 |    768 - 895  |   1:1 chat                       |
 |   896 - 1023  |   media and control msgs         |
 
-Shard indices are mapped to pubsub topic names as follows (specified in [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md)).
+Shard indices are mapped to pubsub topic names as follows (specified in [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)).
 
 `/waku/2/rs/<cluster_id>/<shard_number>`
 
@@ -77,24 +96,27 @@ an example for the shard with index `18` in the Status shard cluster:
 
 `/waku/2/rs/16/18`
 
-In other words, the mesh network with the pubsub topic name `/waku/2/rs/16/18` carries messages associated with shard `18` in the Status shard cluster.
+In other words, the mesh network with the pubsub topic name `/waku/2/rs/16/18`,
+carries messages associated with shard `18` in the Status shard cluster.
 
 #### Implementation Suggestion
 
-The Waku implementation should offer an interface that allows Status nodes to subscribe to Status specific content topics like
+The Waku implementation should offer an interface that
+allows Status nodes to subscribe to Status specific content topics like
 
-```
+```yaml
 subscribe("/status/xyz", 16, 18)
 ```
 
 The shard cluster index `16` can be kept in the Status app configuration,
 so that Status nodes can simply use
 
-```
+```yaml
 subscribe("/status/xyz", 18)
 ```
 
-which means: connect to the `"status/xyz"` content topic on shard `18` within the Status shard cluster.
+which means: connect to the `"status/xyz"` content topic on shard `18`
+within the Status shard cluster.
 
 ### Status Communities
 
@@ -132,34 +154,40 @@ message CommunityDescription {
 }
 ```
 
-> *Note*: Currently, Status app has allocated shared cluster `16` in [52/WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/waku-RFC/informational/relay-static-shard-alloc.md).
+> *Note*: Currently, Status app has allocated shared cluster `16` in [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/master/informational/relay-static-shard-alloc.md).
 Status app could allocate more shard clusters, for instance to establish a test net.
 We could add the shard cluster index to the community description as well.
-The recommendation for now is to keep it as a configuration option of the Status app.
-
-> *Note*: Once this RFC moves forward, the new community description protobuf fields should be mentioned in [56/STATUS-COMMUNITIES](../56/communities.md).
+The recommendation for now,
+is to keep it as a configuration option of the Status app.
+> *Note*: Once this RFC moves forward,
+the new community description protobuf fields should be mentioned in [56/STATUS-COMMUNITIES](../56/communities.md).
 
 Status communities can be mapped to shards in two ways: static, and owner-based.
 
 #### Static Mapping
 
-With static mapping, communities are assigned a specific shard index within the Status shard cluster.
-This mapping is similar in nature to the shard cluster allocation in [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/waku-RFC/informational/relay-static-shard-alloc.md).
+With static mapping,
+communities are assigned a specific shard index within the Status shard cluster.
+This mapping is similar in nature to the shard cluster allocation in [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/master/informational/relay-static-shard-alloc.md).
 Shard indices allocated in that way are in the range `16 - 127`.
-The Status CC community uses index `16` (not to confuse with shard cluster index `16`, which is the Status shard cluster).
+The Status CC community uses index `16`
+(not to confuse with shard cluster index `16`, which is the Status shard cluster).
 
 #### Owner Mapping
 
 > *Note*: This way of mapping will be specified post-MVP.
 
-Community owners can choose to map their communities to any shard within the index range `128 - 767`.
+Community owners can choose to map their communities to any shard within
+the index range `128 - 767`.
 
 ### 1:1 Chat
 
-[55/STATUS-1TO1-CHAT](../55/1to1-chat.md) uses partitioned topics to map 1:1 chats to a set of 5000 content topics.
-This document extends this mapping to 8192 content topics that are, in turn, mapped to 128 shards in the index range of `768 - 895`.
+[55/STATUS-1TO1-CHAT](../55/1to1-chat.md)
+uses partitioned topics to map 1:1 chats to a set of 5000 content topics.
+This document extends this mapping to 8192 content topics that are, in turn,
+mapped to 128 shards in the index range of `768 - 895`.
 
-```
+```js
 contentPartitionsNum = 8192
 contentPartition = mod(publicKey, contentPartitionsNum)
 partitionContentTopic = "contact-discovery-" + contentPartition
@@ -175,74 +203,94 @@ shardIndex = 768 + mod(publicKey, shardNum)
 
 As described in [30/ADAPTIVE-NODES](../../waku/informational/30/adaptive-nodes.md),
 Waku supports a continuum of node types with respect to available resources.
-Infrastructure nodes are powerful nodes that have a high bandwidth connection and a high up-time.
+Infrastructure nodes are powerful nodes that have a high bandwidth connection and
+a high up-time.
 
 This document, which informs about simple ways of scaling Status over Waku,
 assumes the presence of a set of such infrastructure nodes in each shard.
-Infrastructure nodes are especially important for providing connectivity in the roll-out phase.
+Infrastructure nodes are especially important for
+providing connectivity in the roll-out phase.
 
-Infrastructure nodes are not limited to Status fleets, or nodes run by community owners.
+Infrastructure nodes are not limited to Status fleets, or
+nodes run by community owners.
 Anybody can run infrastructure nodes.
 
 ### Statically-Mapped Communities
 
-Infrastructure nodes are provided by the community owner, or by members of the respective community.
+Infrastructure nodes are provided by the community owner,
+or by members of the respective community.
 
 ### Owner-Mapped Communities
 
 Infrastructure nodes are part of a subset of the shards in the range `128 - 767`.
-Recommendations on choosing this subset will be added in a future version of this document.
+Recommendations on choosing this subset will be added
+in a future version of this document.
 
 Status fleet nodes make up a part of these infrastructure nodes.
 
 ### 1:1 chat
 
-Infrastructure nodes are part of a subset of the shards in the range `768 - 985` (similar to owner-mapped communities).
-Recommendations on choosing this subset will be added in a future version of this document.
+Infrastructure nodes are part of a subset of the shards in the range `768 - 985`
+(similar to owner-mapped communities).
+Recommendations on choosing this subset will be added
+in a future version of this document.
 
 Desktop clients can choose to only use filter and lightpush.
 
 > *Note*: Discussion: I'd suggest to set this as the default for the MVP.
-The load on infrastructure nodes would not be higher, because they have to receive and relay each message anyways.
+The load on infrastructure nodes would not be higher, because
+they have to receive and relay each message anyways.
 This comes as a trade-off to anonymity and decentralization,
 but can significantly improve scaling.
-We still have k-anonymity because several chat pairs are mapped into one content topic.
-We could improve on this in the future, and research the applicability of PIR (private information retrieval) techniques in the future.
+We still have k-anonymity because
+several chat pairs are mapped into one content topic.
+We could improve on this in the future, and research the applicability of PIR
+(private information retrieval) techniques in the future.
 
 ## Infrastructure Shards
 
-Waku messages are typically relayed in larger mesh networks comprised of nodes with varying resource profiles (see [30/ADAPTIVE-NODES](../../waku/informational/30/adaptive-nodes.md).
-To maximise scaling, relaying of specific message types can be dedicated to shards where only infrastructure nodes with very strong resource profiles relay messages.
+Waku messages are typically relayed in larger mesh networks
+comprised of nodes with varying resource profiles
+(see [30/ADAPTIVE-NODES](../../waku/informational/30/adaptive-nodes.md)).
+To maximise scaling, relaying of specific message types can be dedicated to shards
+where only infrastructure nodes with very strong resource profiles relay messages.
 This comes as a trade-off to decentralization.
 
 ## Control Message Shards
 
 To get the maximum scaling for select large communities for the Status scaling MVP,
-specific control messages that cause significant load (at a high user number) SHOULD be moved to a separate control message shard.
+specific control messages that cause significant load
+(at a high user number) SHOULD be moved to a separate control message shard.
 These control messages comprise:
 
 * community description
-* membership update 
+* membership update
 * backup
 * community request to join response
 * sync profile picture
 
-The relay functionality of control messages shards SHOULD be provided by infrastructure nodes.
+The relay functionality of control messages shards SHOULD
+be provided by infrastructure nodes.
 Desktop clients should use light protocols as the default for control message shards.
 Strong Desktop clients MAY opt in to support the relay network.
 
-Each large community (in the index range of `16 - 127`) can get its dedicated control message shard (in the index range `896 - 1023`) if deemed necessary.
+Each large community (in the index range of `16 - 127`)
+can get its dedicated control message shard
+(in the index range `896 - 1023`) if deemed necessary.
 The Status CC community uses shard `896` as its control message shard.
-This comes with trade-offs to decentralization and anonymity (see *Security Considerations* section).
+This comes with trade-offs to decentralization and anonymity
+(see *Security Considerations* section).
 
 ## Media Shards
 
-Similar to control messages, media-heavy communities should use separate media shards (in the index range `896 - 1023`) for disseminating messages with large media data.
+Similar to control messages, media-heavy communities should use separate media shards
+(in the index range `896 - 1023`) for disseminating messages with large media data.
 The Status CC community uses shard `897` as its media shard.
 
 ## Infrastructure-focused Community
 
-Large communities MAY choose to mainly rely on infrastructure nodes for *all* message transfers (not limited to control, and media messages).
+Large communities MAY choose to mainly rely on infrastructure nodes
+for *all* message transfers (not limited to control, and media messages).
 Desktop clients of such communities should use light protocols as the default.
 Strong Desktop clients MAY opt in to support the relay network.
 
@@ -254,24 +302,29 @@ Light protocols may be used to save bandwidth,
 at the (global) cost of not contributing to the network.
 Using light protocols is RECOMMENDED for resource restricted nodes,
 e.g. browsers,
-and devices that (temporarily) have a low bandwidth connection or a connection with usage-based billing.
+and devices that (temporarily)
+have a low bandwidth connection or a connection with usage-based billing.
 
 Light protocols comprise
 
 * [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md) for sending messages
-* [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md) for requesting messages with specific attributes
-* [WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/peer-exchange/peer-exchange.md) for discovering peers
+* [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md)
+for requesting messages with specific attributes
+* [WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/master/standards/core/peer-exchange.md)
+for discovering peers
 
 ## Waku Archive
 
-Archive nodes are Waku nodes that offer the Waku archive service via the Waku store protocol ([13/WAKU2-STORE](../../waku/standards/core/13/store.md)).
+Archive nodes are Waku nodes that offer the Waku archive service via
+the Waku store protocol ([13/WAKU2-STORE](../../waku/standards/core/13/store.md)).
 They are part of a set of shards and store all messages disseminated in these shards.
 Nodes can request history messages via the [13/WAKU2-STORE](../../waku/standards/core/13/store.md).
 
 The store service is not limited to a Status fleet.
 Anybody can run a Waku Archive node in the Status shards.
 
-> *Note*: There is no specification for discovering archive nodes associated with specific shards yet.
+> *Note*: There is no specification for discovering archive nodes
+associated with specific shards yet.
 Nodes expect archive nodes to store all messages, regardless of shard association.
 
 The recommendation for the allocation of archive nodes to shards is similar to the
@@ -280,35 +333,46 @@ In fact, the archive service can be offered by infrastructure nodes.
 
 ## Discovery
 
-Shard discovery is covered by [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md).
-This allows the Status app to abstract from the discovery process and simply address shards by their index.
+Shard discovery is covered by [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md).
+This allows the Status app to abstract from the discovery process and
+simply address shards by their index.
 
 ### Libp2p Rendezvous and Circuit-Relay
 
 To make nodes behind restrictive NATs discoverable,
 this document suggests using [libp2p rendezvous](https://github.com/libp2p/specs/blob/master/rendezvous/README.md).
-Nodes can check whether they are behind a restrictive NAT using the [libp2p AutoNAT protocol](https://github.com/libp2p/specs/blob/master/autonat/README.md).
+Nodes can check whether they are behind a restrictive NAT using the
+[libp2p AutoNAT protocol](https://github.com/libp2p/specs/blob/master/autonat/README.md).
 
-> *Note:* The following will move into [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md), or [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md):
-Nodes behind restrictive NATs SHOULD not announce their publicly unreachable address via [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md) discovery.
+> *Note:* The following will move into [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md),
+or [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md):
+Nodes behind restrictive NATs SHOULD not announce their publicly unreachable address
+via [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md) discovery.
 
-It is RECOMMENDED that nodes that are part of the relay network also act as rendezvous points.
-This includes accepting register queries from peers, as well as answering rendezvous discover queries.
+It is RECOMMENDED that nodes that are part of the relay network also
+act as rendezvous points.
+This includes accepting register queries from peers,
+as well as answering rendezvous discover queries.
 Nodes MAY opt-out of the rendezvous functionality.
 
-To allow nodes to initiate connections to peers behind restrictive NATs (after discovery via rendezvous),
+To allow nodes to initiate connections to peers behind restrictive NATs
+(after discovery via rendezvous),
 it is RECOMMENDED that nodes that are part of the Waku relay network also offer
-[libp2p circuit relay](https://github.com/libp2p/specs/blob/6634ca7abb2f955645243d48d1cd2fd02a8e8880/relay/circuit-v2.md) functionality.
+[libp2p circuit relay](https://github.com/libp2p/specs/blob/6634ca7abb2f955645243d48d1cd2fd02a8e8880/relay/circuit-v2.md)
+functionality.
 
 To minimize the load on circuit-relay nodes, nodes SHOULD
 
 1) make use of the [limiting](https://github.com/libp2p/specs/blob/6634ca7abb2f955645243d48d1cd2fd02a8e8880/relay/circuit-v2.md#reservation)
 functionality offered by the libp2p circuit relay protocols, and
-2) use [DCUtR](https://github.com/libp2p/specs/blob/master/relay/DCUtR.md) to upgrade to a direct connection.
+2) use [DCUtR](https://github.com/libp2p/specs/blob/master/relay/DCUtR.md)
+to upgrade to a direct connection.
 
 Nodes that do not announce themselves at all and only plan to use light protocols,
-MAY use rendezvous discovery instead of or along-side [WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/peer-exchange/peer-exchange.md).
-For these nodes, rendezvous and [WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/peer-exchange/peer-exchange.md) offer the same functionality,
+MAY use rendezvous discovery instead of or along-side [WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/master/standards/core/peer-exchange.md).
+For these nodes, rendezvous and
+[WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/master/standards/core/peer-exchange.md)
+offer the same functionality,
 but return node sets sampled in different ways.
 Using both can help increasing connectivity.
 
@@ -321,116 +385,187 @@ Such nodes SHOULD, however, not register at circuit relays.
 Registering a namespace via [lib-p2p rendezvous](https://github.com/libp2p/specs/blob/master/rendezvous/README.md#interaction)
 is done via a register query:
 
-```
+```rs
 REGISTER{my-app, {QmA, AddrA}}
 ```
 
-The app name, `my-app` is used to encode a single shard in the form:
+The app name, `my-app` contains the encoding of a single shard in string form:
 
-```
-<rs (utf8 encoded)> | <2-byte shard cluster index> | <2-byte shard index>
+```rs
+"rs/"| to_string(<2-byte shard cluster index>) | "/" | to_string(<2-byte shard index>)
 ```
 
-Registering shard 2 in the Status shard cluster (with shard cluster index 16, see [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/waku-RFC/informational/relay-static-shard-alloc.md),
+The string conversion SHOULD remove leading zeros.
+
+> *Note:* Since the [ns](https://github.com/libp2p/specs/blob/master/rendezvous/README.md#protobuf)
+field is of type string, a more efficient byte encoding is not utilized.
+
+Registering shard 2 in the Status shard cluster (with shard cluster index 16,
+see [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/master/informational/relay-static-shard-alloc.md),
 the register query would look like
 
-```
-REGISTER{0x727300100002, {QmA, AddrA}}
+```rs
+REGISTER{"rs/16/2", {QmA, AddrA}}
 ```
 
-Participation in further shards is registered with further queries; one register query per shard.
-(0x7273 is the encoding of `rs`.)
+Participation in further shards is registered with further queries;
+one register query per shard.
 
 A discovery query for nodes that are part of this shard would look like
 
-```
-DISCOVER{ns: 0x727300100002}
+```rs
+DISCOVER{ns: "rs/16/2"}
 ```
 
 ## DoS Protection
 
-Hereunder we describe the "opt-in message signing for DoS prevention" solution, designed *ad hoc* for Status MVP.
+Hereunder we describe the "opt-in message signing for DoS prevention" solution,
+designed *ad hoc* for Status MVP.
 
-Since publishing messages to pubsub topics has no limits, anyone can publish messages at a very high rate and DoS the network.
-This would elevate the bandwidth consumption of all nodes subscribed to said pubsub topic, making it prohibitive (in terms of bandwidth) to be subscribed to it.
-In order to scale, we need some mechanism to prevent this from happening, otherwise all scaling efforts will be in vain.
-Since RLN is not ready yet, hereunder we describe a simpler approach designed *ad hoc* for Status use case, feasible to implement for the MVP and that validates some of the ideas that will evolve to solutions such as RLN.
+Since publishing messages to pubsub topics has no limits,
+anyone can publish messages at a very high rate and DoS the network.
+This would elevate the bandwidth consumption of all nodes subscribed
+to said pubsub topic, making it prohibitive (in terms of bandwidth)
+to be subscribed to it.
+In order to scale, we need some mechanism to prevent this from happening,
+otherwise all scaling efforts will be in vain.
+Since RLN is not ready yet,
+hereunder we describe a simpler approach designed *ad hoc* for Status use case,
+feasible to implement for the MVP and
+that validates some of the ideas that will evolve to solutions such as RLN.
 
-With this approach, certain pubsub topics can be optionally configured to only accept messages signed with a given key, that only trusted entities know.
-This key can be pre-shared among a set of participants, that are trusted to make fair usage of the network, publishing messages at a reasonable rate/size.
-Note that this key can be shared/reused among multiple participants, and only one key is whitelisted per pubsub topic.
-This is an opt-in solution that operators can choose to deploy in their shards (i.e. pubsub topics), but it's not enforced in the default one.
-Operators can freely choose how they want to generate, and distribute the public keys. It's also their responsibility to handle the private key, sharing it with only trusted parties and keeping proper custody of it.
+With this approach, certain pubsub topics can be optionally configured
+to only accept messages signed with a given key,
+that only trusted entities know.
+This key can be pre-shared among a set of participants,
+that are trusted to make fair usage of the network,
+publishing messages at a reasonable rate/size.
+Note that this key can be shared/reused among multiple participants, and
+only one key is whitelisted per pubsub topic.
+This is an opt-in solution that operators can choose to deploy in their shards
+(i.e. pubsub topics), but it's not enforced in the default one.
+Operators can freely choose how they want to generate, and
+distribute the public keys.
+It's also their responsibility to handle the private key,
+sharing it with only trusted parties and keeping proper custody of it.
 
 The following concepts are introduced:
-* `private-key-topic`: A private key of 32 bytes, that allows the holder to sign messages and it's mapped to a `protected-pubsub-topic`.
-* `app-message-hash`: Application `WakuMessage` hash, calculated as `sha256(concat(pubsubTopic, payload, contentTopic))` with all elements in bytes.
-* `message-signature`: ECDSA signature of `application-message-hash` using a given `private-key-topic`, 64 bytes.
+
+* `private-key-topic`: A private key of 32 bytes,
+that allows the holder to sign messages and it's mapped to a `protected-pubsub-topic`.
+* `app-message-hash`: Application `WakuMessage` hash,
+calculated as `sha256(concat(pubsubTopic, payload, contentTopic, timestamp, ephemeral))`
+ with all elements in bytes.
+* `message-signature`: ECDSA signature of `application-message-hash`
+using a given `private-key-topic`, 64 bytes.
 * `public-key-topic`: The equivalent public key of `private-key-topic`.
-* `protected-pubsub-topic`: Pubsub topic that only accepts messages that were signed with `private-key-topic`, where `verify(message-signature, app-message-hash, public-key-topic)` is only correct if the `message-signature` was produced by `private-key-topic`. See ECDSA signature verification algorithm.
+* `protected-pubsub-topic`: Pubsub topic that only accepts messages
+ that were signed with `private-key-topic`,
+where `verify(message-signature, app-message-hash, public-key-topic)`
+is only correct if the `message-signature` was produced by `private-key-topic`.
+See ECDSA signature verification algorithm.
 
 This solution introduces two roles:
-* Publisher: A node that knows the `private-key-topic` associated to `public-key-topic`, that can publish messages with a valid `message-signature` that are accepted and relayed by the nodes implementing this feature.
-* Relayer: A node that knows the `public-key-topic`, which can be used to verify if the messages were signed with the equivalent `private-key-topic`. It allows distinguishing valid from invalid messages which protect the node against DoS attacks, assuming that the users of the key send messages of a reasonable size and rate. Note that a node can validate messages and relay them or not without knowing the private key.
+
+* Publisher: A node that knows the `private-key-topic` associated to `public-key-topic`,
+that can publish messages with a valid `message-signature` that are accepted and
+relayed by the nodes implementing this feature.
+* Relayer: A node that knows the `public-key-topic`,
+which can be used to verify if the messages were signed with the equivalent `private-key-topic`.
+It allows distinguishing valid from invalid messages
+which protect the node against DoS attacks,
+assuming that the users of the key send messages of a reasonable size and rate.
+Note that a node can validate messages and
+relay them or not without knowing the private key.
 
 ### Design requirements (publisher)
 
-A publisher that wants to send messages that are relayed in the network for a given `protected-pubsub-topic` shall:
-* be able to sign messages with the `private-key-topic` configured for that topic, producing a ECDSA signature of 64 bytes using deterministic signing complying with RFC 6979.
-* include the signature of the `app-message-hash` (`message-signature`) that wishes to send in the `WakuMessage` `meta` field.
+A publisher that wants to send messages
+that are relayed in the network for a given `protected-pubsub-topic` shall:
 
-The `app-message-hash` of the message shall be calculated as the `sha256` hash of the following fields of the message:
+* be able to sign messages with the `private-key-topic` configured for that topic,
+producing a ECDSA signature of 64 bytes using
+deterministic signing complying with RFC 6979.
+* include the signature of the `app-message-hash` (`message-signature`)
+that wishes to send in the `WakuMessage` `meta` field.
 
-```
+The `app-message-hash` of the message shall be calculated as the `sha256` hash
+of the following fields of the message:
+
+```rs
 sha256(concat(pubsubTopic, payload, contentTopic, timestamp, ephemeral))
 ```
 
-Where fields are serialized into bytes using little-endian. Note that `ephemeral` is a boolean that is serialized to `0` if `false` and `1` if `true`.
+Where fields are serialized into bytes using little-endian.
+Note that `ephemeral` is a boolean that is serialized to `0` if `false` and
+`1` if `true`.
 
 ### Design requirements (relay)
 
 Requirements for the relay are listed below:
 
-* A valid `protected-pubsub-topic` shall be configured with a `public-key-topic`, (derived from a `private-key-topic`). Note that the relay does not need to know the private key.
-For simplicity, there is just one key per topic. Since this approach has clear privacy implications, this configuration is not part of the waku protocol, but of the application.
+* A valid `protected-pubsub-topic` shall be configured with a `public-key-topic`,
+(derived from a `private-key-topic`).
+ Note that the relay does not need to know the private key.
+For simplicity, there is just one key per topic.
+Since this approach has clear privacy implications,
+this configuration is not part of the waku protocol, but of the application.
 
 Requirements on the gossipsub validator:
-* Relay nodes should use the existing gossipsub validators that allow to `Accept` or `Reject` messages, according to the following criteria:
+
+* Relay nodes should use the existing gossipsub validators that allow to `Accept`
+or `Reject` messages, according to the following criteria:
 * If `timestamp` is not set (equals to 0) then `Reject` the message.
-* If the `timestamp` is `abs(current_timestamp-timestamp) > MessageWindowInSec` then `Reject` the message.
+* If the `timestamp` is `abs(current_timestamp-timestamp) > MessageWindowInSec`
+then `Reject` the message.
 * If `meta` is empty, `Reject` the message.
 * If `meta` exists but its size is different than 64 bytes, `Reject` the message.
-* If `meta` does not successfully verifies according to the ECDSA signature verification algorithm using `public-key-topic` and `app-message-hash`, then `Reject` the message.
+* If `meta` does not successfully verifies according to the ECDSA signature
+verification algorithm using `public-key-topic` and `app-message-hash`,
+then `Reject` the message.
 * If and only if all above conditions are met then `Accept` the message.
 
 Other requirements:
-* The node shall keep metrics on the messages validation output, `Accept` or `Reject`.
-* (Optional). To further strengthen DoS protection, gossipsub [scoring](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#extended-validators) can be used to trigger disconnections from peers sending multiple invalid messages. See `P4` penalty.
-This protects each peer from DoS, since this score is used to trigger disconnections from nodes attempting to DoS them.
 
+* The node shall keep metrics on the messages validation output,
+`Accept` or `Reject`.
+* (Optional). To further strengthen DoS protection,
+gossipsub [scoring](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#extended-validators)
+can be used to trigger disconnections from peers sending multiple invalid messages.
+See `P4` penalty.
+This protects each peer from DoS,
+since this score is used to trigger disconnections from nodes attempting to DoS them.
 
 ### Required changes
 
-This solution is designed to be backward compatible so that nodes validating messages can coexist in the same topic with other nodes that don't perform validation. But note that only nodes that perform message validation will be protected against DoS. Nodes wishing to opt-in this DoS protection feature shall:
-* Generate a `private-key-topic` and distribute it to a curated list of users, that are trusted to send messages at a reasonable rate.
-* Redeploy the nodes, adding a new configuration where a `protected-pubsub-topic` is configured with a `public-key-topic`, used to verify the messages being relayed.
+This solution is designed to be backward compatible so
+that nodes validating messages can coexist in the same topic
+with other nodes that don't perform validation.
+But note that only nodes that perform message validation
+will be protected against DoS.
+Nodes wishing to opt-in this DoS protection feature shall:
 
+* Generate a `private-key-topic` and distribute it to a curated list of users,
+that are trusted to send messages at a reasonable rate.
+* Redeploy the nodes, adding a new configuration
+where a `protected-pubsub-topic` is configured with a `public-key-topic`,
+used to verify the messages being relayed.
 
 ### Test vectors
 
-Relay nodes complying with this specification shall accept the following message in the configured pubsub topic.
+Relay nodes complying with this specification
+shall accept the following message in the configured pubsub topic.
 
 Given the following key pair:
 
-```
+```js
 private-key-topic = 5526a8990317c9b7b58d07843d270f9cd1d9aaee129294c1c478abf7261dd9e6
 public-key-topic = 049c5fac802da41e07e6cdf51c3b9a6351ad5e65921527f2df5b7d59fd9b56ab02bab736cdcfc37f25095e78127500da371947217a8cd5186ab890ea866211c3f6
 ```
 
-
 And the following message to send:
 
-```
+```js
 protected-pubsub-topic = pubsub-topic
 contentTopic = content-topic
 payload = 1A12E077D0E89F9CAC11FBBB6A676C86120B5AD3E248B1F180E98F15EE43D2DFCF62F00C92737B2FF6F59B3ABA02773314B991C41DC19ADB0AD8C17C8E26757B
@@ -440,19 +575,22 @@ ephemeral = true
 
 The message hash and meta (aka signature) are calculated as follows.
 
-```
+```js
 app-message-hash = 662F8C20A335F170BD60ABC1F02AD66F0C6A6EE285DA2A53C95259E7937C0AE9
 message.meta = 127FA211B2514F0E974A055392946DC1A14052182A6ABEFB8A6CD7C51DA1BF2E40595D28EF1A9488797C297EED3AAC45430005FB3A7F037BDD9FC4BD99F59E63
 ```
 
-Using `message.meta`, the relay node shall calculate the `app-message-hash` of the received message using `public-key-topic`, and with the values above, the signature should be verified, making the node `Accept` the message and relaying it to other nodes in the network.
+Using `message.meta`, the relay node shall calculate the `app-message-hash`
+of the received message using `public-key-topic`,
+and with the values above, the signature should be verified,
+making the node `Accept` the message and relaying it to other nodes in the network.
 
-## Owner-Mapped Communities
+## Owner Mapped Communities
 
 Basic idea:
 Tokenized load.
 
-### 1:1 Chat
+### 1 to 1 Chat
 
 An idea we plan to explore in the future:
 Map 1:1 chats to community shards, if both A and B are part of the respective community.
@@ -463,7 +601,8 @@ It could be rate-limited with RLN.
 
 This document makes several trade-offs to privacy and anonymity.
 Todo: elaborate.
-See [WAKU2-ADVERSARIAL-MODELS](https://github.com/waku-org/specs/blob/waku-RFC/informational/adversarial-models.md) for information on Waku Anonymity.
+See [WAKU2-ADVERSARIAL-MODELS](https://github.com/waku-org/specs/blob/master/informational/adversarial-models.md)
+for information on Waku Anonymity.
 
 ## Copyright
 
@@ -472,15 +611,15 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
 ## References
 
 * [56/STATUS-COMMUNITIES](../56/communities.md)
-* [55/STATUS-1TO1-CHAT](.../55/1to1-chat.md)
-* [23/WAKU2-TOPICS](../../waku/informational/23/)
+* [55/STATUS-1TO1-CHAT](../55/1to1-chat.md)
+* [23/WAKU2-TOPICS](../../waku/informational/23/topics.md)
 * [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md)
-* [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md)
-* [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/waku-RFC/informational/relay-static-shard-alloc.md)
+* [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)
+* [WAKU2-RELAY-STATIC-SHARD-ALLOC](https://github.com/waku-org/specs/blob/master/informational/relay-static-shard-alloc.md)
 * [30/ADAPTIVE-NODES](../../waku/informational/30/adaptive-nodes.md)
 * [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md)
 * [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md)
-* [WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/peer-exchange/peer-exchange.md)
+* [WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/master/standards/core/peer-exchange.md)
 * [13/WAKU2-STORE](../../waku/standards/core/13/store.md)
 * [libp2p rendezvous](https://github.com/libp2p/specs/blob/master/rendezvous/README.md)
 * [libp2p AutoNAT protocol](https://github.com/libp2p/specs/blob/master/autonat/README.md)
@@ -490,8 +629,9 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
 * [DCUtR](https://github.com/libp2p/specs/blob/master/relay/DCUtR.md)
 * [scoring](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#extended-validators)
 * [Circuit Relay](https://docs.libp2p.io/concepts/nat/circuit-relay/)
-* [WAKU2-ADVERSARIAL-MODELS](https://github.com/waku-org/specs/blob/waku-RFC/informational/adversarial-models.md)
+* [WAKU2-ADVERSARIAL-MODELS](https://github.com/waku-org/specs/blob/master/informational/adversarial-models.md)
 
 ## Informative
+
 * [Circuit Relay](https://docs.libp2p.io/concepts/nat/circuit-relay/)
-* [WAKU2-ENR](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/enr.md)
+* [WAKU2-ENR](https://github.com/waku-org/specs/blob/master/standards/core/enr.md)

status/raw/status-app-protocols.md

@@ -0,0 +1,415 @@
+---
+title: STATUS-PROTOCOLS
+name: Status Protocol Stack
+status: raw
+category: Standards Track
+description: Specifies the Status application protocol stack.
+editor: Hanno Cornelius <hanno@status.im>
+contributors: 
+- Jimmy Debe <jimmy@status.im>
+- Aaryamann Challani <p1ge0nh8er@proton.me>
+
+---
+
+## Abstract
+
+This specification describes the Status Application protocol stack.
+It focuses on elements and features in the protocol stack for all application-level functions:
+
+- functional scope (also _broadcast audience_)
+- content topic
+- ephemerality
+- end-to-end reliability layer
+- encryption layer
+- transport layer (Waku)
+
+It also introduces strategies to restrict resource usage, distribute large messages, etc.
+Application-level functions are out of scope and specified separately. See:
+
+- [55/STATUS-1TO1-CHAT](../55/1to1-chat.md)
+- [56/STATUS-COMMUNITIES](../56/communities.md)
+
+## Status protocol stack
+
+The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
+“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and
+“OPTIONAL” in this document are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+See the simplified diagram of the Status application protocol stack:
+
+|  |
+|---|
+| Status application layer  |
+| End-to-end reliability layer  |
+| Encryption layer |
+| Transport layer (Waku) |
+| |
+
+## Status application layer
+
+Application level functions are defined in the _application_ layer.
+Status currently defines functionality to support three main application features:
+
+- Status Communities, as specified in [56/STATUS-COMMUNITIES](../56/communities.md)
+- Status 1:1 Chat, as specified in [55/STATUS-1TO1-CHAT](../55/1to1-chat.md)
+- Status Private Group Chat, as specified in a subsection of [55/STATUS-1TO1-CHAT](../55/1to1-chat.md#negotiation-of-a-11-chat-amongst-multiple-participants-group-chat)
+
+<!-- TODO: list functions not related to main app features, such as user sync, backup, push notifications, etc. -->
+
+Each application-level function, regardless which feature set it supports, has the following properties:
+
+1. Functional scope
+2. Content topic
+3. Ephemerality
+
+### Functional Scope
+
+Each Status app-level message MUST define a functional scope.
+The functional scope MUST define the _minimum_ scope of the audience that should _participate_ in the app function the message is related to.
+In other words, it determines the minimum subset of Status app participants
+that should have access to messages related to that function.
+
+Note that the functional scope is distinct from the number of participants that is _addressed_ by a specific message.
+For example, a participant will address a 1:1 chat to only one other participant.
+However, since all users of the Status app MUST be able to participate in 1:1 chats,
+the functional scope of messages enabling 1:1 chats MUST be a global scope.
+Similarly, since private group chats can be set up between any subset of Status app users,
+the functional scope for messages related to private group chats MUST be global.
+Along the same principle, messages that originate within communities are of global interest
+for all users who have an interest in the Status Communities feature.
+Such messages MUST have a global functional scope,
+that can be accessed by any app users interested in communities.
+A different group of messages are addressed only to the participant that generated those messages itself.
+These _self-addressed_ messages MUST have a local functional scope.
+
+If we further make a distinction between "control" and "content" messages,
+we can distinguish five distinct functional scopes.
+
+All Status messages MUST have one of these functional scopes:
+
+#### Global general scope
+
+1. _Global control_: messages enabling the basic functioning of the app to control general features that all app users should be able to participate in. Examples include Contact Requests, global Status Updates, Group Chat Invites, etc.
+2. _Global content_: messages carrying user-generated content for global functions. Examples include 1:1 chat messages, images shared over private group chats, etc.
+
+#### Global community scope
+
+1. _Global community control_: messages enabling the basic functioning of the app to control features related to communities. Examples include Community Invites, Community Membership Updates, community Status Updates, etc.
+2. _Global community content_: messages carrying user-generated content for members of any community.
+
+> **Note:** a previous iteration of the Status Communities feature defined separate community-wide scopes for each community.
+However, this model was deprecated and all communities now operate on a global, shared scope.
+This implies that different communities will share shards on the routing layer.
+
+#### Local scope
+
+1. _Local_: messages related to functions that are only relevant to a single user. Also known as _self-addressed messages_. Examples include messages used to exchange information between app installations, such as User Backup and Sync messages.
+
+Note that the functional scope is a logical property of Status messages.
+It SHOULD however inform the underlying [transport layer sharding](#pubsub-topics-and-sharding) and [transport layer subscriptions](#subscribing).
+In general a Status client SHOULD subscribe to participate in:
+
+- all global functions
+- global community functions if it is interested in this feature, and
+- its own local functions.
+
+### Content topics
+
+Each Status app-level message MUST define a content topic that links messages in related app-level functions and sub-functions together.
+This MUST be based on the filter use cases for [transport layer subscriptions](#subscribing)
+and [retrieving historical messages](#retrieving-historical-messages).
+A content topic SHOULD be identical across all messages that are always part of the same filter use case (or always form part of the same content-filtered query criteria).
+In other words, the number of content topics defined in the app SHOULD match the number of filter use cases.
+For the sake of illustration, consider the following common content topic and filter use cases:
+
+- if all messages belonging to the same 1:1 chat are always filtered together, they SHOULD use the same content topic (see [55/STATUS-1TO1-CHAT](../55/1to1-chat.md))
+- if all messages belonging to the same Community are always filtered together, they SHOULD use the same content topic (see [56/STATUS-COMMUNITIES](../56/communities.md)).
+
+The app-level content topic MUST be populated in the `content_topic` field in the encapsulating Waku message (see [Waku messages](#waku-messages)).
+
+### Ephemerality
+
+Each Status app-level message MUST define its _ephemerality_.
+Ephemerality is a boolean value, set to `true` if a message is considered ephemeral.
+Ephemeral messages are messages emitted by the app that are transient in nature.
+They only have temporary "real-time" value
+and SHOULD NOT be stored and retrievable from historical message stores and sync caches.
+Similarly, ephemeral message delivery is best-effort in nature and SHOULD NOT be considered in message reliability mechanisms (see [End-to-end reliability layer](#end-to-end-reliability-layer)).
+
+An example of ephemeral messages would be periodic status update messages, indicating a particular user's online status.
+Since only a user's current online status is of value, there is no need to store historical status update messages.
+Since status updates are periodic, there is no strong need for end-to-end reliability as subsequent updates are always to follow.
+
+App-level messages that are considered ephemeral, MUST set the `ephemeral` field in the encapsulating Waku message to `true` (see [Waku messages](#waku-messages))
+
+## End-to-end reliability layer
+
+The end-to-end reliability layer contains the functions related to one of the two end-to-end reliability schemes defined for Status app messages:
+
+1. Minimum Viable protocol for Data Synchronisation, or MVDS (see [STATUS-MVDS-USAGE](./status-mvds.md))
+2. Scalable distributed log reliability (spec and a punchier name TBD, see the [original forum post announcement](https://forum.vac.dev/t/end-to-end-reliability-for-scalable-distributed-logs/293/16))
+
+Ephemeral messages SHOULD omit this layer.
+Non-ephemeral 1:1 chat messages SHOULD make use of MVDS to achieve reliable data synchronisation between the two parties involved in the communication.
+Non-ephemeral private group chat messages build on a set of 1:1 chat links
+and consequently SHOULD also make use of MVDS to achieve reliable data synchronisation between all parties involved in the communication.
+Non-ephemeral 1:1 and private group chat messages MAY make use of of [scalable distributed log reliability](https://forum.vac.dev/t/end-to-end-reliability-for-scalable-distributed-logs/293/16) in future.
+Since MVDS does not scale for large number of participants in the communication,
+non-ephemeral community messages MUST use scalable distributed log reliability as defined in this [original forum post announcement](https://forum.vac.dev/t/end-to-end-reliability-for-scalable-distributed-logs/293/16).
+The app MUST use a single channel ID per community.
+
+## Encryption layer
+
+The encryption layer wraps the Status App and Reliability layers in an encrypted payload.
+
+<!-- TODO: This section is TBD. We may want to design a way for Communities to use de-MLS in a separate spec and generally simplify Status encryption. -->
+
+## Waku transport layer
+
+The Waku transport layer contains the functions allowing Status protocols to use [10/WAKU2](../../waku/standards/core/10/waku2.md) infrastructure as transport.
+
+### Waku messages
+
+Each Status application message MUST be transformed to a [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md) with the following structure:
+
+```protobuf
+syntax = "proto3";
+
+message WakuMessage {
+  bytes payload = 1;
+  string content_topic = 2;
+  optional uint32 version = 3;
+  optional sint64 timestamp = 10;
+  optional bytes meta = 11;
+  optional bool ephemeral = 31;
+}
+```
+
+- `payload` MUST be set to the full encrypted payload received from the higher layers
+- `version` MUST be set to `1`
+- `ephemeral` MUST be set to `true` if the app-level message is ephemeral
+- `content_topic` MUST be set to the app-level content topic
+- `timestamp` MUST be set to the current Unix epoch timestamp (in nanosecond precision)
+
+### Pubsub topics and sharding
+
+All Waku messages are published to pubsub topics as defined in [23/WAKU2-TOPICS](../../waku/informational/23/topics.md).
+Since pubsub topics define a routing layer for messages,
+they can be used to shard traffic.
+The pubsub topic used for publishing a message depends on the app-level [functional scope](#functional-scope).
+
+#### Self-addressed messages
+
+The application MUST define at least one distinct pubsub topic for self-addressed messages.
+The application MAY define a set of more than one pubsub topic for self-addressed messages to allow traffic sharding for scalability.
+
+#### Global messages
+
+The application MUST define at least one distinct pubsub topic for global control messages and global content messages.
+The application MAY defined a set of more than one pubsub topic for global messages to allow traffic sharding for scalability.
+It is RECOMMENDED that separate pubsub topics be used for global control messages and global content messages.
+
+#### Community messages
+
+The application SHOULD define at least one distinct pubsub topic for global community control messages and global community content messages.
+The application MAY define a set of more than one pubsub topic for global community messages to allow traffic sharding for scalability.
+It is RECOMMENDED that separate pubsub topics be used for global community control messages and global community content messages.
+
+#### Large messages
+
+The application MAY define separate pubsub topics for large messages.
+These pubsub topics for large messages MAY be distinct for each functional scope.
+
+### Resource usage
+
+The application SHOULD use a range of Waku protocols to interact with the Waku transport layer.
+The specific set of Waku protocols used depend on desired functionality and resource usage profile for the specific client.
+Resources can be restricted in terms of bandwidth and computing resources.
+
+Waku protocols that are more appropriate for resource-restricted environments are often termed "light protocols".
+Waku protocols that consume more resources, but simultaneously contribute more to Waku infrastructure, are often termed "full protocols".
+The terms "full" and "light" is just a useful abstraction than a strict binary, though,
+and Status clients can operate along a continuum of resource usage profiles,
+each using the combination of "full" and "light" protocols most appropriate to match its environment and motivations.
+
+To simplify interaction with the selection of "full" and "light" protocols,
+Status clients MUST define a "full mode" and "light mode"
+to allow users to select whether their client would prefer "full protocols" or "light protocols" by default.
+Status Desktop clients are assumed to have more resources available and SHOULD use full mode by default.
+Status Mobile clients are assumed to operate with more resource restrictions and SHOULD use light mode by default.
+
+For the purposes of the rest of this document,
+clients in full mode will be referred to as "full clients" and
+clients in light mode will be referred to as "light clients".
+
+### Discovery
+
+The application MUST make use of at least one discovery method to discover and connect to Waku peers
+useful for the user functions specific to that instance of the application.
+
+The specific Waku discovery protocol used for discovery depends on the use case and resource-availability of the client.
+
+1. [EIP-1459: DNS-based discovery](https://eips.ethereum.org/EIPS/eip-1459) is useful for initial connection to bootstrap peers.
+2. [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md) allows decentralized discovery of Waku peers.
+3. [34/WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/315264c202e0973476e2f1e2d0b01bea4fe1ad31/standards/core/peer-exchange.md) allows requesting peers from a service node
+and is appropriate for resource-restricted discovery.
+
+All clients SHOULD use DNS-based discovery on startup
+to discover a set of bootstrap peers for initial connection.
+
+Full clients SHOULD use [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md) for continuous ambient peer discovery.
+
+Light clients SHOULD use [34/WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/315264c202e0973476e2f1e2d0b01bea4fe1ad31/standards/core/peer-exchange.md) to discover a set of service peers
+used by that instance of the application.
+
+### Subscribing
+
+The application MUST subscribe to receive the traffic necessary for minimal app operation
+and to enable the user functions specific to that instance of the application.
+
+The specific Waku protocol used for subscription depends on the resource-availability of the client:
+
+1. Filter client protocol, as specified in [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md), allows subscribing for traffic with content topic granularity and is appropriate for resource-restricted subscriptions.
+2. Relay protocol, as specified in [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md), allows subscribing to traffic only with pubsub topic granularity and therefore is more resource-intensive. Relay subscription also allows the application instance to contribute to the overall routing infrastructure, which adds to its overall higher resource usage but benefits the ecosystem.
+
+Full clients SHOULD use relay protocol as preferred method to subscribe to pubsub topics matching the scopes:
+
+1. Global control
+2. Global content
+3. Global community control, if the client has activated the Status Communities feature
+4. Global community content, if the client has activated the Status Communities feature
+
+Light clients SHOULD use filter protocol to subscribe only to the content topics relevant to the user.
+
+#### Self-addressed messages
+
+Status clients (full or light) MUST NOT subscribe to topics for messages with self-addressed scopes.
+See [Self-addressed messages](#self-addressed-messages-4).
+
+#### Large messages
+
+Status clients (full or light) SHOULD NOT subscribe to topics set aside for large messages.
+See [Large messages](#large-messages-4).
+
+### Publishing
+
+The application MUST publish user and app generated messages via the Waku transport layer.
+The specific Waku protocol used for publishing depends on the resource-availability of the client:
+
+1. Lightpush protocol, as specified in [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md) allows publishing to a pubsub topic via an intermediate "full node" and is more appropriate for resource-restricted publishing.
+2. Relay protocol, as specified in [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md), allows publishing directly into the relay routing network and is therefore more resource-intensive.
+
+Full clients SHOULD use relay protocol to publish to pubsub topics matching the scopes:
+
+1. Global control
+2. Global content
+3. Global community control, if the client has activated the Status Communities feature
+4. Global community content, if the client has activated the Status Communities feature
+
+Light clients SHOULD use lightpush protocol to publish control and content messages.
+
+#### Self-addressed messages
+
+Status clients (full or light) MUST use lightpush protocol to publish self-addressed messages.
+See [Self-addressed messages](#self-addressed-messages-4).
+
+#### Large messages
+
+Status clients (full or light) SHOULD use lightpush protocols to publish to pubsub topics set aside for large messages.
+See [Large messages](#large-messages-4).
+
+### Retrieving historical messages
+
+Status clients SHOULD use the store query protocol, as specified in [WAKU2-STORE](https://github.com/waku-org/specs/blob/8fea97c36c7bbdb8ddc284fa32aee8d00a2b4467/standards/core/store.md), to retrieve historical messages relevant to the client from store service nodes in the network.
+
+Status clients SHOULD use [content filtered queries](https://github.com/waku-org/specs/blob/8fea97c36c7bbdb8ddc284fa32aee8d00a2b4467/standards/core/store.md#content-filtered-queries) with `include_data` set to `true`,
+to retrieve the full contents of historical messages that the client may have missed during offline periods,
+or to populate the local message database when the client starts up for the first time.
+
+#### Store queries for reliability
+
+Status clients MAY use periodic content filtered queries with `include_data` set to `false`,
+to retrieve only the message hashes of past messages on content topics relevant to the client.
+This can be used to compare the hashes available in the local message database with the hashes in the query response
+in order to identify possible missing messages.
+Once the Status client has identified a set of missing message hashes
+it SHOULD use [message hash lookup queries](https://github.com/waku-org/specs/blob/8fea97c36c7bbdb8ddc284fa32aee8d00a2b4467/standards/core/store.md#message-hash-lookup-queries) with `include_data` set to `true`
+to retrieve the full contents of the missing messages based on the hash.
+
+Status clients MAY use [presence queries](https://github.com/waku-org/specs/blob/8fea97c36c7bbdb8ddc284fa32aee8d00a2b4467/standards/core/store.md#presence-queries)
+to determine if one or more message hashes known to the client is present in the store service node.
+Clients MAY use this method to determine if a message that originated from the client
+has been successfully stored.
+
+#### Self-addressed messages
+
+Status clients (full or light) SHOULD use store queries (rather than subscriptions) to retrieve self-addressed messages relevant to that client.
+See [Self-addressed messages](#self-addressed-messages-4).
+
+#### Large messages
+
+Status clients (full or light) SHOULD use store queries (rather than subscriptions) to retrieve large messages relevant to that client.
+See [Large messages](#large-messages-4).
+
+### Providing services
+
+Status clients MAY provide service-side protocols to other clients.
+
+Full clients SHOULD mount
+the filter service protocol (see [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md))
+and lightpush service protocol (see [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md))
+in order to provide light subscription and publishing services to other clients
+for each pubsub topic to which they have a relay subscription.
+
+Full clients SHOULD mount
+the peer exchange service protocol (see [34/WAKU2-PEER-EXCHANGE](https://github.com/waku-org/specs/blob/315264c202e0973476e2f1e2d0b01bea4fe1ad31/standards/core/peer-exchange.md))
+to provide light discovery services to other clients.
+
+Status clients MAY mount the store query protocol as service node (see [WAKU2-STORE](https://github.com/waku-org/specs/blob/8fea97c36c7bbdb8ddc284fa32aee8d00a2b4467/standards/core/store.md))
+to store historical messages and
+provide store services to other clients
+for each pubsub topic to which they have a relay subscription
+
+### Self-addressed messages
+
+Messages with a _local_ functional scope (see [Functional scope](#functional-scope)),
+also known as _self-addressed_ messages,
+MUST be published to a distinct pubsub topic or a distinct _set_ of pubsub topics
+used exclusively for messages with local scope (see [Pubsub topics and sharding](#pubsub-topics-and-sharding)).
+Status clients (full or light) MUST use lightpush protocol to publish self-addressed messages (see [Publishing](#publishing)).
+Status clients (full or light) MUST NOT subscribe to topics for messages with self-addressed scopes (see [Subscribing](#subscribing)).
+Status clients (full or light) SHOULD use store queries (rather than subscriptions) to retrieve self-addressed messages relevant to that client (see [Retrieving historical messages](#retrieving-historical-messages)).
+
+### Large messages
+
+The application MAY define separate pubsub topics for large messages.
+These pubsub topics for large messages MAY be distinct for each functional scope (see [Pubsub topics and sharding](#pubsub-topics-and-sharding)).
+Status clients (full or light) SHOULD use lightpush protocols to publish to pubsub topics set aside for large messages (see [Publishing](#publishing)).
+Status clients (full or light) SHOULD NOT subscribe to topics set aside for large messages (see [Subscribing](#subscribing)).
+Status clients (full or light) SHOULD use store queries (rather than subscriptions) to retrieve large messages relevant to that client (see [Retrieving historical messages](#retrieving-historical-messages)).
+
+#### Chunking
+
+The Status application MAY use a chunking mechanism to break down large payloads
+into smaller segments for individual Waku transport.
+The definition of a large message is up to the application.
+However, the maximum size for a [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md) payload is 150KB.
+Status application payloads that exceed this size MUST be chunked into smaller pieces
+and MUST be considered a "large message".
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+1. [55/STATUS-1TO1-CHAT](../55/1to1-chat.md)
+2. [56/STATUS-COMMUNITIES](../56/communities.md)
+3. [10/WAKU2](../../waku/standards/core/10/waku2.md)
+4. [11/WAKU2-RELAY](../../waku/standards/core/11/relay.md)
+5. [12/WAKU2-FILTER](../../waku/standards/core/12/filter.md)
+6. [14/WAKU2-MESSAGE](../../waku/standards/core/14/message.md)
+7. [23/WAKU2-TOPICS](../../waku/informational/23/topics.md)
+8. [19/WAKU2-LIGHTPUSH](../../waku/standards/core/19/lightpush.md)
+9. [Scalable distributed log reliability](https://forum.vac.dev/t/end-to-end-reliability-for-scalable-distributed-logs/293/16)
+10. [STATUS-MVDS-USAGE](./status-mvds.md)
+11. [WAKU2-STORE](https://github.com/waku-org/specs/blob/8fea97c36c7bbdb8ddc284fa32aee8d00a2b4467/standards/core/store.md)

status/raw/status-mvds.md

@@ -0,0 +1,129 @@
+---
+title: STATUS-MVDS-USAGE
+name: MVDS Usage in Status
+status: raw
+category: Best Current Practice
+description: Defines how MVDS protocol used by different message types in Status.
+editor: Kaichao Sun <kaichao@status.im>
+contributors:
+---
+
+## Abstract
+
+This document lists the types of messages that are using [MVDS](/vac/2/mvds.md)
+in the Status application.
+
+## Background
+
+Status app uses MVDS to ensure messages going through Waku
+are acknolwedged by the recipient.
+This is to ensure that the messages are not missed by any interested parties.
+
+## Message types
+
+Various Message Types contain distinct information defined by the app
+to facilitate convenient serialization and deserialization.
+
+E2E reliability is a feature that ensures messages are delivered to the recipient.
+This is initially achieved by using MVDS in Status.
+
+Chat Type specifies the category of chat that a message belongs to.
+It can be OneToOne (aka Direct Message), GroupChat, or CommunityChat.
+These are the three main types of chats in Status.
+
+| Message Type                                                               | Use MVDS                            | Need e2e reliability | Chat Type               |
+|----------------------------------------------------------------------------|-------------------------------------|----------------------|-------------------------|
+| ApplicationMetadataMessage_UNKNOWN                                         | No                                  | No                   | Not Applied             |
+| ApplicationMetadataMessage_CHAT_MESSAGE                                    | Yes for OneToOne & PrivateGroupChat | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_CONTACT_UPDATE                                  | Yes                                 | Yes                  | OneToOne                |
+| ApplicationMetadataMessage_MEMBERSHIP_UPDATE_MESSAGE                       | No                                  | Yes                  | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_PAIR_INSTALLATION                          | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_DEPRECATED_SYNC_INSTALLATION                    | No                                  | No                   | Pair                    |
+| ApplicationMetadataMessage_REQUEST_ADDRESS_FOR_TRANSACTION                 | Yes for OneToOne                    | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_ACCEPT_REQUEST_ADDRESS_FOR_TRANSACTION          | Yes for OneToOne                    | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_DECLINE_REQUEST_ADDRESS_FOR_TRANSACTION         | Yes for OneToOne                    | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_REQUEST_TRANSACTION                             | Yes for OneToOne                    | Yes                  | OneToOne & GroupChat    |
+| ApplicationMetadataMessage_SEND_TRANSACTION                                | Yes for OneToOne                    | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_DECLINE_REQUEST_TRANSACTION                     | Yes for OneToOne                    | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_SYNC_INSTALLATION_CONTACT_V2                    | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_INSTALLATION_ACCOUNT                       | No                                  | No                   | Not Applied             |
+| ApplicationMetadataMessage_CONTACT_CODE_ADVERTISEMENT                      | No                                  | No                   | Not Applied             |
+| ApplicationMetadataMessage_PUSH_NOTIFICATION_REGISTRATION                  | No                                  | No                   | One & Group & Community |
+| ApplicationMetadataMessage_PUSH_NOTIFICATION_REGISTRATION_RESPONSE         | No                                  | No                   | One & Group & Community |
+| ApplicationMetadataMessage_PUSH_NOTIFICATION_QUERY                         | No                                  | No                   | One & Group & Community |
+| ApplicationMetadataMessage_PUSH_NOTIFICATION_QUERY_RESPONSE                | No                                  | No                   | One & Group & Community |
+| ApplicationMetadataMessage_PUSH_NOTIFICATION_REQUEST                       | No                                  | No                   | One & Group & Community |
+| ApplicationMetadataMessage_PUSH_NOTIFICATION_RESPONSE                      | No                                  | No                   | One & Group & Community |
+| ApplicationMetadataMessage_EMOJI_REACTION                                  | No                                  | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_GROUP_CHAT_INVITATION                           | Yes                                 | Yes                  | GroupChat               |
+| ApplicationMetadataMessage_CHAT_IDENTITY                                   | No                                  | No                   | OneToOne                |
+| ApplicationMetadataMessage_COMMUNITY_DESCRIPTION                           | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_INVITATION                            | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_REQUEST_TO_JOIN                       | No                                  | Yes                  | CommunityChat           |
+| ApplicationMetadataMessage_PIN_MESSAGE                                     | Yes for OneToOne & PrivateGroupChat | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_EDIT_MESSAGE                                    | Yes for OneToOne & PrivateGroupChat | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_STATUS_UPDATE                                   | No                                  | No                   | Not Applied             |
+| ApplicationMetadataMessage_DELETE_MESSAGE                                  | Yes for OneToOne & PrivateGroupChat | Yes                  | One & Group & Community |
+| ApplicationMetadataMessage_SYNC_INSTALLATION_COMMUNITY                     | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_ANONYMOUS_METRIC_BATCH                          | No                                  | No                   | Not Applied             |
+| ApplicationMetadataMessage_SYNC_CHAT_REMOVED                               | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_CHAT_MESSAGES_READ                         | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_BACKUP                                          | No                                  | No                   | Not Applied             |
+| ApplicationMetadataMessage_SYNC_ACTIVITY_CENTER_READ                       | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_ACTIVITY_CENTER_ACCEPTED                   | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_ACTIVITY_CENTER_DISMISSED                  | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_BOOKMARK                                   | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_CLEAR_HISTORY                              | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_SETTING                                    | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_MESSAGE_ARCHIVE_MAGNETLINK            | No                                  | No                   | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_PROFILE_PICTURES                           | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_ACCOUNT                                    | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_ACCEPT_CONTACT_REQUEST                          | Yes                                 | Yes                  | OneToOne                |
+| ApplicationMetadataMessage_RETRACT_CONTACT_REQUEST                         | Yes                                 | Yes                  | OneToOne                |
+| ApplicationMetadataMessage_COMMUNITY_REQUEST_TO_JOIN_RESPONSE              | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_COMMUNITY_SETTINGS                         | Yes                                 | Yes                  | CommunityChat           |
+| ApplicationMetadataMessage_REQUEST_CONTACT_VERIFICATION                    | Yes                                 | Yes                  | OneToOne                |
+| ApplicationMetadataMessage_ACCEPT_CONTACT_VERIFICATION                     | Yes                                 | Yes                  | OneToOne                |
+| ApplicationMetadataMessage_DECLINE_CONTACT_VERIFICATION                    | Yes                                 | Yes                  | OneToOne                |
+| ApplicationMetadataMessage_SYNC_TRUSTED_USER                               | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_VERIFICATION_REQUEST                       | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_CONTACT_REQUEST_DECISION                   | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_REQUEST_TO_LEAVE                      | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_DELETE_FOR_ME_MESSAGE                      | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_SAVED_ADDRESS                              | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_CANCEL_REQUEST_TO_JOIN                | No                                  | Yes                  | CommunityChat           |
+| ApplicationMetadataMessage_CANCEL_CONTACT_VERIFICATION                     | Yes                                 | Yes                  | OneToOne                |
+| ApplicationMetadataMessage_SYNC_KEYPAIR                                    | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_SOCIAL_LINKS                               | No                                  | No                   | Not Applied             |
+| ApplicationMetadataMessage_SYNC_ENS_USERNAME_DETAIL                        | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_EVENTS_MESSAGE                        | No                                  | No                   | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_EDIT_SHARED_ADDRESSES                 | No                                  | No                   | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_ACCOUNT_CUSTOMIZATION_COLOR                | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_ACCOUNTS_POSITIONS                         | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_PRIVILEGED_USER_SYNC_MESSAGE          | No                                  | No                   | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_SHARD_KEY                             | Yes                                 | Yes                  | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_CHAT                                       | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_ACTIVITY_CENTER_DELETED                    | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_ACTIVITY_CENTER_UNREAD                     | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_ACTIVITY_CENTER_COMMUNITY_REQUEST_DECISION | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_SYNC_TOKEN_PREFERENCES                          | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_PUBLIC_SHARD_INFO                     | No                                  | No                   | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_COLLECTIBLE_PREFERENCES                    | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_USER_KICKED                           | No                                  | No                   | CommunityChat           |
+| ApplicationMetadataMessage_SYNC_PROFILE_SHOWCASE_PREFERENCES               | Yes                                 | Yes                  | Pair                    |
+| ApplicationMetadataMessage_COMMUNITY_PUBLIC_STORENODES_INFO                | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_REEVALUATE_PERMISSIONS_REQUEST        | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_DELETE_COMMUNITY_MEMBER_MESSAGES                | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_UPDATE_GRANT                          | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_ENCRYPTION_KEYS_REQUEST               | No                                  | Yes                  | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_TOKEN_ACTION                          | No                                  | Weak Yes             | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_SHARED_ADDRESSES_REQUEST              | No                                  | No                   | CommunityChat           |
+| ApplicationMetadataMessage_COMMUNITY_SHARED_ADDRESSES_RESPONSE             | No                                  | No                   | CommunityChat           |
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [MVDS](/vac/2/mvds.md)

status/raw/url-data.md

@@ -0,0 +1,157 @@
+---
+title: STATUS-URL-DATA
+name: Status URL Data
+status: raw
+category: Standards Track
+tags:
+editor: Felicio Mununga <felicio@status.im>
+contributors:
+  - Aaryamann Challani <aaryamann@status.im>
+---
+
+## Abstract
+
+This document specifies serialization, compression, and
+encoding techniques used to transmit data within URLs in the context of Status protocols.
+
+## Motivation
+
+When sharing URLs,
+link previews often expose metadata to the websites behind those links.
+To reduce reliance on external servers for providing appropriate link previews,
+this specification proposes a standard method for encoding data within URLs.
+
+## Terminology
+
+- Community: Refer to [STATUS-COMMUNITIES](../56/communities.md)
+- Channel: Refer to terminology in [STATUS-COMMUNITIES](../56/communities.md)
+- User: Refer to terminology in [STATUS-COMMUNITIES](../56/communities.md)
+- Shard Refer to terminology in [WAKU2-RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)
+
+## Wire Format
+
+```protobuf
+syntax = "proto3";
+
+message Community {
+    // Display name of the community
+    string display_name = 1;
+    // Description of the community
+    string description = 2;
+    // Number of members in the community
+    uint32 members_count = 3;
+    // Color of the community title
+    string color = 4;
+    // List of tag indices
+    repeated uint32 tag_indices = 5;
+}
+
+message Channel {
+    // Display name of the channel
+    string display_name = 1;
+    // Description of the channel
+    string description = 2;
+    // Emoji of the channel
+    string emoji = 3;
+    // Color of the channel title
+    string color = 4;
+    // Community the channel belongs to
+    Community community = 5;
+    // UUID of the channel
+    string uuid = 6;
+}
+
+message User {
+    // Display name of the user
+    string display_name = 1;
+    // Description of the user
+    string description = 2;
+    // Color of the user title
+    string color = 3;
+}
+
+message URLData {
+    // Community, Channel, or User
+    bytes content = 1;
+    uint32 shard_cluster = 2;
+    uint32 shard_index = 3;
+}
+```
+
+## Implementation
+
+The above wire format describes the data encoded in the URL.
+The data MUST be serialized, compressed, and encoded using the following standards:
+
+Encoding
+
+- [Base64url](https://datatracker.ietf.org/doc/html/rfc4648)
+
+### Compression
+
+- [Brotli](https://datatracker.ietf.org/doc/html/rfc7932)
+
+### Serialization
+
+- [Protocol buffers version 3](https://protobuf.dev/reference/protobuf/proto3-spec/)
+
+### Implementation Pseudocode
+
+Encoding
+
+Encoding the URL MUST be done in the following order:
+
+```protobuf
+raw_data = {User | Channel | Community}
+serialized_data = protobuf_serialize(raw_data)
+compressed_data = brotli_compress(serialized_data)
+encoded_url_data = base64url_encode(compressed_data)
+```
+
+The `encoded_url_data` is then used to generate a signature using the private key.
+
+#### Decoding
+
+Decoding the URL MUST be done in the following order:
+
+```protobuf
+url_data = base64url_decode(encoded_url_data)
+decompressed_data = brotli_decompress(url_data)
+deserialized_data = protobuf_deserialize(decompressed_data)
+raw_data = deserialized_data.content
+```
+
+The `raw_data` is then used to construct the appropriate data structure
+(User, Channel, or Community).
+
+### Example
+
+- See <https://github.com/status-im/status-web/pull/345/files>
+
+<!-- # (Further Optional Sections) -->
+
+## Discussions
+
+- See <https://github.com/status-im/status-web/issues/327>
+
+## Proof of concept
+
+- See <https://github.com/felicio/status-web/blob/825262c4f07a68501478116c7382862607a5544e/packages/status-js/src/utils/encode-url-data.compare.test.ts#L4>
+
+<!-- # Security Considerations -->
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+1. [Proposal Google Sheet](https://docs.google.com/spreadsheets/d/1JD4kp0aUm90piUZ7FgM_c2NGe2PdN8BFB11wmt5UZIY/edit?usp=sharing)
+2. [Base64url](https://datatracker.ietf.org/doc/html/rfc4648)
+3. [Brotli](https://datatracker.ietf.org/doc/html/rfc7932)
+4. [Protocol buffers version 3](https://protobuf.dev/reference/protobuf/proto3-spec/)
+5. [STATUS-URL-SCHEME](./url-scheme.md)
+
+<!-- ## informative
+
+A list of additional references. -->

status/raw/url-scheme.md

@@ -0,0 +1,72 @@
+---
+title: STATUS-URL-SCHEME
+name: Status URL Scheme
+status: raw
+category: Standards Track
+tags:
+editor: Felicio Mununga <felicio@status.im>
+contributors:
+---
+
+## Abstract
+
+This document describes URL scheme for previewing and
+deep linking content as well as for triggering actions.
+
+## Background / Rationale / Motivation
+
+### Requirements
+
+#### Related scope
+
+##### Features
+
+- Onboarding website
+- Link preview
+- Link sharing
+- Deep linking
+- Routing and navigation
+- Payment requests
+- Chat creation
+
+## Wire Format Specification / Syntax
+
+### Schemes
+
+- Internal `status-app://`
+- External `https://` (i.e. univers/deep links)
+
+### Paths
+
+| Name | Url | Description |
+| ----- | ---- | ---- |
+| User profile | `/u/<encoded_data>#<user_chat_key>` | Preview/Open user profile |
+| | `/u#<user_chat_key>` | |
+| | `/u#<ens_name>` | |
+| Community | `/c/<encoded_data>#<community_chat_key>` | Preview/Open community |
+| | `/c#<community_chat_key>` | |
+| Community channel | `/cc/<encoded_data>#<community_chat_key >`| Preview/Open community channel |
+| | `/cc/<channel_uuid>#<community_chat_key>` | |
+
+<!-- # Security/Privacy Considerations
+
+A standard track RFC in `stable` status MUST feature this section.
+A standard track RFC in `raw` or `draft` status SHOULD feature this section.
+Informational RFCs (in any state) may feature this section.
+If there are none, this section MUST explicitly state that fact.
+This section MAY contain additional relevant information,
+e.g. an explanation as to why there are no security consideration
+for the respective document. -->
+
+## Discussions
+
+- See <https://github.com/status-im/specs/pull/159>
+- See <https://github.com/status-im/status-web/issues/327>
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [STATUS-URL-DATA](./url-data.md)

vac/1/coss.md

@@ -4,44 +4,59 @@ title: 1/COSS
 name: Consensus-Oriented Specification System
 status: draft
 category: Best Current Practice
-editor: Oskar Thoren <oskarth@titanproxy.com>
+editor: Daniel Kaiser <danielkaiser@status.im>
 contributors:
+  - Oskar Thoren <oskarth@titanproxy.com>
   - Pieter Hintjens <ph@imatix.com>
   - André Rebentisch <andre@openstandards.de>
   - Alberto Barrionuevo <abarrio@opentia.es>
   - Chris Puttick <chris.puttick@thehumanjourney.net>
   - Yurii Rashkovskii <yrashk@gmail.com>
-  - Daniel Kaiser <danielkaiser@status.im>
+  - Jimmy Debe <jimmy@status.im>
 ---
 
-This document describes a consensus-oriented specification system (COSS) for building interoperable technical specifications.
-COSS is based on a lightweight editorial process that seeks to engage the widest possible range of interested parties and move rapidly to consensus through working code.
+This document describes a consensus-oriented specification system (COSS)
+for building interoperable technical specifications.
+COSS is based on a lightweight editorial process that
+seeks to engage the widest possible range of interested parties and
+move rapidly to consensus through working code.
 
-This specification is based on [Unprotocols 2/COSS](https://github.com/unprotocols/rfc/blob/master/2/README.md), used by the [ZeromMQ](https://rfc.zeromq.org/) project.
+This specification is based on [Unprotocols 2/COSS](https://github.com/unprotocols/rfc/blob/master/2/README.md),
+used by the [ZeromMQ](https://rfc.zeromq.org/) project.
 It is equivalent except for some areas:
 
-- recommending the use of a permissive licenses, such as CC0 (with the exception of this document);
+- recommending the use of a permissive licenses,
+such as CC0 (with the exception of this document);
 - miscellaneous metadata, editor, and format/link updates;
-- more inheritance from the [IETF Standards Process][https://www.rfc-editor.org/rfc/rfc2026.txt],
+- more inheritance from the [IETF Standards Process](https://www.rfc-editor.org/rfc/rfc2026.txt),
   e.g. using RFC categories: Standards Track, Informational, and Best Common Practice;
-- standards track specifications SHOULD follow a specific structure that both streamlines editing,
-  and helps implementers to quickly comprehend the specification
+- standards track specifications SHOULD
+follow a specific structure that both streamlines editing,
+and helps implementers to quickly comprehend the specification
 - specifications MUST feature a header providing specific meta information
+- raw specifications will not be assigned numbers
+- section explaining the [IFT](https://free.technology/)
+Request For Comments specification process managed by the Vac service department
 
 ## License
 
-Copyright (c) 2008-22 the Editor and Contributors.
+Copyright (c) 2008-26 the Editor and Contributors.
 
 This Specification is free software;
-you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation;
+you can redistribute it and/or
+modify it under the terms of the GNU General Public License
+as published by the Free Software Foundation;
 either version 3 of the License, or (at your option) any later version.
 
-This Specification is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
-without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+This specification is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY;
+without even the implied warranty of MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE.
 See the GNU General Public License for more details.
 
-You should have received a copy of the GNU General Public License along with this program;
-if not, see http://www.gnu.org/licenses.
+You should have received a copy of the GNU General Public License
+along with this program;
+if not, see [gnu.org](http://www.gnu.org/licenses).
 
 ## Change Process
 
@@ -49,28 +64,33 @@ This document is governed by the [1/COSS](./coss.md) (COSS).
 
 ## Language
 
-The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this document are to be interpreted as described in
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
+"SHOULD NOT", "RECOMMENDED",  "MAY", and
+"OPTIONAL" in this document are to be interpreted as described in
 [RFC 2119](http://tools.ietf.org/html/rfc2119).
 
 ## Goals
 
-The primary goal of COSS is to facilitate the process of writing, proving, and improving new technical specifications.
-A "technical specification" defines a protocol, a process, an API, a use of language, a methodology,
-or any other aspect of a technical environment that can usefully be documented for the purposes of technical or social interoperability.
+The primary goal of COSS is to facilitate the process of writing, proving, and
+improving new technical specifications.
+A "technical specification" defines a protocol, a process, an API, a use of language,
+a methodology, or any other aspect of a technical environment that
+can usefully be documented for the purposes of technical or social interoperability.
 
-COSS is intended to above all be economical and rapid, so that it is useful to small teams with little time to spend on more formal processes.
+COSS is intended to above all be economical and rapid,
+so that it is useful to small teams with little time to spend on more formal processes.
 
 Principles:
 
-* We aim for rough consensus and running code; [inspired by the IETF Tao](https://www.ietf.org/about/participate/tao/).
-* Specifications are small pieces, made by small teams.
-* Specifications should have a clearly responsible editor.
-* The process should be visible, objective, and accessible to anyone.
-* The process should clearly separate experiments from solutions.
-* The process should allow deprecation of old specifications.
-
-Specifications should take minutes to explain, hours to design, days to write, weeks to prove, months to become mature, and years to replace.
+- We aim for rough consensus and running code; [inspired by the IETF Tao](https://www.ietf.org/about/participate/tao/).
+- Specifications are small pieces, made by small teams.
+- Specifications should have a clearly responsible editor.
+- The process should be visible, objective, and accessible to anyone.
+- The process should clearly separate experiments from solutions.
+- The process should allow deprecation of old specifications.
 
+Specifications should take minutes to explain, hours to design, days to write,
+weeks to prove, months to become mature, and years to replace.
 Specifications have no special status except that accorded by the community.
 
 ## Architecture
@@ -78,31 +98,54 @@ Specifications have no special status except that accorded by the community.
 COSS is designed around fast, easy to use communications tools.
 Primarily, COSS uses a wiki model for editing and publishing specifications texts.
 
-* The *domain* is the conservancy for a set of specifications in a certain area.
-* Each domain is implemented as an Internet domain, hosting a wiki and optionally other communications tools.
-* Each specification is a set of wiki pages, together with comments, attached files, and other resources.
-* Important specifications may also exist as subdomains, i.e. child wikis.
+- The *domain* is the conservancy for a set of specifications.
+- The *domain* is implemented as an Internet domain.
+- Each specification is a document together with references and attached resources.
+- A *sub-domain* is a initiative under a specific domain.
 
-Individuals can become members of the domain by completing the necessary legal clearance.
-The copyright, patent, and trademark policies of the domain must be clarified in an Intellectual Property policy that applies to the domain.
+Individuals can become members of the *domain*
+by completing the necessary legal clearance.
+The copyright, patent, and trademark policies of the domain must be clarified
+in an Intellectual Property policy that applies to the domain.
 
-Specifications exist as multiple pages, one page per version of the specification (see "Branching and Merging", below), which may be assigned URIs that include an incremental number.
-Thus, we refer to a specification by specifying its domain, number, and short name.
-New versions of the same specification will have new numbers.
+Specifications exist as multiple pages, one page per version,
+(discussed below in "Branching and Merging"),
+which should be assigned URIs that MAY include an number identifier.
+
+Thus, we refer to new specifications by specifying its domain,
+its sub-domain and short name.
+The syntax for a new specification reference is:
+
+    <domain>/<sub-domain>/<shortname>
+
+For example, this specification should be **rfc.vac.dev/vac/COSS**,
+if the status were **raw**.
+
+A number will be assigned to the specification when obtaining **draft** status.
+New versions of the same specification will be assigned a new number.
 The syntax for a specification reference is:
 
-    <domain>/spec/<number>/<shortname>
+    <domain>/<sub-domain>/<number>/<shortname>
 
-For example, this specification is **rfc.vac.dev/spec/1/COSS**.
-The short form **1/COSS** may be used when referring to the specification from other specifications in the same domain.
+For example, this specification is **rfc.vac.dev/vac/1/COSS**.
+The short form **1/COSS** may be used when referring to the specification
+from other specifications in the same domain.
 
-Every specification (including branches) carries a different number.
+Specifications (excluding raw specifications)
+carries a different number including branches.
 
 ## COSS Lifecycle
 
-Every specification has an independent lifecycle that documents clearly its current status.
+Every specification has an independent lifecycle that
+documents clearly its current status.
+For a specification to receive a lifecycle status,
+a new specification SHOULD be presented by the team of the sub-domain.
+After discussion amongst the contributors has reached a rough consensus,
+as described in [RFC7282](https://www.rfc-editor.org/rfc/rfc7282.html),
+the specification MAY begin the process to upgrade it's status.
 
-A specification has six possible states that reflect its maturity and contractual weight:
+A specification has five possible states that reflect its maturity and
+contractual weight:
 
 ![Lifecycle diagram](./images/lifecycle.png)
 
@@ -110,79 +153,103 @@ A specification has six possible states that reflect its maturity and contractua
 
 All new specifications are **raw** specifications.
 Changes to raw specifications can be unilateral and arbitrary.
-Those seeking to implement a raw specification should ask for it to be made a draft specification.
+A sub-domain MAY use the **raw** status for new specifications
+that live under their domain.
 Raw specifications have no contractual weight.
 
 ### Draft Specifications
 
-When raw specifications can be demonstrated, they become **draft** specifications.
+When raw specifications can be demonstrated,
+they become **draft** specifications and are assigned numbers.
 Changes to draft specifications should be done in consultation with users.
 Draft specifications are contracts between the editors and implementers.
 
 ### Stable Specifications
 
 When draft specifications are used by third parties, they become **stable** specifications.
-Changes to stable specifications should be restricted to cosmetic ones, errata and clarifications.
+Changes to stable specifications should be restricted to cosmetic ones,
+errata and clarifications.
 Stable specifications are contracts between editors, implementers, and end-users.
 
 ### Deprecated Specifications
 
-When stable specifications are replaced by newer draft specifications, they become **deprecated** specifications.
-Deprecated specifications should not be changed except to indicate their replacements, if any.
+When stable specifications are replaced by newer draft specifications,
+they become **deprecated** specifications.
+Deprecated specifications should not be changed except
+to indicate their replacements, if any.
 Deprecated specifications are contracts between editors, implementers and end-users.
 
 ### Retired Specifications
 
-When deprecated specifications are no longer used in products, they become **retired** specifications.
+When deprecated specifications are no longer used in products,
+they become **retired** specifications.
 Retired specifications are part of the historical record.
 They should not be changed except to indicate their replacements, if any.
 Retired specifications have no contractual weight.
 
 ### Deleted Specifications
 
-Deleted specifications are those that have not reached maturity (stable) and were discarded.
+Deleted specifications are those that have not reached maturity (stable) and
+were discarded.
 They should not be used and are only kept for their historical value.
 Only Raw and Draft specifications can be deleted.
 
 ## Editorial control
 
 A specification MUST have a single responsible editor,
-the only person who SHALL change the status of the specification through the lifecycle stages.
+the only person who SHALL change the status of the specification
+through the lifecycle stages.
 
 A specification MAY also have additional contributors who contribute changes to it.
 It is RECOMMENDED to use a process similar to [C4 process](https://github.com/unprotocols/rfc/blob/master/1/README.md)
 to maximize the scale and diversity of contributions.
 
-Unlike the original C4 process however, it is RECOMMENDED to use CC0 as a more permissive license alternative.
+Unlike the original C4 process however,
+it is RECOMMENDED to use CC0 as a more permissive license alternative.
 We SHOULD NOT use GPL or GPL-like license.
 One exception is this specification, as this was the original license for this specification.
 
-The editor is responsible for accurately maintaining the state of specifications and for handling all comments on the specification.
+The editor is responsible for accurately maintaining the state of specifications,
+for retiring different versions that may live in other places and
+for handling all comments on the specification.
 
 ## Branching and Merging
 
 Any member of the domain MAY branch a specification at any point.
-This is done by copying the existing text, and creating a new specification with the same name and content, but a new number.
+This is done by copying the existing text, and
+creating a new specification with the same name and content, but a new number.
+Since **raw** specifications are not assigned a number,
+branching by any member of a sub-domain MAY differentiate specifications
+based on date, contributors, or
+version number within the document.
 The ability to branch a specification is necessary in these circumstances:
 
-* To change the responsible editor for a specification, with or without the cooperation of the current responsible editor.
-* To rejuvenate a specification that is stable but needs functional changes.
-  This is the proper way to make a new version of a specification that is in stable or deprecated status.
-* To resolve disputes between different technical opinions.
+- To change the responsible editor for a specification,
+with or without the cooperation of the current responsible editor.
+- To rejuvenate a specification that is stable but needs functional changes.
+This is the proper way to make a new version of a specification
+that is in stable or deprecated status.
+- To resolve disputes between different technical opinions.
 
 The responsible editor of a branched specification is the person who makes the branch.
 
-Branches, including added contributions, are derived works and thus licensed under the same terms as the original specification.
-This means that contributors are guaranteed the right to merge changes made in branches back into their original specifications.
+Branches, including added contributions, are derived works and
+thus licensed under the same terms as the original specification.
+This means that contributors are guaranteed the right to merge changes made in branches
+back into their original specifications.
 
-Technically speaking, a branch is a *different* specification, even if it carries the same name.
+Technically speaking, a branch is a *different* specification,
+even if it carries the same name.
 Branches have no special status except that accorded by the community.
 
 ## Conflict resolution
 
-COSS resolves natural conflicts between teams and vendors by allowing anyone to define a new specification.
-There is no editorial control process except that practised by the editor of a new specification.
-The administrators of a domain (moderators) may choose to interfere in editorial conflicts,
+COSS resolves natural conflicts between teams and
+vendors by allowing anyone to define a new specification.
+There is no editorial control process except
+that practised by the editor of a new specification.
+The administrators of a domain (moderators)
+may choose to interfere in editorial conflicts,
 and may suspend or ban individuals for behaviour they consider inappropriate.
 
 ## Specification Structure
@@ -190,7 +257,8 @@ and may suspend or ban individuals for behaviour they consider inappropriate.
 ### Meta Information
 
 Specifications MUST contain the following metadata.
-It is RECOMMENDED that specification metadata is specified as a YAML header (where possible).
+It is RECOMMENDED that specification metadata is specified as a YAML header
+(where possible).
 This will enable programmatic access to specification metadata.
 
 | Key              | Value                | Type   | Example                                                                                                                                                                                                                             |
@@ -201,28 +269,60 @@ This will enable programmatic access to specification metadata.
 | **category**     | category             | string | Best Current Practice                                                                                                                                                                                                                            |
 | **tags**         | 0 or several tags    | list   | waku-application, waku-core-protocol                                                                                                                                                                                                |
 | **editor**       | editor name/email    | string | Oskar Thoren <oskarth@titanproxy.com>                                                                                                                                                                                                      |
-| **contributors** | contributors         | list   | - Pieter Hintjens <ph@imatix.com><br> - André Rebentisch <andre@openstandards.de><br> - Alberto Barrionuevo <abarrio@opentia.es><br> - Chris Puttick <chris.puttick@thehumanjourney.net><br> - Yurii Rashkovskii <yrashk@gmail.com> |
+| **contributors** | contributors         | list   | - Pieter Hintjens <ph@imatix.com> - André Rebentisch <andre@openstandards.de> - Alberto Barrionuevo <abarrio@opentia.es> - Chris Puttick <chris.puttick@thehumanjourney.net> - Yurii Rashkovskii <yrashk@gmail.com> |
 
-### Specification Template
+### IFT/Vac RFC Process
 
-Standards Track specifications SHOULD be based on the [Vac RFC template](./images/template.md).
+> [!Note]
+This section is introduced to allow contributors to understand the IFT
+(Institute of Free Technology) Vac RFC specification process.
+Other organizations may make changes to this section according to their needs.
+
+Vac is a department under the IFT organization that provides RFC (Request For Comments)
+specification services.
+This service works to help facilitate the RFC process, assuring standards are followed.
+Contributors within the service SHOULD assist a *sub-domain* in creating a new specification,
+editing a specification, and
+promoting the status of a specification along with other tasks.
+Once a specification reaches some level of maturity by rough consensus,
+the specification SHOULD enter the [Vac RFC](https://rfc.vac.dev/) process.
+Similar to the IETF working group adoption described in [RFC6174](https://www.rfc-editor.org/rfc/rfc6174.html),
+the Vac RFC process SHOULD facilitate all updates to the specification.
+
+Specifications are introduced by projects,
+under a specific *domain*, with the intention of becoming technically mature documents.
+The IFT domain currently houses the following projects:
+
+- [Status](https://status.app/)
+- [Waku](https://waku.org/)
+- [Codex](https://codex.storage/)
+- [Nimbus](https://nimbus.team/)
+- [Nomos](https://nomos.tech/)
+
+When a specification is promoted to *draft* status,
+the number that is assigned MAY be incremental
+or by the *sub-domain* and the Vac RFC process.
+Standards track specifications MUST be based on the
+[Vac RFC template](../template.md) before obtaining a new status.
+All changes, comments, and contributions SHOULD be documented.
 
 ## Conventions
 
 Where possible editors and contributors are encouraged to:
 
-* Refer to and build on existing work when possible, especially IETF specifications.
-* Contribute to existing specifications rather than reinvent their own.
-* Use collaborative branching and merging as a tool for experimentation.
-* Use Semantic Line Breaks: https://sembr.org/.
+- Refer to and build on existing work when possible, especially IETF specifications.
+- Contribute to existing specifications rather than reinvent their own.
+- Use collaborative branching and merging as a tool for experimentation.
+- Use Semantic Line Breaks: [sembr](https://sembr.org/).
 
 ## Appendix A. Color Coding
 
-It is RECOMMENDED to use color coding to indicate specification's status. Color coded specifications SHOULD use the following color scheme:
+It is RECOMMENDED to use color coding to indicate specification's status.
+Color coded specifications SHOULD use the following color scheme:
 
-* ![raw](https://raw.githubusercontent.com/unprotocols/rfc/master/2/raw.svg)
-* ![draft](https://raw.githubusercontent.com/unprotocols/rfc/master/2/draft.svg)
-* ![stable](https://raw.githubusercontent.com/unprotocols/rfc/master/2/stable.svg)
-* ![deprecated](https://raw.githubusercontent.com/unprotocols/rfc/master/2/deprecated.svg)
-* ![retired](https://raw.githubusercontent.com/unprotocols/rfc/master/2/retired.svg)
-* ![deleted](https://raw.githubusercontent.com/unprotocols/rfc/master/2/deleted.svg)
+- ![raw](https://raw.githubusercontent.com/unprotocols/rfc/master/2/raw.svg)
+- ![draft](https://raw.githubusercontent.com/unprotocols/rfc/master/2/draft.svg)
+- ![stable](https://raw.githubusercontent.com/unprotocols/rfc/master/2/stable.svg)
+- ![deprecated](https://raw.githubusercontent.com/unprotocols/rfc/master/2/deprecated.svg)
+- ![retired](https://raw.githubusercontent.com/unprotocols/rfc/master/2/retired.svg)
+- ![deleted](https://raw.githubusercontent.com/unprotocols/rfc/master/2/deleted.svg)

vac/2/images/batch.msc

@@ -0,0 +1,14 @@
+# Alice and Bob: batch data sync
+msc {
+  hscale="2", wordwraparcs=on;
+
+  alice [label="Alice"],
+  bob [label="Bob"];
+
+  --- [label="batch data sync"];
+  alice => alice [label="add messages to payload state"];
+  alice >> bob [label="send payload with messages"];
+
+  bob => bob [label="add acks to payload state"];
+  bob >> alice [label="send payload with acks"];
+}

vac/2/images/interactive.msc

@@ -0,0 +1,20 @@
+# Alice and Bob: interactive data sync
+msc {
+  hscale="2", wordwraparcs=on;
+
+  alice [label="Alice"],
+  bob [label="Bob"];
+
+  --- [label="interactive data sync"];
+  alice => alice [label="add offers to payload state"];
+  alice >> bob [label="send payload with offers"];
+    
+  bob => bob [label="add requests to payload state"];
+  bob >> alice [label="send payload with requests"];
+  
+  alice => alice [label="add requested messages to state"];
+  alice >> bob [label="send payload with messages"];
+  
+  bob => bob [label="add acks to payload state"];
+  bob >> alice [label="send payload with acks"];
+}

vac/2/mvds.md

@@ -9,9 +9,14 @@ contributors:
   - Oskar Thorén <oskarth@titanproxy.com>
 ---
 
-In this specification, we describe a minimum viable protocol for data synchronization inspired by the Bramble Synchronization Protocol[^1]. This protocol is designed to ensure reliable messaging between peers across an unreliable peer-to-peer (P2P) network where they may be unreachable or unresponsive.
+In this specification, we describe a minimum viable protocol for
+data synchronization inspired by the Bramble Synchronization Protocol[^1].
+This protocol is designed to ensure reliable messaging
+between peers across an unreliable peer-to-peer (P2P) network where
+they may be unreachable or unresponsive.
 
-We present a reference implementation[^2] including a simulation to demonstrate its performance.
+We present a reference implementation[^2]
+including a simulation to demonstrate its performance.
 
 ## Definitions
 
@@ -25,7 +30,11 @@ We present a reference implementation[^2] including a simulation to demonstrate
 
 ### Secure Transport
 
-This specification does not define anything related to the transport of packets. It is assumed that this is abstracted in such a way that any secure transport protocol could be easily implemented. Likewise, properties such as confidentiality, integrity, authenticity and forward secrecy are assumed to be provided by a layer below.
+This specification does not define anything related to the transport of packets.
+It is assumed that this is abstracted in such a way that
+any secure transport protocol could be easily implemented.
+Likewise, properties such as confidentiality, integrity, authenticity and
+forward secrecy are assumed to be provided by a layer below.
 
 ### Payloads
 
@@ -50,22 +59,29 @@ message Message {
 }
 ```
 
-*The payload field numbers are kept more "unique" to ensure no overlap with other protocol buffers.*
+*The payload field numbers are kept more "unique" to*
+*ensure no overlap with other protocol buffers.*
 
 Each payload contains the following fields:
 
-- **Acks:** This field contains a list (can be empty) of `message identifiers` informing the recipient that sender holds a specific message.
-- **Offers:** This field contains a list (can be empty) of `message identifiers` that the sender would like to give to the recipient.
-- **Requests:** This field contains a list (can be empty) of `message identifiers` that the sender would like to receive from the recipient.
+- **Acks:** This field contains a list (can be empty)
+of `message identifiers` informing the recipient that sender holds a specific message.
+- **Offers:** This field contains a list (can be empty)
+of `message identifiers` that the sender would like to give to the recipient.
+- **Requests:** This field contains a list (can be empty)
+of `message identifiers` that the sender would like to receive from the recipient.
 - **Messages:** This field contains a list of messages (can be empty).
 
-**Message Identifiers:** Each `message` has a message identifier calculated by hashing the `group_id`, `timestamp` and `body` fields as follows:
+**Message Identifiers:** Each `message` has a message identifier calculated by
+hashing the `group_id`, `timestamp` and `body` fields as follows:
 
-```
+```js
 HASH("MESSAGE_ID", group_id, timestamp, body);
 ```
 
-**Group Identifiers:** Each `message` is assigned into a **group** using the `group_id` field, groups are independent synchronization contexts between peers.
+**Group Identifiers:** Each `message` is assigned into a **group**
+using the `group_id` field,
+groups are independent synchronization contexts between peers.
 
 The current `HASH` function used is `sha256`.
 
@@ -73,50 +89,68 @@ The current `HASH` function used is `sha256`.
 
 ### State
 
-We refer to `state` as set of records for the types `OFFER`, `REQUEST` and `MESSAGE` that every node SHOULD store per peer. `state` MUST NOT contain `ACK` records as we do not retransmit those periodically. The following information is stored for records:
+We refer to `state` as set of records for the types `OFFER`, `REQUEST` and
+`MESSAGE` that every node SHOULD store per peer.
+`state` MUST NOT contain `ACK` records as we do not retransmit those periodically.
+The following information is stored for records:
 
- - **Type** - Either `OFFER`, `REQUEST` or `MESSAGE`
- - **Send Count** - The amount of times a record has been sent to a peer.
- - **Send Epoch** - The next epoch at which a record can be sent to a peer.
+- **Type** - Either `OFFER`, `REQUEST` or `MESSAGE`
+- **Send Count** - The amount of times a record has been sent to a peer.
+- **Send Epoch** - The next epoch at which a record can be sent to a peer.
 
 ### Flow
 
-A maximum of one payload SHOULD be sent to peers per epoch, this payload contains all `ACK`, `OFFER`, `REQUEST` and `MESSAGE` records for the specific peer. Payloads are created every epoch, containing reactions to previously received records by peers or new records being sent out by nodes. 
+A maximum of one payload SHOULD be sent to peers per epoch,
+this payload contains all `ACK`, `OFFER`, `REQUEST` and
+`MESSAGE` records for the specific peer.
+Payloads are created every epoch,
+containing reactions to previously received records by peers or
+new records being sent out by nodes.
 
-Nodes MAY have two modes with which they can send records: `BATCH` and `INTERACTIVE` mode. The following rules dictate how nodes construct payloads every epoch for any given peer for both modes.
+Nodes MAY have two modes with which they can send records:
+`BATCH` and `INTERACTIVE` mode.
+The following rules dictate how nodes construct payloads
+every epoch for any given peer for both modes.
 
 > ***NOTE:** A node may send messages both in interactive and in batch mode.*
 
 #### Interactive Mode
 
- - A node initially offers a `MESSAGE` when attempting to send it to a peer. This means an `OFFER` is added to the next payload and state for the given peer.
- - When a node receives an `OFFER`, a `REQUEST` is added to the next payload and state for the given peer. 
- - When a node receives a `REQUEST` for a previously sent `OFFER`, the `OFFER` is removed from the state and the corresponding `MESSAGE` is added to the next payload and state for the given peer.
- - When a node receives a `MESSAGE`, the `REQUEST` is removed from the state and an `ACK` is added to the next payload for the given peer.
- - When a node receives an `ACK`, the `MESSAGE` is removed from the state for the given peer.
- - All records that require retransmission are added to the payload, given `Send Epoch` has been reached.
+- A node initially offers a `MESSAGE` when attempting to send it to a peer.
+This means an `OFFER` is added to the next payload and state for the given peer.
+- When a node receives an `OFFER`, a `REQUEST` is added to the next payload and
+state for the given peer.
+- When a node receives a `REQUEST` for a previously sent `OFFER`,
+the `OFFER` is removed from the state and
+the corresponding `MESSAGE` is added to the next payload and
+state for the given peer.
+- When a node receives a `MESSAGE`, the `REQUEST` is removed from the state and
+an `ACK` is added to the next payload for the given peer.
+- When a node receives an `ACK`,
+the `MESSAGE` is removed from the state for the given peer.
+- All records that require retransmission are added to the payload,
+given `Send Epoch` has been reached.
 
-<p align="center">
-    <img src="../assets/mvds/interactive.png" />
-    <br />
-    Figure 1: Delivery without retransmissions in interactive mode.
-</p>
+![notification](./images/interactive.png)
+
+Figure 1: Delivery without retransmissions in interactive mode.
 
 #### Batch Mode
 
- 1. When a node sends a `MESSAGE`, it is added to the next payload and the state for the given peer.
- 2. When a node receives a `MESSAGE`, an `ACK` is added to the next payload for the corresponding peer.
- 3. When a node receives an `ACK`, the `MESSAGE` is removed from the state for the given peer.
- 4. All records that require retransmission are added to the payload, given `Send Epoch` has been reached.
+1. When a node sends a `MESSAGE`,
+it is added to the next payload and the state for the given peer.
+2. When a node receives a `MESSAGE`,
+an `ACK` is added to the next payload for the corresponding peer.
+3. When a node receives an `ACK`,
+the `MESSAGE` is removed from the state for the given peer.
+4. All records that require retransmission are added to the payload,
+given `Send Epoch` has been reached.
 
 <!-- diagram -->
 
-<p align="center">
-    <img src="../assets/mvds/batch.png" />
-    <br />
-    Figure 2: Delivery without retransmissions in batch mode.
-</p>
+![notification](./images/batch.png)
 
+Figure 2: Delivery without retransmissions in batch mode.
 
 > ***NOTE:** Batch mode is higher bandwidth whereas interactive mode is higher latency.*
 
@@ -124,21 +158,28 @@ Nodes MAY have two modes with which they can send records: `BATCH` and `INTERACT
 
 ### Retransmission
 
-The record of the type `Type` SHOULD be retransmitted every time `Send Epoch` is smaller than or equal to the current epoch.
+The record of the type `Type` SHOULD be retransmitted
+every time `Send Epoch` is smaller than or equal to the current epoch.
 
-`Send Epoch` and `Send Count` MUST be increased every time a record is retransmitted. Although no function is defined on how to increase `Send Epoch`, it SHOULD be exponentially increased until reaching an upper bound where it then goes back to a lower epoch in order to prevent a record's `Send Epoch`'s from becoming too large.
+`Send Epoch` and `Send Count` MUST be increased every time a record is retransmitted.
+Although no function is defined on how to increase `Send Epoch`,
+it SHOULD be exponentially increased until reaching an upper bound
+where it then goes back to a lower epoch in order to
+prevent a record's `Send Epoch`'s from becoming too large.
 
-> ***NOTE:** We do not retransmission `ACK`s as we do not know when they have arrived, therefore we simply resend them every time we receive a `MESSAGE`.*
+> ***NOTE:** We do not retransmission `ACK`s as we do not know when they have arrived,
+therefore we simply resend them every time we receive a `MESSAGE`.*
 
 ## Formal Specification
 
 MVDS has been formally specified using TLA+: <https://github.com/vacp2p/formalities/tree/master/MVDS>.
 
 ## Acknowledgments
- - Preston van Loon
- - Greg Markou
- - Rene Nayman
- - Jacek Sieka
+
+- Preston van Loon
+- Greg Markou
+- Rene Nayman
+- Jacek Sieka
 
 ## Copyright
 

vac/25/libp2p-dns-discovery.md

@@ -7,44 +7,56 @@ editor: Hanno Cornelius <hanno@status.im>
 contributors:
 ---
 
-`25/LIBP2P-DNS-DISCOVERY` specifies a scheme to implement [`libp2p`](https://libp2p.io/) peer discovery via DNS for Waku v2.
-The generalised purpose is to retrieve an arbitrarily long, authenticated, updateable list of [`libp2p` peers](https://docs.libp2p.io/concepts/peer-id/) to bootstrap connection to a `libp2p` network.
-Since [`10/WAKU2`](https://rfc.vac.dev/spec/10/) currently specifies use of [`libp2p` peer identities](https://docs.libp2p.io/concepts/peer-id/),
-this method is suitable for a new Waku v2 node to discover other Waku v2 nodes to connect to.
+`25/LIBP2P-DNS-DISCOVERY` specifies a scheme to implement [`libp2p`](https://libp2p.io/)
+peer discovery via DNS for Waku v2.
+The generalised purpose is to retrieve an arbitrarily long, authenticated,
+updateable list of [`libp2p` peers](https://docs.libp2p.io/concepts/peer-id/)
+to bootstrap connection to a `libp2p` network.
+Since [`10/WAKU2`](../../waku/standards/core/10/waku2.md)
+currently specifies use of [`libp2p` peer identities](https://docs.libp2p.io/concepts/peer-id/),
+this method is suitable for a new Waku v2 node
+to discover other Waku v2 nodes to connect to.
 
 This specification is largely based on [EIP-1459](https://eips.ethereum.org/EIPS/eip-1459),
 with the only deviation being the type of address being encoded (`multiaddr` vs `enr`).
-Also see [this earlier explainer](https://vac.dev/dns-based-discovery) for more background on the suitability of DNS based discovery for Waku v2.
+Also see [this earlier explainer](https://vac.dev/dns-based-discovery)
+for more background on the suitability of DNS based discovery for Waku v2.
 
-# List encoding
+## List encoding
 
 The peer list MUST be encoded as a [Merkle tree](https://www.wikiwand.com/en/Merkle_tree).
-EIP-1459 specifies [the URL scheme](https://eips.ethereum.org/EIPS/eip-1459#specification) to refer to such a DNS node list.
+EIP-1459 specifies [the URL scheme](https://eips.ethereum.org/EIPS/eip-1459#specification)
+to refer to such a DNS node list.
 This specification uses the same approach, but with a `matree` scheme:
 
-```
+```yaml
 matree://<key>@<fqdn>
 ```
 
 where
+
 - `matree` is the selected `multiaddr` Merkle tree scheme
 - `<fqdn>` is the fully qualified domain name on which the list can be found
-- `<key>` is the base32 encoding of the compressed 32-byte binary public key that signed the list.
+- `<key>` is the base32 encoding of the compressed 32-byte binary public key
+that signed the list.
 
 The example URL from EIP-1459, adapted to the above scheme becomes:
 
-```
+```yaml
 matree://AM5FCQLWIZX2QFPNJAP7VUERCCRNGRHWZG3YYHIUV7BVDQ5FDPRT2@peers.example.org
 ```
 
 Each entry within the Merkle tree MUST be contained within a [DNS TXT record](https://www.rfc-editor.org/rfc/rfc1035.txt)
 and stored in a subdomain (except for the base URL `matree` entry).
-The content of any TXT record MUST be small enough to fit into the 512-byte limit imposed on UDP DNS packets,
+The content of any TXT record
+MUST be small enough to fit into the 512-byte limit imposed on UDP DNS packets,
 which limits the number of hashes that can be contained within a branch entry.
-The subdomain name for each entry is the base32 encoding of the abbreviated keccak256 hash of its text content.
-See [this example](https://eips.ethereum.org/EIPS/eip-1459#dns-record-structure) of a fully populated tree for more information.
+The subdomain name for each entry
+is the base32 encoding of the abbreviated keccak256 hash of its text content.
+See [this example](https://eips.ethereum.org/EIPS/eip-1459#dns-record-structure)
+of a fully populated tree for more information.
 
-# Entry types
+## Entry types
 
 The following entry types are derived from [EIP-1459](https://eips.ethereum.org/EIPS/eip-1459)
 and adapted for use with `multiaddrs`:
@@ -53,11 +65,12 @@ and adapted for use with `multiaddrs`:
 
 The tree root entry MUST use the following format:
 
-```
+```yaml
 matree-root:v1 m=<ma-root> l=<link-root> seq=<sequence number> sig=<signature>
 ```
 
 where
+
 - `ma-root` and `link-root` refer to the root hashes of subtrees
 containing `multiaddrs` and links to other subtrees, respectively
 - `sequence-number` is the tree's update sequence number.
@@ -71,11 +84,12 @@ encoded as URL-safe base64
 
 Branch entries MUST take the format:
 
-```
+```yaml
 matree-branch:<h₁>,<h₂>,...,<hₙ>
 ```
 
 where
+
 - `<h₁>,<h₂>,...,<hₙ>` are the hashes of other subtree entries
 
 ## Leaf entries
@@ -87,7 +101,7 @@ There are two types of leaf entries:
 For the subtree pointed to by `link-root`,
 leaf entries MUST take the format:
 
-```
+```yaml
 matree://<key>@<fqdn>
 ```
 
@@ -98,37 +112,42 @@ which links to a different list located in another domain.
 For the subtree pointed to by `ma-root`,
 leaf entries MUST take the format:
 
-```
+```yaml
 ma:<multiaddr>
 ```
 
 which contains the `multiaddr` of a `libp2p` peer.
 
-# Client protocol
+## Client protocol
 
-A client MUST adhere to the [client protocol](https://eips.ethereum.org/EIPS/eip-1459#client-protocol) as specified in EIP-1459,
+A client MUST adhere to the [client protocol](https://eips.ethereum.org/EIPS/eip-1459#client-protocol)
+as specified in EIP-1459,
 and adapted for usage with `multiaddr` entry types below:
 
 To find nodes at a given DNS name a client MUST perform the following steps:
-1. Resolve the TXT record of the DNS name and check whether it contains a valid `matree-root:v1` entry.
+
+1. Resolve the TXT record of the DNS name and
+check whether it contains a valid `matree-root:v1` entry.
 2. Verify the signature on the root against the known public key
-and check whether the sequence number is larger than or equal to any previous number seen for that name.
+and check whether the sequence number is larger than or
+equal to any previous number seen for that name.
 3. Resolve the TXT record of a hash subdomain indicated in the record
 and verify that the content matches the hash.
 4. If the resolved entry is of type:
-	- `matree-branch`: parse the list of hashes and continue resolving them (step 3).
-	- `ma`: import the `multiaddr` and add it to a local list of discovered nodes.
 
-# Copyright
+- `matree-branch`: parse the list of hashes and continue resolving them (step 3).
+- `ma`: import the `multiaddr` and add it to a local list of discovered nodes.
+
+## Copyright
 
 Copyright and related rights waived via
 [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
 
-# References
+## References
 
-1. [`10/WAKU2`](https://rfc.vac.dev/spec/10/)
+1. [`10/WAKU2`](../../waku/standards/core/10/waku2.md)
 1. [EIP-1459: Client Protocol](https://eips.ethereum.org/EIPS/eip-1459#client-protocol)
-1. [EIP-1459: Node Discovery via DNS ](https://eips.ethereum.org/EIPS/eip-1459)
+1. [EIP-1459: Node Discovery via DNS](https://eips.ethereum.org/EIPS/eip-1459)
 1. [`libp2p`](https://libp2p.io/)
 1. [`libp2p` peer identity](https://docs.libp2p.io/concepts/peer-id/)
 1. [Merkle trees](https://www.wikiwand.com/en/Merkle_tree)

vac/3/remote-log.md

@@ -8,7 +8,8 @@ contributors:
   - Dean Eigenmann <dean@status.im>
 ---
 
-A remote log is a replication of a local log. This means a node can read data that originally came from a node that is offline.
+A remote log is a replication of a local log.
+This means a node can read data that originally came from a node that is offline.
 
 This specification is complemented by a proof of concept implementation[^1].
 
@@ -112,7 +113,12 @@ message RemoteLog {
 
 <!-- TODO: Better name for Pair, Mapping? -->
 
-<!-- TODO: Consider making more useful in conjunction with metadata field. It makes sense to explicitly list what sequence a message is <local hash, remote hash, data, seqid> this way I can easily sync a messages prior or after a specific number. To enable this to be dynamic it might make sense to add page info so that I am aware which page I can find seqid on -->
+<!-- TODO: Consider making more useful in conjunction with metadata field.
+It makes sense to explicitly list what sequence a message is <local hash,
+remote hash, data, seqid> this way I can easily sync a messages prior or
+after a specific number.
+To enable this to be dynamic it might make sense to add page info so
+that I am aware which page I can find seqid on -->
 
 ## Synchronization
 
@@ -122,12 +128,13 @@ There are four fundamental roles:
 
 1. Alice
 2. Bob
-2. Name system (NS)
-3. Content-addressed storage (CAS)
+3. Name system (NS)
+4. Content-addressed storage (CAS)
 
 The *remote log* protobuf is what is stored in the name system.
 
-"Bob" can represent anything from 0 to N participants. Unlike Alice, Bob only needs read-only access to NS and CAS.
+"Bob" can represent anything from 0 to N participants. Unlike Alice,
+Bob only needs read-only access to NS and CAS.
 
 <!-- TODO: Document random node as remote log -->
 <!-- TODO: Document how to find initial remote log (e.g. per sync contexts -->
@@ -136,11 +143,7 @@ The *remote log* protobuf is what is stored in the name system.
 
 <!-- diagram -->
 
-<p align="center">
-    <img src="./images/remote-log.png" />
-    <br />
-    Figure 1: Remote log data synchronization.
-</p>
+![notification](./images/remote-log.png)
 
 <!-- Document the flow wrt operations -->
 
@@ -157,7 +160,7 @@ modes:
 
 **Data format:**
 
-```
+```yaml
 | H1_3 | H2_3 |
 | H1_2 | H2_2 |
 | H1_1 | H2_1 |
@@ -177,7 +180,7 @@ A remote log MAY also choose to embed the wire payloads that corresponds to the
 native hash. This bypasses the need for a dedicated CAS and additional
 round-trips, with a trade-off in bandwidth usage.
 
-```
+```yaml
 | H1_3 | | C_3 |
 | H1_2 | | C_2 |
 | H1_1 | | C_1 |
@@ -198,13 +201,16 @@ log. The latter is useful for things like backups on durable storage.
 The pointer to the 'next page' is another remote log entry, at a previous point
 in time.
 
-<!-- TODO: Determine requirement re overlapping, adjacent, and/or missing entries -->
+<!-- TODO: Determine requirement re overlapping, adjacent, 
+and/or missing entries -->
 
 <!-- TODO: Document message ordering append only requirements -->
 
 ### Interaction with MVDS
 
-[vac.mvds.Message](../2/mvds.md/#payloads) payloads are the only payloads that MUST be uploaded. Other messages types MAY be uploaded, depending on the implementation.
+[vac.mvds.Message](../2/mvds.md/#payloads) payloads are the only payloads
+that MUST be uploaded.
+Other messages types MAY be uploaded, depending on the implementation.
 
 ## Acknowledgments
 

vac/32/rln-v1.md

@@ -2,39 +2,57 @@
 slug: 32
 title: 32/RLN-V1
 name: Rate Limit Nullifier
-status: raw
-editor: Rasul Ibragimov <curryrasul@gmail.com>
+status: draft
+editor: Aaryamann Challani <p1ge0nh8er@proton.me>
 contributors:
 - Barry Whitehat <barrywhitehat@protonmail.com>
 - Sanaz Taheri <sanaz@status.im>
 - Oskar Thorén <oskarth@titanproxy.com>
 - Onur Kilic <onurkilic1004@gmail.com>
 - Blagoj Dimovski <blagoj.dimovski@yandex.com>
+- Rasul Ibragimov <curryrasul@gmail.com>
 ---
 
 ## Abstract
 
-The following specification covers the RLN construct as well as some auxiliary libraries useful for interacting with it.
-Rate limiting nullifier (RLN) is a construct based on zero-knowledge proofs that provides an anonymous rate-limited signaling/messaging framework suitable for decentralized (and centralized) environments.
+The following specification covers the RLN construct
+as well as some auxiliary libraries useful for interacting with it.
+Rate limiting nullifier (RLN) is a construct based on zero-knowledge proofs that
+provides an anonymous rate-limited signaling/messaging framework
+suitable for decentralized (and centralized) environments.
 Anonymity refers to the unlinkability of messages to their owner.
 
 ## Motivation
 
-RLN guarantees a messaging rate is enforced cryptographically while preserving the anonymity of the message owners.
-A wide range of applications can benefit from RLN and provide desirable security features.
-For example, an e-voting system can integrate RLN to contain the voting rate while protecting the voters-vote unlinkability.
-Another use case is to protect an anonymous messaging system against DDoS and spam attacks by containing messaging rate of users.
+RLN guarantees a messaging rate is enforced cryptographically
+while preserving the anonymity of the message owners.
+A wide range of applications can benefit from RLN and
+provide desirable security features.
+For example,
+an e-voting system can integrate RLN to contain the voting rate while
+protecting the voters-vote unlinkability.
+Another use case is to protect an anonymous messaging system against DDoS and
+spam attacks by constraining messaging rate of users.
 This latter use case is explained in [17/WAKU2-RLN-RELAY RFC](../../waku/standards/core/17/rln-relay.md).
 
+## Wire Format Specification
 
-## Flow
+The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,
+“SHOULD NOT”, “RECOMMENDED”, “MAY”, and
+“OPTIONAL” in this document are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
 
-The users participate in the protocol by first registering to an application-defined group referred by the _membership group_.
+### Flow
+
+The users participate in the protocol by
+first registering to an application-defined group referred by the _membership group_.
 Registration to the group is mandatory for signaling in the application.
-After registration, group members can generate Zero-knowledge Proof of membership for their signals and can participate in the application.
-Usually, the membership requires a financial or social stake which
-is beneficial for the prevention of Sybil attacks and double-signaling.
-Group members are allowed to send one signal per external nullifier (an identifier that groups signals and can be thought of as a voting booth).
+After registration, group members can generate a zero-knowledge proof of membership
+for their signals and can participate in the application.
+Usually, the membership requires a financial or
+social stake which is beneficial for the prevention
+of inclusion of Sybils within the _membership group_.
+Group members are allowed to send one signal per external nullifier
+(an identifier that groups signals and can be thought of as a voting booth).
 If a user generates more signals than allowed,
 the user risks being slashed - by revealing his membership secret credentials.
 If the financial stake is put in place, the user also risks his stake being taken.
@@ -45,95 +63,118 @@ Generally the flow can be described by the following steps:
 2. Signaling
 3. Verification and slashing
 
+### Registration
 
-## Registration
+Depending on the application requirements,
+the registration can be implemented in different ways, for example:
 
-Depending on the application requirements, the registration can be implemented in different ways, for example:
 - centralized registrations, by using a central server
 - decentralized registrations, by using a smart contract
 
-What is important is that the users' identity commitments (explained in section [User Indetity](#user-identity)) are stored in a Merkle tree,
+The users' identity commitments
+(explained in section [User Identity](#user-identity)) are stored in a Merkle tree,
 and the users can obtain a Merkle proof proving that they are part of the group.
 
 Also depending on the application requirements,
 usually a financial or social stake is introduced.
+An example for financial stake is:
 
-An example for financial stake is: For each registration a certain amount of ETH is required.
-An example for social stake is using InterRep as a registry -
+For each registration a certain amount of ETH is required.
+An example for social stake is using [Interep](https://interep.link/) as a registry,
 users need to prove that they have a highly reputable social media account.
 
-### Implementation notes
+#### Implementation notes
 
-#### User identity
+##### User identity
 
 The user's identity is composed of:
 
-```
+```js
 {
     identity_secret: [identity_nullifier, identity_trapdoor],
     identity_secret_hash: poseidonHash(identity_secret),
     identity_commitment: poseidonHash([identity_secret_hash])
 }
+
 ```
 
-For registration, the user needs to submit their `identity_commitment` (along with any additional registration requirements) to the registry.
-Upon registration, they should receive `leaf_index` value which represents their position in the Merkle tree.
+For registration, the user MUST submit their `identity_commitment`
+(along with any additional registration requirements) to the registry.
+Upon registration, they SHOULD receive `leaf_index` value
+which represents their position in the Merkle tree.
 Receiving a `leaf_index` is not a hard requirement and is application specific.
-The other way around is the users calculating the `leaf_index` themselves upon successful registration.
+The other way around is
+the users calculating the `leaf_index` themselves upon successful registration.
 
-## Signaling
+### Signaling
 
 After registration,
-the users can participate in the application by sending signals to the other participants in a decentralised manner or to a centralised server.
+the users can participate in the application by
+sending signals to the other participants in a decentralised manner or
+to a centralised server.
 Along with their signal,
-they need to generate a ZK-Proof by using the circuit with the specification described above.
+they MUST generate a zero-knowledge proof by
+using the circuit with the specification described above.
 
 For generating a proof,
 the users need to obtain the required parameters or compute them themselves,
-depending on the application implementation and client libraries supported by the application.
-For example the users can store the membership Merkle tree on their end and
+depending on the application implementation and
+client libraries supported by the application.
+For example,
+the users MAY store the membership Merkle tree on their end and
 generate a Merkle proof whenever they want to generate a signal.
 
-### Implementation notes
+#### Implementation Notes
 
-#### Signal hash
+##### Signal hash
 
-The signal hash can be generated by hashing the raw signal (or content) using the `keccak256` hash function.
+The signal hash can be generated by hashing the raw signal (or content)
+using the `keccak256` hash function.
 
-#### External nullifier
+##### External nullifier
 
-The external nullifier MUST be computed as the Poseidon hash of the current epoch (e.g. a value equal to or derived from the current UNIX timestamp divided by the epoch length) and the RLN identifier.
+The external nullifier MUST be computed as the Poseidon hash of the current epoch
+(e.g. a value equal to or
+derived from the current UNIX timestamp divided by the epoch length)
+and the RLN identifier.
+
+```js
+
+external_nullifier = poseidonHash([epoch, rln_identifier]);
 
-```
-external_nullifier = poseidonHash([epoch, rln_identifier])
 ```
 
-####  Obtaining Merkle proof
+##### Obtaining Merkle proof
 
-The Merkle proof should be obtained locally or from a trusted third party.
+The Merkle proof SHOULD be obtained locally or from a trusted third party.
 By using the [incremental Merkle tree algorithm](https://github.com/appliedzkp/incrementalquintree/blob/master/ts/IncrementalQuinTree.ts),
 the Merkle can be obtained by providing the `leaf_index` of the `identity_commitment`.
 The proof (`Merkle_proof`) is composed of the following fields:
 
-```
+```js
+
 {
-    root: bigint
-    indices: number[]
+    root: bigint,
+    indices: number[],
     path_elements: bigint[][]
 }
+
 ```
 
-1. **root** - The root of membership group Merkle tree at the time of publishing the message
-2. **indices** - The index fields of the leafs in the Merkle tree - used by the Merkle tree algorithm for verification
-3. **path_elements** - Auxiliary data structure used for storing the path to the leaf - used by the Merkle proof algorithm for verificaton
+1. **root** - The root of membership group Merkle tree
+at the time of publishing the message
+2. **indices** - The index fields of the leafs in the Merkle tree -
+used by the Merkle tree algorithm for verification
+3. **path_elements** - Auxiliary data structure used for storing the path
+to the leaf - used by the Merkle proof algorithm for verificaton
 
-
-#### Generating proof
+##### Generating proof
 
 For proof generation,
-the user need to submit the following fields to the circuit:
+the user MUST submit the following fields to the circuit:
+
+```js
 
-```
 {
     identity_secret: identity_secret_hash,
     path_elements: Merkle_proof.path_elements,
@@ -141,66 +182,74 @@ the user need to submit the following fields to the circuit:
     x: signal_hash,
     external_nullifier: external_nullifier
 }
+
 ```
 
-
-#### Calculating output
+##### Calculating output
 
 The proof output is calculated locally,
-in order for the required fields for proof verification to be sent along with the proof.
+in order for the required fields for proof verification
+to be sent along with the proof.
 The proof output is composed of the `y` share of the secret equation and the `internal_nullifier`.
-The `internal_nullifier` represents a unique fingerprint of a user for a given `epoch` and app.
+The `internal_nullifier` represents a unique fingerprint of a user
+for a given `epoch` and app.
 The following fields are needed for proof output calculation:
 
-```
+```js
 {
     identity_secret_hash: bigint, 
     external_nullifier: bigint,
-    x: bigint, 
+    x: bigint
 }
+
 ```
 
 The output `[y, internal_nullifier]` is calculated in the following way:
 
-```
-a_0 = identity_secret_hash
-a_1 = poseidonHash([a0, external_nullifier])
+```js
 
-y = a_0 + x * a_1
+a_0 = identity_secret_hash;
+a_1 = poseidonHash([a0, external_nullifier]);
+
+y = a_0 + x * a_1;
+
+internal_nullifier = poseidonHash([a_1]);
 
-internal_nullifier = poseidonHash([a_1])
 ```
 
 It relies on the properties of the [Shamir's Secret sharing scheme](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
 
-#### Sending the output message
+##### Sending the output message
 
 The user's output message (`output_message`),
-containing the signal should contain the following fields at minimum:
+containing the signal SHOULD contain the following fields at minimum:
+
+```js
 
-```
 {
-    signal: signal, # non-hashed signal
+    signal: signal, # non-hashed signal,
     proof: zk_proof,
     internal_nullifier: internal_nullifier,
-    x: x, # signal_hash
+    x: x, # signal_hash,
     y: y,
     rln_identifier: rln_identifier
 }
+
 ```
 
 Additionally depending on the application,
-the following fields might be required:
+the following fields MAY be required:
+
+```js
 
-```
 {
     root: Merkle_proof.root,
     epoch: epoch
 }
+
 ```
 
-
-## Verification and slashing
+### Verification and slashing
 
 The slashing implementation is dependent on the type of application.
 If the application is implemented in a centralised manner,
@@ -209,19 +258,23 @@ the slashing will be implemented only on the server.
 Otherwise if the application is distributed,
 the slashing will be implemented on each user's client.
 
-### Implementation notes
+#### Notes from Implementation
 
-Each user of the protocol (server or otherwise) will need to store metadata for each message received by each user,
+Each user of the protocol
+(server or otherwise) MUST store metadata for each message received by each user,
 for the given `epoch`.
 The data can be deleted when the `epoch` passes.
-Storing metadata is required, so that if a user sends more than one unique signal per `epoch`,
+Storing metadata is REQUIRED,
+so that if a user sends more than one unique signal per `epoch`,
 they can be slashed and removed from the protocol.
-The metadata stored contains the `x`, `y` shares and the `internal_nullifier` for the user for each message.
+The metadata stored contains the `x`, `y` shares and
+the `internal_nullifier` for the user for each message.
 If enough such shares are present, the user's secret can be retreived.
 
 One way of storing received metadata (`messaging_metadata`) is the following format:
 
-```
+```js
+
 {
     [external_nullifier]: {
         [internal_nullifier]: {
@@ -230,33 +283,41 @@ One way of storing received metadata (`messaging_metadata`) is the following for
         }
     }
 }
+
 ```
 
-#### Verification
+##### Verification
 
 The output message verification consists of the following steps:
+
 - `external_nullifier` correctness
 - non-duplicate message check
-- `zk_proof` verification
+- `zk_proof` zero-knowledge proof verification
 - spam verification
 
 **1. `external_nullifier` correctness**
-Upon received `output_message`, first the `epoch` and `rln_identifier` fields are checked,
+Upon received `output_message`,
+first the `epoch` and `rln_identifier` fields are checked,
 to ensure that the message matches the current `external_nullifier`.
-If the `external_nullifier` is correct the verification continues, otherwise, the message is discarded.
+If the `external_nullifier` is correct the verification continues, otherwise,
+the message is discarded.
 
 **2. non-duplicate message check**
 The received message is checked to ensure it is not duplicate.
-The duplicate message check is performed by verifying that the `x` and `y` fields do not exist in the `messaging_metadata` object.
-If the `x` and `y` fields exist in the `x_shares` and `y_shares` array for the `external_nullifier` and
+The duplicate message check is performed by verifying that the `x` and `y`
+fields do not exist in the `messaging_metadata` object.
+If the `x` and `y` fields exist in the `x_shares` and
+`y_shares` array for the `external_nullifier` and
 the `internal_nullifier` the message can be considered as a duplicate.
 Duplicate messages are discarded.
 
 **3. `zk_proof` verification**
 
-The `zk_proof` should be verified by providing the `zk_proof` field to the circuit verifier along with the `public_signal`:
+The `zk_proof` SHOULD be verified by providing the `zk_proof` field
+to the circuit verifier along with the `public_signal`:
+
+```js
 
-```
 [
     y,
     Merkle_proof.root,
@@ -264,44 +325,54 @@ The `zk_proof` should be verified by providing the `zk_proof` field to the circu
     x, # signal_hash
     external_nullifier
 ]
+
 ```
 
 If the proof verification is correct,
 the verification continues, otherwise the message is discarded.
 
 **4. Double signaling verification**
+After the proof is verified the `x`, and
+`y` fields are added to the `x_shares` and `y_shares`
+arrays of the `messaging_metadata` `external_nullifier` and
+`internal_nullifier` object.
+If the length of the arrays is equal to the signaling threshold (`limit`),
+the user can be slashed.
 
-After the proof is verified the `x`, and `y` fields are added to the `x_shares` and `y_shares` arrays of the `messaging_metadata` `external_nullifier` and `internal_nullifier` object.
-If the length of the arrays is equal to the signaling threshold (`limit`), the user can be slashed.
+##### Slashing
 
-#### Slashing
-
-After the verification, the user can be slashed if two different shares are present to reconstruct their `identity_secret_hash` from `x_shares` and `y_shares` fields,
-for their `internal_nullifier`.
+After the verification,
+the user SHOULD be slashed if two different shares are present
+to reconstruct their `identity_secret_hash` from `x_shares` and
+`y_shares` fields, for their `internal_nullifier`.
 The secret can be retreived by the properties of the Shamir's secret sharing scheme.
 In particular the secret (`a_0`) can be retrieved by computing [Lagrange polynomials](https://en.wikipedia.org/wiki/Lagrange_polynomial).
 
 After the secret is retreived,
-the user's `identity_commitment` can be generated from the secret and it can be used for removing the user from the membership Merkle tree (zeroing out the leaf that contains the user's `identity_commitment`).
-Additionally, depending on the application the `identity_secret_hash` can be used for taking the user's provided stake.
+the user's `identity_commitment` SHOULD be generated from the secret and
+it can be used for removing the user from the membership Merkle tree
+(zeroing out the leaf that contains the user's `identity_commitment`).
+Additionally, depending on the application the `identity_secret_hash`
+MAY be used for taking the user's provided stake.
 
-## Technical overview
+### Technical overview
 
-The main RLN construct is implemented using a [ZK-SNARK](https://z.cash/technology/zksnarks/) circuit.
-However, it is helpful to describe the other necessary outside components for interaction with the circuit,
+The main RLN construct is implemented using a
+[ZK-SNARK](https://z.cash/technology/zksnarks/) circuit.
+However, it is helpful to describe
+the other necessary outside components for interaction with the circuit,
 which together with the ZK-SNARK circuit enable the above mentioned features.
 
-
-### Terminology
+#### Terminology
 
 | Term                      | Description                                                                         |
 |---------------------------|-------------------------------------------------------------------------------------|
-| **ZK-SNARK**    | https://z.cash/technology/zksnarks/              |
+| **ZK-SNARK**    | [zksnarks](https://z.cash/technology/zksnarks/)              |
 | **Stake**                 | Financial or social stake required for registering in the RLN applications.  Common stake examples are: locking cryptocurrency (financial), linking reputable social identity. |
 | **Identity secret**       | An array of two unique random components (identity nullifier and identity trapdoor), which must be kept private by the user. Secret hash and identity commitment are derived from this array.        |
 | **Identity nullifier**    | Random 32 byte value used as component for identity secret generation.              |
 | **Identity trapdoor**     | Random 32 byte value used as component for identity secret generation.              |
-| **Identity secret hash**  | The hash of the identity secret, obtained using the Poseidon hash function. It is used for deriving the identity commitment of the user, and as a private input for zk proof generation. The secret hash should be kept private by the user.                            |
+| **Identity secret hash**  | The hash of the identity secret, obtained using the Poseidon hash function. It is used for deriving the identity commitment of the user, and as a private input for zero-knowledge proof generation. The secret hash should be kept private by the user.                            |
 | **Identity commitment**   | Hash obtained from the `Identity secret hash` by using the poseidon hash function. It is used by the users for registering in the protocol.                                       |
 | **Signal**                | The message generated by a user. It is an arbitrary bit string that may represent a chat message, a URL request, protobuf message, etc. |
 | **Signal hash**           | Keccak256 hash of the signal modulo circuit's field characteristic, used as an input in the RLN circuit. |
@@ -309,8 +380,7 @@ which together with the ZK-SNARK circuit enable the above mentioned features.
 | **RLN membership tree**   | Merkle tree data structure, filled with identity commitments of the users. Serves as a data structure that ensures user registrations.   |
 | **Merkle proof**          | Proof that a user is member of the RLN membership tree.    |
 
-
-### RLN ZK-Circuit specific terms
+#### RLN Zero-Knowledge Circuit specific terms
 
 | Term           | Description                                                       |
 |---------------------------|-------------------------------------------------------------------------------------|
@@ -321,49 +391,56 @@ which together with the ZK-SNARK circuit enable the above mentioned features.
 | **External nullifier**    | Poseidon hash of [Epoch, RLN Identifier]. An identifier that groups signals and can be thought of as a voting booth.  |
 | **Internal nullifier**    | Poseidon hash of [A1]. This field ensures that a user can send only one valid signal per external nullifier without risking being slashed. Public input of the circuit.   |
 
+#### Zero-Knowledge Circuits specification
 
-
-### ZK Circuits specification
-
-Anonymous signaling with a controlled rate limit is enabled by proving that the user is part of a group which has high barriers to entry (form of stake) and
+Anonymous signaling with a controlled rate limit
+is enabled by proving that the user is part of a group
+which has high barriers to entry (form of stake) and
 enabling secret reveal if more than 1 unique signal is produced per external nullifier.
-The membership part is implemented using membership [Merkle trees](https://en.wikipedia.org/wiki/Merkle_tree) and Merkle proofs,
+The membership part is implemented using
+membership [Merkle trees](https://en.wikipedia.org/wiki/Merkle_tree) and Merkle proofs,
 while the secret reveal part is enabled by using the Shamir's Secret Sharing scheme.
-Essentially the protocol requires the users to generate zero-knowledge proof to be able to send signals and participate in the application.
+Essentially the protocol requires the users to generate zero-knowledge proof
+to be able to send signals and
+participate in the application.
 The zero knowledge proof proves that the user is member of a group,
-but also enforces the user to share part of their secret for each signal in an external nullifier.
+but also enforces the user to share part of their secret
+for each signal in an external nullifier.
 The external nullifier is usually represented by timestamp or a time interval.
 It can also be thought of as a voting booth in voting applications.
 
-The ZK Circuit is implemented using a [Groth-16 ZK-SNARK](https://eprint.iacr.org/2016/260.pdf),
+The zero-knowledge Circuit is implemented using a [Groth-16 ZK-SNARK](https://eprint.iacr.org/2016/260.pdf),
 using the [circomlib](https://docs.circom.io/) library.
 
-
-#### System parameters
+##### System parameters
 
 - `DEPTH` - Merkle tree depth
 
+##### Circuit parameters
 
-#### Circuit parameters
+###### Public Inputs
 
-**Public Inputs**
 - `x`
 - `external_nullifier`
 
-**Private Inputs**
-* `identity_secret_hash`
-* `path_elements` - rln membership proof component
-* `identity_path_index` - rln membership proof component
+###### Private Inputs
+
+- `identity_secret_hash`
+- `path_elements` - rln membership proof component
+- `identity_path_index` - rln membership proof component
+
+###### Outputs
 
-**Outputs**
 - `y`
 - `root` - the rln membership tree root
 - `internal_nullifier`
 
-#### Hash function
+##### Hash function
 
-Canonical [Poseidon hash implementation](https://eprint.iacr.org/2019/458.pdf) is used,
-as implemented in the [circomlib library](https://github.com/iden3/circomlib/blob/master/circuits/poseidon.circom), according to the Poseidon paper.
+Canonical [Poseidon hash implementation](https://eprint.iacr.org/2019/458.pdf)
+is used,
+as implemented in the [circomlib library](https://github.com/iden3/circomlib/blob/master/circuits/poseidon.circom),
+according to the Poseidon paper.
 This Poseidon hash version (canonical implementation) uses the following parameters:
 
 | Hash inputs | `t` | `RF` | `RP`|
@@ -376,56 +453,72 @@ This Poseidon hash version (canonical implementation) uses the following paramet
 |6 | 7 | 8 | 63|
 |7 | 8 | 8 | 64|
 |8 | 9 | 8 | 63|
- 
 
-#### Membership implementation
+##### Membership implementation
 
-For a valid signal, a user's `identity_commitment` (more on identity commitments below) must exist in identity membership tree.
+For a valid signal, a user's `identity_commitment`
+(more on identity commitments below) must exist in identity membership tree.
 Membership is proven by providing a membership proof (witness).
-The fields from the membership proof required for the verification are:
+The fields from the membership proof REQUIRED for the verification are:
 `path_elements` and `identity_path_index`.
 
-[IncrementalQuinTree](https://github.com/appliedzkp/incrementalquintree) algorithm is used for constructing the Membership Merkle tree.
+[IncrementalQuinTree](https://github.com/appliedzkp/incrementalquintree)
+algorithm is used for constructing the Membership Merkle tree.
 The circuits are reused from this repository.
 You can find out more details about the IncrementalQuinTree algorithm [here](https://ethresear.ch/t/gas-and-circuit-constraint-benchmarks-of-binary-and-quinary-incremental-Merkle-trees-using-the-poseidon-hash-function/7446).
 
-### Slashing and Shamir's Secret Sharing
+#### Slashing and Shamir's Secret Sharing
 
 Slashing is enabled by using polynomials and [Shamir's Secret sharing](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
-In order to produce a valid proof, `identity_secret_hash` as a private input to the circuit.
+In order to produce a valid proof,
+`identity_secret_hash` as a private input to the circuit.
 Then a secret equation is created in the form of:
 
-```
-y = a_0 + x * a_1,
+```js
+
+y = a_0 + x * a_1;
+
 ```
 
 where `a_0` is the `identity_secret_hash` and `a_1 = hash(a_0, external nullifier)`.
 Along with the generated proof,
-the users need to provide a `(x, y)` share which satisfies the line equation,
+the users MUST provide a `(x, y)` share which satisfies the line equation,
 in order for their proof to be verified.
 `x` is the hashed signal, while the `y` is the circuit output.
-With more than one pair of unique shares, anyone can derive `a_0`, i.e. the `identity_secret_hash` .
+With more than one pair of unique shares, anyone can derive `a_0`, i.e. the `identity_secret_hash`.
 The hash of a signal will be the evaluation point `x`.
-In this way, a member who sends more than one unique signal per `external_nullifier` risks their identity secret being revealed.
+In this way,
+a member who sends more than one unique signal per `external_nullifier`
+risks their identity secret being revealed.
 
-Note that shares used in different epochs and different RLN apps cannot be used to derive the identity secret hash.
+Note that shares used in different epochs and
+different RLN apps cannot be used to derive the `identity_secret_hash`.
 
-Thanks to the `external_nullifier` definition, also shares computed from same secret within same epoch but in different RLN apps cannot be used to derive the identity secret hash.
+Thanks to the `external_nullifier` definition,
+also shares computed from same secret within same epoch but
+in different RLN apps cannot be used to derive the identity secret hash.
 
-The `rln_identifier` is a random value from a finite field,
-unique per RLN app,
-and is used for additional cross-application security - to protect the user secrets being compromised if they use the same credentials accross different RLN apps.
+The `rln_identifier` is a random value from a finite field, unique per RLN app,
+and is used for additional cross-application security -
+to protect the user secrets being compromised if they use
+the same credentials accross different RLN apps.
 If `rln_identifier` is not present,
-the user uses the same credentials and sends a different message for two different RLN apps using the same `external_nullifier`,
-then their user signals can be grouped by the `internal_nullifier` which could lead the user's secret revealed.
-This is because two separate signals under the same `internal_nullifier` can be treated as rate limiting violation.
+the user uses the same credentials and
+sends a different message for two different RLN apps using the same `external_nullifier`,
+then their user signals can be grouped by the `internal_nullifier`
+which could lead the user's secret revealed.
+This is because two separate signals under the same `internal_nullifier`
+can be treated as rate limiting violation.
 With adding the `rln_identifier` field we obscure the `internal_nullifier`,
-so this kind of attack can be hardened because we don't have the same `internal_nullifier` anymore.
+so this kind of attack can be hardened because
+we don't have the same `internal_nullifier` anymore.
 
-### Identity credentials generation
+#### Identity credentials generation
 
-In order to be able to generate valid proofs, the users need to be part of the identity membership Merkle tree.
-They are part of the identity membership Merkle tree if their `identity_commitment` is placed in a leaf in the tree.
+In order to be able to generate valid proofs,
+the users MUST be part of the identity membership Merkle tree.
+They are part of the identity membership Merkle tree if
+their `identity_commitment` is placed in a leaf in the tree.
 
 The identity credentials of a user are composed of:
 
@@ -433,132 +526,164 @@ The identity credentials of a user are composed of:
 - `identity_secret_hash`
 - `identity_commitment`
 
-#### `identity_secret`
+##### `identity_secret`
 
 The `identity_secret` is generated in the following way:
 
-```
-identity_nullifier = random_32_byte_buffer
-identity_trapdoor = random_32_byte_buffer
-identity_secret = [identity_nullifier, identity_trapdoor]
-```
+```js
 
-The same secret should not be used accross different protocols,
-because revealing the secret at one protocol could break privacy for the user in the other protocols.
-
-#### `identity_secret_hash`
-
-The `identity_secret_hash` is generated by obtaining a Poseidon hash of the `identity_secret` array:
+identity_nullifier = random_32_byte_buffer;
+identity_trapdoor = random_32_byte_buffer;
+identity_secret = [identity_nullifier, identity_trapdoor];
 
 ```
-identity_secret_hash = poseidonHash(identity_secret)
+
+The same secret SHOULD NOT be used accross different protocols,
+because revealing the secret at one protocol
+could break privacy for the user in the other protocols.
+
+##### `identity_secret_hash`
+
+The `identity_secret_hash` is generated by obtaining a Poseidon hash
+of the `identity_secret` array:
+
+```js
+
+identity_secret_hash = poseidonHash(identity_secret);
+
 ```
 
-#### `identity_commitment`
+##### `identity_commitment`
 
 The `identity_commitment` is generated by obtaining a Poseidon hash of the `identity_secret_hash`:
 
-```
-identity_commitment = poseidonHash([identity_secret_hash])
+```js
+
+identity_commitment = poseidonHash([identity_secret_hash]);
+
 ```
 
+### Appendix A: Security Considerations
 
-## Appendix A: Security considerations
-
-RLN is an experimental and still un-audited technology. This means that the circuits have not been yet audited.
+RLN is an experimental and still un-audited technology.
+This means that the circuits have not been yet audited.
 Another consideration is the security of the underlying primitives.
 zk-SNARKS require a trusted setup for generating a prover and verifier keys.
-The standard for this is to use trusted [Multi-Party Computation (MPC)](https://en.wikipedia.org/wiki/Secure_multi-party_computation) ceremony,
-which requires two phases.
+The standard for this is to use trusted
+[Multi-Party Computation (MPC)](https://en.wikipedia.org/wiki/Secure_multi-party_computation)
+ ceremony, which requires two phases.
 Trusted MPC ceremony has not yet been performed for the RLN circuits.
 
-### SSS security assumptions
+#### SSS Security Assumptions
 
-Shamir-Secret Sharing requires polynomial coefficients to be independent of each other.
-However, `a_1` depends on `a_0` through the Poseidon hash algorithm. 
-Due to the design of Poseidon, it is possible to [attack](https://github.com/Rate-Limiting-Nullifier/rln-circuits/pull/7#issuecomment-1416085627) the protocol.  
-It was decided *not* to change the circuits design, since at the moment the attack is infeasible. Therefore, implementers must be aware that the current version provides approximately 160-bit security and not 254. 
+Shamir-Secret Sharing requires polynomial coefficients
+to be independent of each other.
+However, `a_1` depends on `a_0` through the Poseidon hash algorithm.
+Due to the design of Poseidon,
+it is possible to
+[attack](https://github.com/Rate-Limiting-Nullifier/rln-circuits/pull/7#issuecomment-1416085627)
+the protocol.  
+It was decided _not_ to change the circuits design,
+since at the moment the attack is infeasible.
+Therefore, implementers must be aware that the current version
+provides approximately 160-bit security and not 254.
 Possible improvements:
-* [change the circuit](https://github.com/Rate-Limiting-Nullifier/rln-circuits/pull/7#issuecomment-1416085627) to make coefficients independent;
-* switch to other hash function (Keccak, SHA);
 
-## Appendix B: Identity scheme choice
+- [change the circuit](https://github.com/Rate-Limiting-Nullifier/rln-circuits/pull/7#issuecomment-1416085627)
+to make coefficients independent;
+- switch to other hash function (Keccak, SHA);
 
-The hashing scheme used is based on the design decisions which also include the Semaphore circuits.
+### Appendix B: Identity Scheme Choice
+
+The hashing scheme used is based on the design decisions
+which also include the Semaphore circuits.
 Our goal was to ensure compatibility of the secrets for apps that use Semaphore and
 RLN circuits while also not compromising on security because of using the same secrets.
 
-For example let's say there is a voting app that uses Semaphore,
+For example, let's say there is a voting app that uses Semaphore,
 and also a chat app that uses RLN.
-The UX would be better if the users would not need to care about complicated identity management (secrets and commitments) t
-hey use for each app, and it would be much better if they could use a single id commitment for this.
+The UX would be better if
+the users would not need to care about complicated identity management
+(secrets and commitments) they use for each app,
+and it would be much better if they could use a single id commitment for this.
 Also in some cases these kind of dependency is required -
 RLN chat app using Interep as a registry (instead of using financial stake).
-One potential concern about this interoperability is a slashed user on the RLN app side
-having their security compromised on the semaphore side apps as well.
-I.e obtaining the user's secret, anyone would be able to generate valid semaphore proofs as the slashed user.
-We don't want that, and we should keep user's app specific security threats in the domain of that app alone.
+One potential concern about this interoperability is a slashed user
+on the RLN app side having their security compromised
+on the semaphore side apps as well.
+i.e. obtaining the user's secret,
+anyone would be able to generate valid semaphore proofs as the slashed user.
+We don't want that,
+and we should keep user's app specific security threats
+in the domain of that app alone.
 
-To achieve the above interoperability UX while preventing the shared app security model
+To achieve the above interoperability UX
+while preventing the shared app security model
 (i.e slashing user on an RLN app having impact on Semaphore apps),
 we had to do the follow in regard the identity secret and identity commitment:
 
-```
-identity_secret = [identity_nullifier, identity_trapdoor]
-identity_secret_hash = poseidonHash(identity_secret)
-identity_commitment = poseidonHash([identity_secret_hash])
+```js
+
+identity_secret = [identity_nullifier, identity_trapdoor];
+identity_secret_hash = poseidonHash(identity_secret);
+identity_commitment = poseidonHash([identity_secret_hash]);
+
 ```
 
 Secret components for generating Semaphore proof:
 
-```
-identity_nullifier
-identity_trapdoor
-```
+- `identity_nullifier`
+- `identity_trapdoor`
 
 Secret components for generting RLN proof:
 
-```
-identity_secret_hash
-```
+- `identity_secret_hash`
 
-When a user is slashed on the RLN app side, their identity secret hash is revealed.
-However a semaphore proof can't be generated because we do not know the user's nullifier and trapdoor.
+When a user is slashed on the RLN app side, their `identity_secret_hash` is revealed.
+However, a semaphore proof can't be generated because
+we do not know the user's `identity_nullifier` and `identity_trapdoor`.
 
 With this design we achieve:
 
-identity commitment (Semaphore) == identity commitment (RLN)
+`identity_commitment` (Semaphore) == `identity_commitment` (RLN)
 secret (semaphore) != secret (RLN).
 
-This is the only option we had for the scheme in order to satisfy the properties described above.
+This is the only option we had for the scheme
+in order to satisfy the properties described above.
 
-Also for RLN we do a single secret component input for the circuit.
+Also, for RLN we do a single secret component input for the circuit.
 Thus we need to hash the secret array (two components) to a secret hash,
 and we use that as a secret component input.
 
-## Appendix C: Auxiliary tooling
+### Appendix C: Auxiliary Tooling
 
-There are few additional tools implemented for easier integrations and usage of the RLN protocol.
+There are few additional tools implemented for easier integrations and
+usage of the RLN protocol.
 
-[`zerokit`](https://github.com/vacp2p/zerokit) is a set of Zero Knowledge modules, written in Rust and designed to be used in many different environments.
+[`zerokit`](https://github.com/vacp2p/zerokit) is a set of Zero Knowledge modules,
+written in Rust and designed to be used in many different environments.
 Among different modules, it supports `Semaphore` and `RLN`.
 
-[`zk-kit`](https://github.com/appliedzkp/zk-kit) is a typescript library which exposes APIs for identity credentials generation,
+[`zk-kit`](https://github.com/appliedzkp/zk-kit)
+is a typescript library which exposes APIs for identity credentials generation,
 as well as proof generation.
 It supports various protocols (`Semaphore`, `RLN`).
 
-[`zk-keeper`](https://github.com/akinovak/zk-keeper) is a browser plugin which allows for safe credential storing and proof generation.
-You can think of MetaMask for ZK-Proofs.
+[`zk-keeper`](https://github.com/akinovak/zk-keeper)
+is a browser plugin which allows for safe credential storing and
+proof generation.
+You can think of MetaMask for zero-knowledge proofs.
 It uses `zk-kit` under the hood.
 
-## Appendix D: Example usage
+### Appendix D: Example Usage
 
 The following examples are code snippets using the `zerokit` RLN module.
 The examples are written in [rust](https://www.rust-lang.org/).
 
-### Creating a RLN object
+#### Creating a RLN Object
 
 ```rust
+
 use rln::protocol::*;
 use rln::public::*;
 use std::io::Cursor;
@@ -569,42 +694,50 @@ let tree_height = 20;
 let resources = Cursor::new("../zerokit/rln/resources/tree_height_20/");
 // We create a new RLN instance
 let mut rln = RLN::new(tree_height, resources);
+
 ```
 
-### Generating identity credentials
+#### Generating Identity Credentials
 
 ```rust
+
 // We generate an identity tuple
 let mut buffer = Cursor::new(Vec::<u8>::new());
 rln.extended_key_gen(&mut buffer).unwrap();
 // We deserialize the keygen output to obtain
 // the identiy_secret and id_commitment
 let (identity_trapdoor, identity_nullifier, identity_secret_hash, id_commitment) = deserialize_identity_tuple(buffer.into_inner());
+
 ```
 
-### Adding ID commitment to the RLN Merkle tree
+#### Adding ID Commitment to the RLN Merkle Tree
 
 ```rust
+
 // We define the tree index where id_commitment will be added
 let id_index = 10;
 // We serialize id_commitment and pass it to set_leaf
 let mut buffer = Cursor::new(serialize_field_element(id_commitment));
 rln.set_leaf(id_index, &mut buffer).unwrap();
+
 ```
 
-### Setting epoch and signal
+#### Setting Epoch and Signal
 
 ```rust
+
 // We generate epoch from a date seed and we ensure is
 // mapped to a field element by hashing-to-field its content
 let epoch = hash_to_field(b"Today at noon, this year");
 // We set our signal 
 let signal = b"RLN is awesome";
+
 ```
 
-### Generating proof
+#### Generating Proof
 
 ```rust
+
 // We prepare input to the proof generation routine
 let proof_input = prepare_prove_input(identity_secret, id_index, epoch, signal);
 // We generate a RLN proof for proof_input
@@ -614,21 +747,25 @@ rln.generate_rln_proof(&mut in_buffer, &mut out_buffer)
     .unwrap();
 // We get the public outputs returned by the circuit evaluation
 let proof_data = out_buffer.into_inner();
+
 ```
 
-### Verifiying proof
+#### Verifiying Proof
 
 ```rust
+
 // We prepare input to the proof verification routine
 let verify_data = prepare_verify_input(proof_data, signal);
-// We verify the zk-proof against the provided proof values
+// We verify the zero-knowledge proof against the provided proof values
 let mut in_buffer = Cursor::new(verify_data);
 let verified = rln.verify(&mut in_buffer).unwrap();
 // We ensure the proof is valid
 assert!(verified);
+
 ```
 
-For more details please visit the [`zerokit`](https://github.com/vacp2p/zerokit) library.
+For more details please visit the
+[`zerokit`](https://github.com/vacp2p/zerokit) library.
 
 ## Copyright
 
@@ -636,17 +773,29 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
 
 ## References
 
-- [1] https://medium.com/privacy-scaling-explorations/rate-limiting-nullifier-a-spam-protection-mechanism-for-anonymous-environments-bbe4006a57d
-- [2] https://github.com/appliedzkp/zk-kit
-- [3] https://github.com/akinovak/zk-keeper
-- [4] https://z.cash/technology/zksnarks/
-- [5] https://en.wikipedia.org/wiki/Merkle_tree
-- [6] https://eprint.iacr.org/2016/260.pdf
-- [7] https://docs.circom.io/
-- [8] https://eprint.iacr.org/2019/458.pdf
-- [9] https://github.com/appliedzkp/incrementalquintree
-- [10] https://ethresear.ch/t/gas-and-circuit-constraint-benchmarks-of-binary-and-quinary-incremental-merkle-trees-using-the-poseidon-hash-function/7446
-- [11] https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
-- [12] https://research.nccgroup.com/2020/06/24/security-considerations-of-zk-snark-parameter-multi-party-computation/
-- [13] https://github.com/Rate-Limiting-Nullifier/rln-circuits/
-- [14] https://rate-limiting-nullifier.github.io/rln-docs/
+- [17/WAKU2-RLN-RELAY RFC](../../waku/standards/core/17/rln-relay.md)
+- [Interep](https://interep.link/)
+- [incremental Merkle tree algorithm](https://github.com/appliedzkp/incrementalquintree/blob/master/ts/IncrementalQuinTree.ts)
+- [Shamir's Secret sharing scheme](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing)
+- [Lagrange polynomials](https://en.wikipedia.org/wiki/Lagrange_polynomial)
+- [ZK-SNARK](https://z.cash/technology/zksnarks/)
+- [Merkle trees](https://en.wikipedia.org/wiki/Merkle_tree)
+- [Groth-16 ZK-SNARK](https://eprint.iacr.org/2016/260.pdf)
+- [circomlib](https://docs.circom.io/)
+- [Poseidon hash implementation](https://eprint.iacr.org/2019/458.pdf)
+- [circomlib library](https://github.com/iden3/circomlib/blob/master/circuits/poseidon.circom)
+- [IncrementalQuinTree](https://github.com/appliedzkp/incrementalquintree)
+- [IncrementalQuinTree algorithm](https://ethresear.ch/t/gas-and-circuit-constraint-benchmarks-of-binary-and-quinary-incremental-Merkle-trees-using-the-poseidon-hash-function/7446)
+- [Multi-Party Computation (MPC)](https://en.wikipedia.org/wiki/Secure_multi-party_computation)
+- [Poseidon hash attack](https://github.com/Rate-Limiting-Nullifier/rln-circuits/pull/7#issuecomment-1416085627)
+- [zerokit](https://github.com/vacp2p/zerokit)
+- [zk-kit](https://github.com/appliedzkp/zk-kit)
+- [zk-keeper](https://github.com/akinovak/zk-keeper)
+- [rust](https://www.rust-lang.org/)
+
+### Informative
+
+- [1] [privacy-scaling-explorations](https://medium.com/privacy-scaling-explorations/rate-limiting-nullifier-a-spam-protection-mechanism-for-anonymous-environments-bbe4006a57d)
+- [2] [security-considerations-of-zk-snark-parameter-multi-party-computation](https://research.nccgroup.com/2020/06/24/)security-considerations-of-zk-snark-parameter-multi-party-computation/
+- [3] [rln-circuits](https://github.com/Rate-Limiting-Nullifier/rln-circuits/)
+- [4] [rln docs](https://rate-limiting-nullifier.github.io/rln-docs/)

vac/4/mvds-meta.md

@@ -10,15 +10,22 @@ contributors:
   - Oskar Thorén <oskarth@titanproxy.com>
 ---
 
-In this specification, we describe a method to construct message history that will aid the consistency guarantees of [2/MVDS](../2/mvds.md). Additionally, we explain how data sync can be used for more lightweight messages that do not require full synchronization.
+In this specification, we describe a method to construct message history that
+will aid the consistency guarantees of [2/MVDS](../2/mvds.md).
+Additionally,
+we explain how data sync can be used for more lightweight messages that
+do not require full synchronization.
 
 ## Motivation
 
-In order for more efficient synchronization of conversational messages, information should be provided allowing a node to more effectively synchronize the dependencies for any given message.
+In order for more efficient synchronization of conversational messages,
+information should be provided allowing a node to more effectively synchronize
+the dependencies for any given message.
 
 ## Format
 
-We introduce the metadata message which is used to convey information about a message and how it SHOULD be handled.
+We introduce the metadata message which is used to convey information about a message
+and how it SHOULD be handled.
 
 ```protobuf
 package vac.mvds;
@@ -29,7 +36,8 @@ message Metadata {
 }
 ```
 
-Nodes MAY transmit a `Metadata` message by extending the MVDS [message](../2/mvds.md/#payloads) with a `metadata` field.
+Nodes MAY transmit a `Metadata` message by extending the MVDS [message](../2/mvds.md/#payloads)
+with a `metadata` field.
 
 ```diff
 message Message {
@@ -44,37 +52,53 @@ message Message {
 
 | Name                   |   Description                                                                                                                    |
 | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
-| `parents`               |   list of parent [`message identifier`s](../2/mvds.md/#payloads) for the specific message. |            
+| `parents`               |   list of parent [`message identifier`s](../2/mvds.md/#payloads) for the specific message. |
 | `ephemeral`         |   indicates whether a message is ephemeral or not.                                                             |
 
 ## Usage
 
 ### `parents`
 
-This field contains a list of parent [`message identifier`s](../2/mvds.md/#payloads) for the specific message. It MUST NOT contain any messages as parent whose `ack` flag was set to `false`. This establishes a directed acyclic graph (DAG)[^2] of persistent messages.
+This field contains a list of parent [`message identifier`s](../2/mvds.md/#payloads)
+for the specific message.
+It MUST NOT contain any messages as parent whose `ack` flag was set to `false`.
+This establishes a directed acyclic graph (DAG)[^2] of persistent messages.
 
-Nodes MAY buffer messages until dependencies are satisfied for causal consistency[^3], they MAY also pass the messages straight away for eventual consistency[^4].
+Nodes MAY buffer messages until dependencies are satisfied for causal consistency[^3],
+they MAY also pass the messages straight away for eventual consistency[^4].
 
-A parent is any message before a new message that a node is aware of that has no children.
+A parent is any message before a new message that
+a node is aware of that has no children.
 
-The number of parents for a given message is bound by [0, N], where N is the number of nodes participating in the conversation, therefore the space requirements for the `parents` field is O(N).
+The number of parents for a given message is bound by [0, N],
+where N is the number of nodes participating in the conversation,
+therefore the space requirements for the `parents` field is O(N).
 
-If a message has no parents it is considered a root. There can be multiple roots, which might be disconnected, giving rise to multiple DAGs.
+If a message has no parents it is considered a root.
+There can be multiple roots, which might be disconnected,
+giving rise to multiple DAGs.
 
 ### `ephemeral`
 
-When the `ephemeral` flag is set to `false`, a node MUST send an acknowledgment when they have received and processed a message. If it is set to `true`, it SHOULD NOT send any acknowledgment. The flag is `false` by default.
+When the `ephemeral` flag is set to `false`,
+a node MUST send an acknowledgment when they have received and processed a message.
+If it is set to `true`, it SHOULD NOT send any acknowledgment.
+The flag is `false` by default.
 
-Nodes MAY decide to not persist ephemeral messages, however they MUST NOT be shared as part of the message history.
+Nodes MAY decide to not persist ephemeral messages,
+however they MUST NOT be shared as part of the message history.
 
-Nodes SHOULD send ephemeral messages in batch mode. As their delivery is not needed to be guaranteed.
+Nodes SHOULD send ephemeral messages in batch mode.
+As their delivery is not needed to be guaranteed.
 
 ## Copyright
 
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
 
 ## Footnotes
-[^1]: [2/MVDS](../2/mvds.md)
-[^2]: <https://en.wikipedia.org/wiki/Directed_acyclic_graph>
-[^3]: Jepsen. [Causal Consistency](https://jepsen.io/consistency/models/causal). Jepsen, LLC.
-[^4]: <https://en.wikipedia.org/wiki/Eventual_consistency>
+
+1: [2/MVDS](../2/mvds.md)
+2: [directed_acyclic_graph](https://en.wikipedia.org/wiki/Directed_acyclic_graph)
+3: Jepsen. [Causal Consistency](https://jepsen.io/consistency/models/causal)
+Jepsen, LLC.
+4: <https://en.wikipedia.org/wiki/Eventual_consistency>

vac/48/rln-interep-spec.md

@@ -1,109 +0,0 @@
----
-slug: 48
-title: 48/RLN-INTEREP-SPEC
-name: Interep as group management for RLN
-status: raw
-category:  
-tags: rln
-editor: Aaryamann Challani <aaryamann@status.im>
-contributors:
----
-
-## Abstract
-
-This spec integrates [Interep](https://interep.link) into the [RLN](../32/rln-v1.md) spec. 
-Interep is a group management protocol that allows for the creation of groups of users and the management of their membership. 
-It is used to manage the membership of the RLN group.
-
-Interep ties in web2 identities with reputation, and sorts the users into groups based on their reputation score.
-For example, a GitHub user with over 100 followers is considered to have "gold" reputation.
-
-Interep uses [Semaphore](https://semaphore.appliedzkp.org/) under the hood to allow anonymous signaling of membership in a group.
-Therefore, a user with a "gold" reputation can prove the existence of their membership without revealing their identity.
-
-RLN is used for spam prevention, and Interep is used for group management.
-
-By using Interep with RLN, we allow users to join RLN membership groups without the need for on-chain financial stake.
-
-## Motivation
-
-To have Sybil-Resistant group management, there are [implementations](https://github.com/vacp2p/rln-contract) of RLN which make use of financial stake on-chain.
-However, this is not ideal because it reduces the barrier of entry for honest participants.
-
-In this case, honest participants will most likely have a web2 identity accessible to them, which can be used for joining an Interep reputation group.
-By modifying the RLN spec to use Interep, we can have Sybil-Resistant group management without the need for on-chain financial stake.
-
-Since RLN and Interep both use Semaphore-style credentials, it is possible to use the same set of credentials for both.
-
-## Functional Operation
-
-Using Interep with RLN involves the following steps -
-
-1. Generate Semaphore credentials 
-2. Verify reputation and join Interep group
-3. Join RLN membership group via interaction with Smart Contract, by passing a proof of membership to the Interep group
-
-### 1. Generate Semaphore credentials
-
-Semaphore credentials are generated in a standard way, depicted in the [Semaphore documentation](https://semaphore.appliedzkp.org/docs/guides/identities#create-deterministic-identities).
-
-### 2. Verify reputation and join Interep group
-
-Using the Interep app deployed on [Goerli](https://goerli.interep.link/), the user can check their reputation tier and join the corresponding group.
-This results in a transaction to the Interep contract, which adds them to the group.
-
-### 3. Join RLN membership group
-
-Instead of sending funds to the RLN contract to join the membership group, the user can send a proof of membership to the Interep group.
-This proof is generated by the user, and is verified by the contract.
-The contract ensures that the user is a member of the Interep group, and then adds them to the RLN membership group.
-
-Following is the modified signature of the register function in the RLN contract -
-
-```solidity
-    /// @param groupId: Id of the group.
-    /// @param signal: Semaphore signal.
-    /// @param nullifierHash: Nullifier hash.
-    /// @param externalNullifier: External nullifier.
-    /// @param proof: Zero-knowledge proof.
-    /// @param idCommitment: ID Commitment of the member.
-    function register(
-        uint256 groupId,
-        bytes32 signal,
-        uint256 nullifierHash,
-        uint256 externalNullifier,
-        uint256[8] calldata proof,
-        uint256 idCommitment
-    )
-```
-
-## Verification of messages
-
-Messages are verified the same way as in the [RLN spec](../32/rln-v1.md/#verification).
-
-## Slashing
-
-The slashing mechanism is the same as in the [RLN spec](../32/rln-v1.md/#slashing).
-It is important to note that the slashing may not have the intended effect on the user, since the only consequence is that they cannot send messages.
-This is due to the fact that the user can send a identity commitment in the registration to the RLN contract, which is different than the one used in the Interep group.
-
-## Proof of Concept
-
-A proof of concept is available at [vacp2p/rln-interp-contract](https://github.com/vacp2p/rln-interep-contract) which integrates Interep with RLN.
-
-## Security Considerations
-
-1. As mentioned in [Slashing](#slashing), the slashing mechanism may not have the intended effect on the user.
-2. This spec inherits the security considerations of the [RLN spec](../32/rln-v1.md/#security-considerations).
-3. This spec inherits the security considerations of [Interep](https://docs.interep.link/).
-4. A user may make multiple registrations using the same Interep proofs but different identity commitments. The way to mitigate this is to check if the nullifier hash has been detected previously in proof verification.
-
-## References
-
-1. [RLN spec](../32/rln-v1.md)
-2. [Interep](https://interep.link)
-3. [Semaphore](https://semaphore.appliedzkp.org/)
-4. [Decentralized cloudflare using Interep](https://ethresear.ch/t/decentralised-cloudflare-using-rln-and-rich-user-identities/10774)
-5. [Interep contracts](https://github.com/interep-project/contracts)
-6. [RLN contract](https://github.com/vacp2p/rln-contract)
-7. [RLNP2P](https://rlnp2p.vac.dev/)

vac/70/eth-secpm.md

@@ -1,235 +0,0 @@
----
-slug: 70
-title: 70/ETH-SECPM
-name: Private 1:1 messages over Ethereum
-status: raw
-category: Standards Track
-tags:
-editor: Ramses Fernandez <ramses@status.im>
-contributors:
----
-
-## Abstract
-This document specifies an Ethereum-based private messaging service. 
-This proposal is built upon this [model](../../waku/standards/application/20/toy-eth-pm.md) and 
-amends the limitations of the latter concerning forward privacy and authentication. 
-The document is still work in progress. 
-Next steps will include a description of how to implement the different functions and algorithms in terms of the Noise framework.
-
-## Background
-
-Alice wants to send an encrypted message to Bob. 
-Here Bob is the only individual able to decrypt the message.
-Alice has access to Bob’s Ethereum address.
-
-## Theory and Description of the Protocol
-
-The proposed protocol must adhere to the following design requirements:
--   Alice knows Bob’s Ethereum address.
--   Bob is willing to participate in the protocol, and publishes his public key.
--   Bob’s ownership of his public key is verifiable,
--   Alice wants to send message M to Bob.
--   An eavesdropper cannot read M’s content even if she is storing it or relaying it.
-
-The specification is based on the noise protocol framework.
-It corresponds to the double ratchet scheme combined with the X3DH algorithm, which will be used to initialize the former. 
-We chose to express the protocol in noise to be be able to use the noise streamlined implementation and proving features.
-The X3DH algorithm provides both authentication and forward secrecy, as stated in the [X3DH specification](https://signal.org/docs/specifications/x3dh/).
-
-## High level description
-This protocol will consist of several stages:
-
-1.  Key setting for X3DH: this step will produce prekey bundles for Bob which will be fed into X3DH. It will also allow Alice to generate the keys required to run the X3DH algorithm correctly.
-2.  Execution of X3DH: This step will output a common secret key SK together with an additional data vector AD. Both will be used in the Double Ratchet algorithm initialization.
-3.  Execution of the Double Ratchet algorithm for forward secure, authenticated communications, using the common secret key SK, obtained from X3DH, as a root key.
-
-## Cryptographic functions required
--   XEd448 for digital signatures involved in the X3DH key generation.
--   SHA512 for hashing and the generation of HMACs.
--   AES256-CBC for the encryption/decryption of messages.
-
-## Considerations on the X3DH initialization
-This scheme requires working on specific elliptic curves which differ from those used by Ethereum. 
-To be precise, Ethereum makes use of the curve secp256k1, whereas X3DH requires either X25519 or X448. For security reasons one must work on the curve X448.
-
-Bob and Alice must define a key pair (ik, IK) where:
--   The key ik must be kept secret,
--   and the key IK is public.
-
-Bob will not be able to use his Ethereum public key during this stage due to incompatibilities with the involved elliptic curves, therefore it will be required to generate new keys. 
-This can be done using the basepoint $G$ for X448 and $ik \in \mathbb{Z}_p$ a random integer:
-
-$$ IK = ik \cdot G $$
-
-The scheme X3DH will also require the generation of a public key SPK which will be generated repeating the above process: one takes $spk \in \mathbb{Z}_p$ a secret random integer and computes:
-
-$$ SPK = spk \cdot G $$
-
-SPK is a public key generated and stored at medium-term. 
-It is called a signed prekey because Bob also needs to store a public key certificate of SPK using IK. 
-Both signed prekey and the certificate must undergo periodic replacement, 
-a process that entails the generation of a fresh signed prekey. 
-After replacing the key, 
-Bob keeps the old private key of SPK for some interval, dependant on the implementation.
-This allows Bob to decrypt delayed messages. 
-It is important that Bob does not reuse SPKs. 
-This action is pivotal for ensuring forward secrecy, as these keys are integral for recalculating the shared secret employed in decrypting historical messages.
-
-It will be required to sign SPK for authentication. Following the specification of X3DH, one will use the digital signature scheme XEd448 and define:
-
-$$ SigSPK = XEd448(ik, Encode(SPK)) $$
-
-A final step requires the definition of a  _prekey bundle_  given by the tuple
-
-$$ prekey\_bundle = (IK, SPK, SigSPK, \{OPK_i\}_i) $$
-
-Where the different one-time keys OPK are points in X448 generated from a random integer $opk \in \mathbb{Z}_p$ and computed by performing
-
-$$ OPK = opk\cdot G $$
-
-Before sending an initial message to Bob, Alice will generate an AD vector as described in the documentation:
-
-$$ AD = Encode(IK_A)|| Encode(IK_B) $$
-
-Alice will also need to generate ephemeral key pairs (ek, EK) following the above mechanisms, that is: ek is a random integer modulo p, and EK is the associated public key obtained from the product
-
-$$ EK = ek \cdot G $$
-
-The function Encode() transforms an X448 public key into a byte sequence. 
-The recommended encoding consists of a single-byte constant to represent the type of curve, followed by little-endian encoding of the u-coordinate. 
-This is specified in the [RFC 7748](http://www.ietf.org/rfc/rfc7748.txt) on elliptic curves for security.
-
-## Using X3DH in Double Ratchet
-
-According to [Signal specifications](https://signal.org/docs/specifications/doubleratchet/) 
-this specification uses the double ratchet in combination with X3DH using the following data as initialization for the former:
-
--   The SK output from X3DH becomes the SK input of the double ratchet. See section 3.3 of [Signal Specification](https://signal.org/docs/specifications/doubleratchet/) for a detailed description.
--   The AD output from X3DH becomes the AD input of the double ratchet. See sections 3.4 and 3.5 of  [Signal Specification](https://signal.org/docs/specifications/doubleratchet/)  for a detailed description.
--   Bob’s signed prekey SigSPKB from X3DH is used as Bob’s initial ratchet public key of the double ratchet.
-
-Once this initialization has been set, Alice and Bob can start exchanging messages with forward secrecy and authentication.
-
-## Specification as a Noise protocol
-
-X3DH has three phases:
-
-1.  Bob publishes his identity key and prekeys to a server, or dedicated smart contract.
-2.  Alice fetches a "prekey bundle" from the server, and uses it to send an initial message to Bob.
-3.  Bob receives and processes Alice's initial message.
-
-One observes that, at the beginning of the protocol, the receiver gets the public key through a server, a smart contract in our situation, together with an encrypted ephemeral key. 
-This corresponds to the Noise pattern  **IX**:
-
-→ e, s \
-← e, s, es, se, ee
-
-The Diffie-Hellman ratchet is run using the valid private key of the receiver in combination with the valid public included in the message coming from the sender. 
-This process is encoded, in Noise terms, as the DH() function. 
-This function will have inputs the secret key of the user running the function, and the public key of the external user. 
-Receiver and sender MUST generate valid key pairs, i.e. points of the X448, using the Noise function GENERATE_KEYPAIR().
-
-The Key Derivation Function (KDF) ratchet and the associated encryption protocols used by the double ratchet are also included by the Noise framework: 
-SHA256 for the KDF and AES256 for AEAD encryption.
-
-Consequently, according to the Noise framework specifications, the X3DH algorithm is encoded as  **Noise_IX_448_AES256GCM_SHA256**
-
-## Retrieving information
-
-### Static data
-
-Some data, such as the key pairs (ik, IK) for Alice and Bob, do not need to be regenerated after a period of time. 
-Therefore the public keys IK can be stored in long-term storage solutions, such as a dedicated smart contract which outputs such a key pair when receiving an Ethereum wallet address.
-
-### Ephemeral data
-
-Storing ephemeral data on Ethereum can be done using a combination of on-chain and off-chain solutions. 
-This approach provides an efficient solution to the problem of storing updatable data in Ethereum.
-1. Ethereum can store a reference or a hash that points to the off-chain data.
-2. Off-chain solutions can include systems like IPFS, traditional cloud storage solutions, or decentralized storage networks such as a [Swarm](https://www.ethswarm.org). 
-In any case, the user stores the associated IPFS hash, URL or reference in Ethereum.
-
-The fact of a user not updating the ephemeral information can be understood as Bob not willing to participate in any communication.
-
-### Interaction with Ethereum
-
-Storing static data is done using a dedicated smart contract *PublicKeyStorage* which associates the Ethereum wallet address of a user with his public key.
-This mapping is done by PublicKeyStorage using a *publicKeys* function, or a *setPublicKey* function.
-This mapping is done if the user passed an authorization process.
-A user who wants to retrieve a public key associated with a specific wallet address calls a function *getPublicKey*.
-The user provides the wallet address as the only input parameter for *getPublicKey*.
-The function outputs the associated public key from the smart contract.
-
-## Extension to group chat
-
-### 1-to-1 version
-
-In order to extend the protocol to a group chat, this document specifies using an Asynchronous Distributed Key Generation (ADKG) to replace the X3DH step in the previous combination X3DH + Double Ratchet.
-
-Distributed Key Generation (DKG) is a method for initiating threshold cryptosystems in a decentralized manner, all without the need for a trusted third party. 
-DKG serves as a fundamental component for numerous decentralized protocols, including systems like randomness beacons, threshold signatures, Byzantine consensus, and multiparty computation.
-
-Most DKG protocols assume synchronous networks. 
-Asynchronous DKG (ADKG) has been studied only recently and the state-of-the-art high-threshold ADKG protocols is very inefficient compared to its low-threshold counterpart. 
-
-Here low-threshold means that the reconstruction threshold is set to be one higher than the number of corrupt nodes, 
-whereas high-threshold protocols admit reconstruction thresholds much higher than the number of malicious nodes.
-
-Existing ADKG constructions tend to become inefficient when the reconstruction threshold surpasses one-third of the total nodes. 
-In this proposal we suggest using the scheme by [Kokoris-Kogias et al.](https://eprint.iacr.org/2022/1389) which is designed for $n = 3t + 1$ nodes. 
-
-This protocol can withstand the presence of up to t malicious nodes and can adapt to any reconstruction threshold in $l \in [t, n-t-1]$. 
-The key point of the proposal is an asynchronous method for securely distributing a random polynomial of degree $l\geq t$. 
-The proposal includes [Python and Rust implementations](https://github.com/sourav1547/htadkg).
-
-The DKG suggested makes assumes the existence of a PKI. 
-In case of requiring removing such assumption, one can replace the VSS scheme with the [Alhaddad et al.](https://eprint.iacr.org/2021/118) at the price of increasing the complexity.
-
-The output of the DKG may be an integer (modulo a prime), 
-meaning that one should apply a KDF to that output 
-in order to obtain a result which could be used as an input for the double ratchet.
-
-One observes that using an ADKG allows a set of users, 
-which want to define a group chat, 
-defining a common secret key which will be used as a root key for the double ratchet. 
-Using an ADKG defines a room key, 
-which essentially defines the group itself.
-
-
-This approach share similarities with the point of view of [Farcaster](https://github.com/farcasterxyz/protocol/discussions/99).
-
-Once the double ratchet is initialized, 
-the communication in this group is 1-to-1, 
-meaning that group member C cannot see the messages between group members A and B. 
-The fact of defining a room key makes impossible for outsiders to communicate with group members if the latter are not willing to.
-
-### n-to-n version
-
-Using the above approach leads to a situation where a group of users can set a group for 1-to-1 messages,
-meaning that any group member external to a communication between any other two members will not be able to read the contents of the messages.
-
-An approach to generalize this situation to the setting of a group of users exchanging messages without any kind of restriction is using asynchronous ratcheting trees, as suggested in the proposal from [Cohn-Gordon et al.](https://eprint.iacr.org/2017/666) where a group of people can derive a shared secret key even in the event of if no two users are ever online at the same time. 
-The proposal suggested provides both forward secrecy and post-compromise security. 
-The shared key can be then used in any symmetric encryption scheme, such as AES256.
-
-## Privacy and Security Considerations
-
-- For the information retrieval, the algorithm MUST include a access control mechanisms to restrict who can call the set and get functions.
-- One SHOULD include event logs to track changes in public keys.
-- The curve X448 MUST be chosen as the elliptic curve, since it offers a higher security level: 224-bit security instead of the 128-bit security provided by X25519.
-- Concerning the hardness of the ADKG, the proposal lies on the Discrete Logarithm assumption.
-
-## Copyright
-
-Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
-
-## References
-
-- [model](../../waku/standards/application/20/toy-eth-pm.md)
-- https://signal.org/docs/specifications/x3dh/
-- https://signal.org/docs/specifications/doubleratchet/
-- https://eprint.iacr.org/2022/1389
-- https://github.com/sourav1547/htadkg
-- https://github.com/farcasterxyz/protocol/discussions/99
-
-

vac/README.md

@@ -1,9 +1,9 @@
 # Vac RFCs
 
-Vac builds public good protocols for the decentralise web.
+Vac builds public good protocols for the decentralised web.
 Vac acts as a custodian for the protocols that live in the RFC-Index repository.
 With the goal of widespread adoption,
-Vac will make sure the protocols adhere to the set of principles, 
-including but not limited to liberty, security, privacy, decentralisation, and inclusivity.
+Vac will make sure the protocols adhere to a set of principles,
+including but not limited to liberty, security, privacy, decentralisation and inclusivity.
 
 To learn more, visit [Vac Research](https://vac.dev/)

vac/raw/README.md

@@ -0,0 +1,4 @@
+# Vac Raw Specifications
+
+All Vac specifications that have not reached **draft** status will live in this repository.
+To learn more about **raw** specifications, take a look at [1/COSS](../1/coss.md).

vac/raw/consensus-hashgraphlike.md

@@ -0,0 +1,252 @@
+---
+title: HASHGRAPHLIKE CONSENSUS
+name: Hashgraphlike Consensus Protocol
+status: raw
+category: Standards Track
+tags: 
+editor: Ugur Sen [ugur@status.im](mailto:ugur@status.im)
+contributors: seemenkina [ekaterina@status.im](mailto:ekaterina@status.im)
+---
+## Abstract
+
+This document specifies a scalable, decentralized, and Byzantine Fault Tolerant (BFT)
+consensus mechanism inspired by Hashgraph, designed for binary decision-making in P2P networks.
+
+## Motivation
+
+Consensus is one of the essential components of decentralization.
+In particular, in the decentralized group messaging application is used for
+binary decision-making to govern the group.
+Therefore, each user contributes to the decision-making process.
+Besides achieving decentralization, the consensus mechanism MUST be strong:
+
+- Under the assumption of at least `2/3` honest users in the network.
+
+- Each user MUST conclude the same decision and scalability:
+message propagation in the network MUST occur within `O(log n)` rounds,
+where `n` is the total number of peers,
+in order to preserve the scalability of the messaging application.
+
+## Format Specification
+
+The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
+“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document
+are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+
+## Flow
+
+Any user in the group initializes the consensus by creating a proposal.
+Next, the user broadcasts the proposal to the whole network.
+Upon each user receives the proposal, validates the proposal,
+adds its vote as yes or no and with its signature and timestamp.
+The user then sends the proposal and vote to a random peer in a P2P setup,
+or to a subscribed gossipsub channel if gossip-based messaging is used.
+Therefore, each user first validates the signature and then adds its new vote.
+Each sending message counts as a round.
+After `log(n)` rounds all users in the network have the others vote
+if at least `2/3` number of users are honest where honesty follows the protocol.
+
+In general, the voting-based consensus consists of the following phases:
+
+1. Initialization of voting
+2. Exchanging votes across the rounds
+3. Counting the votes
+
+### Assumptions
+
+- The users in the P2P network can discover the nodes or they are subscribing same channel in a gossipsub.
+- We MAY have non-reliable (silent) nodes.
+- Proposal owners MUST know the number of voters.
+
+## 1. Initialization of voting
+
+A user initializes the voting with the proposal payload which is
+implemented using [protocol buffers v3](https://protobuf.dev/) as follows:
+
+```bash
+syntax = "proto3";
+
+package vac.voting;
+
+message Proposal {
+  string name = 10;                  // Proposal name
+  string payload = 11;               // Proposal description
+  uint32 proposal_id = 12;           // Unique identifier of the proposal
+  bytes proposal_owner = 13;         // Public key of the creator 
+  repeated Votes = 14;               // Vote list in the proposal
+  uint32 expected_voters_count = 15; // Maximum number of distinct voters
+  uint32 round = 16;                 // Number of Votes 
+  uint64 timestamp = 17;             // Creation time of proposal
+  uint64 expiration_time = 18;       // The time interval that the proposal is active.  
+  bool liveness_criteria_yes = 19;   // Shows how managing the silent peers vote
+}
+
+message Vote {
+  uint32 vote_id = 20;            // Unique identifier of the vote
+  bytes vote_owner = 21;          // Voter's public key
+  uint32 proposal_id = 22;        // Linking votes and proposals
+  int64 timestamp = 23;           // Time when the vote was cast
+  bool vote = 24;                 // Vote bool value (true/false)
+  bytes parent_hash = 25;         // Hash of previous owner's Vote
+  bytes received_hash = 26;       // Hash of previous received Vote
+  bytes vote_hash = 27;           // Hash of all previously defined fields in Vote
+  bytes signature = 28;           // Signature of vote_hash
+}
+
+```
+
+To initiate a consensus for a proposal,
+a user MUST complete all the fields in the proposal, including attaching its `vote`
+and the `payload` that shows the purpose of the proposal.
+Notably, `parent_hash` and `received_hash` are empty strings because there is no previous or received hash.
+Then the initialization section ends when the user who creates the proposal sends it
+to the random peer from the network or sends it to the proposal to the specific channel.
+
+## 2. Exchanging votes across the peers
+
+Once the peer receives the proposal message `P_1` from a 1-1 or a gossipsub channel does the following checks:
+
+1. Check the signatures of the each votes in proposal, in particular for proposal `P_1`,
+verify the signature of `V_1` where `V_1 = P_1.votes[0]` with `V_1.signature` and `V_1.vote_owner`
+2. Do `parent_hash` check: If there are repeated votes from the same sender,
+check that the hash of the former vote is equal to the `parent_hash` of the later vote.
+3. Do `received_hash` check: If there are multiple votes in a proposal, check that the hash of a vote is equal to the `received_hash` of the next one.
+4. After successful verification of the signature and hashes, the receiving peer proceeds to generate `P_2` containing a new vote `V_2` as following:
+
+   4.1. Add its public key as `P_2.vote_owner`.
+
+   4.2. Set `timestamp`.
+
+   4.3. Set boolean `vote`.
+
+   4.4. Define `V_2.parent_hash = 0` if there is no previous peer's vote, otherwise hash of previous owner's vote.
+
+   4.5. Set `V_2.received_hash = hash(P_1.votes[0])`.
+  
+   4.6. Set `proposal_id` for the `vote`.
+  
+   4.7. Calculate `vote_hash` by hash of all previously defined fields in Vote:
+  `V_2.vote_hash = hash(vote_id, owner, proposal_id, timestamp, vote, parent_hash, received_hash)`
+
+   4.8. Sign `vote_hash` with its private key corresponding the public key as `vote_owner` component then adds `V_2.vote_hash`.
+
+5. Create `P_2` with by adding `V_2` as follows:
+  
+   5.1. Assign `P_2.name`, `P_2.proposal_id`, and `P_2.proposal_owner` to be identical to those in `P_1`.
+  
+   5.2. Add the `V_2` to the `P_2.Votes` list.
+  
+   5.3. Increase the round by one, namely `P_2.round = P_1.round + 1`.
+  
+   5.4. Verify that the proposal has not expired by checking that: `P_2.timestamp - current_time < P_1.expiration_time`.
+    If this does not hold, other peers ignore the message.
+
+After the peer creates the proposal `P_2` with its vote `V_2`,
+sends it to the random peer from the network or
+sends it to the proposal to the specific channel.
+
+## 3. Determining the result
+
+Because consensus depends on meeting a quorum threshold,
+each peer MUST verify the accumulated votes to determine whether the necessary conditions have been satisfied.
+The voting result is set YES if the majority of the `2n/3` from the distinct peers vote YES.
+
+To verify, the `findDistinctVoter` method processes the proposal by traversing its `Votes` list to determine the number of unique voters.
+
+If this method returns true, the peer proceeds with strong validation,
+which ensures that if any honest peer reaches a decision,
+no other honest peer can arrive at a conflicting result.
+
+1. Check each `signature` in the vote as shown in the [Section 2](#2-exchanging-votes-across-the-peers).
+
+2. Check the `parent_hash` chain if there are multiple votes from the same owner namely `vote_i` and `vote_i+1` respectively,
+the parent hash of `vote_i+1` should be the hash of `vote_i`
+
+3. Check the `previous_hash` chain, each received hash of `vote_i+1` should be equal to the hash of `vote_i`.
+
+4. Check the `timestamp` against the replay attack.
+In particular, the `timestamp` cannot be the old in the determined threshold.
+
+5. Check that the liveness criteria defined in the Liveness section are satisfied.
+
+If a proposal is verified by all the checks,
+the `countVote` method counts each YES vote from the list of Votes.
+
+## 4. Properties
+
+The consensus mechanism satisfies liveness and security properties as follows:
+
+### Liveness
+
+Liveness refers to the ability of the protocol to eventually reach a decision when sufficient honest participation is present.
+In this protocol, if `n > 2` and more than `n/2` of the votes among at least `2n/3` distinct peers are YES,
+then the consensus result is defined as YES; otherwise, when `n ≤ 2`, unanimous agreement (100% YES votes) is required.
+
+The peer calculates the result locally as shown in the [Section 3](#3-determining-the-result).
+From the [hashgraph property](https://hedera.com/learning/hedera-hashgraph/what-is-hashgraph-consensus),
+if a node could calculate the result of a proposal,
+it implies that no peer can calculate the opposite of the result.
+Still, reliability issues can cause some situations where peers cannot receive enough messages,
+so they cannot calculate the consensus result.
+
+Rounds are incremented when a peer adds and sends the new proposal.
+Calculating the required number of rounds, `2n/3` from the distinct peers' votes is achieved in two ways:
+
+1. `2n/3` rounds in pure P2P networks
+2. `2` rounds in gossipsub
+
+Since the message complexity is `O(1)` in the gossipsub channel,
+in case the network has reliability issues,
+the second round is used for the peers cannot receive all the messages from the first round.
+
+If an honest and online peer has received at least one vote but not enough to reach consensus,
+it MAY continue to propagate its own vote — and any votes it has received — to support message dissemination.
+This process can continue beyond the expected round count,
+as long as it remains within the expiration time defined in the proposal.
+The expiration time acts as a soft upper bound to ensure that consensus is either reached or aborted within a bounded timeframe.
+
+#### Equality of votes
+
+An equality of votes occurs when verifying at least `2n/3` distinct voters and
+applying `liveness_criteria_yes` the number of YES and NO votes is equal.
+
+Handling ties is an application-level decision. The application MUST define a deterministic tie policy:
+
+RETRY: re-run the vote with a new proposal_id, optionally adjusting parameters.
+
+REJECT: abort the proposal and return voting result as NO.
+
+The chosen policy SHOULD be consistent for all peers via proposal's `payload` to ensure convergence on the same outcome.
+
+### Silent Node Management
+
+Silent nodes are the nodes that not participate the voting as YES or NO.
+There are two possible counting votes for the silent peers.
+
+1. **Silent peers means YES:**
+Silent peers counted as YES vote, if the application prefer the strong rejection for NO votes.
+2. **Silent peers means NO:**
+Silent peers counted as NO vote, if the application prefer the strong acception for NO votes.
+
+The proposal is set to default true, which means silent peers' votes are counted as YES namely `liveness_criteria_yes` is set true by default.
+
+### Security
+
+This RFC uses cryptographic primitives to prevent the
+malicious behaviours as follows:
+
+- Vote forgery attempt: creating unsigned invalid votes
+- Inconsistent voting: a malicious peer submits conflicting votes (e.g., YES to some peers and NO to others)
+in different stages of the protocol, violating vote consistency and attempting to undermine consensus.
+- Integrity breaking attempt: tampering history by changing previous votes.
+- Replay attack: storing the old votes to maliciously use in fresh voting.
+
+## 5. Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/)
+
+## 6. References
+
+- [Hedera Hashgraph](https://hedera.com/learning/hedera-hashgraph/what-is-hashgraph-consensus)
+- [Gossip about gossip](https://docs.hedera.com/hedera/core-concepts/hashgraph-consensus-algorithms/gossip-about-gossip)
+- [Simple implementation of hashgraph consensus](https://github.com/conanwu777/hashgraph)

vac/raw/decentralized-messaging-ethereum.md

@@ -0,0 +1,889 @@
+---
+title: ETH-DCGKA
+name: Decentralized Key and Session Setup for Secure Messaging over Ethereum
+status: raw
+category: informational
+editor: Ramses Fernandez-Valencia <ramses@status.im>
+contributors:
+---
+
+## Abstract
+
+This document introduces a decentralized group messaging protocol
+using Ethereum adresses as identifiers.
+It is based in the proposal
+[DCGKA](https://eprint.iacr.org/2020/1281) by Weidner et al.
+It includes also approximations to overcome limitations related to using PKI and
+the multi-device setting.
+
+## Motivation
+
+The need for secure communications has become paramount.
+Traditional centralized messaging protocols are susceptible to various security
+threats, including unauthorized access, data breaches, and single points of
+failure.
+Therefore a decentralized approach to secure communication becomes increasingly
+relevant, offering a robust solution to address these challenges.
+
+Secure messaging protocols used should have the following key features:
+
+1. **Asynchronous Messaging:** Users can send messages even if the recipients
+are not online at the moment.
+
+2. **Resilience to Compromise:** If a user's security is compromised,
+the protocol ensures that previous messages remain secure through forward
+secrecy (FS). This means that messages sent before the compromise cannot be
+decrypted by adversaries. Additionally, the protocol maintains post-compromise
+security (PCS) by regularly updating keys, making it difficult for adversaries
+to decrypt future communication.
+
+3. **Dynamic Group Management:** Users can easily add or remove group members
+at any time, reflecting the flexible nature of communication within the app.
+
+In this field, there exists a *trilemma*, similar to what one observes in
+blockchain, involving three key aspects:
+
+1. security,
+2. scalability, and
+3. decentralization.
+
+For instance, protocols like the [MLS](https://messaginglayersecurity.rocks)
+perform well in terms of scalability and security.
+However, they falls short in decentralization.
+
+Newer studies such as [CoCoa](https://eprint.iacr.org/2022/251)
+improve features related to security and scalability,
+but they still rely on servers, which may not be fully trusted though they are necessary.
+
+On the other hand,
+older studies like [Causal TreeKEM](https://mattweidner.com/assets/pdf/acs-dissertation.pdf)
+exhibit decent scalability (logarithmic)
+but lack forward secrecy and have weak post-compromise security (PCS).
+
+The creators of [DCGKA](https://eprint.iacr.org/2020/1281) introduce a decentralized,
+asynchronous secure group messaging protocol that supports dynamic groups.
+This protocol operates effectively on various underlying networks
+without strict requirements on message ordering or latency.
+It can be implemented in peer-to-peer or anonymity networks,
+accommodating network partitions, high latency links, and
+disconnected operation seamlessly.
+Notably, the protocol doesn't rely on servers or
+a consensus protocol for its functionality.
+
+This proposal provides end-to-end encryption with forward secrecy and
+post-compromise security,
+even when multiple users concurrently modify the group state.
+
+## Theory
+
+### Protocol overview
+
+This protocol makes use of ratchets to provide FS
+by encrypting each message with a different key.
+
+In the figure one can see the ratchet for encrypting a sequence of messages.
+The sender requires an initial update secret `I_1`, which is introduced in a PRG.
+The PRG will produce two outputs, namely a symmetric key for AEAD encryption, and
+a seed for the next ratchet state.
+The associated data needed in the AEAD encryption includes the message index `i`.
+The ciphertext `c_i` associated to message `m_i`
+is then broadcasted to all group members.
+The next step requires deleting `I_1`, `k_i` and any old ratchet state.
+
+After a period of time the sender may replace the ratchet state with new update secrets
+`I_2`, `I_3`, and so on.
+
+To start a post-compromise security update,
+a user creates a new random value known as a seed secret and
+shares it with every other group member through a secure two-party channel.
+Upon receiving the seed secret,
+each group member uses it to calculate an update secret for both the sender's ratchet
+and their own.
+Additionally, the recipient sends an unencrypted acknowledgment to the group
+confirming the update.
+Every member who receives the acknowledgment updates
+not only the ratchet for the original sender but
+also the ratchet for the sender of the acknowledgment.
+Consequently, after sharing the seed secret through `n - 1` two-party messages and
+confirming it with `n - 1` broadcast acknowledgments,
+every group member has derived an update secret and updated their ratchet accordingly.
+
+When removing a group member,
+the user who initiates the removal conducts a post-compromise security update
+by sending the update secret to all group members except the one being removed.
+To add a new group member,
+each existing group member shares the necessary state with the new user,
+enabling them to derive their future update secrets.
+
+Since group members may receive messages in various orders,
+it's important to ensure that each sender's ratchet is updated consistently
+with the same sequence of update secrets at each group member.
+
+The network protocol used in this scheme ensures that messages from the same sender
+are processed in the order they were sent.
+
+### Components of the protocol
+
+This protocol relies in 3 components:
+authenticated causal broadcast (ACB),
+decentralized group membership (DGM) and
+2-party secure messaging (2SM).
+
+#### Authenticated causal broadcast
+
+A causal order is a partial order relation `<` on messages.
+Two messages `m_1` and `m_2` are causally ordered, or
+`m_1` causally precedes `m_2`
+(denoted by `m_1 < m_2`), if one of the following contiditions hold:
+
+1. `m_1` and `m_2` were sent by the same group member, and
+`m_1` was sent before `m_2`.
+2. `m_2` was sent by a group member U, and `m_1` was received and
+processed by `U` before sending `m_2`.
+3. There exists `m_3` such that `m_1 < m_3` and `m_3 < m_2`.
+
+Causal broadcast requires that before processing `m`, a group member must
+process all preceding messages `{m' | m' < m}`.
+
+The causal broadcast module used in this protocol authenticates the sender of
+each message, as well as its causal ordering metadata, using a digital
+signature under the sender’s identity key.
+This prevents a passive adversary from impersonating users or affecting
+causally ordered delivery.
+
+#### Decentralized group membership
+
+This protocol assumes the existence of a decentralized group membership
+function (denoted as DGM) that takes a set of membership change messages and
+their causal order relantionships, and returns the current set of group
+members’ IDs. It needs to be deterministic and depend only on causal order, and
+not exact order.
+
+#### 2-party secure messaging (2SM)
+
+This protocol makes use of bidirectional 2-party secure messaging schemes,
+which consist of 3 algorithms: `2SM-Init`, `2SM-Send` and `2SM-Receive`.
+
+##### Function 2SM-Init
+
+This function takes two IDs as inputs:
+`ID1` representing the local user and `ID2` representing the other party.
+It returns an initial protocol state `sigma`.
+The 2SM protocol relies on a Public Key Infrastructure (PKI) or
+a key server to map these IDs to their corresponding public keys.
+In practice, the PKI should incorporate ephemeral prekeys.
+This allows users to send messages to a new group member,
+even if that member is currently offline.
+
+##### Function 2SM-Send
+
+This function takes a state `sigma` and a plaintext `m` as inputs, and returns
+a new state `sigma’` and a ciphertext `c`.
+
+##### Function 2SM-Receive
+
+This function takes a state `sigma` and a ciphertext `c`, and
+returns a new state `sigma’` and a plaintext `m`.
+
+This function takes a state `sigma` and a ciphertext `c`, and returns a new
+state `sigma’` and a plaintext `m`.
+
+#### Function 2SM Syntax
+
+The variable `sigma` denotes the state consisting in the variables below:
+
+```text
+sigma.mySks[0] = sk
+sigma.nextIndex = 1 
+sigma.receivedSk = empty_string
+sigma.otherPk = pk`<br> 
+sigma.otherPksender = “other”
+sigma.otherPkIndex = 0
+
+```
+
+#### 2SM-Init
+
+On input a key pair `(sk, pk)`, this functions otuputs a state `sigma`.
+
+#### 2SM-Send
+
+This function encrypts the message `m` using `sigma.otherPk`, which represents
+the other party’s current public key.
+This key is determined based on the last public key generated for the other
+party or the last public key received from the other party,
+whichever is more recent. `sigma.otherPkSender` is set to `me` in the former
+case and `other` in the latter case.
+
+Metadata including `otherPkSender` and `otherPkIndex` are included in the
+message to indicate which of the recipient’s public keys is being utilized.
+
+Additionally, this function generates a new key pair for the local user,
+storing the secret key in `sigma.mySks` and sending the public key.
+Similarly, it generates a new key pair for the other party,
+sending the secret key (encrypted) and storing the public key in
+`sigma.otherPk`.
+
+```text
+sigma.mySks[sigma.nextIndex], myNewPk) = PKE-Gen()
+(otherNewSk, otherNewPk) = PKE-Gen()
+plaintext = (m, otherNewSk, sigma`.nextIndex, myNewPk)
+msg = (PKE-Enc(sigma.otherPk, plaintext), sigma.otherPkSender, sigma.otherPkIndex)
+sigma.nextIndex++
+(sigma.otherPk, sigma.otherPkSender, sigma.otherPkIndex) = (otherNewPk, "me", empty_string)
+return (sigma`, msg)
+
+```
+
+#### 2SM-Receive
+
+This function utilizes the metadata of the message `c` to determine which
+secret key to utilize for decryption, assigning it to `sk`.
+If the secret key corresponds to one generated by ourselves,
+that secret key along with all keys with lower index are deleted.
+This deletion is indicated by `sigma.mySks[≤ keyIndex] = empty_string`.
+Subsequently, the new public and secret keys contained in the message are
+stored.
+
+```text
+(ciphertext, keySender, keyIndex) = c
+if keySender = "other" then 
+sk = sigma.mySks[keyIndex] 
+sigma.mySks[≤ keyIndex] = empty_string
+else sk = sigma.receivedSk
+(m, sigma.receivedSk, sigma.otherPkIndex, sigma.otherPk) = PKE-Dec(sk, ciphertext)
+sigma.otherPkSender = "other"
+return (sigma, m)
+
+```
+
+### PKE Syntax
+
+The required PKE that MUST be used is ElGamal with a 2048-bit modulus `p`.
+
+#### Parameters
+
+The following parameters must be used:
+
+```text
+p = 308920927247127345254346920820166145569
+g = 2
+
+```
+
+#### PKE-KGen
+
+Each user `u` MUST do the following:
+
+```text
+PKE-KGen():
+a = randint(2, p-2)
+pk = (p, g, g^a)
+sk = a
+return (pk, sk)
+
+```
+
+#### PKE-Enc
+
+A user `v` encrypting a message `m` for `u` MUST follow these steps:
+
+```text
+PKE-Enc(pk):
+k = randint(2, p-2)
+eta = g^k % p
+delta = m * (g^a)^k % p
+return ((eta, delta))
+
+```
+
+#### PKE-Dec
+
+The user `u` recovers a message `m` from a ciphertext `c`
+by performing the following operations:
+
+```text
+PKE-Dec(sk):
+mu = eta^(p-1-sk) % p
+return ((mu * delta) % p)
+
+```
+
+### DCGKA Syntax
+
+#### Auxiliary functions
+
+There exist 6 functions that are auxiliary for the rest of components of the
+protocol, namely:
+
+#### init
+
+This function takes an `ID` as input and returns its associated initial state,
+denoted by `gamma`:
+
+```text
+gamma.myId = ID
+gamma.mySeq = 0
+gamma.history = empty
+gamma.nextSeed = empty_string
+gamma.2sm[·] = empty_string
+gamma.memberSecret[·, ·, ·] = empty_string
+gamma.ratchet[·] = empty_string
+return (gamma)
+
+```
+
+#### encrypt-to
+
+Upon reception of the recipient’s `ID` and a plaintext, it encrypts a direct
+message for another group member.
+Should it be the first message for a particular `ID`,
+then the `2SM` protocol state is initialized and stored in
+`gamma.2sm[recipient.ID]`.
+One then uses `2SM_Send` to encrypt the message and store the updated protocol
+in `gamma`.
+
+```text
+if gamma.2sm[recipient_ID] = empty_string then
+ gamma.2sm[recipient_ID] = 2SM_Init(gamma.myID, recipient_ID)
+(gamma.2sm[recipient_ID], ciphertext) = 2SM_Send(gamma.2sm[recipient_ID], plaintext)
+return (gamma, ciphertext)
+
+```
+
+#### decrypt-from
+
+After receiving the sender’s `ID` and a ciphertext, it behaves as the reverse
+function of `encrypt-to` and has a similar initialization:
+
+```text
+if gamma.2sm[sender_ID] = empty_string then
+gamma.2sm[sender_ID] = 2SM_Init(gamma.myID, sender_ID)
+(gamma.2sm[sender_ID], plaintext) = 2SM_Receive(gamma.2sm[sender_ID], ciphertext)
+return (gamma, plaintext)
+
+```
+
+#### update-ratchet
+
+This function generates the next update secret `I_update` for the group member
+`ID`.
+The ratchet state is stored in `gamma.ratchet[ID]`.
+It is required to use a HMAC-based key derivation function HKDF to combine the
+ratchet state with an input, returning an update secret and a new ratchet
+state.
+
+```text
+(updateSecret, gamma.ratchet[ID]) = HKDF(gamma.ratchet[ID], input)
+return (gamma, updateSecret)
+
+```
+
+#### member-view
+
+This function calculates the set of group members
+based on the most recent control message sent by the specified user `ID`.
+It filters the group membership operations
+to include only those observed by the specified `ID`, and
+then invokes the DGM function to generate the group membership.
+
+```text
+ops = {m in gamma.history st. m was sent or acknowledged by ID}
+return DGM(ops)
+
+```
+
+#### generate-seed
+
+This functions generates a random bit string and
+sends it encrypted to each member of the group using the `2SM` mechanism.
+It returns the updated protocol state and
+the set of direct messages (denoted as `dmsgs`) to send.
+
+```text
+gamma.nextSeed = random.randbytes()
+dmsgs = empty
+for each ID in recipients:
+(gamma, msg) = encrypt-to(gamma, ID, gamma.nextSeed)
+dmsgs = dmsgs + (ID, msg)
+return (gamma, dmsgs)
+
+```
+
+### Creation of a group
+
+A group is generated in a 3 steps procedure:
+
+1. A user calls the `create` function and broadcasts a control message of type
+*create*.
+2. Each receiver of the message processes the message and broadcasts an *ack*
+control message.
+3. Each member processes the *ack* message received.
+
+#### create
+
+This function generates a *create* control message and calls `generate-seed` to
+define the set of direct messages that need to be sent.
+Then it calls `process-create` to process the control message for this user.
+The function `process-create` returns a tuple including an updated state gamma
+and an update secret `I`.
+
+```text
+control = (“create”, gamma.mySeq, IDs)
+(gamma, dmsgs) = generate-seed(gamma, IDs)
+(gamma, _, _, I, _) = process-create(gamma, gamma.myId, gamma.mySeq, IDs, empty_string)
+return (gamma, control, dmsgs, I)
+
+```
+
+#### process-seed
+
+This function initially employs `member-view` to identify the users who were
+part of the group when the control message was dispatched.
+Then, it attempts to acquire the seed secret through the following steps:
+
+1. If the control message was dispatched by the local user, it uses the most
+recent invocation of `generate-seed` stored the seed secret in
+`gamma.nextSeed`.
+2. If the `control` message was dispatched by another user, and the local user
+is among its recipients, the function utilizes `decrypt-from` to decrypt the
+direct message that includes the seed secret.
+3. Otherwise, it returns an `ack` message without deriving an update secret.
+
+Afterwards, `process-seed` generates separate member secrets for each group
+member from the seed secret by combining the seed secret and
+each user ID using HKDF.
+The secret for the sender of the message is stored in `senderSecret`, while
+those for the other group members are stored in `gamma.memberSecret`.
+The sender's member secret is immediately utilized to update their KDF ratchet
+and compute their update secret `I_sender` using `update-ratchet`.
+If the local user is the sender of the control message, the process is
+completed, and the update secret is returned.
+However, if the seed secret is received from another user, an `ack` control
+message is constructed for broadcast, including the sender ID and sequence
+number of the message being acknowledged.
+
+The final step computes an update secret `I_me` for the local user invoking the
+`process-ack` function.
+
+```text
+recipients = member-view(gamma, sender) - {sender}
+if sender =  gamma.myId then seed = gamma.nextSeed; gamma.nextSeed =
+empty_string
+else if  gamma.myId in recipients then (gamma, seed) = decrypt-from(gamma,
+sender, dmsg)
+else
+return (gamma, (ack, ++gamma.mySeq, (sender, seq)), empty_string ,
+empty_string , empty_string)
+
+for ID in recipients do gamma.memberSecret[sender, seq, ID] = HKDF(seed, ID)
+senderSecret = HKDF(seed, sender)
+(gamma, I_sender) = update-ratchet(gamma, sender, senderSecret)
+if sender = gamma.myId then return (gamma, empty_string , empty_string ,
+I_sender, empty_string)
+control = (ack, ++gamma.mySeq, (sender, seq))
+members = member-view(gamma, gamma.myId)
+forward = empty
+for ID in {members - (recipients + {sender})}
+    s = gamma.memberSecret[sender, seq, gamma.myId]
+    (gamma, msg) = encrypt-to(gamma, ID, s)
+    forward = forward + {(ID, msg)}
+    (gamma, _, _, I_me, _) = process-ack(gamma, gamma.myId, gamma.mySeq, 
+    (sender, seq), empty_string)
+    return (gamma, control, forward, I_sender, I_me)
+
+```
+
+#### process-create
+
+This function is called by the sender and each of the receivers of the `create`
+control message.
+First, it records the information from the create message in the
+`gamma.history+ {op}`, which is used to track group membership changes. Then,
+it proceeds to call `process-seed`.
+
+```text
+op = (”create”, sender, seq, IDs)
+gamma.history = gamma.history + {op}
+return (process-seed(gamma, sender, seq, dmsg))
+
+```
+
+#### process-ack
+
+This function is called by those group members once they receive an ack
+message.
+In `process-ack`, `ackID` and `ackSeq` are the sender and sequence number of
+the acknowledged message.
+Firstly, if the acknowledged message is a group membership operation, it
+records the acknowledgement in `gamma.history`.
+
+Following this, the function retrieves the relevant member secret from
+`gamma.memberSecret`, which was previously obtained from the seed secret
+contained in the acknowledged message.
+
+Finally, it updates the ratchet for the sender of the `ack` and returns the
+resulting update secret.
+
+```text
+if (ackID, ackSeq) was a create / add / remove then
+op = ("ack", sender, seq, ackID, ackSeq)
+gamma.history = gamma.history + {op}`
+s = gamma.memberSecret[ackID, ackSeq, sender]
+gamma.memberSecret[ackID, ackSeq, sender] = empty_string
+if (s = empty_string) & (dmsg = empty_string) then return (gamma, empty_string,
+empty_string, empty_string, empty_string)
+if (s = empty_string) then (gamma, s) = decrypt-from(gamma, sender, dmsg)
+(gamma, I) = update-ratchet(gamma, sender, s)
+return (gamma, empty_string, empty_string, I, empty_string)
+
+```
+
+The HKDF function MUST follow RFC 5869 using the hash function SHA256.
+
+### Post-compromise security updates and group member removal
+
+The functions `update` and `remove` share similarities with `create`:
+they both call the function `generate-seed` to encrypt a new seed secret for
+each group member.
+The distinction lies in the determination of the group members using `member
+view`.
+In the case of `remove`, the user being removed is excluded from the recipients
+of the seed secret.
+Additionally, the control message they construct is designated with type
+`update` or `remove` respectively.
+
+Likewise, `process-update` and `process-remove` are akin to `process-create`.
+The function `process-update` skips the update of `gamma.history`,
+whereas `process-remove` includes a removal operation in the history.
+
+#### update
+
+```text
+control = ("update", ++gamma.mySeq, empty_string)
+recipients = member-view(gamma, gamma.myId) - {gamma.myId}
+(gamma, dmsgs) = generate-seed(gamma, recipients)
+(gamma, _, _, I , _) = process-update(gamma, gamma.myId, gamma.mySeq,
+empty_string, empty_string)
+return (gamma, control, dmsgs, I)
+
+```
+
+#### remove
+
+```text
+control = ("remove", ++gamma.mySeq, empty)
+recipients = member-view(gamma, gamma.myId) - {ID, gamma.myId}
+(gamma, dmsgs) = generate-seed(gamma, recipients)
+(gamma, _, _, I , _) = process-update(gamma, gamma.myId, gamma.mySeq, ID,
+empty_string)
+return (gamma, control, dmsgs, I)
+
+```
+
+#### process-update
+
+`return process-seed(gamma, sender, seq, dmsg)`
+
+#### process-remove
+
+```text
+op = ("remove", sender, seq, removed)
+gamma.history = gamma.history + {op}
+return process-seed(gamma, sender, seq, dmsg)
+
+```
+
+### Group member addition
+
+#### add
+
+When adding a new group member, an existing member initiates the process by
+invoking the `add` function and providing the ID of the user to be added.
+This function prepares a control message marked as `add` for broadcast to the
+group. Simultaneously, it creates a welcome message intended for the new member
+as a direct message.
+This `welcome` message includes the current state of the sender's KDF ratchet,
+encrypted using `2SM`, along with the history of group membership operations
+conducted so far.
+
+```text
+control = ("add", ++gamma.mySeq, ID)
+(gamma, c) = encrypt-to(gamma, ID, gamma.ratchet[gamma.myId])
+op = ("add", gamma.myId, gamma.mySeq, ID)
+welcome = (gamma.history + {op}, c)
+(gamma, _, _, I, _) = process-add(gamma, gamma.myId, gamma.mySeq, ID, empty_string)
+return (gamma, control, (ID, welcome), I)
+
+```
+
+#### process-add
+
+This function is invoked by both the sender and each recipient of an `add`
+message, which includes the new group member. If the local user is the newly
+added member, the function proceeds to call `process-welcome` and then exits.
+Otherwise, it extends `gamma.history` with the `add` operation.
+
+Line 5 determines whether the local user was already a group member at the time
+the `add` message was sent; this condition is typically true but may be false
+if multiple users were added concurrently.
+
+On lines 6 to 8, the ratchet for the sender of the *add* message is updated
+twice. In both calls to `update-ratchet`, a constant string is used as the
+ratchet input instead of a random seed secret.
+
+The value returned by the first ratchet update is stored in
+`gamma.memberSecret` as the added user’s initial member secret. The result of
+the second ratchet update becomes `I_sender`, the update secret for the sender
+of the `add` message. On line 10, if the local user is the sender, the update
+secret is returned.
+
+If the local user is not the sender, an acknowledgment for the `add` message is
+required.
+Therefore, on line 11, a control message of type `add-ack` is constructed for
+broadcast.
+Subsequently, in line 12 the current ratchet state is encrypted using `2SM` to
+generate a direct message intended for the added user, allowing them to decrypt
+subsequent messages sent by the sender.
+Finally, in lines 13 to 15, `process-add-ack` is called to calculate the local
+user’s update secret (`I_me`), which is then returned along with `I_sender`.
+
+```text
+if added = gamma.myId then return process-welcome(gamma, sender, seq, dmsg)
+op = ("add", sender, seq, added)
+gamma.history = gamma.history + {op}
+if gamma.myId in member-view(gamma, sender) then
+    (gamma, s) = update-ratchet(gamma, sender, "welcome")
+    gamma.memberSecret[sender, seq, added] = s
+    (gamma, I_sender) = update-ratchet(gamma, sender, "add")
+    else I_sender = empty_string
+    if sender = gamma.myId then return (gamma, empty_string, empty_string,
+    I_sender, empty_string)
+    control = ("add-ack", ++gamma.mySeq, (sender, seq))
+    (gamma, c) = encrypt-to(gamma, added, ratchet[gamma.myId])
+    (gamma, _, _, I_me, _) = process-add-ack(gamma, gamma.myId, gamma.mySeq,
+    (sender, seq), empty_string)
+    return (gamma, control, {(added, c)}, I_sender, I_me)
+
+```
+
+#### process-add-ack
+
+This function is invoked by both the sender and each recipient of an `add-ack`
+message, including the new group member. Upon lines 1–2, the acknowledgment is
+added to `gamma.history`, mirroring the process in `process-ack`.
+If the current user is the new group member, the `add-ack` message includes the
+direct message constructed in `process-add`; this direct message contains the
+encrypted ratchet state of the sender of the `add-ack`, then it is decrypted on
+lines 3–5.
+
+Upon line 6, a check is performed to check if the local user was already a
+group member at the time the `add-ack` was sent. If affirmative, a new update
+secret `I` for the sender of the `add-ack` is computed on line 7 by invoking
+`update-ratchet` with the constant string `add`.
+
+In the scenario involving the new member,  the ratchet state was recently
+initialized on line 5. This ratchet update facilitates all group members,
+including the new addition, to derive each member’s update by obtaining any
+update secret from before their inclusion.
+
+```text
+op = ("ack", sender, seq, ackID, ackSeq)
+gamma$.history = gamma.history + {op}
+if dmsg != empty_string then
+    (gamma, s) = decrypt-from(gamma, sender, dmsg)
+    gamma.ratchet[sender] = s
+if gamma.myId in member-view(gamma, sender) then
+    (gamma, I) = update-ratchet(gamma, sender, "add")
+    return (gamma, empty_string, empty_string, I, empty_string)
+else return (gamma, empty_string, empty_string, empty_string, empty_string)
+
+```
+
+#### process-welcome
+
+This function serves as the second step called by a newly added group member.
+In this context, `adderHistory` represents the adding user’s copy of
+`gamma.history` sent in their welcome message, which is utilized to initialize
+the added user’s history.
+Here, `c` denotes the ciphertext of the adding user’s ratchet state, which is
+decrypted on line 2 using `decrypt-from`.
+
+Once `gamma.ratchet[sender]` is initialized, `update-ratchet` is invoked twice
+on lines 3 to 5 with the constant strings `welcome` and `add` respectively.
+These operations mirror the ratchet operations performed by every other group
+member in `process-add`.
+The outcome of the first `update-ratchet` call becomes the first member secret
+for the added user,
+while the second call returns `I_sender`, the update secret for the sender of
+the add operation.
+
+Subsequently, the new group member constructs an *ack* control message to
+broadcast on line 6 and calls `process-ack` to compute their initial update
+secret I_me. The function `process-ack` reads from `gamma.memberSecret` and
+passes it to `update-ratchet`. The previous ratchet state for the new member is
+the empty string `empty`, as established by `init`, thereby initializing the
+new member’s ratchet.
+Upon receiving the new member’s `ack`, every other group member initializes
+their copy of the new member’s ratchet in a similar manner.
+
+By the conclusion of `process-welcome`, the new group member has acquired
+update secrets for themselves and the user who added them.
+The ratchets for other group members are initialized by `process-add-ack`.
+
+```text
+gamma.history = adderHistory
+(gamma, gamma.ratchet[sender]) = decrypt-from(gamma, sender, c)
+(gamma, s) = update-ratchet(gamma, sender, "welcome")
+gamma.memberSecret[sender, seq, gamma.myId] = s
+(gamma, I_sender) = update-ratchet(gamma, sender, "add")
+control = ("ack", ++gamma.mySeq, (sender, seq))
+(gamma, _, _, I_me, _) = process-ack(gamma, gamma.myId, gamma.mySeq, (sender,
+seq), empty_string)
+return (gamma, control, empty_string , I_sender, I_me)
+
+```
+
+## Privacy Considerations
+
+### Dependency on PKI
+
+The [DCGKA](https://eprint.iacr.org/2020/1281) proposal presents some
+limitations highlighted by the authors.
+Among these limitations one finds the requirement of a PKI (or a key server)
+mapping IDs to public keys.
+
+One method to overcome this limitation is adapting the protocol SIWE (Sign in
+with Ethereum) so a user `u_1` who wants to start a communication with a user
+`u_2` can interact with latter’s wallet to request a public key using an
+Ethereum address as `ID`.
+
+#### SIWE
+
+The [SIWE](https://docs.login.xyz/general-information/siwe-overview) (Sign In
+With Ethereum) proposal was a suggested standard for leveraging Ethereum to
+authenticate and authorize users on web3 applications.
+Its goal is to establish a standardized method for users to sign in to web3
+applications using their Ethereum address and private key,
+mirroring the process by which users currently sign in to web2 applications
+using their email and password.
+Below follows the required steps:
+
+1. A server generates a unique Nonce for each user intending to sign in.
+2. A user initiates a request to connect to a website using their wallet.
+3. The user is presented with a distinctive message that includes the Nonce and
+details about the website.
+4. The user authenticates their identity by signing in with their wallet.
+5. Upon successful authentication, the user's identity is confirmed or
+approved.
+6. The website grants access to data specific to the authenticated user.
+
+#### Our approach
+
+The idea in the [DCGKA](https://eprint.iacr.org/2020/1281) setting closely
+resembles the procedure outlined in SIWE. Here:
+
+1. The server corresponds to user D1,who initiates a request (instead of
+generating a nonce) to obtain the public key of user D2.
+2. Upon receiving the request, the wallet of D2 send the request to the user,
+3. User D2 receives the request from the wallet, and decides whether accepts or
+rejects.
+4. The wallet and responds with a message containing the requested public key
+in case of acceptance by D2.
+
+This message may be signed, allowing D1 to verify that the owner of the
+received public key is indeed D2.
+
+### Multi-device setting
+
+One may see the set of devices as a group and create a group key for internal
+communications.
+One may use treeKEM for instance, since it provides interesting properties like
+forward secrecy and post-compromise security.
+All devices share the same `ID`, which is held by one of them, and from other
+user’s point of view, they would look as a single user.
+
+Using servers, like in the paper
+[Multi-Device for Signal](https://eprint.iacr.org/2019/1363), should be
+avoided; but this would imply using a particular device as receiver and
+broadcaster within the group.
+There is an obvious drawback which is having a single device working as a
+“server”. Should this device be attacked or without connection, there should be
+a mechanism for its revocation and replacement.
+
+Another approach for communications between devices could be using the keypair
+of each device. This could open the door to use UPKE, since keypairs should be
+regenerated frequently.
+
+Each time a device sends a message, either an internal message or an external
+message, it needs to replicate and broadcast it to all devices in the group.
+
+The mechanism for the substitution of misbehaving leader devices follows:
+
+1. Each device within a group knows the details of other leader devices. This
+information may come from metadata in received messages, and is replicated by
+the leader device.
+2. To replace a leader, the user should select any other device within its
+group and use it to send a signed message to all other users.
+3. To get the ability to sign messages, this new leader should request the
+keypair associated to the ID to the wallet.
+4. Once the leader has been changed, it revocates access from DCGKA to the
+former leader using the DCGKA protocol.
+5. The new leader starts a key update in DCGKA.
+
+Not all devices in a group should be able to send messages to other users. Only
+the leader device should be in charge of sending and receiving messages.
+To prevent other devices from sending messages outside their group, a
+requirement should be signing each message. The keys associated to the `ID`
+should only be in control of the leader device.
+
+The leader device is in charge of setting the keys involved in the DCGKA. This
+information must be replicated within the group to make sure it is updated.
+
+To detect missing messages or potential misbehavior, messages must include a
+counter.
+
+### Using UPKE
+
+Managing the group of devices of a user can be done either using a group key
+protocol such as treeKEM or using the keypair of each device.
+Setting a common key for a group of devices under the control of the same actor
+might be excessive, furthermore it may imply some of the problems one can find
+in the usual setting of a group of different users;
+for example: one of the devices may not participate in the required updating
+processes, representing a threat for the group.
+
+The other approach to managing the group of devices is using each device’s
+keypair, but it would require each device updating these materia frequently,
+something that may not happens.
+
+[UPKE](https://eprint.iacr.org/2022/068) is a form of asymetric cryptography
+where any user can update any other user’s key pair by running an update
+algorithm with (high-entropy) private coins. Any sender can initiate a *key
+update* by sending a special update ciphertext.
+This ciphertext updates the receiver’s public key and also, once processed by
+the receiver, will update their secret key.
+
+To the best of my knowledge, there exists several efficient constructions both
+[UPKE from ElGamal](https://eprint.iacr.org/2019/1189) (based in the DH
+assumption) and [UPKE from Lattices]((https://eprint.iacr.org/2023/1400))
+(based in lattices).
+None of them have been implemented in a secure messaging protocol, and this
+opens the door to some novel research.
+
+## Copyright
+
+Copyright and related rights waived via
+[CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [DCGKA](https://eprint.iacr.org/2020/1281)
+- [MLS](https://messaginglayersecurity.rocks)
+- [CoCoa](https://eprint.iacr.org/2022/251)
+- [Causal TreeKEM](https://mattweidner.com/assets/pdf/acs-dissertation.pdf)
+- [SIWE](https://docs.login.xyz/general-information/siwe-overview)
+- [Multi-device for Signal](https://eprint.iacr.org/2019/1363)
+- [UPKE](https://eprint.iacr.org/2022/068)
+- [UPKE from ElGamal](https://eprint.iacr.org/2019/1189)
+- [UPKE from Lattices](https://eprint.iacr.org/2023/1400)

vac/raw/eth-mls-offchain.md

@@ -0,0 +1,436 @@
+---
+title: ETH-MLS-OFFCHAIN
+name: Secure channel setup using decentralized MLS and Ethereum accounts
+status: raw
+category: Standards Track
+tags:
+editor: Ugur Sen [ugur@status.im](mailto:ugur@status.im)
+contributors: seemenkina [ekaterina@status.im](mailto:ekaterina@status.im)
+
+---
+
+## Abstract
+
+The following document specifies Ethereum authenticated scalable
+and decentralized secure group messaging application by
+integrating Message Layer Security (MLS) backend.
+Decentralization refers each user is a node in P2P network and
+each user has voice for any changes in group.
+This is achieved by integrating a consensus mechanism.
+Lastly, this RFC can also be referred to as de-MLS,
+decentralized MLS, to emphasize its deviation
+from the centralized trust assumptions of traditional MLS deployments.
+
+## Motivation
+
+Group messaging is a fundamental part of digital communication,
+yet most existing systems depend on centralized servers,
+which introduce risks around privacy, censorship, and unilateral control.
+In restrictive settings, servers can be blocked or surveilled;
+in more open environments, users still face opaque moderation policies,
+data collection, and exclusion from decision-making processes.
+To address this, we propose a decentralized, scalable peer-to-peer
+group messaging system where each participant runs a node, contributes
+to message propagation, and takes part in governance autonomously.
+Group membership changes are decided collectively through a lightweight
+partially synchronous, fault-tolerant consensus protocol without a centralized identity.
+This design enables truly democratic group communication and is well-suited
+for use cases like activist collectives, research collaborations, DAOs, support groups,
+and decentralized social platforms.
+
+## Format Specification
+
+The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
+“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document
+are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+
+### Assumptions
+
+- The nodes in the P2P network can discover other nodes or will connect to other nodes when subscribing to same topic in a gossipsub.
+- We MAY have non-reliable (silent) nodes.
+- We MUST have a consensus that is lightweight, scalable and finalized in a specific time.
+
+## Roles
+
+The three roles used in de-MLS is as follows:
+
+- `node`: Nodes are participants in the network that are not currently members
+of any secure group messaging session but remain available as potential candidates for group membership.
+- `member`: Members are special nodes in the secure group messaging who
+obtains current group key of secure group messaging.
+Each node is assigned a unique identity represented as a 20-byte value named `member id`.
+- `steward`: Stewards are special and transparent members in the secure group
+messaging who organize the changes by releasing commit messages upon the voted proposals.
+There are two special subsets of steward as epoch and backup steward,
+which are defined in the section de-MLS Objects.
+
+## MLS Background
+
+The de-MLS consists of MLS backend, so the MLS services and other MLS components
+are taken from the original [MLS specification](https://datatracker.ietf.org/doc/rfc9420/), with or without modifications.
+
+### MLS Services
+
+MLS is operated in two services authentication service (AS) and delivery service (DS).
+Authentication service enables group members to authenticate the credentials presented by other group members.
+The delivery service routes MLS messages among the nodes or
+members in the protocol in the correct order and
+manage the `keyPackage` of the users where the `keyPackage` is the objects
+ that provide some public information about a user.
+
+### MLS Objects
+
+Following section presents the MLS objects and components that used in this RFC:
+
+`Epoch`: Time intervals that changes the state that is defined by members,
+section 3.4 in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/).
+
+`MLS proposal message:` Members MUST receive the proposal message prior to the
+corresponding commit message that initiates a new epoch with key changes,
+in order to ensure the intended security properties, section 12.1 in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/).
+Here, the add and remove proposals are used.
+
+`Application message`: This message type used in arbitrary encrypted communication between group members.
+This is restricted by [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) as if there is pending proposal,
+the application message should be cut.
+Note that: Since the MLS is based on servers, this delay between proposal and commit messages are very small.
+
+`Commit message:` After members receive the proposals regarding group changes,
+the committer, who may be any member of the group, as specified in  [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/),
+generates the necessary key material for the next epoch, including the appropriate welcome messages
+for new joiners and new entropy for removed members. In this RFC, the committers only MUST be stewards.
+
+### de-MLS Objects
+
+This section presents the de-MLS objects:
+
+`Voting proposal`: Similar to MLS proposals, but processed only if approved through a voting process.
+They function as application messages in the MLS group,
+allowing the steward to collect them without halting the protocol.
+There are three types of `voting proposal` according to the type of consensus as in shown Consensus Types section,
+these are, `commit proposal`, `steward election proposal` and `emergency criteria proposal`.
+
+`Epoch steward`: The steward assigned to commit in `epoch E` according to the steward list.
+Holds the primary responsibility for creating commit in that epoch.
+
+`Backup steward`: The steward next in line after the `epoch steward` on the `steward list` in `epoch E`.
+Only becomes active if the `epoch steward` is malicious or fails,
+in which case it completes the commitment phase.
+If unused in `epoch E`, it automatically becomes the `epoch steward` in `epoch E+1`.
+
+`Steward list`: It is an ordered list that contains the `member id`s of authorized stewards.
+Each steward in the list becomes main responsible for creating the commit message when its turn arrives,
+according to this order for each epoch.
+For example, suppose there are two stewards in the list `steward A` first and `steward B` last in the list.
+`steward A` is responsible for creating the commit message for first epoch.
+Similarly, `steward B` is for the last epoch.
+Since the `epoch steward` is the primary committer for an epoch,
+it holds the main responsibility for producing the commit.
+However, other stewards MAY also generate a commit within the same epoch to preserve liveness
+in case the epoch steward is inactive or slow.
+Duplicate commits are not re-applied and only the single valid commit for the epoch is accepted by the group,
+as in described in section filtering proposals against the multiple comitting.
+
+Therefore, if a malicious steward occurred, the `backup steward` will be charged with committing.
+Lastly, the size of the list named as `sn`, which also shows the epoch interval for steward list determination.
+
+## Flow
+
+General flow is as follows:
+
+- A steward initializes a group just once, and then sends out Group Announcements (GA) periodically.
+- Meanwhile, each `node` creates and sends their `credential` includes `keyPackage`.
+- Each `member` creates `voting proposals` sends them to from MLS group during `epoch E`.
+- Meanwhile, the `steward` collects finalized `voting proposals` from MLS group and converts them into
+`MLS proposals` then sends them with corresponding `commit messages`
+- Evantually, with the commit messages, all members starts the next `epoch E+1`.
+
+## Creating Voting Proposal
+
+A `member` MAY initializes the voting with the proposal payload
+which is implemented using [protocol buffers v3](https://protobuf.dev/) as follows:
+
+```protobuf
+
+syntax = "proto3";
+
+message Proposal {
+string name = 10;                 // Proposal name
+string payload = 11;              // Describes the what is voting fore 
+int32 proposal_id = 12;           // Unique identifier of the proposal
+bytes proposal_owner = 13;        // Public key of the creator
+repeated Vote votes = 14;         // Vote list in the proposal
+int32 expected_voters_count = 15; // Maximum number of distinct voters
+int32 round = 16;                 // Number of Votes
+int64 timestamp = 17;             // Creation time of proposal
+int64 expiration_time = 18;       // Time interval that the proposal is active
+bool liveness_criteria_yes = 19;  // Shows how managing the silent peers vote
+}
+```
+
+```bash
+message Vote {
+int32 vote_id = 20;             // Unique identifier of the vote
+bytes vote_owner = 21;          // Voter's public key
+int64 timestamp = 22;           // Time when the vote was cast
+bool vote = 23;                 // Vote bool value (true/false)
+bytes parent_hash = 24;         // Hash of previous owner's Vote
+bytes received_hash = 25;       // Hash of previous received Vote
+bytes vote_hash = 26;           // Hash of all previously defined fields in Vote
+bytes signature = 27;           // Signature of vote_hash
+}
+```
+
+The voting proposal MAY include adding a `node` or removing a `member`.
+After the `member` creates the voting proposal,
+it is emitted to the network via the MLS `Application message` with a lightweight,
+epoch based voting such as [hashgraphlike consensus.](https://github.com/vacp2p/rfc-index/blob/consensus-hashgraph-like/vac/raw/consensus-hashgraphlike.md)
+This consensus result MUST be finalized within the epoch as YES or NO.
+
+If the voting result is YES, this points out the voting proposal will be converted into
+the MLS proposal by the `steward` and following commit message that starts the new epoch.
+
+## Creating welcome message
+
+When a MLS `MLS proposal message` is created by the `steward`,
+a `commit message` SHOULD follow,
+as in section 12.04 [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) to the members.
+In order for the new `member` joining the group to synchronize with the current members
+who received the `commit message`,
+the `steward` sends a welcome message to the node as the new `member`,
+as in section 12.4.3.1. [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/).
+
+## Single steward
+
+To naive way to create a decentralized secure group messaging is having a single transparent `steward`
+who only applies the changes regarding the result of the voting.
+
+This is mostly similar with the general flow and specified in voting proposal and welcome message creation sections.
+
+1. Each time a single `steward` initializes a group with group parameters with parameters
+as in section 8.1. Group Context in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/).
+2. `steward` creates a group anouncement (GA) according to the previous step and
+broadcast it to the all network periodically. GA message is visible in network to all `nodes`.
+3. The each `node` who wants to be a `member` needs to obtain this anouncement and create `credential`
+includes `keyPackage` that is specified in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) section 10.
+4. The `node` send the `KeyPackages` in plaintext with its signature with current `steward` public key which
+anounced in welcome topic. This step is crucial for security, ensuring that malicious nodes/stewards
+cannot use others' `KeyPackages`.
+It also provides flexibility for liveness in multi-steward settings,
+allowing more than one steward to obtain `KeyPackages` to commit.
+5. The `steward` aggregates all `KeyPackages` utilizes them to provision group additions for new members,
+based on the outcome of the voting process.
+6. Any `member` start to create `voting proposals` for adding or removing users,
+and present them to the voting in the MLS group as an application message.
+
+However, unlimited use of `voting proposals` within the group may be misused by
+malicious or overly active members.
+Therefore, an application-level constraint can be introduced to limit the number
+or frequency of proposals initiated by each member to prevent spam or abuse.
+7. Meanwhile, the `steward` collects finalized `voting proposals` with in epoch `E`,
+that have received affirmative votes from members via application messages.
+Otherwise, the `steward` discards proposals that did not receive a majority of "YES" votes.
+Since voting proposals are transmitted as application messages, omitting them does not affect
+the protocol’s correctness or consistency.
+8. The `steward` converts all approved `voting proposals` into
+corresponding `MLS proposals` and `commit message`, and
+transmits both in a single operation as in [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) section 12.4,
+including welcome messages for the new members.
+Therefore, the `commit message` ends the previous epoch and create new ones.
+9. The `members` applied the incoming `commit message` by checking the signatures and `voting proposals`
+and synchronized with the upcoming epoch.
+
+## Multi stewards
+
+Decentralization has already been achieved in the previous section.
+However, to improve availability and ensure censorship resistance,
+the single steward protocol is extended to a multi steward architecture.
+In this design, each epoch is coordinated by a designated steward,
+operating under the same protocol as the single steward model.
+Thus, the multi steward approach primarily defines how steward roles
+rotate across epochs while preserving the underlying structure and logic of the original protocol.
+Two variants of the multi steward design are introduced to address different system requirements.
+
+### Consensus Types
+
+Consensus is agnostic with its payload; therefore, it can be used for various purposes.
+Note that each message for the consensus of proposals is an `application message` in the MLS object section.
+It is used in three ways as follows:
+
+1. `Commit proposal`:  It is the proposal instance that is specified in Creating Voting Proposal section
+with `Proposal.payload` MUST show the commit request from `members`.
+Any member MAY create this proposal in any epoch and `epoch steward` MUST collect and commit YES voted proposals.
+This is the only proposal type common to both single steward and multi steward designs.
+2. `Steward election proposal`: This is the process that finalizes the `steward list`,
+which sets and orders stewards responsible for creating commits over a predefined number of range in (`sn_min`,`sn_max`).
+The validity of the choosen `steward list` ends when the last steward in the list (the one at the final index) completes its commit.
+At that point, a new `steward election proposal` MUST be initiated again by any member during the corresponding epoch.
+The `Proposal.payload` field MUST represent the ordered identities of the proposed stewards.
+Each steward election proposal MUST be verified and finalized through the consensus process
+so that members can identify which steward will be responsible in each epoch
+and detect any unauthorized steward commits.
+3. `Emergency criteria proposal`: If there is a malicious member or steward,
+this event MUST be voted on to finalize it.
+If this returns YES, the next epoch MUST include the removal of the member or steward.
+In a specific case where a steward is removed from the group, causing the total number of stewards to fall below `sn_min`,  
+it is required to repeat the `steward election proposal`.
+`Proposal.payload` MUST consist of the evidence of the dishonesty as described in the Steward violation list,
+and the identifier of the malicious member or steward.
+This proposal can be created by any member in any epoch.
+
+The order of consensus proposal messages is important to achieving a consistent result.
+Therefore, messages MUST be prioritized by type in the following order, from highest to lowest priority:
+
+- `Emergency criteria proposal`
+
+- `Steward election proposal`
+
+- `Commit proposal`
+
+This means that if a higher-priority consensus proposal is present in the network,
+lower-priority messages MUST be withheld from transmission until the higher-priority proposals have been finalized.
+
+### Steward list creation
+
+The `steward list` consists of steward nominees who will become actual stewards if the `steward election proposal` is finalized with YES,
+is arbitrarily chosen from `member` and OPTIONALLY adjusted depending on the needs of the implementation.
+The `steward list` size, defined by the minimum `sn_min` and maximum `sn_max` bounds,
+is determined at the time of group creation.
+The `sn_min` requirement is applied only when the total number of members exceeds `sn_min`;
+if the number of available members falls below this threshold,
+the list size automatically adjusts to include all existing members.
+
+The actual size of the list MAY vary within this range as `sn`, with the minimum value being at least 1.
+
+The index of the slots shows epoch info and value of index shows `member id`s.
+The next in line steward for the `epoch E` is named as `epoch steward`, which has index E.
+And the subsequent steward in the `epoch E` is named as the `backup steward`.
+For example, let's assume steward list is (S3, S2, S1) if in the previous epoch the roles were
+(`backup steward`: S2, `epoch steward`: S1), then in the next epoch they become
+(`backup steward`: S3, `epoch steward`: S2) by shifting.
+
+If the `epoch steward` is honest, the `backup steward` does not involve the process in epoch,
+and the `backup steward` will be the `epoch steward` within the `epoch E+1`.
+
+If the `epoch steward` is malicious, the `backup steward` is involved in the commitment phase in `epoch E`
+and the former steward becomes the `backup steward` in `epoch E`.
+
+Liveness criteria:
+
+Once the active `steward list` has completed its assigned epochs,
+
+members MUST proceed to elect the next set of stewards
+(which MAY include some or all of the previous members).
+This election is conducted through a type 2 consensus procedure, `steward election proposal`.
+
+A `Steward election proposal` is considered valid only if the resulting `steward list`
+is produced through a deterministic process that ensures an unbiased distribution of steward assignments,
+since allowing bias could enable a malicious participant to manipulate the list
+and retain control within a favored group for multiple epochs.
+
+The list MUST consist of at least `sn_min` members, including retained previous stewards,
+sorted according to the ascending value of `SHA256(epoch E || member id || group id)`,
+where `epoch E` is the epoch in which the election proposal is initiated,
+and `group id` for shuffling the list across the different groups.
+Any proposal with a list that does not adhere to this generation method MUST be rejected by all members.
+
+We assume that there are no recurring entries in `SHA256(epoch E || member id || group id)`, since the SHA256 outputs are unique
+when there is no repetition in the `member id` values, against the conflicts on sorting issues.
+
+### Multi steward with big consensuses
+
+In this model, all group modifications, such as adding or removing members,
+must be approved through consensus by all participants,
+including the steward assigned for `epoch E`.
+A configuration with multiple stewards operating under a shared consensus protocol offers
+increased decentralization and stronger protection against censorship.
+However, this benefit comes with reduced operational efficiency.
+The model is therefore best suited for small groups that value
+decentralization and censorship resistance more than performance.
+
+To create a multi steward with a big consensus,
+the group is initialized with a single steward as specified as follows:
+
+1. The steward initialized the group with the config file.
+This config file MUST contain (`sn_min`,`sn_max`) as the `steward list` size range.
+2. The steward adds the members as a centralized way till the number of members reaches the `sn_min`.
+Then, members propose lists by voting proposal with size `sn`
+as a consensus among all members, as mentioned in the consensus section 2, according to the checks:
+the size of the proposed list `sn` is in the interval (`sn_min`,`sn_max`).
+Note that if the total number of members is below `sn_min`,
+then the steward list size MUST be equal to the total member count.
+3. After the voting proposal ends up with a `steward list`,
+and group changes are ready to be committed as specified in single steward section
+with a difference which is members also check the committed steward is `epoch steward` or `backup steward`,
+otherwise anyone can create `emergency criteria proposal`.
+4. If the `epoch steward` violates the changing process as mentioned in the section Steward violation list,
+one of the members MUST initialize the `emergency criteria proposal` to remove the malicious Steward.
+Then `backup steward` fulfills the epoch by committing again correctly.
+
+A large consensus group provides better decentralization, but it requires significant coordination,
+which MAY not be suitable for groups with more than 1000 members.
+
+### Multi steward with small consensuses
+
+The small consensus model offers improved efficiency with a trade-off in decentralization.
+In this design, group changes require consensus only among the stewards, rather than all members.
+Regular members participate by periodically selecting the stewards by `steward election proposal`
+but do not take part in commit decision by `commit proposal`.
+This structure enables faster coordination since consensus is achieved within a smaller group of stewards.
+It is particularly suitable for large user groups, where involving every member in each decision would be impractical.
+
+The flow is similar to the big consensus including the `steward list` finalization with all members consensus
+only the difference here, the commit messages requires `commit proposal` only among the stewards.
+
+## Filtering proposals against the multiple comitting
+
+Since stewards are allowed to produce a commit even when they are not the designated `epoch steward`,
+multiple commits may appear within the same epoch, often reflecting recurring versions of the same proposal.
+To ensure a consistent outcome, the valid commit for the epoch SHOULD be selected as the one derived
+from the longest proposal chain, ordered by the ascending value of each proposal as `SHA256(proposal)`.
+All other cases, such as invalid commits or commits based on proposals that were not approved through voting,
+can be easily detected and discarded by the members.
+
+## Steward violation list
+
+A steward’s activity is called a violation if the action is one or more of the following:
+
+1. Broken commit: The steward releases a different commit message from the voted `commit proposal`.
+This activity is identified by the `members` since the [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/) provides the methods
+that members can use to identify the broken commit messages that are possible in a few situations,
+such as commit and proposal incompatibility. Specifically, the broken commit can arise as follows:
+    1. The commit belongs to the earlier epoch.
+    2. The commit message should equal the latest epoch
+    3. The commit needs to be compatible with the previous epoch’s `MLS proposal`.
+2. Broken MLS proposal: The steward prepares a different `MLS proposal` for the corresponding `voting proposal`.
+This activity is identified by the `members` since both `MLS proposal` and `voting proposal` are visible
+and can be identified by checking the hash of `Proposal.payload` and `MLSProposal.payload` is the same as RFC9240 section 12.1. Proposals.
+3. Censorship and inactivity: The situation where there is a voting proposal that is visible for every member,
+and the Steward does not provide an MLS proposal and commit.
+This activity is again identified by the `members`since `voting proposals` are visible to every member in the group,
+therefore each member can verify that there is no `MLS proposal` corresponding to `voting proposal`.
+
+## Security Considerations
+
+In this section, the security considerations are shown as de-MLS assurance.
+
+1. Malicious Steward: A Malicious steward can act maliciously,
+as in the Steward violation list section.
+Therefore, de-MLS enforces that any steward only follows the protocol under the consensus order
+and commits without emergency criteria application.
+2. Malicious Member: A member is only marked as malicious
+when the member acts by releasing a commit message.
+3. Steward list election bias: Although SHA256 is used together with two global variables
+to shuffle stewards in a deterministic and verifiable manner,
+this approach only minimizes election bias; it does not completely eliminate it.
+This design choice is intentional, in order to preserve the efficiency advantages provided by the MLS mechanism.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/)
+
+### References
+
+- [MLS RFC 9420](https://datatracker.ietf.org/doc/rfc9420/)
+- [Hashgraphlike Consensus](https://github.com/vacp2p/rfc-index/blob/consensus-hashgraph-like/vac/raw/consensus-hashgraphlike.md)
+- [vacp2p/de-mls](https://github.com/vacp2p/de-mls)

vac/raw/gossipsub-tor-push.md

@@ -1,6 +1,5 @@
 ---
-slug: 46
-title: 46/GOSSIPSUB-TOR-PUSH
+title: GOSSIPSUB-TOR-PUSH
 name: Gossipsub Tor Push
 status: raw
 category: Standards Track
@@ -19,21 +18,31 @@ Tor Push adds sender identity protection to gossipsub.
 **Protocol identifier**: /meshsub/1.1.0
 
 Note: Gossipsub Tor Push does not have a dedicated protocol identifier.
-It uses the same identifier as gossipsub and works with all [pubsub](https://github.com/libp2p/specs/tree/master/pubsub) based protocols.
-This allows nodes that are oblivious to Tor Push to process messages received via Tor Push.
+It uses the same identifier as gossipsub and
+works with all [pubsub](https://github.com/libp2p/specs/tree/master/pubsub)
+based protocols.
+This allows nodes that are oblivious to Tor Push to process messages received via
+Tor Push.
 
 ## Background
 
 Without extensions, [libp2p gossipsub](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
 does not protect sender identities.
 
-A possible design of an anonymity extension to gossipsub is pushing messages through an anonymization network before they enter the gossipsub network.
+A possible design of an anonymity extension to gossipsub
+is pushing messages through an anonymization network
+before they enter the gossipsub network.
 [Tor](https://www.torproject.org/) is currently the largest anonymization network.
 It is well researched and works reliably.
-Basing our solution on Tor both inherits existing security research, as well as allows for a quick deployment.
+Basing our solution on Tor both inherits existing security research,
+as well as allows for a quick deployment.
 
-Using the anonymization network approach, even the first gossipsub node that relays a given message cannot link the message to its sender (within a relatively strong adversarial model).
-Taking the low bandwidth overhead and the low latency overhead into consideration, Tor offers very good anonymity properties.
+Using the anonymization network approach,
+even the first gossipsub node that relays a given message
+cannot link the message to its sender
+(within a relatively strong adversarial model).
+Taking the low bandwidth overhead and the low latency overhead into consideration,
+Tor offers very good anonymity properties.
 
 ## Functional Operation
 
@@ -45,17 +54,20 @@ because Tor Push uses the same Protocol ID as gossipsub.
 Messages are sent over Tor via [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928).
 Tor Push uses a dedicated libp2p context to prevent information leakage.
 To significantly increase resilience and mitigate circuit failures,
-Tor Push establishes several connections, each to a different randomly selected gossipsub node.
+Tor Push establishes several connections,
+each to a different randomly selected gossipsub node.
 
 ## Specification
 
-This section specifies the format of Tor Push messages, as well as how Tor Push messages are received and sent, respectively.
+This section specifies the format of Tor Push messages,
+as well as how Tor Push messages are received and sent, respectively.
 
 ### Wire Format
 
-The wire format of a Tor Push message corresponds verbatim to a typical [libp2p pubsub message](https://github.com/libp2p/specs/tree/master/pubsub#the-message).
+The wire format of a Tor Push message corresponds verbatim to a typical
+[libp2p pubsub message](https://github.com/libp2p/specs/tree/master/pubsub#the-message).
 
-```
+```protobuf
 message Message {
   optional string from = 1;
   optional bytes data = 2;
@@ -68,12 +80,15 @@ message Message {
 
 ### Receiving Tor Push Messages
 
-Any node supporting a protocol with ID `/meshsub/1.1.0` (e.g. gossipsub), can receive Tor Push messages.
-Receiving nodes are oblivious to Tor Push and will process incoming messages according to the respective `meshsub/1.1.0` specification.
+Any node supporting a protocol with ID `/meshsub/1.1.0` (e.g. gossipsub),
+can receive Tor Push messages.
+Receiving nodes are oblivious to Tor Push and
+will process incoming messages according to the respective `meshsub/1.1.0` specification.
 
 ### Sending Tor Push Messages
 
-In the following, we refer to nodes sending Tor Push messages as Tp-nodes (Tor Push nodes).
+In the following, we refer to nodes sending Tor Push messages as Tp-nodes
+(Tor Push nodes).
 
 Tp-nodes MUST setup a separate libp2p context, i.e. [libp2p switch](https://docs.libp2p.io/concepts/multiplex/switch/),
 which MUST NOT be used for any purpose other than Tor Push.
@@ -82,29 +97,38 @@ The Tp-context MUST NOT share any data, e.g. peer lists, with the default contex
 
 Tp-peers are peers a Tp-node plans to send Tp-messages to.
 Tp-peers MUST support `/meshsub/1.1.0`.
-For retrieving Tp-peers, Tp-nodes SHOULD use an ambient peer discovery method that retrieves a random peer sample (from the set of all peers), e.g. [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md).
+For retrieving Tp-peers,
+Tp-nodes SHOULD use an ambient peer discovery method
+that retrieves a random peer sample (from the set of all peers),
+e.g. [33/WAKU2-DISCV5](../../waku/standards/core/33/discv5.md).
 
-Tp-nodes MUST establish a connection as described in sub-section [Tor Push Connection Establishment](#connection-establishment) to at least one Tp-peer.
-To significantly increase resilience, Tp-nodes SHOULD establish Tp-connections to `D` peers,
+Tp-nodes MUST establish a connection as described in sub-section
+[Tor Push Connection Establishment](#connection-establishment) to at least one Tp-peer.
+To significantly increase resilience,
+Tp-nodes SHOULD establish Tp-connections to `D` peers,
 where `D` is the [desired gossipsub out-degree](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.0.md#parameters),
 with a default value of `8`.
 
 Each Tp-message MUST be sent via the Tp-context over at least one Tp-connection.
-To increase resilience, Tp-messages SHOULD be sent via the Tp-context over all available Tp-connections.
+To increase resilience,
+Tp-messages SHOULD be sent via the Tp-context over all available Tp-connections.
 
 Control messages of any kind, e.g. gossipsub graft, MUST NOT be sent via Tor Push.
 
 #### Connection Establishment
 
-Tp-nodes establish a `/meshsub/1.1.0` connection to tp-peers via [SOCKS5](https://www.rfc-editor.org/rfc/rfc1928) over [Tor](https://www.torproject.org/).
+Tp-nodes establish a `/meshsub/1.1.0` connection to tp-peers via
+[SOCKS5](https://www.rfc-editor.org/rfc/rfc1928) over [Tor](https://www.torproject.org/).
 
-Establishing connections, which in turn establishes the respective Tor circuits, can be done ahead of time.
+Establishing connections, which in turn establishes the respective Tor circuits,
+can be done ahead of time.
 
 #### Epochs
 
 Tor Push introduces epochs.
 The default epoch duration is 10 minutes.
-(We might adjust this default value based on experiments and evaluation in future versions of this document.
+(We might adjust this default value based on experiments and
+evaluation in future versions of this document.
 It seems a good trade-off between traceablity and circuit building overhead.)
 
 For each epoch, the Tp-context SHOULD be refreshed, which includes
@@ -113,7 +137,9 @@ For each epoch, the Tp-context SHOULD be refreshed, which includes
 * Tp-peer list
 * connections to Tp-peers
 
-Both Tp-peer selection for the next epoch and establishing connections to the newly selected peers SHOULD be done during the current epoch
+Both Tp-peer selection for the next epoch and
+establishing connections to the newly selected peers
+SHOULD be done during the current epoch
 and be completed before the new epoch starts.
 This avoids adding latency to message transmission.
 
@@ -121,42 +147,54 @@ This avoids adding latency to message transmission.
 
 ### Fingerprinting Attacks
 
-Protocols that feature distinct patterns are prone to fingerprinting attacks when using them over Tor Push.
+Protocols that feature distinct patterns are prone to fingerprinting attacks
+when using them over Tor Push.
 Both malicious guards and exit nodes could detect these patterns
 and link the sender and receiver, respectively, to transmitted traffic.
-As a mitigation, such protocols can introduce dummy messages and/or padding to hide patterns.
+As a mitigation, such protocols can introduce dummy messages and/or
+padding to hide patterns.
 
 ### DoS
 
 #### General DoS against Tor
 
-Using untargeted DoS to prevent Tor Push messages from entering the gossipsub network would cost vast resources,
-because Tor Push transmits messages over several circuits and the Tor network is well established.
+Using untargeted DoS to prevent Tor Push messages
+from entering the gossipsub network would cost vast resources,
+because Tor Push transmits messages over several circuits and
+the Tor network is well established.
 
 #### Targeting the Guard
 
-Denying the service of a specific guard node blocks Tp-nodes using the respective guard.
+Denying the service of a specific guard node
+blocks Tp-nodes using the respective guard.
 Tor guard selection will replace this guard [TODO elaborate].
-Still, messages might be delayed during this window which might be critical to certain applications.
+Still, messages might be delayed during this window
+which might be critical to certain applications.
 
 #### Targeting the Gossipsub Network
 
 Without sophisticated rate limiting (for example using [17/WAKU2-RLN-RELAY](../../waku/standards/core/17/rln-relay.md)),
 attackers can spam the gossipsub network.
 It is not enough to just block peers that send too many messages,
-because these messages might actually come from a Tor exit node that many honest Tp-nodes use.
-Without Tor Push, protocols on top of gossipsub could block peers if they exceed a certain message rate.
+because these messages might actually come from a Tor exit node
+that many honest Tp-nodes use.
+Without Tor Push,
+protocols on top of gossipsub could block peers
+if they exceed a certain message rate.
 With Tor Push, this would allow the reputation-based DoS attack described in
 [Bitcoin over Tor isn't a Good Idea](https://ieeexplore.ieee.org/abstract/document/7163022).
 
 #### Peer Discovery
 
-The discovery mechanism could be abused to link requesting nodes to their Tor connections to discovered nodes.
+The discovery mechanism could be abused to link requesting nodes
+to their Tor connections to discovered nodes.
 An attacker that controls both the node that responds to a discovery query,
 and the node who’s ENR the response contains,
-can link the requester to a Tor connection that is expected to be opened to the node represented by the returned ENR soon after.
+can link the requester to a Tor connection
+that is expected to be opened to the node represented by the returned ENR soon after.
 
-Further, the discovery mechanism (e.g. discv5) could be abused to distribute disproportionately many malicious nodes.
+Further, the discovery mechanism (e.g. discv5)
+could be abused to distribute disproportionately many malicious nodes.
 For instance if p% of the nodes in the network are malicious,
 an attacker could manipulate the discovery to return malicious nodes with 2p% probability.
 The discovery mechanism needs to be resilient against this attack.
@@ -164,8 +202,11 @@ The discovery mechanism needs to be resilient against this attack.
 ### Roll-out Phase
 
 During the roll-out phase of Tor Push, during which only a few nodes use Tor Push,
-attackers can narrow down the senders of Tor messages to the set of gossipsub nodes that do not originate messages.
-Nodes who want anonymity guarantees even during the roll-out phase can use separate network interfaces for their default context and Tp-context, respectively.
+attackers can narrow down the senders of Tor messages
+to the set of gossipsub nodes that do not originate messages.
+Nodes who want anonymity guarantees even during the roll-out phase
+can use separate network interfaces for their default context and
+Tp-context, respectively.
 For the best protection, these contexts should run on separate physical machines.
 
 ## Copyright

vac/raw/images/test.txt

@@ -0,0 +1 @@
+

vac/raw/noise-x3dh-double-ratchet.md

@@ -0,0 +1,345 @@
+---
+title: NOISE-X3DH-DOUBLE-RATCHET
+name: Secure 1-to-1 channel setup using X3DH and the double ratchet
+status: raw
+category: Standards Track
+tags:
+editor: Ramses Fernandez <ramses@status.im>
+contributors:
+---
+
+## Motivation
+
+The need for secure communications has become paramount.
+This specification outlines a protocol describing a
+secure 1-to-1 comunication channel between 2 users. The
+main components are the X3DH key establishment mechanism,
+combined with the double ratchet. The aim of this
+combination of schemes is providing a protocol with both
+forward secrecy and post-compromise security.
+
+## Theory
+
+The specification is based on the noise protocol framework.
+It corresponds to the double ratchet scheme combined with
+the X3DH algorithm, which will be used to initialize the former.
+We chose to express the protocol in noise to be be able to use
+the noise streamlined implementation and proving features.
+The X3DH algorithm provides both authentication and forward
+secrecy, as stated in the
+[X3DH specification](https://signal.org/docs/specifications/x3dh/).
+
+This protocol will consist of several stages:
+
+1. Key setting for X3DH: this step will produce
+prekey bundles for Bob which will be fed into X3DH.
+It will also allow Alice to generate the keys required
+to run the X3DH algorithm correctly.
+2. Execution of X3DH: This step will output
+a common secret key `SK` together with an additional
+data vector `AD`. Both will be used in the double
+ratchet algorithm initialization.
+3. Execution of the double ratchet algorithm
+for forward secure, authenticated communications,
+using the common secret key `SK`, obtained from X3DH, as a root key.
+
+The protocol assumes the following requirements:
+
+- Alice knows Bob’s Ethereum address.
+- Bob is willing to participate in the protocol,
+and publishes his public key.
+- Bob’s ownership of his public key is verifiable,
+- Alice wants to send message M to Bob.
+- An eavesdropper cannot read M’s content
+even if she is storing it or relaying it.
+
+## Syntax
+
+### Cryptographic suite
+
+The following cryptographic functions MUST be used:
+
+- `X488` as Diffie-Hellman function `DH`.
+- `SHA256` as KDF.
+- `AES256-GCM` as AEAD algorithm.
+- `SHA512` as hash function.
+- `XEd448` for digital signatures.
+
+### X3DH initialization
+
+This scheme MUST work on the curve curve448.
+The X3DH algorithm corresponds to the IX pattern in Noise.
+
+Bob and Alice MUST define personal key pairs
+`(ik_B, IK_B)` and `(ik_A, IK_A)` respectively where:
+
+- The key `ik` must be kept secret,
+- and the key `IK` is public.
+
+Bob MUST generate new keys using
+`(ik_B, IK_B) = GENERATE_KEYPAIR(curve = curve448)`.
+
+Bob MUST also generate a public key pair
+`(spk_B, SPK_B) = GENERATE_KEYPAIR(curve = curve448)`.
+
+`SPK` is a public key generated and stored at medium-term.
+Both signed prekey and the certificate MUST
+undergo periodic replacement.
+After replacing the key,
+Bob keeps the old private key of `SPK`
+for some interval, dependant on the implementation.
+This allows Bob to decrypt delayed messages.
+
+Bob MUST sign `SPK` for authentication:
+`SigSPK = XEd448(ik, Encode(SPK))`
+
+A final step requires the definition of
+`prekey_bundle = (IK, SPK, SigSPK, OPK_i)`
+
+One-time keys `OPK` MUST be generated as
+`(opk_B, OPK_B) = GENERATE_KEYPAIR(curve = curve448)`.
+
+Before sending an initial message to Bob,
+Alice MUST generate an AD: `AD = Encode(IK_A) || Encode(IK_B)`.
+
+Alice MUST generate ephemeral key pairs
+`(ek, EK) = GENERATE_KEYPAIR(curve = curve448)`.
+
+The function `Encode()` transforms a
+curve448 public key into a byte sequence.
+This is specified in the [RFC 7748](http://www.ietf.org/rfc/rfc7748.txt)
+on elliptic curves for security.
+
+One MUST consider `q = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885`
+for digital signatures with `(XEd448_sign, XEd448_verify)`:
+
+```text
+XEd448_sign((ik, IK), message):
+    Z = randbytes(64)  
+    r = SHA512(2^456 - 2 || ik || message || Z )
+    R = (r * convert_mont(5)) % q
+    h = SHA512(R || IK || M)
+    s = (r + h * ik) % q
+    return (R || s)
+```
+
+```text
+XEd448_verify(u, message, (R || s)):
+    if (R.y >= 2^448) or (s >= 2^446): return FALSE
+    h = (SHA512(R || 156326 || message)) % q
+    R_check = s * convert_mont(5) - h * 156326
+    if R == R_check: return TRUE
+    return FALSE 
+```
+
+```text
+convert_mont(u):
+    u_masked = u % mod 2^448
+    inv = ((1 - u_masked)^(2^448 - 2^224 - 3)) % (2^448 - 2^224 - 1)
+    P.y = ((1 + u_masked) * inv)) % (2^448 - 2^224 - 1)
+    P.s = 0
+    return P
+```
+
+### Use of X3DH
+
+This specification combines the double ratchet
+with X3DH using the following data as initialization for the former:
+
+- The `SK` output from X3DH becomes the `SK`
+input of the double ratchet. See section 3.3 of
+[Signal Specification](https://signal.org/docs/specifications/doubleratchet/)
+for a detailed description.
+- The `AD` output from X3DH becomes the `AD`
+input of the double ratchet. See sections 3.4 and 3.5 of
+[Signal Specification](https://signal.org/docs/specifications/doubleratchet/)
+for a detailed description.
+- Bob’s signed prekey `SigSPKB` from X3DH is used as Bob’s
+initial ratchet public key of the double ratchet.
+
+X3DH has three phases:
+
+1. Bob publishes his identity key and prekeys to a server,
+a network, or dedicated smart contract.
+2. Alice fetches a prekey bundle from the server,
+and uses it to send an initial message to Bob.
+3. Bob receives and processes Alice's initial message.
+
+Alice MUST perform the following computations:
+
+```text
+dh1 = DH(IK_A, SPK_B, curve = curve448)
+dh2 = DH(EK_A, IK_B, curve = curve448)
+dh3 = DH(EK_A, SPK_B)
+SK = KDF(dh1 || dh2 || dh3)
+```
+
+Alice MUST send to Bob a message containing:
+
+- `IK_A, EK_A`.
+- An identifier to Bob's prekeys used.
+- A message encrypted with AES256-GCM using `AD` and `SK`.
+
+Upon reception of the initial message, Bob MUST:
+
+1. Perform the same computations above with the `DH()` function.
+2. Derive `SK` and construct `AD`.
+3. Decrypt the initial message encrypted with `AES256-GCM`.
+4. If decryption fails, abort the protocol.
+
+### Initialization of the double datchet
+
+In this stage Bob and Alice have generated key pairs
+and agreed a shared secret `SK` using X3DH.
+
+Alice calls `RatchetInitAlice()` defined below:
+
+```text
+RatchetInitAlice(SK, IK_B):
+    state.DHs = GENERATE_KEYPAIR(curve = curve448)
+    state.DHr = IK_B
+    state.RK, state.CKs = HKDF(SK, DH(state.DHs, state.DHr)) 
+    state.CKr = None
+    state.Ns, state.Nr, state.PN = 0
+    state.MKSKIPPED = {}
+```
+
+The HKDF function MUST be the proposal by
+[Krawczyk and Eronen](http://www.ietf.org/rfc/rfc5869.txt).
+In this proposal `chaining_key` and `input_key_material`
+MUST be replaced with `SK` and the output of `DH` respectively.
+
+Similarly, Bob calls the function `RatchetInitBob()` defined below:
+
+```text
+RatchetInitBob(SK, (ik_B,IK_B)):
+    state.DHs = (ik_B, IK_B)
+    state.Dhr = None
+    state.RK = SK
+    state.CKs, state.CKr = None
+    state.Ns, state.Nr, state.PN = 0
+    state.MKSKIPPED = {}
+```
+
+### Encryption
+
+This function performs the symmetric key ratchet.
+
+```text
+RatchetEncrypt(state, plaintext, AD):
+   state.CKs, mk = HMAC-SHA256(state.CKs)
+   header = HEADER(state.DHs, state.PN, state.Ns)
+   state.Ns = state.Ns + 1
+   return header, AES256-GCM_Enc(mk, plaintext, AD || header)
+```
+
+The `HEADER` function creates a new message header
+containing the public key from the key pair output of the `DH`function.
+It outputs the previous chain length `pn`,
+and the message number `n`.
+The returned header object contains ratchet public key
+`dh` and integers `pn` and `n`.
+
+### Decryption
+
+The function `RatchetDecrypt()` decrypts incoming messages:
+
+```text
+RatchetDecrypt(state, header, ciphertext, AD):
+    plaintext = TrySkippedMessageKeys(state, header, ciphertext, AD)
+    if plaintext != None:
+        return plaintext
+    if header.dh != state.DHr:
+        SkipMessageKeys(state, header.pn)
+        DHRatchet(state, header)
+    SkipMessageKeys(state, header.n)
+    state.CKr, mk = HMAC-SHA256(state.CKr)
+    state.Nr = state.Nr + 1
+    return AES256-GCM_Dec(mk, ciphertext, AD || header)
+```
+
+Auxiliary functions follow:
+
+```text
+DHRatchet(state, header):
+    state.PN = state.Ns
+    state.Ns = state.Nr = 0
+    state.DHr = header.dh
+    state.RK, state.CKr = HKDF(state.RK, DH(state.DHs, state.DHr))
+    state.DHs = GENERATE_KEYPAIR(curve = curve448)
+    state.RK, state.CKs = HKDF(state.RK, DH(state.DHs, state.DHr))
+```
+
+```text
+SkipMessageKeys(state, until):
+    if state.NR + MAX_SKIP < until:
+        raise Error
+    if state.CKr != none:
+        while state.Nr < until:
+            state.CKr, mk = HMAC-SHA256(state.CKr)
+            state.MKSKIPPED[state.DHr, state.Nr] = mk
+            state.Nr = state.Nr + 1
+```
+
+```text
+TrySkippedMessageKey(state, header, ciphertext, AD):
+    if (header.dh, header.n) in state.MKSKIPPED:
+        mk = state.MKSKIPPED[header.dh, header.n]
+        delete state.MKSKIPPED[header.dh, header.n]
+        return AES256-GCM_Dec(mk, ciphertext, AD || header)
+    else: return None
+```
+
+## Information retrieval
+
+### Static data
+
+Some data, such as the key pairs `(ik, IK)` for Alice and Bob,
+MAY NOT be regenerated after a period of time.
+Therefore the prekey bundle MAY be stored in long-term
+storage solutions, such as a dedicated smart contract
+which outputs such a key pair when receiving an Ethereum wallet
+address.
+
+Storing static data is done using a dedicated
+smart contract `PublicKeyStorage` which associates
+the Ethereum wallet address of a user with his public key.
+This mapping is done by `PublicKeyStorage`
+using a `publicKeys` function, or a `setPublicKey` function.
+This mapping is done if the user passed an authorization process.
+A user who wants to retrieve a public key associated
+with a specific wallet address calls a function `getPublicKey`.
+The user provides the wallet address as the only
+input parameter for `getPublicKey`.
+The function outputs the associated public key
+from the smart contract.
+
+### Ephemeral data
+
+Storing ephemeral data on Ethereum MAY be done using
+a combination of on-chain and off-chain solutions.
+This approach provides an efficient solution to
+the problem of storing updatable data in Ethereum.
+
+1. Ethereum stores a reference or a hash
+that points to the off-chain data.
+2. Off-chain solutions can include systems like IPFS,
+traditional cloud storage solutions, or
+decentralized storage networks such as a
+[Swarm](https://www.ethswarm.org).
+
+In any case, the user stores the associated
+IPFS hash, URL or reference in Ethereum.
+
+The fact of a user not updating the ephemeral information
+can be understood as Bob not willing to participate in any
+communication.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [The Double Ratchet Algorithm](https://signal.org/docs/specifications/doubleratchet/)
+- [The X3DH Key Agreement Protocol](https://signal.org/docs/specifications/x3dh/)

vac/raw/rln-interep-spec.md

@@ -0,0 +1,140 @@
+---
+title: RLN-INTEREP-SPEC
+name: Interep as group management for RLN
+status: raw
+category:  
+tags: rln
+editor: Aaryamann Challani <p1ge0nh8er@proton.me>
+contributors:
+---
+
+## Abstract
+
+This spec integrates [Interep](https://interep.link)
+into the [RLN](../32/rln-v1.md) spec.
+Interep is a group management protocol
+that allows for the creation of groups of users and
+the management of their membership.
+It is used to manage the membership of the RLN group.
+
+Interep ties in web2 identities with reputation, and
+sorts the users into groups based on their reputation score.
+For example, a GitHub user with over 100 followers is considered to have "gold" reputation.
+
+Interep uses [Semaphore](https://semaphore.appliedzkp.org/)
+under the hood to allow anonymous signaling of membership in a group.
+Therefore, a user with a "gold" reputation can prove the existence
+of their membership without revealing their identity.
+
+RLN is used for spam prevention, and Interep is used for group management.
+
+By using Interep with RLN,
+we allow users to join RLN membership groups
+without the need for on-chain financial stake.
+
+## Motivation
+
+To have Sybil-Resistant group management,
+there are [implementations](https://github.com/vacp2p/rln-contract)
+of RLN which make use of financial stake on-chain.
+However, this is not ideal because it reduces the barrier of entry for honest participants.
+
+In this case,
+honest participants will most likely have a web2 identity accessible to them,
+which can be used for joining an Interep reputation group.
+By modifying the RLN spec to use Interep,
+we can have Sybil-Resistant group management
+without the need for on-chain financial stake.
+
+Since RLN and Interep both use Semaphore-style credentials,
+it is possible to use the same set of credentials for both.
+
+## Functional Operation
+
+Using Interep with RLN involves the following steps -
+
+1. Generate Semaphore credentials
+2. Verify reputation and join Interep group
+3. Join RLN membership group via interaction with Smart Contract,
+by passing a proof of membership to the Interep group
+
+### 1. Generate Semaphore credentials
+
+Semaphore credentials are generated in a standard way,
+depicted in the [Semaphore documentation](https://semaphore.appliedzkp.org/docs/guides/identities#create-deterministic-identities).
+
+### 2. Verify reputation and join Interep group
+
+Using the Interep app deployed on [Goerli](https://goerli.interep.link/),
+the user can check their reputation tier and join the corresponding group.
+This results in a transaction to the Interep contract, which adds them to the group.
+
+### 3. Join RLN membership group
+
+Instead of sending funds to the RLN contract to join the membership group,
+the user can send a proof of membership to the Interep group.
+This proof is generated by the user, and
+is verified by the contract.
+The contract ensures that the user is a member of the Interep group, and
+then adds them to the RLN membership group.
+
+Following is the modified signature of the register function
+in the RLN contract -
+
+```solidity
+    /// @param groupId: Id of the group.
+    /// @param signal: Semaphore signal.
+    /// @param nullifierHash: Nullifier hash.
+    /// @param externalNullifier: External nullifier.
+    /// @param proof: Zero-knowledge proof.
+    /// @param idCommitment: ID Commitment of the member.
+    function register(
+        uint256 groupId,
+        bytes32 signal,
+        uint256 nullifierHash,
+        uint256 externalNullifier,
+        uint256[8] calldata proof,
+        uint256 idCommitment
+    )
+```
+
+## Verification of messages
+
+Messages are verified the same way as in the [RLN spec](../32/rln-v1.md/#verification).
+
+## Slashing
+
+The slashing mechanism is the same as in the [RLN spec](../32/rln-v1.md/#slashing).
+It is important to note that the slashing
+may not have the intended effect on the user,
+since the only consequence is that they cannot send messages.
+This is due to the fact that the user
+can send a identity commitment in the registration to the RLN contract,
+which is different than the one used in the Interep group.
+
+## Proof of Concept
+
+A proof of concept is available at
+[vacp2p/rln-interp-contract](https://github.com/vacp2p/rln-interep-contract)
+which integrates Interep with RLN.
+
+## Security Considerations
+
+1. As mentioned in [Slashing](#slashing),
+the slashing mechanism may not have the intended effect on the user.
+2. This spec inherits the security considerations of the [RLN spec](../32/rln-v1.md/#security-considerations).
+3. This spec inherits the security considerations of [Interep](https://docs.interep.link/).
+4. A user may make multiple registrations using the same Interep proofs but
+different identity commitments.
+The way to mitigate this is to check if the nullifier hash has been detected
+previously in proof verification.
+
+## References
+
+1. [RLN spec](../32/rln-v1.md)
+2. [Interep](https://interep.link)
+3. [Semaphore](https://semaphore.appliedzkp.org/)
+4. [Decentralized cloudflare using Interep](https://ethresear.ch/t/decentralised-cloudflare-using-rln-and-rich-user-identities/10774)
+5. [Interep contracts](https://github.com/interep-project/contracts)
+6. [RLN contract](https://github.com/vacp2p/rln-contract)
+7. [RLNP2P](https://rlnp2p.vac.dev/)

vac/raw/rln-stealth-commitments.md

@@ -0,0 +1,126 @@
+---
+title: RLN-STEALTH-COMMITMENTS
+name: RLN Stealth Commitment Usage
+category: Standards Track
+editor: Aaryamann Challani <p1ge0nh8er@proton.me>
+contributors:
+- Jimmy Debe <jimmy@status.im>
+---
+
+## Abstract
+
+This specification describes the usage of stealth commitments
+to add prospective users to a network-governed
+[32/RLN-V1](./32/rln-v1.md) membership set.
+
+## Motivation
+
+When [32/RLN-V1](./32/rln-v1.md) is enforced in [10/Waku2](../waku/standards/core/10/waku2.md),
+all users are required to register to a membership set.
+The membership set will store user identities
+allowing the secure interaction within an application.
+Forcing a user to do an on-chain transaction
+to join a membership set is an onboarding friction,
+and some projects may be opposed to this method.
+To improve the user experience,
+stealth commitments can be used by a counterparty
+to register identities on the user's behalf,
+while maintaining the user's anonymity.
+
+This document specifies a privacy-preserving mechanism,
+allowing a counterparty to utilize [32/RLN-V1](./32/rln-v1.md)
+to register an `identityCommitment` on-chain.
+Counterparties will be able to register members
+to a RLN membership set without exposing the user's private keys.
+
+## Background
+
+The [32/RLN-V1](./32/rln-v1.md) protocol,
+consists of a smart contract that stores a `idenitityCommitment`
+in a membership set.
+In order for a user to join the membership set,
+the user is required to make a transaction on the blockchain.
+A set of public keys is used to compute a stealth commitment for a user,
+as described in [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564).
+This specification is an implementation of the
+[ERC-5564](https://eips.ethereum.org/EIPS/eip-5564) scheme,
+tailored to the curve that is used in the [32/RLN-V1](./32/rln-v1.md) protocol.
+
+This can be used in a couple of ways in applications:
+
+1. Applications can add users
+to the [32/RLN-V1](./32/rln-v1.md) membership set in a batch.
+2. Users of the application
+can register other users to the [32/RLN-V1](./32/rln-v1.md) membership set.
+
+This is useful when the prospective user does not have access to funds
+on the network that [32/RLN-V1](./32/rln-v1.md) is deployed on.
+
+## Wire Format Specification
+
+The two parties, the requester and the receiver,
+MUST exchange the following information:
+
+```protobuf
+
+message Request {
+  // The spending public key of the requester
+  bytes spending_public_key = 1;
+
+  // The viewing public key of the requester
+  bytes viewing_public_key = 2;
+}
+```
+
+### Generate Stealth Commitment
+
+The application or user SHOULD generate a `stealth_commitment`
+after a request to do so is received.
+This commitment MAY be inserted into the corresponding application membership set.
+
+Once the membership set is updated,
+the receiver SHOULD exchange the following as a response to the request:
+
+```protobuf
+
+message Response {
+  
+  // The used to check if the stealth_commitment belongs to the requester
+  bytes view_tag = 2;
+
+  // The stealth commitment for the requester
+  bytes stealth_commitment = 3;
+
+  // The ephemeral public key used to generate the commitment
+  bytes ephemeral_public_key = 4;
+
+}
+
+```
+
+The receiver MUST generate an `ephemeral_public_key`,
+`view_tag` and `stealth_commitment`.
+This will be used to check the stealth commitment
+used to register to the membership set,
+and the user MUST be able to check ownership with their `viewing_public_key`.
+
+## Implementation Suggestions
+
+An implementation of the Stealth Address scheme is available in the
+[erc-5564-bn254](https://github.com/rymnc/erc-5564-bn254) repository,
+which also includes a test to generate a stealth commitment for a given user.
+
+## Security/Privacy Considerations
+
+This specification inherits the security and privacy considerations of the
+[Stealth Address](https://eips.ethereum.org/EIPS/eip-5564) scheme.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [10/Waku2](../waku/standards/core/10/waku2.md)
+- [32/RLN-V1](./32/rln-v1.md)
+- [ERC-5564](https://eips.ethereum.org/EIPS/eip-5564)

vac/raw/rln-v2.md

@@ -1,6 +1,5 @@
 ---
-slug: 58
-title: 58/RLN-V2
+title: RLN-V2
 name: Rate Limit Nullifier V2
 status: raw
 editor: Rasul Ibragimov <curryrasul@gmail.com>
@@ -10,17 +9,26 @@ contributors:
 
 ## Abstract
 
-The protocol specified in this document is an improvement of [32/RLN-V1](../32/rln-v1.md), being more general construct, that allows to set various limits for an epoch (it's 1 message per epoch in [32/RLN-V1](../32/rln-v1.md)) while remaining almost as simple as it predecessor. 
-Moreover, it allows to set different rate-limits for different RLN app users based on some public data, e.g. stake or reputation.
+The protocol specified in this document is an improvement of [32/RLN-V1](../32/rln-v1.md),
+being more general construct, that allows to set various limits for an epoch
+(it's 1 message per epoch in [32/RLN-V1](../32/rln-v1.md))
+while remaining almost as simple as it predecessor.
+Moreover, it allows to set different rate-limits
+for different RLN app users based on some public data,
+e.g. stake or reputation.
 
 ## Motivation
 
-The main goal of this RFC is to generalize [32/RLN-V1](../32/rln-v1.md) and expand its applications. 
+The main goal of this RFC is to generalize [32/RLN-V1](../32/rln-v1.md) and
+expand its applications.
 There are two different subprotocols based on this protocol:
+
 * RLN-Same - RLN with the same rate-limit for all users;
 * RLN-Diff - RLN that allows to set different rate-limits for different users.
 
-It is important to note that by using a large epoch limit value, users will be able to remain anonymous, because their `internal_nullifiers` will not be repeated until they exceed the limit.
+It is important to note that by using a large epoch limit value,
+users will be able to remain anonymous,
+because their `internal_nullifiers` will not be repeated until they exceed the limit.
 
 ## Flow
 
@@ -30,11 +38,13 @@ As in [32/RLN-V1](../32/rln-v1.md), the general flow can be described by three s
 2. Signaling
 3. Verification and slashing
 
-The two sub-protocols have different flows, and hence are defined separately.
+The two sub-protocols have different flows, and
+hence are defined separately.
 
 ### Important note
 
-All terms and parameters used remain the same as in [32/RLN-V1](../32/rln-v1.md), more details [here](../32/rln-v1.md/#technical-overview)
+All terms and parameters used remain the same as in [32/RLN-V1](../32/rln-v1.md),
+more details [here](../32/rln-v1.md/#technical-overview)
 
 ## RLN-Same flow
 
@@ -42,13 +52,11 @@ All terms and parameters used remain the same as in [32/RLN-V1](../32/rln-v1.md)
 
 The registration process in the RLN-Same subprotocol does not differ from [32/RLN-V1](../32/rln-v1.md).
 
-### Signalling
-
-#### Proof generation
+Signalling
 
 For proof generation, the user needs to submit the following fields to the circuit:
 
-```
+```js
 {
     identity_secret: identity_secret_hash,
     path_elements: Merkle_proof.path_elements,
@@ -60,11 +68,11 @@ For proof generation, the user needs to submit the following fields to the circu
 }
 ```
 
-#### Calculating output
+Calculating output
 
 The following fields are needed for proof output calculation:
 
-```
+```js
 {
     identity_secret_hash: bigint, 
     external_nullifier: bigint,
@@ -75,7 +83,7 @@ The following fields are needed for proof output calculation:
 
 The output `[y, internal_nullifier]` is calculated in the following way:
 
-```
+```js
 a_0 = identity_secret_hash
 a_1 = poseidonHash([a0, external_nullifier, message_id])
 
@@ -86,29 +94,36 @@ internal_nullifier = poseidonHash([a_1])
 
 ## RLN-Diff flow
 
-### Registration
+Registration
 
-**id_commitment** in [32/RLN-V1](../32/rln-v1.md) is equal to `poseidonHash(identity_secret)`. 
-The goal of RLN-Diff is to set different rate-limits for different users. 
-It follows that **id_commitment** must somehow depend on the `user_message_limit` parameter, where 0 <= `user_message_limit` <= `message_limit`. 
+**id_commitment** in [32/RLN-V1](../32/rln-v1.md) is equal to `poseidonHash(identity_secret)`.
+The goal of RLN-Diff is to set different rate-limits for different users.
+It follows that **id_commitment** must somehow depend
+on the `user_message_limit` parameter,
+where 0 <= `user_message_limit` <= `message_limit`.
 There are few ways to do that:
-1. Sending `identity_secret_hash` = `poseidonHash(identity_secret, userMessageLimit)` and zk proof that `user_message_limit` is valid (is in the right range). 
-This approach requires zkSNARK verification, which is an expensive operation on the blockchain.
-2. Sending the same `identity_secret_hash` as in [32/RLN-V1](../32/rln-v1.md) (`poseidonHash(identity_secret)`) and a user_message_limit publicly to a server or smart-contract where `rate_commitment` = `poseidonHash(identity_secret_hash, userMessageLimit)` is calculated. 
-The leaves in the membership Merkle tree would be the rate_commitments of the users. 
-This approach requires additional hashing in the Circuit, but it eliminates the need for zk proof verification for the registration.
 
-Both methods are correct, and the choice of the method is left to the implementer. 
+1. Sending `identity_secret_hash` = `poseidonHash(identity_secret, userMessageLimit)`
+and zk proof that `user_message_limit` is valid (is in the right range).
+This approach requires zkSNARK verification,
+which is an expensive operation on the blockchain.
+2. Sending the same `identity_secret_hash` as in [32/RLN-V1](../32/rln-v1.md)
+(`poseidonHash(identity_secret)`) and a user_message_limit publicly to a server
+ or smart-contract where
+`rate_commitment` = `poseidonHash(identity_secret_hash, userMessageLimit)` is calculated.
+The leaves in the membership Merkle tree would be the rate_commitments of the users.
+This approach requires additional hashing in the Circuit, but
+it eliminates the need for zk proof verification for the registration.
+
+Both methods are correct, and the choice of the method is left to the implementer.
 It is recommended to use second method for the reasons already described.
 The following flow description will also be based on the second method.
 
-### Signalling
-
-#### Proof generation
+Signalling
 
 For proof generation, the user need to submit the following fields to the circuit:
 
-```
+```js
 {
     identity_secret: identity_secret_hash,
     path_elements: Merkle_proof.path_elements,
@@ -120,76 +135,92 @@ For proof generation, the user need to submit the following fields to the circui
 }
 ```
 
-#### Calculating output
+Calculating output
 
 The Output is calculated in the same way as the RLN-Same sub-protocol.
 
 ### Verification and slashing
 
 Verification and slashing in both subprotocols remain the same as in [32/RLN-V1](../32/rln-v1.md).
-The only difference that may arise is the `message_limit` check in RLN-Same, since it is now a public input of the Circuit.
+The only difference that may arise is the `message_limit` check in RLN-Same,
+since it is now a public input of the Circuit.
 
 ### ZK Circuits specification
 
-The design of the [32/RLN-V1](../32/rln-v1.md) circuits is different from the circuits of this protocol. 
+The design of the [32/RLN-V1](../32/rln-v1.md) circuits
+is different from the circuits of this protocol.
 RLN-v2 requires additional algebraic constraints.
 The membership proof and Shamir's Secret Sharing constraints remain unchanged.
 
 The ZK Circuit is implemented using a [Groth-16 ZK-SNARK](https://eprint.iacr.org/2016/260.pdf),
-using the [circomlib](https://docs.circom.io/) library. 
+using the [circomlib](https://docs.circom.io/) library.
 Both schemes contain compile-time constants/system parameters:
-* DEPTH - depth of membership Merkle tree
-* LIMIT_BIT_SIZE - bit size of `limit` numbers, e.g. for the 16 - maximum `limit` number is 65535.
 
-The main difference of the protocol is that instead of a new polynomial (a new value `a_1`) for a new epoch, a new polynomial is generated for each message. 
-The user assigns an identifier to each message; the main requirement is that this identifier be in the range from 1 to `limit`. 
+* DEPTH - depth of membership Merkle tree
+* LIMIT_BIT_SIZE - bit size of `limit` numbers,
+e.g. for the 16 - maximum `limit` number is 65535.
+
+The main difference of the protocol is that instead of a new polynomial
+(a new value `a_1`) for a new epoch, a new polynomial is generated for each message.
+The user assigns an identifier to each message;
+the main requirement is that this identifier be in the range from 1 to `limit`.
 This is proven using range constraints.
 
 ### RLN-Same circuit
 
 #### Circuit parameters
 
-**Public Inputs**
-- `x`
-- `external_nullifier`
-- `message_limit` - limit per epoch
+Public Inputs
 
-**Private Inputs**
-- `identity_secret_hash`
-- `path_elements` 
-- `identity_path_index`
-- `message_id`
+* `x`
+* `external_nullifier`
+* `message_limit` - limit per epoch
 
-**Outputs**
-- `y`
-- `root`
-- `internal_nullifier`
+Private Inputs
+
+* `identity_secret_hash`
+* `path_elements`
+* `identity_path_index`
+* `message_id`
+
+Outputs
+
+* `y`
+* `root`
+* `internal_nullifier`
 
 ### RLN-Diff circuit
 
-In the RLN-Diff scheme, instead of the public parameter `message_limit`, a parameter is used that is set for each user during registration (`user_message_limit`); the `message_id` value is compared to it in the same way as it is compared to `message_limit` in the case of RLN-Same.
+In the RLN-Diff scheme, instead of the public parameter `message_limit`,
+a parameter is used that is set for each user during registration (`user_message_limit`);
+the `message_id` value is compared to it in the same way
+as it is compared to `message_limit` in the case of RLN-Same.
 
-#### Circuit parameters
+Circuit parameters
 
-**Public Inputs**
-- `x`
-- `external_nullifier`
+Public Inputs
 
-**Private Inputs**
-- `identity_secret_hash`
-- `path_elements`
-- `identity_path_index`
-- `message_id`
-- `user_message_limit`
+* `x`
+* `external_nullifier`
 
-**Outputs**
-- `y`
-- `root`
-- `internal_nullifier`
+Private Inputs
+
+* `identity_secret_hash`
+* `path_elements`
+* `identity_path_index`
+* `message_id`
+* `user_message_limit`
+
+Outputs
+
+* `y`
+* `root`
+* `internal_nullifier`
 
 ## Appendix A: Security considerations
 
-Although there are changes in the circuits, this spec inherits all the security considerations of [32/RLN-V1](../32/rln-v1.md).
+Although there are changes in the circuits,
+this spec inherits all the security considerations of [32/RLN-V1](../32/rln-v1.md).
 
 ## Copyright
 
@@ -197,6 +228,6 @@ Copyright and related rights waived via [CC0](https://creativecommons.org/public
 
 ## References
 
-- [1](https://zkresear.ch/t/rate-limit-nullifier-v2-circuits/102)
-- [2](https://github.com/Rate-Limiting-Nullifier/rln-circuits-v2)
-- [3](../32/rln-v1.md/#technical-overview)
+* [1](https://zkresear.ch/t/rate-limit-nullifier-v2-circuits/102)
+* [2](https://github.com/Rate-Limiting-Nullifier/rln-circuits-v2)
+* [3](../32/rln-v1.md/#technical-overview)

vac/raw/sds.md

@@ -0,0 +1,495 @@
+---
+title: SDS
+name: Scalable Data Sync protocol for distributed logs
+status: raw
+editor: Hanno Cornelius <hanno@status.im>
+contributors:
+  - Akhil Peddireddy <akhil@status.im>
+---
+
+## Abstract
+
+This specification introduces the Scalable Data Sync (SDS) protocol
+to achieve end-to-end reliability
+when consolidating distributed logs in a decentralized manner.
+The protocol is designed for a peer-to-peer (p2p) topology
+where an append-only log is maintained by each member of a group of nodes
+who may individually append new entries to their local log at any time and
+is interested in merging new entries from other nodes in real-time or close to real-time
+while maintaining a consistent order.
+The outcome of the log consolidation procedure is
+that all nodes in the group eventually reflect in their own logs
+the same entries in the same order.
+The protocol aims to scale to very large groups.
+
+## Motivation
+
+A common application that fits this model is a p2p group chat (or group communication),
+where the participants act as log nodes
+and the group conversation is modelled as the consolidated logs
+maintained on each node.
+The problem of end-to-end reliability can then be stated as
+ensuring that all participants eventually see the same sequence of messages
+in the same causal order,
+despite the challenges of network latency, message loss,
+and scalability present in any communications transport layer.
+The rest of this document will assume the terminology of a group communication:
+log nodes being the _participants_ in the group chat
+and the logged entries being the _messages_ exchanged between participants.
+
+## Design Assumptions
+
+We make the following simplifying assumptions for a proposed reliability protocol:
+
+* **Broadcast routing:**
+Messages are broadcast disseminated by the underlying transport.
+The selected transport takes care of routing messages
+to all participants of the communication.
+* **Store nodes:**
+There are high-availability caches (a.k.a. Store nodes)
+from which missed messages can be retrieved.
+These caches maintain the full history of all messages that have been broadcast.
+This is an optional element in the protocol design,
+but improves scalability by reducing direct interactions between participants.
+* **Message ID:**
+Each message has a globally unique, immutable ID (or hash).
+Messages can be requested from the high-availability caches or
+other participants using the corresponding message ID.
+* **Participant ID:**
+Each participant has a globally unique, immutable ID
+visible to other participants in the communication.
+* **Sender ID:**
+The **Participant ID** of the original sender of a message,
+often coupled with a **Message ID**.
+
+## Wire protocol
+
+The keywords “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”,
+“SHOULD NOT”, “RECOMMENDED”, “MAY”, and
+ “OPTIONAL” in this document are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+
+### Message
+
+Messages MUST adhere to the following meta structure:
+
+```protobuf
+syntax = "proto3";
+
+message HistoryEntry {
+  string message_id = 1; // Unique identifier of the SDS message, as defined in `Message`
+  optional bytes retrieval_hint = 2; // Optional information to help remote parties retrieve this SDS message; For example, A Waku deterministic message hash or routing payload hash
+
+  optional string sender_id = 3; // Participant ID of original message sender. Only populated if using optional SDS Repair extension
+}
+
+message Message {
+  string sender_id = 1;           // Participant ID of the message sender
+  string message_id = 2;          // Unique identifier of the message
+  string channel_id = 3;          // Identifier of the channel to which the message belongs
+  optional uint64 lamport_timestamp = 10;    // Logical timestamp for causal ordering in channel
+  repeated HistoryEntry causal_history = 11;  // List of preceding message IDs that this message causally depends on. Generally 2 or 3 message IDs are included.
+  optional bytes bloom_filter = 12;         // Bloom filter representing received message IDs in channel
+
+  repeated HistoryEntry repair_request = 13; // Capped list of history entries missing from sender's causal history. Only populated if using the optional SDS Repair extension.
+
+  optional bytes content = 20;             // Actual content of the message
+}
+```
+
+The sending participant MUST include its own globally unique identifier in the `sender_id` field.
+In addition, it MUST include a globally unique identifier for the message in the `message_id` field,
+likely based on a message hash.
+The `channel_id` field MUST be set to the identifier of the channel of group communication
+that is being synchronized.
+For simple group communications without individual channels,
+the `channel_id` SHOULD be set to `0`.
+The `lamport_timestamp`, `causal_history` and
+`bloom_filter` fields MUST be set according to the [protocol steps](#protocol-steps)
+set out below.
+These fields MAY be left unset in the case of [ephemeral messages](#ephemeral-messages).
+The message `content` MAY be left empty for [periodic sync messages](#periodic-sync-message),
+otherwise it MUST contain the application-level content
+
+> **_Note:_** Close readers may notice that,
+outside of filtering messages originating from the sender itself,
+the `sender_id` field is not used for much.
+Its importance is expected to increase once a p2p retrieval mechanism is added to SDS,
+as is planned for the protocol.
+
+### Participant state
+
+Each participant MUST maintain:
+
+* A Lamport timestamp for each channel of communication,
+initialized to current epoch time in millisecond resolution.
+The Lamport timestamp is increased as described in the [protocol steps](#protocol-steps)
+to maintain a logical ordering of events while staying close to the current epoch time.
+This allows the messages from new joiners to be correctly ordered with other recent messages,
+without these new participants first having to synchronize past messages to discover the current Lamport timestamp.
+* A bloom filter for received message IDs per channel.
+The bloom filter SHOULD be rolled over and
+recomputed once it reaches a predefined capacity of message IDs.
+Furthermore,
+it SHOULD be designed to minimize false positives through an optimal selection of
+size and hash functions.
+* A buffer for unacknowledged outgoing messages
+* A buffer for incoming messages with unmet causal dependencies
+* A local log (or history) for each channel,
+containing all message IDs in the communication channel,
+ordered by Lamport timestamp.
+
+Messages in the unacknowledged outgoing buffer can be in one of three states:
+
+1. **Unacknowledged** - there has been no acknowledgement of message receipt
+by any participant in the channel
+2. **Possibly acknowledged** - there has been ambiguous indication that the message
+has been _possibly_ received by at least one participant in the channel
+3. **Acknowledged** - there has been sufficient indication that the message
+has been received by at least some of the participants in the channel.
+This state will also remove the message from the outgoing buffer.
+
+### Protocol Steps
+
+For each channel of communication,
+participants MUST follow these protocol steps to populate and interpret
+the `lamport_timestamp`, `causal_history` and `bloom_filter` fields.
+
+#### Send Message
+
+Before broadcasting a message:
+
+* the participant MUST set its local Lamport timestamp
+to the maximum between the current value + `1`
+and the current epoch time in milliseconds.
+In other words the local Lamport timestamp is set to `max(timeNowInMs, current_lamport_timestamp + 1)`.
+* the participant MUST include the increased Lamport timestamp in the message's `lamport_timestamp` field.
+* the participant MUST determine the preceding few message IDs in the local history
+and include these in an ordered list in the `causal_history` field.
+The number of message IDs to include in the `causal_history` depends on the application.
+We recommend a causal history of two message IDs.
+* the participant MAY include a `retrieval_hint` in the `HistoryEntry`
+for each message ID in the `causal_history` field.
+This is an application-specific field to facilitate retrieval of messages,
+e.g. from high-availability caches.
+* the participant MUST include the current `bloom_filter`
+state in the broadcast message.
+
+After broadcasting a message,
+the message MUST be added to the participant’s buffer
+of unacknowledged outgoing messages.
+
+#### Receive Message
+
+Upon receiving a message,
+
+* the participant SHOULD ignore the message if it has a `sender_id` matching its own.
+* the participant MAY deduplicate the message by comparing its `message_id` to previously received message IDs.
+* the participant MUST [review the ACK status](#review-ack-status) of messages
+in its unacknowledged outgoing buffer
+using the received message's causal history and bloom filter.
+* if the message has a populated `content` field,
+the participant MUST include the received message ID in its local bloom filter.
+* the participant MUST verify that all causal dependencies are met
+for the received message.
+Dependencies are met if the message IDs in the `causal_history` of the received message
+appear in the local history of the receiving participant.
+
+If all dependencies are met and the message has a populated `content` field,
+the participant MUST [deliver the message](#deliver-message).
+If dependencies are unmet,
+the participant MUST add the message to the incoming buffer of messages
+with unmet causal dependencies.
+
+#### Deliver Message
+
+Triggered by the [Receive Message](#receive-message) procedure.
+
+If the received message’s Lamport timestamp is greater than the participant's
+local Lamport timestamp,
+the participant MUST update its local Lamport timestamp to match the received message.
+The participant MUST insert the message ID into its local log,
+based on Lamport timestamp.
+If one or more message IDs with the same Lamport timestamp already exists,
+the participant MUST follow the [Resolve Conflicts](#resolve-conflicts) procedure.
+
+#### Resolve Conflicts
+
+Triggered by the [Deliver Message](#deliver-message) procedure.
+
+The participant MUST order messages with the same Lamport timestamp
+in ascending order of message ID.
+If the message ID is implemented as a hash of the message,
+this means the message with the lowest hash would precede
+other messages with the same Lamport timestamp in the local log.
+
+#### Review ACK Status
+
+Triggered by the [Receive Message](#receive-message) procedure.
+
+For each message in the unacknowledged outgoing buffer,
+based on the received `bloom_filter` and `causal_history`:
+
+* the participant MUST mark all messages in the received `causal_history` as **acknowledged**.
+* the participant MUST mark all messages included in the `bloom_filter`
+as **possibly acknowledged**.
+If a message appears as **possibly acknowledged** in multiple received bloom filters,
+the participant MAY mark it as acknowledged based on probabilistic grounds,
+taking into account the bloom filter size and hash number.
+
+#### Periodic Incoming Buffer Sweep
+
+The participant MUST periodically check causal dependencies for each message
+in the incoming buffer.
+For each message in the incoming buffer:
+
+* the participant MAY attempt to retrieve missing dependencies from the Store node
+(high-availability cache) or other peers.
+It MAY use the application-specific `retrieval_hint` in the `HistoryEntry` to facilitate retrieval.
+* if all dependencies of a message are met,
+the participant MUST proceed to [deliver the message](#deliver-message).
+
+If a message's causal dependencies have failed to be met
+after a predetermined amount of time,
+the participant MAY mark them as **irretrievably lost**.
+
+#### Periodic Outgoing Buffer Sweep
+
+The participant MUST rebroadcast **unacknowledged** outgoing messages
+after a set period.
+The participant SHOULD use distinct resend periods for **unacknowledged** and
+**possibly acknowledged** messages,
+prioritizing **unacknowledged** messages.
+
+#### Periodic Sync Message
+
+For each channel of communication,
+participants SHOULD periodically send sync messages to maintain state.
+These sync messages:
+
+* MUST be sent with empty content
+* MUST include a Lamport timestamp increased to `max(timeNowInMs, current_lamport_timestamp + 1)`,
+where `timeNowInMs` is the current epoch time in milliseconds.
+* MUST include causal history and bloom filter according to regular message rules
+* MUST NOT be added to the unacknowledged outgoing buffer
+* MUST NOT be included in causal histories of subsequent messages
+* MUST NOT be included in bloom filters
+* MUST NOT be added to the local log
+
+Since sync messages are not persisted,
+they MAY have non-unique message IDs without impacting the protocol.
+To avoid network activity bursts in large groups,
+a participant MAY choose to only send periodic sync messages
+if no other messages have been broadcast in the channel after a random backoff period.
+
+Participants MUST process the causal history and bloom filter of these sync messages
+following the same steps as regular messages,
+but MUST NOT persist the sync messages themselves.
+
+#### Ephemeral Messages
+
+Participants MAY choose to send short-lived messages for which no synchronization
+or reliability is required.
+These messages are termed _ephemeral_.
+
+Ephemeral messages SHOULD be sent with `lamport_timestamp`, `causal_history`, and
+`bloom_filter` unset.
+Ephemeral messages SHOULD NOT be added to the unacknowledged outgoing buffer
+after broadcast.
+Upon reception,
+ephemeral messages SHOULD be delivered immediately without buffering for causal dependencies
+or including in the local log.
+
+### SDS Repair (SDS-R)
+
+SDS Repair (SDS-R) is an optional extension module for SDS,
+allowing participants in a communication to collectively repair any gaps in causal history (missing messages)
+preferably over a limited time window.
+Since SDS-R acts as coordinated rebroadcasting of missing messages,
+which involves all participants of the communication,
+it is most appropriate in a limited use case for repairing relatively recent missed dependencies.
+It is not meant to replace mechanisms for long-term consistency,
+such as peer-to-peer syncing or the use of a high-availability centralised cache (Store node).
+
+#### SDS-R message fields
+
+SDS-R adds the following fields to SDS messages:
+
+* `sender_id` in `HistoryEntry`:
+the original message sender's participant ID.
+This is used to determine the group of participants who will respond to a repair request.
+* `repair_request` in `Message`:
+a capped list of history entries missing for the message sender
+and for which it's requesting a repair.
+
+#### SDS-R participant state
+
+SDS-R adds the following to each participant state:
+
+* Outgoing **repair request buffer**:
+a list of locally missing `HistoryEntry`s
+each mapped to a future request timestamp, `T_req`,
+after which this participant will request a repair if at that point the missing dependency has not been repaired yet.
+`T_req` is computed as a pseudorandom backoff from the timestamp when the dependency was detected missing.
+[Determining `T_req`](#determine-t_req) is described below.
+We RECOMMEND that the outgoing repair request buffer be chronologically ordered in ascending order of `T_req`.
+
+* Incoming **repair request buffer**:
+a list of locally available `HistoryEntry`s
+that were requested for repair by a remote participant
+AND for which this participant might be an eligible responder,
+each mapped to a future response timestamp, `T_resp`,
+after which this participant will rebroadcast the corresponding requested `Message` if at that point no other participant had rebroadcast the `Message`.
+`T_resp` is computed as a pseudorandom backoff from the timestamp when the repair was first requested.
+[Determining `T_resp`](#determine-t_resp) is described below.
+We describe below how a participant can [determine if they're an eligible responder](#determine-response-group) for a specific repair request.
+
+* Augmented local history log:
+for each message ID kept in the local log for which the participant could be a repair responder,
+the full SDS `Message` must be cached rather than just the message ID,
+in case this participant is called upon to rebroadcast the message.
+We describe below how a participant can [determine if they're an eligible responder](#determine-response-group) for a specific message.
+
+**_Note:_** The required state can likely be significantly reduced in future by simply requiring that a responding participant should _reconstruct_ the original `Message` when rebroadcasting, rather than the simpler, but heavier,
+requirement of caching the entire received `Message` content in local history.
+
+#### SDS-R global state
+
+For a specific channel (that is, within a specific SDS-controlled communication)
+the following SDS-R configuration state SHOULD be common for all participants in the conversation:
+
+* `T_min`: the _minimum_ time period to wait before a missing causal entry can be repaired.
+We RECOMMEND a value of at least 30 seconds.
+* `T_max`: the _maximum_ time period over which missing causal entries can be repaired.
+We RECOMMEND a value of between 120 and 600 seconds.
+
+Furthermore, to avoid a broadcast storm with multiple participants responding to a repair request,
+participants in a single channel MAY be divided into discrete response groups.
+Participants will only respond to a repair request if they are in the response group for that request.
+The global `num_response_groups` variable configures the number of response groups for this communication.
+Its use is described below.
+A reasonable default value for `num_response_groups` is one response group for every `128` participants.
+In other words, if the (roughly) expected number of participants is expressed as `num_participants`, then
+`num_response_groups = num_participants div 128 + 1`.
+In other words, if there are fewer than 128 participants in a communication,
+they will all belong to the same response group.
+
+We RECOMMEND that the global state variables `T_min`, `T_max` and `num_response_groups`
+be set _statically_ for a specific SDS-R application,
+based on expected number of group participants and volume of traffic.
+
+**_Note:_** Future versions of this protocol will recommend dynamic global SDS-R variables,
+based on the current number of participants.
+
+#### SDS-R send message
+
+SDS-R adds the following steps when sending a message:
+
+Before broadcasting a message,
+
+* the participant SHOULD populate the `repair_request` field in the message
+with _eligible_ entries from the outgoing repair request buffer.
+An entry is eligible to be included in a `repair_request`
+if its corresponding request timestamp, `T_req`, has expired (in other words,
+`T_req <= current_time`).
+The maximum number of repair request entries to include is up to the application.
+We RECOMMEND that this quota be filled by the eligible entries from the outgoing repair request buffer with the lowest `T_req`.
+We RECOMMEND a maximum of 3 entries.
+If there are no eligible entries in the buffer,
+this optional field MUST be left unset.
+
+#### SDS-R receive message
+
+On receiving a message,
+
+* the participant MUST remove entries matching the received message ID from its _outgoing_ repair request buffer.
+This ensures that the participant does not request repairs for dependencies that have now been met.
+* the participant MUST remove entries matching the received message ID from its _incoming_ repair request buffer.
+This ensures that the participant does not respond to repair requests that another participant has already responded to.
+* the participant SHOULD add any unmet causal dependencies to its outgoing repair request buffer against a unique `T_req` timestamp for that entry.
+It MUST compute the `T_req` for each such HistoryEntry according to the steps outlined in [_Determine T_req_](#determine-t_req).
+* for each item in the `repair_request` field:
+  * the participant MUST remove entries matching the repair message ID from its own outgoing repair request buffer.
+  This limits the number of participants that will request a common missing dependency.
+  * if the participant has the requested `Message` in its local history _and_ is an eligible responder for the repair request,
+  it SHOULD add the request to its incoming repair request buffer against a unique `T_resp` timestamp for that entry.
+  It MUST compute the `T_resp` for each such repair request according to the steps outlined in [_Determine T_resp_](#determine-t_resp).
+  It MUST determine if it's an eligible responder for a repair request according to the steps outlined in [_Determine response group_](#determine-response-group).
+
+#### Determine T_req
+
+A participant determines the repair request timestamp, `T_req`,
+for a missing `HistoryEntry` as follows:
+
+```text
+T_req = current_time + hash(participant_id, message_id) % (T_max - T_min) + T_min
+```
+
+where `current_time` is the current timestamp,
+`participant_id` is the participant's _own_ participant ID
+(not the `sender_id` in the missing `HistoryEntry`),
+`message_id` is the missing `HistoryEntry`'s message ID,
+and `T_min` and `T_max` are as set out in [SDS-R global state](#sds-r-global-state).
+
+This allows `T_req` to be pseudorandomly and linearly distributed as a backoff of between `T_min` and `T_max` from current time.
+
+> **_Note:_** placing `T_req` values on an exponential backoff curve will likely be more appropriate and is left for a future improvement.
+
+#### Determine T_resp
+
+A participant determines the repair response timestamp, `T_resp`,
+for a `HistoryEntry` that it could repair as follows:
+
+```text
+distance = hash(participant_id) XOR hash(sender_id)
+T_resp = current_time + distance*hash(message_id) % T_max
+```
+
+where `current_time` is the current timestamp,
+`participant_id` is the participant's _own_ (local) participant ID,
+`sender_id` is the requested `HistoryEntry` sender ID,
+`message_id` is the requested `HistoryEntry` message ID,
+and `T_max` is as set out in [SDS-R global state](#sds-r-global-state).
+
+We first calculate the logical `distance` between the local `participant_id` and
+the original `sender_id`.
+If this participant is the original sender, the `distance` will be `0`.
+It should then be clear that the original participant will have a response backoff time of `0`,
+making it the most likely responder.
+The `T_resp` values for other eligible participants will be pseudorandomly and
+linearly distributed as a backoff of up to `T_max` from current time.
+
+> **_Note:_** placing `T_resp` values on an exponential backoff curve will likely be more appropriate and
+is left for a future improvement.
+
+#### Determine response group
+
+Given a message with `sender_id` and `message_id`,
+a participant with `participant_id` is in the response group for that message if
+
+```text
+hash(participant_id, message_id) % num_response_groups == hash(sender_id, message_id) % num_response_groups
+```
+
+where `num_response_groups` is as set out in [SDS-R global state](#sds-r-global-state).
+This ensures that a participant will always be in the response group for its own published messages.
+It also allows participants to determine immediately on first reception of a message or
+a history entry if they are in the associated response group.
+
+#### SDS-R incoming repair request buffer sweep
+
+An SDS-R participant MUST periodically check if there are any incoming requests in the **incoming** repair request buffer* that is due for a response.
+For each item in the buffer,
+the participant SHOULD broadcast the corresponding `Message` from local history
+if its corresponding response timestamp, `T_resp`, has expired
+(in other words, `T_resp <= current_time`).
+
+#### SDS-R Periodic Sync Message
+
+If the participant is due to send a periodic sync message,
+it SHOULD send the message according to [SDS-R send message](#sds-r-send-message)
+if there are any eligible items in the outgoing repair request buffer,
+regardless of whether other participants have also recently broadcast a Periodic Sync message.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

vac/raw/zerokit-api.md

@@ -0,0 +1,405 @@
+---
+title: Zerokit-API
+name: Zerokit API
+status: raw
+category: Standards Track
+tags: [zerokit, rln, api]
+editor:
+contributors:
+---
+
+## Abstract
+
+This document specifies the Zerokit API, an implementation of the RLN-V2 protocol.
+The specification covers the unified interface exposed through native Rust,
+C-compatible Foreign Function Interface (FFI) bindings,
+and WebAssembly (WASM) bindings.
+
+## Motivation
+
+The main goal of this RFC is to define the API contract,
+serialization formats,
+and architectural guidance for integrating the Zerokit library
+across all supported platforms.
+Zerokit is the reference implementation of the RLN-V2 protocol.
+
+## Format Specification
+
+The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”,
+“SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document
+are to be interpreted as described in [2119](https://www.ietf.org/rfc/rfc2119.txt).
+
+### Important Note
+
+All terms and parameters used remain the same as in [32/RLN-V1](../32/rln-v1.md).
+More details are available in the [technical overview](../32/rln-v1.md#technical-overview).
+
+### Architecture Overview
+
+Zerokit follows a layered architecture where
+the core RLN logic is implemented once in Rust and
+exposed through platform-specific bindings.
+The protocol layer handles zero-knowledge proof generation and verification,
+Merkle tree operations,
+and cryptographic primitives.
+This core is wrapped by three interface layers:
+native Rust for direct library integration,
+FFI for C-compatible bindings consumed by languages (such as C and Nim),
+and WASM for browser and Node.js environments.
+All three interfaces maintain functional parity and
+share identical serialization formats for inputs and outputs.
+
+```text
+      ┌─────────────────────────────────────────────────────┐
+      │                  Application Layer                  │
+      └──────────┬───────────────┬───────────────┬──────────┘
+                 │               │               │
+          ┌──────▼───────┐ ┌─────▼─────┐ ┌───────▼─────┐
+          │    FFI API   │ │ WASM API  │ │   Rust API  │
+          │   (C/Nim/..) │ │ (Browser) │ │   (Native)  │
+          └──────┬───────┘ └─────┬─────┘ └───────┬─────┘
+                 └───────────────┼───────────────┘
+                                 │
+                       ┌─────────▼─────────┐
+                       │   RLN Protocol    │
+                       │   (Rust Core)     │
+                       └───────────────────┘
+```
+
+### Supported Features
+
+Zerokit provides compile-time feature flags that
+control Merkle tree storage backends,
+operational modes,
+and parallelization.
+
+#### Merkle Tree Backends
+
+`fullmerkletree` allocates the complete tree structure in memory.
+This backend provides the fastest performance but consumes the most memory.
+
+`optimalmerkletree` uses sparse HashMap storage that only allocates nodes as needed.
+This backend balances performance and memory efficiency.
+
+`pmtree` persists the tree to disk using a sled database.
+This backend enables state durability across process restarts.
+
+#### Operational Modes
+
+`stateless` disables the internal Merkle tree.
+Applications MUST provide the Merkle root and
+membership proof externally when generating proofs.
+
+When `stateless` is not enabled,
+the library operates in stateful mode and
+requires one of the Merkle tree backends.
+
+#### Parallelization
+
+`parallel` enables rayon-based parallel computation for
+proof generation and tree operations.
+
+This flag SHOULD be enabled for end-user clients where
+fastest individual proof generation time is required.
+For server-side proof services handling multiple concurrent requests,
+this flag SHOULD be disabled and
+applications SHOULD use dedicated worker threads per proof instead.
+The worker thread approach provides significantly higher throughput for
+concurrent proof generation.
+
+## The API
+
+### Overview
+
+The API exposes functional interfaces with strongly-typed parameters.
+All three platform bindings share the same function signatures,
+differing only in language-specific conventions.
+Function signatures documented below are from the Rust perspective.
+
+- Rust: <https://github.com/vacp2p/zerokit/blob/master/rln/src/public.rs>
+- FFI: <https://github.com/vacp2p/zerokit/tree/master/rln/src/ffi>
+- WASM: <https://github.com/vacp2p/zerokit/tree/master/rln-wasm>
+
+### Initialization
+
+`RLN::new(tree_depth, tree_config)` creates a new RLN instance by loading circuit resources from the default folder.
+The `tree_config` parameter accepts multiple types via the `TreeConfigInput` trait: a JSON string,
+a direct config object (with pmtree feature), or an empty string for defaults.
+Not available in WASM. Not available when `stateless` feature is enabled.
+
+`RLN::new()` creates a new stateless RLN instance by loading circuit resources from the default folder.
+Only available when `stateless` feature is enabled. Not available in WASM.
+
+`RLN::new_with_params(tree_depth, zkey_data, graph_data, tree_config)` creates a new RLN instance
+with pre-loaded circuit parameters passed as byte vectors.
+The `tree_config` parameter accepts multiple types via the `TreeConfigInput` trait.
+Not available in WASM. Not available when `stateless` feature is enabled.
+
+`RLN::new_with_params(zkey_data, graph_data)` creates a new stateless RLN instance with pre-loaded circuit parameters.
+Only available when `stateless` feature is enabled. Not available in WASM.
+
+`RLN::new_with_params(zkey_data)` creates a new stateless RLN instance for WASM with pre-loaded zkey data.
+Graph data is not required as witness calculation is handled externally in WASM environments.
+Only available in WASM with `stateless` feature enabled.
+
+### Key Generation
+
+`keygen()` generates a random identity keypair returning `(identity_secret, id_commitment)`.
+
+`seeded_keygen(seed)` generates a deterministic identity keypair
+from a seed returning `(identity_secret, id_commitment)`.
+
+`extended_keygen()` generates a random extended identity keypair
+returning `(identity_trapdoor, identity_nullifier, identity_secret, id_commitment)`.
+
+`extended_seeded_keygen(seed)` generates a deterministic extended identity keypair
+from a seed returning `(identity_trapdoor, identity_nullifier, identity_secret, id_commitment)`.
+
+### Merkle Tree Management
+
+All tree management functions are only available when
+`stateless` feature is NOT enabled.
+
+`set_tree(tree_depth)` initializes the internal Merkle tree with the specified depth.
+Leaves are set to the default zero value.
+
+`set_leaf(index, leaf)` sets a leaf value at the specified index.
+
+`get_leaf(index)` returns the leaf value at the specified index.
+
+`set_leaves_from(index, leaves)` sets multiple leaves starting from the specified index.
+Updates `next_index` to `max(next_index, index + n)`.
+If n leaves are passed, they will be set at positions `index`, `index+1`, ..., `index+n-1`.
+
+`init_tree_with_leaves(leaves)` resets the tree state to default and initializes it
+with the provided leaves starting from index 0.
+This resets the internal `next_index` to 0 before setting the leaves.
+
+`atomic_operation(index, leaves, indices)` atomically inserts leaves starting from index
+and removes leaves at the specified indices.
+Updates `next_index` to `max(next_index, index + n)` where n is the number of leaves inserted.
+
+`set_next_leaf(leaf)` sets a leaf at the next available index and increments `next_index`.
+The leaf is set at the current `next_index` value, then `next_index` is incremented.
+
+`delete_leaf(index)` sets the leaf at the specified index to the default zero value.
+Does not change the internal `next_index` value.
+
+`leaves_set()` returns the number of leaves that have been set in the tree.
+
+`get_root()` returns the current Merkle tree root.
+
+`get_subtree_root(level, index)` returns the root of a subtree at the specified level and index.
+
+`get_merkle_proof(index)` returns the Merkle proof for the leaf at the specified index as `(path_elements, identity_path_index)`.
+
+`get_empty_leaves_indices()` returns indices of leaves set to zero up to the final leaf that was set.
+
+`set_metadata(metadata)` stores arbitrary metadata in the RLN object for application use.
+This metadata is not used by the RLN module.
+
+`get_metadata()` returns the metadata stored in the RLN object.
+
+`flush()` closes the connection to the Merkle tree database.
+Should be called before dropping the RLN object when using persistent storage.
+
+### Witness Construction
+
+`RLNWitnessInput::new(identity_secret, user_message_limit, message_id, path_elements, identity_path_index, x, external_nullifier)` constructs
+a witness input for proof generation. Validates that `message_id < user_message_limit`.
+
+### Witness Calculation
+
+For native (non-WASM) environments, witness calculation is handled internally by the proof generation functions.
+The circuit witness is computed from the `RLNWitnessInput` and passed to the zero-knowledge proof system.
+
+For WASM environments, witness calculation must be performed externally using a JavaScript witness calculator.
+The workflow is:
+
+1. Create a `WasmRLNWitnessInput` with the required parameters
+2. Export to JSON format using `toBigIntJson()` method
+3. Pass the JSON to an external JavaScript witness calculator
+4. Use the calculated witness with `generate_rln_proof_with_witness`
+
+The witness calculator computes all intermediate values required by the RLN circuit.
+
+### Proof Generation
+
+`generate_zk_proof(witness)` generates a Groth16 zkSNARK proof from a witness.
+Extract proof values separately using `proof_values_from_witness`.
+Not available in WASM.
+
+`generate_rln_proof(witness)` generates a complete RLN proof returning both the zkSNARK proof and proof values as `(proof, proof_values)`.
+This combines proof generation and proof values extraction.
+Not available in WASM.
+
+`generate_rln_proof_with_witness(calculated_witness, witness)` generates an RLN proof using
+a pre-calculated witness from an external witness calculator.
+The `calculated_witness` should be a `Vec<BigInt>` obtained from the external witness calculator.
+Returns `(proof, proof_values)`.
+This is the primary proof generation method for WASM where witness calculation is handled by JavaScript.
+
+### Proof Verification
+
+`verify_zk_proof(proof, proof_values)` verifies only the zkSNARK proof without root or signal validation.
+Returns `true` if the proof is valid.
+
+`verify_rln_proof(proof, proof_values, x)` verifies the proof against the internal Merkle tree root and
+validates that `x` matches the proof signal.
+Returns an error if verification fails (invalid proof, invalid root, or invalid signal).
+Only available when `stateless` feature is NOT enabled.
+
+`verify_with_roots(proof, proof_values, x, roots)` verifies the proof against a set of acceptable roots and
+validates the signal.
+If the roots slice is empty, root verification is skipped. Returns an error if verification fails.
+
+### Slashing
+
+`recover_id_secret(proof_values_1, proof_values_2)` recovers the identity secret from two proof values
+that share the same external nullifier.
+Used to detect and penalize rate limit violations.
+
+### Hash Utilities
+
+`poseidon_hash(inputs)` computes the Poseidon hash of the input field elements.
+
+`hash_to_field_le(input)` hashes arbitrary bytes to a field element using little-endian byte order.
+
+`hash_to_field_be(input)` hashes arbitrary bytes to a field element using big-endian byte order.
+
+### Serialization Utilities
+
+`rln_witness_to_bytes_le` / `rln_witness_to_bytes_be` serializes an RLN witness to bytes.
+
+`bytes_le_to_rln_witness` / `bytes_be_to_rln_witness` deserializes bytes to an RLN witness.
+
+`rln_proof_to_bytes_le` / `rln_proof_to_bytes_be` serializes an RLN proof to bytes.
+
+`bytes_le_to_rln_proof` / `bytes_be_to_rln_proof` deserializes bytes to an RLN proof.
+
+`rln_proof_values_to_bytes_le` / `rln_proof_values_to_bytes_be` serializes proof values to bytes.
+
+`bytes_le_to_rln_proof_values` / `bytes_be_to_rln_proof_values` deserializes bytes to proof values.
+
+`fr_to_bytes_le` / `fr_to_bytes_be` serializes a field element to 32 bytes.
+
+`bytes_le_to_fr` / `bytes_be_to_fr` deserializes 32 bytes to a field element.
+
+`vec_fr_to_bytes_le` / `vec_fr_to_bytes_be` serializes a vector of field elements to bytes.
+
+`bytes_le_to_vec_fr` / `bytes_be_to_vec_fr` deserializes bytes to a vector of field elements.
+
+### WASM-Specific Notes
+
+WASM bindings wrap the Rust API with JavaScript-compatible types. Key differences:
+
+- Field elements are wrapped as `WasmFr` with `fromBytesLE`, `fromBytesBE`, `toBytesLE`, `toBytesBE` methods.
+- Vectors of field elements use `VecWasmFr` with `push`, `get`, `length` methods.
+- Identity generation uses `Identity.generate()` and `Identity.generateSeeded(seed)` static methods.
+- Extended identity uses `ExtendedIdentity.generate()` and `ExtendedIdentity.generateSeeded(seed)`.
+- Witness input uses `WasmRLNWitnessInput` constructor and `toBigIntJson()` for witness calculator integration.
+- Proof generation requires external witness calculation via `generateRLNProofWithWitness(calculatedWitness, witness)`.
+- When `parallel` feature is enabled, call `initThreadPool()` to initialize the thread pool.
+
+### FFI-Specific Notes
+
+FFI bindings use C-compatible types with the `ffi_` prefix. Key differences:
+
+- Field elements are wrapped as `CFr` with corresponding conversion functions.
+- Results use `CResult` or `CBoolResult` structs with `ok` and `err` fields.
+- Memory must be explicitly freed using `ffi_*_free` functions.
+- Vectors use `repr_c::Vec` with `ffi_vec_*` helper functions.
+- Configuration is passed via file path to a JSON configuration file.
+
+## Usage Patterns
+
+This section describes common deployment scenarios and
+the recommended API combinations for each.
+
+### Stateful with Changing Root
+
+Applies when membership changes over time with members joining and slashing continuously.
+
+Applications MUST maintain a sliding window of recent roots externally.
+When members are added or removed via `set_leaf`, `delete_leaf`, or `atomic_operation`,
+capture the new root using `get_root` and append it to the history buffer.
+Verify incoming proofs using `verify_with_roots` with the root history buffer,
+accepting proofs valid against any recent root.
+
+The window size depends on network propagation delays and epoch duration.
+
+### Stateful with Fixed Root
+
+Applies when membership is established once and remains static during operation.
+
+Initialize the tree using `init_tree_with_leaves` with the complete membership set.
+No root history is required.
+Verify proofs using `verify_rln_proof` which checks against the internal tree root directly.
+
+### Stateless
+
+Applies when membership state is managed externally,
+such as by a smart contract or relay network.
+
+Enable the `stateless` feature flag.
+Obtain Merkle proofs and valid roots from the external source.
+Pass externally provided `path_elements` and `identity_path_index` to `RLNWitnessInput::new`.
+Verify using `verify_with_roots` with externally provided roots.
+
+### WASM Browser Integration
+
+WASM environments require external witness calculation.
+Use `WasmRLNWitnessInput::toBigIntJson()` to export the witness for
+JavaScript witness calculators,
+then pass the result to `generateRLNProofWithWitness`.
+
+When `parallel` feature is enabled,
+call `initThreadPool()` before proof operations.
+This requires COOP/COEP headers for SharedArrayBuffer support.
+
+#### Epoch and Rate Limit Configuration
+
+The external nullifier is computed as `poseidon_hash([epoch, rln_identifier])`.
+Each application SHOULD use a unique `rln_identifier` to
+prevent cross-application nullifier collisions.
+
+The `user_message_limit` in the rate commitment determines messages allowed per epoch.
+The `message_id` must be less than `user_message_limit` and
+should increment with each message.
+Applications MUST persist the `message_id` counter to avoid violations after restarts.
+
+## Security/Privacy Considerations
+
+The security of Zerokit depends on the correct implementation of the RLN-V2 protocol
+and the underlying zero-knowledge proof system.
+Applications MUST ensure that:
+
+- Identity secrets are kept confidential and never transmitted or logged
+- The `message_id` counter is properly persisted to prevent accidental rate limit violations
+- External nullifiers are constructed correctly to prevent cross-application attacks
+- Merkle tree roots are validated when using stateless mode
+- Circuit parameters (zkey and graph data) are obtained from trusted sources
+
+When using the `parallel` feature in WASM,
+applications MUST serve content with appropriate COOP/COEP headers to
+enable SharedArrayBuffer support securely.
+
+The slashing mechanism exposes identity secrets when rate limits are violated.
+Applications SHOULD educate users about this risk and
+implement safeguards to prevent accidental violations.
+
+## References
+
+### Normative
+
+- [32/RLN-V1](../32/rln-v1.md) - Rate Limit Nullifier V1 specification
+
+### Informative
+
+- [Zerokit GitHub Repository](https://github.com/vacp2p/zerokit) - Reference implementation
+- [RLN-V2 Specification](./rln-v2.md) - Rate Limit Nullifier V2 protocol
+- [Sled Database](https://sled.rs) - Embedded database used for persistent Merkle tree storage
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

vac/template.md

@@ -1,15 +1,15 @@
 ---
 slug: XX
-title: XX/(WAKU2|LOGOS|CODEX|*)-TEMPLATE
-name: (Waku v2 | Logos | Codex) RFC Template
-status: (raw|draft|stable)
-category: (Standards Track|Informational|Best Current Practice)
+title: TEMPLATE
+name: RFC Template
+status: raw/draft/stable/deprecated
+category: Standards Track/Informational/Best Current Practice
 tags: an optional list of tags, not standard
 editor: Daniel Kaiser <danielkaiser@status.im>
 contributors:
 ---
 
-# (Info, remove this section)
+## (Info, remove this section)
 
 This section contains meta info about writing RFCs.
 This section (including its subsections) MUST be removed.
@@ -23,60 +23,69 @@ The `tags` metadata SHOULD contain a list of tags if applicable.
 Currently identified tags comprise
 
 * `waku/core-protocol` for Waku protocol definitions (e.g. store, relay, light push),
-* `waku/application` for applications built on top of Waku protocol (e.g. eth-dm, toy-chat),
+* `waku/application` for applications built on top of Waku protocol
+(e.g. eth-dm, toy-chat),
 
+## Abstract
 
-# Abstract
+## Background / Rationale / Motivation
 
+This section serves as an introduction providing background information and
+a motivation/rationale for why the specified protocol is useful.
 
-# Background / Rationale / Motivation
-
-This section serves as an introduction providing background information and a motivation/rationale for why the specified protocol is useful.
-
-# Theory / Semantics
+## Theory / Semantics
 
 A standard track RFC in `stable` status MUST feature this section.
 A standard track RFC in `raw` or `draft` status SHOULD feature this section.
 This section SHOULD explain in detail how the proposed protocol works.
 It may touch on the wire format where necessary for the explanation.
-This section MAY also specify endpoint behaviour when receiving specific messages, e.g. the behaviour of certain caches etc.
+This section MAY also specify endpoint behaviour when receiving specific messages,
+e.g. the behaviour of certain caches etc.
 
-# Wire Format Specification / Syntax
+## Wire Format Specification / Syntax
 
 A standard track RFC in `stable` status MUST feature this section.
 A standard track RFC in `raw` or `draft` status SHOULD feature this section.
-This section SHOULD not contain explanations of semantics and focus on concisely defining the wire format.
+This section SHOULD not contain explanations of semantics and
+focus on concisely defining the wire format.
 Implementations MUST adhere to these exact formats to interoperate with other implementations.
 It is fine, if parts of the previous section that touch on the wire format are repeated.
-The purpose of this section is having a concise definition of what an implementation sends and accepts.
-Parts that are not specified here are considered implementation details. Implementors are free to decide on how to implement these details.
-An optional *implementation suggestions* section may provide suggestions on how to approach implementation details, and, if available, point to existing implementations for reference.
+The purpose of this section is having a concise definition
+of what an implementation sends and accepts.
+Parts that are not specified here are considered implementation details.
+Implementors are free to decide on how to implement these details.
+An optional *implementation suggestions* section may provide suggestions
+on how to approach implementation details, and,
+if available, point to existing implementations for reference.
 
-# Implementation Suggestions (optional)
+## Implementation Suggestions (optional)
 
+## (Further Optional Sections)
 
-# (Further Optional Sections)
-
-
-# Security/Privacy Considerations
+## Security/Privacy Considerations
 
 A standard track RFC in `stable` status MUST feature this section.
 A standard track RFC in `raw` or `draft` status SHOULD feature this section.
 Informational RFCs (in any state) may feature this section.
 If there are none, this section MUST explicitly state that fact.
-This section MAY contain additional relevant information, e.g. an explanation as to why there are no security consideration for the respective document.
+This section MAY contain additional relevant information,
+e.g. an explanation as to why there are no security consideration
+for the respective document.
 
-# Copyright
+## Copyright
 
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
 
-# References
+## References
 
 References MAY be subdivided into normative and informative.
 
 ## normative
-A list of references that MUST be read to fully understand and/or implement this protocol.
+
+A list of references that MUST be read to fully understand and/or
+implement this protocol.
 See [RFC3967 Section 1.1](https://datatracker.ietf.org/doc/html/rfc3967#section-1.1).
 
 ## informative
+
 A list of additional references.

waku/README.md

@@ -1,5 +1,7 @@
-## Waku RFCs
+# Waku RFCs
 
-Waku builds a family of privacy-preserving, censorship-resistant communication protocols for web3 applications.
+Waku builds a family of privacy-preserving,
+censorship-resistant communication protocols for web3 applications.
 
-Contributors can visit [Waku RFCs](https://github.com/waku-org/specs) for new Waku specifications under discussion.
+Contributors can visit [Waku RFCs](https://github.com/waku-org/specs)
+for new Waku specifications under discussion.

waku/deprecated/16/rpc.md

@@ -2,20 +2,24 @@
 slug: 16
 title: 16/WAKU2-RPC
 name: Waku v2 RPC API
-status: draft
+status: deprecated
 tags: waku-core
 editor: Hanno Cornelius <hanno@status.im>
 ---
 
 ## Introduction
 
-This specification describes the JSON-RPC API that Waku v2 nodes MAY adhere to. Refer to the [Waku v2 specification](../10/waku2.md) for more information on Waku v2.
+This specification describes the JSON-RPC API that Waku v2 nodes MAY adhere to.
+Refer to the [Waku v2 specification](../10/waku2.md)
+for more information on Waku v2.
 
 ## Wire Protocol
 
 ### Transport
 
-Nodes SHOULD expose an accessible [JSON-RPC](https://www.jsonrpc.org/specification) API. The JSON-RPC version SHOULD be `2.0`. Below is an example request:
+Nodes SHOULD expose an accessible
+[JSON-RPC](https://www.jsonrpc.org/specification) API.
+The JSON-RPC version SHOULD be `2.0`. Below is an example request:
 
 ```json
 {
@@ -37,7 +41,10 @@ Nodes SHOULD expose an accessible [JSON-RPC](https://www.jsonrpc.org/specificati
 
 ### Types
 
-In this specification, the primitive types `Boolean`, `String`, `Number` and `Null`, as well as the structured types `Array` and `Object`, are to be interpreted according to the [JSON-RPC specification](https://www.jsonrpc.org/specification#conventions). It also adopts the same capitalisation conventions.
+In this specification, the primitive types `Boolean`, `String`,
+`Number` and `Null`, as well as the structured types `Array` and `Object`,
+are to be interpreted according to the [JSON-RPC specification](https://www.jsonrpc.org/specification#conventions).
+It also adopts the same capitalisation conventions.
 
 The following structured types are defined for use throughout the document:
 
@@ -57,23 +64,27 @@ Refer to [`Waku Message` specification](../14/message.md) for more information.
 
 ## Method naming
 
-The JSON-RPC methods in this document are designed to be mappable to HTTP REST endpoints. Method names follow the pattern `<method_type>_waku_<protocol_version>_<api>_<api_version>_<resource>`
+The JSON-RPC methods in this document are designed to be mappable to HTTP REST endpoints.
+Method names follow the pattern `<method_type>_waku_<protocol_version>_<api>_<api_version>_<resource>`
 
-- `<method_type>`: prefix of the HTTP method type that most closely matches the JSON-RPC function. Supported `method_type` values are `get`, `post`, `put`, `delete` or `patch`.
+- `<method_type>`:
+prefix of the HTTP method type that most closely matches the JSON-RPC function.
+Supported `method_type` values are `get`, `post`, `put`, `delete` or `patch`.
 - `<protocol_version>`: Waku version. Currently **v2**.
 - `<api>`: one of the listed APIs below, e.g. `store`, `debug`, or `relay`.
 - `<api_version>`: API definition version. Currently **v1** for all APIs.
 - `<resource>`: the resource or resource path being addressed
 
-The method `post_waku_v2_relay_v1_message`, for example, would map to the HTTP REST endpoint `POST /waku/v2/relay/v1/message`.
+The method `post_waku_v2_relay_v1_message`, for example,
+would map to the HTTP REST endpoint `POST /waku/v2/relay/v1/message`.
 
 ## Debug API
 
-### Types
+Types
 
 The following structured types are defined for use on the Debug API:
 
-#### WakuInfo
+### WakuInfo
 
 `WakuInfo` is an `Object` containing the following fields:
 
@@ -82,9 +93,7 @@ The following structured types are defined for use on the Debug API:
 | `listenAddresses` | `Array`[`String`] | mandatory | Listening addresses of the node |
 | `enrUri` | `String` | optional | ENR URI of the node |
 
-#### WakuInfo
-
-### `get_waku_v2_debug_v1_info`
+`get_waku_v2_debug_v1_info`
 
 The `get_waku_v2_debug_v1_info` method retrieves information about a Waku v2 node
 
@@ -96,94 +105,120 @@ none
 
 - [**`WakuInfo`**](#wakuinfo) - information about a Waku v2 node
 
-
 ### `get_waku_v2_debug_v1_version`
 
-The `get_waku_v2_debug_v1_version` method retrieves the version of a Waku v2 node as a string.
+The `get_waku_v2_debug_v1_version` method retrieves the version of a Waku v2 node
+as a string.
 The version SHOULD follow [semantic versioning](https://semver.org/).
 In case the node's current build is based on a git commit between semantic versions,
-the retrieved version string MAY contain the git commit hash alone or in combination with the latest semantic version.
+the retrieved version string MAY contain the git commit hash alone or
+in combination with the latest semantic version.
 
-#### Parameters
+Parameters
 
 none
 
-#### Response
+Response
 
 - **`string`** - represents the version of a Waku v2 node
 
-
 ## Relay API
 
-Refer to the [Waku Relay specification](../11/relay.md) for more information on the relaying of messages.
+Refer to the [Waku Relay specification](../11/relay.md)
+for more information on the relaying of messages.
 
-### `post_waku_v2_relay_v1_message`
+`post_waku_v2_relay_v1_message`
 
-The `post_waku_v2_relay_v1_message` method publishes a message to be relayed on a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor)
+The `post_waku_v2_relay_v1_message` method publishes a message to be relayed on a
+[PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor)
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `topic` | `String` | mandatory | The [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) being published on |
 | `message` | [`WakuMessage`](#wakumessage) | mandatory | The `message` being relayed |
 
-#### Response
+Response
 
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Bool`** -
+`true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
-### `post_waku_v2_relay_v1_subscriptions`
+`post_waku_v2_relay_v1_subscriptions`
 
-The `post_waku_v2_relay_v1_subscriptions` method subscribes a node to an array of [PubSub `topics`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
+The `post_waku_v2_relay_v1_subscriptions` method subscribes a node to an array of
+[PubSub `topics`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `topics` | `Array`[`String`] | mandatory | The [PubSub `topics`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) being subscribed to |
 
-#### Response
+Response
 
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Bool`** -
+`true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
-### `delete_waku_v2_relay_v1_subscriptions`
+`delete_waku_v2_relay_v1_subscriptions`
 
-The `delete_waku_v2_relay_v1_subscriptions` method unsubscribes a node from an array of [PubSub `topics`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
+The `delete_waku_v2_relay_v1_subscriptions` method unsubscribes a node from an array
+ of [PubSub `topics`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `topics` | `Array`[`String`] | mandatory | The [PubSub `topics`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) being unsubscribed from |
 
-#### Response
+Response
 
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Bool`** -
+`true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
-### `get_waku_v2_relay_v1_messages`
+`get_waku_v2_relay_v1_messages`
 
-The `get_waku_v2_relay_v1_messages` method returns a list of messages that were received on a subscribed [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) after the last time this method was called. The server MUST respond with an [error](https://www.jsonrpc.org/specification#error_object) if no subscription exists for the polled `topic`. If no message has yet been received on the polled `topic`, the server SHOULD return an empty list. This method can be used to poll a `topic` for new messages.
+The `get_waku_v2_relay_v1_messages` method returns a list of messages
+that were received on a subscribed
+[PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor)
+after the last time this method was called.
+The server MUST respond with an [error](https://www.jsonrpc.org/specification#error_object)
+if no subscription exists for the polled `topic`.
+If no message has yet been received on the polled `topic`,
+the server SHOULD return an empty list.
+This method can be used to poll a `topic` for new messages.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `topic` | `String` | mandatory | The [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) to poll for the latest messages |
 
-#### Response
+Response
 
-- **`Array`[[`WakuMessage`](#wakumessage)]** - the latest `messages` on the polled `topic` or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Array`[[`WakuMessage`](#wakumessage)]** -
+the latest `messages` on the polled `topic` or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
 ## Relay Private API
 
-The Private API provides functionality to encrypt/decrypt `WakuMessage` payloads using either symmetric or asymmetric cryptography. This allows backwards compatibility with [Waku v1 nodes](../6/waku1.md).
-It is the API client's responsibility to keep track of the keys used for encrypted communication. Since keys must be cached by the client and provided to the node to encrypt/decrypt payloads, a Private API SHOULD NOT be exposed on non-local or untrusted nodes.
+The Private API provides functionality to encrypt/decrypt `WakuMessage` payloads
+using either symmetric or asymmetric cryptography.
+This allows backwards compatibility with [Waku v1 nodes](../../legacy/6/waku1.md).
+It is the API client's responsibility to keep track of the keys
+used for encrypted communication.
+Since keys must be cached by the client and
+provided to the node to encrypt/decrypt payloads,
+a Private API SHOULD NOT be exposed on non-local or untrusted nodes.
 
-### Types
+Types
 
 The following structured types are defined for use on the Private API:
 
-#### KeyPair
+### KeyPair
 
 `KeyPair` is an `Object` containing the following fields:
 
@@ -194,33 +229,40 @@ The following structured types are defined for use on the Private API:
 
 ### `get_waku_v2_private_v1_symmetric_key`
 
-Generates and returns a symmetric key that can be used for message encryption and decryption.
+Generates and returns a symmetric key that can be used for message encryption and
+decryption.
 
-#### Parameters
+Parameters
 
 none
 
-#### Response
+Response
+
 - **`String`** - A new symmetric key as hex encoded data string
 
 ### `get_waku_v2_private_v1_asymmetric_keypair`
 
-Generates and returns a public/private key pair that can be used for asymmetric message encryption and decryption.
+Generates and returns a public/private key pair
+that can be used for asymmetric message encryption and decryption.
 
-#### Parameters
+Parameters
 
 none
 
-#### Response
+Response
+
 - **[`KeyPair`](#keypair)** - A new public/private key pair as hex encoded data strings
 
-### `post_waku_v2_private_v1_symmetric_message`
+`post_waku_v2_private_v1_symmetric_message`
 
-The `post_waku_v2_private_v1_symmetric_message` method publishes a message to be relayed on a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor). 
+The `post_waku_v2_private_v1_symmetric_message` method publishes a message
+to be relayed on a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
 
-Before being relayed, the message payload is encrypted using the supplied symmetric key. The client MUST provide a symmetric key.
+Before being relayed,
+the message payload is encrypted using the supplied symmetric key.
+The client MUST provide a symmetric key.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
@@ -228,17 +270,22 @@ Before being relayed, the message payload is encrypted using the supplied symmet
 | `message` | [`WakuMessage`](#wakumessage) | mandatory | The (unencrypted) `message` being relayed |
 | `symkey` | `String` | mandatory | The hex encoded symmetric key to use for payload encryption. This field MUST be included if symmetric key cryptography is selected |
 
-#### Response
+Response
 
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Bool`** -
+`true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
-### `post_waku_v2_private_v1_asymmetric_message`
+`post_waku_v2_private_v1_asymmetric_message`
 
-The `post_waku_v2_private_v1_asymmetric_message` method publishes a message to be relayed on a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor). 
+The `post_waku_v2_private_v1_asymmetric_message` method publishes a message
+to be relayed on a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
 
-Before being relayed, the message payload is encrypted using the supplied public key. The client MUST provide a public key.
+Before being relayed,
+the message payload is encrypted using the supplied public key.
+The client MUST provide a public key.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
@@ -246,66 +293,88 @@ Before being relayed, the message payload is encrypted using the supplied public
 | `message` | [`WakuMessage`](#wakumessage) | mandatory | The (unencrypted) `message` being relayed |
 | `publicKey` | `String` | mandatory | The hex encoded public key to use for payload encryption. This field MUST be included if asymmetric key cryptography is selected |
 
-#### Response
+Response
 
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Bool`** -
+`true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
 ### `get_waku_v2_private_v1_symmetric_messages`
 
-The `get_waku_v2_private_v1_symmetric_messages` method decrypts and returns a list of messages that were received on a subscribed [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) after the last time this method was called. The server MUST respond with an [error](https://www.jsonrpc.org/specification#error_object) if no subscription exists for the polled `topic`. If no message has yet been received on the polled `topic`, the server SHOULD return an empty list. This method can be used to poll a `topic` for new messages.
+The `get_waku_v2_private_v1_symmetric_messages` method decrypts and
+returns a list of messages that were received on a subscribed
+[PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor)
+after the last time this method was called.
+The server MUST respond with an [error](https://www.jsonrpc.org/specification#error_object)
+if no subscription exists for the polled `topic`.
+If no message has yet been received on the polled `topic`,
+the server SHOULD return an empty list.
+This method can be used to poll a `topic` for new messages.
 
-Before returning the messages, the server decrypts the message payloads using the supplied symmetric key. The client MUST provide a symmetric key.
+Before returning the messages,
+the server decrypts the message payloads using the supplied symmetric key.
+The client MUST provide a symmetric key.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `topic` | `String` | mandatory | The [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) to poll for the latest messages |
 | `symkey` | `String` | mandatory | The hex encoded symmetric key to use for payload decryption. This field MUST be included if symmetric key cryptography is selected |
 
-#### Response
+Response
 
-- **`Array`[[`WakuMessage`](#wakumessage)]** - the latest `messages` on the polled `topic` or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Array`[[`WakuMessage`](#wakumessage)]** -
+the latest `messages` on the polled `topic` or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
-### `get_waku_v2_private_v1_asymmetric_messages`
+`get_waku_v2_private_v1_asymmetric_messages`
 
-The `get_waku_v2_private_v1_asymmetric_messages` method decrypts and returns a list of messages that were received on a subscribed [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) after the last time this method was called. The server MUST respond with an [error](https://www.jsonrpc.org/specification#error_object) if no subscription exists for the polled `topic`. If no message has yet been received on the polled `topic`, the server SHOULD return an empty list. This method can be used to poll a `topic` for new messages.
+The `get_waku_v2_private_v1_asymmetric_messages` method decrypts and
+returns a list of messages that were received on a subscribed [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor)
+after the last time this method was called.
+The server MUST respond with an [error](https://www.jsonrpc.org/specification#error_object)
+if no subscription exists for the polled `topic`.
+If no message has yet been received on the polled `topic`,
+the server SHOULD return an empty list.
+This method can be used to poll a `topic` for new messages.
 
-Before returning the messages, the server decrypts the message payloads using the supplied private key. The client MUST provide a private key.
+Before returning the messages,
+the server decrypts the message payloads using the supplied private key.
+The client MUST provide a private key.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `topic` | `String` | mandatory | The [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor) to poll for the latest messages |
 | `privateKey` | `String` | mandatory | The hex encoded private key to use for payload decryption. This field MUST be included if asymmetric key cryptography is selected |
 
-#### Response
-
-- **`Array`[[`WakuMessage`](#wakumessage)]** - the latest `messages` on the polled `topic` or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+Response
 
+- **`Array`[[`WakuMessage`](#wakumessage)]** -
+the latest `messages` on the polled `topic` or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
 ## Store API
 
-Refer to the [Waku Store specification](../13/store.md) for more information on message history retrieval.
-
-### Types
+Refer to the [Waku Store specification](../13/store.md)
+for more information on message history retrieval.
 
 The following structured types are defined for use on the Store API:
 
-#### StoreResponse
+### StoreResponse
 
 `StoreResponse` is an `Object` containing the following fields:
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `messages` | `Array`[[`WakuMessage`](#wakumessage)] | mandatory | Array of retrieved historical messages |
-| `pagingOptions` | [`PagingOptions`](#pagingOptions) | [conditional](#get_waku_v2_store_v1_messages) | Paging information from which to resume further historical queries |
-
+| `pagingOptions` | [`PagingOptions`](#pagingoptions) | [conditional](#get_waku_v2_store_v1_messages) | Paging information from which to resume further historical queries |
 
 #### PagingOptions
 
-`PagingOptions` is an `Object` containing the following fields:
+`pagingOptions` is an `Object` containing the following fields:
 
 | Field |       Type        | Inclusion | Description                                                                                                                                                                                                                                                              |
 | ----: |:-----------------:| :---: |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
@@ -322,7 +391,7 @@ The following structured types are defined for use on the Store API:
 | `digest` | `String` | mandatory | A hash for the message at this [`Index`](#index)                                          |
 | `receivedTime` | `Number` | mandatory | UNIX timestamp in nanoseconds at which the message at this [`Index`](#index) was received |
 
-#### ContentFilter
+ContentFilter
 
 `ContentFilter` is an `Object` containing the following fields:
 
@@ -330,11 +399,19 @@ The following structured types are defined for use on the Store API:
 | ----: | :---: | :---: |----------- |
 | `contentTopic` | `String` | mandatory | The content topic of a [`WakuMessage`](#wakumessage) |
 
-### `get_waku_v2_store_v1_messages`
+`get_waku_v2_store_v1_messages`
 
-The `get_waku_v2_store_v1_messages` method retrieves historical messages on specific content topics. This method MAY be called with [`PagingOptions`](#pagingoptions), to retrieve historical messages on a per-page basis. If the request included [`PagingOptions`](#pagingoptions), the node MUST return messages on a per-page basis and include [`PagingOptions`](#pagingoptions) in the response. These [`PagingOptions`](#pagingoptions) MUST contain a `cursor` pointing to the [`Index`](#index) from which a new page can be requested.
+The `get_waku_v2_store_v1_messages` method retrieves historical messages
+on specific content topics.
+This method MAY be called with [`PagingOptions`](#pagingoptions),
+to retrieve historical messages on a per-page basis.
+If the request included [`PagingOptions`](#pagingoptions),
+the node MUST return messages on a per-page basis and
+include [`PagingOptions`](#pagingoptions) in the response.
+These [`PagingOptions`](#pagingoptions) MUST contain a `cursor` pointing
+to the [`Index`](#index) from which a new page can be requested.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
@@ -344,19 +421,21 @@ The `get_waku_v2_store_v1_messages` method retrieves historical messages on spec
 | `endTime` | `Number` | optional |  The inclusive upper bound on the [`timestamp`](../14/message.md/#message-attributes) of queried [`WakuMessage`s](#wakumessage). This field holds the Unix epoch time in nanoseconds as a 64-bits integer value. |
 | `pagingOptions` | [`PagingOptions`](#pagingoptions) | optional | Pagination information |
 
-#### Response
+Response
 
-- [**`StoreResponse`**](#storeresponse) - the response to a `query` for historical messages.
+- [**`StoreResponse`**](#storeresponse) -
+the response to a `query` for historical messages.
 
 ## Filter API
 
-Refer to the [Waku Filter specification](../12/filter.md) for more information on content filtering.
+Refer to the [Waku Filter specification](../12/filter.md)
+for more information on content filtering.
 
-### Types
+Types
 
 The following structured types are defined for use on the Filter API:
 
-#### ContentFilter
+### ContentFilter
 
 `ContentFilter` is an `Object` containing the following fields:
 
@@ -366,57 +445,73 @@ The following structured types are defined for use on the Filter API:
 
 ### `post_waku_v2_filter_v1_subscription`
 
-The `post_waku_v2_filter_v1_subscription` method creates a subscription in a [light node](../12/filter.md/#rationale) for messages that matches a content filter and, optionally, a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
+The `post_waku_v2_filter_v1_subscription` method creates a subscription in a
+[light node](../12/filter.md/#rationale) for messages that matches a content filter
+and, optionally, a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `contentFilters` | `Array`[[`ContentFilter`](#contentfilter)] | mandatory | Array of content filters being subscribed to |
 | `topic` | `String` | optional | Message topic |
 
-#### Response
+Response
 
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Bool`** - `true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
-### `delete_waku_v2_filter_v1_subscription`
+`delete_waku_v2_filter_v1_subscription`
 
-The `delete_waku_v2_filter_v1_subscription` method removes subscriptions in a [light node](../12/filter.md/#rationale) matching a content filter and, optionally, a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
+The `delete_waku_v2_filter_v1_subscription` method removes subscriptions
+in a [light node](../12/filter.md/#rationale) matching a content filter and,
+optionally, a [PubSub `topic`](https://github.com/libp2p/specs/blob/master/pubsub/README.md#the-topic-descriptor).
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `contentFilters` | `Array`[[`ContentFilter`](#contentfilter)] | mandatory | Array of content filters being unsubscribed from |
 | `topic` | `String` | optional | Message topic |
 
-#### Response
+Response
 
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Bool`** -
+`true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
 ### `get_waku_v2_filter_v1_messages`
 
-The `get_waku_v2_filter_v1_messages` method returns a list of messages that were received on a subscribed content `topic` after the last time this method was called. The server MUST respond with an [error](https://www.jsonrpc.org/specification#error_object) if no subscription exists for the polled content `topic`. If no message has yet been received on the polled content `topic`, the server SHOULD respond with an empty list. This method can be used to poll a content `topic` for new messages.
+The `get_waku_v2_filter_v1_messages` method returns a list of messages
+that were received on a subscribed content `topic`
+after the last time this method was called.
+The server MUST respond with an
+[error](https://www.jsonrpc.org/specification#error_object)
+if no subscription exists for the polled content `topic`.
+If no message has yet been received on the polled content `topic`,
+the server SHOULD respond with an empty list.
+This method can be used to poll a content `topic` for new messages.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `contentTopic` | `String` | mandatory | The content topic to poll for the latest messages |
 
-#### Response
+Response
 
-- **`Array`[[`WakuMessage`](#wakumessage)]** - the latest `messages` on the polled content `topic` or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+- **`Array`[[`WakuMessage`](#wakumessage)]** -
+the latest `messages` on the polled content `topic` or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
 ## Admin API
 
-The Admin API provides privileged accesses to the internal operations of a Waku v2 node.
-
-### Types
+The Admin API provides privileged accesses
+to the internal operations of a Waku v2 node.
 
 The following structured types are defined for use on the Admin API:
 
-#### WakuPeer
+### WakuPeer
 
 `WakuPeer` is an `Object` containing the following fields:
 
@@ -428,13 +523,19 @@ The following structured types are defined for use on the Admin API:
 
 ### `get_waku_v2_admin_v1_peers`
 
-The `get_waku_v2_admin_v1_peers` method returns an array of peers registered on this node. Since a Waku v2 node may open either continuous or ad hoc connections, depending on the negotiated protocol, these peers may have different connected states. The same peer MAY appear twice in the returned array, if it is registered for more than one protocol.
+The `get_waku_v2_admin_v1_peers` method returns an array of peers
+registered on this node.
+Since a Waku v2 node may open either continuous or ad hoc connections,
+depending on the negotiated protocol,
+these peers may have different connected states.
+The same peer MAY appear twice in the returned array,
+if it is registered for more than one protocol.
 
-#### Parameters
+Parameters
 
-none
+- none
 
-#### Response
+Response
 
 - **`Array`[[`WakuPeer`](#wakupeer)]** - Array of peers registered on this node
 
@@ -442,30 +543,36 @@ none
 
 The `post_waku_v2_admin_v1_peers` method connects a node to a list of peers.
 
-#### Parameters
+Parameters
 
 | Field | Type | Inclusion | Description |
 | ----: | :---: | :---: |----------- |
 | `peers` | `Array`[`String`] | mandatory | Array of peer `multiaddrs` to connect to. Each `multiaddr` must contain the [location and identity addresses](https://docs.libp2p.io/concepts/addressing/) of a peer. |
 
-#### Response
-
-- **`Bool`** - `true` on success or an [error](https://www.jsonrpc.org/specification#error_object) on failure.
+Response
 
+- **`Bool`** -
+`true` on success or
+an [error](https://www.jsonrpc.org/specification#error_object) on failure.
 
 ## Example usage
 
-### Store API
+Store API
 
-#### `get_waku_v2_store_v1_messages`
+### `get_waku_v2_store_v1_messages`
 
-This method is part of the `store` API and the specific resources to retrieve are (historical) `messages`. The protocol (`waku`) is on `v2`, whereas the Store API definition is on `v1`.
+This method is part of the `store` API and
+the specific resources to retrieve are (historical) `messages`.
+The protocol (`waku`) is on `v2`, whereas the Store API definition is on `v1`.
 
-1. `get` *all* the historical messages for content topic **"/waku/2/default-content/proto"**; no paging required
+1.`get` *all* the historical messages for content topic
+**"/waku/2/default-content/proto"**; no paging required
 
 #### Request
 
-```curl -d '{"jsonrpc":"2.0","id":"id","method":"get_waku_v2_store_v1_messages", "params":["", [{"contentTopic":"/waku/2/default-content/proto"}]]}' --header "Content-Type: application/json" http://localhost:8545```
+```curl
+curl -d '{"jsonrpc":"2.0","id":"id","method":"get_waku_v2_store_v1_messages", "params":["", [{"contentTopic":"/waku/2/default-content/proto"}]]}' --header "Content-Type: application/json" http://localhost:8545
+```
 
 ```jsonrpc
 {
@@ -481,7 +588,7 @@ This method is part of the `store` API and the specific resources to retrieve ar
 }
 ```
 
-#### Response
+Response
 
 ```jsonrpc
 {
@@ -513,11 +620,16 @@ This method is part of the `store` API and the specific resources to retrieve ar
 
 ---
 
-2. `get` a single page of historical messages for content topic **"/waku/2/default-content/proto"**; 2 messages per page, backward direction. Since this is the initial query, no `cursor` is provided, so paging will be performed from the end of the list.
+2.`get` a single page of historical messages for content topic **"/waku/2/default-content/proto"**;
+2 messages per page, backward direction.
+Since this is the initial query, no `cursor` is provided,
+so paging will be performed from the end of the list.
 
-#### Request
+Request
 
-```curl -d '{"jsonrpc":"2.0","id":"id","method":"get_waku_v2_store_v1_messages", "params":[ "", [{"contentTopic":"/waku/2/default-content/proto"}],{"pageSize":2,"forward":false}]}' --header "Content-Type: application/json" http://localhost:8545```
+```curl
+curl -d '{"jsonrpc":"2.0","id":"id","method":"get_waku_v2_store_v1_messages", "params":[ "", [{"contentTopic":"/waku/2/default-content/proto"}],{"pageSize":2,"forward":false}]}' --header "Content-Type: application/json" http://localhost:8545
+```
 
 ```jsonrpc
 {
@@ -537,7 +649,7 @@ This method is part of the `store` API and the specific resources to retrieve ar
 }
 ```
 
-#### Response
+Response
 
 ```jsonrpc
 {
@@ -571,11 +683,14 @@ This method is part of the `store` API and the specific resources to retrieve ar
 
 ---
 
-3. `get` the next page of historical messages for content topic **"/waku/2/default-content/proto"**, using the cursor received above; 2 messages per page, backward direction.
+3.`get` the next page of historical messages for content topic **"/waku/2/default-content/proto"**,
+using the cursor received above; 2 messages per page, backward direction.
 
-#### Request
+Request
 
-```curl -d '{"jsonrpc":"2.0","id":"id","method":"get_waku_v2_store_v1_messages", "params":[ "", [{"contentTopic":"/waku/2/default-content/proto"}],{"pageSize":2,"cursor":{"digest":"abcdef","receivedTime":1605887187000000000},"forward":false}]}' --header "Content-Type: application/json" http://localhost:8545```
+```curl
+curl -d '{"jsonrpc":"2.0","id":"id","method":"get_waku_v2_store_v1_messages", "params":[ "", [{"contentTopic":"/waku/2/default-content/proto"}],{"pageSize":2,"cursor":{"digest":"abcdef","receivedTime":1605887187000000000},"forward":false}]}' --header "Content-Type: application/json" http://localhost:8545
+```
 
 ```jsonrpc
 {
@@ -599,7 +714,7 @@ This method is part of the `store` API and the specific resources to retrieve ar
 }
 ```
 
-#### Response
+Response
 
 ```jsonrpc
 {

waku/deprecated/18/swap.md

@@ -0,0 +1,263 @@
+---
+slug: 18
+title: 18/WAKU2-SWAP
+name: Waku SWAP Accounting
+status: deprecated
+editor: Oskar Thorén <oskarth@titanproxy.com>
+contributor: Ebube Ud <ebube@status.im>
+---
+
+## Abstract
+
+This specification outlines how we do accounting and settlement based on the provision
+and usage of resources, most immediately bandwidth usage and/or
+storing and retrieving of Waku message.
+This enables nodes to cooperate and efficiently share resources,
+and in the case of unequal nodes to settle the difference
+through a relaxed payment mechanism in the form of sending cheques.
+
+**Protocol identifier***: `/vac/waku/swap/2.0.0-beta1`
+
+## Motivation
+
+The Waku network makes up a service network, and
+some nodes provide a useful service to other nodes.
+We want to account for that, and when imbalances arise, settle this.
+The core of this approach has some theoretical backing in game theory, and
+variants of it have practically been proven to work in systems such as Bittorrent.
+The specific model use was developed by the Swarm project
+(previously part of Ethereum), and
+we re-use contracts that were written for this purpose.
+
+By using a delayed payment mechanism in the form of cheques,
+a barter-like mechanism can arise, and
+nodes can decide on their own policy
+as opposed to be strictly tied to a specific payment scheme.
+Additionally, this delayed settlement eases requirements
+on the underlying network in terms of transaction speed or costs.
+
+Theoretically, nodes providing and using resources over a long,
+indefinite, period of time can be seen as an iterated form of
+[Prisoner's Dilemma (PD)](https://en.wikipedia.org/wiki/Prisoner%27s_dilemma).
+Specifically, and more intuitively,
+since we have a cost and benefit profile for each provision/usage
+(of Waku Message's, e.g.), and
+the pricing can be set such that mutual cooperation is incentivized,
+this can be analyzed as a form of donations game.
+
+## Game Theory - Iterated prisoner's dilemma / donation game
+
+What follows is a sketch of what the game looks like between two nodes.
+We can look at it as a special case of iterated prisoner's dilemma called a
+[Donation game](https://en.wikipedia.org/wiki/Prisoner%27s_dilemma#Special_case:_donation_game)
+where each node can cooperate with some benefit `b` at a personal cost `c`,
+where `b>c`.
+
+From A's point of view:
+
+A/B | Cooperate | Defect
+-----|----------|-------
+Cooperate | b-c | -c
+Defect | b | 0
+
+What this means is that if A and B cooperates,
+A gets some benefit `b` minus a cost `c`.
+If A cooperates and B defects she only gets the cost,
+and if she defects and B cooperates A only gets the benefit.
+If both defect they get neither benefit nor cost.
+
+The generalized form of PD is:
+
+A/B | Cooperate | Defect
+-----|----------|-------
+Cooperate | R | S
+Defect | T | P
+
+With R=reward, S=Sucker's payoff, T=temptation, P=punishment
+
+And the following holds:
+
+- `T>R>P>S`
+- `2R>T+S`
+
+In our case, this means `b>b-c>0>-c` and `2(b-c)> b-c` which is trivially true.
+
+As this is an iterated game with no clear finishing point in most circumstances,
+a tit-for-tat strategy is simple, elegant and functional.
+To be more theoretically precise,
+this also requires reasonable assumptions on error rate and discount parameter.
+This captures notions such as
+"does the perceived action reflect the intended action" and
+"how much do you value future (uncertain) actions compared to previous actions".
+See [Axelrod - Evolution of Cooperation (book)](https://en.wikipedia.org/wiki/The_Evolution_of_Cooperation)
+for more details.
+In specific circumstances,
+nodes can choose slightly different policies if there's a strong need for it.
+A policy is simply how a node chooses to act given a set of circumstances.
+
+A tit-for-tat strategy basically means:
+
+- cooperate first (perform service/beneficial action to other node)
+- defect when node stops cooperating (disconnect and similar actions),
+i.e. when it stops performing according to set parameters re settlement
+- resume cooperation if other node does so
+
+This can be complemented with node selection mechanisms.
+
+## SWAP protocol overview
+
+We use SWAP for accounting and
+settlement in conjunction with other request/reply protocols in Waku v2,
+where accounting is done in a pairwise manner.
+It is an acronym with several possible meanings (as defined in the Book
+of Swarm), for example:
+
+- service wanted and provided
+- settle with automated payments
+- send waiver as payment
+- start without a penny
+
+This approach is based on communicating payment thresholds and
+sending cheques as indications of later payments.
+Communicating payment thresholds MAY be done out-of-band or as part of the handshake.
+Sending cheques is done once payment threshold is hit.
+
+See [Book of Swarm](https://web.archive.org/web/20210126130038/https://gateway.ethswarm.org/bzz/latest.bookofswarm.eth)
+section 3.2. on Peer-to-peer accounting etc., for more context and details.
+
+### Accounting
+
+Nodes perform their own accounting for each relevant peer
+based on some "volume"/bandwidth metric.
+For now we take this to mean the number of `WakuMessage`s exchanged.
+
+Additionally, a price is attached to each unit.
+Currently, this is simply a "karma counter" and equal to 1 per message.
+
+Each accounting balance SHOULD be w.r.t. to a given protocol it is accounting for.
+
+NOTE: This may later be complemented with other metrics,
+either as part of SWAP or more likely outside of it.
+For example, online time can be communicated and
+attested to as a form of enhanced quality of service to inform peer selection.
+
+### Flow
+
+Assuming we have two store nodes,
+one operating mostly as a client (A) and another as server (B).
+
+1. Node A performs a handshake with B node.
+B node responds and both nodes communicate their payment threshold.
+2. Node A and B creates an accounting entry for the other peer,
+keep track of peer and current balance.
+3. Node A issues a `HistoryRequest`, and B responds with a `HistoryResponse`.
+Based on the number of WakuMessages in the response,
+both nodes update their accounting records.
+4. When payment threshold is reached,
+Node A sends over a cheque to reach a neutral balance.
+Settlement of this is currently out of scope,
+but would occur through a SWAP contract (to be specified).
+(mock and hard phase).
+5. If disconnect threshold is reached, Node B disconnects Node A (mock and hard phase).
+
+Note that not all of these steps are mandatory in initial stages,
+see below for more details.
+For example, the payment threshold MAY initially be set out of bounds,
+and policy is only activated in the mock and hard phase.
+
+### Protobufs
+
+We use protobuf to specify the handshake and signature.
+This current protobuf is a work in progress.
+This is needed for mock and hard phase.
+
+A handshake gives initial information about payment thresholds and
+possibly other information.
+A cheque is best thought of as a promise to pay at a later date.
+
+```protobuf
+
+message Handshake {
+    bytes payment_threshold = 1;
+}
+
+// TODO Signature?
+// Should probably be over the whole Cheque type
+message Cheque {
+    bytes beneficiary = 1;
+    // TODO epoch time or block time?
+    uint32 date = 2;
+    // TODO ERC20 extension?
+    // For now karma counter
+    uint32 amount = 3;
+}
+
+```
+
+## Incremental integration and roll-out
+
+To incrementally integrate this into Waku v2,
+we have divided up the roll-out into three phases:
+
+- Soft - accounting only
+- Mock - send mock cheques and take word for it
+- Hard Test - blockchain integration and deployed to public testnet
+(Goerli, Optimism testnet or similar)
+- Hard Main - deployed to a public mainnet
+
+An implementation MAY support any of these phases.
+
+### Soft phase
+
+In the soft phase only accounting is performed, without consequence for the
+peers. No disconnect or sending of cheques is performed at this tage.
+
+SWAP protocol is performed in conjunction with another request-reply protocol
+to account for its usage.
+It SHOULD be done for [13/WAKU2-STORE](../../core/13/store.md)
+and it MAY be done for other request/reply protocols.
+
+A client SHOULD log accounting state per peer
+and SHOULD indicate when a peer is out of bounds (either of its thresholds met).
+
+### Mock phase
+
+In the mock phase, we send mock cheques and send cheques/disconnect peers as appropriate.
+
+- If a node reaches a disconnect threshold,
+which MUST be outside the payment threshold, it SHOULD disconnect the other peer.
+- If a node is within payment balance, the other node SHOULD stay connected to it.
+- If a node receives a valid Cheque it SHOULD update its internal accounting records.
+- If any node behaves badly, the other node is free to disconnect and
+pick another node.
+  - Peer rating is out of scope of this specification.
+
+### Hard phase
+
+In the hard phase, in addition to sending cheques and activating policy, this is
+done with blockchain integration on a public testnet. More details TBD.
+
+This also includes settlements where cheques can be redeemed.
+
+## Copyright
+
+Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+1. [Prisoner's Dilemma](https://en.wikipedia.org/wiki/Prisoner%27s_dilemma)
+2. [Axelrod - Evolution of Cooperation (book)](https://en.wikipedia.org/wiki/The_Evolution_of_Cooperation)
+3. [Book of Swarm](https://web.archive.org/web/20210126130038/https://gateway.ethswarm.org/bzz/latest.bookofswarm.eth)
+4. [13/WAKU2-STORE](../../core/13/store.md)
+
+<!--
+
+General TODOs:
+
+- Find new link for book of swarm
+- Illustrate payment and disconnection thresholds (mscgen not great for this?)
+- Elaborate on how accounting works with amount in the context of e.g. store
+- Illustrate flow
+- Specify chequeboo
+
+-->

waku/deprecated/5/waku0.md

@@ -11,11 +11,25 @@ contributors:
   - Kim De Mey <kimdemey@status.im>
 ---
 
-This specification describes the format of Waku messages within the ÐΞVp2p Wire Protocol. This spec substitutes [EIP-627](https://eips.ethereum.org/EIPS/eip-627). Waku is a fork of the original Whisper protocol that enables better usability for resource restricted devices, such as mostly-offline bandwidth-constrained smartphones. It does this through (a) light node support, (b) historic messages (with a mailserver) (c) expressing topic interest for better bandwidth usage and (d) basic rate limiting.
+This specification describes the format of Waku messages within the ÐΞVp2p Wire Protocol.
+This spec substitutes [EIP-627](https://eips.ethereum.org/EIPS/eip-627).
+Waku is a fork of the original Whisper protocol that enables better usability
+for resource restricted devices,
+such as mostly-offline bandwidth-constrained smartphones.
+It does this through (a) light node support,
+(b) historic messages (with a mailserver)
+(c) expressing topic interest for better bandwidth usage and
+(d) basic rate limiting.
 
 ## Motivation
 
-Waku was created to incrementally improve in areas that Whisper is lacking in, with special attention to resource restricted devices. We specify the standard for Waku messages in order to ensure forward compatibility of different Waku clients, backwards compatibility with Whisper clients, as well as to allow multiple implementations of Waku and its capabilities. We also modify the language to be more unambiguous, concise and consistent.
+Waku was created to incrementally improve in areas that Whisper is lacking in,
+with special attention to resource restricted devices.
+We specify the standard for Waku messages
+in order to ensure forward compatibility of different Waku clients,
+backwards compatibility with Whisper clients,
+as well as to allow multiple implementations of Waku and its capabilities.
+We also modify the language to be more unambiguous, concise and consistent.
 
 ## Definitions
 
@@ -29,23 +43,47 @@ Waku was created to incrementally improve in areas that Whisper is lacking in, w
 
 ### Use of DevP2P
 
-For nodes to communicate, they MUST implement devp2p and run RLPx. They MUST have some way of connecting to other nodes. Node discovery is largely out of scope for this spec, but see the appendix for some suggestions on how to do this.
+For nodes to communicate, they MUST implement devp2p and run RLPx.
+They MUST have some way of connecting to other nodes.
+Node discovery is largely out of scope for this spec,
+but see the appendix for some suggestions on how to do this.
 
 ### Gossip based routing
 
-In Whisper, messages are gossiped between peers. Whisper is a form of rumor-mongering protocol that works by flooding to its connected peers based on some factors. Messages are eligible for retransmission until their TTL expires. A node SHOULD relay messages to all connected nodes if an envelope matches their PoW and bloom filter settings. If a node works in light mode, it MAY choose not to forward envelopes. A node MUST NOT send expired envelopes, unless the envelopes are sent as a [mailserver](./mailserver.md) response. A node SHOULD NOT send a message to a peer that it has already sent before.
+In Whisper, messages are gossiped between peers.
+Whisper is a form of rumor-mongering protocol
+that works by flooding to its connected peers based on some factors.
+Messages are eligible for retransmission until their TTL expires.
+A node SHOULD relay messages to all connected nodes
+if an envelope matches their PoW and bloom filter settings.
+If a node works in light mode, it MAY choose not to forward envelopes.
+A node MUST NOT send expired envelopes,
+unless the envelopes are sent as a [mailserver](./mailserver.md) response.
+A node SHOULD NOT send a message to a peer that it has already sent before.
 
 ## Wire Specification
 
 ### Use of RLPx transport protocol
 
-All Waku messages are sent as devp2p RLPx transport protocol, version 5[^1] packets. These packets MUST be RLP-encoded arrays of data containing two objects: packet code followed by another object (whose type depends on the packet code).  See [informal RLP spec](https://github.com/ethereum/wiki/wiki/RLP) and the [Ethereum Yellow Paper, appendix B](https://ethereum.github.io/yellowpaper/paper.pdf) for more details on RLP.
+All Waku messages are sent as devp2p RLPx transport protocol,
+version 5[^1] packets.
+These packets MUST be RLP-encoded arrays of data containing two objects:
+packet code followed by another object (whose type depends on the packet code).
+ See [informal RLP spec](https://github.com/ethereum/wiki/wiki/RLP) and
+the [Ethereum Yellow Paper, appendix B](https://ethereum.github.io/yellowpaper/paper.pdf)
+for more details on RLP.
 
-Waku is a RLPx subprotocol called `waku` with version `0`. The version number corresponds to the major version in the header spec. Minor versions should not break compatibility of `waku`, this would result in a new major. (Some exceptions to this apply in the Draft stage of where client implementation is rapidly change).
+Waku is a RLPx subprotocol called `waku` with version `0`.
+The version number corresponds to the major version in the header spec.
+Minor versions should not break compatibility of `waku`,
+this would result in a new major.
+(Some exceptions to this apply in the Draft stage
+of where client implementation is rapidly change).
 
 ### ABNF specification
 
-Using [Augmented Backus-Naur form (ABNF)](https://tools.ietf.org/html/rfc5234) we have the following format:
+Using [Augmented Backus-Naur form (ABNF)](https://tools.ietf.org/html/rfc5234)
+we have the following format:
 
 ```abnf
 ; Packet codes 0 - 127 are reserved for Waku protocol
@@ -129,21 +167,23 @@ p2p-message = 1*waku-envelope
 packet-format = "[" packet-code packet-format "]"
 
 required-packet = 0 status /
-                  1 messages /
-		  22 status-update /
+1 messages /
+22 status-update /
 
 optional-packet = 126 p2p-request / 127 p2p-message
 
 packet = "[" required-packet [ optional-packet ] "]"
 ```
 
-All primitive types are RLP encoded. Note that, per RLP specification, integers are encoded starting from `0x00`.
+All primitive types are RLP encoded. Note that, per RLP specification,
+integers are encoded starting from `0x00`.
 
 ### Packet Codes
 
 The message codes reserved for Waku protocol: 0 - 127.
 
-Messages with unknown codes MUST be ignored without generating any error, for forward compatibility of future versions.
+Messages with unknown codes MUST be ignored without generating any error,
+for forward compatibility of future versions.
 
 The Waku sub-protocol MUST support the following packet codes:
 
@@ -170,17 +210,25 @@ The Status message serves as a Waku handshake and peers MUST exchange this
 message upon connection. It MUST be sent after the RLPx handshake and prior to
 any other Waku messages.
 
-A Waku node MUST await the Status message from a peer before engaging in other Waku protocol activity with that peer.
-When a node does not receive the Status message from a peer, before a configurable timeout, it SHOULD disconnect from that peer.
+A Waku node MUST await the Status message from a peer
+before engaging in other Waku protocol activity with that peer.
+When a node does not receive the Status message from a peer,
+before a configurable timeout, it SHOULD disconnect from that peer.
 
 Upon retrieval of the Status message, the node SHOULD validate the message
 received and validated the Status message. Note that its peer might not be in
 the same state.
 
 When a node is receiving other Waku messages from a peer before a Status
-message is received, the node MUST ignore these messages and SHOULD disconnect from that peer. Status messages received after the handshake is completed MUST also be ignored.
+message is received,
+the node MUST ignore these messages and SHOULD disconnect from that peer.
+Status messages received after the handshake is completed MUST also be ignored.
 
-The status message MUST contain an association list containing various options. All options within this association list are OPTIONAL, ordering of the key-value pairs is not guaranteed and therefore MUST NOT be relied on. Unknown keys in the association list SHOULD be ignored.
+The status message MUST contain an association list containing various options.
+All options within this association list are OPTIONAL,
+ordering of the key-value pairs is not guaranteed and
+therefore MUST NOT be relied on.
+Unknown keys in the association list SHOULD be ignored.
 
 #### Messages
 
@@ -188,87 +236,130 @@ This packet is used for sending the standard Waku envelopes.
 
 #### Status Update
 
-The Status Update message is used to communicate an update of the settings of the node.
+The Status Update message is used to communicate an update
+of the settings of the node.
 The format is the same as the Status message, all fields are optional.
-If none of the options are specified the message MUST be ignored and considered a noop.
-Fields that are omitted are considered unchanged, fields that haven't changed SHOULD not 
-be transmitted.
+If none of the options are specified the message MUST be ignored and
+considered a noop.
+Fields that are omitted are considered unchanged,
+fields that haven't changed SHOULD not be transmitted.
 
-**PoW Requirement update**
+##### PoW Requirement update
 
-When PoW is updated, peers MUST NOT deliver the sender envelopes with PoW lower than specified in this message.
+When PoW is updated, peers MUST NOT deliver the sender envelopes
+with PoW lower than specified in this message.
 
-PoW is defined as average number of iterations, required to find the current BestBit (the number of leading zero bits in the hash), divided by message size and TTL:
+PoW is defined as average number of iterations,
+required to find the current BestBit
+(the number of leading zero bits in the hash), divided by message size and TTL:
 
-	PoW = (2**BestBit) / (size * TTL)
+> PoW = (2**BestBit) / (size * TTL)
 
 PoW calculation:
 
-	fn short_rlp(envelope) = rlp of envelope, excluding env_nonce field.
-	fn pow_hash(envelope, env_nonce) = sha3(short_rlp(envelope) ++ env_nonce)
-	fn pow(pow_hash, size, ttl) = 2**leading_zeros(pow_hash) / (size * ttl)
+```rust
+ fn short_rlp(envelope) = rlp of envelope, excluding env_nonce field.
+ fn pow_hash(envelope, env_nonce) = sha3(short_rlp(envelope) ++ env_nonce)
+ fn pow(pow_hash, size, ttl) = 2**leading_zeros(pow_hash) / (size * ttl)
+```
 
-where size is the size of the RLP-encoded envelope, excluding `env_nonce` field (size of `short_rlp(envelope)`).
+where size is the size of the RLP-encoded envelope,
+excluding `env_nonce` field (size of `short_rlp(envelope)`).
 
-**Bloom filter update**
+##### Bloom filter update
 
-The bloom filter is used to identify a number of topics to a peer without compromising (too much) privacy over precisely what topics are of interest. Precise control over the information content (and thus efficiency of the filter) may be maintained through the addition of bits.
+The bloom filter is used to identify a number of topics
+to a peer without compromising (too much)
+privacy over precisely what topics are of interest.
+Precise control over the information content (and thus efficiency of the filter)
+may be maintained through the addition of bits.
 
-Blooms are formed by the bitwise OR operation on a number of bloomed topics. The bloom function takes the topic and projects them onto a 512-bit slice. At most, three bits are marked for each bloomed topic.
+Blooms are formed by the bitwise OR operation on a number of bloomed topics.
+The bloom function takes the topic and projects them onto a 512-bit slice.
+At most, three bits are marked for each bloomed topic.
 
-The projection function is defined as a mapping from a 4-byte slice S to a 512-bit slice D; for ease of explanation, S will dereference to bytes, whereas D will dereference to bits.
+The projection function is defined as a mapping from a 4-byte slice S
+to a 512-bit slice D; for ease of explanation, S will dereference to bytes,
+whereas D will dereference to bits.
 
-	LET D[*] = 0
-	FOREACH i IN { 0, 1, 2 } DO
-	LET n = S[i]
-	IF S[3] & (2 ** i) THEN n += 256
-	D[n] = 1
-	END FOR
+```python
+ LET D[*] = 0
+ FOREACH i IN { 0, 1, 2 } DO
+ LET n = S[i]
+ IF S[3] & (2 ** i) THEN n += 256
+ D[n] = 1
+ END FOR
+```
 
-A full bloom filter (all the bits set to 1) means that the node is to be considered a `Full Node` and it will accept any topic.
+A full bloom filter (all the bits set to 1)
+means that the node is to be considered a `Full Node` and it will accept any topic.
 
-If both Topic Interest and bloom filter are specified, Topic Interest always takes precedence and bloom filter MUST be ignored.
+If both Topic Interest and bloom filter are specified,
+Topic Interest always takes precedence and bloom filter MUST be ignored.
 
-If only bloom filter is specified, the current Topic Interest MUST be discarded and only the updated bloom filter MUST be used when forwarding or posting envelopes.
+If only bloom filter is specified, the current Topic Interest MUST be discarded and
+only the updated bloom filter MUST be used when forwarding or posting envelopes.
 
-A bloom filter with all bits set to 0 signals that the node is not currently interested in receiving any envelope.
+A bloom filter with all bits set to 0 signals
+that the node is not currently interested in receiving any envelope.
 
-**Topic Interest update**
+##### Topic Interest update
 
-This packet is used by Waku nodes for sharing their interest in messages with specific topics. It does this in a more bandwidth considerate way, at the expense of some metadata protection. Peers MUST only send envelopes with specified topics.
+This packet is used by Waku nodes for sharing their interest
+in messages with specific topics.
+It does this in a more bandwidth considerate way,
+at the expense of some metadata protection.
+Peers MUST only send envelopes with specified topics.
 
+It is currently bounded to a maximum of 10000 topics.
+If you are interested in more topics than that,
+this is currently underspecified and likely requires updating it.
+The constant is subject to change.
 
-It is currently bounded to a maximum of 10000 topics. If you are interested in more topics than that, this is currently underspecified and likely requires updating it. The constant is subject to change.
+If only Topic Interest is specified,
+the current bloom filter MUST be discarded and
+only the updated Topic Interest MUST be used when forwarding or posting envelopes.
 
-If only Topic Interest is specified, the current bloom filter MUST be discarded and only the updated Topic Interest MUST be used when forwarding or posting envelopes.
+An empty array signals that the node
+is not currently interested in receiving any envelope.
 
-An empty array signals that the node is not currently interested in receiving any envelope.
-
-**Rate Limits update**
+##### Rate Limits update
 
 This packet is used for informing other nodes of their self defined rate limits.
 
-In order to provide basic Denial-of-Service attack protection, each node SHOULD define its own rate limits. The rate limits SHOULD be applied on IPs, peer IDs, and envelope topics.
+In order to provide basic Denial-of-Service attack protection,
+each node SHOULD define its own rate limits.
+The rate limits SHOULD be applied on IPs, peer IDs, and envelope topics.
 
 Each node MAY decide to whitelist, i.e. do not rate limit, selected IPs or peer IDs.
 
 If a peer exceeds node's rate limits, the connection between them MAY be dropped.
 
-Each node SHOULD broadcast its rate limits to its peers using the rate limits packet. The rate limits MAY also be sent as an optional parameter in the handshake.
+Each node SHOULD broadcast its rate limits to its peers using the rate limits packet.
+The rate limits MAY also be sent as an optional parameter in the handshake.
 
-Each node SHOULD respect rate limits advertised by its peers. The number of packets SHOULD be throttled in order not to exceed peer's rate limits. If the limit gets exceeded, the connection MAY be dropped by the peer.
+Each node SHOULD respect rate limits advertised by its peers.
+The number of packets SHOULD be throttled in order not to exceed peer's rate limits.
+If the limit gets exceeded, the connection MAY be dropped by the peer.
 
-**Message Confirmations update**
+##### Message Confirmations update
 
-Message confirmations tell a node that a message originating from it has been received by its peers, allowing a node to know whether a message has or has not been received.
+Message confirmations tell a node that a message originating
+from it has been received by its peers,
+allowing a node to know whether a message has or has not been received.
 
-A node MAY send a message confirmation for any batch of messages received with a packet Messages Code.
+A node MAY send a message confirmation for any batch of messages
+received with a packet Messages Code.
 
-A message confirmation is sent using Batch Acknowledge packet or Message Response packet. The Batch Acknowledge packet is followed by a keccak256 hash of the envelopes batch data.
+A message confirmation is sent using Batch Acknowledge packet or
+Message Response packet.
+The Batch Acknowledge packet is followed by a keccak256 hash
+of the envelopes batch data.
 
 The current `version` of the message response is `1`.
 
-Using [Augmented Backus-Naur form (ABNF)](https://tools.ietf.org/html/rfc5234) we have the following format:
+Using [Augmented Backus-Naur form (ABNF)](https://tools.ietf.org/html/rfc5234)
+we have the following format:
 
 ```abnf
 ; a version of the Message Response
@@ -294,159 +385,268 @@ confirmation = "[" version response "]"
 ```
 
 The supported codes:
-`1`: means time sync error which happens when an envelope is too old or created in the future (the root cause is no time sync between nodes).
-
-The drawback of sending message confirmations is that it increases the noise in the network because for each sent message, a corresponding confirmation is broadcast by one or more peers.
+`1`: means time sync error which happens when an envelope is too old or
+created in the future (the root cause is no time sync between nodes).
 
+The drawback of sending message confirmations
+is that it increases the noise in the network because for each sent message,
+a corresponding confirmation is broadcast by one or more peers.
 
 #### P2P Request
 
-This packet is used for sending Dapp-level peer-to-peer requests, e.g. Waku Mail Client requesting old messages from the [Waku Mail Server](./mailserver.md).
+This packet is used for sending Dapp-level peer-to-peer requests,
+e.g. Waku Mail Client requesting old messages from the [Waku Mail Server](./mailserver.md).
 
 #### P2P Message
 
-This packet is used for sending the peer-to-peer messages, which are not supposed to be forwarded any further. E.g. it might be used by the Waku Mail Server for delivery of old (expired) messages, which is otherwise not allowed.
-
+This packet is used for sending the peer-to-peer messages,
+which are not supposed to be forwarded any further.
+E.g. it might be used by the Waku Mail Server for delivery of old
+(expired) messages, which is otherwise not allowed.
 
 ### Payload Encryption
 
-Asymmetric encryption uses the standard Elliptic Curve Integrated Encryption Scheme with SECP-256k1 public key.
+Asymmetric encryption uses the standard Elliptic Curve Integrated Encryption Scheme
+with SECP-256k1 public key.
 
 Symmetric encryption uses AES GCM algorithm with random 96-bit nonce.
 
 ### Packet code Rationale
 
-Packet codes `0x00` and `0x01` are already used in all Waku / Whisper versions. Packet code `0x02` and `0x03` were previously used in Whisper but are deprecated as of Waku v0.4
+Packet codes `0x00` and `0x01` are already used in all Waku / Whisper versions.
+Packet code `0x02` and `0x03` were previously used in Whisper but
+are deprecated as of Waku v0.4
 
 Packet code `0x22` is used to dynamically change the settings of a node.
 
-Packet codes `0x7E` and `0x7F` may be used to implement Waku Mail Server and Client. Without P2P messages it would be impossible to deliver the old messages, since they will be recognized as expired, and the peer will be disconnected for violating the Whisper protocol. They might be useful for other purposes when it is not possible to spend time on PoW, e.g. if a stock exchange will want to provide live feed about the latest trades.
+Packet codes `0x7E` and `0x7F` may be used to implement Waku Mail Server and Client.
+Without P2P messages it would be impossible to deliver the old messages,
+since they will be recognized as expired,
+and the peer will be disconnected for violating the Whisper protocol.
+They might be useful for other purposes
+when it is not possible to spend time on PoW,
+e.g. if a stock exchange will want to provide live feed about the latest trades.
 
 ## Additional capabilities
 
-Waku supports multiple capabilities. These include light node, rate limiting and bridging of traffic. Here we list these capabilities, how they are identified, what properties they have and what invariants they must maintain.
+Waku supports multiple capabilities.
+These include light node, rate limiting and bridging of traffic.
+Here we list these capabilities, how they are identified,
+what properties they have and what invariants they must maintain.
 
-Additionally there is the capability of a mailserver which is documented in its on [specification](mailserver.md).
+Additionally there is the capability of a mailserver
+which is documented in its on [specification](mailserver.md).
 
 ### Light node
 
-The rationale for light nodes is to allow for interaction with waku on resource restricted devices as bandwidth can often be an issue.
+The rationale for light nodes is to allow for interaction with waku
+on resource restricted devices as bandwidth can often be an issue.
 
-Light nodes MUST NOT forward any incoming messages, they MUST only send their own messages. When light nodes happen to connect to each other, they SHOULD disconnect. As this would result in messages being dropped between the two.
+Light nodes MUST NOT forward any incoming messages,
+they MUST only send their own messages.
+When light nodes happen to connect to each other,
+they SHOULD disconnect.
+As this would result in messages being dropped between the two.
 
 Light nodes are identified by the `light_node` value in the status message.
 
 ### Accounting for resources (experimental)
 
-Nodes MAY implement accounting, keeping track of resource usage. It is heavily inspired by Swarm's [SWAP protocol](https://www.bokconsulting.com.au/wp-content/uploads/2016/09/tron-fischer-sw3.pdf), and works by doing pairwise accounting for resources.
+Nodes MAY implement accounting, keeping track of resource usage.
+It is heavily inspired by
+Swarm's [SWAP protocol](https://www.bokconsulting.com.au/wp-content/uploads/2016/09/tron-fischer-sw3.pdf),
+and works by doing pairwise accounting for resources.
 
-Each node keeps track of resource usage with all other nodes. Whenever an envelope is received from a node that is expected (fits bloom filter or topic interest, is legal, etc) this is tracked.
+Each node keeps track of resource usage with all other nodes.
+Whenever an envelope is received from a node that is expected
+(fits bloom filter or topic interest, is legal, etc) this is tracked.
 
-Every epoch (say, every minute or every time an event happens) statistics SHOULD be aggregated and saved by the client:
+Every epoch (say, every minute or every time an event happens)
+statistics SHOULD be aggregated and saved by the client:
 
 | peer  | sent | received |
 |-------|------|----------|
 | peer1 | 0    | 123 |
 | peer2 | 10   | 40  |
 
-In later versions this will be amended by nodes communication thresholds, settlements and disconnect logic.
+In later versions this will be amended by nodes communication thresholds,
+settlements and disconnect logic.
 
 ## Upgradability and Compatibility
 
 ### General principles and policy
 
-These are policies that guide how we make decisions when it comes to upgradability, compatibility, and extensibility:
+These are policies that guide how we make decisions when it comes to upgradability,
+compatibility, and extensibility:
 
 1. Waku aims to be compatible with previous and future versions.
 
-2. In cases where we want to break this compatibility, we do so gracefully and as a single decision point.
+2. In cases where we want to break this compatibility, we do so gracefully and
+as a single decision point.
+
+3. To achieve this,
+we employ the following two general strategies:
 
-3. To achieve this, we employ the following two general strategies:
 - a) Accretion (including protocol negotiation) over changing data
-- b) When we want to change things, we give it a new name (for example, a version number).
+- b) When we want to change things, we give it a new name
+(for example, a version number).
 
 Examples:
 
-- We enable bridging between `shh/6` and `waku/0` until such a time as when we are ready to gracefully drop support for `shh/6` (1, 2, 3).
-- When we add parameter fields, we (currently) do so by accreting them in a list, so old clients can ignore new fields (dynamic list) and new clients can use new capabilities (1, 3).
-- To better support (2) and (3) in the future, we will likely release a new version that gives better support for open, growable maps (association lists or native map type) (3)
-- When we we want to provide a new set of messages that have different requirements, we do so under a new protocol version and employ protocol versioning. This is a form of accretion at a level above - it ensures a client can support both protocols at once and drop support for legacy versions gracefully. (1,2,3)
+- We enable bridging between `shh/6` and
+`waku/0` until such a time as when we are ready to gracefully drop support
+for `shh/6` (1, 2, 3).
+- When we add parameter fields, we (currently) do so by accreting them in a list,
+so old clients can ignore new fields (dynamic list)
+and new clients can use new capabilities (1, 3).
+- To better support (2) and (3) in the future,
+we will likely release a new version that gives better support for open,
+growable maps (association lists or native map type) (3)
+- When we we want to provide a new set of messages that have different requirements,
+we do so under a new protocol version and employ protocol versioning.
+This is a form of accretion at a level above -
+it ensures a client can support both protocols at once and
+drop support for legacy versions gracefully. (1,2,3)
 
 ### Backwards Compatibility
 
-Waku is a different subprotocol from Whisper so it isn't directly compatible. However, the data format is the same, so compatibility can be achieved by the use of a bridging mode as described below. Any client which does not implement certain packet codes should gracefully ignore the packets with those codes. This will ensure the forward compatibility.
+Waku is a different subprotocol from Whisper so it isn't directly compatible.
+However, the data format is the same,
+so compatibility can be achieved by the use of a bridging mode as described below.
+Any client which does not implement certain packet codes
+should gracefully ignore the packets with those codes.
+This will ensure the forward compatibility.
 
 ### Waku-Whisper bridging
 
-`waku/0` and `shh/6` are different DevP2P subprotocols, however they share the same data format making their envelopes compatible. This means we can bridge the protocols naively, this works as follows.
+`waku/0` and `shh/6` are different DevP2P subprotocols,
+however they share the same data format making their envelopes compatible.
+This means we can bridge the protocols naively, this works as follows.
 
 **Roles:**
+
 - Waku client A, only Waku capability
 - Whisper client B, only Whisper capability
 - WakuWhisper bridge C, both Waku and Whisper capability
 
 **Flow:**
+
 1. A posts message; B posts message.
 2. C picks up message from A and B and relays them both to Waku and Whisper.
 3. A receives message on Waku; B on Whisper.
 
-**Note**: This flow means if another bridge C1 is active, we might get duplicate relaying for a message between C1 and C2. I.e. Whisper(<>Waku<>Whisper)<>Waku, A-C1-C2-B. Theoretically this bridging chain can get as long as TTL permits.
+**Note**: This flow means if another bridge C1 is active,
+we might get duplicate relaying for a message between C1 and C2.
+I.e. Whisper(<>Waku<>Whisper)<>Waku, A-C1-C2-B.
+Theoretically this bridging chain can get as long as TTL permits.
 
 ### Forward Compatibility
 
-It is desirable to have a strategy for maintaining forward compatibility between `waku/0` and future version of waku. Here we outline some concerns and strategy for this.
+It is desirable to have a strategy for maintaining forward compatibility
+between `waku/0` and future version of waku.
+Here we outline some concerns and strategy for this.
 
-- **Connecting to nodes with multiple versions:** The way this SHOULD be accomplished in the future is by negotiating the versions of subprotocols, within the `hello` message nodes transmit their capabilities along with a version. As suggested in [EIP-8](https://eips.ethereum.org/EIPS/eip-8), if a node connects that has a higher version number for a specific capability, the node with a lower number SHOULD assume backwards compatibility. The node with the higher version will decide if compatibility can be assured between versions, if this is not the case it MUST disconnect.
-- **Adding new packet codes:** New packet codes can be added easily due to the available packet codes. Unknown packet codes SHOULD be ignored. Upgrades that add new packet codes SHOULD implement some fallback mechanism if no response was received for nodes that do not yet understand this packet.
-- **Adding new options in `status-options`:** New options can be added to the `status-options` association list in the `status` and `status-update` packet as options are OPTIONAL and unknown option keys SHOULD be ignored. A node SHOULD NOT disconnect from a peer when receiving `status-options` with unknown option keys.
+- **Connecting to nodes with multiple versions:**
+The way this SHOULD be accomplished in the future
+is by negotiating the versions of subprotocols,
+within the `hello` message nodes transmit their capabilities along with a version.
+As suggested in [EIP-8](https://eips.ethereum.org/EIPS/eip-8),
+if a node connects that has a higher version number for a specific capability,
+the node with a lower number SHOULD assume backwards compatibility.
+The node with the higher version
+will decide if compatibility can be assured between versions,
+if this is not the case it MUST disconnect.
+- **Adding new packet codes:**
+New packet codes can be added easily due to the available packet codes.
+Unknown packet codes SHOULD be ignored.
+Upgrades that add new packet codes SHOULD implement some fallback mechanism
+if no response was received for nodes that do not yet understand this packet.
+
+- **Adding new options in `status-options`:**
+New options can be added to the `status-options` association list
+in the `status` and `status-update` packet as options are OPTIONAL and
+unknown option keys SHOULD be ignored.
+A node SHOULD NOT disconnect from a peer
+when receiving `status-options` with unknown option keys.
 
 ## Appendix A: Security considerations
 
-There are several security considerations to take into account when running Waku. Chief among them are: scalability, DDoS-resistance and privacy. These also vary depending on what capabilities are used. The security considerations for extra capabilities such as [mailservers](./mailserver.md#security-considerations) can be found in their respective specifications.
+There are several security considerations to take into account when running Waku.
+Chief among them are: scalability, DDoS-resistance and privacy.
+These also vary depending on what capabilities are used.
+The security considerations for extra capabilities such as [mailservers](./mailserver.md#security-considerations)
+can be found in their respective specifications.
 
 ### Scalability and UX
 
 **Bandwidth usage:**
 
-In version 0 of Waku, bandwidth usage is likely to be an issue. For more investigation into this, see the theoretical scaling model described [here](https://github.com/vacp2p/research/tree/dcc71f4779be832d3b5ece9c4e11f1f7ec24aac2/whisper_scalability).
+In version 0 of Waku, bandwidth usage is likely to be an issue.
+For more investigation into this,
+see the theoretical scaling model described [here](https://github.com/vacp2p/research/tree/dcc71f4779be832d3b5ece9c4e11f1f7ec24aac2/whisper_scalability).
 
 **Gossip-based routing:**
 
-Use of gossip-based routing doesn't necessarily scale. It means each node can see a message multiple times, and having too many light nodes can cause propagation probability that is too low. See [Whisper vs PSS](https://our.status.im/whisper-pss-comparison/) for more and a possible Kademlia based alternative.
+Use of gossip-based routing doesn't necessarily scale.
+It means each node can see a message multiple times,
+and having too many light nodes can cause propagation probability that is too low.
+See [Whisper vs PSS](https://our.status.im/whisper-pss-comparison/)
+for more and a possible Kademlia based alternative.
 
 **Lack of incentives:**
 
-Waku currently lacks incentives to run nodes, which means node operators are more likely to create centralized choke points.
+Waku currently lacks incentives to run nodes,
+which means node operators are more likely to create centralized choke points.
 
 ### Privacy
 
 **Light node privacy:**
 
-The main privacy concern with light nodes is that directly connected peers will know that a message originates from them (as it are the only ones it sends). This means nodes can make assumptions about what messages (topics) their peers are interested in.
+The main privacy concern with light nodes
+is that directly connected peers will know that a message originates from them
+(as it are the only ones it sends).
+This means nodes can make assumptions about what messages (topics)
+their peers are interested in.
 
 **Bloom filter privacy:**
 
-By having a bloom filter where only the topics you are interested in are set, you reveal which messages you are interested in. This is a fundamental tradeoff between bandwidth usage and privacy, though the tradeoff space is likely suboptimal in terms of the [Anonymity](https://eprint.iacr.org/2017/954.pdf) [trilemma](https://petsymposium.org/2019/files/hotpets/slides/coordination-helps-anonymity-slides.pdf).
+By having a bloom filter where only the topics you are interested in are set,
+you reveal which messages you are interested in.
+This is a fundamental tradeoff between bandwidth usage and privacy,
+though the tradeoff space is likely suboptimal in terms of the
+[Anonymity](https://eprint.iacr.org/2017/954.pdf) [trilemma](https://petsymposium.org/2019/files/hotpets/slides/coordination-helps-anonymity-slides.pdf).
 
 **Privacy guarantees not rigorous:**
 
-Privacy for Whisper / Waku haven't been studied rigorously for various threat models like global passive adversary, local active attacker, etc. This is unlike e.g. Tor and mixnets.
+Privacy for Whisper / Waku haven't been studied rigorously for various threat models
+like global passive adversary, local active attacker, etc.
+This is unlike e.g. Tor and mixnets.
 
 **Topic hygiene:**
 
-Similar to bloom filter privacy, if you use a very specific topic you reveal more information. See scalability model linked above.
+Similar to bloom filter privacy,
+if you use a very specific topic you reveal more information.
+See scalability model linked above.
 
 ### Spam resistance
 
 **PoW bad for heterogeneous devices:**
 
-Proof of work is a poor spam prevention mechanism. A mobile device can only have a very low PoW in order not to use too much CPU / burn up its phone battery. This means someone can spin up a powerful node and overwhelm the network.
+Proof of work is a poor spam prevention mechanism.
+A mobile device can only have a very low PoW
+in order not to use too much CPU / burn up its phone battery.
+This means someone can spin up a powerful node and overwhelm the network.
 
 ### Censorship resistance
 
 **Devp2p TCP port blockable:**
 
-By default Devp2p runs on port `30303`, which is not commonly used for any other service. This means it is easy to censor, e.g. airport WiFi. This can be mitigated somewhat by running on e.g. port `80` or `443`, but there are still outstanding issues. See libp2p and Tor's Pluggable Transport for how this can be improved.
+By default Devp2p runs on port `30303`,
+which is not commonly used for any other service.
+This means it is easy to censor, e.g. airport WiFi.
+This can be mitigated somewhat by running on e.g. port `80` or `443`,
+but there are still outstanding issues.
+See libp2p and Tor's Pluggable Transport for how this can be improved.
 
 ## Appendix B: Implementation Notes
 
@@ -461,17 +661,22 @@ By default Devp2p runs on port `30303`, which is not commonly used for any other
 
 Notes useful for implementing Waku mode.
 
- 1. Avoid duplicate envelopes
+- Avoid duplicate envelopes:
 
-	To avoid duplicate envelopes, only connect to one Waku node. Benign duplicate envelopes is an intrinsic property of Whisper which often leads to a N factor increase in traffic, where N is the number of peers you are connected to.
+To avoid duplicate envelopes, only connect to one Waku node.
+Benign duplicate envelopes is an intrinsic property of Whisper
+which often leads to a N factor increase in traffic,
+where N is the number of peers you are connected to.
 
- 2. Topic specific recommendations
+- Topic specific recommendations -
 
-	Consider partition topics based on some usage, to avoid too much traffic on a single topic.
+Consider partition topics based on some usage,
+to avoid too much traffic on a single topic.
 
 ### Node discovery
 
-Resource restricted devices SHOULD use [EIP-1459](https://eips.ethereum.org/EIPS/eip-1459) to discover nodes.
+Resource restricted devices SHOULD use
+[EIP-1459](https://eips.ethereum.org/EIPS/eip-1459) to discover nodes.
 
 Known static nodes MAY also be used.
 
@@ -487,16 +692,21 @@ Released [April 21,2020](https://github.com/vacp2p/specs/commit/9e650995f2417984
 
 Released [March 17,2020](https://github.com/vacp2p/specs/commit/7b9dc562bc50c6bb844ac575cb221ec9cda2530a)
 
-- Clarify the preferred way of handling unknown keys in the `status-options` association list.
-- Correct spec/implementation mismatch: Change RLP keys to be the their int values in order to reflect production behavior
+- Clarify the preferred way of handling unknown keys
+in the `status-options` association list.
+- Correct spec/implementation mismatch:
+Change RLP keys to be the their int values in order to reflect production behavior
 
 ### Version 0.4
 
 Released [February 21, 2020](https://github.com/vacp2p/specs/commit/17bd066e317bbe33af07146b721d73f24de47e88).
 
 - Simplify implementation matrix with latest state
-- Introduces a new required packet code Status Code (`0x22`) for communicating option changes
-- Deprecates the following packet codes: PoW Requirement (`0x02`), Bloom Filter (`0x03`), Rate limits (`0x20`), Topic interest (`0x21`) - all superseded by the new Status Code (`0x22`)
+- Introduces a new required packet code Status Code (`0x22`)
+for communicating option changes
+- Deprecates the following packet codes:
+PoW Requirement (`0x02`), Bloom Filter (`0x03`), Rate limits (`0x20`),
+Topic interest (`0x21`) - all superseded by the new Status Code (`0x22`)
 - Increased `topic-interest` capacity from 1000 to 10000
 
 ### Version 0.3
@@ -506,7 +716,8 @@ Released [February 13, 2020](https://github.com/vacp2p/specs/commit/73138d6ba954
 - Recommend DNS based node discovery over other Discovery methods.
 - Mark spec as Draft mode in terms of its lifecycle.
 - Simplify Changelog and misc formatting.
-- Handshake/Status message not compatible with shh/6 nodes; specifying options as association list.
+- Handshake/Status message not compatible with shh/6 nodes;
+specifying options as association list.
 - Include topic-interest in Status handshake.
 - Upgradability policy.
 - `topic-interest` packet code.
@@ -522,7 +733,8 @@ Released [December 10, 2019](https://github.com/vacp2p/specs/blob/waku-0.2.0/wak
 - More details on handshake modifications.
 - Accounting for resources mode (experimental)
 - Appendix with security considerations: scalability and UX, privacy, and spam resistance.
-- Appendix with implementation notes and implementation matrix across various clients with breakdown per capability.
+- Appendix with implementation notes and
+implementation matrix across various clients with breakdown per capability.
 - More details on handshake and parameters.
 - Describe rate limits in more detail.
 - More details on mailserver and mail client API.
@@ -549,7 +761,6 @@ confirmations-enabled and rate-limits
 
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
 
-
 ## Footnotes
 
 [^1]: Felix Lange et al. [The RLPx Transport Protocol](https://github.com/ethereum/devp2p/blob/master/rlpx.md). Ethereum.

waku/deprecated/README.md

@@ -1,6 +1,7 @@
-## Deprecated RFCs 
+# Deprecated RFCs
 
 Deprecated specifications are no longer used in Waku products.
-This subdirectory is for achrive purpose and 
+This subdirectory is for achrive purpose and
 should not be used in production ready implementations.
-Visit [Waku RFCs](https://github.com/waku-org/specs) for new Waku specifications under discussion.
+Visit [Waku RFCs](https://github.com/waku-org/specs)
+for new Waku specifications under discussion.

waku/deprecated/fault-tolerant-store.md

@@ -0,0 +1,115 @@
+---
+slug: 21
+title: 21/WAKU2-FAULT-TOLERANT-STORE
+name: Waku v2 Fault-Tolerant Store
+status: deleted
+editor: Sanaz Taheri <sanaz@status.im>
+contributors:
+---
+
+ The reliability of [13/WAKU2-STORE](../../core/13/store.md)
+protocol heavily relies on the fact that full nodes i.e.,
+those who persist messages have high availability and
+uptime and do not miss any messages.
+If a node goes offline,
+then it will risk missing all the messages transmitted
+in the network during that time.
+In this specification,
+we provide a method that makes the store protocol resilient
+in presence of faulty nodes.
+Relying on this method,
+nodes that have been offline for a time window will be able to fix the gap
+in their message history when getting back online.
+Moreover, nodes with lower availability and
+uptime can leverage this method to reliably provide the store protocol services
+as a full node.
+
+## Method description
+
+ As the first step
+towards making the [13/WAKU2-STORE](../../core/13/store.md) protocol fault-tolerant,
+we introduce a new type of time-based query through which nodes fetch message history
+from each other based on their desired time window.
+This method operates based on the assumption that the querying node
+knows some other nodes in the store protocol
+which have been online for that targeted time window.  
+
+## Security Consideration
+
+The main security consideration to take into account
+while using this method is that a querying node
+has to reveal its offline time to the queried node.
+This will gradually result in the extraction of the node's activity pattern
+which can lead to inference attacks.
+
+## Wire Specification
+
+We extend the [HistoryQuery](../../core/13/store.md/#payloads) protobuf message
+with two fields of `start_time` and `end_time` to signify the time range to be queried.
+
+### Payloads
+
+```diff
+syntax = "proto3";
+
+message HistoryQuery {
+  // the first field is reserved for future use
+  string pubsubtopic = 2;
+  repeated ContentFilter contentFilters = 3;
+  PagingInfo pagingInfo = 4;
+  + sint64 start_time = 5;
+  + sint64 end_time = 6;
+}
+
+```
+  
+### HistoryQuery
+
+RPC call to query historical messages.
+
+- `start_time`:
+this field MAY be filled out to signify the starting point of the queried time window.
+This field holds the Unix epoch time in nanoseconds.  
+The `messages` field of the corresponding
+[`HistoryResponse`](../../core/13/store.md/#HistoryResponse)
+MUST contain historical waku messages whose
+[`timestamp`](../../core/14/message.md/#Payloads)
+is larger than or equal to the `start_time`.
+- `end_time`:
+this field MAY be filled out to signify the ending point of the queried time window.
+This field holds the Unix epoch time in nanoseconds.
+The `messages` field of the corresponding
+[`HistoryResponse`](../../core/13/store.md/#HistoryResponse)
+MUST contain historical waku messages whose
+[`timestamp`](../../core/14/message.md/#Payloads) is less than or equal to the `end_time`.
+
+A time-based query is considered valid if
+its `end_time` is larger than or equal to the `start_time`.
+Queries that do not adhere to this condition will not get through e.g.
+an open-end time query in which the `start_time` is given but
+no  `end_time` is supplied is not valid.
+If both `start_time` and
+`end_time` are omitted then no time-window filter takes place.
+
+In order to account for nodes asynchrony, and
+assuming that nodes may be out of sync for at most 20 seconds
+(i.e., 20000000000 nanoseconds),
+the querying nodes SHOULD add an offset of 20 seconds to their offline time window.
+That is if the original window is [`l`,`r`]
+then the history query SHOULD be made for `[start_time: l - 20s, end_time: r + 20s]`.
+
+Note that `HistoryQuery` preserves `AND` operation among the queried attributes.
+As such, the `messages` field of the corresponding
+[`HistoryResponse`](../../core/13/store.md/#HistoryResponse)
+MUST contain historical waku messages that satisfy the indicated  `pubsubtopic` AND
+`contentFilters` AND the time range [`start_time`, `end_time`].
+
+## Copyright
+
+Copyright and related rights waived via
+[CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+
+## References
+
+- [13/WAKU2-STORE](../../core/13/store.md)
+- [`timestamp`](../../standards/core/14/message.md/#Payloads)

waku/informational/22/toy-chat.md

@@ -19,12 +19,14 @@ This protocol is mainly used to:
 
 Currently, all main Waku v2 implementations support the toy chat protocol:
 [nim-waku](https://github.com/status-im/nim-waku/blob/master/examples/v2/chat2.nim),
-js-waku ([NodeJS](https://github.com/status-im/js-waku/tree/main/examples/cli-chat) and [web](https://github.com/status-im/js-waku/tree/main/examples/web-chat))
+js-waku ([NodeJS](https://github.com/status-im/js-waku/tree/main/examples/cli-chat)
+ and [web](https://github.com/status-im/js-waku/tree/main/examples/web-chat))
 and [go-waku](https://github.com/status-im/go-waku/tree/master/examples/chat2).
 
-Note that this is completely separate from the protocol the Status app is using for its chat functionality.
+Note that this is completely separate from the protocol the Status app
+is using for its chat functionality.
 
-# Design
+## Design
 
 The chat protocol enables sending and receiving messages in a chat room.
 There is currently only one chat room, which is tied to the content topic.
@@ -32,7 +34,7 @@ The messages SHOULD NOT be encrypted.
 
 The `contentTopic` MUST be set to `/toy-chat/2/huilong/proto`.
 
-# Payloads
+## Payloads
 
 ```protobuf
 syntax = "proto3";
@@ -48,6 +50,6 @@ message Chat2Message {
 - `nick`: The nickname of the user sending the message,
 - `payload`: The text of the messages, UTF-8 encoded.
 
-# Copyright
+## Copyright
 
 Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).

waku/informational/23/topics.md

@@ -8,20 +8,21 @@ editor: Oskar Thoren <oskarth@titanproxy.com>
 contributors:
   - Hanno Cornelius <hanno@status.im>
   - Daniel Kaiser <danielkaiser@status.im>
+  - Filip Dimitrijevic <filip@status.im>
 ---
 
 This document outlines recommended usage of topic names in Waku v2.
-In [10/WAKU2 spec](../../standards/core/10/waku2.md) there are two types of topics:
+In [10/WAKU2 spec](/waku/standards/core/10/waku2.md) there are two types of topics:
 
-- pubsub topics, used for routing
+- Pubsub topics, used for routing
 - Content topics, used for content-based filtering
 
-
 ## Pubsub Topics
 
-Pubsub topics are used for routing of messages (see [11/WAKU2-RELAY](../../standards/core/11/relay.md)),
-and can be named implicitly by Waku sharding (see [RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md)).
-This document comprises recommendations for explicitly naming pubsub topics (e.g. when choosing *named sharding* as specified in [RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md)).
+Pubsub topics are used for routing of messages (see [11/WAKU2-RELAY](/waku/standards/core/11/relay.md)),
+and can be named implicitly by Waku sharding (see [RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)).
+This document comprises recommendations for explicitly naming pubsub topics
+(e.g. when choosing *named sharding* as specified in [RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)).
 
 ### Pubsub Topic Format
 
@@ -29,26 +30,32 @@ Pubsub topics SHOULD follow the following structure:
 
 `/waku/2/{topic-name}`
 
-This namespaced structure makes compatibility, discoverability, and automatic handling of new topics easier.
+This namespaced structure makes compatibility, discoverability,
+and automatic handling of new topics easier.
 
-The first two parts indicate
+The first two parts indicate:
 
 1) it relates to the Waku protocol domain, and
 2) the version is 2.
 
-If applicable, it is RECOMMENDED to structure `{topic-name}` in a hierarchical way as well.
+If applicable, it is RECOMMENDED to structure `{topic-name}`
+in a hierarchical way as well.
 
 > *Note*: In previous versions of this document, the structure was `/waku/2/{topic-name}/{encoding}`.
 The now deprecated `/{encoding}` was always set to `/proto`,
-which indicated that the [data field](../../standards/core/11/RELAY.md/#protobuf-definition) in pubsub is serialized/encoded as protobuf.
+which indicated that the [data field](/waku/standards/core/11/relay.md#protobuf-definition)
+in pubsub is serialized/encoded as protobuf.
 The inspiration for this format was taken from
 [Ethereum 2 P2P spec](https://github.com/ethereum/eth2.0-specs/blob/dev/specs/phase0/p2p-interface.md#topics-and-messages).
-However, because the payload of messages transmitted over [11/WAKU2-RELAY](../../standards/core/11/relay.md) must be a [14/WAKU2-MESSAGE](../../standards/core/14/message.md),
+However, because the payload of messages transmitted over [11/WAKU2-RELAY](/waku/standards/core/11/relay.md)
+must be a [14/WAKU2-MESSAGE](/waku/standards/core/14/message.md),
 which specifies the wire format as protobuf,`/proto` is the only valid encoding.
 This makes the `/proto` indication obsolete.
-The encoding of the `payload` field of a Waku Message is indicated by the `/{encoding}` part of the content topic name.
+The encoding of the `payload` field of a WakuMessage
+is indicated by the `/{encoding}` part of the content topic name.
 Specifying an encoding is only significant for the actual payload/data field.
-Waku preserves this option by allowing to specify an encoding for the WakuMessage payload field as part of the content topic name.
+Waku preserves this option by allowing to specify an encoding
+for the WakuMessage payload field as part of the content topic name.
 
 ### Default PubSub Topic
 
@@ -56,25 +63,27 @@ The Waku v2 default pubsub topic is:
 
 `/waku/2/default-waku/proto`
 
-The `{topic name}` part is `default-waku/proto`, which indicates it is default topic for exchanging WakuMessages;
+The `{topic name}` part is `default-waku/proto`,
+which indicates it is default topic for exchanging WakuMessages;
 `/proto` remains for backwards compatibility.
 
 ### Application Specific Names
 
 Larger apps can segregate their pubsub meshes using topics named like:
 
-```
+```text
 /waku/2/status/
 /waku/2/walletconnect/
 ```
 
-This indicates that these networks carry WakuMessages, but for different domains completely.
+This indicates that these networks carry WakuMessages,
+but for different domains completely.
 
 ### Named Topic Sharding Example
 
-The following is an example of named sharding, as specified in [RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md).
+The following is an example of named sharding, as specified in [RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md).
 
-```
+```text
 waku/2/waku-9_shard-0/
 ...
 waku/2/waku-9_shard-9/
@@ -86,16 +95,19 @@ This indicates explicitly that the network traffic has been partitioned into 10
 
 The other type of topic that exists in Waku v2 is a content topic.
 This is used for content based filtering.
-See [14/WAKU2-MESSAGE spec](../../standards/core/14/message.md) for where this is specified.
+See [14/WAKU2-MESSAGE spec](/waku/standards/core/14/message.md)
+for where this is specified.
 Note that this doesn't impact routing of messages between relaying nodes,
-but it does impact how request/reply protocols such as 
-[12/WAKU2-FILTER](../../standards/core/14/filter.md) and [13/WAKU2-STORE](../../standards/core/13/store.md) are used.
+but it does impact using request/reply protocols such as
+[12/WAKU2-FILTER](/waku/standards/core/12/filter.md) and
+[13/WAKU2-STORE](/waku/standards/core/13/store.md).
 
 This is especially useful for nodes that have limited bandwidth,
 and only want to pull down messages that match this given content topic.
 
 Since all messages are relayed using the relay protocol regardless of content topic,
-you MAY use any content topic you wish without impacting how messages are relayed.
+you MAY use any content topic you wish
+without impacting how messages are relayed.
 
 ### Content Topic Format
 
@@ -110,20 +122,44 @@ As an example, here's the content topic used for an upcoming testnet:
 
 ### Content Topic Naming Recommendations
 
-Application names should be unique to avoid conflicting issues with other protocols.
-Applications should specify their version (if applicable) in the version field.
+Application names SHOULD be unique to avoid conflicting issues with other protocols.
+Application version (if applicable) SHOULD be specified in the version field.
 The `{content-topic-name}` portion of the content topic is up to the application,
 and depends on the problem domain.
-It can be hierarchical, for instance to separate content, or to indicate different bandwidth and privacy guarantees.
-The encoding field indicates the serialization/encoding scheme for the [WakuMessage payload](../../standards/core/14/message.md/#payloads) field.
+It can be hierarchical, for instance to separate content, or
+to indicate different bandwidth and privacy guarantees.
+The encoding field indicates the serialization/encoding scheme
+for the [WakuMessage payload](/waku/standards/core/14/message.md#payloads) field.
+
+### Content Topic usage guidelines
+
+Applications SHOULD be mindful while designing/using content topics
+so that a bloat of content-topics does not happen.
+A content-topic bloat causes performance degradation in Store
+and Filter protocols while trying to retrieve messages.
+
+Store queries have been noticed to be considerably slow
+(e.g doubling of response-time when content-topic count is increased from 10 to 100)
+when a lot of content-topics are involved in a single query.
+Similarly, a number of filter subscriptions increase,
+which increases complexity on client side to maintain
+and manage these subscriptions.
+
+Applications SHOULD analyze the query/filter criteria for fetching messages from the network
+and select/design content topics to match such filter criteria.
+e.g: even though applications may want to segregate messages into different sets
+based on some application logic,
+if those sets of messages are always fetched/queried together from the network,
+then all those messages SHOULD use a single content-topic.
 
 ## Differences with Waku v1
 
-In [5/WAKU1](../../deprecated/5/waku0.md) there is no actual routing.
+In [5/WAKU1](/waku/deprecated/5/waku0.md) there is no actual routing.
 All messages are sent to all other nodes.
-This means that we are implicitly using the same pubsub topic that would be something like:
+This means that we are implicitly using the same pubsub topic
+that would be something like:
 
-```
+```text
 /waku/1/default-waku/rlp
 ```
 
@@ -131,23 +167,25 @@ Topics in Waku v1 correspond to Content Topics in Waku v2.
 
 ### Bridging Waku v1 and Waku v2
 
-To bridge Waku v1 and Waku v2 we have a [15/WAKU-BRIDGE](../../standards/core/15/bridge.md).
+To bridge Waku v1 and Waku v2 we have a [15/WAKU-BRIDGE](/waku/standards/core/15/bridge.md).
 For mapping Waku v1 topics to Waku v2 content topics,
 the following structure for the content topic SHOULD be used:
 
-```
+```text
 /waku/1/<4bytes-waku-v1-topic>/rfc26
 ```
 
-The `<4bytes-waku-v1-topic>` SHOULD be the lowercase hex representation of the 4-byte Waku v1 topic.
+The `<4bytes-waku-v1-topic>` SHOULD be the lowercase hex representation
+of the 4-byte Waku v1 topic.
 A `0x` prefix SHOULD be used.
-`/rfc26` indicates that the bridged content is encoded according to RFC [26/WAKU2-PAYLOAD](../../standards/application/26/payload.md).
-See [15/WAKU-BRIDGE](../../standards/core/15/bridge.md) for a description of the bridged fields.
+`/rfc26` indicates that the bridged content is encoded according to RFC [26/WAKU2-PAYLOAD](/waku/standards/application/26/payload.md).
+See [15/WAKU-BRIDGE](/waku/standards/core/15/bridge.md)
+for a description of the bridged fields.
 
 This creates a direct mapping between the two protocols.
 For example:
 
-```
+```text
 /waku/1/0x007f80ff/rfc26
 ```
 
@@ -158,13 +196,13 @@ Copyright and related rights waived via
 
 ## References
 
-* [10/WAKU2 spec](../../standards/core/10/waku2.md)
-* [11/WAKU2-RELAY](../../standards/core/11/relay.md)
-* [RELAY-SHARDING](https://github.com/waku-org/specs/blob/waku-RFC/standards/core/relay-sharding.md)
-* [Ethereum 2 P2P spec](https://github.com/ethereum/eth2.0-specs/blob/dev/specs/phase0/p2p-interface.md#topics-and-messages)
-* [14/WAKU2-MESSAGE](../../standards/core/14/message.md)
-* [12/WAKU2-FILTER](../../standards/core/14/filter.md)
-* [13/WAKU2-STORE](../../standards/core/13/store.md)
-* [6/WAKU1](../../deprecated/5/waku0.md)
-* [15/WAKU-BRIDGE](../../standards/core/15/bridge.md)
-* [26/WAKU-PAYLOAD](../../standards/application/26/payload.md)
+- [10/WAKU2 spec](/waku/standards/core/10/waku2.md)
+- [11/WAKU2-RELAY](/waku/standards/core/11/relay.md)
+- [RELAY-SHARDING](https://github.com/waku-org/specs/blob/master/standards/core/relay-sharding.md)
+- [Ethereum 2 P2P spec](https://github.com/ethereum/eth2.0-specs/blob/dev/specs/phase0/p2p-interface.md#topics-and-messages)
+- [14/WAKU2-MESSAGE](/waku/standards/core/14/message.md)
+- [12/WAKU2-FILTER](/waku/standards/core/12/filter.md)
+- [13/WAKU2-STORE](/waku/standards/core/13/store.md)
+- [6/WAKU1](/waku/deprecated/5/waku0.md)
+- [15/WAKU-BRIDGE](/waku/standards/core/15/bridge.md)
+- [26/WAKU-PAYLOAD](/waku/standards/application/26/payload.md)

waku/informational/27/peers.md

@@ -5,26 +5,35 @@ name: Waku v2 Client Peer Management Recommendations
 status: draft
 editor: Hanno Cornelius <hanno@status.im>
 contributors:
+ - Filip Dimitrijevic <filip@status.im>
 ---
 
-`27/WAKU2-PEERS` describes a recommended minimal set of peer storage and peer management features to be implemented by Waku v2 clients.
+`27/WAKU2-PEERS` describes a recommended minimal set of peer storage and
+peer management features to be implemented by Waku v2 clients.
 
-In this context, peer _storage_ refers to a client's ability to keep track of discovered or statically-configured peers and their metadata.
+In this context, peer _storage_ refers to a client's ability to keep track of discovered
+or statically-configured peers and their metadata.
 It also deals with matters of peer _persistence_,
 or the ability to store peer data on disk to resume state after a client restart.
 
-Peer _management_ is a closely related concept and refers to the set of actions a client MAY choose to perform based on its knowledge of its connected peers,
-e.g. triggering reconnects/disconnects, keeping certain connections alive, etc.
+Peer _management_ is a closely related concept and
+refers to the set of actions a client MAY choose to perform
+based on its knowledge of its connected peers,
+e.g. triggering reconnects/disconnects,
+keeping certain connections alive, etc.
 
 ## Peer store
 
-The peer store SHOULD be an in-memory data structure where information about discovered or configured peers are stored.
-It SHOULD be considered the main source of truth for peer-related information in a Waku v2 client.
+The peer store SHOULD be an in-memory data structure
+where information about discovered or configured peers are stored.
+It SHOULD be considered the main source of truth
+for peer-related information in a Waku v2 client.
 Clients MAY choose to persist this store on-disk.
 
 ### Tracked peer metadata
 
-It is RECOMMENDED that a Waku v2 client tracks at least the following information about each of its peers in a peer store:
+It is RECOMMENDED that a Waku v2 client tracks at least the following information
+about each of its peers in a peer store:
 
 | Metadata | Description  |
 | --- | --- |
@@ -36,16 +45,19 @@ It is RECOMMENDED that a Waku v2 client tracks at least the following informatio
 
 ### Peer connectivity
 
-A Waku v2 client SHOULD track _at least_ the following connectivity states for each of its peers:
- - **`NotConnected`**: The peer has been discovered or configured on this client,
+A Waku v2 client SHOULD track _at least_ the following connectivity states
+for each of its peers:
+
+- **`NotConnected`**: The peer has been discovered or configured on this client,
  but no attempt has yet been made to connect to this peer.
  This is the default state for a new peer.
- - **`CannotConnect`**: The client attempted to connect to this peer, but failed.
- - **`CanConnect`**: The client was recently connected to this peer and disconnected gracefully.
- - **`Connected`**: The client is actively connected to this peer.
+- **`CannotConnect`**: The client attempted to connect to this peer, but failed.
+- **`CanConnect`**: The client was recently connected to this peer and
+disconnected gracefully.
+- **`Connected`**: The client is actively connected to this peer.
 
 This list does not preclude clients from tracking more advanced connectivity metadata,
-such as a peer's blacklist status (see [`18/WAKU2-SWAP`](../../standards/application/18/swap.md)).
+such as a peer's blacklist status (see [`18/WAKU2-SWAP`](/waku/deprecated/18/swap.md)).
 
 ### Persistence
 
@@ -55,30 +67,40 @@ Peer persistence MAY be used to resume peer connections after a client restart.
 
 ## Peer management
 
-Waku v2 clients will have different requirements when it comes to managing the peers tracked in the [**peer store**](#peer-store).
+Waku v2 clients will have different requirements
+when it comes to managing the peers tracked in the [**peer store**](#peer-store).
 It is RECOMMENDED that clients support:
+
 - [automatic reconnection](#reconnecting-peers) to peers under certain conditions
 - [connection keep-alive](#connection-keep-alive)
 
 ### Reconnecting peers
 
-A Waku v2 client MAY choose to reconnect to previously connected, managed peers under certain conditions.
+A Waku v2 client MAY choose to reconnect to previously connected,
+managed peers under certain conditions.
 Such conditions include, but are not limited to:
-- Reconnecting to all `relay`-capable peers after a client restart. This will require [persistent peer storage](#persistence).
+
+- Reconnecting to all `relay`-capable peers after a client restart.
+This will require [persistent peer storage](#persistence).
 
 If a client chooses to automatically reconnect to previous peers,
-it MUST respect the [backing off period](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#prune-backoff-and-peer-exchange) specified for GossipSub v1.1 before attempting to reconnect.
+it MUST respect the
+[backing off period](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#prune-backoff-and-peer-exchange)
+specified for GossipSub v1.1 before attempting to reconnect.
 This requires keeping track of the [last time each peer was disconnected](#tracked-peer-metadata).
 
 ### Connection keep-alive
 
 A Waku v2 client MAY choose to implement a keep-alive mechanism to certain peers.
 If a client chooses to implement keep-alive on a connection,
-it SHOULD do so by sending periodic [libp2p pings](https://docs.libp2p.io/concepts/protocols/#ping) as per `10/WAKU2` [client recommendations](../../standards/core/10/WAKU2.md/#recommendations-for-clients).
-The recommended period between pings SHOULD be _at most_ 50% of the shortest idle connection timeout for the specific client and transport.
+it SHOULD do so by sending periodic [libp2p pings](https://docs.libp2p.io/concepts/fundamentals/protocols/#ping)
+as per `10/WAKU2` [client recommendations](/waku/standards/core/10/waku2.md#recommendations-for-clients).
+The recommended period between pings SHOULD be _at most_ 50%
+of the shortest idle connection timeout for the specific client and transport.
 For example, idle TCP connections often times out after 10 to 15 minutes.
 
-> **Implementation note:** the `nim-waku` client currently implements a keep-alive mechanism every `5 minutes`,
+> **Implementation note:**
+the `nim-waku` client currently implements a keep-alive mechanism every `5 minutes`,
 in response to a TCP connection timeout of `10 minutes`.
 
 ## Copyright
@@ -91,9 +113,9 @@ Copyright and related rights waived via
 - [`Peer ID`](https://docs.libp2p.io/concepts/peer-id/)
 - [`multiaddrs`](https://docs.libp2p.io/concepts/addressing/)
 - [`protocol IDs`](https://docs.libp2p.io/concepts/protocols/#protocol-ids)
-- [`11/WAKU2-RELAY`](../../standards/core/11/relay.md)
-- [`13/WAKU2-STORE`](../../standards/core/13/store.md)
-- [`18/WAKU2-SWAP`](../../standards/application/18/swap.md)
-- [backing off period](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#prune-backoff-and-peer-exchange)
-- [libp2p pings](https://docs.libp2p.io/concepts/protocols/#ping)
-- [`10/WAKU2` client recommendations](https://rfc.vac.dev/spec/10/#recommendations-for-clients)
+- [`11/WAKU2-RELAY`](/waku/standards/core/11/relay.md)
+- [`13/WAKU2-STORE`](/waku/standards/core/13/store.md)
+- [`18/WAKU2-SWAP`](/waku/deprecated/18/swap.md)
+- [backing off period](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md/#prune-backoff-and-peer-exchange)
+- [libp2p pings](https://docs.libp2p.io/concepts/fundamentals/protocols/#ping)
+- [`10/WAKU2` client recommendations](/waku/standards/core/10/waku2.md#recommendations-for-clients)

waku/informational/29/config.md

@@ -5,13 +5,15 @@ name: Waku v2 Client Parameter Configuration Recommendations
 status: draft
 editor: Hanno Cornelius <hanno@status.im>
 contributors:
+ - Filip Dimitrijevic <filip@status.im>
 ---
 
-`29/WAKU2-CONFIG` describes the RECOMMENDED values to assign to configurable parameters for Waku v2 clients.
+`29/WAKU2-CONFIG` describes the RECOMMENDED values
+to assign to configurable parameters for Waku v2 clients.
 Since Waku v2 is built on [libp2p](https://github.com/libp2p/specs),
 most of the parameters and reasonable defaults are derived from there.
 
-Waku v2 relay messaging is specified in [`11/WAKU2-RELAY`](../../standards/core/11/relay.md),
+Waku v2 relay messaging is specified in [`11/WAKU2-RELAY`](/waku/standards/core/11/relay.md),
 a minor extension of the [libp2p GossipSub protocol](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md).
 GossipSub behaviour is controlled by a series of adjustable parameters.
 Waku v2 clients SHOULD configure these parameters to the recommended values below.
@@ -25,7 +27,7 @@ We repeat them here with RECOMMMENDED values for `11/WAKU2-RELAY` implementation
 |----------------------|-------------------------------------------------------|-------------------|
 | `D`                  | The desired outbound degree of the network            | 6                 |
 | `D_low`              | Lower bound for outbound degree                       | 4                 |
-| `D_high`             | Upper bound for outbound degree                       | 8                |
+| `D_high`             | Upper bound for outbound degree                       | 8                 |
 | `D_lazy`             | (Optional) the outbound degree for gossip emission    | `D`               |
 | `heartbeat_interval` | Time between heartbeats                               | 1 second          |
 | `fanout_ttl`         | Time-to-live for each topic's fanout state            | 60 seconds        |
@@ -35,8 +37,10 @@ We repeat them here with RECOMMMENDED values for `11/WAKU2-RELAY` implementation
 
 ## GossipSub v1.1 parameters
 
-GossipSub v1.1 extended GossipSub v1.0 and introduced [several new parameters](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#overview-of-new-parameters).
-We repeat the global parameters here with RECOMMMENDED values for `11/WAKU2-RELAY` implementations.
+GossipSub v1.1 extended GossipSub v1.0 and
+introduced [several new parameters](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#overview-of-new-parameters).
+We repeat the global parameters here
+with RECOMMMENDED values for `11/WAKU2-RELAY` implementations.
 
 | Parameter      | Description                                                            | RECOMMENDED value |
 |----------------|------------------------------------------------------------------------|-------------------|
@@ -46,12 +50,15 @@ We repeat the global parameters here with RECOMMMENDED values for `11/WAKU2-RELA
 | `D_score`      | Number of peers to retain by score when pruning from oversubscription  | `D_low`           |
 | `D_out`        | Number of outbound connections to keep in the mesh.                    | `D_low` - 1       |
 
-`11/WAKU2-RELAY` clients SHOULD implement a peer scoring mechanism with the parameter constraints as [specified by libp2p](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#overview-of-new-parameters).
+`11/WAKU2-RELAY` clients SHOULD implement a peer scoring mechanism
+with the parameter constraints as
+[specified by libp2p](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#overview-of-new-parameters).
 
 ## Other configuration
 
 The following behavioural parameters are not specified by `libp2p`,
-but nevertheless describes constraints that `11/WAKU2-RELAY` clients MAY choose to implement.
+but nevertheless describes constraints that `11/WAKU2-RELAY` clients
+MAY choose to implement.
 
 | Parameter          | Description                                                               | RECOMMENDED value |
 |--------------------|---------------------------------------------------------------------------|-------------------|
@@ -68,7 +75,7 @@ Copyright and related rights waived via
 ## References
 
 - [libp2p](https://github.com/libp2p/specs)
-- [11/WAKU2-RELAY](../../standards/core/11/relay.md)
+- [11/WAKU2-RELAY](/waku/standards/core/11/relay.md)
 - [libp2p GossipSub protocol](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/README.md)
 - [corresponding libp2p specification](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.0.md#parameters)
 - [several new parameters](https://github.com/libp2p/specs/blob/master/pubsub/gossipsub/gossipsub-v1.1.md#overview-of-new-parameters)

waku/informational/30/adaptive-nodes.md

@@ -5,13 +5,16 @@ name: Adaptive nodes
 status: draft
 editor: Oskar Thorén <oskarth@titanproxy.com>
 contributors:
+ - Filip Dimitrijevic <filip@status.im>
 ---
 
 This is an informational spec that show cases the concept of adaptive nodes.
 
 ## Node types - a continuum
 
-We can look at node types as a continuum, from more restricted to less restricted, fewer resources to more resources.
+We can look at node types as a continuum,
+from more restricted to less restricted,
+fewer resources to more resources.
 
 ![Node types - a continuum](./images/adaptive_node_continuum2.png)
 
@@ -29,11 +32,13 @@ Some examples:
 - Desktop: download, leave in background, contribute somewhat
 - Cluster: expensive, upkeep, but can contribute a lot
 
-These are also illustrative, so a node in a browser in certain environment might contribute similarly to Desktop.
+These are also illustrative,
+so a node in a browser in certain environment might contribute similarly to Desktop.
 
 ### Adaptive nodes
 
-We call these nodes *adaptive nodes* to highlights different modes of contributing, such as:
+We call these nodes *adaptive nodes* to highlights different modes of contributing,
+such as:
 
 - Only leeching from the network
 - Relaying messages for one or more topics
@@ -55,11 +60,18 @@ Each node can choose which protocols to support, depending on its resources and
 
 ![Protocol selection](./images/adaptive_node_protocol_selection2.png)
 
-In the case of protocols like [11/WAKU2-RELAY](../../standards/core/11/relay.md) etc (12, 13, 19, 21) these correspond to Libp2p protocols.
+Protocols like [11/WAKU2-RELAY](/waku/standards/core/11/relay.md),
+as well as [12], [13], [19], and [21], correspond to libp2p protocols.
 
-However, other protocols like 16/WAKU2-RPC (local HTTP JSON-RPC), 25/LIBP2P-DNS-DISCOVERY, Discovery v5 (DevP2P) or interfacing with distributed storage, are running on different network stacks.
+However, other protocols like 16/WAKU2-RPC
+(local HTTP JSON-RPC), 25/LIBP2P-DNS-DISCOVERY,
+Discovery v5 (DevP2P) or interfacing with distributed storage,
+are running on different network stacks.
 
-This is in addition to protocols that specify payloads, such as 14/WAKU2-MESSAGE, 26/WAKU2-PAYLOAD, or application specific ones. As well as specs that act more as recommendations, such as 23/WAKU2-TOPICS or 27/WAKU2-PEERS.
+This is in addition to protocols that specify payloads, such as 14/WAKU2-MESSAGE,
+26/WAKU2-PAYLOAD, or application specific ones.
+As well as specs that act more as recommendations,
+such as 23/WAKU2-TOPICS or 27/WAKU2-PEERS.
 
 ## Waku network visualization
 
@@ -67,36 +79,47 @@ We can better visualize the network with some illustrative examples.
 
 ### Topology and topics
 
-The first one shows an example topology with different PubSub topics for the relay protocol.
+This illustration shows an example topology with different PubSub topics
+for the relay protocol.
 
 ![Waku Network visualization](./images/adaptive_node_network_topology_protocols2.png)
 
 ### Legend
 
+This illustration shows an example of content topics a node is interested in.
+
 ![Waku Network visualization legend](./images/adaptive_node_network_topology_protocols_legend.png)
 
-The dotted box shows what content topics (application-specific) a node is interested in.
+The dotted box shows what content topics (application-specific)
+a node is interested in.
 
 A node that is purely providing a service to the network might not care.
 
-In this example, we see support for toy chat, a topic in Waku v1 (Status chat), WalletConnect, and SuperRare community.
+In this example, we see support for toy chat,
+a topic in Waku v1 (Status chat), WalletConnect, and SuperRare community.
 
 ### Auxiliary network
 
 This is a separate component with its own topology.
 
-Behavior and interaction with other protocols specified in Vac RFCs, e.g. 25/LIBP2P-DNS-DISCOVERY, 15/WAKU-BRIDGE, etc.
+Behavior and interaction with other protocols specified in Vac RFCs,
+e.g. [25/LIBP2P-DNS-DISCOVERY](/vac/25/libp2p-dns-discovery.md)
+and [15/WAKU-BRIDGE](/waku/standards/core/15/bridge.md).
 
 ### Node Cross Section
 
-This one shows a cross-section of nodes in different dimensions and shows how the connections look different for different protocols.
+This one shows a cross-section of nodes in different dimensions and
+shows how the connections look different for different protocols.
 
 ![Node Cross Section](./images/adaptive_node_cross_section2.png)
 
 ## Copyright
 
-Copyright and related rights waived via [CC0](https://creativecommons.org/publicdomain/zero/1.0/).
+Copyright and related rights waived via
+[CC0](https://creativecommons.org/publicdomain/zero/1.0/).
 
 ## References
 
-- [11/WAKU2-RELAY](../../standards/core/11/relay.md)
+- [11/WAKU2-RELAY](/waku/standards/core/11/relay.md)
+- [25/LIBP2P-DNS-DISCOVERY](/vac/25/libp2p-dns-discovery.md)
+- [15/WAKU-BRIDGE](/waku/standards/core/15/bridge.md)