From 1a44eb5613aa56a2eec621b08f01f4ecab828cf4 Mon Sep 17 00:00:00 2001 From: vaultec81 <47548474+vaultec81@users.noreply.github.com> Date: Wed, 23 Dec 2020 11:12:06 -0800 Subject: [PATCH] add SCP-004.md --- scps/SCP-004.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 scps/SCP-004.md diff --git a/scps/SCP-004.md b/scps/SCP-004.md new file mode 100644 index 0000000..65abd88 --- /dev/null +++ b/scps/SCP-004.md 
@@ -0,0 +1,29 @@ +## SCP-004: Discovery keys + +**Goals**: +* Provide a first line of privacy for databases wanting to be kept private. +* Prevent snooping of database activities, more censorship resistance. +* More privacy of nodes storing a orbit-db database + +**Definitions:** +* Discovery Key: A unique key used to address an orbitdb database without disclosing the original database address. Similar to I2P's daily floodfill key rotation. +* Shared Secret: Private key shared among authorized nodes. +* Key Rotation: When the discovery key is changed to a unique but deterministic value. Can be done via time based cycles or modifying a shared salt value. +* Key Salt: + + +**Pubsub Discovery** +is defined as the ability to correlate a pubsub channel name with a database address. By default orbitdb makes this apparent by setting the pubsub channel name the same as the database. By disclosing this information an adversary can easily determine which nodes are interested in what orbitdb databases. + + +**Pubsub Secrecy** +is defined as the secrecy of messages sent in the pubsub channel. Pubsubs messages can range of custom P2P calls to syncing database information from one node to another. It is best to have a first layer of encryption to protect these messages if the use case requires secrecy. + +### Flow +1. Orbitdb database is started/created. +2. Discovery key is created by hashing the database address & additional salt if any -> Discovery key. +3. Shared secret is generated by hashing database address with a slightly different alogrithmn to be different value than the discovery key. +4. All peers subscribe to the discovery key via pubsub. All peers encrypt/decrypt pubsub messages using the shared secret. + +### Notes +[[1](https://datprotocol.github.io/how-dat-works/#discovery-keys)]: `https://datprotocol.github.io/how-dat-works/#discovery-keys` Dat protocol (also known as hypercore) already has implemented discovery keys for "dat repos" \ No newline at end of file
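Review bot: Flow step 3 derives the shared secret from the database address alone ("hashing database address with a slightly different alogrithmn"), so anyone who learns the address can compute both the discovery key and the encryption key. That conflicts with the definition "Private key shared among authorized nodes" unless knowing the address is itself meant to be the authorization. Please state that assumption explicitly, or mix in a secret that cannot be derived from the address. The derivation also needs to be specified concretely: name the hash or KDF and use distinct domain-separation labels for the two outputs, so that implementations interoperate and the secret cannot be computed from the published discovery key. Step 2 takes an optional salt, but step 3 does not say whether the salt applies to the shared secret as well. The "Key Salt:" definition is empty, and Key Rotation is defined but has no step in the Flow saying how peers agree on the current cycle or salt. Minor: "a orbit-db" should be "an orbit-db", "alogrithmn" is a typo, and the file has no trailing newline.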