-
Notifications
You must be signed in to change notification settings - Fork 582
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NIP-44: Encrypted Direct Message (Versioned), replaces NIP-4 #574
Conversation
What if this NIP also included:
I think these two small measures will reduce metadata leak to basically zero in normal times and also reduce bandwidth significantly. |
minor comments, looks great |
if we make AUTH (NIP-42) mandatory then we can drop NIP-59 #468 completely because there is no use for it. |
making AUTH mandatory is a nonstarter, imo. also the disclaimers in this nip are misleading. if metadata is not a concern (and there's no reason we should blanket assume that it is), there is no need to use AUTH. i can think of many good reasons why you definitely want metadata to be present in this shared-custody data also, there are other solutions ... it would be easy to gift-wrap (nip59?) or to have a system send spurious messages regularly to preventing harvesting of this info. the enryption provided in this leaks the sender and the recipient public keys. that's the only disclaimer we need. it is correctly done now and scaring people away from using it isn't the right move. |
We got to pick one option or the other to stop metadata leaks with this. Option 1: Make NIP-42 mandatory and explicit relay signaling in the profile. Option 2 wastes compute and bandwidth resources but less restrictive. But we have to do either one and close this topic for a while. one more. I am new to this NIP process. Shouldn't @earonesty name be on the NIP-44 since he started this discussion and did initial work? |
i don't care, in the slightest, if my name is on it. i understand the tradeoffs and i think good decisions are being made, and it basically aligns with what i need. i think metadata "leakage" (if it can be called that), is outside the purview of this nip, and it should just be made clear that sender public key info is visible and that additional tags should not be used on these messages.
metadata is not "leaked" ... this is a conversation that the sender can decrypt later, because nostr is an censorship resistant data store, and users want to be able to move between clients and see their outbounds too. (technically recipient information doesn't matter and cannot matter) |
I like this NIP. I think it makes the right decisions. We can't do forward-secrecy or metadata secrecy in nostr without a lot of other junk (if at all) and we need a better but still simple DM system.
I like this. I could specify my personal relay that doesn't allow anybody to read back what was written.
Don't put me as an author. I didn't think you were going to, but just for clarity. |
NIP-59 handle metadata secrecy elegantly and very well. It does exactly what nostr should do. We just need to update NIP-59 to specify that it uses NIP-44 encryption instead of NIP-04 and now we've got the building blocks of a a lot of great protocols! |
@paulmillr Do you have an working example of the padding oracle attack? |
Question, how does this perform against on-the-fly modifications of the public key, signature and content? If Why not pass that data into Poly1305 as AAD, so it's protected from being modified? |
@iloveyumyumshrimpnoodles how would poly1305 protect anything in this case? mallory's new ciphertext would include new poly authentication tag as well. It would validate properly. |
at this point Mallory has changed the entire message to something she felt like sending it is just a message from Mallory now she might as well just posted it from the outset If she's changing the content and the public key and the event hash and everything |
Ah yeah, true. |
simple feature. instead of signing with his public key, a client signs with ( |
Stealth addresses are hard and require complicated analysis to ensure discrete logarithm problem is not stupidly solvable. i've been around an audit of one such system. Better to not have it in the initial release. |
i would hope that signing with a tweaked private key even if everyone knows how you tweaked it, cant possibly be broken or basically all derivations are broken |
Sorry, @paulmillr, I forgot to answer #574 (comment). I think "gift wrap" and all the other similar proposals that use random keys or anonymous keys are bad because for the incentives to work on Nostr relays ultimately will have to know something about who is writing to their database, so these solutions won't scale or may require additional complexities (despite already being complex and resource-intensive for clients). |
How do you feel about including #574 (comment) in the NIP? |
Before merge, I also want to have a second opinion from someone experienced, who can do security evaluation / audit. If anyone knows such people, it would massively help. |
Is metadata leakage and cryptographic security 2 several problems? Can we solve them independently? Of course, some good designs might solve them at once, but it's not a good mentality to have to solve them at once. If we can solve one without making the other worse, client developers will catch up faster. Recently I don't even have time to carefully evaluate this NIP despite Blowater is mainly focusing on DM. |
Thinking again about this, I think people won't switch easily, so it may be better to try to implement SimpleX instead? Even though it is too complicated, someone can take an OpenSats grant and write a SimpleX JS library and libraries for other languages, lobby the SimpleX people to enable websocket support on their servers or write a separate implementation, and allow easily hosting paid SimpleX relays or community whitelisted SimpleX relays, then we have a solid feature to build upon (assuming SimpleX is actually good). |
I strongly suggest we finalize NIP-44, explicitly state our threat model, do some sort of audit of the result scheme, and release it to public. This is because Simplex is extremely complicated. I will open a separate discussion with regards to Simplex estimates and amount of work, it's likely 100x more than finalizing NIP-44. Regarding "people won't switch easily" - on a contrary, I don't think so. We just need to sell it. If it's too complex, then yes, they won't switch. If it's as simple as it gets, then switching should take no time. It's important to understand that, in the worst case, all the primitives (xchacha, whatever) are still available in extremely popular libsodium, which works on all platforms. So, it's good. For JS i've released noble-ciphers, so it's good too. To reiterate deficiencies of NIP4: 1) cbc padding oracle attacks 2) multi-user security of AES is shit 3) cross-platform key reuse, it's easy to accidentally leak private key 4) and aes key not being IND. Maybe 4 is minor. 1 and 2 are medium. 3 is really bad, since nostr uses one key for everything. @BlowaterNostr metadata leakage of some sort always happens. It happens in signal, it happens in tor, it happens everywhere. The best we can do is minimize it. I think fiatjaf's solution would radically decrease leakage, so it's cool. |
SimpleX discussion => #658 |
we're using the sha256(shared secret) to sign/encrypt messages. but are otherwise using nip-44 for encryption. that prevents metadata leakage better than most of the above. and its plausibly deniable. and it's understandable/easy to use. i really would like something in nip-44 that mentions that this is an easy option to add "metadata free dm's" to any nostr client |
how so? |
|
||
1. Alice authenticates on `wss://nostr.example.com` using NIP-42. This would mean sending and receiving | ||
messages would only be available to proper, authenticated users. | ||
2. On success, Alice creates NIP-65 event specifying `wss://nostr.example.com` as her preferred relay. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How about mentioning that these are Alice's read
relays, the ones she reads from (in case she uses relays for just read or just write, instead of both).
... or better yet, since people are concerned about metadata, we extend NIP-65 to add a flag indicating a DM relay. That way it would be possible for people concerned with metadata leakage to setup a personal relay for receiving DMs and be confident that those DMs are not being read by interlopers (at least the receipient is confident it doesn't leak from their specified read relay, but not that the sender didn't put it elsewhere; and the sender can't really be confident of this, so this is not much of a solution for metadata leakage but it helps a smidgen).
Folks, I can't find a reliable xchacha20 implementation for Android. Do you have any tips? It's going to be hard to support this PR if the cryptographic function is not easily available in all languages. :( |
@vitorpamplona libsodium is available on all platforms. |
To clarify, in libsodium the function is called |
I got it to work with one of the bindings: #468 (comment) 3/4 of the libs I tested were crashing for no reason. Things are still very raw. |
we're using a variant of this in arcade, running on android. it doesn't use chacha, but it does the "right thing" for aes. (new salt, new key per message): https://github.com/ArcadeLabsInc/arclib/blob/9857e1ae1558b9e265c1461a53d281ecbe4fae77/src/ident.ts#L107 works fine in react/ios/andriod and is def better than nip04. also we support blinded-dms as well (no metadata leaks) on android i had various problems using GCM and chacha, so this is where i left it |
your solution is still:
Which problems, exactly? |
Dropping an idea I had around metadata concerns that would not alter this NIP as proposed, because if this is more cryptographically sound than NIP04, it should move forward on that basis alone. Metadata can be addressed in a separate NIP, using this one as a dependency to keep those concerns separated. "Chaum Chat" The objection to ephemeral conversation keys ties back to paid relays not allowing writes for new keys. With all he stupidity being pushed by NGO's to use ECash in representing custodial Bitcoin, why not re-purpose those libraries into something useful, like relay access tokens? An additive NIP for paid relays could define how clients receive ECash instead of a whitelisting, with the ECash then being used for the whitelisting of keys. Additionally, free relays could reward ECash to identity keys based on reputation, to keep rate limits loose without abuse. This process would decouple identity keys and their ephemeral children from the Lightning payment. Since's it's only for service access, there's no dishonest NGO narrative of it enhancing the security/privacy of Bitcoin transactions themselves. It also serves as a demonstration of how ECash should be used. |
I can't evaluate the merits of this idea without a full description. But I am happy to do so if you decide to make a NIP for it. It feels like Large Group chats (~1,000+ people) could use this Ecash allowlist idea. |
Correct me if I am wrong, but I have a question regarding this NIP as well as NIP-04. So the ECDH part involves computation using the private key. Where exactly should this computation Ideally, users should be able to store their private key in an extension wallet such as Metamask of Ethereum. But Metamask won't let a Dapp export your private key for an ECDH computation. For Nostr, idealy it should be same—web app can't touch your private key directly. Maybe we should have a Nostr wallet which does signature and ECDH computation within the wallet instead of exporting it to a web app. Thoughts? |
Of course. That was one of ideas behind getConversationKey. It can be abstracted in a proper way. |
I've created a new version of this PR at #715, @paulmillr please let me know if you'd like to close this PR or incorporate those changes into this one. |
Closing this since the conversation is continuing at #715 |
Simple solution that fixes broken cryptography and introduces versioning. Preview, PR to nostr-tools
tl;dr
xchacha(key: sha256(ecdh(userPriv, partnerPub)), nonce: random(24)).encrypt(message)
Benchmark
Round-trip of encrypting-decrypting a basic event with "hello" message, on Apple M2.
The goals
NIP4 was bad, because it used AES-CBC with non-hashed, non-IND ECDH key, was not versioned, did not have relay signalling.
Because it's simple, the protocol would not be as good as Signal or others. It's okay, because nostr is public DM system. Ideally you'll exchange Signal (etc) credentials in nostr DMs. If you think the approach is wrong, write down your thoughts in this thread.
Rationale
Out-of-scope
Questions
content
be hex string, or CSV base64 string?02
to B ingetSharedSecret(privkeyA, '02' + pubkeyB)
?Live code: #574