Encrypted Chat Master Thread

[staab]

I'm creating this thread to organize the work being done on killing NIP-04. See this survey of past work for a more thorough background on the various approaches attempted at fixing DMs.

Right now we have four different components in the works:

1. A new encryption standard: NIP-44: Encrypted Direct Message (Versioned), replaces NIP-4 #574 (original) Introduce NIP-44 encryption standard #715 (my version) NIP44 encryption standard, revision 3 #746 (current version) — @paulmillr is finalizing this and getting an audit. I'm working on PRs to alby and nos2x.
2. A standard for wrapping arbitrary events: NIP-59 Gift Wrap #468 (original) Introduce NIP-59 gift wrap #716 (my version) — this is a common dependency of the two group chat proposals below. I think it would be cleaner to split it out, but it's not strictly necessary right now.
3. A new standard for DMs and small group chats: NIP-17 (old 24) Sealed Gift-Wrapped Messages for Private DMs and Small Group Chats #686
4. A proposal for larger group chats: NIP-112: Encrypted Group Events #580 (original) Add NIP-87 private groups #706 (my version)

We should try to merge these in the order specified above. The last one can be ignored until the other three are figured out. I'm not picky about which PR gets merged (original vs modified), @paulmillr and @v0l are free to incorporate my changes and I'll close my PRs.

I apologize for moving stuff around so much, but let's get to consensus on this stuff so we can reclaim our sanity.

[w3irdrobot]

I've been wondering recently if there was a way to utilize MLS and use nostr relays as the "delivery service." just a thought. been wanting to build something myself but haven't had the time.

[paulmillr]

MLS is too complicated. Just glance over all tiny details of it. It's terrible for nostr.

[staab]

From the swimlane diagram near the top this looks a lot like #580 and #706 for key exchange, with an abstract AS and relays as the DS. I'll keep reading.

Edit:

the AS is invested with a large amount of trust and the compromise of one of its functionalities could allow an adversary to, among other things, impersonate group members.

It looks like the AS is for binding keys to identities, which we don't really have (unless you count NIP 05). This is a separate issue, and an important one, but can be ignored for our purposes here.

[jb55]

On Fri, Aug 11, 2023 at 11:02:39AM -0700, Paul Miller wrote: MLS is too complicated. Just glance over all tiny details of it. It's terrible for nostr.

I got the same impression

[staab]

Does anyone know about this: https://www.nobsbitcoin.com/imp-chat-mobile-app-to-bring-private-group-messaging-to-nostr/?

[paulmillr]

It's not good that they did not discuss this in the threads before making a blog post.

Authenticated Encryption/Authenticated Decryption (AEAD) via Poly1305/Salsa/Chacha encryption algorithms

Seems like they don't know what they're doing.

[staab]

Seems like they don't know what they're doing.

WRT to the encryption scheme or the process? Seems like it could be another hasty bid for the HRF bounty.

[paulmillr]

encryption, yeah

[manimejia]

@staab do you have a write up of your "groups as npub" idea? I think this architecture deserves real consideration for inclusion here. It's ability to handle "groups of users" with the same toolset as "individual users" adds real value to the create/manage/join/contribute/leave group workflows.

[staab]

Just #706 and https://yakihonne.com/article/naddr1qqwkzttswfhhqmmnv9kz6en0wgkhqunfweshgefdvaex7atswvpzp978pfzrv6n9xhq5tvenl9e74pklmskh4xw6vxxyp3j8qkke3cezqvzqqqr4guuvl8xr

[staab]

Now that NIP 44 is merged things are getting easier to track, closing this.