nostr:npub1zuuajd7u3sx8xu92yav9jwxpr839cs0kc3q6t56vd5u9q033xmhsk6c2uc how would you rate the following on two dimensions: privacy (worst, ok, best), and complexity/effort to build (t-shirt size: XS, S, M, L, XL)

nip-04

nip-17

giftwrap (not sure if this is the Signal approach)

MLS

Discussion

I would rate them the following:

NIP-04 - OK S

NIP-17 - Worst XS

Giftwrap - Best M

MLS - Best XL

? What do you mean by GiftWrap?

NIP-17 is giftwrap.

I meant double ratchet

Nip-59 is Gift wrap right?

Correct, but nip-17 uses nip-59 to send the messages.

Nip04 worst XS

Nip17 ok S (this is gift wrap)

nostr:npub1g53mukxnjkcmr94fhryzkqutdz2ukq4ks0gvy5af25rgmwsl4ngq43drvk signal stuff good M/L

MLS best L/XL

The problem with this is that only MLS has the ability to do groups of any meaningful size. All the others are 1-to-1 only.

Great insight

So Signal uses double ratchet, and not MLS? How does signal achieve groups if signal does not use MLS?

Signal uses the signal protocol which has the famous “double ratchet” which is just two separate key derivation functions combined in a novel way.

Signal can only do groups by pair-wise encrypting each message to each participant. E.g. you send a message in a group of 5 people (incl you) and you have to individually encrypt your message to each of the other 4 participants (because you only have shared state with each group member) and send each message to relays.

MLS uses a binary tree structure of keys. In a sense, it has more than 2 ratchets but that's not really the point - more ratchets isn't necessarily better. The important part about MLS is that the group's shared state (incl who is in it) is cryptographically guaranteed at all times. And there are ways to use this shared group state (and keys) to encrypt group messages once that can be decrypted by the entire group. So it's SUPER efficient with very large groups. It also gives you that state guarantee.

The MLS protocol was designed several years after Signal (and is somewhat influenced by the Signal protocol's design).

I started out by trying to solve this with the signal protocol but the response on my initial NIP was that groups were critically important, so I went back to the drawing board and I'm happy I did.
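The contrast described in the reply above (pairwise fan-out versus a binary tree of keys), as an added example that is not part of the thread and not code from any of the projects mentioned. It is a simplified model, not MLS itself: the names `kdf`, `pairwise_fanout` and `KeyTree` are hypothetical, the group size must be a power of two, and the public-key encryption that delivers each path secret to the rest of the group is omitted.

```python
import hashlib
import hmac
import os

def kdf(secret: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a one-step key derivation (illustrative only)."""
    return hmac.new(secret, label, hashlib.sha256).digest()

def pairwise_fanout(pair_secrets: dict, msg_id: bytes) -> dict:
    """Pairwise model: the sender shares state with each peer separately,
    so every group message needs one key (and one ciphertext) per peer."""
    return {peer: kdf(secret, msg_id) for peer, secret in pair_secrets.items()}

class KeyTree:
    """Complete binary tree of secrets in a heap array (index 1 is the root).
    Leaves belong to members; the root secret is the shared group state."""

    def __init__(self, group_size: int):
        if group_size < 2 or group_size & (group_size - 1):
            raise ValueError("group_size must be a power of two >= 2")
        self.n = group_size
        self.nodes = [b""] * (2 * group_size)
        for leaf in range(group_size):
            self.update_leaf(leaf, os.urandom(32))

    def update_leaf(self, leaf: int, new_secret: bytes) -> int:
        """Rotate one member's leaf secret and re-derive each ancestor from it.
        Returns how many ancestors were re-keyed: log2(group_size)."""
        i = self.n + leaf
        secret = new_secret
        self.nodes[i] = secret
        rekeyed = 0
        while i > 1:
            i //= 2
            secret = kdf(secret, b"path")
            self.nodes[i] = secret
            rekeyed += 1
        return rekeyed

    def group_key(self) -> bytes:
        """One key from the root: a message encrypted once under it
        can be decrypted by every member who holds the root secret."""
        return kdf(self.nodes[1], b"group-message-key")

if __name__ == "__main__":
    peers = {name: os.urandom(32) for name in ("b", "c", "d", "e")}  # constructed
    print("pairwise ciphertexts for a group of 5:", len(pairwise_fanout(peers, b"m1")))
    tree = KeyTree(1024)
    print("nodes re-keyed on one update, 1024 members:", tree.update_leaf(7, os.urandom(32)))
```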