Some thoughts *before* I read the draft NIP.

I think we should propose an #MLS cipher suite that uses secp256k1 and reserve an identifier for it. That way we it can use libsecp256k1.

The secp256k1 curve can be used for both key exchange (xonly?) and (BIP340 schnorr) signatures. This curve is not yet listed under the recommended MLS Cipher Suites.

By carefully picking the other parameters it may be easier for Bitcoin signing devices to keep your chats ultra secure. And if a nostr client is already using some Bitcoin related library, then it's great if it already has the required ciphers.

Meanwhile rfc9420 has a mandatory-to-implement cipher suite MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519. This is useful for interoperability with other social networks, but that seems low priority to me compared to being simple to implement. And with respect to not adding more dependencies and not increasing the attack surface of cryptographic implementation errors.

MLS supports switching ciphers for existing groups, so we can always add compatibility later. Or secp256k1-pill the other networks :-)

For the hash function sha256 makes the most sense.

For AEAD ChaCha20Poly1305 is used in BIP324 (encrypted p2p transport) as well as the Stratum v2 noise protocol.

Not sure what to pick for the Key Encapsulation Mechanism (KEM), or maybe that's already covered by ChaCha20Poly1305?

So CipherSuite name MLS_256_???_CHACHA20POLY1305_SHA256_Secp256k1.