I just started using nostr:npub1tm99pgz2lth724jeld6gzz6zv48zy6xp4n9xu5uqrwvx9km54qaqkkxn72 today and it has group chats. nostr:npub1h0uj825jgcr9lzxyp37ehasuenq070707pj63je07n8mkcsg3u0qnsrwx8 also has group chat. I think the group chats in 0xChat are public while the ones in keychat are private.

We plan to support three types of encrypted group chats: small group, medium group, and large group.

When a member sends a message in a small group, they are essentially sending a one-on-one message to every other group member.

This group chat mode offers the best security, but it supports fewer group members.

This was the approach used by Signal for group chats a few years ago, and we regret that Signal has abandoned this model to accommodate more members. Signal should have retained this model and added the current sender key group mode as well.

Next week, we may release a Keychat version that supports medium groups. Compared to small groups, it will lose some backward secrecy capabilities, but it can support more group members.

Later, we will consider using the Messaging Layer Security protocol to build large groups.


Discussion

Sounds good.

Doesn't MLS cover all bases?

No, MLS is suitable for large-scale group chats but not for one-on-one chats and small group chats.

If MLS is used for one-on-one chats, in order to achieve forward secrecy and backward secrecy, MLS requires a special message to update the group key, and then the normal message can be sent.

However, in the Signal protocol, the content needed to update the encryption key is attached to the normal message.

That’s misleading. There is a “message” that is sent between clients to ratchet the group forward and provide forward secrecy between epochs (when the full ratchet tree is refreshed); however, the user doesn’t have to think about that at all, and it happens on a regular basis in any normal 1-1 or group chat.

There is also another layer of forward secrecy that is provided by the message keys themselves (basically using the same mechanic as Signal).

Fact 1:

In one-on-one chat mode, the Signal protocol does not require an additional message (regardless of what it is called, to the relay it's just a note) to operate the DH ratchet and achieve backward secrecy of messages.

Fact 2:

The MLS protocol requires such a message (regardless of what it is called, to the relay it's just a note) to update the ratchet tree to achieve backward secrecy of messages.

Our opinion:

We believe this is a key difference, especially from the relay's perspective, as Signal is more efficient in one-on-one chat mode.

The Signal protocol is designed for one-on-one chats, whereas the MLS protocol is designed for large-scale group chats.

Ok. We’ll just have to agree to disagree.

Do you all have a spec or draft NIP about what events you’re using and how they’re structured?

Yes. It does cover all three. In a highly efficient way, without any central coordinator or server.

Amazing, any plans to add iOS / desktop any time soon?