Nostr Web Client

Thanks.

This scheme does NOT have forwarded Secrecy of the receiver, right?

I guess there is forward Secrecy for the sender due to the ephemeral key of the gift wrap. But the receiver has only a single long term static key.

Max 2y ago

And as soon as your backup scheme is used, there is no forward secrecy anymore anyhow.

Reply to this note

Please Login to reply.

Discussion

Vitor Pamplona 2y ago

Is that true? I was hoping the link between the keys remained offline. The secrecy would only break if the attacker got the main key and the backup key.

Max 2y ago

Ah, so the main key does a gift wrap to send the backup to a new pubkey, thats why the relationship between these two keys is private?

Max 2y ago

And thus even if the main key leaks, the backup keys are not known.

Vitor Pamplona 2y ago

And if you need to access the backups just giftwrap them with yet another key so that they backup key never leaves the backup client.

Max 2y ago

Ok, thanks.

So, is it correct that the sender has forward secrecy, the receiver does not?

Vitor Pamplona 2y ago

I think so. Maybe the better way is that we haven't been able to figure out a way to do it yet.

Vitor Pamplona 2y ago

Yep, the main key doesn't have any gift wrap to recover from.