plaintext attacks are only possible if the message nonces are weak

reuse of a nonce is absolutely out, as it enables a plaintext attack

giftwraps already provide forward secrecy if the relay does not provide access to the events without auth proving the client is involved in the message exchange

what we are missing at this point is good nip-65 mailbox support and delete event support


Discussion

I'm speaking strictly to ciphertext attacks, where the content is highly predictable, the nonce is known because it's public, and 1/2 of the shared key is available, although I doubt that's useful but still worth considering.

all of those things depend on repeating nonces, or as you mention, repeating pubkeys

these are very easy to avoid, but maybe there are some programming languages that still make it complicated to access a strong CSPRNG
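Added illustration (not code from anyone in this thread) of why nonce reuse is ruled out and why a fresh CSPRNG nonce per message avoids it. The keystream is a constructed HMAC-counter stand-in for a real stream cipher such as ChaCha20, and `NonceRegistry` is a hypothetical client-side check; the key and nonces are constructed sample values.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a stream cipher: HMAC-SHA256 in counter mode.
    Same key + same nonce always yields the same keystream, which is the
    property that makes nonce reuse fatal for any stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "xor requires equal-length inputs"
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def fresh_nonce() -> bytes:
    # A per-message nonce must come from a CSPRNG, never from a counter
    # or a weak PRNG; `secrets` is the stdlib's CSPRNG interface.
    return secrets.token_bytes(12)


def ciphertext_xor(key: bytes, n1: bytes, p1: bytes, n2: bytes, p2: bytes) -> bytes:
    """XOR of two ciphertexts. With n1 == n2 the keystreams cancel and the
    result equals xor(p1, p2), so predictable content in one message
    exposes the other. With distinct nonces nothing cancels."""
    return xor(encrypt(key, n1, p1), encrypt(key, n2, p2))


class NonceRegistry:
    """Hypothetical defender-side check: refuse to send (or flag on receipt)
    any (key id, nonce) pair that has already been seen."""

    def __init__(self) -> None:
        self.seen: set = set()

    def is_fresh(self, key_id: str, nonce: bytes) -> bool:
        pair = (key_id, nonce)
        if pair in self.seen:
            return False
        self.seen.add(pair)
        return True
```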

more than a few instances in the history of bitcoin where dodgy entropy led to wallets being cracked and UTXOs stolen

very often, propagandistic, opportunistic, manipulative "study" articles

to avoid being in such a story, make sure you understand the mechanisms well enough to know where they have weaknesses

strong entropy, private random number generation is really central to all of the security of these things, just make sure you know the quality of entropy you are using before you inflict this shit on users haha