Paul Miller
7cb13cde0670e590f02cbe9ea0fcf1e05edbc5cc8a409731fa5436440181cf1d
Noble cryptography. OSS, infosec.

We've discussed this on GitHub for most of 2023. If you've had any comments or suggestions, you could have voiced them. This is a community effort. Don't like it? Build something better.

Ask other cryptographers what they think about NIP-04. NIP-44 took many weeks of work by different people and an audit by an indie company. It's the first step. We can add one feature at a time, since we have versioning now. FS is also not "everything": even with it, all signal messages would be decrypted by a powerful quantum computer.

https://github.com/paulmillr/nip44 => all good. If your nostr client doesn't see a valid URL in the post, create a bug report.

The goal is to add more features later. FS does not protect against quantum computers, which will decrypt all previous signal conversations. FS does not protect against metadata leakage, which is present in both nostr and signal.

Signal is cool, but do you know what is cooler? Chatting on a decentralized social network. We’ve implemented and audited end-to-end encrypted direct messaging for nostr.

Thanks to Jon (npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn), OpenSats, Michael (npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35c), ekzyis (npub16x07c4qz05yhqe2gy2q2u9ax359d2lc0tsh6wn3y70dmk8nv2j2s96s89d), Vitor (npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z), Cure53, Matthew Green and everyone else involved.

https://github.com/nostr-protocol/nips/blob/master/44.md, https://github.com/paulmillr/nip44

Signal is upgrading all conversations to a combination of X25519 and CRYSTALS-Kyber. Probably the first large-scale deployment of Kyber. https://signal.org/blog/pqxdh/

Someone published NPM fork of noble-curves that sent private keys to a server in China. Be careful and check for typos https://blog.phylum.io/typosquat-of-popular-ethereum-package-steals-private-keys/

Ever wanted a privacy-focused nostr web client? http://nostr.spa (https://paulmillr.com/demos/nostr) got you covered! It’s simple, open-source, and does not require a private key. You can even send messages, pre-signed somewhere else.

Announcing noble-ciphers: tiny 0-dependency cryptographic library, implementing Salsa20, ChaCha, Poly1305, AES-SIV and others. Bonus: a reasonable wrapper around native WebCrypto's AES. Check out its README for some insights: https://github.com/paulmillr/noble-ciphers

New noble cryptography releases are out:

- NPM provenance is now used for transparent builds, to strengthen supply chain security [1]

- ed25519 and ed448 now provide non-repudiation (Strongly Binding Signatures). The feature is not present in most other libraries [2]

- tweetnacl users (including DJB's C version): it's time to switch away. It does not provide SUF-CMA, meaning, in some circumstances, the signatures are malleable [3]

1. https://github.blog/2023-04-19-introducing-npm-package-provenance/

2. https://csrc.nist.gov/csrc/media/Presentations/2023/crclub-2023-03-08/images-media/20230308-crypto-club-slides--taming-the-many-EdDSAs.pdf

3. https://blog.cryptographyengineering.com/euf-cma-and-suf-cma/
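The SUF-CMA point in the post above comes down to one encoding check: an Ed25519 signature is R || S with S a little-endian scalar, and a verifier that only checks the group equation accepts S + L as well as S (L is the group order). The added example below (my own illustration, not code from noble or tweetnacl) shows the strict "S must be less than L" check and constructs the non-canonical sibling a lax verifier would also accept; the sample signature bytes are constructed, not a real signature.

```javascript
// Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493.
const L = (1n << 252n) + 27742317777372353535851937790883648493n;

// Little-endian byte array -> BigInt.
function bytesToBigIntLE(bytes) {
  let x = 0n;
  for (let i = bytes.length - 1; i >= 0; i--) x = (x << 8n) | BigInt(bytes[i]);
  return x;
}

// BigInt -> little-endian byte array of fixed length.
function bigIntToBytesLE(x, len) {
  const out = new Uint8Array(len);
  for (let i = 0; i < len; i++) { out[i] = Number(x & 0xffn); x >>= 8n; }
  return out;
}

// The canonical-S check a strict (SUF-CMA) verifier performs before doing any
// curve arithmetic: reject malformed length and reject S >= L.
function isCanonicalSignature(sig) {
  if (!(sig instanceof Uint8Array) || sig.length !== 64) return false;
  const s = bytesToBigIntLE(sig.subarray(32));
  return s < L;
}

// Non-canonical sibling S' = S + L. Since S < L < 2^253, S' always fits in
// 32 bytes. A verifier without the check above accepts it for the same
// message and key; a strict verifier rejects it. Useful as a negative test
// vector when hardening a verifier.
function nonCanonicalSibling(sig) {
  const s = bytesToBigIntLE(sig.subarray(32));
  const out = new Uint8Array(sig);
  out.set(bigIntToBytesLE(s + L, 32), 32);
  return out;
}

// Constructed sample: R = 32 bytes of 0x01, S = 5 (not a real signature).
function sampleSignature() {
  const sig = new Uint8Array(64);
  sig.fill(0x01, 0, 32);
  sig.set(bigIntToBytesLE(5n, 32), 32);
  return sig;
}
```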

Twitter launched encrypted* DMs for verified accounts.

* No sync

* No group chats

* No attachments

* No timers

* Vulnerable to MITM

* No reporting (msg franking)

* No Forward Secrecy

* No Key Transparency

* Private keys are NOT erased after web logout

https://help.twitter.com/en/using-twitter/encrypted-direct-messages

Elliptic curve calculator just got a new big update:

1. Select a curve, including NIST, ed448, BLS

2. Create custom curves

3. Add and multiply points

4. Sign messages with different hashes

The demo works offline. It’s great for learning! Check it out:

https://paulmillr.com/noble/

4KB cryptography. Does that sound safe? Because it should.

Announcing v2 of single-feature modules noble secp256k1 and noble ed25519. secp is just 430 lines of code (4KB gzipped), ed is only 330 lines (3.3KB gzipped) — 4x smaller than previous versions.

Tweetnacl was a great idea. Smaller attack surface means fewer things that could go wrong. New libraries develop the concept further: there are tons of comments everywhere, describing how things work, which makes it much easier for cryptography newcomers to read.

https://github.com/paulmillr/noble-secp256k1

https://github.com/paulmillr/noble-ed25519

@npub1teawtzxh6y02cnp9jphxm2q8u6xxfx85nguwg6ftuksgjctvavvqnsgq5u Verifying My Public Key: "paulmillr"

Hello, world. Message made with #noble-crypto