Semisol on Nostr: For a viable encryption scheme for Nostr we need: 1. plausible deniability: it is not ...
For a viable encryption scheme for Nostr we need:
1. plausible deniability: it is not possible to prove a message was sent by someone
2. sender privacy: the sender must not be known to anyone including relays
3. recipient privacy: the recipient must not be known to anyone including relays
4. DoS resistant: clients should be able to tolerate an attacker creating as many events as they want in an attempt to disrupt communication
5. relay filtering compatible: relays must be able to implement measures to filter event floods to some extent to assist with 4.
6. restricted-write relay compatible: the scheme must allow a way for relays with a restricted writer set to be able to be used as an outbox or inbox
7. post-compromise security: the protocol must be able to recover in a reasonable amount of time from a total leak of client state assuming the master private key is not (signer/extension)
8. forward secrecy: the protocol must not leak any messages before compromise if one of the master private keys, or both, are compromised
Gift wraps fail 1, 3, 4, 5, and 8. 7 is not applicable
The proposed DR scheme fails 1, 3, 4 and 5.
My proposed scheme passes all of them, but 7 still needs to be fully validated.
1. plausible deniability: it is not possible to prove a message was sent by someone
2. sender privacy: the sender must not be known to anyone including relays
3. recipient privacy: the recipient must not be known to anyone including relays
4. DoS resistant: clients should be able to tolerate an attacker creating as many events as they want in an attempt to disrupt communication
5. relay filtering compatible: relays must be able to implement measures to filter event floods to some extent to assist with 4.
6. restricted-write relay compatible: the scheme must allow a way for relays with a restricted writer set to be able to be used as an outbox or inbox
7. post-compromise security: the protocol must be able to recover in a reasonable amount of time from a total leak of client state assuming the master private key is not (signer/extension)
8. forward secrecy: the protocol must not leak any messages before compromise if one of the master private keys, or both, are compromised
Gift wraps fail 1, 3, 4, 5, and 8. 7 is not applicable
The proposed DR scheme fails 1, 3, 4 and 5.
My proposed scheme passes all of them, but 7 still needs to be fully validated.