Apart from the shared secret issue, one thing not addressed here is sender authentication.
Assuming the encryption key is `S' = w * Q2`, since the sender signs with the ephemeral key `w`, unless the recipient can somehow verify that `w` belongs to the intended counterparty, the recipient has no way of authenticating the sender.
Anyone who correctly guesses one of the participants of the silent inbox (e.g. a relay operator would be able to trivially figure this out in many cases) can send a DM to that participant with an ephemeral private key of their own, pretending to be the other participant.
shafemtol /
npub1mh…anahj
2023-06-06 02:43:53
in reply to nevent1q…x3u6
Author Public Key
npub1mh94j7j7nwvzl7kwcg70fhxe67kdy50fccakmueq9jjf77zmc25svanahjPublished at
2023-06-06 02:43:53Event JSON
{
"id": "1a6bc865109f10c486ebc006c54cb184dac5d8b10538768a8995db93dcef264a",
"pubkey": "ddcb597a5e9b982ffacec23cf4dcd9d7acd251e9c63b6df3202ca49f785bc2a9",
"created_at": 1686012233,
"kind": 1,
"tags": [
[
"e",
"c28b5d3225ea99f426538aabecde635ca07bbc51928c4ba8431a53156a53a334",
"",
"root"
],
[
"p",
"50d94fc2d8580c682b071a542f8b1e31a200b0508bab95a33bef0855df281d63"
]
],
"content": "Apart from the shared secret issue, one thing not addressed here is sender authentication.\n\nAssuming the encryption key is `S' = w * Q2`, since the sender signs with the ephemeral key `w`, unless the recipient can somehow verify that `w` belongs to the intended counterparty, the recipient has no way of authenticating the sender.\n\nAnyone who correctly guesses one of the participants of the silent inbox (e.g. a relay operator would be able to trivially figure this out in many cases) can send a DM to that participant with an ephemeral private key of their own, pretending to be the other participant.",
"sig": "ec4610258f1d130695cc306bafdaff800505257dd3c1a30b087b24429e69352ba69c550877af5740db060d8ee57c2dd2df384291ddd7d7cdd4838afeb7dad97b"
}