Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

NIP44 encryption standard, revision 3 #746

Merged
merged 4 commits into from
Dec 20, 2023

Conversation

paulmillr
Copy link
Contributor

@paulmillr paulmillr commented Aug 27, 2023

https://github.com/paulmillr/nip44

Goals

  • IND-CCA2 security
  • Metadata will always leak because of nostr architecture, but it can be minimized

Why NIP-04 was bad

  1. Unhashed ECDH exposes some curves to Cheon's attack 1, which allows an attacker to learn private key structure when doing continuous diffie-hellman operations. Hashing converts decisional oracle into a computational oracle, which is harder.
  2. CBC IVs should not only be unrepeatable, they must be unpredictable. Predictable IV leads to Chosen Plaintext Attack. There are real exploits 2.
  3. CBC with reused key has 96-bit nonces and loses 6 bits of security for every magnitude. 10**4 (10K) messages would bring archive security of the scheme to 72 bits. 72 bits is very low. For example, BTC has been doing 2^67 hashes/sec as per early 2023. Advanced adversaries have a lot of resources to break the scheme
  4. CBC has continuously been exploited by Padding Oracle attack. We can't expect all implementations to have proper padding check
  5. AES was modeled as ideal cipher. Ideal ciphers don't care about non-random keys. However, AES is not an ideal cipher 3. Having a non-IND key, as in NIP4, exposes it to all kinds of unknown attacks, and reducing security of overall scheme

Footnotes

  1. Kozaki, Kutsuma, Matsuo; Remarks on Cheon’s Algorithms

  2. https://derekwill.com/2021/01/01/aes-cbc-mode-chosen-plaintext-attack/

  3. "AES-256 can not serve as a replacement for an ideal cipher", Biryukov-Khovratovich; Related-key Cryptanalysis of the Full AES-192 and AES-256

@vitorpamplona
Copy link
Collaborator

If this is different than v1, can we do a v2 instead? We made versions because of these types of evolutions.

@paulmillr
Copy link
Contributor Author

The old, non-secure revision was never merged into NIP repo, nor was it finalized, nor was it reviewed for security by outside auditors.

Some people implemented JSON-stringified revision, instead of concatenated one. What about them?

I don't mind switching to version: 2, if other contributors agree, however, I do mind on describing old NIP44 revision as version: 1 in this document. If we switch to v2, I suggest we omit v1 altogether.

@mikedilger
Copy link
Contributor

I don't think it needs a version bump. We are pre-versioning still. Maybe in our experimental code we should be using version 0.

@vitorpamplona
Copy link
Collaborator

vitorpamplona commented Aug 27, 2023

I expect versions 3, 4, 5 to follow quickly after 2. So, I don't see any reason to keep replacing v1 all the time. Yes, we already did with the JSON stuff, but the WHOLE POINT of making a versioned standard is to afford these changes without breaking the past. I don't understand why proposing a versioned payload if we are not going to use the versions. The fact that hasn't been merged is irrelevant.

@fiatjaf
Copy link
Member

fiatjaf commented Aug 27, 2023

If there are events floating around using v1 out there this should be v2, but yes, let's just not describe v1 in the spec.

@vitorpamplona
Copy link
Collaborator

There are over 5K GiftWraps with v1 already, growing steadily every day. So, please let's use what we built and start v2.

@paulmillr
Copy link
Contributor Author

The fact that hasn't been merged is irrelevant

Of course, but the fact that the scheme has not been audited or reviewed is relevant. Do you think anyone should deploy any e2ee dm scheme without that?

I expect versions 3, 4, 5 to follow quickly after 2

That would mean any nostr client would need to bring a huge amount of different crypto primitives if they would be different.

@vitorpamplona
Copy link
Collaborator

That would mean any nostr client would need to bring a huge amount of different crypto primitives if they would be different.

Yep. They will no matter what happens. There are always messages in the past that must be recovered. So, all clients will likely implement all versions no matter what we do here. That's the curse of signing things that will last forever.

They can always choose to implement just the most recent ones at the cost of making users angry for not recovering older ones.

@paulmillr
Copy link
Contributor Author

In any case, with or without v2 designation, don't implement this until nostr hires someone to do an external security audit. Preferably, even two different companies.

@vitorpamplona
Copy link
Collaborator

vitorpamplona commented Aug 27, 2023

In any case, with or without v2 designation, don't implement this until nostr hires someone to do an external security audit. Preferably, even two different companies.

This is going to take time. Even more reasons to keep v1 and v2 separate. We can keep testing v1 and when v2 is ready, we all switch. Maybe name it a V2-DRAFT?

@mikedilger
Copy link
Contributor

There are over 5K GiftWraps with v1 already, growing steadily every day. So, please let's use what we built and start v2.

Fine. I did not know that.

I have 3 or 4 versions of code to deal with encrypted private keys, and that NIP isn't accepted either.

@fiatjaf
Copy link
Member

fiatjaf commented Aug 28, 2023

In any case, with or without v2 designation, don't implement this until nostr hires someone to do an external security audit. Preferably, even two different companies.

How do we do this?

@paulmillr
Copy link
Contributor Author

Ping an auditor or two, discuss the terms and scope. I've did this in the past. If you can secure the funding, I can talk to someone again.

@staab
Copy link
Member

staab commented Aug 28, 2023

@paulmillr maybe you could apply to OpenSats to get a grant to cover this?

@staab
Copy link
Member

staab commented Aug 28, 2023

I do think we should keep this as v1 and get it merged. A full security audit is going to take some time — v1 is much better than NIP 04, which will allow us to keep innovating on nostr while these details get figured out. Shall I re-open #715 and we can look at merging it?

@paulmillr
Copy link
Contributor Author

What's the rush? It's not like people don't have a place to chat right now. Proper encryption is complicated. If you want to speed-up things, let's hire an auditor and maybe a second protocol designer to help developing the scheme further.

People are going to get killed if this is not right and nostr becomes popular. Do you want people to get killed because you want your client to "get DMs first"?

@staab
Copy link
Member

staab commented Aug 28, 2023

You can't prevent people from building on NIP 04 by not merging this proposal.

@vitorpamplona
Copy link
Collaborator

What's the rush?

It's not about rush. Perfection is the enemy of the good. If the first version is good enough (and better than NIP-04), we should move forward until this one gets ready. Most clients are still doing NIP-04, which I think by now we all agree is not secure and must be replaced.

@paulmillr
Copy link
Contributor Author

paulmillr commented Aug 28, 2023

There is software that could get released and iterated asap. There is software that should not. BIP340, which nostr exclusively uses for cryptography, was in development for 1.5+ years. Smart contracts and protocols that are responsible for tens of millions of dollars have thorough security practices and months of testing.

We've started the discussion in february. The whole thing could have been iterated, released and audited in maybe 4 weeks. If you really want the proper standard out, everyone should get their act together and:

  1. Write new implementation in every language (takes 2-5 hours)
  2. Ask security people they know to review the scheme
  3. Organize grants, donations, or just money for security audit
  4. Engage well-known security firm to check the scheme
  5. Communicate with client developers to push a new NIP44 DMs on all platforms.

Easily doable by the end of september! This is not about perfection: it is user security, their private chats, and I see a lack of motivation for building secure DM system. I just see the motivation for "getting something out". Properly audited scheme does not need to be "iterated on". It's likely to last for 5-15 years.

@staab
Copy link
Member

staab commented Aug 29, 2023

I see a lack of motivation for building secure DM system

I don't think this is fair. In February no one was working full time on this. A few weeks ago I opened those various PRs (now that I have funding) because I was committing myself to pushing new DMs through. Unfortunately, I have zero experience in this area, so the best I can do is ask for action items and nag people to do them.

That being the case, would you be willing to take the lead on this? Let me know if there's anything I can help with.

And back to the topic at hand — merging the current draft. I honestly don't see a downside. When a new, harder form of encryption is available, all it will take is a large client (for example Amethyst, Snort, or Coracle) beginning to sign messages with the new version to force others to support it. Unless NIP 44 v1 is not better than NIP 04 at all?

@paulmillr
Copy link
Contributor Author

I honestly don't see a downside

  1. It is not secure
  2. All clients and libraries would need to implement both versions for the foreseeable future, which means more dependencies, more code to audit, more bloat.

As you've correctly mentioned, we can't force anyone to add or not add something to their clients. Some year-2025 clients would implement v1, some would do v2, there will need to be interoperability between them. That's a huge mess! Bloat is bad. Bloat in immutable systems is terrible.

Unless NIP 44 v1 is not better than NIP 04 at all

There was no independent cryptanalysis of the previous revision, so we can't know for sure if it's okay at all. NIP 04 is terrible and should be immediately market as "not secure".

would you be willing to take the lead on this

Yes, but not the funding part. I don't want to touch the money just to move them to auditors. I can connect pieces, but can someone else please do opensats (etc).

@staab
Copy link
Member

staab commented Aug 29, 2023

NIP 04 is terrible and should be immediately market as "not secure".

I just don't see this happening without an alternative. You're asking all clients to just drop support for DMs. Not saying we shouldn't, that's just a very big ask. You're right about bloat, that is a real downside, but it makes it possible to drop support for NIP 04. But I guess if we don't know 44 is any good, then it's not an improvement.

Anyhow, I'll talk to the OpenSats committee. I don't want to administer the funds either, but maybe we can get someone there to do it.

@paulmillr
Copy link
Contributor Author

You're asking all clients to just drop support for DMs

Not really, i'm just asking to mark the standard "not secure". I don't think any client would drop existing DMs just after that.

@paulmillr
Copy link
Contributor Author

We could just add risk disclaimers and a notice that a new standard is cooking. We will need to deprecate the standard at some point and why not now.

@staab
Copy link
Member

staab commented Aug 29, 2023

Ok, I don't think that solves the problem, but we might as well.

Just for completeness, is there no off-the-shelf standard we could use? It seems like a fairly simple problem that should have been solved at this point. Is nostr really in unexplored territory such that we need to invent a new cryptographic primitive?

@vitorpamplona
Copy link
Collaborator

We could just add risk disclaimers and a notice that a new standard is cooking.

Yes, let's add these disclaimers and notices on v1.

We will need to deprecate the standard at some point and why not now.

Can can definitely deprecate it once we have a better solution everyone agrees with. We can't deprecate something without an alternative ready to go.

@paulmillr
Copy link
Contributor Author

paulmillr commented Aug 29, 2023

is there no off-the-shelf standard we could use

No.

It's popular to use Signal's axolotl ratchet, but it still needs to be integrated into nostr system. That itself takes time and is not too simple.

fairly simple problem that should have been solved at this point

The closest we get to an open standard is MLS from RFC9420, for group chats. But it's also very complicated.

@water783
Copy link

Excuse me for asking, is it appropriate to release nip44 v1 on the client side now? I've implemented nip44 v1 and sealed dm, but after seeing your discussions, I'm a bit torn.

@vitorpamplona
Copy link
Collaborator

vitorpamplona commented Dec 20, 2023

It's great that it has been merged. But as we move forward with this, somebody should just rewrite this NIP to remove all of the cybersecurity jargon, the past experiment information, justification of choices, etc and make it extremely simple for normies to implement.

The two paragraphs below for instance don't have a place in this NIP. This NIP is just a basic encryption scheme. It shouldn't define relay behaviors and or client behaviors. Those two should be written in the NIPs that use this encryption.

Lack of forward secrecy is partially mitigated: 1) the messages should only be stored on relays, specified by the user, instead of a set of all public relays 2) the relays are supposed to regularly delete older messages.

For risky situations, users should chat in specialized E2EE messaging software and limit use of nostr to exchanging contacts.

@paulmillr
Copy link
Contributor Author

@vitorpamplona on its own, the scheme may seem shitty to an outsider, a security-conscious person, who's looking to implement the NIP in their product. There have been questions, asked by auditors. These questions need to be answered.

If you don't like it in the beginning, maybe moving it to the end is ok. If we leave these out, people would think the scheme is bad, and they need to create and implement their own. A person would look at this and think "why the f did they use hmac instead of perfectly normal standard chapoly?".

I have ensured:

  • the example "pythonic" pseudocode is provided in the specification
  • very descriptive test vectors for all the edge cases are provided
  • links to implementations in 3 different languages are included

and believe "normies" can implement the scheme easily.

@paulmillr
Copy link
Contributor Author

Also it's obvious that people would use NIP-44 to implement homebrew encryption schemes for their files, servers, and all kinds of non-nostr cases, because it's "audited". That's why it's important to mention the scheme can't be used without a signature scheme (NIP-01).

@staab
Copy link
Member

staab commented Dec 20, 2023

I agree the spec could be cleaned up and organized better as a follow-up, but having read the audit report a lot of these extra caveats are important to include.

@vitorpamplona
Copy link
Collaborator

vitorpamplona commented Dec 20, 2023

@vitorpamplona on its own, the scheme may seem shitty to an outsider, a security-conscious person, who's looking to implement the NIP in their product. There have been questions, asked by auditors. These questions need to be answered.

Sorry, I didn't intend to be disrespectful to the work done. Yes, those questions must be answered. I would just argue that the NIP itself should NOT be the place to have that level of discussion. We have it now because we are all going through it for the first time, but new devs just want to know how to code to get on with their lives. They are never going to ask "why hmac instead chapoly?". They just want to follow what everyone is doing, trust this is the best we can get, and integrate as fast as possible.

"normies" can implement the scheme easily.

No, sorry. The "normies" we want to target can't even read the text as is, much less understand what it means. Frankly, I don't even understand the meaning of half of the decisions here. We are not dumb, we just have 1000s of other things to do in our day to be bothered by unnecessary complexity. :)

We got buttons to move 2px left. That's what we do. And that's the people you want reading and coding your stuff :)

I have ensured:
the example "pythonic" pseudocode is provided in the specification
very descriptive test vectors for all the edge cases are provided
links to implementations in 3 different languages are included

These are great and should stay. We just to simplify the text to get them there.

@ekzyis
Copy link

ekzyis commented Dec 20, 2023

but new devs just want to know how to code to get on with their lives. [...] they just want to follow what everyone is doing, trust this is the best we can get, and integrate as fast as possible.

Isn't this the point of libraries? New devs shouldn't have to look at this NIP at all. Imo, this NIP is only for people creating NIP44 libraries in all kind of languages for other people to use. App developers should just use the libraries and look at the documentation of these libraries. I think we definitely don't want app devs to implement crypto stuff. That should be done by people with experience in that area.

The "normies" we want to target can't even read the text as is, much less understand what it means. Frankly, I don't even understand the meaning of half of the decisions here. We are not dumb, we just have 1000s of other things to do in our day to be bothered by unnecessary complexity. :)

I hear you. But you don't need to understand what's going on here. You should just use a library and look at the documentation of that library. Libraries should be easy to use. This spec doesn't have to be easy to understand (dumbed down) for everyone. At least that's my opinion.

@paulmillr
Copy link
Contributor Author

paulmillr commented Dec 20, 2023

The "normies" we want to target can't even read the text as is, much less understand what it means. Frankly, I don't even understand the meaning of half of the decisions here

They will understand the meaning of part relevant to them, I think it’s simple enough. part which lists cryptography justification is not for them.

You’re saying it should not be in NIP, but where should it be then? In github discussions? I don’t like reliance on github: think “banned” countries. In nostr? Nostr isn't permanent storage AFAIR, and provides no guarantees as for the data availability.

@paulmillr paulmillr deleted the NIP-44 branch December 20, 2023 17:34
@vitorpamplona
Copy link
Collaborator

vitorpamplona commented Dec 20, 2023

You’re saying it should not be in NIP, but where should it be then? In github discussions?

I don't know, but It could be a habla.news post. NIP04 doesn't have any discussion in it. It all happened in GH issues and other forums. I think there is space for an amazing Blog post that explains most of the decisions made here in detail, in ways that people who are deep into the weeds can try to poke holes in the logic.

You should just use a library and look at the documentation of that library.

Sure, but one of the goals of Nostr is decentralization. Even NIP44 libraries should be very easy to code and verify (with @paulmillr's vectors). NIP-44 doesn't develop any new crypto prmitive. It just merges existing concepts. That merge work should be easy to do.

The bigger the amount of implementers, the stronger the understanding of the crypto protections and weaknesses made here.

I definitely do not want just 3-5 libs that everyone uses and no one questions anymore.

@paulmillr
Copy link
Contributor Author

Habla.news is centralized and alive today, and could be dead tomorrow. Nostr specs will likely be copied over and over. It's a git repo and a bunch of markdown files, easily hosted anywhere.

As an example of the discussion behavior, see BIP340.

The bigger the amount of implementers, the stronger the understanding of the crypto protections and weaknesses made here.

Of course. And we would save 40 hours for each crypto implementer out there with their research effort.

@vitorpamplona
Copy link
Collaborator

Habla.news is centralized

What do you mean? Habla is just another Nostr client. It saves your post in your Nostr relays. You can read the post on Amethyst and many clients right now.

@paulmillr
Copy link
Contributor Author

Understood.

But there have been efforts on relay clean-ups, haven't there? Like, deleting old events, of something. Where are guarantees the post will "live" on nostr?

@vitorpamplona
Copy link
Collaborator

vitorpamplona commented Dec 20, 2023

Nothing "lives" on Nostr, just like nothing lives in the "cloud". Things live in your personal devices and are temporarily stored in relays/servers until those are taken out. If you have your blog post in your device, then it's just a matter of rebroadcasting the event when the relay you were using goes bust.

That being said, I don't think many relays are deleting old posts at all. I can still find all my posts since 2 years ago. Some relays exist as long-term archives (like a.nos.lol) but I assume that if you are not paying to help them secure the storage, that will probably not stay there for more than a decade.

@mikedilger
Copy link
Contributor

mikedilger commented Dec 20, 2023

Warning unrecommended: deprecated in favor of NIP-44

NIP-44 doesn't replace NIP-04. It defines an encryption scheme, but outside of any contextualization. NIP-04 has a contextual usage: a kind-4 event and information as to what the tags should be.

So if we stop using NIP-04, we currently have nothing to replace it with. In particular there is no new kind number. Kind-44 is channel mute user. We can't use kind-4 without existing clients failing.

@paulmillr
Copy link
Contributor Author

Kind-44 is channel mute user

Huh? People in this thread allegedly used kind: 44 for DMs.

@d-krause
Copy link

My 2 sats. @paulmillr - excellent work! It's fine as it is, the code and the NIP. I am implementing it now in my project. There will be no NIP4 messages in my app, only NIP44! - Coming before the new year.

The language in the NIP should stay there as it is. The community should not attempt to "dumb things down". Give readers the benefit of the doubt and don't try to hand hold them.

@mikedilger
Copy link
Contributor

NIP-17 using giftwraps of rumors will replace NIP-04: #686
But it is not merged yet. So I'm just saying, dropping this encryption into NIP-04 events is not how we proceed, but people might be confused into thinking that it is, given the current state of what is merged and what is not yet merged. And anything that says NIP-44 replaces NIP-04 might need a bit more clarity.

@vitorpamplona
Copy link
Collaborator

dropping this encryption into NIP-04 events is not how we proceed

Yes, let's not do that.

Though I understand the confusion. NIP-04 is both a DM spec and an encryption spec other NIPs use. NIP-44 is just the encryption spec and not a DM spec.

@paulmillr
Copy link
Contributor Author

Please add these clarifications into the spec, because people will - very likely - use kind: 44.

@staab
Copy link
Member

staab commented Dec 20, 2023

New PR: #939

@staab
Copy link
Member

staab commented Dec 20, 2023

@paulmillr what's the status of the implementation at https://github.com/paulmillr/nip44/tree/post-audit? neither branch is really synced with main. Which branch should we be looking at? I saw you made a commit yesterday so I assume it's still a WIP.

@paulmillr
Copy link
Contributor Author

@staab it's all in main branch now, and is relevant.

@monlovesmango
Copy link
Member

FYI I opened a PR to update NIP07 with nip44 calls: #940

@staab
Copy link
Member

staab commented Dec 20, 2023

@paulmillr is there an npm package yet?

@staab
Copy link
Member

staab commented Dec 20, 2023

Oh, wait, sorry, ignore me, I'm adding it to nostr-tools

@paulmillr
Copy link
Contributor Author

@jb55 you aren't happy with this merged, are you?

@jb55
Copy link
Contributor

jb55 commented Dec 21, 2023

huh? why would I not be happy? I am mostly indifferent.

@paulmillr
Copy link
Contributor Author

You’ve mentioned “We now have more breakage between clients though. yay?” - seemed like a complaint. 🤷‍♂️

As for your question “how does it reduce metadata leakage”, the answer is simple: padding helps a lot, esp with small messages.

before it was “yes” => 3b ciphertext, which is really bad.

Can’t reply on nostr, because my client doesn’t see your post there

@jb55
Copy link
Contributor

jb55 commented Dec 22, 2023

it's not really a complaint, more just "meh". DM privacy is more important to fix imo, just replacing nip04 with this isn't that interesting and just causes unncessary implementation incompatibility and pain. Will be happy to see this when combined with a real privacy solution, whether that is giftwrap or some scheme that sends notes in a different way.

@ekzyis
Copy link

ekzyis commented Dec 30, 2023

just replacing nip04 with this isn't that interesting and just causes unncessary implementation incompatibility and pain

"isn't that interesting" - "unnecessary implementation incompatibility and pain"

That also sounds like complaints to me, tbh. Complaining that NIP-44 wasn't necessary, to be specific.

I don't think NIP-44 was unnecessary as explained by @paulmillr. Before, the ciphertext was able to leak all information about the plaintext given the correct circumstance (which a adversary serious enough could engineer). And nostr wants to protect the security and privacy of individuals who are targeted the most and thus need it the most, right?

Now, with proper cryptographic padding, at least this is no longer the case. I don't think that's "unnecessary" or "not interesting". I think or hope that NIP-44 is the necessary foundation for a lot of other serious cryptography in nostr.

Will be happy to see this when combined with a real privacy solution, whether that is giftwrap or some scheme that sends notes in a different way.

I am also looking forward to this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants