Nostr notes by paulmillr

Falcon is 4+ weeks of full time work. It's also unreliable ...

2025-08-29T01:10:20+02:00

In reply to nevent1q…3d97
_________________________

Falcon is 4+ weeks of full time work. It's also unreliable while being implemented, due to the fact it needs floating point math. Maybe fips 206 will fix quirks.

noble cryptography v2 is out. Improvements include Schnorr ...

2025-08-27T12:34:42+02:00

noble cryptography v2 is out. Improvements include Schnorr implementation in 5kb noble-secp256k1, hybrid pq algorithms, OPRFs, friendly wrappers around native WebCrypto, better security, and much more.

Live on GitHub, NPM & JSR.

Low-level - yes, it's a good idea to use it for a media.

2025-07-10T19:49:02+02:00

In reply to nevent1q…6jxl
_________________________

Low-level - yes, it's a good idea to use it for a media.

Nostr event nevent1qqspej4hglp9xaqlwsua6u3j4uk35c8umkasjw7u6xfvxcqen06fwfczyp7tz0x7qecwty8s9jlfag8u78s9ak79ej9yp9e3lf2rv3qps8836wytzke

2024-06-07T00:29:10+02:00

#WeAreAllFiatjaf

Announcing noble-post-quantum: minimal JS implementation of ...

2024-04-13T17:04:48+02:00

Announcing noble-post-quantum: minimal JS implementation of ML-KEM, ML-DSA and SLH-DSA.

Also known as Kyber, Dilithium and SPHINCS+. Only 2000 lines of code - great learning resource for anyone who’s messing with PQ stuff.

Check out README for algorithm comparison and usage guidelines. https://github.com/paulmillr/noble-post-quantum

I have it in noble-curves readme ...

2024-01-07T08:02:34+01:00

In reply to nevent1q…36yc
_________________________

I have it in noble-curves readme https://github.com/paulmillr/noble-curves#weierstrass-short-weierstrass-curve

2023 progress on JS cryptography: - noble-hashes: 400K => 1.7M ...

2023-12-31T20:53:51+01:00

2023 progress on JS cryptography:

- noble-hashes: 400K => 1.7M downloads per week
- noble-curves: ~0 => 0.9M, got 2 audits
- noble-ciphers: 0 => 25K
- Finally adopted by ProtonMail, MetаMасk, Rainbow, Rabby, ethers, web3.js, viem

Takes time, but we’re getting there.

sphincs looks good, kyber not quite. I think Signal's ...

2023-12-21T22:18:36+01:00

In reply to nevent1q…ytdw
_________________________

sphincs looks good, kyber not quite. I think Signal's decision is proper and other should follow, because it's hybrid. In the end, everything is a placeholder, and the only question is: "for how long?".

Please check out this writing ...

2023-12-21T17:07:27+01:00

In reply to nevent1q…llst
_________________________

Please check out this writing https://blog.cryptographyengineering.com/2020/07/10/a-few-thoughts-about-signals-secure-value-recovery/

> We're sacrificing almost all the values we stand for ...

2023-12-21T16:54:04+01:00

In reply to nevent1q…h73m
_________________________

> We're sacrificing almost all the values we stand for

I'm not sure what are you talking about. SimpleX is not a silver bullet. It's trivially decrypt-able by quantum computers. It's also not popular, which means, if/when it becomes popular, only then we'll see how it holds up.

Again - if you think simplex would work - go ahead and implement it. If you can convince the community your solution is better, everyone will switch to it.

nostr is open for everyone. We're just a bunch of folks who've spent some time on the issue we thought was important. No one paid us for it.

It's possible to deduce who messages whom (timing / ...

2023-12-21T16:38:05+01:00

In reply to nevent1q…tz72
_________________________

It's possible to deduce who messages whom (timing / correlation attack). All user contacts are uploaded to Signal servers (they say it's stored in SGX - which may be broken). Groups also store some data on Signal servers. And - most important - Signal relies on phone numbers.

https://github.com/paulmillr/nip44

2023-12-21T16:34:01+01:00

In reply to nevent1q…87hx
_________________________

https://github.com/paulmillr/nip44

Also there's a separate "gift wrap" NIP which seems ...

2023-12-21T16:33:38+01:00

In reply to nevent1q…zx3z
_________________________

Also there's a separate "gift wrap" NIP which seems to solve the problem.

It's not as good as Signal for now - but it's open and ...

2023-12-21T16:32:51+01:00

In reply to nevent1q…42ss
_________________________

It's not as good as Signal for now - but it's open and permissionless.

I think we can eat some share of other messengers, yes. It's ...

2023-12-21T16:32:39+01:00

In reply to nevent1q…je3u
_________________________

I think we can eat some share of other messengers, yes. It's not as good as Signal for now - but it's open and permissionless.

It was discussed. SimpleX is extremely complicated. It's ...

2023-12-21T16:30:33+01:00

In reply to nevent1q…e2v3
_________________________

It was discussed. SimpleX is extremely complicated. It's barely maintained. For example, for JS there is https://github.com/simplex-chat/simplexmq-js - but as per SimpleX founder words, it's abandoned and represents less than 5% of required code.

For comparison, full NIP-44 js implementation fits in just ~100 lines.

SimpleX is not a solution for nostr. Integrating simplex server functionality into relays is also extremely complicated. If you think you can do this - submit a proposal, and write some code, but it doesn't seem to be worth it.

He consulted on some ideas, yes.

2023-12-21T16:25:22+01:00

In reply to nevent1q…6qme
_________________________

He consulted on some ideas, yes.

The problem you're mentioning (metadata leakage) can't be ...

2023-12-21T16:24:54+01:00

In reply to nevent1q…zx3z
_________________________

The problem you're mentioning (metadata leakage) can't be solved by cryptography alone.

It's solved separately by specifying which relays can be responsible for your DMs. You will set up a preferred DM relay and only this relay would be used for all chats.

Yes, the audit requests have been incorporated into the current ...

2023-12-20T23:41:09+01:00

In reply to nevent1q…7avs
_________________________

Yes, the audit requests have been incorporated into the current version.

There is no certainty. Two words for you: Cheon's attack.

2023-12-20T23:24:10+01:00

In reply to nevent1q…w730
_________________________

There is no certainty. Two words for you: Cheon's attack.

We've discussed this on GitHub for most of 2023. If ...

2023-12-20T20:36:19+01:00

In reply to nevent1q…6zdg
_________________________

We've discussed this on GitHub for most of 2023. If you've had any comments or suggestions, you could have voiced them. This is a community effort. Don't like it? Build something better.

Correct! Threat of "Harvest now, decrypt later" is real.

2023-12-20T20:30:10+01:00

In reply to nevent1q…e600
_________________________

Correct! Threat of "Harvest now, decrypt later" is real.

Ask other cryptographers what they think about NIP-04. NIP-44 ...

2023-12-20T20:11:47+01:00

In reply to nevent1q…gee0
_________________________

Ask other cryptographers what they think about NIP-04. NIP-44 took many weeks of work by different people and an audit by an indie company. It's the first step. We can add one feature at a time, since we have versioning now. FS is also not "everything": even with it, all signal messages would be decrypted by a powerful quantum computer.

https://github.com/paulmillr/nip44 => all good. If your nostr ...

2023-12-20T20:04:42+01:00

In reply to nevent1q…zwlj
_________________________

https://github.com/paulmillr/nip44 => all good. If your nostr client doesn't see a valid URL in the post, create a bug report.

The goal is to add more features later. FS does not protect ...

2023-12-20T19:48:26+01:00

In reply to nevent1q…6sa9
_________________________

The goal is to add more features later. FS does not protect against quantum computers, which will decrypt all previous signal conversations. FS does not protect against metadata leakage, which is present in both nostr and signal.

Signal is cool, but do you know what is cooler? Chatting on ...

2023-12-20T19:37:03+01:00

Signal is cool, but do you know what is cooler? Chatting on decentralized social network. We’ve implemented and audited end-to-end encrypted direct messaging for nostr.  

 Thanks to Jon (npub1jlrs53pkdfjnts29kveljul2sm0actt6n8dxrrzqcersttvcuv3qdjynqn), OpenSats, Michael (npub1acg6thl5psv62405rljzkj8spesceyfz2c32udakc2ak0dmvfeyse9p35c), ekzyis (npub16x07c4qz05yhqe2gy2q2u9ax359d2lc0tsh6wn3y70dmk8nv2j2s96s89d), Vitor (npub1gcxzte5zlkncx26j68ez60fzkvtkm9e0vrwdcvsjakxf9mu9qewqlfnj5z), Cure53, Matthew Green and everyone else involved.

 https://github.com/nostr-protocol/nips/blob/master/44.md, https://github.com/paulmillr/nip44

Signal is upgrading all conversations to a combination of X25519 ...

2023-09-22T00:17:09+02:00

Signal is upgrading all conversations to a combination of X25519 and CRYSTALS-Kyber. Probably the first large-scale deployment of Kyber. https://signal.org/blog/pqxdh/

Someone published NPM fork of noble-curves that sent private keys ...

2023-08-12T18:12:08+02:00

Someone published NPM fork of noble-curves that sent private keys to a server in China. Be careful and check for typos https://blog.phylum.io/typosquat-of-popular-ethereum-package-steals-private-keys/

Ever wanted a privacy-focused nostr web client? http://nostr.spa ...

2023-07-11T02:28:16+02:00

Ever wanted a privacy-focused nostr web client? http://nostr.spa (https://paulmillr.com/demos/nostr) got you covered! It’s simple, open-source, and does not require a private key. You can even send messages, pre-signed somewhere else.

Announcing noble-ciphers: tiny 0-dependency cryptographic ...

2023-06-29T02:47:43+02:00

Announcing noble-ciphers: tiny 0-dependency cryptographic library, implementing Salsa20, ChaCha, Poly1305, AES-SIV and others. Bonus: a reasonable wrapper around native WebCrypto's AES. Check out its README for some insights: https://github.com/paulmillr/noble-ciphers

New noble cryptography releases are out: - NPM provenance is now ...

2023-06-03T17:24:02+02:00

New noble cryptography releases are out:

- NPM provenance is now used for transparent builds, to strengthen supply chain security [1]
- ed25519 and ed448 now provide non-repudiation (Strongly Binding Signatures). The feature is not present in most other libraries [2]
- tweetnacl users (including DJB's C version): it's time to switch away. It does not provide SUF-CMA, meaning, in some circumstances, the signatures are malleable [3]

1.https://github.blog/2023-04-19-introducing-npm-package-provenance/
2. https://csrc.nist.gov/csrc/media/Presentations/2023/crclub-2023-03-08/images-media/20230308-crypto-club-slides--taming-the-many-EdDSAs.pdf
3.https://blog.cryptographyengineering.com/euf-cma-and-suf-cma/

Twitter launched encrypted* DMs for verified accounts. * No sync ...

2023-05-11T11:50:35+02:00

Twitter launched encrypted* DMs for verified accounts.

* No sync
* No group chats
* No attachments
* No timers
* Vulnerable to MITM
* No reporting (msg franking)
* No Forward Secrecy
* No Key Transparency
* Private keys are NOT erased after web logout

https://help.twitter.com/en/using-twitter/encrypted-direct-messages

Elliptic curve calculator just got a new big update: 1. Select a ...

2023-04-13T14:16:33+02:00

Elliptic curve calculator just got a new big update:

1. Select a curve, including NIST, ed448, BLS
2. Create custom curves
3. Add and multiply points
4. Sign messages with different hashes

The demo works offline. It’s great for learning! Check it out:

https://paulmillr.com/noble/

4KB cryptography. Does that sound safe? Because it should. ...

2023-03-24T11:58:20+01:00

4KB cryptography. Does that sound safe? Because it should.

Announcing v2 of single-feature modules noble secp256k1 and noble ed25519. secp is just 430 lines of code (4KB gzipped), ed is only 330 lines (3.3KB gzipped) — 4x smaller than previous versions.

Tweetnacl was a great idea. Smaller attack surface means less things that could go wrong. New libraries develop the concept further: there are tons of comments everywhere, describing how things work - makes it much easier for cryptography newcomers to read.

https://github.com/paulmillr/noble-secp256k1
https://github.com/paulmillr/noble-ed25519

Nostr event nevent1qqspet4msdn46h2aak456cerdennuvfncrg87jun0xe2rjqrw0z39aqzyp7tz0x7qecwty8s9jlfag8u78s9ak79ej9yp9e3lf2rv3qps8836j4e077

2023-02-17T15:11:02+01:00

@npub1teawtzxh6y02cnp9jphxm2q8u6xxfx85nguwg6ftuksgjctvavvqnsgq5u Verifying My Public Key: "paulmillr"

Nostr event nevent1qqsqmapmfut566fsucw42dajc04f00qdksxeld6ky8wgnv0vqcsspnszyp7tz0x7qecwty8s9jlfag8u78s9ak79ej9yp9e3lf2rv3qps8836vfp6yt

2023-02-16T23:10:57+01:00

Hello, world. Message made with #noble-crypto