Nostr notes by shafemtol

I guess that's the end of my attempts to do the exact ...

2024-05-04T17:30:34Z

In reply to nevent1q…lm95
_________________________

I guess that's the end of my attempts to do the exact opposite 🙃

quoting note154f…0hss
Exploring a method to reduce the risk of block storms on Bitcoin testnet

Mining block 820132 took 98 minutes. In the next 3 minutes, 3 ...

2023-12-07T15:30:04Z

Mining block 820132 took 98 minutes. In the next 3 minutes, 3 blocks followed. https://stacker.news/items/342425

Apart from the shared secret issue, one thing not addressed here ...

2023-06-06T00:43:53Z

In reply to nevent1q…x3u6
_________________________

Apart from the shared secret issue, one thing not addressed here is sender authentication.

Assuming the encryption key is `S' = w * Q2`, since the sender signs with the ephemeral key `w`, unless the recipient can somehow verify that `w` belongs to the intended counterparty, the recipient has no way of authenticating the sender.

Anyone who correctly guesses one of the participants of the silent inbox (e.g. a relay operator would be able to trivially figure this out in many cases) can send a DM to that participant with an ephemeral private key of their own, pretending to be the other participant.

What you could do is hash the shared secret curve point `S` ...

2023-06-04T21:49:17Z

In reply to nevent1q…pk5c
_________________________

What you could do is hash the shared secret curve point `S` (preferably using a tagged hash function) into a shared private key `r`, then use the corresponding public key `R = r * G` for the `p` tag. This would not leak the actual shared secret.

Maybe something's missing in the pictures. Note that I'm ...

2023-06-04T21:38:41Z

In reply to nevent1q…lhea
_________________________

Maybe something's missing in the pictures. Note that I'm not talking about decrypting *silent inbox* DMs. Here's an example of it going wrong as I understand it:

First, Alice (keypair p1, Q1) sends Bob (keypair p2, Q2) a *regular* NIP-04 DM (no silent inbox).

NIP-04 uses shared secret `S = p1 * Q2 = p2 * Q1` to encrypt the message. In NIP-04, this is given in the example code as:

`let sharedPoint = secp.getSharedSecret(ourPrivateKey, '02' + theirPublicKey)`

Eve also picks up this DM. She sees that Alice sent Bob a DM of a certain length at a certain point in time. She can't decrypt it yet, but stores it in her collection for later.

Next, they Bob decides to try using a silent inbox. This time, Bob sends a message to Alice.

Silent inbox uses shared secret `S = p1 * Q2 = p2 * Q1` (from the picture titled "Shared Secrets").

Bob constructs the event using an ephemeral key `w`, encrypting to `Q1` (I presume using `w * Q1` as the NIP-04 encryption key, but this is not relevant to the attack). She puts `S` in the `p` tag of the event and signs it (from the picture titled "Send and receive flow").

Eve also picks up this DM. She doesn't yet know its sender or recipient, but she reads the `p` tag and starts trying to decrypt the DMs she's got in her collection one by one, using the contents of the `p` tag as the shared secret.

One of the DMs does decrypt to a valid message, namely the first, regular, DM from Alice to Bob. Eve can now decrypt every past and future regular (not silent inbox) DM between Alice and Bob. Furthermore, while Eve can not decrypt silent inbox messages due to the use of different encryption keys here, she learns that the silent inbox in question belongs to Alice and Bob and can see the length and timing of each message going to it.

NIP-92: Rendezvous Beacons (draft; ...

2023-06-04T17:32:09Z

In reply to nevent1q…8utl
_________________________

NIP-92: Rendezvous Beacons (draft; https://github.com/nostr-protocol/nips/pull/333 ) enables anonymous establishment of communication between two parties, addressing the issue of receiving messages from unknown contacts.

A shared secret is derived using ECDH like in NIP-04, but this shared secret is only used through *tagged hashes*, with a different tag (not to be confused with nostr tags) for each purpose.

From the shared secret, a *rendezvous keypair* is established, where the sender knows the private key and the recipient knows the public key. This is done by tweaking the sender's key (an ephemeral key in the case of NIP-92) using a tweak value derived from the shared secret.

I'd be uneasy about a supposed "shared secret" being ...

2023-06-04T17:02:31Z

In reply to nevent1q…x3u6
_________________________

I'd be uneasy about a supposed "shared secret" being put in a public `p` tag.

Indeed, AIUI, using a silent inbox as presented here completely breaks the security of any past and future regular NIP-04 DMs between the same parties, because the same "shared secret" used for encryption in regular NIP-04 DMs is being used publicly in the silent inbox. An attacker doing trial and error decryption of NIP-04 DMs would be able to decrypt all regular DMs between the two, as well as deanonymize the silent inbox.

Seems like Binance has currently queued up at least 5 blocks ...

2023-05-09T04:35:29Z

Seems like Binance has currently queued up at least 5 blocks worth of panic consolidation transactions in the mempool at 201 sat/vB for a total of at least 10 BTC in transaction fees. https://mempool.space/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h

Twitter didn't have retweets originally, they introduced a ...

2023-05-09T02:04:53Z

In reply to nevent1q…s2q2
_________________________

Twitter didn't have retweets originally, they introduced a retweet feature in 2009. The "RT @twitterhandle" form started as a convention among users a year or two earlier. Twitter may have implemented their APIs in a backwards-compatible way by presenting their later implementation of retweet as such to older clients, though I'm pretty sure their internal representation of a retweet would be different.

Some of the inputs don't even cover the cost of including ...

2023-05-09T01:18:33Z

In reply to nevent1q…qnte
_________________________

Some of the inputs don't even cover the cost of including them!

Since nostr uses Schnorr signatures, it already supports n-of-n ...

2023-03-23T06:11:24Z

In reply to nevent1q…0mxc
_________________________

Since nostr uses Schnorr signatures, it already supports n-of-n multisig. Though in this case I guess you're thinking of something where not all users need to sign?

Maybe not (see: Deniable authentication)

2023-03-23T02:33:17Z

In reply to nevent1q…jtz3
_________________________

Maybe not (see: Deniable authentication)

I don't like the concept of duplicating the original event ...

2023-03-22T15:06:37Z

I don't like the concept of duplicating the original event and putting its json in the content. There's a lot of duplication and it's not trivial for a relay to deduplicate as the original event can be serialized in countless different ways.

Rather have the relay optionally send the original event alongside the (first) repost event.

Not gonna compromise my on-chain privacy for the sake of keeping ...

2023-03-21T12:55:53Z

In reply to nevent1q…jv2g
_________________________

Not gonna compromise my on-chain privacy for the sake of keeping some pocket money secure. Sorry not sorry.

Relays shouldn't have to be trusted. It's not really true ...

2023-03-19T19:35:32Z

In reply to nevent1q…5j9v
_________________________

Relays shouldn't have to be trusted.

It's not really true that you need a full node to verify OTS timestamps, you can use an SPV-like trust model where you just have the Bitcoin block headers and check their POW. The headers are just 80 bytes per block.

NIP-03: OpenTimestamps Attestations for Events

2023-03-19T18:27:36Z

In reply to nevent1q…85ja
_________________________

NIP-03: OpenTimestamps Attestations for Events

With confidential amounts you'd have better anonymity ...

2023-03-15T15:12:15Z

In reply to nevent1q…9pgg
_________________________

With confidential amounts you'd have better anonymity guarantees. With public denominations, each denomination effectively has its own anonymity set, which might especially affect user anonymity when different denominations are combined, and the issuer knows a per-denomination lower bound on a user's funds and upper bound on amounts being transferred between users.

I'm still trying to wrap my head around the cryptography needed for confidential amounts. I think each token has to be bigger by some constant factor, but each user only needs to store a single token. And someone might have a single token worth 4.2 BTC and remain in the same anonymity set as someone with a balance of 69 sat.

UX-wise there should be no difference, but it could be made insanely private, with the issuer not even knowing whether a particular user is sending, receiving or just renewing a token.

When the client adds `"nip05valid":true` to the public ...

2023-03-15T11:21:15Z

When the client adds `"nip05valid":true` to the public profile 🎖️

Cashu tokens are still power-of-2 denominations, right? Wen ...

2023-03-15T10:51:22Z

In reply to nevent1q…uecm
_________________________

Cashu tokens are still power-of-2 denominations, right?

Wen confidential amounts?

Idea: Relay that only serves events that are slightly corrupted ...

2023-03-12T20:49:56Z

Idea: Relay that only serves events that are slightly corrupted in different ways, if your client accepts any of them, it's broken

#[0]

Ok, apparently this is just some weird font thing I'm seeing ...

2023-03-12T20:37:54Z

In reply to nevent1q…qfxy
_________________________

Ok, apparently this is just some weird font thing I'm seeing on some clients as well as in the Flamingo extension, it is actually an 'x'.

Why is there no client that lets me put a plain old 'x' ...

2023-03-12T20:34:48Z

Why is there no client that lets me put a plain old 'x' in between two digits? Like, 0x1 what? #nostr

(that is 22 in hexadecimal, or 34 in base 10, of course)

2023-03-12T20:29:57Z

In reply to nevent1q…3k7q
_________________________

(that is 22 in hexadecimal, or 34 in base 10, of course)

The current specs could be much better even if sticking to ...

2023-03-12T19:47:42Z

In reply to nevent1q…m9d4
_________________________

The current specs could be much better even if sticking to "human language". E.g., nowhere does NIP-01 say that created_at must be an integer, yet to #[2] that is apparently obvious. All NIP-01 says is that it's a unix timestamp in seconds. Go to the Wikipedia page for Unix time, and you'll see several non-integer examples.

Test vectors that cover all kinds of corner cases would definitely help.

It's not so fun when you just want to type plaintext but ...

2023-03-12T19:30:43Z

In reply to nevent1q…qq7f
_________________________

It's not so fun when you just want to type plaintext but random clients absolutely want to imagine it's markdown and completely butcher your note. I'd be mostly fine with it if they'd stick to only modifying the style and not the text itself. Cf. #[2]

JCS, although more complicated than binary, is a well-specified ...

2023-03-12T19:04:10Z

In reply to nevent1q…379n
_________________________

JCS, although more complicated than binary, is a well-specified JSON serialization form. Luckily, for hashing, nostr only relies on a few types (list, integer, string), which are not the most complicated parts of JCS, and it seems that most client implementations happen to be compatible with JCS for these types, at least for most notes. The most complicated part here is that there are 22 characters that require specific escape sequences when encoding strings.

Unfortunately it appears that some devs really really really REALLY want to use a generic JSON library to generate things that look like JSON even when they know that this results in critical bugs.

In some cases, the spec really needs to be more clear. ...

2023-03-12T18:16:37Z

In some cases, the spec really needs to be more clear. https://github.com/nostr-protocol/nips/issues/354 #nostr

#[0]

If you want public broadcast that's resistant to jamming from ...

2023-03-10T07:53:17Z

In reply to nevent1q…6za7
_________________________

If you want public broadcast that's resistant to jamming from someone with the same transmission capability as the broadcaster, I think it gets difficult. I don't have too much knowledge about radio stuff, but something I can imagine working to some extent in theory is very short bursts at changing frequencies across a wide spectrum. A jammer would have to hit the right frequencies at the right time to be efficient, but unless close to the broadcaster, their timing would differ depending on receiver location. It gets more difficult to avoid interference between multiple legitimate broadcasters at different locations, though.

A hardware-based solution might be receivers with multiple antennas, where the signals from the different antennas are continuously automatically tuned and combined in such a way that the signal from the identified broadcaster is amplified compared to any source of noise. I don't know the specifics, but I believe certain satellite receivers work like this, consisting of a large array of small antennas. Again, there would have to be a difference in location between the broadcaster and the jammer.

I see value in doing secure messaging over nostr rather than a ...

2023-03-09T11:41:26Z

In reply to nevent1q…zr5s
_________________________

I see value in doing secure messaging over nostr rather than a separate network. With a network dedicated to secure messaging, you lose the effect of blending in with other types of use and thus leak more information to your network provider about your types of activity.

I do in fact see the public nature of relays as a potentially good thing for the core design of secure message delivery, as you're forced to minimize the trust in put in relays. The issue of trusting relays with traffic information (who sends and receives what) can be solved with separate solutions, used by users/clients that want better anonymity without affecting messaging compatibility with other users/clients.

I wouldn't see the issue of relays wanting to know the identity of its users specifically as a hindrance to secure messaging on nostr, but rather a problem that should be solved in and of itself. And as I mentioned in https://github.com/nostr-protocol/nips/pull/306 I think it can be solved with anonymous tokens based on blind signatures.

Excluding Satoshi? ...

2023-03-09T09:44:17Z

In reply to nevent1q…u3a5
_________________________

Excluding Satoshi?

I think public broadcast standards mostly rely on most people ...

2023-03-09T09:10:41Z

In reply to nevent1q…rxgm
_________________________

I think public broadcast standards mostly rely on most people being unwilling to go to the trouble of setting up high-power transmission equipment in order to interfere with public broadcasts in a way that's probably not too hard for some government agency to track down.

NIP-92: Rendezvous Beacons (draft) ...

2023-03-08T06:26:34Z

NIP-92: Rendezvous Beacons (draft) https://github.com/nostr-protocol/nips/pull/333 #nostr

Successfully mined another preventive #testnet block at height ...

2023-03-07T04:00:44Z

Successfully mined another preventive #testnet block at height 2423230. Next block came 32 min later, would have been 12 min after a "normal" block 2423230. If so, no block storm would occur even without a preventive block. But would have been a close call. #[0]

I proposed a NIP for just that kind of tag: #[2]

2023-03-07T00:23:46Z

In reply to nevent1q…lrhw
_________________________

I proposed a NIP for just that kind of tag: #[2]

The Flamingo signing extension shows you the follow list before ...

2023-03-06T06:54:20Z

In reply to nevent1q…mc6r
_________________________

The Flamingo signing extension shows you the follow list before you sign it. Unfortunately it's just a list of npubs, but at least you'd notice if the list is considerably shorter than expected.

I was thinking about the quality impact on a global feed. In any ...

2023-03-06T06:45:13Z

In reply to nevent1q…l3d6
_________________________

I was thinking about the quality impact on a global feed. In any case, a more refined filter on the client side is also an option.

Was just thinking about this. #[2] Some users follow a _lot_ of ...

2023-03-06T05:20:08Z

In reply to nevent1q…c0sh
_________________________

Was just thinking about this.

#[2]

Some users follow a _lot_ of others, though, and might have a higher risk of following spam/impersonation accounts. As a refinement, maybe you could score each follow by dividing by the paid user's total follow count, and only include users with a follow score above a certain level, e.g. 1/200. And/or disregard the follows of users who follow identified spammers/impersonators.

I had to look up the claim about the difference in difficulty ...

2023-03-06T04:42:50Z

In reply to nevent1q…cgft
_________________________

I had to look up the claim about the difference in difficulty scale, because that was new to me, and I've been using the same code for testnet bits/target/difficulty calculations as those for mainnet.

The statement was added here, in January 2011: https://en.bitcoin.it/w/index.php?title=Testnet&diff=2244&oldid=2212

Testnet3 genesis was in February 2011: https://mempool.space/testnet/block/0

Within the current difficulty period on testnet3, I can find no regular-difficulty block that has a hash outside the supposed target using mainnet bits/target/difficulty calculations. The difficulty scale must have been different on testnet versions 1 and 2, but changed to the mainnet scale in version 3.

It's not a block storm, just someone modifying the timestamps ...

2023-03-06T03:40:59Z

In reply to nevent1q…4gqt
_________________________

It's not a block storm, just someone modifying the timestamps of their blocks into the future to get to mine at difficulty 1. mempool.space shows future-timestamp blocks as mined "just now".

They're limited by the 2-hour rule, no big deal. But we're approaching a difficulty adjustment, and if they happen to be doing this on the last block in this difficulty period, they will trigger a block storm.

Better fire up my storm-blocking miner again... #[4]

Ok, by 'clients' I mean snort.social, and by ...

2023-03-06T01:41:37Z

In reply to nevent1q…wkd8
_________________________

Ok, by 'clients' I mean snort.social, and by 'removing' I mean default disabled in settings. I'd be fine with DM functionality treated similarly.

I see clients are removing likes/reactions. How about removing ...

2023-03-06T01:18:33Z

I see clients are removing likes/reactions. How about removing something actually harmful like NIP-04 DMs? That would be something.

Some of the relays I had in my profile are unusable over Tor. I ...

2023-03-06T01:16:12Z

Some of the relays I had in my profile are unusable over Tor. I removed them, hopefully my posts are still reaching most of the network.

This is why we can't have nice things ...

2023-03-03T03:56:53Z

This is why we can't have nice things

I have created an issue on NIP-08's failure to specify ...

2023-03-02T23:18:11Z

In reply to nevent1q…ecq2
_________________________

I have created an issue on NIP-08's failure to specify correct behavior here: https://github.com/nostr-protocol/nips/issues/319 #nostr

Results on generating notes: - astral.ninja: 💩 fail #[2] - ...

2023-03-02T20:51:54Z

In reply to nevent1q…sq4s
_________________________

Results on generating notes:
- astral.ninja: 💩 fail #[2]
- coracle.social: 💩 fail #[3]
- iris.to: 💩 fail #[4]
- snort.social: 💩 fail #[5]

They *all* fail to avoid creating false-positive NIP-08 mentions. This is a failure of NIP-08: It does not specify how to actually create a message with the plaintext `#[x]` (where x is a number) in it if the event has tags. #nostr

Testing reply from snort.social: #[0] #[1] #[9]

2023-03-02T20:40:30Z

In reply to nevent1q…sq4s
_________________________

Testing reply from snort.social: #[0] #[1] #[9]

Testing reply from iris.to: #[0] #[1] #[9]

2023-03-02T20:37:59Z

In reply to nevent1q…sq4s
_________________________

Testing reply from iris.to: #[0] #[1] #[9]

Testing reply from coracle.social: #[0] #[1] #[9]

2023-03-02T20:37:01Z

In reply to nevent1q…rclv
_________________________

Testing reply from coracle.social: #[0] #[1] #[9]

Testing reply from astral.ninja: #[0] #[1] #[9]

2023-03-02T20:33:51Z

In reply to nevent1q…mxsj
_________________________

Testing reply from astral.ninja: #[0] #[1] #[9]

Results on viewing: - astral.ninja: 🤙 pass - coracle.social: ...

2023-03-02T20:29:32Z

In reply to nevent1q…sq4s
_________________________

Results on viewing:
- astral.ninja: 🤙 pass
- coracle.social: 🤙 pass
- iris.to: 💩 fail, removes part of the text, shows as `0 9`
- snort.social: 💩 fail, highlights text in bold red and appends question marks

astral.ninja to the rescue, coracle.social now works after I ...

2023-03-02T20:18:19Z

In reply to nevent1q…mpff
_________________________

astral.ninja to the rescue, coracle.social now works after I re-added the relays without trailing slash

coracle.social seems to fail on relay URLs with a trailing slash. ...

2023-03-02T19:19:31Z

coracle.social seems to fail on relay URLs with a trailing slash. My profile there is outdated and shows none of my posts, presumably because it refuses to connect to the relays declared in my profile. And snort.social adds a trailing slash to the URL of every relay I add to my profile 💩

Testing how clients deal with undefined parts of NIP-08: #[0] ...

2023-03-02T18:31:14Z

Testing how clients deal with undefined parts of NIP-08: #[0] #[9]

Clients could improve their cut-off functionality by having some ...

2023-03-02T17:31:29Z

In reply to nevent1q…3776
_________________________

Clients could improve their cut-off functionality by having some extra tolerance. If length is greater than cut-off + tolerance, then it's shortened to the cut-off length.

Trying to understand the cryptography behind WabiSabi for like ...

2023-03-02T03:08:13Z

Trying to understand the cryptography behind WabiSabi for like the fifth time

This broke my internet connection

2023-03-01T03:30:09Z

In reply to nevent1q…zznf
_________________________

This broke my internet connection

Assuming the best option initially would be not trying to host ...

2023-03-01T02:56:19Z

In reply to nevent1q…uzv9
_________________________

Assuming the best option initially would be not trying to host git repos themselves on nostr, but repository metadata (description, repository URL, branch hashes) and an issue tracking system to begin with.

Or rather, I'd like the whole event shown in human-readable ...

2023-03-01T02:45:48Z

In reply to nevent1q…lkll
_________________________

Or rather, I'd like the whole event shown in human-readable format, falling back to the json values for things it doesn't know how to parse.

Using Flamingo right now. Its signing dialog is very limited, it ...

2023-03-01T02:39:05Z

In reply to nevent1q…xeaz
_________________________

Using Flamingo right now. Its signing dialog is very limited, it only shows the `content` part of the event, with newlines replaced with spaces for some reason. For events without content it just shows a blank dialog. I would want it to show the whole event to be signed in json format. Otherwise it seems to be working well.

Any reasonably sane email client will not load remote content by ...

2023-02-28T17:28:56Z

In reply to nevent1q…lnf3
_________________________

Any reasonably sane email client will not load remote content by default. Nostr DM clients need to behave similarly. Some email clients might load external content through a dedicated proxy. That is also problematic as it lets the sender know exactly when the email is opened.

Results: iris.to and coracle.social display the image, ...

2023-02-28T16:56:12Z

In reply to nevent1q…43wg
_________________________

Results: iris.to and coracle.social display the image, snort.social fails (doesn't strip off the fragment before sending the URL to its image proxy, guessing the proxy itself doesn't remove it either).

Testing .png URL with fragment ...

2023-02-28T16:45:58Z

In reply to nevent1q…f4jc
_________________________

Testing .png URL with fragment

Regarding referrer, browsers send the `Origin` header on ...

2023-02-28T16:10:48Z

In reply to nevent1q…d6z2
_________________________

Regarding referrer, browsers send the `Origin` header on WebSocket connections, revealing the domain name of the client app. Other resources can be loaded without referrer/origin through `Referrer-Policy`. This does not affect the WebSocket `Origin` header.

I did some testing and found a trick: Put the WebSocket client in a sandboxed iframe.

Demo here: https://sha.femtol.net/dev-tests/ws-origin/iframe-sandbox.html (use the browser's network console).

Tested and works on both Firefox and Chromium. It might not work on older Firefox browsers, though.

Test without fragment ...

2023-02-28T13:03:23Z

In reply to nevent1q…f4jc
_________________________

Test without fragment

Test https://void.cat/d/HUBDjrsgNcc4YH7Htv9HMc.webp#1

2023-02-28T12:09:40Z

Test

NIP-93: Secret Events (draft) ...

2023-02-27T22:56:23Z

NIP-93: Secret Events (draft)
https://github.com/nostr-protocol/nips/pull/306

Nothing too exciting in this particular NIP, just intended a small building block. #nostr

The proxy could pass the challenge and response to and from the ...

2023-02-27T12:06:08Z

In reply to nevent1q…3cx7
_________________________

The proxy could pass the challenge and response to and from the client through some protocol extension (client/user would still have to trust proxy not to abuse the authenticated session).

I'd rather like to see an anonymous solution, though, like some kind of usage tokens based on blind signatures.

The NIPs don't seem to be fully consistent in its use: | kind ...

2023-02-26T21:05:14Z

In reply to nevent1q…yf62
_________________________

The NIPs don't seem to be fully consistent in its use:

| kind | description | NIP | content | note |
|-------|-----------------|-----|---------|------|
| 0 | Metadata | 1 | Yes | - |
| 1 | Text Note | 1 | Yes | Yes |
| 2 | Recommend Relay | 1 | Yes | - |
| 3 | Contacts | 2 | ignored | - |
| 4 | Encrypted DMs | 4 | Yes | - |
| 5 | Event Deletion | 9 | MAY | - |
| 7 | Reaction | 25 | Yes | Yes |
| 8 | Badge Award | 58 | - | - |
| 40-42 | Chat | 28 | Yes | - |
| 43-44 | Chat | 28 | may | - |
| 1984 | Reporting | 56 | MAY | Yes |
| 9734 | Zap Request | 57 | MAY | Yes |
| 9735 | Zap | 57 | No | Yes |
| 10002 | Relay List Meta | 65 | No | - |
| 22242 | Client Auth | 42 | - | - |
| 24133 | Nostr Connect | 46 | Yes | - |
| 30008 | Profile Badges | 58 | - | - |
| 30009 | Badge Def | 58 | - | - |
| 30023 | Long-form | 23 | Yes | - |

Ideas on anonymous delivery of secret events ...

2023-02-26T16:50:21Z

Ideas on anonymous delivery of secret events
https://github.com/shafemtol/nostr-secure-messaging/blob/main/anonymous-delivery.md #nostr

Working on it 🤙

2023-02-26T15:32:22Z

In reply to nevent1q…3jv5
_________________________

Working on it 🤙

Having scanned through all of the NIPs, I'm still not sure ...

2023-02-25T23:26:00Z

Having scanned through all of the NIPs, I'm still not sure exactly what is meant by a "note". All notes are events, but I'm guessing not all events are to be called notes? #nostr

> Including a recent block hash is a proof of absence, meaning ...

2023-02-24T11:44:59Z

In reply to nevent1q…ykkz
_________________________

> Including a recent block hash is a proof of absence, meaning that the note cannot have been created before that block was mined. It proofs the lower bound, that the message is older than that block. The attacker can include a very old blockhash years after it was mined.

I think you're missing the idea here. The point is exactly to prove that a note's id was created after a certain block was mined. But the block is not chosen by the attacker. It must match a set of recent blocks by the filtering client. The client is only interested in recent notes, not historical ones. By using a filter as provided in the example, the client is guaranteed (by the promised behavior of any relay that follows NIP-01 + NIP-12) that any notes returned were created after the list of block hashes chosen by the client.

Proof of freshness does not solve the case where an attacker concentrates PoW on creating notes targeting a very old block hash. For that case, you can combine this NIP with an opentimestamps proof as you mentioned.

https://github.com/nostr-protocol/nips/pull/296#issuecomment-1443568647

NIP: Proof of Freshness ...

2023-02-24T06:21:36Z

NIP: Proof of Freshness
https://github.com/nostr-protocol/nips/pull/296 #nostr

Going down the rabbit hole of secure, private DMs. I think a good ...

2023-02-23T21:39:28Z

Going down the rabbit hole of secure, private DMs. I think a good design will require multiple smaller, composable NIPs. #nostr

A preventive block was successfully mined at height 2421214. The ...

2023-02-23T20:25:57Z

A preventive block was successfully mined at height 2421214. The two blocks that followed had an interval of 31 minutes between them.

If those blocks had been mined at the same rate without the preventive block, there would have been another block storm! #bitcoin #testnet #[0]

These are the concerns and edge cases I can think of regarding a ...

2023-02-22T20:41:19Z

In reply to nevent1q…2zte
_________________________

These are the concerns and edge cases I can think of regarding a soft fork to set a maximum timestamp limit on block 2015:

## Can a maximum timestamp requirement of prev timestamp + 20 min conflict with the minimum timestamp requirement of prev mediantime + 1 sec, making it impossible to mine a new block on top of the latest one?

No, because prev mediantime can not be greater than prev timestamp. The mediantime of a block is the median of the timestamps of that block and the 10 before it. Because that block itself must have a timestamp greater than the median of the 11 blocks before it, it must have a timestamp greater than that of at least 6 of those blocks. It follows that it must have a timestamp greater than at least 5 of the 10 blocks before it. Thus, its timestamp can only be set so low as to also define the block's own mediantime.

## Could non-upgraded miners run off in a chain split?

Yes, if they start a block storm. But they would reorg and join the upgraded chain as soon as the upgraded chain finds block 2015. This is because the non-upgraded chain would all consist of difficulty-1 blocks for the next 2017 blocks (and then increasing by no more than 4x for every difficulty period after that). That is, the blocks do not make a heavy chain. Even if the non-upgraded chain had more hashing power in theory, they would be limited by the rate of new blocks having to be sent across the network.

## Could the chain stop at block 2014 for hours because all ASIC miners left?

This is a possibility. Is it worse than a block storm, though? Not everyone has their own ASIC miner, but renting some ASIC time shouldn't be too hard or expensive (should cost no more than about 40 cents per expected block at the current difficulty and BTC price).

So, kind 6 was NIP-18, but it got removed because it wasn't ...

2023-02-22T18:30:06Z

In reply to nevent1q…286e
_________________________

So, kind 6 was NIP-18, but it got removed because it wasn't being implemented as specified: https://github.com/nostr-protocol/nips/issues/173

Quoting works by regular text notes with mentions of other notes embedded in the text body. I would have assumed reposts were the same but with no other text in the body.

Apparently a boost/repost is kind 6, which I can't find ...

2023-02-22T18:05:59Z

In reply to nevent1q…7r5q
_________________________

Apparently a boost/repost is kind 6, which I can't find mention of in the NIPs? And snort includes the reposted event in full as stringified JSON in the content field, while iris leaves the content field blank?

ChatGPT seems to be excellent at breaking down code and ...

2023-02-22T17:47:17Z

In reply to nevent1q…7a3e
_________________________

ChatGPT seems to be excellent at breaking down code and explaining exactly what each part does. I'm curious: would it be able to explain why this command works on a pruned node?

Looks like the address it gave in the example there is completely ...

2023-02-22T17:30:40Z

In reply to nevent1q…dxxq
_________________________

Looks like the address it gave in the example there is completely made up, getting "invalid address". Did I transcribe it correctly? 1F5MsWgRyxA6lekVMrhKmUsPJdQaYjP9sm

The method I'm exploring is to try to force the mining of the ...

2023-02-22T17:18:42Z

In reply to nevent1q…eeau
_________________________

The method I'm exploring is to try to force the mining of the last block in a difficulty adjustment to happen at full difficulty for as long as possible, to maximize the chance that a full-difficulty block is found before difficulty drops to 1.

Last block storm was triggered on Oct 31, it might take a few months to see if this method is effective.

The triggering block, at height 2378879, seems to have been _deliberately_ set 20 minutes ahead of actual time. Its timestamp is exactly 20 min 1 sec after the previous block, and 20 min 3 sec _after_ the _following_ block.

Deliberate attacks might still succeed in triggering block storms.

By the way, #[3] , you say that a fix would require a hard fork. ...

2023-02-22T16:33:14Z

In reply to nevent1q…n37u
_________________________

By the way, #[3] , you say that a fix would require a hard fork. Is that a common belief?

A simple soft fork* would be to require that the last block in a difficulty adjustment period has a timestamp no greater than 20 minutes after the previous block.

__
* A soft fork in the sense that it only restricts consensus rules. Miners that don't implement the change might get their block invalidated by this. But such a block would be a difficulty-1 block, so no big deal.

Background on Bitcoin testnet block storms by #[2]: ...

2023-02-22T16:18:47Z

In reply to nevent1q…eeau
_________________________

Background on Bitcoin testnet block storms by #[2]: https://blog.lopp.net/the-block-storms-of-bitcoins-testnet/

Exploring a method to reduce the risk of block storms on Bitcoin ...

2023-02-22T16:12:36Z

Exploring a method to reduce the risk of block storms on Bitcoin testnet

There you have it. #777777 2023-02-22T09:58:27Z UpdateTip: new ...

2023-02-22T10:04:25Z

There you have it. #777777

2023-02-22T09:58:27Z UpdateTip: new best=00000000000000000005d35085cbcb510c14917f928aaa45facb0c0d24d471ce height=777777 version=0x2feaa000 log2_work=94.018808 tx=807684568 date='2023-02-22T09:58:09Z' progress=1.000000 cache=139.8MiB(1043516txo)

His client mangled the npub in the plaintext as per NIP-08, your ...

2023-02-20T20:21:23Z

In reply to nevent1q…msxu
_________________________

His client mangled the npub in the plaintext as per NIP-08, your client might show the mangled part as "@jimmysong". If you replace that text with the npub, you should be able to verify it.

NIP-04 is absolutely nowhere near what Bitmessage did. A major ...

2023-02-20T19:05:09Z

In reply to nevent1q…zfa9
_________________________

NIP-04 is absolutely nowhere near what Bitmessage did. A major goal of Bitmessage is to provide anonymity and hide almost all metadata. NIP-04 does absolutely nothing to hide the metadata, the metadata is completely public to everyone (unlike almost every other communications protocol/platform where this is usually only visible to some centralized third party).

In Bitmessage, messages do not have any address label. Apart from a timestamp, every message is an opaque blob to everyone except the sender and recipient. All messages are broadcast through the peer-to-peer network to every participant, who each simply tries to decrypt every single message they receive with their private key. This means the recipient of a message has the full anonymity set of all Bitmessage users.

In comparison, NIP-04 DMs is Babbys First Crypto Project (and was AFAICT not meant to be much more):
- Metadata like sender and recipient is provided in the clear in each message. The messages are public. Everyone can see who DMs whom when and how long the messages are.
- Sender sends the DM directly to one or more relays, recipient receives DM by asking relays for messages matching their pubkey. Relays may be able to learn some extra information about the sender and recipient, such as IP address, browser, operating system, and usage patterns.
- The encryption itself has issues like non-uniform AES key.

To address the last point, in order to retain previously received ...

2023-02-20T10:16:00Z

In reply to nevent1q…3qsq
_________________________

To address the last point, in order to retain previously received zaps, maybe one could define a new event type for explicitly authorizing old zaps via `e` tags and/or old `nostrPubkey`s via `p` tags, in the 10000-19999 (replaceable) or 30000-39999 (parameterized replaceable) range. #nostr

Issues with #nostr NIP-57 Lightning Zaps: - Can be faked, as ...

2023-02-20T09:53:49Z

Issues with #nostr NIP-57 Lightning Zaps:
- Can be faked, as noted in the NIP itself
- Includes payment info that may aid LN surveillance entities, for no good reason (see above)
- If you later change your LNURL server or your LNURL server changes the `nostrPubkey` key for whatever reason, you lose all previously received zaps as the old zap notes can no longer be validated

Indeed, you'd need to reconstruct some of the data, though. I ...

2023-02-19T16:45:16Z

In reply to nevent1q…fpu8
_________________________

Indeed, you'd need to reconstruct some of the data, though. I have the bolt11 invoice, which is needed for the zap note, but not the description, which also goes into the zap note and must hash to the bolt11 description hash. The description is supposed to be the zap request, which is signed by the sender's nostr key (I'm not sure if such a thing was even created in this instance), while the zap note is signed by the recipient.

My biggest gripe with NIP-04 is that all DM metadata is public, ...

2023-02-19T16:25:30Z

In reply to nevent1q…9d0r
_________________________

My biggest gripe with NIP-04 is that all DM metadata is public, including sender and recipient: #[5]

So I checked your lnurl-pay endpoint, and it doesn't include ...

2023-02-19T15:30:41Z

In reply to nevent1q…6she
_________________________

So I checked your lnurl-pay endpoint, and it doesn't include the NIP-57 fields `allowsNostr` and `nostrPubkey`. So no zap support, just regular lnurl-pay. But apparently that doesn't stop #snort from calling it a zap and then doing absolutely nothing on payment 🤪

I zapped 1000 sats, the LN payment went through, but no feedback ...

2023-02-19T15:12:56Z

In reply to nevent1q…v9rg
_________________________

I zapped 1000 sats, the LN payment went through, but no feedback on my nostr client, did it do anything?

Zaps are defined by NIP-57, apparently it records the bolt11 ...

2023-02-19T14:30:05Z

In reply to nevent1q…nmjm
_________________________

Zaps are defined by NIP-57, apparently it records the bolt11 invoice and preimage in a public nostr event. So not as private.

IMHO, the current NIP-04 DM stuff should be killed with fire. The ...

2023-02-19T11:41:49Z

In reply to nevent1q…yyw4
_________________________

IMHO, the current NIP-04 DM stuff should be killed with fire. The less integrated it is with other functionality, the better.

I think "aspects" is a good term for this feature.

2023-02-19T05:43:58Z

In reply to nevent1q…c68d
_________________________

I think "aspects" is a good term for this feature.

Apparently snort defined only a single hashtag for this message, ...

2023-02-19T05:31:04Z

In reply to nevent1q…a7w3
_________________________

Apparently snort defined only a single hashtag for this message, according to the json output. Does it only ever add one tag per message, or was there some other issue with the second hashtag? #Nostr #hashtag #test

I do like the idea of "personas" (I would maybe call them ...

2023-02-19T05:19:55Z

In reply to nevent1q…c22j
_________________________

I do like the idea of "personas" (I would maybe call them something else, maybe "personal topics"?)

This could be implemented per NIP-12 in combination with a new tag type for this feature. Or, if we make it a convention, just plain #hashtags.

I learned about silent.link from CD77. Very exciting project. ...

2023-02-19T03:06:33Z

In reply to nevent1q…t7u3
_________________________

I learned about silent.link from CD77. Very exciting project. Looks like (for low usage) the data price can be quite decent as well in certain areas.

One issue I have with it is that you'd ideally have to use this on a phone whose IMEIs are not tied to your identity (so no KYC SIMs ever used on it).

They said on CD77 that the physical-SIM and eSIM IMEIs are different and thus the network operator cannot easily link these, but from what I've seen, the two IMEIs seem to be adjacent (apart from the final Luhn checksum digit), e.g:
- 004101846898885
- 004101846898893
So it seems they would be trivially linkable.

Are there devices where these IMEIs are at least somewhat unrelated?