i'm not sure you understand the function of encryption nonces: they ensure that for every message the secret is effectively a new one... there is zero chance of a plaintext attack in this, so long as the quality of the entropy of the nonce is adequate
i agree that there should be padding but i don't think it should be the stupid "pad out to next power of 2" of nip-44; that is retarded
it should just be a random amount extra and you just put a zero byte at the end of the actual string and fill the rest with garbage... i've written what i think is an adequate message length obfuscation method on indra
so, yeah, no, there is zero risk of a plaintext attack even if people keep saying "hi" over and over again in their messages
the nip-44 scheme is seriously wasteful of data size with its power of two scheme, and doesn't really help anything, and it doesn't matter if the padding is noise or spaces because it's already obscured by the combination of the shared secret combined with the nonce
auth and not letting users see other people's messages solves way more problems than this retarded complicated nip-44 scheme, that is also wasteful of data size
this is why i'm so mad about people not understanding the point of nip-42 and it's centrally about the fucking DM privacy!!!!
plaintext attacks are not a real threat
not being able to read your own messages is a real threat to usability
verifying that relays are properly gating access to DMs is easy and cheap, and it is easy to stop any attempts to game this and appear that you are not giving them away
yes, relays have privilege to see them of course, but this is far better than opening up the whole world to see it
nip-44 is not solving any real problems for DMs compared to having auth
Feel free to offer better padding. Padding was discussed at length before and after nip44 and directly audited by the firm. No one has proposed anything better yet.
I strongly disagree with your "zero risk of plain text attack". There are folks here, with money, whose sole goal is to break our encryption.
Most people are not using authed relays for DMs. And likely they never will. The DM solution we made was explicitly designed for that in mind.
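The two padding styles argued over in this thread, side by side, as an added example (not code from the thread, the NIP-44 spec, or indra). The two-byte length prefix, the 32-byte minimum output and the noise cap are assumptions for the demo; the real NIP-44 rule is more detailed than "next power of two".

```python
import math
import secrets

MIN_BLOCK = 32  # assumption: smallest output of the power-of-two scheme


def pad_pow2(msg: bytes) -> bytes:
    """Length prefix + message, zero-filled up to the next power of two.

    The prefix lets the receiver strip the padding unambiguously; it is an
    assumption for this demo, not a claim about the NIP-44 layout.
    """
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = len(msg).to_bytes(2, "big") + msg
    target = max(MIN_BLOCK, 1 << math.ceil(math.log2(len(body))))
    return body + bytes(target - len(body))


def unpad_pow2(padded: bytes) -> bytes:
    n = int.from_bytes(padded[:2], "big")
    if 2 + n > len(padded):
        raise ValueError("length prefix exceeds buffer")
    return padded[2:2 + n]


def pad_random(msg: bytes, max_extra: int = 64) -> bytes:
    """Message, a 0x00 terminator, then 0..max_extra random non-zero bytes.

    This is the first poster's scheme. Caveat: a zero terminator only works
    if the plaintext itself never contains 0x00, so such input is rejected.
    """
    if b"\x00" in msg:
        raise ValueError("plaintext must not contain 0x00 with this scheme")
    extra = secrets.randbelow(max_extra + 1)
    noise = bytes(1 + secrets.randbelow(255) for _ in range(extra))  # never 0x00
    return msg + b"\x00" + noise


def unpad_random(padded: bytes) -> bytes:
    end = padded.find(b"\x00")
    if end < 0:
        raise ValueError("terminator missing")
    return padded[:end]


def padded_lengths(msgs, pad) -> list:
    """Distinct output sizes a scheme produces for a batch of messages."""
    return sorted({len(pad(m)) for m in msgs})
```

Running `padded_lengths` over a batch of short messages shows the difference in ciphertext-size behaviour: the power-of-two scheme collapses every message under 31 bytes into one 32-byte bucket, while the random scheme yields a different length on each call even for the same "hi".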