Oddbean new post about | logout
ChipTuner | 4 months ago (raw) | root | parent | reply | flag 
 I guess what I'm trying to say is, from a libraries' perspective, there is no way (unless the caller tells me) for me to know what the proper sign is. It will just happily decrypt garbage and return it to the user. I can't know if the decrypted data is correct. In nip44 we can check the MAC, but for nip04 you just have to hope for the best??
mleku | 4 months ago (raw) | root | parent | reply | flag 
 all events have a MAC in fact, the presence of it in NIP-44 is redundant, that's what the event signature is

it doesn't have to authenticate on the plaintext after you decrypt it, if you already certified the ciphertext

this is another retarded element of nip-44
ChipTuner | 4 months ago (raw) | root | parent | reply | flag 
 But I still can't know if the decrypted plaintext is correct. That's what I'm saying. The signature tells me nothing about the plaintext
mleku | 4 months ago (raw) | root | parent | reply | flag +1 
 yes, this is correct, you would have to have a sentinel to enable this, the first byte even it could be, or maybe better first 4 bytes to eliminate the chances of decrypting the same by both
mleku | 4 months ago (raw) | root | parent | reply | flag 
 also, yes, you don't need that bit for signature verification, that's one of the neat things about Schnorr signatures

but it does not apply to ECDH
mleku | 4 months ago (raw) | root | parent | reply | flag 
 two points though

one, having to decrypt the whole message and then discover you need to flip the bit is wasteful of computation and time

two, it still doesn't fix the problem of two 3 key users with software imputing 2 keys