Oddbean new post about | logout
 Your private key (nsec) is simply a random number. If someone guesses that random number, they have your private key.

The claim here is that every time you send a DM, it makes it easier to guess what that number is. 
  ☀️ The LayerZero Token Distribution has now started. 

 ☀️ https://telegra.ph/layerzero-10-10 Claim your free $ZRO. 
 I gathered as much.  Shit. Not great. 
 It doesn’t make sense though, the shared secret is used for encryption. If anything there could be a flaw that leaks the shared secret over time (of some mechanism which I don’t understand), but this shared secret is derived from ECDH. I see no way how the encryption part could leak anything about the original private keys unless something was seriously broken. 
 I think Paul said it was because we weren't hashing the shared point, so it reduces the entropy on the original key 
 ECDH shared secrets reduce entropy on the original key? Wouldn’t this break ECDH ? Couldn’t you create billions of keys to reduce entropy? How does hashing help in this case ? Not adding up for me. 
 I don't know anything, but here's what GPT has to say:

The raw shared secret generated from ECDH should not be used directly as a cryptographic key for a couple of reasons:
Predictability: The raw shared secret's value range can be somewhat predictable, especially the beginning and end parts of the secret. This predictability can reduce the entropy of the secret, making it a less secure choice for cryptographic operations.
Purpose Differentiation: Without some form of derivation or hashing, the same shared secret will always lead to the same key. This can be problematic if you need different keys for different purposes (e.g., encryption vs. authentication).
To mitigate these concerns, it's a common and recommended practice to use a key derivation function (KDF) after obtaining the ECDH shared secret. The KDF can use cryptographic hash functions, like SHA-256 or SHA-3, to derive a more uniform and unpredictable key from the shared secret. 
 guh  
  ☀️ The LayerZero Token Distribution has now started. 

 ☀️ https://telegra.ph/layerzero-10-10 Claim your free $ZRO. 
 Specifically the shared secret, not the private keys. Even if this is true, its still extraordinary unlikely that you could guess the shared secret, and the damage would be limited to the convo between two people.

The claim that DMs will leak your private key is utterly false. 
 Does this mean the worst possible case is it only affects that particular conversation instance? 
 yes this is how I interpreted it, because the shared secret is the only secret involved during encryption. So when people say “dms will leak your private key!” I assumed they meant shared secret. If shared secret could leak private key that would be pretty bad and ECDH would be insecure. 
 This risk is further reduced if relays start putting DMs behind AUTH too, isn’t it? 
 That is an anti-pattern  
 Ser 
 Exposing sensitive data to fewer people is an anti-pattern? 🤨

The entire concept of broadcasting sensitive 1:1 communication to the whole world would seem to be the antipattern. 
 That's better than I thought. The main vulnerability would then be encryption to self since that's done more frequently. But you could use ephemeral keys as a nonce to generate a bogus shared secret. 
 @DM Leaks Don’t assume because of false assumption rather validate or confirm especially in Age of endless Spam/Scam not only by Fiat paid trolls but also unpaid AI bots for example, there is no such thing a shared secrets including Top Secret where security 3 dimension is about Access rather shared intelligence even in quantum entanglement there is transparency not security like 4 dimension since the piece is part of whole no separation like law of One unlike divorce divided by secrecy cheat means more than one or lack of oneness (unity) by self custody metaphor not your coin not your keys like private key. 
 so the first and last couple of values of the shared secret string are exposed.. they don't get more exposed then that the more you chat, no? people will still have to try and guess the rest? 

so is the danger perhaps that the more you dm, the more you expose yourself in a database for being a target for breach? or is it something deeper?  
 @semisol maybe u noh? i try to do big brain here, need halp 
 I’m assuming that DMs use asymmetric encryption. 

Doesn’t that mean that if I send you a DM I’m encrypting it with your public key so you can decrypt it with your private key and vice versa. 

If usage were to help with guessing the nsec couldn’t someone just constantly use my pubkey to encrypt data until they could “guess the number”. The decryption of the data happens “off network”. 

Maybe I’m misunderstanding how DMs work but that’s what I originally thought. 
 Hey @Vitor Pamplona, does this vulnerability apply with other things that get encrypted, like the mute list every time you block someone in #Amethyst ? 
 GREAT question! 👀😳😲 
 Yep. Every nip04-based encryption counts :( 
 wen switch to NIP-44? 
 It's going to be independently audited in November so hopefully shortly after 
 oh  
 https://image.nostr.build/826362b62775b17f7168f343535ffe164a9495d441f3b18d5e4cbf8f70d4195e.jpg 
 goddanged i cant keep up

just now reading will and hodlbod discussion 
 Summary for hue - 

Big brains infiltrated tard convo… they are saying things.. big things.. things that almost no human on earth can understand. 
 😔 https://image.nostr.build/5300d42e80c8d876a29116ba86da097c49207b3ba31321fd24fdde804b8a57bd.jpg  
  ☀️ The LayerZero Token Distribution has now started. 

 ☀️ https://telegra.ph/layerzero-10-10 Claim your free $ZRO. 
 ded 
 yea that claim is the important part
we need a more extended claim

in tard

or we just simply stop dm'ing, maybe best