NIP-104: Double Ratchet DMs
NIP-104 is a draft for end-to-end encrypted direct messages using a double ratchet design, aiming to bring forward secrecy and post-compromise recovery to Nostr conversations.
Why It Matters
Existing Nostr DM solutions have limitations:
- NIP-04: Encrypts content but leaks metadata
- NIP-17 + NIP-59: Solves metadata leakage via gift-wrapping but lacks forward/backward secrecy
NIP-104 targets the missing property: if a device state or long-term key is compromised, the attacker should not automatically get the full conversation history or permanent access to future messages.
How It Works
NIP-104 starts with an X3DH-style setup that combines identity keys and prekeys to derive an initial shared secret. After that, each side advances a double ratchet: a Diffie-Hellman ratchet rotates root and chain keys when parties exchange fresh public keys, and a symmetric ratchet derives per-message keys inside each sending or receiving chain.
Because each message key is short-lived, old ciphertexts are harder to recover even if a later state is exposed. That is the main technical difference from single-static-key schemes.
Event Kinds
- Kind 10443: Publishes user prekeys for X3DH initialization
- Kind 443: Initial conversation setup with encrypted first message
- Kind 444: Subsequent encrypted messages in established conversations
All encrypted messages are wrapped in kind 1059 GiftWrap events for metadata protection.
Security and Tradeoffs
The security gain comes with more state. Each device pairing needs ratchet state, prekey management, and recovery logic for out-of-order delivery. Restoring an old backup or using multiple unsynchronized devices can break decryption until the conversation is re-established.
That tradeoff is why double-ratchet messaging is harder to retrofit than ordinary encrypted notes. Clients need durable local state and careful device semantics, not just an encryption primitive.
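The symmetric ratchet from "How It Works" and the out-of-order recovery logic mentioned above can be sketched as follows. This is an added example, not code from the NIP-104 draft: the HMAC-SHA256 step with constants 0x01 and 0x02 follows the recommendation in Signal's Double Ratchet specification and is an assumption here, and `MAX_SKIP`, the class names and the demo seed are hypothetical.

```python
import hashlib
import hmac

MAX_SKIP = 100  # assumed cap on cached skipped keys; not a value from the draft

def kdf_ck(chain_key: bytes) -> tuple[bytes, bytes]:
    """One symmetric-ratchet step: returns (next_chain_key, message_key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

class SendingChain:
    def __init__(self, chain_key: bytes):
        self.chain_key, self.n = chain_key, 0

    def next_key(self) -> tuple[int, bytes]:
        n = self.n
        # The old chain key is overwritten, so earlier message keys cannot be re-derived.
        self.chain_key, mk = kdf_ck(self.chain_key)
        self.n += 1
        return n, mk

class ReceivingChain:
    def __init__(self, chain_key: bytes):
        self.chain_key, self.n, self.skipped = chain_key, 0, {}

    def key_for(self, n: int) -> bytes:
        if n in self.skipped:              # late arrival: key was cached earlier
            return self.skipped.pop(n)     # single use, then forgotten
        if n < self.n:
            raise KeyError("message key already used or discarded")
        if n - self.n > MAX_SKIP:          # bound state a peer can force us to keep
            raise ValueError("too many skipped messages")
        while self.n <= n:                 # advance the chain, caching each key on the way
            self.chain_key, mk = kdf_ck(self.chain_key)
            self.skipped[self.n] = mk
            self.n += 1
        return self.skipped.pop(n)

def demo() -> tuple[bool, bool, bool]:
    seed = hashlib.sha256(b"constructed chain key for demo").digest()
    sender, receiver = SendingChain(seed), ReceivingChain(seed)
    sent = dict(sender.next_key() for _ in range(4))
    # Messages arrive as 0, 3, 1, 2; every one must still decrypt.
    out_of_order_ok = all(receiver.key_for(n) == sent[n] for n in [0, 3, 1, 2])
    try:
        receiver.key_for(1)                # replayed message number
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    return out_of_order_ok, replay_rejected, receiver.chain_key == sender.chain_key
```

A receiver restored from an old backup holds a stale `chain_key` and `n`, which is the desynchronization case the section describes.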
Interop Notes
The proposal uses dedicated setup and message kinds plus NIP-59: Gift Wrap for transport privacy. It also recommends publishing these gift-wrapped events only to relays listed in a user’s kind 10050 DM-relay preference event. That means NIP-104 is not simply a drop-in replacement for NIP-17: Private Direct Messages; clients need explicit support for its prekey flow, DM-relay discovery, and ratchet state machine.