NIP-104 defines end-to-end encrypted direct messages using a double ratchet protocol (based on Signal’s architecture), providing forward secrecy and post-compromise security for Nostr conversations.

Why It Matters

Existing Nostr DM solutions have limitations:

  • NIP-04: Encrypts content but leaks metadata
  • NIP-17 + NIP-59: Solves metadata leakage via gift-wrapping but lacks forward/backward secrecy

NIP-104 completes the picture: if a user’s private key is compromised, attackers cannot read past messages (forward secrecy) or continue reading future messages indefinitely (post-compromise security).

How It Works

Initial Setup (X3DH)

Two parties perform an extended triple Diffie-Hellman exchange using identity keys and prekeys to derive an initial shared root key.

The Double Ratchet

  1. DH Ratchet: Each time parties exchange messages, new Diffie-Hellman keys are generated, producing new root keys and chain keys
  2. Symmetric Ratchet: Separate sending and receiving chains derive individual message keys for each message

This continuous key rotation limits the damage of any single compromise: each message is encrypted under its own key that is discarded after use, so a leaked message key exposes one message, and a leaked chain key exposes only the messages up to the next DH ratchet step.

Event Kinds

  • Kind 442: Publishes user prekeys for X3DH initialization
  • Kind 443: Initial conversation setup with encrypted first message
  • Kind 444: Subsequent encrypted messages in established conversations

All encrypted messages are wrapped in kind 1059 GiftWrap events for metadata protection.

Key Tags

  • p - Recipient’s public key
  • prekey - Recipient’s prekey for DH calculation
  • dh_sending - Current DH sending public key
  • current_index - Message number in the chain
  • previous_length - Length of previous message chain
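The symmetric ratchet and the current_index tag described above, as an added example that is not code from NIP-104 or any Nostr client: an HMAC-SHA256 KDF chain deriving one key per message, with the receiver caching keys for messages that arrive out of order. The chain-key value is constructed for the demo; the X3DH setup, the DH ratchet and the kind 444 wire format are left out.

```python
import hmac
import hashlib

# Constructed demo value standing in for a chain key derived from the X3DH root key.
SHARED_CHAIN_KEY = hashlib.sha256(b"constructed demo chain key").digest()

def kdf_ck(chain_key):
    """One symmetric-ratchet step -> (next chain key, message key). HMAC-SHA256 with constant
    inputs 0x01 / 0x02 as in the Double Ratchet spec; one-way, so a later chain key cannot be run backwards."""
    next_ck = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    mk = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_ck, mk

class SendingChain:
    def __init__(self, chain_key):
        self.ck, self.index = chain_key, 0

    def next_key(self):
        """Advance the chain; returns (current_index, message_key) for one outgoing message."""
        self.ck, mk = kdf_ck(self.ck)
        self.index += 1
        return self.index - 1, mk

class ReceivingChain:
    def __init__(self, chain_key, max_skip=32):
        self.ck, self.index, self.max_skip = chain_key, 0, max_skip
        self.skipped = {}  # current_index -> message key cached for late arrivals

    def key_for(self, current_index):
        """Message key for the message tagged current_index, ratcheting forward and
        caching keys for any messages it overtakes; a consumed key is gone for good."""
        if current_index in self.skipped:
            return self.skipped.pop(current_index)
        if current_index < self.index:
            raise ValueError("message key already consumed (replay or duplicate)")
        if current_index - self.index > self.max_skip:
            raise ValueError("too many skipped messages")  # bounds state kept for stragglers
        while self.index < current_index:
            self.ck, mk = kdf_ck(self.ck)
            self.skipped[self.index] = mk
            self.index += 1
        self.ck, mk = kdf_ck(self.ck)
        self.index += 1
        return mk

def out_of_order_demo():
    """Sender derives four keys; receiver sees them as 2, 0, 1, 3 and still matches every one."""
    tx, rx = SendingChain(SHARED_CHAIN_KEY), ReceivingChain(SHARED_CHAIN_KEY)
    sent = dict(tx.next_key() for _ in range(4))
    return all(rx.key_for(i) == sent[i] for i in (2, 0, 1, 3))
```

At a DH ratchet step, previous_length plays the same role across the chain boundary: it tells the receiver how many keys to derive from the old chain before it is discarded.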

Limitations

Sessions are bound to a single device-client pairing. Reading the same conversation on several devices requires a separate initialization for each one, a tradeoff accepted in exchange for the stronger security guarantees.
