Privacy in mostro

[bilthon]

Summary

Nostr's operation results in the leakage of some metadata about trades to external observers. Although identities in Nostr are pseudonymous, making an effort to cover these tracks would be beneficial.

The Problem

Mostro currently communicates with a mix of messages of kind 3000 and kind 4. Kind 3000 are replaceable notes used to post orders. These are akin to posting messages in a public board. The information in them is public and they're always issued by mostro so there's not much to protect there. But these order notes are preceded by direct messages (DMs) of kind 4 that carry the order information. Similarly when an order is taken, a DM to mostro is issued by the taker, and subsequently more DMs are sent from mostro to the order maker.

The kind 4 messages are meant to be direct messages, and while the contents of the message are encrypted, an external observer does get the public key information, meaning it is known who communicated to whom. A simple time correlation between these DMs and the order state changes would allow an attacker to infer the Nostr identities of buyer and seller.

Using only relays that support NIP-42 (authenticated messages) could minimize this information leak. However, a motivated attacker could still gather information by setting up one or multiple relays.

Ephemeral Identities

A proposed solution involves creating ephemeral identities for both the buyer and seller. These identities would last for the duration of the trade and be discarded afterward. By taking advantage of the fact that identities in Nostr are simply private/public key pairs and relatively cheap to create, the real traders' public keys can be masked.

The root identity of each party can still be communicated to Mostro to maintain the reputation system, but this information would be contained within the encrypted payload of each message.

[grunch]

Agree, we should work in favor to this proposal the only way of work, all clients should implement this because if a seller creates an order using an ephemeral identity and the buyer is not, it will compromise the seller privacy

[Camilojdl]

🔥🔥🔥

[arkanoider]

Seems a good and possible improvement on privacy side.
I was thinkin about a possible flow of the messages...have you yet something in mind? @bilthon
Ephemeral identities should be generated by mostro?

[bilthon]

I think they should be created by clients, which would use these throwaway keys to sign & encrypt the kind 4 nostr messages that are sent to mostro. This would work kind of like an onion package. I thought to extend the message payload in order to have something like an npub field in which each party (buyer/seller) would inform mostro about their true identity.

I see @grunch already implemented something in mostro, my rust is not that good to follow along though, so maybe he'd be better positioned to explain.

I could be wrong but I don't think anything about the current message flow has to change.

[grunch]

everything should be working the same, but if your client wants to implement ephemetal identities, you should create a new identity when create a new order and when the counterpart take it (takebuy/takesell), and the real identity should be sent on the message on the pubkey field as you can see here in Message

https://docs.rs/mostro-core/latest/mostro_core/struct.Message.html

for now is optional but probably we should make it mandatory

[bilthon]

Just to add here that even with this in place, we would still have network level attacks that could be used to de-anonymize users. But maybe this is something better handled by the users themselves by using VPNs or TOR.

[grunch]

yes, we will recommend to use tor

[grunch]

I already merged this, now we need to implement it on clients