NAK: The Nostr Multipurpose Tool
`nak` is a command-line tool for a wide range of interactions with the Nostr protocol. It is described as a "Nostr army knife" because of its versatility.
Some of the functionalities `nak` offers:
- Creating and signing events: `nak` can create Nostr events with custom content and tags and sign them with a specified key. It can also mine events to a Proof-of-Work target. Keys are accepted in hex, nsec or ncryptsec format.
- Publishing events: it can publish events to one or more relays.
- Querying relays: `nak` can query multiple relays for events filtered by criteria such as kind, tag and limit. It can also fetch all events quoted by a given pubkey within a specific time frame.
- Decoding and encoding: it can decode NIP-19 codes such as `note1` and `nevent1` and encode them back, including adding relay hints.
- Fetching events: it can fetch events using the relay and author hints embedded in `nevent1` codes and pretty-print them.
- Republishing events: `nak` can read an event from one relay and republish it to multiple others.
- Verifying events: `nak` can verify the validity of an event (its id and signature).
- Collaborative signing: it supports collaborative signing of a single event by multiple parties using MuSig2.
- Key management: `nak` can generate private keys, encrypt keys using NIP-49, decrypt them again, and derive public keys from private keys.
- Remote signing: it can sign events using a remote NIP-46 bunker or a NIP-49 encrypted key.
- Relay management: `nak` can interact with a relay's NIP-86 management API, for example to allow a specific pubkey. It can also start a local bunker.
- Working with timestamps: it can create NIP-70 protected events with custom timestamps and multi-value tags.
- Data retrieval: `nak` can download large amounts of data from a relay by paginating requests.
- Local relay: it can run a local relay for test purposes.
- Downloading torrents: `nak` can download a NIP-35 torrent from an event.
- Watching livestreams: it can watch NIP-53 livestreams by fetching the stream URL from an event.
- Downloading jq functions: it can download helpful `jq` functions for handling Nostr events.
- Contributing: it facilitates contributing patches using NIP-34.
`nak` is designed to be a comprehensive tool for interacting with the Nostr network, offering a wide range of functionalities from basic event creation and publishing to more advanced features such as collaborative signing and relay management.
Event Creation:
- Basic event creation: the `nak event` command creates a basic Nostr event and signs it with a default key. The result is a JSON object with the fields `id`, `pubkey`, `created_at`, `kind`, `tags`, `content` and `sig`.
- Custom content and tags: users can create custom events by specifying the signing key, content and tags with the `--sec` (secret key), `-c` (content) and `--tag` options.
- Multiple relay publishing: events are published to multiple relays by listing the relay addresses after the `nak event` command, for example: `nak event --sec 02 -c 'good morning' --tag t=gm nostr-pub.wellorder.net relay.damus.io`.
- Signing with different keys: `nak` signs events with the secret key given by the `--sec` option, which may be in hex, nsec or ncryptsec format. The key can be passed directly or read from an environment variable.
- NIP-49 encrypted keys: `nak` can sign events with a key encrypted under NIP-49; the key is decrypted with a password at signing time.
- Remote signing with NIP-46: `nak` can have events signed by a remote NIP-46 bunker.
- Collaborative signing with MuSig2: `nak` supports collaborative event signing by multiple parties using MuSig2.
- Setting the event timestamp: the `--ts` option sets a specific timestamp, including relative times such as "two weeks ago".
- Proof of Work: the `--pow` option mines the event to a Proof-of-Work (PoW) target.
- NIP-70 protected events: `nak` can generate NIP-70 protected events with multi-value tags.
Event Verification:
`nak` includes a `verify` command that checks the validity of an event. It takes an event JSON string as input and reports whether the event is valid: it recomputes the `id` from the serialized event and checks the signature against the `pubkey`.
- `verify` returns an error if the event is not valid. For example, an event whose `id` does not match its contents produces an error such as `invalid .id, expected 05bd99d54cb835f427e0092c4275ee44c7ff51219eff417c19f70c9e2c53ad5a, got 05bd99d54cb835f327e0092c4275ee44c7ff51219eff417c19f70c9e2c53ad5a` (the two hashes differ in a single hex digit, which is enough to invalidate the event).
All in all, `nak` provides a range of functionalities for creating and verifying Nostr events, including customisation of content, tags, keys and other event properties, as well as remote and collaborative signing.
The `nak` tool incorporates several security features, including:
- Key generation: `nak` can generate private keys.
- Key encryption and decryption: it supports encrypting and decrypting keys using NIP-49, so private keys can be stored encrypted under a password instead of in plain text.
- Remote signing via bunkers: `nak` can sign events through a remote NIP-46 bunker, which lets users keep their private keys off the device used to create events.
- Encrypted key signing: the tool can sign events using NIP-49 encrypted keys.
- Collaborative signing: `nak` supports collaborative signing of events by multiple parties using MuSig2.
- Event verification: the tool can verify whether an event is valid.
- Relay management API interaction: `nak` can interact with a relay's NIP-86 management API, though the specific example given in the source did not work as intended.
- Environment variable for keys: `nak` can read the private key from an environment variable, which keeps it out of the command line and shell history and allows flexibility in how keys are managed.
These features aim to protect private keys and the integrity of Nostr events created and managed with `nak`.
The primary purpose of NIP-49 is to define a method for clients to encrypt and decrypt a user's private key using a password. This improves the security of private keys by ensuring they need not be stored in plain text.
A synopsis of the key aspects of NIP-49:
- Private key encryption: NIP-49 specifies how to encrypt a user's private key with a password. Passwords are not suitable as cryptographic keys by themselves and must first go through a key derivation process.
- Key derivation: the specification uses the scrypt key derivation function to derive a symmetric key from the user's password. Scrypt is memory-hard, which makes brute-force attacks expensive.
- Before being fed to scrypt, the password must be Unicode-normalised to NFKC form, so that the same password typed on different platforms derives the same key.
- Scrypt takes a salt and a `log_n` parameter; the cost parameter is N = 2^log_n, which controls the memory and time needed for key derivation. A larger `log_n` offers better protection but takes longer.
- Symmetric encryption: the derived symmetric key is used with the XChaCha20-Poly1305 AEAD to encrypt the private key. This algorithm is favoured by cryptographers and is widely available.
- Encryption process: the encryption involves several steps:
- A key security byte records whether the key is known to have been handled insecurely.
- A 24-byte random nonce is generated.
- The private key is encrypted with XChaCha20-Poly1305 under the derived symmetric key and the nonce, with the key security byte passed as associated data (it is authenticated but not encrypted).
- The encrypted private key is then bech32 encoded with the prefix `ncryptsec`, together with the parameters needed to decrypt it (version byte, `log_n`, salt, nonce and key security byte).
- Decryption process: decryption reverses the encryption: the password is normalised and run through scrypt with the stored salt and `log_n` to recover the symmetric key, which then decrypts and authenticates the private key.
- Non-deterministic encryption: because of the random nonce (and salt), encrypting the same private key under the same password produces a different `ncryptsec` each time.
- Security recommendations: NIP-49 advises against publishing encrypted private keys to Nostr, since an attacker who amasses many encrypted keys can attack them all and needs only the weakest password to succeed. It also recommends zeroing the memory holding passwords and private keys once they are no longer needed.
NIP-49 safeguards private keys by combining a password, a memory-hard key derivation function and an authenticated encryption algorithm. The `nak` tool implements this specification, allowing users to encrypt and decrypt private keys.
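The parts of NIP-49 that can be shown with the Python standard library alone are worked through below: the 91-byte `ncryptsec` payload layout (version byte 0x02, `log_n`, 16-byte salt, 24-byte nonce, key security byte, 48-byte ciphertext consisting of the 32-byte key plus the 16-byte Poly1305 tag), its bech32 encoding and decoding with validity checks, NFKC normalisation followed by scrypt with the NIP-49 parameters (N = 2^log_n, r = 8, p = 1), and the memory cost implied by `log_n`. This is an added example written for this page, not nak's code. The XChaCha20-Poly1305 step itself is not implemented here; a real implementation would wrap a libsodium binding around `derive_key`. The ciphertext bytes in `DEMO` are constructed placeholders, not a real encryption.

```python
"""NIP-49 container handling: bech32 'ncryptsec' layout, NFKC + scrypt key derivation,
and the memory cost implied by log_n. Added example, not nak's code; XChaCha20 is not done here."""
import hashlib
import unicodedata
from typing import NamedTuple

BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
SCRYPT_R, SCRYPT_P = 8, 1  # fixed by NIP-49; only log_n is stored in the payload
KEY_SECURITY = (0x00, 0x01, 0x02)  # handled insecurely / not known to be / client does not track


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or (acc << (tobits - bits)) & maxv:
        raise ValueError("invalid bech32 padding")
    return out


def bech32_encode(hrp, payload):
    # NIP-19 ignores BIP-173's 90-character limit, so none is enforced (an ncryptsec is 162 chars).
    data = _convertbits(payload, 8, 5, True)
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(BECH32_CHARSET[d] for d in data + checksum)


def bech32_decode(s):
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1:
        raise ValueError("missing bech32 separator")
    hrp, data = s[:pos], [BECH32_CHARSET.find(c) for c in s[pos + 1:]]
    if -1 in data or _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad bech32 character or checksum")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, False))


class Ncryptsec(NamedTuple):
    log_n: int
    salt: bytes          # 16 bytes, scrypt salt
    nonce: bytes         # 24 bytes, XChaCha20 nonce
    key_security: int    # associated data: authenticated, not encrypted
    ciphertext: bytes    # 32-byte key + 16-byte Poly1305 tag


def derive_key(password, salt, log_n):
    """NIP-49 KDF: NFKC-normalise the password, then scrypt(N=2^log_n, r=8, p=1) -> 32 bytes."""
    pw = unicodedata.normalize("NFKC", password).encode()
    n = 1 << log_n
    return hashlib.scrypt(pw, salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
                          maxmem=128 * SCRYPT_R * (n + SCRYPT_P + 2) + 4096)


def scrypt_memory_bytes(log_n):
    """Working memory scrypt needs at these parameters: 128 * r * 2^log_n (64 MiB at log_n=16)."""
    return 128 * SCRYPT_R * (1 << log_n)


def encode_ncryptsec(c):
    payload = bytes([0x02, c.log_n]) + c.salt + c.nonce + bytes([c.key_security]) + c.ciphertext
    return bech32_encode("ncryptsec", payload)


def decode_ncryptsec(s):
    hrp, raw = bech32_decode(s)
    if hrp != "ncryptsec" or len(raw) != 91:
        raise ValueError("not a 91-byte ncryptsec payload")
    if raw[0] != 0x02:
        raise ValueError(f"unsupported NIP-49 version byte {raw[0]}")
    c = Ncryptsec(raw[1], raw[2:18], raw[18:42], raw[42], raw[43:])
    if c.key_security not in KEY_SECURITY:
        raise ValueError(f"unknown key security byte {c.key_security}")
    return c


# Constructed demo container: the ciphertext is a placeholder, not a real encryption.
DEMO = Ncryptsec(16, bytes(range(16)), bytes(range(24)), 0x01, bytes(48))

if __name__ == "__main__":
    s = encode_ncryptsec(DEMO)
    print(s, len(s), decode_ncryptsec(s) == DEMO)
    print("scrypt memory at log_n=16:", scrypt_memory_bytes(16) // 2**20, "MiB")
    # Composed and decomposed spellings derive the same key thanks to NFKC normalisation.
    print(derive_key("caf\u00e9", DEMO.salt, 12) == derive_key("cafe\u0301", DEMO.salt, 12))
```

Two practical points fall out of this: a decoder should reject a wrong version byte or payload length before touching the password, and `maxmem` has to be raised explicitly because OpenSSL's default 32 MiB cap is below the 64 MiB that `log_n = 16` requires.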
The `nak` command-line tool offers a variety of functionalities for interacting with the Nostr protocol. The three key ones are:
- Event creation and signing: `nak` can create Nostr events with custom content and tags and sign them with specified keys, accepted in hex, nsec or ncryptsec format. It can publish events to multiple relays, customise content, add tags and set timestamps. Additionally, `nak` can generate events with a Proof-of-Work target and create NIP-70 protected events.
- Key management: `nak` can generate private keys and encrypt or decrypt them using NIP-49, so users can store their private keys encrypted under a password. It can also derive public keys from private keys and sign events directly with NIP-49 encrypted keys.
- Querying and fetching events: `nak` can query multiple relays for events by criteria such as kind, tag and limit, and can fetch events using the relay and author hints in `nevent1` codes. It can also download large amounts of data from a relay by paginating requests, and fetch all events quoted by a given pubkey within a specific time frame.
The use of scrypt and XChaCha20-Poly1305 in NIP-49 offers several advantages for private key encryption:
- Scrypt for key derivation:
- Memory hardness: scrypt is a password-based key derivation function designed to be maximally memory-hard. Computing it requires a large amount of memory, which makes it far more expensive to brute-force on GPUs or ASICs than key derivation functions that are CPU-bound only. This matters because an attacker holding an `ncryptsec` can try many passwords offline, and each guess must pay the full memory and time cost.
- Slow, irreversible algorithm: scrypt is deliberately slow, which hinders brute-force attempts that try many passwords, and one-way, so it is computationally infeasible to recover the password from the derived key.
- Customisable security: the `log_n` parameter sets scrypt's cost parameter N = 2^log_n. Each increment of `log_n` doubles both the memory and the time needed (with NIP-49's fixed r = 8, memory is 128 * 8 * 2^log_n bytes, i.e. 64 MiB at log_n = 16), giving better protection at the cost of slower decryption. This allows a balance between security and performance depending on the user's device and needs.
- Strong key derivation: the key derived from the password has a uniform distribution of bits, as the symmetric encryption algorithm assumes, rather than the low-entropy structure of a human-chosen password.
- Cryptographer-endorsed: NIP-49's own rationale notes that several cryptographers advised its author that scrypt is preferable to Argon2, even though Argon2 won the Password Hashing Competition in 2015.
- XChaCha20-Poly1305 for encryption:
- Strong authenticated encryption: XChaCha20-Poly1305 is a robust AEAD construction favoured by cryptographers for its security and performance; the Poly1305 tag means a wrong password or a tampered `ncryptsec` is detected rather than silently yielding garbage.
- Alternative to AES: NIP-49 notes that it is typically favoured over AES (the Advanced Encryption Standard) and is less associated with the U.S. government, which matters to those concerned about U.S. government influence on cryptographic standards.
- Widespread usage: XChaCha20-Poly1305, and its earlier variant without the "X" (the 96-bit-nonce ChaCha20-Poly1305), are widely deployed, for example in TLS and OpenSSH, indicating their reliability. The "X" variant's 24-byte nonce is what allows NIP-49 to pick the nonce at random safely.
- Availability: the algorithm is available in most modern cryptography libraries, making it easy to implement across platforms and software.
The combination of scrypt and XChaCha20-Poly1305 in NIP-49 provides a secure and robust method for private key encryption. Scrypt's memory hardness and slow derivation protect against brute-force password attacks, while XChaCha20-Poly1305 provides confidentiality and integrity for the private key itself. These choices give a high level of protection to private keys used with the Nostr protocol and implemented in tools like `nak`.
Further reading: Full Details and Overview of NAK; NIP-49: Private Key Encryption.