nip-ab: clarify transcript_hash role and fix protocol diagram #346
Merged
tlongwell-block merged 1 commit into main on Apr 17, 2026
jmecom approved these changes on Apr 17, 2026
04b9803 to 9b78f5a
The spec language incorrectly implied that the transcript hash prevents MITM attacks. In practice, source sends the payload immediately after sas-confirm without waiting for acknowledgment, so the transcript hash is a detection mechanism (session corruption / replay), not a prevention gate. MITM prevention relies on the user's visual SAS comparison on the source device before the source confirms. Addresses feedback from internal security review (Jordan Mecom).
9b78f5a to c8da858
tlongwell-block added a commit that referenced this pull request on Apr 17, 2026

* origin/main:
  nip-ab: clarify transcript_hash role and fix protocol diagram (#346)
  chore: fix deprecation warnings and decompose AgentsView (#347)
  chore: improve thread panel inline replies and nesting behavior (#339)
  feat: NIP-AB device pairing — Phase 2 (desktop + mobile UI) (#343)
  fix(huddle): prevent phantom huddle from late-arriving relay events (#344)
  perf(tts): reduce Kokoro time-to-first-audio with session warmup and threading (#342)
tlongwell-block added a commit that referenced this pull request on Apr 17, 2026

Model changes:
- Split Target_Receives_Payload into Target_Buffers_Payload (opaque ciphertext, linear TgtCanBuffer gate) + Target_Decrypts_Payload (senc pattern match gated on TgtTransferring). Faithfully captures #346's dual-consent buffering semantics.
- New lemmas: injective_target_source_agreement, target_decrypts_payload_only_after_dual_consent, decryption_requires_prior_buffering, executable_payload_buffered_before_approval
- Renamed TgtReadyPayload -> TgtTransferring, TargetReceivedPayload -> TargetDecryptedPayload for spec alignment
- Added SAS abstraction comment, transcript hash detection-not-prevention note

Spec changes:
- SAS denial is now MUST-abort (primary MITM defense)
- SHOULD->MUST for SAS prompt text and secure storage
- Added payload zeroization requirement
- Tightened protocol_error to exclude peer-triggered responses (anti-oracle)
- Clarified decrypt ambiguity: implementations may NIP-44-decrypt for type routing but MUST NOT extract payload field before dual consent; recommends ciphertext buffering as safest strategy
- Defense-in-depth scoped to session establishment, not payload confidentiality
- All 16 lemmas named in Formal Verification section with precise descriptions and explicit no-compromise preconditions
- Expanded abstractions list to 11 categories

All 16 lemmas verified by Tamarin Prover (14.5s).
Addresses feedback from internal security review on the NIP-AB spec (#333).
Changes (spec only, no code):
- AwaitingConfirmation now explicitly accepts early payload (buffered until user confirms SAS), resolving a contradiction with the out-of-order discard rule.
- sas-confirm + payload immediately after local SAS confirmation, with no wait for target.
- sas_mismatch broadened to cover transcript hash verification failures.
- sas-confirm, separate target confirmation, and immediate payload send.

cc @jmecom
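
The target-side behaviour described in this PR, as an added example that is not code from the PR or the project: an early payload is buffered as opaque ciphertext in AwaitingConfirmation, decrypted only after both a valid sas-confirm and the local user's SAS approval, and a transcript hash failure aborts with sas_mismatch. The class, method and field names, the `user_denied` label and the injected `decrypt` callable are assumptions.

```python
import hmac
from enum import Enum, auto

class State(Enum):
    AWAITING_CONFIRMATION = auto()  # SAS displayed, target user has not answered
    TRANSFERRING = auto()           # dual consent reached, payload decrypted
    ABORTED = auto()

class TargetSession:
    """Target-side consent gate; method and field names are hypothetical."""
    def __init__(self, local_transcript_hash, decrypt):
        self.state, self.abort_reason = State.AWAITING_CONFIRMATION, None
        self._local_hash = local_transcript_hash
        self._decrypt = decrypt    # stand-in for the real payload decryption
        self._source_ok = self._user_ok = False  # the two consents
        self._buffer = bytearray()  # opaque ciphertext, never parsed before consent

    def on_sas_confirm(self, peer_transcript_hash):
        # Detection, not prevention: the source has already sent its payload.
        if hmac.compare_digest(peer_transcript_hash, self._local_hash):
            self._source_ok = True
            return self._release()
        return self._abort("sas_mismatch")

    def on_payload(self, ciphertext):
        if self.state is State.AWAITING_CONFIRMATION and not self._buffer:
            self._buffer = bytearray(ciphertext)  # early payload: buffer only
        return self._release()

    def on_user_sas(self, matches):
        if not matches:
            return self._abort("user_denied")     # constructed reason label
        self._user_ok = True
        return self._release()

    def _release(self):
        ready = self._source_ok and self._user_ok and len(self._buffer) > 0
        if self.state is not State.AWAITING_CONFIRMATION or not ready:
            return None
        self.state = State.TRANSFERRING
        try:
            return self._decrypt(self._buffer)
        finally:
            self._buffer[:] = bytes(len(self._buffer))  # best-effort zeroization

    def _abort(self, reason):
        if self.state is State.AWAITING_CONFIRMATION:
            self.state, self.abort_reason = State.ABORTED, reason
            self._buffer[:] = bytes(len(self._buffer))  # wipe, never decrypted
```

Each handler returns the plaintext once, at the moment the last of the three conditions is met, and `None` otherwise, so the order in which sas-confirm, payload and the user's answer arrive does not matter.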