Description
Edit by @prolic: I leave the original ticket description, but before anyone gets shocked, TL;DR: NIP44 is all good - The findings presented here stem from a misunderstanding of the original NIP44 document. Clarification has been tried to get appended here.
NIP-44 Implementations: Analyzing the Inconsistencies
NIP-44, which governs encrypted messaging in Nostr, mandates the use of Elliptic-curve Diffie–Hellman (ECDH) with the specific function secp256k1_ecdh. Extensive test vectors for NIP-44 are available here.
However, an examination of various NIP-44 implementations across multiple languages reveals significant inconsistencies:
C
- usage
- implementation is correct
- does not seem to test against official test-vectors
F#
Go
- usage
- implemented in dcrd
- the implementation is NOT correct
- does not test against official test-vectors
JavaScript
- usage
- implemented in noble-curves
- the implementation is NOT correct
- tests against official test-vectors
Kotlin
- usage
- the implementation is NOT correct
- tests against official test-vectors
Rust
- usage
- the implementation is correct (edited)
- does not test against official test-vectors
Swift
- usage
- implementation is correct
- tests against official test-vectors (which is weird!)
Summary of Findings
Only two implementations (C and Swift) are correct, while others mistakenly use secp256k1_ec_pubkey_tweak_mul instead of secp256k1_ecdh.
Since the JavaScript implementation is incorrect but passes the provided test vectors (verified locally), it's likely that the test vectors were generated using this flawed implementation. Interestingly, the Swift implementation, which is correct, still passes these test vectors — this discrepancy is worth investigating further, as it might indicate failing tests when run locally.
Why Does This Matter?
If these discrepancies persist, encrypted messaging under NIP-44 in Nostr will lack true standardization. Although the protocol may be officially standardized, clients will not be interoperable, depending on the libraries they use. Additionally, there could be other broken implementations in various Nostr clients that haven't been identified yet.