NIP-44 (Versioned Encryption)

NIP-44 is the Nostr Improvement Proposal that defines versioned, keypair-based encryption for event payloads. It exists to replace the legacy NIP-04 direct-message encryption, which had known weaknesses, and is the cryptographic primitive that newer private-messaging standards build on. The specification is careful to scope itself: it defines only how bytes are encrypted, not how messages are structured or which event kinds carry them.

How version 2 works

The currently deployed version (0x02) derives a shared secret via ECDH scalar multiplication, then expands it with HKDF-SHA256. Symmetric encryption uses ChaCha20, chosen for speed and resistance to multi-key attacks, and integrity is protected by HMAC-SHA256 (preferred over polynomial MACs, which are easier to forge). A custom power-of-two padding scheme pads plaintext to a minimum of 32 bytes, reducing length leakage on short messages, and the result is Base64-encoded. The leading version byte lets the scheme evolve without breaking older clients.

What it does not protect

The authors are explicit about limits. NIP-44 provides no deniability, no forward secrecy, no post-compromise security, and no post-quantum security. It also does not hide metadata: the created_at timestamp and event structure remain public unless an outer protocol conceals them. That metadata gap is exactly what gift-wrapping and private-message standards address on top of NIP-44.

For sovereign Bitcoiners running their own clients and relays, understanding this primitive clarifies what private Nostr messaging actually guarantees. See NIP-59 (Gift Wrap) for the metadata-hiding layer and NIP-17 (Private Direct Messages) for the full DM stack that consumes it.