Grant Submission: Development of NymCHAT

General

NymCHAT is an app that enables users to send fully anonymous encrypted messages by leveraging Nym’s Mixnet with a Public “Dead Drop” SURB Registry.

In this 12-week project, I will deliver a functional Android application MVP that allows users to send and receive fully encrypted messages anonymously. I have already begun development, with a working prototype on GitHub: code-zm/nymChat (Python Messaging Client for secure communication through the Nym Mixnet).

I require little to no assistance but I am open to collaboration. It would be beneficial to be bouncing ideas off of an expert on the team to ensure I make the proper design decisions. I can do all the heavy lifting.

Problem it Solves

This project addresses the need for a truly secure, anonymous messaging platform. With a free & open source app leveraging Nym’s Mixnet, users around the world will be able to communicate privately.

Developer

code-zm (23 years old, USA, software developer, undergraduate cybersecurity student)

Plan

Costs

Undergraduate Developer Salary: ~30 Hours/week @ $20/hour for 12 weeks

  • $7,200 USD (~72,000 NYM) ($2,400/month)

SURB Registry Remote Hosting + Protections

  • $150 USD (~1,500 NYM)

TOTAL: $7,350 USD (~73,500 NYM)

Benefits for NYM

This project will serve as a showcase of Nym’s Mixnet technology by expanding its use case to messaging. It will highlight one of the many real-world applications of Nym’s technology, attracting new community members, privacy advocates, developers, and investors in the process.

Most importantly, it will provide true anonymous communication. This will empower people with privacy in a world where surveillance and censorship are rampant. This system could provide a safe haven for activists, journalists, and the average person who cares about their online privacy.

Future Development

Following the successful delivery of the Android version, I will apply for another grant to develop the iOS version as well as extending the app’s capabilities. Future updates could include decentralizing the SURB registry, group chats, file sharing, integration with NymVPN, etc.

Feel free to ask any questions, thanks!
code-zm

4 Likes

Great to see this idea progressing. I have a few responses:

  • what does the implement SURBs step from w1&2 refer to? SURBs are already implemented in the standalone nym-client which I think you’ll be using.
  • why an Android app first, rather than desktop?
  • which client package do you plan to use for this? The standalone nym-client from the nymChat python code works on a desktop environment with SURBs enabled, but I don’t think this will work on a phone. So you might need to use one of the SDKs via FFI.
  • Will there be a CLI interface?

2 Likes

  • implement SURBs step from w1&2 - The current prototype does not reply using the SURBs, all messages are simply directed to the recipient Nym address. implement SURBs in w1&2 refers to creating the logic to handle SURB → SURB replies as well as integration with the address book.

  • why Android first? - I chose to develop the mobile app first because I believe this is the best way to reach the ‘average’ person. If the team thinks a solid desktop version would be better suited as a starting point, I am open to it.

  • I will use the PyO3 python package with the Rust-SDK to ensure it works on mobile. I am not set on which client package I will use.

  • I don’t have plans for a CLI version currently, but I would be interested in creating one. With more time, I’d like to create a version for each platform: Windows, Linux, MacOS, Android, and iOS.

Let me know what you think about developing on mobile or desktop first!
Thank you for the questions, they help me refine my ideas.

2 Likes

I will use the PyO3 python package with the Rust-SDK to ensure it works on mobile.

Awesome, I was looking at the potential for building some Python FFI the other day. I just haven’t had time to create a set of bindings yet myself. Great to see!

I am not set on which client package I will use.

The mixnet module should suffice I think, since you’re building from the ground up. You could also look at the TcpProxy module as well though perhaps, depending on how you’d like to approach it.

I chose to develop the mobile app first because I believe this is the best way to reach the ‘average’ person. If the team thinks a solid desktop version would be better suited as a starting point, I am open to it.

Not necessarily! Since you’re using the Rust SDK + bindings I think that should be fine. Partially just curiosity. An Android chat app would be cool.

implement SURBs step from w1&2 - The current prototype does not reply using the SURBs, all messages are simply directed to the recipient Nym address. implement SURBs in w1&2 refers to creating the logic to handle SURB → SURB replies as well as integration with the address book.

If you’re using the Rust SDK then it has SURBs baked in already, so you can just use the normal send and reply functions. See here for an example: Anonymous Replies with SURBs (Single Use Reply Blocks) – Nym Docs

4 Likes

Updated Scope for MVP

My proposal remains the same. However, I have decided to reduce the initial scope of the project to ensure it does not get out of hand. My main long-term goals remain the same: user search, local PGP, file sharing, group chats, and iOS / Android apps.

TkInter GUI Miniapp

I will keep the front end in TkInter for simplicity. The back end will serve as a baseline for future development in React Native. I do not have experience shipping full stack apps yet but I am eager to learn. This reduced scope will be a benefit in the long run, allowing me to focus on creating a truly secure system before moving on to mobile development.

Goals of MVP

  • SURB Registry

    • a public nym-client instance which receives and stores SURBs, ephemeral public keys, and sender tags.
    • clients send queries to publish their SURBs or retrieve others
  • Encrypted messaging

    • Using Rust Python FFI for all nym-client interactions
    • PGP for encryption, decryption, and signing
    • ephemeral session keys for forward secrecy
  • Contacts

    • Local SQLite database
    • Stores name & PGP public key
  • GUI

    • Using CustomTkInter
    • Cross Platform for GNU Linux / Windows

Updated Design


Link: Blocks And Arrows

Updated Roadmap

Week 1 - Modularize existing code, start working on encryption
Week 2 - Implement PGP + Ephemeral Key Encryption
Week 3 - Rust Python FFI for nym-client interactions
Week 4 - Public SURB Registry
Week 5 - Public SURB Registry
Week 6 - Client user discovery
Week 7 - Tests + Demo video
Week 8 - Debug + Optimize
Week 9 - Stress test SURB Registry
Week 10 - Community test
Week 11 - Review feedback, make any final changes
Week 12 - Release official GUI + documentation / tutorials

Let me know if you have any questions, I am eager to hear back from the team regarding this!

Thanks,
code-zm

1 Like

This overall looks good to me. I have 2 suggestions/questions:

  1. As per the conversation in the Element chat, perhaps there might be more modern crypto libraries/approaches to take over PGP. It might be worth looking into alternatives now instead of having to swap it out for something else in the future.
  2. Is the work in weeks 1-3 necessary to begin the SURB registry work? If not, since this is the biggest unproven aspect of the app architecture here (in that no one has built one yet) I would suggest initially focusing on that, since that might dictate other aspects of the design space for the rest of the app.

2 Likes

Updated Cryptography

It’s been suggested by a few people now to use something other than PGP. Though it’s technically still a viable option, there are problems with PGP regarding authentication. (Harry wrote a research paper on this!)
https://arxiv.org/pdf/2008.06913

Harry pointed me to the IETF’s MLS protocol instead. I looked into it and have no objections. It provides better security and is scalable for large groups. This will come in handy when working on group chats in the future.
I will be using the OpenMLS Rust Library integrated into Python with PyO3.

Refined Roadmap

You’re right, I’ve updated the roadmap to reflect this. Thank you for the suggestion!

Week 1 - Public SURB Registry
Week 2 - Public SURB Registry
Week 3 - Client user discovery
Week 4 - Tests + Demo video
Week 5 - Modularize existing code, start working on FFI
Week 6 - Rust Python FFI for MLS cryptography
Week 7 - Rust Python FFI for nym-client interactions
Week 9 - Stress Tests
Week 8 - Debug + Optimize
Week 10 - Community test
Week 11 - Review feedback, make any final changes
Week 12 - Release official GUI + documentation / tutorials

1 Like

I will be using the OpenMLS Rust Library integrated into Python with PyO3.

Great

You’re right, I’ve updated the roadmap to reflect this. Thank you for the suggestion!

Any time!

Week 3 - Client user discovery

This is also going to be an interesting question regarding client address longevity and ‘updating’ your contact. Happy to chat through if you have ideas or questions here.

1 Like

Hey @code-zm, great stuff, really excited to see the project fully laid out. All that’s left now are the details of your grant!

I am happy to greenlight 80k NYM tokens for 3 months, as per your roadmap and proposal. Please provide updates here as you hit your milestones, and let @max-nym or I know if you have any questions.

Looking forward to using NymCHAT!

1 Like

Thanks @sudonym and all of the NYM team! This is huge for me and will help springboard my career in Cybersecurity / SWE! I have university finals coming up, but will begin development immediately after. (Dec. 11th)

Excited to build the future of messaging with NYM!

2 Likes