From 2ff3bff2cc178e2dcd7c0536a016b2d2800a55af Mon Sep 17 00:00:00 2001 From: Clawd Date: Fri, 20 Feb 2026 19:29:03 -0800 Subject: docs: update README for zero-dependency implementation --- README.md | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) (limited to 'README.md') diff --git a/README.md b/README.md index 4134431..8d42710 100644 --- a/README.md +++ b/README.md @@ -8,15 +8,15 @@ go get code.northwest.io/nostr ## Why This Library? -**1 dependency.** That's it. +**Zero dependencies.** -Other Nostr libraries pull in 30+ dependencies. This one has exactly one direct dependency: `btcec` for Schnorr signatures (required by the protocol). +Other Nostr libraries pull in 30+ dependencies. This one has none. The secp256k1 cryptography is implemented in pure Go, embedded in the library. ``` -require github.com/btcsuite/btcd/btcec/v2 v2.3.4 +require (nothing) ``` -No WebSocket libraries, no logging frameworks, no kitchen sink. Just the core protocol. +No external crypto libraries, no WebSocket libraries, no logging frameworks, no kitchen sink. Just the core protocol. ## What's Included 
@@ -31,6 +31,20 @@ No WebSocket libraries, no logging frameworks, no kitchen sink. Just the core pr This is a minimal core library. It implements NIP-01 and the basics. It doesn't implement every NIP, handle connection pooling, or manage relay discovery. Build that yourself, or don't. +## Cryptography + +This library uses an internal pure-Go implementation of secp256k1 and BIP-340 Schnorr signatures. + +**Tradeoffs:** + +- ✅ Zero dependencies, fully auditable +- ✅ Passes all BIP-340 test vectors +- ✅ Interoperable with btcec/bitcoin implementations +- ⚠️ **Not constant-time** — uses Go's `math/big`, which has variable-time operations +- ⚠️ ~10x slower than btcec (still fast enough for typical Nostr usage) + +For applications signing thousands of events per second or with strict timing-attack threat models, consider a library backed by btcec or libsecp256k1. + ## Usage ```go -- cgit v1.2.3
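Review bot: In the first hunk (README.md @@ -8,15), the fenced block now reads `require (nothing)`, which is not go.mod syntax and cannot be checked by a reader the way the removed `require github.com/btcsuite/btcd/btcec/v2 v2.3.4` line could. Suggest dropping the fence or showing the actual go.mod contents so the zero-dependency claim is verifiable. The same section now presents the embedded pure-Go secp256k1 as a pure gain, while the Cryptography section added later in this patch states it is not constant-time; a one-line pointer to that section here would keep readers who stop at "Why This Library?" from missing the tradeoff.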
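Review bot: In the second hunk (README.md @@ -31,6), the "Not constant-time" bullet does not say which operations are affected. Signing and public-key derivation operate on the secret key, while verification handles only public data, so the warning should name the secret-key paths explicitly, and the closing sentence should separate the timing concern from the throughput concern instead of folding both into one "consider a library backed by btcec or libsecp256k1" recommendation. In the same list, "Passes all BIP-340 test vectors" sits next to "fully auditable" without noting that the vectors check correctness only and say nothing about side-channel behaviour, and the "~10x slower than btcec" figure has no benchmark to reproduce it; suggest linking the test and benchmark that back both claims.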