Why we need wide adoption of social recovery wallets (vitalik.ca)
128 points by fbrusch 6 days ago | 43 comments

This quote would be illuminating in other crypto discussions on this forum, highlighting a common misunderstanding.

> To me, the goal of crypto was never to remove the need for all trust. Rather, the goal of crypto is to give people access to cryptographic and economic building blocks that give people more choice in whom to trust, and furthermore allow people to build more constrained forms of trust: giving someone the power to do some things on your behalf without giving them the power to do everything.

Satoshi also eludes to this in the whitepaper:

> Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers.

eludes -> alludes

Dark Crystal [0] is such a social key management system. It utilizes Shamir's secret sharing over a variety of distributed protocols (like scuttlebutt or briar) to allow you to break your secret (i.e. private key) up into "shards" and share them with your friends. Then when it's needed, you can retrieve it by having a subset of those friends submit their shard.

[0] https://darkcrystal.pw/

Somewhat OT, but it's a shame the improvements on Shamir's Secret Sharing are rare to find in the wild and everyone still goes straight to SSS. Despite having some neat cryptographic guarantees, there are still a few downsides to the scheme, which he first described in the 70s(!)

Adept Secret Sharing (ADSS) by Bellare, Dai and Rogaway is a significant advance, hope more people consider it in future.

Though I don't think there are many implementations around.


Interesting, thanks for pointing this out! Do you have any insights on how hard it is to implement? I'm not familiar enough with ADSS to tell whether it's worth the innovation token. [0]

[0]: https://mcfunley.com/choose-boring-technology

> whether it's worth the innovation token

That's a fair call, Shamir's secret sharing is pleasantly simple to use and understand.

Read the paper a while ago now but the scheme is still all fundamentally built on SSS, the auth, error checking and privacy layers are on top, so it's not a complete rework of what currently exists, more just some additions. Quite sure people have written some (perhaps all?) of these extras already in concert with regular secret sharing.

Am I understanding it correctly?

It's like a 'reset trade' button you can press and if most of your guardians approve, then they can reset your pubkey preventing the crypto from leaving your vault?

Sounds like a good idea, and could make people feel a lot more secure with their crypto. Definitely a tradeoff a lot of people would gladly take. You must admit it would be cool as hell to have a physical version of a key to turn simultaneously with your business partner to let your funds flow out somewhere.

This is my only real anxiety with the crypto I hold, and a good solution.

It's more like a password reset. When setting up your account, you can specify 5 friends to act as guardians.

If you ever forget your password (key), you generate a new secret key and you get 3 of the 5 friends to sign it. The new key then replaces your old key.

How is it different from having a private key + mnemonic phrase split between three persons? Once you have your private key stolen, you can recover your mnemonic phrase and transfer your funds to another wallet. Of course, this needs to happen before the thief can do the same, but this is not different from the proposed "social recovery wallet".

The problem is that transactions are a one-time, irreversible operation. I wonder if it would be possible to:

a) create wallets with an unchangeable per-transaction spending limit;

b) with the need to have transactions above a set amount to be confirmed after a set amount of time, with an email or other type of messaging sent between first and second confirmation.

(edit): The messaging part is impossible, as the blockchain cannot be aware if the message was actually sent; the miner could say it was and there's no check. But an app could observe the blockchain and notify the wallet owner of the transaction request.

One important difference: you can set the quorum.

If you just take a key (or phrase) and split it between 5 trusted folks, there's no way to say "a quorum of 3 people must be present to get my key back".

I believe it just depends on how you split it, right? You can split it so that each subgroup of three out of the five can reconstruct the entire phrase.

Slight change to the idea above:

- wallet with a daily limit for transactions that don't need a second confirmation a day apart.

- need for a second confirmation one day apart for transactions over said limit.

- "social recovery key" able to immediately bypass all limits.

So for daily use you can set your limit in such a way that you can perform immediate transactions. Bigger transactions (such as all your money) need to be confirmed a second time after 24 hours. During that time, a transaction request is written on the blockchain and can be observed by your wallet app. If someone steals your private key they can only transfer amounts within the daily limit, or trigger a warning by attempting to transfer more. If your private key is stolen, you can use a "social recovery key" that bypasses all limits and can be used to transfer your entire amount to a new wallet. What do you think?

> You can split it so that each subgroup of the five can reconstruct the entire phrase.

How? Example: Split a secret phrase ("correct horse battery staple") between 4 friends with a quorum of 2.

- Alice: correct

- Bob: horse

- Carol: battery

- Dave: staple

Great! But that's a quorum of 4. How do we reduce it to 2? Each person needs two words:

- Alice: correct horse

- Bob: battery staple

- Carol: correct horse

- Dave: battery staple

But what if Alice and Carol want to get the secret? Or Bob and Dave? Well, each person needs the entire secret.

- Alice: correct horse battery staple

- Bob: correct horse battery staple

- Carol: correct horse battery staple

- Dave: correct horse battery staple

...but now the quorum is 1, and all of them just have a copy of your secret. If you want to be able to have arbitrary quorums, you need cryptography.

Secret phrases are (typically) made of between 12 and 24 words.

Please try the above examples with 12 or 24 words if you think that will make it easier. Example:

Secret: either "a b c d e f g h i j k l" or "a b c d e f g h i j k l m n o p q r s t u v w x"

Participants: Alice, Bob, Carol, Dave

Quorum: 2

Which parts of the secret does each participant receive? Every combination of participant pairs must be able to recreate the full secret. No single participant may have the full secret.
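The "you need cryptography" point above, as an added example that is not part of the thread: a 2-of-4 Shamir split of "correct horse battery staple" over a prime field (the field prime and the toy phrase-to-integer encoding are choices made for this example), with a check that every pair of guardians recovers the phrase and no single guardian does.

```python
import secrets
from itertools import combinations

# Prime field for the arithmetic (constructed choice for this example: the
# Curve25519 prime, large enough to hold a 28-byte phrase as one integer).
P = 2**255 - 19

def split(secret, n, k):
    """Split `secret` into n shares (x, f(x)); any k of them reconstruct it."""
    assert 0 <= secret < P and 1 <= k <= n < P
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x)
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def combine(shares):
    """Recover f(0) by Lagrange interpolation through the given shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def phrase_to_int(phrase):
    return int.from_bytes(phrase.encode(), "big")

def int_to_phrase(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()

def check_quorum(phrase, n, k):
    """Return (every k-subset reconstructs, some (k-1)-subset reconstructs)."""
    shares = split(phrase_to_int(phrase), n, k)
    all_k = all(int_to_phrase(combine(list(g))) == phrase
                for g in combinations(shares, k))
    # With only k-1 points the degree-(k-1) polynomial is undetermined: the
    # interpolation returns some field element, equal to the secret only by chance.
    any_fewer = any(combine(list(g)) == phrase_to_int(phrase)
                    for g in combinations(shares, k - 1) if g)
    return all_k, any_fewer
```

Each share on its own is a single point on a random polynomial, so every candidate secret is equally consistent with it; that is the property the word-splitting attempts above cannot achieve.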


HN won't let me reply to the below comment so I'll copy and paste here:

> It's actually trivially possible [...] for [...] very long (60 words+) passphrases.

It is not. It doesn't matter if your passphrase is 6000 words, you can't have 4 participants with a quorum of 2.

> https://iancoleman.io/slip39/

This uses the exact cryptography that I said you'd need. This isn't just "mnemonic phrase split between three persons", it's literally Shamir's Secret Sharing.

It's actually trivially possible, but the entropy for each shard will be abysmally low, requiring very long (60 words+) passphrases. So you're right, there's no trivial way (by hand) to split a 24-word passphrase into 5 shards. However, it feels like a detail: such sharding is possible even if it's not trivial:


Sorry, but what's wrong (apart from the low entropy of each shard) with:

      Al  Bob  Car  Dav
  a:  -   x    x    x
  b:  x   -    x    x
  c:  x   x    -    x
  d:  x   x    x    -
  e:  -   x    x    x
  f:  x   -    x    x
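The holdout table above, as an added example that is not part of the thread, generalised from 2-of-4 to any n participants with quorum k: each word is withheld from exactly one (k-1)-sized group, so C(n, k-1) words are needed, and the code reports the fraction of the secret each single participant ends up holding (the "low entropy" cost the comment mentions).

```python
from itertools import combinations

def holdout_scheme(participants, k):
    """Assign word indices to participants.

    Word w is withheld from the w-th (k-1)-subset of participants, so any k
    participants together hold every word, while any k-1 of them miss the
    word that was withheld from exactly their group.
    """
    holdouts = list(combinations(participants, k - 1))
    held = {p: set() for p in participants}
    for w, missing in enumerate(holdouts):
        for p in participants:
            if p not in missing:
                held[p].add(w)
    return held, len(holdouts)

def can_reconstruct(held, group, n_words):
    """True if the group's combined words cover the whole secret."""
    return set().union(*(held[p] for p in group)) == set(range(n_words))

def check(participants, k):
    """Return (word count, every k-group succeeds, no (k-1)-group succeeds,
    fraction of the secret each participant holds on their own)."""
    held, n_words = holdout_scheme(participants, k)
    every_k = all(can_reconstruct(held, g, n_words)
                  for g in combinations(participants, k))
    no_fewer = not any(can_reconstruct(held, g, n_words)
                       for g in combinations(participants, k - 1))
    exposure = {p: len(held[p]) / n_words for p in participants}
    return n_words, every_k, no_fewer, exposure

# Constructed inputs: the four guardians from the thread, quorum 2.
if __name__ == "__main__":
    print(check(["Al", "Bob", "Car", "Dav"], 2))
```

Each participant holds (n-k+1)/n of the words, so a 2-of-4 split hands every guardian three quarters of the phrase; a Shamir share leaks nothing.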


Clever! I hadn't considered that.

I think institutions here could play a key role in the future. There may well be many institutions offering this service somehow, competing with each other, and they will have to prove how trustworthy they are, maybe with algorithms or by avoiding hacks/leakages.

Over time we would have some trustworthy new institutions where people could backup a piece of their key.

But I think it's a whole new set of problems, right? What if banks end up playing this role? It would be funny haha.

I can do even funnier scenarios. What if the institutions would actually store the crypto and promise to give it back to you when you need it? And what if the document stating that you have crypto in the institution itself could be used as a means of payment? I mean, instead of making an expensive and slow on-chain transaction, we just agree that you give me the documentation that the institution gives the crypto to me instead of you. But wait, it gets even better. The institution could give you a discount or even pay you if you let the institution lend the crypto on.

Oh, but wait... That sounds an awful lot like our current fractional reserve banking, without any of the regulatory oversight and monetary policy aimed at regulating the money supply. Wonder what could go wrong?

All roads lead to banks.

Not in the slightest. Banks rent-seek on a fundamental part of a functioning economy: issuing credit. They have a privilege to print money for free, which they then "lend" at market rates. There's nothing "inevitable" about this, this is just how things were set up by the people in power.

In his article, Vitalik claims Electrum’s cosigner model isn’t good enough, without mentioning it by name. Cosigner already provides configurable N of M multisig the countersigners of which are user selectable. These are likely to be major financial institutions in the long run. The cosigner model readily provides user-friendly, credit card style spending limits. It can put spending limits on your bitcoin, and it can get you your coins back if you lose your wallet. It does all this without forcing users to interact with “smart contracts”.

I have no choice but to conclude “social sharing” is the Rube Goldberg machine variant of Electrum’s cosigner model, and its primary function is to promote Ethereum.

> In his article, Vitalik claims Electrum’s cosigner model isn’t good enough, without mentioning it by name.

He says multisig has been very successful for organizations like the Ethereum Foundation, but suggests that it's possible to do better for individuals. You are free to choose something that reduces to N-of-M, if you want to trust financial institutions, family/friends, and/or (mostly) yourself.

If I'm understanding what he writes correctly, it's somewhat similar to a "1 OR 4-of-7" multisig concept. Fairly sure this is supported by the Bitcoin protocol, although I don't think any wallets support it. There might be additional options you can implement on Ethereum that might be harder (read: require protocol upgrades) on Bitcoin. Time delays, maximum spend amounts (with exceptions), etc.

Also, I'm not sure why you're calling it the "Electrum cosigner" model. I thought multisig was a feature of the Bitcoin protocol, and not of the Electrum client?

> If I'm understanding what he writes correctly, it's somewhat similar to a "1 OR 4-of-7" multisig concept.

I can’t see any difference between the 4 of 7 countersigners under “social sharing” and the 4 of 7 countersigners in an Electrum cosigner arrangement. In both cases the countersigners are user selectable and can collude to steal your funds. You must place high amounts of trust in the countersigners in both cases, which means it isn’t really going to scale without credible financial institutions becoming involved there.

At a certain point, both protocols evolve into a more egalitarian form of banking, where the “bank” itself is distributed across trusted countersigners.

There is really no practical difference between Electrum’s cosigner model and “social sharing” here. If the entire point of countersigners is to protect stored value against theft, 1 OR N-of-M is purely a liability. It is only a UX upgrade when small amounts of funds are at risk, in which case you could elect to do a 1-of-2 cosigner multisig, anyway.

> Also, I'm not sure why you're calling it the "Electrum cosigner" model. I thought multisig was a feature of the Bitcoin protocol, and not of the Electrum client?

Electrum has shipped this feature since c. 2013, and the author of Electrum deserves recognition for pioneering the field. Granted it’s not surprising to see the prior art — particularly directly competitive, free and open source prior art — going uncited in this context. This type of shameless self-promotion is rampant in the modern cryptocurrency space, and it tends to leave the general public ignorant of legitimate “off-the-shelf” alternatives. It’s analogous to scaremongering against medical cannabis while backhandedly championing an in-house synthetic THC product. Unfortunately the majority of participants in this space are far too blinded by greed to care.

The use of cryptocurrency for anything other than investments has been hindered by the UX compared to the traditional financial system. But how much additional effort would someone have to expend to maintain a list of guardians compared to maintaining an account in a traditional banking system?

What if banks offered guardian services? They could even call it something like “custodian services.”


Writing the private key on a paper and storing it in a bank vault could also be an option.

What about wide adoption of "social recovery digital identities"? It should be possible to create an online identity that is vouched for by other users in the (decentralised) system. You could then tie your digital wallet to this, but also other less critical online assets like your Twitter account.

Most attacks against this system could be mitigated by having time-locks on the various assets which begin when the recovery process is started. In particular, if some of your friends are tricked into starting the recovery process, that should be published somewhere (in a pseudonymised form) so you can intervene and get them to stop before the time-lock opens.

I think this was the vision of Keybase before they flipped.

What do you mean by flipped? I haven't been following too closely.

Loss of bitcoin is the primary reason why Bitcoin will be outperforming gold in the long term. The supply is shrinking faster than gold. However that doesn't really explain the bubbles. If you can somehow implement effective recovery wallets the value of Bitcoin will rise much more slowly.

I am scared of hardware wallets as there is nothing to fix if it breaks. I want a backup system that is always recoverable.

Any ideas for a good strategy? Duplication on hardware level?

Every hardware wallet gives you a secret key to write down. That’s your backup if/when the device breaks.

Funny, nobody has stolen any money from my bank account and it's not something I ever worry about.

Sounds like solving for problems created by other problems ...

Not a very original counterargument, but: whenever anyone starts creating more of the money that you hold, the value of what you have gets smaller.

First, currency is mostly used as a medium of exchange. If you are worried about devaluation, then don't sit on it. Exchange it for something else. Anything. That's easy.

And it's usually better to hold some kind of currency which can be exchanged all over the world, than Magic Monopoly Money.

It's even easier to hold the currency, but unfortunately you can't because its value is reduced by others. You are pretty much forced to do these "easy" things, I'd rather not have anything to do with it until I actually want to.

It's not magic, it's just cryptography.

Every wallet is already a social recovery wallet if you can convince enough people to make an exception and fork the coin :)

The company behind the most popular Ethereum client was unable to make that happen when they lost $100M.

They just didn't convince enough people.

Exactly. Apparently the community feels Ethereum has grown up since 2016, and the time to hard-fork for these sorts of issues has passed.
