Hacker News new | past | comments | ask | show | jobs | submit login
Tell HN: I came up with an interesting way to do decentralized account recovery
131 points by jrpt on July 10, 2019 | hide | past | favorite | 111 comments
Thought I'd share this with the HN community.

Link to the Escrovery paper: https://github.com/pickhardt/escrovery/blob/master/escrovery...

I came up with an interesting way to do totally decentralized account recovery. Why might this be useful? Suppose you have some account on Bitcoin, Ethereum, etc and you lose your secret key. Worse, you also lose (or never had) any way to recover it.

Escrovery gives you a way to recover it, and without simply using a centralized service like Coinbase or needing secret shares from k of n friends. This could also be used as a recovery method with self-sovereign identities.

The way it works it using escrowed payments to deter malicious recovery attempts. Any user may make an Escrovery challenge to recover any account by first placing an amount of money in escrow. If the original account owner responds to the challenge in a certain amount of time, they earn the escrow. Otherwise, the challenger takes ownership of the account and recovers their escrow.

The main limitation is that it requires users to be regularly active in checking for challenges to their account. For some use cases, this would be fine. For others, perhaps it wouldn't work.




OK, I bid $50 to recover Satoshi's original account. Presumably he/she/they won't respond and I'll get a million bitcoin.

More generally, you'd want to make small bids against every account that's been idle for a while.

This has the flavor of https://en.wikipedia.org/wiki/Adverse_possession for land. It's socially good that land doesn't stay in limbo forever, but bitcoin being in limbo is a key feature of the economy.


It seems like you could solve the 'small bids' problem by having a minimum bid size. That bid size could be proportional to the value of the account. E.g. the minimum recovery bid for an account is 5% of it's value.

EDIT: In fact, why not make it a huge percentage of the account value. Even 100%. If you had to bid 100% of the account value to recover it, almost nobody who wasn't the real account owner would take that risk. And the real account holder, being that they knew for sure they would get it back, could presumably find a way to raise money from friends/family/loans to acquire enough capital to make the bid.

EDIT2: In second fact...why not make the lockup period adjustable based on the size of the bid relative to the account value (within limits)? If you bid 50% of the account value, you wait 2x the lockup period. If you bid 200%, you wait 1/2 of the lockup period. You'd need to have a hard minimum lockup of say, 1 month. But in this way, if you were the true account owner, you could bid way more than your account value to get it back pretty quickly, while also ensuring that people that couldn't raise as much capital could get their money back eventually.


It still doesn't solve the problem that you could presume Satoshi is dead, and bid a million dollars. Odds are better than the startup lottery. I guess there has to be a service that monitors if someone is brute forcing the system.


If someone is dead and no one else is going to get the coins otherwise, what exactly is the harm in that scenario?


I would hate to be in a situation where anyone could profit billions of dollars if I die or can't access a computer. People have certainly been murdered for less money than that.


With this in place, if you know someone has a dozen bitcoins, you can literally just kill them, claim their wallet, and retire with the money.


You are putting a huge incentive on DOXing people. If you know when an account holder dies or goes on vacation and others don't, you can take all their money.


I think it's the other way around. No harm happens if the coins are unclaimed. They're out of circulation, similar to what happens when countries destroy currency.

Satoshi has effectively 380 tons of gold worth of btc.

His wealth is about 1/10 the amount stored in Fort Knox. And that's just one guy. What of the criminal empires and corrupt politicians who have their wealth stashed away in wallets? There's easily hundreds of billions of dollars of lost money out there.

All that money going back into the system destabilizes it. Imagine someone saves up all their lives for 10 btc, then some guy just drops 1000 btc on a house like it was nothing. Pretty soon, there's inflation, and the prices (vs other currencies) plummet.

This is all theoretical, but the reality is that there's no harm if nobody gets the coins.


The big problem AFAICT is, how does the account holder get notified?

If you have a deterministic link between the account holder and e.g. an email address, you can just do normal recovery.

If the recovery attempt gets posted to a public place, then HFT-style actors can arb the system by bidding 99.99% of the holdings in the account, for all accounts everywhere.


1. Bid 20% of the value for your account, pretending that you lost the key. 2. HFT-style actor bids 21% (or 99%, or whatever). 3. Resolve all challenges because the key wasn't actually lost, get your original bid back, and get the actor's bid.


Seems like this is the only solution that works, since it makes it a zero-sum game. I like it, good braining.

The resulting cat-and-mouse game would double as a replacement for SatoshiDice. Also, it'd let the network clean up dust and recover money sent to invalid addresses.


It's a good strategy. But then you need there to be a stable equilibrium state that doesn't cost people too much money, not sure if the present system has that?


Q - What about front-running the challenge? ("HFT-style actors")

A - It uses a two-phase commit and reveal procedure to prevent front-running, like was used with name registration on Namecoin.


It's posted to a public place, and you just have a notification service that you can sign up to.

"When this public address gets bid on, send an alert to this email and phone number".


If you enabled this feature you could have a process check for you at an interval.


Large amounts of "hoarded" money causes a deflation, already a structural issue with a system like bitcoin, and can compound itself by reducing liquidity.

In fact that was the bigger, more dangerous consequence of the 2008 financial crisis. So when I saw opposition to the bailouts I was annoyed: not because those opponents' arguments were necessarily wrong (some were, some weren't) but because mostly even the people whose theory was correct were working about the wrong problem.


> Large amounts of "hoarded" money causes a deflation, already a structural issue with a system like bitcoin

It feels wrong to call deflation an issue with bitcoin when that is arguably the main reason anyone buys it.


The problem is people buy but rarely actually use bitcoin. This means the price collapses whenever a major holder tries to cash in.

The basic math is you only get a net ROI across all users when someone derives some value from the act of using bitcoin. As a currency that’s either from efficient transactions or as a stable store of value. Otherwise it’s an inefficient pyramid scheme where case inflows = cash outflows - mining costs.

PS: By contrast bonds can retain a high percentage of their value after a massive sale because they become more appealing as the price drops as they have some underlying value.


Well frankly that in itself should be be a huge red flag to the buyers as it doesn't add up.

Everybody who does the math gives stock investors shit for doing worse than random strategy but then you see what the amateurs do when they play at "investing" (really speculation but it is considered rude to call it what it really is) like beanie babies or baseball cards. And even they are geniuses compared to those who try lotto tickets, race tracks, and slot machines.


Why is it a structural issue? Decimal places can be added if it's a question of having tradeable units, and over time avg losses will be predictable and not affect price much.


Because the prior division means that allocation becomes increasingly disalligned with actual values.

If "once accepted a pizza for bitcoin and forgot to convert it" quanities becomes worth a luxury car later no matter how much you sub divide it people are discouraged from actually using it as a currency and instead exchanging directly to avoid the future losses. Except that when everyone does that it becomes worthless because nobody is using it to exchange anything - the source of its value.


Predictable and known price fluctuations are not an issue for commerce. Their effects can be reliably factored into the transaction. Only wild and unpredictable changes in price create challenges.


> Large amounts of "hoarded" money causes a deflation

That’s interesting statement. In modern economy there is no such thing as “hoarded” money. Even if you are all cash, you have that money in bank which is landing it out and putting it to work. So I am not sure how this statement could make sense.


Off topic, but thanks for the reference to adverse possession. Watched a video about a restored stone house in a ghost village in the Italian Alps, and the buyers had to hunt down the owners who had abandoned their houses/land more than a century ago to emigrate to the US. https://www.youtube.com/watch?v=NB3e8xwu_Do


In their implementation, it appears you'd need to create an account by calling the contract https://github.com/pickhardt/escrovery/blob/master/contracts...

So it wouldn't work with existing accounts/addresses.


That just moves the problem away from existing accounts/wallets like Satoshi's without really affecting the logic for future large inactive accounts.


«Presumably he/she/they won't respond and I'll get a million bitcoin»

Well, presumably Satoshi intended to abandon his keys, therefore they wouldn't have used the scheme in the first place. In general I think the scheme would be more useful with a long claim period, eg. the original owner could be given a month, or more to claim back his account.


Regarding adverse possession, do you know what the justification is for such a heavy-handed approach?

The theory I see mentioned there is:

> Because of the doctrine of adverse possession, a landowner can be secure in title to his land. Otherwise, long-lost heirs of any former owner, possessor or lien holder of centuries past could come forward with a legal claim on the property.

But I don't see why they wouldn't exclude the actual owner from this and limit it to just former owners/heirs/etc... and frankly it seems even those should only have to go through this process once before they're recognized as the current owners and not have to put up with this possibility again.


You mistakenly assume that the actual owner can always be identified. Part of the point of adverse possession law is to moot cases of "the McCoys and the Hatfields both claim they owned this land 100 years ago and nobody can offer substantive proof as to which is right (and in the meantime the Johnsons have been living there for six generations)".


Well then why not limit it to cases where there's no proof? I seriously don't see why someone with proof of ownership losing their property is necessary to solve any other problem.


> Well then why not limit it to cases where there's no proof?

Because abandonment of real property is a real phenomenon with externalized costs, so resolving disputed against an owner that has effectively abandoned real property was itself viewed as desirable. The time and openness of possession requirements mean that, in practice, adverse possession doesn't adversely impact anyone who hasn't effectively abandoned property.


Because you can have many concurrent proofs of ownership. For example someone sells a land twice, the first buyer leaves for 20 years and them come back with a better proof of ownership than the farmer that worked there 19 years.


But in your case the second buyer has proof too. The law says they still own it even if they don't have proof and even if the first one does. Why is that necessary?


He has a proof of ownership. It is just that the only way to discover that his proof is invalid if when the first owner contest it.


> But I don't see why they wouldn't exclude the actual owner from this and limit it to just former owners/heirs/etc

They are referring to potential actual owners: the heirs of a past owner are relevant because of their putative inheritance of actual ownership. Adverse possession settles claims on favor of the putative owner openly occupying property for the required period over other putative owners.


I get that. By "actual owner" I just meant whoever's name is provably with the title... you get what I mean.


Which title? By which bank? Country?

What about when there was a war and Jews want to go back to Poland to their house?

What if a native American or a Palestinian descendant wants to go back?

Do we count heirs over bank deeds?


Also it is a matter of ownership and its justification. Part of the implied bargin is the responsibility over the land to be its steward in /some/ sense. Ownership isn't unconditional and society would rather have someone making some use of it than an irresponsible owner who leaves it useless and only comes back to stop those from making it useful.

If their abdication was forced by the claimanint said claims the absense is far more justified but that gets into other concepts like damages and the fact they never intended to let it lapse but were forced to.


Satoshi didn't participate in a system featuring an implementation of "escrovery". See 4.3.


The biggest issue here is failing to relate to your intended audience. (IMHO)

The type of people that lose their secret keys are the type that don't know to back them up in the first place.

They would never know to look for a service like this, and if they did, they would at that point also likely understand the value of their private key, and come up with a means to keep it.

The biggest problem with this whole project is the fact that people need to trust you with total control of their money.

That's a big ask .. and that you're asking them to trust their money to your coding skills, that you're going to pile lots of private keys in one place (making you a target), and crossing your fingers you don't run across persons smarter than yourself.

If you get even a few people to use this service, it's going to end perilously.


The smart contract required is not particularly complex, and once it's been vetted and running, bugs cannot be introduced later.


Interesting from a game theory perspective. In that context it seems like the discussion so far is making a fundamental error in figuring out how it would work, by assuming that the escrow amount would be some small fraction of the total recovery amount.

The correct way to do it would be to make it so the escrow amount is the same as the amount to be recovered or even more, and for the service to return that full amount plus the keys to the account upon a successful challenge.

So if you're the account holder, and you're sure you are, and sure you've just lost the keys, bricked the hard drive, whatever, you know for sure that you're going to win the challenge. The only issue is being forced to come up with the initial funds to make the challenge, which isn't too hard to do.

But for the speculative challenger that everyone's hypothesizing, they'd have to risk a substantial amount of money for a relatively small payoff. The larger the escrow amount the more unfavorable the bet looks to a challenger, it wouldn't take much to make the entire concept of a nefarious challenger obviously unworkable.


> The only issue is being forced to come up with the initial funds to make the challenge, which isn't too hard to do.

That fully depends on the person. Suppose I mined Bitcoin in college when it was still rather young and amassed a ton of BTC, but then lost my wallet at some point.

Many years later, BTC is worth a great deal more than when I was mining. Perhaps my wallet is now valued at tens (or hundreds) of thousands of dollars. Depending on my life scenario, I may not have that amount in liquid assets to put toward making the challenge.


Indeed, but it’s not hard to imagine that a service would exist to temporarily lend you that money for a percentage of the wallet value. And assuming the company is credible, you’d probably be happy to get 90% of that BTC back rather than nothing.


You would probably be happy to get 25% back, but you'd need to have collateral to get someone to go for it.


I would worry about rich people being able to use this nefariously. For example, I could make Escrovery requests for a whole lot of bitcoin accounts with large balances (which I can see on the blockchain) and just hope that enough of them don't respond in time to make the costs worthwhile. If for example the escrow fee is 1% of the value of the wallet, and I do it for 100 accounts of roughly similar value, I only need 1 of the 100 to not respond to break even, and 2 of them to come out ahead.

So it will be very important to set the escrow value high enough to prevent this but low enough so that people who have legitimately lost their account can still recover their own accounts.


Users could probably select their own escrow, right?

For me, I'm not tying up the majority of my net worth in a single crypto. I could set an escrow at double the value of my wallet. It's highly unlikely that I do lose my secret key, and if I do, it'll be a huge pain to come up with the escrow, but it'd be doable.

And of course, you could probably set a cap so that even an in extreme spike of values, the escrow won't ever reach an amount that's infeasible for you.


I'd assume that doing this would rarely (but sometimes) be successful, but that alternately, there will be people putting large accounts out there in order to tempt this sort of speculation, and that side wouldn't be risking anything other than being forced to hold assets in bitcoin.

It'd wash out in the end.

Those 99 that didn't work out gave everyone you tried it on a 1% return.


I also worry users would be vulnerable to attacks from malicious individuals who know they lost their key.


There's some more subtlety to this "what if you're too poor to initiate a recovery" idea. Suppose I know a person with $10k of crypto lost their key which requires a 50% escrow for recovery, but they haven't yet initiated a recovery. What stops me (a well funded adversary) from sending over another $490k of my own funds so that the recovery escrow amount is now $250k, well outside what the original owner can put down?

Other than that, I generally think it's a really bad idea to have a decentralised currency require constant checking in in order to keep your funds. I could imagine situations where users are being monitored by an adversary, and having to quickly intervene with a recovery action would compromise their privacy or anonymity. For me it to be even remotely sensible, the escrow time should probably be several years.

Also, it's much easier to make someone loose access to their keys than it is to make them tell you their keys. What if I just steal their laptop that I know contains keys? That's much lower risk thing than beating someone up for private keys. It's much easier to "accidentally" make someone lose their keys while making it look like it wasn't about crypto at all anyway. What if the person holding the crypto doesn't want to go to the authorities or the authorities don't feel that protecting crypto is important. This is a much, much lower bar than kidnapping.


Scuttlebutt (decentralized social network / protocol) has a tool specifically for this. It's called Dark Crystal. the basic summary is that your secreted gets securely divided among your friends. none of them can read it, but if you get enough of them to send their "shards" back to you you can rebuild the "crystal" and recover your secret.

The web site isn't great but... https://darkcrystal.pw/

and here, of course, is the Scuttlebutt site: https://www.scuttlebutt.nz/


> Scuttlebutt (decentralized social network / protocol) has a tool specifically for this. It's called Dark Crystal. the basic summary is that your secreted gets securely divided among your friends. none of them can read it, but if you get enough of them to send their "shards" back to you you can rebuild the "crystal" and recover your secret.

> The web site isn't great but... https://darkcrystal.pw/

> and here, of course, is the Scuttlebutt site: https://www.scuttlebutt.nz/

Sounds like a variant of Shamir's Secret Sharing [1]. Here are some other variants of secret sharing mentioned [2].

[1] https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

[2] https://en.wikipedia.org/wiki/Secret_sharing


It was mentioned in the post:

> without simply using a centralized service like Coinbase or needing secret shares from k of n friends.


Yup, jrpt already mentioned it. This is called Shamir's Secret Sharing Scheme. There is a handy CLI tool implementing it: http://point-at-infinity.org/ssss/ This is what's Satoshi's treasure hunt uses (have to find 400 of 1000(?) keys to win the 1 million USD prize)


Yep, installable on pretty much any Linux machine

  dnf (or apt) install ssss


> Dark Crystal

Is there any white paper or something similar?


I suppose it's fair game to rathole on Bitcoin because OP was the first to mention it....

It would have been interesting if Bitcoin had included a rule that coins must move every 100,000 blocks or so (about two years) or else were gradually returned to the pool of unmined bitcoin. Only gradual would help increase the chance that a half-asleep holder might notice a slow drain and do something about it, and it would reduce mining windfalls from thousands of coins returning all at once in a certain block. Lost or abandoned bitcoin would eventually return to circulation, and holders would better understand from the outset that preserving their keys was an active responsibility.


I like that idea. Although, I'd imagine that most wallet software would then automatically send itself a transaction periodically to prevent it's Bitcoin from being reclaimed.

If lots of wallets did that then it would likely clog up the blockchain with lots of people sending money to themselves. But that wouldn't be a problem if Bitcoin was actually scalable.


Good point on the churn, but perhaps it's not a fatal problem. In fact, it might encourage faster adoption of more space-efficient schemes like Segwit, which is one of many ways to improve scalability.


What if an attacker covertly steals the victim's secret key/credential and then deletes it from the victim's device?

Maybe the victim thinks they accidentally deleted the key or whatever ("oops, my hard drive failed"). The victim then goes to recover their account, thinking that there will be no problem because nobody can possibly challenge them. Then the attacker denies their claim and doubles their winnings!

What makes this especially bad is that the victim's second loss is likely to affect them more than their first loss. Most people aren't going to put their retirement savings or paycheck in Bitcoin - it's more likely to be discretionary income that isn't going to kill them if they lose it. The escrow money is less likely to be discretionary income - it'll be real money, not funny money that has been sitting in their Bitcoin wallet for 5 years.

So now the victim is in a really bad position and the attacker has significant leverage over them. "Hey victim, I'll give you your life savings back if you do insert_illegal_thing_here for me."


The escrow amount wouldn't be the same as the amount in the original account, it'd be a token amount.


Plenty of comments now describing the fallout of token amounts.


What is the mechanism by which you resolve multiple challenges against an account? Do you always go with the challenge which was issued first?

The only failure mode I see is that you can effectively "bet" a small amount of bitcoin regularly that someone will lose access to their account (or stop checking in) to gain access to it.


is this how it more or less works?

1. someone makes a claim on my account, which costs them money.

2. i am notified of this.

3. I approve or deny the claim.

4. If denied, I get to keep the money submitted with the claim.

5. If approved or nothing is done within an amount of time, the account is awarded to the claimant?


There's not really a function like 'approving the claim' if you're the owner making a recovery claim you have no access to the wallet/address to respond and approval is based on time. The only active thing as an account owner is responding to (denying) claims against the account.


This is kinda offtopic but I really wish that any services that allowed for account recovery also had a way to disable it.


I agree, there are a lot of things that I prefer other people don't have access to more than I need to regain access to after losing it.

I don't care a lot about my old emails, but I care if someone else has access to my old emails.


I've never thought about this, but now that you mention it, I think is a great idea.


A service I'm building has this option. Puts protection against SIM/email jacking or social engineering into the hands of the customer if they feel capable.


So squatters rights for accounts?

One aspect about squatters rights is that someone presumably has to put the time and effort in (depends on the law) and couldn't just squat all over the place and just get all the things.

E-squatters rights as we see here seems like it could be heavily gamed / abused, and may simply not be an option for someone who is poor, meanwhile someone who is not poor gets their stuff.

The only thing that happened here is someone put up some money in escrow, that really seems like a poor way to judge ownership.


Maybe to avoid the issue with the user having to actively check for challenges, you can only allow challenges if the account is inactive (no deposits or withdrawals in the last x days). Then as a user, you could set up something which would automatically deposit money into your account/wallet periodically (or just send your income there regularly), and if you ever need to recover your account, stop all deposits to the account and wait a few days.


That would allow someone to maliciously DDOS the whole recovery process by sending tiny amounts at whatever interval to any account.


You could have some minimum amount, so you have to have $100 deposited in the last week, making it prohibitively expensive to DOS, but still work for accounts you are actively using. I don't think there would be much incentive to DOS someone anyways, you would have to know that they lost their password for it to be effective.


Maybe that does limit the potential uses for accounts though. Long term cold wallets like exchanges wouldn't generally have lots of in and out flows for example or people using the coin in poor countries might never have a total in/out flow of $100 despite using a coin for most of their daily life.


This is an interesting idea. There are some similarities with the secondary-key, time-locked "Vault" proposal for handling key-theft of Möser, Eyal, Sirer:

http://hackingdistributed.com/2016/02/26/how-to-implement-se...

(There's also a slight similarity to the 'Fomo3D' blockchain game, where someone who can manage to be 'last to act' can win a large pot.)

Practically, the need to stay aware of challenges, and answer them, introduces some new costs & risks. For example:

* A user might want to have a bit of sentinel software watching-for & responding to challenges, to lower the burden on their attention/time. But then that sentinel itself becomes a regularly-online, potentially-compromisable key location. And, an attacker who can force a sentinel-outage may be able to sneak away with funds via a timely challenge.

* A user who has a secure, offline key might nonetheless have their online systems temporarily compromised by an attacker. A challenge procedure could then prompt the target to move their offline key onto a compromised system, to answer the challenge, but then lose funds that otherwise were not at risk.

That said, there might still be situations where these concerns are acceptable, perhaps in combination with further refinements (along the lines of the `Vault` idea or other tuned tradeoffs between things like amounts, timing, and number of involved keys).

A bit more darkly, I know you've more-or-less ruled out security against physical attack as a goal, but it strikes me that this system may offer an edge to attackers who can precisely time their ability to kidnap/incapacitate/kill a target. By knowing first, and exactly when, a target won't be able to respond to a challenge, the attacker can be first to claim the unprotected funds. This timing-based aspect has some similarities to the old idea of "assassination markets", where being able to precisely time a death is what lets an anonymous perpetrator collect a bounty. See:

https://en.wikipedia.org/wiki/Assassination_market


One aspect of this is that it incentivizes Denial-of-Service attacks. It would allow any attacker to directly convert a DoS attack into money. Imagine that the 5 largest ISPs in the United States decided to surveil Bitcoin usage on their network and and record a list of probable addresses for their users (BTC has no transport encryption in its P2P layer). Then, all 5 decide to collude and block the Bitcoin P2P protocol for a week. How much BTC would they earn by doing this? It's a contrived example, but DoS is a common weakness in cryptocurrency protocols in addition to being fairly easy to execute in a typical network context to individual targets. In effect, instead of authorizing transactions based on ECDSA, you're relying upon key liveness which is a much weaker thing to rely upon and would incentivize large amounts of fraud and abuse.


I've thought of exactly this same thing. It would need to be implimented as a fork of bitcoin, and would need a new transaction type.

If no transactions are made from the target account after say 5 years, then the balance would transfer from the target to the initiator.

I couldn't figure out how to prevent miners from just targeting bunches of inactive accounts though... of course it's the miners you want to get on board, so maybe it's a good thing?

You'd have to balance paying miners an immediate commission for including this transaction against the 5 year wait and gamble they would otherwise have.


"Any user may make an Escrovery challenge to recover any account by first placing an amount of money in escrow. If the original account owner responds to the challenge in a certain amount of time, they earn the escrow. Otherwise, the challenger takes ownership of the account and recovers their escrow."

Are you thinking the response has to be the same amount? What if challenger puts down $1M - do I have to match the amount? Or will $1 work?

What would the time period be? What if I miss the notification or the email?

With some refinement and supporting systems, maybe this could work for some economies.


Surprised that no one has mentioned the problem with actual death. Anyone can take dead person's account and there's nothing a dead person can do. You could argue that if the dead person hasn't passed them on to an heir that it's better to put the coins back into circulation. But giving it to the first-comer seems strange and likely to go to someone already with large resources.


I know an interesting way to do decentralized account recovery:

Shamir's Key Sharing + trusted parties (friends, family), and your fragmented private key.

https://en.wikipedia.org/wiki/Secret_sharing

You need n of m of the fragments to reconstitute the key so if someone loses a fragment, you'll be okay. Cryptography is fun!


Another decentralized option is that you can use Dark Crystal (https://darkcrystal.pw) which allows you to shard your secret using Shamir's Secret Sharing (Cryptographic encode your secret into several pieces that you can share with your social network...in this case your Scuttlebutt friends).


Account recovery on Ethereum will be easier with contract-based accounts. Essentially your ether is stored in a smart contract rather than a single private key. The benefit of this is that you can now have multiple keys with different levels of privileges to your funds, kind of like ACLs.


I'm confused as to what problem you are solving. If this is to recover a centralized account like FB, having them add 2FA is far simpler in every way. FB is already centralized and not anonymous so making its recovery decentralized and anonymous makes no sense.

You specifically call out that Bitcoin has no account recovery and > 20% are lost forever. You never talk about how someone might recover a bitcoin private key. So how does this work for Bitcoin or any other crypto?

Even if it did work, it doesn't solve the issue of the initial person being able to set a value on their account and the price a challenge you must offer. If there is a $1B account, someone can easily just make $0.01 challenges all day long. Now that this is luckily decentralized, I can run a node and catch an unsophisticated user's IP after a bit of monitoring. Now I only need to physically locate them and EMP their house and the $1B is mine. There is far too much hand waving in this idea and paper to be taken seriously.


I actually said in the paper that accounts can enable/disable it, and customize their price and duration depending on their use case. Also, I said that it's not secure against kidnapping, jailing, etc. but if someone's willing to physically attack you, they may also be willing to steal your laptop or beat you up to get your keys already: https://www.xkcd.com/538/


The difference is that crypto is somewhat pseudonymous. This scheme forces me to connect to this system constantly or lose my "account". I can never go cold storage. I have to put out a homing beacon at a high frequency which creates a new attack vector.


Can you answer to this point?

> You never talk about how someone might recover a bitcoin private key.

I skimmed the paper and it sounds like this doesn’t help with bitcoin but requires its own blockchain or smart contract.


You don't actually recover the key, which is cryptographically impossible. You just get ownership of the account.

Perhaps you can do it with Bitcoin's scriptSig, but it's easier to do it with a cryptocurrency like Ethereum. Or if you're designing a new system you might consider making it a part of the system.


Ownership of the account is determined by possession of the private key. Only the one with the key can spend from the account.

In Bitcoin the way to implement this would be by transferring any funds in the account first to a time-locked escrow account and then to a new account for which the challenger possesses the key. It's doable but probably not worthwhile; IMHO the effort would be better spent on ensuring that you don't lose the key in the first place.


An easier solution would be for challenger to supply a new account id, and if claim is successful, all the funds are transferred there. This can all be done via smart contract. Brilliant idea, love it!


How can the funds be transferred if I still have the private key? Again, the question is who controls the keys? How can I still have my keys but the smart contract can transfer the "account" to a claimant that may or may not be me?


You don't need to know the private key to move money if the network agrees that you don't need to know the private key to move money.


The amount staked probably needs to be a % of the target account value to avoid spam.


It needs to be pretty high too because the escrow percentage basically sets the breakeven rate of attackers. Find N accounts that qualify for this with roughly equal values, submit false claims into the escrow, if more then Y% go through (where Y is the percentage required to make a claim) the attacker breaks even or better.

On the perverse side OP actually wants a bit of spam because only a fraction of the escrow is awarded to the wallet on a successful response according to the paper, the rest is going somewhere, likely going into OPs accounts if I had a guess.

There's 3 sides to the optimization of the escrow percentage required for a challenge: 1) you want it high enough to discourage loads of spurious challenges, 2) account owners want it low enough to make recovery feasible without raising tons of money to dump into escrow, and 3) OP wants plenty of money flowing through the recovery contract since they're getting a cut of failed/invalid recovery attempts.


Problem for me is that I don't re-use addresses.

Even with a mnemonic phrase for Hiercharchical Deterministic address sequences being recovered, how would your system or me know which address the funds are being associated with?


Actually, the proper way to restore accounts is:

Have M of N existing private keys sign that a new public key can be given X rights. (Usually M should be 1 or 2 depending on security.)

This certificate can be posted in a “keybase” style merkle tree or just send the latest one to whatever gatekeepers check it.

You can also have one MASTER key (derived from a passphrase you know or store somewhere privately, or in a secure enclave unlocked with biometrics) that is required in order to do any really sensitive operation like adding or removing access to resource X (eg your identity somewhere) for a new public key.

So you can give K > M public keys to K friends and if you lose ALL YOUR DEVICES then simply get M friends together and togethee with your MASTER KEY you can grant access to a new public key to recover all your stuff.


Interesting proposal.

It seems to increase the value of a 51% attack - steal any escrovery-protected funds by challenging and then keeping the response off the chain.


Very interesting idea. It's pretty simple to implement in ethereum contract wallets such as Universal Login or Gnosis Safe.


To answer some common questions:

Q - How much do you have to put in escrow to recover an account?

A - It's up to the user but they'll probably set it at a percent of the amount at stake. Or if it's a self-sovereign identity then it'd vary based on how important the account is to the person.

Q - What if you're too poor to initiate a recovery?

A - See the earlier question; the amount is configurable but would likely scale with the account size.

Q - What if I go on vacation?

A - You should be able to enable/disable this as a recovery process, and also configure the duration. So if you go on a month vacation, perhaps set your recovery duration to two months, or disable it entirely while on vacation.

Q - If multiple challenges, do you go with the challenge issued first?

A - Yes.

Q - Can't someone just make Escrovery requests for a whole lot of accounts and hope to earn enough back to make it worthwhile?

A - Profitability would depend on the amount you have to put into escrow and the percent of accounts that are lost. You want to set the amount accordingly so that isn't profitable.

Q - Can I use it to steal Satoshi's account now?

A - Since it didn't exist back then, no. In fact, it'll likely never be default on Bitcoin, but could be opt-in with smart contracts on something like Ethereum. One could also build it into other decentralized systems, for instance a decentralized and self-sovereign identity system that wants to have an account recovery mechanism.

Q - Can't I just attack/kidnap/detain the person for their challenge duration to steal their account?

A - It's not secure against kidnapping, jailing, etc. but if someone's willing to physically attack you, they're likely also willing to steal your laptop or beat you up to get your keys already: https://www.xkcd.com/538/

Q - What about front-running the challenge?

A - It uses a two-phase commit and reveal procedure to prevent front-running, like was used with name registration on Namecoin.


It's an interesting idea but ultimately it doesn't work in the real world. It simply incentivizes too much fraud.

There are simply too many real-world corner cases that will fail. What if someone dies? Can you go and raid people's accounts before their estate's executors can find them?

If used for something like unclaimed money from the state, it's a very easy way for people to fraudulently make an enormous amount of money.


> Q - What if I go on vacation?

> A - You should be able to enable/disable this as a recovery process

What if I'm, say, injured in a car accident and unconscious for 2 weeks, and didn't update the time or disable this? I'll just wake up to the gift of losing my possessions as well?


Can a user make honeypot accounts? They'd have $1 in them and a $5 recovery fee and a bot that accepts challenges. Nice way to earn a few bucks off thieves.


how do you recover the secret key? you got to save it somewhere first, right?


you should build out a wrapped ethereum smart contract version of this


What process leads to a PDF of such low quality? Was that printed and scanned?


It gets squeezed by Github's display and the scaling isn't great for some reason. Click download and it looks fine.


I'm not sure what you're talking about -- it's perfectly fine to me.


What if I’m poor?


Then don't try to steal accounts? And also that means you have less of a chance of being kidnapped and prevented from responding to the challenge


"In decentralized systems like Bitcoin or Ethereum, when a user loses their secret key, they lose their entire account. Existing methods of account recovery either give up decentralization or require persistence of information by the user. Instead, this paper introduces Escrovery, a method of account recovery in trustless systems that is decentralized, non-persistent, anonymous, and secure. Escrovery uses escrowed payments to deter malicious recovery attempts. Any user may make an Escrovery challenge to recover any account by first placing an amount of money in escrow. If the original account owner responds to the challenge in a certain amount of time, they earn the escrow. Otherwise, the challenger takes ownership of the account and recovers their escrow."

Ouch. End up in prison for wire fraud, lose all your BTC in the process cause you can't respond to the challenge. And you only figure it out years later after you got free from prison. It might be vulnerable to (other) forms of (D)DoS as well.

Let us assume the owner of the BTC deceased and took their secret key with them to the grave. Who'd be the rightful owner of the BTC? I'd say the family (who exactly and how much differs per jurisdiction!). So if you want to assure that is possible, all you need is e.g. a notary or apply shamir's secret sharing with multiple family members (arguably a poor man's notary though it has its own advantages and disadvantages e.g. a notary can conspire against you but so can family members; for a notary there's much more at stake I suppose given its their profession and credibility at stake). These solutions are less complex, and rely on your own responsibility to implement correctly. Which, to be fair, also has its pros and cons.


Could you explain how this would be wire fraud?


That was just an example of someone who legitimately got busted. It could be any crime (depending on the timeout). Heck if the timeout is too short perhaps you were on retraite or vacation or something.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: