top of page
  • Mark Ryan

Who Can You Trust & Are You Sure?

Custodial vs Non-Custodial Solutions

One of the usability difficulties with cryptocurrency is that owners are responsible for safely maintaining their private keys. The bottom line is that if you store your assets in a Bitcoin or Ethereum account and you forget your private key (or seed phrase) for that account, then you have lost your assets. Millions, probably billions and billions of dollars of assets have been lost in this way.

One way to avoid this situation is not to hold your key yourself, but rely on a professional intermediary like Binance or Coinbase to hold it for you. This is called a custodial solution, since the intermediary has custody of your assets. However, this is not very secure either.

A famous crypto exchange called Mt. Gox incurred the loss or theft of hundreds of thousands of their clients’ Bitcoins, and ceased operation. Modern exchanges like Binance and Coinbase probably have better defences in place and are more resistant to hacker attacks, but they may be vulnerable to other kinds of issues, such as government seizures.

Most people therefore want to retain custody of their cryptocurrency assets, and therefore have to worry about the security of their private key. As the saying goes, “Not your keys? Not your coins.” Security of your private keys boils down to two requirements: no-one besides you can access your keys; and you really can access them when you need them.

Unfortunately, these two requirements are pulling in opposite directions. If you make it really hard for an adversary to access your keys (taking perhaps highly elaborate precautions), then it becomes harder for you to access them too.

Social Recovery

Social recovery wallets are a very elegant proposal to address the problem that you may lose access to your keys, made by Vitalik Buterin. It allows you to nominate friends that can help you recover your assets if you lose your private key. The idea is that instead of storing your assets in an account for which you hold the private key, you create a smart contract account to store the assets. You will still have an account with a private key, but instead of holding the assets directly, that account has the right to access the assets on your smart contract account. If you lose your private key, you can create a new account with a new private key, and with the help of your friends you can register the new account on your smart contract to access your assets.

Let’s see this as an example.

Alice has some crypto assets, so she creates a smart contract C that holds them, and she creates an account A for which she has the private key. The contract C is configured to allow the holder of A to access the assets. Alice has friends Xavier, Yvonne, and Zandra, who respectively own and have the private keys for accounts X, Y and Z. Alice enables her friends as helpers, which she can use in the event that she loses her private key.

The logic of the smart contract C is thus as follows:

  • There is a variable in the smart contract, called owner. The account in this variable can access the funds.

  • The holders of accounts X, Y and Z can jointly set the owner to any other account.

Initially, the owner is set to A. Thus, Alice as the holder of account A can access the funds. If Alice loses the private key for A, she can create a new account B, and ask X, Y and Z to update the smart contract so that the new owner is B. In this way, she recovers access to her funds.

Of course, this example is probably simpler than it should be. Xavier, Yvonne and Zandra might not be available when Alice wants them, or they may have forgotten their own keys. So Alice could arrange the logic using a threshold system: she could nominate five friends, and stipulate that any three of the five are required in order to update the owner variable. Another issue is that Alice may want to protect against the possibility that her friends could conspire to change the owner to an address of their choice, so that they can steal her money. The logic of the social recovery contract can be designed to mitigate this risk too. Smart contracts allow arbitrary conditions to be specified, so Alice can create whatever access rules she likes.

Do social recovery wallets solve the problem of losing access to your crypto keys?

Not quite.

What happens if one of Alice’s friends loses their keys?

That problem is somewhat mitigated by the threshold solution; Alice can ask her other friends.

But suppose several of Alice’s friends have lost their keys, and there is no longer a threshold number of them that can help her?

Well, perhaps the friends have also used social recovery wallets, and when Alice appeals to them, they can in turn appeal to their friends. This might work, provided the network of friends is wide enough, and there are not too many short cycles in the “friends graph”. But the solution is fundamentally limited.

Imagine a world in which everyone has lost their keys. Then no social recovery can take place.

Social recovery wallets help spread the risk of key loss, but they cannot mitigate it completely, because a core principle of smart contracts is that private-key accounts are the only accounts that can initiate transactions. So the ability to recover private keys is essential, and social recovery wallets can’t substitute for that.

The Solution: PAD Recovery

PAD Recovery is a system that addresses the problem of key loss. Similar to the social recovery wallet concept, it allows a user Alice to nominate friends who can help in a situation where the user has lost their key or seed phrase. Unlike social recovery wallets, the idea is that Alice can recover the lost secret directly.

PAD Recovery works by encrypting the private key or seed phrase using threshold-based cryptography, so that a given number of the user’s friends can jointly decrypt a secret which in turn enables the user to decrypt their key. Like social wallets, Alice has to be careful to choose friends that won’t abuse her trust, by conspiring against her. As in social recovery wallets, she can mitigate this risk by avoiding telling them who else is in her nominated group of friends. But PAD Recovery has an interesting take on another way to deal with this risk.

PAD Recovery is based on PAD, which stands for Privacy-Preserving Accountable Decryption.

PAD is a way in which decryption operations can be forced to be recorded on a ledger, making them transparent, or accountable. This means that it’s impossible to get a decryption without recording the decryption event on the blockchain, and thus alerting relevant parties.

In the case of PAD Recovery, Alice can be notified whenever decryptions of her seed phrase or private key are made. PAD can be configured so there is a time-delay between decryption requests and the decryption taking place. So Alice can ensure that she gets notified whenever her friends try to decrypt her key, and if this was not being done on her request, she can take action to prevent it.

Thus, PAD Recovery is complementary to social recovery wallets. Both of them are useful to ensure that your private keys will be available when you need them.

If you would like to keep up to date with the PAD team and the development of PAD Recovery, follow us on our social media channels:

Twitter: @PADtech_team

LinkedIn: PAD Tech

bottom of page