Abstract
We present a novel approach for blockchain asset owners to reclaim their funds in case of accidental private-key loss or transfer to a mistyped address. Our solution can be deployed upon failure or absence of proactively implemented backup mechanisms, such as secret sharing and cold storage. The main advantages against previous proposals is it does not require any prior action from users and works with both single-key and multi-sig accounts. We achieve this by a 3-phase \(Commit() \rightarrow Reveal() \rightarrow Claim() - or - Challenge()\) smart contract that enables accessing funds of addresses for which the spending key is not available. We provide an analysis of the threat and incentive models and formalize the concept of reactive KEy-Loss Protection (KELP).
P. Chatzigiannis—Did part of this work during an internship at Novi Financial/Facebook Research.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
Note that com can be implemented with any reasonable and efficient commitment scheme i.e., via HMACs, but typically a regular hash function is already available as part of the underlying blockchain’s instruction set.
- 2.
More proactive ways to issue challenges include for example an intelligent wallet that learns its owner’s behaviour (frequency of use), so that it can distinguish between the state in which a user simply hasn’t logged in for a while, and the state in which they have misplaced their key, automatically issuing challenges in the former state.
- 3.
References
Diem documentation - accounts (2020). https://developers.diem.com/docs/core/accounts/#creating-accounts
Amsden, Z., et al.: The Libra blockchain. Calibra corp, p. 29 (2019)
Androulaki, E., et al.: Hyperledger fabric: a distributed operating system for permissioned blockchains. In: Proceedings of the Thirteenth EuroSys Conference, EuroSys 2018, Porto, Portugal, 23–26 April 2018, pp. 30:1–30:15 (2018)
Avarikioti, G., Kokoris-Kogias, E., Wattenhofer, R.: Brick: asynchronous state channels. CoRR (2019). http://arxiv.org/abs/1905.11360
Aydar, M., Cetin, S.C., Ayvaz, S., Aygun, B.: Private key encryption and recovery in blockchain. arXiv preprint arXiv:1907.04156 (2019)
Baldimtsi, F., Camenisch, J., Hanzlik, L., Krenn, S., Lehmann, A., Neven, G.: Recovering lost device-bound credentials. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 307–327. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28166-7_15
Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1087–1098 (2013)
Battagliola, M., Longo, R., Meneghetti, A., Sala, M.: A provably-unforgeable threshold EdDSA with an offline recovery party (2020)
Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE Symposium on Security and Privacy, pp. 459–474. IEEE Computer Society Press, May 2014. https://doi.org/10.1109/SP.2014.36
Brenner, M.: How I snatched 153,037 ETH after a bad tinder date (2017). https://eprint.iacr.org/2019/1128
Buterin, V., Van de Sande, A.: EIP-55: Mixed-case checksum address encoding (2016). https://eips.ethereum.org/EIPS/eip-55
Di Nicola, V., Longo, R., Mazzone, F., Russo, G.: Resilient custody of crypto-assets, and threshold multisignatures. Mathematics 8(10), 1773 (2020)
Duncan1949: Lost passphrase for extra account on trezor (2015). https://www.reddit.com/r/TREZOR/comments/33i03g/lost_passphrase_for_extra_account_on_trezor
Falkon, S.: The story of the DAO - its history and consequences (2017). https://medium.com/swlh/the-story-of-the-dao-its-history-and-consequences-71e6a8a551ee
Grube, T., Thummerer, M., Daubert, J., Mühlhäuser, M.: Cover traffic: a trade of anonymity and efficiency. In: Livraga, G., Mitchell, C. (eds.) STM 2017. LNCS, vol. 10547, pp. 213–223. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68063-7_15
Guilherme Schmidt, R., Mota, M., Buterin, V.: naxe: Secret multisig recovery (2019). https://gitlab.com/status-im/docs/EIPs/blob/secret-multisig-recovery/EIPS/eip-2429.md
Haig, S.: Eth community discuss DAO for reversing funds lost to wrong addresses (2020). https://cointelegraph.com/news/eth-community-discuss-dao-for-reversing-funds-lost-to-wrong-addresses
Hearn, M.: Corda: A distributed ledger. https://www.r3.com/wp-content/uploads/2019/08/corda-technical-whitepaper-August-29-2019.pdf
Jarecki, S., Kiayias, A., Krawczyk, H., Xu, J.: Highly-efficient and composable password-protected secret sharing (or: how to protect your bitcoin wallet online). In: 2016 IEEE European Symposium on Security and Privacy (EuroS P), pp. 276–291 (2016). https://doi.org/10.1109/EuroSP.2016.30
Khan, A.G., Zahid, A.H., Hussain, M., Riaz, U.: Security of cryptocurrency using hardware wallet and QR code. In: 2019 International Conference on Innovative Computing (ICIC), pp. 1–10. IEEE (2019)
Khovratovich, D., Law, J.: BIP32-Ed25519: hierarchical deterministic keys over a non-linear keyspace. In: 2017 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 27–31. IEEE (2017)
Maxwell, G.: Coinjoin: Bitcoin privacy for the real world. bitcointalk.org (2013)
Meiklejohn, S., et al.: A fistful of bitcoins: characterizing payments among men with no names. In: Proceedings of the 2013 Conference on Internet Measurement Conference, pp. 127–140 (2013)
Micali, S.: ALGORAND: the efficient and democratic ledger. CoRR (2016). http://arxiv.org/abs/1607.01341
Möser, M., Eyal, I., Gün Sirer, E.: Bitcoin covenants. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 126–141. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_9
Pfeffer, J.: Over 12,000 ether are lost forever due to typos (2018). https://media.consensys.net/over-12-000-ether-are-lost-forever-due-to-typos-f6ccc35432f8
Pollock, D.: Infamous discarded hard drive holding 7,500 bitcoins would be worth \$80 million today (2017). https://cointelegraph.com/news/infamous-discarded-hard-drive-holding-7500-bitcoins-would-be-worth-80-million-today
Ruffing, T., Kate, A., Schröder, D.: Liar, liar, coins on fire! Penalizing equivocation by loss of bitcoins. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 219–230. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2810103.2813686
TierNolan: Bitcoin wiki: Atomic cross-chain trading (2013). https://en.bitcoin.it/wiki/Atomic_swap
Van Saberhagen, N.: Cryptonote v 2.0 (2013). https://cryptonote.org/whitepaper.pdf
Zamyatin, A., et al.: SoK: communication across distributed ledgers. Cryptology ePrint Archive, Report 2019/1128 (2019). https://eprint.iacr.org/2019/1128
Zhang, F., Daian, P., Kaptchuk, G., Bentov, I., Miers, I., Juels, A.: Paralysis proofs: secure access-structure updates for cryptocurrencies and more. Cryptology ePrint Archive, Report 2018/096 (2018). https://eprint.iacr.org/2018/096
Acknowledgements
The authors would like to thank all anonymous reviewers of FC21 WTSC workshop for comments and suggestions that greatly improved the quality of this paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A KELP Implementation in Diem Blockchain
A KELP Implementation in Diem Blockchain
In this appendix, we present an implementation of the KELP protocol for the Diem Framework v1.2. The code is mostly a straightforward, but has a few Diem-specific features that we will explain here:
Automatic Challenges Using Sequence Numbers. Like many other blockchains, Diem accounts have sequence numbers that are incremented each time a transaction is sent from the account. Our implementation timestamps each reveal on \(address_c\) with the sequence number of \(address_c\). In the code for
, we check that no transactions have been sent from \(address_c\) since the reveal. This ensures that any transaction sent from \(address_c\) is implicitly a challenge.
Reclaiming Entire Accounts with
. Diem accounts support key rotation. Each account
has a unique
resource whose holder has the permission to rotate the authentication key for
. An account that opts in to KELP recovery must give its
to the KELP resource. KELP then uses this resource to rotate the key for
in the logic for
. This allows the claiming party to completely regain control of the account, not just its funds.
Using the
Type To Avoid Some Uses of \(address_r\). The Move language has a type called
Footnote 3 that represents an authenticated user with a specific address. Our implementation leverages this type to omit some uses of \(address_r\) from the protocol. For example: we don’t need to include \(address_r\) in the \(\mathsf {Commit}\) message because we use
to ensure that a commit and reveal transaction originate from the same address.
Rights and permissions
Copyright information
© 2021 International Financial Cryptography Association
About this paper
Cite this paper
Blackshear, S. et al. (2021). Reactive Key-Loss Protection in Blockchains. In: Bernhard, M., et al. Financial Cryptography and Data Security. FC 2021 International Workshops. FC 2021. Lecture Notes in Computer Science(), vol 12676. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-63958-0_34
Download citation
DOI: https://doi.org/10.1007/978-3-662-63958-0_34
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-63957-3
Online ISBN: 978-3-662-63958-0
eBook Packages: Computer ScienceComputer Science (R0)