Tell HN: I came up with an interesting way to do decentralized account recovery
Link to the Escrovery paper: https://github.com/pickhardt/escrovery/blob/master/escrovery...
I came up with an interesting way to do totally decentralized account recovery. Why might this be useful? Suppose you have some account on Bitcoin, Ethereum, etc and you lose your secret key. Worse, you also lose (or never had) any way to recover it.
Escrovery gives you a way to recover it, and without simply using a centralized service like Coinbase or needing secret shares from k of n friends. This could also be used as a recovery method with self-sovereign identities.
The way it works it using escrowed payments to deter malicious recovery attempts. Any user may make an Escrovery challenge to recover any account by first placing an amount of money in escrow. If the original account owner responds to the challenge in a certain amount of time, they earn the escrow. Otherwise, the challenger takes ownership of the account and recovers their escrow.
The main limitation is that it requires users to be regularly active in checking for challenges to their account. For some use cases, this would be fine. For others, perhaps it wouldn't work.
117 comments
[ 5.6 ms ] story [ 192 ms ] threadThe only failure mode I see is that you can effectively "bet" a small amount of bitcoin regularly that someone will lose access to their account (or stop checking in) to gain access to it.
More generally, you'd want to make small bids against every account that's been idle for a while.
This has the flavor of https://en.wikipedia.org/wiki/Adverse_possession for land. It's socially good that land doesn't stay in limbo forever, but bitcoin being in limbo is a key feature of the economy.
So it wouldn't work with existing accounts/addresses.
If you have a deterministic link between the account holder and e.g. an email address, you can just do normal recovery.
If the recovery attempt gets posted to a public place, then HFT-style actors can arb the system by bidding 99.99% of the holdings in the account, for all accounts everywhere.
A - It uses a two-phase commit and reveal procedure to prevent front-running, like was used with name registration on Namecoin.
The resulting cat-and-mouse game would double as a replacement for SatoshiDice. Also, it'd let the network clean up dust and recover money sent to invalid addresses.
"When this public address gets bid on, send an alert to this email and phone number".
In fact that was the bigger, more dangerous consequence of the 2008 financial crisis. So when I saw opposition to the bailouts I was annoyed: not because those opponents' arguments were necessarily wrong (some were, some weren't) but because mostly even the people whose theory was correct were working about the wrong problem.
It feels wrong to call deflation an issue with bitcoin when that is arguably the main reason anyone buys it.
The basic math is you only get a net ROI across all users when someone derives some value from the act of using bitcoin. As a currency that’s either from efficient transactions or as a stable store of value. Otherwise it’s an inefficient pyramid scheme where case inflows = cash outflows - mining costs.
PS: By contrast bonds can retain a high percentage of their value after a massive sale because they become more appealing as the price drops as they have some underlying value.
Everybody who does the math gives stock investors shit for doing worse than random strategy but then you see what the amateurs do when they play at "investing" (really speculation but it is considered rude to call it what it really is) like beanie babies or baseball cards. And even they are geniuses compared to those who try lotto tickets, race tracks, and slot machines.
If "once accepted a pizza for bitcoin and forgot to convert it" quanities becomes worth a luxury car later no matter how much you sub divide it people are discouraged from actually using it as a currency and instead exchanging directly to avoid the future losses. Except that when everyone does that it becomes worthless because nobody is using it to exchange anything - the source of its value.
That’s interesting statement. In modern economy there is no such thing as “hoarded” money. Even if you are all cash, you have that money in bank which is landing it out and putting it to work. So I am not sure how this statement could make sense.
The theory I see mentioned there is:
> Because of the doctrine of adverse possession, a landowner can be secure in title to his land. Otherwise, long-lost heirs of any former owner, possessor or lien holder of centuries past could come forward with a legal claim on the property.
But I don't see why they wouldn't exclude the actual owner from this and limit it to just former owners/heirs/etc... and frankly it seems even those should only have to go through this process once before they're recognized as the current owners and not have to put up with this possibility again.
Because abandonment of real property is a real phenomenon with externalized costs, so resolving disputed against an owner that has effectively abandoned real property was itself viewed as desirable. The time and openness of possession requirements mean that, in practice, adverse possession doesn't adversely impact anyone who hasn't effectively abandoned property.
They are referring to potential actual owners: the heirs of a past owner are relevant because of their putative inheritance of actual ownership. Adverse possession settles claims on favor of the putative owner openly occupying property for the required period over other putative owners.
What about when there was a war and Jews want to go back to Poland to their house?
What if a native American or a Palestinian descendant wants to go back?
Do we count heirs over bank deeds?
If their abdication was forced by the claimanint said claims the absense is far more justified but that gets into other concepts like damages and the fact they never intended to let it lapse but were forced to.
Well, presumably Satoshi intended to abandon his keys, therefore they wouldn't have used the scheme in the first place. In general I think the scheme would be more useful with a long claim period, eg. the original owner could be given a month, or more to claim back his account.
EDIT: In fact, why not make it a huge percentage of the account value. Even 100%. If you had to bid 100% of the account value to recover it, almost nobody who wasn't the real account owner would take that risk. And the real account holder, being that they knew for sure they would get it back, could presumably find a way to raise money from friends/family/loans to acquire enough capital to make the bid.
EDIT2: In second fact...why not make the lockup period adjustable based on the size of the bid relative to the account value (within limits)? If you bid 50% of the account value, you wait 2x the lockup period. If you bid 200%, you wait 1/2 of the lockup period. You'd need to have a hard minimum lockup of say, 1 month. But in this way, if you were the true account owner, you could bid way more than your account value to get it back pretty quickly, while also ensuring that people that couldn't raise as much capital could get their money back eventually.
Satoshi has effectively 380 tons of gold worth of btc.
His wealth is about 1/10 the amount stored in Fort Knox. And that's just one guy. What of the criminal empires and corrupt politicians who have their wealth stashed away in wallets? There's easily hundreds of billions of dollars of lost money out there.
All that money going back into the system destabilizes it. Imagine someone saves up all their lives for 10 btc, then some guy just drops 1000 btc on a house like it was nothing. Pretty soon, there's inflation, and the prices (vs other currencies) plummet.
This is all theoretical, but the reality is that there's no harm if nobody gets the coins.
So it will be very important to set the escrow value high enough to prevent this but low enough so that people who have legitimately lost their account can still recover their own accounts.
For me, I'm not tying up the majority of my net worth in a single crypto. I could set an escrow at double the value of my wallet. It's highly unlikely that I do lose my secret key, and if I do, it'll be a huge pain to come up with the escrow, but it'd be doable.
And of course, you could probably set a cap so that even an in extreme spike of values, the escrow won't ever reach an amount that's infeasible for you.
It'd wash out in the end.
Those 99 that didn't work out gave everyone you tried it on a 1% return.
1. someone makes a claim on my account, which costs them money.
2. i am notified of this.
3. I approve or deny the claim.
4. If denied, I get to keep the money submitted with the claim.
5. If approved or nothing is done within an amount of time, the account is awarded to the claimant?
You specifically call out that Bitcoin has no account recovery and > 20% are lost forever. You never talk about how someone might recover a bitcoin private key. So how does this work for Bitcoin or any other crypto?
Even if it did work, it doesn't solve the issue of the initial person being able to set a value on their account and the price a challenge you must offer. If there is a $1B account, someone can easily just make $0.01 challenges all day long. Now that this is luckily decentralized, I can run a node and catch an unsophisticated user's IP after a bit of monitoring. Now I only need to physically locate them and EMP their house and the $1B is mine. There is far too much hand waving in this idea and paper to be taken seriously.
> You never talk about how someone might recover a bitcoin private key.
I skimmed the paper and it sounds like this doesn’t help with bitcoin but requires its own blockchain or smart contract.
Perhaps you can do it with Bitcoin's scriptSig, but it's easier to do it with a cryptocurrency like Ethereum. Or if you're designing a new system you might consider making it a part of the system.
In Bitcoin the way to implement this would be by transferring any funds in the account first to a time-locked escrow account and then to a new account for which the challenger possesses the key. It's doable but probably not worthwhile; IMHO the effort would be better spent on ensuring that you don't lose the key in the first place.
The type of people that lose their secret keys are the type that don't know to back them up in the first place.
They would never know to look for a service like this, and if they did, they would at that point also likely understand the value of their private key, and come up with a means to keep it.
The biggest problem with this whole project is the fact that people need to trust you with total control of their money.
That's a big ask .. and that you're asking them to trust their money to your coding skills, that you're going to pile lots of private keys in one place (making you a target), and crossing your fingers you don't run across persons smarter than yourself.
If you get even a few people to use this service, it's going to end perilously.
One aspect about squatters rights is that someone presumably has to put the time and effort in (depends on the law) and couldn't just squat all over the place and just get all the things.
E-squatters rights as we see here seems like it could be heavily gamed / abused, and may simply not be an option for someone who is poor, meanwhile someone who is not poor gets their stuff.
The only thing that happened here is someone put up some money in escrow, that really seems like a poor way to judge ownership.
On the perverse side OP actually wants a bit of spam because only a fraction of the escrow is awarded to the wallet on a successful response according to the paper, the rest is going somewhere, likely going into OPs accounts if I had a guess.
There's 3 sides to the optimization of the escrow percentage required for a challenge: 1) you want it high enough to discourage loads of spurious challenges, 2) account owners want it low enough to make recovery feasible without raising tons of money to dump into escrow, and 3) OP wants plenty of money flowing through the recovery contract since they're getting a cut of failed/invalid recovery attempts.
I don't care a lot about my old emails, but I care if someone else has access to my old emails.
Q - How much do you have to put in escrow to recover an account?
A - It's up to the user but they'll probably set it at a percent of the amount at stake. Or if it's a self-sovereign identity then it'd vary based on how important the account is to the person.
Q - What if you're too poor to initiate a recovery?
A - See the earlier question; the amount is configurable but would likely scale with the account size.
Q - What if I go on vacation?
A - You should be able to enable/disable this as a recovery process, and also configure the duration. So if you go on a month vacation, perhaps set your recovery duration to two months, or disable it entirely while on vacation.
Q - If multiple challenges, do you go with the challenge issued first?
A - Yes.
Q - Can't someone just make Escrovery requests for a whole lot of accounts and hope to earn enough back to make it worthwhile?
A - Profitability would depend on the amount you have to put into escrow and the percent of accounts that are lost. You want to set the amount accordingly so that isn't profitable.
Q - Can I use it to steal Satoshi's account now?
A - Since it didn't exist back then, no. In fact, it'll likely never be default on Bitcoin, but could be opt-in with smart contracts on something like Ethereum. One could also build it into other decentralized systems, for instance a decentralized and self-sovereign identity system that wants to have an account recovery mechanism.
Q - Can't I just attack/kidnap/detain the person for their challenge duration to steal their account?
A - It's not secure against kidnapping, jailing, etc. but if someone's willing to physically attack you, they're likely also willing to steal your laptop or beat you up to get your keys already: https://www.xkcd.com/538/
Q - What about front-running the challenge?
A - It uses a two-phase commit and reveal procedure to prevent front-running, like was used with name registration on Namecoin.
There are simply too many real-world corner cases that will fail. What if someone dies? Can you go and raid people's accounts before their estate's executors can find them?
If used for something like unclaimed money from the state, it's a very easy way for people to fraudulently make an enormous amount of money.
> A - You should be able to enable/disable this as a recovery process
What if I'm, say, injured in a car accident and unconscious for 2 weeks, and didn't update the time or disable this? I'll just wake up to the gift of losing my possessions as well?
The correct way to do it would be to make it so the escrow amount is the same as the amount to be recovered or even more, and for the service to return that full amount plus the keys to the account upon a successful challenge.
So if you're the account holder, and you're sure you are, and sure you've just lost the keys, bricked the hard drive, whatever, you know for sure that you're going to win the challenge. The only issue is being forced to come up with the initial funds to make the challenge, which isn't too hard to do.
But for the speculative challenger that everyone's hypothesizing, they'd have to risk a substantial amount of money for a relatively small payoff. The larger the escrow amount the more unfavorable the bet looks to a challenger, it wouldn't take much to make the entire concept of a nefarious challenger obviously unworkable.
That fully depends on the person. Suppose I mined Bitcoin in college when it was still rather young and amassed a ton of BTC, but then lost my wallet at some point.
Many years later, BTC is worth a great deal more than when I was mining. Perhaps my wallet is now valued at tens (or hundreds) of thousands of dollars. Depending on my life scenario, I may not have that amount in liquid assets to put toward making the challenge.
Maybe the victim thinks they accidentally deleted the key or whatever ("oops, my hard drive failed"). The victim then goes to recover their account, thinking that there will be no problem because nobody can possibly challenge them. Then the attacker denies their claim and doubles their winnings!
What makes this especially bad is that the victim's second loss is likely to affect them more than their first loss. Most people aren't going to put their retirement savings or paycheck in Bitcoin - it's more likely to be discretionary income that isn't going to kill them if they lose it. The escrow money is less likely to be discretionary income - it'll be real money, not funny money that has been sitting in their Bitcoin wallet for 5 years.
So now the victim is in a really bad position and the attacker has significant leverage over them. "Hey victim, I'll give you your life savings back if you do insert_illegal_thing_here for me."
The web site isn't great but... https://darkcrystal.pw/
and here, of course, is the Scuttlebutt site: https://www.scuttlebutt.nz/
> The web site isn't great but... https://darkcrystal.pw/
> and here, of course, is the Scuttlebutt site: https://www.scuttlebutt.nz/
Sounds like a variant of Shamir's Secret Sharing [1]. Here are some other variants of secret sharing mentioned [2].
[1] https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
[2] https://en.wikipedia.org/wiki/Secret_sharing
> without simply using a centralized service like Coinbase or needing secret shares from k of n friends.
Is there any white paper or something similar?
http://hackingdistributed.com/2016/02/26/how-to-implement-se...
(There's also a slight similarity to the 'Fomo3D' blockchain game, where someone who can manage to be 'last to act' can win a large pot.)
Practically, the need to stay aware of challenges, and answer them, introduces some new costs & risks. For example:
* A user might want to have a bit of sentinel software watching-for & responding to challenges, to lower the burden on their attention/time. But then that sentinel itself becomes a regularly-online, potentially-compromisable key location. And, an attacker who can force a sentinel-outage may be able to sneak away with funds via a timely challenge.
* A user who has a secure, offline key might nonetheless have their online systems temporarily compromised by an attacker. A challenge procedure could then prompt the target to move their offline key onto a compromised system, to answer the challenge, but then lose funds that otherwise were not at risk.
That said, there might still be situations where these concerns are acceptable, perhaps in combination with further refinements (along the lines of the `Vault` idea or other tuned tradeoffs between things like amounts, timing, and number of involved keys).
A bit more darkly, I know you've more-or-less ruled out security against physical attack as a goal, but it strikes me that this system may offer an edge to attackers who can precisely time their ability to kidnap/incapacitate/kill a target. By knowing first, and exactly when, a target won't be able to respond to a challenge, the attacker can be first to claim the unprotected funds. This timing-based aspect has some similarities to the old idea of "assassination markets", where being able to precisely time a death is what lets an anonymous perpetrator collect a bounty. See:
https://en.wikipedia.org/wiki/Assassination_market
Ouch. End up in prison for wire fraud, lose all your BTC in the process cause you can't respond to the challenge. And you only figure it out years later after you got free from prison. It might be vulnerable to (other) forms of (D)DoS as well.
Let us assume the owner of the BTC deceased and took their secret key with them to the grave. Who'd be the rightful owner of the BTC? I'd say the family (who exactly and how much differs per jurisdiction!). So if you want to assure that is possible, all you need is e.g. a notary or apply shamir's secret sharing with multiple family members (arguably a poor man's notary though it has its own advantages and disadvantages e.g. a notary can conspire against you but so can family members; for a notary there's much more at stake I suppose given its their profession and credibility at stake). These solutions are less complex, and rely on your own responsibility to implement correctly. Which, to be fair, also has its pros and cons.
Have M of N existing private keys sign that a new public key can be given X rights. (Usually M should be 1 or 2 depending on security.)
This certificate can be posted in a “keybase” style merkle tree or just send the latest one to whatever gatekeepers check it.
You can also have one MASTER key (derived from a passphrase you know or store somewhere privately, or in a secure enclave unlocked with biometrics) that is required in order to do any really sensitive operation like adding or removing access to resource X (eg your identity somewhere) for a new public key.
So you can give K > M public keys to K friends and if you lose ALL YOUR DEVICES then simply get M friends together and togethee with your MASTER KEY you can grant access to a new public key to recover all your stuff.
Are you thinking the response has to be the same amount? What if challenger puts down $1M - do I have to match the amount? Or will $1 work?
What would the time period be? What if I miss the notification or the email?
With some refinement and supporting systems, maybe this could work for some economies.
Even with a mnemonic phrase for Hiercharchical Deterministic address sequences being recovered, how would your system or me know which address the funds are being associated with?