Part 1: Genesis of Ledger Recover – Self Custody Without Compromise

2023-7-27 14:51

Ledger’s objective has always been to deliver uncompromising security and usability to anyone exploring the world of digital assets. Of all the self-custody solutions to keep your private keys safe and accessible, our hardware devices are second to none.

When using a Ledger device, you are guaranteed that no one can interact with your private keys without your consent. Ever. Any interaction with the secrets held by your device will always require a manual action on your end: it’s the core principle behind your hardware wallet’s security.

But pure technical security is only part of the equation, and the user experience in crypto has much room for improvement. The first question every newcomer asks when going down the self-custody path and generating their Secret Recovery Phrase is: “What the heck do I do with these 24 words?”.

While some people may memorize their Secret Recovery Phrase, I don’t have this kind of trusting relationship with my brain. The standard advice so far has been to write them down on a piece of paper or in a metal store, and to keep it in a secure location. These options are not ideal, and make it harder to increase crypto-adoption.

In order to make self-custody more easily accessible, Ledger has brought forward a new answer: Ledger Recover.

In short, Ledger Recover is a self-custody solution to securely back up your Secret Recovery Phrase to the cloud, allowing you – and only you – to restore it to your hardware device in the future.

Reading this, your crypto-spidey senses should be tingling: Cloud and Secret Recovery Phrase backup don’t usually go well together. But the reality is that a cloud backup can be a perfect solution, as long as it is well-designed and entirely secure.

There are several reasons why other cloud backups solutions have a bad reputation: the Secret Recovery Phrase is at some point unencrypted (whether on your computer, browser, or server), the backup is usually held by a single entity, and it’s too easy to access it.

While designing Ledger Recover, we carefully considered these objections (and more) and succeeded in building the most secure solution for crypto users looking for a simpler yet robust personal OpSec.

Ledger Recover’s flow: Maybe a bit much to take all at once

To understand its rather complex design, let’s rebuild it together from scratch over the course of a few blog posts. Our starting point will be this simple idea:

I have a Secret Recovery Phrase on a bulletproof hardware wallet and would like to back it up online, without compromising security or control.

First, let’s look at how you could do this yourself, moving away from having your Secret Recovery Phrase written on a piece of paper. Then, we’ll dig a little deeper into how Ledger Recover does the same, or even better, online.

The Entropy, the Seed, and the Secret Recovery Phrase

In this blog post and various Ledger publications, we often mention the ‘Secret Recovery Phrase’, the ‘seed’ and the ‘entropy’, somewhat interchangeably. While not being strictly equivalent, these three concepts are tightly linked, and their usage depends on the technical context.

Want to learn more about this? Ledger Academy has got you covered!

Splitting the Secret Recovery Phrase: A key way to keep control

The first thing you want to avoid is giving your entire Secret Recovery Phrase to any single entity, as secure or trustful as they might be. Once again, self-custody is critical for effective fund management, so giving your entire Secret Recovery Phrase to anyone is never acceptable. 

Any weakness in the system, whether human or machine, would compromise all your funds, or make you lose your backed-up Secret Recovery Phrase. This is why cloud backups have such a bad reputation in Web3, and why any standard cloud backup system is unsuitable for handling Secret Recovery Phrases.

The classic way to avoid this loss of control is to distribute the risk by splitting your Secret Recovery Phrase into multiple parts, also called shares or fragments. Each share is only a part of your secret, so they will need to be combined to obtain the original Secret Recovery Phrase. Individually, they are useless. Therefore, these shares can be given separately to different people such that no single entity can recombine the Secret Recovery Phrase.

If you need to recover your Secret Recovery Phrase – maybe because you’ve lost your hardware device and need to initialize a new one – you would ask each ‘backup friend’ for their share.

Now, what’s the best way to split your Secret Recovery Phrase?

One option is to write your 24-words on a piece of paper, then cut it into three parts, for example, which are each given to different people to hold safely. In this setup, all three of your friends would have to collude to steal your hard-earned crypto.

The Secret Recovery Phrase split into three parts

This kind of naive split is easy to perform, but is far from ideal. While it does not readily submit control of your funds, each share reveals a big part of your Secret Recovery Phrase, which heavily reduces the difficulty of guessing the rest of it. The situation is even worse if any two of your backup friends collude because they have enough information to perform a brute-force attack to find the remaining part. Finally, if even a single one of your friends has genuinely lost their share, then the only way for you to recover it is to’ brute-force it’ yourself.

There is also a question of how the split is done: You don’t want anyone eavesdropping while you process your most valuable secret. It must be done in a secure and safe environment.

How Ledger Recover does it: Shamir Secret Sharing

Luckily, in the case of digital secrets, cryptography has a better way of splitting than the method above in the form of the Shamir Secret Sharing scheme (abbreviated SSS later).

Using SSS to split your Secret Recovery Phrase guarantees that each share provides no extra information on the rest of the Secret Recovery Phrase. In other words, the difficulty of guessing the entire Secret Recovery Phrase remains the same whether you have prior knowledge of one of the shares or not.

On top of that, SSS easily supports m-of-n setups, which means you can generate n shares to be distributed but only need m shares to rebuild your Secret Recovery Phrase. In other words you can afford to lose some parts of your backup without impacting its restoring capabilities. This added redundancy is very important to create a resilient system.

In Ledger Recover, we have chosen to use a 2-of-3 scheme. It means at least two shares are required to rebuild the original Secret Recovery Phrase. In this way, no single backup provider has control of your secret, but the backup is resilient to the loss of one provider.

The initial three backup providers are:
– Coincover, a company based in the UK,
– EscrowTec, a company based in the US,
– And us, Ledger, based in France.

In the future, we also intend to have more backup providers to choose from. This will allow users to build the best setup for themselves.

You can find an excellent introduction to SSS here, but let us give you a feel of how it works for a simple 2-of-n scheme.

Using our elementary school math courses, we know that only one straight line goes through two distinct points, but an infinite number of straight lines go through a single point.

We’ll be using this to generate the shares of your secret:

Let’s say the secret is the value s We then pick a random straight line that goes through the point (0,s) We can define the n shares as the points of the random line at indices {x=1, x=2, x=3, …, x=n}  Share generation in Shamir Secret Sharing scheme

Now, if you have any two shares, you can easily reconstruct the only straight line that goes through them. You will have retrieved your initial secret by intersecting this line with the y-axis (x=0).

But if you only have a single share, an infinite number of straight lines go through it, so the secret could be any number, and guessing the right line is as difficult as guessing the secret in the first place!

Pedersen Verifiable Secret Sharing

Ledger Recover uses a variation of Shamir Secret Sharing, called Pedersen Verifiable Secret Sharing. Like SSS, this scheme securely splits a secret into shares in any m-of-n setup. However, as the name implies, it allows the Ledger Recover Orchestrator to verify that the backup providers have the correct shares. With the Pedersen VSS, backup providers can double-check the shares they protect when a user activates the recovery process of their Secret Recovery Phrase.

It allows us to notify all involved parties when the backup is done with a guarantee of correctness. This is extremely useful to make the solution resilient to data loss and bad actors.

To learn more about Pedersen’s VSS, you can head over to Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing.

As mentioned before, this cryptographic process needs to be done in a protected environment so no part of the secret is ever revealed to potential attackers. When using Ledger hardware wallets, the share computation is entirely done inside the Secure Element, under the strict control of the user pin code. This ensures that no external software or machine can ever access the Secret Recovery Phrase during the backup process. More on this in the next blog posts of the series!

Ok, let’s back up a bit

We’ve learned that when designing a backup, it is good practice to split your secret into multiple shares and distribute them to different backup providers (friends, trusted entities, etc.). This is compatible with self-custody, as you remain the only person able to retrieve the entire seed phrase without depending on third-party approval to use your funds. However, the split scheme cannot be left to chance, as it can drastically reduce your overall security if chosen incorrectly.

Thanks to a 2-of-3 setup using Pedersen Verifiable Secret Sharing scheme, we have made Ledger Recover more resilient to backup provider failures. By performing the share split entirely inside your hardware wallet’s Secure Element, the user’s Secret Recovery Phrase is not vulnerable to malicious parties. In addition, we can safely verify that backups are correctly generated, which is crucial if we want to restore them in the future!

Now it’s time for Part 2 to address the next elephant in the room: How can you securely generate and distribute the shares over an open network, without compromising your Secret Recovery Phrase?

Similar to Notcoin - Blum - Airdrops In 2024

origin »

Quantum Resistant Ledger (QRL) íà Currencies.ru

$ 0 (+0.00%)
Îáúåì 24H $0
Èçìåíåèÿ 24h: 0.00 %, 7d: 0.00 %
Cåãîäíÿ L: $0 - H: $0.307
Êàïèòàëèçàöèÿ $0 Rank 99999
Öåíà â ÷àñ íîâîñòè $ 0.1392 (-100%)

recover your ledger phrase cloud allowing restore

recover your → Ðåçóëüòàòîâ: 29


Wallet Recovery Service KeychainX Can Recover Your Bitcoin wallet and Bring Your Funds Back

There have been many cases when those who had bought crypto long ago could not reach it because they have lost the keys to their wallets. Amidst growing crypto rates and news background announcing a prosperous future for those smart who managed to buy coins beforehand, thus, enriching with the growing market, it comes to […] Ñîîáùåíèå Wallet Recovery Service KeychainX Can Recover Your Bitcoin wallet and Bring Your Funds Back ïîÿâèëèñü ñíà÷àëà íà Coinstelegram.

2021-9-20 17:55


Are crypto-regulations alone enough to safeguard your Bitcoins against an exchange hack?

No amount of doodles, numbers, and letters in your password can help recover your Bitcoins stored on a crypto-exchange if it happens to get hacked. However, the main target here is not your crypto-walThe post Are crypto-regulations alone enough to safeguard your Bitcoins against an exchange hack? appeared first on AMBCrypto.

2020-5-9 18:00


On Collusion

Special thanks to Glen Weyl, Phil Daian and Jinglan Wang for review Over the last few years there has been an increasing interest in using deliberately engineered economic incentives and mechanism design to align behavior of participants in various contexts.

2019-4-5 04:03


Ôîòî:

This company promises to recover files from your locked iPhone – but it won’t help the FBI

DriveSavers, a company known for its data recovery services, announced that it can offer “passcode lockout recovery service,” which means it can unlock your secured iPhone. That’s notable because it’s damn near impossible to unlock an iOS device without the passcode or access to the owners’ biometric signatures for authentication.

2018-11-28 16:50


XRP Crashes 40% From September High

This year has been a strange one for XRP (and digital currency in general!), the token has seen fluctuation after fluctuation and the price has never stayed in one area for a long period of time. The token, owned and designed by Ripple, has recently seen a change in price over the past month and even a time when we thought that the bad times were essentially over but now it has crashed down by over 40% from its high in September of $0.

2018-10-11 12:30