1 of 15

Social wallet recovery

Nadav Ivgi / @shesek

FCF1 9B67 8665 62F0 8A43

AAD6 81F6 104C D0F1 50FC

2 of 15

Problem: Users lose their keys

Bitcoin owners are looking for self-sovereignty, but what happens when you can't tap your wealth because you lost access to your private keys?

3 of 15

Solution: Social recovery via m-of-n trusted friends/family

But what if your friends collude together to steal from you?

4 of 15

  • Your friends can help you recover your funds
  • But they have to announce their intention (on-chain) and wait for a predefined period
  • The user will be notified and can stop the recovery process if he's still in control of his keys

Diagram: CTV-based Two-Step Recovery Process. Wallet funds: the user normally signs alone. Friends can initiate recovery, which starts a mandatory delay period (e.g. 6 months); during that period the user can abort the recovery process; once it has passed, the funds can be recovered.

5 of 15

Why SSSS and not multi-sig?

  • The people you trust are not necessarily technical and might not be able to generate keys and sign transactions for you
  • The user generates the keys/shares and is responsible for recovery. The friends just get an envelope for safekeeping
  • Possible with large M-of-N
  • Reduced on-chain footprint and costs (even compared to Taproot+Musig)

6 of 15

The two-step recovery covenant implemented in Minsc with Taproot (including the TapTweak)

7 of 15

Wallet creation demo

8 of 15

9 of 15

10 of 15

11 of 15

Limitations I ran into

12 of 15

No CTV-capable wallets

  • There are no wallets today that can manage outputs with CTV-based scripts inside the taproot tree (even if the CTV spend path is not used)
  • Almost got it to work with the PR bitcoin/bitcoin#23480 that adds a rawtr() descriptor (unmerged WIP)
  • A more ideal solution is rawleaf() suggested in bitcoin/bitcoin#24114 (not yet implemented)

13 of 15

One-time backups are tricky

  • CTV requires pre-committing to exact output amounts, which must be known in order to recover
  • Using dynamic amounts means the user has to keep updating the backup
  • Some solutions:
    • Multiple fixed denominations (e.g. 0.1/0.2/0.3/0.5/1.0 BTC) - what I did for the hackathon
    • Scan all outputs
    • Mark outputs with OP_RETURN
    • Elements-style covenant introspection opcodes
    • Add support for relative amounts to CTV - allow output amounts to be defined as total_input_sum - N (also helps avoid stuck funds!)
    • Accept that backups are dynamic and get your friends to install an app?
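The amount pre-commitment problem above, as an added example that is not code from the talk or the linked repository: the BIP-119 default template hash for a one-output recovery transaction, computed once per fixed denomination so the hashes can live in a one-time backup. The recovery scriptPubKey (a dummy P2TR output), the flat fee and the single-input, empty-scriptSig transaction shape are assumptions; the denomination list is the one on the slide.

```python
import hashlib
import struct

# Constructed placeholder: the scriptPubKey the recovery transaction pays to
# (P2TR, OP_1 <32-byte key>; the key bytes are a dummy, not a real key).
RECOVERY_SPK = bytes.fromhex("5120" + "ab" * 32)

# Assumed flat fee deducted from the covenant output (the real design may differ).
FEE_SAT = 1_000

# The fixed denominations from the slide, in BTC.
DENOMINATIONS_BTC = [0.1, 0.2, 0.3, 0.5, 1.0]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize encoding (scriptPubKeys are short, so one byte suffices here)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n)


def serialize_output(amount_sat: int, spk: bytes) -> bytes:
    # CTxOut serialization: int64 LE value, CompactSize length, scriptPubKey
    return struct.pack("<q", amount_sat) + compact_size(len(spk)) + spk


def ctv_template_hash(outputs, input_index=0, n_inputs=1, sequence=0,
                      version=2, locktime=0) -> bytes:
    """BIP-119 DefaultCheckTemplateVerifyHash for a transaction whose inputs all
    have empty scriptSigs (true for Taproot), so the scriptSig hash is omitted."""
    data = struct.pack("<i", version) + struct.pack("<I", locktime)
    data += struct.pack("<I", n_inputs)
    data += sha256(struct.pack("<I", sequence) * n_inputs)
    data += struct.pack("<I", len(outputs))
    data += sha256(b"".join(serialize_output(a, s) for a, s in outputs))
    data += struct.pack("<I", input_index)
    return sha256(data)


def recovery_template(denom_sat: int) -> bytes:
    """Template for spending one covenant output of exactly denom_sat into the
    recovery output. Any other input amount would need a different template."""
    return ctv_template_hash([(denom_sat - FEE_SAT, RECOVERY_SPK)])


def backup_templates() -> dict:
    """One template hash per denomination: this is what a one-time backup must carry."""
    return {btc: recovery_template(round(btc * 100_000_000)).hex() for btc in DENOMINATIONS_BTC}
```

Because the output amount is hashed into the template, a covenant address built from `recovery_template(10_000_000)` can only ever be recovered if it received exactly 0.1 BTC; funding it with any other amount leaves the recovery path unusable, which is the problem the fixed-denomination scheme works around.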

14 of 15

What works & what doesn’t

  • Can create a wallet backup with secret share splitting
  • Can prepare the CTV-based covenant with the transaction template
  • Can generate Taproot addresses with the recovery clause leaf to receive funds
  • Cannot spend :-(

15 of 15

Thank you

Source code:

https://github.com/shesek/plebfi2022-social-recovery
