It has been encouraging to watch crypto users become more savvy over time with respect to private key storage. Although I still think key loss is the number one attack vector (albeit self-inflicted), its prevalence seems much lower than it was even a year ago. Bravo, community!

With that said, we are still far from having a product ready for the mass market. I have long believed that most mainstream users prefer to have their accounts in the custody of a third party (up until that third party is hacked, of course) simply because it is one fewer worry. The crypto mindset of “be your own bank” does not resonate with “normal people” and Grid+ is building a product with those people in mind. What to do?

Although tools like MyEtherWallet, MetaMask and Trezor/Ledger provide arguably the best recovery mechanism we can get with a single device (i.e. backing up by physically writing down a BIP39 seed phrase), this remains vulnerable to what we at Grid+ like to call the “sock drawer attack”.

The Sock Drawer Attack

Have you ever kept your Ledger Nano S or Trezor backup seed in your sock drawer? If so, you have been exposed to the sock drawer attack! Imagine a physical attacker suspects you have lots of cryptocurrency and gains entry to your residence while you are away. This attacker rummages through your sock drawer and pulls out a piece of paper that looks like this:

[Image: a blank BIP39 recovery sheet. Caption: "Except with the words written down"]

Whoops, there goes your life’s savings. Such is the problem with single-device keys, which must be guarded with a physical backup.

Note that a reasonably cautious person who really did have their life’s savings on a hardware wallet would likely rent a safety deposit box at a bank or bury their seed phrase in Central Park. Regardless, the attack vector rests somewhere in the physical world.

Shamir’s Secret Sharing

In 1979 Adi Shamir published a new cryptographic scheme to split a secret S into a set of n slices such that any subset of size k may be combined to reveal the original secret, but any subset of size k-1 (or smaller) reveals no information about S. If you want to try it out, a node.js implementation is available here.

In this article, we propose an architecture utilizing Shamir’s Secret Sharing with multiple actors to allow recovery of any key without needing a physical backup.

Devices in Grid+

We begin with three identifiable actors, of which two are user-controlled. The Agent device is an always-on, general-compute device that pays for your electricity every hour via Ethereum. The Mobile Phone holds a Grid+ app, which “owns” your Agent via our Registry contract.

Both the Agent and the Mobile Phone are required to use Grid+ and each has its own public/private key pair.

Create the slices

Assume that we want to share the Mobile Phone private key with the other two actors. The app slices its private key into 3 pieces using Shamir’s algorithm.

// 3 slices, 2 needed to recover.
// secrets.share(secret, numShares, threshold) from the node.js Shamir implementation
// linked above; private_key is the key as a hex string. (Package name assumed.)
var secrets = require('secrets.js-grempe');
var slices = secrets.share(private_key, 3, 2);

All three slices are now held on the phone.

Distributing the slices

The first slice can be distributed to the Grid+ server with a simple HTTPS POST request.

Now the server holds one of the slices, which Grid+ stores for backup.

The next slice needs to be sent to the other user-controlled device, but in the Grid+ architecture it must pass through our server. In order to avoid exposing this secret slice to Grid+, it is first encrypted with the Agent’s public key. However, the Agent must first send Grid+ that public key, at which point it can be requested by the phone.

With the Agent’s public key in hand, the phone can now encrypt another slice and send it to the server, at which point the Agent can access the encrypted slice.

The last step is to decrypt the secret with the Agent’s private key. Voila! The secrets are distributed.

Recovering an account

Now suppose something happens to your phone. Maybe you get mugged or simply forget to back up your accounts during an upgrade (I’ve done this). In any event, assume that your phone is now gone, but you still have your Agent.

If your Agent requests K1 from our server via an HTTPS GET request, it is able to reconstruct your old phone’s private key via that nifty Shamir algorithm and subsequently withdraw any funds and/or transfer Agent ownership to a new address that your phone generates.

// K1: the slice fetched from the Grid+ server; K3: the slice the Agent decrypted earlier.
// Any 2 of the 3 slices reconstruct the phone's private key.
var private_key = secrets.combine([K1, K3]);

Note that all Grid+ customers are KYCed and this recovery process will probably be slow and manual, but the service will be available to any Grid+ customer for a small fee.

More devices, more recovery

This scheme is also extendable to more devices. Suppose you add your mom’s iPad as a trusted device by installing the Grid+ app and the secret gets split into 4. Note that in this case, your own phone would remain the “admin” and could block any recovery attempts.

With 4 slices and only 2 needed for recovery, you can rest assured that even if your house burns down, destroying both the Agent and your phone, you can still recover both keys (Agent and phone) with your mom’s iPad and your KYC credentials.

Your sock drawer is not safe

This architecture obviates the need for a physical backup. It could also be configured to leave Grid+ out and instead utilize additional backup devices. In this case, Grid+ would not be party to any account recovery and all secrets, when shared, would pass through the Grid+ server encrypted.

Grid+ plans to offer a 2-of-3 recovery service option by default. We believe this architecture is a good tradeoff of privacy, security, and trust and enables us to bring cryptocurrency use to a mainstream audience in a seamless UX. We hope that customers will find comfort in this configuration but, as usual, privacy settings in Grid+ are ultimately up to the user. If you feel more comfortable backing up your keys individually, you are free to do that instead. All we ask is that you don’t use your sock drawer.

If you liked this article, be sure to check out gridplus.io for more information and subscribe to get updates.