Seedless Recovery

Rarimo's Seedless Recovery provides an innovative, visual approach to crypto account recovery designed to complement traditional backup methods. Instead of relying solely on memorizing 12 or 24-word seed phrases, which can be challenging, you can leverage your natural visual memory by using distinctive physical objects (like a unique book cover, your face, or even your pet) as an additional recovery factor. This method should ideally be used in conjunction with other factors to enhance security rather than replacing established recovery practices entirely. Seedless Recovery offers cautious users an extra layer of protection, ensuring both convenience and safety without relying on centralized services.

How it works

The solution is based on account abstraction and implements the Universal Account Recovery Standard (UARS).

For the actual image recognition, Rarimo is currently researching two approaches:

1. Seedless Recovery with Bionetta ZKML: This approach uses the Bionetta ZKML framework to perform image recognition on the client side and generate ZK proofs of image proximity.
2. Seedless Recovery with Fuzzy Extractors: This approach uses fuzzy extractors to generate a unique representation of the scanned object or face, which can be used for recovery without storing the initial features vector of the object.

Seedless Recovery with Bionetta ZKML

Seedless Recovery using Bionetta ZKML involves secure, privacy-preserving account recovery through image recognition, following these steps:

Setup:

1. Scan a unique physical object (e.g., a book cover) or your face using a mobile app.
2. Extract a unique feature vector (S) from the scanned object using a locally-run ZKML model.
3. Securely store the S vector so that only you can access it (e.g., encrypted cloud storage with end-to-end encryption or share the secret between members of your social quorum, etc).
4. Compute a Poseidon hash of the S vector and store this hash in a smart contract wallet.

No raw image data is stored on-chain, and the S vector remains confidential.

Recovery:

1. Rescan the original object or face.
2. Provide the new scan, original feature vector (S), and the hash(S) to the Bionetta ZKML circuit. The circuit will:
   • Generate a new vector (S') from the scan.
   • Verify the similarity between S and S' using a distance metric: dist(S, S') < threshold
   • Prove that S matches the stored hash(S).
3. Submit the zero-knowledge proof to the smart contract wallet, which verifies and unlocks the account.

Note: While this approach requires securely storing the original S vector, it significantly enhances privacy and security by never storing raw image data on-chain.

Seedless Recovery with Fuzzy Extractors

Fuzzy Extractors offer cryptographic security for account recovery using noisy data, like images of faces or objects, without storing sensitive raw data:

Setup:

1. Scan the physical object or your face with a mobile app.
2. Generate a secure cryptographic hash H(IMG) from the scanned image using a fuzzy extractor algorithm. We will use this hash as a private key for a keypair (K_priv, K_pub). This keypair will be used to authorize wallet transactions.
3. Store K_pub in the smart contract wallet.

Recovery:

1. Rescan the same object or face.
2. Derive H(IMG) using the fuzzy extractor from the recent scan and derive the keypair (K_priv, K_pub).

The primary advantage of this method is its enhanced security and lightweight operation, as it eliminates the need to store the original feature vector (S) or run the ZKML model on the device.

Seedless Recovery for Bitcoin

Seedless Recovery is also available for Bitcoin wallets. It transforms something you already have, such as your face or a distinctive physical object, into a secure backup key without revealing the original image.

For Taproot addresses, Seedless Recovery is implemented by embedding an alternative spending path that requires the signature (by the secret key derived from the object) and timelock. Let's look at both paths:

• Key-path: This is the default method, allowing you to spend Bitcoin using your regular, full 32-byte secret key, typically used for everyday transactions.
• Recovery path: This serves as a backup method in case you lose your seed phrase. The spend key for this path is derived from:
  • Fuzzy extractor output (H(IMG)) represents a hashed version of the original image.
  • A short random nonce (r).
  • A static bitmask (m).

This recovery path includes a timelock, enhancing security (see below).

If you lose your private key, recovery involves the following steps:

1. Scan the original object again to recreate the hash (H(IMG)).
2. Recover the nonce (r). Knowing H(IMG) and m, we can recover the nonce r using Pollard's rho algorithm for discrete logarithms, which is achievable on consumer hardware in a reasonable time due to the small nonce length.
3. Derive the recovery key from the values H(IMG), r, and the known mask m.
4. Transfer funds securely to a new wallet.

Without the H(IMG) value, attackers face brute-forcing a 180-bit key, an economically impractical task. Additionally, the timelock provides extra protection against such attacks.

Challenges & limitations

• Face scanning on mobile devices will be less accurate than built-in Face ID or similar solutions due to hardware limitations.
• On its own, Seedless Recovery may not be robust enough, making it more suitable for a multi-factor authentication setup. For example, you can combine Seedless Recovery with a hardware wallet or a social recovery mechanism.

Can I use it now?

Seedless Recovery is not production grade yet. However, you can contact us on Telegram to discuss your use case and get early access to the solution.

Conclusion

Seedless Recovery utilizes visual recognition to create secure and intuitive account backups, complementing traditional recovery methods. By using memorable objects alongside established security practices, users benefit from increased convenience and resilience against loss, all without relying on centralized services.