Seedless Recovery
Rarimo's Seedless Recovery provides an innovative, visual approach to crypto account recovery designed to complement traditional backup methods. Instead of relying solely on memorizing 12 or 24-word seed phrases, which can be challenging, you can leverage your natural visual memory by using distinctive physical objects (like a unique book cover, your face, or even your pet) as an additional recovery factor. This method should ideally be used in conjunction with other factors to enhance security rather than replacing established recovery practices entirely. Seedless Recovery provides cautious users with an extra layer of protection, ensuring both convenience and safety without reliance on centralized services.
How it works
The solution is based on account abstraction and implements the Universal Account Recovery Standard (UARS).
For the actual image recognition, Rarimo is currently researching two approaches:
- Seedless Recovery with Bionetta ZKML: This approach uses the Bionetta ZKML framework to perform image recognition on the client side and generate ZK proofs of image proximity.
- Seedless Recovery with Fuzzy Extractors: This approach uses fuzzy extractors to generate a unique representation of the scanned object or face, which can be used for recovery without storing the raw image data.
Seedless Recovery with Bionetta ZKML
Seedless Recovery using Bionetta ZKML involves secure, privacy-preserving account recovery through image recognition, following these steps:
Setup:
- Scan a unique physical object (e.g., a book cover) or your face using a mobile app.
- Extract a unique feature vector (S) from the scanned object using a locally-run ZKML model.
- Securely store the S vector so that only you can access it (e.g., encrypted cloud storage with end-to-end encryption).
- Compute a Poseidon hash of the S vector and store this hash in a smart contract wallet.
No raw image data is stored on-chain, and the S vector remains confidential.
Recovery:
-
Rescan the original object or face.
-
Provide the new scan, original feature vector (S), and the hash(S) to the Bionetta ZKML circuit. The circuit will:
-
Generate a new vector (S') from the scan.
-
Verify the similarity between S and S' using a distance metric:
dist(S, S') < threshold
-
Prove that S matches the stored hash(S).
-
-
Submit the zero-knowledge proof to the smart contract wallet, verifying and unlocking the account.
Note: While this approach requires securely storing the original S vector, it significantly enhances privacy and security by never storing raw image data on-chain.
Seedless Recovery with Fuzzy Extractors
Fuzzy Extractors offer cryptographic security for account recovery using noisy data, like images of faces or objects, without storing sensitive raw data:
Setup:
- Scan the physical object or your face with a mobile app.
- Generate a secure cryptographic hash from the scanned image using a fuzzy extractor algorithm. This derived key does not expose sensitive image information.
- Store this cryptographic hash on a smart contract.
Recovery:
- Rescan the same object or face.
- Generate a new hash using the fuzzy extractor from the recent scan.
- Submit this new hash to the smart contract. If the new hash closely matches the stored hash within an acceptable threshold (
d
), the smart contract will unlock the account.
The primary advantage of this method is its enhanced security and lightweight operation, as it eliminates the need to store the original feature vector (S) or running the ZKML model on the device.
Seedless Recovery for Bitcoin
Seedless Recovery is also available for Bitcoin wallets. It transforms something you already have, such as your face or a distinctive physical object, into a secure backup key without revealing the original image.
For Taproot wallets, Seedless Recovery is implemented by embedding a small script tree next to the standard key-path. Let's look at both paths:
-
Key-path: This is the default method, allowing you to spend Bitcoin using your regular, full 32-byte secret key, typically used for everyday transactions.
-
Recovery path: This acts as an emergency method if you lose your seed phrase. The spend key for this path is derived from:
- A 120-bit fuzzy extractor output (H(IMG)), representing a hashed version of the original image.
- A random 60-bit nonce (r).
- A static 16-bit mask (m).
This recovery path includes a timelock, enhancing security (see below).
If you lose your private key, recovery involves the following steps:
- Scan the original object again to recreate the hash (H(IMG)).
- Recover the nonce (r) using Pollard’s rho algorithm for discrete logarithms, which is achievable on consumer hardware in a reasonable time due to the 60-bit nonce length.
- Derive the recovery key from the values H(IMG), r, and the known mask m.
- Transfer funds securely to a new wallet.
Without the H(IMG) value, attackers face brute-forcing a 180-bit key, an economically impractical task. Additionally, the timelock provides extra protection against such attacks.
Challenges & limitations
- Face scanning on mobile devices will be less accurate than built-in Face ID or similar solutions, due to hardware limitations.
- On its own, Seedless Recovery may be not robust enough, making it more suitable for a multi-factor authentication setup. For example, you can combine Seedless Recovery with a hardware wallet or a social recovery mechanism.
Can I use it now?
Seedless Recovery is not production grade yet. However, you can contact us on Telegram to discuss your use case and get early access to the solution.
Conclusion
Seedless Recovery leverages visual recognition to create secure, intuitive account backups, complementing traditional recovery methods. By using memorable objects alongside established security practices, users benefit from increased convenience and resilience against loss, all without relying on centralized services.