ARC-85: Revocable Decentralized Recovery (ReDeRec) #344
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tasosbit
changed the title
Contributor
Author
|
Validated the proof of concept with goal and documented it here: https://gist.github.com/tasosbit/493a4cd82c4d950efb463ad11a2efa02 |
cusma
reviewed
Jun 19, 2025
| --- | ||
|
|
||
| ## Abstract | ||
| This ARC outlines a new approach to Decentralized Recovery which enables revocability. Instead of sharing private key shards with custodians, an Algorand account can be rekeyed to a specially crafted multisig so that the owner account can self-sign, and the recovery custodians can combine in a multisig threshold fashion (2/3, 3/4, etc) to help recover the account. Self-signing is enabled by repeating the owner account's key in the subsigners field, in order to satisfy the threshold requirement as a standalone signer. Revoking custodians is as simple as rekeying to another authorizer account. |
Contributor
There was a problem hiding this comment.
Suggested change
| This ARC outlines a new approach to Decentralized Recovery which enables revocability. Instead of sharing private key shards with custodians, an Algorand account can be rekeyed to a specially crafted multisig so that the owner account can self-sign, and the recovery custodians can combine in a multisig threshold fashion (2/3, 3/4, etc) to help recover the account. Self-signing is enabled by repeating the owner account's key in the subsigners field, in order to satisfy the threshold requirement as a standalone signer. Revoking custodians is as simple as rekeying to another authorizer account. | |
| This ARC outlines a new approach to _Decentralized Recovery_, which enables revocability. Instead of sharing private key shards with custodians, an Algorand account can be rekeyed to a weighted multi-signature so that the owner account can self-sign, and the recovery custodians can combine in a multi-signature threshold fashion (2/3, 3/4, etc.) to help recover the account. Self-signing is enabled by repeating the owner account's key in the sub-signers field, to satisfy the threshold requirement as a standalone signer. Revoking custodians is as simple as rekeying to another authorizer account. |
| This ARC outlines a new approach to Decentralized Recovery which enables revocability. Instead of sharing private key shards with custodians, an Algorand account can be rekeyed to a specially crafted multisig so that the owner account can self-sign, and the recovery custodians can combine in a multisig threshold fashion (2/3, 3/4, etc) to help recover the account. Self-signing is enabled by repeating the owner account's key in the subsigners field, in order to satisfy the threshold requirement as a standalone signer. Revoking custodians is as simple as rekeying to another authorizer account. | ||
|
|
||
| ## Motivation | ||
| Sharing private key shards for decentralized recovery purposes is a concern that is worth addressing. This ARC improves upon the irrevocable nature of "classic" decentralized recovery by introducing an "active-state" method to achieve the same result without the potential for private key compromise if enough shards are compromised over time. |
Contributor
There was a problem hiding this comment.
Suggested change
| Sharing private key shards for decentralized recovery purposes is a concern that is worth addressing. This ARC improves upon the irrevocable nature of "classic" decentralized recovery by introducing an "active-state" method to achieve the same result without the potential for private key compromise if enough shards are compromised over time. | |
| Sharing private key shards for decentralized recovery purposes is a concern worth addressing. This ARC improves upon the irrevocable nature of "classic" decentralized recovery by introducing an "active-state" method to achieve the same result without the potential for private key compromise if enough shards are compromised over time. |
| ## Specification | ||
| The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL NOT**", "**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this document are to be interpreted as described in <a href="https://www.ietf.org/rfc/rfc2119.txt">RFC-2119</a>. | ||
|
|
||
| An active decentralized recovery signer account is a multi-signature composed the owner account and the "custodian" accounts. |
Contributor
There was a problem hiding this comment.
Suggested change
| An active decentralized recovery signer account is a multi-signature composed the owner account and the "custodian" accounts. | |
| An active decentralized recovery signer account is a weighted multi-signature with threshold `T`, composed of the Owner and the Custodians (`C`). |
|
|
||
| An active decentralized recovery signer account is a multi-signature composed the owner account and the "custodian" accounts. | ||
|
|
||
| - The Owner Account (OA) MUST be able to sign for transactions without requiring signatures from any other party. |
Contributor
There was a problem hiding this comment.
Suggested change
| - The Owner Account (OA) MUST be able to sign for transactions without requiring signatures from any other party. | |
| - The Owner **MUST** be able to sign for transactions without requiring signatures from any other party. |
| An active decentralized recovery signer account is a multi-signature composed the owner account and the "custodian" accounts. | ||
|
|
||
| - The Owner Account (OA) MUST be able to sign for transactions without requiring signatures from any other party. | ||
| - Custodian accounts (CAs) MUST be able to sign for transactions when enough signatures are presented to meet the recovery threshold. |
Contributor
There was a problem hiding this comment.
Suggested change
| - Custodian accounts (CAs) MUST be able to sign for transactions when enough signatures are presented to meet the recovery threshold. | |
| - Custodians' signature weight **MUST** be equal to 1. | |
| - A _single_ Custodian **MUST NOT** be able to sign for transactions. | |
| - Any group of `K` out of `C` Custodians, with `K <= C`, **MUST** be able to sign for transactions. |
|
|
||
| Note: Algorand allows for a single-signature account to be rekeyed to a multisig wherein the single-sig is its own sub-signer, which enables users to use this pattern without requiring a new private key (and corresponding mnemonic to save.) | ||
|
|
||
| Example: Alice wants to add Bob, Eve and Steve as recovery custodians to her account. She wants any 2 of the 3 custodians to be able to help her recover her account. |
Contributor
There was a problem hiding this comment.
Suggested change
| Example: Alice wants to add Bob, Eve and Steve as recovery custodians to her account. She wants any 2 of the 3 custodians to be able to help her recover her account. | |
| ## Example | |
| Alice wants to add Bob, Eve, and Steve as _recovery custodians_ to her account. She wants any 2 (`K`) of the 3 (`C`) custodians to be able to help her recover her `T` out of `N` weighted multi-signature account with `T = K = 2` and `N = T + C = 5`. |
|
|
||
| - The Owner Account (OA) MUST be able to sign for transactions without requiring signatures from any other party. | ||
| - Custodian accounts (CAs) MUST be able to sign for transactions when enough signatures are presented to meet the recovery threshold. | ||
| - The recovery threshold (T) is the number of CA signatures required to recover an account. |
Contributor
There was a problem hiding this comment.
Suggested change
| - The recovery threshold (T) is the number of CA signatures required to recover an account. | |
| Given the requirements, a ReDeRec account **MUST** be a `T` out of `N` weighted threshold multi-signature with: | |
| - `T = K > 1`; | |
| - `N = T + C`. |
| ``` | ||
|
|
||
| ## Backwards Compatibility | ||
| This method requires a wallet that supports rekeying and multi-signature accounts. Beyond that on-chain compatibility should be 100%, as transaction signature schemes are transparent as far as Applications are concerned. Off-chain systems validating account ownership for "login" functionality must be able to support multi-sig accounts. |
Contributor
There was a problem hiding this comment.
Suggested change
| This method requires a wallet that supports rekeying and multi-signature accounts. Beyond that on-chain compatibility should be 100%, as transaction signature schemes are transparent as far as Applications are concerned. Off-chain systems validating account ownership for "login" functionality must be able to support multi-sig accounts. | |
| - On-Chain: Guaranteed, as both _multisig_ and _rekey_ are native protocol features, and transaction signature schemes are transparent to Applications. | |
| - Off-Chain: Wallet **MUST** support _rekeying_ and _multisig_ accounts. Off-chain systems validating account ownership for "login" functionality **MUST** support _multisig_ accounts. |
| TODO | ||
|
|
||
| ## Security Considerations | ||
| Note that when accounts are closed out (i.e. taken to a zero ALGO balance) their rekeying status reverts to the default, so users of active DeRec are RECOMMENDED to maintain a minimum balance requirement above the base account MBR (0.1 ALGO) as a safety precaution against accidental close-outs. |
Contributor
There was a problem hiding this comment.
Suggested change
| Note that when accounts are closed out (i.e. taken to a zero ALGO balance) their rekeying status reverts to the default, so users of active DeRec are RECOMMENDED to maintain a minimum balance requirement above the base account MBR (0.1 ALGO) as a safety precaution against accidental close-outs. | |
| Note that when accounts are closed out (i.e., taken to a zero ALGO balance), their rekeying status reverts to the default, so users of active DeRec are **RECOMMENDED** to maintain a minimum balance requirement above the base account MBR (0.1 ALGO) as a safety precaution against accidental close-outs. |
| ## Security Considerations | ||
| Note that when accounts are closed out (i.e. taken to a zero ALGO balance) their rekeying status reverts to the default, so users of active DeRec are RECOMMENDED to maintain a minimum balance requirement above the base account MBR (0.1 ALGO) as a safety precaution against accidental close-outs. | ||
|
|
||
| Availability of the custodian account private keys is not enforced in this standard. A periodic heartbeat mechanism could be built for CA subsigners to prove that their private keys are still available. |
Contributor
There was a problem hiding this comment.
Suggested change
| Availability of the custodian account private keys is not enforced in this standard. A periodic heartbeat mechanism could be built for CA subsigners to prove that their private keys are still available. | |
| This standard does not enforce the availability of the custodian account's private keys. It is **RECOMMENDED** to adopt a periodic heartbeat mechanism for Custodian sub-signers to prove that their private keys are still available. |
cusma
reviewed
Jun 19, 2025
| --- | ||
| arc: 85 | ||
| title: Revocable Decentralized Recovery (ReDeRec) | ||
| description: Revocable Decentralized Recovery protocol utilizing rekeying and multisigs instead of sharing mnemonic shards. |
Contributor
There was a problem hiding this comment.
Suggested change
| description: Revocable Decentralized Recovery protocol utilizing rekeying and multisigs instead of sharing mnemonic shards. | |
| description: Revocable Decentralized Recovery protocol utilizing rekeying and multi-signatures instead of sharing mnemonic shards. |
|
When discussing wallets in the Backwards Compatibility section, it may be worth mentioning that while Multi-Sig support is required, an additional feature of bypassing the signature collection step when the signer has enough weight is highly encouraged to make the UX bearable. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This ARC outlines a new approach to Decentralized Recovery which enables revocability.
Instead of sharing private key shards with custodians, an Algorand account can be rekeyed to a specially crafted multisig so that the owner account can self-sign, and the recovery accounts ("custodians") can combine in a multisig threshold fashion (2/3, 3/4, etc) to help recover the account.
Self-signing is enabled by repeating the owner account's keys in the subsigners field, in order to satisfy the threshold requirement as a standalone signer. Revoking custodians is as simple as rekeying to another account.
For those unfamiliar with GitHub, you can view an easily readable version of the proposal here: https://github.com/tasosbit/ARCs/blob/arc85-active-derec/ARCs/arc-0085.md
TODO:
[ ] Test cases
[ ] Reference Implementation?