Self-sovereign cryptocurrency private key recovery introduced by Squarelink
Private key management has come a long way, but there's still an enormous distance to go.
Squarelink is now "the only pure non-custodial private key recovery platform for cryptocurrency and blockchain applications", according to a press release.
It may be worth contextualising the problem this is solving in the wider context of what cryptocurrency needs for wider adoption.
Not your keys, not your crypto
Or maybe it's "your keys, your crypto" if you're more of a glass-half-full type.
Private key management is simultaneously one of the most commonly-identified obstacles to cryptocurrency adoption and one of the least-solved problems in the space.
Part of the issue is that it's just so comprehensively alien to what people are used to and to what they want. One of the defining technology trends of the last decade is a constant consumer preference for convenience over security and a strong desire to outsource management of our personal data to third parties for the sake of even more convenience.
But cryptocurrency, by its self-sovereign nature, inhabits the exact opposite end of the scale. Suddenly, the full weight of management is put back onto the end user, who mostly just wanted to make a quick buck rather than babysit a password in perpetuity. It runs counter to everything we've come to expect from other technologies that gravitate towards speed and convenience.
Beyond convenience, there's also the risk of having no recourse if something goes wrong. The strong growth of digital asset custody services in recent years is a testament to the fact that a lot of people would much rather risk using a licensed and regulated third party than be left with no recourse in case of human error on their end.
It's a valid concern.
According to BitInfoCharts, 64% of Bitcoin in circulation has not moved in over a year, 39% has not moved in two years and 24% has not moved in five years. The first possible conclusion here is that all these hodlers have strong hands. The second conclusion, which is potentially much more likely based on the fact that the overwhelming majority of dormant addresses over the years never made a single transfer out, is that private key management sucks and the vast majority of Bitcoin is gone forever.
Another piece of evidence, which lends further support to the theory of lost keys rather than strong hands, is that private key management does indeed suck. That said, the immutability and censorship resistance of cryptocurrency, and to a certain extent the generally low cost of using it, hinge on personally managing one's own keys.
At the intersection of these problems, we find the highly-specific, but also potentially very important, question of how to create a reliable non-custodial private key recovery system.
The answer, in short, is lots and lots of cryptography.
Username and password and private key
Squarelink aims to be a holistic private key management service, bringing that "single sign-in" convenience to blockchain, where you can use the same account to sign into a wide range of dapps.
As such, the main event of a Squarelink account is an encrypted 512-bit Master Key, which can be used to access a number of private keys on the same Squarelink account.
This Master Key is generated at the time of account creation. When a user sets up an account, they enter their email address and choose a password as usual. Their email and password are then individually put through the cryptographic wringer and combined with additional cryptographic mojo from the Squarelink application, and then they are put through the wringer again. This combination is used to generate the Master Key.
The Master Key is heavily encrypted and never accessible to Squarelink, but a user can still unlock it with their email and password combination on the Squarelink application. With this, you now have a system for managing multiple private keys with one email and password combination in a way that the manager cannot see the email and password.
Now you add a password recovery system.
This is done with a Recovery Seed, which can be used to re-generate the Master Key. It's an encrypted bundle kept in two separate parts, which can only be unlocked by bringing both parts together.
One of these parts is a combination of a public key derived from the Master Key and the aforementioned cryptographic mojo, which is stored in relation to the user's password. As such, this half is intrinsically tied to the account's Master Key and the account, but it's also encrypted in its own way and useless by itself.
The other half is a separately-encrypted version of the password, which can only be unlocked by data the user provides. This data can be any combination of security questions, PGP authentication and Universal Second Factor (U2F) authentication. The user chooses which recovery method(s) they want at the time of account creation, and this recovery data is encrypted separately.
Now the user can recover a complete account simply by providing their chosen combination of security questions, PGP authentication and/or U2F authentication. This opens half the bundle, which can then be combined with the other half, which then folds out into the Recovery Seed, all without giving Squarelink or any other third party the ability to do the same.
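As an added illustration (not Squarelink's code; the article does not name its primitives), the flow described above modelled on the Python standard library: SHA-256 for the per-credential hashes, scrypt for the stretching step, a caller-supplied app-side secret standing in for the "cryptographic mojo", a hash of the Master Key standing in for the derived public key, and a toy SHA-256 keystream plus HMAC tag standing in for a real authenticated cipher. Only security answers are shown as the recovery method; PGP and U2F would simply supply different key material to answer_key().

```python
import hashlib, hmac

def _xor_stream(key, data):
    # Toy keystream cipher (SHA-256 in counter mode); stands in for a real AEAD so this runs offline.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, data):
    ct = _xor_stream(key, data)
    return hmac.new(key, ct, hashlib.sha256).digest() + ct   # tag || ciphertext

def open_sealed(key, blob):
    tag, ct = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered bundle")
    return _xor_stream(key, ct)

def derive_master_key(email, password, app_secret):
    # Email and password hashed separately, combined with the app-side secret, then stretched again.
    h_email = hashlib.sha256(email.lower().encode()).digest()
    h_pw = hashlib.sha256(password.encode()).digest()
    return hashlib.scrypt(h_pw, salt=h_email + app_secret, n=2**14, r=8, p=1, dklen=64)  # 512 bits

def master_fingerprint(master_key):
    # Stand-in for "a public key derived from the Master Key": one-way, safe to store.
    return hashlib.sha256(b"fingerprint" + master_key).digest()

def answer_key(email, answers):
    # Key unlocked only by the user's recovery data (normalised security answers here).
    material = "|".join(a.strip().lower() for a in answers).encode()
    return hashlib.scrypt(material, salt=email.lower().encode(), n=2**14, r=8, p=1, dklen=32)

def make_recovery_seed(email, password, app_secret, answers):
    mk = derive_master_key(email, password, app_secret)
    k_pw = hashlib.sha256(b"half-a" + password.encode()).digest()
    half_a = seal(k_pw, master_fingerprint(mk) + app_secret)     # tied to the account, useless alone
    half_b = seal(answer_key(email, answers), password.encode())  # the password, sealed by the answers
    return half_a, half_b

def recover_master_key(email, answers, half_a, half_b):
    password = open_sealed(answer_key(email, answers), half_b).decode()
    blob = open_sealed(hashlib.sha256(b"half-a" + password.encode()).digest(), half_a)
    fingerprint, app_secret = blob[:32], blob[32:]
    mk = derive_master_key(email, password, app_secret)
    if master_fingerprint(mk) != fingerprint:
        raise ValueError("regenerated Master Key does not match the stored fingerprint")
    return mk
```

Neither half is useful on its own: half_a only yields the app secret and fingerprint once the password is known, and half_b only yields the password once the recovery answers are supplied.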
The end result is a system where
- The user can sign in and manage multiple private keys with an email and password login combination.
- No third party is (theoretically) ever able to access the user's account.
- The user can recover their account if needed by providing just the necessary information.
- The user can choose their own balance of convenience, ease of use and security.
It's not completely trustless though.
The keys will keep working on the blockchain regardless of what happens to Squarelink and its servers, but you're still dependent on Squarelink's servers for accessing funds through the email and password combination or for recovering a password. Plus, any account recovery option creates a potential new avenue for theft. You probably don't want to choose something like "mother's maiden name" as your security question – not that you'd likely even be able to.
On the one hand, this is an example of how the cryptocurrency space is evolving to become more user-friendly and solve the problems of convenience and account recovery that are limiting uptake.
On the other hand, this is an example of how difficult it is to solve the private key problem and how much further there is to go before cryptocurrency's user experience and account recovery options can match what we're used to in other technologies.
Disclosure: The author holds BNB and BTC at the time of writing.