Towards the ideals of Self-Recovery and Metadata Privacy in Social Vault Recovery
Shailesh Mishra, Simone Colombo, Pasindu Tennage, Martin Burkhart, Bryan Ford

TL;DR
This paper introduces Apollo, a social key recovery framework that enhances user privacy and reduces memorization burden by distributing indistinguishable data among social contacts, with a scalable multi-layered secret sharing scheme.
Contribution
Apollo is the first framework to balance recovery metadata privacy and memorability by using indistinguishable data distribution and a novel multi-layered secret sharing scheme.
Findings
Apollo reduces the chance of malicious recovery to 0.005%-1.8%.
The multi-layered scheme significantly lowers latency, by factors ranging from 1.1x to 740kx.
Prototype implementation demonstrates practical performance.
Abstract
Social key recovery mechanisms enable users to recover their vaults with the help of trusted contacts, or trustees, avoiding the need for a single point of trust or memorizing complex strings. However, existing mechanisms overlook the memorability demands on users for recovery, such as the need to recall a threshold number of trustees. Therefore, we first formalize the notion of recovery metadata in the context of social key recovery, illustrating the tradeoff between easing the burden of memorizing the metadata and maintaining metadata privacy. We present Apollo, the first framework that addresses this tradeoff by distributing indistinguishable data within a user's social circle, where trustees hold relevant data and non-trustees store random data. Apollo eliminates the need to memorize recovery metadata since a user eventually gathers sufficient data from her social circle for…
