A simple backup scheme for wallet accounts

In the realm of cryptocurrency wallets, particularly those that do not utilize a single-signature mechanism, the importance of backing up wallet descriptors cannot be overstated. The failure to properly back up these descriptors could lead to irreversible loss of funds, even when the seed phrases, theoretically sufficient for recovery, are intact. This is especially true for multisig (multiple signature) wallets, where losing just one extended public key (xpub) can render the entire wallet's funds inaccessible. Despite this critical need, there currently exists no standardized method for wallet backups, prompting individuals to devise their own methods, some going as far as engraving their descriptors on metal. However, treating descriptors in the same manner as seeds is fundamentally flawed and should be discouraged due to their differing levels of sensitivity and associated risks.

Seeds are considered secret because they protect the key material necessary for fund transactions, making them highly valuable targets for attackers. Consequently, both digital and redundant physical copies of seeds pose significant security risks. Descriptors and xpubs, contrastingly, are categorized as private; unauthorized access allows visibility into one's funds but does not directly endanger the ownership of those funds. Therefore, while having multiple digital and physical copies of descriptors poses a moderate risk, it is an acceptable practice for mitigating the potential loss of funds.

To address the proper backup of descriptors and wallet policies digitally, a few desirable properties have been outlined. Digital backups should be encrypted, allowing for storage with untrusted parties like cloud providers. They should incorporate access control, ensuring decryption is limited to designated cosigners, and be easy to implement across various hardware signing devices without reliance on vendor-specific tools. Furthermore, backups should be deterministic, producing consistent results from identical inputs.

A proposed scheme for achieving these goals involves a combination of symmetric and asymmetric encryption techniques. By encrypting a random symmetric secret with the public keys of each party involved and then encrypting the payload with said secret, the scheme effectively minimizes the backup size. Additionally, leveraging the existing public keys for encryption simplifies the process by eliminating the need for asymmetric decryption capabilities, which might not be supported by all secure enclaves. This method also ensures determinism by deriving a shared secret from the combined entropy of the descriptor's xpubs.

While this deterministic encryption approach deviates from traditional semantic security standards, it is deemed sufficiently secure within the specific context of wallet backup, assuming adversaries lack access to plaintext versions of the data.

This concept aims to inspire further development towards a formalized backup standard that could be universally adopted by software wallets, enhancing the security and recoverability of digital assets stored within multisig configurations. For an effective timelocked recovery mechanism, the project liana is recommended, addressing the risks associated with seed mismanagement.