Sirraya Labs · Editors Draft

DID Key Recovery (DID-KR)

Decentralized Identifier Key Recovery Extension

Editor
Amir Hameed Mir
Organization
Sirraya Labs
Version
1.0.0
Repository
github.com/sirraya-labs/did-kr

Abstract

This specification defines a standardized, interoperable mechanism for recovering control of Decentralized Identifiers (DIDs) when private keys are lost or compromised. It introduces three complementary recovery types — Social ZKP Recovery, Deterministic Seedling Inheritance, and MPC-based Mediated Recovery — each addressing different trust models and user personas.

The specification includes cryptographic hardening through mathematically correct Verifiable Secret Sharing (Feldman VSS over a proper prime-order group), Verifiable Delay Functions, Proactive Secret Refreshment, and comprehensive security considerations with a formal JSON-LD context for machine interoperability.

Status of This Document

This is the Editors Draft prepared by Amir Hameed Mir of Sirraya Labs. This document defines the normative requirements for DID Key Recovery implementations.

1. Introduction

The Decentralized Identifier (DID) architecture provides the foundation for self-sovereign identity but deliberately omits key recovery mechanisms, leaving implementers to develop ad-hoc, non-interoperable solutions. This gap represents a critical barrier to mass adoption, as users face permanent loss of identity or vendor lock-in when keys are lost.

The DID Key Recovery Extension (DID-KR) addresses this gap by defining standardized recovery methods that can be published in DID Documents, discovered by resolvers, and executed through interoperable protocols. The specification embraces a "three-way solution" recognizing that no single recovery model suits all use cases:

  • Type A (Social ZKP Recovery): For users prioritizing autonomy, using threshold cryptography with zero-knowledge proofs to prevent guardian collusion.
  • Type B (Deterministic Seedling): For inheritance and migration, using hierarchical deterministic keys with Verifiable Delay Functions for decentralized time-locks.
  • Type C (MPC-Mediated): For enterprise and convenience users, using multi-party computation with threshold signatures and proactive share refreshment.

1.1 Design Goals

  • Non-Custodial: No single entity ever possesses the full private key.
  • Interoperable: Recovery methods are discoverable and executable across different wallet implementations.
  • Privacy-Preserving: Recovery metadata minimizes leakage of social graphs and security posture.
  • Mathematically Sound: All cryptographic constructions use correctly parameterized groups with proven security properties.
  • Future-Proof: Cryptographic agility allows migration to quantum-resistant algorithms.

1.2 Relationship to DID Core

This specification extends DID Core by defining:

  1. A new recovery verification relationship.
  2. Three new verification method types for recovery.
  3. Service endpoint definitions for recovery protocols.
  4. A JSON-LD context for machine-readable discovery.

2. Conformance

As well as sections marked as non-normative, all authoring guidelines, diagrams, examples, and notes in this specification are non-normative. Everything else in this specification is normative.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Terminology

DID Controller
The entity authorized to make changes to a DID Document.
Recovery Method
A verification method specifically designated for recovering control of a DID.
Guardian
An entity holding a share of a recovery secret in Type A schemes.
Beneficiary
An entity authorized to inherit a DID in Type B schemes.
Provider
An MPC node participating in threshold signature generation for Type C schemes.
Threshold (t)
The minimum number of shares/participants required to complete recovery.
Scalar Field Zq
A prime field of order q used for polynomial arithmetic in VSS. All share values and polynomial coefficients live in Zq.
Commitment Group Zp*
The multiplicative group modulo a prime p used for Feldman commitments. Distinct from the scalar field; chosen so that q divides (p−1).
Safe Prime
A prime p such that p = 2q+1 and q is also prime. Used to guarantee a subgroup of prime order q in Zp*.
Share Refreshment
The process of generating new secret shares without changing the secret or the public commitments, achieved by adding shares of a zero-secret refresh polynomial.
Verifiable Delay Function (VDF)
A function requiring a specific amount of sequential computation to evaluate.
Epoch
A version identifier for MPC provider share sets, incremented with each refreshment.
Catch-up Protocol
A mechanism for synchronizing lagging MPC providers to the current epoch.

4. The Recovery Method Architecture

The DID-KR architecture introduces a new verification relationship recovery in the DID Document. This relationship contains one or more recovery methods that define how a DID can be recovered.

4.1 Discovery Model

Recovery methods are discovered through standard DID resolution. A resolver or wallet implementing DID-KR:

  1. Resolves the DID Document.
  2. Checks for the @context including the DID-KR context.
  3. Extracts the recovery verification relationship.
  4. Parses the recovery methods according to their type.

4.2 Lifecycle

  1. Setup: The DID Controller generates recovery parameters and publishes them in the DID Document.
  2. Execution: When recovery is needed, the recovering party initiates the protocol defined by the recovery method.
  3. Completion: Upon successful recovery, the DID Document is updated with new verification methods, and the recovery methods may be rotated.
  4. Revocation: Recovery methods can be revoked by the current controller using an active verification method.

5. Recovery Method Types

5.1 Type A: Social ZKP Recovery

Type URI: RecoveryMethodZKPSocial

The Social ZKP Recovery mechanism enables recovery through a threshold of trusted guardians without revealing secret shares to any party, including the guardians themselves.

5.1.1 Cryptographic Requirements

Implementations MUST use:

  • Verifiable Secret Sharing (VSS): Feldman's VSS as specified in §7.1, using the group parameters defined in §7.0.
  • Zero-Knowledge Proofs: Schnorr proofs of share consistency as specified in §7.2.
  • Group: The 256-bit safe-prime group (p, q, g) defined in §7.0.

5.1.2 Setup Phase

  1. Generates a random secret s ∈ Zq (the recovery key).
  2. Constructs a random polynomial P(x) of degree t−1 over Zq where P(0) = s.
  3. Computes shares si = P(i) mod q for each of n guardians.
  4. Computes Feldman commitments Cj = gaj mod p for each coefficient aj.
  5. Distributes to each guardian their encrypted share si, the commitments Cj, and a nonce for ZKP challenges.
  6. Publishes commitments, guardian identifiers/endpoints, and threshold t in the DID Document.

5.1.3 Recovery Phase

  1. Recovering party contacts t guardians.
  2. Each guardian generates a Schnorr ZKP (§7.2) proving knowledge of share si consistent with commitments Cj, without revealing si.
  3. ZKPs are verified and shares are reconstructed using Lagrange interpolation in Zq.
  4. The reconstructed secret s is used to generate new DID keys.

5.1.4 DID Document Representation

{
  "id": "did:example:123#recovery-social",
  "type": "RecoveryMethodZKPSocial",
  "controller": "did:example:123",
  "recoveryThreshold": 3,
  "vssScheme": "feldman-safe-prime-256-2025",
  "vssGroupParameters": {
    "p": "0x50179e4375e428b3af8fe52af1f2a50e5100b916d0d1c1bbedc304c3d35f3217",
    "q": "0x280bcf21baf21459d7c7f29578f9528728805c8b6868e0ddf6e18261e9af990b",
    "g": "4"
  },
  "vssCommitments": [
    "0x2a3f...",
    "0x7c91..."
  ],
  "recoveryGuardians": [
    {
      "id": "did:guardian:abc#key-1",
      "guardianEndpoint": "https://guardian1.example.com/recover",
      "guardianType": "person",
      "commitmentIndex": 0
    }
  ],
  "curve": "safe-prime-256"
}
Figure 1 — Type A: Social ZKP Recovery Flow
sequenceDiagram participant User as User (Recovering Party) participant G1 as Guardian 1 participant G2 as Guardian 2 participant G3 as Guardian 3 participant Aggregator as ZKP Aggregator Note over User: Initiates recovery (threshold=3) User->>G1: Request recovery (nonce, commitments) User->>G2: Request recovery (nonce, commitments) User->>G3: Request recovery (nonce, commitments) G1->>G1: Generate Schnorr ZKP G2->>G2: Generate Schnorr ZKP G3->>G3: Generate Schnorr ZKP G1-->>User: ZKP Proof 1 G2-->>User: ZKP Proof 2 G3-->>User: ZKP Proof 3 User->>Aggregator: Submit proofs (threshold=3) Aggregator->>Aggregator: Verify ZKPs against C_j Aggregator->>Aggregator: Lagrange interpolation in Z_q Aggregator-->>User: Recovered secret s User->>User: Generate new DID keys User->>DID Method: Update DID Document

5.2 Type B: Deterministic Seedling Inheritance

Type URI: RecoveryMethodDeterministic

The Deterministic Seedling mechanism enables recovery through a master seed phrase, with optional time-locked inheritance for beneficiaries.

5.2.1 Cryptographic Requirements

  • Hierarchical Deterministic Keys: BIP-32 or BIP-39 style derivation.
  • Encryption: XChaCha20-Poly1305 for seed lockbox.
  • Time-Locks: Verifiable Delay Functions (VDFs) for decentralized inheritance.
  • VDF Algorithm: Wesolowski's VDF or Pietrzak's VDF.

5.2.2 Setup Phase

  1. Generates a master seed S (128–256 bits of entropy).
  2. Derives the DID private key using a standardized derivation path.
  3. If inheritance desired: generates VDF parameters, computes y = x2T mod N, and uses y to derive the seed lockbox encryption key.
  4. Encrypts seed S to beneficiary's public key.
  5. Publishes derivation path, encrypted lockbox, and VDF parameters in DID Document.

5.2.3 DID Document Representation

{
  "id": "did:example:123#recovery-seedling",
  "type": "RecoveryMethodDeterministic",
  "controller": "did:example:123",
  "seedDerivationPath": "m/44'/0'/0'/0/0",
  "derivationStandard": "bip32-ed25519",
  "encryptedSeedLockbox": {
    "ciphertext": "0x7b3a...f9c2",
    "algorithm": "XChaCha20-Poly1305",
    "iv": "0x1a2b...3c4d",
    "beneficiaryPublicKey": "did:beneficiary:abc#key-1",
    "beneficiaryKeyType": "x25519"
  },
  "deadMansSwitch": {
    "type": "VDFTimeLock",
    "vdfParameters": {
      "difficulty": 1000000,
      "estimatedWallTime": "P30D",
      "referencePlatform": "intel-i9-13900k-2024",
      "tolerance": 0.2,
      "modulus": "0x8f3b...a1c4",
      "challenge": "0x2d4e...f8a1",
      "vdfAlgorithm": "wesolowski-2024"
    },
    "inactivityPeriod": "P1Y"
  }
}
Figure 2 — Type B: VDF Time-Locked Inheritance
sequenceDiagram participant User as Original User participant Beneficiary as Beneficiary participant VDF as VDF Computation participant DID as DID Method Note over User: Setup Phase User->>User: Generate master seed User->>User: Encrypt seed with VDF-derived key User->>DID: Publish encrypted lockbox + VDF params Note over User: User becomes inactive Beneficiary->>VDF: Compute VDF (difficulty=1M) VDF->>VDF: Sequential squaring (~30 days) VDF-->>Beneficiary: VDF output + Wesolowski proof Beneficiary->>Beneficiary: Derive decryption key from VDF output Beneficiary->>Beneficiary: Decrypt seed lockbox Beneficiary->>Beneficiary: Derive DID keys Beneficiary->>DID: Update DID Document with new controller

5.3 Type C: MPC-Mediated Recovery

Type URI: RecoveryMethodMPC

The MPC-Mediated Recovery mechanism distributes key shares across multiple independent providers who perform threshold signatures without reconstructing the full key.

5.3.1 Cryptographic Requirements

  • Threshold Signatures: fROST (Flexible Round-Optimized Schnorr Threshold) signatures.
  • Proactive Secret Sharing: Share refreshment as specified in §7.1.4.
  • Authentication: Verifiable Credentials or WebAuthn.
  • Transport: mTLS or Noise Protocol for secure provider communication.

5.3.2 Share Refreshment

Providers MUST support periodic share refreshment using the proactive refresh protocol defined in §7.1.4. After each refresh:

  1. Each provider's share changes, but the secret and group public key remain identical.
  2. Combined commitments are updated: Cjnew = Cjold · grj mod p.
  3. Old shares are securely deleted.
  4. The epoch counter is incremented.

5.3.3 DID Document Representation

{
  "id": "did:example:123#recovery-mpc",
  "type": "RecoveryMethodMPC",
  "controller": "did:example:123",
  "mpcThreshold": 2,
  "mpcTotalProviders": 3,
  "mpcProtocol": "fROST-ed25519-2024",
  "mpcProviders": [
    {
      "id": "did:provider:one#mpc-node",
      "endpoint": "https://provider1.example.com/mpc",
      "authType": "vc-presentation"
    }
  ],
  "shareRotation": {
    "rotationInterval": "P30D",
    "currentEpoch": 42,
    "lastRotationProof": "0x8a3c...f2b5"
  }
}
Figure 3 — Type C: MPC Recovery with Epoch Catch-up
sequenceDiagram participant User as User participant P1 as Provider 1 (Epoch 42) participant P2 as Provider 2 (Epoch 42) participant P3 as Provider 3 (Epoch 41) participant Coord as MPC Coordinator User->>P1: Authenticate User->>P2: Authenticate User->>P3: Authenticate P1-->>User: Auth OK (epoch=42) P2-->>User: Auth OK (epoch=42) P3-->>User: Auth OK (epoch=41) Note over User: Detects epoch skew on P3 User->>P3: Request catch-up P3->>P1: Request refresh transcript (41→42) P1-->>P3: Verifiable refresh proof P3->>P3: Verify & update share to epoch 42 P3-->>User: Ready (epoch=42) User->>Coord: Initiate MPC signing Coord->>P1: Signing request Coord->>P2: Signing request Coord->>P3: Signing request P1-->>Coord: Partial signature P2-->>Coord: Partial signature P3-->>Coord: Partial signature Coord->>Coord: Aggregate (threshold=2) Coord-->>User: Final signature User->>DID Method: Update DID Document

5.4 Provider State Synchronization (Normative)

When providers operate at different epochs, the recovery protocol MUST handle version skew to prevent state drift from becoming a single point of failure.

5.4.1 Epoch Discovery

During recovery initiation, each provider MUST include their currentEpoch in the authentication response.

5.4.2 Lag Detection

The recovering party MUST compare epochs from all providers. Any provider more than maxEpochSkew (RECOMMENDED: 1) behind the majority MUST be excluded from the signing ceremony until caught up.

5.4.3 Automatic Catch-up Protocol

  1. Catch-up Request: Lagging provider sends a signed request to an up-to-date provider specifying currentEpoch and targetEpoch.
  2. Verifiable Refresh Transcript: The responding provider returns the group public key plus a cryptographically verifiable transcript of each refresh operation between the two epochs.
  3. Verification and Update: The lagging provider verifies each transcript, updates their local share, and securely deletes the old share.
  4. Confirmation: Provider confirms readiness to the recovering party.

5.4.4 Synchronization Parameters

"shareRotation": {
  "rotationInterval": "P30D",
  "currentEpoch": 42,
  "providerStateEndpoint": "https://provider1.example.com/state",
  "lastRotationProof": "0x8a3c...f2b5",
  "synchronization": {
    "maxEpochSkew": 1,
    "catchupProtocol": "vss-refresh-verifiable-2025",
    "timeout": "PT30S",
    "requiredQuorum": 2
  }
}

6. Verification Relationships

6.1 The recovery Relationship

The recovery verification relationship indicates that the associated verification methods are specifically authorized for recovering control of the DID. These methods are limited to recovery operations and MUST NOT be used for general authentication.

{
  "@context": [
    "https://www.w3.org/ns/did/v1",
    "https://sirraya.org/ns/did/recovery/v1"
  ],
  "id": "did:example:123",
  "recovery": [
    "did:example:123#recovery-social",
    "did:example:123#recovery-seedling",
    "did:example:123#recovery-mpc"
  ]
}

6.2 Processing Rules

  1. The resolver MUST verify that the recovery method is listed in the recovery relationship.
  2. The resolver MUST verify that the recovery method's controller is authorized to modify the DID Document.
  3. The resolver MUST perform dependency checking to prevent recovery loops (see §8.4).

7. Cryptographic Primitives

7.0 VSS Group Parameters

7.0.1 Group Requirements

Feldman VSS verification requires the equation:

gsi ≡ ∏j=0t−1 Cjij (mod p)

For this to hold consistently, exponents on both sides must reduce modulo the same value — the order of the generator g in the group. This requires:

  1. A scalar field of prime order q for polynomial arithmetic (shares, coefficients, Lagrange interpolation).
  2. A group prime p with q | (p−1), so that a subgroup of order exactly q exists in Zp*.
  3. A generator g of order exactly q in Zp*.

7.0.2 Mandatory Group Parameters

Implementations MUST use the following parameters, or an equivalent set verifiable by the same properties:

p0x50179e4375e428b3af8fe52af1f2a50e5100b916d0d1c1bbedc304c3d35f3217
q0x280bcf21baf21459d7c7f29578f9528728805c8b6868e0ddf6e18261e9af990b
g4
bits256-bit safe prime (p = 2q+1)

7.0.3 Parameter Verification

Any implementation MUST be able to verify the following properties hold:

isPrime(p) = True
isPrime(q) = True
p = 2·q + 1 // safe prime
pow(g, q, p) = 1 // g has order q
pow(g, 1, p) ≠ 1 // g is not the identity

7.0.4 Alternative Parameters

Implementations MAY use alternative parameters of equivalent or greater security, provided they satisfy all properties in §7.0.3 and publish the parameters in the DID Document's vssGroupParameters field for interoperability.

7.1 Verifiable Secret Sharing (Feldman's VSS)

Let (p, q, g) be as defined in §7.0. All scalar (polynomial) operations are in Zq. All commitment (group) operations are in Zp.

7.1.1 Share Generation

  1. Dealer chooses secret s ∈ Zq and random coefficients a1, …, at−1R Zq.
  2. Forms polynomial P(x) = s + a1x + … + at−1xt−1 over Zq.
  3. For participant i = 1…n, share si = P(i) mod q.
  4. Computes Feldman commitments: Cj = gaj mod p for j = 0…t−1.

7.1.2 Share Verification

Participant i verifies their share by checking (all arithmetic mod p, exponents mod q):

gsi ≡ ∏j=0t−1 Cjij mod q (mod p)

This holds because ord(g) = q, so gx mod q = gx mod p for any integer x.

Implementation Note

Exponents ij MUST be reduced modulo q (the scalar field order).

7.1.3 Secret Recovery

Given t shares {(i, si)}, recover s = P(0) via Lagrange interpolation in Zq:

s = ∑j sj · Lj(0) mod q

Lj(0) = ∏m≠j (0 − xm) / (xj − xm) mod q

Division is computed as multiplication by the modular inverse: a−1 mod q = aq−2 mod q (Fermat, since q is prime).

7.1.4 Proactive Share Refreshment

To re-randomize shares without changing the secret:

  1. Generate refresh polynomial R(x) = r1x + … + rt−1xt−1 over Zq with R(0) = 0.
  2. Compute refresh shares δi = R(i) mod q and refresh commitments Dj = grj mod p.
  3. Update each share: sinew = (siold + δi) mod q.
  4. Update commitments: Cjnew = Cjold · Dj mod p = gaj + rj mod p.
  5. Secret is preserved: Pnew(0) = Pold(0) + R(0) = s + 0 = s.
  6. Verify each refreshed share against combined commitments before deleting the old share.

7.2 Zero-Knowledge Proof of Share

To prove knowledge of share si ∈ Zq without revealing it (Schnorr proof, all operations mod p/q as appropriate):

  1. Prover chooses random r ← Zq.
  2. Prover sends R = gr mod p.
  3. Verifier sends challenge c ← Zq.
  4. Prover sends z = (r + c · si) mod q.
  5. Verifier checks: gz ≡ R · (∏ Cjij mod q)c (mod p).

7.3 Verifiable Delay Function (Wesolowski)

Input: x ∈ QR(N), time parameter T
Output: y = x2T mod N, proof π

  1. Compute y = x2T mod N via sequential squaring.
  2. Let l = ⌊2T / 2⌋, compute π = xl mod N.
  3. Verifier checks: π2(T/2) · x2T mod 2(T/2) = y mod N.

7.3.1 VDF Parameter Calibration (Normative)

Difficulty is measured in sequential squaring operations. Published parameters MUST include a referencePlatform and tolerance factor.

"vdfParameters": {
  "difficulty": 1000000,
  "estimatedWallTime": "P30D",
  "referencePlatform": "intel-i9-13900k-2024",
  "tolerance": 0.2,
  "verificationMode": "wesolowski-optimistic"
}

7.4 fROST Threshold Signatures

fROST enables t-of-n threshold Schnorr signatures:

  1. Key Generation: Distributed key generation produces group public key and individual secret shares.
  2. Signing: Each participant generates a nonce and commitment.
  3. Aggregation: Coordinator aggregates commitments and challenges.
  4. Response: Each participant responds with partial signatures.
  5. Finalization: Coordinator aggregates partial signatures into final signature.

8. Security Considerations

Normative Reference

This section provides a summary of key security considerations. For complete threat taxonomy, detailed attack catalog, and comprehensive countermeasures, refer to the DID Threat Model Specification (DID-TM), which formalizes the threats introduced here and provides CVSS-DID scoring, attack trees, and normative requirements traceable to each threat.

8.1 Guardian Collusion (Type A)

Threat: A threshold of guardians collude to reconstruct the user's private key.

Mitigation: Feldman VSS with Pedersen commitments ensures shares are individually verifiable. Guardians SHOULD be selected from diverse trust domains, and threshold SHOULD be ≥ 3-of-5.

DID-TM Mapping: This threat is classified as E — Privilege Escalation and K (K2 — Share Lifecycle Failure). Full analysis in DID-TM-ATK-400 (Guardian Collusion at Threshold). Normative mitigations: REQ-400, REQ-401, REQ-402, REQ-403.

8.2 Time-Lock Bypass (Type B)

Threat: An attacker compromises the dead man's switch to release inheritance keys prematurely.

Mitigation: VDFs provide computational asymmetry that cannot be parallelized, making premature release computationally infeasible within the specified time window.

DID-TM Mapping: This threat is classified as K (K3 — Time-Lock Integrity Failure). Full analysis in DID-TM-ATK-402 (VDF Difficulty Miscalibration) and DID-TM-ATK-431 (Wesolowski Proof Forgery). Normative mitigations: REQ-408, REQ-409, REQ-410, REQ-411, REQ-442, REQ-443, REQ-444.

8.3 Provider State Drift (Type C)

Threat: MPC providers update shares independently, causing key desynchronization.

Mitigation: Proactive Secret Sharing with verifiable refresh transcripts (§7.1.4) ensures consistency. The catch-up protocol (§5.4.3) handles epoch lag.

DID-TM Mapping: This threat is classified as K (K2 — Share Lifecycle Failure) and D — Denial of Service. Full analysis in DID-TM-ATK-401 (MPC Epoch Share Drift). Normative mitigations: REQ-404, REQ-405, REQ-406, REQ-407.

8.4 Recovery-Loop Prevention

Threat: Circular recovery dependencies make recovery impossible.

Mitigation: Implementations MUST validate that the dependency graph of recovery methods is acyclic at publication time, at recovery initiation, and during periodic health checks.

DID-TM Mapping: This threat is classified as D — Denial of Service and K (K6 — Inheritance and Recovery Chain Failure). Full analysis in DID-TM-ATK-404 (Recovery Loop Deadlock). Normative mitigations: REQ-415, REQ-416, REQ-417.

function checkAcyclic(did, visited = new Set()): if visited.has(did): return false visited.add(did) for each recoveryMethod in resolve(did).recovery: for each guardian in recoveryMethod.guardians: if guardian.id is DID: if not checkAcyclic(guardian.id, visited): return false visited.delete(did) return true
Figure 4 — Recovery-Loop Detection
graph TD subgraph bad["Graph 1: Loop Detected ✗"] A1[did:example:123] -->|recovery| B1[did:guardian:abc] B1 -->|controller| A1 end subgraph good["Graph 2: Valid Tree ✓"] A2[did:example:456] -->|recovery| C2[did:guardian:def] A2 -->|recovery| D2[did:guardian:ghi] end style A1 fill:#fee2e2,stroke:#ef4444,stroke-width:3px style B1 fill:#fee2e2,stroke:#ef4444 style A2 fill:#dcfce7,stroke:#22c55e,stroke-width:3px style C2 fill:#dcfce7,stroke:#22c55e style D2 fill:#dcfce7,stroke:#22c55e

8.5 Key Wrapping Security

Threat: Weak encryption of seed lockboxes.

Mitigation: All encrypted payloads MUST use AEAD with ≥ 256-bit keys. XChaCha20-Poly1305 or AES-256-GCM are REQUIRED. The algorithm MUST be explicitly named in the DID Document.

DID-TM Mapping: This threat is classified under I — Information Disclosure and K (K1 — Key Ceremony Failure). Refer to DID-TM §22 (Side-Channel and Implementation Threats) for cryptographic implementation requirements. Normative mitigations: REQ-460, REQ-461.

8.6 Quantum Computing Resistance

Current algorithms are secure against classical computers. Implementations SHOULD plan transition paths:

  • Type A: Consider lattice-based VSS for post-quantum security.
  • Type B: Use hash-based signatures for seed commitment.
  • Type C: Transition to threshold lattice signatures when standardized.

DID-TM Mapping: This threat is classified as K (K5 — Post-Quantum Migration Failure). Full analysis in DID-TM §23 (Post-Quantum Threat Model), including Harvest-Now Decrypt-Later attacks and migration dependency analysis. Normative mitigations: REQ-470, REQ-471.

9. Privacy Considerations

Normative Reference

For complete privacy threat analysis, refer to DID-TM §6 (LINDDUN-DID Privacy Threat Mapping) and DID-TM §25 (Normative Privacy Requirements), which provide structured mapping of linkability, identifiability, detectability, and other privacy threats with traceable controls.

9.1 Metadata Leakage

Recovery methods may expose social graph (guardian identities), security posture (threshold values), and activity patterns. Mitigations include encrypted DID Document entries, guardian anonymity via onion services, and minimum-disclosure design.

DID-TM Mapping: This threat falls under I — Information Disclosure and LINDDUN-DID's Linkability and Detectability categories. Refer to DID-TM-ATK-501 (Cross-DID Correlation via Resolver Logs) and PRI-301 (hashed guardian identifiers).

9.2 Guardian Privacy

Instead of full DIDs, implementations SHOULD publish salted hashes:

"recoveryGuardians": [
        {
            "id": "urn:hash:sha256:3a7b...c9f2",
            "salt": "0x4d8e...f2a3",
            "guardianEndpoint": "http://guardian1.onion/recover",
            "commitmentIndex": 0
        }
        ]

DID-TM Mapping: This mitigation corresponds to DID-TM PRI-301 (Recovery method representations MUST use hashed or pseudonymous guardian identifiers).

9.3 Correlation Risk

The same recovery method across multiple DIDs could correlate them. DID controllers SHOULD use different guardian sets, salt values, and encryption keys per DID.

DID-TM Mapping: This threat is addressed by DID-TM PRI-200 (pairwise DIDs) and PRI-201 (ZKP unlinkability). Refer to DID-TM §25.2 for complete unlinkability requirements.

9.4 Beneficiary Privacy

Beneficiaries SHOULD use single-use derived keys specific to each inheritance relationship, not linked to their primary identity.

DID-TM Mapping: This aligns with DID-TM PRI-102 (data minimization) and PRI-302 (single-use credentials for sensitive attributes).

Complete Reference

For comprehensive coverage, including the full STRIDE-DID taxonomy, the novel K-Class (Key Lifecycle Failure), the complete attack catalog (50+ attacks with CVSS-DID scoring), and all normative security/privacy requirements with traceability matrices, see the DID Threat Model Specification (DID-TM).

10. Interoperability Requirements

10.1 Mandatory-to-Implement Algorithms

AlgorithmUsage
Ed25519Signatures, guardian keys
SHA-256Hashing
XChaCha20-Poly1305Seed lockbox encryption
AES-256-GCMShare encryption at rest
BIP-32Key derivation
fROST (Ed25519)Threshold signatures
Feldman VSS (p,q,g per §7.0)Verifiable secret sharing
Wesolowski VDFTime-locks
PBKDF2-SHA256 (100k iter)Seed derivation

10.2 Optional Algorithms

AlgorithmUsage
secp256k1Blockchain compatibility
BLS12-381Pairing-based cryptography
Pietrzak VDFAlternative time-locks
DilithiumPost-quantum signatures
KyberPost-quantum encryption

10.3 DID Method Compatibility

This specification is DID method agnostic but requires methods that support DID Document updates, resolution for recovery method discovery, and deactivation of compromised recovery methods.

11. JSON-LD Context

Available at: https://sirraya.org/ns/did/recovery/v1.jsonld

{
  "@context": {
    "@version": 1.1,
    "@protected": true,

    "id": "@id",
    "type": "@type",

    "RecoveryMethod": "https://sirraya.org/ns/did/recovery#RecoveryMethod",
    "RecoveryMethodZKPSocial": "https://sirraya.org/ns/did/recovery#RecoveryMethodZKPSocial",
    "RecoveryMethodDeterministic": "https://sirraya.org/ns/did/recovery#RecoveryMethodDeterministic",
    "RecoveryMethodMPC": "https://sirraya.org/ns/did/recovery#RecoveryMethodMPC",

    "recovery": {
      "@id": "https://sirraya.org/ns/did/recovery#recovery",
      "@type": "@id",
      "@container": "@set"
    },
    "recoveryThreshold": {
      "@id": "https://sirraya.org/ns/did/recovery#recoveryThreshold",
      "@type": "xsd:integer"
    },
    "vssGroupParameters": {
      "@id": "https://sirraya.org/ns/did/recovery#vssGroupParameters",
      "@type": "@id"
    },
    "vssScheme": {
      "@id": "https://sirraya.org/ns/did/recovery#vssScheme",
      "@type": "xsd:string"
    },
    "recoveryGuardians": {
      "@id": "https://sirraya.org/ns/did/recovery#recoveryGuardians",
      "@type": "@id",
      "@container": "@set"
    },
    "guardianEndpoint": {
      "@id": "https://sirraya.org/ns/did/recovery#guardianEndpoint",
      "@type": "xsd:anyURI"
    },
    "vssCommitments": {
      "@id": "https://sirraya.org/ns/did/recovery#vssCommitments",
      "@type": "xsd:string",
      "@container": "@list"
    },
    "seedDerivationPath": {
      "@id": "https://sirraya.org/ns/did/recovery#seedDerivationPath",
      "@type": "xsd:string"
    },
    "encryptedSeedLockbox": {
      "@id": "https://sirraya.org/ns/did/recovery#encryptedSeedLockbox",
      "@type": "@id"
    },
    "deadMansSwitch": {
      "@id": "https://sirraya.org/ns/did/recovery#deadMansSwitch",
      "@type": "@id"
    },
    "vdfParameters": {
      "@id": "https://sirraya.org/ns/did/recovery#vdfParameters",
      "@type": "@id"
    },
    "mpcThreshold": {
      "@id": "https://sirraya.org/ns/did/recovery#mpcThreshold",
      "@type": "xsd:integer"
    },
    "mpcProviders": {
      "@id": "https://sirraya.org/ns/did/recovery#mpcProviders",
      "@type": "@id",
      "@container": "@set"
    },
    "shareRotation": {
      "@id": "https://sirraya.org/ns/did/recovery#shareRotation",
      "@type": "@id"
    },
    "currentEpoch": {
      "@id": "https://sirraya.org/ns/did/recovery#currentEpoch",
      "@type": "xsd:integer"
    },
    "synchronization": {
      "@id": "https://sirraya.org/ns/did/recovery#synchronization",
      "@type": "@id"
    },
    "maxEpochSkew": {
      "@id": "https://sirraya.org/ns/did/recovery#maxEpochSkew",
      "@type": "xsd:integer"
    },
    "catchupProtocol": {
      "@id": "https://sirraya.org/ns/did/recovery#catchupProtocol",
      "@type": "xsd:string"
    }
  }
}

12. Recovery Protocol Flows

12.1 Type A Recovery Protocol

Request:

POST /recover HTTP/1.1
Host: guardian1.example.com
Content-Type: application/json

{
  "protocol": "did-kr-recovery-v1",
  "recoveryId": "did:example:123#recovery-social",
  "did": "did:example:123",
  "nonce": "a1b2c3d4e5f6...",
  "challenge": "0x4d5e6f7a8b9c...",
  "commitmentIndex": 0
}

Response:

{
  "status": "success",
  "proof": {
    "type": "schnorr-proof-2025",
    "commitment": "0x8f3a2b1c...",
    "challenge": "0x4d5e6f7a...",
    "response": "0x2b7c8d9e..."
  },
  "guardianId": "did:guardian:abc#key-1",
  "signature": "0x9a8b7c6d..."
}

12.2 Type B Recovery Protocol

Self-recovery:

POST /recover/seed HTTP/1.1
Host: wallet.example.com
Content-Type: application/json

{
  "protocol": "did-kr-recovery-v1",
  "recoveryId": "did:example:123#recovery-seedling",
  "seedPhrase": "abandon ability able about above ...",
  "derivationPath": "m/44'/0'/0'/0/0"
}

12.3 Type C Recovery Protocol

Phase 1: Authentication Response

{
  "status": "authenticated",
  "provider": "did:provider:one#mpc-node",
  "currentEpoch": 42,
  "lastRotation": "2024-05-15T10:30:00Z",
  "signature": "0x9a8b7c6d..."
}

Phase 2: MPC Signing Ceremony

POST /mpc/sign HTTP/1.1
Host: provider1.example.com
Content-Type: application/json

{
  "protocol": "did-kr-recovery-v1",
  "sessionId": "sess_abc123def456",
  "operation": {
    "type": "update-did",
    "newDocument": { "id": "did:example:123", "..." : "..." }
  },
  "commitment": "0x3e4f5a6b..."
}

13. Test Vectors

13.1 Type A Test Vector — Feldman VSS

Group parameters: (p, q, g) as in §7.0.

Setup:

  • Secret: s = 42 (as a scalar in Zq)
  • Threshold: t = 2
  • Total shares: n = 3
  • Polynomial: P(x) = 42 + 17·x (over Zq)

Shares (computed as P(i) mod q):

s₁ = P(1) mod q = 59
s₂ = P(2) mod q = 76
s₃ = P(3) mod q = 93

Commitments (computed as gaj mod p):

C₀ = 442 mod p
C₁ = 417 mod p

Share verification example for s₃ (x=3):

LHS = 493 mod p
RHS = C₀1 · C₁3 mod q mod p = 442 · 417·3 mod p = 442+51 mod p = 493 mod p ✓

Recovery with shares s₁, s₂ (Lagrange in Zq):

L₁(0) = (0−2)/(1−2) mod q = (−2)·(−1)⁻¹ mod q = 2
L₂(0) = (0−1)/(2−1) mod q = (−1)·(1)⁻¹ mod q = q−1
s = 59·2 + 76·(q−1) mod q = 118 − 76 mod q = 42 ✓

13.2 Type A Test Vector — Proactive Refresh

Continuing from §13.1 — applying a refresh polynomial R(x) = 5·x (R(0)=0):

δ₁ = R(1) = 5, δ₂ = R(2) = 10, δ₃ = R(3) = 15

s₁ᶰᵉʷ = (59 + 5) mod q = 64
s₂ᶰᵉʷ = (76 + 10) mod q = 86
s₃ᶰᵉʷ = (93 + 15) mod q = 108

C₀ᶰᵉʷ = C₀ · g⁰ mod p = C₀ (r₀ = 0, constant term is always 0)
C₁ᶰᵉʷ = C₁ · 4⁵ mod p = 4¹⁷ · 4⁵ mod p = 4²² mod p

Recovery with s₁ᶰᵉʷ, s₂ᶰᵉʷ: s = 64·2 + 86·(q−1) mod q = 128 − 86 = 42 ✓

13.3 Type B Test Vector

Master Seed: 0x7f3a9b8c2d5e1f4a3b6c7d8e9f0a1b2c

Derivation Path: m/44'/0'/0'/0/0

PBKDF2 salt: "did-kr-salt:did:example:123" (UTF-8), 100,000 iterations

Derived Private Key: SHA-256(PBKDF2(seed, salt, 100000, 32))

13.4 Type C Test Vector

fROST t=2, n=3 — share format (illustrative, not actual key material):

Group Public Key: 0x3a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d...
Share 1 (epoch 1): 0x8c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f...
Share 2 (epoch 1): 0x2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e...
Share 3 (epoch 1): 0x7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c...

14. References

14.1 Normative References

[DID-CORE]
Decentralized Identifier Specification v1.0
[RFC2119]
Key words for use in RFCs
[RFC8174]
Ambiguity of Uppercase vs Lowercase in RFC2119
[BIP32]
Hierarchical Deterministic Wallets
[BIP39]
Mnemonic code for generating deterministic keys
[FROST]
Flexible Round-Optimized Schnorr Threshold Signatures
[VDF]
Verifiable Delay Functions — Boneh et al., 2018
[FELDMAN]
Feldman's Verifiable Secret Sharing — Feldman, 1987
[SAFE-PRIME]
Safe prime group parameter generation — NIST SP 800-57

14.2 Informative References

[SOCIAL-RECOVERY]
Social Key Recovery for Self-Sovereign Identity
[MPC-WALLET]
Threshold Signatures for Cryptographic Wallets
[TIME-LOCK]
Time-Lock Encryption with Verifiable Delay Functions
[ZKP-AUTH]
Zero-Knowledge Proofs for Authentication
[PROACTIVE]
Proactive Secret Sharing — Herzberg et al., 1995

15. Acknowledgements

The editor would like to thank the members of the decentralized identity community for their valuable feedback and contributions. Special thanks to the cryptographic reviewers who validated the group parameters, the privacy researchers who contributed to guardian privacy enhancements, and the implementers who provided integration feedback.

Appendices

Appendix A: Implementation Checklist

RequirementStatusNotes
Type A: VSS group parameters (§7.0) ✓ Complete 256-bit safe prime (p, q, g); verified in reference impl
Type A: VSS share generation & verification (§7.1) ✓ Complete Feldman VSS; all-indices self-check passes
Type A: ZKP implementation (§7.2) ☐ Open Schnorr proofs of share knowledge
Type A: Guardian privacy (§9.2) ☐ Open Hashed guardian identifiers
Type A: Social recovery (reconstruct + re-key) ☐ Open Guardian HTTP endpoints; share delivery protocol
Type B: HD key derivation (§5.2) ☐ Open BIP-32 compatible
Type B: VDF implementation (§7.3) ☐ Open Wesolowski or Pietrzak
Type C: fROST implementation (§7.4) ☐ Open Threshold signatures
Type C: Share refreshment (§7.1.4) ✓ Complete Proactive refresh with combined commitments
Type C: Epoch synchronization (§5.4) ☐ Open Catch-up protocol; verifiable refresh transcripts
Recovery-loop detection (§8.4) ✓ Complete DFS acyclicity check; validate_recovery_graph()
JSON-LD context (§11) ✓ Complete Schema with vssGroupParameters
Test vectors (§13) ✓ Complete VSS, refresh, and recovery vectors machine-verified

© 2026 Sirraya Labs. Licensed under the MIT License.

Editor: Amir Hameed Mir · amir@sirraya.org · GitHub