This document describes the backup system used by Taler wallets. This is the second, simplified iteration of the proposal, which leaves out multi-device synchronization.
Backup must work both with and without Anastasis.
An arbitrary number of backup providers must be supported.
Minimize information leaks / timing side channels.
Minimize potential to lose money or important information.
Since real-time sync is not supported yet, wallets should have a feature where their whole content is “emptied” to another wallet, and the wallet is reset.
CG: This boils down to the existing ‘reset’ button (developer mode). Very dangerous. Could be OK if we had some way to notice the number of wallets using the same backup and then allow this ‘reset’ as long as # wallets > 1. Still, doing so will require a handshake with the other wallets to ensure that the user doesn’t accidentally reset on both wallets at the same time, each believing the other wallet is still sync’ed. So we would need like a 2-phase commit “planning to remove”, “acknowledged” (by other wallet), “remove”. Very bad UX without real-time sync.
Even without real-time sync, the backup data must support merging with old, existing wallet state, as the device that the wallet runs on may be restored from backup or be offline for a long time.
Each wallet has a 64 (CG: 32 should be enough, AND better for URLs/QR codes/printing/writing down) byte wallet root secret, which is used to derive all other secrets used during backup, which are currently:
If the user chooses to use Anastasis, the following information is backed up in Anastasis (as the core secret in Anastasis terminology):
TBD. Considerations from Design Doc 005: Wallet Backup and Sync still apply, especially regarding the CRDT.
The user will be asked to set up backup&sync (by selecting a provider) after the first withdrawal operation has been confirmed. After selecting the backup&sync providers, the user will be presented with a “checklist” that contains an option to (1) show/print the recovery secret and (2) set up Anastasis.
The wallet will initially only withdraw enough money to pay the backup&sync/Anastasis providers. Only after successful backup of the wallet’s signed planchets will the full withdrawal be completed.
Should the exchange tell the wallet about available sync/Anastasis providers? Otherwise, what do we do if the wallet does not know any providers for the currency of the user?
Should the wallet root secret and wallet database be locally encrypted and protected via a passphrase?
What happens if the same Anastasis user has multiple wallets? Can Anastasis somehow support multiple “instances” per application?
CG would definitively solve this using a more complex format for the master secret, basically serializing multiple root secret values with meta data (which wallet/device/name).
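One possible shape for the multi-wallet master secret described above, as an added example that is not part of this design document or of the Taler/Anastasis code: the JSON layout, the field names (`label`, `device`, `root_secret`), the version number and the base32 encoding are all assumptions. It shows the add-a-wallet path merging into the stored value, so that a second wallet does not overwrite the first wallet's root secret.

```python
import base64
import json

VERSION = 1                  # hypothetical format version, not defined by the design doc
SECRET_LENGTHS = (32, 64)    # the two root-secret sizes discussed in this document


def encode_core_secret(entries):
    """entries: dict mapping wallet label -> {"device": str, "root_secret": bytes}."""
    wallets = []
    for label in sorted(entries):            # sorted so the encoding is deterministic
        e = entries[label]
        if len(e["root_secret"]) not in SECRET_LENGTHS:
            raise ValueError(f"bad root secret length for {label!r}")
        wallets.append({
            "label": label,
            "device": e["device"],
            "root_secret": base64.b32encode(e["root_secret"]).decode("ascii"),
        })
    doc = {"version": VERSION, "wallets": wallets}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")


def decode_core_secret(blob):
    """Parse and validate a stored core secret; reject anything unexpected."""
    doc = json.loads(blob.decode("utf-8"))
    if doc.get("version") != VERSION:
        raise ValueError("unsupported core secret version")
    entries = {}
    for w in doc["wallets"]:
        secret = base64.b32decode(w["root_secret"])
        if len(secret) not in SECRET_LENGTHS:
            raise ValueError("bad root secret length")
        if w["label"] in entries:
            raise ValueError("duplicate wallet label")
        entries[w["label"]] = {"device": w["device"], "root_secret": secret}
    return entries


def add_wallet(existing_blob, label, device, root_secret):
    """Merge one wallet into the stored core secret without dropping the others."""
    entries = decode_core_secret(existing_blob) if existing_blob else {}
    # Refuse to silently replace another wallet's root secret under the same label.
    if label in entries and entries[label]["root_secret"] != root_secret:
        raise ValueError(f"label {label!r} already holds a different root secret")
    entries[label] = {"device": device, "root_secret": root_secret}
    return encode_core_secret(entries)
```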