Social Recovery: The Human Side of Cryptographic Security
What happens if you lose your 24-word recovery phrase? Social recovery lets your trusted circle help — without ever exposing your data. Here's how the math works.
The biggest fear with zero-knowledge encryption is simple: what if I lose my recovery phrase? Traditional recovery mechanisms — security questions, email resets, knowledge-based answers — all create backdoors that undermine the entire trust model. The moment a provider can reset your account, your data is only as secure as their helpdesk. Social recovery offers an elegant alternative: it pushes the recovery decision out to a small group of people who already care about you, while keeping the cryptography intact.
Social recovery is not a new idea. The cryptographic primitive that powers it — Shamir Secret Sharing — was published in 1979. What is new is the user experience that makes it accessible to people who have never thought about thresholds, lattice cryptography, or key wrapping. Done well, social recovery turns a math problem into a conversation between trusted humans.
Shamir Secret Sharing
Keeplas uses Shamir Secret Sharing (SSS), a cryptographic technique that splits a secret into multiple shares. You define two parameters: the total number of shares (n) and the minimum threshold needed to reconstruct the secret (k). For example, you might create 5 shares and require 3 to recover. The mathematics is based on polynomial interpolation in a finite field: the secret is the constant term of a random polynomial, and each share is one point on that polynomial. Any k points determine a unique polynomial of degree at most k-1, but k-1 points reveal nothing about its constant term.
Each share is distributed to a trusted contact. No single share reveals anything about the original secret — not even a single bit. Only when the threshold is met can the secret be mathematically reconstructed. This 'information-theoretic' security is stronger than computational security: it is not 'hard to break,' it is provably impossible to break with fewer shares than the threshold.
How It Works in Practice
When you set up social recovery in Keeplas, your recovery key is split into shares and encrypted individually for each trusted contact using post-quantum ML-KEM-768. If you ever need to recover, your contacts receive a recovery request through the platform, verify the legitimacy of the request — typically through a secondary out-of-band channel like a phone call — and release their share. Only when enough shares are combined does your recovery key become available, and the entire reconstruction happens on your new device.
Your contacts never see your data. They never see each other's shares. They simply authorize a recovery request, and the cryptography handles the rest. Equally important, Keeplas servers are not the recovery oracle: they relay encrypted shares but cannot reconstruct the key, even if every contact's share passed through their infrastructure simultaneously.
Choosing Your Circle
The strength of social recovery depends on choosing trusted contacts wisely. We recommend a mix of family members and close friends, geographically distributed, with a threshold that balances accessibility with security — typically 3-of-5 or 4-of-7. A 2-of-3 setup is easy to break if two of your contacts collude; a 5-of-5 setup is brittle because a single unreachable contact locks you out. The sweet spot rewards diversity: pick people from different parts of your life who would have no reason to coordinate against you.
Recovery Conditions and Delays
Social recovery is not only for the moment you forget your phrase. It is also the mechanism through which your digital legacy reaches your heirs. Keeplas supports time-locked recoveries, where a quorum can unlock the vault after a waiting period that you set in advance. This waiting period gives you the chance to cancel an unwanted recovery while you are still alive, and gives your heirs a predictable path to access when you are not.
Maintaining the Plan Over Time
A recovery circle is not a static document. People move, change phones, fall out of touch, and occasionally pass away themselves. Treat your social recovery configuration like a fire drill: review the participants every six to twelve months, rotate any compromised devices, and confirm that each contact still has the Keeplas app installed and recognized.