Backup and Recovery
1. Automatic Backups
Backups are created automatically when accounts or settings are modified. These backups are encrypted locally using ML-KEM before being uploaded to a remote server.
Why ML-KEM?
NIST-standardized lattice-based algorithm .
Resistant to attacks from both classical and quantum computers.
Used to securely encrypt sensitive data like account records and recovery information.
Encryption Flow: ML-KEM + XSalsa20-Poly1305
The wallet uses a hybrid encryption model :
A shared secret is generated using ML-KEM.
The actual data is encrypted using XSalsa20-Poly1305 , a symmetric cipher.
The shared secret is then encapsulated using the recipient's ML-KEM public key .
Uploading the Backup
After encryption, the backup is signed using SLH-DSA to ensure authenticity before upload.
The backup and signature are sent via an authenticated API call:
2. Manual Recovery
There are two main ways to restore a wallet:
Option A: Recovery via Mnemonic Phrase (12/24 Words)
Process:
User enters their 12/24-word mnemonic during recovery.
The wallet regenerates:
SLH-DSA signing keypair (for Quranium Chain).
ML-KEM encryption keypair (for decrypting backups).
All accounts are re-created deterministically based on derivation paths.
Option B: Restore from Cloud Backup
Use this option if you want to restore specific encrypted backups (e.g., saved settings or additional accounts).
Requirements:
ML-KEM Private Key : Either regenerated from the mnemonic or exported earlier.
Encrypted Backup File : Must contain the
capsule
,symmetricCiphertext
, andnonce
.
Decryption Steps:
Use the ML-KEM private key to extract the shared secret from the capsule.
Decrypt the symmetric ciphertext using the shared secret and nonce.
Last updated