<aside> <img src="/icons/binoculars_blue.svg" alt="/icons/binoculars_blue.svg" width="40px" /> Introduction

</aside>

Technical Documentation

<aside> <img src="/icons/log-in_brown.svg" alt="/icons/log-in_brown.svg" width="40px" /> Getting Started

</aside>

<aside> <img src="/icons/translate_brown.svg" alt="/icons/translate_brown.svg" width="40px" /> How it works

</aside>

Testing program

<aside> <img src="/icons/confetti-party-popper_orange.svg" alt="/icons/confetti-party-popper_orange.svg" width="40px" /> How to Participate

</aside>

Additional information

<aside> <img src="/icons/thought-dialogue_pink.svg" alt="/icons/thought-dialogue_pink.svg" width="40px" /> FAQ

</aside>

<aside> <img src="/icons/document_pink.svg" alt="/icons/document_pink.svg" width="40px" /> Lite Paper

</aside>

Introduction

Secrets Vault is an innovative solution that allows you to safeguard your secrets using an image that you provide. You can store this image anywhere you like, even openly on social media, and create as many copies as you want, all without the risk of compromising your information. Furthermore, you can share your secrets, either openly so anybody can see them, or by inviting your trusted third parties.

<aside> <img src="/icons/dialogue_brown.svg" alt="/icons/dialogue_brown.svg" width="40px" /> What is a secret? It's any digital information you want to securely back up: → My wallet seed phrase(s) → My password(s) → Some critical document → A picture of my seed phrase → A private picture → An audio message → …

</aside>

<aside> 🆔

Secrets Vault has also applications in identity and authentication management. These use cases are not covered in this documentation.

</aside>

Main system components

At high level, these are the main components of Secrets Vault

User:
- The user interacts with Secrets Vault via a Portal (which could be web-based, or a mobile app…) or third party (D)Apps (e.g. wallet) that integrates Secrets Vault technology.
Portal, Wallets and (D)Apps
- Secrets Vault SDK can be integrated inside any existing Wallet applications or (D)App to provide a more seamless access to Secrets Vault without using another application.
- The Portal provides to the user a web interface to interact with the Secrets Vault without interacting the SDK.
Secrets Vault SDK:
- The SDK implements the client side visual cryptographic protocol steps that protect the secret to be hidden.
- Since it is executed in the user device, no secret information can be accessed outside this device, ensuring complete privacy.
- SDK also provides the user with an interface for providing the image that will be used to hide the secret (e.g., take a picture), and store or share the image latter on.
- All the user interfaces (Portal, wallets…) integrate with the SDK to interact with Secrets Vault Backend.
Secrets Vault Backend:
- The backend component implements the server side cryptographic protocol steps that allow to verify and securely custody the key image component needed to retrieve the secret from the image chosen by the user.
- Additionally, backend implements identity management based on an authentication service that allows to identify users using third-party identity providers (e.g., social login, or another crypto wallet).
- Backend also implements user secret recovery management processes (accessible through the Portal) that facilitates users to manage their current secret recovery keys (e.g., delete or renew) and define restore policies (e.g., define nominees that could access recovery keys in certain conditions).
- Finally, Backend also manages the secure (encrypted) storage of the recovery keys and the interaction with other custodians on the execution of distributed recovery key protection.

graph TD
    User[User] <--> Portal[Portal]
    User <--> W1[Wallet 1]
    User <--> Wn[Wallet n]
    User <--> Dn[Dapp n]
    Portal <--> SDK[Secrets Vault SDK]
    W1 <--> SDK
    Wn <--> SDK
    Dn <--> SDK
    SDK <--> Backend[Secrets Vault Backend]

Safeguarding a secret

The process to protect your secrets is straightforward for users, hiding the complexities behind the scenes:

User Authentication:
- The user provides an authentication factor to Secrets Vault, such as a web3 wallet, social login, or email, demonstrating access to a reliable third-party system.
Backend Validation:
- The Secrets Vault backend validates the authentication information and generates an authentication token with a unique Secrets Vault user pseudonym that will be used to identify the user in the Backend.
Providing Secret Information:
- Using Secret Vault client application, the user provides the secret information to be safeguarded and an image that will be used to protect it. Secrets Vault client (i) generates a recovery key (image key) used for protecting the secret in the image, (ii) protects this image key using a custodian key, and (iii) sends the protected image key to the backend.
Backend Storage:
- The backend validates the correctness of the protected image key information (without knowing its contents) and securely stores it.
Confirmation:
- The user receives confirmation of the successful validation and storage of the image key and therefore, he/she can store or share the image used for hiding the secret in a completely secure and open way: the image has no traces that has been used to hide anything.

sequenceDiagram
    autonumber
    actor User
    participant App as Client Application
    participant SSGApp as Secrets Vault SDK
    participant SBUServ as Secrets Vault Backend
    
    User ->> App: Provide authentication factor (e.g., web3 wallet, social login, email)
    App ->> SBUServ: Validate authentication factor
    SBUServ ->> App: Send authentication token
    App ->> User: Request secret information and image
    User ->> App: Provide secret information and image
    App ->> SSGApp: Process secret information and image
    SSGApp ->> SSGApp: Generate image key
    SSGApp ->> SSGApp: Protect image key with custodian key
    SSGApp ->> SBUServ: Send protected image key and secret ID
    SBUServ ->> SBUServ: Validate and store protected image key
    SBUServ ->> App: Confirmation of successful storage
    App ->> User: Confirmation received, user can store/share image

Recovering a secret

The process to recover your secrets with Secrets Vault is straightforward for users, hiding the complexities behind the scenes:

User Authentication:
- The user provides an authentication factor to Secrets Vault, such as a web3 wallet, social login, or email, demonstrating access to a reliable third-party system.
Providing recovery information:
- Secrets Vault prompts the user to provide the secret identifier and the image used for protecting the secret.
- User sends the secret identifier that wants to retrieve, a user key and a proof of image ownership.
Backend Validation:
- The Secrets Vault backend validates the authentication and ownership proof send by user and retrieves the protected image key from its secure storage if everything is correct.
- Renews the image key protection using the custodian and user keys.
- Sends the protected image key to the user.
Recovering the Secret:
- By combining the protected image key provided by the backend and the image provided by the user, Secrets Vault client recovers the secret information, which is then displayed to the user.

sequenceDiagram
    autonumber
    actor User
    participant App as Client Application
    participant SSGApp as Secrets Vault SDK
    participant SBUServ as Secrets Vault Backend
    
    User ->> App: Provide authentication factor (e.g., web3 wallet, social login, email)
    App ->> SBUServ: Validate authentication factor
    SBUServ ->> App: Authentication token
    App ->> User: Request secret ID and related image
    User ->> App: Secret ID and image
    App ->> SSGApp: Retrieve secret with secret ID from image
    SSGApp ->> SBUServ: Provide protected image key of secret ID
    SBUServ ->> SSGApp: Protected image key
    SSGApp ->> SSGApp: Retrieve the secret information
    SSGApp ->> App: Recovered secret information
    App ->> User: Show the recovered secret information

The cryptography behind the scenes

Secrets Vault uses a combination of advanced cryptographic primitives to provide a reliable and secure mechanism for safeguarding your information. The main cryptographic protocols used are:

Multi-Party Computation

Multi-Party Computation (MPC) is a cryptographic protocol that enables multiple parties to jointly compute a function over their inputs while keeping those inputs private. In Secrets Vault, MPC is used to enhance the security of image keys protected by custodians, ensuring that no single custodian can compromise the custodied data.

Homomorphic Encryption

Homomorphic Encryption (HE) is a form of encryption that allows computations to be performed on ciphertext, generating an encrypted result that, when decrypted, matches the result of operations performed on the plaintext. Secrets Vault uses Partially Homomorphic Encryption (PHE) to ensure that sensitive data can be processed without ever exposing the actual data, enhancing security and privacy. Fully Homomorphic Encryption (FHE) is also supported, but not implemented yet in production.

Zero Knowledge Proofs

Zero-Knowledge Proofs (ZKP) are cryptographic methods that allow one party to prove to another that a statement is true without revealing any information beyond the validity of the statement itself. Secrets Vault employs ZKP to verify user authorship, data integrity, and proof of ownership without compromising user and secret privacy.

“Zero” Steganography

At Secrets Vault, we deliberately chose not to manipulate images to hide information, and therefore, our approach cannot be properly classified as steganography. Instead, we follow a visual cryptography approach—specifically, a secret-sharing scheme. In our method, images are not used as a container for hidden information, as in steganography. Rather, an image (the ‘Keepic’) serves as one of the essential shares in a cryptographic secret-sharing protocol used for protecting a secret.