1. Introduction

To understand how Anastasis works, you need to understand three key concepts: user identifiers, our adversary model and the role of the recovery document.

1.1. User Identifiers

To uniquely identify users, an “unforgettable” identifier is used. This identifier should be difficult to guess for anybody but the user. However, the identifier is not expected to have sufficient entropy or secrecy to be cryptographically secure. Examples for such identifier would be a concatenation of the full name of the user and their social security or passport number(s). For Swiss citizens, the AHV number could also be used.

1.2. Adversary models

The adversary model of Anastasis has two types of adversaries: weak adversaries which do not know the user’s identifier, and strong adversaries which somehow do know a user’s identifier. For weak adversaries the system guarantees full confidentiality. For strong adversaries, breaking confidentiality additionally requires that Anastasis escrow providers must have colluded. The user is able to specify a set of policies which determine which Anastasis escrow providers would need to collude to break confidentiality. These policies also set the bar for the user to recover their core secret.

1.3. The recovery document

A recovery document includes all of the information a user needs to recover access to their core secret. It specifies a set of escrow methods, which specify how the user should convince the Anastasis server that they are “real”. Escrow methods can for example include SMS-based verification, video identification or a security question. For each escrow method, the Anastasis server is provided with truth, that is data the Anastasis operator may learn during the recovery process. Truth always consists of an encrypted key share and associated data to authenticate the user. Examples for truth would be a phone number (for SMS), a picture of the user (for video identification), or the (hash of) a security answer. A strong adversary is assumed to be able to learn the truth, while weak adversaries must not. In addition to a set of escrow methods and associated Anastasis server operators, the recovery document also specifies policies, which describe the combination(s) of the escrow methods that suffice to obtain access to the core secret. For example, a policy could say that the escrow methods (A and B) suffice, and a second policy may permit (A and C). A different user may choose to use the policy that (A and B and C) are all required. Anastasis imposes no limit on the number of policies in a recovery document, or the set of providers or escrow methods involved in guarding a user’s secret. Weak adversaries must not be able to deduce information about a user’s recovery document (except for its length, which may be exposed to an adversary which monitors the user’s network traffic).