Account Recovery
Comprehensive guide to recovering your Zentalk identity and data after device loss, damage, or upgrade.
Recovery Overview
Account recovery in Zentalk operates under a fundamental constraint: your private keys never leave your devices. This self-custody model means recovery depends entirely on preparation and the backup mechanisms you have in place.
What Can Be Recovered
| Data Type | Recovery Source | Requirements |
|---|---|---|
| Identity Key | Mnemonic phrase or encrypted backup | 24-word phrase or backup password |
| Wallet Address | Derived from mnemonic | Mnemonic phrase |
| Contact List | Mesh storage backup | Identity Key + backup password |
| Profile Data | Mesh storage backup | Identity Key + backup password |
| Device Keys | Cannot be recovered | Regenerated on new device |
| Message History | Encrypted backup only | Backup enabled + password |
| Verification Status | Manual re-verification | Out-of-band confirmation |
What Cannot Be Recovered
| Data Type | Reason | Consequence |
|---|---|---|
| Active Sessions | Ephemeral keys deleted | Must re-establish with contacts |
| Session Keys | Forward secrecy design | Previous session state lost |
| One-Time Pre-Keys (used) | Single-use by design | Already consumed |
| Device-Specific Keys | Per-device generation | New keys created |
| Pending Messages | Encrypted to old keys | May be lost if undelivered |
| Disappearing Messages | Auto-deleted | Not recoverable by design |
Recovery Methods Comparison
| Method | Data Recovered | Security | Convenience |
|---|---|---|---|
| Mnemonic Phrase | Identity + derived keys | Highest | Low |
| Encrypted Backup | Identity + contacts + messages | High | Medium |
| Multi-Device Transfer | Everything except sessions | High | High |
| On-Chain Recovery | Identity verification only | Medium | Low |
Mnemonic Phrase Recovery
The mnemonic phrase is the ultimate backup for your Zentalk identity. It encodes the seed from which all your keys are derived.
BIP-39 Standard
Zentalk uses the BIP-39 standard for mnemonic generation:
| Property | Specification |
|---|---|
| Word List | 2048 English words |
| Phrase Length | 24 words (256-bit entropy) |
| Checksum | Last 8 bits (final word encodes checksum) |
| Encoding | 11 bits per word (2^11 = 2048) |
Word List Properties:
| Property | Benefit |
|---|---|
| No similar words | ”cat” and “car” not both included |
| Unique prefixes | First 4 characters identify each word |
| Alphabetically sorted | Easier to look up |
| Common English | Easier to write and remember |
Entropy to Mnemonic Conversion
The 24-word phrase encodes 256 bits of entropy plus an 8-bit checksum:
Entropy Generation:
1. Generate 256 random bits from secure RNG
2. Compute checksum = SHA-256(entropy)[0:8]
3. Concatenate: entropy || checksum = 264 bits
4. Split into 24 groups of 11 bits each
5. Map each 11-bit value to word list indexBit Allocation:
| Component | Bits | Purpose |
|---|---|---|
| Entropy | 256 | Randomness source |
| Checksum | 8 | Error detection |
| Total | 264 | 24 × 11 bits |
Mnemonic to Seed Derivation
Converting the mnemonic back to a usable seed:
Seed Derivation (PBKDF2):
Input: mnemonic phrase (space-separated words)
Salt: "mnemonic" + optional_passphrase
Iterations: 2048
Hash: HMAC-SHA512
Output: 512-bit seed
seed = PBKDF2-HMAC-SHA512(
password = normalize(mnemonic),
salt = "mnemonic" + passphrase,
iterations = 2048,
output_length = 64 bytes
)Optional Passphrase:
| With Passphrase | Without Passphrase |
|---|---|
| 25th word protection | 24 words sufficient |
| Plausible deniability | Simpler recovery |
| Different seed per passphrase | Single identity |
| Must remember passphrase | Mnemonic only needed |
Seed to Identity Key Derivation
From the 512-bit seed, Zentalk derives the Identity Key using hierarchical deterministic derivation:
Key Derivation Path:
Master Key = HMAC-SHA512("ed25519 seed", seed)
Path: m/44'/1991'/0'/0/0
44' = BIP-44 purpose (hardened)
1991' = Zentalk coin type (hardened)
0' = Account index (hardened)
0 = Change (external)
0 = Address index
Identity Key = derive_ed25519(Master Key, path)Derivation Components:
| Path Element | Value | Meaning |
|---|---|---|
| Purpose | 44’ | BIP-44 compliant |
| Coin Type | 1991’ | Zentalk registered type |
| Account | 0’ | Primary account |
| Change | 0 | External chain |
| Index | 0 | First key |
Step-by-Step Recovery Process
Phase 1: Input Validation
1. User enters 24-word phrase
2. Validate each word exists in BIP-39 list
3. Compute checksum from first 23 words + partial 24th
4. Verify checksum matches final word
5. If invalid: display specific errorPhase 2: Key Regeneration
1. Convert mnemonic to seed (PBKDF2)
2. Derive master key from seed
3. Derive wallet key: m/44'/60'/0'/0/0 (secp256k1)
4. Derive identity key: m/44'/1991'/0'/0/0 (Ed25519)
5. Compute wallet address from public key
6. Generate new device key for this devicePhase 3: Network Re-registration
1. Generate new signed pre-key
2. Generate 100 new one-time pre-keys
3. Sign pre-key bundle with identity key
4. Publish to DHT and API servers
5. Fetch existing contacts from mesh backup
6. Notify contacts of new device (key unchanged)Phase 4: Session Re-establishment
1. For each contact:
- Fetch their current key bundle
- Perform X3DH key exchange
- Initialize new Double Ratchet session
2. Old sessions are abandoned
3. Pending messages to old device keys are lostRecovery Validation
| Check | Validation |
|---|---|
| Word count | Exactly 24 words |
| Word validity | Each word in BIP-39 list |
| Checksum | Last word encodes valid checksum |
| Address match | Derived address matches expected |
| Signature test | Can sign test message |
Encrypted Backup Recovery
Encrypted backups provide a more complete recovery option, including data that cannot be derived from the mnemonic alone.
Backup File Structure
The encrypted backup file contains multiple sections:
Backup File Format:
┌─────────────────────────────────────────────────┐
│ Header (32 bytes) │
│ Magic: "ZTBK" (4 bytes) │
│ Version: 1 (2 bytes) │
│ Timestamp: Unix epoch (8 bytes) │
│ Key derivation params (18 bytes) │
├─────────────────────────────────────────────────┤
│ Salt (32 bytes) │
├─────────────────────────────────────────────────┤
│ Nonce (12 bytes) │
├─────────────────────────────────────────────────┤
│ Encrypted Payload (variable) │
│ Identity Key material │
│ Contact list │
│ Group memberships │
│ Settings │
│ Message history (optional) │
├─────────────────────────────────────────────────┤
│ Authentication Tag (16 bytes) │
└─────────────────────────────────────────────────┘Header Fields:
| Field | Size | Description |
|---|---|---|
| Magic | 4 bytes | File type identifier “ZTBK” |
| Version | 2 bytes | Backup format version |
| Timestamp | 8 bytes | Creation time (Unix epoch) |
| KDF ID | 1 byte | Key derivation function (1 = PBKDF2) |
| Iterations | 4 bytes | PBKDF2 iteration count |
| Reserved | 13 bytes | Future use |
Password-Based Decryption
The backup is encrypted with a key derived from the user’s password:
Key Derivation:
password = user_input
salt = backup_file[32:64] // 32 bytes
iterations = header.iterations // minimum 600,000
derived_key = PBKDF2-HMAC-SHA256(
password,
salt,
iterations,
output_length = 32 bytes
)
Decryption:
nonce = backup_file[64:76] // 12 bytes
ciphertext = backup_file[76:-16]
tag = backup_file[-16:] // last 16 bytes
plaintext = AES-256-GCM-Decrypt(
key = derived_key,
nonce = nonce,
ciphertext = ciphertext,
associated_data = header,
tag = tag
)Security Parameters:
| Parameter | Value | Purpose |
|---|---|---|
| PBKDF2 Iterations | ≥ 600,000 | Slow brute-force attacks |
| Salt | 32 bytes random | Prevent rainbow tables |
| AES-256-GCM | 256-bit key | Encryption + authentication |
| Nonce | 12 bytes random | Unique per backup |
Backup Contents
Required Components:
| Component | Size (approx) | Recovery Use |
|---|---|---|
| Identity Key Seed | 32 bytes | Regenerate all derived keys |
| Wallet Key | 32 bytes | Blockchain operations |
| Contact List | Variable | Restore address book |
| Group Memberships | Variable | Rejoin groups |
| Profile Data | Variable | Username, avatar hash |
Optional Components:
| Component | Size | When Included |
|---|---|---|
| Message History | Variable | If user enabled |
| Media Index | Variable | If backup media enabled |
| Custom Settings | ~1 KB | Always |
| Blocked Users | Variable | If any exist |
Backup Validation and Integrity
Before recovery proceeds, the backup undergoes validation:
Structural Validation:
1. Check file size minimum (96 bytes header + tag)
2. Verify magic bytes = "ZTBK"
3. Check version is supported (currently 1)
4. Verify timestamp is reasonable (not future, not too old)
5. Validate KDF parameters are secureCryptographic Validation:
1. Derive key from password
2. Attempt AES-GCM decryption
3. Verify authentication tag
- If tag invalid: wrong password or corrupted
4. Parse decrypted payload
5. Verify internal checksumsContent Validation:
1. Deserialize identity key material
2. Derive public key from private key
3. Compute wallet address
4. Compare with embedded address
5. If mismatch: backup may be for different accountError Conditions:
| Error | Cause | Resolution |
|---|---|---|
| Invalid magic | Not a Zentalk backup | Use correct file |
| Unsupported version | Newer backup format | Update app |
| Decryption failed | Wrong password | Retry password |
| Tag verification failed | Corrupted or tampered | Use different backup |
| Checksum mismatch | Partial corruption | Try older backup |
Multi-Device Recovery
When you have another device with your Zentalk account active, recovery is simpler and more complete.
Prerequisites
| Requirement | Description |
|---|---|
| Existing Device | Phone, tablet, or desktop with active Zentalk |
| Network Connection | Both devices online |
| Physical Proximity | For QR code scanning (recommended) |
| Device Unlocked | Biometric or PIN required |
Recovering from Existing Device
Option A: QR Code Pairing
On Existing Device:
1. Navigate to Settings → Devices → Add Device
2. Authenticate with biometric/PIN
3. Generate ephemeral X25519 keypair
4. Display QR code containing:
- Ephemeral public key (32 bytes)
- Session ID (16 bytes)
- Timestamp (8 bytes)
- Signature from Identity Key
On New Device:
1. Select "Recover from existing device"
2. Scan QR code from camera
3. Parse and validate QR data
4. Generate own ephemeral keypair
5. Compute shared secretOption B: Numeric Code Pairing
On Existing Device:
1. Navigate to Settings → Devices → Add Device
2. Select "Use numeric code"
3. Display 8-digit code + ephemeral public key
4. Code valid for 60 seconds
On New Device:
1. Enter 8-digit code
2. Fetch pairing data from server using code
3. Proceed with key exchangeQR Code Pairing Flow
Detailed Protocol:
Phase 1: QR Generation (Existing Device)
EK_old = generate_x25519_keypair()
session_id = random(16 bytes)
timestamp = current_unix_time()
payload = EK_old.public || session_id || timestamp
signature = Ed25519_sign(Identity_Key, payload)
qr_data = Base64(payload || signature)
Phase 2: QR Scan (New Device)
Parse qr_data
Verify timestamp not expired (60 second window)
Extract EK_old_public, session_id, signature
EK_new = generate_x25519_keypair()
shared_secret = X25519(EK_new.private, EK_old_public)
encryption_key = HKDF(shared_secret, "ZentalkDeviceLink")
Phase 3: Key Request (New Device → Server → Existing Device)
Generate device keypair for new device
request = {
session_id: session_id,
ephemeral_public: EK_new.public,
device_public_key: new_device_public_key,
device_info: encrypted(encryption_key, device_name)
}
Send request to server
Phase 4: Key Transfer (Existing Device)
Receive request via push notification
Verify session_id matches pending pairing
shared_secret = X25519(EK_old.private, EK_new_public)
encryption_key = HKDF(shared_secret, "ZentalkDeviceLink")
transfer_data = {
identity_key_seed: encrypted(encryption_key, seed),
contacts: encrypted(encryption_key, contact_list),
groups: encrypted(encryption_key, group_list),
settings: encrypted(encryption_key, settings)
}
Sign transfer_data with Identity Key
Send to new device via server
Phase 5: Verification (Both Devices)
verification_code = HKDF(shared_secret, "verify")[0:6]
Convert to 6-digit number
Both devices display same code
User confirms codes match
If match confirmed:
New device finalizes setup
Add new device to device listSecure Key Transfer Between Devices
Transfer Security Properties:
| Property | Mechanism |
|---|---|
| Confidentiality | AES-256-GCM encryption |
| Authenticity | Identity Key signature |
| Forward Secrecy | Ephemeral X25519 keys |
| MITM Prevention | Out-of-band verification code |
| Replay Prevention | Single-use session ID |
| Timeout | 60-second validity window |
What Gets Transferred:
| Data | Transferred | Notes |
|---|---|---|
| Identity Key Seed | Yes | Encrypted with shared secret |
| Contact List | Yes | Full address book |
| Group Memberships | Yes | Group IDs and metadata |
| Active Sessions | No | Must re-establish |
| Message History | Partial | Recent messages only |
| Device Keys | No | New device generates own |
What Does NOT Transfer:
| Data | Reason |
|---|---|
| Double Ratchet State | Device-specific, forward secrecy |
| Used One-Time Pre-Keys | Already consumed |
| Session Keys | Per-device isolation |
| Push Tokens | Device-specific |
Message History Recovery
Message recovery is the most limited aspect of account recovery due to forward secrecy design.
When Messages Can Be Recovered
| Scenario | Recovery Possible | Method |
|---|---|---|
| Encrypted backup enabled | Yes | Restore from backup |
| Multi-device sync enabled | Yes | Sync from other device |
| Mesh storage backup | Partial | Recent messages only |
| No backup, single device lost | No | Messages permanently lost |
When Messages Are Permanently Lost
| Scenario | Reason |
|---|---|
| Device lost, no backup | Session keys only existed on device |
| Backup exists, wrong password | Cannot decrypt backup |
| Forward secrecy window passed | Old keys deleted |
| Disappearing messages | Deleted by design |
| Device wiped remotely | Keys destroyed |
Message Backup Mechanics
What Message Backups Contain:
Message Backup Entry:
┌─────────────────────────────────────────────────┐
│ conversation_id: hash(participant_addresses) │
│ message_id: unique_identifier │
│ timestamp: unix_epoch_ms │
│ sender: wallet_address │
│ type: text | media | system │
│ content: encrypted_message_body │
│ media_refs: [encrypted_media_keys] │
│ read_status: boolean │
│ delivery_status: sent | delivered | read │
└─────────────────────────────────────────────────┘Backup Encryption:
| Layer | Key Source | Algorithm |
|---|---|---|
| Message Content | Original session key | AES-256-GCM |
| Backup Encryption | Backup password | PBKDF2 + AES-256-GCM |
| Mesh Storage | Identity Key derived | AES-256-GCM |
Message Recovery Process
Phase 1: Identify Available Sources
Check for local encrypted backup file
Check mesh storage for backup markers
Check for other linked devices
Phase 2: Priority-Based Recovery
1. If other device available:
- Request message sync via encrypted channel
- Transfer complete conversation history
2. If encrypted backup available:
- Decrypt backup file
- Import message database
- Verify message signatures
3. If mesh backup only:
- Fetch encrypted blobs from mesh
- Decrypt with recovered Identity Key
- May have limited history (30 days default)
Phase 3: Session Reconstruction
For each conversation:
- Establish new session with contact
- Link historical messages to new session
- Mark old session keys as unrecoverablePartial Recovery Scenarios
| Scenario | Messages Recovered | Messages Lost |
|---|---|---|
| Multi-device, one lost | All | None |
| Backup from 7 days ago | Up to 7 days ago | Last 7 days |
| Mesh backup only | Last 30 days | Older messages |
| Mnemonic only recovery | None | All |
Recovery Limitations
Understanding what cannot be recovered is crucial for setting appropriate expectations and backup strategies.
Forward Secrecy Implications
The Double Ratchet algorithm provides forward secrecy by design:
Forward Secrecy Effect:
Time T-1: Message encrypted with Key(T-1)
Time T: Key(T-1) deleted, Key(T) derived
Time T+1: Key(T) deleted, Key(T+1) derived
Attacker at T+1 cannot recover Key(T-1) or Key(T)
Even with Identity Key compromiseWhat This Means for Recovery:
| If You Lose | You Cannot Recover |
|---|---|
| Device at time T | Session keys from before T |
| Chain Key | Previous message keys in that chain |
| Root Key | Previous chain keys |
| All devices | All session state |
Items That CANNOT Be Recovered
Cryptographic Limitations:
| Item | Why Unrecoverable |
|---|---|
| Session Keys | Deleted after use (forward secrecy) |
| Used One-Time Pre-Keys | Single-use by cryptographic design |
| Ephemeral Keys | Deleted after key exchange |
| Chain Keys (old) | One-way derivation function |
| Ratchet State | Per-device, not backed up |
Design Limitations:
| Item | Why Unrecoverable |
|---|---|
| Disappearing Messages | Deleted after timer expires |
| Verification Status | Requires out-of-band re-verification |
| Read Receipts (old) | Ephemeral status data |
| Typing Indicators | Never stored |
| Online Status History | Never stored |
Session Re-establishment Requirements
After recovery, sessions with all contacts must be re-established:
Session Re-establishment Flow:
1. New device generates fresh pre-keys
2. Publishes new key bundle to network
3. For each contact attempting to message you:
- They detect new key bundle
- They perform fresh X3DH
- New Double Ratchet session begins
4. Contacts see "safety number changed" warning
5. High-security contacts should re-verifyImpact on Contacts:
| Contact Action | Required | Optional |
|---|---|---|
| Accept new keys | Yes | - |
| Re-verify fingerprints | Recommended | Yes |
| Acknowledge key change | Yes | - |
| Re-send failed messages | Manual | Yes |
Security During Recovery
Recovery is a high-risk operation that requires careful security measures.
Verification of Recovered Identity
After recovery, verify that the correct identity was restored:
Self-Verification Steps:
1. Check wallet address matches expected
2. View identity fingerprint
3. Compare with recorded fingerprint (if available)
4. Verify contact list matches expectations
5. Check group memberships are correctTechnical Verification:
| Check | Method |
|---|---|
| Address Derivation | Re-derive from mnemonic, compare |
| Signature Test | Sign test message, verify with known public key |
| Contact Verification | Ask trusted contact to confirm your fingerprint |
| On-Chain Check | Verify against on-chain identity (if registered) |
Contact Notification of Key Change
When you recover on a new device, contacts are notified:
Automatic Notifications:
When contact sends message after your recovery:
1. They fetch your key bundle
2. Detect Identity Key unchanged but device keys new
3. System message: "User's security info changed"
4. Warning displayed: "Verify if unexpected"Notification Levels:
| Scenario | Notification | Action Required |
|---|---|---|
| New device, same IK | ”Added new device” | None (trusted) |
| Identity Key changed | ”Security code changed” | Verify recommended |
| Suspicious timing | ”Verify in person” | Verification required |
Preventing Recovery Attacks
Attack Vectors and Mitigations:
| Attack | Description | Mitigation |
|---|---|---|
| Mnemonic Theft | Attacker steals 24 words | Secure physical storage, encryption |
| Backup Password Guessing | Brute-force backup password | Strong password, high PBKDF2 iterations |
| Social Engineering | Trick user into sharing phrase | Education, never share phrase |
| Phishing | Fake recovery interface | Verify app signature, official sources |
| MITM on Recovery | Intercept device pairing | QR code + verification code |
| Evil Maid | Access device during recovery | Full disk encryption, secure boot |
Security Best Practices During Recovery:
| Practice | Reason |
|---|---|
| Verify app authenticity | Prevent malicious recovery app |
| Use secure network | Prevent network interception |
| Private location | Prevent shoulder surfing |
| Clear clipboard after | Mnemonic may be copied |
| Verify new device fingerprint | Confirm correct identity restored |
| Re-verify critical contacts | Detect potential compromise |
Recovery Environment Security
Recommended Environment:
Before Recovery:
✓ Official Zentalk app from verified source
✓ Device malware scan completed
✓ Secure, private location
✓ Trusted network (home WiFi or cellular)
✓ No screen recording active
✓ Clipboard cleared
During Recovery:
✓ Do not photograph mnemonic
✓ Do not read mnemonic aloud
✓ Verify each word carefully
✓ Watch for autocorrect interference
✓ Confirm address matches expected
After Recovery:
✓ Clear clipboard again
✓ Lock mnemonic backup securely
✓ Verify contact fingerprints
✓ Test send/receive with trusted contact
✓ Enable device security (biometric, PIN)Recovery Procedures Reference
Quick Reference: Recovery Options
| Situation | Available Options | Recommended |
|---|---|---|
| Lost phone, have backup | Mnemonic or encrypted backup | Encrypted backup (more complete) |
| Lost phone, no backup | Mnemonic only | Mnemonic (if stored securely) |
| Lost phone, other device active | Multi-device transfer | QR code pairing |
| Forgotten backup password | Mnemonic only | Mnemonic recovery |
| All devices lost | Mnemonic or encrypted backup | Whichever available |
| Mnemonic lost, have backup | Encrypted backup only | Backup (create new mnemonic backup after) |
| All recovery methods lost | None | Account unrecoverable |
Recovery Time Estimates
| Method | Time Required | Data Recovered |
|---|---|---|
| Mnemonic Recovery | 5-10 minutes | Identity only |
| Encrypted Backup | 5-15 minutes | Identity + contacts + messages |
| Multi-Device Transfer | 2-5 minutes | Nearly complete |
| Full Sync from Device | 10-30 minutes | Complete (depending on history size) |
Related Documentation
- Wallet-Based Identity - How identity keys work
- Cryptography Fundamentals - Key derivation details
- Multi-Device Support - Device linking protocols
- Threat Model - Security assumptions
- Protocol Specification - X3DH and Double Ratchet
Last updated on