Home
Learn

How It Works

Tokenomics

Roadmap

Humanitarian Impact Fund

FAQ
Products

Wallet

DEX

LaunchPad

Token Factory

Vaults
Company

About

Contact
Buy JIL
← Back to Patent Claims
Patent Claim 16 All Patents →

Social Recovery Ceremony

Guardian-Attested Key Recovery with Timelock Protection

Patent Claim JIL Sovereign February 2026 Claim 16 of 36

01Executive Summary

Social Recovery Ceremony is JIL Sovereign's protocol-native key recovery mechanism, designed to eliminate the single point of failure that causes an estimated $4 billion in permanently lost crypto assets each year. The system enables account holders to designate a set of trusted guardians who can collectively authorize key recovery through a multi-step, time-locked ceremony.

Unlike conventional social recovery schemes that rely on application-layer logic, JIL's implementation is embedded directly into the Layer 1 protocol. Recovery requests are submitted as on-chain transactions, guardian attestations are cryptographically verified by validators, and the mandatory 24-hour timelock is enforced at the consensus level. This architecture ensures that no single party - including JIL itself - can unilaterally recover or compromise an account.

Key Innovation: The combination of M-of-N guardian attestation, mandatory 24-hour consensus-enforced timelock, multi-channel alert dispatch, and owner cancellation window creates a recovery mechanism that is simultaneously accessible to legitimate owners and resistant to social engineering attacks.

02Problem Statement

Key loss remains the most significant barrier to mainstream crypto adoption. Chainalysis estimates that approximately 20% of all Bitcoin - over $100 billion - is locked in wallets whose owners have lost access to their private keys. Existing recovery mechanisms fall into two unsatisfactory categories.

Custodial Recovery

Centralized exchanges and custodians offer password reset flows, but this requires users to surrender sovereignty over their assets. Custodial recovery introduces counterparty risk, regulatory seizure risk, and the possibility of insider compromise. Users must trust the custodian's security practices, employee vetting, and business continuity.

Existing Social Recovery

Projects like Argent and Safe have pioneered guardian-based recovery, but their implementations suffer from critical limitations. Guardian attestations execute immediately without mandatory delay periods, leaving no window for the legitimate owner to detect and cancel fraudulent recovery attempts. Alert mechanisms are limited to single channels (typically push notifications), which can be silenced by an attacker who has physical access to the victim's device.

The Gap: No existing system combines on-chain guardian attestation with mandatory timelocks, multi-channel alerts (email, SMS, push, on-chain event), and a cryptographic cancellation mechanism. JIL's Social Recovery Ceremony fills this gap.

03Technical Architecture

The Social Recovery Ceremony operates through five distinct protocol components, each enforced at the L1 consensus layer.

ComponentFunctionEnforcement
Recovery RegistryOn-chain contract accepting recovery requests with target account, new key material, and designated guardian setConsensus-validated
Guardian Attestation ProtocolM-of-N cryptographic attestation from designated guardians confirming recovery legitimacyEd25519 signature verification
Timelock EngineMandatory 24-hour delay after M-th attestation before key rotation executesBlock height enforcement
Alert DispatcherMulti-channel notification to all registered contact methods during timelock periodOff-chain with on-chain event trigger
Cancellation MechanismEnables legitimate owner to abort recovery by signing cancellation with any existing valid keyConsensus-validated

Guardian Configuration

Account holders configure their guardian set through the guardian-attestor service. The default configuration is 3-of-5 guardians, meaning any three of five designated guardians must independently attest to a recovery request. Guardian addresses are stored on-chain in the Recovery Registry, and modifications to the guardian set require the account holder's signature plus a 48-hour delay to prevent last-minute guardian manipulation.

Recovery Flow

Initiator submits recovery request to Recovery Registry
  - Target account, new public key, guardian set hash
  - Recovery enters PENDING state
  - Alert Dispatcher fires on all channels

Guardians independently verify and submit attestations
  - Each attestation is an Ed25519 signature over the recovery request hash
  - Registry tracks attestation count

M-th attestation received - Timelock begins
  - 24-hour countdown enforced at block height
  - Second wave of alerts dispatched
  - Owner cancellation window open

Timelock expires - Key rotation executes
  - Old key material deactivated
  - New key material activated
  - Recovery enters COMPLETED state

04Implementation

The Social Recovery Ceremony is implemented across three JIL Sovereign services, with the core logic enforced by the L1 validator consensus.

Recovery Registry Contract

The on-chain registry maintains a mapping from account addresses to their guardian configurations and active recovery requests. Each recovery request is assigned a unique ceremony_id derived from the keccak256 hash of the target account, new key material, and block number. This prevents replay attacks and ensures each ceremony is uniquely identifiable.

Multi-Channel Alert System

When a recovery request transitions to PENDING, the Alert Dispatcher sends notifications through all registered channels within 30 seconds. Channel delivery is independent - failure of one channel does not block others.

ChannelLatencyDelivery GuaranteeRetry Policy
EmailUnder 60sAt-least-once via SES3 retries, exponential backoff
SMSUnder 30sBest-effort via Twilio2 retries, 30s interval
Push NotificationUnder 10sBest-effort via FCM/APNs1 retry
On-Chain EventNext block (1.5s)Guaranteed by consensusIncluded in block or rejected

Cancellation Mechanism

The legitimate account holder can cancel any active recovery ceremony by submitting a cancellation transaction signed with any key material currently associated with the account. This includes the primary key, any backup keys, or any MPC shard that can produce a valid signature. Cancellation is immediate and irrevocable - once cancelled, the same recovery request cannot be resubmitted for 72 hours.

05Integration with JIL Ecosystem

Social Recovery Ceremony integrates with multiple JIL Sovereign subsystems to provide a seamless recovery experience while maintaining the platform's security guarantees.

MPC Cosigner

Recovery ceremonies that involve MPC key shards coordinate with the mpc-cosigner service. The new key material can be a fresh MPC key set, maintaining the 2-of-3 threshold signing model post-recovery.

Compliance API

Recovery requests trigger a compliance check to ensure the new key material is not associated with sanctioned addresses. The compliance-api validates against OFAC, EU sanctions lists, and zone-specific restrictions.

Protection Coverage

Protection coverage is maintained throughout the recovery ceremony. The 24-hour timelock ensures underwriters have adequate notice of key rotation events, and coverage transfers seamlessly to the new key material.

Proof Verifier

Each guardian attestation generates a zero-knowledge proof that the guardian possesses the correct private key without revealing it. These proofs are verified by the proof-verifier service before being accepted by the registry.

06Prior Art Differentiation

JIL's Social Recovery Ceremony introduces several novel elements not found in existing implementations.

FeatureArgentSafe (Gnosis)JIL Sovereign
Guardian AttestationApplication-layerMulti-sig transactionL1 consensus-verified
Mandatory TimelockNone (immediate)Optional module24h consensus-enforced
Alert ChannelsPush onlyNone built-inEmail, SMS, Push, On-chain
Cancellation WindowLimitedOwner can cancelAny valid key + 72h cooldown
Post-Quantum ReadyNoNoDilithium-compatible attestations
Guardian Set Modification Delay36hNone48h with multi-channel alert
Novel Combination: While individual elements (guardians, timelocks, alerts) exist in isolation across various projects, no prior art combines all five components (on-chain registry, M-of-N attestation, mandatory timelock, multi-channel alerts, cryptographic cancellation) into a single protocol-native recovery mechanism.

07Implementation Roadmap

Phase 1
Q1 2026

Core Ceremony Protocol

Deploy Recovery Registry contract on JIL L1. Implement guardian attestation protocol with Ed25519 signature verification. Enable 24-hour timelock enforcement at consensus level.

Phase 2
Q2 2026

Multi-Channel Alerts

Integrate Alert Dispatcher with email (SES), SMS (Twilio), push (FCM/APNs), and on-chain event emission. Implement retry policies and delivery confirmation tracking.

Phase 3
Q3 2026

MPC Integration

Enable recovery ceremonies that generate new MPC key sets. Coordinate with mpc-cosigner for shard distribution. Add guardian-assisted MPC re-keying flows.

Phase 4
Q4 2026

Post-Quantum Migration

Transition guardian attestations to Dilithium signatures. Enable hybrid attestation mode supporting both Ed25519 and Dilithium during migration period. Full PQ readiness.

08Patent Claim

Claim 16: A method for cryptographic key recovery using social guardians, comprising: an on-chain recovery registry accepting recovery requests specifying the target account, new key material, and designated guardian set; a guardian attestation protocol requiring M-of-N designated guardians to submit cryptographic attestations confirming the recovery request's legitimacy; a mandatory timelock period of at least twenty-four (24) hours beginning after sufficient guardian attestations are received; an automated multi-channel alert system dispatching notifications to all registered contact methods associated with the account during the timelock period; and a cancellation mechanism enabling the legitimate account holder to abort the recovery by signing a cancellation transaction with any existing valid key material during the timelock period.