# Coercion Resistance (Anti-Kidnapping)

## The Threat

**Scenario:**
```
High-value crypto wallet encrypted with CQRIT
→ Attacker kidnaps user
→ Attacker coerces user to reveal memory inputs
→ Attacker gains key
→ Attacker steals crypto
```

**Traditional Encryption:**
- User knows the key/passphrase
- Under duress, user reveals it
- Attacker gains full access
- No technical protection: whatever the user can recall, the user can be made to reveal

**CQRIT Goal:**
Make coercion pointless by ensuring even full user cooperation cannot grant attacker access.

## The Mitigation

### Core Concept: Split Knowledge

**Principle:**
User intentionally sets up encryption such that they cannot decrypt alone, even if they want to.

**Mechanism:**
Threshold secret sharing with a high threshold (M-of-N, with M close to N and the N shares held by geographically distributed guardians), where the user holds none of the shares.

**Example:**
```
User sets up 10-of-10 recovery:
- 10 shares distributed to 10 guardians
- All guardians in different countries
- User knows the memory inputs but holds none of the 10 shares (only guardian contact info)
- Even if user cooperates fully, attacker gets only user's inputs, not all shares
- Attacker cannot decrypt without all 10 guardians
```

**Result:**
Kidnapping user becomes useless. User cannot help attacker.

## How It Works

### Setup Phase

**Step 1: User Creates High-Threshold Recovery**
```
User creates 10-of-10 scheme:
Guardian 1: Friend in USA
Guardian 2: Sibling in Canada
Guardian 3: Colleague in UK
Guardian 4: Friend in Germany
Guardian 5: Business partner in Japan
Guardian 6: Relative in Australia
Guardian 7: Lawyer in Switzerland
Guardian 8: Trusted contact in Brazil
Guardian 9: Old roommate in India
Guardian 10: Anonymous service in Iceland
```

**Step 2: Each Guardian Stores Share**
```
Each guardian encrypts share with own memory-derived key
Shares stored on guardian's device/safe
User has no access to shares (only contact info)
```

**Step 3: User Configures Coercion-Resistant Mode**
```
Setting: "Require all guardians for decryption"
User's memory inputs alone = insufficient
Must contact guardians to decrypt
```
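The three setup steps above, as an added illustration (this is not CQRIT's own code, and the key-binding construction is an assumption): the vault's data key is derived from the user's memory-derived key *and* a guardian secret that exists only as M-of-N Shamir shares; the user keeps nothing but the memory inputs. The threshold is a parameter, so the same code shows the 10-of-10 and 9-of-10 configurations discussed under Implementation Strategies. Shamir is done byte-wise over GF(2^8) with the AES polynomial, the same construction SLIP-39 and `ssss` use; the memory inputs and the vault contents are constructed sample values.

```python
"""Threshold split of a vault key across guardians (added illustration)."""
import hashlib
import hmac
import os
from typing import List, Tuple

Share = Tuple[int, bytes]  # (x coordinate 1..255, one y byte per secret byte)


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _gf_inv(a: int) -> int:
    """Inverse via a^(2^8 - 2); only ever called on non-zero values."""
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result


def split_secret(secret: bytes, m: int, n: int) -> List[Share]:
    """Split `secret` into n shares, any m of which reconstruct it."""
    if not 1 <= m <= n <= 255:
        raise ValueError("need 1 <= m <= n <= 255")
    # One random degree-(m-1) polynomial per secret byte; constant term = the byte.
    polys = [[b] + list(os.urandom(m - 1)) for b in secret]
    shares = []
    for x in range(1, n + 1):
        y = bytearray()
        for coeffs in polys:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                acc = _gf_mul(acc, x) ^ c
            y.append(acc)
        shares.append((x, bytes(y)))
    return shares


def reconstruct(shares: List[Share]) -> bytes:
    """Lagrange-interpolate the constant term of each byte polynomial.

    Fewer than m shares do NOT raise: they yield random-looking bytes, so a
    partial set gives an attacker nothing to learn from or to verify."""
    xs = [x for x, _ in shares]
    if not shares or len(set(xs)) != len(xs):
        raise ValueError("missing or duplicate shares")
    length = len(shares[0][1])
    out = bytearray(length)
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    num = _gf_mul(num, xk)       # (0 - xk) == xk in characteristic 2
                    den = _gf_mul(den, xj ^ xk)  # (xj - xk) == xj ^ xk
            acc ^= _gf_mul(yj[i], _gf_mul(num, _gf_inv(den)))
        out[i] = acc
    return bytes(out)


def derive_data_key(memory_key: bytes, guardian_secret: bytes) -> bytes:
    """Assumed binding (not CQRIT's real KDF): both inputs are required."""
    return hmac.new(guardian_secret, b"cqrit/data-key|" + memory_key,
                    hashlib.sha256).digest()


def key_commitment(data_key: bytes) -> bytes:
    """Stored next to the vault so a legitimate recovery can self-check."""
    return hashlib.sha256(b"cqrit/commit|" + data_key).digest()


def coercion_demo(m: int = 10, n: int = 10) -> dict:
    """Set up an M-of-N vault, then replay the coercion event with what the
    attacker could plausibly collect: the user's inputs, and up to m-1 shares."""
    memory_key = hashlib.sha256(b"constructed memory inputs").digest()
    guardian_secret = os.urandom(32)  # never stored; only its shares survive
    commit = key_commitment(derive_data_key(memory_key, guardian_secret))
    shares = split_secret(guardian_secret, m, n)
    del guardian_secret  # the user is left with memory_key and contact info only

    def attempt(collected: List[Share]) -> bool:
        if not collected:
            candidate = memory_key  # memory inputs alone
        else:
            candidate = derive_data_key(memory_key, reconstruct(collected))
        return hmac.compare_digest(key_commitment(candidate), commit)

    return {
        "user_alone": attempt([]),              # kidnapped user, fully cooperating
        "one_short": attempt(shares[: m - 1]),  # m-1 guardians also coerced
        "threshold": attempt(shares[:m]),       # legitimate recovery
        "all": attempt(shares),
    }


if __name__ == "__main__":
    print("10-of-10:", coercion_demo(10, 10))
    print("9-of-10: ", coercion_demo(9, 10))
```

Two design points worth noticing: `reconstruct` with too few shares returns garbage rather than an error, so the attacker cannot use failure messages to count how many more guardians are needed, and the commitment is a hash of the final data key, which lets the user confirm a recovery without giving the attacker anything a brute-force of a 256-bit secret would not already need.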

### Coercion Event

**Attacker's Actions:**
1. Kidnaps user
2. Threatens user
3. Demands user decrypt wallet

**User's Cooperation:**
```
User: "I want to help, I really do. But I cannot decrypt alone."
User: "The system requires 10 people to reconstruct the key."
User: "I only know the memory inputs. I need all 10 guardians."
```

**Attacker's Options:**
- Kidnap all 10 guardians (across 10 countries) ❌ Infeasible
- Force user to contact guardians ❌ Guardians can refuse, delay, or alert authorities (see Time-Locked Shares below)
- Torture user ❌ User physically cannot provide what they don't have

**Result:**
Coercion becomes pointless. User's cooperation is insufficient.

## Security Properties

### Guarantees

✅ **User Cooperation Insufficient:**
Even if user fully cooperates, attacker cannot decrypt.

✅ **Physical Separation:**
Guardians in different jurisdictions = no single raid, subpoena, or kidnapping reaches all of them.

✅ **Time Delay:**
Recovery takes hours or days, not minutes, so it cannot be completed inside a coercion window; the user or any guardian can alert authorities in the meantime.

✅ **Observable Recovery:**
Guardian contact creates activity. Guardians can refuse or alert police.

### Limitations

⚠️ **Attacker with Resources:**
Nation-state actor could theoretically coerce all guardians.

⚠️ **Guardian Compromise:**
If guardians also coerced, shares revealed.

⚠️ **User Daily Access:**
If user needs frequent access, high threshold inconvenient.

⚠️ **Availability:**
With 10-of-10, a single lost share (a dead, unreachable, or careless guardian) means permanent loss of the data. Redundancy (9-of-10) or tiered vaults trade some coercion resistance for this.

⚠️ **Cached Key Material:**
The guarantee holds only while no device holds the reconstructed key. A laptop that is still unlocked, or a wallet that cached the key after the last recovery, is what the attacker takes instead.

## Threat Model

### What This Protects Against

✅ **Individual Kidnapping:**
- Attacker kidnaps user
- Attacker cannot get guardians
- Wallet safe

✅ **$5 Wrench Attack:**
- [xkcd 538](https://xkcd.com/538/)
- User beaten for key
- User cannot provide (doesn't have full access)

✅ **Coercive Warrant:**
- Government demands user decrypt
- User physically cannot (needs guardians)

### What This Does NOT Protect Against

❌ **User Chooses to Decrypt Normally:**
If user contacts guardians for legitimate reason, they can decrypt.

❌ **All Guardians Simultaneously Coerced:**
If attacker has resources to kidnap all 10 guardians globally, they win.

❌ **User Gives Away Funds Before Coercion:**
This protects encryption, not user decisions.

## Implementation Strategies

### Strategy 1: High M-of-N (All Required)

**Configuration:**
```
10-of-10: All guardians required
User can access with all 10 shares
Attacker cannot feasibly get all 10
```

**Pros:**
- Maximum coercion resistance
- Clear "impossible to help" message

**Cons:**
- Inconvenient for user (must contact 10 people)
- If one guardian unavailable, access fails

**Use Case:**
Cold storage of high-value crypto. Rare access needed.

### Strategy 2: High M-of-N (Most Required)

**Configuration:**
```
9-of-10: 9 of 10 guardians required
User can access with 9 shares
Attacker must get 9 guardians (still hard)
```

**Pros:**
- High coercion resistance
- Redundancy (1 guardian can be unavailable)

**Cons:**
- Still inconvenient

**Use Case:**
Balance between security and usability.

### Strategy 3: Tiered Access

**Configuration:**
```
Tier 1 (Daily Access): User's memory inputs + 2-of-3 close guardians
Tier 2 (High-Value Vault): User's memory inputs + 9-of-10 distributed guardians
```

**Behavior:**
- User accesses daily data with 2-of-3 (convenient)
- User accesses vault with 9-of-10 (rare, coercion-resistant)

**Pros:**
- Usability for frequent access
- Security for high-value items

**Cons:**
- Complexity

**Use Case:**
Separate "hot wallet" (tier 1) and "cold storage" (tier 2).

### Strategy 4: Time-Locked Shares

**Configuration:**
```
Shares unlock 24 hours after request
Guardian receives notification
Guardian can confirm/deny
```

**Behavior:**
- User requests access
- 24-hour delay
- Guardians notified, can investigate
- If user under duress, can refuse

**Pros:**
- Detection of coercion
- Guardian oversight

**Cons:**
- Slower access

**Use Case:**
High-value items where immediate access not needed.
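The time-locked release described above, as an added illustration (not CQRIT's own code): each guardian's share is released only when the configured delay since the request has elapsed, enough guardians have approved, and no guardian has denied; one denial locks the request for good and discards any shares already escrowed. The clock is passed in explicitly so the behaviour can be replayed deterministically, and shares are escrowed in the clear here for brevity (a real system would encrypt each share to the requesting device). Guardian names, share values, and timings are constructed.

```python
"""Time-locked recovery request with guardian veto (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

HOUR = 3600


@dataclass
class RecoveryRequest:
    vault_id: str
    requested_at: float          # unix seconds, from an injectable clock
    delay_seconds: int           # e.g. 24 * HOUR per "Time-Locked Shares"
    guardians: Set[str]
    threshold: int               # M of len(guardians)
    approvals: Set[str] = field(default_factory=set)
    denials: Set[str] = field(default_factory=set)
    escrow: Dict[str, bytes] = field(default_factory=dict)  # share per approver
    released: bool = False

    @property
    def unlock_at(self) -> float:
        # The delay runs from the request, not from the last approval, so
        # collecting approvals quickly never shortens the window.
        return self.requested_at + self.delay_seconds

    @property
    def locked(self) -> bool:
        # One veto is final: a guardian who suspects duress kills the request.
        return bool(self.denials)

    def _check_guardian(self, guardian: str) -> None:
        if guardian not in self.guardians:
            raise ValueError(f"{guardian!r} is not a guardian of {self.vault_id}")

    def approve(self, guardian: str, share: bytes) -> None:
        self._check_guardian(guardian)
        if self.locked or self.released:
            raise PermissionError("request is locked or already completed")
        self.approvals.add(guardian)
        self.escrow[guardian] = share

    def deny(self, guardian: str) -> None:
        self._check_guardian(guardian)
        self.denials.add(guardian)
        self.escrow.clear()  # fail closed: drop shares escrowed before the veto

    def status(self, now: float) -> str:
        if self.released:
            return "released"
        if self.locked:
            return "locked"
        if len(self.approvals) < self.threshold:
            return "awaiting approvals"
        if now < self.unlock_at:
            return "time-locked"
        return "ready"

    def release(self, now: float) -> Optional[Dict[str, bytes]]:
        """Hand out escrowed shares exactly once, and only when all three
        conditions hold; every other call is a no-op returning None."""
        if self.status(now) != "ready":
            return None
        self.released = True
        out, self.escrow = dict(self.escrow), {}
        return out


if __name__ == "__main__":
    req = RecoveryRequest("cold-storage", 0.0, 24 * HOUR, {"g1", "g2", "g3"}, 3)
    for g in ("g1", "g2", "g3"):
        req.approve(g, b"share-of-" + g.encode())
    print(req.status(HOUR), req.release(HOUR))            # time-locked None
    print(req.status(24 * HOUR), req.release(24 * HOUR))  # ready {...}
```

Under duress the user can still submit the request, but the 24-hour window gives every guardian a chance to call the user back over a separate channel, and a single `deny` from whoever notices something wrong ends the attempt without the attacker learning which guardian refused.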

## Guardian Selection for Coercion Resistance

### Ideal Guardian Properties

✅ **Geographically Distributed:**
Different countries = harder to coerce all

✅ **Independent Relationships:**
Guardians don't know each other = harder to find all

✅ **Trustworthy:**
Will not collude with attacker

✅ **Reachable:**
User has contact method (but attacker does not)

✅ **Security-Conscious:**
Will question suspicious recovery requests

### Example Guardian Network (10-of-10)

```
1. Sibling (USA) - Family trust
2. Parent (Canada) - Family trust
3. Best friend (UK) - Personal trust
4. Co-founder (Germany) - Business trust
5. Old college roommate (Japan) - Long history
6. Lawyer (Switzerland) - Professional relationship
7. Accountant (Australia) - Professional relationship
8. Anonymous service (Iceland) - No personal connection
9. Trusted colleague (Brazil) - Work relationship
10. Distant relative (India) - Indirect relationship
```

**Properties:**
- 10 different countries
- Mix of family/friends/professionals
- Some know each other, some don't
- Attacker must locate and coerce all 10

## Real-World Scenarios

### Scenario 1: Crypto Whale Kidnapping

**Background:**
- User holds $10M in crypto
- Wallet encrypted in CQRIT
- 10-of-10 recovery scheme

**Attack:**
- Criminals identify user as crypto holder
- Kidnap user
- Demand wallet decryption

**Outcome:**
```
User: "I physically cannot decrypt. The system requires 10 people."
Criminals: "We'll hurt you."
User: "I want to help, but I can't. The 10 people are in 10 countries."
Criminals: "Give us their contact info."
User: "Some are anonymous. And if I contact them suspiciously, they'll refuse."
```

**Result:**
- Criminals realize this is futile
- Release user (or worse, but still no wallet access)
- Wallet remains secure

### Scenario 2: Government Warrant

**Background:**
- User has encrypted files
- Government issues decryption warrant
- User legally compelled to decrypt

**Attack:**
- Court order: Decrypt or face contempt
- User cannot decrypt alone (10-of-10)

**Outcome:**
```
User: "I cannot comply. The system requires 10 people to decrypt."
Court: "Contact them."
User: "Some are in foreign countries and may refuse."
Court: "We cannot compel foreign nationals."
```

**Result:**
- Impossibility of compliance is a defense to contempt in some jurisdictions; a court may still order the user to initiate recovery, and guardians within its reach may comply
- Encrypted data legally protected (depends on jurisdiction)

**Note:** Legal protections vary by country. Some jurisdictions may still penalize non-compliance.

### Scenario 3: Border Crossing

**Background:**
- User travels with laptop
- Encrypted CQRIT data on laptop
- Border agent demands decryption

**Attack:**
- Border agent: "Decrypt this or denial of entry."
- User cannot decrypt (10-of-10)

**Outcome:**
```
User: "This data is protected by a 10-person recovery system. I cannot decrypt alone."
Agent: "Then you cannot enter."
```

**Result:**
- User denied entry (in some countries)
- But data remains encrypted
- User still has access once home (can contact guardians)

**Note:** May not prevent denial of entry, but protects data.

## User Experience Considerations

### Daily Use vs. High-Security Vault

**Problem:** High threshold inconvenient for frequent access.

**Solution:**
```
Separate vaults:
- Hot wallet: 2-of-3 guardians (frequent access)
- Cold storage: 10-of-10 guardians (rare access)
```

**Example:**
- User keeps $1K in hot wallet (working capital)
- User keeps $10M in cold storage (long-term hold)
- Daily access easy (hot wallet)
- Coercion-resistant (cold storage)

### Emergency Access

**Scenario:** User needs urgent access but cannot get all guardians.

**Options:**
1. **Lower Threshold for Specific Items:** E.g., medical records have 2-of-3, crypto has 10-of-10
2. **Emergency Guardian:** One guardian has override (user's lawyer with legal instructions); an override guardian is a single point of coercion, so pair it with a time lock and written release conditions
3. **Time-Locked Recovery:** After 30 days, threshold lowers (user can set)

### Guardian Communication

**Challenge:** User must contact 10 people.

**Solutions:**
- **Automated Contact:** App sends encrypted request to all guardians
- **Group Chat:** Guardians in secure group (not revealing identities)
- **Physical Meetup:** If local guardians available

## Comparison with Other Anti-Coercion Methods

### Plausible Deniability

**Concept:** Hidden volume with different password reveals decoy data.

**CQRIT vs. Plausible Deniability:**

| Aspect | Plausible Deniability | CQRIT High-Threshold |
|--------|----------------------|---------------------|
| User knows real key | Yes | No (needs guardians) |
| Coercion resistance | User can lie (risky) | User cannot help (truthful) |
| Verifiability | Attacker cannot tell decoy from real volume, so may keep pressing | Attacker can confirm the user holds no share and really needs guardians |
| Legal risk | Lying under oath | Truthful compliance |

**Advantage of CQRIT:**
User does not lie. User truthfully states they cannot decrypt alone.

### Duress Codes

**Concept:** User enters duress password, triggers alert or wipes data.

**CQRIT vs. Duress Codes:**

| Aspect | Duress Code | CQRIT High-Threshold |
|--------|------------|---------------------|
| Coercion response | Destroy data or alert | Cannot decrypt |
| Data preservation | Data lost | Data intact (recoverable later) |
| Attacker awareness | May realize duress code used and retaliate | User cooperates openly; there is nothing to detect |

**Advantage of CQRIT:**
Data not destroyed. User can still recover later with guardians.

### Dead Man's Switch

**Concept:** User must check in periodically or data released/destroyed.

**CQRIT vs. Dead Man's Switch:**

| Aspect | Dead Man's Switch | CQRIT High-Threshold |
|--------|------------------|---------------------|
| Coercion response | Data released to others or destroyed | Cannot decrypt |
| Time sensitivity | Must act before deadline | No urgency |
| Collateral damage | Innocent parties may get data | Data remains private |

**Advantage of CQRIT:**
No unintended consequences. Data stays secure.

## Advanced Configurations

### Configuration 1: Anonymous Guardians

**Setup:**
- Some guardians are anonymous services
- User has contact method (e.g., Signal number, Tor onion address)
- Attacker cannot identify guardian

**Pros:**
- Even if user reveals guardian list, attacker cannot find anonymous ones

**Cons:**
- Trust in anonymous service
- Service may disappear

### Configuration 2: Multi-Jurisdictional

**Setup:**
- Guardians in countries with strong privacy laws
- Legal requests cannot compel all

**Example:**
- Guardians in Switzerland (banking secrecy)
- Guardians in Iceland (free speech protections)
- Guardians in jurisdictions hostile to requester

**Pros:**
- Legal coercion harder

**Cons:**
- User must trust foreign jurisdictions

### Configuration 3: Hardware-Backed Shares

**Setup:**
- Some guardians store shares in hardware security modules (HSMs)
- Shares cannot be extracted without physical access

**Pros:**
- Share cannot be exfiltrated remotely (needs physical access); a coerced guardian can still operate the HSM, so pair it with time-locked release

**Cons:**
- Expensive
- HSM management complexity

## Ethical and Legal Considerations

### Legality of Coercion Resistance

**Question:** Is it legal to design a system where you cannot comply with court orders?

**Jurisdictional Variance:**
- **USA:** Fifth Amendment may protect against compelled production of a passphrase, but courts are split and the "foregone conclusion" doctrine has been used to compel decryption
- **UK:** Regulation of Investigatory Powers Act 2000 (RIPA) Part III lets a Section 49 notice compel decryption; non-compliance is an offence carrying up to two years' imprisonment (five in national security or child indecency cases)
- **EU:** Varies by country
- **Authoritarian Regimes:** Often compel decryption

**CQRIT Position:**
System truthfully designed for coercion resistance (anti-kidnapping). User cannot comply even if willing.

**Legal Risk:**
User may still face contempt charges in some jurisdictions, even if compliance impossible.

### Ethical Use

**Legitimate Uses:**
✅ Protect high-value crypto from kidnapping
✅ Protect activists from authoritarian regimes
✅ Protect journalists' sources
✅ Protect corporate secrets from coercion

**Illegitimate Uses:**
❌ Hide evidence of crime (obstruction of justice)
❌ Evade lawful court orders with no legitimate reason

**CQRIT Stance:**
Tool designed for self-defense against unlawful coercion. Users responsible for lawful use.

## Future Enhancements

- Biometric + geographic requirements (must be in specific location to decrypt)
- Guardian vote system (majority vote to approve recovery, detect coercion)
- Time-locked shares with decreasing threshold (after X time, fewer guardians needed)
- Duress code integration (enters duress code → alerts guardians, recovery locked)

---

**Next:** Read [Threat Model](threat-model.md) for full adversary analysis
