MPC Wallet Development: Distributed Key Management
We develop multi-party computation wallets for distributed key management without a single point of failure. Traditional crypto wallets hold a private key in one place: a device, HSM, or cloud. Any compromise means loss of funds. Multi-Party Computation solves this fundamentally: the private key never exists entirely in any system. Instead, multiple parties hold key shares and jointly compute a signature without revealing their shares to each other.
This is not multisig. In multisig, a transaction signature requires M out of N signatures, each visible on-chain. In MPC, the final signature looks like a normal ECDSA signature of a single key. No on-chain overhead, no protocol changes. This is critical for: lower gas costs (30% less than multisig), privacy (hides key management scheme), and compatibility with any chain or dApp. Over 5 years in blockchain development, we have delivered 30+ projects, including MPC wallets for leading DeFi protocols.
MPC wallets are 1.43 times more gas-efficient than multisig, saving $300 per month for a protocol processing 10,000 transactions at $0.10 each.
How MPC Wallet Mathematics Work
Shamir's Secret Sharing and Threshold Schemes
MPC wallets rely on threshold signature schemes (TSS). The most used are GG18, GG20 (Gennaro-Goldfeder), CGGMP (Canetti-Gennaro-Goldfeder-Makriyannis-Peled), and DKLS.
Shamir's Secret Sharing is a basic concept, not TSS itself. In SSS, a secret is split into N shares; M of N suffice for reconstruction. Problem: reconstruction requires assembling shares in one place – a vulnerability. TSS eliminates this: the signature is computed without reconstructing the key.
Threshold ECDSA (we use secp256k1 as in Bitcoin/Ethereum):
Let the private key d = d1 + d2 (mod q) for a 2-of-2 scheme. Each party holds d1 and d2. During signing:
1. Each party generates its own nonce: k1, k2
2. Jointly compute R = (k1 + k2)^(-1) * G (commitment protocol)
3. Each party computes its part of s: s1, s2
4. Final signature: s = s1 + s2 (mod q)
5. Signature (r, s) – a normal ECDSA signature
The complexity is in step 2: direct computation would require revealing k1 or k2. Therefore, we use Oblivious Transfer, Paillier encryption, or Curve25519-based protocols for secure computation.
Protocols: GG20 vs CGGMP
GG20 – long the de facto standard. Used in Fireblocks, ZenGo, Coinbase Wallet. Supports threshold t-of-n for arbitrary t and n. Requires Paillier encryption for secure multiplication. Drawbacks: complex implementation, expensive keygen (O(n²) communication), vulnerability to rogue key attack requiring range proofs that increase message size. GG20 requires 15 communication rounds for signing.
CGGMP – current state-of-the-art. Fixes GG20 vulnerabilities, more efficient signing (3 rounds instead of 15). Supports identifiable abort – if a party misbehaves, it can be identified with cryptographic proof.
DKLS – an alternative based on Oblivious Transfer. More compact messages, but fewer production implementations.
Key Refresh
A critical operation: periodic update of key shares without changing the public key (hence no address change). If an attacker compromises one share but hasn't obtained a final signature before refresh, the compromise is neutralized.
Refresh protocol (simplified):
1. Each party generates new random shares: r1, r2, ...rn
2. Sum: Σri = 0 (zero net change)
3. Each party adds its ri to its current di
4. Public key d*G unchanged: Σ(di + ri)*G = d*G + Σri*G = d*G
Recommended refresh frequency: every 30–90 days, or upon suspicion of compromise of any participant.
Production MPC Wallet Architecture
Typical 2-of-3 Scheme for a Mobile Wallet
┌──────────────────────────────────────────────────────┐
│ User Device (Mobile) │ Company Server │ Backup │
│ Share 1 (locally, │ Share 2 │ Share 3 │
│ encrypted with biometrics) │ (HSM/TEE) │ (MPC │
│ │ │ backup) │
└──────────────────────────────────────────────────────┘
Signing: Device + Server (2-of-3)
Recovery: Device + Backup or Server + Backup
User loses phone → recovery via Server + Backup shares. Server hacked → no access without Device or Backup. This is the model used by ZenGo and similar non-custodial MPC wallets.
System Components
- Key generation service. Implements Distributed Key Generation (DKG) protocol among participants. Result: each participant receives its share (32 bytes), no one knows the full key. Implementations:
tss-lib(Binance, Go),multi-party-ecdsa(ZenGo, Rust),threshold-sig-lib(Fireblocks internal).
// ZenGo's curv + tss-lib example (Rust)
use curv::elliptic::curves::{Secp256k1, Point, Scalar};
use multi_party_ecdsa::protocols::multi_party_ecdsa::gg_2020::party_i::*;
// Phase 1: each party generates commitment
let party1_keys = Keys::create(1);
let (commit1, decom1) = party1_keys.phase1_broadcast_phase3_proof_of_correct_key();
// Phase 2: exchange commitments, compute VSS
// Phase 3-5: verification and finalize shares
// Result: party1_keys.u_i – private share of party 1
-
Signing service. Orchestrates signing sessions between participants. Must support: concurrent sessions (multiple transactions in parallel), timeout handling (if a participant does not respond), session IDs for message correlation.
-
Communication layer. Encrypted P2P channel between participants. TLS + additional end-to-end encryption of protocol messages. Unencrypted channels cannot be used: intermediate messages contain partial values that could leak shares if accumulated.
-
HSM/TEE integration. Server share stored in HSM (AWS CloudHSM, Thales) or TEE (Intel SGX, ARM TrustZone). Critical: share operations execute inside the secure environment; the share never leaves that memory. Azure Key Vault Managed HSM and AWS CloudHSM support custom key operations via PKCS#11 interface.
Recovery Protocol
A crucial UX aspect: how the user recovers access without a seed phrase.
-
Social recovery with MPC. Backup share encrypted with keys of trusted guardians. Recovery requires consent from M of N guardians. Implementation: backup share encrypted via threshold encryption for the guardian set. A guardian can be: another user device, an email service (via KMS), a trusted friend (via their public key), or a recovery service.
-
KMS-based backup. Backup share encrypted with a user KMS key. Recovery: pass KYC/authentication via KMS provider → decrypt backup share → perform re-sharing with a new device share.
Multi-Chain Support: Multi-Curve MPC
Different blockchains use different elliptic curves:
| Chain | Curve | Signature Algorithm |
|---|---|---|
| Ethereum, Bitcoin | secp256k1 | ECDSA |
| Solana, Cardano | ed25519 | EdDSA |
| Cosmos | secp256k1 + ed25519 | both |
| StarkNet | STARK curve | Schnorr-like |
| Aptos, Sui | ed25519 | EdDSA |
TSS for ed25519 differs from secp256k1: it uses a Schnorr signature-based scheme (FROST – Flexible Round-Optimized Schnorr Threshold). FROST is simpler to implement and more communication-efficient (3 rounds, same as CGGMP). For a production multi-chain wallet, both must be supported.
Hierarchical Deterministic (HD) in the MPC context. Classic BIP32 cannot be applied directly: there is no single seed. Solution: threshold BIP32 – each party stores its share for the master private key; child key derivation is performed via MPC operations or by storing separate shares for each derived path (less efficient but simpler).
Security and Audit Recommendations
Attack Vectors
-
Malicious party in signing protocol. A participant may try to learn about others' shares through anomalous messages. Defense: range proofs, zero-knowledge proofs of correctness for each intermediate value. CGGMP is specifically designed with identifiable abort: the protocol can prove which party misbehaved.
-
Replay attack on signing sessions. Intercepted messages from one signing session must not be usable in another. Defense: session ID included in every message; sessions are one-time.
-
Side-channel via timing. Implementations in Java/Python are vulnerable to timing attacks on big-number operations. Production implementations must use constant-time arithmetic (library
ct-codecs, Rustsubtlecrate). -
Compromised communication channel. TLS with certificate pinning plus additional authenticated encryption at the protocol level (each MPC message signed with the sender's long-term key).
Audit Recommendations
MPC protocol is cryptographically complex. Auditing must include:
- Verify correctness of the specific protocol (GG20/CGGMP) implementation against the paper
- Side-channel resistance analysis
- Fuzz testing of signing sessions with anomalous messages
- Verifiable key generation (public key matches expected)
Audit providers for MPC: NCC Group, Kudelski Security, specialized in cryptographic implementations.
Gennaro & Goldfeder show that threshold ECDSA is possible without reconstructing the full key, which forms the basis of production MPC wallets.
Compared to multisig, MPC wallets reduce gas costs by 30% and lower on-chain interaction complexity. The final signature is indistinguishable from a regular ECDSA signature, making MPC ideal for private DeFi solutions.
Ready Libraries vs Custom Implementation
| Library | Language | Protocol | Production Use |
|---|---|---|---|
| tss-lib (Binance) | Go | GG18/GG20 | Binance DEX |
| multi-party-ecdsa (ZenGo) | Rust | GG20/CGGMP | ZenGo Wallet |
| threshold-bls (dfinity) | Rust | threshold BLS | Internet Computer |
| FROST (ZKCrypto) | Rust | FROST (ed25519) | Zcash |
| Web3Auth MPC SDK | TS/SDK | CGGMP | SaaS |
Our recommendation: for most projects, integrate with Web3Auth MPC Core Kit or Fireblocks MPC SDK rather than writing from scratch. Custom MPC protocol implementation requires deep expertise in applied cryptography and takes 6–12 months. An error in MPC implementation = potential leakage of user private keys.
What's Included in Our Work
- Architecture documentation with protocol selection, share storage scheme, and recovery model.
- Core MPC implementation: keygen, signing, key refresh based on a proven library.
- HSM/TEE integration for the server key share.
- Multi-chain support: ECDSA, EdDSA, HD derivation.
- Recovery flow implementation: social recovery or KMS-based backup.
- Cryptographic audit by partners (NCC Group, Kudelski Security).
- SDK for mobile and web applications.
- Post-release support and monitoring.
We also provide training for the client's team on secure MPC wallet usage.
Development Stages
| Phase | Content | Duration |
|---|---|---|
| Architecture | Protocol selection, share storage scheme, recovery model | 2 weeks |
| Core MPC | Keygen, signing, key refresh (based on existing library) | 4–8 weeks |
| HSM/TEE integration | Server share in secure environment | 2–4 weeks |
| Chain support | Multi-curve, HD derivation | 2–4 weeks |
| Recovery flows | Social recovery or KMS backup | 2–4 weeks |
| Security audit | Cryptographic + code review audit | 4–6 weeks |
| Mobile/Web SDK | SDK for integration into the application | 3–5 weeks |
A minimal production-ready MPC wallet (2-of-2, one chain, basic recovery) takes 4–5 months. A full-featured multi-chain wallet with social recovery and HSM takes 8–12 months. Typical project cost ranges from $150,000 to $400,000 depending on complexity.
Contact us to discuss your project. Get a consultation on an MPC solution for your DeFi protocol or crypto application.







