MPC-based Exchange

Threshold Signature Scheme (TSS) is the foundational cryptographic protocol for most modern MPC wallets. It allows a group of parties to collaboratively generate a signature without any single party ever reconstructing the full private key. Critical properties include:

• Distributed Key Generation (DKG): Keys are created in a distributed manner.
• Signature Generation: A threshold (e.g., 2-of-3) of parties can sign a transaction.
• Proactive Secret Sharing: Key shares can be periodically refreshed to enhance security against compromise.

Secure Multi-Party Computation (MPC) is the broader cryptographic field that enables parties to jointly compute a function over their inputs while keeping those inputs private. In the context of exchanges and wallets, this function is digital signature generation. Core concepts include:

• Privacy: No party learns the secret data of another.
• Correctness: The output is guaranteed to be correct.
• Robustness: The protocol completes even if some parties are malicious or fail.

The cryptographic core of an MPC exchange is a Threshold Signature Scheme (TSS), where a private key is secret-shared among multiple parties. A transaction is only valid and executable when a pre-defined threshold (e.g., 2-of-3) of parties collaborate to produce a signature. This ensures:

• No single party ever has access to the complete private key.
• Resilience to compromise of a minority of key shares.
• Non-repudiation, as the final signature is mathematically identical to one from a single key.

MPC security is formally defined by its adversarial model, which specifies the number of corrupted parties the system can tolerate. Common models include:

• Honest Majority: The system is secure as long as a majority of parties (e.g., 2 out of 3) are honest.
• Malicious Security: Protocols remain secure even if corrupted parties deviate arbitrarily from the protocol.
• Semi-Honest (Passive): Assumes corrupted parties follow the protocol but try to learn extra information. The critical trust shift is from a single custodian to the correct operation and non-collusion of the MPC node operators.

The initial generation of the secret-shared key is a high-risk operation. Secure Distributed Key Generation (DKG) protocols ensure no single party learns the full key at any point. To mitigate long-term key exposure, proactive secret sharing or key refresh protocols are employed, where shares are periodically updated without changing the underlying public address. This limits the window for an attacker to compromise the required threshold of shares.

While MPC reduces cryptographic single points of failure, it introduces complex operational risks:

• Coordinated Signing Orchestration: The availability and latency of the signing ceremony become critical.
• Insider Collusion: If the threshold number of MPC node operators collude, they can reconstruct the key and steal funds.
• Side-Channel Attacks: Physical or network-based attacks (timing, power analysis) on individual nodes during signing.
• Client-Side Security: The user's device generating transaction inputs remains a vulnerability for front-running or manipulation.

MPC is often contrasted with on-chain multisig wallets (e.g., 2-of-3). Key differences:

• On-Chain vs. Off-Chain: Multisig logic and signatures are on-chain and verifiable; MPC signatures are a single, standard signature, hiding the governance model.
• Cost & Privacy: MPC transactions have lower fees and better privacy than multisig, which reveals the signer set.
• Flexibility: MPC allows complex policies (e.g., 5-of-9 with specific subsets) without bloating the blockchain.
• Custodial Comparison: Unlike a traditional custodian, MPC distributes trust, but users still rely on the exchange's operational security for the MPC nodes.

A significant challenge for MPC exchanges is providing cryptographic proof of reserves and liabilities without revealing secret shares. Techniques include:

• Zero-Knowledge Proofs (ZKPs) to prove control of assets linked to public keys.
• Attestations from node operators and hardware security modules (HSMs).
• Real-time proof systems that demonstrate solvency. The opacity of the off-chain signing process makes external verification more difficult than with transparent on-chain multisig contracts.

This defines who controls the cryptographic keys.

• Custodial MPC: The exchange or service provider manages some or all of the key shares on behalf of the user. This offers a recovery option but introduces a degree of counterparty risk.
• Non-Custodial MPC (or MPC Wallet): The user retains sole control over their key shares, typically across their own devices. The service provider may facilitate the MPC protocol but cannot sign transactions without the user's direct participation, maximizing self-sovereignty.

Traditional wallet classifications based on internet connectivity.

• Hot Wallet: Connected to the internet, convenient for frequent transactions but vulnerable to remote attacks.
• Cold Storage (e.g., hardware wallets): Kept entirely offline, highly secure but inconvenient.

MPC technology blurs this line. By distributing key shares, it can create a warm wallet solution: some shares remain online for operational speed, while others are kept in secure, offline environments. This maintains high security (as no single online node holds a complete key) while enabling transaction efficiency.

A foundational secret-sharing algorithm often mentioned alongside MPC. SSS is a method to split a secret (like a private key) into multiple shares, where only a specified number of shares are needed to reconstruct it. Crucially, SSS involves reconstruction of the original secret at a single point, which is a security vulnerability MPC-based TSS is designed to avoid. MPC protocols perform computations on the shares without ever reconstructing the full secret.

The business logic and rules governing how transactions are approved on an MPC-based exchange. This is where security meets usability. Policies can mandate:

• Multi-factor authentication (e.g., 2-of-3 signatures from user phone, exchange server, and backup device).
• Time locks or withdrawal limits.
• Geographic or IP-based restrictions.
• Multi-user governance for institutional wallets (e.g., 3-of-5 executives must approve). The MPC protocol technically enforces these policies at the cryptographic level.