MPC Security
Multi-Party Computation ensures no single point of key compromise.
EmbarkAI uses the DKLS23 threshold signature protocol to split private key material across two parties — the client and the server. Neither party ever holds the complete private key, eliminating single points of failure and removing the need for seed phrases.
What is MPC/TSS?
Multi-Party Computation (MPC) allows multiple parties to jointly compute a function over their private inputs without revealing those inputs to each other. When applied to digital signatures, this is called Threshold Signature Scheme (TSS).
In a TSS wallet, the private key is never assembled in one place. Instead, each party holds a keyshare and they collaborate through a cryptographic protocol to produce a valid signature.
The DKLS23 Protocol
EmbarkAI implements the DKLS23 protocol — a state-of-the-art two-party threshold ECDSA scheme published by Doerner, Kondi, Lee, and Shelat (2023). Key properties:
| Property | Detail |
|---|---|
| Threshold | 2-of-2 (both parties must participate) |
| Curve | secp256k1 (Ethereum-compatible) |
| DKG rounds | 3 rounds of communication |
| Signing rounds | Interactive protocol producing a standard ECDSA signature |
| Security model | Malicious security with identifiable abort |
2-of-2 Threshold Scheme
The EmbarkAI architecture splits key material between two parties:
Client Keyshare
- Stored locally by the application (backend or browser)
- Managed through the
KeyshareStorageinterface in the Core SDK - In server wallets, stored in your chosen secure storage (KMS, Vault, database)
- In frontend wallets, stored in the browser via the UI Kit
Server Keyshare
- Stored on EmbarkAI’s TSS infrastructure
- Protected by hardware security modules and access controls
- Never exposed to the client or any API response
Both keyshares are required to sign any transaction. A compromise of either party alone is insufficient to produce a valid signature.
Distributed Key Generation (DKG)
When you create a wallet, the SDK runs the DKG protocol to generate key material without ever assembling a full private key:
import { createServerWalletManager, MemoryKeyshareStorage } from '@embarkai/core'
const manager = createServerWalletManager({
apiKey: process.env.EMBARK_API_KEY!,
chainId: 994873017,
storage: new MemoryKeyshareStorage(),
})
// DKG runs automatically during wallet creation
const wallet = await manager.createWallet('my-wallet')The DKG protocol proceeds in three rounds:
- Round 1 — Both parties generate random commitments and exchange encrypted shares
- Round 2 — Parties verify commitments and derive their respective keyshares
- Round 3 — Parties compute the joint public key and verify consistency
After DKG completes, the SDK stores the client keyshare via your KeyshareStorage implementation and the server stores its keyshare internally. The public key (and derived Ethereum address) is deterministic and identical for both parties.
Signing Protocol
When a transaction needs to be signed, the client and server collaborate in an interactive protocol:
- The client constructs the message digest (UserOperation hash)
- Both parties engage in a multi-round signing protocol
- Each party contributes its keyshare to produce partial signature components
- The final ECDSA signature
(r, s, v)is assembled — valid and indistinguishable from a standard signature
// Sign an arbitrary digest
const signature = await wallet.signDigest('0xabcdef1234...')
console.log(signature.r, signature.s, signature.v)The resulting signature is a standard ECDSA signature that any Ethereum contract or node can verify normally.
Keyshare Storage
The security of MPC wallets depends on the safe storage of client keyshares:
| Environment | Recommended Storage |
|---|---|
| Development | MemoryKeyshareStorage (built-in, ephemeral) |
| Production backend | AWS KMS, HashiCorp Vault, Azure Key Vault, encrypted database |
| Production frontend | Browser storage managed by UI Kit automatically |
Warning: If a client keyshare is lost, the wallet becomes permanently inaccessible. Always implement redundant, encrypted storage with backups. Use Vault Backup for an additional recovery layer.
No Single Point of Failure
The 2-of-2 architecture provides defense in depth:
- Server breach alone — Attacker cannot sign without the client keyshare
- Client breach alone — Attacker cannot sign without the server keyshare
- Network interception — Protocol messages are encrypted; intercepting them reveals nothing useful
- Rogue server — The server cannot forge signatures or extract the client’s keyshare
Comparison with Traditional Wallets
| Aspect | Seed Phrase Wallet | MPC Wallet (EmbarkAI) |
|---|---|---|
| Key storage | Single secret (12/24 words) | Split across two parties |
| Single point of failure | Yes — seed phrase compromise = full access | No — both parties required |
| Backup mechanism | Write down seed phrase | Encrypted vault backup |
| User experience | Users must manage seed phrases | No seed phrases needed |
| Signing | Local ECDSA | Interactive threshold ECDSA |
| Recovery | Import seed phrase | Restore from vault with password |
Next Steps
- Account Abstraction — How smart accounts work with MPC signatures
- Server Wallets — Manage wallets and keyshare storage from your backend
- Vault Backup — Back up keyshares for recovery
- Deploy a Smart Wallet — Create your first MPC wallet