Architecture & Cryptography
Closed Alpha: TSS-MPC Embedded Wallets
Dynamic’s TSS-MPC offering is currently in closed alpha - contact us for early access or to learn more. If you’re looking to start using Dynamic today, we recommend starting with our TEE wallets. When our TSS-MPC wallets are rolled out, you’ll have a clear upgrade path to transition your users to the new system.
Architecture Overview
Dynamic’s TSS-MPC implementation uses a default 2-of-2 threshold signature scheme, where:
- The user holds one User Share
- Dynamic holds a Dynamic Server Share
- Both shares are required to sign transactions
Key Share Management
During wallet creation:
- The User Share is generated and stored locally on their device (on web, this is done in an iframe)
- The Dynamic Server Share is generated and stored by Dynamic in encrypted form
- An encrypted copy of the User Share is stored by Dynamic using User Share Backup Options
- The backup is encrypted using the Encryption Proxy Service
- Dynamic cannot decrypt the backup without the user
- Users can optionally add Passcode Encryption for additional backup security
When signing transactions:
- The User Share participates from their local device
- The encrypted Dynamic Server Share is decrypted and used for signing within a TEE (Trusted Execution Environment)
- The complete private key is never reconstructed, even within the TEE
This architecture ensures that:
- No single party has complete control of the private key
- Users maintain self-custody of their wallet
- Recovery is possible if a user loses access to their device
- The system is resistant to compromise of any single party
- All sensitive signing operations are protected within the TEE
For advanced recovery options including cloud backup (Google Drive/iCloud) and upgrading to a 2-of-3 setup, see our Recovery documentation.
Technical Implementation
Distributed Key Generation (DKG)
The wallet creation process begins with Distributed Key Generation, where multiple parties work together to generate key shares without ever constructing the complete private key. Each party generates random values and participates in a secure protocol to create their share of the final key. This ensures no single party ever has access to the complete private key.
Communication Security using MPC Relay
All communication between parties during key generation and signing is secured through our MPC Relay infrastructure. The relay:
- Ensures authenticated and encrypted communication channels
- Manages session establishment and party coordination
- Provides fault tolerance and retry mechanisms
- Implements rate limiting and abuse prevention
Key Management Operations
To maintain security over time, two key management operations are available:
- Key Resharing: Modifies the existing parties or updates the threshold signature scheme
- Key Refreshing: Rotates existing key shares to generate new cryptographically equivalent shares
Protocols
We employ the following TSS-MPC cryptographic protocols in our SDK using audited libraries:
Signature Schemes
- ECDSA (DKLs19 Protocol): For Ethereum and EVM-compatible chains
- EdDSA (FROST Protocol): For Solana, StarkNet, and other EdDSA ecosystems
- BIP-340 (FROST Protocol): For Bitcoin and Taproot-enabled blockchains
Was this page helpful?