Closed Alpha: TSS-MPC Embedded Wallets

Dynamic’s TSS-MPC offering is currently in closed alpha - contact us for early access or to learn more. If you’re looking to start using Dynamic today, we recommend starting with our TEE wallets. When our TSS-MPC wallets are rolled out, you’ll have a clear upgrade path to transition your users to the new system.

TermDefinitionUse
TSS (Threshold Signature Scheme)A cryptographic protocol that distributes signing authority across multiple parties, requiring a minimum threshold of participants to create valid signatures. Enables secure, distributed control while maintaining resilience against compromise of individual participants.Dynamic enables the distribution, redistribution of shares across parties. Dynamic allows for thresholds to be adjusted based on the desired level of security and trust. Dynamic’s TSS-MPC ensures a private key does not exist or compiled during any signing or ceremonies.
TEE (Trusted Execution Environment)Isolated execution environments that operate within hardened Amazon EC2 instances and are ideal for handling highly sensitive data. Data can be encrypted and processed securely without leaving the protected environment. Allows for Cryptographic Attestation to verify the enclave is operating as expected and not tampered with. Dynamic uses AWS Nitro Enclaves.Protects key management from unauthorized access. The TEE is stateless. Used for Server Share encryption/decryption and signing operations.
MPC RelayThe infrastructure that manages signing ceremonies and share communication over secure socket connections without exposing key material.Enables decentralized signing with key shares. Ensures encrypted communication, session management, and fault tolerance.
Encryption Proxy ServiceA relay that securely encrypts and proxies data for backup and recovery.The encryption proxy service is a third-party encryption service for backups and recovery. It facilitates encrypted backup key storage and recovery. Used to double encrypt a passcode (if used). Further removes any single point of failure risks and ensures Dynamic does not have access to any key operations.
Key ResharingThe process of modifying the existing parties or updating the threshold signature scheme (e.g., upgrading from 2-of-2 to 2-of-3).Used if a user adds a backup or if the Developer would like to modify the signature scheme to host backups for independent recovery. Resharing and refreshing requires user participation to prevent unilateral decisioning.
Key RefreshingThe process of rotating existing key shares to generate new cryptographically equivalent shares without changing the underlying wallet address.Enhances security by preventing long-term exposure of shares. Can be manually triggered. Automatically performed during resharing.
Dynamic Server ShareA key share retained by Dynamic generated and encrypted within a Trusted Execution Environment (TEE).Ensures Dynamic can participate in MPC signing without full key control. Generated securely inside a TEE where it is encrypted and then sent to Dynamic for storage.
User ShareClient-side key share, owned and controlled by the end user. Depending on the TSS Scheme there can be multiple user shares.Used when signing transactions, stored locally or with an encrypted backup. Rendered in an iframe, stored in local storage or in device enclave (if mobile device used).
User Share Backup OptionsMethods for securely storing an encrypted copy of the User Share for recovery purposes. Options include Google Drive, Apple iCloud, or local download. The backup is always encrypted before storage, with Dynamic never having access to decryption keys.Enables User Share recovery in case of device loss or when setting up a new device. When using cloud storage options (Google Drive, Apple iCloud), encryption is done in the browser. For all options, the Encryption Proxy Service ensures Dynamic cannot access the stored share.
Passcode EncryptionAn optional user-set passcode that encrypts a User Share before storage.Adds an extra layer of user-controlled security for stored shares. Used to restore a share on new devices or sessions. When a passcode is set up: Double encryption process: (1) Browser-side encryption with passcode, (2) Proxy Service encryption before storage. Dynamic never sees the passcode and only ever has access to a hash of the passcode encrypted share, ensuring it cannot be used to decrypt the share.
Independent RecoveryIn 2-of-3 or 3-of-5 setups it enables offline recovery without Dynamic. Moving from 2-of-2 to 2-of-3 can be performed by the user.Ensures account access if user share is lost. Can be stored by the user on Google Drive, Apple iCloud, or locally. In advanced setups, enterprises can be involved in independent recovery.
Developer-Hosted BackupsAn enterprise feature allowing organizations to maintain their own backup infrastructure for key shares.Enables custom backup policies, internal recovery processes, and business continuity management according to organization requirements.
ECDSA (DKLs19 Protocol)A widely used digital signature algorithm for blockchain transactions, implemented using the DKLs19 protocol.Supported on Ethereum, EVM-compatible chains. Used in Dynamic’s TSS-MPC infrastructure for secure transaction signing.
EdDSA (FROST Protocol)A modern, efficient, and secure digital signature algorithm based on Edwards curves. Implemented using the FROST Protocol.Supported on Solana, StarkNet, and other ecosystems utilizing EdDSA. Used in Dynamic’s TSS-MPC infrastructure for secure transaction signing.
BIP-340 (FROST Protocol)A Schnorr-based digital signature scheme used in Bitcoin and other networks. Implemented using the FROST Protocol.Supported on Bitcoin and Taproot-enabled blockchains. Used in Dynamic’s TSS-MPC infrastructure for secure transaction signing.

Important Note: Dynamic never has access to a quorum of shares that would allow key reconstruction. Even if a backup is encrypted via Dynamic’s Encryption Proxy Service, it cannot be decrypted unilaterally by Dynamic.