Our Embedded Wallets
Glossary of Terms
Core MPC Concepts
| Term | Definition | Use |
|---|---|---|
| Party | An entity participating in an MPC operation (e.g., user device, Dynamic’s server, enterprise server) | Parties collaborate during ceremonies to perform distributed operations like key generation, signing, or resharing. Each party holds a key share and participates in the MPC protocol. |
| Ceremony | A coordinated event where parties come together to perform MPC operations like key generation, signing, or resharing | Ceremonies are managed by the MPC relay and ensure all parties can securely communicate and coordinate their operations. |
| Room | A unique communication channel on the MPC relay that allows all parties to securely communicate during ceremonies | Rooms provide isolated, encrypted communication channels for each MPC operation, ensuring data privacy and session management. |
| Quorum | When the threshold has been reached for the MPC configuration (e.g., 2 out of 3 parties) | Quorum must be achieved before any MPC operation can complete. This ensures security while providing fault tolerance. |
| TSS (Threshold Signature Scheme) | A cryptographic protocol that distributes signing authority across multiple parties, requiring a minimum threshold of participants to create valid signatures. Enables secure, distributed control while maintaining resilience against compromise of individual participants. | Dynamic enables the distribution and redistribution of shares across parties. Dynamic allows for thresholds to be adjusted based on the desired level of security and trust. Dynamic’s TSS-MPC infrastructure ensures a private key does not exist or compiled during any signing or ceremonies. |
Key Management Operations
| Term | Definition | Use |
|---|---|---|
| Key Generation Initialization | A preliminary process that creates encryption keys for secure communication between parties and assigns unique identifiers to each participant | Used before key generation or resharing to establish secure communication channels and assign party IDs. |
| Party ID / Key Generation ID | A unique public identifier for a party in the MPC system | Used to identify parties during ceremonies and for routing encrypted communications between participants. |
| Distributed Key Generation (DKG) | The process by which a key is generated in a distributed fashion, such that each party involved receives a share without all shares being constructed together | Core MPC operation that creates the initial key shares. No single party ever sees the complete private key during this process. |
| Key / Keyring | The complete set of all key shares that collectively represent the wallet’s signing capability | The keyring contains all shares needed to reach quorum and perform signing operations. Individual shares cannot be used alone. |
| Key Share | An individual party’s portion of the distributed key, containing a public key and secret share | Each party receives one key share during DKG. The share enables participation in signing operations but cannot reconstruct the private key alone. |
| Secret Share | The private component of a key share that must be kept secure | The secret share is the cryptographic material that enables a party to participate in MPC operations. It must be encrypted and stored securely. |
| Key Resharing | The process of modifying the existing parties or updating the threshold signature scheme (e.g., upgrading from 2-of-2 to 2-of-3) | Used if a user adds a backup or if the Developer would like to modify the signature scheme to host backups for independent recovery. Resharing and refreshing requires user participation to prevent unilateral decisioning. |
| Key Refreshing | The process of replacing existing key shares with new cryptographically equivalent shares, without changing the underlying wallet address | Improves security by limiting the long-term exposure of key shares. The process can be triggered manually and also runs automatically during resharing. |
| Export | Creating a portable backup of a key share for recovery or migration purposes | Enables users to backup their shares to external storage or migrate between different wallet providers. |
| Offline Export | Generating a backup share that can be stored independently of the online system | Provides air-gapped security for high-value wallets or compliance requirements. |
Share Types and Storage
| Term | Definition | Use |
|---|---|---|
| Dynamic Server Share | A key share retained by Dynamic that is generated and encrypted within a Trusted Execution Environment (TEE) | Ensures Dynamic can participate in MPC signing without full key control. Stored encrypted in Dynamic’s database and decrypted only within TEE during operations. |
| User Share | Client-side key share, owned and controlled by the end-user. Depending on the TSS scheme there can be multiple user shares | Used for signing transactions and stored either locally or with an encrypted backup. Rendered in an iFrame and stored in local storage or in a device enclave when accessed from a mobile device. |
| Local Share | A user share stored directly on the user’s device (browser localStorage, mobile device storage) | Provides fast access for signing operations and maintains user control over their share. |
| Device Share | A kind of user share that is stored locally on the user’s device in a secure enclave | Can be stored in the browser or a device’s secure enclave (iOS Secure Enclave, Android Keystore) for enhanced security. |
| Cloud Share | A share that is stored in a user’s cloud storage (Google Drive, iCloud, OneDrive, etc.) | Provides cross-device access and backup capabilities while maintaining user control over storage location. |
| Export Share | A share that has been exported as a file on the user’s device (base64 encoded) | Enables offline backup and migration between different wallet providers or storage systems. |
| Backup Share / Cold Share | Any user share that is stored in a durable store server-side | This could be a user share stored by Dynamic, a user share stored by a customer, or even a user share stored in Google Drive. Provides recovery options for lost devices. |
| Primary Share / Hot Share | The main share used for regular operations and daily signing | Typically stored on the user’s primary device for fast access during normal wallet usage. |
| Customer Share (Enterprise) | A share that has been generated on a server and stored in a database, controlled by enterprise customers | Enables enterprise control over wallet operations and compliance with internal security policies. |
Security Infrastructure
| Term | Definition | Use |
|---|---|---|
| TEE (Trusted Execution Environment) | Isolated execution environments running inside hardened Amazon EC2 instances, designed for processing highly sensitive data. Data remains encrypted and is securely handled within the protected environment without exposure. These environments support cryptographic attestation, allowing verification that the enclave is operating correctly and has not been tampered with. Dynamic uses AWS Nitro Enclaves to ensure this level of security. | Protects key management from unauthorized access by using a stateless Trusted Execution Environment (TEE). The TEE is used for encrypting, decrypting, and signing operations involving the server key share. |
| MPC Relay | The infrastructure that manages signing ceremonies and share communication over secure socket connections without ever constructing a full private key | Enables decentralized signing using key shares, while ensuring secure communication, robust session management, and fault tolerance. |
| Encryption Proxy Service | A relay that securely encrypts and proxies data for backup and recovery | The encryption proxy service is a third-party encryption service for backups and recovery. It facilitates encrypted backup key storage, recovery, and is used to double encrypt a passcode (if used). |
Cryptographic Protocols
| Term | Definition | Use |
|---|---|---|
| ECDSA (DKLs19 Protocol) | A widely used digital signature algorithm for blockchain transactions, implemented using the DKLs19 protocol | Supported on Ethereum and EVM-compatible chains. Used in Dynamic’s TSS-MPC infrastructure for secure transaction signing. |
| EdDSA (FROST Protocol) | A modern, efficient, and secure digital signature algorithm based on Edwards curves. Implemented using the FROST Protocol. | Supported on Solana, StarkNet, and other ecosystems utilizing EdDSA. Used in Dynamic’s TSS-MPC infrastructure for secure transaction signing. |
| BIP-340 (FROST Protocol) | A Schnorr-based digital signature algorithm used in Bitcoin and other networks. Implemented using the FROST Protocol. | Supported on Bitcoin and Taproot-enabled blockchains. Used in Dynamic’s TSS-MPC infrastructure for secure transaction signing. |
User Experience Features
| Term | Definition | Use |
|---|---|---|
| User Share Backup Options | Methods for securely storing an encrypted copy of the User Share for recovery purposes. Options include Google Drive, Apple iCloud, or local download. The backup is always encrypted before storage, with Dynamic never having access to decryption keys. | Enables User Share recovery in case of device loss or when setting up a new device. When using cloud storage options (Google Drive, Apple iCloud), encryption is done in the browser. For all options, the Encryption Proxy Service ensures Dynamic cannot access the stored share. |
| Passcode Encryption | An optional user-set passcode that encrypts a User Share before storage | Adds an additional layer of user-controlled security for stored shares and enables share recovery on new devices or sessions. When a passcode is set, a double encryption process is applied: (1) encryption in the browser using the passcode, and (2) encryption by the Proxy Service before storage. Dynamic never sees the passcode and only stores a hash of the encrypted share, ensuring it cannot be used to decrypt the underlying data. |
| Independent Recovery | In 2-of-3 or 3-of-5 configurations, it enables offline recovery without relying on Dynamic. Users can upgrade from a 2-of-2 to a 2-of-3 setup themselves. | Ensures account access if the User Share is lost. Backup shares can be stored by the user on Google Drive, Apple iCloud, or locally. In advanced setups, enterprises can be involved in independent recovery. |
| Developer-Hosted Backups | An enterprise feature allowing organizations to maintain their own backup infrastructure for key shares | Enables custom backup policies, internal recovery processes, and business continuity management according to organization requirements. |