Coming Soon: TSS-MPC Embedded Wallets

Dynamic announced our new TSS-MPC offering at EthDenver 2025, and it’s rolling out in the coming weeks. Contact us for early access or to learn more. If you’re looking to start using Dynamic today, we recommend starting with our TEE wallets. When our TSS-MPC wallets are rolled out, you’ll have a clear upgrade path to transition your users to the new system.

Architecture Overview

Dynamic’s TSS-MPC implementation uses a default 2-of-2 threshold signature scheme, where:

  • The user holds one key share
  • Dynamic holds the other key share (this is called a server share and is generated in a TEE)
  • Both shares are required to sign transactions

Key Share Management

During wallet creation:

  1. The user’s key share is generated and stored locally on their device (on web, this is done in an iframe)
  2. The server share is generated within a Trusted Execution Environment (TEE) and stored by Dynamic in encrypted form
  3. An encrypted backup of the user’s share is stored by Dynamic
  4. The backup is encrypted using a third-party proxy encryption service
  5. Dynamic cannot decrypt the backup without the user
  6. Users can optionally add a passcode for additional backup security

When signing transactions:

  1. The user’s share participates from their local device
  2. The encrypted server share is sent to the TEE where it is decrypted and used for signing
  3. The actual signing with the server share happens entirely within the TEE
  4. The complete private key is never reconstructed, even within the TEE

This architecture ensures that:

  • No single party has complete control of the private key
  • Users maintain self-custody of their wallet
  • Recovery is possible if a user loses access to their device
  • The system is resistant to compromise of any single party
  • The server share remains protected within the TEE during signing

For advanced recovery options including iCloud/Google Drive backup and silent-upgrading to a 2-of-3 setup, see our Recovery documentation.

Technical Implementation

Distributed Key Generation (DKG)

The wallet creation process begins with Distributed Key Generation, where multiple parties work together to generate key shares without ever constructing the complete private key. Each party generates random values and participates in a secure protocol to create their share of the final key. This ensures no single party ever has access to the complete private key.

Communication Security using Relay

All communication between parties during key generation and signing is secured through our relay infrastructure. The relay:

  • Ensures authenticated and encrypted communication channels
  • Manages session establishment and party coordination
  • Provides fault tolerance and retry mechanisms
  • Implements rate limiting and abuse prevention

Key Refreshes and Resharing

To maintain security over time, key shares can be manually refreshed without changing the underlying wallet address. This process:

  • Generates new shares that are cryptographically equivalent to the original
  • Helps prevent potential key compromise from long-term exposure
  • Can be triggered manually

Protocols

We employ the following TSS-MPC cryptographic protocols in our SDK using audited libraries:

Signature Schemes

  • ECDSA: Implemented using the DKLs19 protocol
  • EdDSA: Implemented using the FROST protocol
  • BIP-340: Implemented using the FROST protocol