Cold Wallet for MPC Threshold Signing Service
The MPC TSS protocol has two main functions: Distributed Key Generation (DKG) and signing. Taking a 2-out-of-3 setting as an example, the service can generate 3 key shares and put one of them into cold storage, since the remaining two are sufficient to carry out threshold signing. This suits most scenarios where the exchange and the user each maintain some key shares: the exchange keeps two shares (the exchange key and the backup key), and the user keeps one share (the user key).
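The 2-out-of-3 property described above, as an added example that is not part of the original page: a Shamir split over the secp256k1 group order, showing that any two shares determine the key while the third stays offline. It is a simplification that recombines the key in one place, which a real TSS never does (each node uses its share inside the signing protocol); the function names and the share labelling (1 = exchange key, 2 = user key, 3 = backup key kept cold) are assumptions.

```python
import secrets

# Order of the secp256k1 group (the curve used by BTC); shares are integers mod N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split_2_of_3(secret):
    """Shamir-split `secret` on the line f(x) = secret + a*x (mod N), x = 1, 2, 3."""
    a = secrets.randbelow(N - 1) + 1  # random non-zero slope
    return {x: (secret + a * x) % N for x in (1, 2, 3)}

def lagrange_at_zero(xs):
    """Lagrange coefficients that evaluate the shared polynomial at x = 0."""
    coeffs = {}
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (-j) % N
                den = den * (i - j) % N
        coeffs[i] = num * pow(den, -1, N) % N
    return coeffs

def combine(shares):
    """Recombine a quorum {x: f(x)}; anything below 2 shares is rejected."""
    if len(shares) < 2:
        raise ValueError("below threshold: a single share does not determine the key")
    lam = lagrange_at_zero(list(shares))
    return sum(lam[x] * y for x, y in shares.items()) % N

if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1          # constructed sample key
    s = split_2_of_3(key)
    # Assumed labelling: 1 = exchange key, 2 = user key, 3 = backup key (cold).
    hot_quorum = {1: s[1], 2: s[2]}
    recovery_quorum = {2: s[2], 3: s[3]}
    print("hot shares suffice, cold share untouched:", combine(hot_quorum) == key)
    print("cold backup share + user share also works:", combine(recovery_quorum) == key)
```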
In practice, exchanges usually adopt a hierarchical deterministic (HD) wallet in order to derive many user addresses from a master key. One widely used standard is BIP-32/44, which originated from the BTC specifications; it accepts an address path as input and yields a child private key and a child public key. The address paths are thus organised into a tree structure, and the public key is further translated into an address. The whole address space linked to the master key is called a wallet.
MPC and an HD wallet can work together to provide a crypto custodian service to users. In that case each node of the MPC group owns a master key share, and those master key shares, after the DKG process, can output many sets of child key shares.
For example:
master key shares <k1, k2, k3>
child A key shares <A1, A2, A3>
child B key shares <B1, B2, B3>
The question is: do we still need to put those spare child key shares [A3, B3] into cold storage? If so, there will be many for the exchange to manage. Note that we cannot put one of the master key shares, k3, into cold storage, because child key derivation requires all three master key shares to participate.
In summary, a cold wallet for MPC only works for signing, not for DKG.