Self-custody has always been a cornerstone of cryptocurrency. While many institutions prefer the convenience of using a trusted custodian to manage their keys and digital assets on their behalf, others will prefer to hold their own keys and execute their own transactions through self-custody.
The concept of self-custody is simple: hold your own keys so that you and only you can securely store and transfer your digital assets. However, that simple concept becomes more complicated for institutional digital asset holders.
Institutions often hold digital assets valued in millions of dollars. Because of this, they require self-custody solutions with highly advanced levels of security. Being institutions rather than individuals, they also require self-custody wallets that provide robust governance and policy controls.
This blog explores the important options and considerations for institutions planning to self-custody their digital assets.
Key Benefits of Secure Multi-Party Computation for Institutional Self-Custody
Secure Multi-Party Computation (MPC) has emerged as the undisputed security technology of choice for digital asset custodians, exchanges, and institutions.
MPC generates, stores, and uses keys in the form of distributed key shares, which collectively represents a complete private key.
These key shares exist on separate MPC nodes, which are controlled by different parties within the institution. No single administrator or individual has visibility or control over all nodes or key shares. These MPC attributes eliminate the existence of a complete key on any single device and the associated single point of failure, increasing overall security efficacy.
MPC also supports a variety of operational models with 2-party, 3-party, and various m of n models where operations can proceed even if one or potentially more of the MPC nodes is unavailable. When all (or a pre-defined subset) of the key shares are used to approve and sign a transaction, these nodes compute a signed transaction just as if it were signed by a single approver, with a single signature.
Collectively, these core MPC attributes introduce many security, control, and operational benefits for institutional self-custody such as:
- MPC decentralizes the private key, so that no party ever has knowledge or possession of a complete key – mitigating the risk of insider misuse and theft by hackers;
- MPC facilitates multi-party approvals with flexible quorums, similar to but more flexibly than multi-sig;
- MPC generates a standard single signature that is natively supported by all blockchain protocols, eliminating the need for smart contracts for a consistent and enabling a uniform approval process across all digital asset types.
MPC Supports Flexible Self-Custody Wallet Hosting
Unlike hardware wallets, MPC is used to create and manage highly-secure software-based wallets or applications. For institutional self-hosted wallets the software is hosted and directly controlled by the institution, giving them full and exclusive control over key generation, storage and use.
MPC wallet software can be hosted on multiple nodes running locally on-premises, in private clouds, public clouds, on your mobile device, or some combination of the above. This flexibility of node types and operational environments gives institutions the freedom to deploy their self-custody wallets in configurations that support their business needs.
Some institutions will have the resources to operate and manage these nodes on-premises to meet their security, availability, and performance needs. Others will prefer to leverage the convenience and agility available from major cloud service providers (CSPs), including the option to run some or all of the MPC nodes in confidential computing enclaves for increased levels of security. Hosting MPC nodes across different CSPs can further increase wallet resilience and availability, while also improving your overall wallet security.
Regardless of where the nodes are hosted, a self-hosted MPC wallet system can allow you to egress encrypted key shares for safe storage and emergency recovery procedures. This assures access in the event that any one or all of the nodes or hosting environments encounter a catastrophic failure or become subject to any condition that might limit your access to your node and key share.
MPC hosting flexibility provides many benefits for institutional self-custody wallets:
- Complete control of how key materials are accessed, policies are managed, and signing is performed;
- Freedom to host wallet infrastructure and key shares on-premises, in private clouds, public clouds, mobile devices, or a combination;
- Flexibility to host different MPC systems in different markets, potentially using different models when appropriate;
- Versatility to meet different business requirements. MPC supports operational models with 2-party, 3-party, or n of m-party models;
- Cloud-level redundancy and disaster recovery options;
- Full control over your infrastructure and key shares.
Institutional Self-Custody Wallet Governance and Control
The self-custody attribute of keeping keys secure and under your exclusive control is often necessary but not sufficient for institutions. These organizations also require policy controls to assure that digital assets are transferred only after a predefined set of criteria has been satisfied. This requires another level of governance and control, beyond MPC key management and protection.
As a result, institutional self-custody wallets should have policy controls such as:
- Approver quorums, with the ability to specify groups or individual approvers with different roles for checks and balances;
- Conditional controls to enforce various approvers and other checks and balances depending on the attributes of the transaction;
- Checklist controls to optionally limit the transfer of assets to pre-approved wallets, and to prevent transfers to blacklisted wallets;
- Operational controls to limit the risk of large numbers of lower-amount transfers that might bypass the intended approvals.
If these policies control your keys, institutions will also want the ability to directly host and control their wallet policy framework as well as their key shares.
Finally, these policies must be secured and protected with the same level of effectiveness as the private keys, otherwise an internal bad actor or hacker may modify policies to defeat the intended controls.
Blockdaemon Offers Institutional Grade Custodial Wallet Technology and an Ecosystem of Custody Partners
In July of 2022, Blockdaemon acquired Sepior, the market leader in MPC wallet technology. Sepior developed the world’s first commercial MPC wallet in 2018 and currently provides self-hosted custodial wallet key management technology to many of the world’s largest banks, custodians, exchanges, institutions, and third-party wallet and custody technology providers.
At Blockdaemon, we’re dedicated to delivering institutional-grade custodial wallet technology that gives you complete control over your digital assets.
Our secure multi-party computation (MPC) solutions provide robust security, flexible hosting options, and policy controls, all designed to meet the needs of today’s institutions. Whether you’re a bank, custodian, exchange, or other organization, we can help you create a self-custody solution that meets your specific requirements.
Click here to learn more about our Advanced MPC Wallet or TSM, and explore our ecosystem of custody partners.
Get in touch with us today and let us help you take control of your digital assets.
Download our Introduction to MPC Whitepaper here: