Definition
An MPC wallet uses multi-party computation (MPC) to replace a single private key with distributed cryptographic control. Authority is divided into several key shares held by different parties or devices. To authorize a transaction, a threshold of those shares run an interactive protocol that jointly computes one valid signature — the full private key is never created, stored, or exposed at any single point, not even for a microsecond during signing. It is a genuinely elegant piece of cryptography, and also a category where marketing routinely outruns the trust model, so the details deserve a careful look.
No Single Point of Key Compromise
Because the key is never assembled, there is no single seed phrase sitting on any one device for an attacker to capture. Compromising one share, one server, or one operator is insufficient to move funds — the attacker must breach a threshold of independently held shares, ideally on different devices, platforms, and networks. Shares can also be refreshed periodically through a resharing protocol: the underlying key and addresses stay the same, but old shares become worthless, so an attacker who quietly stole a share last year gains nothing today. These properties are why MPC dominates institutional custody, where key-person risk and insider threats are the primary concern.
How It Relates to Other Schemes
MPC wallets are typically built on threshold ECDSA or, for Schnorr-based systems, protocols like FROST. Unlike Shamir's Secret Sharing, MPC shares are not fragments of a key waiting to be glued back together — Shamir reconstruction creates the very single point of failure MPC exists to avoid — the shares cooperate to produce signatures without reconstruction ever occurring. And unlike on-chain multisig, the resulting signature looks like an ordinary single-key signature. That aids privacy and keeps fees flat regardless of how many signers participate, but it also removes the independent, on-chain auditability that script-based multisig provides: an outside observer, or an heir executing your estate plan, cannot verify the quorum policy from the chain alone.
The Honest Trade-offs
Now the caveats, which matter more than the cryptography. Most MPC wallets in the wild are operated by custodians or vendors who hold one or more shares and run proprietary signing software. That reintroduces counterparty trust — the very thing self-custody exists to eliminate. Ask the uncomfortable questions: Can you sign without the vendor's servers, or does an outage or a compliance decision freeze your funds? Can you export enough material to reconstruct spending ability independently, or is "recovery" just the vendor re-provisioning you? Is the protocol implementation audited and open, or are you trusting a black box with your threshold? Threshold ECDSA in particular is complex, interactive cryptography — historically, implementation flaws in these protocols have been found and fixed, which argues for conservative, well-reviewed code over novel proprietary schemes. Complexity is a cost even when the math is sound.
Where It Genuinely Fits
MPC shines where multiple parties must share signing authority with policy enforcement and no ceremony around a seed — businesses, funds, inheritance arrangements with professional co-signers. For an individual sovereign holder, a hardware wallet with a well-tested seed backup, or transparent on-chain multisig for larger sums, remains the simpler and more auditable path. The test is always the same: after the vendor disappears, can you still spend? If the honest answer is no, the wallet is MPC-flavored custody — which may be a fine product, as long as nobody calls it self-custody.
If you do adopt MPC, adopt it deliberately: prefer open, audited implementations over proprietary black boxes, insist on a documented vendor-independent recovery path and rehearse it, and keep the arrangement written down where your heirs can find it — signature invisibility that defeats chain surveillance also defeats estate executors. Distributed cryptography is a tool, not a custody policy; the policy is knowing exactly who can sign, under what conditions, and proving it to yourself before the amounts get serious.
In Simple Terms
An MPC wallet uses multi-party computation (MPC) to replace a single private key with distributed cryptographic control. Authority is divided into several key shares held…
