Skip to main content

What Is an MPC Wallet? How Multi-Party Computation Secures Crypto

An MPC wallet splits one private key into shares that sign together but never combine. How the cryptography works, how it compares with multisig and hardware wallets, and who runs it today.

Written by Eco
What Is an MPC Wallet? How Multi-Party Computation Secures Crypto


An MPC wallet is a crypto wallet that splits a private key into multiple mathematical shares held on separate devices, so that no complete key ever exists anywhere. The shares jointly sign transactions through multi-party computation (MPC), a cryptographic technique in which several parties compute a result together without revealing their individual inputs to each other. The approach has become the default for institutional custody: Fireblocks, the largest MPC infrastructure provider, reported more than $10 trillion in supported asset transfers across over 2,400 organizations as of February 2026.

Think of it like a bank vault door that opens only when three separate gears, kept in three separate rooms, turn at the same time. Nobody ever holds the whole mechanism, and stealing one gear gets a thief nothing.

That single design choice, no complete key anywhere, is what separates MPC wallets from every other kind of blockchain wallet. This article explains the cryptography in plain terms, compares MPC with multisig and hardware wallets, and looks at who actually runs MPC in production, from custodians like Copper to consumer apps like Zengo.

What Is an MPC Wallet?

An MPC wallet secures crypto by splitting one private key into two or more shares distributed across separate devices or parties. The full key is never created, stored, or assembled, even during signing. Each share contributes to a joint signature through multi-party computation, so compromising a single device or server reveals nothing usable to an attacker.

The underlying idea is older than crypto itself. Secure computation was formally introduced in 1982 with the "Millionaires' Problem," in which two people determine who is richer without revealing their wealth, and generalized to arbitrary computations by Andrew Yao in 1986. For decades it stayed academic. What pulled it into production was blockchain's brutal key problem: a private key is a single string of data, and whoever copies it owns the funds. Permanently.

MPC wallets attack that problem at the root. Instead of protecting one secret harder, they arrange for the secret to never exist. In Fireblocks' formulation, "the complete key is never assembled in one place, at any point in time." The wallet still produces a standard signature that any blockchain accepts, which means the network cannot tell an MPC wallet apart from an ordinary one.

Most production MPC wallets implement a threshold signature scheme (TSS), a specific family of MPC protocols for signing. The widely cited academic foundation is the 2018 protocol by Rosario Gennaro and Steven Goldfeder, known as GG18, which "enables distributed signing among n players such that any subgroup of size t+1 can sign, whereas any group with t or fewer players cannot." That "t of n" property is what lets an institution require, say, any 3 of 5 key shares to approve a transfer.

How Does an MPC Wallet Work?

An MPC wallet works in three phases: distributed key generation, where each party independently creates a key share; threshold signing, where a quorum of shares jointly computes a valid signature without combining; and share refresh, where shares are re-randomized periodically so stolen material goes stale. The blockchain sees one ordinary signature throughout.

Start with key generation. In a traditional wallet, one device generates one private key, usually backed up as a recovery phrase or an encrypted keystore file. In an MPC wallet, several parties run a distributed key generation (DKG) ceremony. Each party ends up holding a share, and the corresponding public key (the wallet address) is derived collectively. Nobody deals out the shares from a master copy; that is the "dealerless" property the GG18 paper emphasizes, and it matters because a dealer would briefly hold the whole key. Fireblocks describes the deployment pattern: "Individual key shares are created and randomized across multiple endpoints, e.g. cloud servers, on-premises hardware, or mobile devices."

Where the shares live is a design decision, not a fixed rule. A consumer app might use two shares, phone plus provider server. An institution might spread five shares across a data center, two cloud regions, an executive's device, and an air-gapped machine, then require any three to sign. The threshold sets the security budget: an attacker needs to compromise that many independent environments simultaneously, and each environment can run different operating systems and physical controls.

Signing is where the magic happens, and where it gets weird if you are used to normal cryptography: the parties exchange a series of messages and out pops a valid signature, yet none of them ever saw a private key. In the Fireblocks setup, "a quorum of at least 3 endpoints each independently validate the transaction against the organization's policy rules and contribute their share of the signature."

Here is the flow for a 2-of-3 institutional wallet:

User approves transfer on mobile app        |        v[Share 1: phone]----+                    |--> MPC signing rounds --> one valid[Share 2: cloud]----+    (shares never meet)    signature                                                    |[Share 3: offline backup, not needed today]        v                                            broadcast onchain

Protocol efficiency matters here because signing is interactive. GG18 requires 9 communication rounds per signature. Fireblocks' newer MPC-CMP protocol, published with academic coauthors in 2020, cut that to 1 round, which the company states "signs transactions 8x faster than standard MPC." Fewer rounds also means a share can live on an air-gapped device and still participate, enabling cold-storage MPC.

The third phase, share refresh, is MPC's quiet superpower. Because the address is fixed but the shares are just math, operators can re-randomize all shares on a schedule. The new shares produce the same signatures for the same address, but old stolen material becomes worthless. An attacker must therefore steal a quorum of shares from different environments within one refresh window, not over months. Cryptographers call this proactive security, and it has no equivalent in single-key wallets, where a leaked seed phrase stays dangerous forever.

MPC Wallet vs Multisig: What Is the Difference?

MPC and multisig both require multiple approvals, but they operate at different layers. Multisig uses several complete private keys and smart-contract or protocol logic onchain, so the arrangement is visible and chain-specific. MPC splits one key at the cryptographic layer, producing a standard single signature that works identically across chains and reveals nothing about signers.

Multisig is the older pattern, and on Ethereum it mostly means smart-contract wallets like Safe. The scale is real: Safe reports over $60 billion in total value secured across 57 million+ deployed accounts as of July 2026, with more than $1 trillion in processed volume. Eco's Safe wallet deep dive covers that model in detail, and the broader smart wallet category builds on the same contract-account foundation.

The structural difference shows up in four places. First, chain coverage: because MPC "operates at the cryptographic layer rather than the blockchain protocol layer," as Fireblocks puts it, one implementation covers Bitcoin, Ethereum, Solana, and other ECDSA or EdDSA chains, while "not all blockchain protocols support multi-sig, and those that do implement it differently." Second, privacy: a multisig's signer set and threshold sit in public onchain state; an MPC wallet looks like any single-signature account. Third, cost: a Safe transaction executes contract logic and pays gas for it, while an MPC signature costs the same as a basic transfer. Fourth, flexibility: changing multisig signers requires onchain transactions and sometimes a new address, whereas MPC shares "can be refreshed without requiring a new wallet address or an onchain transaction."

Multisig keeps one large advantage: verifiability. Anyone can audit a Safe's policy onchain, and no vendor sits in the loop. MPC policies live in operator infrastructure, which is exactly what a DAO treasury does not want and an institution with compliance controls does.

Cost differences compound at volume. Every Safe execution pays gas for contract logic on top of the underlying transfer, and on Ethereum mainnet during congestion that overhead is material for a payments desk pushing thousands of settlements a day. An MPC wallet's signature is indistinguishable from a retail transfer, so the fee floor is the network's, not the wallet's. For institutions running high-frequency stablecoin flows, that difference alone often decides the architecture.

Dimension

MPC wallet

Onchain multisig

Hardware wallet

Single-key software wallet

Complete key exists?

Never

Yes, several of them

Yes, inside device

Yes, on device

Chain coverage

Any ECDSA/EdDSA chain

Chain-specific

Broad, per firmware

Broad

Policy visibility

Offchain, private

Onchain, public

None (single signer)

None

Extra gas cost

None

Yes (contract execution)

None

None

Change signers

Offchain share refresh

Onchain transaction

Not applicable

Not applicable

How Do MPC Wallets Compare to Hardware Wallets?

A hardware wallet concentrates the complete private key inside one tamper-resistant offline device, while an MPC wallet distributes key shares so no complete key exists at all. Hardware defends against remote malware but leaves a single physical object and its seed phrase backup as the point of failure. The two approaches can also be combined.

Both designs answer the same question, where does the key live, with opposite philosophies. A hardware wallet's answer is "in one very well-defended place." Its secure element keeps the key offline and signs internally, which Eco's hardware wallet guide walks through step by step, so this article won't repeat the mechanics.

The trade-off is concentration. The device can be lost, destroyed, or coerced out of its owner, and the recovery phrase that backs it up is itself a complete copy of the key, sitting on paper. MPC removes that concentration but adds coordination: signing requires live participation from multiple share holders, and the protocol software is far more complex than a chip that signs.

In practice the designs are converging rather than competing. Fireblocks' cold MPC configuration keeps at least one key share "stored offline in an air-gapped device," which is hardware-wallet thinking applied to a key share instead of a key. Consumer MPC apps take the opposite convergence path, replacing the seed phrase entirely with encrypted cloud backups and biometrics, closer in spirit to passkey wallets than to a Ledger in a drawer.

A useful rule of thumb for choosing: hardware wallets suit individuals holding long-term positions who touch their keys rarely and want zero dependence on any company. MPC suits operations, teams and apps that sign constantly, need policy controls, and can accept a provider relationship. Plenty of institutions run both, MPC for the operating float and offline hardware-backed storage for deep reserves.

Who Uses MPC Wallets? Institutional and Retail Examples

Institutions dominate MPC adoption because the technology maps directly onto corporate controls: quorum approvals, policy engines, and no single employee who can move funds. Fireblocks and Copper anchor the institutional segment, securing trillions in annual transfer volume, while Zengo applies the same 2-of-2 cryptography to a consumer app with no seed phrase.

On the institutional side, MPC pairs naturally with how asset managers, payment companies, and tokenization issuers already think about controls. A treasury policy like "transfers above $1 million need approvals from two officers on separate infrastructure" translates directly into share placement and signing quorums, with best-execution and settlement workflows layered on top. Fireblocks, founded in 2018, reported securing more than $5 trillion in digital asset transfers annually as of February 2026; its network also functions as a settlement layer, which Eco covers in its Fireblocks Network explainer.

Copper, a London-based custodian serving trading institutions, describes its MPC design as distributing "shards of a key among devices of participating parties," for example the client, a third party, and Copper, so that "a single key never exists in whole, or lives on any device." Copper couples that custody model with ClearLoop, its off-exchange settlement network that lets funds trade on exchanges while assets stay in custody.

Zengo shows the retail version. The app, which has operated since 2018, replaces the private key with "two independently created mathematical secret shares," one on the user's phone and one on Zengo's server, and signs transactions "without ever revealing their secrets to each other." Recovery works through an encrypted backup of the device share plus a decryption code in the user's personal cloud and a biometric face scan, no seed phrase involved.

The common thread across institutional deployments is consolidation. A payment company or asset manager settling across a dozen chains does not want a dozen custody arrangements; because MPC signs for any ECDSA or EdDSA chain from one key-management layer, a single integration reaches every market the desk trades. That is usually the deciding argument in procurement, ahead of any specific cryptographic property.

Other providers, including Coinbase's institutional custody stack and wallet-as-a-service platforms, ship variations on the same threshold cryptography. A separate Eco guide to MPC wallet providers compares the major options in depth.

Where MPC Wallets Fall Short

MPC wallets trade the single point of failure for coordination costs and vendor dependence. Signing is interactive and needs multiple online parties, protocols are complex and mostly proprietary, policy enforcement is not publicly auditable the way onchain multisig is, and recovery depends on the provider's specific share-backup design rather than a universal standard.

Three limitations deserve honest treatment. First, protocol risk is real and concentrated in very new math. GG18 itself needed revisions; the paper's own changelog notes it "fixes some issues in the protocol and security proof." Implementation bugs in threshold ECDSA libraries have repeatedly required coordinated patches across the industry, and unlike a hardware wallet's secure element, this attack surface is novel cryptographic code rather than decades-tested chip design.

Second, portability is weak. There is no MPC equivalent of typing a recovery phrase into a different wallet. Shares follow each vendor's proprietary format and ceremony, so leaving a provider generally means sweeping funds to a new address. For an institution, that is a migration project, not an export button.

Third, the trust model is murkier than it looks. The marketing says "no single point of failure," but the provider's policy engine decides which transactions the server-side shares will sign. If that infrastructure goes down or the vendor gates a withdrawal, self-custody becomes conditional in ways an onchain multisig never is. Teams that need publicly verifiable control logic should weigh the smart wallet alternatives before defaulting to MPC.

None of these are reasons to avoid MPC. They are reasons to know what you are buying: a coordination system with a vendor in it, purchased in exchange for eliminating the single stealable secret. For most institutions moving size, and for retail users who keep losing seed phrases, that trade has proven worth making. For a solo holder with a hardware wallet and good backup discipline, it may solve a problem they do not have.

Eco's Role: MPC Custody in Stablecoin Settlement

Eco builds stablecoin liquidity infrastructure that treats custody technology as a neutral input. Whether an institution holds funds in MPC custody with Fireblocks or Copper, an onchain multisig, or hardware-secured accounts, Eco's routing works at the settlement layer, moving stablecoin value across chains through partner rails without requiring any particular wallet architecture.

That neutrality matters more as stablecoins scale. The stablecoin market stands at roughly $310 billion as of July 2026, and the institutions driving that growth overwhelmingly custody through MPC platforms. For them, the practical question is not which cryptography wins but whether one integration can reach every market. Eco's approach, including Eco Routes for cross-chain transfers over rails like CCTP and Hyperlane, plugs into MPC custody the same way it plugs into everything else: as one more standard signature arriving onchain.

What this means in practice: if you can explain to a colleague that an MPC wallet is one key, split into shares that sign together but never meet, you understand the technology. Everything else, quorums, refresh schedules, provider choice, is configuration on top of that one idea.

Methodology: figures in this article come from provider disclosures and primary sources current as of July 7, 2026, including Fireblocks press materials (February 2026), Safe's published metrics, Zengo and Copper documentation, and the Gennaro-Goldfeder threshold ECDSA paper (IACR ePrint 2019/114). Market data reflects DeFiLlama snapshots from July 2026.

Did this answer your question?