How the MPC Signer in Codono Enterprise Works — and Why Threshold Custody Beats a Vault Full of Keys
Table of Contents
- The Shortest Possible Explanation
- Why Exchange Custody Keeps Failing
- What Multi-Party Computation Actually Is
- From Academic Curiosity to Exchange Backbone
- Inside the Codono Enterprise MPC Signer
- Key Generation: The Ceremony Where No Key Is Born
- The Signing Flow, Gate by Gate
- Address Derivation Without Touching Keys
- MPC vs Multisig vs HSM vs Single Key
- Why MPC Fits Exchanges Better Than Anything Else
- How Secure Is It Really? A Threat-Model Walkthrough
- What MPC Does Not Solve — and What Codono Wraps Around It
- The Compliance Dividend
- Operating MPC Day to Day
- Evaluating MPC Custody: A Buyer’s Checklist
- Quick Glossary
The Shortest Possible Explanation
Codono Enterprise’s MPC signer is a self-hosted Go service that holds cryptographic key shares instead of private keys. Three shares are generated on separate machines through a distributed ceremony; any two of them can co-produce a valid signature through an interactive protocol — but the full private key never exists on any machine, at any moment, including the moment it was “created.” Steal one signer node and you have stolen nothing spendable.
That single property — the key never exists — eliminates the failure mode behind the largest custody losses in exchange history. The rest of this article explains how the signer achieves it, what the signing pipeline looks like gate by gate, how it compares to multisig and HSMs, and — because security writing that only lists strengths is marketing, not engineering — a frank assessment of what MPC does not protect against and how the surrounding exchange security architecture covers those gaps.

Why Exchange Custody Keeps Failing
Every catastrophic exchange loss traces back to the same primitive: somewhere, a complete private key existed, and someone got to it.
Mt. Gox lost roughly 850,000 BTC because hot wallet keys were accessible to compromised infrastructure for years. The 2022 Ronin bridge attack drained about $625 million because five of nine validator keys — complete, spendable keys — ended up under one operator’s control, and that operator was phished. Chainalysis put 2022’s total stolen crypto at $3.8 billion. The details differ; the primitive doesn’t. A complete key is a complete theft waiting for one mistake.
The industry’s traditional answers each mitigate the primitive without removing it:
- Cold storage moves the key offline — but the key still exists, and every treasury movement is a manual, error-prone event. Operational reality forces a hot wallet anyway, and the hot wallet holds… a complete key.
- On-chain multisig splits authority but not keys — each signer holds a complete, individually stealable key, and the arrangement must be re-implemented per chain (where it’s supported at all).
- HSMs put the key in tamper-resistant hardware — but the key exists inside the device, the device is a single point of failure and availability, and an attacker who can ask the HSM to sign doesn’t need to extract anything.
Threshold MPC is the first widely deployed approach that removes the primitive itself. There is no key to steal, cold or hot, in hardware or software, because the key is never assembled — it exists only as a mathematical abstraction distributed across shares. This is why the technique moved in a few years from academic papers to securing institutional custody at firms like Fireblocks and Zengo, and why Codono Enterprise made it the custody backbone of the platform rather than an add-on.
What Multi-Party Computation Actually Is
Multi-party computation is a branch of cryptography with a striking guarantee: several parties can jointly compute a function over their private inputs without any party revealing its input to the others.
Applied to signatures, the “function” is the signing algorithm and the “private inputs” are key shares:
- Generation. N parties run a distributed key generation (DKG) protocol. Each ends up holding one share. The corresponding public key — and therefore the deposit addresses — is known to everyone, but the private key is never computed by anyone. It is implicitly defined by the shares, the way a point is defined by lines that intersect there without any line “containing” it.
- Signing. When a signature is needed, a threshold of parties (t of n — in Codono’s deployment, 2 of 3) engages in an interactive protocol. Each party computes partial results using only its own share, exchanging blinded intermediate values. Out of the interaction falls a perfectly standard ECDSA or EdDSA signature — indistinguishable on-chain from one produced by a normal wallet.
- The crucial invariant. At no step — generation, storage, signing, or recovery — do the shares combine into a private key. Compromising fewer than t shares yields zero signing ability and zero information about the key. This is not “the attacker gets part of the key”; secret-sharing math means below-threshold collections of shares are informationally worthless.
The protocols Codono builds on come from the publicly audited tss-lib family — the threshold ECDSA constructions descended from the Gennaro–Goldfeder line of work, plus threshold EdDSA for ed25519 chains. This matters for due diligence: the cryptography is published, peer-reviewed, and battle-tested across the industry, not proprietary math you are asked to take on faith. Your technical team can audit the implementation directly, because Codono Enterprise ships the signer’s source code along with the rest of the platform.
From Academic Curiosity to Exchange Backbone
It helps to know how unusually well-traveled this cryptography is, because “novel cryptography” is normally a custody red flag — and threshold signing is anything but novel.
The foundations are older than most of the internet. Adi Shamir published secret sharing in 1979 — the mathematical trick for splitting a secret so that any t fragments reconstruct it while t−1 reveal nothing. Andrew Yao framed secure multi-party computation in 1982 with his famous millionaires’ problem: two parties computing who is richer without revealing their wealth. Through the 1980s and 90s, the GMW and BGW protocols established that any function could, in principle, be computed jointly over private inputs. What was missing for decades was practicality — early MPC was thousands of times too slow for real systems.
Two things changed that. First, a generation of protocol engineering: threshold EdDSA is comparatively natural because Schnorr-style signatures are linear, and threshold ECDSA — long the hard case, and the one Bitcoin and Ethereum require — became practical through the Gennaro–Goldfeder protocol line (GG18, GG20) and its successors. Second, an industry with an urgent, well-funded reason to care: after each wave of exchange and bridge losses, custody teams went looking for an architecture where key theft was structurally impossible rather than procedurally discouraged.
The result is that by the mid-2020s, threshold MPC had become the quiet standard of institutional digital-asset custody — the technology under products like Fireblocks and the wallet infrastructure of several major exchanges — with open-source, audited implementations (the tss-lib family among them) that anyone can inspect. When Codono Enterprise adopted the same protocol family for its signer, the decision was deliberately conservative: use the constructions the industry has already spent a decade attacking, and spend the innovation budget on the integration — the gates, policies, and ceremonies around the cryptography — where exchange-specific engineering actually pays off.
That conservatism is worth stating as a principle, because it generalizes: in custody, boring cryptography plus disciplined engineering beats clever cryptography every time. The signer’s job is to make a ten-year-old, peer-reviewed protocol impossible to misuse — not to impress anyone with new math.
Inside the Codono Enterprise MPC Signer
The signer is deliberately boring from the outside — a small, isolated service with a narrow, authenticated API — because custody components should be the least clever, most auditable pieces of an exchange. The important properties:
A separate service, in a separate language, with a separate attack surface. The signer is written in Go and runs as its own process — typically on its own host or hardened container — apart from the Java trading backend and the Node.js engine that make up the rest of the platform. A vulnerability in a web-facing component does not become code execution next to key shares; reaching the signer requires crossing another authentication boundary.
Nothing talks to it except the backend, and the backend must prove it. Every request to the signer’s API carries an HMAC over the request contents, and the transport is mutually authenticated TLS. There is no dashboard, no public port, no convenience endpoint. An attacker who owns a web server has not thereby gained the ability to ask for signatures — they hold neither the transport credentials nor the request-signing secret.
Shares are encrypted even at rest. Hot signing shares are stored under authenticated encryption (AES-256-GCM) and decrypted only in process memory for the duration of a signing round. Disk images, backups, and stolen volumes yield ciphertext.
Two classes of shares, two custody temperatures. The 2-of-3 arrangement is deployed asymmetrically: two operational shares live on separated signer infrastructure and participate in day-to-day signing for the hot path, while the third — the recovery share — is generated in an offline ceremony, exported once under its own one-time encryption, and stored entirely outside production (safe-deposit, security officer custody, or your jurisdiction’s equivalent). Day-to-day operations never touch it; disaster recovery and resharing ceremonies do.
Both signature families, one model. Threshold ECDSA covers the secp256k1 world — Bitcoin, Ethereum and every EVM chain, Tron, Litecoin, XRP — while threshold EdDSA covers ed25519 chains like Solana and TON. The exchange’s 50+ supported blockchains inherit one uniform custody model rather than a per-chain patchwork.
Key Generation: The Ceremony Where No Key Is Born
Everything downstream inherits its security from the generation ceremony, so it deserves its own section.
When a Codono Enterprise deployment initializes custody, the participating signer nodes run the DKG protocol together. Each node independently samples secret randomness, the nodes exchange cryptographic commitments and verification values, and each finishes holding: its own share, proof that every other participant behaved honestly, and the collective public key. Three properties are worth internalizing:
- No trusted dealer. Naive secret-sharing has a fatal bootstrap flaw: someone generates the key, then splits it — and for that moment, a complete key existed on the dealer’s machine. DKG removes the dealer. The key is never generated whole and then split; it is born distributed.
- Verifiable participation. The commitment rounds mean a malicious or buggy participant cannot silently corrupt the ceremony — deviations are detected, and the ceremony aborts rather than producing a weak key.
- Deterministic recovery paths. The ceremony’s outputs include everything needed for future resharing ceremonies: replacing a compromised share, rotating infrastructure, or changing the threshold — all without ever reconstructing the key and without moving funds or invalidating deposit addresses.
The recovery share’s handling deserves emphasis because it is where cryptography meets procedure: it is produced during the ceremony, encrypted under a ceremony-specific key, downloaded once, verified, and then removed from any networked system. The discipline here — who witnesses the ceremony, where the share is stored, who can retrieve it — is operational security, not math, and Codono’s deployment assistance includes establishing these procedures rather than leaving them as an exercise.
The Signing Flow, Gate by Gate
A signature request is the most dangerous message in an exchange. Here is the full path a withdrawal travels in Codono Enterprise before a signature exists:

Gate 1 — User-level controls. The withdrawal request must clear two-factor authentication, anti-phishing verification, and — where the operator enables it — the withdrawal address allowlist, which restricts destinations to addresses the user pre-registered through a time-delayed process.
Gate 2 — Platform risk pipeline. Per-tier and per-period limits, velocity rules, and risk scoring run first; amounts and patterns that exceed configured thresholds are diverted into the maker-checker approval queue, where a human administrator — with role-based permissions and an immutable audit trail — must approve before anything proceeds. Emergency kill-switches can freeze the entire outbound path in one action.
Gate 3 — Authenticated signing request. Only after clearing the pipeline does the backend construct the actual transaction and call the signer — over mTLS, with the request HMAC-signed. Malformed, replayed, or unauthenticated requests die here.
Gate 4 — Policy checks and the threshold round. The signer applies its own policy layer before engaging the shares — validating request structure and enforcing signer-side constraints — then the two operational shares execute the interactive threshold protocol. Partial computations cross between nodes; a standard signature emerges; the key, as always, does not.
Gate 5 — Broadcast and reconciliation. The signed transaction is broadcast through the relevant blockchain driver, recorded against the platform’s double-entry ledger, and picked up by reconciliation monitoring that continuously compares on-chain reality against internal balances.
The design principle across all five gates: the cryptography is the last line of defense, not the only one. By the time the shares engage, the request has survived identity checks, risk analysis, possibly human approval, and two layers of service authentication.
Address Derivation Without Touching Keys
An exchange needs a unique deposit address for every user on every chain — potentially millions of addresses. A naive custody design generates (and must then protect) a key per address. The Codono signer avoids the entire problem with hierarchical-deterministic derivation:
The ceremony yields an extended public key (xpub). From it, the exchange backend derives per-user deposit addresses using standard BIP-32 non-hardened derivation — a public-key-only operation. The backend can mint unlimited addresses without ever holding key material, and the signer can later produce signatures for any derived address by applying the same derivation path inside the threshold protocol.
Two practical consequences: deposit-address generation is fast and key-free (the signer isn’t even contacted), and one ceremony’s shares protect the entire address tree — across every EVM network simultaneously, since EVM chains share address derivation. Fewer ceremonies, fewer shares, less procedure — with no reduction in isolation.
MPC vs Multisig vs HSM vs Single Key
| Property | Single key | On-chain multisig | HSM | Threshold MPC |
|---|---|---|---|---|
| Complete key exists somewhere | Yes | Yes — one per signer | Yes — inside device | Never |
| Single machine compromise = theft | Yes | No (needs m of n) | Yes, if it can request signatures | No — below-threshold shares are worthless |
| Works identically across chains | Yes | No — per-chain support and semantics | Mostly | Yes — output is a standard signature |
| On-chain footprint | Normal | Distinct script/address, higher fees, visible policy | Normal | Normal — indistinguishable |
| Key rotation without moving funds | No | No — new address, migrate funds | Limited | Yes — resharing ceremony, same addresses |
| Signing availability | Fragile | Coordination overhead | Device is a chokepoint | Any t of n shares; tolerate node loss |
| Auditability of the mechanism | Trivial | On-chain script | Vendor firmware — closed | Published protocols; source shipped in Codono Enterprise |
The row that decides real procurement is usually the third one. An exchange running 50+ chains cannot build its custody model on multisig, because half those chains implement multisig differently and several barely support it; whatever custody story works for Bitcoin’s script-based multisig simply does not exist in the same form on Tron or TON. MPC moves the multi-party property off-chain into mathematics, which makes it chain-agnostic by construction.
The rotation row matters more than teams expect, too. Under any key-based scheme, responding to a suspected compromise means generating new keys and moving every balance — an emergency migration touching every chain, with fee costs, downtime, and its own attack window. Under MPC, a resharing ceremony retires the suspect share and issues a fresh one; addresses, balances, and users notice nothing.
Why MPC Fits Exchanges Better Than Anything Else
Beyond the comparison table, four properties align specifically with how exchanges operate:
1. The hot path is the dangerous path — and MPC hardens exactly that. Cold storage protects treasury well enough; the perennial weakness is the hot float that must sign withdrawals automatically, at all hours, at retail speed. That is precisely the path where “the server holds a key” historically meant “the server is the key.” Threshold signing keeps automated availability while removing the single point of theft — the property no amount of cold storage can provide for funds that must move on demand. Codono pairs this with hot/cold segregation and automated sweeps, so the MPC-protected float stays thin and the treasury stays offline.
2. Normal addresses, normal fees, normal privacy. MPC-custodied addresses are indistinguishable from ordinary ones on-chain. Competitors and chain-analysts cannot enumerate your custody structure from explorers; users pay standard transaction fees; nothing about your security posture leaks into public data.
3. Institutional expectations have converged on it. Custody tech is one of the questions banking partners, insurers, and licensing authorities now ask directly. “Threshold MPC with offline recovery share, encrypted share storage, maker-checker approvals, and full audit trails” is an answer that maps cleanly onto VASP and MiCA-era custody expectations — and onto the due-diligence checklists of the institutional counterparties an exchange eventually wants.
4. You own it. Most MPC custody on the market is sold as a per-transaction or AUM-priced SaaS — excellent products, permanent dependency and permanent fees. In Codono Enterprise the signer is your infrastructure: self-hosted, source included, running in your environment under your license like the rest of the platform. The same ownership argument that applies to the exchange applies to its custody.
How Secure Is It Really? A Threat-Model Walkthrough
Security claims mean nothing without a threat model. Walk through what an attacker must actually accomplish against this architecture:
Steal a disk, a backup, or a snapshot → ciphertext. Shares are encrypted at rest; the encryption key is not stored beside them.
Fully compromise one signer node — root access, memory access, everything → one decrypted share, during signing rounds, at best. Below the 2-of-3 threshold, that share carries zero signing power and zero information about the key. The attacker’s next requirement is a simultaneous, independent compromise of a second node — separated infrastructure, separate credentials, ideally separate administrators — before detection and a resharing ceremony rotate their first foothold into worthlessness.
Compromise the network between backend and signer → mTLS to intercept, plus per-request HMAC to forge. Owning the network position yields neither.
Compromise the web tier and try to request malicious signatures → this is the serious scenario, and it is exactly why Gates 1–4 exist. The request must originate from the authenticated backend, survive limits and velocity rules, clear the allowlist if enforced, pass maker-checker for large amounts, and satisfy signer-side policy. Each gate is an independent control with an independent audit trail. This scenario is also why the honest section below exists.
Phish or coerce an administrator → RBAC means no single admin role both configures limits and approves withdrawals; maker-checker means the approver cannot be the initiator; audit logs mean the action is attributable; kill-switches mean the response is one action, not a war room.
Attack the cryptography itself → the protocols are the published, audited tss-lib constructions used across the institutional custody industry. Not impossible — nothing is — but this is the best-studied corner of the entire attack surface.
The honest summary: MPC converts custody risk from “one mistake, total loss” into “multiple independent, simultaneous failures required, with detection and rotation in between.” That is not invulnerability. It is the difference between a system that fails catastrophically and one that fails gradually and visibly — which is the most any custody engineering can honestly promise.
What MPC Does Not Solve — and What Codono Wraps Around It
Any vendor selling MPC as a complete security story is selling incompletely. Three gaps deserve plain statements:
The “signing what?” problem. Threshold cryptography guarantees how a signature is made, not whether it should be. If an attacker can inject a withdrawal request that looks legitimate to every gate, mathematically perfect shares will produce a mathematically perfect signature on a theft. This is the deepest truth in custody security, and it is why the majority of this architecture’s defenses — allowlists, limits, maker-checker, signer-side policy, reconciliation alarms — live upstream and downstream of the cryptography. Evaluate any MPC product by asking what stands between “attacker controls a backend box” and “signer receives a request”: if the answer is only “authentication,” keep evaluating.
Ceremony and share-handling discipline. The math assumes shares were generated honestly and stored separately. A recovery share photographed during the ceremony, or two “separated” nodes administered by one credential set, quietly collapses the threshold. This is procedure, not software — which is why deployments include ceremony protocols and why the security architecture guide treats internal controls as a first-class layer.
Availability engineering. A 2-of-3 scheme tolerates one lost share — but two simultaneous infrastructure failures halt signing (safely: funds are unspendable, not lost, recoverable via the offline share). Monitoring signer health, testing recovery ceremonies before they’re needed, and rehearsing the runbook are operational obligations that come with owning custody rather than renting it.
None of these caveats argue against MPC — every alternative shares the same gaps plus the existence of stealable keys. They argue against treating any single technology as a security strategy, which is precisely how the platform’s defense-in-depth is designed.
The Compliance Dividend
Custody architecture is increasingly a regulatory topic, not just an engineering one. Threshold custody pays several compliance dividends:
- License applications under VASP-style frameworks ask how client assets are protected against both external attack and internal misappropriation. “No complete key exists; signing requires two separated systems; large withdrawals require dual human approval; every action is audit-logged” answers both prongs in one architecture.
- The Travel Rule and transaction monitoring integrate at Gate 2 — the risk pipeline — where KYC/AML tooling screens withdrawals before any signing request exists.
- Proof-of-reserves works naturally: MPC addresses are standard addresses, so reserve attestations, on-chain verification, and auditor sampling proceed exactly as with any wallet — no exotic scripts to explain.
- Auditability runs end to end: the ledger records the balance change, the admin log records the approval, the signer logs the signing event, and the chain records the result — four independently checkable records of every outbound coin.
Operating MPC Day to Day
What Enterprise operators actually do, once live:
- Deposits: nothing. Address derivation is key-free; the signer isn’t involved in receiving funds at all.
- Routine withdrawals: nothing. The pipeline runs automatically within configured limits; the threshold round adds milliseconds, not workflow.
- Large withdrawals: approve. Maker-checker queues surface in the admin panel with full context.
- Periodically: verify. Reconciliation reports compare ledger to chain; signer health metrics feed the same observability stack as the rest of the platform.
- Rarely: ceremonies. Staff changes, infrastructure migrations, or suspected exposure trigger resharing — a scheduled procedure, not an emergency migration.
- Never: key backups. There is no key to back up. Share custody procedures replace the midnight “who has the seed phrase” panic entirely.
Evaluating MPC Custody: A Buyer’s Checklist
Whether you evaluate Codono Enterprise or any alternative, these seven questions separate real threshold custody from marketing:
- Is key generation distributed, or dealt? If a key is generated and then split, it existed. Insist on DKG.
- What is the threshold, and how are shares separated? 2-of-3 with genuinely independent infrastructure beats 3-of-5 on one cloud account.
- What sits between a compromised app server and the signer? Count the independent gates. Fewer than three is thin.
- Can you rotate shares without moving funds? Resharing is the difference between incident response and emergency migration.
- Which curves are supported? ECDSA alone strands your ed25519 chains on a different custody model.
- Can your team audit the implementation? Published protocols and shipped source, or a black box?
- Who owns it at year five? Per-transaction custody fees compound the way SaaS platform fees do. Owned infrastructure doesn’t.
Codono Enterprise’s answers: DKG; 2-of-3 with an offline recovery share; five gates; yes, resharing; both curve families; full source; you own it outright.
Quick Glossary
- MPC (multi-party computation) — cryptography enabling several parties to jointly compute a result over private inputs without revealing those inputs to each other.
- Threshold signature (t-of-n) — a signature scheme where any t of n key shares can co-produce a valid signature, and fewer than t can produce nothing.
- Key share — one participant’s fragment of signing capability. Not a piece of the key in any recoverable sense; below the threshold, shares reveal no key information.
- DKG (distributed key generation) — a ceremony in which shares are generated collaboratively so the complete private key never exists, even momentarily, on any machine.
- Resharing — a ceremony that issues a fresh set of shares for the same public key, retiring old shares without moving funds or changing addresses.
- xpub (extended public key) — the public half of an HD wallet tree; lets the exchange derive unlimited deposit addresses with no key material present.
- Maker-checker — an approval workflow in which the person who initiates a sensitive action can never be the person who approves it.
Evaluate it hands-on. The signer ships with Codono Enterprise — see current license tiers, walk through the live platform demo, or talk to the deployment team about custody ceremonies for your launch. For the broader security picture, continue with the exchange security architecture guide and the enterprise security framework.
Exchange Infrastructure Engineer
Scott covers exchange architecture, security, and blockchain integrations. He has worked on trading infrastructure serving millions of transactions across 50+ blockchains.
View all posts by Scott Otten →