Alternatives to MPC custody: when threshold key shares are still keys
MPC custody splits a private key into shares held by independent parties so no single operator can sign alone. That is a real improvement over a single hot wallet, and it is still custody. The shares persist at rest, the operators that hold them are coercible, and the recombination process is the new attack surface. The honest alternative is not 'more shares' but no persistent shares at all: reconstructing the key inside hardware only at the instant of use, then destroying every intermediate value.
By Sue Pontius, Chief Executive Officer, Lokblok · Published 22 April 2026
Why MPC custody isn't the end of the story
Production MPC custody systems hold each party's share in a key-management service, an HSM, or a cloud KMS. The share is encrypted, audited, and rotated, but it is data at rest, and data at rest can be exfiltrated, subpoenaed, or quietly read by an insider with the right credentials. The cryptography says no single share is enough; operational reality says the same insider can often touch more than one.
The recombination protocol introduces its own surface. Whether the key is briefly assembled in one location or only a partial signature is generated, the orchestration layer, the signing nodes, and the network between them all need hardening. Vendor breaches in 2022–2024 hit precisely these orchestration paths, not the cryptography itself.
Recovery is the quietest failure mode. When a participant disappears, the surviving shares must be redistributed, which means the key has to be reconstructed somewhere, by someone, under time pressure. That is the moment most custodians discover their MPC deployment was indistinguishable from a multi-sig with extra steps.
A model that has nothing to steal between operations
Zero-persistence reconstruction inverts the question. Instead of distributing and protecting shares, the system holds only public, useless artifacts (Regen Tokens) at rest. When a signing operation is authorised by a quorum of independent recovery agents, ephemeral shares are derived inside a certified secure element, the signing key is reconstructed for one operation, the signature is produced, and every intermediate value is destroyed before the call returns.
Between operations there is nothing in any store that an attacker, insider, regulator, or future quantum adversary can use. Recovery uses the same primitive as everyday signing: a quorum re-derives the key on demand, so disaster recovery does not become a separate trust assumption.
Side by side
| Dimension | Conventional approach | Zero-persistence reconstruction |
|---|---|---|
| Material at rest | Encrypted key shares | Public Regen Tokens |
| Insider compromise of one operator | Reduces threshold by one | Reveals nothing useful |
| Subpoena of any holder | Yields ciphertext shares | Yields no key material |
| Recovery | Re-share ceremony, key briefly assembled | Same flow as a signing operation |
| Quantum exposure (HNDL) | Stored shares are harvestable | Nothing to harvest |
| Audit trail | Operator logs | Cryptographic chain bound to hardware attestation |
What this looks like in practice
- A regulated digital-asset custodian stops needing operator-level segregation policies because no operator ever holds key material; the segregation is enforced by the cryptography itself.
- An exchange running cold, warm, and hot tiers collapses the tiers: the security difference between them was 'how often is the key present?', and the answer is now 'never, except for the signing instant'.
- A bank moving toward MiCA Article 67/70 alignment evidences key control through hardware attestation and a quorum log, instead of through layered procedural controls on share holders.
Related Lokblok material
- zero-custody digital asset architecture
- hierarchical signatures with policy-bound delegation
- the underlying threshold-reconstruction architecture
About the author
Sue Pontius
Chief Executive Officer, Lokblok
Sue Pontius is CEO of Lokblok, where she leads the company's work on zero-persistence cryptography for digital assets, identity, and high-assurance custody.
FAQ
- Isn't MPC custody already non-custodial?
- No. MPC custody distributes trust between operators, but every share-holder is still a custodian of part of the key, and any sufficiently large subset of operators can collectively reconstruct it. A non-custodial architecture is one where the operator has nothing at any point in time that, alone or in collusion, can reproduce a usable key outside an authorised signing event.
- What happens during recovery if a recovery agent goes offline?
- Threshold reconstruction needs only m of n agents to be available, where m is the configured threshold. As long as the quorum is met, the missing agents are irrelevant to that operation. New agents can be enrolled by re-deriving Regen Tokens from a fresh quorum, without ever assembling the underlying key in storage.
- Is this just MPC with a hardware enclave?
- It uses threshold cryptography as a primitive but inverts the persistence model. Conventional MPC stores shares between operations; zero-persistence reconstruction stores only public material and derives shares on demand inside the hardware that will use them. The difference is whether anything sensitive exists at rest at all.
- How do auditors verify a key was used correctly if it never existed in storage?
- Each operation produces a signed, hardware-attested chain: the quorum vote, the policy evaluation, the secure-element attestation, and the resulting signature. Auditors verify the chain rather than inspect a key store; the cryptographic record is stronger than any operational log because it cannot be backdated or rewritten.
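The m-of-n reconstruction, reconstruct-use-wipe signing and quorum resharing described above, as an added illustration that is not Lokblok's code and does not model Regen Tokens: a textbook Shamir scheme over a prime field, a signing wrapper that wipes the reconstructed key after one use, and a resharing step that enrols a new agent set without assembling the key. The HMAC stand-in for signing and all sample values are constructed.

```python
"""Constructed example: m-of-n threshold reconstruction (Shamir sharing over a
prime field) with reconstruct-use-wipe semantics and quorum-based resharing."""
import hmac
import secrets

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order

def split(secret: int, m: int, n: int) -> list[tuple[int, int]]:
    """Split secret into n points (x, f(x)) of a random degree m-1 polynomial."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def lagrange_at_zero(xs: list[int]) -> list[int]:
    """Weights that combine the values f(x_i) into f(0)."""
    out = []
    for xi in xs:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        out.append(num * pow(den, -1, P) % P)
    return out

def reconstruct(quorum: list[tuple[int, int]]) -> int:
    """Recover f(0) from exactly m distinct shares; fewer give an unrelated value."""
    lam = lagrange_at_zero([x for x, _ in quorum])
    return sum(l * y for l, (_, y) in zip(lam, quorum)) % P

def reshare(quorum, m2: int, n2: int) -> list[tuple[int, int]]:
    """Enrol a new m2-of-n2 agent set: each quorum member sub-splits only its
    own share; the Lagrange-weighted sums are the new shares, so the secret is
    never assembled during the hand-over."""
    lam = lagrange_at_zero([x for x, _ in quorum])
    subs = [split(y, m2, n2) for _, y in quorum]  # subs[i][j]: member i's j-th
    return [(subs[0][j][0], sum(l * s[j][1] for l, s in zip(lam, subs)) % P)
            for j in range(n2)]

def demo_sign(key: bytes, msg: bytes) -> str:
    """Stand-in for a real signature: an HMAC keyed with the reconstructed key."""
    return hmac.new(key, msg, "sha256").hexdigest()

def sign_ephemeral(quorum, msg: bytes, sign=demo_sign) -> str:
    """Reconstruct, use once, wipe the buffer; only the signature leaves."""
    key = bytearray(reconstruct(quorum).to_bytes(32, "big"))
    try:
        return sign(bytes(key), msg)
    finally:  # best-effort wipe in Python; the page's model does this in hardware
        key[:] = bytes(len(key))
```

In plain Python the `bytes` copy handed to `sign` cannot be zeroed, which is exactly why the page places reconstruction inside a secure element rather than in application memory.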