As the CTO of SQHWYD, one of the first architectural decisions I had to make was: How do we store the keys?

In standard Public Key Infrastructure (PKI), the private key is a 256-bit integer. It’s a Single Point of Failure (SPOF). If you store it in an AWS S3 bucket (don't do this), it leaks. If you store it in a standard Hot Wallet, it’s vulnerable to server-side injection attacks.

We decided to implement Multi-Party Computation (MPC) using Threshold Signature Schemes (TSS). Here is a look at our security stack.

The Math: Shamir's Secret Sharing on Steroids

Instead of generating a private key $d$, we generate $n$ key shares.

$$d \neq \sum s_i$$

The key is never reconstructed. Instead, we compute the signature $\sigma$ using a distributed protocol where each party inputs their share $s_i$.

At SQHWYD, we use a (t, n) threshold setup:

Shard A: Stored in our HSM (Hardware Security Module).
Shard B: Encrypted on the Client's device (Secure Enclave).
Shard C: Held by an offline auditor.

This ensures that even if our backend is compromised (root access), the attacker cannot sign a transaction because they lack the client's shard [1].

Infrastructure Layer: The Hybrid Model

We strictly separate "Operational Liquidity" from "Vault Assets."

Hot/Warm Layer (MPC): Handles daily withdrawal/deposit velocity.
Cold Layer (Air-Gapped): We keep 95%+ of assets in proprietary air-gapped cold storage [2]. These are physically isolated devices stored in geographically distributed bank-grade vaults [3].

The AI Watchdog

We pipe our transaction logs into Orion AI Engine™.

It acts as an Intrusion Detection System (IDS) specifically for blockchain transactions. It monitors mempool states and internal logic for anomalies [4].

If withdrawal_amount > user_avg + 3*std_dev
Then trigger_manual_review

Conclusion

Building an exchange in 2025 requires moving beyond "Perimeter Defense" to "Cryptographic Defense." By using MPC, we eliminate the private key as a vulnerability.

If you are interested in distributed systems or cryptography, check out our whitepaper for the full specs.

Dr. Anya Volkov
CTO, SQHWYD
https://www.sqhwyd.net/