
Blockdaemon Builder Vault Secure MPC Key Management

By: Blockdaemon Latest Version: TSM Release version: 62.0.0
Linux/Unix

Product Overview

Cryptocurrency wallets and other online services are vulnerable to private key theft and misuse. Blockdaemon Builder Vault™ is an institutional-grade, self-hosted, virtual key management and protection system. It allows developers to build applications that are protected against private key vulnerabilities and provides multiparty control using secure multi-party computation (MPC).

Builder Vault is application agnostic, supporting verifiable digital signatures and encryption services using public key cryptography (PKC) with popular primitives based on ECDSA, Schnorr/EdDSA, RSA, HMAC and more, for virtually any online or offline service.

How MPC Key Management Works
MPC is a specialized subfield of cryptography that generates, stores, and uses private keys in the form of distributed key shares, each controlled by a different party (application or person). A critical benefit of MPC is that these shares are never combined to create a complete private key. Therefore a complete key is never known to any single machine, nor controlled by any single party, that could be compromised or could use the private key for illicit purposes.

How Builder Vault Works
Builder Vault uses Blockdaemon's Advanced MPC™ technology, which is hosted on AWS Nitro, to create a virtual key management and protection system called a Threshold Security Module (TSM). Think of a TSM as a virtual hardware security module (HSM) and key management system that exists in a distributed form across multiple nodes, with each node controlled by a different party. The parties must collaborate for the nodes to collectively generate, store, and use private keys in the form of distributed key shares. Similar to an HSM, messages to be signed or ciphertext to be decrypted are sent into the virtual TSM, where they are signed or decrypted. The private keys never leave their secure virtual TSM, which is hosted in AWS Nitro.

At the application level, it appears as if a single party with a single key is performing the cryptographic services. These MPC attributes allow Builder Vault to dramatically improve the security of private keys and cryptographically enforce multiparty approvals, while appearing as a standard single key service to applications.

Builder Vault requires a minimum of two parties, which use two TSM nodes. This minimum configuration supports a 2 of 2 operational model, where both parties must participate to perform a cryptographic operation. If more parties are desired, simply add more nodes. A third node can support a 2 of 3 model or a 3 of 3 model. Additional nodes support further "m" of "n" models, where "m" is the minimum number of nodes that must participate and "n" is the total number of nodes.
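As an added illustration (not Blockdaemon's code, and not the protocol Builder Vault actually runs), the following toy two-party Schnorr signing flow shows the property described above: each node holds an additive key share, the nodes exchange only public values and partial signatures, and the combined signature verifies under the joint public key while the full private key x_1 + x_2 is never assembled anywhere. It assumes secp256k1 and SHA-256, omits the nonce-commitment round and malicious-party protections a production protocol needs, and covers only n-of-n; m-of-n threshold variants replace the additive shares with Shamir shares and Lagrange coefficients.

```python
import hashlib, secrets
# secp256k1 domain parameters (public constants; the listing names no curve)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % P == 0  # base point is on y^2 = x^3 + 7

def add(a, b):
    """Affine point addition; None stands for the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def challenge(R, Y, msg):
    """Fiat-Shamir challenge c = H(R.x || Y.x || m) mod N."""
    data = R[0].to_bytes(32, "big") + Y[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def keygen(n=2):
    """Each node draws its own share x_i; only the public x_i*G ever leaves it."""
    shares = [secrets.randbelow(N - 1) + 1 for _ in range(n)]
    Y = None
    for x in shares: Y = add(Y, mul(x, G))  # joint key Y = (x_1+...+x_n)*G
    return shares, Y

def sign(shares, Y, msg):
    """n-of-n round: nonce points are summed, each node returns s_i = k_i + c*x_i."""
    ks = [secrets.randbelow(N - 1) + 1 for _ in shares]
    R = None
    for k in ks: R = add(R, mul(k, G))
    c = challenge(R, Y, msg)
    return R, [(k + c * x) % N for k, x in zip(ks, shares)]

def verify(Y, msg, R, partials):
    """Standard Schnorr check on the combined s; a lone partial s_i fails it."""
    s = sum(partials) % N
    return mul(s, G) == add(R, mul(challenge(R, Y, msg), Y))
```

The verifier sees an ordinary single-key Schnorr signature, which is the "appears as a single party with a single key" property the listing describes.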

Application SDKs
Each TSM node can be accessed and controlled using a Builder Vault SDK. SDKs are available supporting server nodes (in AWS) and mobile nodes (for mobile phone applications - contact Blockdaemon for details). SDKs are available in Go (golang), Node.js, Java, as well as mobile endpoints for iOS and Android.

Builder Vault TSM Package
Nodes that constitute a TSM are available in two CloudFormation templates. A minimum of a TSM Core template is required to configure a 2 node TSM, supporting a 2 of 2 threshold model. Additional nodes may be added to the TSM using the TSM Node template (up to 5 nodes total) to support other m of n threshold models such as 2 of 3, 3 of 3, 3 of 5 and others. Each package includes support for up to 75,000 public/private key pairs.

The TSM Core Template includes two MPC nodes hosted in AWS Nitro to form a 2 of 2 TSM.

The TSM Node Template provides the option to add additional TSM nodes to a TSM Core template to support larger m of n TSM models.

Version

TSM Release version: 62.0.0

Operating System

Linux/Unix, Amazon Linux 2023.02.21

Delivery Methods

  • CloudFormation Template
