MPC Key Generation


The creation of multi-party computation (MPC) keys involves a dynamic, step-by-step procedure that involves several rounds of communication between your backend and the Fireblocks API. This process operates asynchronously, meaning that it takes place over multiple interactions rather than a single continuous operation.

Key Generation

Let's break down the process for better clarity:

  1. Your application calls the generateMPCKeys method in our SDK to initiate the generation of MPC keys. This step triggers the process and sets everything in motion.
  2. generateMPCKeys can be called with the algorithms you wish to create under the wallet. Currently, it is MPC_EDDSA_ED25519 or MPC_ECDSA_SECP256K1. More information about it can be found here
  3. The crucial part of the whole process lies in the communication rounds between your backend and our API. These rounds are essential for securely creating the keys.
  4. Your backend calls the Fireblocks RPC API with a payload obtained from the outgoingMessageHandler instance created on the application side.
  5. The process unfolds repeatedly, with each round building upon the previous one. Your application and backend exchange messages, refining the communication until the process is complete.
  6. After successfully generating MPC keys, the final step involves securely storing these keys to ensure protection for your end users. You can tailor this process to your preferences through various options, such as mobile enclaves, biometric authentication, two-factor authentication (2FA), and more. You retain total control over the implementation that best suits your security needs.

Key Generation


Supported Algorithms

Currently the Fireblocks NCW feature supports MPC_ECDSA_SECP256K1 and MPC_EDDSA_ED25519.

By default, only MPC_ECDSA_SECP256K1 is turned on a workspace. If you need to support MPC_EDDSA_ED25519 in your workspace, contact your CSM or write to us in our community .

First, create an NCW using the Fireblocks API SDK. You can add the below to your application's customer backend.

import { FireblocksSDK } from "fireblocks-sdk";

//Provide your NCW Admin API key and API secret here
const fireblocks = new FireblocksSDK(privateKey, apiKey);

//Create a new wallet
const walletId = await fireblocks.NCW.createWallet();

Next, create a new account in the newly created NCW (also on the backend).

// create account under wallet
const accountId = await fireblocks.NCW.createAccount(walletId);

Lastly, start the MPC key generation from your application. You can add the below to your customer application.

import { IKeyDescriptor } from "@fireblocks/ncw-js-sdk";

// Generate MPC Keys
const algorithms = new Set(["MPC_CMP_ECDSA_SECP256K1"]);
const keyDescriptor: Set<IKeyDescriptor> = await fireblocksNCW.generateMPCKeys(algorithms);
val algorithms = setOf(Algorithm.MPC_ECDSA_SECP256K1)
fireblocksSdk.generateMPCKeys(algorithms = algorithms){ result ->
    Timber.i("generateMPCKeys result: $result")
// generate MPC key for ECDSA using concurrency
let algorithms = Set([.MPC_ECDSA_SECP256K1])
let keys = try await instance.generateMPCKeys(algorithms: algorithms)


// generate MPC key for ECDSA using callback
let algorithms = Set([.MPC_ECDSA_SECP256K1])
try instance.generateMPCKeys(algorithms: algorithms, callback: { [weak self] result in
	//handle result

Eventually, the SDK will reach the RPC endpoint on your backend. When you delegate the RPC call alongside the correct walletId, make sure you are using the NCW Signer role on the Fireblocks SDK.

If the device storage has generated keys (e.g., the NCW SDK already initialized with a specific deviceId that was called successfully with the generateMPCKeys function), you do not need to call this function. This scenario relates to a situation in which an end-user is logging in to an already set-up device.

If you are using a deviceId or walletId that you previously created keys on and no longer have them persisted on the current device (e.g. after you reinstall your app or a different web browser) and you call the generateMPCkeys function, it will fail since Fireblocks only allows creating a key once for each walletId and deviceId. In this scenario, you will need to recover the key share by calling therecoverKeys interface.