Server Architecture

Commitment Server Topology — Client + Server 2-Party MPC

1. Architecture Overview

What is Server MPC?

In a Server-based MPC topology, a mobile client (Party 0) and a commitment server (Party 1) jointly generate and sign keys. The client holds its share in the Secure Enclave; the server holds its share in a HSM (Hardware Security Module) or KMS. All cryptographic operations happen collaboratively over an encrypted WebSocket connection.

Key advantage: The server is always available. If the client is offline, the signature request waits. When the client comes back online, it can immediately sign without re-running key generation.

Component	Location	Storage	Role
Client	Mobile device	Secure Enclave	Party 0 — initiates signing
Server	Cloud (AWS, GCP, etc.)	HSM or KMS	Party 1 — co-signs requests
Channel	Internet	TLS 1.3	Encrypted transport

2. System Topology

Client-Server Architecture

Mobile Client (Party 0)

Key share x_0 in Secure Enclave
Public key Q (verified locally)
App runs signing UX
Session keys for TLS

Commitment Server (Party 1)

Key share x_1 in HSM
Public key Q (verified on-chain)
REST API + WebSocket endpoint
Session tracking & rate limits

Client

←→

TLS 1.3
WebSocket

←→

Server

3. Remote Key Generation

KeyGen Protocol Over Network

Client initiates: POST /keygen { "curve": "secp256k1", "client_id": "mobile-abc123", "timestamp": 1704067200 } Server responds: 101 Switching Protocols (WebSocket) Round 1: Client sends commitment(x_0) Round 2: Server sends commitment(x_1) Round 3: Exchange and verify public key Q Round 4: Confirm and store locally

Session Management: Each KeyGen starts a new WebSocket session with a unique session ID. Sessions timeout after 5 minutes of inactivity and require re-authentication via JWT.

Storage: After KeyGen completes, the client stores x_0 in Secure Enclave (non-exportable). The server stores x_1 in its HSM.

Zero-Knowledge Proofs

During KeyGen, the client and server prove correctness of their shares using non-interactive zero-knowledge proofs (Schnorr with Fischlin's transform). This ensures both parties are honest without exposing the shares.

4. Collaborative Signing

Signing Protocol

User taps "Sign"

→

Client connects to server via WebSocket

→

3-round MPC signing protocol

→

Signature returned to client

Round 1 (Setup): Client sends message hash and nonce commitment. Server generates its nonce and commits.

Round 2 (Compute): Both parties compute partial signature components in parallel. Client and server exchange partial signatures.

Round 3 (Final): Client combines the partial signatures into the final ECDSA signature (r, s).

Client sends: POST /sign { "msg_hash": "5a7f8d...", "session_id": "sess_xyz789", "nonce_commit": "0245a3...", "metadata": { "tx_id": "0x123...", "value": "1.5 ETH" } } Server responds (via WebSocket): { "round": 1, "server_nonce_commit": "0378b1...", "signature_component": "2045c7..." } Client computes final signature: (r, s) = combine(client_sig_part, server_sig_part)

Offline Support

If the client loses connection mid-signing, the protocol can resume from the last round. The server maintains session state for 10 minutes, allowing reconnection without restarting.

5. Server API Reference

REST Endpoints

Endpoint	Method	Purpose	Auth
`/keygen`	POST	Initiate 2PC key generation	JWT token
`/sign`	POST	Initiate collaborative signing	JWT token
`/refresh`	POST	Rotate key shares (forward security)	JWT token
`/status`	GET	Server health & version	None
`/pubkey`	GET	Retrieve public key (after keygen)	JWT token

WebSocket: All MPC protocols (KeyGen, Sign, Refresh) use WebSocket for bidirectional real-time communication. Upgrade from HTTP with: GET /ws?session_id=sess_xyz789

Mobile Experience

6. iOS App — Server-Based Signing

6.1 Server Status and Setup

Server Status

Connection

● Connected (latency: 42ms)

Server Version

1.3.2 (AWS us-east-1)

Public Key

02 8a7f9e2c...

Last Refresh

2 days ago

Status

Remote KeyGen

Round 1: Generate commitment

Round 2: Exchange shares

Round 3: Verify key

Connected to server

Generating key with commitment server...

KeyGen

6.2 Signing Request Flow

Sign Transaction

Hash

5a7f8d9c2b4e1f3a...

Amount

1.5 ETH to 0x1234...

Server Status

Connected (42ms)

Sign

Signing in Progress

⏳

Round 1: Nonce exchange

Round 2: Partial signatures

Round 3: Combine

Running 3-round MPC...

Progress

Signature Ready

✓

Signature (DER)

30 45 02 20 8a7f...

Verification

Valid for secp256k1

Done

7. Server-Based vs. Other Architectures

Architecture Comparison

Aspect	Server (2PC)	Device-to-Device	Single Device
Availability	Server always available	Both devices must be online	Single point of failure
Latency	100-500ms (network)	50-100ms (BLE)	<10ms (local)
Security Model	Threshold: compromise server or client (either alone)	Threshold: compromise both devices	Full key in one place
Scalability	Excellent (many clients per server)	Poor (limited to 2-3 peers)	N/A (single party)
Backup & Recovery	Supported via PVE	Manual coordination	User is responsible
Use Case	Mobile wallet, institutional	Peer cosigners	Custodial

Security Considerations

Server Compromise: If the server's HSM is compromised, attackers can sign arbitrary transactions. Mitigate with: rate limiting, transaction validation, and signing policies.

Client Compromise: If the Secure Enclave is broken, attackers can extract the key share. Mitigate with: key refresh (rotate shares), TLS pinning, and device attestation.

Combined Attack: If both are compromised simultaneously, the full key is exposed. This is the threshold property: threshold = 1 share leakage tolerance.