Key restructuring in MPC is the process of redistributing key shares among a new set of participants without ever reconstructing the original private key. This is crucial for maintaining long-term security, adapting to organisational changes, or replacing compromised participants in an MPC quorum.
In Threshold Signature Schemes (TSS), key restructuring allows a set of existing signers to securely transfer their key shares to a new group while preserving the same private key. You can modify the quorum—for example, changing the number of required signers or replacing nodes—without generating a completely new key.
This ensures operational continuity while improving resilience against:
- Key compromise
- Insider threats
- System upgrades
- Organisational changes
Palisade's implementation of key restructuring allows organisations to seamlessly rotate signers, ensuring that access control remains dynamic, secure, and breach-resistant without ever exposing the private key.
Key restructuring is appropriate when you need to:
| Use case | Description |
|---|---|
| Expand the quorum | Add more participants to increase security threshold |
| Reduce the quorum | Remove participants while maintaining security |
| Replace a participant | Swap out a device or user without changing the key |
| Change the threshold | Modify how many participants are required to sign |
| Respond to incidents | Remove a potentially compromised device |
| Adapt to org changes | Update quorum membership as team members change |
The key restructuring process follows these steps:
- Initiate restructuring – Administrator starts the key restructuring operation
- Define new quorum – Specify new participants and threshold
- Generate new key shares – The system computes and distributes new shares
- Update quorum policy – The system applies the new configuration
- Invalidate old shares – Previous key shares become obsolete
Throughout this process, the private key is never reconstructed.
A company uses Palisade MPC with a (2-of-3) quorum:
- CloudSign 1 (cloud-based signing node)
- CloudSign 2 (cloud-based signing node)
- CloudSign 3 (cloud-based signing node)
Currently, two out of three participants must approve to sign a transaction. As part of a security policy update, they decide to expand to a (3-of-4) quorum, requiring a higher threshold of approvals.
Initiate restructuring – The administrator starts a key restructuring operation, specifying a move from (2-of-3) to (3-of-4)
Generate new key shares – New key shares are securely computed and distributed:
- CloudSign 1 receives a refreshed key share
- CloudSign 2 receives a refreshed key share
- CloudSign 3 receives a refreshed key share
- CloudSign 4 (new) receives a newly generated key share
Update quorum policy – The new configuration requires three out of four participants to approve transactions
Invalidate old shares – The old key shares from the (2-of-3) quorum are retired
✅ The private key remains unchanged—no disruption to wallets or smart contracts
✅ The signing threshold is now higher (3-of-4)—improved resistance to insider threats
✅ CloudSign 4 is now part of the quorum—additional oversight added
✅ Old key shares are no longer valid—prevents unauthorized use
A company uses Palisade MPC with a (2-of-3) quorum:
- CloudSign 1 (cloud-based signing node)
- CloudSign 2 (cloud-based signing node)
- MobileSign (Bob) (iOS mobile device for human approvals)
The organisation needs to replace MobileSign (Bob) with MobileSign (Alice) because Bob is leaving the company.
Initiate restructuring – The administrator triggers a key restructuring operation
Generate new key shares – New key shares are computed and distributed:
- CloudSign 1 receives a refreshed key share
- CloudSign 2 receives a refreshed key share
- MobileSign (Alice) receives a newly generated key share
Revoke MobileSign (Bob) – Bob's previous key share becomes obsolete and can no longer participate in signing
Quorum remains intact – The (2-of-3) quorum remains operational with the updated participants
✅ The private key remains unchanged—no impact on wallets or authentication
✅ MobileSign (Alice) can now approve transactions—replacing Bob securely
✅ The system remains resilient to insider threats—old key shares cannot be reused
✅ No downtime during the transition
To perform key restructuring in Palisade:
- Navigate to the Controls section in the Palisade console
- Select the MPC Quorums tab
- Select the quorum you want to restructure
- Click Modify quorum
- Add or remove participants as needed
- Set the new threshold requirement
- Initiate the restructuring process
- Existing participants approve the restructuring
- The system distributes new key shares to all participants
Modification of quorum devices is only supported on Cloud quorums at the moment. Mixed quorums with MobileSign devices may have additional restrictions.
- Plan restructuring carefully – Document the changes before initiating
- Ensure device availability – All current and new participants should be available
- Communicate with stakeholders – Inform relevant team members of the change
- Test in sandbox first – Verify the process in a test environment
- Update backups after restructuring – Old backups will be incompatible
- Key resharing – Refresh key shares without changing participants
- MPC quorums – Create and manage quorums
- Understanding MPC-TSS – How MPC-TSS works
- MPC terminology – Key terms and definitions