{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-products/wallet/sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"type":"markdown"},"seo":{"title":"Key restructuring","description":"User guides, API reference, and support resources.","siteUrl":"https://docs.ripple.com/products/custody","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"key-restructuring","__idx":0},"children":["Key restructuring"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Key restructuring"]}," in MPC is the process of redistributing key shares among a new set of participants without ever reconstructing the original private key. This is crucial for maintaining long-term security, adapting to organisational changes, or replacing compromised participants in an MPC quorum."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"overview","__idx":1},"children":["Overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["In Threshold Signature Schemes (TSS), key restructuring allows a set of existing signers to securely transfer their key shares to a new group while ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["preserving the same private key"]},". You can modify the quorum—for example, changing the number of required signers or replacing nodes—without generating a completely new key."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This ensures ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["operational continuity"]}," while improving resilience against:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Key compromise"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Insider threats"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["System upgrades"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Organisational changes"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Palisade's implementation of key restructuring allows organisations to seamlessly rotate signers, ensuring that access control remains ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["dynamic, secure, and breach-resistant"]}," without ever exposing the private key."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"when-to-use-key-restructuring","__idx":2},"children":["When to use key restructuring"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Key restructuring is appropriate when you need to:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Use case"},"children":["Use case"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Expand the quorum"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Add more participants to increase security threshold"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Reduce the quorum"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Remove participants while maintaining security"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Replace a participant"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Swap out a device or user without changing the key"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Change the threshold"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Modify how many participants are required to sign"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Respond to incidents"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Remove a potentially compromised device"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Adapt to org changes"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Update quorum membership as team members change"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"key-restructuring-process","__idx":3},"children":["Key restructuring process"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The key restructuring process follows these steps:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Initiate restructuring"]}," – Administrator starts the key restructuring operation"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Define new quorum"]}," – Specify new participants and threshold"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Generate new key shares"]}," – The system computes and distributes new shares"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Update quorum policy"]}," – The system applies the new configuration"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Invalidate old shares"]}," – Previous key shares become obsolete"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Throughout this process, the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["private key is never reconstructed"]},"."]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"example-1-expanding-the-quorum","__idx":4},"children":["Example 1: Expanding the quorum"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"scenario","__idx":5},"children":["Scenario"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A company uses Palisade MPC with a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["(2-of-3) quorum"]},":"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CloudSign 1"]}," (cloud-based signing node)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CloudSign 2"]}," (cloud-based signing node)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CloudSign 3"]}," (cloud-based signing node)"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Currently, ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["two out of three participants"]}," must approve to sign a transaction. As part of a security policy update, they decide to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["expand to a (3-of-4) quorum"]},", requiring a higher threshold of approvals."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"key-restructuring-process-1","__idx":6},"children":["Key restructuring process"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Initiate restructuring"]}," – The administrator starts a key restructuring operation, specifying a move from (2-of-3) to (3-of-4)"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Generate new key shares"]}," – New key shares are securely computed and distributed:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["CloudSign 1 receives a refreshed key share"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["CloudSign 2 receives a refreshed key share"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["CloudSign 3 receives a refreshed key share"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CloudSign 4"]}," (new) receives a newly generated key share"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Update quorum policy"]}," – The new configuration requires ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["three out of four"]}," participants to approve transactions"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Invalidate old shares"]}," – The old key shares from the (2-of-3) quorum are retired"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"outcome","__idx":7},"children":["Outcome"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["private key remains unchanged"]},"—no disruption to wallets or smart contracts"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ The signing threshold is now ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["higher (3-of-4)"]},"—improved resistance to insider threats"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CloudSign 4 is now part of the quorum"]},"—additional oversight added"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ Old key shares are ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["no longer valid"]},"—prevents unauthorized use"]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"example-2-replacing-a-participant","__idx":8},"children":["Example 2: Replacing a participant"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"scenario-1","__idx":9},"children":["Scenario"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["A company uses Palisade MPC with a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["(2-of-3) quorum"]},":"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CloudSign 1"]}," (cloud-based signing node)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["CloudSign 2"]}," (cloud-based signing node)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["MobileSign (Bob)"]}," (iOS mobile device for human approvals)"]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The organisation needs to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["replace MobileSign (Bob) with MobileSign (Alice)"]}," because Bob is leaving the company."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"key-restructuring-process-2","__idx":10},"children":["Key restructuring process"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Initiate restructuring"]}," – The administrator triggers a key restructuring operation"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Generate new key shares"]}," – New key shares are computed and distributed:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["CloudSign 1 receives a refreshed key share"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["CloudSign 2 receives a refreshed key share"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["MobileSign (Alice)"]}," receives a newly generated key share"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Revoke MobileSign (Bob)"]}," – Bob's previous key share becomes obsolete and can no longer participate in signing"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Quorum remains intact"]}," – The (2-of-3) quorum remains operational with the updated participants"]}]}]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"img","attributes":{"src":"/assets/replaced_signer.493f4ffb8f4222c90a818bedf6a450bd12accc79bcd26dcf76e0382241430a9f.0ba50ef8.svg","alt":"Key restructuring - replacing a participant"},"children":[]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"outcome-1","__idx":11},"children":["Outcome"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ The ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["private key remains unchanged"]},"—no impact on wallets or authentication"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["MobileSign (Alice) can now approve transactions"]},"—replacing Bob securely"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ The system remains ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["resilient to insider threats"]},"—old key shares cannot be reused"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["✅ ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["No downtime"]}," during the transition"]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"performing-key-restructuring","__idx":12},"children":["Performing key restructuring"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To perform key restructuring in Palisade:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Navigate to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Controls"]}," section in the Palisade console"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["MPC Quorums"]}," tab"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Select the quorum you want to restructure"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Modify quorum"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Add or remove participants as needed"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Set the new threshold requirement"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Initiate the restructuring process"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Existing participants approve the restructuring"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["The system distributes new key shares to all participants"]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"warning","name":"Limitation"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Modification of quorum devices is only supported on Cloud quorums at the moment. Mixed quorums with MobileSign devices may have additional restrictions."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"best-practices","__idx":13},"children":["Best practices"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Plan restructuring carefully"]}," – Document the changes before initiating"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Ensure device availability"]}," – All current and new participants should be available"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Communicate with stakeholders"]}," – Inform relevant team members of the change"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Test in sandbox first"]}," – Verify the process in a test environment"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Update backups after restructuring"]}," – Old backups will be incompatible"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"related-topics","__idx":14},"children":["Related topics"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/products/wallet/user-interface/security-controls/key-resharing"},"children":["Key resharing"]}," – Refresh key shares without changing participants"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/products/wallet/user-interface/security-controls/mpc-quorums"},"children":["MPC quorums"]}," – Create and manage quorums"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/products/wallet/introduction/understanding-mpc-tss"},"children":["Understanding MPC-TSS"]}," – How MPC-TSS works"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"/products/wallet/introduction/mpc-terminology"},"children":["MPC terminology"]}," – Key terms and definitions"]}]}]},"headings":[{"value":"Key restructuring","id":"key-restructuring","depth":1},{"value":"Overview","id":"overview","depth":2},{"value":"When to use key restructuring","id":"when-to-use-key-restructuring","depth":2},{"value":"Key restructuring process","id":"key-restructuring-process","depth":2},{"value":"Example 1: Expanding the quorum","id":"example-1-expanding-the-quorum","depth":2},{"value":"Scenario","id":"scenario","depth":3},{"value":"Key restructuring process","id":"key-restructuring-process-1","depth":3},{"value":"Outcome","id":"outcome","depth":3},{"value":"Example 2: Replacing a participant","id":"example-2-replacing-a-participant","depth":2},{"value":"Scenario","id":"scenario-1","depth":3},{"value":"Key restructuring process","id":"key-restructuring-process-2","depth":3},{"value":"Outcome","id":"outcome-1","depth":3},{"value":"Performing key restructuring","id":"performing-key-restructuring","depth":2},{"value":"Best practices","id":"best-practices","depth":2},{"value":"Related topics","id":"related-topics","depth":2}],"frontmatter":{"title":"Key restructuring","seo":{"title":"Key restructuring"}},"lastModified":"2026-03-06T11:27:59.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/products/wallet/user-interface/security-controls/key-restructuring","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}