Fystack release MPCium v0.3.2 (DH Key exchange + AWS KMS support)
Thi Nguyen
We’re excited to announce the release of MPCium v0.3.2, which brings several important security and deployment enhancements.
Key Highlights
- DH key exchange and encryption for P2P messages
- AWS KMS integration with support for P256 signatures
- Native Linux systemd deployment for better node lifecycle management
1. DH Key Exchange and Secure P2P Messaging
In this release, we’ve implemented Diffie-Hellman (DH) key exchange with AES-GCM encryption for all peer-to-peer messages. This improvement was inspired by a recommendation from contributor Nan Cheng (PhD candidate in MPC & ZKP) thank you Nan for the valuable input! Learn more about Nan.
Pseudo code
// 1. Generate ephemeral key pairs
node_A: private_key_A, public_key_A = generate_x25519_keypair()
node_B: private_key_B, public_key_B = generate_x25519_keypair()
// 2. Exchange signed public keys via NATS
broadcast_signed_message({from: node_id, public_key: public_key})
// 3. Compute shared secret and derive AES key
shared_secret = ecdh(my_private_key, peer_public_key)
symmetric_key = hkdf(shared_secret, peer_info, 32_bytes)
// 4. Encrypt/decrypt all subsequent messages
send: ciphertext = aes_gcm_encrypt(message, symmetric_key)
receive: message = aes_gcm_decrypt(ciphertext, symmetric_key)
Pull request: https://github.com/fystack/mpcium/pull/95
2. AWS KMS Integration for Event Signing
We’ve added AWS KMS support so MPCium can sign messages using the P256 algorithm. This makes MPCium client more cloud native and simplifies deployment in cloud environments.
Users can now configure event initiator public keys and signing algorithms directly in the config file.
To generate and kms key and get public key in hex value. Do the folloiwng commands
aws kms create-key \
--description "Kkeypair for Mpcium" \
--key-usage SIGN_VERIFY \
--customer-master-key-spec ECC_NIST_P256
export KMS_KEY_ID="330a9df7-4fd9-4e86-bfc5-f360b4c4be39" # Replace with your KeyId
aws kms get-public-key \
--key-id $KMS_KEY_ID \
--query PublicKey \
--output text | base64 -d | xxd -p -c 256Sample signer: See kms_signer.go
3. Native Linux Deployment with systemd
To improve lifecycle and credential management of the node, MPCium now supports systemd deployment with systemd-creds for secure credential storage.
To better manage lifecyle of node now user can follow hte instruction at https://github.com/fystack/mpcium/tree/master/deployments/systemd to deploy service with systemd
$ sudo systemctl start mpcium
$ sudo systemctl status mpcium
$ journalctl -u mpcium -f # check logsClosing
MPCium v0.3.2 makes node communication more secure, cloud integration smoother, and deployment more production-ready.
We welcome feedback and contributions from the community.
At Fystack, we go beyond open source, we offer on-premise MPC wallet infrastructure deployment, enabling fintechs and Web3 companies to cut secure wallet development from months down to just weeks. Check us out at http://fystack.io/ .
