Security Model

The Planbok MPC system implements a multi-layered security architecture designed to protect assets against infrastructure compromise, insider threats, and unauthorized access.

Standard MPC Security

Protocol-Level Isolation

In the Standard MPC model, Node 1 and Node 2 are both managed by Planbok's infrastructure, but they are physically and logically isolated:

• Isolated Infrastructures: Nodes are deployed in separate containers and, in production, distributed across different namespaces and potentially different cloud regions to ensure that a compromise of one does not affect the other.
• Node Authentication: All communication between nodes is conducted over secure, TLS-encrypted gRPC channels, and requires cryptographic authentication.
• Restricted Access: Administrative access to the nodes is strictly limited, and key shares are never stored in plain text. They are always encrypted using hardware-backed secrets (HSM/Vault).

Trustless MPC Security

Cryptographic Boundaries

Trustless MPC introduces a higher level of isolation by requiring client-managed entropy:

• Organization Secret: The organization provides a high-entropy secret during registration. This secret is used to "blind" Node 1's share.
• Client-Side Authorization: Node 1 cannot unwrap its share or participate in the signing protocol without the client providing the corresponding encrypted_secret during each signing request.
• Sovereignty: This ensures that even if Planbok infrastructure were fully compromised, the attacker would still need the organization's secret to sign a transaction.

Customer Custody Security

Zero-Knowledge Architecture

For end-users, we utilize a PIN-blinding mechanism to ensure zero-knowledge self-custody:

• PIN Hashing: The user's PIN is hashed on the client-side using Argon2id, a state-of-the-art password hashing algorithm that is resistant to GPU-based brute-force attacks.
• Blinded Share: Node 1's share is wrapped (encrypted) with a key derived from the Argon2id hash. This blinded share is stored by Planbok, but it is unusable without the user's PIN.
• PIN-Protected Operations: Every signing or export request requires the user to re-enter their PIN to derive the temporary signing secret.

Secure Recovery Flows

Planbok offers robust recovery mechanisms that maintain the zero-knowledge security boundary:

• Security Questions: User-defined questions are hashed and salted. During recovery, the answers are combined to reconstruct a recovery secret that can unwrap the Node 1 share.
• Email/App Recovery: Encrypted secrets can be delegated to secure channels, allowing users to restore access to their blinded shares without Planbok ever seeing the underlying key material.

Role-Based Access Control (RBAC)

All interactions with the MPC system are governed by a granular RBAC system:

• Owners: Full authority over organization identity, admin management, and wallet set control.
• Admins: Can manage members, wallet sets, and register secrets.
• Members: Can view data and interact with wallets as permitted by their specific roles.

[!NOTE] All critical security operations—from DKG initiation to transaction signing—are logged in an immutable audit trail, providing organizations with full visibility into the lifecycle of their keys and assets.