Short answer
AERKey is the first of Aeredium's five core primitives. It is a threshold ECDSA system (the protocol variant is TSS-USIG) covered by USPTO provisional application 63/977,868. Private key shares are generated independently inside Trusted Execution Environment (TEE) hardware enclaves running across three or more cloud providers in three or more geographic regions. Any threshold of those shares produces a valid ECDSA signature. No individual share, and no subset below the threshold, reveals anything about the key. The complete private key never exists as a single object in the system's history.
This matters because the standard model for "institutional custody" still assembles a full private key somewhere, on some server, in some datacenter. AERKey eliminates that point of assembly. It also means AERKey can sign on behalf of any chain that accepts standard ECDSA signatures: Bitcoin, Ethereum, and the eight other confirmed chains in Aeredium's Trans Layer network. The signatures are indistinguishable from regular wallet signatures on the target chain.
The current production protocol is CGGMP24. The next-generation CGGMP25 protocol is in active deployment. In Asia-Pacific, 62 signing modules are deployed per region, with a measured signing latency of around 300ms. A published benchmark from May 2026 confirmed 13,254 transactions per minute per signing group under production conditions.
AERKey at a glance
The private key problem
Every serious crypto theft traces back to the same architectural failure: a private key existed as a complete object, in one place, and someone obtained it. The specific mechanism varies: an internal breach, a compromised server, a software exploit, a social engineering attack on a key holder. But the enabling condition is always the same. The full key existed somewhere. Finding it was sufficient to steal everything it controlled.
The pattern is consistent across scale and sophistication. Exchange hot wallets have been drained by server compromises. Multi-billion-dollar custody platforms have suffered key extraction through supply-chain attacks on signing hardware. The April 2026 KelpDAO/LayerZero exploit (approximately $290 million via poisoned cross-chain RPC nodes) and a separate Drift Protocol exploit ($285 million, different vector, same month) added to more than $1 billion in cumulative crypto infrastructure losses in early 2026 alone. In the same period, AI-accelerated attack tooling drove median exploit costs down roughly 70% across four consecutive model generations, per Anthropic's December 2025 red-team research.
The AI dimension changes the calculus. Finding a vulnerability used to require a skilled human attacker with weeks of time. An April 2026 a16z analysis found that AI agents reliably identify vulnerabilities when given access to codebases. The cost per attempt against institutional infrastructure is measured in dollars, not thousands. For any system where finding a vulnerability is equivalent to extracting value, this is a structural problem.
AERKey's architectural bet is that finding a vulnerability should not be equivalent to extracting value. The threshold distribution is the mechanism: you would need to compromise a qualifying subset of TEE enclaves, simultaneously, across multiple independent cloud providers, in multiple geographic regions, each running hardware-attested code that any counterparty can independently verify. That is a fundamentally different attack surface than locating a single signing server.
Standard approaches and their limits
Hot wallets and single-key custody
A server holds the full private key in memory and signs on request. Fast and simple. The attack surface is the server. Anyone who obtains persistent access to that server, or to the key material in memory, controls all funds. This is the architecture that has failed repeatedly at exchanges and custodians. It is not used by institutional-grade systems, but it remains common in DeFi protocols where admin keys control upgradeable contracts.
Multi-signature (multi-sig)
Multiple distinct private keys are required to authorize a transaction. Each co-signer holds a complete private key. The on-chain signature set is visible to the network. Multi-sig raises the bar significantly over single-key custody, and it is a meaningful improvement. Its limits: each individual co-signer still holds a complete key, so compromising any co-signer's key material is a partial path to exploitation. Coordination attacks targeting key holders (SIM swaps, coercion, social engineering) have successfully bypassed multi-sig arrangements. The on-chain visibility of the multi-sig structure also reveals institutional signing relationships and transaction patterns to any observer.
MPC-CMP (multi-party computation, threshold signing)
The category that AERKey belongs to. MPC threshold signing splits key generation and signing across multiple parties so that no single party holds the complete key. A threshold of parties must cooperate to sign. The resulting on-chain signature looks identical to a single-signer ECDSA signature. MPC-CMP is now used by serious institutional custodians. The standard implementation runs MPC across signing nodes operated by the custody vendor, often with a customer's own node as one of the parties. The typical trust architecture: the vendor operates a majority of nodes on vendor infrastructure, inside one primary cloud provider's enclave, with attestation generated and validated by the vendor's own systems. Cryptography prevents key extraction, but the vendor holds effective majority signing control by construction.
AERKey sits in the MPC-CMP category but differs from the standard implementation in three ways: signing nodes are distributed across genuinely independent cloud providers (not co-located on vendor infrastructure), hardware attestation is open for independent third-party verification (not vendor-generated and vendor-validated), and the anti-equivocation property (USIG) is enforced by hardware rather than by coordination. The result is a materially different trust assumption: you are trusting open cryptography across three cloud jurisdictions, anchored to a public blockchain, rather than trusting a custody vendor's infrastructure.
How AERKey works
Key generation: shares, not fragments
When an AERKey signing group is provisioned, each enclave independently generates its own cryptographic share inside protected memory using the CGGMP24 protocol. The shares are never combined or transmitted in plaintext. Any threshold of shares (the specific threshold is configurable per use case) is mathematically sufficient to produce a valid ECDSA signature. Any number of shares below the threshold is cryptographically useless for reconstructing the key or signing. The complete private key does not exist at any point in this process.
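A simplified, dealer-free model of this key-generation step, added here as an illustration and not Aeredium's code: each party generates its own random polynomial over the secp256k1 scalar field and the shares are summed, so the full scalar is never assembled; any t shares reconstruct it, and t-1 shares are consistent with every possible secret. It omits CGGMP24's commitments, zero-knowledge proofs and the enclave attestation around them.

```python
"""Dealer-free t-of-n Shamir sharing over the secp256k1 scalar field.

Simplified model of the key-generation step: every party picks its own random
polynomial and hands one evaluation to each peer; a party's final share is the
sum of what it received. The full secret (the sum of all constant terms) is
never assembled, which models the "no full key ever exists" property. This is
a constructed illustration and omits CGGMP24's commitments, proofs and the
enclave attestation around them.
"""
import secrets

# Order of the secp256k1 group; ECDSA private keys are scalars modulo N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coeffs[0] is the constant term)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def dkg(n, t):
    """Simulate n parties each contributing a random degree-(t-1) polynomial.

    Returns (shares, constant_terms). shares[x] is the share of the party at
    evaluation point x (1..n). constant_terms are returned only so a test can
    check the arithmetic; in a real enclave they never leave protected memory.
    """
    polys = [[secrets.randbelow(N) for _ in range(t)] for _ in range(n)]
    shares = {}
    for x in range(1, n + 1):
        # Party x's share is the sum of every party's polynomial at its point.
        shares[x] = sum(_eval_poly(p, x) for p in polys) % N
    return shares, [p[0] for p in polys]


def interpolate(points, x):
    """Lagrange-interpolate the value at x from {x_i: f(x_i)} modulo N."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


def reconstruct(shares, subset):
    """Combine any t shares into the secret scalar (f(0) of the summed polynomial)."""
    return interpolate({x: shares[x] for x in subset}, 0)


def implied_share(shares, subset, x_missing, guessed_secret):
    """What t-1 shares say about the secret: nothing.

    Given t-1 shares and *any* guess for the secret there is exactly one
    polynomial through them, so every guess predicts some valid-looking
    value for the missing share. Only the true secret predicts the true one.
    """
    pts = {x: shares[x] for x in subset}
    pts[0] = guessed_secret
    return interpolate(pts, x_missing)


if __name__ == "__main__":
    shares, consts = dkg(n=5, t=3)
    secret = sum(consts) % N  # computed here only to check the simulation
    print("3-of-5 reconstruct matches:", reconstruct(shares, [1, 3, 5]) == secret)
    print("2 shares pin the secret:", implied_share(shares, [1, 2], 3, 0) == shares[3])
```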
TEE hardware: the enforcement layer
Each signing node runs inside a Trusted Execution Environment: a hardware-isolated region of a processor with encrypted memory, protected from the host operating system, the cloud provider's hypervisor, and any software running outside the enclave. The four platforms in production are AWS Nitro Enclaves, Azure SEV-SNP, Google Cloud Confidential Space, and Intel TDX. Each platform provides hardware attestation: a cryptographic certificate, signed by the hardware manufacturer's key, that proves which code is running inside the enclave and that the enclave is genuine.
Crucially, this attestation is open. Any counterparty (a regulator, an auditor, an institutional client, a sceptical researcher) can independently verify that signing occurred in a legitimate enclave running legitimate code, without taking Aeredium's word for it. The trust assumption is that at least one of the three major cloud hardware vendors (AWS, Azure, Google Cloud) is honest about what code is running inside their hardware. This is a much weaker assumption than "trust this custody vendor entirely."
USIG: hardware-enforced anti-equivocation
USIG (Unique Sequential Identifier Generator) is a hardware counter inside each enclave. Every message an enclave signs carries a counter value that increments monotonically and is attested by the hardware. Equivocation (signing two contradictory messages at the same block height) would require the counter to produce the same value twice. The hardware makes this structurally impossible rather than merely difficult to coordinate among participants. This is the mechanism that allows Aeredium's TEE-BFT consensus to require 2f+1 nodes (where f is the tolerable number of faulty nodes) rather than the 3f+1 standard BFT requires: the equivocation attack class is eliminated by hardware enforcement, not by increasing the signing quorum.
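An added simulation, not Aeredium's code, of what a USIG-style counter gives a verifier: HMAC-SHA256 stands in for the hardware attestation key, and audit_sequence is the check a counterparty would run over one enclave's certificates to detect a reused counter (equivocation) or a gap (a counter value consumed by a message that was never delivered).

```python
"""Simulation of a USIG-style attested counter and the checks a verifier runs.

Each simulated enclave holds a monotonic counter and a secret key standing in
for the hardware attestation key. Every message it signs is bound to the next
counter value, so a certificate proves "this is the k-th message enclave E
signed". Constructed example: HMAC-SHA256 replaces the hardware signature, and
the verifier shares the key (a real verifier checks a hardware certificate).
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    enclave_id: str
    counter: int
    msg_hash: bytes
    tag: bytes


def msg_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()


def attest(key: bytes, enclave_id: str, counter: int, h: bytes) -> bytes:
    """Stand-in for the hardware signature over (enclave, counter, hash)."""
    data = enclave_id.encode() + counter.to_bytes(8, "big") + h
    return hmac.new(key, data, hashlib.sha256).digest()


class SimEnclave:
    """A well-behaved node: the counter only ever moves forward."""

    def __init__(self, enclave_id: str, key: bytes):
        self.enclave_id = enclave_id
        self._key = key
        self._counter = 0

    def create_ui(self, message: bytes) -> Cert:
        """Bind the message to the next counter value and attest it."""
        self._counter += 1
        h = msg_hash(message)
        return Cert(self.enclave_id, self._counter,
                    h, attest(self._key, self.enclave_id, self._counter, h))


def verify_ui(key: bytes, cert: Cert) -> bool:
    expected = attest(key, cert.enclave_id, cert.counter, cert.msg_hash)
    return hmac.compare_digest(expected, cert.tag)


def audit_sequence(key: bytes, certs) -> dict:
    """Check one enclave's certificates the way a counterparty would.

    Findings: counters with an invalid tag; counters seen with two different
    message hashes (equivocation, which the hardware is meant to make
    impossible); and gaps, i.e. counter values the enclave consumed but whose
    messages were never delivered to this verifier.
    """
    findings = {"invalid": [], "equivocation": [], "gaps": []}
    seen = {}
    for c in certs:
        if not verify_ui(key, c):
            findings["invalid"].append(c.counter)
            continue
        if c.counter in seen and seen[c.counter] != c.msg_hash:
            findings["equivocation"].append(c.counter)
        seen.setdefault(c.counter, c.msg_hash)
    if seen:
        findings["gaps"] = sorted(set(range(1, max(seen) + 1)) - set(seen))
    return findings


if __name__ == "__main__":
    key = b"constructed-attestation-key"
    node = SimEnclave("enclave-A", key)
    certs = [node.create_ui(b"block 10 -> root aaaa"),
             node.create_ui(b"block 11 -> root bbbb")]
    print(audit_sequence(key, certs))
```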
Signing: the threshold in action
When a transaction requires a signature, the signing request is distributed to the enclave network. Each enclave computes its partial signature contribution using its share. A threshold of contributions is combined (inside enclave memory, never in plaintext on any single machine) to produce a complete ECDSA signature. That signature is a standard, single-signer ECDSA signature on the target chain. Bitcoin, Ethereum, and the other eight confirmed chains in the Trans Layer network cannot distinguish an AERKey-produced signature from any other. The threshold process is entirely invisible at the chain level.
Five roles AERKey plays in the Aeredium stack
Per white paper v3.7, AERKey is not a single-purpose key management tool. It serves five distinct roles across the Aeredium ecosystem, each using the same cryptographic primitive.
Institutional signing
Every block produced on the AEREDIUM chain is threshold-signed by AERKey. The same threshold is also used for cross-chain settlement operations (Trans Layer), Bitcoin anchoring (OP_RETURN writes to the Bitcoin blockchain), and AERLink API calls into bank and enterprise systems. There is no separate signing mechanism for any of these operations; one cryptographic layer serves the entire stack.
Privacy key custodian (User Master Keys)
User Master Keys (the keys that encrypt private transaction data in Aeredium's Privacy Layer) are held as Shamir secret shares inside the AERKey enclave network. This means the Privacy Layer's encryption keys inherit the same threshold distribution and hardware attestation as the consensus keys. A user's encrypted data cannot be decrypted by anyone who does not have the user's authorization, even by operators with full infrastructure access.
Policy Engine
AERKey contains a Policy Engine that runs inside the signing layer, before any signature is produced. Policy rules include spending limits per day, hour, or transaction; whitelisted destination addresses; time-of-day restrictions; multi-party approval workflows above threshold values; velocity controls; and sanctioned-address exclusions (OFAC integration via AERLink). Policy and signature are the same act, not separately compromisable. The target chain only ever sees the output: a valid signature or no signature. Policy rules cannot be bypassed by submitting a transaction directly to the chain, because the signature that authorizes it comes only from the threshold signing process, which includes the Policy Engine check.
Institutional identity and recovery
AERKey serves as the institutional identity layer for onboarded participants. Institutional recovery processes (replacing a lost or compromised share) use the threshold mechanism rather than a manual key escrow or a centralized backup. There is no "master recovery key" held by Aeredium staff that could be compelled, phished, or stolen.
Smart contract key custody (Trust Contracts)
Trust Contracts (Aeredium's extended Solidity contracts with encrypted state and cross-chain capabilities) can have their admin keys managed under AERKey threshold custody. This eliminates the single-point-of-key-compromise pattern that makes smart contract exploits so lucrative: finding a vulnerability in the contract code does not automatically give an attacker the admin key needed to drain or upgrade it. The key is threshold-distributed, not sitting on a server.
The anchored audit trail
Every operation AERKey performs (signature, policy evaluation, key generation, share refresh) emits an audit entry. Entries are written to a lock-free ring buffer capable of processing more than 150,000 attestations per second without blocking the signing path. The audit system does not slow down signing.
Entries are gathered into Merkle trees. The Merkle root is anchored to the AEREDIUM blockchain, and that anchor is itself signed by a quorum of threshold validators on the consensus layer. Every 100 blocks (approximately every 200 seconds at a 2-second block time), the AEREDIUM chain's own Merkle root is written to the Bitcoin blockchain via OP_RETURN. This creates a tamper-evident chain from individual signing operations up through AEREDIUM's on-chain record, and from there into Bitcoin's immutable history.
The audit trail cannot be forged, quietly rewritten, or omitted. Rewriting any entry would invalidate the Merkle root. Rewriting the on-chain anchor would invalidate the Bitcoin inscription. Any gap or inconsistency is visible to anyone with chain access. The audit is produced by the cryptographic protocol itself, not by Aeredium showing auditors a vendor screen. Even Aeredium staff with full internal infrastructure access cannot rewrite the log without leaving a permanent, publicly visible inconsistency.
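An added example, not part of the page or Aeredium's implementation, of the Merkle commitment the audit trail relies on: entries are hashed into a tree, each entry gets an inclusion proof against the root, and altering or dropping any entry changes the root that would have been anchored on-chain.

```python
"""Merkle-committed audit log, modelled on the anchored audit trail above.

Constructed example: entries are plain dicts, SHA-256 is the hash, and the
"anchor" is simply the root value a chain would record. Leaf and node hashes
use different prefixes so a leaf can never be passed off as an inner node.
"""
import hashlib
import json


def leaf_hash(entry: dict) -> bytes:
    # Canonical JSON so the same entry always hashes the same way.
    data = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(entries):
    """Return every level, leaves first. An odd level duplicates its last node."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(entries) -> bytes:
    """The value that would be written to the anchoring chain for this batch."""
    return build_tree(entries)[-1][0]


def inclusion_proof(entries, index):
    """Sibling hashes from the leaf up to the root, each tagged with its side."""
    levels = build_tree(entries)
    proof = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(entry, proof, root) -> bool:
    """Recompute the path from the entry; only the committed entry reaches root."""
    h = leaf_hash(entry)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root


if __name__ == "__main__":
    # Constructed sample batch of audit entries.
    batch = [{"seq": 1, "op": "sign", "ns": "client-a"},
             {"seq": 2, "op": "policy", "ns": "client-a", "result": "allow"},
             {"seq": 3, "op": "share_refresh", "ns": "system"}]
    root = merkle_root(batch)
    print("anchor:", root.hex())
    print("entry 2 included:", verify_inclusion(batch[1], inclusion_proof(batch, 1), root))
```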
Two access tiers are available for audit purposes. Auditor tokens give read access to all signing activity across all namespaces. Partner tokens give read access scoped to a single client namespace, with structural isolation from all other clients; the isolation is enforced cryptographically, not by a configuration setting that could be changed. The FATF Travel Rule can be satisfied by generating structured originator/beneficiary data at the Policy Engine layer and delivering it through the auditor access tier to the requesting counterparty.
Policy Engine: signing and compliance as one act
The Policy Engine runs inside the signing process, not as a separate smart contract or middleware layer. This distinction matters: a separate compliance layer can be bypassed by routing a transaction around it. A Policy Engine that is part of the signing process cannot be bypassed; if the policy check fails, no signature is produced, and without a valid signature from the threshold system, the transaction cannot be authorized on any of the supported chains.
Standard Policy Engine rules available to institutional onboardees: spending limits denominated per day, per hour, and per transaction; whitelisted destination addresses (transactions to non-whitelisted addresses are blocked at the signing layer, not just flagged); time-of-day restrictions (signing only permitted during business hours, or outside business hours for specific address classes); multi-party approval workflows for values above a defined threshold; velocity controls that flag or block unusual transaction frequency patterns; and sanctioned-address exclusions integrated via AERLink's OFAC compliance API.
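An added example of policy-gated signing modelled on the rule set above; the Policy, Request and evaluate names are mine, not Aeredium's API, and the signer callback stands in for the threshold signing step that runs only when every rule passes.

```python
"""Policy evaluation in front of signing, modelled on the rule set above.

Constructed example: the rule names, the request format and the decision
function are illustrative, not Aeredium's Policy Engine. The point being
shown is that a failed rule yields no signature at all, rather than a
signature plus a flag that something downstream might ignore.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Policy:
    per_tx_limit: int
    daily_limit: int
    whitelist: frozenset
    business_hours: tuple     # (start_hour, end_hour) in UTC, end exclusive
    approval_threshold: int   # amounts at or above this need extra approvals
    approvals_required: int
    max_tx_per_hour: int
    sanctioned: frozenset


@dataclass
class Request:
    amount: int
    destination: str
    timestamp: datetime
    approvals: int = 0


def evaluate(policy, req, history):
    """Return (allowed, reasons). history is a list of (timestamp, amount) signed.

    Every rule is checked so the audit entry can record all violations, not
    just the first; the signature is withheld if any rule fails.
    """
    reasons = []
    if req.destination in policy.sanctioned:
        reasons.append("sanctioned destination")
    if req.destination not in policy.whitelist:
        reasons.append("destination not whitelisted")
    if req.amount > policy.per_tx_limit:
        reasons.append("exceeds per-transaction limit")
    day_total = sum(a for ts, a in history if ts.date() == req.timestamp.date())
    if day_total + req.amount > policy.daily_limit:
        reasons.append("exceeds daily limit")
    start, end = policy.business_hours
    if not start <= req.timestamp.hour < end:
        reasons.append("outside signing window")
    if req.amount >= policy.approval_threshold and req.approvals < policy.approvals_required:
        reasons.append("insufficient approvals")
    recent = [ts for ts, _ in history if 0 <= (req.timestamp - ts).total_seconds() < 3600]
    if len(recent) + 1 > policy.max_tx_per_hour:
        reasons.append("velocity limit")
    return (not reasons, reasons)


def sign_if_allowed(policy, req, history, signer):
    """Policy and signature as one act: signer() is never called on a deny."""
    ok, reasons = evaluate(policy, req, history)
    if not ok:
        return None, reasons
    return signer(req), []


def at(hour, minute=0):
    """Constructed timestamp on a fixed UTC day, for sample requests."""
    return datetime(2026, 5, 18, hour, minute, tzinfo=timezone.utc)


# Constructed demo policy; the addresses are placeholders, not real ones.
DEMO_POLICY = Policy(
    per_tx_limit=100_000, daily_limit=250_000,
    whitelist=frozenset({"0xdemo-treasury", "0xdemo-exchange"}),
    business_hours=(8, 18), approval_threshold=50_000, approvals_required=2,
    max_tx_per_hour=3, sanctioned=frozenset({"0xdemo-sanctioned"}),
)

if __name__ == "__main__":
    past = [(at(9), 40_000), (at(9, 30), 30_000)]
    print(evaluate(DEMO_POLICY, Request(60_000, "0xdemo-treasury", at(10)), past))
```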
For institutions with regulatory disclosure requirements, the Policy Engine provides selective disclosure: a regulator or auditor with the appropriate scoped access token can see specific signing activity, time-bounded and purpose-bounded, without gaining access to other clients' data or the full signing history. This is the architecture Aeredium describes as compatible with MiCA reporting requirements and FATF Travel Rule compliance.
AERKey Privacy Layer
The Privacy Layer is Aeredium's fifth primitive and is architecturally dependent on AERKey. User Master Keys are Shamir-shared across the AERKey enclave network, so the Privacy Layer's security properties are inherited from the threshold distribution.
The layer is structured in five tiers. Layers 1 and 4 deploy at mainnet (August 2026, per official white paper v3.7). Layers 2, 3, and 5 are on the post-mainnet roadmap with no confirmed dates as of white paper v3.7.
Wallet-level encryption
Transaction payload is encrypted at the wallet using AES-256-GCM before broadcast. The chain stores only ciphertext. Nodes relay and include transactions without seeing their contents. Address hashing uses HMAC-SHA256; key derivation uses HKDF-SHA256. MetaMask and other standard Ethereum wallets connected to the AEREDIUM RPC endpoint see only ciphertext; StablePro Wallet is required for the full Privacy Mode user experience.
Mempool encryption
Transactions are encrypted in the mempool before block inclusion. This is the layer that eliminates MEV extraction by preventing validators from seeing transaction contents before ordering. The architectural groundwork is in AEREDIUM's TEE-BFT consensus, but mempool-level encryption as a formal layer is post-mainnet with no confirmed date.
Smart contract state encryption
State variables in Trust Contracts would be encrypted at rest, readable only by parties with the appropriate scoped key. Currently in design phase. This would extend Privacy Mode from transaction-level to full contract state, enabling confidential DeFi and confidential corporate treasury logic on-chain.
Chain-native encryption and tiered block explorer
The block explorer exposes three information tiers. Public view: transaction ID and ciphertext only. Authorised third party (with a scoped Policy Engine token): fields specified in the policy grant. Owner (with own decryption key): full plaintext. An unauthenticated address query returns "no transactions found" rather than "access denied"; the latter would confirm that encrypted transactions exist for that address. The distinction is deliberate and has practical privacy implications.
Encrypted DeFi operations
Confidential DeFi (AMMs, lending, order books) where liquidity positions and trade intents are not visible to other market participants. Currently in design phase. The cryptographic primitives already in the stack (AES-256-GCM payload encryption, threshold key custody, Policy Engine scoping) are the building blocks for this layer.
The Privacy Layer is crypto-agile: every on-chain record carries cipher_id and sig_suite fields, so the encryption and signature algorithms can be upgraded without rewriting historical records. The planned migration path to post-quantum cryptography uses hybrid secp256k1 + ML-DSA-65 for wallet keys and thresholdised Falcon for the TSS signing layer.
AEREDIUM Audit: continuous reserve verification
AEREDIUM Audit (USPTO 19/400,910) is a separate primitive that runs alongside AERKey rather than inside it. It is an AI-driven continuous reserve verification system with a full audit cycle every 60 seconds. Results are cryptographically signed on-chain.
Three model classes run in parallel: an XGBoost fraud-detection ensemble, Isolation Forest anomaly detection (trained on more than 7 million on-chain transactions), and a quantile LSTM forecasting model for forward-looking anomaly projection. The system produces one of four output states: PASS, CAUTION, ALERT, or HALT, with automated treasury actions tied to each state. A HALT is not a manual decision; it is a protocol-level response to the audit result.
The relationship with AERKey: audit results are signed by the same threshold signing infrastructure. A fraudulent audit result cannot be produced without compromising the AERKey signing threshold. And an accurate audit result, once on-chain, cannot be retroactively altered without breaking the Merkle-anchored audit trail. The combination is intended to provide cryptographic proof of reserve status, rather than periodic attestation documents.
Academic lineage
The cryptographic ideas behind AERKey have a traceable academic history. Aeredium's white paper v3.7 documents this lineage explicitly.
Practical Byzantine Fault Tolerance (PBFT), published by Miguel Castro and Barbara Liskov in 1999, established that a distributed system could continue operating correctly even if a minority of its nodes behaved arbitrarily maliciously, as long as 2f+1 honest nodes were present (for a system tolerating f Byzantine faults). PBFT's limitation was the communication complexity required to detect and prove Byzantine behavior, which scaled poorly to large node sets.
TrInc (Trusted Incrementing), developed at MIT in 2009, introduced the concept of using trusted hardware to produce monotonically increasing counters as a Byzantine fault mechanism. Rather than detecting equivocation after the fact through complex coordination, TrInc made equivocation impossible by hardware enforcement. This was the conceptual predecessor to USIG.
USIG (Unique Sequential Identifier Generator), published in 2013, operationalized TrInc for practical BFT consensus. A hardware-attested counter per node means equivocation leaves a detectable hardware signature. Combined with MPC threshold signing, USIG is what allows Aeredium's TEE-BFT consensus to run with fewer nodes than standard PBFT requires, and what AERKey's USIG anti-equivocation relies on for the patent claim (USPTO 63/977,868 specifically covers the TSS-USIG combination).
The CGGMP24 protocol (from Canetti, Gennaro, Goldfeder, Makriyannis, and Peled, 2024) is the current threshold ECDSA implementation in production. CGGMP25 is the successor protocol, in active deployment across the AERKey network as of white paper v3.7.
How AERKey compares to standard institutional custody
The typical institutional custody platform uses MPC-CMP threshold signing. The architectural differences between a standard implementation and AERKey are worth documenting specifically, because they determine the actual trust assumption the institution is taking on.
Standard MPC-CMP custody implementation:
- 2-of-3 signing nodes operated by the custody vendor on vendor infrastructure; vendor holds majority signing control by construction
- Customer's node operates inside one cloud provider's enclave
- Remote attestation generated and validated by the vendor's own server
- Policy engine runs in the same trust domain as the signing code; they are separable
- Audit log stored by the vendor, accessible to the vendor
- Effective trust assumption: trust this custody vendor's infrastructure and operational integrity
AERKey:
- Signing nodes across multiple independent cloud providers in multiple continents; no single party holds majority control
- Hardware attestation open for independent third-party verification (any auditor, regulator, counterparty)
- Policy Engine runs inside the signing process; policy and signature are the same act, not separately compromisable
- USIG anti-equivocation enforced by hardware (USPTO patent moat; category cannot replicate without licensing)
- Audit log Merkle-anchored to AEREDIUM chain, then Bitcoin-anchored every ~200 seconds
- Effective trust assumption: trust open cryptography across three cloud hardware jurisdictions anchored to a public ledger
Cryptography prevents key extraction in both cases. The difference is where the trust is placed beyond that cryptographic layer. Standard MPC custody still routes meaningful operational trust through the vendor. AERKey routes trust through open hardware attestation and a public blockchain ledger.
Sources
Aeredium white paper v3.7 (May 2026)
The authoritative technical reference for all AERKey specifications, protocol versions, TEE platforms, audit trail mechanics, Privacy Layer architecture, and institutional use cases. Published May 2026.
USPTO provisional application 63/977,868
Patent application covering the TSS-USIG threshold signing architecture. Two additional patents cover AEREDIUM Audit (19/400,910) and AERLink/DACA (09857-P0001A).
Aeredium blog: "13,254 TPM per signing group" (May 17, 2026)
Published benchmark confirming linear scalability on a live production AERKey cluster. Source for the per-signing-group throughput figure cited in this guide.
Castro & Liskov: "Practical Byzantine Fault Tolerance" (OSDI 1999)
Foundational PBFT paper establishing the 2f+1 / 3f+1 tolerances that TEE-BFT with USIG improves upon.
Levin et al.: "TrInc: Small Trusted Hardware for Large Distributed Systems" (NSDI 2009)
The trusted hardware counter concept that became the basis for USIG anti-equivocation.
Veronese et al.: "Efficient Byzantine Fault Tolerance" (IEEE TC 2013)
The USIG specification that AERKey's anti-equivocation mechanism is derived from. The core contribution: hardware-attested monotonic counters make equivocation structurally impossible.
Frequently asked questions
What is AERKey?
AERKey is Aeredium's patented threshold signing system (USPTO 63/977,868). It splits a private key across multiple TEE hardware enclaves on multiple cloud providers so the key never exists as a single object at any point. Any threshold of shares produces a valid signature; any subset below the threshold reveals nothing about the key.
How is AERKey different from multi-sig?
Multi-sig requires multiple distinct on-chain signatures visible to the network. Each co-signer holds a complete private key. AERKey produces a single standard ECDSA signature that any target chain treats as a normal wallet signature. No co-signer holds a full key; each enclave holds a share that is cryptographically useless below the threshold.
What is USIG and why does it matter?
USIG is a hardware-attested counter inside each enclave. It makes equivocation (signing contradictory messages at the same block height) structurally impossible, which allows Aeredium's BFT consensus to require 2f+1 signing nodes rather than the 3f+1 standard BFT needs. It is also the specific mechanism covered by the USPTO patent.
Which cloud providers does AERKey use?
AWS Nitro Enclaves, Azure SEV-SNP, Google Cloud Confidential Space, and Intel TDX, all four in production. The trust assumption is that at least one of the three cloud providers (AWS, Azure, Google Cloud) is honest about what code is running inside its enclaves, and that attestation is independently verifiable by any counterparty.
Can AERKey sign on Bitcoin and Ethereum?
Yes. AERKey produces standard ECDSA signatures indistinguishable from regular wallet signatures on the target chain. This is how the Trans Layer achieves native cross-chain settlement across 10 confirmed chains without bridges or wrapped tokens.
What happens if one cloud provider goes offline?
AERKey is a threshold system: any qualifying subset of shares produces a valid signature. If one provider goes offline, signing continues across the remaining providers as long as a threshold of enclaves is operational. There is no fallback to a less secure signing path.
When does the Privacy Layer go live?
Layers 1 and 4 deploy at mainnet, confirmed for August 2026 per white paper v3.7. Layers 2, 3, and 5 are on the post-mainnet roadmap with no confirmed dates in the current white paper.
Is CryptoWisdomHub affiliated with Aeredium?
No. CryptoWisdomHub is independent and is not affiliated with, endorsed by, or operated by the official Aeredium project.