# Security & Technology

Vultisig's security is built on Threshold Signature Schemes (TSS), a form of Multi-Party Computation (MPC) that eliminates single points of failure. This section explains the cryptographic foundations and technical processes that secure your assets.

***

## Core Concepts

### No Private Key Ever Exists

Unlike traditional wallets, Vultisig never constructs a complete private key. Instead, cryptographic operations are performed across distributed vault shares using zero-knowledge proofs. Even during signing, the key remains split—only the signature is assembled.

### Threshold Security

Vultisig uses a `t`-of-`n` threshold model. For a 2-of-3 vault, any 2 devices can sign, but no single device can act alone. This provides both security (no single point of compromise) and redundancy (one device can be lost).
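
A toy illustration of the two concepts above, added here and not Vultisig's own code: three simulated parties run a dealerless key generation so the joint key is never computed, any 2 of the 3 shares determine it, and a single share is consistent with every possible key. It assumes Shamir-style polynomial shares over the secp256k1 group order, since this page does not describe Vultisig's share format, and all function names are hypothetical.

```python
import secrets

# Assumption: shares live in the field of the secp256k1 group order (a prime).
Q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def dealerless_keygen(t, n):
    """Simulate n parties in one process. Party i picks a random polynomial
    f_i of degree t-1 and sends f_i(j) to party j; party j's share is the
    sum of what it receives. The joint key is sum(f_i(0)), which no party
    ever computes or holds."""
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    shares = {j: sum(poly_eval(p, j) for p in polys) % Q
              for j in range(1, n + 1)}
    return shares, polys  # polys are returned only so a check can verify the math

def lagrange_at_zero(ids, i):
    """Lagrange coefficient of party i for interpolation at x = 0."""
    num = den = 1
    for j in ids:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def interpolate(subset):
    """Value at x = 0 of the lowest-degree polynomial through {id: share}."""
    ids = list(subset)
    return sum(subset[i] * lagrange_at_zero(ids, i) for i in ids) % Q

def share_consistent_with(share_id, share_val, candidate_key):
    """For a 2-of-3 vault: return a second (id, share) that would make
    candidate_key the joint key. One always exists, so a lone share
    rules out no key at all."""
    other = share_id % 3 + 1
    slope = (share_val - candidate_key) * pow(share_id, -1, Q) % Q
    return other, (candidate_key + slope * other) % Q
```

`interpolate` is here only to check the threshold property; a threshold signing protocol uses the shares without ever evaluating it.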

***

## TSS Protocols

Vultisig supports two TSS protocols:

| Protocol                                                                                         | Status  | Signing Rounds | Speed        |
| ------------------------------------------------------------------------------------------------ | ------- | -------------- | ------------ |
| [GG20](https://docs.vultisig.com/security-and-technology/security-technology/how-gg20-works)     | Legacy  | 6 rounds       | Baseline     |
| [DKLS23](https://docs.vultisig.com/security-and-technology/security-technology/how-dkls23-works) | Current | 3 rounds       | 5-10x faster |

New vaults use DKLS23 by default. Existing GG20 vaults can be [upgraded](https://docs.vultisig.com/app-guide/vault-management/vault-upgrade).

***

## Key Operations

| Operation          | Description                            | Guide                                                                                            |
| ------------------ | -------------------------------------- | ------------------------------------------------------------------------------------------------ |
| **Key Generation** | Creating vault shares across devices   | [TSS Actions](https://docs.vultisig.com/security-and-technology/security-technology/tss-actions) |
| **Key Signing**    | Threshold devices signing transactions | [Keysign](https://docs.vultisig.com/security-and-technology/security-technology/keysign)         |
| **Re-sharing**     | Adding/removing devices from a vault   | [TSS Actions](https://docs.vultisig.com/security-and-technology/security-technology/tss-actions) |

***

## Security Comparisons

Understanding how Vultisig compares to alternative approaches:

* [Difference to Multi-Signatures](https://docs.vultisig.com/security-and-technology/security-technology/difference-to-multi-sig) — Why TSS is superior to traditional multi-sig
* [Difference to Passkeys](https://docs.vultisig.com/security-and-technology/security-technology/difference-to-passkeys) — Why passkeys aren't suitable for crypto

***

## Emergency Procedures

In the unlikely event that Vultisig software becomes unavailable, vault shares can be recombined to extract a traditional private key:

* [Emergency Recovery](https://docs.vultisig.com/security-and-technology/security-technology/emergency-recovery) — Last-resort key extraction

{% hint style="danger" %}
Emergency recovery permanently converts a TSS vault to a single-signature wallet. Only use if Vultisig software is completely unavailable.
{% endhint %}

***

## Technical Deep Dives

{% content-ref url="security-technology/how-dkls23-works" %}
[how-dkls23-works](https://docs.vultisig.com/security-and-technology/security-technology/how-dkls23-works)
{% endcontent-ref %}

{% content-ref url="security-technology/how-gg20-works" %}
[how-gg20-works](https://docs.vultisig.com/security-and-technology/security-technology/how-gg20-works)
{% endcontent-ref %}

{% content-ref url="security-technology/tss-actions" %}
[tss-actions](https://docs.vultisig.com/security-and-technology/security-technology/tss-actions)
{% endcontent-ref %}

{% content-ref url="security-technology/keysign" %}
[keysign](https://docs.vultisig.com/security-and-technology/security-technology/keysign)
{% endcontent-ref %}
