Hierarchical deterministic wallets are a solved problem on a single machine: a parent key derives a tree of child keys, and “hardened” derivation makes sure a leaked child key plus a chain code cannot be walked back up to the parent. The hard part — the part worth a patent — is doing the same thing when the parent key never exists in one place because it is split across multiple-party-computation (MPC) nodes. US12,362,918, granted to MetaLoop Inc. on July 15, 2025, claims exactly that narrow problem.

The independent claim recites deriving child private-key shares from parent private-key shares, not from a reconstructed parent. That distinction is the entire reason the patent exists. In an MPC custody setting, you cannot assemble the parent key to derive a child without defeating the point of the split. So the derivation itself has to run inside the computation, on shares, and still produce a child that is properly hardened and still refreshable.

The method includes deriving child private key shares from parent private key shares using hardened multiparty computation while maintaining key refresh properties.

Two limitations carry the weight. First, “while maintaining key refresh properties” — proactive secret sharing periodically re-randomizes the shares so that an attacker who compromises a node in one epoch learns nothing usable in the next. Naive child derivation can break this, because the derivation has to be deterministic enough to reproduce the child but not so static that it pins the shares. The claim insists the derivation coexist with refresh. Second, and more concretely, the method selects a random number generator G and a second random number generator G′, and derives child shares by computing an offset using G′.

That second generator is the recited novelty, and it is where claim scope lives. The patent is not a monopoly on “HD wallets in MPC” — a derivation that hardens via a single generator, or via a different offset construction, or that drops refresh compatibility, reads outside the claim. What MetaLoop fenced is the specific two-generator construction: G for the base derivation, G′ for the hardening offset, executed multiparty so the offset is applied to shares rather than to an assembled key. An accused system infringes only if it performs that G′-offset computation, not merely if it derives child keys in an MPC context.

The CPC placement is consistent and tight: H04L 9/0825 (public-key/encryption arrangements) and H04L 9/0869 (generation of secret information including keys, involving random number generators). Notably, this grant does not carry the H04L 9/50 blockchain-specific class that custody backup patents often do. That is a small but real signal: the claim is written as a cryptographic-primitive improvement — hardened derivation on shares — rather than as a blockchain-application filing. It would read on any system using this derivation, on-chain or not, which is both broader in domain and narrower in mechanism than a chain-tagged claim.

It helps to be concrete about why the two-generator framing is not arbitrary. In standard single-machine hardened derivation, the child is computed by feeding the parent private key and an index through a one-way function so the relationship cannot be reversed. You cannot do that directly on shares without either reconstructing the parent — forbidden here — or finding a construction where the hardening offset can be applied to each share independently and still produce shares of the correct child. The second generator G′ is the device that lets the offset be computed in a way the parties can apply locally to their shares while the result remains a valid sharing of a properly hardened child. Whether or not a competitor lands on the same trick, the claim is tied to this trick; that is the difference between owning a goal and owning a method.

A scope reader should also resist over-reading the refresh limitation. "Maintaining key refresh properties" is recited as a property the method preserves, not as a separately claimed refresh protocol. The patent is not fencing proactive secret sharing — that predates it by decades. It is fencing a derivation that does not break refresh. An accused system that derives child shares in some way wholly incompatible with refresh would, ironically, fall outside the claim for failing to meet a limitation, which is a reminder that limitations cut both ways: they narrow the patent and they define the exact target an infringer would have to hit.

For a portfolio reader, the value here is the wedge it represents. Custody vendors compete partly on key management ergonomics: can you give an institutional client a clean address hierarchy — one wallet per desk, per fund, per purpose — without ever materializing the master key and without breaking your proactive-refresh security model? MetaLoop's grant stakes a position on one answer to that. The inventors named, Xiangjun Li, Yijie Bei, and Ryan Lehmkuhl, are working the cryptographic primitive itself, not the application skin around it.

The honest scope assessment: this is a useful, real, and genuinely narrow grant. It does not stop a competitor from offering hierarchical MPC wallets; it stops them from offering this particular hardened-derivation construction with a second generator computing the offset. As always on this beat, “patented” is not a synonym for “novel” or “blocking” — it is a question of claim scope, and claim 1 here draws a precise line. The canonical record, with the full claim set, is deep-linked above; read the limitation yourself before crediting any “we own MPC derivation” marketing.