# Mercury Architecture
# Mercury server architecture
The lockbox is an application separate from the main Mercury server. It performs all server private key share generation and operations, and stores the server private key shares in a secured way (sealed). The main server application handles all communication with user wallets, all statechain (proof and commitment) operations and the backup system (watching). The main server (which can be replicated) calls the Lockbox server whenever a private key share operation is required. These operations are:
- Server key share generation, verification and pubkey derivation upon user deposit (
- Backup transaction co-signing on both deposit and transfer (
- Key share transfer, update and deletion. (generation of
s2share update and deletion in
To provide additional protection against malicious access to the unprotected server and physical access to the lockbox machine, the lockbox enclave can also verify any transaction it signs, to ensure that nLocktime is decremented correctly (storing the latest nLocktime state for each key share). The transaction pre-image and sighash would be deserialised within the enclave and verified.
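The per-key-share nLocktime check described above can be sketched as follows; this is an added example, not Mercury's own code. It assumes the pre-image is a BIP143 sighash pre-image already checked to hash to the sighash being signed, that locktimes are block heights, and that the first request for a key share sets its initial state; `LocktimeGuard`, `authorize`, `sample_preimage` and the 144-block step are hypothetical.

```rust
use std::collections::HashMap;
// Bitcoin reads nLockTime values at or above this as Unix times, not block heights.
const LOCKTIME_THRESHOLD: u32 = 500_000_000;

#[derive(Debug, PartialEq)]
pub enum Reject { ShortPreimage, NotBlockHeight, NotDecremented { previous: u32, requested: u32 } }

/// Assumption: `preimage` is a BIP143 sighash preimage, which ends with
/// nLockTime (4 bytes LE) followed by the sighash type (4 bytes LE).
pub fn preimage_locktime(preimage: &[u8]) -> Result<u32, Reject> {
    let n = preimage.len();
    if n < 156 { return Err(Reject::ShortPreimage); } // fixed-size fields alone are 156 bytes
    let mut b = [0u8; 4];
    b.copy_from_slice(&preimage[n - 8..n - 4]);
    Ok(u32::from_le_bytes(b))
}

/// Hypothetical enclave-side state: latest approved nLocktime per key share.
pub struct LocktimeGuard { latest: HashMap<String, u32>, min_decrement: u32 }

impl LocktimeGuard {
    pub fn new(min_decrement: u32) -> Self { Self { latest: HashMap::new(), min_decrement } }
    /// Approve co-signing only if the locktime dropped by at least `min_decrement`.
    pub fn authorize(&mut self, share_id: &str, preimage: &[u8]) -> Result<u32, Reject> {
        let requested = preimage_locktime(preimage)?;
        if requested >= LOCKTIME_THRESHOLD { return Err(Reject::NotBlockHeight); }
        if let Some(&previous) = self.latest.get(share_id) {
            let ceiling = previous.checked_sub(self.min_decrement); // None: no room left to decrement
            if ceiling.map_or(true, |c| requested > c) {
                return Err(Reject::NotDecremented { previous, requested });
            }
        }
        self.latest.insert(share_id.to_string(), requested); // state changes only on approval
        Ok(requested)
    }
}

/// Constructed sample: zero-filled 182-byte preimage with only the trailer set.
pub fn sample_preimage(locktime: u32) -> Vec<u8> {
    let mut p = vec![0u8; 174];
    p.extend_from_slice(&locktime.to_le_bytes());
    p.extend_from_slice(&1u32.to_le_bytes()); // SIGHASH_ALL
    p
}

fn main() {
    let mut guard = LocktimeGuard::new(144); // 144-block step is an assumed value
    println!("{:?}", guard.authorize("share-a", &sample_preimage(800_000)));
}
```

In a sealed deployment the `latest` map would be persisted with the key shares, so that restarting the enclave does not reset the recorded nLocktime state.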
Schematic of the Mercury statechain infrastructure.