What is Multi-Party Computation (MPC)?
Multi-Party Computation (MPC) is a methodology of separating private keys into multiple parts. It's similar to Shamir's Secret Sharing (SSS) but in reverse - in SSS, a private key is generated and then split into distributable shards, but in MPC, shards are defined first and come together later to produce a private key signature. A benefit of both SSS and MPC is that they can't be identified on-chain - to observers, it just looks like a single signature.
MPC is often described as an alternative to standard multisignature. Although similar, they approach the challenge of signature aggregation differently:
Comparison to Multi-signature
From a functional point of view, multi-signature wallets, which use M-of-N keys per wallet, are similar to MPC based wallets, which use M-of-N parts of a key for a single signature wallet. The difference is that a multi-signature wallet will make use of distinct signatures generated by distinct private keys to secure the wallet, while MPC uses only creates a single signature regardless of the number of private key parts that participated.
MPC itself is a general methodology/framework, and many different protocol implementations exist.
How does MPC work?
MPC removes the concept of a single private key; such a key is never gathered as a whole, neither during the first creation of the MPC wallet nor during the actual signature. MPC follows a set of steps to guarantee that there is never a single point of compromise of the private key:
- Individual secrets are randomized by each of the several (always more than 3) endpoints – either servers or mobile devices. Those secrets are never shared with each other.
- The individual endpoints engage in a decentralized wallet creation protocol in which they compute the public key (wallet address) that corresponds to the set of individual private shares.
- When a signature on a blockchain transaction is requested, a quorum (at least 3) of endpoints engage in a distributed signature process where each one of the endpoints individually validates the transaction and policy and signs the transaction.
In a similar fashion to multi-sig, the MPC private key protection layer removes the single point of compromise from both external hackers and insiders – as the private key is never concentrated on a single device at any point in time.
Tradeoffs of MPC vs Multisignature
MPC attempts to address 2 main challenges inherent to multisignature:
Multisig is not protocol agnostic
Various cryptocurrency protocols support multisignature in some form, but it generally must be implemented in a way that is protocol-specific. This means that supporting multisignature across different coins usually requires maintaining several different implementations - and many coins don't support multisignature at all.
Multisig can be operationally inflexible
Multisignature wallets are preconfigured to work with a predefined set of signers, which limits the ability to augment those key quorums as operational dynamics change - e.g., adding/revoking key shares, changing signature thresholds, etc. To make these changes in a multisignature setup, a new wallet needs to be created according to those parameters, and funds must be swept to this new wallet. This can present challenges in a growing business with constantly evolving constraints.
In contrast, native multisignature enforces security at the protocol level, which reduces the attack surface and implementation complexity (assuming you don't try to support many different multisignature implementations across different coins). For platforms/apps where multiple digital assets are being supported, MPC is likely the better choice - it presents less engineering complexity with reasonable security. However, for bitcoin-only businesses, native bitcoin multisignature provides a better security profile, assuming operational challenges can be appropriately managed at the business level.
MPC based wallets introduce a significant problem not present with multi-signature wallets: accountability. With multi-signature wallets, it is always explicit which private keys are used to sign a transaction. This is important because individual private keys are often assigned to specific individuals and understanding who participated in signing a transaction is critical. However, with MPC based signatures, it is impossible to distinguish which of the key parts were used to sign the transaction. Once the MPC is complete — all signatures look identical.
Accountability may not sound like a huge drawback, but it is vital in monetary systems, especially when considering the differences in types of people and storage that are typically used for the independent parts of the keys:
- Key material may be stored by different people. If key material is stored by executives at a company (the CEO, CFO, CSO, etc), and 2 of them collude on an inside job, how will investigators know who perpetrated the crime? How would the innocent executives defend themselves when questioned about who signed the transaction?
- Key material may be stored at separate locations. If 3 private keys are required from storage in 5 locations, a critical part of forensics would be to know which of the locations had participated in the transaction.
- Multi-institutional Security
- Key material may be stored at separate companies. A common practice today is to provision backup keys with independent parties at independent companies. When the backup key can be specifically identified, as with multi-signature security, owners of funds are safe from theft by the backup holder. However, when accountability is eliminated with MPC, backup holders will be unwilling to hold backup keys, as it would be impossible to distinguish if the backup key holder had participated in a fraudulent transaction.
Many of today’s MPC implementers are using proprietary implementations and methods with limited or no public review. As Schneier on Security would say, “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.” Unfortunately, many cryptographic algorithms are never mathematically proven to work — rather, cryptographers rely on peer review and sufficient review time (measured in years or decades) before accepting an algorithm as trusted and secure. Because ECDSA MPC is so new, vendors are reluctant to share their algorithms, source code, and implementation details. Many patent applications have already been submitted by current implementations that might further restrict use of these tools. Lack of transparency and attempts to restrict access to these algorithms makes it impossible to verify correctness or security or predict possible licensing costs.
Multi-signature technology, by contrast, is tried-and-true; it utilizes well known, heavily scrutinized algorithms with multiple implementations. Multi-signature based wallets take on no additional cryptographic risk — they use the simple cryptographic algorithms that are the most heavily vetted and understood in practice.
Lack of Hardware Security Module (HSM) Support
Also troubling for MPC-based signatures is the lack of industry Hardware Security Modules (HSMs) that support the technology. While HSMs have been employed for decades by financial institutions to secure private key material, current HSMs do not offer support for the brand-new MPC cryptography. Security experts have long recognized that key material must be stored and accessed exclusively through HSMs in order to maintain basic security, and MPC is no different. The key material, or parts of keys, must be securely stored. If MPC implementers do not build customized HSMs for their technology, it is arguably less safe than single-key systems.
Combining MPC and Multisignature
Multisignature and MPC can actually be complementary when used in conjunction - individual keys in a corporate multisignature quorum can be generated and managed via MPC to get the best of both protocols. In that way, the signing quorum stays fixed, but additional flexibility/control can be incorporated at the individual key level. In other words, funds might be secured on-chain through multisig, but MPC can be used to control access to each one of those keys to facilitate securely sharing and rotating internal access to key shards.