MPC 101
What is MPC (Multi-Party Computation)?
If you’re in the institutional digital asset space, you’ve probably heard about MPC (multi-party computation). While MPC theory has been around since the early ’80s, it first entered the digital asset space just a few years ago; since then, MPC has become one of the primary technologies wallet providers and custodians are utilizing to secure crypto assets.
But what is MPC? How does it work, and what benefits does it have? We’ll walk you through everything you need to know about multi-party computation and its role in digital asset security today.
Let’s start with an introduction to cryptography in general to get a better understanding of MPC’s origins.
A (Very) Brief Introduction to Cryptography
The field of cryptography provides its users with a method for:
- sending messages that only the intended receiver of the message will understand
- preventing unauthorized third parties from reading them in case of interception
- verifying the authenticity and integrity of digital messages from a known sender
Though cryptography stretches as far back as the ancient Egyptians, one of the most famous modern examples is the Enigma machine – a device used by the Germans to send encrypted messages during WWII which was finally cracked by the British mathematician, Alan Turing.
Whereas cryptography was once primarily the concern of government and military agencies, in the internet era cryptography plays an increasingly central role in the way we all transfer information.
While the idea behind cryptography can appear simple, the field does include some extremely complex math. In essence, messages are scrambled, or “encrypted,” by a secret recipe (or algorithm) that hides the information contained within it. This way, should the encrypted message be stolen or intercepted by a malicious or non-trusted third party, they will be unable to understand, see or alter the information the message holds. Instead, the only one who can read that message correctly is the one who knows how the message was encrypted and thus holds the key to unscramble, or “decrypt,” it.
Encrypted Message: HZZO HZ VO OCZ KJNO JAADXZ
Secret Algorithm: *use the letter which is five letters preceding the ‘real message’ letter*
ABCDEFGHIJKLMNOPQRSTUVWXYZ
Decrypted Message: MEET ME AT THE POST OFFICE
This ‘Caesar cipher’ utilizes very simple math to demonstrate the concept of encryption. However, it is known to be broken. To securely encrypt information, more advanced math is required.
In the world of blockchain, the “message” being transferred is a digital asset, and the “key” to that digital asset is essentially the decryption tool used to receive that digital asset.
That key itself – known as the “private key,” as access to a digital asset requires both a publicly known cryptographic key and a related private one – must be kept safe, as anyone who knows the private key can move the asset to their own wallet. This is where MPC comes in: it’s one of the most powerful tools for protecting private keys.
What is MPC (multi-party computation) and how does it work?
In a general sense, MPC enables multiple parties – each holding their own private data – to evaluate a computation without ever revealing any of the private data held by each party (or any otherwise related secret information).
The two basic properties that a multi-party computation protocol must ensure are:
- Privacy: The private information held by the parties cannot be inferred from the execution of the protocol.
- Accuracy: If a number of parties within the group decide to share information or deviate from the instructions during the protocol execution, the MPC will not allow them to force the honest parties to output an incorrect result or leak an honest party’s secret information.
In an MPC, a given number of participants each possess a piece of private data (d1, d2, …, dN). Together, the participants can compute the value of a public function on that private data: F(d1, d2, …, dN) while keeping their own piece of data secret.
For example, let’s imagine three people, John, Rob, and Sam, want to find out who has the highest salary without revealing to each other how much each of them makes – this is actually a classic example of multi-party computation, known as The Millionaire’s Problem. Using simply their own salaries (d1, d2, and d3), they want to find out which salary is the highest and not share any actual numbers with each other. Mathematically, this translates to them computing:
F(d1,d2,d3) = max(d1,d2,d3)
If there were some trusted third party (i.e. a mutual friend who they knew could keep a secret), they could each tell their salary to that friend and find out which of them makes the most, AKA F(d1,d2,d3), without ever learning the private info. The goal of MPC is to design a protocol, where, by exchanging messages only with each other, John, Rob, and Sam can still learn F(d1,d2,d3) without revealing who makes what and without having to rely on an external third party. They should learn no more by engaging in the MPC than they would have by interacting with their trustworthy mutual friend.
History and Applications of MPC
MPC’s (multi-party computation) initial development began in the ’80s – a fairly recent breakthrough within the world of cryptography.
Up until that point, the majority of cryptography had been about concealing content; this new type of computation focused instead on concealing partial information while computing with data from multiple sources.
- 1982 – Secure two-party computation is formally introduced as a method of solving The Millionaire’s Problem
- 1986 – Andrew Yao adapts two-party computation to any feasible computation
- 1987 – Goldreich, Micali, and Wigderson adapt the two-party case to multi-party
- 1990s – Study of MPC leads to breakthroughs in areas including universal composability (pioneered by Fireblocks cryptography advisor Ran Canetti) and mobile security
- 2008 – The first large-scale, practical application of multi-party computation – demonstrated in an auction – takes place in Denmark
- Late 2010s – MPC is first utilized by digital asset custodians and wallets for digital asset security
- 2019 – Debut of MPC-CMP, the first 1-round, automatic key-refreshing MPC algorithm
Today, MPC is utilized for a number of practical applications, such as electronic voting, digital auctions, and privacy-centric data mining. One of the top applications for multi-party computation is for securing digital assets – and recently, MPC has become the standard for institutions looking to secure their assets while retaining fast and easy access to them.
Why is MPC becoming the standard for digital asset security?
To utilize your digital assets, you need a public key and a private key; your ability to safely hold and transfer the asset itself is only guaranteed as long as the private key is safe. Once that key is in someone else’s hands, they can transfer the assets to their own wallet. Therefore, preventing the theft of private keys is crucial to maintaining digital asset security.
Historically, there have been a few primary options for securely storing private keys. These options tend to fall into either hot, cold, or hardware based storage.
- Cold Storage – Private key is held offline
- Hot Storage – Private key is held online
- Hardware Wallet – Private key is held offline on a physical device
While these tools were at one point the only options for digital asset storage, certain operational and security inefficiencies in each have led to the rise of new solutions, such as multi-party computation. Importantly, MPC is strong for not only digital asset storage, but digital asset transfers, as well – and as the digital asset market has developed and grown, so has the need for a security tool that enables fast transfers and advanced business strategies.
Cold Storage
One way to reduce the exposure to digital asset loss is by storing funds in cold storage.
Cold storage enables a user to sign a transaction with their private keys in an offline environment. Any transaction initiated online is temporarily transferred to an offline wallet kept on a device such as an offline computer, where it is then digitally signed before it is transmitted to the online network. Because the private key does not come into contact with a server connected online during the signing process, even if an online hacker comes across the transaction, they would not be able to access the private key used for it.
However, there are several issues with cold storage:
- For a contemporary digital asset business that’s actually trading assets with any frequency, it is too slow to trade from – often taking between 24 to 48 hours to make a transfer
- It does not protect against deposit address spoofing or credential theft
Hardware Wallet
Another method of securely storing private keys is the hardware wallet. Hardware wallets are external devices where you store your private keys, such as a USB stick. Hardware wallets are resilient to malware, and if you happen to lose the wallet you’ll be able to recover the funds using a seed phrase. On the other hand, if you lose the seed phrase, there is no other way of recovering your bitcoin.
Like cold storage solutions, hardware wallet solutions lack the speed that today’s digital asset businesses require.
Hot Wallets
Alternatively, storing funds in a hot wallet is cumbersome due to error-prone copy-pasting of addresses, ever-changing whitelists, and constant 2FA rituals.
Some hot wallets utilize multisignature, or multisig, technology to divide private keys into multiple shares. Unfortunately, multi-sig is not protocol-agnostic (meaning it’s not compatible with all blockchains), and lacks the operational flexibility to support growing teams.
As a result, the best solution is one that offers both operational and institutional security requirements to store the private key safely while at the same time not hindering operational efficiency.
Learn more about hot wallets vs cold crypto wallets on our blog.
MPC for Private Key Security
With MPC, private keys (as well as other sensitive information, such as authentication credentials) no longer need to be stored in one single place. The risk involved with storing private keys in one single location is referred to as a “single point of compromise.” With MPC, the private key is broken up into shares, encrypted, and divided among multiple parties.
These parties will independently compute their part of the private key share they hold to produce a signature without revealing the encryption to the other parties. This means there is never a time when the private key is formed in one place; instead, it exists in a fully “liquid” form.
Ordinarily, when a single private key is stored in one place, a wallet’s owner would need to trust that the device or party that holds that private key is completely secure. Such a device could be an HSM or, less securely, a crypto exchange that essentially holds the customer’s private keys on their behalf.
However, these parties have proven themselves to be vulnerable. When an attacker only needs to succeed in hacking one point of compromise to steal a private key, it leaves the digital assets that key unlocks wide open to theft.
Multi-party computation does away with this problem, as the private key is now no longer held by any one party at any point in time. Instead, it is decentralized and held across multiple parties (i.e. devices), each blind to the other. Whenever the key is required, MPC is set in motion to confirm that all parties, or a predetermined number of parties out of the full set, approve of the request.
With MPC technology in play, a potential hacker now has a much harder task ahead of them. To gain control over a user’s wallet, they now need to attack multiple parties across different operating platforms at different locations simultaneously.
The multi-party computation solution then solves the problem of secure key storage. As the key no longer resides in one single place, it also allows more personnel to access a wallet without the risk of any of them turning rogue and running off with the digital assets it contains.
In addition, with the private key completely secure, users can now hold their assets online and no longer need cumbersome cold-storage devices. This means that transferring digital assets is now more fluid and no compromise is required between security and operational efficiency.
Types of MPC Algorithms
Given its inherent properties, multi-party computation, in and of itself, is a powerful tool for securing digital assets. However, not all MPC algorithms are created equal. Today, many institutions that are using MPC employ algorithms such as Gennaro and Goldfeder’s algorithm (MPC-GG18); while protocols like this one are still considered the industry standard by many, it doesn’t reach as high of a level of efficiency, security, or operational flexibility as certain new MPC algorithms are able to achieve.
To effectively run a profitable digital asset business in today’s ever-changing market or execute high-volume withdrawal requests for a large retail customer base, financial institutions (such as exchanges, lending providers, and banks) require instant and secure access to funds.
However, due to a complex regulatory environment, many of these institutions are forced to operate with secure but slow cold storage solutions. So, the compatibility of an algorithm with cold storage is another important factor to consider when evaluating MPC algorithms.
The Gennaro and Goldfeder MPC Algorithm
Gennaro and Goldfeder’s algorithm is currently one of the top MPC algorithms available, and many institutions that protect their private data using MPC utilize this algorithm.
However, with Gennaro and Goldfeder’s algorithm, the communication latency between the MPC-shares (the devices that hold the key shares) doesn’t reach the highest level of efficiency – as it requires users to wait for transactions to undergo up to 9 signature rounds.
In addition, Gennaro and Goldfeder’s algorithm doesn’t offer any flexibility for institutions that need to use cold storage.
The Lindell et al. Multi-party Computation Algorithm
Lindell et al. offers a slight decrease in the number of transactions that need to be signed from Gennaro and Goldfeder, at 8. However, this still doesn’t reach the level of operational efficiency necessary for today’s markets.
Like Gennaro and Goldfeder, Lindell et al. does not offer support for cold storage. In August 204, Fireblocks Researchers Uncover Vulnerabilities Impacting Dozens of Major Wallet Providers.
The Doerner et al. MPC Algorithm
Doerner et al.’s MPC algorithm accomplishes a threshold using just 6 signatures. Yet, again, the level of efficiency that’s possible with today’s technology is still higher than this.
And like the previous two algorithms, Doerner et al. can’t provide solutions for institutions that are looking to use cold storage in tandem with MPC.
MPC-CMP: The Newest Innovation in MPC
Building off of the groundwork laid by Gennaro and Goldfeder, the Fireblocks cryptography team (in collaboration with Professor Ran Canetti, the founder of the universal composability security model) recently developed and released a new algorithm, MPC-CMP. MPC-CMP enables digital asset transactions to be signed in just 1 round, meaning that it offers the fastest transaction signing speeds of any MPC algorithm by 800%.
MPC-CMP also solves the challenges faced by businesses looking to use cold storage in tandem with multi-party computation by allowing hot and cold key signing mechanisms – with at least one key share stored offline in an air-gapped device.
This introduces new configuration possibilities for institutions in regions with specific regulations around cold storage and strengthens the security of MPC wallets by adding a key refresh mechanism (minutes-long intervals). While traditional cold wallets require physical proximity and trust for certain employees to operate these wallets without making an error or acting maliciously, MPC-CMP operationalizes cold wallets – creating a solution for today’s high-paced crypto markets.
With the new algorithm, we’ve introduced a new security feature that ensures MPC key shares are automatically refreshed in minutes-long intervals. That means a malicious actor only has a few moments to steal all the key shards before the shares are refreshed and they have to start over – effectively adding a new layer of protection to our multi-layered security system.
MPC is open-source and peer-reviewed. We will not be applying for patents on MPC-CMP. That means all digital asset custodians and MPC vendors can access our new protocol and use it for free. In addition, the algorithm is universally composable, guaranteeing strong security properties for any implementation out-of-the-box. Universally composable cryptographic protocols are important to practical implications of new cryptography, as they remain secure even when arbitrarily composed with other protocols – and guarantee that even when multiple transactions are concurrently signed in parallel, security is not compromised.
Algorithm | Transaction Rounds | Universally Composable | Cold Storage Compatible | Peer-Reviewed | Open-Source |
Gennaro and Goldfeder | 9 | No | No | Yes | Yes |
Lindell et al. | 8 | No | No | Yes | No |
Doerner et al. | 6 | No | No | Yes | No |
MPC-CMP | 1 | Yes | Yes | Yes | Yes |
What’s next for MPC?
MPC has quickly become the standard for securing digital assets. Major financial institutions – including BNY Mellon (the largest global custodial bank) and Revolut (Europe’s largest neobank), have announced their transition to MPC. But in 2021, multi-party computation is only one part of the equation for digital asset security.
As we’ve seen over the years, the best defense against cybercriminals is a multilayered one that can provide redundancy in the event that one of the security controls fails. That’s why today’s institutions require a security system that layers MPC alongside numerous other software and hardware defenses to make breaking in highly expensive and nearly impossible.
At Fireblocks, our “defense-in-depth” security system fulfills these requirements, utilizing Intel SGX chip-level hardware isolation, distribution of sensitive information across multiple tier-1 cloud providers, and a highly customizable policy engine in addition to MPC. Today, we’re using MPC-CMP – the fastest and most secure MPC algorithm currently available – adding a new degree of flexibility to the equation (including the ability to sign an MPC from a hardware storage device).
Learn more about why MPC technology is the future of digital asset security on our blog.