Multi-Party Computation (MPC) 101

Julia Wu
7 min readJul 23, 2022

--

It’s the hot new acronym on the street being popularized by giants like Coinbase and Fireblocks. A tool that could be used for building large-scale, privacy-preserving applications.

Simply put, MPC allows a group to compute something without revealing each participant’s private inputs.

MPC also enables “semi-custodial” wallets that serve as alternatives to fully non-custodial wallets with seed phrases.

This post aims to provide an initial view into MPC, but the rabbit hole can go very deep. For the curious, I’ve linked some additional resources at the end.

Intro to MPC

It’s been a big topic in cryptography since the 80s (Pioneered by Andrew Yao), and more recently applied to digital assets. The protocol remained mostly in academic and theoretical realms until computing power and algorithmic improvements in the 2000s made it possible to put it into practice.

As the name implies, the objective of MPC is to allow multiple parties to share the ability to compute some data. Several participants can hold a piece of private data, such as a partition of a private key. Each piece can be used to sign a transaction without revealing the entire private key, or even the individual shares.

Here’s a hypothetical use case, known as Yao’s Millionaires’ Problem (1982): Imagine 2 friends, Alice and Bob, who want to find out who is richer without revealing each person’s exact net worth (try with your friends at your own risk).

https://www.researchgate.net/figure/Millionaires-problem_fig1_320290997

In this scenario, the function to compute is:

F(x1,x2) = max(x1,x2)

Using MPC, the 2 millionaires can figure out who makes the most money without having to share exactly how much each person makes. Each person brings the data on their salary, and the function can indicate who gave the highest input.

The first large-scale commercial use case of MPC was in 2008 when the protocol was used during a sealed-bid auction for sugar beets in Denmark. The highest bidder wins the auction but pays the price proposed by the second highest bidder. MPC was used to keep the bid prices private while determining the rank of the bids.

Relevance to Key Management

When it comes to crypto wallets, one of the biggest issues today is how easy it is to lose or give away seed phrases. This becomes a single point of compromise.

With MPC, private keys no longer have to be stored in a single place — because MPC breaks up the key into pieces through distributed key generation. These pieces can be stored by multiple parties and in different places.

Individual secrets (private key shares) are randomized by a set of endpoints, either computers or mobile devices. The endpoints can compute the public key (wallet address) from the individual private shares — using only their portion of the private key! The whole “naked” key is never formed or revealed in one place.

When a transaction needs to be signed, the MPC protocol will summon each independent share owner to sign the transaction in a distributed, private manner.

Each party’s input is fed into a function. This input includes their secret share and a private message. The output is a signed message. The digital signature would look just as if it were done with a single private key. It is then sent to the blockchain network to approve a transaction.

MPC can be configured to require all or a threshold of key shares to be present at the same time, or to perform the computation in their own time.

Axelar Network: Security Measures

If a hacker wants to gain access to a wallet, they now have to find a way to access all parts of the key. It’s not enough to just get the key from an individual. In the case of organizations and teams, multiple people can now access a wallet without the ability of one person to run off with the funds.

Related: Threshold Digital Signatures

TSS is when a threshold of at least m out of n parties is required to produce a signature, thereby removing the need for trusting a single entity. This protocol can be combined with MPC to require a minimum number of signatures to approve a message.

Multi-sig vs. MPC

The difference between multi-sig and MPC is that, instead of 1 key being split up into multiple shares held by multiple parties (MPC), each party in a multi-sig has its own private key. For the transaction to succeed, a minimum threshold of signers needs to approve it.

https://docs.gnosis-safe.io/introduction/the-programmable-account/eoas-vs.-contract-accounts

With MPC, the signing process is distributed across multiple computers where each computer processes a piece of private data using a share of a single key. Together, the shares cooperate to sign transactions in a distributed manner.

A multi-sig wallet will create distinct signatures using distinct private keys, while MPC is a single signature from multiple shares of a private key.

For multi-sig to work, the blockchain needs to support it. But not all chains support multi-sig wallets, which usually come in the form of a smart contract. MPC uses the standardized cryptographic signature algorithm (ECDSA) which can be implemented by the vast majority of blockchains.

With multi-sigs, it is also not as easy to support dApps or most DeFi services because multiple signatures are required for a transaction to be approved — which is unlike the common flow of a single click on MetaMask.

Coinbase’s Pete Kim put it well:

“ A MPC-powered wallet (we call them dApp wallets), can support anything and everything a normal self-custody wallet can. Not just sending, receiving and trading, but also using dApps, DEXes, storing and trading NFTs, voting in governance, yield farming, web3 games, etc.”

Even though MPC would just output a single signature, it also has a more complex approval structure. MPC wallets may lack the ability to determine which key part was used to sign the transaction because all the key shares contribute to the same signature. With MPC wallets, there is also a lack of support from hardware security modules (HSM, aka hardware wallets).

Multi-sig example: Gnosis Safe

The Gnosis Safe allows users to define a list of owner accounts and a threshold of minimum signatures required to confirm a transaction. When the threshold is reached, a Safe transaction can be executed.

Multisigs require a minimum number of people to approve a transaction before it can be processed. If there are 3 stakeholders in a business, you can configure Gnosis so that approval needs to come from all 3 people for the transaction to succeed. It is also self-custodial.

To get started, you will need a signer wallet such as MetaMask. The Gnosis Safe itself does not hold a private key so it cannot sign or execute transactions.

https://gnosis-safe.io/static/df5a5bc44d16189df7e6b1cc9556a685/bc8e0/multisig.png

MPC In Use

Fireblocks

Serving 1300 large institutional players, Fireblocks offers a platform for digital asset custody that involves MPC wallets, token issuance/management, as well as access to defi. Its customers include banks, exchanges, lending desks, hedge funds, market makers, and other institutions.

One of Fireblocks’s customers, Revolut (5.5B valuation, one of the largest fintechs), is using Fireblocks MPC to introduce crypto services for 13M global retail customers. The infrastructure is used to provide secure payment rails for digital asset transfers. Through the MPC wallet, Revolut can add product lines and retail-facing capabilities that involve crypto.

ZenGo

ZenGo creates two key shares, one stored on your mobile device and the other on the ZenGo server. This means that ZenGo cannot access your funds, but users initiate a process in which the server and device shares will sign the transaction without revealing each party’s secret to one another.

https://zengo.com/a-deep-dive-into-zengo-guaranteed-access-solution/

Coinbase

Coinbase is launching a way for users to explore dApps without having to manage a recovery phrase, and using MPC to split up the key between users and Coinbase.

Conclusion

We are still in the early innings of MPC, but it is becoming a compelling choice for securing digital assets in a way that preserves user experience while avoiding the storage of an entire private key online, offline, or in a physical device (single point of compromise).

We have yet to see MPC wallets widely adopted and used for seamless on-chain interactions similar to MetaMask. However, it is very exciting to witness these efforts around solutions that enhance the security of users and organizations.

Sources & Further Reading

Deeper dives

--

--

Julia Wu

Building something new. Prev. eng at Brex, Apple, MSFT. More at juliawu.me