Multi-Party Computation: The next generation of crypto security

Interoperability solutions have shown great promise in unlocking the potential of decentralized applications in our emerging multi-chain ecosystem. However, due to the high volumes of digital assets and critical data flowing across them, blockchain bridges are amongst the most targeted protocols in the web3 space. This leaves researchers hunting for more advanced security designs.

Multi-party computation (MPC) is one of the most interesting potential solutions. Secure MPC represents a powerful next step in digital asset security because it eliminates the risks of a single point of compromise.

Instead of relying on Multisig and other (older) key management methods that either expose relayer identities or introduce exploitable single points of failure, relayers would run a secure MPC ceremony each time a user wishes to bridge funds or transfer arbitrary data.

In this way, multi-party computation enables multiple parties to carry out a distributed computation of their secret inputs without revealing anything but the output.

This concept has been studied by academia for decades. Still, it's only recently become viable for real-world applications like Sygma, the interoperability layer for building cross-chain applications. Let's unpack how MPC works, what makes it unique, and why we chose to adopt it.

Threshold Signature Schemes Explained

Threshold Signature Schemes (TSS) are a type of digital signature protocol used in Multi-party Computation to authorize transactions. They are particularly useful for digital assets because they allow for the distribution of a private key to multiple parties, introducing redundancy into asset management security.

In other words, it enables a set of parties to perform certain cryptographic techniques, like signing transactions, while none of them holds a full private key. Instead, the key is split across the parties and can only be used when a subset of them—the size of which is larger than a certain threshold—combines their key shares.

Thanks to the homomorphic properties of the underlying scheme, a fully formed private key doesn't ever need to exist. FYI, “Homomorphism” is just a fancy math term—it means that operations like addition and multiplication work the same way on both unencrypted and encrypted data.

Privacy benefits via TSS

As an example, say a user sends encrypted financial data to the server, and it responds with an encrypted credit score that only they can decrypt. If that sounds interesting, see this article for more details and this library if you want to tinker with it.

Imagine you have a secret key sk and a special algorithm that can divide this key into n pieces such that \([ski]=\)share_key\((pk,n,t) \). Imagine now you want to sign a transaction m, so you apply a similar algorithm to get partial signatures \([si] = sign(m,[ski])\). Now, to reconstruct a valid signature, you would simply sum all partial signatures together \(s=s0+s1+…+si\) and call it a day.

You might've also noticed a third argument when we shared our key. Although the key is shared between n parties, we only need a threshold number of them to actually sign something. This is akin to a multisig scheme, which, interestingly, is just an emulation of threshold signatures using a high-level smart contract language like Solidity.

Costs of Multi-party Computation

Of course, multisigs come with a cost, where one would pay miners to process each call to the multisig contract. Conversely, threshold signatures are processed offchain, and only a single compact ECDSA signature needs to be transacted onchain once. ¹ Furthermore, such a signature won't leak anything about its signers, which secures them from targeted attacks and is great for privacy. ²

When discussing security, MPC algorithms generally provide guarantees based on the threshold number of corrupted parties a system can tolerate. ³

This places TSS in a unique position, as such schemes present the control of their robustness directly in the developer's hands. Furthermore, this allows it to withstand even the dishonest majority—an extreme state where adversaries can corrupt all but one participant. ⁴

You may already know about the blockchain's Scalability Trilemma and the Interoperability Trilemma of the cross-chain ecosystem. Let's introduce a third one for the MPC domain—the Threshold Trilemma. Below are the three properties that MPC protocols try to maximize, but can only have two of at the same time:

Risk minimization (robustness)

The higher the threshold value set, the harder it is for parties to collude against the system, e.g., forge a signature.

Fault tolerance (liveness)

The lower the threshold value compared to the total number of parties, the more unforeseen failures such a system can tolerate, such as a peer accidentally going offline.

Performance (latency)

The more parties the system employs, the more decentralized, secure, and reliable it would be, but at the expense of increasing performance overhead due to MPC's high communication complexity.

Balancing risk and performance

Generally, protocol engineers prefer to minimize risk first and then balance liveness and performance based on the chosen threshold. However, it's essential to base the threshold calculation on concrete metrics, such as the number of collateral nodes that would have to be staked or the amount of computation work needed for participation.

One last trick that can present an even greater degree of confidence in threshold cryptosystems is their unique “Key Reshare” mechanism, which allows parties from the old set to rotate key shares with new participants without changing the underlying public key. This helps bring new members into the signing group and, more importantly, stops hackers from gradually compromising different members over multiple sessions. ⁵

Practical applications of TSS today

There are many ways TSS is used today. Keyless wallets like ZenGo or Torus are making a more convenient and secure alternative—no more paper-written mnemonics or cloud-backed keys are needed. Instead, the wallet provider's server/nodes actively cooperate with the user to sign transactions.

The folks at Chainlink are using thresh-sigs to efficiently and verifiably aggregate data for their oracle network. Even some rollups like Skale Network are flirting with this technology, although instead of ECDSA, they use BLS signatures that require less MPC-intensive setup due to their elliptic curve pairing properties.

Probably the biggest beneficiaries of the TSS are a new generation of custodian services led by Fireblocks and Entropy. These companies aim to disrupt the way big institutions and foundations operate their escrows and treasuries.

Finally, threshold cryptography has great promise for various cross-chain applications. We designed Sygma as a new way for different blockchains to work together. We believe using MPC for relayer communication will strengthen security and significantly lower fees.