MPC-based Threshold Signature Explained
One of the foundational concepts in the operation of blockchains and cryptocurrencies is the digital signature. In abstract terms, a digital signature is a cryptographic scheme in which a hash of a message is encrypted using an entity’s private key to prove to a third party that the message originated from that entity. In the context of cryptocurrencies, this process starts with the user creating a crypto wallet (i.e., a private/public key pair) using an online service. For a user transaction to be accepted and included in the distributed ledger, the user first signs that transaction using their private key, and then some miner nodes verify that transaction and add it to the ledger.
Indeed, the protection of the private key is of paramount importance as any entity with access to the private key can sign a transaction and spend the cryptocurrencies of the original user.
Therefore, the effectiveness of protecting users’ crypto assets through digital signatures primarily depends on maintaining the secrecy of private keys. One of the earlier attempts to secure private keys is the use of secret sharing techniques. To achieve this, the private key is divided into shares stored on different servers, from which it can be reassembled to create the signature. Security is improved here because the shares are not kept on a single server; a malicious actor would need to compromise all servers to obtain the shares and reconstruct the signing key. However, one limitation of such a technique is that the loss of a single share (e.g., a server is damaged or compromised) undoes the benefit sought, as the key can never be reconstructed. In the case of cryptocurrencies, it means that the private key owner loses access to their crypto assets and can no longer sign any transactions. To tackle this problem, more advanced threshold-based sharing schemes have been introduced, such as Shamir Secret Sharing (SSS).
In SSS, the private key is still converted into shares once it is created; however, the scheme can be configured so that reconstructing the private key for signing requires only a specific number (the threshold) of those shares rather than all of them.
Threshold-based sharing schemes have introduced better security; however, they did not completely eliminate the ability of a malicious actor to compromise the key. Indeed, an attacker can still compromise the key on two occasions: when the key is generated, and when it is reconstructed for the signing process. For instance, in threshold-based SSS, the shares of the private key need to be regrouped on a single server before they can be used to create a signature. This creates a single point of compromise on the server where the key is reconstructed.
To overcome the aforementioned problem, the research community introduced the MPC (multi-party computation) scheme, in which multiple parties — each holding their own private data — can evaluate a computation (e.g., create a signature) without ever revealing any of the secret data held by each party. With MPC, the computation of the private key is shared among multiple parties, each of which independently computes its own share of the private key. The parties then communicate through a few rounds to create a signature without revealing their shares to each other. This ensures that the private key is never materialized in a single place; instead, it always exists in a completely “liquid” state, eliminating the single point of compromise. Under MPC, a malicious actor faces a far more difficult task in stealing the private key of a user’s wallet and taking control of it, as they now need to simultaneously attack multiple parties across different locations.
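The following added example (not code from the original post) puts the two approaches side by side: Shamir sharing of a signing key over a toy Schnorr group, classic reconstruction that regroups the shares in one place, and an MPC-style threshold signing in which each party only emits a partial signature, so neither the key nor the nonce is ever rebuilt. The group parameters (p = 23, q = 11, g = 4), the dealer-based nonce sharing, and the party ids are constructed assumptions for readability and offer no real security; a run also shows that two different qualifying subsets of shares produce the identical signature, which is the accountability issue raised under the disadvantages below.

```python
import hashlib
import random

# Toy Schnorr group (constructed for readability, no real security):
# g = 4 has prime order q = 11 in Z_23^*.
P, Q, G = 23, 11, 4

def shamir_split(secret, t, n):
    """Split secret (in Z_q) into n shares; any t of them reconstruct it."""
    coeffs = [secret] + [random.randrange(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of share i when interpolating f(0) over ids."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def shamir_reconstruct(shares):
    """Classic SSS: shares are regrouped in one place and the secret rebuilt."""
    return sum(s * lagrange_at_zero(i, shares) for i, s in shares.items()) % Q

def challenge(R, msg):
    h = hashlib.sha256(f"{R}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def threshold_sign(x_shares, k_shares, msg):
    """MPC-style signing: party i publishes R_i = g^k_i, then s_i =
    lambda_i*(k_i + e*x_i); the combiner only multiplies/sums. Neither x nor
    k is ever reconstructed (a real protocol also derives k jointly; a dealer
    shares it here for brevity)."""
    ids = list(x_shares)
    lam = {i: lagrange_at_zero(i, ids) for i in ids}
    R = 1
    for i in ids:                                  # round 1: nonce commitments
        R = R * pow(pow(G, k_shares[i], P), lam[i], P) % P
    e = challenge(R, msg)
    s = sum(lam[i] * (k_shares[i] + e * x_shares[i]) for i in ids) % Q  # round 2
    return R, s

def verify(y, msg, sig):
    """Standard Schnorr check against the public key y = g^x."""
    R, s = sig
    return pow(G, s, P) == R * pow(y, challenge(R, msg), P) % P
```

With a 3-of-5 split of x, `shamir_reconstruct` over shares {1,2,3} or {2,4,5} returns x, and `threshold_sign` over shares {1,2,3} or {3,4,5} with the same nonce shares returns the same (R, s) that `verify` accepts under g^x.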
The Disadvantages of MPC:
Despite its clear advantages when it comes to securing private keys, MPC has its own limitations including the following:
1. Signature Accountability
The introduction of MPC-based wallets raises a serious accountability issue. With non-MPC wallets it is always obvious whose private keys were used to sign a transaction, making it quite simple to identify the signers of a signed transaction. With MPC-based signatures, however, any qualifying combination of the shares always produces the same signature, making it impossible to discern which of the shares were used in signing the transaction.
2. Peer Review
Several MPC implementations in use today are proprietary and have not undergone sufficient public review or scrutiny, and several of the cryptographic algorithms used in such implementations have never been mathematically proven to work. In addition, MPC vendors tend to restrict access to their implementation details and source code, and several patent applications have already been filed, making it hard to verify the security or predict the licensing cost. By contrast, non-MPC methods (e.g., multi-signature technology) utilize well-scrutinized and well-vetted algorithms, so they come with no additional cryptographic risk.
3. High Computational and Communication Costs
It is well known that MPC-based techniques require substantial computational resources, as they rely on complex mathematical operations, including homomorphic encryption and zero-knowledge proofs, to achieve a high degree of security, which evidently reduces the performance of MPC protocols. This is further worsened by the need for several rounds of communication among the participating parties to create a signature.
If you want to get your hands dirty and experiment with one of the MPC implementations, visit this blog.