MPC Explained: The Bold New Vision for Securing Crypto Money

key-ring-e1506017749285
10 June 2019

Michael J. Casey is the chairman of CoinDesk’s advisory board and a senior advisor for blockchain research at MIT’s Digital Currency Initiative.

The following article originally appeared in CoinDesk Weekly, a custom-curated newsletter delivered every Sunday exclusively to our subscribers.


Advances in cryptography are converging to help developers bring blockchain applications closer to the core decentralizing principles on which this technology is founded.

Inventions such as atomic swapszk-SNARKS and Lightning-based smart contracts are allowing developers to realize the dream of true peer-to-peer transactions in which neither party, nor an outside intermediary, can act maliciously. Witness the rising number of non-custodial and decentralized exchange (DEX) services for trading crypto assets.

This is exciting. But it also shines a light on another big problem that has curtailed the widespread adoption of cryptocurrency and blockchain technology: secure key management.

For too long, the most reliable means of protecting the private keys that afford the holder control over an underlying crypto asset have been too clunky, insufficiently versatile, or difficult to implement on scale. User experience has been sacrificed in return for security.

Now, some big strides in another hugely important field of cryptography – secure multiparty computation, or MPC – point to a potential Holy Grail situation of both usability and security in a decentralized system.

A keyless wallet

Progress in this field was marked last week by Tel Aviv-based KZen’s public announcement of the specs for its new ZenGo wallet. ZenGo uses MPC, along with other sophisticated cryptographic tools such as zero-knowledge proofs and threshold cryptography, to share signing responsibility for a particular cryptocurrency address among a group of otherwise non-trusting entities.

The beauty of the KZen model is that security is no longer a function of one or more entities maintaining total control over a distinct private key of their own – the core point of vulnerability in cryptocurrency management until now. Instead the key is collectively derived from individual fragments which are separately generated by multiple, non-trusting computers.

The model draws on the genius of MPC cryptography.

With this approach, multiple non-trusting computers can each conduct computation on their own unique fragments of a larger data set to collectively produce a desired common outcome without any one node knowing the details of the others’ fragments.

The private key that executes the transaction is thus a collectively generated value; at no point is a single, vulnerable computer responsible for an actual key. (KZen’s site includes a useful explainer on how it all works.)

KZen is not the only provider of MPC solutions for blockchain key management. Unbound, another Israeli company, is going after the enterprise marketplace with its MPC solutions for crypto security.

Unbound’s prolific (if blatantly pro-MPC) blog offers different angles on the same argument.

It makes a repeated case for why MPC is superior to the two preferred approaches to crypto security of the moment: hardware security modules (HSM), on which hardware wallets like Ledger and Trezor are built, and multi-signature (multisig) technologies, which are favored by exchanges.

Attacking the trade-offs

If KZen and Unbound are to be believed, MPC solutions resolve both the hot-versus-cold trade-off in key management and the dilemma of self-versus-managed custody.

Cold wallets, in which keys are stored in an entirely offline environment out of attackers’ reach, are quite secure so long as they remain in that offline state. (Though you really don’t want to lose that piece of paper on which you printed out your private key.)

But bringing them into a transactable, online environment poses an overly cumbersome challenge when you want to use those keys to send money. That’s perhaps not a problem if you’re just a HODLer who transacts rarely but it’s a serious limitation to blockchain technology’s prospects for transforming overall global commerce.

On the other hand, hot wallets have, until now, been notoriously vulnerable.

Whether it’s the relentless “SIM jack” attacks on people’s phones that are emptying out both hosted (third-party custodial) wallets and on-phone self-custody holdings, retail participants’ horror stories are legion. And, of course, we all know the stories of custodial exchanges being hacked – from Japan, to Hong Kong, to Canada, to  Malta.

At the same time, the solution that regulated institutional investors are currently seeking – that custodians and exchanges build Fort Knox-like “military-grade” custody solutions  – inherently contain a compromise.

Not only does this approach fail to resolve the dependence on a third-party, but there are serious doubts about whether any such solution can be forever safe from hackers, who are constantly improving their methods for getting over firewalls. In best-case scenarios, the constant IT upgrades becomes a massive money suck.

Alternative to HSMs and multisig

None of this is not to say that existing security technologies are useless.

Ledger and Trezor’s hardware devices – a more nimble form of cold wallet – are widely used by individuals who are uncomfortable with both external third-party custody and online, on-device self-custody wallets. And, separately, multi-signature (multisig) solutions, in which an m-of-n quorum of keys are required to execute a transaction, have proven robust enough to be used by most exchanges.

But in both cases, vulnerabilities have been exposed. And to a large extent those risks come down to the fact that, regardless of the surrounding security model’s sophistication, the all-important keys are always sitting at single points of failure.

Just last week, researchers demonstrated how they could hack into a remote hardware security module. The irony: the researchers were from Ledger, which relies on HSM to secure its customers’ keys.

Multisig models arguably offer protections across such attacks, because a breach requires simultaneous control of more than one key held in separate locations, but the fact is that multisig solutions have also failed because of both technical and human vulnerabilities (inside jobs).

What’s more, both solutions are inherently limited by the need to customize them to particular specifications or ledgers. Crypto developer Christopher Allen pointed out last week , for example, that HSMs are particularly constrained by the fact that they are defined by government standards.

And in each case, the ledger-specific design of the underlying cryptography means there is no support for the kind of multi-asset wallets that will be needed in a decentralized interoperable world of cross-chain transactions.

By contrast, KZen is boasting that its key-less wallet will be a multi-ledger application from day one.

Challenges and opportunities

To be sure, MPC remains unproven in a practical sense.

For some time, the heavy resources needed to carry out these network computing functions made it a challenging, costly concept to bring into real-world environments. But rapid technical improvements in recent years have made this sophisticated technology a viable option for all kinds of distributed computing environments where trust is an issue.

And key management isn’t its only application for blockchains, either. MPC technology plays a vital role in MIT-founded startup Enigma’s work on “secret contracts” as part of its sweeping plan to build the “privacy layer for the decentralized web.”

(An aside: Enigma CEO and founder, Guy Zyskind, is also an Israeli. Israel has fostered a remarkable concentration of cryptographic expertise in this space.)

It would be unwise to assume that MPC, or any technology for that matter, will provide a perfect, totally infallible solution to security problems. It is always true that the biggest security threats come when human beings complacently believe security is not a threat.

However, if you squint hard enough, and think about how this technology’s prospects for better key management can be married to Enigma’s vision for an MPC-based secret contract layer and to the broader march toward decentralized, interoperable asset exchanges, a compelling vision of true peer-to-peer blockchain-based commerce starts to emerge.

At the very least, you need to watch this space.

Keys image via Shutterstock