Comparison to Multi-signature

From a functional point of view, multi-signature wallets, which use M-of-N keys per wallet, are similar to MPC based wallets, which use M-of-N parts of a key for a single signature wallet. The difference is that a multi-signature wallet will make use of distinct signatures generated by distinct private keys to secure the wallet, while MPC uses only creates a single signature regardless of the number of private key parts that participated.

MPC removes the concept of a single private key; such a key is never gathered as a whole, neither during the first creation of the MPC wallet nor during the actual signature. MPC follows a set of steps to guarantee that there is never a single point of compromise of the private key:

1. Individual secrets are randomized by each of the several (always more than 3) endpoints – either servers or mobile devices. Those secrets are never shared with each other.
2. The individual endpoints engage in a decentralized wallet creation protocol in which they compute the public key (wallet address) that corresponds to the set of individual private shares.
3. When a signature on a blockchain transaction is requested, a quorum (at least 3) of endpoints engage in a distributed signature process where each one of the endpoints individually validates the transaction and policy and signs the transaction.

In a similar fashion to multi-sig, the MPC private key protection layer removes the single point of compromise from both external hackers and insiders – as the private key is never concentrated on a single device at any point in time.

Signature Accountability

MPC based wallets introduce a significant problem not present with multi-signature wallets: accountability. With multi-signature wallets, it is always explicit which private keys are used to sign a transaction. This is important because individual private keys are often assigned to specific individuals and understanding who participated in signing a transaction is critical. However, with MPC based signatures, it is impossible to distinguish which of the key parts were used to sign the transaction. Once the MPC is complete — all signatures look identical.

Accountability may not sound like a huge drawback, but it is vital in monetary systems, especially when considering the differences in types of people and storage that are typically used for the independent parts of the keys:

• People
  • Key material may be stored by different people. If key material is stored by executives at a company (the CEO, CFO, CSO, etc), and 2 of them collude on an inside job, how will investigators know who perpetrated the crime? How would the innocent executives defend themselves when questioned about who signed the transaction?
• Geography
  • Key material may be stored at separate locations. If 3 private keys are required from storage in 5 locations, a critical part of forensics would be to know which of the locations had participated in the transaction.
• Multi-institutional Security
  • Key material may be stored at separate companies. A common practice today is to provision backup keys with independent parties at independent companies. When the backup key can be specifically identified, as with multi-signature security, owners of funds are safe from theft by the backup holder. However, when accountability is eliminated with MPC, backup holders will be unwilling to hold backup keys, as it would be impossible to distinguish if the backup key holder had participated in a fraudulent transaction.

Peer Review

Many of today’s MPC implementers are using proprietary implementations and methods with limited or no public review. As Schneier on Security would say, “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.” Unfortunately, many cryptographic algorithms are never mathematically proven to work — rather, cryptographers rely on peer review and sufficient review time (measured in years or decades) before accepting an algorithm as trusted and secure. Because ECDSA MPC is so new, vendors are reluctant to share their algorithms, source code, and implementation details. Many patent applications have already been submitted by current implementations that might further restrict use of these tools. Lack of transparency and attempts to restrict access to these algorithms makes it impossible to verify correctness or security or predict possible licensing costs.

Multi-signature technology, by contrast, is tried-and-true; it utilizes well known, heavily scrutinized algorithms with multiple implementations. Multi-signature based wallets take on no additional cryptographic risk — they use the simple cryptographic algorithms that are the most heavily vetted and understood in practice.

Lack of Hardware Security Module (HSM) Support

Also troubling for MPC-based signatures is the lack of industry Hardware Security Modules (HSMs) that support the technology. While HSMs have been employed for decades by financial institutions to secure private key material, current HSMs do not offer support for the brand-new MPC cryptography. Security experts have long recognized that key material must be stored and accessed exclusively through HSMs in order to maintain basic security, and MPC is no different. The key material, or parts of keys, must be securely stored. If MPC implementers do not build customized HSMs for their technology, it is arguably less safe than single-key systems.