MPC (Multi-Party Computation)

The foundational cryptographic technique where a private key or sensitive data is split into multiple secret shares. No single party holds the complete secret; the original data can only be reconstructed when a sufficient number of shares (the threshold) are combined. This eliminates single points of failure.

• Example: A private key is split into 3 shares with a threshold of 2. Any 2 of the 3 parties can collaborate to sign a transaction, but no single party can do it alone.

A specific MPC protocol for generating digital signatures. Multiple parties collaboratively create a signature without any single device ever reconstructing the full private key. The resulting signature is standard-compliant (e.g., ECDSA, EdDSA) and appears on-chain as if from a single key, simplifying blockchain integration.

• Key Benefit: Provides native key management security without requiring changes to blockchain protocol or smart contracts.

MPC allows parties to compute a joint function (e.g., a sum, average, or model) over their private inputs without revealing those inputs to each other. The protocol guarantees that only the output of the computation is revealed.

• Use Case: Multiple financial institutions can compute their aggregate risk exposure without disclosing individual client portfolios.
• Formal Guarantee: Security is based on simulation-based proofs that show participants learn nothing beyond the output.

MPC protocols are designed to be resilient to failures and malicious actors. They typically define two key thresholds:

• Privacy Threshold: The maximum number of colluding parties that cannot learn the secret.
• Robustness Threshold: The maximum number of malicious parties that cannot disrupt the computation or produce an incorrect result. This ensures the system remains operational and correct even if some participants are offline or adversarial.

MPC protocols offer different security models:

• Information-Theoretic Security (ITS): Provides unconditional security, meaning it is secure even against adversaries with unlimited computing power. This typically requires secure channels and honest majority assumptions.
• Computational Security: Security relies on computational hardness assumptions (e.g., factoring large integers). This model is more efficient and practical for most real-world applications, similar to the security of blockchain cryptography.

A critical performance metric for MPC is its communication overhead. Protocols are analyzed by:

• Number of Rounds: The sequential steps of communication between parties. Fewer rounds mean lower latency.
• Total Communication: The amount of data exchanged. This impacts bandwidth costs and scalability. Modern MPC research focuses on optimizing these for practical deployment, balancing security with performance for applications like private auctions or secure data analytics.

MPC security is defined by a threshold scheme (t-of-n), where a secret is split among n parties and can only be reconstructed with t or more shares. The core risk is that if an adversary compromises t or more parties, the secret is lost. This creates a trade-off between availability (lower t) and security (higher t). For example, a 2-of-3 scheme is common, balancing fault tolerance with the requirement that two colluding parties can reconstruct the key.

The initial Distributed Key Generation (DKG) and subsequent proactive secret sharing protocols are critical. A flawed DKG can leak information or create a biased key. Without periodic key refreshes, an attacker with persistent access to fewer than t parties could eventually gather enough shares over time (via mobile adversary attacks). Robust implementations must use verifiable and audited DKG protocols.

MPC protocols require secure, authenticated channels between parties. Risks include:

• Man-in-the-Middle (MITM) Attacks: Intercepting or altering messages between parties.
• Denial-of-Service (DoS): Preventing parties from communicating, halting operations.
• Protocol Deviation: A malicious party deviating from the protocol to leak information or cause incorrect results. Secure implementations use commitment schemes and zero-knowledge proofs to ensure participants follow the protocol correctly.

Even cryptographically secure MPC can be vulnerable if the hardware or software running the computation leaks information. Key risks:

• Timing Attacks: Analyzing computation time to infer secret data.
• Power Analysis: Measuring power consumption of a device during computation (e.g., on an HSM).
• Memory Scraping: Extracting key shares from a compromised device's memory. Mitigations include constant-time algorithms and dedicated secure enclaves.

MPC's security model depends heavily on who controls the parties (n).

• Enterprise Custodial: All parties are under one organization's control. Risk is centralized to internal compromise and collusion.
• Multi-Custodial: Parties are distributed among independent entities (e.g., different banks). Reduces single-entity risk but increases coordination complexity and potential for legal disputes.
• User-Controlled (Non-Custodial): User controls multiple devices (phone, laptop, hardware module). Shifts risk to user device security and backup procedures.

MPC introduces a different risk profile compared to other private key management solutions:

• vs. Single Private Keys: Eliminates single points of failure but adds protocol complexity.
• vs. Multisig: MPC computes a single signature, avoiding on-chain coordination and fees, but its security is purely cryptographic vs. multisig's on-chain verifiability.
• vs. Shamir's Secret Sharing (SSS): SSS has a central dealer who knows the whole secret during creation, a key generation risk MPC's DKG avoids. However, SSS shares are static, while MPC can perform proactive refreshes.

A core building block of MPC where a secret (e.g., a private key) is split into multiple shares. No single share reveals any information about the original secret. The secret can only be reconstructed when a sufficient number of shares (the threshold) are combined. This enables secure distribution of trust across multiple parties.

• Example: A private key is split into 3 shares with a threshold of 2. Any 2 shares can reconstruct the key, but any single share reveals nothing.

A specific application of MPC for digital signatures. In a TSS, the signing key is never fully assembled in one place. Instead, it is distributed as shares among participants. To generate a valid signature, a predefined threshold of participants must collaborate using MPC protocols. This eliminates the single point of failure present in traditional multi-signature setups.

• Key Benefit: Produces a single, standard signature from a collaboratively generated key, improving privacy and blockchain efficiency.

A foundational MPC protocol that allows two parties to compute any function on their private inputs. One party garbles (encrypts) a Boolean circuit representing the function. The other party then evaluates this garbled circuit using encrypted versions of their inputs, learning only the output. This technique is particularly efficient for one-time computations of complex functions.

• Use Case: Secure auctions, privacy-preserving data analysis, and biometric matching.

A cryptographic method where one party (the prover) can prove to another (the verifier) that a statement is true without revealing any information beyond the validity of the statement. While distinct from MPC, ZKPs are often used in conjunction with it to enhance privacy and verify correctness of computations without exposing underlying data.

• Synergy with MPC: Can be used to prove that an MPC participant followed the protocol correctly (malicious security).

A form of encryption that allows computations to be performed directly on ciphertexts. The result, when decrypted, matches the result of operations performed on the plaintext. This enables data to be processed by an untrusted party (like a cloud server) without ever being decrypted. It represents a client-server model of secure computation, contrasting with MPC's decentralized model.

• Comparison to MPC: MPC distributes computation among parties holding data, while homomorphic encryption centralizes computation on encrypted data.

A fundamental cryptographic primitive used as a building block in many MPC protocols. In a 1-out-of-2 OT, a sender has two messages. A receiver can choose to learn one of them without learning anything about the other, while the sender remains oblivious to which message was chosen. This enables secure selection and transfer of data within larger MPC computations.

• Role in MPC: Essential for protocols based on Garbled Circuits and secret sharing, facilitating secure input sharing.