Multi-Party Computation

MPC protocols are classified by their underlying security guarantees.

• Information-Theoretic Security (ITS): Security holds even against adversaries with unlimited computing power, relying on secrets like Shamir's Secret Sharing. However, it typically requires secure channels and honest majority assumptions.
• Computational Security: Security relies on computational hardness assumptions (e.g., factoring large integers). This model is more efficient and enables protocols in broader network settings (like the malicious majority model).

Protocols define adversarial assumptions to guarantee correctness and privacy.

• Honest Majority: Assumes more than half of the participants follow the protocol. This model enables highly efficient protocols but is vulnerable to coalition attacks.
• Malicious Majority (Active Security): Protects against any number of corrupted parties who may deviate arbitrarily. This requires more complex cryptographic primitives like zero-knowledge proofs or commitment schemes to ensure participants cannot cheat.

MPC guarantees two primary properties for any computed function f(input1, input2, ...).

• Input Privacy: No party learns anything about another's private input beyond what is revealed by the function's output.
• Output Correctness: All honest parties receive the correct result of the computation, even if some participants are malicious and attempt to submit invalid data or deviate from the protocol.

To improve real-time performance, many MPC protocols use a preprocessing (or offline) phase.

• In this phase, parties generate correlated randomness (like Beaver triples for multiplication) without knowing the actual inputs.
• During the online phase, this precomputed material is consumed, allowing the actual computation to be fast and non-interactive (requiring fewer communication rounds), which is critical for low-latency applications like wallet signing.

Defines which subsets of parties can be corrupted. This is more granular than simple majority models.

• Threshold Adversary: Any set of up to t parties can be corrupted (e.g., t < n/2).
• General Adversary: Described by a monotone adversary structure—a list of all possible subsets that can be corrupted. This allows for modeling complex trust relationships, such as protecting against specific coalitions of parties from different organizations.

MPC allows for sealed-bid auctions where bids remain encrypted until the auction concludes. The protocol computes the winning bid and bidder without revealing any losing bids. This ensures bid privacy and prevents auction manipulation, enabling fair and transparent processes for ad placements, spectrum license sales, or decentralized finance (DeFi) liquidations.

Facilitates privacy-preserving collaboration on highly sensitive data. Researchers from different institutions can perform joint studies on genomic sequences or patient health records. MPC protocols allow them to compute statistics, find genetic markers for diseases, or match patients to clinical trials without ever exchanging or centralizing the raw, identifiable genetic data, complying with regulations like HIPAA and GDPR.

Financial institutions and payment networks use MPC to detect coordinated fraud attacks, such as synthetic identity fraud or money laundering rings, that span multiple entities. By securely computing on combined transaction graphs and alert patterns, they can identify malicious networks and collusive fraud without directly sharing sensitive customer transaction logs between competitors.

MPC protocols like Drand or Randcast generate unbiased, unpredictable, and publicly verifiable randomness (a random beacon). Multiple participants each contribute a random seed. Using MPC, they combine these into a single random value that no single party could have predicted or manipulated, which is critical for fair lotteries, NFT minting, and blockchain consensus.

MPC networks act as decentralized signers for cross-chain bridges and oracle services. A committee of nodes uses MPC-TSS to collectively manage the private keys controlling assets on multiple chains. To authorize a bridge transfer or attest to off-chain data, a threshold of nodes runs an MPC signing ceremony, making the system more secure than a multisig with on-chain transactions.

While both provide multi-authorization, MPC and Multisig differ fundamentally:

• MPC-TSS: Cryptographic. A single on-chain address with a key split via math. Signing is an off-chain protocol. More private and gas-efficient.
• Multisig (e.g., Gnosis Safe): On-chain smart contract. Multiple addresses, each with its own key, submit signatures to a contract. Transaction logic and signers are fully visible on-chain.

Implementing MPC at scale involves overcoming significant hurdles:

• Latency & Complexity: MPC protocols require multiple rounds of communication between parties, increasing computation time.
• Active Security: Protocols must be secure against malicious actors who deviate from the protocol, not just passive eavesdroppers.
• Key Refresh & Proactive Security: To withstand long-term attacks, secret shares must be periodically refreshed without changing the public key.

A primary application of MPC in blockchain, enabling a private key to be split into secret shares distributed among multiple parties. Signatures are generated collaboratively without ever reconstructing the full private key on a single device.

• Security Benefit: Eliminates single points of failure for private key storage.
• Example: A 2-of-3 TSS wallet requires any two of three parties to sign a transaction, providing resilience against the loss or compromise of one share.

MPC protocols are formally analyzed under specific adversarial models that define an attacker's capabilities.

• Semi-Honest (Passive): Adversaries follow the protocol but try to learn extra information from the transcript. Provides privacy.
• Malicious (Active): Adversaries can deviate arbitrarily from the protocol. Provides both privacy and correctness.
• Threshold Assumption: Security often relies on an honest majority (e.g., t-out-of-n) assumption, where security fails if too many parties are compromised.

Two contrasting approaches for secure computation.

• Pure MPC: Relies solely on cryptographic protocols and distributed trust. No hardware trust required, but can be computationally intensive.
• TEEs (e.g., Intel SGX): Use isolated, hardware-enforced execution environments (enclaves) to protect code and data. Simpler and faster but introduces trust in the hardware manufacturer and is vulnerable to side-channel attacks. Hybrid models combine both for efficiency.

The primary trade-off for MPC's security is performance. Protocols require multiple rounds of communication between parties, creating latency.

• Complexity: Computation and communication overhead grows with the number of parties and the complexity of the function.
• Network Assumption: Protocols are designed for synchronous (bounded delay) or asynchronous networks, impacting liveness guarantees. This makes MPC suitable for high-value, lower-frequency operations like wallet signing rather than general-purpose smart contract execution.

MPC enables confidential smart contracts where contract state and logic are hidden from participants and the blockchain.

• Mechanism: Parties jointly compute contract outcomes using their private inputs.
• Use Case: Sealed-bid auctions, private voting, or confidential decentralized finance (DeFi) strategies where bid amounts, votes, or trading positions must remain secret.
• Challenge: Significant computational overhead compared to public execution.

The formal, academic term often used interchangeably with MPC. It emphasizes the security properties guaranteed by the protocol, which typically include:

• Privacy: No party learns anything beyond the output.
• Correctness: The output is computed correctly.
• Independence of Inputs: Parties must commit to their inputs independently. The 'secure' prefix distinguishes it from simpler collaborative computations that may not provide cryptographic guarantees.

A simpler cryptographic building block upon which many MPC protocols are constructed. It involves splitting a secret (like a private key) into multiple shares distributed to parties. Original secret reconstruction requires a specified threshold of shares. Shamir's Secret Sharing is the most famous scheme. While secret sharing is about storage, MPC is about computation using those shares without reconstruction.

MPC is built on foundational cryptographic protocols that enable secure computation. Key approaches include:

• Garbled Circuits: Allows two parties to evaluate a function on their private inputs without revealing them.
• Secret Sharing: Data is split into shares distributed among participants; the original data can only be reconstructed by combining a sufficient number of shares.
• Oblivious Transfer: A protocol where a receiver obtains one of several messages from a sender without the sender learning which message was chosen.

A major application of MPC in blockchain, enabling decentralized key management. Threshold Signatures allow a group of n parties to collectively control a cryptographic key, where any subset of t+1 parties (the threshold) can produce a valid signature, but no t or fewer parties can. This eliminates single points of failure for private keys and is foundational for MPC wallets and institutional custody solutions.

MPC enables collaborative analysis on sensitive datasets without exposing the raw data. Real-world use cases include:

• Healthcare: Multiple hospitals can jointly study patient data for medical research while maintaining patient confidentiality.
• Financial Fraud Detection: Banks can collaboratively train machine learning models to detect money laundering patterns without sharing individual transaction records.
• Advertiser Analytics: Competing companies can calculate aggregate market share metrics without revealing proprietary sales data.

Understanding how MPC differs from related cryptographic primitives is crucial:

• vs. Homomorphic Encryption (FHE): FHE performs computations on encrypted data, but typically involves a single data holder. MPC is inherently multi-party and often more efficient for specific functions.
• vs. Zero-Knowledge Proofs (ZKPs): ZKPs prove a statement is true without revealing underlying data. MPC is about computing a joint function on private inputs. They are often complementary, with ZK-SNARKs sometimes used within MPC protocols for verification.

MPC protocols are proven secure under rigorous mathematical models that define adversarial capabilities:

• Semi-Honest (Passive) Adversaries: Participants follow the protocol but try to learn extra information from the transcript.
• Malicious (Active) Adversaries: Participants may deviate arbitrarily from the protocol to sabotage the computation or learn other inputs.
• Universal Composability (UC): A strong framework ensuring security is maintained even when the protocol is composed with other protocols. Achieving security against malicious adversaries in the UC framework is a gold standard.