Secure Multiparty Computation (MPC) is a cryptographic technique that is gaining widespread interest for both data privacy and data protection applications. This article focuses on the use of secure MPC to protect digital assets under custody.
In this scenario, the objective of secure MPC is to provide bank-grade protection against the theft or misuse of private keys that are used to digitally sign and authorize transactions for digital assets under custody. Secure MPC facilitates this objective through the following attributes:
private keys are created in the form of multiple distributed key shares by a group of cooperating servers and/or mobile devices;
locally generated key shares are stored and used by different parties;
when each party approves a transaction, their key share is used to generate a partial signature;
when enough partial signatures are collected, a single signature is generated and the transaction is approved;
key shares never leave the party's machine, and a complete key never exists anywhere, at any time;
lost devices (key shares) are easily replaced without changing the private key.
This secure MPC approach to custody wallet key management removes the risk that the breach of any single party, or of any group of parties smaller than the signing threshold, could result in theft or misuse of the private key. When properly implemented as part of a broader security process and framework, secure MPC enables custody wallet services with the security of offline cold storage and the accessibility, scale, and automation of online hot wallets.
What is secure MPC?
Secure MPC is a cryptography technology that enables a group of different data owners to jointly compute a function of their private inputs, without requiring them to share their private data with one another or any other party(1). For a digital asset custody wallet the “different data owners” are the multiple parties that are responsible to hold a share of a private key and use those key shares to provide their part of a multiparty approval of a transaction. Their “joint computation” generates a single digital signature to release digital assets for transfer to a third party.
Why is secure MPC required?
Some background for readers less familiar with cryptocurrency and digital asset technologies:
Digital asset wallets are based on a cryptographic public-private key pair. The wallet address is derived from the public key, and the public key is used to verify the authenticity of an associated signature. The private key is used to generate a verifiable digital signature, which authorizes the blockchain to release digital assets associated with the wallet. The public key (or the address derived from it) is shared publicly, so that other parties know where to send digital assets and can see where incoming digital assets were sent from. The private key must be kept secret, because anyone with access to it can generate a signature and transfer digital assets from the associated wallet to any other wallet of their choosing.
For digital assets using public blockchain technologies such as Bitcoin, Ethereum or similar, these transactions cannot be reversed even when they are known to be fraudulent. Consequently, protecting the private key is paramount to protecting the wallet.
Any digital asset wallet is subject to attack, in which an external hacker or a malicious insider gains access to the private key and uses it to steal the associated digital assets. Such a theft can result in asset losses worth millions to hundreds of millions of US dollars for institutional wallet users, and for exchanges and custodians using wallets for their own needs or on their clients' behalf.
In an ideal world, secure storage of the private key would be assured using existing security technologies and operational practices. Unfortunately, we live in the real world, where good people make innocent operational mistakes, where bad actors or compromised parties make unfortunate choices, and where security systems eventually become compromised. This is particularly true when the rewards justify the persistent focus of skilled attackers. This is where secure MPC is required.
Secure MPC eliminates the existence of a complete key in the possession of any single individual or stored on any single physical or virtual machine. As a result, no single party can be corrupted or otherwise compromised to yield access to the private key; an attacker must compromise at least a threshold number of parties at once.
Security of MPC
The security of MPC is based on the model that no single party ever possesses an entire secret, eliminating the threat that the compromise of a single party could result in disclosure of the secret. But that alone is not sufficient to fully trust in the security of MPC(2).
Secure protocols must withstand adversarial attacks, where an adversary controls one or more of the parties in the computation. To achieve this, secure MPC requires protocols and often other mechanisms to assure the following attributes, even if some of the parties are or become corrupt:
Privacy (ensuring no private data is disclosed or can be derived)
Correctness (ensuring outputs are trustworthy)
Guaranteed Output Delivery (even in presence of DoS attacks)
Fairness (all parties receive the output, or no one receives the output)
Other requirements may exist for certain applications. Note that the last two properties, guaranteed output delivery and fairness, can only be achieved when a majority of the parties are honest; a protocol designed to tolerate a dishonest majority can still guarantee privacy and correctness, but a corrupt party may be able to make it abort without producing a signature.
How is Secure MPC Implemented?
Secure MPC protocols can be built from many different techniques. The preferred technique depends on the adversary model assumed and the performance trade-offs sought(3). The following are common techniques for applying secure MPC to digital asset wallet security.
SHAMIR’S SECRET SHARING
Shamir’s Secret Sharing (SSS) is a cryptographic algorithm published by Adi Shamir in 1979. It is a form of threshold secret sharing: a secret, such as a private key, is split into n shares such that any t of them (the threshold) reconstruct the secret, while any t-1 or fewer shares reveal no information about it at all. Mathematically, the dealer picks a random polynomial of degree t-1 whose constant term is the secret and hands party i the polynomial evaluated at point i; t points determine the polynomial uniquely, while fewer than t are consistent with every possible secret. With SSS, shares are distributed to different parties so that no single party possesses the full secret, minimizing the risk that a compromised party discloses it.
THRESHOLD CRYPTOGRAPHY
Threshold cryptography builds on Shamir’s secret sharing model to enable a set of parties to carry out a cryptographic operation, such as creating a digital signature, without having to recombine shares to create a full key. Instead, each party uses their share of the key to generate their share of a computed output, in this case, a partial signature. When enough partial signatures are combined, a complete threshold signature is generated.
Threshold cryptography and Shamir’s Secret Sharing can be designed to enforce specific security models and operational criteria. Some examples include the ability to support m of n quorum approvals, and the option to specify that a particular party must be one of the m approvers before a complete signature is generated.
Threshold cryptography also introduces a framework for specifying how many parties may become corrupt while secure MPC still maintains correctness and privacy. Correctness relates to the signature, which must verify under the public key as a legitimate signature. Privacy relates to keeping the key shares, and therefore the private key, secret.
How Does Secure MPC Protect Custody Wallets?
Secure MPC is a cryptography technology that can be used to protect private keys for any key management application. Wallet security is just one specialized application. Secure MPC achieves superior key security through a combination of attributes:
Secure Even When Corrupted: Secure MPC can be designed to maintain reliable operation, with privacy and correctness, in the presence of different types of adversaries and different corruption strategies. Where the protocol verifies each partial signature individually, a corrupted party that tries to block a transaction by contributing a deliberately invalid partial signature can be identified and excluded, and the remaining honest parties can still complete the signature as long as they meet the threshold. Most alternative security schemes become inoperable or ineffective once an adversary is present inside the trusted environment.
No Complete Key Ever Exists: Secure MPC never generates a complete private key on any machine, at any time, throughout the entire lifecycle of the key. Instead, the key is generated by secure MPC directly in the form of distributed key shares, which spend their entire lifecycle inside the machine on which they were generated. This attribute, sometimes referred to as “keyless”, eliminates many vulnerabilities associated with key generation, key distribution, key storage, and key destruction.
Multiple Party Approval: Secure MPC natively supports multiparty approval models. Each party in possession of a key share acts as an MPC approver. Requiring multiple MPC approvers mitigates the risk that an internal bad actor gains access to a full key and uses it fraudulently. Secure MPC systems can be designed to require multiple parties or quorums of parties to satisfy their security and compliance policies before an MPC party grants its approval and generates a partial signature. They can also be designed to mandate that certain parties participate in any m of n quorum approval.
Secure Signature Generation: Each party uses its share of the key to generate a partial signature inside the machine that secures that share. The share is never accessed by or presented to any other system, so it never leaves the party’s machine; only the partial signature is exported. When enough parties have exported partial signatures, they are combined into a full signature. Throughout this process, no key share is disclosed to any other party.
Key Share Rotation (or Refresh): A private key is a large number (often written as a hexadecimal string), and the key shares are simply other numbers in the same finite field that together determine it. Because the relationship between shares and key is linear, the parties can jointly add a fresh secret sharing of zero to their shares: every share changes, but any threshold of the new shares still determines the same private key, and the public key and wallet address do not change. With periodic refresh, an attacker must compromise a threshold of parties within a single refresh interval, because shares from different intervals cannot be combined, which greatly reduces the chance that a slow, persistent compromise ever yields the key. Depending on the MPC security model chosen, automated key share refresh may or may not be a requirement. Because the public-private key pair itself never changes, refresh avoids the administrative complexity and on-chain transactions that re-keying a wallet would otherwise require.
Off-chain Policy Changes: Secure MPC runs entirely off-chain, independent of the blockchain used by any digital asset. In contrast, alternative multiparty approval schemes such as MultiSig run on-chain, as a multisignature script or smart contract. The benefit of an off-chain scheme is that a change to a security policy, such as replacing an approver or changing the number of approvers, is not recorded on the blockchain, decoupling key management from the underlying ledger technology. This eliminates the electronic breadcrumb trail that can give would-be attackers insight into your security policies or update practices. Reducing this electronic footprint increases privacy and reduces overall security risk.
Fully Auditable Records: While Secure MPC runs off-chain, the application can still provide a full record of exactly which parties participated in the approval of any transaction, as well as all other security audit records. This approach retains full audit and accountability enforcement which is essential for any effective security scheme.
No Digital Memory of the Key: Since no full key ever exists in any form, on any machine, there is no digital memory of a key that could be harvested from previously used machines. As a result, the theft, misplacement or retirement of mobile phones, laptops, desktops, servers, virtual machines or containers that once hosted a key share cannot be mined to derive a full key, provided fewer than the threshold of shares from the same refresh interval are recovered.
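The following Python script is an added example, not Sepior's code or any product's, that ties the Shamir's Secret Sharing and threshold cryptography described under "How is Secure MPC Implemented?" to the three attributes above that turn them into a wallet: distributed key generation with no complete key anywhere, partial signatures that expose neither the share nor the nonce, and a share refresh that leaves the key and public key untouched. It uses the real secp256k1 parameters but a deliberately simplified two-round threshold Schnorr signature; the function names, the 2-of-3 party layout, the message bytes and the dealer-free keygen are all constructed for illustration. Production protocols (FROST for Schnorr; the GG18/CMP family for ECDSA) add the commitments, zero-knowledge proofs and binding factors that make this structure safe against cheating dealers and concurrent-signing attacks, and use constant-time curve arithmetic; none of that is present here.

```python
import hashlib
import secrets

# secp256k1, the curve Bitcoin and Ethereum sign with (standard public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity (demo: not constant-time)."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    acc = None                                   # double-and-add; k is a scalar mod N
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def shamir_split(secret, t, n):
    """Shamir over Z_N: random degree t-1 polynomial f with f(0) = secret; share i is f(i)."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N
            for i in range(1, n + 1)}

def lagrange_at_zero(i, idxs):
    """lambda_i such that sum(lambda_i * f(i) for i in idxs) == f(0)."""
    num = den = 1
    for j in idxs:
        if j != i:
            num = num * (-j) % N
            den = den * (i - j) % N
    return num * pow(den, -1, N) % N

def shamir_reconstruct(subset):
    """Recombine t shares {index: value}. Only used to check the algebra; a wallet never does this."""
    return sum(lagrange_at_zero(i, subset) * v for i, v in subset.items()) % N

def distributed_keygen(t, n):
    """Every party deals its own random secret a_i with Shamir; party j's key share is the sum of
    what it received, so the joint key sum(a_i) is never assembled anywhere. (The Feldman
    commitments a real DKG uses to catch a cheating dealer are omitted for brevity.)"""
    contributions = [secrets.randbelow(N - 1) + 1 for _ in range(n)]
    dealt = [shamir_split(a, t, n) for a in contributions]
    shares = {j: sum(d[j] for d in dealt) % N for j in range(1, n + 1)}
    pub = None
    for a in contributions:                      # each party publishes a_i*G; their sum
        pub = ec_add(pub, ec_mul(a, G))          # is the wallet's public key
    return shares, pub

def refresh_shares(shares, t):
    """Proactive refresh: every party deals a sharing of ZERO and each share absorbs what it
    received. Every share changes; f(0), i.e. the private key, and the public key do not."""
    zero_dealings = [shamir_split(0, t, len(shares)) for _ in shares]
    return {j: (s + sum(d[j] for d in zero_dealings)) % N for j, s in shares.items()}

def challenge(R, pub, msg):
    data = b"".join(v.to_bytes(32, "big") for v in R + pub) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def partial_sign(i, share_i, signers, k_i, R, pub, msg):
    """Party i's contribution, computed from its own share and nonce only; s_i reveals neither."""
    return (k_i + challenge(R, pub, msg) * lagrange_at_zero(i, signers) * share_i) % N

def threshold_sign(shares, pub, signers, msg):
    """Round 1: each signer picks nonce k_i and reveals only R_i = k_i*G. Round 2: partial
    signatures are added. Simplified Schnorr: FROST adds a binding factor to this exact
    structure to resist concurrent-signing attacks; threshold ECDSA needs other machinery."""
    nonces = {i: secrets.randbelow(N - 1) + 1 for i in signers}
    R = None
    for i in signers:
        R = ec_add(R, ec_mul(nonces[i], G))
    s = sum(partial_sign(i, shares[i], signers, nonces[i], R, pub, msg) for i in signers) % N
    return R, s

def verify(pub, msg, R, s):
    """Plain single-key Schnorr check s*G == R + e*pub; nothing reveals that several parties signed."""
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, pub, msg), pub))

def demo(t=2, n=3):
    """2-of-3 custody wallet: keygen, sign with parties 1 and 3, refresh, sign with 2 and 3."""
    shares, pub = distributed_keygen(t, n)
    msg = b"constructed transaction bytes"       # stand-in for a serialized transaction
    R, s = threshold_sign(shares, pub, [1, 3], msg)
    new_shares = refresh_shares(shares, t)
    R2, s2 = threshold_sign(new_shares, pub, [2, 3], msg)
    old_key = shamir_reconstruct({1: shares[1], 2: shares[2]})
    return {
        "sig_ok": verify(pub, msg, R, s),
        "refreshed_sig_ok": verify(pub, msg, R2, s2),
        "shares_changed": all(new_shares[j] != shares[j] for j in shares),
        "same_key": shamir_reconstruct({2: new_shares[2], 3: new_shares[3]}) == old_key,
        "mixed_epochs_fail": shamir_reconstruct({1: shares[1], 3: new_shares[3]}) != old_key,
    }
```

Calling demo() returns a dict in which every entry should be True. The mixed_epochs_fail entry is the property that makes refresh a defence rather than housekeeping: an attacker who steals share 1 today and share 3 after the next refresh holds two numbers that determine nothing, so the threshold must be reached within one refresh interval. The shamir_reconstruct call exists only so the script can check its own algebra; a custody system has no code path that recombines shares.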
What Makes Secure MPC The Preferred Custody Wallet Technology?
Secure MPC is not the only wallet security technology, but it is considered the best and increasingly the choice for new custody infrastructures. Some of the benefits of Secure MPC include:
Commercially Proven and Ready: Secure MPC has been under extensive study and research since the 1980s. The first commercial deployment of MPC was in 2008 by the co-founders of Sepior. MPC technology has since been used by major firms such as Google, Facebook, and Bosch to support various privacy and security applications. The first secure MPC custody wallet was jointly developed by SBI Holdings (a spinout from Softbank) and Sepior, incorporating novel techniques for fast signing. Since then, dozens of exchanges, custody providers, and institutional wallet providers have rolled out secure MPC as part of their digital asset wallet and custody services.
Superior Interoperability: Unlike other multiparty approval technologies, secure MPC produces a standard single signature. Since every blockchain natively verifies an ordinary single signature under one public key, there is no requirement for smart contracts or special code to support each new asset type.
Smaller, More Efficient, Lower Cost Transactions: Because a threshold signature produced with secure MPC is a single ordinary signature, it yields the smallest possible transaction size, which allows more transactions per block and lower mining or gas fees than an on-chain multisignature transaction.
Operational Flexibility: Secure MPC can be designed and implemented to support fully online, fully offline, or hybrid approver models. This makes secure MPC suitable for both online custody wallets and offline cold storage applications.
Adaptability: The off-chain nature of secure MPC makes it very easy to modify security models and processes as regulatory, compliance, and business practices evolve.
Low Friction, Proactive Security: The ability to support key share refresh without changing the private key increases security efficacy and eliminates the associated operational complexity and incremental transactions and fees associated with alternative schemes.
Sustained Secure Operations, Even With Corrupted Parties: Unlike alternative multiparty approval schemes, secure MPC can continue to operate and execute legitimate, approved transactions, even when one or possibly more parties becomes corrupted. Other schemes either stop protecting or stop operations entirely in those conditions.
Quantum Safe: Key shares are information-theoretically hiding: an attacker who obtains fewer than the threshold of shares learns nothing about the key, no matter how much computing power, including a quantum computer, they have. This protects the shares, not the signature scheme itself: the ECDSA or EdDSA public key published on-chain would still be exposed to a large-scale quantum computer, so secure MPC makes key custody safe against single-server quantum attacks rather than making the underlying blockchain quantum safe.
Sepior ThresholdSig – A Trusted MPC Wallet Security Technology Partner
Since 2014, Sepior has been singularly focused on developing the world’s highest performing secure MPC solutions for key management applications. Our world-renowned cryptographers have been at the forefront of MPC research for decades. Our team consists not only of experts in the field of secure MPC, but also of experts in applying MPC to real-world systems.
Sepior offers secure MPC technology SDKs, libraries, software, and integration expertise to assist platform and service providers with custom integrated MPC solutions that work within your existing framework and constraints. We also offer full turn-key solutions through some of our customers who have become business partners. We invite you to review one of our white papers(4), contact us at info@sepior.com, and to visit www.sepior.com for more information.
References
(1) Secure multi-party computation (Wikipedia)
(2) Secure Multiparty Computation and Secret Sharing (Book)
(3) Scalable and Unconditionally Secure Multiparty Computation (IACR Paper)