Multi-Sig vs MPC: Which is more secure?

At BitGo, we’ve been advocating the need for multi-signature wallets for over 6 years now due to their strong security and strong authentication properties. However, we’re always evaluating new cryptographic developments and in recent months a new technology known as multi-party computation (MPC) has been cited frequently. MPC offers a strong alternative to Shamir’s Secret Sharing (SSS), and some wallet providers are suggesting that MPC may be safer and easier to use than multi-signature technology. In this article we will describe MPC and how it differs from multi-signature wallet security. We believe that MPC offers utility when used in conjunction with multi-signature technology, but we do not believe it is a prudent replacement to multi-signature technology at this time.

Background on MPC

MPC is a relatively new cryptographic method that separates private keys into multiple parts. It is often compared with a technology called Shamir’s Secret Sharing (SSS) which has been around since the late 1970s and is used to split a single private key into multiple parts. The key concept between both technologies is that the private portion of a key pair can be maintained as N parts, such that M of those parts would need to come together in order to create a signature using the private key. This class of technology is known as M-of-N, where M parts out of N total parts protect the underlying data.

Both SSS and MPC, like multi-signature technology, can help mitigate two critical risks:

1. Theft
   If less than M parts are stolen or hacked, there is no possibility for an adversary to generate a valid signature
2. Loss
   In most cases (where M is less than N), the inadvertent loss of one part is recoverable with a backup part.

MPC offers one significant advantage over SSS. In the case of SSS, the independent pieces of a key need to be re-assembled on a single machine before they can be used to enact a signature. This creates a single-point-of-failure on the machine where the key is re-assembled. MPC, by contrast, does not require the parts to be reassembled on a single machine. Instead, each of the parts can be used mathematically on separate machines, and only after M of the parts have applied this mathematical function is the signature valid. This allows each of the parts to remain completely separate and avoids the single-point-of-failure.

An interesting benefit of both SSS and MPC is that they can be used without the blockchain knowing that they were utilized at all. This is significant for some blockchains, such as Monero, that do not yet offer native multi-signature capabilities, as MPC signatures can be applied externally.

Comparison to Multi-signature

From a functional point of view, multi-signature wallets, which use M-of-N keys per wallet, are similar to MPC based wallets, which use M-of-N parts of a key for a single signature wallet. The difference is that a multi-signature wallet will make use of distinct signatures generated by distinct private keys to secure the wallet, while MPC uses only creates a single signature regardless of the number of private key parts that participated.

Signature Accountability

MPC based wallets introduce a significant problem not present with multi-signature wallets: accountability. With multi-signature wallets, it is always explicit which private keys are used to sign a transaction. This is important because individual private keys are often assigned to specific individuals and understanding who participated in signing a transaction is critical. However, with MPC based signatures, it is impossible to distinguish which of the key parts were used to sign the transaction. Once the MPC is complete — all signatures look identical.

Accountability may not sound like a huge drawback, but it is vital in monetary systems, especially when considering the differences in types of people and storage that are typically used for the independent parts of the keys:

• People
  Key material may be stored by different people. If key material is stored by executives at a company (the CEO, CFO, CSO, etc), and 2 of them collude on an inside job, how will investigators know who perpetrated the crime? How would the innocent executives defend themselves when questioned about who signed the transaction?
• Geography
  Key material may be stored at separate locations. If 3 private keys are required from storage in 5 locations, a critical part of forensics would be to know which of the locations had participated in the transaction.
• Multi-institutional Security
  Key material may be stored at separate companies. A common practice today is to provision backup keys with independent parties at independent companies. When the backup key can be specifically identified, as with multi-signature security, owners of funds are safe from theft by the backup holder. However, when accountability is eliminated with MPC, backup holders will be unwilling to hold backup keys, as it would be impossible to distinguish if the backup key holder had participated in a fraudulent transaction.

Peer Review

Many of today’s MPC implementers are using proprietary implementations and methods with limited or no public review. As Schneier on Security would say, “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.” Unfortunately, many cryptographic algorithms are never mathematically proven to work — rather, cryptographers rely on peer review and sufficient review time (measured in years or decades) before accepting an algorithm as trusted and secure. Because ECDSA MPC is so new, vendors are reluctant to share their algorithms, source code, and implementation details. Many patent applications have already been submitted by current implementations that might further restrict use of these tools. Lack of transparency and attempts to restrict access to these algorithms makes it impossible to verify correctness or security or predict possible licensing costs.

Multi-signature technology, by contrast, is tried-and-true; it utilizes well known, heavily scrutinized algorithms with multiple implementations. Multi-signature based wallets take on no additional cryptographic risk — they use the simple cryptographic algorithms that are the most heavily vetted and understood in practice.

Lack of Hardware Security Module (HSM) Support

Also troubling for MPC-based signatures is the lack of industry Hardware Security Modules (HSMs) that support the technology. While HSMs have been employed for decades by financial institutions to secure private key material, current HSMs do not offer support for the brand-new MPC cryptography. Security experts have long recognized that key material must be stored and accessed exclusively through HSMs in order to maintain basic security, and MPC is no different. The key material, or parts of keys, must be securely stored. If MPC implementers do not build customized HSMs for their technology, it is arguably less safe than single-key systems.

Impact on Need for Cold Storage and HSMs

Some proponents of MPC suggest that MPC eliminates the need for “cold storage”, but it does not.

“Cold storage” simply refers to any wallet where the private key material is stored offline. Similarly, “hot storage” refers to wallets where the private key material is stored online. Whether there is one private key or three, whether MPC is used or not, the need to secure private key material is exactly the same.

The fact is that hacking continues to plague the industry. Facebook has been hacked. Google has been hacked. The US Government has been repeatedly hacked. If MPC private key parts are stored online, they are vulnerable to the same hacking and theft risks as any other data stored online.

Conclusion

In summary, the strongest security for digital wallets today remains with multi-signature wallets. MPC could be used to augment an existing multi-signature scheme by dividing one or more of the private keys into parts. For example, if three people were utilized to secure a 2-of-3 multi-signature wallet, each of those three users could subdivide their individual private keys using MPC and store their MPC key parts on independent machines. However, exclusive reliance on MPC technology without multi-signature protections reduces security protection and eliminates transaction-time accountability significantly.