Rob Behnke
December 8th, 2022
With a slew of hacks exploiting stolen private keys and affecting both individuals and custodians, crypto wallet security has become a hot topic. Common solutions proposed include storing keys in cold storage and using multisig wallets. However, these solutions are still lacking in many respects—Harmony Bridge (exploited for $100M) used a multisig wallet, for example.
Multi-party computation (or MPC) wallets are a newer approach to securing cryptocurrency funds that balance security and efficiency. This article explains what MPC wallets are, why they matter for users and how they compare to traditional cryptocurrency storage solutions such as multisig wallets.
An MPC wallet is a type of crypto wallet that requires more than one participant to authorize transactions. It is called “multi-party computation” because the process of generating wallet keys and creating digital signatures is executed by different parties running a distributed computing protocol.
Traditional crypto wallets (e.g. MetaMask) have a single private key and a seed phrase to recover lost private keys. As the private key is required to authorize the movement of funds from a wallet, keeping it safe is important.
However, there are many issues with single-key wallets, primarily the single point of failure that they create. If a user’s private key is lost or compromised, funds stored in the wallet may be stolen or remain inaccessible forever.
MPC wallets attempt to solve the problems of traditional crypto wallets by redundantly distributing ownership of a private key between n parties. Each party does not hold an individual private key per se; they only have a part of the key (called a shard or key share). To sign a transaction, all parties apply their key shares to the transaction—this is the only way to create a valid digital signature for that wallet.
With multi-party computation, those involved in key generation and signing never have to reveal their inputs. Thus, an attacker who manages to compromise a single key shard cannot transfer funds from an MPC wallet without authorization. Only if all parties are compromised simultaneously can attackers possibly hack an MPC wallet.
Although MPC wallets are fairly new in the cryptocurrency industry, MPC has been studied for decades. Formally known as secure multi-party computation, MPC technology creates the means for some parties (P1, P2,…, Pn) to jointly compute the value of a function over their data, f(D1, D2,…, Dn), while keeping each party's input Di private from the others.
An early demonstration of MPC was in solving the “Millionaire’s Problem” developed by Andrew Yao. In the Millionaire’s Problem, three co-workers wish to know the highest earner without revealing their individual salaries.
This problem can be represented as a mathematical relationship between a function over some inputs and its output, y = f(S1, S2, S3), where each Si is a worker's salary and serves as that worker's private input to the multiparty computation protocol. The use of MPC, in this case, guarantees the following:
Traditional crypto wallets are often insecure due to the reliance on a single private key for controlling funds. Attackers have evolved different strategies for gaining access to private keys (e.g., phishing, malware, and spoofing), resulting in a string of high-profile cases of compromised wallets.
MPC wallets aren’t tied to a single private key, but instead split private key shares across different locations such as a server and a user’s device. Digital signatures authorizing transactions originating from a wallet are computed in a distributed manner; however, the private key is never fully reconstructed at any point in time. With no private key to steal, cryptocurrency thieves will find compromising MPC wallets more difficult.
One suggestion for keeping private-key wallets secure is keeping keys in cold storage (i.e., offline). Transactions are signed on a device disconnected from the Internet before being broadcast to the blockchain network. Since the private key is never stored in an online location (e.g., a remote server or a user's browser), the risk of private key theft is reduced.
That said, cold storage can introduce inefficiencies in the management of crypto-assets. An exchange or institutional custodian that needs fast access to funds may find the process of signing transactions offline and broadcasting online too cumbersome.
MPC wallets, however, improve efficiency—private key shares can be kept online since it is infeasible for malicious actors to compromise a wallet by stealing a single key shard. Thus, MPC wallets can improve efficiency for everyday cryptocurrency users and large industry players without sacrificing security.
Like an MPC wallet, a multisignature wallet (aka multisig wallet) requires multiple parties to approve transactions before execution. Specifically, multisigs use an m-of-n signing scheme where a threshold of participants—say, 3-of-5 or 2-of-2—must sign a wallet transaction for it to be valid. This removes the risk of centralization and mitigates the damage from one signer going rogue or getting compromised.
While multisigs are similar to MPC wallets, there are some differences between both solutions:
Being a special type of wallet, multisigs aren’t compatible with every blockchain. In contrast, MPC wallets are protocol-agnostic and can work with most blockchains that implement the standard EdDSA/ECDSA signing algorithm.
Multisigs aid accountability by revealing signatories to a transaction, but also introduce issues around privacy for large organizations. Consider a large cryptocurrency custodian using a multisignature wallet to manage deposited assets:
MPC wallets use an m-of-n key share scheme in which a threshold of participants contributes key shares to collectively generate transaction signatures. Note that only the signature is submitted on-chain; the signing phase happens off-chain. Signatures for an MPC wallet are indistinguishable from those of a regular wallet, increasing privacy for users.
Multisigs require more than one signature, increasing the data bytes encoded per transaction and fees paid for processing transactions. Conversely, MPC wallets offer cheaper transactions since transactions need only one signature. The compute-intensive process of signing data with key shares happens off-chain, which reduces the costs of processing transactions.
Multisigs can present many problems from an administrative perspective. For example, if the approval threshold for a multisig wallet needs to be updated (say, from 4-of-5 to 3-of-4), the change would require the following:
1. Setting up a new wallet. Once set up with a number of keys initially, the approval mechanism of a multisig wallet is permanent.
2. Moving funds from the old multisig to the new multisig.
3. Notifying external parties about the change in wallet address(es) since funds sent to the old wallet may be irrecoverable.
MPC wallets are different in that they allow for a more flexible approval policy. For example, if an individual’s key share needs to be revoked (perhaps as a result of leaving a company), the remaining parties can agree to perform another distributed computation and output new key shares. In this case, the wallet address never changes, nor do the funds have to move anywhere.
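The threshold signing described above and the key-share refresh in the previous paragraph, as an added illustration that is not code from the original article or from any wallet vendor: parties run a distributed key generation, a 2-of-3 subset produces one ordinary Schnorr signature without any party ever holding the full key, and a resharing step replaces every share while the public key (and so the wallet address) stays fixed. The group parameters are a constructed toy (P, Q, G are tiny and insecure), and the nonce-commitment round that production protocols use is omitted.

```python
import hashlib
import math
import secrets
# Constructed toy Schnorr group, far too small to be secure: G generates the
# prime-order-Q subgroup of Z_P*. A real wallet uses secp256k1 or Ed25519.
P, Q, G = 1019, 509, 4

def shamir_share(secret, t, n):
    """Split secret into n shares over Z_Q; any t of them determine it."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(i, signers):
    """Coefficient that weights share i when the given subset signs."""
    return math.prod(j * pow(j - i, -1, Q) for j in signers if j != i) % Q

def dkg(t, n):
    """Each party deals a random secret; share i = sum of the sub-shares it
    receives. The key x = sum of dealt secrets is never assembled anywhere."""
    dealt = [secrets.randbelow(Q) for _ in range(n)]
    sub = [shamir_share(xj, t, n) for xj in dealt]
    shares = {i: sum(s[i] for s in sub) % Q for i in range(1, n + 1)}
    pubkey = math.prod(pow(G, xj, P) for xj in dealt) % P  # Y = g^x from public g^x_j
    return shares, pubkey

def challenge(R, Y, msg):
    h = hashlib.sha256(f"{R}|{Y}|{msg}".encode()).digest()
    return int.from_bytes(h, "big") % Q

def threshold_sign(shares, signers, pubkey, msg):
    """Signers combine partial s_i into one ordinary Schnorr signature (R, s)."""
    nonces = {i: secrets.randbelow(Q) for i in signers}
    R = math.prod(pow(G, k, P) for k in nonces.values()) % P
    e = challenge(R, pubkey, msg)
    s = sum(nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]
            for i in signers) % Q
    return R, s

def verify(pubkey, msg, sig):
    """Plain single-key Schnorr check: a verifier cannot tell MPC was used."""
    R, s = sig
    return pow(G, s, P) == R * pow(pubkey, challenge(R, pubkey, msg), P) % P

def refresh(shares, t):
    """Reshare zero and add it in: shares change, x, Y and the address do not."""
    n = len(shares)
    zeros = [shamir_share(0, t, n) for _ in range(n)]
    return {i: (shares[i] + sum(z[i] for z in zeros)) % Q for i in shares}
```

After `refresh`, an old share that leaked no longer combines with the new ones, which is what lets a departing signer be revoked without moving funds.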
MPC wallets offer a new way of securing cryptocurrency funds and reducing risks for both average investors and large custodians. Already, MPC technology has been adopted by key industry players including ZenGo wallet and Fireblocks.
While MPC wallets are superior to many alternatives, like cold wallets or multisigs, using them can come with drawbacks. For example, the communication between participants to create threshold signatures can only happen with all parties online at the same time. And if all key shares are compromised simultaneously, attackers can still create a valid signature for an MPC wallet.
Nevertheless, the advantages of using MPC technology often outweigh the risks and the wider crypto industry can benefit from the broad adoption of MPC wallets. At the very least, this can help reduce incidents of “compromised private keys” that continue to plague Web3 today. Not sure if an MPC wallet is right for your organization? Get in touch with our Web3 security experts today at halborn@protonmail.com.