What is MPC?
Multi-party computation (MPC) is a set of cryptographic protocols that let multiple parties compute a function together without revealing their inputs to each other.
MPC in Cryptocurrency
In cryptocurrency, MPC is used in conjunction with public-key cryptography to collaboratively sign transactions. Multiple shares (or parts) of one private key are distributed to different parties without ever revealing the complete private key.
With traditional MPC, one key is divided into shares, and each share is distributed among the participants in the MPC protocol. WaaS uses a sub-field of MPC called Threshold Signing (TSS). With TSS, the key shares themselves are generated in a distributed way without ever producing the whole key on any one machine.
Interacting with a blockchain involves sending and receiving digitally signed messages to a blockchain node using public-key cryptography. For example, to alter a blockchain ledger, say to allocate (or "withdraw") 10 BTC to yourself, you would send a signed message that proves you own that 10 BTC and have the authority to reallocate those funds.
With public-key cryptography, messages are signed with a private (or secret) key. Signatures are verified with the public key associated with each private key (generated as part of a public/private key pair). We share public keys so that others can use them to verify our privately encrypted messages.
Evolution of Message Signing
The methods by which blockchain messages can be securely signed has improved over time. At a high-level, the evolution of cryptographic signing has been:
Single-key digital signature schemes: one party, one key pair.
Multi-signature encryption: multiple parties, multiple key pairs.
Multi-sig with MPC (or TSS): multiple parties, one sharded key pair.
Single-sig and multi-sig are digital signature schemes which are used to verify the authenticity and integrity of a message or document. MPC/TSS is not a digital signature scheme -- MPC protocols are used for secure computation and used in conjunction with digital signature schemes.
Single-sig
Single-key digital signature schemes use a single private key to sign messages or transactions, and the corresponding public key is used to verify the signature.
Satoshi Nakamoto used a single key, produced with the ECDSA algorithm, to sign transactions on the Bitcoin network. Bitcoin still uses ECDSA to generate key pairs, and single-sig is still popular; but multi-sig is more secure (and more complex).
Whatever the algorithm, the trouble with single-sig is that if the owner loses the key (or the owner dies without leaving a record of the key) the funds are lost.
Multi-Sig
Multi-sig solves the single key/owner problem by the widening the signing authority across multiple parties. Multi-sig requires multiple cryptographic signatures to authorize a transaction and each signature is done with a unique private key.
The signatures can come from different sources, such as different people, different machines, or even different cryptographic keys held by the same person. The system is more secure because no single entity can authorize a transaction on its own; multiple signatures are required to ensure the legitimacy of the transaction.
To guard against the possibility that one of the parties loses their key, an "M-of-N" configuration is applied. "N" represents the total number of possible signers (for example, 3), and "M" represents the minimum number of signatures required to authorize a transaction (for example, 2). In an 2-of-3 scheme, then, three people are authorized to sign a transaction but only two are required to sign (so if one key is lost, the funds are recoverable).
MPC
MPC is like multi-sig in that they both involve multiple parties when signing a blockchain transaction. However, there are important differences. In MPC, each party holds only a share (or "shard") of a single key, rather than a unique private key. To sign a transaction with MPC, multiple shares are securely "computed" into one effective key.
MPC can be combined with multi-sig to use an "M-of-N" scheme to define "N" number of authorized signers and "M" number of required signers. When MPC is not combined with mulit-sig, the scheme is M-of-M. WaaS, for example, has a 2-of-2 scheme and does not currently combine its MPC with multi-sig.
The strength of MPC lies in its ability to enable multiple parties (whether M-of-M or M-of-N) to perform computations using a fragmented secret, such as a private key in blockchain technology, without any one of them having access to the complete secret.
One way to understand the difference between MPC and multi-sig is to think of an orchestra:
- Like MPC, multiple musicians create a symphony, each one contributing a unique part without knowing the other roles in the composition.
- Like multi-sig, at least M out of N musicians must play a certain melody at the same time to create a specific symphony. For example, a composer might call for 3 trumpets in such and such a piece, but only 2 are required for the piece to actually work.
With MPC, the emphasis is on the distributed computation of a private key to sign a transaction. With multi-sig, the emphasis is on the method by which multiple private keys are combined to sign a transaction.