What is MPC (Multi-Party Computation)?
Private keys are a vulnerability: MPC Wallets are the solution
“Not your keys, not your coins” has resulted in over $100 billion lost or stolen since the early 2010s, specifically because of private key mismanagement. Clinging to this ‘golden rule’ will fail to onboard the next 1 billion into a bankless, self-empowered Web3. Secure crypto technologies like MPC are the hybrid solution for an overwhelming majority of new and current users, offering optimal tradeoffs between security, self-custody, recoverability, and interoperability.
Not Your Keys Not Your Crypto? Outdated.
The mantra of “not your keys not your crypto” is as powerful today as it was in 2017. But the result? Lost and stolen seed phrases, misplaced private keys, stress for new users, and a flight to CeFi exchanges and ‘crypto banks.’
An estimated $100 billion of Bitcoin (just Bitcoin) has been lost forever because of private key mismanagement.
As a community, crypto has been dogmatically clinging to a purported “private key gold standard,” more obsessed with the technology than with providing what people actually need. MPC is a solution that already exists, recently championed by companies like Coinbase and ZenGo.
Simple and secure MPC technology is already being used at the institutional level – companies like Fireblocks are helping custody billions of dollars of cryptoassets with MPC cryptography. It’s time average users get the same bulletproof security as the big players, and developers understand the security benefits of MPC to onboard more crypto users.
The false dichotomy: Centralized Exchanges v. Non-Custodial Wallets
For years the status quo perpetuated a dangerous misconception: there are only 2 ways to store crypto. This false dichotomy is why so many potential crypto-enthusiasts haven’t started to get involved in the ecosystem.
Option 1: Exchanges
Custody cryptoassets in a centralized exchange, giving up your freedom, control, and on-chain access in return for relative security, simplicity, and comfort knowing someone else will worry about secure crypto storage.
Option 2: Self-custody with Private Keys
Use an on-chain crypto wallet with private keys, rendering assets vulnerable to scammers, hacks, lost or misplaced keys – but knowing you have ultimate control over your crypto: to store, HODL, or lose…
There’s actually a better way: A hybrid solution in the form of a type of cryptography called MPC, or multi-party computation.
What is MPC and how does it work?
MPC stands for Multi-Party Computation. This is a type of cryptographic technology.
Leveraging MPC, wallets (and institutions) can securely design an on-chain asset management system that makes recovery easier, while simultaneously increasing secure self-custody by removing the single point of failure of a private key.
At a basic level, MPC (within the cryptographic world of threshold signatures) allows 2 (or more) parties to securely input information into a system and activate (or unlock) an outcome without any party being able to see the inputs of the others.
This makes it possible to design a crypto wallet that uses multiple parties to back up or restore a user’s funds while keeping the funds in the user’s custody at all times.
This design offers a number of advantages:
- Easy to recover
- No single point of failure for phishing
- Entirely user controlled
Why MPC is a better user experience than a “seed phrase” wallet
This type of recovery is immediately more familiar and far less scary for the majority of people. Almost everyone who has created an account of any kind online knows how to recover their login using an email, trusted contact, cloud backup, or their biometric scan.
This is why these types of recoverability are crucial for bringing new people into crypto systems. Implementing familiar solutions for recovery will allow more people to feel comfortable using crypto.
Once in the ecosystem, some will want different types of security or options with a low centralization risk. There is nothing preventing anyone from using multiple wallets once they have started using crypto. In fact, it is encouraged to use more than 1 wallet when storing cryptoassets.
There is, however, a HUGE barrier to entry with the majority of wallets for the majority of people: Seed phrases.
Having a single phrase that can move the entire contents of an account in an instant can be scary. Some people are willing to rely fully on themselves to keep something this important safe. Most people are not.
Having a path to enter crypto for the first time, try applications, and hold assets where users DON’T have to worry about a seed phrase is CRITICAL for the next 1 Billion people to join the world of #Web3.
MPC Wallets do not use seed phrases
MPC wallets like ZenGo replace the traditional private key with two independently created mathematical “secret shares.” One share is stored on your mobile device and the other on the ZenGo server.
With no single point of failure, even if something happens to one of the shares, no one can access your crypto but you.
Learn more about MPC: Threshold Signature Scheme (TSS):
To understand the type of cryptography behind MPC it’s helpful to learn about TSS (Threshold Cryptography) which is a subfield of MPC.
In TSS cryptography, cryptographic operations are defined with a threshold assumption in mind – it is assumed that at least a threshold of the parties involved in the computation are acting honestly and not controlled by an attacker at the same time. It could be two parties, or more. Learn more about TSS here.
MPC Cryptography is gaining adoption
While ZenGo was the 1st crypto wallet to support MPC for consumers, companies like Fireblocks have been managing billions of dollars of assets for some of the world’s leading crypto institutions for years. Coinbase recently announced support for an MPC-powered Dapp browser inside of their custodial crypto wallet.
As MPC offers the optimal balance between on-chain self-custody, wallet security and crypto recoverability, it is only a matter of time until MPC becomes widely adopted.
FAQ: MPC Crypto Wallet
Q: How does MPC (Multi-Party Computation) work?
A: MPC works by splitting the traditional private keys into multiple pieces, distributing them in multiple places to ensure no one person has full access to the traditional private key. The major advantage here is that the private key is always used in a distributed manner.
When a transaction signature is required, the parties involved (in ZenGo there are two: the ZenGo server and the user’s phone) separately run a computation to make whatever you wanted to happen on the blockchain, well, happen! The best part of this process is that no single entity can ever get access to any private key: there is no single point of vulnerability. Even if an attacker tried to get access to one of the two shares, they can’t access all of the ‘secret shares’ simultaneously, making your digital assets much safer than in the traditional private key architecture.
Q: Who uses MPC?
A: A number of billion-dollar institutions are using MPC technology, including Fireblocks, Coinbase, and ZenGo.
Q: Is MPC new technology?
A: MPC technology is actually dozens of years old – initial development began in the 1980s – but applying MPC technology to crypto wallets is a relatively recent technological innovation in the last decade.
Q: Does MPC support many blockchains?
A: A major advantage of MPC, in addition to its security and recoverability benefits, is that it is chain-agnostic. Unlike multi-signature (MultiSig) approaches, which do not support every blockchain, MPC can be applied to many. ZenGo actively contributes to open-source MPC material on GitHub; learn more here.
More info for professionals:
If you’re in the institutional digital asset space, you’ve probably heard about MPC (multi-party computation). While MPC theory has been around since the early ’80s, it first entered the digital asset space just a few years ago; since then, MPC has become one of the primary technologies wallet providers and custodians are utilizing to secure crypto assets.
But what exactly is MPC? How does it work, and what benefits does it have? We’ll walk you through everything you need to know about the technology and its role in digital asset security today.
Let’s start with an introduction to cryptography in general to get a better understanding of MPC’s origins.
A (Very) Brief Introduction to Cryptography
The field of cryptography provides its users with a method for:
- sending messages that only the intended receiver of the message will understand
- preventing unauthorized third parties from reading them in case of interception
- verifying the authenticity and integrity of digital messages from a known sender
Though cryptography stretches as far back as the ancient Egyptians, one of the most famous modern examples is the Enigma machine – a device used by the Germans to send encrypted messages during WWII which was finally cracked by the British mathematician, Alan Turing.
Whereas cryptography was once primarily the concern of government and military agencies, in the internet era cryptography plays an increasingly central role in the way we all transfer information.
While the idea behind cryptography can appear simple, the field does include some extremely complex math. In essence, messages are scrambled, or “encrypted,” by a secret recipe (or algorithm) that hides the information contained within it. This way, should the encrypted message be stolen or intercepted by a malicious or non-trusted third party, they will be unable to understand, see or alter the information the message holds. Instead, the only one who can read that message correctly is the one who knows how the message was encrypted and thus holds the key to unscramble, or “decrypt,” it.
Encrypted Message: HZZO HZ VO OCZ KJNO JAADXZ
Secret Algorithm: *use the letter which is five letters preceding the ‘real message’ letter*
Decrypted Message: MEET ME AT THE POST OFFICE
This ‘Caesar cipher’ utilizes very simple math to demonstrate the concept of encryption. However, it is known to be broken. To securely encrypt information, more advanced math is required.
In the world of blockchain, the “message” being transferred is a digital asset, and the “key” to that digital asset is essentially the decryption tool used to receive that digital asset.
That key itself – known as the “private key,” as access to a digital asset requires both a publicly known cryptographic key and a related private one – must be kept safe, as anyone who knows the private key can move the asset to their own wallet. This is where MPC comes in: it’s one of the most powerful tools for protecting private keys.
How does MPC (multi-party computation) work?
In a general sense, MPC enables multiple parties – each holding their own private data – to evaluate a computation without ever revealing any of the private data held by each party (or any otherwise related secret information).
The two basic properties that a multi-party computation protocol must ensure are:
- Privacy: The private information held by the parties cannot be inferred from the execution of the protocol.
- Accuracy: If a number of parties within the group decide to share information or deviate from the instructions during the protocol execution, the MPC will not allow them to force the honest parties to output an incorrect result or leak an honest party’s secret information.
In an MPC, a given number of participants each possess a piece of private data (d1, d2, …, dN). Together, the participants can compute the value of a public function on that private data: F(d1, d2, …, dN) while keeping their own piece of data secret.
For example, let’s imagine three people, John, Rob, and Sam, want to find out who has the highest salary without revealing to each other how much each of them makes – this is actually a classic example of MPC, known as The Millionaire’s Problem. Using simply their own salaries (d1, d2, and d3), they want to find out which salary is the highest and not share any actual numbers with each other. Mathematically, this translates to them computing:
F(d1,d2,d3) = max(d1,d2,d3)
If there were some trusted third party (i.e. a mutual friend who they knew could keep a secret), they could each tell their salary to that friend and find out which of them makes the most, AKA F(d1,d2,d3), without ever learning the private info. The goal of MPC is to design a protocol, where, by exchanging messages only with each other, John, Rob, and Sam can still learn F(d1,d2,d3) without revealing who makes what and without having to rely on an external third party. They should learn no more by engaging in the MPC than they would have by interacting with their trustworthy mutual friend.
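The setting above, as an added example that is not part of the original article: it computes F(d1,d2,d3) = d1 + d2 + d3 with additive secret sharing rather than max, because a secure comparison needs a heavier protocol. The salaries, the modulus and all function names are constructed for illustration.

```python
import secrets

P = 2**61 - 1  # public prime modulus, larger than any possible total

def share(value, n):
    """Split value into n additive shares; any n-1 of them are uniformly random."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % P)
    return parts

def secure_sum(inputs):
    """Return (total, inbox, partials) for the private inputs d1..dN."""
    n = len(inputs)
    dealt = [share(d, n) for d in inputs]        # party i splits d_i locally
    # inbox[j] is everything party j receives: one share from every party.
    inbox = [[dealt[i][j] for i in range(n)] for j in range(n)]
    partials = [sum(box) % P for box in inbox]   # each party publishes one number
    return sum(partials) % P, inbox, partials

def missing_share_for(seen_shares, guess):
    """The single unseen share that would make `guess` the hidden input."""
    return (guess - sum(seen_shares)) % P

if __name__ == "__main__":
    salaries = {"John": 82_000, "Rob": 97_500, "Sam": 64_250}  # constructed values
    total, inbox, partials = secure_sum(list(salaries.values()))
    print("published partial sums:", partials)
    print("total:", total)
    # What Rob and Sam hold of John's salary: two of John's three shares.
    seen = [inbox[1][0], inbox[2][0]]
    # Every guess is explained by some value of the share they never saw,
    # so their shares alone say nothing about John's input.
    for guess in (1, 82_000, 10_000_000):
        print(guess, "fits with unseen share", missing_share_for(seen, guess))
```

The output still reveals whatever the trusted friend's answer would: with a sum, two parties who pool their own salaries can subtract them from the total, which is a property of the function and not of the protocol.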
History and Applications of MPC
MPC’s (multi-party computation) initial development began in the ’80s – a fairly recent breakthrough within the world of cryptography.
Up until that point, the majority of cryptography had been about concealing content; this new type of computation focused instead on concealing partial information while computing with data from multiple sources.
- 1982 – Secure two-party computation is formally introduced as a method of solving The Millionaire’s Problem
- 1986 – Andrew Yao adapts two-party computation to any feasible computation
- 1987 – Goldreich, Micali, and Wigderson adapt the two-party case to multi-party
- 1990s – Study of MPC leads to breakthroughs in areas including universal composability (pioneered by Fireblocks cryptography advisor Ran Canetti) and mobile security
- 2008 – The first large-scale, practical application of multi-party computation – demonstrated in an auction – takes place in Denmark
- Late 2010s – MPC is first utilized by digital asset custodians and wallets for digital asset security
- 2019 – Debut of MPC-CMP, the first 1-round, automatic key-refreshing MPC algorithm
Today, MPC is utilized for a number of practical applications, such as electronic voting, digital auctions, and privacy-centric data mining. One of the top applications for MPC is for securing digital assets – and recently, MPC has become the standard for institutions looking to secure their assets while retaining fast and easy access to them.
Why is MPC becoming the standard for digital asset security?
To utilize your digital assets, you need a public key and a private key; your ability to safely hold and transfer the asset itself is only guaranteed as long as the private key is safe. Once that key is in someone else’s hands, they can transfer the assets to their own wallet. Therefore, preventing the theft of private keys is crucial to maintaining digital asset security.
Historically, there have been a few primary options for securely storing private keys. These options tend to fall into either hot, cold, or hardware based storage.
- Hot Storage – Private key is held online
- Cold Storage – Private key is held offline
- Hardware Wallet – Private key is held offline on a physical device
While these tools were at one point the only options for digital asset storage, certain operational and security inefficiencies in each have led to the rise of new solutions, such as MPC. Importantly, MPC is strong for not only digital asset storage, but digital asset transfers, as well – and as the digital asset market has developed and grown, so has the need for a security tool that enables fast transfers and advanced business strategies.
One way to reduce the exposure to digital asset loss is by storing funds in cold storage.
Cold storage enables a user to sign a transaction with their private keys in an offline environment. Any transaction initiated online is temporarily transferred to an offline wallet kept on a device such as an offline computer, where it is then digitally signed before it is transmitted to the online network. Because the private key does not come into contact with a server connected online during the signing process, even if an online hacker comes across the transaction, they would not be able to access the private key used for it.
However, there are several issues with cold storage:
- For a contemporary digital asset business that’s actually trading assets with any frequency, it is too slow to trade from – often taking between 24 to 48 hours to make a transfer
- It does not protect against deposit address spoofing or credential theft
Another method of securely storing private keys is the hardware wallet. Hardware wallets are external devices where you store your private keys, such as a USB stick. Hardware wallets are resilient to malware, and if you happen to lose the wallet you’ll be able to recover the funds using a seed phrase. On the other hand, if you lose the seed phrase, there is no other way of recovering your bitcoin.
Like cold storage solutions, hardware wallet solutions lack the speed that today’s digital asset businesses require.
Alternatively, storing funds in a hot wallet is cumbersome due to error-prone copy-pasting of addresses, ever-changing whitelists, and constant 2FA rituals.
Some hot wallets utilize multisignature, or multisig, technology to divide private keys into multiple shares. Unfortunately, multi-sig is not protocol-agnostic (meaning it’s not compatible with all blockchains), and lacks the operational flexibility to support growing teams.
As a result, the best solution is one that offers both operational and institutional security requirements to store the private key safely while at the same time not hindering operational efficiency.
MPC for Private Key Security
With MPC, private keys (as well as other sensitive information, such as authentication credentials) no longer need to be stored in one single place. The risk involved with storing private keys in one single location is referred to as a “single point of compromise.” With MPC, the private key is broken up into shares, encrypted, and divided among multiple parties.
Each party independently computes on the private key share it holds to produce a signature, without revealing that share to the other parties. This means there is never a time when the private key is formed in one place; instead, it exists in a fully “liquid” form.
Ordinarily, when a single private key is stored in one place, a wallet’s owner would need to trust that the device or party that holds that private key is completely secure. Such a device could be an HSM or, less securely, a crypto exchange that essentially holds the customer’s private keys on their behalf.
However, these parties have proven themselves to be vulnerable. When an attacker only needs to succeed in hacking one point of compromise to steal a private key, it leaves the digital assets that key unlocks wide open to theft.
MPC does away with this problem, as the private key is now no longer held by any one party at any point in time. Instead, it is decentralized and held across multiple parties (i.e. devices), each blind to the other. Whenever the key is required, MPC is set in motion to confirm that all parties, or a predetermined number of parties out of the full set, approve of the request.
With MPC technology in play, a potential hacker now has a much harder task ahead of them. To gain control over a user’s wallet, they now need to attack multiple parties across different operating platforms at different locations simultaneously.
The MPC solution then solves the problem of secure key storage. As the key no longer resides in one single place, it also allows more personnel to access a wallet without the risk of any of them turning rogue and running off with the digital assets it contains.
In addition, with the private key completely secure, users can now hold their assets online and no longer need cumbersome cold-storage devices. This means that transferring digital assets is now more fluid and no compromise is required between security and operational efficiency.
Types of MPC Algorithms
Given its inherent properties, MPC, in and of itself, is a powerful tool for securing digital assets. However, not all MPC algorithms are created equal. Today, many institutions that are using MPC employ algorithms such as Gennaro and Goldfeder’s algorithm (MPC-GG18); while protocols like this one are still considered the industry standard by many, they don’t reach as high a level of efficiency, security, or operational flexibility as certain new MPC algorithms are able to achieve.
To effectively run a profitable digital asset business in today’s ever-changing market or execute high-volume withdrawal requests for a large retail customer base, financial institutions (such as exchanges, lending providers, and banks) require instant and secure access to funds.
However, due to a complex regulatory environment, many of these institutions are forced to operate with secure but slow cold storage solutions. So, the compatibility of an algorithm with cold storage is another important factor to consider when evaluating MPC algorithms.
The Gennaro and Goldfeder MPC Algorithm
Gennaro and Goldfeder’s algorithm is currently one of the top MPC algorithms available, and many institutions that protect their private data using MPC utilize this algorithm.
However, with Gennaro and Goldfeder’s algorithm, the communication latency between the MPC-shares (the devices that hold the key shares) doesn’t reach the highest level of efficiency – as it requires users to wait for transactions to undergo up to 9 signature rounds.
In addition, Gennaro and Goldfeder’s algorithm doesn’t offer any flexibility for institutions that need to use cold storage.
The Lindell et al. MPC Algorithm
Lindell et al. offers a slight decrease from Gennaro and Goldfeder in the number of rounds needed to sign a transaction, at 8. However, this still doesn’t reach the level of operational efficiency necessary for today’s markets.
Like Gennaro and Goldfeder, Lindell et al. does not offer support for cold storage.
The Doerner et al. MPC Algorithm
Doerner et al.’s MPC algorithm accomplishes a threshold signature in just 6 rounds. Yet, again, the level of efficiency that’s possible with today’s technology is still higher than this.
And like the previous two algorithms, Doerner et al. can’t provide solutions for institutions that are looking to use cold storage in tandem with MPC.
MPC-CMP: The Newest Innovation in MPC
Building off of the groundwork laid by Gennaro and Goldfeder, the Fireblocks cryptography team (in collaboration with Professor Ran Canetti, the founder of the universal composability security model) recently developed and released a new algorithm, MPC-CMP. MPC-CMP enables digital asset transactions to be signed in just 1 round, meaning that it offers the fastest transaction signing speeds of any MPC algorithm by 800%.
MPC-CMP also solves the challenges faced by businesses looking to use cold storage in tandem with MPC by allowing hot and cold key signing mechanisms – with at least one key share stored offline in an air-gapped device.
This introduces new configuration possibilities for institutions in regions with specific regulations around cold storage and strengthens the security of MPC-based wallets by adding a key refresh mechanism (minutes-long intervals). While traditional cold wallets require physical proximity and trust for certain employees to operate these wallets without making an error or acting maliciously, MPC-CMP operationalizes cold wallets – creating a solution for today’s high-paced crypto markets.
With the new algorithm, we’ve introduced a new security feature that ensures MPC key shares are automatically refreshed in minutes-long intervals. That means a malicious actor only has a few moments to steal all the key shards before the shares are refreshed and they have to start over – effectively adding a new layer of protection to our multi-layered security system.
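A simplified sketch of two ideas described above, key shares that sign without the private key ever being formed in one place and shares that are refreshed, added here as an example; it is not MPC-CMP and not the code of any company named on the page. It assumes a toy two-party additive Schnorr scheme with parties that follow the protocol; the names `Party`, `sign` and `refresh` and the tiny group parameters are constructed for illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small for real use):
# p = 2q + 1 with p, q prime; g generates the subgroup of order q.
P, Q, G = 2039, 1019, 4

def challenge(R, X, msg):
    data = f"{R}|{X}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

class Party:
    """Holds one additive share of the signing key; the share never leaves."""
    def __init__(self):
        self._share = secrets.randbelow(Q - 1) + 1
        self._nonce = None

    def public_share(self):
        return pow(G, self._share, P)

    def nonce_point(self):
        self._nonce = secrets.randbelow(Q - 1) + 1
        return pow(G, self._nonce, P)

    def partial_sig(self, e):
        s_i = (self._nonce + e * self._share) % Q
        self._nonce = None  # a nonce must never be reused
        return s_i

    def apply_refresh(self, delta):
        self._share = (self._share + delta) % Q

def joint_public_key(parties):
    X = 1
    for party in parties:
        X = X * party.public_share() % P  # g^(x1 + x2) without adding x1 and x2
    return X

def sign(parties, msg):
    # Real threshold protocols add nonce commitments and zero-knowledge proofs
    # so a misbehaving party cannot bias R or X; this sketch omits them.
    X = joint_public_key(parties)
    R = 1
    for party in parties:
        R = R * party.nonce_point() % P
    e = challenge(R, X, msg)
    s = sum(party.partial_sig(e) for party in parties) % Q
    return R, s

def verify(X, msg, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P

def refresh(a, b):
    """Re-randomize both shares; their sum, and so the public key, is unchanged."""
    delta = secrets.randbelow(Q - 1) + 1
    a.apply_refresh(delta)
    b.apply_refresh(-delta)

def demo():
    phone, server = Party(), Party()
    X = joint_public_key([phone, server])
    msg = b"constructed transaction"
    ok_before = verify(X, msg, sign([phone, server], msg))
    stolen = phone._share                  # models a share copied before the refresh
    refresh(phone, server)
    same_key = joint_public_key([phone, server]) == X
    ok_after = verify(X, msg, sign([phone, server], msg))
    # A pre-refresh share combined with a post-refresh share is not the key.
    mixed_works = pow(G, (stolen + server._share) % Q, P) == X
    return ok_before, same_key, ok_after, mixed_works

if __name__ == "__main__":
    print(demo())
```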
MPC is open-source and peer-reviewed. We will not be applying for patents on MPC-CMP. That means all digital asset custodians and MPC vendors can access our new protocol and use it for free. In addition, the algorithm is universally composable, guaranteeing strong security properties for any implementation out-of-the-box. Universally composable cryptographic protocols are important to practical implications of new cryptography, as they remain secure even when arbitrarily composed with other protocols – and guarantee that even when multiple transactions are concurrently signed in parallel, security is not compromised.
| Algorithm | Transaction Rounds | Universally Composable | Cold Storage Compatible | Peer-Reviewed | Open-Source |
|---|---|---|---|---|---|
| Gennaro and Goldfeder | 9 | No | No | Yes | Yes |
| Lindell et al. | 8 | No | No | Yes | No |
| Doerner et al. | 6 | No | No | Yes | No |
What’s next for MPC?
MPC has quickly become the standard for securing digital assets. Major financial institutions – including Celsius (biggest US crypto lending desk), and Revolut (Europe’s largest neobank) – have announced their transition to MPC. But in 2021, MPC is only one part of the equation for digital asset security.
As we’ve seen over the years, the best defense against cybercriminals is a multilayered one that can provide redundancy in the event that one of the security controls fails. That’s why today’s institutions require a security system that layers MPC alongside numerous other software and hardware defenses to make breaking in highly expensive and nearly impossible.
At Fireblocks, our “defense-in-depth” security system fulfills these requirements, utilizing Intel SGX chip-level hardware isolation, distribution of sensitive information across multiple tier-1 cloud providers, and a highly customizable policy engine in addition to MPC. Today, we’re using MPC-CMP – the fastest and most secure MPC algorithm currently available – adding a new degree of flexibility to the equation (including the ability to sign an MPC from a hardware storage device).
This content by cryptomentor.info is in no way a solicitation or offer to sell cryptocurrencies, securities, shares, financial assets or investment advisory services. cryptomentor.info is not intended to be a source for professional advice. Our content is intended to be used and must be used for informational purposes only and this is not a place for giving or receiving financial advice, advice concerning investment decisions or tax or legal advice. It is very important to do your analysis before making any investment based on your circumstances. Readers should always seek the advice of a qualified professional before making any investment decisions.