Multi-party computation (MPC) is a branch of cryptography that started with the seminal work of Andrew C. Yao in the 1980s. In MPC, a set of parties that do not trust each other try to jointly compute a function over their inputs while keeping those inputs private. While the technology isn't new, MPC has gained considerable interest due to its inherent ability to protect cryptographic keys from theft or misuse. Together with threshold signature schemes (TSS), a sub-field of MPC, threshold key generation and signing solutions keep popping out everywhere.
The common assertion about Multi-Party Computation (MPC) is that it is significantly more secure and easier to manage compared to traditional methods of private key generation, storage, and transaction signing. It's often claimed to be substantially safer and less susceptible to theft. However, it's important to take a closer look and evaluate the actual safety of MPC systems.
With MPC, the computation of the private key is shared among multiple parties in which each party independently computes its share of the private key. The parties then communicate through a couple of rounds to create a signature without revealing their shares to each other. This ensures that the private key is never materialized in a single place; instead, it always exists in a completely “liquid” state eliminating the single point of compromise. Indeed under the MPC technology, a malicious actor now faces a far more difficult task to hack the private key of a user’s wallet and get control of it as he/she needs now to simultaneously attack multiple parties across different locations.
Despite its clear advantages when it comes to securing private keys, MPC has some disadvantages that are worth noting:
Accountability
The introduction of MPC-based wallets raises a serious accountability issue. It is always obvious whose private keys are being used to sign a transaction with non-MPC wallets, making it quite simple to identify the signers of a signed transaction. With MPC-based signatures, however, any combination of the shares always produces the same signature making it impossible to discern which of the shares are used in signing the transaction.
Not sufficiently tested and reviewed
It is noticed that several MPC implementations used today are proprietary and did not undergo sufficient public review or scrutiny with several cryptographic algorithms used in such implementations are never mathematically proven to work. In addition, the vendors of MPC tend to restrict access to their implementation details and the source code with several patent applications already filed making it hard to verify the security or predict the licensing cost.
High computational and communication costs
It is well-known that MPC-based techniques require high computation resources as they rely on complex mathematical operations to achieve a high degree of security including homomorphic encryption and zero-knowledge proofs, a fact that would evidently decrease the performance of MPC protocols. This is further worsened by the need for several rounds of communication among the participating parties to create a signature.
Insufficient decentralization
Multi-Party Computation (MPC) networks often face challenges in achieving sufficient decentralization due to their inherent structural and operational requirements. The primary issue lies in the distribution of computational tasks and decision-making authority among participants. In MPC, while the computation is distributed, it often requires a certain degree of coordination and trust among a limited number of nodes or parties. This can lead to a concentration of control in the hands of a few, rather than a truly decentralized system where power and responsibility are widely dispersed. Additionally, the technical complexity and resource demands of MPC can limit the number of participants able to effectively engage in the network, further centralizing control. As such, despite the distributed nature of computations in MPC, these networks can struggle to attain the level of decentralization seen in other blockchain or distributed ledger technologies, where a larger and more diverse group of participants contributes to the network's operations.
Operational hazard
Because of insufficient decentralization, MPC networks are currently controlled by a few parties that are susceptible to data corruption, network outages, hacks and even permanent decomissioning.
Whether you lose access to your account if the MPC network goes offline depends on the specific design and implementation of the network. The operational hazard is not in your control, but in the hands of the few network operations. In the rare case where the MPC network goes offline permanently without any backup or recovery mechanisms, there could be a risk of losing access to your account indefinitely. This would occur if the shares of the key held by the offline parts of the network are essential for its reconstruction and cannot be retrieved or substituted.
Even if the operators do their best in managing the network, your account is still dependent on the network to be in good shape.
Conclusion
A well-designed MPC network would typically have measures in place to prevent the permanent loss of accounts even if parts of the network go offline. However, the exact risk would depend on the specifics of the network's architecture, the robustness of its contingency planning and the expertize and its operators.
Choose your network with care, conducting thorough research and maintaining a healthy skepticism about entrusting your funds to other. Given that this technology is relatively new and has yet to attain significant decentralization and rigorous testing, it's advisable to approach it cautiously.
