Research | Multi-signature and Multi-party Computing: Which is more secure?

Mike Belshe

This article was originally compiled by the Coin Trust Research Institute, the original link:

https://blog.bitgo.com/multi-sig-vs-mpc-which-is-more-secure-699ecefc8430

The copyright of this article belongs to the original author, which only represents the author's own opinion, and does not represent the opinion or position of Cointrust or the Cointrust Research Institute.

This article is about 2500 words and it takes about 6 minutes to read the full text.

Due to its strong security and strong authentication features, we have been advocating the use of multi-signature wallets for more than six years. However, we have been evaluating the progress of new encryption technologies, and in recent months, a new technology called multi-party computation (MPC) has been frequently cited. Multi-party computing provides a powerful alternative to Shamir's Secret Sharing (SSS). Some wallet providers believe that multi-party computing may be more secure and easier to use than multi-signature technology. In this article, we will describe multi-party computing and how it differs from multi-signature wallet security. We believe that the use of multi-party computing in combination with multi-signature technology can provide practicality, but we do not believe that it is currently a sensible alternative to multi-signature technology.

Multi-party computing background

Multiparty computing is a relatively new encryption method that can divide a private key into multiple parts. It is often compared to a technique called Shamir's secret sharing, which has been around since the late 1970s for splitting a single private key into multiple parts. The key concept between the two technologies is that the private part of a key pair can be divided into N parts, so in order to create a signature using a private key, M of these parts need to be put together. This type of technology is called M-of-N, where M of the N total sections protect the underlying data.

Like multi-signature technology, Shamir's secret sharing and multi-party computing can help mitigate two key risks:

  • theft

If less than M parts are stolen or hacked, it is impossible for the adversary to generate a valid signature

  • loss

In most cases (M is less than N), a part of the unintentional loss can be made up by the spare part.

Compared with Shamir's secret sharing, multi-party computing has an important advantage. For Shamir's secret sharing, before using it for signature, it is necessary to reassemble the independent part of the key on a single machine. This creates a single point of failure on the machine where the keys are reassembled. In contrast, multi-party computing does not require reassembling parts on a single machine. Instead, each part can be used for a mathematical function on a separate machine, and the signature is valid only after applying M parts to this mathematical function. This allows each part to remain completely separated and avoids a single point of failure.

An interesting benefit of Shamir's secret sharing and multiparty computing is that they can be used without the blockchain knowing that they have been exploited. This is significant for some blockchains (such as Monero) that do not yet provide native multi-signature capabilities, because multi-party computing signatures can be applied externally.

Comparison with multi-signature

From a functional perspective, a multi-signature wallet that uses an M-of-N key for each signature wallet is similar to a multi-party calculation-based wallet that uses the M-of-N portion of a single-signature wallet as the key. The difference is that a multi-signature wallet will protect the wallet with a unique signature generated by different private keys, while multi-party calculations only use to create a single signature, regardless of the number of private key parts involved.

Signature accountability

Multi-party computing-based wallets introduce a major problem that does not exist with multi-signature wallets: accountability. For multi-signature wallets, we always know which private keys are used to sign transactions. This is important because we usually assign a single private key to a specific individual and knowing who is involved in signing a transaction is critical. However, using signatures based on multiparty calculations, we cannot distinguish which key part was used to sign the transaction. After the multi-party calculation is complete, all signatures look the same.

Accountability doesn't sound like a huge disadvantage, but it is crucial in the currency system, especially when considering the differences in people and storage types that are typically used for various parts of keys:

  • personnel

The keys may be stored by different people. If the keys are stored by company executives (CEO, CFO, CSO, etc.) and 2 of them conspired to commit burglary, how will investigators know who the criminals are? How will innocent executives defend themselves when asked who signed the deal?

  • Geography

The keys may be stored in several separate locations. If you need 3 private keys stored in 5 locations, a key part of forensics is knowing which locations are involved in the transaction.

  • Multi-agency

Security key material can be stored at several separate companies. A common practice today is to provide backup keys to independent parties in independent companies. When the backup key can be clearly identified, as with multi-signature security, the owner of the funds will not be able to steal the funds from the backup holder. However, if accountability is removed from multi-party calculations, backup holders will be reluctant to hold backup keys because it cannot be distinguished whether backup key holders have participated in fraudulent transactions.

Peer review

Many of today's multi-party computing implementors are using proprietary implementations and methods with limited public review or no at all. As Schneier puts it in "On Security" (https://www.schneier.com/blog/archives/2011/04/schneiers_law.html): "From the most clumsy amateur to the best cryptography Home, anyone can create an algorithm they can't crack. "Unfortunately, many encryption algorithms have never proven mathematically effective-instead, cryptographers rely on peer review before accepting that the algorithm is trustworthy and secure And sufficient review time (in years or decades). Because the elliptic curve digital signature algorithm (ECDSA) multiparty computation is too new, vendors are reluctant to share their algorithms, source code, and implementation details. The current implementation has filed many patent applications, which may further limit the use of these tools. The lack of transparency and attempts to restrict access to these algorithms makes it impossible to verify their correctness or security, or to predict possible license costs.

In contrast, multi-signature technology is tried and tested. It uses well-known, scrutinized algorithms and has multiple implementations. Multi-signature-based wallets do not bear additional encryption risks, they use simple encryption algorithms that have been rigorously reviewed and understood in practice.

Lack of hardware security module (HSM) support

Similarly, the problem with multiparty-based signatures is the lack of industrial-grade hardware security modules (HSMs) that support the technology. Although hardware security modules have been used by financial institutions to protect private keys for decades, current hardware security modules do not support new multiparty computing encryption. Security experts have long recognized that key security must be stored and accessed exclusively through hardware security modules to maintain basic security, and multi-party computing is no exception. The key or part of the key must be stored securely. If multi-party computing implementers do not build a customized hardware security module for their technology, we can say that it is less secure than a single key system.

Impact on cold storage and hardware security module requirements

Some proponents of multiparty computing have suggested that multiparty computing eliminates the need for "cold storage", but this is not the case.

"Cold storage" refers only to any wallet where private keys are stored offline. Similarly, "hot storage" refers to wallets that store private keys online. Regardless of whether one or three private keys are used, whether or not multi-party computing is used, the requirements for protecting private keys are exactly the same.

The truth is that hackers continue to haunt the industry. Facebook has been hacked. Google has been hacked. The US government has been repeatedly hacked. If the multi-party computing private key portion is stored online, they are as vulnerable to hacking and theft as any other data stored online.

in conclusion

In summary, the most powerful security of digital wallets today is still multi-signature wallets. By dividing one or more private keys into multiple parts, multiparty computing can be used to enhance existing multisignature schemes. For example, if three people are used to protect a 2-3 multi-signature wallet, each of these three users can use multiparty calculations to subdivide their private keys and store their multiparty calculation key parts on separate machines . However, full reliance on multi-party computing technology without multi-signature protection reduces security protection and significantly eliminates transaction-time accountability.