Article predicts five major impacts of secure multiparty computing (MPC) on the blockchain industry in 2020

Note: The original author is Omer Shlomovits, co-founder of the ZenGo team. One of the core technologies of the project is secure multiparty computing (MPC).

Secure Multiparty Computing (MPC) allows independent parties to perform functions on personal confidential data without revealing the data itself. The secure multiparty computing (MPC) has a history of nearly 40 years, and many related cryptographic protocols have been proposed by the academic community, but only recently has this technology achieved practical breakthroughs in the blockchain industry.


This article is a prediction made by the author on the use of MPC in the field of blockchain based on the experience of the past two years and their research results. Please do not rely on these forecasts to make any financial decisions.

Thanks to Ittai Abraham, Vasily Shapovalov, Sascha Hanse, Jake Craige, Cheng Wang, Zaki Manian, and Daniel Benarroch for their useful insights.


(Picture from:

I. Key Management

Up to now, the largest application of secure multiparty computing (MPC) technology in all industries, including the blockchain industry, is key management through threshold signature schemes (TSS). Threshold signature allows the private key to be split between multiple participants, resulting in a multi-signature-like protocol, but for its participants, it is completely local (explanation: in the blockchain scenario, it is completely a chain External processing).

Compared with the traditional single key system or multi-signature system, secure multiparty computing (MPC) has obvious advantages. Most notably, it improves security by removing a single point of attack (a single device) to recover the private key. Another benefit is that it does not require on-chain support. Because of this, businesses that support many cryptocurrencies (they want to use a threshold signature scheme for cold storage of funds) can implement this feature once and can easily add this feature to other cryptocurrencies in the future.

However, we predict that within the next year, there will still be some unresolved issues in the use of the threshold signature scheme (TSS):

  1. Interactivity : Most threshold signature schemes (TSS) available in practice today require all participants to stay online during the agreement. We predict that this can reduce the complexity by changing the way of offline computing, or by changing the security model / assumption. For general threshold situations, support for offline parties will be provided;
  2. Initiative : Most threshold signature scheme (TSS) libraries are designed to assume that users will never change their secret shares. This is not a good way to deal with it, we already know how to solve it. We predict that more and more libraries will support secret rotation, even offline. See PSS offline device blog post ;
  3. Auditability (identifiable suspension): At present, almost all threshold signature (TSS) schemes lack auditability. If the agreement fails, it is difficult to determine who is responsible. We predict that it will be possible to accurately track which signer has failed a calculation. The "blame" phase will be part of the new agreement, see Steven Goldfeder's speech at CESC2019 ;

These issues are common issues for most major signature types currently used in blockchains. However, for some signature types, they may be easier to resolve. Specifically, it is a signature type led by a strong research team such as Blockstream, web3, and Dfinity. We predict that BLS signatures and Schnorr signature research will focus on the availability of various multi-party settings. For example, see Andrew Poelstra's presentation .

Nevertheless, the ECDSA signature scheme will continue to be the king. Due to its application in popular blockchains such as Bitcoin and Ethereum, the signature scheme has attracted the attention of most researchers.

From an implementation perspective, we speculate that the threshold signature (TSS) schemes in the preprocessing model will be sufficiently attractive that they can be implemented in production-level libraries. The preprocessing model assumes that the server can run calculations offline before it knows the message to sign. The ECDSA-specific protocol in this model has been published by researchers on eprint this year.

The trend of using class groups ( groups of unknown order) does not skip the threshold signature (TSS) scheme. This method for threshold signatures (TSS) was first proposed at this year's CRYPTO conference. We predict that the same work will continue in the entire threshold signature case, with two candidate reference implementations.

Regarding the statement that "single protocol will rule everything", we believe that it is unlikely to happen next year, and different security and performance tradeoffs will continue to determine which protocol is best for which application. Within a year's time frame, we also don't think that the standardization work will usher in any practical results.


Some cryptographic protocols require a trusted setting (a single trusted party sets the initial parameters). And secure multiparty computing (MPC) can be used to do the same setup, but it is distributed (trust minimized) or, in some cases, completely trustless.

In 2020, the biggest ceremony we will see is the generation of Ethereum 2.0 (Eth2.0) distributed RSA keys. We speculate that the ceremony will be successful and will be recorded as the largest dishonest majority MPC ever. Once the code and research paper are made public, we expect that it will launch follow-up work in an attempt to provide a better security model and efficiency than the original Eth2.0 model. We will hope to see more blockchains use the same ritual form as this event, or learn from other innovations.

One of the major innovations is the use of semi-trusted coordinators to facilitate communication between participants, which also reduces the burden of some homomorphic computing in the network.

We predict that this communication model will gain greater visibility, which will lead to the development of distributed computing.


Excerpt from presentation by Eth2.0 researcher Justin Drake at Devcon 2018

There is also a more common type of ritual that can be used to generate public parameters for zk-SNARKs that require trusted settings.

Inspired by the success of the Zcash Sapling rituals, which use a new MPC protocol , there are several other teams performing these rituals (though the requirements are different). Specifically, there are currently four ongoing MPC ceremonies, which are held on the Aztec, Loopring, Filecoin, and Ethereum platforms. We look forward to seeing more ceremonies in the coming year, especially around the latest developments in zkSNARKs, which have universal and updatable parameters (basically one-time trusted settings) and their importance in blockchain settings Sex. All these types of SNARKs and applications will be discussed at the third ZKProof seminar next year.


Since BLS supports non-interactive signature aggregation, it will continue to be the main candidate for threshold-based cryptographic consensus.

Although BLS signature is simple and elegant, it is based on paired cryptography, which is a new cryptography technique we are used to in Byzantine Fault Tolerance (BFT) systems. In general, we would say that BFT implementers would actively consider using a threshold cryptosystem in their design. Perhaps it will even become the cornerstone of the next-generation BFT consensus system. Specifically, for BLS signatures, we hope that the ongoing standardization work will end.

However, we are skeptical that we will see a brilliant consensus layer based on threshold BLS next year.

There is still too much activity to sort out, but we believe some research and code is available. See the Algorand reference code for the draft BLS standard;

Fourth, Layer 2

In blockchain applications such as lottery and poker, the MPC toolbox has played a very good role in the past few years.

We are likely to see that, as in previous years, some new theories about blockchain and MPC will emerge. However, we do not expect them to have significant practical utility.

We predict that the homomorphic time lock problem raised at the CRYPTO conference this year will play an important role in the new development of the layer2 protocol. Other secret sharing-based constructs may also be released. For wallets based on the threshold signature (TSS) scheme, some new exciting possibilities have been opened up on how to implement the layer2 function.

Another area of ​​concern is the Watchtower , which attempts to improve the availability and security of protocol participants by reducing the need to stay online during the entire protocol execution process. For example, in the case of the Lightning Network channel, this is done by the participants sending status updates to the Watchtower, and then actively paying attention to potential malicious counterparties trying to publish outdated channel status. We expect this type of research to get more Much attention, and MPC technology seems to be an ideal candidate solution, which can support the Watchtower.

The Threshold Signature (TSS) scheme has found a way to layer 2, which is an alternative and dedicated channel construction method. However, we don't think it will be adjusted next year, nor will it be included in the implementation of Lightning Network.

Finally, the Threshold Signature (TSS) scheme was first applied this year to implement a decentralized anchor chain ( tBTC ). We assume that the tBTC network code will be open source next year, and it is expected to see the release of its mainnet.

Five, the new front of MPC

5.1 Identity

This is not a new field, but we see more and more applications of MPC in decentralized identity management (DID). We expect that several companies will provide DID and authentication services by the end of the year, some of which will use it as a new perspective on key management, and some companies will provide identity management services in a broader context. Including distributed biometrics.

5, 2 Side channel

In cryptography, to avoid revealing secrets during execution, it is usually best to let the implementation run for a constant time. It is unclear in what sense the MPC code can become constant time and what it means. Because the MPC system supports high value, we expect to take some preliminary steps to better understand this area. In addition, secret sharing programs to prevent program leakage will also make progress, but mainly at a theoretical level. We do not expect significant progress in this regard next year.

5, 3 MPC + security hardware

Another revolution that coincided with the rise of MPC was the use of Secure Enclave (SE), which has now become a mobile and desktop product. We expect that in the coming year, we will see some clever solutions that combine the advantages of threshold signatures (TSS) and SE security, especially multiple RISC-based SE architectures are being formed (see Keystone ).

5, 4 PSI

Private set intersection ( PSI ) is a privacy enhancement technology that can be used to find the intersection between two sets without exposing any elements outside the set. Google recently released the open source code for PSI , and we predict that next year the PSI solution will find its application in the field of blockchain privacy solutions.

6. Conclusion

We recently announced the establishment of a Secure Multiparty Computing (MPC) Alliance , a cross-industry non-profit organization whose mission is to accelerate the adoption of MPC. Of the current 26 member companies, we have calculated that more than half of the members are from the blockchain field. This is a clear signal for us that the first killer feature of MPC will come from this industry.


(Photo from:


Excerpt from

We look forward to seeing more of this exchange in academia and industry.

Overall, for people working for blockchain infrastructure, we predict some exciting moments that will be achieved through cutting-edge cryptographic techniques.