Why I Would Not Participate in an MPC Wallet

The personal liabilities associated with multi-party computation (MPC) based wallets are so great I don’t see how I (or anyone) could ever participate in an MPC wallet.

No Accountability

The core problem with MPC is an architectural one. MPC does create a mechanism whereby multiple people each hold an independent share of a key, which eliminates single points of failure. But the signature it produces is a single signature under the shared key, and it carries no record of who participated in signing the transaction. MPC therefore offers no accountability.

Imagine you create a 4-of-7 MPC wallet with 7 people participating, and 4 required to authorize a transaction. What if, unbeknownst to you, 4 of the other people holding key parts in the MPC wallet decide to steal the money? Because MPC does not offer signature accountability, no one can be certain who participated in the transaction.  As such, even though you had nothing to do with the crime, you’re now a suspect, and it may take months or years to clear your good name.

Co-Signers Make MPC Even Worse

Vendors offering MPC services and co-signing dismiss this vulnerability and claim, “don’t worry, we keep track of who participated and will log all accesses to the signing process”.  In other words, even though no one can determine who participated in the transaction from the signature itself, the vendors claim that they know the answer within their application logs. Thinking about this carefully, you’ll realize this makes the vulnerability even more severe.

With the vendor as a co-signer, you can now imagine the same attack scenario as above, where 4 of the other participants on the wallet collude to steal the money. In this case, however, imagine that one of the perpetrators is a rogue employee at the MPC vendor itself. In this scenario, you have no assurance that the MPC vendor isn’t modifying its application logs and data. Worse, since you are already a suspect, the rogue employee or the vendor can now frame you for the crime. How would you defend yourself in this scenario? They hold all the cards: the data, the logs, and the technology. Unless you’re a cryptography expert, it will be extremely difficult to defend against them.

Conclusion

MPC vendors forget that accountability is a critical part of security, trust, and safety in a multi-user system. Participants on MPC wallets need to be very careful that they can fully trust all of their MPC wallet co-participants. This may not seem like a large risk if your wallet balances are small. But these vendors are encouraging MPC for protecting billions of dollars of assets. 

Multi-signature systems, by contrast, offer all of the benefits that MPC systems offer, but without any ambiguity of accountability. In a multi-signature system each signature is checked against a specific participant’s public key, so everyone on the blockchain can publicly see that you did not participate in the transaction, without a shadow of a doubt.
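The contrast drawn in the two passages above (the 4-of-7 accountability problem, and the multi-signature alternative) can be made concrete in code. The following is an added example, not code from the original post or from any MPC vendor, and it uses only the Python standard library: Lamport one-time signatures (a real hash-based signature scheme) stand in for ECDSA or Schnorr, and Shamir secret sharing of the signing seed stands in for a threshold MPC protocol. The one deliberate simplification is that `group_sign` reconstructs the seed from a quorum, whereas real MPC never reconstructs the key; the externally visible result is the same in both cases, a single signature under a single group public key. The 4-of-7 layout, participant numbering, seed size and transaction bytes are all constructed for the demonstration.

```python
import hashlib
import secrets

# Field for Shamir sharing: 2**127 - 1 is a Mersenne prime (constructed choice).
P = 2**127 - 1


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# ---- Lamport one-time signatures (hash-based, stdlib only) ----
def lamport_keypair(seed: bytes):
    # Derived deterministically: the same seed always yields the same key, so any
    # quorum that recovers the shared seed produces an identical signature.
    sk = [[_h(seed, i.to_bytes(2, "big"), bytes([b])) for b in (0, 1)]
          for i in range(256)]
    pk = [[_h(x) for x in pair] for pair in sk]
    return sk, pk


def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> bytes:
    # One-time scheme: never sign two different messages with the same key.
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def lamport_verify(pk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 256 * 32:
        return False
    return all(_h(sig[32 * i:32 * i + 32]) == pk[i][bit]
               for i, bit in enumerate(_bits(msg)))


# ---- Shamir t-of-n sharing of the group seed ----
def shamir_split(secret: int, t: int, n: int) -> dict:
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {x: sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}


def shamir_recover(shares: dict) -> int:
    # Lagrange interpolation at x = 0 over any t shares.
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


# ---- MPC-style group key: one public key, one signature, no attribution ----
def group_setup(t: int, n: int):
    seed_int = secrets.randbelow(P)          # fits in 16 bytes since P < 2**127
    _, group_pk = lamport_keypair(seed_int.to_bytes(16, "big"))
    return shamir_split(seed_int, t, n), group_pk


def group_sign(quorum_shares: dict, msg: bytes) -> bytes:
    # Stand-in for MPC signing (real MPC never reconstructs the key): the
    # output is one signature under the one group public key either way.
    seed_int = shamir_recover(quorum_shares)
    sk, _ = lamport_keypair(seed_int.to_bytes(16, "big"))
    return lamport_sign(sk, msg)


# ---- Multi-signature: one key per participant, every signature attributable ----
def multisig_setup(n: int):
    keys = {i: lamport_keypair(secrets.token_bytes(16)) for i in range(1, n + 1)}
    return ({i: sk for i, (sk, _) in keys.items()},
            {i: pk for i, (_, pk) in keys.items()})


def multisig_sign(sks: dict, signer_ids, msg: bytes) -> dict:
    return {i: lamport_sign(sks[i], msg) for i in signer_ids}


def multisig_verify(pks: dict, msg: bytes, sigs: dict, t: int):
    # Returns (participants whose signature verifies, whether the quorum is met).
    signers = {i for i, s in sigs.items()
               if i in pks and lamport_verify(pks[i], msg, s)}
    return signers, len(signers) >= t


def demo(msg: bytes = b"constructed tx: move all funds to an outside address"):
    # 4-of-7 as in the article; participant 1 is the honest member who never signed.
    shares, gpk = group_setup(4, 7)
    sig_with_1 = group_sign({i: shares[i] for i in (1, 2, 3, 4)}, msg)
    sig_without_1 = group_sign({i: shares[i] for i in (4, 5, 6, 7)}, msg)
    indistinguishable = (sig_with_1 == sig_without_1
                         and lamport_verify(gpk, msg, sig_with_1))
    sks, pks = multisig_setup(7)
    signers, ok = multisig_verify(pks, msg, multisig_sign(sks, (4, 5, 6, 7), msg), 4)
    return indistinguishable, signers, ok


if __name__ == "__main__":
    ind, signers, ok = demo()
    print("group signature identical for both quorums:", ind)
    print("multisig quorum valid:", ok, "signers:", sorted(signers))
```

Running `demo()` shows the point in one go: the group signature produced by the quorum that includes participant 1 is byte-for-byte identical to the one produced by the quorum that excludes them, and both verify under the same group public key, so the signature itself can never clear participant 1. The multi-signature record, verified key by key, returns the exact set `{4, 5, 6, 7}`, which is the public evidence of non-participation the article describes.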

I don’t see why anyone participating in the security of assets would even consider using MPC without multi-signature.  The personal risk for the users of the MPC system is massive, and is simply beyond tolerances as the asset values go up.

Proprietary Cryptography

One of the best things about the growth of Bitcoin is how it has propelled research and development in cryptography. What was once a relatively sleepy field of computer science has now become one of the most popular areas of study. There is no doubt that this additional research will yield great advances in the coming decades. But cryptography differs from other computer science disciplines in that there is no margin for error, especially if that cryptography is being used to secure money or digital assets. Unfortunately, the growth of Bitcoin has also fueled a new wave of rushed cryptography. Rushed cryptography is brand new cryptographic technology that hasn’t had sufficient peer review or testing, yet is being promoted as the new panacea to all your hacking woes.

The creators of rushed cryptography always know that they rushed it.  They know they haven’t done sufficient testing or peer review. Testing takes months to years and peer review takes years to decades.  Excited to launch products with their new technology, combined with a little hubris and a little ambition, rushed cryptographers use their new algorithms prematurely. While they make bold claims and brag about the awesomeness of their creation, internally, the rushed cryptographer is actually full of fear – fear that someone will find a bug, a hole, or a problem before they do.  To prevent this from happening, they fall back on the oldest trick in the book: they make it proprietary.

What is proprietary cryptography? Nobody knows except the creator, the same one that is now trying to sell you his product. The creator says they tested it. They hired PhDs, experts and mathematicians to attest that they did a great job. They hired security auditors and code reviewers. But did they? How can you know? How can you possibly use this to secure assets worth millions?

OWASP (the Open Web Application Security Project) has this to say about proprietary cryptography: “Proprietary encryption algorithms are not to be trusted as they typically rely on ‘security through obscurity’ and not sound mathematics. These algorithms should be avoided if possible.”

Remember Schneier’s Law: “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.”

It is an exciting time for cryptography, computer science, and digital assets.  But one of the best things about Bitcoin is that it relies on stable, steady, known algorithms.  This conservative development helps the system, builds trust, and is known to be secure. To those that are rushing new crypto, don’t forget peer review and open source implementations: this is money!