At Zengo one of our core technologies is secure multiparty computation (MPC). MPC wallets allow independent parties to execute functions over individually secret data without disclosing the data itself. MPC has been carefully studied and developed over the last 4 decades, with a multitude of cryptographic protocols proposed by academics (ranging from mental poker to secret coding protocols) but only recently the technology has made its practical breakthrough into blockchain industry. For the past several years we have been witnessing a growing body of companies using applied scientific contributions in the field to support various use cases in the blockchain space. At Zengo we use threshold signatures (TSS) to support our key management solution and we are actively researching and implementing a plethora of MPC protocols as part of our research team, to be incorporated eventually in our MPC wallet.
Disclaimer
We deliver these predictions on the usage of MPC in the blockchain space based solely on our view of the industry over the past two years and our research roots in academia. Please do not rely on these predictions to make any financial decision.
We would like to extend our thanks to Ittai Abraham, Vasiliy Shapovalov, Sascha Hanse, Jake Craige, Cheng Wang, Zaki Manian and Daniel Benarroch for helpful insights.
Key Management
The biggest use case to date for MPC, not only in the blockchain industry, but throughout all industries, is for key management via TSS. Threshold signatures allow for a private key to be, so to speak, divisible between multiple participants, resulting in a multisig-like protocol but entirely local to its participants (i.e. entirely offchain for blockchains). MPC provides clear advantages over the classic single key systems or the traditional multi-signature. Most notably, improved security by removing the single point of attack (a single device) to recover the private key. Another benefit is that it requires no on-chain support. Because of this, businesses supporting many cryptocurrencies, which wish to store cold funds with TSS can do so by implementing it once, then easily reuse that work for others in the future. However, there are still some open issues with using TSS that we predict will get major improvements over the course of the next year:
- Interactivity: Currently most TSS schemes available in practice require all participants to stay online for the duration of the protocol. We predict round complexity will decrease by moving some computation offline or by way of changing the security model/assumptions. Support for offline parties will become available for the general threshold case
- Proactivity: Most TSS libraries are designed in a way that assumes the user won’t ever change its secret share. This is not considered a good security practice and we have known ways to do this with MPC. We predict more and more libraries will support secret rotation, even for offline parties. See PSS with offline devices blog
- Auditability (identifiable abort): Almost all TSS schemes lack accountability: if the protocol fails, it’s hard to tell who exactly is to blame. We predict it will become possible to trace exactly which signer failed the computation. A “blame” phase will be incorporated as part of new protocols. See CESC2019 talk by Steven goldfeder
These problems are common to most major signatures types used in blockchains today. However, they might be easier for some signature types. Concretely, led by strong research teams such as Blockstream, web3 and Dfinity, we predict that BLS and Schnorr signatures research will focus on usability for various multiparty settings. For example see Andrew Poelstra’s talk. ECDSA will continue to be the king, attracting most of the focus of the research community due to its use in popular blockchains like Bitcoin and Ethereum.
From implementation perspective we conjecture that a TSS in the pre-processing model will become attractive enough to become implemented in production grade libraries. The pre-processing model assumes that servers can run computation offline before they know the message to sign. Dedicated protocols for ECDSA in this model have been published on eprint this year.
The trend of using class groups (groups of unknown order) did not skip TSS. This approach for TSS was presented first at CRYPTO this year for the two party case and we predict the same line of work will continue for the full threshold case, together with a couple of candidate reference implementations.
We do not believe that a one protocol “to rule them all” will become apparent next year and that different security and performance tradeoffs will continue to set which protocol works best for which use cases. We also do not see in the 1year horizon the standardization efforts that started carrying any practical fruits.
Ceremonies
Some cryptographic protocols requires a trusted setup (a single trusted party setting initial parameters). MPC can be used to do the same setup but in a distributed (so trust-minimized) or, in some cases, entirely trustless manner. The biggest ceremony we will see this year will be the Ethereum 2.0 (Eth2.0) distributed RSA key generation. We conjecture this ceremony will be successful and will be recorded as the largest dishonest majority MPC ever made. Once the code and research paper will become public, we predict it will initiate follow up works trying to offer better security model and efficiency than the original Eth2.0 model. We will hopefully see more blockchains use the same ceremony format or borrowing other innovations from this one time event. One main innovation is the use of a semi-trusted coordinator to facilitate communication between the participants and which also offload some of the homomorphic computations from the network. We predict this communication model will get greater visibility which will lead to improvements taken from the world of distributed computing.
There is another, more common type of ceremony, that is used to generate public parameters for zk-SNARKs that require a trusted setup. Inspired by the success of the Zcash Sapling ceremony, which utilized a novel MPC protocol, there are several other teams performing these ceremonies (albeit different requirements). Specifically, today there are four on-going MPC ceremonies, with Aztec, Loopring, Filecoin and Ethereum. We expect to see more ceremonies in the coming year, especially around recent advancements in zkSNARKs that have universal and updateable parameters (essentially a one-time trusted setup) and their importance in blockchain settings. All these types of SNARKs and applications will be discussed at the 3rd ZKProof Workshop next year.
Consensus
BLS will continue to be the dominant candidate for consensus based on threshold cryptography due to its support for non-interactive signature aggregation (one of the open issues mentioned above). While simple and elegant, BLS is based on pairing based cryptography which is a new level of cryptography from what we got used to in byzantine fault tolerance (BFT) systems. In general we would say that BFT implementers will consider positively the usage of threshold cryptography in their design. Perhaps it will even become the cornerstone of the next generation of BFTs. Concretely, for BLS we hope that on-going standardization efforts will conclude, including treatment of multiparty settings which is considered easier with BLS. However, we are skeptical we will see a threshold BLS based consensus layer in all its glory in the next year. There are still too many moving parts to sort out, but we certainly predict that some research and code to play with will be available. See Algorand reference code to BLS draft standard
Layer2
The MPC toolbox served well in the last few years to find ways to achieve fairness in applications on top of blockchains, lottery and poker to name a few. We will likely to see, as in any year, some new theoretical results on MPC over blockchains. However, we do not estimate they will produce significant practical utility.
We predict that homomorphic time lock puzzles, presented at CRYPTO this year will play a major role in new developments of layer2 protocols. Other secret sharing based construction will probably be published, opening some new exciting possibilities in how TSS based wallets can achieve layer2 capabilities.
Another interesting area to look after is Watchtowers, which try to improve usability and security for protocol participants by alleviating the need to stay online during the entire execution of a protocol. For example, in the case of lightning channels, this is done by participants sending state updates to a watchtower, which then actively watches for a potentially malicious counterparty trying to publish outdated channel states We predict that they will get more attention in general and MPC seem like an ideal candidate to support some flavours of them.
TSS has found its way to layer2 in the form of an alternative way for channel constructions. However, we do not assume it will be adapted in the next year or be incorporated in lightning implementations.
Finally, TSS was first used this year to achieve decentralized pegged chain (tBTC). We assume next year the tBTC network code will become open source and hope to see a mainnet launch.
New Fronts
Identity
This is not an entirely new front but we see a growing usage of MPC for decentralized identity management (DID). We predict DID and authentication will be offered by several companies before the end of the year, some as a new angle for key management, some to provide identity management in the broader context. This includes distributed Biometric identity.
Side channels
In cryptography it is usually a best practice have implementations run in constant time to avoid leaking secrets during execution. It is not clear in what sense MPC code can become constant time and what the implications are. Motivated by the high monetary value put behind MPC systems, we predict that some preliminary steps will be taken to understand this field better. In addition, schemes to prevent leakage from secret sharing schemes will also make progress, mainly from a theoretical perspective. We do not predict significant progress made in implementations on this front in the next year.
MPC + secure HW
Another revolution, that happened in parallel to the rise of MPC, is the use of secure enclaves (SE), which nowadays have become a commodity in mobile and desktops. We predict that within the next year we will see some clever hacks on combining security advantages of both TSS and SE, especially with multiple RISC-based SE architectures taking form (see Keystone).
PSI
Private set intersection is privacy enhancing technology for finding intersection between two sets without exposing any element outside the sets. Google recently released open source code for PSI. We predict PSI will find its utility in the blockchain space this year in the area of privacy solutions.
Conclusions
We recently announced the MPC Alliance, a cross industry non-profit with the mission to accelerate MPC adoption. Out of current 26 member companies we counted more than half operating in the blockchain space. This is a clear signal for us that MPC first killer feature will come from our industry.
Overall we predict exciting times, full of cutting edge cryptography, for anyone who’s working on blockchain infrastructure and low level. To learn more on MPC we invite you to join our humble research telegram group or to visit our github playground .
Happy and secure new year,
Team Z.