Secure Multiparty Computation (MPC) is a technology that has gained widespread adoption for both data privacy and protection applications. This article is an update to a blog originally posted in 2021, which focuses on the use of secure MPC to protect cryptographic keys used for practical enterprise key management applications.
Historically, key management was complex, inflexible, and expensive. Enterprises need key management solutions that easily support operational requirements such as:
· elastic scaling of capacity and performance,
· rapid integration into new applications and services,
· DevOps agility, rapid deployment of pilots and prototypes,
· migration of data or applications to public or private cloud instances,
· geographic expansion and multi-jurisdictional deployments,
· compliance with jurisdictional privacy and security mandates.
All too often, the rigidity of key management solutions inhibits the ability of enterprises to embrace change and respond to new opportunities.
Key management systems (KMS) that rely on hardware-based root-of-trust elements offer good security, but can require weeks to months to order, physically install and commission. Traditional pure-software key management systems are more flexible and scalable, but lack the level of security that enterprise-grade services require. Cloud service providers offer cloud-hosted key management services, optionally backed by Hardware Security Modules (HSMs). The challenge is that each provider has its own key management solution, resulting in increased cost and complexity. Collectively, no ideal solution was available until relatively recently.
Secure MPC can provide key management and protection with the levels of security associated with the most advanced hardware security modules, but with the agility, scalability, and efficiency of software-based solutions. Secure MPC can also support key management across multiple cloud and enterprise locations, making it an ideal platform for almost any application.
Secure Multiparty Computation (MPC) is a cryptographic technique that enables multiple parties to jointly compute a function of their private inputs, without requiring them to share their private information with one another or any other party(1). For enterprise key management applications, the multiple parties may be two or more virtual servers that securely generate, store, and use their own share of a private key to provide a cryptographic service. Their “joint computation” may be to produce a complete key on a client application, for use locally by the client; or to provide encryption, decryption or signature services within the virtual key management system without egressing any key shares or ever creating a complete key.
In many ways, the secure MPC system can be thought of as a key management system (KMS) and a virtual HSM in one combined system. Keys are created and stored in a highly secure manner in the form of distributed key shares, and they can be used to provide cryptographic services without ever egressing the key shares from the secure MPC system, much like an HSM. Alternatively, the system may export key shares for client-side assembly to create a full key for local use by the client, much like a KMS. One important difference is that no complete key ever exists on any single server or virtual machine that makes up the secure MPC system. As a result, no single party can be compromised to yield the keys or allow the keys to be misused.
In an ideal world, secure storage and use of keys would be assured using existing security technologies and operational practices. Unfortunately, we live in an imperfect real world, where good people make operational mistakes, where bad actors or compromised parties design deliberate attacks, and where security systems inevitably become compromised. This is where secure MPC is required.
Secure MPC eliminates the existence of a complete key in the possession of any single physical or virtual machine associated with key management operations. As a result, there is no single party that could be corrupted or otherwise compromised to yield access to the keys. The result is an entirely software-based system that, when properly implemented, satisfies FIPS 140-3 L2 or better validation criteria to provide a far more agile and secure key management solution than any conventional alternatives.
The security of Multiparty Computation (MPC) is based on the model that no single party ever possesses an entire secret, eliminating the threat that the compromise of a single party could result in disclosure of the secret. But that alone is not sufficient to fully trust in the security of MPC(2).
Secure protocols must withstand adversarial attacks, where an adversary controls one or more of the parties in the computation. To achieve this, secure MPC implementations require threshold protocols and often other mechanisms to assure the following attributes, even if some of the parties are or become corrupt:
· Privacy (ensuring no private data is disclosed or can be derived)
· Correctness (ensuring outputs are trustworthy)
· Guaranteed Output Delivery (even in presence of DoS attacks)
· Fairness (all parties receive the output, or no one receives the output)
· Other requirements may exist for certain applications
Secure Multiparty Computation (MPC) protocols can be developed using many different techniques. The preferred techniques vary depending on operational and adversarial models, and desired optimizations(3). Following are examples of common techniques to use secure MPC for key management and protection.
Shamir’s Secret Sharing (SSS) is a cryptographic algorithm developed by Adi Shamir in the late 1970s. It is a form of secret sharing where a secret, such as a private key, is divided into multiple parts called shares and can be recreated from fewer than all of the shares. With SSS, shares are distributed to different parties so that no single party possesses the full secret, minimizing the risk that a single party could become compromised and disclose the secret.
Threshold cryptography builds on Shamir’s secret sharing model to enable a set of parties to carry out a cryptographic operation such as providing key shares to an authenticated client to conduct cryptographic operations locally, or encrypting or decrypting a document inside the system, without ever creating a complete key and never egressing any key shares.
Threshold cryptography and Shamir’s Secret Sharing can be designed to enforce specific security models and operational criteria. As an example, certain implementations may include the ability for a subset of parties to continue to provide full operations and cryptographic services even when up to a defined threshold of t parties become corrupted. In conventional security systems, the compromise of a single key server or HSM would yield access to large numbers of keys, resulting in a major security event. Secure MPC using threshold cryptography protects against the reality that individual system components will eventually become compromised and secure operations must continue.
Secure Multiparty Computation (MPC) is a cryptographic technique that can be used to protect cryptographic keys for any key management application. Secure MPC achieves superior key security through a combination of attributes:
1. Secure Even When Corrupted: Secure MPC can be designed to maintain reliable operations, with privacy and correctness, in the presence of different types of adversaries and different corruption strategies. This ensures that key integrity is maintained and operations continue, even if a malicious third-party gains access to and corrupts the key shares stored by up to a threshold of t parties. Nearly all alternative security schemes become inoperable or ineffective when an adversary is present within the trusted environment.
2. No Complete Key Ever Exists on Any Key Server or HSM: Secure MPC never generates a complete private key on any key management-related machine, at any time, throughout the entire lifecycle of a key. Instead, keys are generated by secure MPC, in the form of distributed key shares, which reside on different clouds or virtual machines, ideally in different networks under different administrative domains. Such decentralized models greatly reduce the potential for multiple systems to be compromised concurrently, mitigating the potential for key theft or misuse.
3. Options for Internally Provided Cryptographic Services, Never Egressing Any Keys or Key Shares: For compliance reasons, some applications may require that certain content may only be encrypted, decrypted, or signed within the confines of a FIPS 140-3 system. Secure MPC can support this operational model by providing all cryptographic operations in a distributed multiparty model, where the parties are different virtual subsystems of the complete system. In addition, the system can be designed so that no single subsystem party ever has visibility to a complete plaintext document, providing an increased level of security over traditional HSMs.
4. Options for Client-Side Cryptographic Services: Many applications require cryptography and key management services to run transparently, with no perceptible delays to end-users. Such applications may require remote client systems to use keys locally. Secure MPC can provide this capability with unique security attributes, where key shares are only recombined and accessible on an endpoint while the associated encrypted document is present.
5. Multiple Party Approval: Secure MPC natively supports multiparty approval models for signature services. Each party in possession of a key share can act as an MPC approver. The practice of requiring multiple MPC approvers mitigates the risk that an internal bad actor gains access to a full key and uses it fraudulently. Secure MPC systems can be designed to require multiple parties or quorums of parties to satisfy their security and compliance policies before an MPC party grants its approval and generates a partial signature. It can also be designed to mandate that certain parties be required for any m of n quorum approval scheme.
6. Secure On-line or Off-line Signature Generation: Secure MPC allows each party to use its share of a key to generate a partial signature within the machine securing the key share. Signature generation may be performed on devices that are air-gapped for compliance reasons, then later moved to an on-line system through secure devices or other means in order to complete a transaction. The key share is never accessed by or presented to any other system to generate the partial signature, so the key share never leaves the party’s machine. Only the partial signature is exported from the machine. When enough parties have generated and exported partial signatures, they are combined to create a full signature. Through this process, the key share is never disclosed to any other party and never leaves the security of the machine on which it was created.
7. Key Share Rotation (or Refresh): Private keys are binary numbers that are often represented using hexadecimal strings. Secure MPC key shares are simply different combinations of mathematical values that are used as inputs to a joint computation to equal the cryptographic private key value. The combination of key shares, each representing a numerical value, can be changed at any time, without changing the actual private key. By rotating or refreshing these key values we reduce the probability that a malicious party could compromise enough parties’ machines to derive the key. Depending on the preferred MPC security model, automated key share refresh may or may not be a requirement. Secure MPC key shares support key share rotation without changing the actual public-private key combination, which eliminates many potential administrative complexities while maximizing security.
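As an added example that is not part of the original article or Blockdaemon's code, here is a minimal Shamir split and Lagrange reconstruction over a prime field (the technique described under Shamir's Secret Sharing above), followed by the share refresh described in item 7: every share value changes while the secret at x = 0 stays fixed, and old and new shares cannot be mixed. The prime P, the parameters n = 5 and t = 3, and the helper names are assumptions chosen for the demo.

```python
# Added example (not the article's code): Shamir secret sharing over a prime
# field, plus proactive share refresh that changes every share without
# changing the shared secret. P and the n/t parameters are constructed.
import secrets

P = 2**127 - 1  # Mersenne prime; the "private key" is an integer in [0, P)

def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_secret(secret, n, t):
    """Return n shares (x, y); any t reconstruct secret, t-1 reveal nothing about it."""
    if not 1 <= t <= n or not 0 <= secret < P:
        raise ValueError("bad sharing parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange-interpolate the sharing polynomial at x = 0 from t shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^-1 via Fermat
    return total

def refresh_shares(shares, t):
    """Proactive refresh: add shares of a random polynomial whose constant term is 0.
    Each party's share value changes, but the secret at x = 0 does not."""
    zero_coeffs = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, (y + _eval_poly(zero_coeffs, x)) % P) for x, y in shares]

def demo():
    """Split a random key 3-of-5, refresh, and show old/new shares do not mix."""
    key = secrets.randbelow(P)
    shares = split_secret(key, n=5, t=3)
    new_shares = refresh_shares(shares, t=3)
    mixed = reconstruct(shares[:2] + new_shares[2:3])  # two old + one new share
    every_share_changed = all(a[1] != b[1] for a, b in zip(shares, new_shares))
    return (reconstruct(shares[:3]) == key, reconstruct(new_shares[1:4]) == key,
            mixed != key, every_share_changed)
```

In a real deployment the refresh polynomial would be generated jointly by the parties rather than by one dealer, so that no single machine ever sees the whole key; the arithmetic is the same.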
Secure Multiparty Computation (MPC) can be implemented to provide complete life-cycle key management and protection all in one virtual system. The result is a far more agile and adaptable system, which secures your keys and associated assets with greater innovation and lower costs. Some of the many benefits of Secure MPC include:
1. Adaptable to Nearly Any Deployment or Operational Model: The software nature of secure MPC makes it highly adaptable to a wide range of potential applications and use cases. MPC systems can be designed for two or more MPC hosting parties, with some implementations supporting dozens of parties if required. The only requirement is for the parties participating in the MPC operations to support a modest amount of computing and memory, and to support network connectivity between parties at initialization and key generation. Subsequently, the MPC parties or nodes may be isolated if off-line signing is a requirement.
2. Run it in Secure Cloud Enclaves for Flexible Scale and Security: MPC can be hosted in secure cloud enclave services such as AWS Nitro and other cloud services. Hosting MPC node instances in this environment enables easy scaling to support increased workloads and regional deployment flexibility. Secret injection with remote attestation, combined with secure enclave hosting, protects against threats even from inside the cloud service provider, so that cloud deployments are both flexible and secure.
3. Run it Across Multiple Clouds to Maximize Security and Availability: Host a different MPC node in AWS, Azure, Google and other cloud services. Running MPC in different environments under different administrative domains provides increased service resiliency and greatly reduces the potential that multiple parties could be concurrently hacked.
4. Hybrid Cloud – Enterprise Deployments: Host MPC in one or multiple clouds and in one or multiple enterprise locations to benefit from cloud economies while satisfying compliance requirements for local hosting. No complete key will ever exist in any cloud, mitigating the risk that a cloud provider security breach or legal compulsion results in the loss or handover of keys.
5. Run it on a laptop, mobile phone or IoT: Host MPC on your local device as part of a larger system for true client-side control of services.
6. Easy Expansion: Spin up new instances to increase capacity or provide coverage in new geographies or with new cloud providers.
7. Sustained Secure Operations, Even With Corrupted Parties: Unlike alternative key management and protection schemes, secure MPC can continue to operate and execute legitimate, approved transactions, even when one or possibly more parties become corrupted. Other schemes either stop protecting or stop operations entirely in those conditions.
8. Commercially Proven and Ready: Secure MPC has been under extensive study and research since the 1980s. The first commercial deployment of MPC was in 2008 by the co-founders of Sepior, which was acquired by Blockdaemon in 2022. Blockdaemon co-developed the world’s first MPC-based digital asset wallet in 2018 and has been licensing MPC for key management applications ever since. Today, MPC is used to secure private keys used in digital asset wallets by thousands of institutions, including many of the world’s largest banks, custodians, exchanges, and other financial institutions.
Since 2014, Blockdaemon has been singularly focused on developing the world’s highest performing secure MPC solutions for key management applications. Our world-renowned cryptographers have been at the forefront of MPC research for multiple decades. Our team consists not only of experts in the field of secure MPC, but also experts in the practical application of MPC in real-world applications.
Today, Blockdaemon offers multiple MPC-based wallet and technology sourcing options. We invite you to experience MPC firsthand by trialing our Builder Vault self-service sandbox to see MPC key generation, storage, and use in action. If you prefer a ready-to-go institutional-grade treasury or custodial services wallet, be sure to evaluate the Institutional Wallet, which is also available with an evaluation sandbox. We invite you to review one of our white papers(4), contact us at [email protected], and visit www.blockdaemon.com for more information.
(1) Secure multi-party computation (Wikipedia)
(2) Secure Multiparty Computation and Secret Sharing (Book)
(3) Scalable and Unconditionally Secure Multiparty Computation (IACR Paper)
(4) An Introduction to MPC and Threshold Cryptography (White Paper)