If there is one certainty about information security, it is that there are no silver bullets. Any set of solutions – from access controls to firewalls to data encryption – can be highly effective. Because there are no airtight guarantees, the defenses must be deployed in proportion to the perceived risks.
Now gaining prominence as part of the cybersecurity arsenal is secure multiparty computation, MPC for short. This is not only due to its proven strength, but also to its suitability for the collaborative networking and partnering on which businesses increasingly depend.
Rooted in encryption science – cryptologist and digital currency pioneer David Chaum coined the term – multiparty computation is defined in a Medium post as enabling “multiple parties to evaluate a computation without revealing any of their private data to computing parties.”
MPC has accordingly become a building block of decentralized finance (DeFi) and digital-asset custody.
MPC’s ability to protect data integrity in multiparty ecosystems, ensuring that individual participants have access only to what they own or need to know, has wide-ranging implications for privacy, controls and compliance, and potentially regulatory oversight. In addition to crypto finance and blockchain, applications could include medical research, voting systems, financial analysis or any situation requiring a balance between data sharing and confidentiality.
Rebecca Wynn, Click Solutions Group
“Multiparty computation is a cryptographic technique that allows two or more data owners to jointly compute a function of their input data, without revealing the input data or exposing intermediate results,” explains David Evans, professor of computer science at the University of Virginia and co-author of A Pragmatic Introduction to Secure Multi-Party Computation. In short, by relying on encryption and within trusted implementations, “MPC eliminates the risks of sensitive data being revealed.”
Interest is growing in financial services, health care, even government agencies needing to secure sensitive data, says Rebecca Wynn, global chief cybersecurity strategist and chief information security officer, Click Solutions Group. “It’s all about keeping sensitive information secure while still collaborating. It’s great for situations where you need to share insights without exposing raw data – like fraud detection, secure voting or collaborative research.”
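The following is an added illustration, not code from the article or from any vendor named in it: the additive secret-sharing "secure sum" behind Evans's definition, in which several parties (here three banks pooling fraud counts) learn an aggregate without any party seeing another's input or an intermediate result it could attribute to someone. The field size P and the sample counts are assumptions, and the scheme is secure only against honest-but-curious parties that follow the protocol, which is exactly the kind of threat-model fine print Evans warns organizations to read.

```python
import secrets

# Arithmetic is done modulo a large prime so that random shares are uniformly
# distributed and reveal nothing about the value they hide. Assumed field size,
# not from the article.
P = 2**61 - 1


def share(value, n):
    """Split `value` into n additive shares: n-1 uniform random field elements
    plus a final share chosen so that all n sum to `value` mod P."""
    if not 0 <= value < P:
        raise ValueError("input must be a non-negative integer below P")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Recover a shared value. Every share is needed; any proper subset of the
    shares is statistically indistinguishable from random noise."""
    return sum(shares) % P


def secure_sum(inputs):
    """Compute sum(inputs) while each input stays known only to its owner.

    inputs[i] is party i's private value. Party i deals one share of it to
    every party (keeping one share itself); each party adds up the shares it
    holds without talking to anyone, and only those partial sums are published.
    Returns the total and each party's view (the shares it received)."""
    n = len(inputs)
    dealt = [share(v, n) for v in inputs]  # dealt[i][j]: party i's share for party j
    views = [[dealt[i][j] for i in range(n)] for j in range(n)]  # what party j sees
    partials = [sum(view) % P for view in views]  # purely local addition
    return reconstruct(partials), views


# Constructed sample: confirmed-fraud counts at three banks, never sent in the clear.
total, views = secure_sum([12, 7, 30])
```

Each inner list in `views` is everything one bank ever receives; the raw counts 12, 7 and 30 appear nowhere on the wire, only the final total of 49 does.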
Financial firms’ digital-asset and blockchain initiatives are a boon to vendors such as Fireblocks, a leading ecosystem platform working with the likes of BNY Mellon and BNP Paribas. Fireblocks in 2023 expanded its MPC-CMP (certificate management protocol) wallet and key management technology to include support for hardware security modules (HSMs) and public and private clouds.
“These flexible deployment models allow banks and financial institutions to leverage Fireblocks’ industry-leading security and technology stack to quickly bring their digital asset initiatives into production,” said Fireblocks’ announcement.
“We understand the risk requirements in the bank at an architectural level, and we have strategically developed components to make sure that our customers can get from proof-of-concept to production in the shortest timeframe possible,” said Fireblocks co-founder and CEO Michael Shaulov.
Fireblocks brought its MPC into collaborations more recently, such as with Coinbase International and Chainlink Labs.
MPC Threshold Signature Scheme: Multiple custodians each use part of a private key to sign a transaction. (Source: Chainlink, Secure Multi-Party Computation)
MPC is also embedded in offerings of digital-asset and -custody platforms including Anchorage Digital, BitGo, Figure Markets and Komainu, which partnered with Blockdaemon, as did Zodia Custody.
In December, Fordefi said it became “the first MPC wallet to offer full DeFi support” on the TON blockchain.
There are compelling MPC use cases where parties that are “mutually distrusting” or structurally disconnected collaborate, Professor Evans says. For example: separate government agencies doing linked data analyses; fraud detection efforts across multiple banks; and medical data sharing.
David Evans, University of Virginia
“All of these uses still require legal agreements,” Evans points out, which may or may not affect their ability to use MPC. “Hence, the most successful industrial uses have been in organizations that have highly valuable data to protect and want to mitigate the risk that a single server compromise or rogue employee will cause catastrophic damage.”
At the University of Virginia, “we built an MPC protocol to conduct the stable matching algorithm used to match medical residents,” Evans notes. “Instead of trusting a third party to collect all the sensitive ranking forms and opaquely perform the match, an MPC algorithm can be used to produce the match without exposing any information about individual and hospital rankings . . . and with a guarantee that the algorithm was followed correctly.”
Similarly, Wynn says that Click Solutions Group has explored MPC in health care, as in sharing patient data across organizations.
MPC protects data while it is being processed, without the need for a trusted third party; even if an end user is compromised, the damage from the breach is contained.
But it is not lightweight technology. “MPC can be pretty resource heavy,” Wynn says. “It’s not exactly plug-and-play. You need expertise, or solutions built for it.”
Evans agrees on the need for sophistication in integrating MPC and believes many organizations will need outside help.
And like any tech advancement, MPC could be susceptible to over-hyping. “It’s powerful,” Wynn opines, “but it’s not always practical or worth the cost, depending on the use case.”
To Evans, it is most important to “understand the threat model the technology is designed for, and how well it matches the needs of the organization. MPC has a very specific functionality, and different MPC protocols make different trade-offs in terms of threat models they support.”