MPC Alliance Learn Section
TinySMPC Tutorial
Awesome MPC
TinySMPC GitHub
IACR 2023/765
Choosing an MPC Framework
Secure Multiparty Computation and Secret Sharing
Polynonce: ECDSA Attack
HackMD Document 1
HackMD Document 2
HackMD Profile
Ren Project MPC
White City Report
Stanford CS355 Schedule
IACR 2021/060
Securing Computation Videos
YouTube Playlist
Google Codelab on MPC
Google Cloud Blog on MPC
Coinbase Blog on Threshold Signatures
Fortifying ZenGo
IACR 2022/1636
IACR 2020/300
Coinbase MPC Whitepaper
JugglingSwap: TSS-Based Atomic Swaps
IACR 2023/841
IACR 2023/832
IITB MPC 2017
Lecture 26 Notes
Spinroot P10
Pragmatic MPC
Bolt Labs TSS-ECDSA
SCALE-MAMBA
NIST Video on Threshold ECDSA
NCC Group on Paillier Cryptosystem
Wallet Infrastructure Comparisons
Proactive Threshold Wallets
IACR 2020/501
IACR 2021/1330
IACR 2020/498
IACR 2018/987
IACR 2019/1136
Smol-MPC
MPZ: MPC Libraries in Rust
Pragmatic MPC
[Building Blocks](https://wiki.mpcalliance.org/Basic Building Blocks.html)

Videos

Protocols for Secure Computations by Andrew Yao

Yao’s Garbled Circuits

Kirby Explanation
Stanford

The Garbled Circuits protocol is asymmetric: each of the two parties does something different. One of the parties is what I’ll call the garbler: their job is to obfuscate the circuit and the input values, and hand that mess over to the other party. I’ll call this other party the evaluator: their job is to take this garbled circuit, and evaluate it, producing the final result. They then share this result with the garbler, and everybody is happy.

(y1, y2) = F(x1,x2)
Party P1 holds x1, and wants to learn y1
Party P2 holds x2 and wants to learn y2

Take the function f and write it as a boolean circuit. The aim is to encrypt each gate. Each wire in the circuit can carry one of two values, 0 or 1. We assign two symmetric keys per wire, one for each value the wire can take. Each gate is a function with two input wires and one output wire: wk = G(wi, wj).

Each key is indistinguishable from random, so the evaluator cannot tell which wire value a key stands for; the garbler, however, knows every key. A garbled gate is a table: each gate in the circuit has four ciphertexts associated with it, one for each combination of input wire values.
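An added example (not code from the original page or from the linked tutorials) of the single-gate construction just described, in Python: two random labels per wire, four ciphertexts per gate keyed on the pair of input labels, and an evaluator that can decrypt exactly one row. The zero-byte `TAG` redundancy check, the SHA-256-derived keystream and the hypothetical `demo` helper are assumptions of this example; in the real protocol the evaluator's own input label would arrive via oblivious transfer rather than being handed over directly.

```python
import hashlib
import os
import random

KEY_LEN = 16
TAG = b"\x00" * 8  # constructed redundancy tag: a correct decryption ends in these bytes

def wire_keys():
    """One random symmetric key (label) per wire value: index 0 -> label for 0, 1 -> label for 1."""
    return (os.urandom(KEY_LEN), os.urandom(KEY_LEN))

def _pad(ki, kj):
    # Keystream derived from both input labels, so only the matching label pair decrypts a row.
    return hashlib.sha256(b"garble" + ki + kj).digest()[: KEY_LEN + len(TAG)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_gate(gate, in_i, in_j, out_k):
    """Garbler side: four ciphertexts, one per (vi, vj) row, each hiding the label for G(vi, vj)."""
    table = []
    for vi in (0, 1):
        for vj in (0, 1):
            plaintext = out_k[gate(vi, vj)] + TAG
            table.append(_xor(plaintext, _pad(in_i[vi], in_j[vj])))
    random.shuffle(table)  # hide which row belongs to which input combination
    return table

def evaluate_gate(table, ki, kj):
    """Evaluator side: holds exactly one label per input wire; exactly one row yields a valid tag."""
    for ct in table:
        pt = _xor(ct, _pad(ki, kj))
        if pt[KEY_LEN:] == TAG:
            return pt[:KEY_LEN]
    raise ValueError("no row decrypted: wrong input labels")

def demo(x1, x2, gate=lambda a, b: a & b):
    """Hypothetical end-to-end run: garble one gate, evaluate it on labels only, decode the output bit."""
    wi, wj, wk = wire_keys(), wire_keys(), wire_keys()
    table = garble_gate(gate, wi, wj, wk)             # garbler sends this to the evaluator
    out_label = evaluate_gate(table, wi[x1], wj[x2])  # evaluator never sees x1 or x2, only labels
    return wk.index(out_label)                        # garbler's output mapping reveals the bit

if __name__ == "__main__":
    print(demo(1, 1), demo(0, 1))  # AND gate on labels: 1 0
```

Because the output is itself a label, the same table layout chains into the next gate of a larger circuit; only the final wires need the garbler's label-to-bit mapping.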

Code Examples

Smol MPC

MPC and TSS for Blockchains

An Introduction to Secret-Sharing-Based Secure Multiparty Computation
DKGs in Groups

HD wallets and the Legendre PRF in MPC

https://www.cryptologie.net/article/605/whats-out-there-for-ecdsa-threshold-signatures/

Implementations

Web3Auth
Web3Auth Example
ZenGo-X
Unbound Security

FROST

FROST implementation in Secp256k1-zkp

FROST is a “k-of-n” threshold scheme. The meetup transcript covers FROST in detail, especially the DKG part.

ROAST

ROAST is a wrapper around FROST allowing for t-of-n thresholds while allowing for signers to operate in unreliable conditions.

Video

BIP340 Schnorr

See Bitcoin

MuSig2

MuSig2 supports only “n-of-n” signatures, but has simpler overhead.

MuSig-DN: Schnorr Multi-Signatures with Verifiably Deterministic Nonces

Threshold Signing

Managing MPC wallets in a commercial environment can be tricky. Is it possible to use HD derivation tools with MPC? Yes, albeit it gets expensive to manage as the number of participants grows. HD wallets are very good for backups and tend to be aimed at retail users rather than commercial settings, since backup can be built into the key generation.

Coinbase has TSS in production.

During key generation, we segment private keys into shares using Shamir Secret Sharing (SSS) and delete the full key for extra security. Each share is held by a different party, and no individual party has full access to the private key. For a long time, there was one way to create a signature: reassemble private key shares to sign a transaction. Therefore, for our wallets to maintain the highest level of security, we only used an address once. If 1 BTC needed to be withdrawn from a key that stores 100 BTC, the remaining 99 BTC would be sent to a new private key during the withdrawal to ensure that we were not storing funds at a potentially vulnerable address.

Staking, however, requires single long-term addresses. Threshold signing, a specific use of MPC, permits individual parties to collaborate and produce a digital signature without reconstituting the original, composite private key.

In practice, this means that rather than parties uploading their private key shares, they individually sign a transaction with their key share and upload a partial signature.

Coinbase also deploys Hierarchical TSS (HTSS) to distinguish signers in TSS. This provides partial accountability. In the HTSS framework, assigning a different rank to each share ensures that any valid signature generated includes the manager's share.

2-Party BIP32

HD wallets and the Legendre PRF in MPC

UC Non-Interactive, Proactive, Threshold ECDSA with Identifiable Aborts

RenVM

RenVM’s MPC

ECDSA threshold signing that uses an extra round of communication and constraints on network timing. For a network of n parties, this scheme is robustly secure against t malicious adversaries, provided that n >= 3t + 1.