Part 2: What can MPC do for Blockchain?
By Jesper Buus Nielsen, Professor and Chief Cryptographic System Designer, Partisia
This second part of our MPC and blockchain blog series will analyse what MPC can do for blockchain, while outlining how we can efficiently combine these two technologies to build something ultimately secure. The relationship between MPC and blockchains is mutually beneficial. We can use MPC to secure many aspects of blockchains and we can use blockchains to orchestrate running MPC at a wide scale. First, let’s explore what MPC can do for blockchains.
Protecting Secret Keys
Accounts are always ultimately protected by some sort of secret key. These secret keys need to be protected. If they leak, there would be nothing distinguishing the owner of an account from a thief.
We can protect keys in transport and on disk by using, for instance, encryption. Protecting the key while it is being used to sign a message is harder: the key needs to be present on a single computer during signing, and that computer might be compromised. This is where MPC comes in. We can secret share the secret key among several servers and use MPC to sign under the secret key without the key ever being present on a single machine.
The special case of using MPC for computing signatures without knowing the secret key is known as threshold signatures. Similarly, one can decrypt ciphertexts while keeping the decryption key secret shared at all times. You can imagine protecting the secrets of any cryptographic scheme this way, which is the field of study of threshold cryptography.
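As an added illustration of the mechanism described above (this is example code, not Partisia's or Sepior's protocol), the block below runs a toy n-of-n Schnorr signature over additive secret shares: each node holds only its own share x_i of the signing key, contributes a nonce share, and returns a partial signature; the aggregator combines the partials into an ordinary Schnorr signature that verifies under the combined public key, and the full key x = sum(x_i) is never assembled anywhere. The group parameters (p = 2039, q = 1019, g = 4) are deliberately tiny toy values chosen for readability, and each node simply picks its own share, which for additive n-of-n sharing is itself a trivial distributed key generation.

```python
"""Toy n-of-n threshold Schnorr signing over additive secret shares.

Added example, not the code of any real threshold-signature product. The
group is a toy subgroup of Z_p^* (safe prime p = 2*q + 1); a deployment
would use a standard elliptic-curve group and a proper DKG protocol.
"""
import hashlib
import random

P = 2039  # toy safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup we sign in
G = 4     # generator of the order-Q subgroup (a quadratic residue mod P)


def hash_to_zq(R: int, message: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || m), reduced into Z_Q."""
    digest = hashlib.sha256(R.to_bytes(2, "big") + message).digest()
    return int.from_bytes(digest, "big") % Q


class Node:
    """One MPC node holding an additive share x_i of the signing key."""

    def __init__(self, rng: random.Random):
        self.x_i = rng.randrange(1, Q)   # key share: never leaves this node
        self.y_i = pow(G, self.x_i, P)   # public share, safe to publish
        self.k_i = None                  # per-signature nonce share

    def nonce_commitment(self, rng: random.Random) -> int:
        self.k_i = rng.randrange(1, Q)
        return pow(G, self.k_i, P)       # R_i = g^{k_i}

    def partial_signature(self, e: int) -> int:
        s_i = (self.k_i + e * self.x_i) % Q
        self.k_i = None                  # a nonce must never be reused
        return s_i


def public_key(nodes) -> int:
    """Combined public key y = prod(y_i) = g^{sum(x_i)}."""
    y = 1
    for node in nodes:
        y = y * node.y_i % P
    return y


def threshold_sign(nodes, message: bytes, rng: random.Random):
    """Aggregate partial signatures; the full key sum(x_i) is never formed."""
    R = 1
    for node in nodes:
        R = R * node.nonce_commitment(rng) % P      # R = g^{sum(k_i)}
    e = hash_to_zq(R, message)
    s = sum(node.partial_signature(e) for node in nodes) % Q
    return R, s


def verify(y: int, message: bytes, sig) -> bool:
    """Standard Schnorr check: g^s == R * y^e (mod P)."""
    R, s = sig
    e = hash_to_zq(R, message)
    return pow(G, s, P) == R * pow(y, e, P) % P


def demo(message: bytes = b"constructed message", seed: int = 7):
    """Returns (valid signature verifies, corrupted s still verifies)."""
    rng = random.Random(seed)
    nodes = [Node(rng) for _ in range(3)]
    y = public_key(nodes)
    R, s = threshold_sign(nodes, message, rng)
    return verify(y, message, (R, s)), verify(y, message, (R, (s + 1) % Q))


if __name__ == "__main__":
    print(demo())
```

The signing works because Schnorr signatures are linear in both the key and the nonce, so additive shares of each combine into an ordinary signature. Two things the toy omits matter in practice: the nonce shares R_i should be committed to before any is revealed, so that no node can choose its R_i after seeing the others, and a t-of-n scheme (tolerating offline nodes) replaces additive shares with polynomial ones. Nonces are also wiped after one use, since reusing a nonce share leaks the key share.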
Privacy-Preserving Smart Contracts
A smart contract on a basic blockchain lives on a public ledger. Anyone can see the code of the contract and its state. This information might be sensitive.
There are some partial solutions to this problem where the state of a contract is kept off-chain by the stakeholders. Only a hash of the state is kept on the blockchain. When updating the state, a stakeholder updates the hash and proves it was done correctly without leaking what the new state is. These proofs can come in many forms. Partial privacy is strongly connected to the field of verifiable outsourced computation.
Full privacy is the most meaningful in many settings. If for instance the smart contract is an auction, the participants might want to hide their bids from the other participants. Each participant should learn only its own inputs and outputs. In comes MPC. The state of the smart contract can be held in secret shared form on some servers which we could call the MPC nodes. These MPC nodes could for instance be part of the blockchain infrastructure, like the baker nodes are. If inputs are given to the smart contract they are posted on the blockchain. Sensitive input can be posted in encrypted form under a public key belonging to the smart contract. The corresponding secret key can be stored in secret shared form among the MPC nodes, and the decryption can be done in MPC. This way the inputs will only make sense to the smart contract, and no MPC node will get any information on the inputs. If the smart contract makes public outputs, like who won an auction, these can be put on the blockchain by the MPC nodes to be visible to the world. Importantly, the state of the smart contract is now not visible on the blockchain. Neither is it known to any of the MPC nodes. Only the desirable results are made public.
Exactly how this orchestration of the off-chain MPC is done efficiently and securely is a principal focus of the Partisia blockchain, and something we will take a look at in a later post.
Secure Blockchain Components
Instead of running your whole blockchain inside an MPC, you can be more selective and run only some critical components in MPC.
Some possible applications of blockchains need randomness which cannot be biased by any of the participants. Simple examples are gaming and lotteries. Some rudimentary forms of unpredictability can be derived from blockchains by collecting and distilling randomness from the implementation of the blockchain, but they are insufficient even for lotteries. On the other hand, generating abundant, good randomness is a solved problem in MPC, which can therefore be used to provide good unbiased randomness.
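The following added example (not Partisia code) shows the secret sharing that underlies both the private-state smart contract described earlier and the unbiased randomness described just above. It implements Shamir sharing over a toy prime field with a threshold t of n nodes, then uses the linearity of the shares twice: several clients' private inputs (constructed bids) are shared to the nodes, the nodes add shares locally, and only the total is ever reconstructed; and each node shares a random contribution whose opened sum serves as joint randomness. Finding the auction winner needs non-linear comparison machinery that this block does not show; it demonstrates only the linear part, that state stays shared and only the agreed output is opened.

```python
"""Shamir secret sharing with threshold t of n, plus two uses of linearity.

Added example, not the code of any real MPC product. All values are
elements of the toy prime field Z_P.
"""
import random

P = 2**31 - 1  # toy prime field (Mersenne prime); real systems use larger fields


def share(secret: int, t: int, n: int, rng: random.Random):
    """Split `secret` into n shares: any t reconstruct it, t-1 reveal nothing.

    The secret is the constant term of a random degree-(t-1) polynomial; share i
    is the polynomial evaluated at x = i.
    """
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]


def reconstruct(shares) -> int:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    secret = 0
    for i, y_i in shares:
        num, den = 1, 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + y_i * num * pow(den, P - 2, P)) % P
    return secret


def add_shares(share_lists):
    """Each node adds its shares of several secrets -> shares of the sum.

    No communication is needed: the sum of the polynomials is a polynomial
    of the same degree whose constant term is the sum of the secrets.
    """
    n = len(share_lists[0])
    return [(i + 1, sum(s[i][1] for s in share_lists) % P) for i in range(n)]


def private_sum(inputs, t: int, n: int, rng: random.Random) -> int:
    """Each input is shared to the n nodes; only the total is reconstructed."""
    shared = [share(v, t, n, rng) for v in inputs]
    return reconstruct(add_shares(shared)[:t])


def joint_randomness(t: int, n: int, rng: random.Random) -> int:
    """Every node shares a random contribution; the opened sum is the output.

    Because every contribution is fixed (shared) before any is opened, no
    single node can steer the result. This simulation does not model an
    adversary's timing; it only shows the arithmetic.
    """
    shared = [share(rng.randrange(P), t, n, rng) for _ in range(n)]
    return reconstruct(add_shares(shared)[:t])


def demo(seed: int = 1):
    """Returns (every t-subset reconstructs the secret, total of constructed bids)."""
    rng = random.Random(seed)
    t, n = 2, 3
    shares = share(12345, t, n, rng)
    every_pair_works = all(reconstruct([shares[i], shares[j]]) == 12345
                           for i in range(n) for j in range(i + 1, n))
    total = private_sum([300, 125, 75], t, n, rng)   # constructed bids
    return every_pair_works, total


if __name__ == "__main__":
    print(demo(), joint_randomness(2, 3, random.Random(1)))
```

Any t shares determine the polynomial and hence the secret, while any t-1 shares are consistent with every possible secret, which is what lets the nodes hold state without learning it. The same linearity that makes `add_shares` free is also why threshold signatures on linear schemes compose so cleanly; multiplication of shared values, needed for comparisons such as picking the highest bid, is where MPC protocols spend their communication.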
One of the big advantages of blockchains is that they allow atomic operations. I might, for instance, want to transfer ownership of my house to you if and only if you transfer me some amount of Bitcoin. Atomicity is important so we are both sure of getting our asset. Unfortunately atomicity is lost if the assets live on different blockchains. MPC can be used to solve this. Any type of multi-agent transaction can be described as a program that takes as input some secret keys and some auxiliary data and computes who receives what assets in return. You can therefore set up an MPC on an MPC-enhanced blockchain. The MPC will compute the transactions and, for instance, release signatures on who should receive what assets. On the other blockchains you set up smart contracts in advance which transfer the desired assets if given the appropriate signatures from the MPC. As an added benefit, the sensitive details of the transaction can be hidden inside the MPC.
MPC can also be used for sensitive network statistics as was done with the STORMY project for the Tor network. MPC can do much more for blockchain, but let us move on and ask: what can blockchain do for MPC? Find out in part three, coming soon!
About the author
Jesper is Professor in Computer Science at Aarhus University and also one of the co-founders of Partisia and Sepior. He is one of the top cited and publishing researchers in secure multiparty computation. Jesper’s primary research areas are secure multiparty computation, distributed consensus, and universal composability.