Separating Broadcast from Cheater Identification: Identifiable Abort in MPC Over P2P Channels
By , Silence Laboratories
Secure Multiparty Computation (MPC) is a technology that allows multiple parties to collaboratively compute functions without compromising on the privacy of their individual inputs. For example, Silent Shard virtually combines parties’ secret key shares to sign messages, and Silent Compute enables more general analysis of virtually assembled secret data.
All of the MPC protocols offered by Silence Laboratories guarantee security against malicious behaviour, meaning that parties’ secret inputs are protected from any protocol deviations. In particular, they achieve security with abort, meaning that each party either receives the correct output of the protocol, or — in the event that an attacker creates trouble — terminates with a special “abort” output. In either case, adversarial parties are mathematically guaranteed to learn nothing meaningful about honest parties’ private inputs, or in technical parlance the aborts are simulatable without knowledge of private inputs.
While parties’ secret inputs are protected from attempts to breach privacy, the liveness of the system is still open to disruption. It is natural to wonder if even stronger guarantees are possible; indeed the ability for an adversary to disrupt the protocol execution might lead to Denial of Service (DoS) conditions that are unacceptable in certain applications. In high-availability settings that simply cannot afford downtime, such as blockchains or massive-scale key management networks, DoS-resistance is paramount. In the MPC literature, Guaranteed Output Delivery (GOD) provides exactly this feature, and is attainable in such settings as it is reasonable to assume that colluding parties form a small minority. In small-scale settings that are centrally managed and involve a few MPC nodes, one may simply reset the system or resort to out-of-band methods to recover from an abort. But what about scenarios that involve a diverse set of node operators at a smaller scale?
In the MPC literature, “Identifiable Abort” refers to a security feature that informs parties of the identity of a disruptor. In particular, if an adversarial party attempts to disrupt the protocol, the Identifiable Abort property guarantees that honest parties are informed of its identity — though they may be deprived of the output of the computation itself. The idea is to enable accountability for disruptive behaviour by external methods, rather than in-built protocol mechanisms to recover from faults. This can be a more competitive strategy in many scenarios: for example the threat of slashing staked assets can be a powerful incentive for honest behaviour in a lightweight MPC protocol, as opposed to a heavier protocol that incorporates complex recovery mechanisms itself.
Identifiable Abort is therefore an appealing proposition in theory, but we have found designing and deploying a system based on this principle to be anything but straightforward. We have been investigating this topic in some detail at Silence Laboratories (along with external collaborators), and we have found there to be a lot of nuance to be added to the present discourse.
Our initial results — a collaboration with Divya Ravi at the University of Amsterdam — will appear at the ACM CCS 2025 conference in Taipei, the ACM’s flagship conference on computer security. The technical details can be found in our paper, but we will present a few highlights below for those with an interest in this field.
There are broadly two types of cheating strategies that an adversarial party may execute to disrupt a protocol: sending malformed messages and simply withholding messages altogether. As we explain below, both are equally important in a real system, but the latter problem has been understudied in the literature.
- Sending malformed messages: this is where the vast majority of the cryptography literature has focused its attention, because this can be expressed and solved as a purely cryptographic problem. In particular, one can define a format for a “well-formed” message, and cryptographically prove that all messages in the protocol adhere to this format. The proofs can either be proactive with each message to rule out cheats altogether or in retrospect, to assign blame once a cheat has already occurred. Actually instantiating such an approach requires technical depth and is the subject of several papers, but it can generally be done with the right cryptographic machinery.
- Non-responsiveness: most protocols need a minimum number of parties to actively contribute messages — enough parties simply withholding their messages can induce a failure. Unlike the previous issue, addressing this is not just a question of finding the right cryptographic tools; mathematics alone cannot compel the delivery of messages. One standard approach in the literature is to assume a mechanism that makes any message sent in the protocol available to all parties within a time bound, typically a broadcast channel or bulletin board — the absence of a message on this channel is taken to imply that a party is non-responsive. This does solve the issue on paper, but realizing such an object in practice can be very challenging. Potential instantiations include a blockchain if the context permits, broadcast protocols that are highly interactive, or a central message coordinator who is trusted to honestly report offline parties. None of these solutions is truly general in our opinion, and therefore this issue has been the focus of our work.
Our work begins by tweaking the definition of Identifiable Abort to more closely match this “external disincentive to cheat” paradigm. We strengthen one dimension while weakening another: we relax the requirement that parties all agree on the identity of the cheater, but we require any party that blames another for a cheat to additionally provide a proof of this fact. This way, an external auditor can independently verify the identity of a disruptive party, and penalize it appropriately. Notice that consensus among protocol participants on the identity of the cheater is not strictly necessary — this fact can be leveraged to circumvent difficulties around consensus primitives.
We call this new notion “Provable Identifiable Selective Abort”, or PISA for short. “Provable” due to the externally verifiable proofs of cheating or non-responsiveness, and “Selective” as nodes may not be in unanimous agreement. As an additional feature, we consider proofs of cheating that distinguish between non-responsive parties and those that send malformed messages; a party with a bad network connection may perhaps be punished less harshly than one that undeniably deviated from the protocol.
With our definition in place, we first rule out the possibility of achieving this notion in the dishonest majority (t >= n/2) context. Intuitively, this is because a majority of parties could always collude to ignore all messages from any given party, and falsely certify it as non-responsive.
Next, we construct a new broadcast primitive for the PISA context when a majority of nodes (t < n/2) are honest. In particular, we design a simple echoing protocol that achieves our target notion within just two rounds. We show how this primitive can then be used to build a highly efficient distributed ECDSA signing protocol with the same threshold, now with the ability to provably identify any kind of disruptor — running over point-to-point channels alone.
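To make the threshold reasoning in the two paragraphs above concrete, here is an added, illustrative echo-and-complain simulation in Python; it is the editor's own construction, not the protocol from the paper. The HMAC stand-in for signatures, the `missing:<sender>` complaint format and the n - t complaint threshold are assumptions of the demo; the last scenario in the test shows the dishonest-majority framing attack that rules PISA out for t >= n/2.

```python
import hmac, hashlib

# Constructed toy network of party ids 0..n-1. HMAC "signatures" are an assumption for a
# self-contained demo; a deployment would use public-key signatures so an auditor can
# verify certificates without any party's secret key.
KEYS = {i: f"party-{i}-key".encode() for i in range(7)}

def sign(pid, msg):
    return hmac.new(KEYS[pid], msg, hashlib.sha256).digest()

def verify(pid, msg, sig):
    return hmac.compare_digest(sign(pid, msg), sig)

def echo_broadcast(n, t, sender, deliveries, colluders):
    """Round 1: sender sends its signed message over P2P (deliveries: receiver -> msg;
    a receiver absent from the map got nothing). Round 2: each party echoes what it
    holds, or a signed complaint if it holds nothing; colluders complain regardless.
    Returns the verdict an honest collector reaches plus an auditor-checkable certificate."""
    echoes = {}
    for pid in range(n):
        if pid in deliveries and pid not in colluders:
            m = deliveries[pid]
            echoes[pid] = ("msg", m, sign(sender, m))
        else:
            echoes[pid] = ("missing", sign(pid, b"missing:%d" % sender))
    # Only the sender can produce its signature, so two distinct signed messages prove equivocation.
    signed = {e[1]: e[2] for e in echoes.values() if e[0] == "msg" and verify(sender, e[1], e[2])}
    if len(signed) >= 2:
        return "malformed", list(signed.items())[:2]
    # With at most t corrupt parties, n - t signed complaints cannot all come from colluders.
    complaints = [(p, e[1]) for p, e in echoes.items() if e[0] == "missing"]
    if len(complaints) >= n - t:
        return "non-responsive", complaints
    if signed:
        return "output", next(iter(signed))
    return "abort", None  # no proof either way: local abort without blame

def audit(n, t, sender, verdict, cert):
    """External auditor: accept a certificate only if the signatures it carries check out."""
    if verdict == "malformed":
        (m1, s1), (m2, s2) = cert
        return m1 != m2 and verify(sender, m1, s1) and verify(sender, m2, s2)
    if verdict == "non-responsive":
        ok = {p for p, s in cert if verify(p, b"missing:%d" % sender, s)}
        return len(ok) >= n - t
    return False
```

With n = 5 and t = 2, two colluding complainers cannot reach the three complaints needed, so an honest sender's message is delivered; with t = 3 the same honest sender is provably framed, which is exactly the dishonest-majority obstacle.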
While real-world performance will depend on a number of factors, including network conditions, our benchmarks showed that our protocol is over an order of magnitude lighter in computation than existing alternatives such as CGGMP20 — before even accounting for broadcast. Moreover, we show that any Identifiable Abort MPC protocol can replace its use of broadcast with our new primitive and achieve PISA security with P2P channels alone.
Impact and Adoption
- Silence Laboratories is enabling slashing in restaking-based protocols such as MPC-TSS AVS on Eigen Cloud. The protocols and tools in this paper — along with upcoming work — form the basis for the deployment of KMS networks built on top of Eigen Layer.
- Cross-chain bridges are adopting MPC-TSS with slashing using concepts introduced in the paper.
We invite you to read the paper, and get in touch with us at Silence Laboratories to learn more about how our nuanced approach to cheater identification could be relevant in your context.
Acknowledgements
The author is grateful to Divya Ravi and Daniel Noble for their helpful comments on this article, and to Ananya for the artwork that accompanies the text.
