*Secure Multiparty Computation and Shamir’s Secret Sharing on Wanchain*

*Secure Multiparty Computation and Shamir’s Secret Sharing on Wanchain*

## Secure Multiparty Computation (MPC) and Shamir’s Secret Sharing are two of the core components of Wanchain’s technology.

*By Noah Maizels*

**What exactly are these two concepts, and why are they so important? Let’s begin with Secure Multiparty Computation.**

**Secure Multiparty Computation**

MPC is defined as a way for multiple parties to run a computation on a series of inputs for which each party only knows one of the inputs. Well, what exactly does that mean? Let’s take a look at an illustrative case to get a better understanding. Let’s say, for example, that you’re getting drinks with a group of friends, and you decide you all want to know the average salary of the group. But…you don’t want to involve any strangers or staff from the bar, and you also don’t want to reveal any individual’s salary. This is a perfect situation for using MPC! To start with, the first person picks a random element, which is known only by him, to modify his salary — let’s say he adds the random number 874,346 to his salary, and then shares the result of that addition with the person next to him. The next person then adds his salary to the first result, and passes the result of that computation on to the third person, and so on, until all the salaries have been summed and returned to the first person. The intermediate results are passed securely from the previous person to the next person, and only the final sum is returned to the first person. The first person then subtracts the random element 874,346 from the total, and then may calculate the average salary of the group without knowing the salary of any one individual. In practice, MPC is generally far more complex than this for a variety of reasons (such as to prevent collusion amongst the parties involved), but that’s the general idea.

To understand why MPC is so important to Wanchain’s cross chain functionality, a basic understanding of cross chain mechanics is needed. First, the asset whose value will be transferred to Wanchain’s network (for example, ETH) is locked in an account on its original chain using a smart contract. After being locked on its original chain, tokens of the equivalent value are released on the Wanchain network (in the case of ETH, it is represented by a WETH token). Then these tokens can be traded on Wanchain’s network. The locked account holds the control of the funds. The user who sent the ETH to the locked account only has ownership of the mapping token (WETH in the example before). WETH can be sent to other users on the Wanchain blockchain. When any user holding the WETH decides to convert their proxy token back to ETH, the corresponding number of ETH is released to that user by the Storeman and the equivalent portion of WETH is burned.

*The problem that must be solved in the above system is who will be trusted to control the private key of the locked account on the original chain?* If one entity controls the private key, the system is no longer decentralized, and the problematic element of trust will be introduced. Wanchain’s solution to this problem is the introduction of a group of entities known as Storeman nodes. Instead of one entity controlling the private key, each Storeman will control only one piece of the private key, which is known as a key share. The Storeman nodes then work together using MPC to perform the computations necessary to produce a smart contract that locks the asset on the original chain without any node ever having access to the entire private key.

**Shamir’s Secret Sharing**

As you were reading the description above about how the private key is divided into many pieces, you may have wondered: *“What if one of the Storeman nodes loses a keyshare or goes offline, how will it still be able to broadcast a transaction?”* This is possible through the magic of Shamir’s Secret Sharing (SSS). The basic principle behind secret sharing can be illustrated easily by considering how many points are needed to define a line. Let’s say you use a secret mathematical formula as the password to your online bank account, and the formula you used defines the line below:

You were worried you might forget your password, so you decide to give one point from your line, (-2, 1), to your friend Albert, and another point, (1, 4), to your friend Ada. Neither of your friends with their one point could ever reconstruct the password to your bank account, since with only one point on a line, there are an infinite number of other points which could be chosen to define the line. But what if you don’t totally trust your friends Ada and Albert, and are worried about them putting their points together to generate your password? Well, let’s see how we might deal with that using a different formula as your online banking password.

This time, you give (2, 1) to Ada, (1.5, 0.75) to Albert, and (0, 3) to your friend Steve. Since this formula is more complex, knowing two points is not enough for Ada and Albert to reconstruct it. They would need to collude with your friend Steve as well in order to reconstruct the formula and access your online bank account. While this formula only requires three points, we can in fact increase the complexity of the formula to any level we would like for added security — so that it would require five, ten, fifteen or more points to be able to reconstruct the formula.

Going through this thought experiment, you may have wondered, “What if one of my friends forgets their point, or is kidnapped, or falls off a cliff, etc., how would I be able to access my bank account?” Well, this is solved simply by handing out more points on the graph of the formula you chose. All you need to do is pick one more point, (3, 3), and give it to your friend Satoshi. Now any combination of three of your four friends is enough to reconstruct your password.

If you wished, you could hand out even more points, in case you were worried some of your friends might lose theirs. As long as any three of them can give you their points, your password can be reconstructed. This is what is known as (t, n) threshold secret sharing, for which you give out *n* different pieces of a secret, and a minimum threshold of *t* pieces are required to reconstruct your secret.

Now you understand the basic theory behind Shamir’s Secret Sharing. While we may not be dealing with formulae that describe a line on a graph, the basic theory is the same. With Shamir’s Secret Sharing, each Storeman node receives only one part of the private key, and uses that part to construct one part of the transaction to be broadcast to the network. Even if one or two Storeman nodes are offline or somehow lose access to the private key, using technology based on the principles explained above, it is still possible to reconstruct the complete transaction from the pieces of the transaction held by the remaining Storeman nodes.

*Through the use of cutting edge technologies such as MPC, threshold secret sharing, ring signatures, and so on, Wanchain has become the first blockchain to actually implement secure, private, cross chain functionality.*

#### About Wanchain

Wanchain is a blockchain ecosystem that enables the exchange of digital assets between blockchains with privacy protection and cross-chain smart contracts. The Wanchain infrastructure simplifies the creation of distributed financial applications for individuals and organizations to access financial services such as loans, asset exchange, multi-asset ICOs, and other asset management capabilities. Wanchain 2.0 enables the cross-chain functionalities with Ethereum. Wanchain 3.0, which will launch before the close of 2018, will enable the same functionalities with Bitcoin.