This article is an output of what I learned through the Privacy and Scaling Explorations (PSE) Learning Grant Program. I am very grateful for such an opportunity. And I would like to express my gratitude to everyone at PSE who gave me feedback on writing the article.

Background


Many of the articles currently available explaining the MPC Wallet only go as far as explaining how the MPC Wallet functions from a high-level perspective. As a result, even users who are not familiar with software development or cryptography can understand what kind of concept the MPC Wallet is.

On the other hand, many misunderstandings arise among the general public because the explanations in these articles are vague.

There are also many articles that exaggerate the vulnerability of a competing proposal in order to argue that their own proposal is superior.

In this article, we will help you correctly understand the MPC Wallet through detailed explanations about the technology in order to dispel these misunderstandings.

Introduction


The True Identity of MPC Wallet is "Threshold Signature"

What is often referred to in public as an MPC Wallet is actually a technology known as Threshold Signature.

The history of threshold signatures dates back to 1987[1]. The underlying Threshold Cryptography is a method that allows messages to be signed and encrypted while the key is distributed among several parties. To put it more bluntly, it is not about carefully managing one key; instead there is one key and multiple key shares, so that it is acceptable if one of the shares is leaked.

Threshold ECDSA in particular is attracting attention among threshold signatures, and the reason is obviously Bitcoin and Ethereum. Many blockchains adopt ECDSA as their signature algorithm, and a signature is required to execute a transaction. Blockchains also have no key lifecycle, because the account address is deterministically derived from the public key, and because of the key's criticality, financial damage of hundreds of millions of dollars can occur instantaneously.

Incidentally, it only recently started to be called MPC Wallet; in an article by ZenGo in November 2019, it was referred to as a "Threshold Wallet". Indeed, the term MPC Wallet feels more familiar, but it is an abstract term, and it is a word that can give users the impression of "I don't really understand, but it seems somehow safe".

Proactive Threshold Wallets with Offline Devices - Zengo

Related Works on Threshold ECDSA

The first proposal of threshold signatures is Gennaro's Threshold DSS Signature (1996)[2], which uses Pedersen's Verifiable Secret Sharing.

MacKenzie and Reiter (2004)[3] proposed a two-party protocol.

Lindell et al. (2017)[4] proposed a practical protocol that improved MacKenzie's protocol. Later, they extended it to a multi-party protocol (2018)[5].

Many of these methods have used Paillier Encryption or Oblivious Transfer.
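As an added example (not code from the original article or from any of the cited papers), the following Python shows the key-share idea from the Introduction and the building block named for Gennaro's scheme, Pedersen's Verifiable Secret Sharing: a dealer splits a key into n shares with threshold t, every party checks its share against public commitments so a corrupted or mis-dealt share is detected, and any t valid shares reconstruct the key. The group parameters P, Q, G, H are constructed toy values, not secure ones.

```python
import secrets

# Toy parameters (constructed, NOT secure): P is a safe prime, Q = (P-1)/2,
# and G, H are squares mod P, so both generate the order-Q subgroup.
# In practice Q is ~256 bits and nobody may know log_G(H).
P, Q, G, H = 1019, 509, 4, 9

def poly_eval(coeffs, x):
    """Evaluate a polynomial over Z_Q at x (coeffs[0] is the constant term)."""
    return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

def deal(secret, t, n):
    """Pedersen VSS: split `secret` into n shares, any t of which reconstruct it.
    Returns shares [(j, s_j, r_j)] and public commitments C_i = G^a_i * H^b_i."""
    a = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]  # secret poly
    b = [secrets.randbelow(Q) for _ in range(t)]                      # blinding poly
    commitments = [(pow(ai, 1, Q) and pow(G, ai, P) * pow(H, bi, P)) % P
                   if ai else (pow(H, bi, P)) % P for ai, bi in zip(a, b)]
    shares = [(j, poly_eval(a, j), poly_eval(b, j)) for j in range(1, n + 1)]
    return shares, commitments

def verify_share(share, commitments):
    """Party j checks G^s_j * H^r_j == prod_i C_i^(j^i); learns nothing about a[0]."""
    j, s, r = share
    lhs = (pow(G, s, P) * pow(H, r, P)) % P
    rhs = 1
    for i, c in enumerate(commitments):
        rhs = (rhs * pow(c, pow(j, i, Q), P)) % P  # exponent mod Q is valid: ord(c) | Q
    return lhs == rhs

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q from any t shares (the r_j are unused)."""
    secret = 0
    for j, s, _ in shares:
        num, den = 1, 1
        for k, _, _ in shares:
            if k != j:
                num = (num * (-k)) % Q
                den = (den * (j - k)) % Q
        secret = (secret + s * num * pow(den, -1, Q)) % Q
    return secret

if __name__ == "__main__":
    shares, comms = deal(123, t=3, n=5)          # 3-of-5 sharing of a toy key
    print("all shares verify:", all(verify_share(s, comms) for s in shares))
    print("reconstructed from 3:", reconstruct(shares[:3]))
    j, s, r = shares[0]
    print("tampered share verifies:", verify_share((j, (s + 1) % Q, r), comms))
```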