Multi-Party Computation (MPC): Secure, Private Collaboration

What is multi-party computation (MPC)?

Multi-party computation (MPC) is a subfield of cryptography focused on secure computation that allows multiple participants to perform calculations while keeping individual data secret. Each participant will only see the final result, not the inputs of others. MPC combines cryptographic protocols for computation, verification (to detect cheating), and privacy preservation. 

Imagine three companies tasked with calculating their average revenue without disclosing the actual numbers to each other. MPC allows them to compute the average, with each company seeing only the final result, not the other companies' revenue.

While both zero-knowledge proofs (ZKPs) and multi-party computation (MPC) belong to privacy-preserving cryptography, they serve distinct purposes. ZKPs allow a party to prove knowledge of a secret without revealing it (e.g., proving identity without disclosing any sensitive credentials), even in multi-party settings. MPC, however, enables multiple parties to jointly compute a function over their private inputs without exposing the inputs themselves.

The key breakthrough of multi-party computation is that parties can collaborate on calculations without revealing their data to anyone.
‍

History

Multi-party computation emerged in the 1980s as a theoretical concept in cryptography, but its practical applications took decades to materialize. Below are key milestones in its evolution—from early protocols like Yao’s Garbled Circuits to modern blockchain integrations. This timeline highlights how MPC transitioned from academic research to real-world privacy solutions. 

‍

Core concepts

Privacy preservation

Multi-party computation ensures input privacy through mathematical guarantees. The protocol mathematically prevents participants from learning others' inputs while still allowing computation on those inputs.

Distributed trust

No single party holds all the data or controls the computation. The security of multi-party computation comes from distributing trust across multiple participants, making it resistant to individual compromises.

So, why does all this matter? Let’s explore why MPC is critical for today’s privacy needs.
‍

The importance of MPC

MPC solves a specific problem in data privacy: how to compute sensitive data without exposing it. This matters for several reasons:

1. Data privacy laws: Organizations must analyze data while complying with regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
‍
2. Cross-organization collaboration: Companies can work together without sharing confidential information.
‍
3. Single point of failure: Traditional systems that collect and centralize data in a single location create security risks.
‍
4. Trust minimization: MPC removes reliance on a single trusted third party. For example, organizations can collaborate without sharing raw data, and cryptographic systems (like ZKP trusted setups) can generate public parameters securely without a central authority.
‍

But how does MPC protect against potential threats? Let's look at the security models behind it.
‍

Understanding MPC security models

What is an adversary in MPC?

In MPC protocols, an "adversary" refers to a participant (or group of participants) who attempts to break the protocol's security. Adversaries are bad actors in the system. They could be:

• External attackers trying to learn private information
• Participants in the protocol who don't follow the rules
• Compromised parties (like hacked servers)
  ‍

Therefore, MPC protocols are designed around two foundational questions:

1. Adversarial settings: How many participants can be corrupt before a protocol’s security guarantee fails? (Note: Often referred to simply as "settings" in academic papers). Example: A protocol designed for a dishonest majority setting (explained below) is mathematically guaranteed to remain secure even if 4 out of 5 parties are corrupted.
   ‍
2. Adversarial behavior: What tactics can parties use to attack the system? Example: Passive observers might be able to infer private data, while active attackers could falsify inputs or collude.

These questions define the protocol’s resilience to collusion (e.g., multiple corrupted parties secretly sharing data to breach privacy) and its ability to handle adversarial actions like eavesdropping (intercepting messages to infer private inputs) or sabotage (deliberately disrupting computations).

The security models describe what these adversaries might do and how the protocol protects against them. Some of the main security models in multi-party computation include:
‍

Semi-honest security model (passive / honest-but-curious)

What it means:

The semi-honest security model assumes adversaries follow the protocol rules but attempt to infer private information from exchanged messages. A protocol that is secure against semi-honest adversaries (known as a semi-honest secure protocol) ensures that parties can’t infer private inputs, even if they passively analyze protocol interactions.
‍

How it works:

Semi-honest secure protocols use cryptographic primitives like garbled circuits and secret-sharing schemes (discussed later) to ensure no single party can reconstruct private data without collaboration (e.g., obtaining enough secret shares).
‍

Use cases: 

1. Banks using MPC for fraud detection: Semi-honest security allows multiple banks to collaboratively analyze transaction data and identify fraud patterns without exposing customer records. Semi-honest protocols provide security against passive adversaries while maintaining the computational efficiency required for processing large-scale datasets.
   ‍
2. Medical research collaborations: Semi-honest protocols allow hospitals to jointly analyze patient genomes while preserving privacy. By minimizing computational overhead, these protocols remain practical for data-heavy tasks like genomic studies.
   ‍

Benefits of semi-honest security:

• Efficiency: Generally requires fewer cryptographic verification steps than malicious-secure protocols (e.g., no zero-knowledge proofs or cut-and-choose).
  ‍
• Lower overhead: Reduced computational costs compared to active-adversary models.
  ‍
• Scalability: Ideal for applications where participants are incentivized to cooperate (e.g., mutually beneficial analytics)
  ‍

Malicious (active) security model

What it means:

The malicious security model assumes adversaries may arbitrarily deviate from the protocol: sending fake inputs, tampering with computations, or aborting prematurely to disrupt results. A malicious-secure protocol guarantees privacy and correctness even if some parties cheat, ensuring outputs are valid and inputs remain confidential.
‍

How it works:

The malicious-secure protocol includes additional cryptographic verification steps (e.g., zero-knowledge proofs, cut-and-choose, authenticated secret sharing MACs) that mathematically detect and prevent cheating. It forces parties to prove they follow the protocol correctly at each step, guaranteeing input privacy and computation integrity, even against active attackers.
‍

Use cases: 

1. Voting systems: Malicious security ensures no party can submit invalid ballots (e.g., votes for non-existent candidates) or manipulate tallying. For example, ZK proofs prove that votes are valid (e.g., for registered candidates) without revealing individual choices.
   ‍
2. Cryptocurrency: Threshold signatures require malicious security to prevent adversarial parties from biasing key generation or stealing funds. Checks ensure that private keys are never reconstructed in a single location.
   ‍

Benefits of malicious-secure security:

• Stronger security: Privacy and correctness are guaranteed even if adversaries sabotage the protocol.
  ‍
• Deterrence: Cheating is either detected (e.g., honest parties abort the protocol if invalid ZK proofs are detected) or rendered cryptographically impossible.
  ‍
• High-stakes suitability: This is essential for applications like financial settlements, where errors or leaks have severe consequences.
  ‍

Other security models, such as covert security, provide a middle ground between semi-honest and malicious security, but these two are the most widely used. 

These security models define how protocols handle adversaries. Let’s examine the settings that dictate their implementation:
‍

MPC settings

1. Dishonest majority: 

• Security guarantees hold even if only one participant is honest; in a 5-party system, a protocol remains secure even if 4 parties are corrupted.
  ‍
• The most conservative security assumption (compared to an honest majority) as it assumes most parties are malicious.
  ‍
• Used by protocols like SPDZ.
  ‍
• Dishonest-majority protocols tend to have higher computational and communication overhead due to the additional security measures required.
  ‍

2. Honest majority:

• Security guarantees hold when most participants are honest; in a 7-party system, at least 4 must be honest.
  ‍
• The BGW protocol is a special case that requires even more honest parties: for malicious security, fewer than one-third of parties can be corrupt (e.g., at least 5 honest parties in a 7-party system).
  ‍
• Typically achieves greater efficiency and lower communication complexity compared to the dishonest majority.
  ‍

3. Threshold-based:

• Security depends on a threshold (e.g., 50% honest parties in a 4-party system).
  ‍
• Delivers flexibility in security vs efficiency trade-offs.
  ‍

Popular MPC protocols

1. BGW: The BGW (Ben-Or, Goldwasser, and Wigderson) protocol, introduced in 1988, is foundational to multi-party computation. It’s a secure MPC protocol that allows a group of parties to jointly compute a function while keeping inputs private. It extends Shamir’s Secret Sharing (explained below) with cryptographic techniques to enable secure multi-party computation on private inputs. BGW is secure against both semi-honest adversaries (if fewer than half are corrupt) and malicious adversaries (if fewer than one-third are corrupt).
   ‍
2. GMW: The GMW (Goldreich, Micali, and Wigderson) protocol, introduced in 1987, is a classical MPC protocol that operates using a boolean-circuit representation. When computing a function, it breaks computations into logical operations (like AND, OR, NOT gates) and processes encrypted data step-by-step. It’s primarily secure against semi-honest adversaries who follow the protocol but try to learn additional information from the messages they receive. The GMW protocol employs techniques such as oblivious transfer to ensure each party learns only what they are supposed to learn from a computation.
   ‍
   
3. SPDZ: The SPDZ (Smart, Pastro, Damgård, and Zakarias) protocol, developed in 2012, represents a significant advancement in practical MPCs. SPDZ uses additive secret sharing (splitting secrets into random numbers that sum to the original) and incorporates MAC-based checking (cryptographic tags to ensure data integrity) to confirm participants follow the protocol correctly. SPDZ requires a preprocessing phase (preparing cryptographic materials in advance) and achieves high performance during the online computation phase (real-time execution). It provides security against malicious adversaries, meaning it remains secure even when participants actively try to cheat.

Now, let’s explore how secret sharing enables secure computations. 
‍

Secret sharing in multi-party computation

Secret sharing allows splitting a secret into multiple pieces, called shares, where:

• Each participant receives a share
• Individual shares reveal nothing about the secret
• Combining enough shares reconstructs the secret

In a threshold secret-sharing scheme:

• n: The total number of shares (pieces) a secret is split into (e.g., 5).
• t: The threshold - minimum number of shares needed to reconstruct the secret (e.g., 3)

For a practical example, see Shamir’s secret sharing below.
‍

Common secret sharing schemes:

1. Shamir's secret sharing

• Splits a secret into shares using polynomials over a finite field. Reconstruction uses Lagrange interpolation: a threshold of shares uniquely determines the polynomial (and thus the secret). Fewer shares reveal nothing—akin to needing enough points to define a curve.
  ‍
• Flexible threshold scheme: can reconstruct secret with any t shares (out of n) total shares, where the polynomial is of degree t-1, ensuring security if fewer than t shares are available.

For example, in a 3-out-of-5 scheme:

• The secret is split into five total shares
• Any three shares can reconstruct the secret
• Two or fewer shares reveal nothing

This works like a puzzle: you need a minimum number of pieces (the "threshold") to solve it, but individual pieces alone are useless. 
‍

2. Additive secret sharing

• Splits secret into random shares that sum to the secret. 
• Requires all shares for reconstruction (if split into n shares, the threshold, t, is equal to n)
• Used in protocols like SPDZ
• More efficient for linear computations (e.g., additions, averages) compared to non-linear computations.
  ‍

Example:  if the secret is 10, shares could be 3, 5, and 2 (3 + 5 + 2 = 10). All shares must be combined to recover the secret.
‍

MPC wallets in blockchain

Unlike traditional cryptocurrency wallets, which store a single private key, MPC wallets split key generation and signing among multiple independent parties. When a user signs a transaction, these parties work together using cryptographic protocols to create the signature without having access to the full key. 

This approach eliminates the single point of failure present in traditional wallets. There is no single private key in one location that can be stolen or lost. If one device is compromised, the funds remain secure because the attacker must compromise multiple parties simultaneously. This security model also enables more flexible key management by allowing users to add or remove devices, set up multiple approval requirements, and more.
‍

Examples of MPC wallets include:

• ZenGo: A keyless crypto wallet that uses multi-party computation for private key management.
  ‍
• Fireblocks: An enterprise-grade digital asset platform that uses MPC. It secures digital assets for institutions like Revolut. 
  ‍

Threshold signatures in MPC wallets

MPC wallets use threshold signatures where:

• The private key is split into shares.
• A specified number of shares (threshold) must be reached to sign.
• The signature is mathematically identical to a regular signature.
• Verifiers can’t tell if it was created using MPC.

Example: In a 2-of-3 threshold scheme, two parties must collaborate to sign - one cannot.
‍

Multi-party computation vs. multi-signature wallets

Multi-signature wallets require multiple private keys; each party holds their complete key and signs independently. In contrast, MPC wallets split a single private key into shares using secret sharing. No party holds the complete key and must collaborate to create a single signature. The result is a standard digital signature that functions like any other on the blockchain.

Now that we’ve covered how MPC wallets work, let’s explore their broader applications—both today and in the future.
‍

MPC use cases

Digital asset custody

MPC enables secure key management for cryptocurrencies in blockchain wallets:

• Private keys are split across multiple parties
• No single party can access or use the keys alone
• Transactions require collaboration
• If one party is compromised, attackers cannot access the full key, preserving the assets.

Privacy-preserving analytics

MPC enables organizations to derive insights from shared data without exposing individual inputs. For example:

• Boston Women’s Workforce Council: Collaborated with universities to analyze gender pay gaps using MPC, keeping individual salary data private.
  ‍
• Danish Sugar Beet Auction (2008): The first large-scale commercial MPC application where farmers computed fair prices without revealing bids.

Privacy-preserving machine learning

MPC enables collaborative AI training without sharing raw data:

• Meta (Facebook): Meta’s research team is exploring MPC frameworks to train machine learning models on decentralized datasets while preserving user privacy.

Zero-knowledge proof trusted setup ceremonies

MPCs secure parameter generation for cryptographic systems (e.g., ZKP trusted setups), ensuring no single party learns sensitive parameters:

• Zcash Sapling Ceremony: Used MPC to generate public parameters for zero-knowledge proofs, preventing any single participant from compromising the system.
  ‍

The future of MPC

Multi-party computation’s core strength—enabling collaboration without exposing data—can address complex demands in fields where secrecy is needed. For example:

• Healthcare: Hospitals can collaborate on cross-institution research (e.g., cancer studies) and genetic privacy without sharing records.
  ‍
• Finance: Banks can jointly screen transactions for anti-money laundering and assess creditworthiness without revealing customer details.
  ‍
• Supply chain: Companies can audit suppliers globally while protecting trade secrets.
  ‍

Conclusion

Multi-party computation evolved from a theoretical concept in the 1980s to a practical technology that solves real privacy challenges today. Its ability to process sensitive data without exposure has opened new possibilities across industries, from helping hospitals collaborate on medical research to enabling more secure cryptocurrency wallets.

While MPC isn't a magic solution for every privacy problem, it enables multiple parties to collaborate without directly sharing their data. As privacy concerns grow and regulations become stricter, MPC's role in enabling secure collaboration will likely become even more critical.