Multi-party computation (MPC) is a subfield of cryptography focused on secure computation that allows multiple participants to perform calculations while keeping individual data secret. Each participant will only see the final result, not the inputs of others. MPC combines cryptographic protocols for computation, verification (to detect cheating), and privacy preservation.
Imagine three companies tasked with calculating their average revenue without disclosing the actual numbers to each other. MPC allows them to compute the average, with each company seeing only the final result, not the other companies' revenue.
While both zero-knowledge proofs (ZKPs) and multi-party computation (MPC) belong to privacy-preserving cryptography, they serve distinct purposes. ZKPs allow a party to prove knowledge of a secret without revealing it (e.g., proving identity without disclosing any sensitive credentials), even in multi-party settings. MPC, however, enables multiple parties to jointly compute a function over their private inputs without exposing the inputs themselves.
The key breakthrough of multi-party computation is that parties can collaborate on calculations without revealing their data to anyone.
Multi-party computation emerged in the 1980s as a theoretical concept in cryptography, but its practical applications took decades to materialize. Below are key milestones in its evolution—from early protocols like Yao’s Garbled Circuits to modern blockchain integrations. This timeline highlights how MPC transitioned from academic research to real-world privacy solutions.
Multi-party computation ensures input privacy through mathematical guarantees. The protocol mathematically prevents participants from learning others' inputs while still allowing computation on those inputs.
No single party holds all the data or controls the computation. The security of multi-party computation comes from distributing trust across multiple participants, making it resistant to individual compromises.
So, why does all this matter? Let’s explore why MPC is critical for today’s privacy needs.
MPC solves a specific problem in data privacy: how to compute on sensitive data without exposing it. This matters for several reasons:
1. Data privacy laws: Organizations must analyze data while complying with regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
2. Cross-organization collaboration: Companies can work together without sharing confidential information.
3. Single point of failure: Traditional systems that collect and centralize data in a single location create security risks.
4. Trust minimization: MPC removes reliance on a single trusted third party. For example, organizations can collaborate without sharing raw data, and cryptographic systems (like ZKP trusted setups) can generate public parameters securely without a central authority.
But how does MPC protect against potential threats? Let's look at the security models behind it.
In MPC protocols, an "adversary" refers to a participant (or group of participants) who attempts to break the protocol's security. Adversaries are bad actors in the system. They could be:
Therefore, MPC protocols are designed around two foundational questions:
These questions define the protocol’s resilience to collusion (e.g., multiple corrupted parties secretly sharing data to breach privacy) and its ability to handle adversarial actions like eavesdropping (intercepting messages to infer private inputs) or sabotage (deliberately disrupting computations).
The security models describe what these adversaries might do and how the protocol protects against them. Some of the main security models in multi-party computation include:
What it means:
The semi-honest security model assumes adversaries follow the protocol rules but attempt to infer private information from exchanged messages. A protocol that is secure against semi-honest adversaries (known as a semi-honest secure protocol) ensures that parties can’t infer private inputs, even if they passively analyze protocol interactions.
How it works:
Semi-honest secure protocols use cryptographic primitives like garbled circuits and secret-sharing schemes (discussed later) to ensure no single party can reconstruct private data without collaboration (e.g., obtaining enough secret shares).
Use cases:
Benefits of semi-honest security:
What it means:
The malicious security model assumes adversaries may arbitrarily deviate from the protocol: sending fake inputs, tampering with computations, or aborting prematurely to disrupt results. A malicious-secure protocol guarantees privacy and correctness even if some parties cheat, ensuring outputs are valid and inputs remain confidential.
How it works:
Malicious-secure protocols add cryptographic verification steps (e.g., zero-knowledge proofs, cut-and-choose, information-theoretic MACs on secret shares) that detect and reject cheating. Each party must prove that it followed the protocol correctly at every step, so input privacy and computation integrity hold even against active attackers.
Use cases:
Benefits of malicious security:
Other security models, such as covert security, provide a middle ground between semi-honest and malicious security, but these two are the most widely used.
These security models define how protocols handle adversaries. Let’s examine the settings that dictate their implementation:
Now, let’s explore how secret sharing enables secure computations.
Secret sharing allows splitting a secret into multiple pieces, called shares, where:
In a threshold secret-sharing scheme:
For a practical example, see Shamir’s secret sharing below.
1. Shamir's secret sharing
For example, in a 3-out-of-5 scheme:
This works like a puzzle: you need a minimum number of pieces (the "threshold") to solve it, but individual pieces alone are useless.
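The 3-out-of-5 scheme described above, worked through in code. This is an added example, not code from the original article: it implements Shamir's scheme over a prime field (the modulus `P`, the function names and the sample secret are choices made for this example). The secret is the constant term of a random degree-(k-1) polynomial, each party receives one point on that polynomial, and Lagrange interpolation at x = 0 recovers the secret from any k points, while k-1 points are consistent with every possible secret.

```python
import secrets

# Field modulus for all arithmetic; a Mersenne prime chosen for this example.
P = 2**61 - 1


def _eval_poly(coeffs, x, p):
    """Evaluate the polynomial with coefficients [a0, a1, ..., a_{k-1}] at x (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y


def shamir_split(secret, k, n, p=P):
    """Split `secret` into n shares such that any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1;
    share i is the point (i, f(i)) for i = 1..n.  Fewer than k points leave
    the constant term completely undetermined, which is the privacy guarantee.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element in [0, p)")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def shamir_reconstruct(shares, p=P):
    """Lagrange-interpolate through the given (x, y) points and return f(0).

    The result equals the secret only when at least k distinct shares are
    supplied; with fewer, interpolation yields a polynomial of lower degree
    whose constant term is unrelated to the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        # Lagrange basis polynomial L_i evaluated at 0: prod_{j != i} (0 - x_j) / (x_i - x_j)
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


if __name__ == "__main__":
    # 3-out-of-5: five shares are dealt, any three recover the secret (constructed sample secret).
    shares = shamir_split(1234, k=3, n=5)
    print("any three shares:", shamir_reconstruct([shares[0], shares[2], shares[4]]))
    print("only two shares: ", shamir_reconstruct(shares[:2]))  # not the secret
```

Because the threshold is a property of the polynomial degree and not of the reconstruction code, the reconstruct routine cannot tell whether enough shares were supplied; a deployment must track k alongside the shares. The two-share attempt in the usage block returns a value that matches the secret only with probability 1/P.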
2. Additive secret sharing
Example: if the secret is 10, shares could be 3, 5, and 2 (3 + 5 + 2 = 10). All shares must be combined to recover the secret.
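An added example (not code from the original article) that ties together three passages above: the three-company revenue sum from the introduction, the additive sharing just described, and the MAC-authenticated shares mentioned under malicious security. Everything is done modulo a prime `P` so that shares are uniformly random and leak nothing; the modulus, function names, and the dealer that knows the MAC key `alpha` are assumptions made for this example. In a real protocol such as SPDZ, `alpha` is itself secret-shared and the check is performed without revealing it; here a dealer holds it so the check stays short.

```python
import secrets

# Field modulus for all shares; a Mersenne prime chosen for this example.
P = 2**61 - 1


def share_additive(secret, n, p=P):
    """Split `secret` into n shares that sum to `secret` mod p.

    The first n-1 shares are uniformly random, so any n-1 of them reveal nothing;
    only the full set (n-out-of-n) reconstructs the secret.
    """
    if n < 2:
        raise ValueError("need at least two parties")
    shares = [secrets.randbelow(p) for _ in range(n - 1)]
    shares.append((secret - sum(shares)) % p)
    return shares


def reconstruct_additive(shares, p=P):
    """Recover the secret; every share is required."""
    return sum(shares) % p


def missing_share(partial_shares, candidate_secret, p=P):
    """Given n-1 shares, return the nth share that would complete them to `candidate_secret`.

    Such a share always exists, which is exactly why n-1 shares are consistent with
    every possible secret and therefore leak nothing about the real one.
    """
    return (candidate_secret - sum(partial_shares)) % p


def secure_sum(private_inputs, p=P):
    """Semi-honest joint sum over additive shares (e.g. three companies' revenues).

    Party i splits its own input and sends share j to party j.  Each party j adds
    the shares it received and publishes only that partial sum; the published
    partial sums add up to the total, while no party ever sees another's input.
    """
    n = len(private_inputs)
    dealt = [share_additive(x, n, p) for x in private_inputs]  # dealt[i][j]: party i's share for party j
    partial_sums = [sum(dealt[i][j] for i in range(n)) % p for j in range(n)]
    return reconstruct_additive(partial_sums, p)


# --- authenticated shares: detecting a party that tampers with its share ---

def share_authenticated(secret, n, alpha, p=P):
    """Share the secret together with an information-theoretic MAC tag alpha*secret.

    Each party holds (x_i, m_i) with sum(x_i) = x and sum(m_i) = alpha*x.
    Assumes a dealer that knows alpha (a simplification of SPDZ-style sharing).
    """
    xs = share_additive(secret, n, p)
    ms = share_additive((alpha * secret) % p, n, p)
    return list(zip(xs, ms))


def open_authenticated(auth_shares, alpha, p=P):
    """Reconstruct x from the announced shares and verify the MAC; returns (x, ok).

    A cheater who shifts x_i by delta must also shift m_i by alpha*delta to pass,
    and without alpha that guess succeeds only with probability 1/p.
    """
    x = sum(xi for xi, _ in auth_shares) % p
    m = sum(mi for _, mi in auth_shares) % p
    return x, (m - alpha * x) % p == 0


def tamper(auth_shares, party_index, delta, p=P):
    """Simulate a malicious party adding delta to its value share but not its MAC share."""
    tampered = list(auth_shares)
    xi, mi = tampered[party_index]
    tampered[party_index] = ((xi + delta) % p, mi)
    return tampered


if __name__ == "__main__":
    # Constructed sample revenues for the three-company scenario.
    total = secure_sum([120, 200, 310])
    print("joint total:", total, "average:", total / 3)
    alpha = secrets.randbelow(P - 1) + 1
    auth = share_authenticated(42, 3, alpha)
    print("honest opening:  ", open_authenticated(auth, alpha))
    print("tampered opening:", open_authenticated(tamper(auth, 1, 7), alpha))
```

The `secure_sum` routine shows the semi-honest setting: parties follow the protocol, and privacy rests on each party seeing only uniformly random shares plus the final result. The authenticated variant shows what the malicious setting adds: the opened value is accepted only if the MAC relation holds, so a party that alters its share is caught at opening time rather than silently corrupting the result.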
Unlike traditional cryptocurrency wallets, which store a single private key, MPC wallets split key generation and signing among multiple independent parties. When a user signs a transaction, these parties work together using cryptographic protocols to create the signature without having access to the full key.
This approach eliminates the single point of failure present in traditional wallets. There is no single private key in one location that can be stolen or lost. If one device is compromised, the funds remain secure because the attacker must compromise multiple parties simultaneously. This security model also enables more flexible key management by allowing users to add or remove devices, set up multiple approval requirements, and more.
Examples of MPC wallets include:
MPC wallets use threshold signatures where:
Example: In a 2-of-3 threshold scheme, any two of the three parties must collaborate to produce a signature; a single party cannot sign on its own.
Multi-signature wallets require multiple private keys; each party holds its own complete key and signs independently. In contrast, MPC wallets split a single private key into shares using secret sharing. No party holds the complete key, so the parties must collaborate to produce a single signature. The result is a standard digital signature that functions like any other on the blockchain.
Now that we’ve covered how MPC wallets work, let’s explore their broader applications—both today and in the future.
MPC enables secure key management for cryptocurrencies in blockchain wallets:
MPC enables organizations to derive insights from shared data without exposing individual inputs. For example:
MPC enables collaborative AI training without sharing raw data:
MPC secures parameter generation for cryptographic systems (e.g., ZKP trusted setups), ensuring no single party learns the sensitive parameters:
Multi-party computation’s core strength—enabling collaboration without exposing data—can address complex demands in fields where secrecy is needed. For example:
Multi-party computation evolved from a theoretical concept in the 1980s to a practical technology that solves real privacy challenges today. Its ability to process sensitive data without exposure has opened new possibilities across industries, from helping hospitals collaborate on medical research to enabling more secure cryptocurrency wallets.
While MPC isn't a magic solution for every privacy problem, it enables multiple parties to collaborate without directly sharing their data. As privacy concerns grow and regulations become stricter, MPC's role in enabling secure collaboration will likely become even more critical.