MPC vs Multi-sig — Misconceptions and Valid Arguments
At Screen Protocol, our mission is to help you grasp the concept of fund custody. Today, we aim to highlight one of the most debated topics: MPC vs Multi-sig. Through this blog, we seek to educate you about these technologies, highlight their differences, and debunk some common misconceptions about custody solutions.
TLDR of the blog in a single image:
To achieve this blog’s goal, we will start by understanding the following topics:
- What is MPC — Pros & Cons
- What is Multi-sig — Pros & Cons
- Misconceptions
- Valid concerns
Once we have a clear understanding of these terms, we will explore the misconceptions surrounding them, separating fact from fiction. We will also delve into the grey areas that may be partially true but require a nuanced perspective. Finally, we will address valid concerns that demand attention.
Let’s dive right in and explore these fascinating aspects!
What is MPC
MPC stands for “Multi-Party Computation”, a family of cryptographic protocols that let several parties jointly compute a function over their inputs while each party's input stays private from the others. MPC as a technique is very powerful and is used in many places, such as
- Privacy-Preserving Data Analysis: MPC allows multiple parties to jointly analyze their data without revealing the individual data points.
- Secure Multi-Party Machine Learning: MPC allows multiple parties to train a machine learning model collaboratively without sharing their private data.
- Privacy-Preserving Financial Calculations: In financial settings, MPC can be used to perform calculations involving sensitive financial data, such as portfolio optimization, risk assessment, or credit scoring, without exposing individual financial information.
These are just a few examples; there are many more ways to use the technique.
When used in the context of crypto, MPC is used for threshold signing: each party holds a share of the private key, the parties run an interactive signing protocol in which each contributes a partial signature computed from its own share, and the partial signatures are combined into a single, standard signature. The full private key is never assembled on any one machine, and the chain sees an ordinary signature from an ordinary address.
Now, how do these parties get their key shares? Two approaches are common. With secret sharing (for example Shamir's scheme) an existing private key is split into n shares such that any t of them reconstruct it and fewer than t reveal nothing about it. With distributed key generation (DKG) the parties generate the key jointly from the start, so the complete private key never exists anywhere; this is what production MPC wallets do.
Pros
- No single complete private key: the key exists only as shares held by different parties, so no one entity, including the user, ever holds the whole key. As a user, you can choose not to keep a full key at all.
- Fault tolerance: if one party goes offline or loses its share, the others can still sign transactions or help issue a fresh share to a new device, as long as the number of parties still available meets the signing threshold.
- Easy recovery: recovery happens off-chain, by the parties holding enough shares agreeing to cooperate, so it carries no gas cost.
Cons
- Permanent shares: once a party has received a share it cannot be taken back. Removing a guardian only works if the remaining parties run a key refresh (proactive resharing) that replaces every share and invalidates the old ones, and nothing on-chain proves that they did. Without such a refresh, previous guardians as well as current ones could pool their shares to reach the threshold and steal your assets, a risk Vitalik has described as unacceptably high.
- Trust assumptions: MPC protocols rely on a bound on how many parties are dishonest. If more than that fraction collude, or that many shares are stolen, the protocol's security guarantees no longer hold.
- MPC wallets are EOAs: most current MPC wallets control an ordinary externally owned account (EOA), and an EOA has no way to rotate its key. If enough shares are compromised or enough holders collude, the only remedy is to move every asset to a fresh address before the attacker does; the old wallet can never be trusted again.
- Key Management: Managing key shares and ensuring their secure storage and availability when needed can be challenging in MPC protocols.
- Complexity: Designing and implementing MPC protocols correctly can be complex. Errors or vulnerabilities may arise if not done properly.
- Communication Overhead: MPC protocols often require significant communication between parties, which can impact performance and increase the risk of network-based attacks.
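As a worked illustration of the key-share mechanics described above, the following Python is an added example, not Screen Protocol's code or any wallet's implementation. It splits a secp256k1-sized private scalar with Shamir secret sharing, reconstructs it from any threshold of shares, and shows the point behind the "Permanent Shards" concern: a former guardian's share stays valid until the remaining holders run a proactive refresh, after which old and new shares can no longer be combined. The key value and the 2-of-3 setup are constructed; a production MPC wallet would generate shares with DKG and sign with a threshold protocol rather than ever reconstructing the key as this demo does.

```python
"""Shamir t-of-n sharing of a private-key scalar with a proactive refresh.
Added illustration, not Screen Protocol's or any MPC wallet's code: real
wallets generate shares with DKG and sign with a threshold protocol so the
full key is never reconstructed as it is in demo() below."""
import secrets

# Order of secp256k1, the field Ethereum/Bitcoin private keys live in.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over GF(N); coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def split(secret, t, n):
    """Shamir split: random degree t-1 polynomial f with f(0) = secret; share i is f(i)."""
    assert 1 <= t <= n < N
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from any {i: f(i)} holding at least t shares."""
    xs = list(shares)
    secret = 0
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = (num * (-j)) % N
                den = (den * (i - j)) % N
        secret = (secret + shares[i] * num * pow(den, -1, N)) % N
    return secret


def refresh(shares, t):
    """Proactive resharing: add shares of zero (random polynomial g with g(0) = 0).
    The new shares encode the same key but are incompatible with the old ones,
    so a former guardian who kept an old share can no longer help reach the
    threshold. Every holder must take part and delete its old share; nothing
    on-chain proves that this happened."""
    zero_coeffs = [0] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: (s + _eval_poly(zero_coeffs, i)) % N for i, s in shares.items()}


def demo():
    key = secrets.randbelow(N)                      # constructed stand-in for a wallet key
    shares = split(key, t=2, n=3)                   # user device, guardian A, guardian B
    assert reconstruct({1: shares[1], 3: shares[3]}) == key   # any 2 of 3 recover it
    assert reconstruct({2: shares[2]}) != key                 # one share alone does not
    new = refresh(shares, t=2)                      # rotate shares after dropping guardian B
    assert reconstruct({1: new[1], 2: new[2]}) == key         # same key, fresh shares
    stale = reconstruct({1: shares[1], 2: new[2]})  # guardian B's old share plus a new one
    return stale != key                              # the dropped guardian's share is useless
```

The refresh is the only lever an MPC user has against a guardian who must be dropped, and it depends on every remaining holder actually replacing and deleting its old share; compare this with removing an owner from a multi-sig contract, where the revocation is a public state change anyone can check.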
What is multi-sig
Multi-sig wallets are smart contract wallets in which two or more parties authorise a transaction, or a recovery of the wallet, by each signing with their own private key. Every party has its own key, and the corresponding address is registered as an authorised owner in the contract. The user configures the minimum number of signatures required for each action; for example, recovering the wallet can require 2 out of 3 authorised owners to sign. If the user later decides that an owner is misbehaving, the user can remove that owner from the authorised list with an on-chain transaction.
Multi-sig smart contracts have been popular since 2017 with the launch of Gnosis SAFE, and they are one of the most popular choices amongst DAOs and high-net-worth individuals, including Vitalik. Safe alone holds over $40B worth of assets on-chain. Sequence, Argent, and Instadapp are among the other projects that have used multi-sig smart contract wallets to let users recover their SCWs with the help of third parties.
After the rise of Account Abstraction (ERC-4337), we have already seen modular smart account initiatives such as ERC-6900, which pave the way for multi-sig and other smart contract wallets. Soulwallet has also released its modular smart contract wallet infrastructure.
Pros
- Enhanced security: requiring multiple signatures removes the single point of failure. If one signer's private key is stolen, the funds stay safe because the attacker still needs the other authorised key(s) to meet the threshold.
- Recovery: if a signer's key is lost or compromised, the remaining authorised parties can, depending on the configuration, sign a transaction that swaps the lost key for a new one, restoring access without moving the funds. There is no single seed phrase whose loss is fatal.
- Modules: most multi-sig smart contract wallets support modules, and with them policies such as transaction limits can be set. For example, with 4 authorised entities in an SCW we can have limits like:
  - a single signature for amounts under $100, at least two signatures for $100 to $10k, and a hardware key for amounts exceeding $10k;
  - dedicated roles for certain authorised entities, so that they can only help in recovery but can never initiate transactions. This way you can have custom third parties that can help you recover your funds. We at Screen Protocol are working towards such modules to enhance the security of your smart contract wallets;
  - Banana Wallet is bringing zk-based one-time-password 2FA to SCWs as a second authentication factor to help prevent fraud.
Since a module can be anything, the sky is the limit, and we see this space growing large in future. Because the modules live on-chain, their rules are public and anyone can verify them.
- Revocable trust: since you can remove or replace authorised entities, the trust placed in any one of them is low. In MPC, a party that has received a share of the private key keeps it; taking it out of the scheme requires the other parties to run a key refresh, and then trusting that they did. In a multi-sig wallet the user sends one transaction to remove a malicious party from the authorised list at any time, and the removal is visible on-chain.
- Pay gas in any token: with ERC-4337, a paymaster contract can pay the gas for a user operation and take payment in any token, with no centralised relayer in the loop because bundlers are permissionless. An EOA, including one controlled by MPC, must pay gas in the chain's native token unless a centralised relayer fronts it.
Cons
- Gas cost: Since all these checks and recovery happen on-chain, there is an inherent gas cost associated with these actions.
- Complexity: a multi-sig wallet must be rigorously tested and audited before it is used in production; a small bug can drain all of the funds. That said, SAFE has been audited repeatedly and has run in production for more than four years without a known exploit of its core contracts.
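To make the revocation difference and the module policies described above concrete, here is an added Python model of a threshold smart-contract wallet with a tiered-limit module and a recovery-only signer role. It is illustration only, not Safe's or Screen Protocol's contract code. Signatures are HMAC tags keyed by each owner's constructed secret, standing in for the ECDSA signatures an on-chain wallet checks with ecrecover; the owner names and amounts are made up, and the rule that transfers above $10k need two signatures of which one is a hardware key is one reading of the example limits in the text.

```python
"""A k-of-n smart-contract wallet with a tiered-limit module and a
recovery-only signer role, modelled in Python. Added illustration, not Safe's
or Screen Protocol's contract code. HMAC tags keyed by each owner's secret
stand in for the ECDSA signatures an on-chain wallet would check with ecrecover."""
import hashlib
import hmac

SIGNER, HARDWARE, RECOVERY = "signer", "hardware", "recovery"


def tx(to, amount_usd):
    return f"{to}:{amount_usd}"


class ThresholdWallet:
    def __init__(self, owners, threshold):
        self.owners = dict(owners)   # name -> {"key": bytes, "role": SIGNER|HARDWARE|RECOVERY}
        self.threshold = threshold   # base k for owner-set changes such as removals
        self.nonce = 0               # bumped on every accepted action: replay protection

    def _msg(self, action, payload):
        return hashlib.sha256(f"{action}|{payload}|{self.nonce}".encode()).digest()

    def sign(self, name, action, payload):
        """What an owner's device does locally (HMAC here, ECDSA on-chain)."""
        tag = hmac.new(self.owners[name]["key"], self._msg(action, payload), "sha256").digest()
        return name, tag

    def _verify(self, sigs, action, payload):
        """Return the set of distinct current owners whose signatures check out."""
        msg = self._msg(action, payload)
        ok = set()
        for name, tag in sigs:
            owner = self.owners.get(name)            # removed or unknown signers are ignored
            if owner and hmac.compare_digest(tag, hmac.new(owner["key"], msg, "sha256").digest()):
                ok.add(name)                          # a repeated signature counts once
        return ok

    @staticmethod
    def policy(amount_usd):
        """Tiered-limit module: (signatures required, hardware key required)."""
        if amount_usd < 100:
            return 1, False
        if amount_usd <= 10_000:
            return 2, False
        return 2, True

    def execute(self, to, amount_usd, sigs):
        need, need_hw = self.policy(amount_usd)
        ok = self._verify(sigs, "exec", tx(to, amount_usd))
        ok = {n for n in ok if self.owners[n]["role"] != RECOVERY}   # recovery keys cannot spend
        has_hw = any(self.owners[n]["role"] == HARDWARE for n in ok)
        if len(ok) < need or (need_hw and not has_hw):
            return False
        self.nonce += 1
        return True

    def remove_owner(self, name, sigs):
        """Revocation is an ordinary state change signed by k other owners."""
        ok = self._verify(sigs, "remove", name) - {name}
        if name not in self.owners or len(ok) < self.threshold:
            return False
        del self.owners[name]
        self.nonce += 1
        return True


def demo():
    """Constructed 2-of-4 setup; returns the accept/reject outcome of each step."""
    keys = {n: hashlib.sha256(n.encode()).digest()       # constructed secrets for the demo only
            for n in ("metamask", "phone", "ledger", "guardian")}
    w = ThresholdWallet({
        "metamask": {"key": keys["metamask"], "role": SIGNER},
        "phone":    {"key": keys["phone"],    "role": SIGNER},
        "ledger":   {"key": keys["ledger"],   "role": HARDWARE},
        "guardian": {"key": keys["guardian"], "role": RECOVERY},
    }, threshold=2)
    out = []
    out.append(w.execute("0xabc", 50, [w.sign("phone", "exec", tx("0xabc", 50))]))        # 1 sig suffices
    out.append(w.execute("0xabc", 5_000, [w.sign("phone", "exec", tx("0xabc", 5_000))]))  # needs 2
    two = [w.sign(n, "exec", tx("0xabc", 5_000)) for n in ("phone", "metamask")]
    out.append(w.execute("0xabc", 5_000, two))                                            # accepted
    out.append(w.execute("0xabc", 5_000, two))                                            # replay: nonce moved
    out.append(w.execute("0xabc", 50_000, [w.sign(n, "exec", tx("0xabc", 50_000)) for n in ("phone", "metamask")]))  # no hardware key
    out.append(w.execute("0xabc", 50_000, [w.sign(n, "exec", tx("0xabc", 50_000)) for n in ("phone", "ledger")]))    # accepted
    out.append(w.execute("0xabc", 5_000, [w.sign(n, "exec", tx("0xabc", 5_000)) for n in ("phone", "guardian")]))    # recovery key cannot spend
    s = w.sign("phone", "exec", tx("0xabc", 5_000))
    out.append(w.execute("0xabc", 5_000, [s, s]))                                         # duplicate counts once
    out.append(w.remove_owner("phone", [w.sign(n, "remove", "phone") for n in ("metamask", "ledger")]))  # revoke phone
    out.append(w.execute("0xabc", 50, [("phone", b"\x00" * 32)]))                          # revoked key is ignored
    return out
```

The checks that matter in a real contract are the same ones modelled here: signers are de-duplicated before counting, the nonce is part of the signed message so an old signature cannot be replayed, role restrictions are applied before the threshold is compared, and removing an owner is just another signed state change, visible to anyone reading the contract.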
Now that we understand both concepts holistically, let’s dive into our segment where we dissect the most common questions and misconceptions.
Misconceptions
Now, let’s address some common questions and misconceptions surrounding these concepts.
#1 SCWs are new and MPC is tried and tested
The reality is that SCWs (Smart Contract Wallets) have been around since 2017, with SAFE being one of the pioneers in popularising multi-sig SCWs. At its peak, SAFE held approximately 100 billion dollars worth of assets, and major DAOs have entrusted their treasuries to it. Other SCW providers such as Argent, Sequence, and Instadapp have also simplified the web3 experience with features such as social logins and recovery. With ERC-4337, SCWs become first-class citizens of the chain: as a user, you no longer need an externally owned account (EOA) to send transactions.
MPC, on the other hand, has mainly been used in high-trust settings, where an enterprise signs legal contracts with the parties that hold its key shares. It has not gained widespread acceptance among retail investors or everyday users like you and me, largely because a share, once handed to a party, stays with that party unless the others cooperate to refresh the key.
#2 Multi-sig is used by DAOs only
While the adoption of multi-sig wallets initially gained traction among DAOs, it has since expanded to include individuals as well. In fact, upon conducting research on existing multi-sig solutions like SAFE, we discovered that approximately 50% of all SAFE wallets are held by individuals. Personally, I also choose to store my funds on a multi-sig wallet like SAFE. I find it to be more secure, and the recovery process is incredibly straightforward. In my case, I have configured my wallet with a 2/4 device setup. I use Metamask as one of the signers, a mobile wallet like Rainbow as another, and two hardware wallets (such as Trezor and Ledger) as the remaining signers. This setup allows me to diversify my keys and their storage. For most simple transactions, I use my mobile device as the second factor for signing. In the event that one of my main devices becomes corrupt or inaccessible, I can still recover my funds using my hardware keys. This approach provides a higher level of security and convenience compared to any hardware or MPC solution currently available.
Valid concerns
Now, let’s address some valid concerns regarding SCWs and discuss the ongoing efforts to address them.
#1 High gas cost of SCWs
Since SCWs utilize smart contracts, each transaction incurs some overhead compared to equivalent transactions with EOAs or MPC. Additionally, there is a cost associated with deploying the smart contract wallet on-chain.
However, several factors work in favour of SCWs to lower transaction costs:
- SCWs have the capability to batch transactions, meaning that multiple actions that would typically require multiple transactions with EOAs can be accomplished in a single transaction with an SCW. For example, interacting with a DeFi protocol often involves multiple steps (e.g., approval, swapping, and depositing). In an SCW, all these actions can be performed within one atomic transaction, resulting in gas savings.
- ERC-4337 supports signature aggregation, allowing multiple SCW transactions to effectively “share” a signature, reducing the cost for each individual transaction. Vitalik Buterin has provided some relevant numbers on this matter.
- ERC-4337 does not deploy the smart contract account until the user's first transaction. Before that, the account exists in a “counterfactual” state: its address is already known, because it is derived deterministically from the account factory, a salt and the account's initialisation code, but no code has been deployed. Users can therefore receive assets at the address without paying any deployment cost.
As a result, the gas cost comparison between SCW transactions and regular transactions depends on the specific workload. In certain applications, particularly within the DeFi space, SCW transactions may prove to be more cost-effective.
#2 Cross-chain functionality in SCWs is challenging
The multi-chain ecosystem offers numerous benefits for users and developers. However, deploying the same smart contract wallet code across multiple blockchains presents unique challenges and trade-offs.
One of the challenges is counterfactual deployment itself. Because the address is derived from the factory, the salt and the initialisation code, the same account can be given the same address on many chains, but this raises concerns:
Unnoticed state drift: each chain keeps its own state, so the "same" wallet diverges over time. A key rotation or owner removal executed on one chain does not propagate to the others, and a signer you removed on one chain may still control the wallet on a chain where that transaction was never sent.
Not universal: counterfactual deployment works on chains that are EVM-equivalent, but chains that deviate from the EVM, such as some zk-rollups, may derive contract addresses differently or host the factory at a different address, so the identical address is not guaranteed.
While it is understandable that users want a single low-level address everywhere, relying solely on counterfactual deployment has limitations and could become an anti-pattern in the long run.
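The counterfactual address discussed here, and in the gas-cost section above, is a CREATE2 address as defined in EIP-1014: keccak256(0xff ++ factory ++ salt ++ keccak256(init_code))[12:]. The Python below is an added example, not code from this post or from any wallet project, that computes it offline with a self-contained Keccak-256 (hashlib.sha3_256 applies SHA-3 padding and yields different digests, so it cannot be used). The factory address, salt and init code are constructed placeholders. It shows why the address is identical on every EVM-equivalent chain, and why a factory at another address or different account bytecode on one chain yields a different address there.

```python
"""Counterfactual (CREATE2, EIP-1014) address of a not-yet-deployed account.
Added illustration, not the post's or any wallet project's code. Keccak-256 is
implemented inline because hashlib.sha3_256 uses SHA-3 padding (0x06) and
therefore does not produce Ethereum's keccak256 digests."""

MASK64 = (1 << 64) - 1


def _rol64(a, n):
    n %= 64
    return ((a << n) | (a >> (64 - n))) & MASK64


def _keccak_f1600(lanes):
    """Keccak-f[1600] on a 5x5 matrix of 64-bit lanes indexed lanes[x][y]."""
    R = 1                                      # LFSR state for the round constants
    for _ in range(24):
        # theta: column parities
        C = [lanes[x][0] ^ lanes[x][1] ^ lanes[x][2] ^ lanes[x][3] ^ lanes[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ _rol64(C[(x + 1) % 5], 1) for x in range(5)]
        lanes = [[lanes[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho and pi: rotate each lane by a triangular number and permute positions
        x, y = 1, 0
        cur = lanes[x][y]
        for t in range(24):
            x, y = y, (2 * x + 3 * y) % 5
            cur, lanes[x][y] = lanes[x][y], _rol64(cur, (t + 1) * (t + 2) // 2)
        # chi: the only non-linear step
        for y in range(5):
            T = [lanes[x][y] for x in range(5)]
            for x in range(5):
                lanes[x][y] = T[x] ^ ((~T[(x + 1) % 5]) & T[(x + 2) % 5])
        # iota: inject the round constant generated bit by bit from the LFSR
        for j in range(7):
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                lanes[0][0] ^= 1 << ((1 << j) - 1)
    return lanes


def keccak256(data: bytes) -> bytes:
    """Original Keccak-256 (pad10*1 starting with 0x01), as used by the EVM."""
    rate = 136                                 # (1600 - 2 * 256) / 8 bytes absorbed per block
    buf = bytearray(data) + b"\x01"
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    lanes = [[0] * 5 for _ in range(5)]
    for off in range(0, len(buf), rate):
        for i in range(rate // 8):            # lane i sits at (x, y) = (i % 5, i // 5)
            lanes[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        lanes = _keccak_f1600(lanes)
    return b"".join(lanes[i % 5][i // 5].to_bytes(8, "little") for i in range(4))


def create2_address(factory: bytes, salt: bytes, init_code: bytes) -> str:
    """EIP-1014: address = keccak256(0xff ++ factory ++ salt ++ keccak256(init_code))[12:]."""
    assert len(factory) == 20 and len(salt) == 32
    return "0x" + keccak256(b"\xff" + factory + salt + keccak256(init_code))[12:].hex()


def demo():
    """Constructed inputs: a placeholder factory, a salt such as an account factory
    might derive from (owner, index), and a few bytes of stand-in init code."""
    factory = bytes.fromhex("0000000000000000000000000000000000004337")
    salt = keccak256(b"owner-address|0")
    init_code = b"\x60\x00\x60\x00\xf3"        # PUSH1 0, PUSH1 0, RETURN: not a real account
    addr = create2_address(factory, salt, init_code)
    # Same factory, salt and bytecode on any EVM-equivalent chain: same address.
    same_on_other_chain = create2_address(factory, salt, init_code) == addr
    # A chain where the factory sits elsewhere, or where the account bytecode
    # differs, yields a different address, which is where the single-address idea breaks.
    other_factory = create2_address(bytes.fromhex("00" * 19 + "01"), salt, init_code) != addr
    other_code = create2_address(factory, salt, init_code + b"\x00") != addr
    return addr, same_on_other_chain, other_factory, other_code
```

Nothing in the formula refers to a chain ID, which is exactly why the address can be shared across chains and also why nothing ties the accounts at that address together: each deployment is a separate contract with its own owner set once it goes live.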
To address this, ENS (Ethereum Name Service) has introduced multichain address resolution. This approach allows a single ENS name to be mapped to different addresses based on the specific chain. It provides a unified human-readable identifier while utilizing distinct low-level addresses for unique accounts on each chain. This approach is considered superior to relying solely on counterfactual deployments.
While the cross-chain problem is still a work in progress, various researchers have been actively working to identify the best solutions. You can explore the approach proposed by the founder of SAFE on the SAFE forum at https://forum.safe.global/t/how-can-a-safe-hold-asset-on-multiple-chains/2242.
Conclusion
In conclusion, our exploration of MPC and Multi-Sig wallets has highlighted their functionalities and addressed misconceptions. While MPC offers privacy-preserving computations, it is primarily utilized in high-trust enterprise settings. On the other hand, Multi-Sig wallets have become a trusted choice for individuals, offering enhanced security and convenient recovery options. Challenges such as gas costs and cross-chain functionality are being addressed, and ongoing research aims to enhance these custody solutions. We at Screen are betting on SCW and are working towards bringing all of its benefits to each and every one of you.
Reach us at garvit@screenprotocol.io or @screenprotocol if you have any feedback regarding the blog.