- Shamir Secret Sharing and Quorums
- Threshold Signature Schemes
- Additional Properties of Threshold Signing
- MPC Compared to Other Approaches
- Asynchronous Approval in Threshold Signing

**Brief Recap** In the first five blog posts in this series, I described the use of MPC and threshold signing for protecting cryptocurrencies, along with its main features and properties. In this post, I talk about the importance of proofs of security in this domain.

**Why are proofs of security needed?** Cryptography is fundamentally different to other fields of computer science and engineering. One reason for this is that security cannot be tested in the same sense as other software. Take encryption for example: one can encrypt a message, then decrypt it, and test that the original message is received back. This indeed validates that encryption and decryption work functionally. However, it says nothing whatsoever about whether or not the encryption is secure, meaning that it prevents an attacker from learning anything it shouldn’t. In other fields of software engineering, testing is not perfect, but it works well in practice. This is because what you are testing is whether or not the functionality you are implementing works. In cryptography, something functionally working is of little interest; the main question is whether the cryptographic function prevents an attacker from breaking the defined security property.

The only way to overcome this is to mathematically prove that an encryption scheme is secure, relative to a well-defined notion of security for encryption. This has become standard practice for cryptography, and proofs of security are necessary for any new standard. It is important to note that the hardness of the basic underlying problems used to construct cryptographic schemes (like the discrete log problem, RSA, a specific block cipher being a pseudorandom permutation, and so on) cannot actually be proven without major breakthroughs in computer science, and these are therefore unproven assumptions. However, encryption schemes, digital signature schemes, key exchange protocols, and so on, are all formally proven secure under the assumption that the underlying hard problem really is hard. This methodology has proven itself to work well, and is the foundation that modern cryptography rests upon. (I note that some of cryptography is information-theoretic, meaning that it does not rely on unproven assumptions. This is also true of MPC. However, even in this case, the communication channels between the parties must be encrypted, and in practice this requires assumptions.)
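The gap between a functional test and a security definition can be seen in a few lines. The following is an added example, not code from the original post: both toy ciphers (SHA-256 in counter mode as a keystream, an assumption made purely for illustration and not a vetted construction) pass the same round-trip test, yet a chosen-plaintext distinguisher wins every time against the deterministic one.

```python
import hashlib
import secrets

KEY = secrets.token_bytes(32)  # constructed sample key

def _stream(key, nonce, n):
    # Toy keystream: SHA-256 over key || nonce || counter (illustration only).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_fixed(key, msg):
    # Deterministic: the same keystream is reused for every message.
    return _xor(msg, _stream(key, b"", len(msg)))

def dec_fixed(key, ct):
    return _xor(ct, _stream(key, b"", len(ct)))

def enc_nonce(key, msg):
    # Randomized: a fresh 16-byte nonce selects a fresh keystream.
    nonce = secrets.token_bytes(16)
    return nonce + _xor(msg, _stream(key, nonce, len(msg)))

def dec_nonce(key, ct):
    return _xor(ct[16:], _stream(key, ct[:16], len(ct) - 16))

def roundtrip_ok(enc, dec, key):
    # The functional test: decrypt(encrypt(m)) == m for sample messages.
    msgs = [b"", b"pay 10 to alice", secrets.token_bytes(100)]
    return all(dec(key, enc(key, m)) == m for m in msgs)

def distinguisher_win_rate(enc, key, trials=200):
    # Chosen-plaintext game: the challenger encrypts m0 or m1 at random and
    # the adversary, who may query the encryption oracle, guesses which one.
    m0, m1 = b"A" * 16, b"B" * 16
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        challenge = enc(key, (m0, m1)[b])
        guess = 0 if enc(key, m0) == challenge else 1  # one oracle query
        wins += guess == b
    return wins / trials
```

That this one adversary drops to a coin flip against the randomized variant is itself only a test; it shows the absence of one attack, which is exactly why a proof against all adversaries in the model is needed.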

**The practice of MPC building on the science** As with any area of modern cryptography, any MPC protocol must be proven secure relative to a specific definition of security. It is interesting to note that definitions of security for MPC are very non-trivial (in part because they involve interaction, and in part because unlike other areas of cryptography some information is learned, in the form of the output being computed). In fact, although MPC was first studied in the mid to late 80s, the definitions of security used today took many years to develop. There are also different levels of security, and one should ask any MPC provider what definition of security they are using, what adversary they are assuming, and whether they are using protocols with full proofs of security (and if they are designing their own protocols or making any changes to existing protocols, whether they have the expertise for this type of work). The paradigm of constructing a protocol, and proving its security relative to a given appropriate definition, is what makes MPC a science rather than an art form.

**Peer review and transparency** All humans are fallible, and this is true of scientists and cryptographers as well. Thus, proofs of security need to be reviewed by independent third parties. In academia, this comes in the form of peer review before publication. Once again, this is not perfect, since the reviewers are human too and are fallible. However, the lack of perfection does not mean that the process does not work well the vast majority of the time. In industry, cryptographic schemes and protocols that are developed and used may not be published. In such a case, it is crucial that independent reviews are carried out, and that vendors are transparent with their customers about what they are doing. Given the nature of intellectual property, this may be under NDA and not publicly available on the vendor’s website. This is fine, as long as customers can gain confidence that the protocols being used are secure and have been independently validated. This is especially true today, when although MPC is based on decades of deep scientific research, it still requires expertise to deploy.

**Summary** No cryptographic scheme should be used without a proof of security (relative to some hard problem), and MPC is no exception. Unbound strongly believes in independent review and transparency, because no one is infallible.