Part of the solution to digital assets custody is professional and involves bringing custodial and other structures from the traditional financial world to bear on handling this new class of assets. But due to the unique nature of digital assets part of the security solution must be technological.
Why is securing digital assets different?
Digital assets differ from other asset classes in some crucial ways. Compare Bitcoin with gold. If you own a million dollars’ worth of gold, it can be custodied by a qualified custodian and secured in a vault. Should you one day wish to put it in the trunk of your car and drive away with it, you would be asked to identify yourself. Records of your ownership would exist with your custodian and elsewhere.
If you own a million dollars’ worth of Bitcoin — 84.93BTC at the time of writing — it can also be custodied by a qualified custodian. But now there’s no physical asset to put in a vault. Owning BTC means having the private key to the address where that BTC has been deposited. If that private key is lost there is no other form of verification, so the key is far more important than any single proof of ownership could be in the case of another asset.
Naturally, this has become the focus of security efforts in the digital assets space.
What is an HSM and how does it work?
HSM stands for Hardware Security Module. It’s a physical computing device intended to keep private keys safe and useable simultaneously, as well as to provide cold storage — where private keys are kept on devices completely disconnected from the network.
Currently, HSMs are the industry standard as the majority of retail investors and exchanges tend toward cold storage for security.
Main advantages
The main advantages of a HSM are:
- Security: Used correctly, HSMs provide real security against external threats since authentication takes place inside the module.
- Key retention: Unlike software-based solutions, a HSM keeps keys right on the device itself and they never leave.
- Tamper tracking: Many HSMs are built to be tamper-evident, leaving a trail; most are designed to be tamper-proof in various ways.
Main disadvantages
However, HSMs are not a perfect security solution. They have several major drawbacks.
- Key misuse: Keys can be misused once, and the consequence can be the loss of all digital assets associated with that address. Solutions to this problem include quorum access, where more than one person must sign off on transactions; however, HSMs do not provide for this functionality for key use, only for administrative actions.
- Agility: HSMs are harder to update than software solutions, and upgrades can involve replacing the device or undergoing firmware updates.
- Ledger support: HSMs are built to match the cryptographic curve used by a ledger, rather than the ledger itself. For example, Bitcoin uses the secp256k1 curve. A HSM built to work with this will work with other ledgers that use the same curve, but not with ledgers tat use a different curve. Thus, HSMs militate against a diversified digital assets portfolio and make it more difficult to assimilate new ledgers and the assets supported by them.
- Slower transaction times: HSMs involve slower transactions than some other solutions because transactions must be authorized manually, and the modules have little capacity for automation.
- Scalability: Each client must have one or more HSMs, so as client bases grow, so does the need for HSMs and qualified personnel to maintain and operate them.
What is MPC and how does it work?
MPC stands for Multi-Party Computation. In the digital asset space, MPC involves splitting private key control and access in such a way that multiple individuals can access it, and that multiple individuals must access it in order for a transaction to be authorized.
It’s worth pausing to look at how this works, because MPC represents a radical departure from previous technologies used for digital asset custody. It’s not a different name for multi-signature security.
MPC lets multiple, non-trusting computers each conduct computation on their own fragment of a larger data set. What this means is that the key used is collaboratively generated, and there isn’t a single, vulnerable complete private key sitting on a computer somewhere, reliant on being disconnected from the network to keep it secure.
MPC thus realizes the hopes of other digital asset security tools, to offer both security and accessibility.
Additionally, it addresses the biggest problem with digital asset security: the assets are secured by blockchain, but the private keys aren’t. MPC creates a distributed, modular network for storing private keys. Keys are split and represented by key shares held by multiple signers; the key always remains split into multiple shares, even when in use, so there’s no single point of entry to defend.
As well as the security advantages, MPC lets key holders assemble complex signing quora without the additional effort of multi-sig. This is referred to as “n-of-m” signing: a given number of people are allocated key shares, and of these, a given number must sign off on the transaction.
Thus MPC offers the agility and security that institutional investors require, not as part of a tradeoff, but as complementary parts of a new way to approach security.
Main advantages
- Key share separation: Key shares always remain separate, so the complete key remains secure. This is true even when a quorum assembles a key to make a transaction: the key is never assembled on a single machine.
- Multisignatory quora without multisig: Groups can be assigned key shares, and a set number required to make a transaction — without the inconvenience and slower, heavy transactions of traditional multisig.
- M-of-n non-trusting entities can carry out transactions: The entities making up a quorum need not be solely from one organization and non-trusting entities can co-sign transactions.
- Blockchain-agnostic: MPC is a security layer that sits on top of blockchain access and doesn’t need to match any ledger’s key generation algorithm or other systems.
- Flexibility and scalability: Keyshares can be created and destroyed on the fly, making MPC operationally flexible and scalable.
- Lower transaction sizes: MPC transactions are smaller, faster and incur lower on-chain transaction charges.
Main disadvantages
- Changeover and buy-in: Moving to MPC means everyone who uses it to sign off on transactions needs to switch to it, and that means “lateral selling” — convincing partners to switch to a new technology.
- Convincing clients: Most custody clients have heard of cold storage. The idea seems common-sense and it’s familiar: the industry standard. Clients will need to be convinced of the reasons why you’d rather protect their assets with MPC.
- Key shares still need to be stored securely: Key shares still represent attack surface and still need to be kept secure. One of the most effective ways to do this is by storing keyshares on HSMs.
- Currently, there’s no way to know which quorum members signed: unlike blockchains, where transactions are auditable, MPCs record signing but can’t differentiate between quorum members, increasing the potential for unethical collusions. These can still be safeguarded against but the technology itself does not do this automatically.
- New technology: The technology is new and there are relatively few HSMs ready to plug into it, for instance; non-optimised HSMs are less secure. Industry-leading MPC companies are often unwilling to share their source code or implementation details.
- Lack of security testing: Older technologies have had time to be tested more stringently. MPC has not, and setups based on MPC have yet to pass standard penetration and security tests like Common Criteria, FIPS or CSPN.
Which is better and why?
HSMs require custody arrangements to take place outside the technological solution itself and do not provide functionality to model custody arrangements directly on the HSM itself. They are essentially upgraded cold storage: a step in the right direction, but on their own insufficient to meet the needs of a new generation of institutional digital assets investors.
Thus, HSMs need to be integrated into security, transaction and storage structures that provide the flexibility and safety clients require. When this is done, though, they can be part of an overarching solution that is both more secure and more responsive than MPC alone can provide.
By contrast, MPCs are like all the best technologies in that they both solve stubborn, familiar problems — key security, quorum transactions, transaction weight — and create the potential for new forms of success in their space. At the moment when banks in the United States are eyeing their new permissions to custody digital assets, there’s increasing interest in technological solutions that facilitate multi-party transaction signing and accelerate and lighten transactions.
However, they also introduce a significant attack vector in the form of the devices used to store keyshares. This is new attack surface that requires expertise to manage and make safe — expertise that many custodians do not possess. While digital asset keys are the sole mode of access to the assets and, if lost, cannot be recovered or replaced, changing the technology used to protect them must be done carefully — a point emphasized by Jonathan Katz in his keynote talk at the 2019 IACR Crypto conference, which outlined concerning vulnerabilities in MPC implementation of fixed-key AES.
Conclusion: MPC, HSM, or something else?
MPC is a substantially untested technology with great potential and little track record. While it offers significantly improved functionality over traditional multi-sig systems and HSMs, it isn’t a perfect solution. Implementation is all, and MPC must be implemented alongside keyshare storage and professional structures that protect client assets.
However, HSMs do not provide a perfect solution either. The advantage they have is that they perform their simple, clearly-defined role extremely well, and thus they can be used as the dedicated security solution within an integrated approach to digital asset custody, each of whose components is well-understood and extensively tested.