Cassie Heart on Warpcast

Cassie Heart pfp

Been a while since I took the time to write a threadoor essay, but I feel like there's been an alarming trend that warrants discussion: the rise of "MPC" protocols which are actually glorified networks of trusted operators.

4 replies

8 recasts

39 reactions

Cassie Heart pfp

What is a trusted operator? In the context of protocols, a network's design can require the participants are trusted – that is, vetted and approved, or trustless – the protocol is inherently secure against participants behaving maliciously.

1 reply

0 recast

0 reaction

Cassie Heart pfp

This applies to everything from a blockchain (Bitcoin, for example, is trustless, whereas the current iteration of Optimism is trusted/single sequencer) to file sharing (BitTorrent is trustless, an SFTP server is trusted).

1 reply

0 recast

2 reactions

Cassie Heart pfp

In MPC, a common trusted operator would be a Trusted Execution Environment (TEE), e.g. Intel SGX, Amazon Nitro. These environments create a chain of custody asserting the code executed in the TEE is only what was intended and the only extractible information is the output intended to be delivered from the TEE.

1 reply

0 recast

2 reactions

Cassie Heart pfp

Much of the research in the MPC space has been on maliciously secure protocols. This along with how academic the space is, has made it hard for non-academics to see there is a spectrum where protocols may require some or all operators to be trusted, or may be completely trustless by design.

1 reply

0 recast

2 reactions

Cassie Heart pfp

This has, intentionally or not, lead to the goodwill of the security of trustless MPC to be co-opted by MPC protocols with trusted operators. The flexibility of the term has resulted in a rise of companies which opt for the far easier work of using trusted operators. This has extremely dangerous consequences.

1 reply

0 recast

2 reactions

Cassie Heart pfp

TEEs do not have mathematical proofs of security, and are frequently fallible – SGX, for example, has been broken many times over, and these revelations are simply public scrutiny. Consider that TEEs may also be compromised by design, for specific actors: https://twitter.com/matthew_d_green/status/1703959863796158678

1 reply

0 recast

1 reaction

Cassie Heart pfp

Does this mean TEEs are inherently bad? No! TEEs have great practicality for personal use – in fact, you likely use one on your own phone or laptop to unlock it. That is a significant improvement over passwords (which are frequently bad and reused) or storing keys in plaintext on disk.

1 reply

0 recast

2 reactions

Cassie Heart pfp

MPC is frequently used to improve security under high stakes, low trust situations – a common case being crypto asset custody. Instead of having to hack or steal one target, you have to attack several, of varying configurations, to extract a private key.

1 reply

0 recast

2 reactions

Cassie Heart pfp

But in the context of decentralized MPC protocols, TEEs are outright dangerous. Instead of rigorous mathematical proofs that key shares are being used to sign a transaction exactly as requested by the logical key's owner, these trusted implementations simply combine and sign in enclaves.

2 replies

0 recast

3 reactions

Cassie Heart pfp

When a centralized service provider does this form of MPC, you are extending your trust to them, and that may be an acceptable and reasonable risk. But there are _decentralized_ protocols which are now doing this, using hardware attestations to confirm the trusted status of an operator.

1 reply

0 recast

2 reactions

Cassie Heart pfp

What does this mean? This means the security of the protocol is reduced to the security of the weakest permitted operator, which may be compromised by state actors, or just broken implementations. But worse, it also means that it is one exploit away from whatever value it holds being unlocked and stolen.

1 reply

0 recast

2 reactions

Cassie Heart pfp

To me, calling this "MPC" feels not only insultingly theatrical, it is outright deceptive. I call this Fake MPC. So if you're not an academic, how do you spot it? If a decentralized offering claims to be using MPC, look into how to run a node on the network. This is where they cannot hide the truth.

1 reply

0 recast

3 reactions

Cassie Heart pfp

Many times, they'll have this buried deep in their documentation pages or only mention it in their codebase, which further emphasizes how clearly manipulative the use of the term MPC is here given their willingness to wildly gesticulate "We're MPC! We're Secure!"

1 reply

0 recast

2 reactions

Cassie Heart pfp

When your security is reduced to the exploitability of a single vendor, the M in MPC becomes moot. Stay safe out there – never trust, always verify.

1 reply

1 recast

7 reactions

Ale Machado pfp

What are some examples of MPC protocols live today that you personally consider dangerous?

1 reply

0 recast

1 reaction