Cassie Heart pfp
Cassie Heart
@cassie
Been a while since I took the time to write a threadoor essay, but I feel like there's been an alarming trend that warrants discussion: the rise of "MPC" protocols which are actually glorified networks of trusted operators.
4 replies
8 recasts
39 reactions

Cassie Heart pfp
Cassie Heart
@cassie
What is a trusted operator? In the context of protocols, a network's design can require the participants are trusted – that is, vetted and approved, or trustless – the protocol is inherently secure against participants behaving maliciously.
1 reply
0 recast
0 reaction

Cassie Heart pfp
Cassie Heart
@cassie
This applies to everything from a blockchain (Bitcoin, for example, is trustless, whereas the current iteration of Optimism is trusted/single sequencer) to file sharing (BitTorrent is trustless, an SFTP server is trusted).
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
In MPC, a common trusted operator would be a Trusted Execution Environment (TEE), e.g. Intel SGX, Amazon Nitro. These environments create a chain of custody asserting the code executed in the TEE is only what was intended and the only extractible information is the output intended to be delivered from the TEE.
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
Much of the research in the MPC space has been on maliciously secure protocols. This along with how academic the space is, has made it hard for non-academics to see there is a spectrum where protocols may require some or all operators to be trusted, or may be completely trustless by design.
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
This has, intentionally or not, lead to the goodwill of the security of trustless MPC to be co-opted by MPC protocols with trusted operators. The flexibility of the term has resulted in a rise of companies which opt for the far easier work of using trusted operators. This has extremely dangerous consequences.
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
TEEs do not have mathematical proofs of security, and are frequently fallible – SGX, for example, has been broken many times over, and these revelations are simply public scrutiny. Consider that TEEs may also be compromised by design, for specific actors: https://twitter.com/matthew_d_green/status/1703959863796158678
1 reply
0 recast
1 reaction

Cassie Heart pfp
Cassie Heart
@cassie
Does this mean TEEs are inherently bad? No! TEEs have great practicality for personal use – in fact, you likely use one on your own phone or laptop to unlock it. That is a significant improvement over passwords (which are frequently bad and reused) or storing keys in plaintext on disk.
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
MPC is frequently used to improve security under high stakes, low trust situations – a common case being crypto asset custody. Instead of having to hack or steal one target, you have to attack several, of varying configurations, to extract a private key.
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
But in the context of decentralized MPC protocols, TEEs are outright dangerous. Instead of rigorous mathematical proofs that key shares are being used to sign a transaction exactly as requested by the logical key's owner, these trusted implementations simply combine and sign in enclaves.
2 replies
0 recast
3 reactions

Cassie Heart pfp
Cassie Heart
@cassie
When a centralized service provider does this form of MPC, you are extending your trust to them, and that may be an acceptable and reasonable risk. But there are _decentralized_ protocols which are now doing this, using hardware attestations to confirm the trusted status of an operator.
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
What does this mean? This means the security of the protocol is reduced to the security of the weakest permitted operator, which may be compromised by state actors, or just broken implementations. But worse, it also means that it is one exploit away from whatever value it holds being unlocked and stolen.
1 reply
0 recast
2 reactions

Cassie Heart pfp
Cassie Heart
@cassie
To me, calling this "MPC" feels not only insultingly theatrical, it is outright deceptive. I call this Fake MPC. So if you're not an academic, how do you spot it? If a decentralized offering claims to be using MPC, look into how to run a node on the network. This is where they cannot hide the truth.
1 reply
0 recast
3 reactions

Cassie Heart pfp
Cassie Heart
@cassie
Many times, they'll have this buried deep in their documentation pages or only mention it in their codebase, which further emphasizes how clearly manipulative the use of the term MPC is here given their willingness to wildly gesticulate "We're MPC! We're Secure!"
1 reply
0 recast
2 reactions