Cryptocurrency wallets at exchanges and banks require strong security because they protect vast amounts of money. Some solutions rely on advanced cryptographic methods that distribute trust across multiple parties, in the spirit of Shamir's secret sharing. These include multi-party computation (MPC) and threshold signature schemes (TSS), a special case of MPC in which a group of parties jointly signs data without any single party ever holding the full private key. TSS has notably been tested and deployed in major organizations that need distributed key generation and digital signing. But these techniques, although powerful and "magic" on paper, can prove fragile in practice, as this talk will show.
We introduce MPC and TSS in a way suitable for non-experts, highlighting their unique properties and showing how they can be used to protect enterprise-grade wallets. We review TSS building blocks such as verifiable secret sharing and Schnorr signatures, and explain the design and security goals of TSS libraries and how these goals differ from those of traditional cryptography in terms of managing complexity, interactivity, and composition of protocols.
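As an added illustration of the two building blocks named above, the following toy Python implements Feldman verifiable secret sharing and a threshold Schnorr signature over a small prime-order subgroup of Z_p*. It is example code written for this page, not code from the talk or from any TSS library. It assumes toy parameters (p = 1019, q = 509, g = 4), a single dealer in place of a full distributed key generation, and naive nonce aggregation with no commitment round; these are simplifications for readability, not a protocol to deploy. The sample message is constructed. What it shows is the two properties the paragraph refers to: a participant can check the share it receives against the dealer's public commitments and reject an inconsistent one, and a quorum can produce an ordinary Schnorr signature while the full private key is never reconstructed anywhere.

```python
"""Toy Feldman VSS + threshold Schnorr (example for this page, not the talk's code).

Toy assumptions: a tiny prime-order group so values stay readable, one dealer
instead of a distributed key generation, and naive nonce aggregation without
the commitment round that production protocols add. Not for real use.
Requires Python 3.8+ for pow(x, -1, m).
"""
import hashlib
import secrets

P = 1019   # safe prime, P = 2*Q + 1 (toy size; real systems use ~256-bit curve groups)
Q = 509    # prime order of the subgroup we work in; every scalar lives in Z_Q
G = 4      # generator of the order-Q subgroup of Z_P^*: 4 = 2^2, so 4^Q = 2^(P-1) = 1


def poly_eval(coeffs, x):
    """f(x) = sum_j coeffs[j] * x^j over Z_Q, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def feldman_deal(secret, t, n, rand=secrets.randbelow):
    """Dealer: t-of-n Shamir shares f(1..n) of `secret` plus commitments g^a_j.
    f is a random degree-(t-1) polynomial with f(0) = secret; g^a_0 is the public key."""
    coeffs = [secret % Q] + [rand(Q) for _ in range(t - 1)]
    shares = {i: poly_eval(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def feldman_verify(i, share, commitments):
    """Participant i's check: g^share == prod_j (g^a_j)^(i^j).
    A value that is not f(i) fails here, and i learns nothing about f itself."""
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected


def lagrange_at_zero(indices):
    """lambda_i with f(0) = sum_i lambda_i * f(i) over Z_Q, for the given indices."""
    lambdas = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lambdas[i] = num * pow(den, -1, Q) % Q
    return lambdas


def reconstruct(shares):
    """Recombine t shares into the secret. Shown for the demo only: a TSS wallet
    never does this, which is the whole point of the construction."""
    lambdas = lagrange_at_zero(list(shares))
    return sum(lambdas[i] * s for i, s in shares.items()) % Q


def schnorr_challenge(R, pk, msg):
    """Fiat-Shamir challenge e = H(R || pk || msg) reduced into Z_Q."""
    h = hashlib.sha256(f"{R}|{pk}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def threshold_sign(quorum_shares, pk, msg, rand=secrets.randbelow):
    """A quorum {i: x_i} of >= t signers outputs one ordinary Schnorr signature.
    Each signer uses only its own share and nonce; x = sum lambda_i*x_i is never formed."""
    lambdas = lagrange_at_zero(list(quorum_shares))
    nonces = {i: rand(Q - 1) + 1 for i in quorum_shares}       # per-signer secret k_i
    R = 1
    for k in nonces.values():                                 # R = g^(sum k_i)
        R = R * pow(G, k, P) % P
    e = schnorr_challenge(R, pk, msg)
    partials = [(nonces[i] + e * lambdas[i] * x_i) % Q for i, x_i in quorum_shares.items()]
    return R, sum(partials) % Q                               # s = sum k_i + e*x  (mod Q)


def schnorr_verify(pk, msg, sig):
    """Plain Schnorr check g^s == R * pk^e; a threshold-made signature is indistinguishable."""
    R, s = sig
    e = schnorr_challenge(R, pk, msg)
    return pow(G, s, P) == R * pow(pk, e, P) % P


def demo(secret=123, t=2, n=3, msg=b"constructed sample: sweep hot wallet"):
    """Deal, verify all shares, catch one tampered share, then sign with a quorum."""
    shares, commitments = feldman_deal(secret, t, n)
    pk = commitments[0]
    all_consistent = all(feldman_verify(i, s, commitments) for i, s in shares.items())
    # A dealer who hands participant 3 a value off the committed polynomial is caught:
    tamper_caught = not feldman_verify(3, (shares[3] + 1) % Q, commitments)
    sig = threshold_sign({1: shares[1], 3: shares[3]}, pk, msg)   # parties 1 and 3 sign
    return all_consistent, tamper_caught, schnorr_verify(pk, msg, sig)


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

Running the file prints (True, True, True): every honest share verifies against the commitments, a share pushed off the committed polynomial is rejected, and the two-party signature verifies under plain single-key Schnorr, so a verifier cannot tell it was made by a quorum. The round structure (who publishes which value, and in what order) is the part this toy leaves out, and it is precisely the interactivity and composition that the paragraph above singles out as what sets TSS libraries apart from traditional cryptographic code.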
MPC and TSS seem very secure and state-of-the-art, so what could go wrong?
Complexity is the enemy of security, and this complexity is what we exploit. We describe a new type of logical vulnerability, enabled by the extra layers of complexity in TSS implementations, which opens up a new attack surface: a malicious participant can sabotage key generation and break the security guarantees of TSS. Such an attack could allow an attacker, for example, to empty an organization's cold wallet. We also describe a related attack on a major MPC solution used by a leading organization.
We conclude with lessons learned and best practices across the development pipeline of complex cryptographic software: extensive testing, defense-in-depth controls, how to implement new academic work safely, and how to structure an audit by specialists so that it is most effective.