Multiparty computation: The Trojan Horse of crypto regulation

Every once in a while, the crypto community crowns a new king for secure transactions, and the latest king seems to be multiparty computation, or MPC. This year, MPC adoption by custodial and noncustodial players has progressed and gained market traction at a rapid pace.

However, it could come at a price. MPC providers offer regulators a backdoor into cryptocurrency transactions. As the industry becomes more reliant on MPC for security, it could end up compromising on the long-held principles of decentralization and censorship-resistance.

The hidden features of MPC
In order to identify where the risks exist, let’s briefly recap on MPC and how it’s used. At the most basic level, MPC technology involves splitting private keys into segments and distributing them between different parties. Most commonly, the client holds one key segment, and the MPC provider holds another. The aim is to improve security by ensuring that no party has full control over any given transaction, which can only be executed if both parties provide their key segments.

MPC service providers usually present their technology as something that merely helps to secure transactions. It’s sold under the premise of: “We keep half a key, you keep the other half, but you are the boss — only you decide when and where to transfer your funds. You can also pull all your funds from our account whenever you want.”

But in reality, that isn’t exactly the case. MPC service providers act as middlemen whose approval is needed for a transaction to be executed.

In this sense, MPC providers are playing a near-identical role to banks, with blockchain serving the role played by the SWIFT system. You could replace the sender’s bank with an MPC third-party service provider and replace the SWIFT system with the blockchain. The sole difference here lies in how the sender sends the payment. With a bank, the sender instructs the bank to release the funds; with an MPC provider, the sender and provider jointly sign the transaction. Both parties submit a partial key that is then transmitted to the blockchain by the MPC service provider.

One could make the argument that there’s a significant difference between banks and MPC providers not accounted for in this comparison: Banks can freeze funds and even confiscate them. However, the issue is that such backdoors also exist in MPC providers.

There is no argument here that MPC providers are just bad guys who want to rob their clients of their funds. As reputable, professional companies working with institutions, they need to meet a primary demand from their clients — that crypto funds are recoverable if someone loses their key.

Private key security has long been a sticking point for institutions and crypto firms. So the ability to recover funds in the event of a key loss is absolutely critical for any firm that is claiming to offer secure crypto storage. Imagine a bank that didn’t allow you to recover a forgotten password, simply telling you that if you’ve lost your password, your money has gone forever.

Here comes the regulator
In light of the responsibility they hold for customer’s funds as a third party, it’s evident that MPC providers offer a backdoor for regulatory intervention. Ultimately, this means that MPC companies could play the same role as banks.

If a legal authority demands an MPC service provider to stop a transaction, it will be compelled to do so. Furthermore, if MPC providers allow users to recover lost keys, it means that a regulator could also issue a demand to confiscate funds. Again, assuming this is a legally binding request, the provider would be forced to comply if they want to stay in business.

This isn’t mere hyperbole. The regulators are already here. In June 2019, the Financial Action Task Force, or FATF, approved an initiative to regulate virtual assets and virtual asset service managers. While overall compliance is still low, we can rest assured that the FATF will continue to widen the net until all Virtual Asset Service Providers are included.

While the crypto community’s focus has been on how exchanges will manage the FATF regulation, MPC providers also perfectly match the profile of a Virtual Asset Service Provider, which manages and transfers client funds in a similar way to a banking wire transfer. The same regulatory conditions apply to all companies that directly or indirectly hold, manage or control virtual assets.

So it follows that this regulation creates the same expectations from MPCs as those that are currently applied to the banking system. In the end, this could mean large transactions become reportable to the regulator, and clients are subject to the same Know Your Customer and Anti-Money Laundering requirements as they are for a bank account.