Sign in Subscribe

MPC Threshold Wallets Revisited

Mike Lodder

7 min read
MPC Threshold Wallets Revisited

Addressing the MPC Criticisms and How Lit Protocol Approaches Them

Multi-Party Computation (MPC) has sparked a significant amount of excitement in the world of digital asset custody—sometimes leading to inflated claims and misunderstandings. In the article MPC does have a single point of failure, You're not getting the security guarantees you think you are, it lays out very valid criticisms of MPC-based wallets, highlighting real and pertinent tradeoffs around single points of failure, the illusion that “the key never exists,” and performance constraints. In this piece, I will examine each criticism, examine the underlying tradeoffs, and demonstrate how Lit Protocol’s specific design decisions fully-or at least very nearly-resolve them and sets Lit apart from competitors.

Criticism: “MPC Wallets Can Still Have a Single Point of Failure”

The article rightly points out that simply splitting a private key into multiple shares does not automatically eradicate all single points of failure. If the same software that is used is identical across multiple cloud instances—often administered by the same single party—compromise of one node can quickly lead to compromise of others. Additionally, “less secure” variants of MPC (e.g., honest-but-curious protocols) can be catastrophically broken by a single malicious participant. One crucial aspect the article does not explicitly address—but which emerges naturally from the same critique—is that any deployment controlled by a single organization effectively reduces to a single security domain. A “security domain” is defined by the uniform administrative authority, policies, and procedures that govern all machines within it, regardless of whether those machines reside in a public cloud, private cloud, or on-premises environment. Consequently, spreading an architecture across multiple servers under one entity’s purview does not truly create independent trust assumptions. To rectify this shortcoming, it is essential to have at least two distinct security domains—each governed by a separate administrative authority—thereby ensuring no single entity can unilaterally compromise the system.

Two distinct security domains

Lit Protocol’s Perspective

  1. Diverse, Independent Node Operators: Lit addresses the single point of failure concern-multiple security domains-by employing multiple node operators from different companies and groups, each maintaining a share of the key. By distributing trust across organizational boundaries, Lit ensures that no single operator (or uniform stack) controls enough shares to unilaterally compromise the system. Although this measure does not entirely eliminate the inherent risk of relying on a single software vendor, Lit minimizes it through 3rd party audits and by open-sourcing its code. This model allows independent scrutiny, communal contributions, and the freedom for interested parties to adapt the software in accordance with its license. In practice, this approach represents the most pragmatic balance currently attainable—barring the more onerous requirement of having multiple vendors produce functionally identical implementations.
  2. Threshold Enforcement (e.g., 18-out-of-30): Lit’s protocol requires a strict majority of these independent nodes (e.g., 18-of-30) to participate in MPC. This threshold ensures that even if a subset of nodes fails or is compromised, the attacker cannot easily control the entire wallet. Moreover, Lit enforces a minimum threshold limit to ensure that signing requirements cannot drop below a critical security baseline, preventing the system from operating at dangerously low levels of multi-party consensus.
  3. Hardware Isolation with TEEs: To further mitigate the risk of collusion and software-level exploits, Lit leverages Trusted Execution Environments (TEEs). TEEs isolate cryptographic operations from the operating system, securely storing private key shares in hardware-protected enclaves. This design safeguards against malicious OS-level interference and inhibits collusion among node operators, thereby reducing insider threats. Additionally, Lit employs attestation mechanisms so that both clients and node peers can verify that the nodes are, in fact, running within a genuine TEE environment, thus reducing the risk of any rogue or counterfeit nodes from participating.
  4. Key Share Refresh and Resharing Events: Lit periodically refreshes key shares (proactive security) to prevent attackers from accumulating partial knowledge over time. When the set of participating node set changes, Lit performs a resharing event, effectively invalidating old shares and re-distributing new ones. This keeps the network’s security posture dynamic and robust against persistent threats.

Why It Matters: By combining these layers—diverse node operators, threshold enforcement, TEEs, and share refresh/reshare—Lit’s approach, while not entirely eliminating the risk, does substantially reduces risk to a more manageable level that “MPC inevitably collapses into a single point of failure.” Instead of identical software deployments under one party’s control, Lit’s design introduces real-world separation of powers.

Criticism: “The Key Doesn’t Really Exist—But This Is Illusory and Error-Prone”

The article underscores the complexity of threshold signature schemes. Turning something like Ed25519 or Secp256k1 into a multi-party computation involves intricate protocols, zero-knowledge proofs, and network messages. Minor errors in these protocols can subvert security, effectively reconstructing the private key or leaking it inadvertently. Additionally, many implementations generate a private key “all at once” before splitting it into shares, undercutting the idea that “the key never exists.”

Lit Protocol’s Perspective

  • Distributed Key Generation (DKG) from the Start: A key hallmark of MPC is the ability to generate cryptographic keys without ever materializing them as a single piece of data. Lit has solved this for distributed key generation—the key is generated in a truly distributed manner among all the node operators. This ensures there is no single device or party that has seen the private key in its entirety, removing the risk of a one-time “key extraction” event.
3-out-of-5 MPC
  • Fully MPC-Driven Approach: Lit uses MPC for everything—not just for signing but also for the initial key generation and periodic share refreshes. This approach bolsters the claim that the “key never really exists in one place,” because no single node ever obtains enough information to produce the private key on its own.
  • Third-Party Audits: Given the complexity of MPC protocols, regular and thorough auditing is crucial. Lit’s code undergoes reviews by independent third parties to catch cryptographic errors early. While no system is ever 100% bug-free, ongoing audits help ensure the high-assurance properties of MPC, cryptography, and security remain intact.

Why It Matters: The path from theory to practice is non-trivial in MPC; the biggest threat is often a subtle bug in the implementation. By committing to an auditable, fully distributed key generation and signing pipeline, Lit provides the stringent checks necessary to minimize errors that would otherwise undermine the promise of MPC.

Criticism: “Performance Is a Problem, Leading to Compromises in Security”

MPC protocols for threshold signatures can be computationally heavy. Each operation involves cryptographic proofs and network communication among the parties. For users accustomed to near-instant transaction signing, the added latency (e.g., 1 or 2 seconds or more) can be unacceptable. Many implementations reduce security assumptions or disable MPC features entirely to reduce signing times, transforming what should have been a “cold” MPC wallet into a “hot” single-signer wallet in practice as is the case with many vendors.

Lit Protocol’s Perspective

  1. Multiple Realms of Security and Speed: Lit tackles the performance challenge with the idea of providing multiple “realms” that can handle different types of signing requests with varying levels of security. A high-security realm might require strict multi-party coordination (and hence more time) for large or critical transfers; a lower-security realm might allow faster signing for smaller, routine actions. Higher security equating to a higher threshold vs a lower threshold.
  2. Efficient MPC Implementations and Ongoing Optimization: While MPC is inherently more complex than single-signer systems, Lit’s engineers continuously refine their cryptographic design for better performance. By experimenting with a variety of protocols and iterating on implementations, we have significantly reduced signing latency. This iterative process—encompassing parallelization strategies and other protocol-level optimizations—demonstrates Lit’s commitment to balancing strong security guarantees with practical usability.

Why It Matters: Security always intersects with usability. By providing different performance tiers, Lit acknowledges that not all transactions carry the same risk profile. Instead of sacrificing fundamental security for speed across the board, the Lit adapts—offering stronger security where it’s needed most, and lower latency where risk is lower.

Bringing It All Together: Lit Protocol’s Optimized MPC Model

  • Security Model:
    • Multiple Independent Node Operators: Minimizes single points of failure by distributing trust across multiple security domains.
    • TEEs: Strengthens isolation of private key shares at the hardware level.
    • Full MPC Lifecycle: From key generation to signing, no single node ever possesses the entire key.
    • Proactive Refresh & Resharing: Defends against long-term, persistent attackers.
  • Implementation Rigor:
    • Third-Party Audits: Reduces the risk of subtle cryptographic or implementation bugs.
    • Strict Threshold Requirements: majority e.g. 18-of-30 signing ensures collusion or compromise remains difficult.
  • Performance Strategy:
    • Multiple Security Realms: Tailors latency requirements to risk.
    • Ongoing MPC Optimization: Employs new cryptographic techniques and concurrency models to reduce overhead as newer strategies and techniques become available.

Conclusion

The original article raises valid criticisms of many existing MPC-based wallets. Indeed, MPC is not a silver bullet: if poorly implemented or deployed under a single administrator’s complete control, it can devolve into the very single point of failure it aims to prevent. Further, the complexity of threshold signature schemes makes them susceptible to subtle errors—an unfortunate reality that demands vigilant security hygiene.

Lit Protocol, however, demonstrates how these challenges can be addressed head-on:

  1. By diversifying node operators and placing them under different administrative domains, collusion and single-party compromise become far less likely.
  2. By using TEEs, audited and peer reviewed MPC protocols, and distributed key generation, Lit minimizes the risk of private key exposure.
  3. Finally, by adopting performance-oriented features such as multiple security realms and continuously optimizing cryptographic protocols, Lit tries to strike a better balance between high security and acceptable user experience.

MPC may not be a panacea, but when carefully designed—as Lit Protocol exemplifies—it can offer a robust, decentralized, and practical approach to digital asset custody. The key is to be transparent about design decisions, honest about tradeoffs, and rigorous in implementation and auditing.