As we have seen in previous blog posts, multisig and threshold signatures are essentially just different ways of achieving the same goal: only an authorized subset of the parties (a quorum) can generate a valid signature, and no subset that falls short of a quorum can. Beyond that shared goal, however, the two differ in many ways, and in this blog post we will discuss those differences.
What Are the Main Differences Between MultiSig and MPC?
Cryptographically, multisig is much simpler. The underlying scheme's standard KeyGen, Sign and Verify algorithms are used unchanged, and the only addition is a small amount of code that verifies each of the individual signatures and checks that the signers form an authorized quorum.
In contrast, threshold signature schemes are advanced cryptographic protocols that require high expertise to design and deploy.
Threshold signing schemes generate standard signatures that are the same as locally generated signatures. As such, they are agnostic to the platform, and no special support is needed. Concretely, the blockchain or specific cryptocurrency need not have any support or even be aware that the signature is generated in a special way.
In contrast, multisig signatures need to be verified in a different way, and thus they must be concretely supported by the platform. Since not all cryptocurrencies support multisig, this can be a problem.
In addition, multisig carries an on-chain cost: the quorum structure and every one of the signatures must be encoded in the transaction and verified by the platform (as a script or smart contract), so transactions are larger and fees are higher, and platforms may limit the number of keys or the complexity of the quorum structure they will accept.
Finally, going forward, it is not possible to know what future currencies will or will not support multisig, and to what extent. Thus, multisig is more limited in applicability.
In some cases, the type of quorum structure being used may itself be a secret (e.g., in order to not publicly reveal to the adversary what shares have to be stolen, or since the business process may be confidential). Since threshold signatures generate a standard single signature, the structure can be kept secret.
In contrast, in multisig, the structure is publicly known.
As I described in the previous post, threshold signatures support refreshing the sharing: the parties jointly replace their shares with a fresh sharing of the same key, so any share stolen before the refresh is useless afterwards. This prevents an attacker from stealing shares one at a time over a long period.
Multisig does not support this, since each key is held in its entirety and a stolen key remains valid until the funds are moved to new keys. Thus, there is no mitigation against an attacker slowly stealing one key after another over a long time.
Likewise, as described in the previous post, threshold signatures support removing and adding parties who hold key shares and are authorized to be part of a quorum. This is a crucial feature in business settings.
In contrast, multisig does not support this. If we wish to modify a quorum from 2-out-of-3 to 2-out-of-4 (since a new employee joined the group), then we would have to transfer the funds to the new structure when using multisig.
Furthermore, removing an employee and changing the quorum from 2-out-of-4 to 2-out-of-3 would require transferring the funds.
Finally, replacing an employee with another would also require changing the key and thus transferring the funds, since otherwise the previous employee would still have authorization (unless the employee's key is held on a secure smartcard, in which case the card itself can simply be handed over).
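The following is an added example illustrating the points above in code; it is not code from the original post or from any vendor. It shows a quorum of share holders producing an ordinary Schnorr signature that a standard single-key verifier accepts (the "standard signature" point), a proactive refresh after which old and new shares can no longer be combined, and resharing from 2-of-3 to 2-of-4 and back to 2-of-3 while the public key (and therefore the funds' address) never changes. The secp256k1 constants are the real ones; everything else is a deliberate simplification: a trusted dealer splits the key instead of a distributed key generation, the signing nonces are not committed before being revealed, and reconstruct() exists only so the reader can check the arithmetic (a real threshold protocol never rebuilds the key). It needs Python 3.8 or later for pow(x, -1, m).

```python
import hashlib
import secrets

# secp256k1 domain parameters (the real constants; everything else here is a toy).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant-time: toy only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def shamir_share(secret, t, ids):
    """Split secret over Z_N so that any t of the parties in ids can recover it."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(t - 1)]
    return {i: sum(c * pow(i, j, N) for j, c in enumerate(coeffs)) % N for i in ids}

def lagrange(i, quorum):
    """Coefficient that party i's share carries when interpolating at x=0."""
    num = den = 1
    for j in quorum:
        if j != i:
            num, den = num * -j % N, den * (i - j) % N
    return num * pow(den, -1, N) % N

def reconstruct(shares):
    """Used here only to check the toy; a real protocol never rebuilds the key."""
    return sum(lagrange(i, shares) * s for i, s in shares.items()) % N

def refresh(shares, t):
    """Proactive refresh: each party adds a fresh sharing of zero. Key unchanged,
    but a share from before the refresh is useless together with new ones."""
    new = dict(shares)
    for _ in shares:
        zero = shamir_share(0, t, list(shares))
        for j in new:
            new[j] = (new[j] + zero[j]) % N
    return new

def reshare(shares, quorum, new_t, new_ids):
    """A quorum of old holders re-shares the key to a new party set/threshold.
    Anyone left out of new_ids is left holding a dead share of the old sharing."""
    new = {j: 0 for j in new_ids}
    for i in quorum:
        sub, lam = shamir_share(shares[i], new_t, new_ids), lagrange(i, quorum)
        for j in new_ids:
            new[j] = (new[j] + lam * sub[j]) % N
    return new

def hash_e(R, pub, msg):
    """Schnorr challenge e = H(R, P, m) reduced into Z_N (x-coordinates only)."""
    data = R[0].to_bytes(32, "big") + pub[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def threshold_sign(shares, quorum, pub, msg):
    """Each quorum member signs with its share; the sum of the partial signatures
    is a plain Schnorr signature. Toy: real protocols commit to nonces first."""
    nonces = {i: secrets.randbelow(N - 1) + 1 for i in quorum}
    R = None
    for i in quorum:
        R = ec_add(R, ec_mul(nonces[i]))
    e = hash_e(R, pub, msg)
    return R, sum(nonces[i] + e * lagrange(i, quorum) * shares[i] for i in quorum) % N

def verify(pub, msg, sig):
    """Ordinary single-key Schnorr verification: sG == R + eP. Nothing here
    knows or cares that the signature came out of a threshold protocol."""
    R, s = sig
    return ec_mul(s) == ec_add(R, ec_mul(hash_e(R, pub, msg), pub))

if __name__ == "__main__":
    x = secrets.randbelow(N - 1) + 1          # in practice the key is never held whole
    pub = ec_mul(x)
    shares = shamir_share(x, 2, [1, 2, 3])    # 2-of-3 among employees 1, 2, 3
    assert verify(pub, b"tx1", threshold_sign(shares, [1, 3], pub, b"tx1"))
    fresh = refresh(shares, 2)                # same key; an old stolen share is now useless
    assert reconstruct({1: shares[1], 2: fresh[2]}) != x
    grown = reshare(fresh, [1, 2], 2, [1, 2, 3, 4])    # employee 4 joins: now 2-of-4
    shrunk = reshare(grown, [3, 4], 2, [1, 3, 4])      # employee 2 leaves: 2-of-3 again
    assert verify(pub, b"tx2", threshold_sign(shrunk, [1, 4], pub, b"tx2"))
    print("public key unchanged:", ec_mul(reconstruct(shrunk)) == pub)
```

The point to take from the demo is the last line: through a refresh, an added party and a removed party, `pub` never changes, so nothing has to be moved on chain; the equivalent changes with multisig would each require a new set of keys and a funds transfer. Note also that the ex-employee's share (party 2 in `grown`) cannot be combined with any share from `shrunk`, which is the mechanism that revokes their authorization.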
Should You Protect Your Crypto Assets with Multisig or MPC?
In short, although threshold signing and multisig address the same basic issue, threshold signing has many advantages over multisig.
The primary advantage of multisig is that it requires less cryptographic expertise to build and deploy. However, in enterprise settings, and wherever large sums are being protected, threshold signatures are today widely accepted to be the far preferable option.