Skip to main content
Use this page to understand how private client inputs move through Stoffel: input collection, secret sharing, VM execution, openings, and client-output delivery. If you are deciding which backend to use, start with MPC Backends. If you already chose a backend and need config or runtime details, use How Backend Selection Works. HoneyBadger MPC runtime diagram showing client input/output paths, coordinator-managed sessions, preprocessing, and protocol rounds among parties. Campaign-style networked privacy backend diagram showing application clients, coordinator-managed sessions, preprocessing, party mesh communication, and authorized output delivery.

Protocol Architecture

Protocol architecture

Current backend support

BackendPurposeDeveloper selector
HoneyBadgerMPCDefault asynchronous/robust backend for field-compatible secret application values.honeybadger / MpcBackend::HoneyBadger
AVSSAVSS backend for verifiable scalar shares, public commitments, and curve-compatible outputs.avss, avss:<curve> / MpcBackend::Avss { curve }
Both backends use the same high-level Stoffel application model, but they are not interchangeable at the cryptographic layer. HoneyBadgerMPC is field-arithmetic oriented. AVSS is group/scalar oriented and is the backend to use when the output boundary needs public commitments, curve-encoded values, or scalar responses that match an external verifier.

Integration points

Stoffel VM

  • Secret register operations map to backend share operations.
  • Clear-to-secret transitions create backend share data.
  • Reveal/open operations reconstruct values through the selected backend.
  • Share.random, Share.open, Share.get_commitment, and Mpc.* builtins route through backend capabilities.

CLI and bytecode

  • Stoffel.toml stores [mpc] backend, optional curve, parties, and threshold.
  • CLI flags such as --backend, --field, --parties, and --threshold override project settings.
  • .stflb bytecode records backend and curve/field metadata so execution can validate the runtime configuration.

Rust SDK

  • MpcConfig::builder() configures parties, threshold, instance ID, and backend.
  • Program builders accept .backend(...) and .curve(...).
  • NetworkDeployment and off-chain client configs carry backend selection into generated network/client TOML.

Security model

Each backend has its own threat model and assumptions. Do not treat “MPC backend” as a single security claim.
BackendSecurity posture
HoneyBadgerMPCAsynchronous, Byzantine-robust, field-based MPC for private computation over application values. Use it when the output boundary is an opened result or client-output shares.
AVSSAsynchronous verifiable secret sharing with Feldman-style commitments. Use it when public commitments, curve-encoded values, or scalar responses are part of the verifier-facing protocol boundary.
Current Stoffel local/network config validates:
Use five parties and threshold one for local development unless you are intentionally testing a larger topology.

Data protection flow

  • Inputs become secret shares through ClientStore or direct secret-value paths.
  • Computation proceeds over backend share data.
  • Intermediate secret values remain secret unless the program opens/reveals them.
  • Outputs are returned, opened, or sent to client slots only where the program explicitly does so.

Performance considerations

Operation shapeNotes
Local share arithmeticAddition, subtraction, and scalar operations are usually cheap.
Secret multiplicationRequires backend protocol work and preprocessing.
Opening/revealRequires reconstruction from enough parties.
Comparisons and bit-heavy logicMore expensive than field arithmetic because they lower into additional share operations.
Curve/commitment workflowsUse AVSS when the output boundary needs public commitments, curve-encoded values, or opened scalar responses.

See also