Stoffel separates application code from the MPC protocol used to run it. The selected backend determines how secret values are shared, computed over, and reconstructed across MPC parties.
Stoffel currently supports two asynchronous, robust MPC backend families:
| Backend | Selector | Use when | Main design lens |
|---|
| HoneyBadgerMPC | honeybadger | Your program is mostly private field arithmetic over application values. | Circuit shape: multiplication count, multiplication depth, type choices, reveals, and preprocessing capacity. |
| AVSS | avss or avss:<curve> | Your program needs committed scalar shares, public commitments, curve-compatible outputs, or threshold-cryptography building blocks. | Protocol transcript: curve selection, commitments, transcript-to-field boundaries, openings, and verifier-facing artifacts. |
Both backends are designed for asynchronous/robust settings: parties do not rely on a fixed network round clock, and the run can tolerate Byzantine parties up to the configured threshold. The backend choice determines which share representation, curve/field, preprocessing, and client I/O path Stoffel records in the bytecode manifest.
mpc-protocols has received an external audit from Zellic. Audit scope matters: validate the specific protocol version, integration code, deployment configuration, and threat model you rely on. Other Stoffel components have also had AI-assisted security review, including tools such as veria.dev. Treat audit and review coverage as component-scoped when evaluating a deployment.
Choose by workload shape
Start from the shape of the secret work, not the name of the application.
Select AVSS with the default curve:
Overview
HoneyBadger is an asynchronous Byzantine fault-tolerant (BFT) MPC protocol that:
- Tolerates malicious parties: Up to
t parties can be actively malicious
- Works asynchronously: No timing assumptions required
- Provides guaranteed output delivery: Honest parties always get results
Security Guarantees
| Property | Description |
|---|
| Privacy | No coalition of ≤t parties learns anything about honest inputs |
| Correctness | Output is always the correct result of the computation |
| Guaranteed Output | Honest parties always receive their outputs |
| Fairness | Either all honest parties get output, or none do |
Configuration Constraints
The number of parties n and threshold t must satisfy:
Select AVSS with a specific curve:
You can also keep backend = "avss" and set the curve separately:
Accepted curve names include bls12_381, bn254, curve25519, ed25519, secp256k1, and p-256.
Select a backend from the CLI
stoffel check, stoffel compile, stoffel build, stoffel run, and stoffel dev accept the same backend/field overrides when they compile source or project settings.
Select a backend from Rust
On program builders, use .backend(...) or .curve(...):
Generated manifests can carry the bytecode backend and curve into SDK builders, so app code does not need to duplicate backend literals by hand.
Current topology constraints
Stoffel validates local and network MPC configs with the current robust-MPC threshold rule:
That means the common developer default is five parties with threshold one. The reconstruction shape differs by backend:
| Backend | Reconstruction shape |
|---|
| HoneyBadgerMPC | Uses robust field-share reconstruction; current SDK summaries report 2 * threshold + 1 reconstruction shares. |
| AVSS | Uses Feldman-style share reconstruction; current SDK summaries report threshold + 1 reconstruction shares. |
The protocol literature often describes asynchronous Byzantine thresholds in terms of n >= 3t + 1. Stoffel’s current configuration layer enforces the stricter 4t + 1 rule because the implemented local/network path includes preprocessing and robust execution requirements.
Further reading