Skip to main content
Stoffel separates application code from the MPC protocol used to run it. The selected backend determines how secret values are shared, computed over, and reconstructed across MPC parties. Stoffel currently supports two asynchronous, robust MPC backend families:
BackendSelectorUse whenMain design lens
HoneyBadgerMPChoneybadgerYour program is mostly private field arithmetic over application values.Circuit shape: multiplication count, multiplication depth, type choices, reveals, and preprocessing capacity.
AVSSavss or avss:<curve>Your program needs committed scalar shares, public commitments, curve-compatible outputs, or threshold-cryptography building blocks.Protocol transcript: curve selection, commitments, transcript-to-field boundaries, openings, and verifier-facing artifacts.
Both backends are designed for asynchronous/robust settings: parties do not rely on a fixed network round clock, and the run can tolerate Byzantine parties up to the configured threshold. The backend choice determines which share representation, curve/field, preprocessing, and client I/O path Stoffel records in the bytecode manifest.
mpc-protocols has received an external audit from Zellic. Audit scope matters: validate the specific protocol version, integration code, deployment configuration, and threat model you rely on. Other Stoffel components have also had AI-assisted security review, including tools such as veria.dev. Treat audit and review coverage as component-scoped when evaluating a deployment.

Choose by workload shape

Start from the shape of the secret work, not the name of the application. MPC privacy flow showing private inputs split into shares, computation across MPC parties, and explicit output reconstruction. Select AVSS with the default curve: Campaign-style networked privacy backend diagram showing how clients, the coordinator, preprocessing, and VM parties fit together for MPC execution.

Overview

HoneyBadger is an asynchronous Byzantine fault-tolerant (BFT) MPC protocol that:
  • Tolerates malicious parties: Up to t parties can be actively malicious
  • Works asynchronously: No timing assumptions required
  • Provides guaranteed output delivery: Honest parties always get results

Security Guarantees

PropertyDescription
PrivacyNo coalition of ≤t parties learns anything about honest inputs
CorrectnessOutput is always the correct result of the computation
Guaranteed OutputHonest parties always receive their outputs
FairnessEither all honest parties get output, or none do

Configuration Constraints

The number of parties n and threshold t must satisfy:
Select AVSS with a specific curve:
You can also keep backend = "avss" and set the curve separately:
Accepted curve names include bls12_381, bn254, curve25519, ed25519, secp256k1, and p-256.

Select a backend from the CLI

stoffel check, stoffel compile, stoffel build, stoffel run, and stoffel dev accept the same backend/field overrides when they compile source or project settings.

Select a backend from Rust

On program builders, use .backend(...) or .curve(...):
Generated manifests can carry the bytecode backend and curve into SDK builders, so app code does not need to duplicate backend literals by hand.

Current topology constraints

Stoffel validates local and network MPC configs with the current robust-MPC threshold rule:
That means the common developer default is five parties with threshold one. The reconstruction shape differs by backend:
BackendReconstruction shape
HoneyBadgerMPCUses robust field-share reconstruction; current SDK summaries report 2 * threshold + 1 reconstruction shares.
AVSSUses Feldman-style share reconstruction; current SDK summaries report threshold + 1 reconstruction shares.
The protocol literature often describes asynchronous Byzantine thresholds in terms of n >= 3t + 1. Stoffel’s current configuration layer enforces the stricter 4t + 1 rule because the implemented local/network path includes preprocessing and robust execution requirements.

Further reading