> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stoffelmpc.com/llms.txt
> Use this file to discover all available pages before exploring further.

# MPC Backends

> Choose the Stoffel MPC backend that matches your program's secret value representation, cost model, and verifier-facing outputs.

Stoffel separates application code from the MPC protocol used to run it. The selected backend determines how secret values are shared, computed over, and reconstructed across MPC parties.

Stoffel currently supports two asynchronous, robust MPC backend families:

| Backend        | Selector                 | Use when                                                                                                                             | Main design lens                                                                                                            |
| -------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------- |
| HoneyBadgerMPC | `honeybadger`            | Your program is mostly private field arithmetic over application values.                                                             | Circuit shape: multiplication count, multiplication depth, type choices, reveals, and preprocessing capacity.               |
| AVSS           | `avss` or `avss:<curve>` | Your program needs committed scalar shares, public commitments, curve-compatible outputs, or threshold-cryptography building blocks. | Protocol transcript: curve selection, commitments, transcript-to-field boundaries, openings, and verifier-facing artifacts. |

Both backends are designed for asynchronous/robust settings: parties do not rely on a fixed network round clock, and the run can tolerate Byzantine parties up to the configured threshold. The backend choice determines which share representation, curve/field, preprocessing, and client I/O path Stoffel records in the bytecode manifest.

<Note>
  `mpc-protocols` has received an external audit from Zellic. Audit scope matters: validate the specific protocol version, integration code, deployment configuration, and threat model you rely on. Other Stoffel components have also had AI-assisted security review, including tools such as veria.dev. Treat audit and review coverage as component-scoped when evaluating a deployment.
</Note>

## Choose by workload shape

Start from the shape of the secret work, not the name of the application.

<img src="https://mintcdn.com/stoffellabs/WsJVEVCX73RSUEma/images/diagrams/mpc-privacy-flow.svg?fit=max&auto=format&n=WsJVEVCX73RSUEma&q=85&s=96ce1b614b363754700fc51b6425c7d7" alt="MPC privacy flow showing private inputs split into shares, computation across MPC parties, and explicit output reconstruction." width="1200" height="675" data-path="images/diagrams/mpc-privacy-flow.svg" />

Select AVSS with the default curve:

<img src="https://mintcdn.com/stoffellabs/WsJVEVCX73RSUEma/images/campaign/stoffel-networked-privacy-backend.png?fit=max&auto=format&n=WsJVEVCX73RSUEma&q=85&s=ce93340ce44de6b4039ac1c8a2a8bac4" alt="Campaign-style networked privacy backend diagram showing how clients, the coordinator, preprocessing, and VM parties fit together for MPC execution." width="1800" height="1125" data-path="images/campaign/stoffel-networked-privacy-backend.png" />

### Overview

HoneyBadger is an asynchronous Byzantine fault-tolerant (BFT) MPC protocol that:

* **Tolerates malicious parties**: Up to `t` parties can be actively malicious
* **Works asynchronously**: No timing assumptions required
* **Provides guaranteed output delivery**: Honest parties always get results

### Security Guarantees

| Property              | Description                                                    |
| --------------------- | -------------------------------------------------------------- |
| **Privacy**           | No coalition of ≤t parties learns anything about honest inputs |
| **Correctness**       | Output is always the correct result of the computation         |
| **Guaranteed Output** | Honest parties always receive their outputs                    |
| **Fairness**          | Either all honest parties get output, or none do               |

### Configuration Constraints

The number of parties `n` and threshold `t` must satisfy:

```
n >= 3t + 1
```

Select AVSS with a specific curve:

```toml theme={null}
[mpc]
backend = "avss:secp256k1"
parties = 5
threshold = 1
```

You can also keep `backend = "avss"` and set the curve separately:

```toml theme={null}
[mpc]
backend = "avss"
curve = "p-256"
parties = 5
threshold = 1
```

Accepted curve names include `bls12_381`, `bn254`, `curve25519`, `ed25519`, `secp256k1`, and `p-256`.

## Select a backend from the CLI

```bash theme={null}
# Default field-MPC backend
stoffel build --backend honeybadger --parties 5 --threshold 1

# AVSS default curve
stoffel build --backend avss --parties 5 --threshold 1

# AVSS over an elliptic-curve scalar field
stoffel build --backend avss --field secp256k1 --parties 5 --threshold 1

# Equivalent selector form
stoffel build --backend avss:secp256k1 --parties 5 --threshold 1
```

`stoffel check`, `stoffel compile`, `stoffel build`, `stoffel run`, and `stoffel dev` accept the same backend/field overrides when they compile source or project settings.

## Select a backend from Rust

```rust theme={null}
use stoffel::prelude::*;

# fn example() -> stoffel::Result<()> {
let honeybadger = MpcConfig::builder()
    .parties(5)
    .threshold(1)
    .honeybadger()
    .build()?;

let avss = MpcConfig::builder()
    .parties(5)
    .threshold(1)
    .avss(Curve::Secp256k1)
    .build()?;
# Ok(())
# }
```

On program builders, use `.backend(...)` or `.curve(...)`:

```rust theme={null}
# use stoffel::prelude::*;
# async fn example() -> stoffel::Result<()> {
let result = Stoffel::load_file("target/debug/threshold-demo.stflb")?
    .parties(5)
    .threshold(1)
    .backend(MpcBackend::Avss { curve: Curve::Secp256k1 })
    .execute_local()
    .await?;
# Ok(())
# }
```

Generated manifests can carry the bytecode backend and curve into SDK builders, so app code does not need to duplicate backend literals by hand.

## Current topology constraints

Stoffel validates local and network MPC configs with the current robust-MPC threshold rule:

```text theme={null}
parties >= 4 * threshold + 1
```

That means the common developer default is five parties with threshold one. The reconstruction shape differs by backend:

| Backend        | Reconstruction shape                                                                                            |
| -------------- | --------------------------------------------------------------------------------------------------------------- |
| HoneyBadgerMPC | Uses robust field-share reconstruction; current SDK summaries report `2 * threshold + 1` reconstruction shares. |
| AVSS           | Uses Feldman-style share reconstruction; current SDK summaries report `threshold + 1` reconstruction shares.    |

The protocol literature often describes asynchronous Byzantine thresholds in terms of `n >= 3t + 1`. Stoffel's current configuration layer enforces the stricter `4t + 1` rule because the implemented local/network path includes preprocessing and robust execution requirements.

## Further reading

* [Performance and circuit shaping](./performance-and-circuit-shaping)
* [HoneyBadgerMPC](./honeybadger-mpc)
* [AVSS](./avss)
* [How backend selection works](./implementation)
* [CLI overview](../cli/overview)
* [Rust SDK API](../rust-sdk/api)
