MPC-Prompt is a proof-of-concept framework that lets multiple mutually distrustful parties jointly run autoregressive (AR) inference on a shared Transformer model using secure multi-party computation (MPC), without revealing their private prompts or the model weights to one another.
```mermaid
flowchart LR
subgraph PartyA["Party A"]
A1[SubmitPrompt]
end
subgraph PartyB["Party B"]
B1[SubmitPrompt]
end
subgraph Coordinator["Coordinator"]
C1[gRPC API]
C2[Scheduler]
C3[Secure Attention]
C4[MPC Matmul]
end
subgraph Enclave["Enclave"]
E1[KMS Decrypt]
E2[mTLS Identity]
end
subgraph TripleSvc["Triple Service"]
T1[Generate Triples]
T2[Sacrifice Checks]
end
PartyA --> C1
PartyB --> C1
C1 --> C2 --> C3 --> C4 --> TripleSvc
Coordinator --> Enclave
```
```mermaid
sequenceDiagram
autonumber
participant A as Party A
participant B as Party B
participant C as Coordinator
participant T as Triple Service
participant E as Enclave/TEE
A->>C: RegisterParty()
B->>C: RegisterParty()
C->>E: Validate attestation & mTLS identity
A->>C: SubmitPrompt()
B->>C: SubmitPrompt()
C->>T: Request Beaver Triples
T-->>C: Triples + Sacrifice Verification
C->>C: Secret-Shared Attention & MLP Step
C->>E: Secure intermediate masking
C-->>A: TokenOutput Stream
C-->>B: TokenOutput Stream
```
This is a research proof of concept. Before any production use it needs additional hardening: side-channel mitigation, attestation policy enforcement, constant-time kernels, and supply-chain controls.
Security design of the PoC:

- Secret sharing and MPC are used for all attention, MLP, and projection computations.
- Secure matrix multiplication uses Beaver triples over SPDZ-style MACed shares.
- The exponential in softmax is evaluated as a fixed-degree Chebyshev (near-minimax) polynomial approximation, so the computation is data-oblivious: no data-dependent branches or table lookups touch secret values.
- All transport is protected with mTLS or WireGuard; enclave identities are bound to their attestation.
- Only the final predicted token is revealed at each step; the KV cache remains secret-shared.
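As an added illustration of the Beaver-triple multiplication over SPDZ-style MACed shares and of the sacrifice checks the Triple Service performs (example code written for this page, not MPC-Prompt's own implementation): a two-party simulation in Python. A trusted `Dealer` class stands in for the Triple Service, the prime field, the two-party setting and all function names are assumptions of the example, and the MAC check is computed centrally for readability.

```python
"""Two-party SPDZ-style shares: Beaver multiplication with MAC checks and a
triple sacrifice check. Constructed example, not MPC-Prompt's own code."""
import secrets

P = 2**61 - 1  # prime field for shares and MACs (assumption of the example)
N = 2          # number of parties


def rnd():
    return secrets.randbelow(P)


class Dealer:
    """Stands in for the Triple Service: knows MAC key alpha = sum(alpha_shares)
    and hands out authenticated shares (a real system runs an offline protocol)."""
    def __init__(self):
        self.alpha_shares = [rnd() for _ in range(N)]
        self.alpha = sum(self.alpha_shares) % P

    def share(self, x):
        """Authenticated sharing: sum(x_i) = x and sum(m_i) = alpha*x (mod P)."""
        x %= P
        xs = [rnd() for _ in range(N - 1)]
        ms = [rnd() for _ in range(N - 1)]
        xs.append((x - sum(xs)) % P)
        ms.append((self.alpha * x - sum(ms)) % P)
        return list(zip(xs, ms))

    def triple(self):
        a, b = rnd(), rnd()
        return self.share(a), self.share(b), self.share(a * b % P)


# Linear operations on (value, mac) pairs: local to each party, no communication.
def add(x, y):
    return [((xi + yi) % P, (mi + ni) % P) for (xi, mi), (yi, ni) in zip(x, y)]

def sub(x, y):
    return [((xi - yi) % P, (mi - ni) % P) for (xi, mi), (yi, ni) in zip(x, y)]

def scale(k, x):
    return [((k * xi) % P, (k * mi) % P) for xi, mi in x]

def add_const(k, x, alpha_shares):
    """Public constant k: party 0 adjusts its value share; every party adds alpha_i*k to its MAC."""
    return [((xi + (k if i == 0 else 0)) % P, (mi + ai * k) % P)
            for i, ((xi, mi), ai) in enumerate(zip(x, alpha_shares))]

def open_checked(x, alpha_shares):
    """Reconstruct v and require sum(m_i - alpha_i*v) == 0 (mod P). The simulation
    sees every alpha_i; the real protocol opens these terms via commitments."""
    v = sum(xi for xi, _ in x) % P
    if sum(mi - ai * v for (_, mi), ai in zip(x, alpha_shares)) % P:
        raise ValueError("MAC check failed: a share was tampered with")
    return v

def beaver_mul(x, y, triple, alpha_shares):
    """z = x*y via triple (a, b, c=a*b): open d=x-a, e=y-b; z = c + d*b + e*a + d*e."""
    a, b, c = triple
    d = open_checked(sub(x, a), alpha_shares)
    e = open_checked(sub(y, b), alpha_shares)
    return add_const(d * e % P, add(c, add(scale(d, b), scale(e, a))), alpha_shares)

def sacrifice_check(t1, t2, alpha_shares):
    """Burn t2 to verify t1 satisfies c = a*b: with public random t, open
    rho = t*a - a', sigma = b - b'; then t*c - c' - sigma*a' - rho*b' - sigma*rho must be 0."""
    (a, b, c), (a2, b2, c2) = t1, t2
    t = rnd()
    rho = open_checked(sub(scale(t, a), a2), alpha_shares)
    sigma = open_checked(sub(b, b2), alpha_shares)
    expr = sub(sub(sub(scale(t, c), c2), scale(sigma, a2)), scale(rho, b2))
    return open_checked(add_const(-sigma * rho % P, expr, alpha_shares), alpha_shares) == 0

def demo_multiply(x, y):
    """Verify a triple, multiply two secret-shared inputs, open the product."""
    dealer = Dealer()
    t1, t2 = dealer.triple(), dealer.triple()
    if not sacrifice_check(t1, t2, dealer.alpha_shares):
        raise ValueError("Triple Service delivered a bad triple")
    return open_checked(beaver_mul(dealer.share(x), dealer.share(y), t1, dealer.alpha_shares),
                        dealer.alpha_shares)

def demo_bad_triple_detected():
    """c = a*b + 1 carries a valid MAC but fails the sacrifice check."""
    dealer = Dealer()
    a, b, c = dealer.triple()
    return not sacrifice_check((a, b, add_const(1, c, dealer.alpha_shares)),
                               dealer.triple(), dealer.alpha_shares)

def demo_tampered_share_detected():
    """A party that alters its value share without the MAC key is caught on opening."""
    dealer = Dealer()
    x = dealer.share(7)
    x[1] = ((x[1][0] + 1) % P, x[1][1])
    try:
        open_checked(x, dealer.alpha_shares)
        return False
    except ValueError:
        return True
```

Two failure modes are exercised: a triple with a valid MAC but `c != a*b` is rejected by the sacrifice check (except with probability 1/P), and a value share modified by a party that does not know the MAC key fails `open_checked`. In deployment the `sum(m_i - alpha_i*v)` terms are opened through commitments so no party learns another's key share; the sacrifice check consumes one triple per triple verified, which is why the Triple Service keeps a pool.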
Known limitations of the current proof of concept:

- The MPC arithmetic is correct, but the protocol has not been proven secure against malicious (actively cheating) parties.
- Prompts are not padded, so the number of tokens in each prompt leaks.
- Attestation uses placeholder checks; no SEV-SNP/TDX verifier SDK is integrated in the PoC.
- Containers run as non-root users but without full AppArmor/seccomp confinement.
- Timing-uniformity tests exist, but the kernels are not fully constant-time.
Planned hardening work:

- Constant-time C or WASM kernels for all MPC operations.
- Real SEV-SNP/TDX attestation verification, with mTLS identities bound to attestation.
- Differential-privacy noise or padding to hide sequence-length information.
- SLSA-compliant CI, signed container images, and SBOM generation.
- WireGuard key rotation and certificate revocation.
- Encrypted filesystem for the enclave-side model and configuration.
The main tuning knobs exposed in the configuration are:

| Setting | Description |
|---|---|
| tls.enabled | Enable TLS/mTLS on the coordinator's gRPC API |
| fixed_point.scale_bits | Number of fractional bits in the fixed-point encoding of secret-shared values (MPC precision) |
| cheby.deg | Degree of the Chebyshev polynomial approximating the exponential in softmax |
| scheduler.max_context | Maximum length of the secret-shared context the scheduler will accept |
| triple_pool.min_size | Pool size below which the Triple Service regenerates Beaver triples |
| topk | Top-k cutoff for token sampling |
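The following added example (not code from the MPC-Prompt project) shows what fixed_point.scale_bits and cheby.deg trade off, and why the polynomial form of the exponential is data-oblivious: it fits a Chebyshev polynomial to exp on an assumed input range, evaluates it with Clenshaw's recurrence entirely in fixed-point integer arithmetic with no branch or lookup that depends on the input, and measures the error against math.exp. The range [-8, 0] (logits after max-subtraction, clamped at -8), the function names and the plain-shift truncation are assumptions of the example; the real protocol performs the same arithmetic on secret shares, with a truncation protocol in place of the shift.

```python
"""Fixed-point Chebyshev approximation of exp for a secret-shared softmax.
Constructed example, not MPC-Prompt's own code."""
import math

LO, HI = -8.0, 0.0  # assumed input range: logits after max-subtraction, clamped at -8


def chebyshev_coeffs(f, lo, hi, deg):
    """Coefficients c_0..c_deg of f on [lo, hi] from deg+1 Chebyshev nodes, so that
    f(x) ~= c_0/2 + sum_{j>=1} c_j T_j(u), u = (2x - lo - hi) / (hi - lo)."""
    n = deg + 1
    nodes = [math.cos(math.pi * (k + 0.5) / n) for k in range(n)]
    vals = [f(0.5 * (hi - lo) * u + 0.5 * (hi + lo)) for u in nodes]
    return [2.0 / n * sum(vals[k] * math.cos(j * math.pi * (k + 0.5) / n) for k in range(n))
            for j in range(n)]


def to_fixed(v, scale_bits):
    return round(v * (1 << scale_bits))


def from_fixed(v, scale_bits):
    return v / (1 << scale_bits)


def fixed_mul(a, b, scale_bits):
    """Fixed-point product truncated back to scale_bits fractional bits. In MPC this
    truncation is its own (probabilistic) sub-protocol; here it is a plain shift."""
    return (a * b) >> scale_bits


def cheb_eval_fixed(coeffs_f, lo_f, hi_f, x_f, scale_bits):
    """Clenshaw evaluation in fixed point. Every step executes identically for every
    x: no branch or table lookup depends on the secret value."""
    u_f = ((2 * x_f - lo_f - hi_f) << scale_bits) // (hi_f - lo_f)  # public divisor
    two_u_f = 2 * u_f
    b1 = b2 = 0
    for c in reversed(coeffs_f[1:]):            # b_k = c_k + 2u*b_{k+1} - b_{k+2}
        b1, b2 = c + fixed_mul(two_u_f, b1, scale_bits) - b2, b1
    return (coeffs_f[0] >> 1) + fixed_mul(u_f, b1, scale_bits) - b2


def fixed_exp(x, deg, scale_bits):
    """exp(x) for x in [LO, HI], computed with a degree-deg polynomial at scale_bits precision."""
    coeffs_f = [to_fixed(c, scale_bits) for c in chebyshev_coeffs(math.exp, LO, HI, deg)]
    y_f = cheb_eval_fixed(coeffs_f, to_fixed(LO, scale_bits), to_fixed(HI, scale_bits),
                          to_fixed(x, scale_bits), scale_bits)
    return from_fixed(y_f, scale_bits)


def max_abs_error(deg, scale_bits, samples=257):
    """Worst-case error of fixed_exp against math.exp on a grid over [LO, HI]."""
    step = (HI - LO) / (samples - 1)
    return max(abs(fixed_exp(LO + i * step, deg, scale_bits) - math.exp(LO + i * step))
               for i in range(samples))
```

Raising cheby.deg shrinks the approximation error until the fixed-point rounding floor set by fixed_point.scale_bits dominates; lowering scale_bits makes the coefficient rounding and per-multiplication truncation visible in the result. Inputs outside the fitted range are not handled here: the Chebyshev polynomial diverges quickly outside [LO, HI], so the caller has to clamp (in MPC, with a secure comparison) before calling.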
Deployment targets:

- Docker Compose (local simulation)
- AWS Nitro Enclaves (via EIF build)
- OCI Confidential VM
- Kubernetes (future)