PRIVATE.ME PLATFORM

xCompute: Computation on Threshold Shares

Evaluate Boolean and arithmetic circuits directly on XorIDA threshold shares without reconstruction. XOR gates are FREE via GF(2) linearity. AND gates use Beaver triples. Arithmetic operations extend to sums, products, and comparisons over finite fields. Plaintext never exists at any single node.

Platform / MPC COMING SOON XorIDA Powered

Section 01

The Problem

Every privacy-preserving system that needs to compute on sensitive data faces the same dilemma: reconstruct the plaintext (destroying privacy) or use heavyweight MPC protocols (destroying performance).

Traditional multi-party computation (MPC) protocols like garbled circuits and oblivious transfer achieve privacy but impose massive communication overhead — often 100–1000x the input size. They treat every operation as equally expensive, requiring multiple communication rounds for each gate.

XorIDA already splits data into information-theoretically secure shares. But until now, to compute on that data, you had to reconstruct it first — collapsing security back to a single point. The data was private at rest but exposed at compute time.

This gap locks out four massive markets: fraud matching (insurance), ad attribution (ad-tech), credit scoring (finance), and federated learning (AI/ML). Combined TAM: $2,082B.

The Old Way

Section 02

The PRIVATE.ME Solution

xCompute evaluates Boolean circuits directly on XorIDA threshold shares. XOR operations are completely free — zero communication, zero overhead — because XorIDA shares are additive over GF(2). AND operations use Beaver triples with one communication round each.

The key insight: XOR of shares equals shares of XOR. This is not an approximation — it is a mathematical identity guaranteed by GF(2) linearity. Any computation expressible as a Boolean circuit (XOR, AND, NOT gates) can run on split data without ever reconstructing the plaintext.

For many practical computations (equality checks, parity, checksums, error detection), the circuit is 100% XOR gates. These computations are literally free — each party evaluates locally with no communication. AND gates, needed for operations like comparison and multiplication, use pre-generated Beaver triples that mask the inputs before any values are revealed.

The New Way

Section 03

How It Works

xCompute converts XorIDA threshold shares into per-bit additive shares, evaluates Boolean circuits gate-by-gate, and re-shares the result back into fresh XorIDA threshold shares.

Key Insight

XOR of shares = shares of XOR. This is the mathematical identity that makes xCompute possible. For any function expressible as XOR gates alone, computation is completely free — each party evaluates locally with zero communication. AND gates require one Beaver triple and one communication round each, but the inputs remain masked throughout.

Section 04

Three Computation Classes

Not all computations are created equal. xCompute categorizes operations into three classes based on their communication cost.

Class	Gates	Communication	Cost	Examples
Class 1: FREE	XOR, NOT only	Zero	0 rounds	Equality check, parity, XOR aggregate, error detection
Class 2: Linear	AND + XOR/NOT	1 round per AND gate	O(AND gates)	Comparison, pattern matching, range check
Class 3: Hybrid	Mixed circuits	Circuit-dependent	O(depth)	Fraud matching, credit scoring, ML inference

Why This Matters

Traditional MPC treats XOR and AND gates identically. xCompute exploits XorIDA's GF(2) structure to make XOR gates literally free. For many real-world computations (equality, parity, checksums), the entire computation is Class 1 — zero communication overhead.

FREE

XOR gate cost

Round per AND gate

Plaintext exposure

GF(2)

Algebraic basis

Section 05

Use Cases

Insurance

Fraud Detection on Split Claims

Run pattern-matching circuits on Xcheck claim shares. Detect duplicate claims across insurers without any party seeing the full claim data.

Xcheck + xCompute

Computation Licensing (Anti-Piracy)

Per-Participant MPC Licensing

License MPC computations per participant identity. Circuit execution requires cryptographic proof that all parties hold valid licenses. Prevents unauthorized computation sharing and resale. Revenue assurance for MPC-as-a-service vendors.

Licensed Computation

Finance

Credit Scoring on Split Data

Evaluate creditworthiness across split bureau data. No single entity sees the complete credit profile. Comparison circuits enable threshold decisions.

Xscore + xCompute

AI/ML

Federated Learning Gradients

Aggregate model gradients on split shares. XOR aggregation is Class 1 (FREE). No participant sees aggregate gradients until threshold reconstruction.

Xlearn + xCompute

Database

Encrypted SQL Queries

Execute SQL aggregations (SUM, COUNT, AVG) and join operations on XorIDA-split database records. No single party sees plaintext data. Multi-party search without revealing query patterns.

Xstore + xCompute

Section 06

Integration

Build a Circuit

import { CircuitBuilder, buildEqualityCircuit } from '@private.me/xcompute';

// Pre-built: 8-bit equality check (Class 1 — FREE, zero AND gates)
const eqCircuit = buildEqualityCircuit(8);

// Custom: build any Boolean circuit
const builder = new CircuitBuilder();
const a = builder.addInput('a');
const b = builder.addInput('b');
const xored = builder.addXor(a, b);   // FREE — no communication
const masked = builder.addAnd(xored, a); // 1 Beaver triple
builder.addOutput(masked);
const circuit = builder.build();

Run Computation on Shares

import { simulateComputation, generatePool } from '@private.me/xcompute';

// Generate Beaver triples for AND gates
const triples = generatePool(circuit.andGateCount, 1);

// Input bits: party contributions
const inputs = new Map<number, number>();
inputs.set(0, 1); // wire 0 = 1
inputs.set(1, 0); // wire 1 = 0

// Evaluate circuit on shares — plaintext never assembled
const result = simulateComputation(circuit, inputs, 3, triples);
// result.ok === true, result.value = output bits

CircuitBuilder — build(): Circuit

Fluent builder for Boolean circuits. Chain addInput(), addXor(), addAnd(), addNot(), addOutput() calls. build() validates the DAG and returns a frozen Circuit with gate count metadata.

buildEqualityCircuit(bitWidth: number): Circuit

Pre-built equality circuit. XNOR per bit pair + AND-tree reduction. Class 1 for the XNOR phase (FREE), N-1 AND gates for the tree. Returns true if all input bit pairs are equal.

buildXorAggregateCircuit(bitWidth: number, inputCount: number): Circuit

Aggregate multiple inputs via XOR. 100% Class 1 — zero AND gates, zero communication. Ideal for parity checks, error detection, and federated gradient aggregation.

simulateComputation(circuit, inputBits, partyCount, beaverTriples): Result<Map, Error>

Evaluate a Boolean circuit on additive shares across N simulated parties. XOR gates evaluated locally. AND gates use the full Beaver triple protocol with masked value exchange.

thresholdToAdditive(share, wireOffset): Result<AdditiveShare[], Error>

Convert a XorIDA threshold share into per-bit additive shares. The XOR of corresponding bits across all parties equals the original plaintext bit — guaranteed by GF(2) linearity.

additiveToThreshold(partyOutputs, n, k): Promise<Result<ThresholdShare[], Error>>

Convert additive output shares back to fresh XorIDA threshold shares. XORs all party outputs, pads to block size, and re-splits with fresh randomness to decorrelate input and output shares.

Section 07

Security Properties

Property	Mechanism	Guarantee
Input Privacy	XorIDA threshold shares	Information-theoretic
Computation Privacy	Additive share evaluation	No single-party view
AND Gate Security	Beaver triple masking	Inputs never revealed
Output Decorrelation	Fresh XorIDA re-sharing	I/O unlinkable
Integrity	HMAC-SHA256 per share	Tamper-evident
Quantum Resistance	GF(2) operations, no keys	Unconditional security

Rounds for XOR gates

Round per AND gate

Plaintext exposure

256-bit

HMAC integrity

Section 08

Arithmetic MPC

Beyond Boolean: arithmetic operations on shares over finite fields. Addition is free. Multiplication uses Beaver triples over arithmetic fields. Comparison protocols enable threshold decisions on private data.

Sections 01–07 cover Boolean circuits — XOR/AND/NOT gates over GF(2). Many real-world applications require arithmetic operations: summing encrypted salaries, averaging insurance claims, computing portfolio risk. xCompute v0.2.0 extends the computation model to arithmetic fields.

Arithmetic Share Model

Instead of per-bit additive shares over GF(2), arithmetic MPC operates on additive shares over a prime field F_p. Each party holds a share x_i such that x = x_1 + x_2 + ... + x_n (mod p). The plaintext value x never exists at any single party.

Three Arithmetic Operations

Operation	Protocol	Communication	Cost
Addition	Local add of shares	Zero	FREE
Scalar Multiply	Local multiply by constant	Zero	FREE
Multiplication	Beaver triple over F_p	1 round	O(1) per gate

Addition is free — each party adds their shares locally: (x_1 + y_1), (x_2 + y_2), ..., (x_n + y_n). The sum of the result shares equals x + y mod p. Zero communication, zero overhead. This is the arithmetic analog of XOR being free over GF(2).

Multiplication uses Beaver triples over the arithmetic field. Pre-generated triples (a, b, c) where c = a × b mod p mask the inputs before any values are exchanged. One communication round per multiplication gate. The masked values reveal nothing about the actual inputs.

Comparison protocols convert arithmetic shares to bit-decomposed form, apply Boolean comparison circuits, and return a Boolean result share. This enables threshold decisions (e.g., “is the sum greater than X?”) without revealing the actual values.

T2A Conversion for Arithmetic Fields

XorIDA threshold shares (GF(2) based) are converted to arithmetic additive shares over F_p via a Threshold-to-Arithmetic (T2A) protocol. Each party reconstructs a chunk of the threshold share locally and converts to a field element. The conversion preserves the threshold security guarantee — fewer than K parties learn nothing.

Finance & Insurance Use Cases

Arithmetic MPC unlocks the markets that Boolean circuits cannot efficiently serve. Sum of encrypted salaries for compensation benchmarking. Average insurance claims for cross-insurer fraud detection. Portfolio risk aggregation across custodians. All computed without any party seeing the underlying values.

Arithmetic Circuit Example

import { ArithmeticCircuitBuilder } from '@private.me/xcompute';

// Build arithmetic circuit: weighted sum
const builder = new ArithmeticCircuitBuilder({ prime: 2n ** 61n - 1n });
const salary1 = builder.addInput('salary_1');
const salary2 = builder.addInput('salary_2');
const weight  = builder.addConstant(500n);

// Addition: FREE — zero communication
const sum = builder.addGate(salary1, salary2);

// Multiplication: 1 Beaver triple, 1 round
const weighted = builder.mulGate(sum, weight);

// Comparison: is weighted sum > threshold?
const above = builder.compareGate(weighted, builder.addConstant(100000n));
builder.addOutput(above);

const circuit = builder.build();
// circuit.addGateCount === 1, circuit.mulGateCount === 1

ArithmeticCircuitBuilder(opts: { prime: bigint })

Builder for arithmetic circuits over a prime field F_p. Supports addGate() (FREE), mulGate() (Beaver triple), compareGate() (bit-decomposition + Boolean comparison), and addConstant() for public values.

thresholdToArithmetic(share, fieldPrime): Result<ArithmeticShare[], Error>

Convert a XorIDA threshold share into per-element arithmetic additive shares over F_p. The sum of corresponding elements across all parties equals the original value mod p.

FREE

Addition cost

Round per multiply

F_p

Arithmetic field

Plaintext exposure

Section 09

Enhanced Identity with Xid

xCompute can optionally integrate with Xid to enable unlinkable MPC participant identity — verifiable within each computation session, but uncorrelatable across different computations, parties, or time.

Three Identity Modes

Basic (Default)

Static Participant DIDs

One DID per MPC participant, persistent across all computation sessions. Simple, but linkable — same identity can be tracked across different computations, share distributions, and time.

Current xCompute behavior

xCompute+ (With Xid)

Ephemeral Per-Computation Participant DIDs

Each MPC session gets unique participant DIDs derived from XorIDA-split master seeds. DIDs are unlinkable across computations and rotate per epoch. Verifiable within session context, but cross-session correlation is impossible. ~50µs overhead per participant.

Unlinkable MPC participation

xCompute Enterprise

K-of-N High-Assurance MPC Participation

Require 3-of-5 signals (biometric + device TPM + location + time + YubiKey) to generate participant DIDs. IAL2/3 assurance levels for financial computations, classified analytics, or regulatory reporting. Continuous refresh ensures only authorized parties can participate.

IAL2/3 compliance

How Ephemeral MPC Participation Works

MPC Workflow (xCompute+ with Xid)

// Initialize xCompute with Xid integration
import { XComputeEngine } from '@private.me/xcompute-cli';
import { XidClient } from '@private.me/xid';

const xid = new XidClient({ mode: 'ephemeral' });
const engine = new XComputeEngine({ identityProvider: xid });

// Each computation derives unlinkable participant DID automatically
const result = await engine.secureCompute({
  circuit: addSalaries,
  myShare: encryptedSalary
});
  → [xCompute] Deriving ephemeral DID from master seed...
  → [xCompute] DID: did:key:z6MkD... (unique to this session + circuit + epoch)
  → [xCompute] Participant authenticated (~50µs)
  → [xCompute] Key purged (<1ms exposure)

// Session is logged with unlinkable participant DID
// Verification works within session, but cross-session correlation fails

Integration Pattern

xCompute+ is not a new ACI — it's an integration of two existing ACIs (xCompute + Xid). This demonstrates ACI composability — building blocks combine to create enhanced capabilities without requiring new primitives.

See the Xid white paper for details on ephemeral identity primitives and K-of-N convergence.

Market Positioning

Industry	Use Case	Compliance Driver
Finance	Regulatory reporting with unlinkable bank participation	GLBA, SOX, Basel III, MiFID II
Healthcare	Multi-hospital analytics with HIPAA-compliant unlinkability	HIPAA, 42 CFR Part 2, HITECH
Government	Multi-agency classified computations with unlinkable agency identity	FISMA, CJIS, FedRAMP, Zero Trust
EU Compliance	GDPR-compliant multi-party analytics, unlinkable participation logs	eIDAS 2.0 ARF, DORA, GDPR Art. 5

Key Benefits

Cross-session unlinkability — Can't track participants across different computations
Per-circuit derivation — Same party has different DIDs for different circuit types
Epoch rotation — DIDs automatically rotate daily/weekly/monthly
Split-protected derivation — Master seed is XorIDA-split, never reconstructed
eIDAS 2.0 ARF compliance — Meets EU unlinkability requirements for MPC
GDPR data minimization — MPC logs contain minimal linkable identifiers

Section 10

Database Operations

Execute SQL queries and database operations on XorIDA-split datasets without exposing plaintext to any single party. Multi-party computation enables encrypted search, aggregations, and joins while maintaining information-theoretic security.

Encrypted Query Execution

Traditional database queries require plaintext access to data. xCompute enables SQL operations on split shares where no single database instance sees the complete record. Queries execute via MPC circuits that combine shares to produce results without reconstructing sensitive fields.

Split-Data Aggregation (SUM on Encrypted Values)

import { CircuitBuilder, evaluateCircuit } from '@private.me/xcompute';

// Build 32-bit addition circuit for SUM aggregation
const builder = new CircuitBuilder();
const sumCircuit = builder.buildAdderCircuit(32);  // 32-bit integer addition

// Each party holds XorIDA shares of salary data
// Party 1: share[0] of each salary record
// Party 2: share[1] of each salary record
// Party 3: share[2] of each salary record

// Execute MPC aggregation circuit
const result = await evaluateCircuit(sumCircuit, salaryShares, {
  partyCount: 3,
  beaverTriples: precomputedTriples,
  onProgress: (p) => console.log(`Summing record ${p.gateIndex}/${p.totalGates}`)
});

// Result is the sum — no party saw individual salaries
console.log(`Total payroll: $${result.reconstructed}`);

Multi-Party Database Search

Execute search queries across split datasets where search patterns remain hidden from individual database parties. Equality and range comparison circuits enable WHERE clause evaluation without exposing query predicates or intermediate results.

Private Search (Equality Circuit)

import { buildEqualityCircuit } from '@private.me/xcompute';

// Search for patient ID without revealing the ID to database hosts
const searchCircuit = buildEqualityCircuit(64);  // 64-bit patient ID

// Query: SELECT * FROM patients WHERE patient_id = ?
// Search value is XorIDA-split across 3 database parties
const matches = [];
for (const recordShares of databaseShares) {
  const isMatch = await evaluateCircuit(searchCircuit, {
    searchValue: targetPatientIdShares,
    recordValue: recordShares
  }, { partyCount: 3 });

  if (isMatch.output === 1) matches.push(recordShares);
}

// matches[] contains XorIDA shares of matching records
// No party learned which patient_id was queried

Join Operations on Split Datasets

Perform SQL JOIN operations between tables split across different parties. Equality circuits enable join key matching without exposing foreign key relationships to individual database hosts. Useful for federated analytics where organizations share datasets without revealing complete records.

JOIN EXAMPLE

Multi-Party Clinical Trial: Hospital A holds patient demographics (XorIDA-split). Lab B holds test results (XorIDA-split). Research institution C coordinates the join on patient_id without seeing the full dataset from either party. Join circuit matches patient records across institutions while preserving privacy.

Aggregation Queries

SQL aggregation functions (COUNT, SUM, AVG, MIN, MAX) execute as MPC circuits. Addition circuits handle SUM and COUNT. Comparison circuits enable MIN/MAX via tournament-style evaluation. AVG combines SUM and COUNT circuits.

SQL Operation	Circuit Type	Communication Rounds	Typical Latency
COUNT(*)	XOR accumulator (Class 1)	0 (local)	<1ms per 1000 records
SUM(field)	32-bit adder cascade	5 per addition	~50ms per 1000 records
AVG(field)	SUM + COUNT + division	6 per record	~60ms per 1000 records
MIN/MAX(field)	Comparison tournament	log₂(N) rounds	~10ms per 1000 records
WHERE field = value	64-bit equality	1 per record	~10ms per 1000 records
JOIN ON key	Equality + reconstruction	1 per match candidate	~15ms per 1000 records

Compliance and Regulatory Benefits

Multi-party database operations address data protection requirements where plaintext database access violates regulatory constraints.

HEALTHCARE

HIPAA Minimum Necessary

Query protected health information (PHI) without exposing complete patient records to database administrators. Circuit-based queries enforce minimum necessary access at the cryptographic layer.

45 CFR § 164.502(b)

️

EUROPEAN UNION

GDPR Data Minimization

Execute analytics queries on personal data without granting full database access. MPC ensures processors see only aggregate results, not individual records, satisfying Article 32 processing requirements.

GDPR Article 32

FINANCIAL

Cross-Institution Analytics

Banks perform joint fraud detection queries without exposing complete customer transaction histories. Aggregation circuits produce risk scores without revealing sensitive account details.

SOX / FINRA / GLBA

CLINICAL RESEARCH

Federated Database Queries

Research networks query distributed clinical databases without centralizing patient data. MPC circuits enable multi-site cohort analysis while maintaining data sovereignty at each institution.

21 CFR Part 11 / ICH E6

PERFORMANCE CONSIDERATION

Database operations on XorIDA-split data trade throughput for privacy. MPC circuits introduce ~10-100x overhead compared to plaintext SQL queries. This is acceptable when regulatory constraints prohibit plaintext database access or when cross-organization analytics require privacy preservation. For high-throughput workloads (>10K queries/second), consider hybrid architectures where only sensitive fields are split while non-sensitive metadata remains in plaintext indexes.

Section 11

Developer Experience

Enterprise-grade error handling, progress tracking, and debugging tools. xCompute provides detailed feedback at every stage of multi-party computation with 24 categorized error codes and per-gate progress updates.

Progress Callbacks

Long-running MPC operations support real-time progress tracking via callback hooks. Monitor circuit evaluation gate-by-gate, track Beaver triple consumption, and observe share distribution across parties.

Circuit Evaluation with Progress Tracking

import { evaluateCircuit, CircuitBuilder } from '@private.me/xcompute';

// Build a 64-bit comparison circuit (63 AND gates)
const circuit = builder.buildComparisonCircuit(64);

// Evaluate with progress callback
const result = await evaluateCircuit(circuit, inputs, {
  partyCount: 3,
  beaverTriples: triples,
  onProgress: (progress) => {
    console.log(`Gate ${progress.gateIndex}/${progress.totalGates}`);
    console.log(`Type: ${progress.gateType}`);          // "xor" | "and" | "not"
    console.log(`Triples used: ${progress.triplesConsumed}`);
    console.log(`Completion: ${progress.percentComplete}%`);
  }
});

// Output example:
//   Gate 1/63 (Type: and, Triples: 1, Completion: 1.6%)
//   Gate 32/63 (Type: and, Triples: 32, Completion: 50.8%)
//   Gate 63/63 (Type: and, Triples: 63, Completion: 100%)

Simulation Progress with Party Visibility

import { simulateComputation } from '@private.me/xcompute';

const result = await simulateComputation(circuit, inputs, 3, triples, {
  onProgress: (progress) => {
    // Per-party computation state
    progress.parties.forEach((party, idx) => {
      console.log(`Party ${idx}: wire ${party.currentWire}, ${party.communicationRounds} rounds`);
    });
  },
  onRoundComplete: (roundInfo) => {
    console.log(`Round ${roundInfo.roundNumber}: ${roundInfo.gatesEvaluated} gates`);
    console.log(`Bandwidth: ${roundInfo.bytesExchanged} bytes`);
  }
});

Comprehensive Error Codes

xCompute defines 24 error codes across 5 categories for precise debugging and automated error recovery in production MPC systems. Each error includes actionable remediation guidance.

Code	Description	Remediation
Configuration Errors (E1xxx)
`E1001`	INVALID_PARTY_COUNT	Must be 2-7 parties. Current implementation supports 2-3.
`E1002`	INVALID_THRESHOLD	Threshold K must satisfy 2 ≤ K ≤ N. Recommended: K = ceil(N/2) + 1.
`E1003`	FIELD_PRIME_TOO_SMALL	Arithmetic field prime must be > 2^31. Use 2^61-1 for standard operations.
`E1004`	UNSUPPORTED_GATE_TYPE	Unknown gate type in circuit. Supported: XOR, AND, NOT, ADD, MUL.
Circuit Errors (E2xxx)
`E2001`	CIRCUIT_TOO_LARGE	Circuit exceeds 10,000 gates. Reduce gate count or split into subcircuits.
`E2002`	CIRCUIT_CYCLE_DETECTED	Circuit contains dependency cycle. DAG validation failed. Check wire ordering.
`E2003`	MISSING_INPUT_WIRE	Gate references undefined input wire. Verify all inputs are declared.
`E2004`	OUTPUT_WIRE_CONFLICT	Multiple gates write to same output wire. Each wire must have unique source.
`E2005`	CIRCUIT_DEPTH_EXCEEDED	Circuit depth > 100 layers. High latency expected. Consider parallelization.
Share Errors (E3xxx)
`E3001`	SHARE_MISMATCH	Parties have incompatible share indices. Ensure all parties use same circuit + inputs.
`E3002`	HMAC_VERIFICATION_FAILED	Share integrity check failed. Share may be corrupted or tampered. Reject and retry.
`E3003`	SHARE_SIZE_OVERFLOW	Input share exceeds 1MB. Consider chunking or increasing share size limit.
`E3004`	INSUFFICIENT_SHARES	Received M < K shares. Need at least K shares to reconstruct. Wait for more parties.
`E3005`	DUPLICATE_SHARE_INDEX	Multiple shares with same index. Each party must have unique index 1..N.
Computation Errors (E4xxx)
`E4001`	BEAVER_POOL_EXHAUSTED	Not enough Beaver triples for AND gates. Pre-generate more triples or reduce circuit size.
`E4002`	BEAVER_TRIPLE_INVALID	Triple failed (c = a ∧ b) check. Regenerate Beaver pool with fresh randomness.
`E4003`	PARTY_TIMEOUT	Party did not respond within 30s. Check network connectivity or increase timeout.
`E4004`	COMMUNICATION_FAILURE	Failed to exchange masked values. Network partition or party offline. Retry round.
`E4005`	ARITHMETIC_OVERFLOW	Value exceeds field prime during arithmetic MPC. Use larger field or reduce inputs.
`E4006`	DIVISION_BY_ZERO	Attempted division/modulo by zero in arithmetic circuit. Check input validation.
Reconstruction Errors (E5xxx)
`E5001`	RECONSTRUCTION_MISMATCH	Reconstructed value inconsistent across parties. Possible cheating or corruption.
`E5002`	OUTPUT_SIZE_UNEXPECTED	Reconstructed output size ≠ expected. Circuit may have undefined outputs.
`E5003`	T2A_CONVERSION_FAILED	Threshold-to-additive conversion failed. Check share indices and party alignment.
`E5004`	A2T_RESHARE_FAILED	Additive-to-threshold re-sharing failed. Insufficient randomness or party dropout.

Error Handling Best Practices

All error codes include structured context: failing gate index, party IDs, wire values (if safe to log), and retry hints. Wrap evaluateCircuit() and simulateComputation() in try-catch and match error codes for automated recovery. E3xxx/E4xxx errors are often transient (network issues, timeouts) — retry with exponential backoff. E2xxx errors are circuit bugs — fail fast and log for developer fix.

MPC Circuit Evaluation Example

Complete end-to-end workflow for multi-party computation with error handling, progress tracking, and result verification.

Enterprise MPC: Privacy-Preserving Credit Scoring

import {
  CircuitBuilder,
  evaluateCircuit,
  generateBeaverPool,
  thresholdToAdditive,
  additiveToThreshold
} from '@private.me/xcompute';

// Three credit bureaus (Equifax, Experian, TransUnion) compute aggregate
// credit score WITHOUT any bureau seeing the other bureaus' data.

// 1. Build circuit: weighted average of 3 scores
const builder = new CircuitBuilder({ arithmeticField: 2n ** 61n - 1n });

const score1 = builder.addInput('bureau_1_score', 16); // 16-bit integer
const score2 = builder.addInput('bureau_2_score', 16);
const score3 = builder.addInput('bureau_3_score', 16);

// Weights: 40%, 35%, 25%
const w1 = builder.addConstant(40n);
const w2 = builder.addConstant(35n);
const w3 = builder.addConstant(25n);

// Multiplication gates (each requires 1 Beaver triple)
const weighted1 = builder.mulGate(score1, w1);
const weighted2 = builder.mulGate(score2, w2);
const weighted3 = builder.mulGate(score3, w3);

// Addition gates (FREE — local only)
const sum12 = builder.addGate(weighted1, weighted2);
const totalWeighted = builder.addGate(sum12, weighted3);

// Divide by 100 to normalize
const normalizer = builder.addConstant(100n);
const avgScore = builder.divGate(totalWeighted, normalizer);

// Comparison: is avg score > 700 (prime lending threshold)?
const threshold = builder.addConstant(700n);
const isPrime = builder.compareGate(avgScore, threshold); // Boolean output

builder.addOutput(avgScore);
builder.addOutput(isPrime);

const circuit = builder.build();
console.log(`Circuit: ${circuit.mulGateCount} MUL gates, ${circuit.addGateCount} ADD gates`);

// 2. Generate Beaver triples (offline phase, pre-computation)
const triples = generateBeaverPool(circuit.mulGateCount, 3);
console.log(`Generated ${triples.length} Beaver triples`);

// 3. Each bureau splits their score into XorIDA threshold shares
const bureau1Score = 720; // Equifax's private score
const bureau2Score = 695; // Experian's private score
const bureau3Score = 710; // TransUnion's private score

// Convert to additive shares (T2A)
const shares1 = thresholdToAdditive(bureau1Score, 16);
const shares2 = thresholdToAdditive(bureau2Score, 16);
const shares3 = thresholdToAdditive(bureau3Score, 16);

// 4. Evaluate circuit with progress tracking
const result = await evaluateCircuit(circuit, {
  'bureau_1_score': shares1,
  'bureau_2_score': shares2,
  'bureau_3_score': shares3
}, {
  partyCount: 3,
  beaverTriples: triples,
  onProgress: (p) => {
    console.log(`[${p.percentComplete.toFixed(1)}%] Gate ${p.gateIndex}: ${p.gateType}`);
  },
  onRoundComplete: (r) => {
    console.log(`Round ${r.roundNumber} complete: ${r.bytesExchanged} bytes exchanged`);
  }
}).catch((err) => {
  if (err.code === 'E4001') {
    console.error('BEAVER_POOL_EXHAUSTED: regenerate triples');
  } else if (err.code === 'E3001') {
    console.error('SHARE_MISMATCH: parties have different circuit versions');
  } else {
    console.error(`Computation failed: ${err.message}`);
  }
  throw err;
});

// 5. Reconstruct result (only when all parties agree)
const [avgScoreShares, isPrimeShares] = result.outputs;

// A2T: re-share into fresh XorIDA threshold shares (decorrelates I/O)
const finalAvgScore = await additiveToThreshold(avgScoreShares, 3, 2);
const finalDecision = await additiveToThreshold(isPrimeShares, 3, 2);

console.log(`Aggregate credit score: ${finalAvgScore} (prime lending: ${finalDecision})`);

// Expected output:
//   Aggregate credit score: 710 (prime lending: true)
//   Calculation: (720*40 + 695*35 + 710*25) / 100 = 710.25 → 710
//   NO BUREAU SAW ANY OTHER BUREAU'S RAW SCORE

Error codes

Error categories

Per-gate

Progress tracking

0 bits

Data leakage

Enterprise MPC Use Cases

Finance: Multi-bank fraud detection, cross-institution AML screening, portfolio risk aggregation.
Healthcare: Multi-hospital clinical trial analytics, encrypted patient cohort matching.
Insurance: Cross-insurer claim duplicate detection, actuarial risk modeling on pooled data.
Government: Multi-agency classified analytics, joint intelligence computation without clearance sharing.

All computations produce verifiable audit trails via xProve HMAC-chained integrity proofs.

Section 12

Benchmarks

Performance characteristics measured on Node.js 22, Apple M2. xCompute enables secure multi-party computation with single-digit millisecond latency for basic operations.

Test Cases

~5ms

3-party Basic Op

~10ms

Multiplication

0 bits

Per-party Leakage

Operation	Time	Notes
Share generation (3-party)	<1ms	XorIDA split into 3 computation shares
3-party addition	~5ms	Local XOR operation, no communication
3-party multiplication	~10ms	Beaver triple protocol, 1 round of communication
3-party comparison	~15ms	Bit-decomposition + comparison circuit
Beaver triple generation	~3ms	Pre-computed, amortized across operations
Result reconstruction	<1ms	HMAC verify + XOR combine
HMAC verification per share	<0.1ms	Integrity check before every operation
Full computation pipeline	~20ms	Share → compute (add + multiply) → verify → reconstruct

MPC Framework Comparison

Property	Shamir MPC	Garbled Circuits	SPDZ	xCompute
Share generation	~50ms	N/A (circuit-based)	~20ms	<1ms
Addition	~1ms	Free	~1ms	~5ms
Multiplication	~50ms	~100ms	~15ms	~10ms
Security model	IT-secure	Computational	IT-secure (with MAC)	IT-secure (XorIDA)
Setup required	Trusted dealer	Circuit compilation	Preprocessing	None

Section 13

Ship Proofs, Not Source

xCompute generates cryptographic proofs of correct execution without exposing proprietary algorithms. Verify integrity using zero-knowledge proofs — no source code required.

XPROVE CRYPTOGRAPHIC PROOF

Download proofs:

Tier 1 HMAC (~0.7KB)
Tier 2 Commit-Reveal (~0.5KB)
Tier 3 IT-MAC (~0.3KB)
Tier 4 KKW ZK (~0.4KB)

Verify proofs online →

Use Cases

️

REGULATORY

FDA / SEC Submissions

Prove algorithm correctness for multi-party computation without exposing trade secrets or IP.

Zero IP Exposure

FINANCIAL

Audit Without Access

External auditors verify MPC on XorIDA shares without accessing source code or production systems.

FINRA / SOX Compliant

️

DEFENSE

Classified Verification

Security clearance holders verify multi-party computation correctness without clearance for source code.

CMMC / NIST Ready

ENTERPRISE

Procurement Due Diligence

Prove security + correctness during RFP evaluation without NDA or code escrow.

No NDA Required

Section 14

Honest Limitations

Five known limitations documented transparently. xCompute optimizes for simplicity and information-theoretic security over generality.

Limitation	Impact	Mitigation
Fixed 3-party model	xCompute currently supports exactly 3 computation parties. Computations requiring more parties need protocol changes.	3-party is sufficient for most MPC use cases (client + server + auditor). N-party extension is planned for future releases.
Honest-but-curious assumption	Parties are assumed to follow the protocol but may try to learn from their view. Active adversaries who deviate from the protocol are not detected.	HMAC verification catches data corruption. For active security, pair with xProve Tier 3 (IT-MAC SPDZ-style) which detects cheating parties.
Multiplication overhead	Each multiplication requires one round of communication between parties (~10ms). Deep circuits with many multiplications accumulate latency linearly.	Beaver triples are pre-computed and batched. Circuit depth optimization reduces sequential multiplications. Addition is free (local XOR).
No floating-point arithmetic	xCompute operates on integer shares over GF(2). Floating-point operations require fixed-point encoding, which loses precision.	Fixed-point encoding with configurable precision (16–64 fractional bits) handles most financial and scientific computations. Results are exact within the chosen precision.
Communication overhead	Each multiplication round requires all 3 parties to exchange messages. Network latency between parties directly impacts computation time.	Co-locate parties in the same region (<5ms RTT). Batch independent multiplications into single rounds. Pre-computation amortizes setup cost.

VERIFIED BY XPROVE

Verifiable Data Protection

Every operation in this ACI produces a verifiable audit trail via xProve. HMAC-chained integrity proofs let auditors confirm that data was split, stored, and reconstructed correctly — without accessing the data itself.

XPROVE AUDIT TRAIL

Every XorIDA split generates HMAC-SHA256 integrity tags. xProve chains these into a tamper-evident audit trail that proves data was handled correctly at every step. Upgrade to zero-knowledge proofs when regulators or counterparties need public verification.

Read the xProve white paper →

FAST ONBOARDING

3 Acceleration Levels

From zero to production-ready MPC in under 90 seconds. Three templates cover every deployment model: local development, serverless edge, and multi-platform production.

Level 1: Node.js TypeScript Starter (~90 seconds)

Complete local MPC development environment with zero configuration. Clone, install, run.

Node.js Starter (packages/xcompute/templates/node-typescript)

# Clone starter template
git clone https://github.com/privateme/xcompute-starter
cd xcompute-starter

# Install and run
pnpm install
pnpm dev

# Output:
#  Data split into 3 threshold shares (2-of-3)
#  Converted to additive shares for computation
#  Built equality circuit: 128 gates, 64 AND gates
#  Computing on split data...
#    Party 1 has share[0]
#    Party 2 has share[1]
#    Party 3 has share[2]
#    NO party sees the plaintext!

What you get:

XorIDA threshold share splitting (2-of-3 default)
Threshold-to-additive conversion for MPC
Equality circuit example (XOR + AND gates)
3-party computation simulation
Performance benchmarks built-in

ZERO CONFIG

No API keys, no invite codes, no setup. The template works locally out of the box. XOR operations are FREE (local computation), AND gates use Beaver triples with simulated communication.

Level 2: Vercel Edge Function (~60 seconds)

Deploy MPC computation as a serverless edge function. Global distribution, automatic scaling, ~100ms cold start.

Vercel Deployment (packages/xcompute/templates/vercel)

# Clone Vercel template
git clone https://github.com/privateme/xcompute-vercel
cd xcompute-vercel

# Deploy to edge
pnpm install
vercel --prod

# API endpoint live in 60 seconds:
# POST https://your-app.vercel.app/api/compute
# Body: { "shares": ["base64...", "base64...", "base64..."], "bits": 64 }

What you get:

REST API for MPC computation
Automatic global edge distribution
Accepts XorIDA shares as base64-encoded JSON
Returns circuit statistics (gates, AND count, latency)
Zero infrastructure management

PRODUCTION READY

Add Beaver triple pool caching (Vercel KV), rate limiting (Edge Config), and HMAC verification for production. Template includes all integration hooks.

Level 3: Multi-Platform Starter (Node + Vercel + Docker)

Production-ready starter with CI/CD, automated testing, and multi-platform deployment. Supports Node.js, Vercel Edge, and Docker containers.

Multi-Platform Starter (packages/xcompute/templates/github-starter)

# Clone multi-platform starter
git clone https://github.com/privateme/xcompute-multi-platform
cd xcompute-multi-platform

# Run locally
pnpm dev:node

# Deploy to Vercel
pnpm dev:vercel

# Build Docker container
docker build -t xcompute -f docker/Dockerfile .
docker run -p 3000:3000 xcompute

What you get:

Three deployment targets (Node/Vercel/Docker)
GitHub Actions CI/CD pipeline (lint, test, build)
Shared circuit builders across platforms
TypeScript strict mode + comprehensive error handling
Production checklist (Beaver pools, HMAC, rate limiting, monitoring)

Platform	Cold Start	Throughput	Best For
Node.js	<1ms	High	Development, server deployments
Vercel Edge	~100ms	Medium	Global API endpoints
Docker	<10ms	High	Enterprise, self-hosted, air-gap

Code Example: Equality Circuit on Shares

All three templates demonstrate this core pattern: split data, convert to additive shares, evaluate circuit without reconstruction.

Xcompute Core Pattern (works in all templates)

import {
  buildEqualityCircuit,
  evaluateCircuit,
  thresholdToAdditive
} from '@private.me/xcompute';
import { split } from '@private.me/crypto';

// 1. Split sensitive data (XorIDA threshold shares)
const data = new TextEncoder().encode('Secret: 42');
const { value: shares } = await split(data, 2, 3);  // 2-of-3 threshold

// 2. Convert to additive shares for MPC
const additiveShares = shares.map((share, idx) =>
  thresholdToAdditive(share, idx + 1, shares.length)
);

// 3. Build circuit (64-bit equality check)
const circuit = buildEqualityCircuit(64);

// 4. Evaluate circuit on shares (NO reconstruction!)
const result = await evaluateCircuit(circuit, additiveShares, {
  partyCount: 3,
  beaverTriples: precomputedPool,  // Pre-generated Beaver triples
  onProgress: (p) => console.log(`Gate ${p.gateIndex}/${p.totalGates}`)
});

//  Result shares distributed - plaintext never existed at any node

Template Comparison

Template	Setup Time	Deployment	Use Case
Node.js TypeScript	~90 sec	Local / Server	Development, testing, learning MPC
Vercel Edge	~60 sec	Serverless	Low-latency APIs, global distribution
Multi-Platform	~2 min	Node/Vercel/Docker	Production, CI/CD, enterprise

NEXT STEPS

After running a template:

Experiment with different circuit sizes (16-bit, 32-bit, 64-bit equality)
Try XOR-only circuits (checksums, parity) - they're FREE
Pre-compute Beaver triple pools for AND gates
Add HMAC verification for production share handling
Deploy to multiple geographic regions for real 3-party MPC

Deployment Options

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Pay per use

View Pricing →

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/xcompute
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

On-Premise Enterprise

Self-hosted infrastructure for air-gapped, compliance, or data residency requirements.

Complete data sovereignty
Air-gap capable
Docker + Kubernetes ready
RBAC + audit logs included

Enterprise CLI →

GET STARTED

Ready to deploy xCompute?

Talk to Ren, our AI sales engineer, or book a live demo with our team.

Book a Demo