Loading...
private.me Docs
Get xProve
PRIVATE.ME · Technical White Paper

Xprove: Verifiable Computation

Prove the answer is right without seeing the question. Generate cryptographic proofs that xCompute evaluations were performed correctly — so regulators, auditors, and counterparties can verify results without re-running the computation or accessing the underlying data.

v0.1.0 128 tests passing 8 modules 5 error codes All 4 tiers + KKW Dual ESM/CJS
Section 01

Executive Summary

xProve bridges the gap between "we computed this privately" and "here is cryptographic proof the computation was honest." Multi-party computation produces answers, but answers without proof require trust. In regulated industries — insurance, healthcare, finance, government — trust is not enough.

Xprove generates cryptographic proofs that xCompute evaluations were performed correctly. The verifier learns that the result is correct — nothing else. No access to the underlying data, shares, or intermediate values. The computation can be verified in logarithmic time without re-execution.

Key insight: XorIDA operates over GF(2), and GF(2) is the native field for binary-tower STARK proofs. This is not a coincidence to be ignored. XOR is free in xCompute (zero communication) and free in the proof system (linear constraint). AND gates are the only non-trivial constraint in both systems. The cost structures align perfectly.

This structural alignment means xProve proofs for xCompute circuits are 10–50x more efficient than encoding the same circuits into prime-field proof systems (which waste 30–255x space per bit).

Section 02

Developer Experience

Xprove provides real-time progress tracking and structured error codes to help developers build reliable, auditable verification systems.

Progress Callbacks

Both prove() and verify() operations support onProgress callbacks for tracking long-running proof generation and verification, especially useful for Tier 4 zero-knowledge proofs.

Progress tracking example
import { prove, verify } from '@private.me/xprove';

// Generate proof with progress tracking
const proofResult = await prove({
  tier: 4,
  circuit,
  witness,
  onProgress: async (event) => {
    switch (event.stage) {
      case 'hashing':
        console.log('Computing commitment tree...');
        break;
      case 'proving':
        console.log(`Generating proof ${event.current}/${event.total}...`);
        break;
      case 'complete':
        console.log('Proof generated successfully');
        break;
    }
  }
});

// Verify with progress tracking
const result = await verify(proofResult.value, {
  onProgress: async (event) => {
    if (event.stage === 'verifying') {
      console.log(`Checking proof constraint ${event.current}...`);
    }
  }
});

Structured Error Handling

Xprove uses a Result<T, E> pattern with detailed error structures. Every error includes a machine-readable code, human-readable message, actionable hint, and documentation URL.

Error detail structure
interface ErrorDetail {
  code: string;         // e.g., 'PROOF_FAILED'
  message: string;      // Human-readable description
  hint?: string;        // Actionable suggestion
  field?: string;       // Field that caused the error
  docs?: string;        // Documentation URL
}

Error Categories

Xprove organizes 5 error codes across distinct verification failure modes:

Code Category When
INVALID_CONFIG Configuration Invalid tier or security parameter
AUDIT_FAILED Tier 1 HMAC chain verification failure
COMMIT_FAILED Tier 2 Beaver triple commitment mismatch
MAC_FAILED Tier 3 IT-MAC verification failure
PROOF_FAILED Tier 4 ZKBoo/KKW proof verification rejection
Section 03

The Problem

xCompute produces answers. But answers without proof require trust. In regulated industries, trust is not enough.

Multi-party computation lets organizations compute on private data without revealing it. But the output arrives with a fundamental question: how do you know the computation was done correctly?

Today, the participants must either trust each other, trust the compute infrastructure, or re-run the computation themselves (which defeats the purpose of delegation). In regulated industries — insurance, healthcare, finance, government — a third party (regulator, auditor, court) needs assurance that the result is correct, without accessing the underlying data.

This is the verifiable computation gap: the space between "we computed this privately" and "here is cryptographic proof the computation was honest."

Without xProve

xCompute MPC on shares Correct result Auditor "Trust us" No proof ? Unverifiable
The Gap
Insurance fraud detection across 3 insurers via xCompute produces a match list. The regulator asks: "Prove this match list was computed correctly from the actual claims data." Without xProve, the only answer is "trust us." With xProve, the answer is a cryptographic proof.
Section 04

Use Cases

Xprove enables verifiable computation across regulated industries where auditors, regulators, and counterparties need cryptographic proof that private computations were performed correctly.

Insurance
Fraud Detection Audits
Three insurers detect duplicate claims via xCompute. State regulator receives xProve proof that the match algorithm was executed correctly — without seeing any policyholder data.
Tier 3
Healthcare
Clinical Trial Integrity
Multi-site trial computes efficacy statistics on patient data via xCompute. FDA receives xProve proof that the statistical analysis was performed correctly per protocol.
Tier 4
Finance
Credit Risk Scoring
Banks jointly compute aggregate default risk via xCompute. OCC auditor verifies computation correctness with xProve proof — no access to individual loan portfolios required.
Tier 2
Government
Intelligence Correlation
IC agencies compute threat correlation on classified datasets via xCompute. Congressional oversight receives xProve proof that analysis was performed correctly without clearance.
Tier 4
Section 05

How It Works

Xprove provides four verification tiers, each offering different tradeoffs between proof size, generation cost, and security guarantees. All tiers verify that xCompute circuits were evaluated correctly.

Verification Tiers

Choose the tier that matches your threat model and performance requirements:

Tier 1
Audit Trail
HMAC chain
Each party logs intermediate values with HMAC commitments. Detect after-the-fact if any party deviated. Efficient but not zero-knowledge — verifier sees circuit structure.
Tier 2
Commit-Reveal
Beaver triple commitments
Parties commit to Beaver triples before use, then reveal during verification. Prevents equivocation during AND gate evaluation. Malicious security with abort.
Tier 3
IT-MAC
Information-theoretic MACs
SPDZ-style authentication on every wire value. Malicious security with statistical soundness. Verifier learns nothing about intermediate values. Recommended for regulated industries.
Tier 4
Zero-Knowledge
ZKBoo or KKW proofs
Full zero-knowledge proof that circuit was evaluated correctly. Choose ZKBoo (880KB, standard security) or KKW (50KB, ~17x smaller). Maximum privacy, highest cost.
Tier Selection
Tier 3 (IT-MAC) is the default for regulated industries. It provides malicious security, verifier privacy, and reasonable proof sizes (~2–10KB). Tier 4 is for scenarios requiring full zero-knowledge (e.g., classified intelligence, clinical trials under FDA scrutiny).
Section 06

Integration

Xprove integrates directly with xCompute circuits. Enable verification by specifying a tier in your compute configuration.

Basic integration example
import { createCircuit } from '@private.me/xcompute';
import { prove, verify } from '@private.me/xprove';

// Define circuit (fraud detection example)
const circuit = createCircuit({
  inputs: { claimA: 256, claimB: 256 },
  gates: [
    { type: 'XOR', in: ['claimA', 'claimB'], out: 'diff' },
    { type: 'POPCOUNT', in: ['diff'], out: 'distance' }
  ],
  output: 'distance'
});

// Execute computation with Tier 3 verification
const result = await circuit.evaluate({
  claimA: data1,
  claimB: data2,
  tier: 3  // Enable IT-MAC proofs
});

// Generate proof
const proofResult = await prove({
  tier: 3,
  circuit,
  witness: result.witness,
  publicOutput: result.value
});

// Auditor verifies (no access to inputs)
const verification = await verify(proofResult.value, {
  circuit,
  publicOutput: result.value
});

if (verification.ok) {
  console.log('Computation verified: result is correct');
}

Proof Bundle Structure

All tiers produce a ProofBundle that can be serialized and sent to external verifiers:

Proof bundle format
interface ProofBundle {
  tier: 1 | 2 | 3 | 4;
  circuitHash: Uint8Array;    // SHA-256 of circuit structure
  publicOutput: Uint8Array;   // Final result (revealed)
  proof: Uint8Array;          // Tier-specific proof data
  metadata?: {
    timestamp: number;
    sessionId: string;
    proofSize: number;
  };
}
Section 07

Security Properties

Each verification tier provides different security guarantees. Understand the threat model before selecting a tier.

Property Tier 1 Tier 2 Tier 3 Tier 4
Correctness Semi-honest Malicious w/ abort Malicious w/ abort Malicious w/ reject
Zero-Knowledge Circuit visible Circuit visible Intermediate values hidden Full ZK
Verifier Privacy Sees structure Sees structure Learns output only Learns output only
Soundness Computational Computational Statistical (2⁻⁴⁰) Computational (2⁻¹²⁸)
Proof Size ~500B ~2KB ~10KB 50KB (KKW) / 880KB (ZKBoo)
Verification Time O(n) O(n) O(n) O(log n)
Security Note
Tier 1 provides no protection against malicious parties. Use only in trusted environments (e.g., internal audit trails). Tiers 2–4 provide malicious security with varying levels of verifier privacy.
Section 08

Performance

Benchmark results for fraud detection circuit (256-bit claim comparison, 512 AND gates). Measured on M1 Pro (8-core, 16GB RAM). All timings in milliseconds.

Tier Prove Time Verify Time Proof Size Security
Tier 1 (HMAC) 12ms 8ms 480B Semi-honest only
Tier 2 (Beaver) 28ms 15ms 2.1KB Malicious w/ abort
Tier 3 (IT-MAC) 45ms 22ms 9.8KB Malicious + ZK wires
Tier 4 (KKW) 380ms 18ms 52KB Full ZK, log verify
Tier 4 (ZKBoo) 420ms 210ms 880KB Full ZK, standard

Scaling Characteristics

O(n)
Tier 1–3 Prove
O(n log n)
Tier 4 Prove
O(log n)
Tier 4 Verify
~17x
KKW vs ZKBoo size
Section 09

Honest Limitations

Xprove is production-ready for regulated industries, but has known limitations you should understand before deployment.

1. Proof Generation Cost (Tier 4)

Zero-knowledge proofs (Tier 4) are 10–40x slower to generate than IT-MAC proofs (Tier 3). For large circuits (>10K gates), proof generation can take seconds to minutes. If your threat model does not require full zero-knowledge, use Tier 3 — it provides malicious security and verifier privacy at much lower cost.

2. Circuit Preprocessing

All tiers require the circuit to be converted to a Boolean gate representation (AND/XOR/NOT). Arithmetic circuits (e.g., range checks, comparisons) incur overhead during this conversion. For arithmetic-heavy workloads, consider plonky2 or similar prime-field proof systems — they handle arithmetic natively.

3. No Universal Proving

Xprove does not support universal proving (one-time setup, prove any circuit). Each circuit requires its own proof generation. If you need to prove arbitrary programs without circuit specification, consider VM-based proof systems (e.g., RISC Zero, SP1).

4. Verification Time (Tier 1–3)

Tiers 1–3 verification time is linear in circuit size — O(n) for n gates. For very large circuits (>100K gates), verification can take hundreds of milliseconds. Tier 4 offers O(log n) verification but at the cost of slower proof generation.

5. Soundness Error (Tier 3)

Tier 3 IT-MAC has statistical soundness with error probability 2⁻⁴⁰. This is sufficient for most regulated use cases but not for cryptographic applications requiring 128-bit security. For higher soundness, use Tier 4 with KKW (computational soundness 2⁻¹²⁸).

Recommendation
For 90% of regulated industry use cases (insurance, healthcare, finance audits), Tier 3 is the right choice. It provides malicious security, verifier privacy, and acceptable proof sizes. Reserve Tier 4 for scenarios requiring full zero-knowledge (classified intelligence, high-stakes clinical trials).
Section 10

Enterprise CLI

Self-hosted verification server. Docker-ready. Air-gapped capable. Port 3400. 68 tests. Part of the Enterprise CLI Suite.

@private.me/xprove-cli provides a production-grade verifiable computation server with full REST API, proof generation, verification, and tier-based proof mode selection (T1-T4). Integrates the complete @private.me/xprove package for enterprise deployments.

CLI Commands

Xprove CLI
# Start the Xprove verification server
xprove serve --port 3400
  → HTTP server on :3400 with proof generation + verification

# Generate a Tier 3 proof (IT-MAC)
xprove prove --circuit "circuits/transfer.json" --witness "witness.json" --tier 3
  → Generates IT-MAC proof, returns serialized proof bundle

# Verify a proof
xprove verify --proof "proof.json" --circuit "circuits/transfer.json"
  → Verifies proof, returns true/false + timing

# Generate KKW zero-knowledge proof (Tier 4)
xprove prove --circuit "circuits/audit.json" --witness "witness.json" --tier 4 --zkmode "kkw"
  → Generates ~50KB KKW proof (vs 880KB ZKBoo)

# Benchmark proof generation
xprove benchmark --circuit "circuits/compliance.json" --tiers "1,2,3,4"
  → Runs proof generation for all tiers, reports timings

# Validate circuit format
xprove validate --circuit "circuits/risk-check.json"
  → Checks circuit structure, gate types, input/output bindings

Docker Deployment

Docker Compose
# Pull and run the Xprove verification server
docker compose up -d xprove

# Verify health
curl http://localhost:3400/health
# {"status":"ok","version":"0.1.0","uptime":42}

# Air-gapped deployment
docker save private.me/xprove-cli > xprove-cli.tar
# Transfer to air-gapped environment
docker load < xprove-cli.tar
docker compose up -d
3400
Default port
4
Proof tiers
68
Tests passing
~12
REST endpoints
Enterprise CLI Suite
Xprove CLI is part of the Enterprise CLI Suite — 21 self-hosted reference servers covering verifiable computation, identity management, passwordless auth, secret sharing, encrypted search, secure ingest, key transport, split storage, and more. All Docker-ready, air-gapped capable, with HMAC-chained audit logs and multi-role RBAC.
Advanced Topics

Developer Reference

Complete API surface, error codes, and codebase statistics. For integration engineers and auditors.

Appendix A1

Full ACI Surface

Xprove exposes 5 primary functions. All functions return Result<T, E> and support optional progress callbacks.

prove(config: ProveConfig): Promise<Result<ProofBundle, string>>
Generate a cryptographic proof that a circuit was evaluated correctly. Config specifies tier (1–4), circuit, witness, and optional progress callback. Returns serializable proof bundle.
verify(bundle: ProofBundle, config: VerifyConfig): Promise<Result<boolean, string>>
Verify a proof bundle. Config specifies circuit and public output. Returns true if proof is valid, false otherwise. Supports progress callbacks for Tier 4 verification.
serializeProof(bundle: ProofBundle): Uint8Array
Serialize a proof bundle for transmission to external verifiers. Output is a compact binary format (TLV encoding) suitable for network transmission or archival.
deserializeProof(data: Uint8Array): Result<ProofBundle, string>
Deserialize a proof bundle from binary format. Validates structure and returns typed bundle. Use this on the verifier side after receiving proof over the network.
estimateProofSize(circuit: Circuit, tier: 1 | 2 | 3 | 4): number
Estimate proof size in bytes before generation. Useful for capacity planning and network bandwidth estimation. Returns conservative upper bound.
Appendix A2

Error Taxonomy

Xprove defines 5 error codes across configuration and tier-specific verification failures. All errors include actionable hints and documentation URLs.

Code Category Description
INVALID_CONFIG Configuration Invalid tier or security parameter. Hint: Verify tier is 1–4 and security parameter is valid for chosen tier.
AUDIT_FAILED Tier 1 HMAC chain verification failed. Hint: Party computation may be inconsistent or malicious. Check audit logs for deviation.
COMMIT_FAILED Tier 2 Beaver commitment verification failed. Hint: Party may have equivocated during commitment phase. Abort protocol.
MAC_FAILED Tier 3 IT-MAC verification failed. Hint: Wire values may have been tampered. Reject computation and investigate parties.
PROOF_FAILED Tier 4 ZKBoo or KKW proof verification failed. Hint: Computation may be incorrect or proof corrupted. Request new proof.

Error Detail Structure

All errors include structured metadata for debugging and user-facing error messages:

Example error detail
{
  "code": "PROOF_FAILED",
  "message": "ZKBoo proof verification failed",
  "hint": "Computation may be incorrect. Request new proof from prover.",
  "field": "proof",
  "docs": "https://private.me/docs/packages/xprove#tier4"
}
Appendix A3

Codebase Statistics

Xprove is a focused verification library. All 4 tiers plus KKW variant implemented in 2,839 lines of TypeScript across 8 source files.

2,839
Source LOC
8
Source Files
128
Tests Passing
7
Test Files
272
Error Handling LOC
5
Error Codes

Module Breakdown

Module Purpose Lines
tier1-audit.ts HMAC chain audit trail ~320
tier2-commit.ts Beaver triple commitments ~380
tier3-itmac.ts IT-MAC SPDZ authentication ~450
tier4-zkboo.ts ZKBoo zero-knowledge proofs ~520
tier4-kkw.ts KKW compact ZK proofs ~480
errors.ts Error hierarchy + details 272
types.ts TypeScript interfaces ~180
index.ts Public exports ~237

Deployment Options

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

  • Zero infrastructure setup
  • Automatic updates
  • 99.9% uptime SLA
  • Pay per use
View Pricing →

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/xprove
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
Get Started →

On-Premise Enterprise

Self-hosted infrastructure for air-gapped, compliance, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable
  • Docker + Kubernetes ready
  • RBAC + audit logs included
Enterprise CLI →

Custom Requirements? Need dedicated infrastructure, white-label deployment, or custom integration? Contact our enterprise team →