Three parties, one answer, zero inputs revealed. Build real MPC from shares and OTs up to threshold ECDSA wallets and sealed-bid auctions — 100 challenges in Python and Rust.
A hundred challenges that teach secure multi-party computation the way it's actually built in production: secret sharing, oblivious transfer, garbled circuits, GMW with Beaver triples, SPDZ with malicious security, threshold ECDSA, and private set intersection. Every demo is in Python or Rust — the two languages where production MPC libraries actually live. Culminates in five capstones (any three earn the certificate) including a maliciously-secure sealed-bid auction and a 2-of-3 threshold ECDSA signer that deploys to Ethereum.
Built by Lakshya Kumar
We grant free access case-by-case — students, career-switchers, builders on a tight budget. Sign in to send us a note.
Sign in to applyComplete all modules, then submit the required number of capstone projects. Each must earn a passing rating from an admin reviewer.
Encrypt a 256-bit secret into 5 Shamir shares over GF(2^256) such that any 3 reconstruct and any 2 learn zero. Ship a CLI with `split` and `combine` commands, a statistical test empirically confirming 2-share views are indistinguishable from uniform, and a writeup explaining why prime-field arithmetic (GF(2^256) via AES-NI or a 256-bit prime) is chosen over integer-modulo arithmetic. Include a rotation protocol — swap out a share without reconstructing the secret — and document its threat model.
The textbook for this field. Free online PDF. Every module of this course maps to one or two chapters. Read the chapter before the module.
Paste this into any AI chat. Fill in the bracketed parts with your context — you'll get back a straight answer on whether this belongs on your plate.
I'm considering a "Multi-Party Computation" course. It covers secret sharing, oblivious transfer, garbled circuits, GMW with Beaver triples, SPDZ with malicious security, threshold cryptography, private set intersection, and production MPC frameworks — 100 challenges in Python + Rust. Capstones: Shamir vault, sealed-bid auction, PSI for contact discovery, 2-of-3 threshold ECDSA Ethereum signer, and 2PC privacy-preserving ML inference. Any 3 of 5 capstones earn the certificate. Context: 1. Where I sit today: [e.g. "cryptographer in training", "backend dev considering custody / wallets", "academic finishing a PhD in a related area", "privacy engineer at a consumer app", "blockchain / DeFi builder"] 2. My math background: [comfortable with fields and groups / know modular arithmetic only / need to rebuild the math] 3. My concrete goal: [e.g. "build an MPC wallet at work", "publish a paper", "understand what Zcash / Signal / Apple are actually doing", "just intellectual curiosity"] Tell me straight: - Given my background, which 3 modules are most load-bearing for my goal, and which 3 can I safely skim? - What's the single most common failure mode I'll hit trying to implement MPC — is it the math, the network engineering, the security-proof mindset, or operating production protocols? - Which of the 5 capstones actually tests mastery for my goal, and which are window-dressing? Be honest. - In 3 months, how will I know this course paid off — what specifically should I be able to do that I cannot today?
Three bidders submit sealed bids to three non-colluding MPC parties using (2,3) Shamir sharing. The parties run SPDZ-style maliciously-secure comparison to output (winner_id, second_highest_price) — a Vickrey auction. Include: (a) ZK range proofs that each bid is in [0, MAX], (b) information-theoretic MACs on every shared value under a joint key α, (c) an active-abort check so any cheating party is caught and the auction is voided before output. Measure bandwidth per bid and total runtime for N=10 bidders. Provide a threat-model writeup distinguishing which attacks are prevented (malicious minority) and which are not (≥2 colluding parties).
Alice holds 10k phone numbers. Bob (service) holds 1M registered numbers. Compute the intersection so Alice learns which of her contacts are on the service, Bob learns nothing about Alice's non-matches. Implement batched OPRF + cuckoo hashing (KKRT-style). Target: end-to-end <2s on localhost, <10 MB bandwidth. Compare against naive H(phone) hash-matching and quantify the privacy improvement — i.e., the attack a hash-based PSI is vulnerable to (offline enumeration of the phone-number space) and how OPRF blocks it.
Three parties jointly generate a single secp256k1 public key using Pedersen DKG — no party ever holds the full private key. Any 2 parties can sign an Ethereum transaction using GG18/Lindell threshold ECDSA. Deploy: send ETH to the resulting address on Sepolia, then sign a transfer transaction with only 2 of 3 parties, broadcast, and confirm inclusion in a block. Include a malicious-abort check using ZK proofs on the intermediate multiplicative shares so a cheating party cannot forge a signature or leak the key. Provide the on-chain tx hash as proof.
Alice holds a trained binary classifier (logistic regression or small MLP — any model that fits in a boolean circuit of ≤100k gates). Bob holds a private input vector. Compute inference via 2PC so Bob learns the prediction, Alice learns nothing about Bob's input, Bob learns nothing about the weights. Use garbled circuits (preferred) or GMW with Beaver triples. Measure: accuracy vs plaintext baseline (should match exactly for integer weights, approximate for fixed-point), total bandwidth per inference, and wall-clock latency on localhost and across a WAN link with 50ms RTT. Be honest about which attacks this does not prevent (e.g., Alice can still run adaptive queries to reconstruct Bob's input distribution over many inferences).
The rigorous textbook. Heavy on proofs. Pair with Evans-Kolesnikov-Rosulek when you want the theorems, not just the protocols.