Sightless Protocol
v0.1 · DRAFT github →
Sightless Protocol — Specification An open standard · Apache 2.0 · Pre-audit

Compute
without seeing.
Prove it. Verifiably. Offline. Forever.

Sightless is the open protocol for verifiable private compute — backend-agnostic across FHE, TEE, MPC and ZK, with portable cryptographic Receipts any third party can validate.

Read the spec crates/ source
§ 01 — Abstract

What it is.

Every cloud AI service in production today reads user data in cleartext. Communication is encrypted in transit, storage is encrypted at rest — but the operator running the model holds the keys and processes the plaintext. This is the trust singleton.

Sightless changes that. A Data Owner encrypts data locally, transmits the ciphertext to a remote Operator that evaluates a requested function homomorphically without decrypting it, and receives the encrypted result alongside a signed Sightless Receipt that any third party can validate offline.

The Receipt cryptographically binds the Operator's claim about which function ran on which inputs under which policy — providing accountability that survives long after the session and is portable across machines, time, and counterparties.

Analogy

Sightless is to private compute what HTTPS is to web encryption. HTTPS did not invent ciphers, public-key cryptography, or certificate hierarchies — those existed long before TLS. What HTTPS standardized was the orchestration layer above them. Sightless plays the same role for FHE, TEE, MPC, ZK, and FE.

§ 02 — Architecture

Three layers, backend-agnostic by construction.

The protocol is defined entirely at the top layer. The wire format, the cryptographic envelope, and the validation rules are meaningful regardless of which backend evaluates the function.

v0.1 specifies a single concrete backend — TFHE via tfhe-rs — but the artifacts that travel on the wire are defined in terms of opaque ciphertext bytes and structural attestations. A TEE-based Operator, an MPC consortium, or a ZK-augmented FHE Operator can implement the same envelope with localized changes.

L3  Sightless protocol — wire format, envelope, validation
L2  Backends — FHE (v0.1), TEE, MPC, ZK, FE (future)
L1  Cryptographic primitives & hardware

Three protocol layers, L3 dispatching to backends, backends wrapping primitives. L3 — PROTOCOL Sightless protocol wire format · envelope · validation · ops dispatches L2 — BACKENDS FHE v0.1 · ACTIVE TEE future MPC future ZK-FHE future wraps L1 — PRIMITIVES & HARDWARE TFHE Intel TDX AMD SEV Arm CCA Secure Enclave zk-SNARK zk-STARK secret-sharing …and so on
Fig. 01 — L3 is what this spec defines. Backends substitute; envelope persists.

Protocol overview — three actors, one signed envelope.

Sequence diagram: Data Owner, Operator, Verifier. Data Owner Operator Verifier holds sk_fhe · x holds sk_op · NEVER sees x, y holds pk_op (OOB) ① PREPARE Cx = Enc_pk_fhe(x) nonce = CSPRNG(16) ② ComputeRequest{ Cx, policy, … } ③ EVALUATE BLINDLY validate (12 op rules) Cy = Eval(function_id, Cx) σ = Sign_sk_op(JCS(unsigned)) — never decrypts — ④ ComputeResponse{ Cy, π } ⑤ VALIDATE & DECRYPT 14 client rules · then y = Dec_sk_fhe(Cy) ⑥ Receipt — anytime · offline · async ⑦ VERIFY OFFLINE verify_receipt(π, pk_op) TIME →
Fig. 02 — The Verifier never speaks to the Operator. A regulator in 2030 can validate a Receipt issued in 2026.
§ 03 — The Sightless Receipt

A signed envelope portable in time, space, and counterparty.

The Receipt cryptographically binds the Operator to a tuple: which function ran, on which input, under which policy, producing which output. Given only the Receipt and the Operator's public key — acquired out-of-band — any Verifier can validate it offline, at any time, without contacting the Operator that signed it.

What the Ed25519 signature covers. SIGN_SK_OP( JCS( UNSIGNED ) ) UNSIGNED RECEIPT protocol_version operator_signing_key request_id · nonce · ts function_id · model_id? policy_id ← H(JCS(policy)) pk_fhe_hash ← H(safe_serialize) input_ciphertext_hash output_ciphertext_hash sightless v0.1
Every field bound. One signature, one truth.
SIGHTLESS
v0.1
RECEIPT
protocol_version { major: 0, minor: 1 }
operator_signing_key ed25519:6f3a2b…c8d1 (32 bytes, base64url)
request_id a4f1e9c2-7b3d-4f51-91e0-2e8a73c9b1d4
request_nonce d7c4…a3b2 (16 bytes)
client_timestamp_ms 1735689600000
operator_timestamp_ms 1735689601247
function_id "weighted-sum-u8/v1"
model_id "logreg-creditrisk/v3"
policy_id H(JCS(policy)) — 32B
pk_fhe_hash H(safe_serialize(pk_fhe)) — 32B
input_ciphertext_hash H(safe_serialize(Cx)) — 32B
output_ciphertext_hash H(safe_serialize(Cy)) — 32B
signature Sign_sk_op( JCS(unsigned) ) — 64 bytes Ed25519

Every field above is bound by the signature. JCS (RFC 8785) guarantees deterministic byte-for-byte reproducibility. H_label (SHA-256 with domain separation) prevents cross-purpose hash confusion.

§ 04 — Demo

End-to-end, in one terminal session.

A worked example against the v0.1 reference implementation. The Client encrypts four credit features under TFHE, the Operator evaluates weighted_sum_u8/v1 against the credit_risk_v3 model without ever decrypting, and signs a Receipt the Verifier validates offline against pk_op. Every §7.6 validation rule — 12 on the Operator side, 14 on the Client side, 3 on the Verifier — is exercised on the wire.

backend
TFHE via tfhe-rs
signature
Ed25519 over JCS(unsigned)
function
weighted_sum_u8/v1
model
credit_risk_v3
output
OwnerOnly (§3.1)
invoke
cargo run -p sightless --example credit_scoring_demo
Client Holds sk_fhe. Encrypts the input, runs the 14 client rules on the response, decrypts the result.
Operator Never sees plaintext. Runs the 12 op rules, evaluates the function under FHE, signs the Receipt with sk_op.
Verifier Holds pk_op out-of-band. Validates the Receipt offline, anywhere, any time — never contacts the Operator.
00.0s
Fig. 04 — One request, one signed Receipt, one offline verification.
§ 05 — Security Properties

What the protocol actually proves.

v0.1 makes a deliberate split: cryptographic prevention for plaintext confidentiality, cryptographic accountability for computation integrity. Honest specs distinguish what they prove from what they make attributable.

Two halves of the v0.1 guarantee: prevention vs. accountability. P1 · CONFIDENTIALITY CRYPTOGRAPHIC PREVENTION The Operator cannot see x. guarantee: TFHE encryption of inputs defense: cryptanalytic intractability recourse: none required — broken means 128-bit security is broken → mathematical, not legal vs P2 · INTEGRITY ACCOUNTABILITY (V0.1) The Operator cannot deny. guarantee: Ed25519 signature over JCS defense: non-repudiable attestation recourse: legal, contractual, reputational — ZK prevention in Phase 4 → attribution, not prevention (today)
Fig. 04 — An honest spec distinguishes what it proves from what it merely makes attributable.
P1 — confidentiality

Plaintext stays encrypted.

Input x and output y are not revealed to any network adversary or to an honest-but-curious Operator. Holds against passive and active wire attackers under TFHE security.

P2 — accountability

The Operator cannot deny what it signed.

A valid Receipt cryptographically attributes the claimed (function, input_hash, output_hash, policy) tuple to the Operator's pk_op. Cryptographic prevention (ZK proofs) is targeted in Phase 4.

P3 — non-repudiation

Signatures are forever.

No party — including the Operator — can credibly deny having produced the signature, absent compromise of sk_op. Verifiers acquire pk_op through a trusted out-of-band channel.

P4 — replay resistance

Each request is one-shot.

A Receipt cannot be reused for a different ComputeRequest; a request cannot be replayed within the Operator's acceptance window. Enforced by 16-byte CSPRNG nonces and timestamp mirroring.

P5 — portability

Verify offline. Anywhere. Forever.

Given only (Receipt, pk_op), any Verifier can validate without contacting the Operator, at any time after issuance. A regulator in 2030 verifies a Receipt issued in 2026.

P6 — backend-agnosticism

Same envelope, any primitive.

Signing and validation logic do not change when the backend changes. Future TEE, MPC, and ZK backends inherit P1–P5 by construction via localized extensions to the wire format.

§ 06 — Roadmap

From draft to standard, in deliberate phases.

v0.1 is an open invitation to adversarial review. Each phase below is a commitment of intent, not of timeline. The protocol's value stands on what is delivered, not what is projected.

  1. Now v0.1
    Wire format & FHE backend
    Draft
    Receipt envelope, validation rules, error taxonomy. TFHE via tfhe-rs. Ed25519 signatures over JCS-canonical bytes. Reference Rust implementation.
  2. Phase 2 v0.2
    Target-Operator binding & signature domain separation
    Next
    Backwards-incompatible fixes identified during pre-publication review. Closes cross-Operator replay (S13) and adds a domain prefix to signed bytes.
  3. Phase 3 v0.3
    Multi-backend support — TEE, MPC
    Future
    TEE attestation evidence (TDX, SEV-SNP, CCA, Secure Enclave) and MPC transcript binding, both as localized extensions of the same envelope.
  4. Phase 4 v0.4
    Zero-knowledge proofs of correct evaluation
    Future
    Cryptographic prevention of false Receipts, not merely accountability. ZK proof composed alongside the Ed25519 signature for soundness + non-repudiation.
  5. v1.0
    Audit, freeze, IETF I-D
    Future
    Independent cryptographic audit, exhaustive test vectors, wire-format freeze with v1.x backwards-compatibility commitment, IETF Internet-Draft submission.