MPC vs TEE vs FHE: Which Privacy Technology Should You Use in 2026?
Multi-Party Computation, Trusted Execution Environments, and Fully Homomorphic Encryption each solve privacy differently. This guide compares performance, trust assumptions, and practical deployment so you can pick the right one for your use case.
You need to process sensitive data without exposing it. Maybe you're running a key signing service, aggregating medical records for an ML model, or building a cross-exchange trading system where no single party should see the complete order book.
Three technologies claim to solve this problem: Multi-Party Computation (MPC), Trusted Execution Environments (TEEs), and Fully Homomorphic Encryption (FHE). They all protect data during computation — not just at rest or in transit. But they work in fundamentally different ways, with different performance characteristics, trust models, and practical constraints.
This guide cuts through the marketing and compares them on what actually matters when you're building a production system.
The Core Problem: Data in Use
Encryption at rest (AES on disk) and encryption in transit (TLS) are solved problems. The gap is data in use — the moment your application decrypts a secret, processes it, and acts on the result. During that window, the data exists in plaintext in memory, accessible to the operating system, the hypervisor, and anyone with privileged access to the machine.
All three technologies close this gap. They differ in how.
Multi-Party Computation (MPC)
MPC lets multiple parties jointly compute a function over their combined inputs without any party learning the others' data.
How it works: The computation is split into an interactive protocol. Each party holds a share of the input, performs local computations, and exchanges intermediate messages. At the end, all parties learn the output — but no party learns anything about the other parties' inputs beyond what the output reveals.
Real-world example: Three hospitals want to compute the average patient age across their combined datasets. With MPC, each hospital inputs its data into the protocol. They all learn the average, but Hospital A never sees Hospital B's individual patient records.
Strengths:
- No hardware trust — Security is mathematical, based on cryptographic assumptions. No special CPU or hardware required.
- Composable — Works across organizations, jurisdictions, and cloud providers. Parties can run their nodes anywhere.
- Threshold schemes — You can require k-of-n parties to cooperate, tolerating up to n-k compromised participants.
- Mature for key management — MPC-based wallet signing (e.g., Fireblocks, Fordefi) is battle-tested in production.
Weaknesses:
- Communication overhead — Parties must exchange messages during computation. Latency scales with the number of parties and the circuit depth. For complex functions, this can be orders of magnitude slower than computing in the clear.
- Limited computation — General-purpose MPC exists in theory, but practical deployments are restricted to specific functions: key signing, private set intersection, aggregation. Running arbitrary Docker containers over MPC is not feasible today.
- Availability depends on participants — If a party goes offline during the protocol, the computation fails. This creates operational complexity for always-on services.
- Complex development — Writing MPC circuits requires specialized expertise. You can't take an existing application and "MPC-ify" it without significant redesign.
Best for: Multi-party key management, threshold signing, private set intersection, cross-organizational analytics where no single party should hold all the data.
Trusted Execution Environments (TEEs)
A TEE creates a hardware-isolated enclave where data is processed in plaintext — but the memory is encrypted by the CPU itself, and no external software (including the OS and hypervisor) can access it.
How it works: The CPU partitions a region of memory, encrypts it with hardware-managed keys, and measures the code loaded into it. The resulting measurements (Platform Configuration Registers) are signed by a key embedded in the CPU at manufacturing time. A remote party can verify this attestation to confirm exactly what code is running — without trusting the operator.
Real-world example: An AI agent runs inside a Nitro Enclave. It holds a private key, signs transactions, and responds to API requests. The cloud operator, the host OS, and every other process on the machine cannot read the agent's memory. A client verifies the enclave's attestation before trusting its responses.
Strengths:
- Near-native performance — Code runs at full speed. The overhead of memory encryption is single-digit percentage in most workloads. You're not computing over ciphertexts — the CPU decrypts inside the enclave boundary and computes in the clear.
- General-purpose — If it runs in Docker, it runs in a TEE. No circuit design, no special programming model. AWS Nitro Enclaves accept standard container images.
- Attestation — Cryptographic proof of exactly what code is running, signed by the hardware. This is unique to TEEs — neither MPC nor FHE can prove what computation was performed.
- Single-party operation — One organization can deploy and manage the enclave. No coordination protocol with external parties.
Weaknesses:
- Hardware trust — You trust the CPU manufacturer (AWS, Intel, AMD) to correctly implement the isolation boundary. If the hardware has a bug or backdoor, the security model breaks. Historical side-channel attacks on SGX have demonstrated this is not purely theoretical.
- Provider lock-in — Your security depends on the specific hardware. AWS Nitro Enclaves work differently from Intel TDX, which works differently from AMD SEV-SNP. Switching providers may require re-architecting.
- No persistent storage — Most TEEs are ephemeral. Enclaves lose their state on reboot. You need external encrypted storage for persistence.
- Physical access risk — Advanced attackers with physical access to the hardware can potentially perform side-channel or fault injection attacks, though this is extremely expensive and impractical for most threat models.
Best for: Key management and signing, running untrusted or multi-tenant code, regulatory compliance (HIPAA, SOC2), autonomous AI agents, any workload that needs to run arbitrary code privately with verifiable integrity.
Fully Homomorphic Encryption (FHE)
FHE allows computation directly on encrypted data. The server never decrypts anything — it operates on ciphertexts and produces an encrypted result that only the data owner can decrypt.
How it works: The data owner encrypts their input with an FHE scheme. The server performs operations on the ciphertext — addition, multiplication, comparison — using the mathematical properties of the encryption scheme. The result is a new ciphertext that, when decrypted, equals the result of performing those operations on the plaintext.
Real-world example: A cloud service evaluates a machine learning model on a patient's encrypted medical record. The service never sees the patient's data. The patient decrypts the result to get their diagnosis.
Strengths:
- Strongest privacy guarantee — The server literally cannot see the data. Not "chooses not to" or "is hardware-prevented from" — it mathematically cannot. The data is encrypted throughout the entire computation.
- No hardware trust — Like MPC, security is cryptographic. You don't need to trust any CPU manufacturer.
- No interaction — Unlike MPC, the computation doesn't require back-and-forth communication. The client sends encrypted data, the server computes, the client gets the result. Offline-friendly.
- Composable across services — Multiple services can chain computations on the same ciphertext without decrypting between steps.
Weaknesses:
- Extreme performance overhead — The single biggest barrier. FHE operations are 1,000x to 1,000,000x slower than their plaintext equivalents, depending on the scheme and operation. A multiplication that takes nanoseconds in the clear can take milliseconds or seconds under FHE.
- Limited operations — Not all computations are FHE-friendly. Branching, comparisons, and string operations are either extremely expensive or require approximation. You can't take an arbitrary program and run it under FHE.
- Ciphertext expansion — Encrypted data is significantly larger than plaintext. A 32-byte value might become kilobytes or megabytes of ciphertext, increasing storage and bandwidth costs.
- Noise management — FHE schemes accumulate "noise" with each operation. After too many operations, the ciphertext becomes undecryptable. Bootstrapping (refreshing the ciphertext) is expensive. This limits computation depth.
- Immature tooling — The developer experience is years behind TEEs and MPC. Libraries like Concrete (Zama) and SEAL (Microsoft) are advancing rapidly, but building production FHE applications still requires deep cryptographic expertise.
Best for: Privacy-preserving ML inference, encrypted database queries, scenarios where the server must provably never see the data, and use cases where latency is acceptable.
Head-to-Head Comparison
| Dimension | MPC | TEE | FHE |
|---|---|---|---|
| Performance | 10-100x overhead | ~1x (near native) | 1,000-1,000,000x overhead |
| Trust assumption | Cryptographic (math) | Hardware (CPU manufacturer) | Cryptographic (math) |
| Arbitrary code | No (circuit-based) | Yes (Docker containers) | No (limited operations) |
| Attestation / proof of execution | No | Yes (hardware-signed) | No |
| Parties required | 2+ (interactive) | 1 (single operator) | 1 (non-interactive) |
| Developer experience | Specialized (circuit design) | Standard (containers, REST APIs) | Specialized (FHE schemes) |
| Maturity | Production (for specific use cases) | Production (general purpose) | Early production / research |
| Server sees plaintext? | No (only shares) | Yes (inside enclave only) | No (encrypted throughout) |
| Side-channel risk | Low | Medium (hardware dependent) | Low |
| Key management | Distributed (threshold) | Enclave-isolated | Client-held |
Decision Framework: Which One Do You Need?
Use MPC when:
- Multiple parties need to collaborate without a trusted intermediary. Cross-exchange settlement, multi-org analytics, supply chain coordination.
- Threshold key management is the core requirement. You want 3-of-5 signing for a treasury wallet. MPC wallets from Fireblocks, Fordefi, and others are mature and audited.
- You can't trust any single hardware platform. Your threat model explicitly includes compromised CPUs.
- The computation is well-defined and narrow. Key signing, set intersection, aggregation — these have efficient MPC protocols.
Use TEEs when:
- Performance matters. Your workload needs to run at production speed — API servers, real-time agents, transaction signing, inference. TEEs are the only option that doesn't impose orders-of-magnitude overhead.
- You need to run arbitrary code. Your application is a standard Docker container and rewriting it as a circuit or FHE program isn't feasible.
- Attestation is required. Regulators, partners, or clients need cryptographic proof of what code processed their data. TEEs are the only technology that provides this natively.
- Single-party operation is acceptable. You don't need multi-party coordination. You want a single organization to deploy and manage the secure compute.
- Compliance drives the architecture. HIPAA, SOC2, FIPS, and Common Criteria frameworks recognize hardware-based isolation. Attestation documents map directly to audit evidence.
Use FHE when:
- The server must provably never see the data. Not "hardware-prevented from seeing it" — mathematically incapable. This is the strongest privacy guarantee available.
- Latency is not critical. Batch processing, overnight analytics, pre-computed ML inference. If you can wait minutes or hours, FHE is viable.
- The computation is arithmetically simple. Linear regressions, summations, basic ML models. The fewer multiplications, the more practical FHE becomes.
- You're building for the future. FHE performance is improving rapidly. Zama, Duality Technologies, and hardware accelerators from Intel and DARPA DPRIVE are pushing toward practical FHE within 3-5 years.
Hybrid Architectures: The Pragmatic Answer
In practice, the best systems combine these technologies:
TEE + MPC: Use a TEE for high-speed execution and attestation, with MPC for distributed key generation. The key is split across multiple parties using MPC, then the active share is loaded into a TEE for signing. If the TEE is compromised, the attacker only gets one share — not the full key.
TEE + FHE: Use FHE for data transport and storage, with a TEE for computation. Data arrives encrypted (FHE), is decrypted inside the enclave, processed at full speed, re-encrypted (FHE), and returned. The TEE never exposes plaintext outside its boundary, and the FHE layer ensures data is protected even if the ciphertext is intercepted in transit or at rest.
MPC + FHE: Use FHE to reduce MPC communication rounds. Instead of interactive protocols, parties can compute on encrypted shares locally and exchange fewer messages. This is an active research area — IACR ePrint has dozens of papers from 2025-2026 on this combination.
What This Looks Like in Practice
Here's what deploying a privacy-preserving workload looks like with a TEE using Treza. No circuit design, no FHE scheme selection — just a Docker container running in hardware isolation:
import { TrezaClient } from '@treza/sdk';
const treza = new TrezaClient({
baseUrl: 'https://app.trezalabs.com',
});
// Deploy any Docker image into a hardware-isolated enclave
const enclave = await treza.createEnclave({
name: 'private-ml-inference',
region: 'us-east-1',
walletAddress: '0xYourWallet...',
providerId: 'aws-nitro',
providerConfig: {
dockerImage: 'myorg/inference-server:latest',
cpuCount: 4,
memoryMiB: 2048,
},
});
// Verify attestation — cryptographic proof of what's running
const verification = await treza.verifyAttestation(enclave.id, {
nonce: 'audit-' + Date.now(),
});
console.log('Code integrity verified:', verification.isValid);
console.log('Trust level:', verification.trustLevel);
console.log('HIPAA compliant:', verification.complianceChecks.hipaa);
console.log('SOC2 compliant:', verification.complianceChecks.soc2);The workload runs at native speed inside the enclave. Clients can verify the attestation remotely. The compliance checks map directly to regulatory frameworks. And the entire deployment was five API calls.
The Bottom Line
There is no single "best" privacy technology. There is only the best technology for your specific constraints:
- If you need speed and can trust hardware: TEE
- If you need multi-party collaboration without any trusted party: MPC
- If the server must mathematically never see the data: FHE
- If you're not sure: Start with a TEE. It has the lowest integration barrier, the best performance, and the most mature tooling. You can layer MPC or FHE on top later if your threat model demands it.
The privacy technology landscape is converging. TEE hardware is getting more secure. MPC protocols are getting faster. FHE is approaching practical performance thresholds. The systems that will win are the ones designed to combine these technologies as they mature — not bet everything on one.
Further Reading
- What is a TEE? Complete Guide — Deep dive into TEE technology and hardware comparisons
- A Pragmatic Introduction to MPC — Academic overview of multi-party computation
- Concrete by Zama — Leading open-source FHE compiler
- AWS Nitro Enclaves — AWS TEE documentation
- Treza SDK — Deploy workloads in TEEs with five lines of code
- Confidential Computing Consortium — Linux Foundation cross-industry initiative
Treza builds privacy infrastructure for crypto and finance. Deploy workloads in hardware-secured enclaves with cryptographic proof of integrity. Learn more.
